authorChristoph M. Becker <cmbecker69@gmx.de>2018-08-12 15:49:46 +0200
committerChristoph M. Becker <cmbecker69@gmx.de>2018-08-12 15:49:46 +0200
commit9ea7d259effc81700e8b7f03f56c47c14201548e (patch)
treec06dc516440c6756ba70415df883f7bc8993cc0e /ext
parent92b04da505d53cccb18b16b30c8aed8ec8103d8e (diff)
parenta16aee6cee77571e3af604117bdc48b75d8a3315 (diff)
downloadphp-git-9ea7d259effc81700e8b7f03f56c47c14201548e.tar.gz
Merge branch 'PHP-7.3'
* PHP-7.3: Fix #76688: Disallow excessive parameters after options array
Diffstat (limited to 'ext')
-rw-r--r--ext/session/session.c9
-rw-r--r--ext/session/tests/session_set_cookie_params_variation7.phpt9
-rw-r--r--ext/standard/head.c10
-rw-r--r--ext/standard/tests/network/setcookie_error.phpt22
4 files changed, 47 insertions, 3 deletions
diff --git a/ext/session/session.c b/ext/session/session.c
index c7d54b0ee7..c46af0d87d 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -1704,6 +1704,15 @@ static PHP_FUNCTION(session_set_cookie_params)
zend_string *key;
zval *value;
+ if (path) {
+ path = NULL;
+ domain = NULL;
+ secure_null = 1;
+ httponly_null = 1;
+ php_error_docref(NULL, E_WARNING, "Cannot pass arguments after the options array");
+ RETURN_FALSE;
+ }
+
ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(lifetime_or_options), key, value) {
if (key) {
ZVAL_DEREF(value);
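Review bot: The four resets inside the new `if (path)` guard (`path = NULL;` through `httponly_null = 1;`) look like dead stores, because `RETURN_FALSE` leaves the function on the very next statement. If these are plain locals, as the surrounding lines suggest, they can be dropped so the guard is only the warning and the return. It would also help to record why `path` alone is tested, e.g. `/* path is the first positional argument after the options array, so it is set whenever any trailing argument was passed */`. That holds only if the parameter parsing above the hunk keeps path as the first optional argument, which is not visible here. The body of session_set_cookie_params starts and ends outside the hunk.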
diff --git a/ext/session/tests/session_set_cookie_params_variation7.phpt b/ext/session/tests/session_set_cookie_params_variation7.phpt
index ebd9b71df6..9d1f8709be 100644
--- a/ext/session/tests/session_set_cookie_params_variation7.phpt
+++ b/ext/session/tests/session_set_cookie_params_variation7.phpt
@@ -36,6 +36,10 @@ var_dump(ini_get("session.cookie_lifetime"));
var_dump(session_set_cookie_params(["lifetime" => 42]));
var_dump(ini_get("session.cookie_lifetime"));
+var_dump(ini_get("session.cookie_path"));
+var_dump(session_set_cookie_params(["path" => "newpath/"], "arg after options array"));
+var_dump(ini_get("session.cookie_path"));
+
echo "Done";
ob_end_flush();
?>
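Review bot: The added case passes only a string after the options array, so it pins `session.cookie_path` but never exercises the `secure` and `httponly` positions. Since the point of the guard is that nothing after the array takes effect, a second call such as `session_set_cookie_params(["path" => "newpath/"], "p", "d", true, true)` followed by `var_dump(ini_get("session.cookie_secure"));` would show that the flags are left untouched as well. The matching expectations would go in the expected-output hunk that follows.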
@@ -57,4 +61,9 @@ string(6) "please"
string(1) "0"
bool(true)
string(2) "42"
+string(1) "/"
+
+Warning: session_set_cookie_params(): Cannot pass arguments after the options array in %s
+bool(false)
+string(1) "/"
Done
diff --git a/ext/standard/head.c b/ext/standard/head.c
index 5a9f09b1e7..5e753840cc 100644
--- a/ext/standard/head.c
+++ b/ext/standard/head.c
@@ -211,6 +211,15 @@ static int php_head_parse_cookie_options_array(zval *options, zend_long *expires
zend_string *key;
zval *value;
+ if (*path) {
+ *path = NULL;
+ *domain = NULL;
+ *secure = 0;
+ *httponly = 0;
+ php_error_docref(NULL, E_WARNING, "Cannot pass arguments after the options array");
+ return 0;
+ }
+
ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(options), key, value) {
if (key) {
ZVAL_DEREF(value);
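Review bot: Clearing `*secure` and `*httponly` to 0 in the new guard is only safe if every caller treats a 0 return as "do not send the cookie". A caller that ignored the result would emit the cookie without the Secure/HttpOnly flags the script asked for. The callers are outside this hunk, so I would state the contract at the guard: `/* Trailing arguments are rejected: outputs are reset and 0 is returned; the caller must not emit a header */`. The function body starts and ends outside the hunk.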
@@ -243,7 +252,6 @@ static int php_head_parse_cookie_options_array(zval *options, zend_long *expires
/* Array is not empty but no valid keys were found */
if (found == 0 && zend_hash_num_elements(Z_ARRVAL_P(options)) > 0) {
php_error_docref(NULL, E_WARNING, "No valid options were found in the given array");
- return 0;
}
return 1;
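Review bot: With `return 0;` removed, the "No valid options were found" branch now falls through to `return 1`, so a call whose options array holds only misspelled or numeric keys still sends the cookie, with none of the intended attributes. The commit message mentions only the trailing-argument check, and the updated setcookie_error.phpt expects `Set-Cookie: name=value` for exactly this case, so the change appears deliberate, but it deserves a comment here, for example `/* Warn only: the cookie is still sent with default attributes */`. A misspelled `secure` or `httponly` key is then reported only through E_WARNING, which matters where warnings are not logged or reviewed. The function's closing brace is outside the hunk.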
diff --git a/ext/standard/tests/network/setcookie_error.phpt b/ext/standard/tests/network/setcookie_error.phpt
index 1cbdf9ef0c..d9241d3de7 100644
--- a/ext/standard/tests/network/setcookie_error.phpt
+++ b/ext/standard/tests/network/setcookie_error.phpt
@@ -10,9 +10,15 @@ ob_start();
// Unrecognized key and no valid keys
setcookie('name', 'value', ['unknown_key' => 'only']);
// Numeric key and no valid keys
-setcookie('name', 'value', [0 => 'numeric_key']);
+setcookie('name2', 'value2', [0 => 'numeric_key']);
// Unrecognized key
-setcookie('name', 'value', ['path' => '/path/', 'foo' => 'bar']);
+setcookie('name3', 'value3', ['path' => '/path/', 'foo' => 'bar']);
+// Arguments after options array (will not be set)
+setcookie('name4', 'value4', [], "path", "domain.tld", true, true);
+
+var_dump(headers_list());
+
+--EXPECTHEADERS--
--EXPECTF--
Warning: setcookie(): Unrecognized key 'unknown_key' found in the options array in %s
@@ -24,3 +30,15 @@ Warning: setcookie(): Numeric key found in the options array in %s
Warning: setcookie(): No valid options were found in the given array in %s
Warning: setcookie(): Unrecognized key 'foo' found in the options array in %s
+
+Warning: setcookie(): Cannot pass arguments after the options array in %s
+array(4) {
+ [0]=>
+ string(%d) "X-Powered-By: PHP/%s"
+ [1]=>
+ string(22) "Set-Cookie: name=value"
+ [2]=>
+ string(24) "Set-Cookie: name2=value2"
+ [3]=>
+ string(37) "Set-Cookie: name3=value3; path=/path/"
+}