author | Thies C. Arntzen <thies@php.net> | 2000-02-06 14:36:27 +0000 |
committer | Thies C. Arntzen <thies@php.net> | 2000-02-06 14:36:27 +0000 |
commit | 59e466d54c4a3b452af958c10d447aa9827d09d7 (patch) | |
tree | 6c0d5053284bad4c2c6dd1a12bcbfd066992f529 /ext/standard/head.c | |
parent | bc8c90f0d2a65642ba02dc7179418663fd27790a (diff) | |
download | php-git-59e466d54c4a3b452af958c10d447aa9827d09d7.tar.gz |
fix for #3413
@- Fixed possible buffer-overflow in setcookie(). (Thies)
Diffstat (limited to 'ext/standard/head.c')
-rw-r--r-- | ext/standard/head.c | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/ext/standard/head.c b/ext/standard/head.c
index 8e33490cda..493703e772 100644
--- a/ext/standard/head.c
+++ b/ext/standard/head.c
@@ -242,10 +242,10 @@ CookieList *php_pop_cookie_list(void)
 /* php_set_cookie(name,value,expires,path,domain,secure) */
 PHP_FUNCTION(setcookie)
 {
- char *cookie;
+ char *cookie, *encoded_value = NULL;
 int len=sizeof("Set-Cookie: ");
 time_t t;
- char *r, *dt;
+ char *dt;
 char *name = NULL, *value = NULL, *path = NULL, *domain = NULL;
 time_t expires = 0;
 int secure = 0;
@@ -293,7 +293,8 @@ PHP_FUNCTION(setcookie)
 len += strlen(name);
 }
 if (value) {
- len += strlen(value);
+ encoded_value = php_url_encode(value, strlen (value));
+ len += strlen(encoded_value);
 }
 if (path) {
 len += strlen(path);
@@ -316,9 +317,7 @@ PHP_FUNCTION(setcookie)
 efree(dt);
 } else {
 /* FIXME: XXX: this is not binary data safe */
- r = php_url_encode(value, strlen (value));
- sprintf(cookie, "Set-Cookie: %s=%s", name, value ? r : "");
- if (r) efree(r);
+ sprintf(cookie, "Set-Cookie: %s=%s", name, value ? encoded_value : "");
 if (value) efree(value);
 value=NULL;
 if (name) efree(name);
@@ -330,6 +329,9 @@ PHP_FUNCTION(setcookie)
 efree(dt);
 }
 }
+
+ if (encoded_value) efree(encoded_value);
+
 if (path && strlen(path)) {
 strcat(cookie, "; path=");
 strcat(cookie, path); |
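Review bot: `len += strlen(encoded_value);` in the second hunk dereferences the php_url_encode() result unconditionally, while the removed `if (r) efree(r);` in the third hunk treated a NULL return as possible; if it can be NULL, the new code now crashes in strlen() instead of reaching the `""` fallback of the ternary, so `if (encoded_value) len += strlen(encoded_value);` together with `value && encoded_value ? encoded_value : ""` would keep the length accounting and the write site consistent. The overflow fix also still depends on every later `sprintf`/`strcat` staying in step with the `len` arithmetic computed up front; writing the header with a bounded `snprintf(cookie, <allocated size>, ...)` and checking its return would bound the write independently of that bookkeeping. Only the value is URL-encoded: `name` is formatted raw by the `sprintf` and `path` is appended raw by `strcat`, so a CR/LF or `;` in either lets a caller-supplied string terminate or extend the Set-Cookie header, which is worth rejecting (or encoding) at the same point. The body of setcookie() continues before and after these hunks; the allocation of `cookie` and the expires branch that presumably also formats `encoded_value` are not visible here.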