diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c index 8cd812eb084c0..80cade4d76057 100644 --- a/ext/pgsql/pgsql.c +++ b/ext/pgsql/pgsql.c @@ -5617,7 +5617,6 @@ static inline zend_result build_tablename(smart_str *querystr, PGconn *pg_link, PHP_PGSQL_API zend_result php_pgsql_insert(PGconn *pg_link, const zend_string *table, zval *var_array, zend_ulong opt, zend_string **sql) { zval *val, converted; - char buf[256]; char *tmp; smart_str querystr = {0}; zend_result ret = FAILURE; @@ -5700,7 +5699,7 @@ PHP_PGSQL_API zend_result php_pgsql_insert(PGconn *pg_link, const zend_string *t smart_str_append_long(&querystr, Z_LVAL_P(val)); break; case IS_DOUBLE: - smart_str_appendl(&querystr, buf, snprintf(buf, sizeof(buf), "%F", Z_DVAL_P(val))); + smart_str_append_double(&querystr, Z_DVAL_P(val), 6, false); break; case IS_NULL: smart_str_appendl(&querystr, "NULL", sizeof("NULL")-1); @@ -5884,8 +5883,7 @@ static inline int build_assignment_string(PGconn *pg_link, smart_str *querystr, smart_str_append_long(querystr, Z_LVAL_P(val)); break; case IS_DOUBLE: { - char buf[256]; - smart_str_appendl(querystr, buf, MIN(snprintf(buf, sizeof(buf), "%F", Z_DVAL_P(val)), sizeof(buf) - 1)); + smart_str_append_double(querystr, Z_DVAL_P(val), 6, false); } break; case IS_NULL: diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c index 63c0093eb05c8..4bf599234f780 100644 --- a/ext/soap/php_http.c +++ b/ext/soap/php_http.c @@ -1014,22 +1014,22 @@ int make_http_soap_request( char *eqpos = strstr(cookie, "="); char *sempos = strstr(cookie, ";"); if (eqpos != NULL && (sempos == NULL || sempos > eqpos)) { - size_t cookie_len; zval zcookie; + size_t cookie_value_len; if (sempos != NULL) { - cookie_len = sempos-(eqpos+1); + cookie_value_len = sempos-(eqpos+1); } else { - cookie_len = strlen(cookie)-(eqpos-cookie)-1; + cookie_value_len = strlen(cookie)-(eqpos-cookie)-1; } zend_string *name = zend_string_init(cookie, eqpos - cookie, false); array_init(&zcookie); - add_index_stringl(&zcookie, 0, eqpos + 1, cookie_len); + add_index_stringl(&zcookie, 0, eqpos + 1, cookie_value_len); if (sempos != NULL) { - char *options = cookie + cookie_len+1; + char *options = sempos + 1; while (*options) { while (*options == ' ') {options++;} sempos = strstr(options, ";"); diff --git a/ext/soap/tests/bugs/cookie_parse_options_offset.phpt b/ext/soap/tests/bugs/cookie_parse_options_offset.phpt new file mode 100644 index 0000000000000..988af9d31959f --- /dev/null +++ b/ext/soap/tests/bugs/cookie_parse_options_offset.phpt @@ -0,0 +1,61 @@ +--TEST-- +SOAP Set-Cookie option parsing starts at wrong offset due to variable shadowing +--EXTENSIONS-- +soap +--SKIPIF-- + +--FILE-- + + + + + + +XML; +PHP; + +php_cli_server_start($code, null, $args); + +$client = new SoapClient(null, [ + 'location' => 'http://' . PHP_CLI_SERVER_ADDRESS . '/test/endpoint', + 'uri' => 'test-uri', + 'trace' => true, +]); + +try { + $client->__soapCall("test", []); +} catch (SoapFault $e) { + // Response parsing may fault, cookies are still stored +} + +$cookies = $client->__getCookies(); + +// path should default to "/test" from the request URI, not "/evil" from the value. +echo "value: " . $cookies['sessionkey'][0] . "\n"; +echo "path: " . $cookies['sessionkey'][1] . "\n"; +echo "domain: " . $cookies['sessionkey'][2] . "\n"; +?> +--EXPECT-- +value: path=/evil +path: /test +domain: good.com