Warning to error promotion for set(raw)cookie()

Author: Girgias

ext/standard/head.c

@@ -83,30 +83,6 @@ PHPAPI int php_setcookie(zend_string *name, zend_string *value, time_t expires,
 	int result;
 	smart_str buf = {0};
 
-	if (!ZSTR_LEN(name)) {
-		zend_error( E_WARNING, "Cookie names must not be empty" );
-		return FAILURE;
-	} else if (strpbrk(ZSTR_VAL(name), "=,; \t\r\n\013\014") != NULL) {   /* man isspace for \013 and \014 */
-		zend_error(E_WARNING, "Cookie names cannot contain any of the following '=,; \\t\\r\\n\\013\\014'" );
-		return FAILURE;
-	}
-
-	if (!url_encode && value &&
-			strpbrk(ZSTR_VAL(value), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
-		zend_error(E_WARNING, "Cookie values cannot contain any of the following ',; \\t\\r\\n\\013\\014'" );
-		return FAILURE;
-	}
-
-	if (path && strpbrk(ZSTR_VAL(path), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
-		zend_error(E_WARNING, "Cookie paths cannot contain any of the following ',; \\t\\r\\n\\013\\014'" );
-		return FAILURE;
-	}
-
-	if (domain && strpbrk(ZSTR_VAL(domain), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
-		zend_error(E_WARNING, "Cookie domains cannot contain any of the following ',; \\t\\r\\n\\013\\014'" );
-		return FAILURE;
-	}
-
 	if (value == NULL || ZSTR_LEN(value) == 0) {
 		/*
 		 * MSIE doesn't delete a cookie when you set it to a null value
@@ -225,10 +201,10 @@ static void php_head_parse_cookie_options_array(zval *options, zend_long *expire
 	}
 }
 
-/* {{{ setcookie(string name [, string value [, array options]])
-   Send a cookie */
-PHP_FUNCTION(setcookie)
+#define ILLEGAL_COOKIE_CHARACTER "\",\", \";\", \" \", \"\\t\", \"\\r\", \"\\n\", \"\\013\", and \"\\014\""
+static void php_setcookie_common(INTERNAL_FUNCTION_PARAMETERS, bool is_raw)
 {
+	/* to handle overloaded function array|int */
 	zval *expires_or_options = NULL;
 	zend_string *name, *value = NULL, *path = NULL, *domain = NULL, *samesite = NULL;
 	zend_long expires = 0;
@@ -248,24 +224,61 @@ PHP_FUNCTION(setcookie)
 	if (expires_or_options) {
 		if (Z_TYPE_P(expires_or_options) == IS_ARRAY) {
 			if (UNEXPECTED(ZEND_NUM_ARGS() > 3)) {
-				php_error_docref(NULL, E_WARNING, "Cannot pass arguments after the options array");
-				RETURN_FALSE;
+				zend_argument_count_error("%s(): Expects exactly 3 arguments when argument #3 "
+					"($expires_or_options) is an array", get_active_function_name());
+				RETURN_THROWS();
 			}
 			php_head_parse_cookie_options_array(expires_or_options, &expires, &path, &domain, &secure, &httponly, &samesite);
+			if (path && strpbrk(ZSTR_VAL(path), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
+				zend_value_error("%s(): Argument #3 ($expires_or_options[\"path\"]) cannot contain "
+					ILLEGAL_COOKIE_CHARACTER, get_active_function_name());
+				goto cleanup;
+				RETURN_THROWS();
+			}
+			if (domain && strpbrk(ZSTR_VAL(domain), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
+				zend_value_error("%s(): Argument #3 ($expires_or_options[\"domain\"]) cannot contain "
+					ILLEGAL_COOKIE_CHARACTER, get_active_function_name());
+				goto cleanup;
+				RETURN_THROWS();
+			}
+			/* Should check value of SameSite? */
 		} else {
 			expires = zval_get_long(expires_or_options);
+			if (path && strpbrk(ZSTR_VAL(path), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
+				zend_argument_value_error(4, "cannot contain " ILLEGAL_COOKIE_CHARACTER);
+				RETURN_THROWS();
+			}
+			if (domain && strpbrk(ZSTR_VAL(domain), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
+				zend_argument_value_error(5, "cannot contain " ILLEGAL_COOKIE_CHARACTER);
+				RETURN_THROWS();
+			}
 		}
 	}
 
+	if (!ZSTR_LEN(name)) {
+		zend_argument_value_error(1, "cannot be empty");
+		RETURN_THROWS();
+	}
+	if (strpbrk(ZSTR_VAL(name), "=,; \t\r\n\013\014") != NULL) {   /* man isspace for \013 and \014 */
+		zend_argument_value_error(1, "cannot contain \"=\", " ILLEGAL_COOKIE_CHARACTER);
+		RETURN_THROWS();
+	}
+	if (is_raw && value &&
+		strpbrk(ZSTR_VAL(value), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
+		zend_argument_value_error(2, "cannot contain " ILLEGAL_COOKIE_CHARACTER);
+		RETURN_THROWS();
+	}
+
 	if (!EG(exception)) {
-		if (php_setcookie(name, value, expires, path, domain, secure, httponly, samesite, 1) == SUCCESS) {
+		if (php_setcookie(name, value, expires, path, domain, secure, httponly, samesite, !is_raw) == SUCCESS) {
 			RETVAL_TRUE;
 		} else {
 			RETVAL_FALSE;
 		}
 	}
 
 	if (expires_or_options && Z_TYPE_P(expires_or_options) == IS_ARRAY) {
+		cleanup:
 		if (path) {
 			zend_string_release(path);
 		}
@@ -277,59 +290,20 @@ PHP_FUNCTION(setcookie)
 		}
 	}
 }
+
+/* {{{ setcookie(string name [, string value [, array options]])
+   Send a cookie */
+PHP_FUNCTION(setcookie)
+{
+	php_setcookie_common(INTERNAL_FUNCTION_PARAM_PASSTHRU, false);
+}
 /* }}} */
 
 /* {{{ setrawcookie(string name [, string value [, array options]])
    Send a cookie with no url encoding of the value */
 PHP_FUNCTION(setrawcookie)
 {
-	zval *expires_or_options = NULL;
-	zend_string *name, *value = NULL, *path = NULL, *domain = NULL, *samesite = NULL;
-	zend_long expires = 0;
-	zend_bool secure = 0, httponly = 0;
-
-	ZEND_PARSE_PARAMETERS_START(1, 7)
-		Z_PARAM_STR(name)
-		Z_PARAM_OPTIONAL
-		Z_PARAM_STR(value)
-		Z_PARAM_ZVAL(expires_or_options)
-		Z_PARAM_STR(path)
-		Z_PARAM_STR(domain)
-		Z_PARAM_BOOL(secure)
-		Z_PARAM_BOOL(httponly)
-	ZEND_PARSE_PARAMETERS_END();
-
-	if (expires_or_options) {
-		if (Z_TYPE_P(expires_or_options) == IS_ARRAY) {
-			if (UNEXPECTED(ZEND_NUM_ARGS() > 3)) {
-				php_error_docref(NULL, E_WARNING, "Cannot pass arguments after the options array");
-				RETURN_FALSE;
-			}
-			php_head_parse_cookie_options_array(expires_or_options, &expires, &path, &domain, &secure, &httponly, &samesite);
-		} else {
-			expires = zval_get_long(expires_or_options);
-		}
-	}
-
-	if (!EG(exception)) {
-		if (php_setcookie(name, value, expires, path, domain, secure, httponly, samesite, 0) == SUCCESS) {
-			RETVAL_TRUE;
-		} else {
-			RETVAL_FALSE;
-		}
-	}
-
-	if (expires_or_options && Z_TYPE_P(expires_or_options) == IS_ARRAY) {
-		if (path) {
-			zend_string_release(path);
-		}
-		if (domain) {
-			zend_string_release(domain);
-		}
-		if (samesite) {
-			zend_string_release(samesite);
-		}
-	}
+	php_setcookie_common(INTERNAL_FUNCTION_PARAM_PASSTHRU, true);
 }
 /* }}} */
 

ext/standard/tests/network/bug69523.phpt

@@ -2,7 +2,11 @@
 setcookie() allows empty cookie name
 --FILE--
 <?php
-setcookie('', 'foo');
+try {
+    setcookie('', 'foo');
+} catch (\ValueError $e) {
+    echo $e->getMessage() . \PHP_EOL;
+}
 ?>
---EXPECTF--
-Warning: Cookie names must not be empty in %s on line %d
+--EXPECT--
+setcookie(): Argument #1 ($name) cannot be empty

ext/standard/tests/network/bug69948.phpt

@@ -2,17 +2,21 @@
 Bug #69948 (path/domain are not sanitized for special characters in setcookie)
 --FILE--
 <?php
-var_dump(
-    setcookie('foo', 'bar', 0, 'asdf;asdf'),
-    setcookie('foo', 'bar', 0, '/', 'foobar; secure')
-);
+try {
+    var_dump(setcookie('foo', 'bar', 0, 'asdf;asdf'));
+} catch (\ValueError $e) {
+    echo $e->getMessage() . \PHP_EOL;
+}
+try {
+    var_dump(setcookie('foo', 'bar', 0, '/', 'foobar; secure'));
+} catch (\ValueError $e) {
+    echo $e->getMessage() . \PHP_EOL;
+}
+
 ?>
 ===DONE===
 --EXPECTHEADERS--
---EXPECTF--
-Warning: Cookie paths cannot contain any of the following ',; \t\r\n\013\014' in %s on line %d
-
-Warning: Cookie domains cannot contain any of the following ',; \t\r\n\013\014' in %s on line %d
-bool(false)
-bool(false)
+--EXPECT--
+setcookie(): Argument #4 ($path) cannot contain ",", ";", " ", "\t", "\r", "\n", "\013", and "\014"
+setcookie(): Argument #5 ($domain) cannot contain ",", ";", " ", "\t", "\r", "\n", "\013", and "\014"
 ===DONE===

ext/standard/tests/network/setcookie_array_option_error.phpt

@@ -0,0 +1,61 @@
+--TEST--
+setcookie() array variant error tests
+--INI--
+date.timezone=UTC
+--FILE--
+<?php
+
+ob_start();
+
+// Unrecognized key and no valid keys
+setcookie('name', 'value', ['unknown_key' => 'only']);
+// Numeric key and no valid keys
+setcookie('name2', 'value2', [0 => 'numeric_key']);
+// Unrecognized key
+setcookie('name3', 'value3', ['path' => '/path/', 'foo' => 'bar']);
+// Invalid path key content
+try {
+    setcookie('name', 'value', ['path' => '/;/']);
+} catch (\ValueError $e) {
+    echo $e->getMessage() . "\n";
+}
+// Invalid domain key content
+try {
+    setcookie('name', 'value', ['path' => '/path/', 'domain' => 'ba;r']);
+} catch (\ValueError $e) {
+    echo $e->getMessage() . "\n";
+}
+
+// Arguments after options array (will not be set)
+try {
+    setcookie('name4', 'value4', [], "path", "domain.tld", true, true);
+} catch (\ArgumentCountError $e) {
+    echo $e->getMessage() . "\n";
+}
+
+var_dump(headers_list());
+--EXPECTHEADERS--
+
+--EXPECTF--
+Warning: setcookie(): Unrecognized key 'unknown_key' found in the options array in %s
+
+Warning: setcookie(): No valid options were found in the given array in %s
+
+Warning: setcookie(): Numeric key found in the options array in %s
+
+Warning: setcookie(): No valid options were found in the given array in %s
+
+Warning: setcookie(): Unrecognized key 'foo' found in the options array in %s
+setcookie(): Argument #3 ($expires_or_options["path"]) cannot contain ",", ";", " ", "\t", "\r", "\n", "\013", and "\014"
+setcookie(): Argument #3 ($expires_or_options["domain"]) cannot contain ",", ";", " ", "\t", "\r", "\n", "\013", and "\014"
+setcookie(): Expects exactly 3 arguments when argument #3 ($expires_or_options) is an array
+array(4) {
+  [0]=>
+  string(%d) "X-Powered-By: PHP/%s"
+  [1]=>
+  string(22) "Set-Cookie: name=value"
+  [2]=>
+  string(24) "Set-Cookie: name2=value2"
+  [3]=>
+  string(37) "Set-Cookie: name3=value3; path=/path/"
+}

ext/standard/tests/network/setcookie_error.phpt

@@ -1,43 +1,49 @@
 --TEST--
-setcookie() array variant error tests
+setcookie() error tests
 --INI--
 date.timezone=UTC
 --FILE--
 <?php
 
 ob_start();
 
-// Unrecognized key and no valid keys
-setcookie('name', 'value', ['unknown_key' => 'only']);
-// Numeric key and no valid keys
-setcookie('name2', 'value2', [0 => 'numeric_key']);
-// Unrecognized key
-setcookie('name3', 'value3', ['path' => '/path/', 'foo' => 'bar']);
-// Arguments after options array (will not be set)
-setcookie('name4', 'value4', [], "path", "domain.tld", true, true);
+try {
+    setcookie('');
+} catch (\ValueError $e) {
+    echo $e->getMessage() . "\n";
+}
+try {
+    setcookie('invalid=');
+} catch (\ValueError $e) {
+    echo $e->getMessage() . "\n";
+}
+try {
+    setcookie('name', 'invalid;');
+} catch (\ValueError $e) {
+    echo $e->getMessage() . "\n";
+}
+try {
+    setcookie('name', 'value', 100, 'invalid;');
+} catch (\ValueError $e) {
+    echo $e->getMessage() . "\n";
+}
+try {
+    setcookie('name', 'value', 100, 'path', 'invalid;');
+} catch (\ValueError $e) {
+    echo $e->getMessage() . "\n";
+}
 
 var_dump(headers_list());
 --EXPECTHEADERS--
 
 --EXPECTF--
-Warning: setcookie(): Unrecognized key 'unknown_key' found in the options array in %s
-
-Warning: setcookie(): No valid options were found in the given array in %s
-
-Warning: setcookie(): Numeric key found in the options array in %s
-
-Warning: setcookie(): No valid options were found in the given array in %s
-
-Warning: setcookie(): Unrecognized key 'foo' found in the options array in %s
-
-Warning: setcookie(): Cannot pass arguments after the options array in %s
-array(4) {
+setcookie(): Argument #1 ($name) cannot be empty
+setcookie(): Argument #1 ($name) cannot contain "=", ",", ";", " ", "\t", "\r", "\n", "\013", and "\014"
+setcookie(): Argument #4 ($path) cannot contain ",", ";", " ", "\t", "\r", "\n", "\013", and "\014"
+setcookie(): Argument #5 ($domain) cannot contain ",", ";", " ", "\t", "\r", "\n", "\013", and "\014"
+array(2) {
   [0]=>
   string(%d) "X-Powered-By: PHP/%s"
   [1]=>
-  string(22) "Set-Cookie: name=value"
-  [2]=>
-  string(24) "Set-Cookie: name2=value2"
-  [3]=>
-  string(37) "Set-Cookie: name3=value3; path=/path/"
+  string(27) "Set-Cookie: name=invalid%3B"
 }