Fixed bug #54180 (parse_url() incorrectly parses path when ? in fragm…

…ent)

NEWS

@@ -1,6 +1,10 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 10 Mar 2011, PHP 5.3.6RC3
+- Core:
+  . Fixed bug #54180 (parse_url() incorrectly parses path when ? in fragment).
+    (tomas dot brastavicius at quantum dot lt, Pierrick)
+
 - Shmop extension:
   . Fixed bug #54193 (Integer overflow in shmop_read()). (Felipe)
     Reported by Jose Carlos Norte <jose at eyeos dot org> (CVE-2011-1092)

ext/standard/tests/url/bug54180.phpt

@@ -0,0 +1,32 @@
+--TEST--
+Bug #54180 (parse_url() incorrectly parses path when ? in fragment)
+--FILE--
+<?php
+
+var_dump(parse_url("http://example.com/path/script.html?t=1#fragment?data"));
+var_dump(parse_url("http://example.com/path/script.html#fragment?data"));
+
+?>
+--EXPECTF--
+array(5) {
+  ["scheme"]=>
+  string(4) "http"
+  ["host"]=>
+  string(11) "example.com"
+  ["path"]=>
+  string(17) "/path/script.html"
+  ["query"]=>
+  string(3) "t=1"
+  ["fragment"]=>
+  string(13) "fragment?data"
+}
+array(4) {
+  ["scheme"]=>
+  string(4) "http"
+  ["host"]=>
+  string(11) "example.com"
+  ["path"]=>
+  string(17) "/path/script.html"
+  ["fragment"]=>
+  string(13) "fragment?data"
+}

ext/standard/url.c

@@ -316,6 +316,10 @@ PHPAPI php_url *php_url_parse_ex(char const *str, int length)
 		pp = strchr(s, '#');
 
 		if (pp && pp < p) {
+			if (pp - s) {
+				ret->path = estrndup(s, (pp-s));
+				php_replace_controlchars_ex(ret->path, (pp - s));
+			}
 			p = pp;
 			goto label_parse;
 		}