Fix #81727: Don't mangle HTTP variable names that clash with ones tha…

…t have a specific semantic meaning.

NEWS

@@ -5,6 +5,8 @@ PHP                                                                        NEWS
 - Core:
   . Fixed bug #81726: phar wrapper: DOS when using quine gzip file.
     (CVE-2022-31628). (cmb)
+  . Fixed bug #81727: Don't mangle HTTP variable names that clash with ones
+    that have a specific semantic meaning. (CVE-2022-31629). (Derick)
   . Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function)
     (Tim Starling)
   . Fixed bug GH-9361 (Segmentation fault on script exit #9379). (cmb,

ext/standard/tests/bug81727.phpt

@@ -0,0 +1,15 @@
+--TEST--
+Bug #81727: $_COOKIE name starting with ..Host/..Secure should be discarded
+--COOKIE--
+..Host-test=ignore; __Host-test=correct; . Secure-test=ignore; . Elephpant=Awesome;
+--FILE--
+<?php
+var_dump($_COOKIE);
+?>
+--EXPECT--
+array(2) {
+  ["__Host-test"]=>
+  string(7) "correct"
+  ["__Elephpant"]=>
+  string(7) "Awesome"
+}

main/php_variables.c

@@ -104,6 +104,20 @@ PHPAPI void php_register_variable_ex(const char *var_name, zval *val, zval *trac
 	}
 	var_len = p - var;
 
+	/* Discard variable if mangling made it start with __Host-, where pre-mangling it did not start with __Host- */
+	if (strncmp(var, "__Host-", sizeof("__Host-")-1) == 0 && strncmp(var_name, "__Host-", sizeof("__Host-")-1) != 0) {
+		zval_ptr_dtor_nogc(val);
+		free_alloca(var_orig, use_heap);
+		return;
+	}
+
+	/* Discard variable if mangling made it start with __Secure-, where pre-mangling it did not start with __Secure- */
+	if (strncmp(var, "__Secure-", sizeof("__Secure-")-1) == 0 && strncmp(var_name, "__Secure-", sizeof("__Secure-")-1) != 0) {
+		zval_ptr_dtor_nogc(val);
+		free_alloca(var_orig, use_heap);
+		return;
+	}
+
 	if (var_len==0) { /* empty variable name, or variable name with a space in it */
 		zval_ptr_dtor_nogc(val);
 		free_alloca(var_orig, use_heap);