Coverage Report

Created: 2026-06-02 06:36

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/php-src/main/php_variables.c
Line
Count
Source
1
/*
2
   +----------------------------------------------------------------------+
3
   | Copyright © The PHP Group and Contributors.                          |
4
   +----------------------------------------------------------------------+
5
   | This source file is subject to the Modified BSD License that is      |
6
   | bundled with this package in the file LICENSE, and is available      |
7
   | through the World Wide Web at <https://www.php.net/license/>.        |
8
   |                                                                      |
9
   | SPDX-License-Identifier: BSD-3-Clause                                |
10
   +----------------------------------------------------------------------+
11
   | Authors: Rasmus Lerdorf <rasmus@lerdorf.on.ca>                       |
12
   |          Zeev Suraski <zeev@php.net>                                 |
13
   +----------------------------------------------------------------------+
14
 */
15
16
#include <stdio.h>
17
#include "php.h"
18
#include "ext/standard/php_standard.h"
19
#include "ext/standard/credits.h"
20
#include "zend_smart_str.h"
21
#include "php_variables.h"
22
#include "php_globals.h"
23
#include "php_content_types.h"
24
#include "SAPI.h"
25
#include "zend_globals.h"
26
#include "zend_exceptions.h"
27
28
/* for systems that need to override reading of environment variables */
29
static void _php_import_environment_variables(zval *array_ptr);
30
static void _php_load_environment_variables(zval *array_ptr);
31
PHPAPI void (*php_import_environment_variables)(zval *array_ptr) = _php_import_environment_variables;
32
PHPAPI void (*php_load_environment_variables)(zval *array_ptr) = _php_load_environment_variables;
33
34
PHPAPI void php_register_variable(const char *var, const char *strval, zval *track_vars_array)
35
0
{
36
0
  php_register_variable_safe(var, strval, strlen(strval), track_vars_array);
37
0
}
38
39
/* binary-safe version */
40
PHPAPI void php_register_variable_safe(const char *var, const char *strval, size_t str_len, zval *track_vars_array)
41
0
{
42
0
  zval new_entry;
43
0
  assert(strval != NULL);
44
45
0
  ZVAL_STRINGL_FAST(&new_entry, strval, str_len);
46
47
0
  php_register_variable_ex(var, &new_entry, track_vars_array);
48
0
}
49
50
static zend_always_inline void php_register_variable_quick(const char *name, size_t name_len, zval *val, HashTable *ht)
51
0
{
52
0
  zend_string *key = zend_string_init_interned(name, name_len, 0);
53
54
0
  zend_hash_update_ind(ht, key, val);
55
0
  zend_string_release_ex(key, 0);
56
0
}
57
58
PHPAPI void php_register_known_variable(const char *var_name, size_t var_name_len, zval *value, zval *track_vars_array)
59
0
{
60
0
  HashTable *symbol_table = NULL;
61
62
0
  ZEND_ASSERT(var_name != NULL);
63
0
  ZEND_ASSERT(var_name_len != 0);
64
0
  ZEND_ASSERT(track_vars_array != NULL && Z_TYPE_P(track_vars_array) == IS_ARRAY);
65
66
0
  symbol_table = Z_ARRVAL_P(track_vars_array);
67
68
0
#if ZEND_DEBUG
69
  /* Verify the name is valid for a PHP variable */
70
0
  ZEND_ASSERT(!(var_name_len == strlen("GLOBALS") && !memcmp(var_name, "GLOBALS", strlen("GLOBALS"))));
71
0
  ZEND_ASSERT(!(var_name_len == strlen("this") && !memcmp(var_name, "this", strlen("this"))));
72
73
  /* Assert that the variable name is not numeric */
74
0
  zend_ulong idx;
75
0
  ZEND_ASSERT(!ZEND_HANDLE_NUMERIC_STR(var_name, var_name_len, idx));
76
  /* ensure that we don't have null bytes, spaces, dots, or array bracket in the variable name (not binary safe) */
77
0
  const char *p = var_name;
78
0
  for (size_t l = 0; l < var_name_len; l++) {
79
0
    ZEND_ASSERT(*p != '\0' && *p != ' ' && *p != '.' && *p != '[');
80
0
    p++;
81
0
  }
82
83
  /* Do not allow to register cookies this way */
84
0
  ZEND_ASSERT(Z_TYPE(PG(http_globals)[TRACK_VARS_COOKIE]) == IS_UNDEF ||
85
0
    Z_ARRVAL(PG(http_globals)[TRACK_VARS_COOKIE]) != symbol_table);
86
0
#endif
87
88
0
  php_register_variable_quick(var_name, var_name_len, value, symbol_table);
89
0
}
90
91
/* Discard variable if mangling made it start with __Host-, where pre-mangling it did not start with __Host-
92
 * Discard variable if mangling made it start with __Secure-, where pre-mangling it did not start with __Secure- */
93
static bool php_is_forbidden_variable_name(const char *mangled_name, size_t mangled_name_len, const char *pre_mangled_name)
94
0
{
95
0
  if (mangled_name_len >= sizeof("__Host-")-1 && strncmp(mangled_name, "__Host-", sizeof("__Host-")-1) == 0 && strncmp(pre_mangled_name, "__Host-", sizeof("__Host-")-1) != 0) {
96
0
    return true;
97
0
  }
98
99
0
  if (mangled_name_len >= sizeof("__Secure-")-1 && strncmp(mangled_name, "__Secure-", sizeof("__Secure-")-1) == 0 && strncmp(pre_mangled_name, "__Secure-", sizeof("__Secure-")-1) != 0) {
100
0
    return true;
101
0
  }
102
103
0
  return false;
104
0
}
105
106
PHPAPI void php_register_variable_ex(const char *var_name, zval *val, zval *track_vars_array)
107
0
{
108
0
  char *p = NULL;
109
0
  char *ip = NULL;   /* index pointer */
110
0
  char *index;
111
0
  char *var, *var_orig;
112
0
  size_t var_len, index_len;
113
0
  zval gpc_element, *gpc_element_p;
114
0
  bool is_array = 0;
115
0
  HashTable *symtable1 = NULL;
116
0
  ALLOCA_FLAG(use_heap)
117
118
0
  assert(var_name != NULL);
119
120
0
  if (track_vars_array && Z_TYPE_P(track_vars_array) == IS_ARRAY) {
121
0
    symtable1 = Z_ARRVAL_P(track_vars_array);
122
0
  }
123
124
0
  if (!symtable1) {
125
    /* Nothing to do */
126
0
    zval_ptr_dtor_nogc(val);
127
0
    return;
128
0
  }
129
130
131
  /* ignore leading spaces in the variable name */
132
0
  while (*var_name==' ') {
133
0
    var_name++;
134
0
  }
135
136
  /*
137
   * Prepare variable name
138
   */
139
0
  var_len = strlen(var_name);
140
0
  var = var_orig = do_alloca(var_len + 1, use_heap);
141
0
  memcpy(var_orig, var_name, var_len + 1);
142
143
  /* ensure that we don't have spaces or dots in the variable name (not binary safe) */
144
0
  for (p = var; *p; p++) {
145
0
    if (*p == ' ' || *p == '.') {
146
0
      *p='_';
147
0
    } else if (*p == '[') {
148
0
      is_array = 1;
149
0
      ip = p;
150
0
      *p = 0;
151
0
      break;
152
0
    }
153
0
  }
154
0
  var_len = p - var;
155
156
0
  if (var_len==0) { /* empty variable name, or variable name with a space in it */
157
0
    zval_ptr_dtor_nogc(val);
158
0
    free_alloca(var_orig, use_heap);
159
0
    return;
160
0
  }
161
162
0
  if (var_len == sizeof("this")-1 && EG(current_execute_data)) {
163
0
    zend_execute_data *ex = EG(current_execute_data);
164
165
0
    while (ex) {
166
0
      if (ex->func && ZEND_USER_CODE(ex->func->common.type)) {
167
0
        if ((ZEND_CALL_INFO(ex) & ZEND_CALL_HAS_SYMBOL_TABLE)
168
0
            && ex->symbol_table == symtable1) {
169
0
          if (memcmp(var, "this", sizeof("this")-1) == 0) {
170
0
            zend_throw_error(NULL, "Cannot re-assign $this");
171
0
            zval_ptr_dtor_nogc(val);
172
0
            free_alloca(var_orig, use_heap);
173
0
            return;
174
0
          }
175
0
        }
176
0
        break;
177
0
      }
178
0
      ex = ex->prev_execute_data;
179
0
    }
180
0
  }
181
182
  /* GLOBALS hijack attempt, reject parameter */
183
0
  if (symtable1 == &EG(symbol_table) &&
184
0
    var_len == sizeof("GLOBALS")-1 &&
185
0
    !memcmp(var, "GLOBALS", sizeof("GLOBALS")-1)) {
186
0
    zval_ptr_dtor_nogc(val);
187
0
    free_alloca(var_orig, use_heap);
188
0
    return;
189
0
  }
190
191
0
  index = var;
192
0
  index_len = var_len;
193
194
0
  if (is_array) {
195
0
    int nest_level = 0;
196
0
    while (1) {
197
0
      char *index_s;
198
0
      size_t new_idx_len = 0;
199
200
0
      if(++nest_level > PG(max_input_nesting_level)) {
201
0
        HashTable *ht;
202
        /* too many levels of nesting */
203
204
0
        if (track_vars_array) {
205
0
          ht = Z_ARRVAL_P(track_vars_array);
206
0
          zend_symtable_str_del(ht, var, var_len);
207
0
        }
208
209
0
        zval_ptr_dtor_nogc(val);
210
211
        /* do not output the error message to the screen,
212
         this helps us to avoid "information disclosure" */
213
0
        if (!PG(display_errors)) {
214
0
          php_error_docref(NULL, E_WARNING, "Input variable nesting level exceeded " ZEND_LONG_FMT ". To increase the limit change max_input_nesting_level in php.ini.", PG(max_input_nesting_level));
215
0
        }
216
0
        free_alloca(var_orig, use_heap);
217
0
        return;
218
0
      }
219
220
0
      ip++;
221
0
      index_s = ip;
222
0
      if (isspace((unsigned char)*ip)) {
223
0
        ip++;
224
0
      }
225
0
      if (*ip==']') {
226
0
        index_s = NULL;
227
0
      } else {
228
0
        ip = strchr(ip, ']');
229
0
        if (!ip) {
230
          /* not an index; un-terminate the var name */
231
0
          *(index_s - 1) = '_';
232
          /* PHP variables cannot contain ' ', '.', '[' in their names, so we replace the characters with a '_' */
233
0
          for (p = index_s; *p; p++) {
234
0
            if (*p == ' ' || *p == '.' || *p == '[') {
235
0
              *p = '_';
236
0
            }
237
0
          }
238
239
0
          index_len = 0;
240
0
          if (index) {
241
0
            index_len = strlen(index);
242
0
          }
243
0
          goto plain_var;
244
0
          return;
245
0
        }
246
0
        *ip = 0;
247
0
        new_idx_len = strlen(index_s);
248
0
      }
249
250
0
      if (!index) {
251
0
        array_init(&gpc_element);
252
0
        if ((gpc_element_p = zend_hash_next_index_insert(symtable1, &gpc_element)) == NULL) {
253
0
          zend_array_destroy(Z_ARR(gpc_element));
254
0
          zval_ptr_dtor_nogc(val);
255
0
          free_alloca(var_orig, use_heap);
256
0
          return;
257
0
        }
258
0
      } else {
259
0
        if (php_is_forbidden_variable_name(index, index_len, var_name)) {
260
0
          zval_ptr_dtor_nogc(val);
261
0
          free_alloca(var_orig, use_heap);
262
0
          return;
263
0
        }
264
265
0
        gpc_element_p = zend_symtable_str_find(symtable1, index, index_len);
266
0
        if (!gpc_element_p) {
267
0
          zval tmp;
268
0
          array_init(&tmp);
269
0
          gpc_element_p = zend_symtable_str_update_ind(symtable1, index, index_len, &tmp);
270
0
        } else {
271
0
          if (Z_TYPE_P(gpc_element_p) == IS_INDIRECT) {
272
0
            gpc_element_p = Z_INDIRECT_P(gpc_element_p);
273
0
          }
274
0
          if (Z_TYPE_P(gpc_element_p) != IS_ARRAY) {
275
0
            zval_ptr_dtor_nogc(gpc_element_p);
276
0
            array_init(gpc_element_p);
277
0
          } else {
278
0
            SEPARATE_ARRAY(gpc_element_p);
279
0
          }
280
0
        }
281
0
      }
282
0
      symtable1 = Z_ARRVAL_P(gpc_element_p);
283
      /* ip pointed to the '[' character, now obtain the key */
284
0
      index = index_s;
285
0
      index_len = new_idx_len;
286
287
0
      ip++;
288
0
      if (*ip == '[') {
289
0
        is_array = 1;
290
0
        *ip = 0;
291
0
      } else {
292
0
        goto plain_var;
293
0
      }
294
0
    }
295
0
  } else {
296
0
plain_var:
297
0
    if (!index) {
298
0
      if (zend_hash_next_index_insert(symtable1, val) == NULL) {
299
0
        zval_ptr_dtor_nogc(val);
300
0
      }
301
0
    } else {
302
0
      if (php_is_forbidden_variable_name(index, index_len, var_name)) {
303
0
        zval_ptr_dtor_nogc(val);
304
0
        free_alloca(var_orig, use_heap);
305
0
        return;
306
0
      }
307
308
0
      zend_ulong idx;
309
310
      /*
311
       * According to rfc2965, more specific paths are listed above the less specific ones.
312
       * If we encounter a duplicate cookie name, we should skip it, since it is not possible
313
       * to have the same (plain text) cookie name for the same path and we should not overwrite
314
       * more specific cookies with the less specific ones.
315
       */
316
0
      if (Z_TYPE(PG(http_globals)[TRACK_VARS_COOKIE]) != IS_UNDEF &&
317
0
        symtable1 == Z_ARRVAL(PG(http_globals)[TRACK_VARS_COOKIE]) &&
318
0
        zend_symtable_str_exists(symtable1, index, index_len)) {
319
0
        zval_ptr_dtor_nogc(val);
320
0
      } else if (ZEND_HANDLE_NUMERIC_STR(index, index_len, idx)) {
321
0
        zend_hash_index_update(symtable1, idx, val);
322
0
      } else {
323
0
        php_register_variable_quick(index, index_len, val, symtable1);
324
0
      }
325
0
    }
326
0
  }
327
0
  free_alloca(var_orig, use_heap);
328
0
}
329
330
typedef struct post_var_data {
331
  smart_str str;
332
  char *ptr;
333
  char *end;
334
  uint64_t cnt;
335
336
  /* Bytes in ptr that have already been scanned for '&' */
337
  size_t already_scanned;
338
} post_var_data_t;
339
340
static bool add_post_var(zval *arr, post_var_data_t *var, bool eof)
341
0
{
342
0
  char *start, *ksep, *vsep, *val;
343
0
  size_t klen, vlen;
344
0
  size_t new_vlen;
345
346
0
  if (var->ptr >= var->end) {
347
0
    return false;
348
0
  }
349
350
0
  start = var->ptr + var->already_scanned;
351
0
  vsep = memchr(start, '&', var->end - start);
352
0
  if (!vsep) {
353
0
    if (!eof) {
354
0
      var->already_scanned = var->end - var->ptr;
355
0
      return false;
356
0
    } else {
357
0
      vsep = var->end;
358
0
    }
359
0
  }
360
361
0
  ksep = memchr(var->ptr, '=', vsep - var->ptr);
362
0
  if (ksep) {
363
0
    *ksep = '\0';
364
    /* "foo=bar&" or "foo=&" */
365
0
    klen = ksep - var->ptr;
366
0
    vlen = vsep - ++ksep;
367
0
  } else {
368
0
    ksep = "";
369
    /* "foo&" */
370
0
    klen = vsep - var->ptr;
371
0
    vlen = 0;
372
0
  }
373
374
0
  php_url_decode(var->ptr, klen);
375
376
0
  val = estrndup(ksep, vlen);
377
0
  if (vlen) {
378
0
    vlen = php_url_decode(val, vlen);
379
0
  }
380
381
0
  if (sapi_module.input_filter(PARSE_POST, var->ptr, &val, vlen, &new_vlen)) {
382
0
    php_register_variable_safe(var->ptr, val, new_vlen, arr);
383
0
  }
384
0
  efree(val);
385
386
0
  var->ptr = vsep + (vsep != var->end);
387
0
  var->already_scanned = 0;
388
0
  return true;
389
0
}
390
391
static inline zend_result add_post_vars(zval *arr, post_var_data_t *vars, bool eof)
392
0
{
393
0
  uint64_t max_vars = REQUEST_PARSE_BODY_OPTION_GET(max_input_vars, PG(max_input_vars));
394
395
0
  vars->ptr = ZSTR_VAL(vars->str.s);
396
0
  vars->end = ZSTR_VAL(vars->str.s) + ZSTR_LEN(vars->str.s);
397
0
  while (add_post_var(arr, vars, eof)) {
398
0
    if (++vars->cnt > max_vars) {
399
0
      php_error_docref(NULL, E_WARNING,
400
0
          "Input variables exceeded %" PRIu64 ". "
401
0
          "To increase the limit change max_input_vars in php.ini.",
402
0
          max_vars);
403
0
      return FAILURE;
404
0
    }
405
0
  }
406
407
0
  if (!eof && ZSTR_VAL(vars->str.s) != vars->ptr) {
408
0
    memmove(ZSTR_VAL(vars->str.s), vars->ptr, ZSTR_LEN(vars->str.s) = vars->end - vars->ptr);
409
0
  }
410
0
  return SUCCESS;
411
0
}
412
413
#ifdef PHP_WIN32
414
#define SAPI_POST_HANDLER_BUFSIZ 16384
415
#else
416
0
# define SAPI_POST_HANDLER_BUFSIZ BUFSIZ
417
#endif
418
SAPI_API SAPI_POST_HANDLER_FUNC(php_std_post_handler)
419
0
{
420
0
  zval *arr = (zval *) arg;
421
0
  php_stream *s = SG(request_info).request_body;
422
0
  post_var_data_t post_data;
423
424
0
  if (s && SUCCESS == php_stream_rewind(s)) {
425
0
    memset(&post_data, 0, sizeof(post_data));
426
427
0
    while (!php_stream_eof(s)) {
428
0
      char buf[SAPI_POST_HANDLER_BUFSIZ] = {0};
429
0
      ssize_t len = php_stream_read(s, buf, SAPI_POST_HANDLER_BUFSIZ);
430
431
0
      if (len > 0) {
432
0
        smart_str_appendl(&post_data.str, buf, len);
433
434
0
        if (SUCCESS != add_post_vars(arr, &post_data, 0)) {
435
0
          smart_str_free(&post_data.str);
436
0
          return;
437
0
        }
438
0
      }
439
440
0
      if (len != SAPI_POST_HANDLER_BUFSIZ){
441
0
        break;
442
0
      }
443
0
    }
444
445
0
    if (post_data.str.s) {
446
0
      add_post_vars(arr, &post_data, 1);
447
0
      smart_str_free(&post_data.str);
448
0
    }
449
0
  }
450
0
}
451
#undef SAPI_POST_HANDLER_BUFSIZ
452
453
SAPI_API SAPI_INPUT_FILTER_FUNC(php_default_input_filter)
454
0
{
455
  /* TODO: check .ini setting here and apply user-defined input filter */
456
0
  if(new_val_len) *new_val_len = val_len;
457
0
  return 1;
458
0
}
459
460
SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data)
461
3.98k
{
462
3.98k
  char *res = NULL, *var, *val, *separator = NULL;
463
3.98k
  const char *c_var;
464
3.98k
  zval array;
465
3.98k
  int free_buffer = 0;
466
3.98k
  char *strtok_buf = NULL;
467
3.98k
  zend_long count = 0;
468
469
3.98k
  ZVAL_UNDEF(&array);
470
3.98k
  switch (arg) {
471
0
    case PARSE_POST:
472
1.99k
    case PARSE_GET:
473
3.98k
    case PARSE_COOKIE:
474
3.98k
      array_init(&array);
475
3.98k
      switch (arg) {
476
0
        case PARSE_POST:
477
0
          zval_ptr_dtor_nogc(&PG(http_globals)[TRACK_VARS_POST]);
478
0
          ZVAL_COPY_VALUE(&PG(http_globals)[TRACK_VARS_POST], &array);
479
0
          break;
480
1.99k
        case PARSE_GET:
481
1.99k
          zval_ptr_dtor_nogc(&PG(http_globals)[TRACK_VARS_GET]);
482
1.99k
          ZVAL_COPY_VALUE(&PG(http_globals)[TRACK_VARS_GET], &array);
483
1.99k
          break;
484
1.99k
        case PARSE_COOKIE:
485
1.99k
          zval_ptr_dtor_nogc(&PG(http_globals)[TRACK_VARS_COOKIE]);
486
1.99k
          ZVAL_COPY_VALUE(&PG(http_globals)[TRACK_VARS_COOKIE], &array);
487
1.99k
          break;
488
3.98k
      }
489
3.98k
      break;
490
3.98k
    default:
491
0
      ZVAL_COPY_VALUE(&array, destArray);
492
0
      break;
493
3.98k
  }
494
495
3.98k
  if (arg == PARSE_POST) {
496
0
    sapi_handle_post(&array);
497
0
    return;
498
0
  }
499
500
3.98k
  if (arg == PARSE_GET) {   /* GET data */
501
1.99k
    c_var = SG(request_info).query_string;
502
1.99k
    if (c_var && *c_var) {
503
0
      res = (char *) estrdup(c_var);
504
0
      free_buffer = 1;
505
1.99k
    } else {
506
1.99k
      free_buffer = 0;
507
1.99k
    }
508
1.99k
  } else if (arg == PARSE_COOKIE) {   /* Cookie data */
509
1.99k
    c_var = SG(request_info).cookie_data;
510
1.99k
    if (c_var && *c_var) {
511
0
      res = (char *) estrdup(c_var);
512
0
      free_buffer = 1;
513
1.99k
    } else {
514
1.99k
      free_buffer = 0;
515
1.99k
    }
516
1.99k
  } else if (arg == PARSE_STRING) {   /* String data */
517
0
    res = str;
518
0
    free_buffer = 1;
519
0
  }
520
521
3.98k
  if (!res) {
522
3.98k
    return;
523
3.98k
  }
524
525
0
  switch (arg) {
526
0
    case PARSE_GET:
527
0
    case PARSE_STRING:
528
0
      separator = ZSTR_VAL(PG(arg_separator).input);
529
0
      break;
530
0
    case PARSE_COOKIE:
531
0
      separator = ";\0";
532
0
      break;
533
0
  }
534
535
0
  var = php_strtok_r(res, separator, &strtok_buf);
536
537
0
  while (var) {
538
0
    size_t val_len;
539
0
    size_t new_val_len;
540
541
0
    val = strchr(var, '=');
542
543
0
    if (arg == PARSE_COOKIE) {
544
      /* Remove leading spaces from cookie names, needed for multi-cookie header where ; can be followed by a space */
545
0
      while (isspace((unsigned char)*var)) {
546
0
        var++;
547
0
      }
548
0
      if (var == val || *var == '\0') {
549
0
        goto next_cookie;
550
0
      }
551
0
    }
552
553
0
    zend_long max_input_vars = REQUEST_PARSE_BODY_OPTION_GET(max_input_vars, PG(max_input_vars));
554
0
    if (++count > max_input_vars) {
555
0
      php_error_docref(NULL, E_WARNING, "Input variables exceeded " ZEND_LONG_FMT ". To increase the limit change max_input_vars in php.ini.", max_input_vars);
556
0
      break;
557
0
    }
558
559
0
    if (val) { /* have a value */
560
561
0
      *val++ = '\0';
562
563
0
      if (arg == PARSE_COOKIE) {
564
0
        val_len = php_raw_url_decode(val, strlen(val));
565
0
      } else {
566
0
        val_len = php_url_decode(val, strlen(val));
567
0
      }
568
0
    } else {
569
0
      val     = "";
570
0
      val_len =  0;
571
0
    }
572
573
0
    val = estrndup(val, val_len);
574
0
    if (arg != PARSE_COOKIE) {
575
0
      php_url_decode(var, strlen(var));
576
0
    }
577
0
    if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len)) {
578
0
      php_register_variable_safe(var, val, new_val_len, &array);
579
0
    }
580
0
    efree(val);
581
0
next_cookie:
582
0
    var = php_strtok_r(NULL, separator, &strtok_buf);
583
0
  }
584
585
0
  if (free_buffer) {
586
0
    efree(res);
587
0
  }
588
0
}
589
590
static zend_always_inline int valid_environment_name(const char *name, const char *end)
591
0
{
592
0
  const char *s;
593
594
0
  for (s = name; s < end; s++) {
595
0
    if (*s == ' ' || *s == '.' || *s == '[') {
596
0
      return 0;
597
0
    }
598
0
  }
599
0
  return 1;
600
0
}
601
602
static zend_always_inline void import_environment_variable(HashTable *ht, char *env)
603
0
{
604
0
  char *p;
605
0
  size_t name_len, len;
606
0
  zval val;
607
0
  zend_ulong idx;
608
609
0
  p = strchr(env, '=');
610
0
  if (!p
611
0
    || p == env
612
0
    || !valid_environment_name(env, p)) {
613
    /* malformed entry? */
614
0
    return;
615
0
  }
616
0
  name_len = p - env;
617
0
  p++;
618
0
  len = strlen(p);
619
0
  ZVAL_STRINGL_FAST(&val, p, len);
620
0
  if (ZEND_HANDLE_NUMERIC_STR(env, name_len, idx)) {
621
0
    zend_hash_index_update(ht, idx, &val);
622
0
  } else {
623
0
    php_register_variable_quick(env, name_len, &val, ht);
624
0
  }
625
0
}
626
627
static void _php_import_environment_variables(zval *array_ptr)
628
0
{
629
0
  tsrm_env_lock();
630
631
0
#ifndef PHP_WIN32
632
0
  for (char **env = environ; env != NULL && *env != NULL; env++) {
633
0
    import_environment_variable(Z_ARRVAL_P(array_ptr), *env);
634
0
  }
635
#else
636
  wchar_t *environmentw = GetEnvironmentStringsW();
637
  for (wchar_t *envw = environmentw; envw != NULL && *envw; envw += wcslen(envw) + 1) {
638
    char *env = php_win32_cp_w_to_any(envw);
639
    if (env != NULL) {
640
      import_environment_variable(Z_ARRVAL_P(array_ptr), env);
641
      free(env);
642
    }
643
  }
644
  FreeEnvironmentStringsW(environmentw);
645
#endif
646
647
0
  tsrm_env_unlock();
648
0
}
649
650
static void _php_load_environment_variables(zval *array_ptr)
651
0
{
652
0
  php_import_environment_variables(array_ptr);
653
0
}
654
655
/* {{{ php_build_argv */
656
PHPAPI void php_build_argv(const char *s, zval *track_vars_array)
657
1.99k
{
658
1.99k
  zval arr, argc, tmp;
659
1.99k
  int count = 0;
660
661
1.99k
  if (!(SG(request_info).argc || track_vars_array)) {
662
1.99k
    return;
663
1.99k
  }
664
665
0
  array_init(&arr);
666
667
  /* Prepare argv */
668
0
  if (SG(request_info).argc) { /* are we in cli sapi? */
669
0
    int i;
670
0
    for (i = 0; i < SG(request_info).argc; i++) {
671
0
      ZVAL_STRING(&tmp, SG(request_info).argv[i]);
672
0
      if (zend_hash_next_index_insert(Z_ARRVAL(arr), &tmp) == NULL) {
673
0
        zend_string_efree(Z_STR(tmp));
674
0
      }
675
0
    }
676
0
  } else  if (s && *s) {
677
0
    while (1) {
678
0
      const char *space = strchr(s, '+');
679
      /* auto-type */
680
0
      ZVAL_STRINGL(&tmp, s, space ? space - s : strlen(s));
681
0
      count++;
682
0
      if (zend_hash_next_index_insert(Z_ARRVAL(arr), &tmp) == NULL) {
683
0
        zend_string_efree(Z_STR(tmp));
684
0
      }
685
0
      if (!space) {
686
0
        break;
687
0
      }
688
0
      s = space + 1;
689
0
    }
690
0
  }
691
692
  /* prepare argc */
693
0
  if (SG(request_info).argc) {
694
0
    ZVAL_LONG(&argc, SG(request_info).argc);
695
0
  } else {
696
0
    ZVAL_LONG(&argc, count);
697
0
  }
698
699
0
  if (SG(request_info).argc) {
700
0
    Z_ADDREF(arr);
701
0
    zend_hash_update(&EG(symbol_table), ZSTR_KNOWN(ZEND_STR_ARGV), &arr);
702
0
    zend_hash_update(&EG(symbol_table), ZSTR_KNOWN(ZEND_STR_ARGC), &argc);
703
0
  }
704
0
  if (track_vars_array && Z_TYPE_P(track_vars_array) == IS_ARRAY) {
705
0
    Z_ADDREF(arr);
706
0
    zend_hash_update(Z_ARRVAL_P(track_vars_array), ZSTR_KNOWN(ZEND_STR_ARGV), &arr);
707
0
    zend_hash_update(Z_ARRVAL_P(track_vars_array), ZSTR_KNOWN(ZEND_STR_ARGC), &argc);
708
0
  }
709
0
  zval_ptr_dtor_nogc(&arr);
710
0
}
711
/* }}} */
712
713
/* {{{ php_register_server_variables */
714
static inline void php_register_server_variables(void)
715
0
{
716
0
  zval tmp;
717
0
  zval *arr = &PG(http_globals)[TRACK_VARS_SERVER];
718
0
  HashTable *ht;
719
720
0
  zval_ptr_dtor_nogc(arr);
721
0
  array_init(arr);
722
723
  /* Server variables */
724
0
  if (sapi_module.register_server_variables) {
725
0
    sapi_module.register_server_variables(arr);
726
0
  }
727
0
  ht = Z_ARRVAL_P(arr);
728
729
  /* PHP Authentication support */
730
0
  if (SG(request_info).auth_user) {
731
0
    ZVAL_STRING(&tmp, SG(request_info).auth_user);
732
0
    php_register_variable_quick("PHP_AUTH_USER", sizeof("PHP_AUTH_USER")-1, &tmp, ht);
733
0
  }
734
0
  if (SG(request_info).auth_password) {
735
0
    ZVAL_STRING(&tmp, SG(request_info).auth_password);
736
0
    php_register_variable_quick("PHP_AUTH_PW", sizeof("PHP_AUTH_PW")-1, &tmp, ht);
737
0
  }
738
0
  if (SG(request_info).auth_digest) {
739
0
    ZVAL_STRING(&tmp, SG(request_info).auth_digest);
740
0
    php_register_variable_quick("PHP_AUTH_DIGEST", sizeof("PHP_AUTH_DIGEST")-1, &tmp, ht);
741
0
  }
742
743
  /* store request init time */
744
0
  ZVAL_DOUBLE(&tmp, sapi_get_request_time());
745
0
  php_register_variable_quick("REQUEST_TIME_FLOAT", sizeof("REQUEST_TIME_FLOAT")-1, &tmp, ht);
746
0
  ZVAL_LONG(&tmp, zend_dval_to_lval_silent(Z_DVAL(tmp)));
747
0
  php_register_variable_quick("REQUEST_TIME", sizeof("REQUEST_TIME")-1, &tmp, ht);
748
0
}
749
/* }}} */
750
751
/* {{{ php_autoglobal_merge */
752
static void php_autoglobal_merge(HashTable *dest, HashTable *src)
753
0
{
754
0
  zval *src_entry, *dest_entry;
755
0
  zend_string *string_key;
756
0
  zend_ulong num_key;
757
0
  int globals_check = (dest == (&EG(symbol_table)));
758
759
0
  ZEND_HASH_FOREACH_KEY_VAL(src, num_key, string_key, src_entry) {
760
0
    if (Z_TYPE_P(src_entry) != IS_ARRAY
761
0
      || (string_key && (dest_entry = zend_hash_find(dest, string_key)) == NULL)
762
0
      || (string_key == NULL && (dest_entry = zend_hash_index_find(dest, num_key)) == NULL)
763
0
      || Z_TYPE_P(dest_entry) != IS_ARRAY) {
764
0
      Z_TRY_ADDREF_P(src_entry);
765
0
      if (string_key) {
766
0
        if (!globals_check || !zend_string_equals_literal(string_key, "GLOBALS")) {
767
0
          zend_hash_update(dest, string_key, src_entry);
768
0
        } else {
769
0
          Z_TRY_DELREF_P(src_entry);
770
0
        }
771
0
      } else {
772
0
        zend_hash_index_update(dest, num_key, src_entry);
773
0
      }
774
0
    } else {
775
0
      SEPARATE_ARRAY(dest_entry);
776
0
      php_autoglobal_merge(Z_ARRVAL_P(dest_entry), Z_ARRVAL_P(src_entry));
777
0
    }
778
0
  } ZEND_HASH_FOREACH_END();
779
0
}
780
/* }}} */
781
782
/* {{{ php_hash_environment */
783
PHPAPI zend_result php_hash_environment(void)
784
1.99k
{
785
1.99k
  memset(PG(http_globals), 0, sizeof(PG(http_globals)));
786
  /* Register $argc and $argv for CLI SAPIs. $_SERVER['argc'] and $_SERVER['argv']
787
   * will be registered in php_auto_globals_create_server() which clears
788
   * PG(http_globals)[TRACK_VARS_SERVER] anyways, making registration at this point
789
   * useless.
790
   */
791
1.99k
  php_build_argv(NULL, NULL);
792
1.99k
  zend_activate_auto_globals();
793
1.99k
  return SUCCESS;
794
1.99k
}
795
/* }}} */
796
797
static bool php_auto_globals_create_get(zend_string *name)
798
1.99k
{
799
1.99k
  if (PG(variables_order) && (strchr(PG(variables_order),'G') || strchr(PG(variables_order),'g'))) {
800
1.99k
    sapi_module.treat_data(PARSE_GET, NULL, NULL);
801
1.99k
  } else {
802
0
    zval_ptr_dtor_nogc(&PG(http_globals)[TRACK_VARS_GET]);
803
0
    array_init(&PG(http_globals)[TRACK_VARS_GET]);
804
0
  }
805
806
1.99k
  zend_hash_update(&EG(symbol_table), name, &PG(http_globals)[TRACK_VARS_GET]);
807
1.99k
  Z_ADDREF(PG(http_globals)[TRACK_VARS_GET]);
808
809
1.99k
  return false; /* don't rearm */
810
1.99k
}
811
812
static bool php_auto_globals_create_post(zend_string *name)
813
1.99k
{
814
1.99k
  if (PG(variables_order) &&
815
1.99k
      (strchr(PG(variables_order),'P') || strchr(PG(variables_order),'p')) &&
816
1.99k
    !SG(headers_sent) &&
817
1.99k
    SG(request_info).request_method &&
818
0
    !strcasecmp(SG(request_info).request_method, "POST")) {
819
0
    sapi_module.treat_data(PARSE_POST, NULL, NULL);
820
1.99k
  } else {
821
1.99k
    zval_ptr_dtor_nogc(&PG(http_globals)[TRACK_VARS_POST]);
822
1.99k
    array_init(&PG(http_globals)[TRACK_VARS_POST]);
823
1.99k
  }
824
825
1.99k
  zend_hash_update(&EG(symbol_table), name, &PG(http_globals)[TRACK_VARS_POST]);
826
1.99k
  Z_ADDREF(PG(http_globals)[TRACK_VARS_POST]);
827
828
1.99k
  return false; /* don't rearm */
829
1.99k
}
830
831
static bool php_auto_globals_create_cookie(zend_string *name)
832
1.99k
{
833
1.99k
  if (PG(variables_order) && (strchr(PG(variables_order),'C') || strchr(PG(variables_order),'c'))) {
834
1.99k
    sapi_module.treat_data(PARSE_COOKIE, NULL, NULL);
835
1.99k
  } else {
836
0
    zval_ptr_dtor_nogc(&PG(http_globals)[TRACK_VARS_COOKIE]);
837
0
    array_init(&PG(http_globals)[TRACK_VARS_COOKIE]);
838
0
  }
839
840
1.99k
  zend_hash_update(&EG(symbol_table), name, &PG(http_globals)[TRACK_VARS_COOKIE]);
841
1.99k
  Z_ADDREF(PG(http_globals)[TRACK_VARS_COOKIE]);
842
843
1.99k
  return false; /* don't rearm */
844
1.99k
}
845
846
static bool php_auto_globals_create_files(zend_string *name)
847
1.99k
{
848
1.99k
  if (Z_TYPE(PG(http_globals)[TRACK_VARS_FILES]) == IS_UNDEF) {
849
1.99k
    array_init(&PG(http_globals)[TRACK_VARS_FILES]);
850
1.99k
  }
851
852
1.99k
  zend_hash_update(&EG(symbol_table), name, &PG(http_globals)[TRACK_VARS_FILES]);
853
1.99k
  Z_ADDREF(PG(http_globals)[TRACK_VARS_FILES]);
854
855
1.99k
  return false; /* don't rearm */
856
1.99k
}
857
858
/* Ugly hack to fix HTTP_PROXY issue, see bug #72573 */
859
static void check_http_proxy(HashTable *var_table)
860
0
{
861
0
  if (zend_hash_str_exists(var_table, "HTTP_PROXY", sizeof("HTTP_PROXY")-1)) {
862
0
    char *local_proxy = getenv("HTTP_PROXY");
863
864
0
    if (!local_proxy) {
865
0
      zend_hash_str_del(var_table, "HTTP_PROXY", sizeof("HTTP_PROXY")-1);
866
0
    } else {
867
0
      zval local_zval;
868
0
      ZVAL_STRING(&local_zval, local_proxy);
869
0
      zend_hash_str_update(var_table, "HTTP_PROXY", sizeof("HTTP_PROXY")-1, &local_zval);
870
0
    }
871
0
  }
872
0
}
873
874
static bool php_auto_globals_create_server(zend_string *name)
875
0
{
876
0
  if (PG(variables_order) && (strchr(PG(variables_order),'S') || strchr(PG(variables_order),'s'))) {
877
0
    php_register_server_variables();
878
879
0
    if (SG(request_info).argc) {
880
0
      zval *argc, *argv;
881
882
0
      if ((argc = zend_hash_find_ex_ind(&EG(symbol_table), ZSTR_KNOWN(ZEND_STR_ARGC), 1)) != NULL &&
883
0
        (argv = zend_hash_find_ex_ind(&EG(symbol_table), ZSTR_KNOWN(ZEND_STR_ARGV), 1)) != NULL) {
884
0
        Z_ADDREF_P(argv);
885
0
        zend_hash_update(Z_ARRVAL(PG(http_globals)[TRACK_VARS_SERVER]), ZSTR_KNOWN(ZEND_STR_ARGV), argv);
886
0
        zend_hash_update(Z_ARRVAL(PG(http_globals)[TRACK_VARS_SERVER]), ZSTR_KNOWN(ZEND_STR_ARGC), argc);
887
0
      }
888
0
    } else if (PG(register_argc_argv)) {
889
0
      zend_error(E_DEPRECATED, "Deriving $_SERVER['argv'] from the query string is deprecated. Configure register_argc_argv=0 to turn this message off");
890
0
      php_build_argv(SG(request_info).query_string, &PG(http_globals)[TRACK_VARS_SERVER]);
891
0
    }
892
893
0
  } else {
894
0
    zval_ptr_dtor_nogc(&PG(http_globals)[TRACK_VARS_SERVER]);
895
0
    array_init(&PG(http_globals)[TRACK_VARS_SERVER]);
896
0
    zend_hash_real_init_mixed(Z_ARRVAL(PG(http_globals)[TRACK_VARS_SERVER]));
897
0
  }
898
899
0
  check_http_proxy(Z_ARRVAL(PG(http_globals)[TRACK_VARS_SERVER]));
900
0
  zend_hash_update(&EG(symbol_table), name, &PG(http_globals)[TRACK_VARS_SERVER]);
901
0
  Z_ADDREF(PG(http_globals)[TRACK_VARS_SERVER]);
902
903
  /* TODO: TRACK_VARS_SERVER is modified in a number of places (e.g. phar) past this point,
904
   * where rc>1 due to the $_SERVER global. Ideally this shouldn't happen, but for now we
905
   * ignore this issue, as it would probably require larger changes. */
906
0
  HT_ALLOW_COW_VIOLATION(Z_ARRVAL(PG(http_globals)[TRACK_VARS_SERVER]));
907
908
0
  return false; /* don't rearm */
909
0
}
910
911
static bool php_auto_globals_create_env(zend_string *name)
912
0
{
913
0
  zval_ptr_dtor_nogc(&PG(http_globals)[TRACK_VARS_ENV]);
914
0
  array_init(&PG(http_globals)[TRACK_VARS_ENV]);
915
916
0
  if (PG(variables_order) && (strchr(PG(variables_order),'E') || strchr(PG(variables_order),'e'))) {
917
0
    php_import_environment_variables(&PG(http_globals)[TRACK_VARS_ENV]);
918
0
  }
919
920
0
  check_http_proxy(Z_ARRVAL(PG(http_globals)[TRACK_VARS_ENV]));
921
0
  zend_hash_update(&EG(symbol_table), name, &PG(http_globals)[TRACK_VARS_ENV]);
922
0
  Z_ADDREF(PG(http_globals)[TRACK_VARS_ENV]);
923
924
0
  return false; /* don't rearm */
925
0
}
926
927
static bool php_auto_globals_create_request(zend_string *name)
928
0
{
929
0
  zval form_variables;
930
0
  unsigned char _gpc_flags[3] = {0, 0, 0};
931
0
  char *p;
932
933
0
  array_init(&form_variables);
934
935
0
  if (PG(request_order) != NULL) {
936
0
    p = PG(request_order);
937
0
  } else {
938
0
    p = PG(variables_order);
939
0
  }
940
941
0
  for (; p && *p; p++) {
942
0
    switch (*p) {
943
0
      case 'g':
944
0
      case 'G':
945
0
        if (!_gpc_flags[0]) {
946
0
          php_autoglobal_merge(Z_ARRVAL(form_variables), Z_ARRVAL(PG(http_globals)[TRACK_VARS_GET]));
947
0
          _gpc_flags[0] = 1;
948
0
        }
949
0
        break;
950
0
      case 'p':
951
0
      case 'P':
952
0
        if (!_gpc_flags[1]) {
953
0
          php_autoglobal_merge(Z_ARRVAL(form_variables), Z_ARRVAL(PG(http_globals)[TRACK_VARS_POST]));
954
0
          _gpc_flags[1] = 1;
955
0
        }
956
0
        break;
957
0
      case 'c':
958
0
      case 'C':
959
0
        if (!_gpc_flags[2]) {
960
0
          php_autoglobal_merge(Z_ARRVAL(form_variables), Z_ARRVAL(PG(http_globals)[TRACK_VARS_COOKIE]));
961
0
          _gpc_flags[2] = 1;
962
0
        }
963
0
        break;
964
0
    }
965
0
  }
966
967
0
  zend_hash_update(&EG(symbol_table), name, &form_variables);
968
0
  return false;
969
0
}
970
971
void php_startup_auto_globals(void)
972
2
{
973
2
  zend_register_auto_global(zend_string_init_interned("_GET", sizeof("_GET")-1, 1), 0, php_auto_globals_create_get);
974
2
  zend_register_auto_global(zend_string_init_interned("_POST", sizeof("_POST")-1, 1), 0, php_auto_globals_create_post);
975
2
  zend_register_auto_global(zend_string_init_interned("_COOKIE", sizeof("_COOKIE")-1, 1), 0, php_auto_globals_create_cookie);
976
2
  zend_register_auto_global(ZSTR_KNOWN(ZEND_STR_AUTOGLOBAL_SERVER), PG(auto_globals_jit) && (SG(request_info).argc || !PG(register_argc_argv)), php_auto_globals_create_server);
977
2
  zend_register_auto_global(ZSTR_KNOWN(ZEND_STR_AUTOGLOBAL_ENV), PG(auto_globals_jit), php_auto_globals_create_env);
978
2
  zend_register_auto_global(ZSTR_KNOWN(ZEND_STR_AUTOGLOBAL_REQUEST), PG(auto_globals_jit), php_auto_globals_create_request);
979
2
  zend_register_auto_global(zend_string_init_interned("_FILES", sizeof("_FILES")-1, 1), 0, php_auto_globals_create_files);
980
2
}