From ee832705d1e3e86ceecc056ec3533a60d035d9c5 Mon Sep 17 00:00:00 2001
From: Pierrick Charron <pierrick@php.net>
Date: Sun, 13 Mar 2011 04:02:56 +0000
Subject: [PATCH] Fixed bug #54180 (parse_url() incorrectly parses path when ?
 in fragment)

---
 NEWS                                 |  4 ++++
 ext/standard/tests/url/bug54180.phpt | 32 ++++++++++++++++++++++++++++
 ext/standard/url.c                   |  4 ++++
 3 files changed, 40 insertions(+)
 create mode 100644 ext/standard/tests/url/bug54180.phpt

diff --git a/NEWS b/NEWS
index 935e2334dd8a0..f5b275f9f8578 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,10 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 10 Mar 2011, PHP 5.3.6RC3
+- Core:
+  . Fixed bug #54180 (parse_url() incorrectly parses path when ? in fragment).
+    (tomas dot brastavicius at quantum dot lt, Pierrick)
+
 - Shmop extension:
   . Fixed bug #54193 (Integer overflow in shmop_read()). (Felipe)
     Reported by Jose Carlos Norte <jose at eyeos dot org> (CVE-2011-1092)
diff --git a/ext/standard/tests/url/bug54180.phpt b/ext/standard/tests/url/bug54180.phpt
new file mode 100644
index 0000000000000..2e64e27d07fdd
--- /dev/null
+++ b/ext/standard/tests/url/bug54180.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Bug #54180 (parse_url() incorrectly parses path when ? in fragment)
+--FILE--
+<?php
+
+var_dump(parse_url("http://example.com/path/script.html?t=1#fragment?data"));
+var_dump(parse_url("http://example.com/path/script.html#fragment?data"));
+
+?>
+--EXPECTF--
+array(5) {
+  ["scheme"]=>
+  string(4) "http"
+  ["host"]=>
+  string(11) "example.com"
+  ["path"]=>
+  string(17) "/path/script.html"
+  ["query"]=>
+  string(3) "t=1"
+  ["fragment"]=>
+  string(13) "fragment?data"
+}
+array(4) {
+  ["scheme"]=>
+  string(4) "http"
+  ["host"]=>
+  string(11) "example.com"
+  ["path"]=>
+  string(17) "/path/script.html"
+  ["fragment"]=>
+  string(13) "fragment?data"
+}
diff --git a/ext/standard/url.c b/ext/standard/url.c
index e4f71b1460747..0f4b836e628f2 100644
--- a/ext/standard/url.c
+++ b/ext/standard/url.c
@@ -316,6 +316,10 @@ PHPAPI php_url *php_url_parse_ex(char const *str, int length)
 		pp = strchr(s, '#');
 
 		if (pp && pp < p) {
+			if (pp - s) {
+				ret->path = estrndup(s, (pp-s));
+				php_replace_controlchars_ex(ret->path, (pp - s));
+			}
 			p = pp;
 			goto label_parse;
 		}