/src/php-src/ext/standard/head.c
1 | | /* |
2 | | +----------------------------------------------------------------------+ |
3 | | | Copyright (c) The PHP Group | |
4 | | +----------------------------------------------------------------------+ |
5 | | | This source file is subject to version 3.01 of the PHP license, | |
6 | | | that is bundled with this package in the file LICENSE, and is | |
7 | | | available through the world-wide-web at the following url: | |
8 | | | https://www.php.net/license/3_01.txt | |
9 | | | If you did not receive a copy of the PHP license and are unable to | |
10 | | | obtain it through the world-wide-web, please send a note to | |
11 | | | license@php.net so we can mail you a copy immediately. | |
12 | | +----------------------------------------------------------------------+ |
13 | | | Author: Rasmus Lerdorf <rasmus@lerdorf.on.ca> | |
14 | | +----------------------------------------------------------------------+ |
15 | | */ |
16 | | |
17 | | #include <stdio.h> |
18 | | #include "php.h" |
19 | | #include "ext/standard/php_standard.h" |
20 | | #include "ext/date/php_date.h" |
21 | | #include "SAPI.h" |
22 | | #include "php_main.h" |
23 | | #include "head.h" |
24 | | #include <time.h> |
25 | | |
26 | | #include "php_globals.h" |
27 | | #include "zend_smart_str.h" |
28 | | |
29 | | |
/* Implementation of the language Header() function */
/* {{{ Sends a raw HTTP header */
PHP_FUNCTION(header)
{
	bool replace = 1;
	sapi_header_line ctr = {0};
	char *header_line;
	size_t header_len;

	/* header(string header [, bool replace [, int response_code]]);
	 * the optional third argument is stored straight into ctr.response_code. */
	ZEND_PARSE_PARAMETERS_START(1, 3)
		Z_PARAM_STRING(header_line, header_len)
		Z_PARAM_OPTIONAL
		Z_PARAM_BOOL(replace)
		Z_PARAM_LONG(ctr.response_code)
	ZEND_PARSE_PARAMETERS_END();

	ctr.line = header_line;
	ctr.line_len = header_len;

	/* replace selects SAPI_HEADER_REPLACE, otherwise SAPI_HEADER_ADD.  The line
	 * itself is handed over unmodified; any content checks happen inside
	 * sapi_header_op(), not in this function. */
	int op = SAPI_HEADER_ADD;
	if (replace) {
		op = SAPI_HEADER_REPLACE;
	}
	sapi_header_op(op, &ctr);
}
/* }}} */
51 | | |
/* {{{ Removes an HTTP header previously set using header() */
PHP_FUNCTION(header_remove)
{
	sapi_header_line ctr = {0};
	char *header_name = NULL;
	size_t header_name_len = 0;

	/* header_remove([?string name]): a missing or null name means "all". */
	ZEND_PARSE_PARAMETERS_START(0, 1)
		Z_PARAM_OPTIONAL
		Z_PARAM_STRING_OR_NULL(header_name, header_name_len)
	ZEND_PARSE_PARAMETERS_END();

	ctr.line = header_name;
	ctr.line_len = header_name_len;

	/* NULL name -> SAPI_HEADER_DELETE_ALL, otherwise delete just that header. */
	int op = SAPI_HEADER_DELETE;
	if (header_name == NULL) {
		op = SAPI_HEADER_DELETE_ALL;
	}
	sapi_header_op(op, &ctr);
}
/* }}} */
69 | | |
/* Flushes the pending headers through the SAPI and reports whether body output
 * may follow.  Returns false when sending the headers failed or when the request
 * is flagged headers_only in SG(request_info) (presumably set for requests that
 * carry no body, e.g. HEAD -- confirm in the SAPI layer); true otherwise. */
PHPAPI bool php_header(void)
{
	if (sapi_send_headers() == FAILURE) {
		return false; /* don't allow output */
	}
	/* Headers went out; output is allowed unless the request wants none. */
	return !SG(request_info).headers_only;
}
78 | | |
/* Human-readable list of the bytes rejected in cookie names, values, paths and
 * domains; keep it in step with the strpbrk() sets used in php_setcookie(). */
#define ILLEGAL_COOKIE_CHARACTER "\",\", \";\", \" \", \"\\t\", \"\\r\", \"\\n\", \"\\013\", or \"\\014\""
/* Builds one "Set-Cookie:" header line and queues it via sapi_header_op(SAPI_HEADER_ADD).
 *
 * name        must be non-empty and free of "=" and the bytes named in
 *             ILLEGAL_COOKIE_CHARACTER; otherwise an error is raised for argument #1.
 * value       NULL or empty produces a deletion cookie ("deleted", an expiry date in
 *             the past and Max-Age=0).  Otherwise it is appended percent-encoded
 *             (url_encode true) or verbatim (url_encode false, in which case it is
 *             first checked for the separator bytes).
 * expires     Unix time; when > 0 an "expires=" date and a "Max-Age=" computed
 *             relative to php_time() (clamped at 0) are appended.  0 adds neither.
 * path, domain
 *             optional; rejected if they contain separator bytes, appended when
 *             non-empty.
 * secure, httponly
 *             append the corresponding flag attribute when true.
 * samesite    appended verbatim when non-empty; its content is not validated here.
 * url_encode  whether value goes through php_raw_url_encode().
 *
 * Returns FAILURE after raising an error for a bad argument, otherwise the result
 * of sapi_header_op().  Takes ownership of none of its arguments.
 *
 * NOTE(review): the strpbrk() checks read ZSTR_VAL() as a C string and so stop at
 * the first NUL byte; a zend_string with an embedded NUL is only inspected up to
 * that point.  Whether sapi_header_op() rejects NUL bytes in the finished line is
 * not visible in this file -- confirm there.
 */
PHPAPI zend_result php_setcookie(zend_string *name, zend_string *value, time_t expires,
	zend_string *path, zend_string *domain, bool secure, bool httponly,
	zend_string *samesite, bool url_encode)
{
	zend_string *dt;
	sapi_header_line ctr = {0};
	zend_result result;
	smart_str buf = {0};

	if (!ZSTR_LEN(name)) {
		zend_argument_must_not_be_empty_error(1);
		return FAILURE;
	}
	/* "=" would end the name early; the rest are attribute separators and
	 * whitespace (\013 = VT, \014 = FF; see man isspace). */
	if (strpbrk(ZSTR_VAL(name), "=,; \t\r\n\013\014") != NULL) {
		zend_argument_value_error(1, "cannot contain \"=\", " ILLEGAL_COOKIE_CHARACTER);
		return FAILURE;
	}
	/* Only a raw (un-encoded) value is checked for separators; with url_encode
	 * those bytes get percent-encoded before being appended.  value may be NULL. */
	if (!url_encode && value &&
		strpbrk(ZSTR_VAL(value), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
		zend_argument_value_error(2, "cannot contain " ILLEGAL_COOKIE_CHARACTER);
		return FAILURE;
	}

	/* path and domain are reported as option names rather than argument
	 * positions, since they may arrive via the options array. */
	if (path && strpbrk(ZSTR_VAL(path), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
		zend_value_error("%s(): \"path\" option cannot contain " ILLEGAL_COOKIE_CHARACTER,
			get_active_function_name());
		return FAILURE;
	}
	if (domain && strpbrk(ZSTR_VAL(domain), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
		zend_value_error("%s(): \"domain\" option cannot contain " ILLEGAL_COOKIE_CHARACTER,
			get_active_function_name());
		return FAILURE;
	}
#ifdef ZEND_ENABLE_ZVAL_LONG64
	/* 253402300800 is 10000-01-01 00:00:00 UTC: the formatted date must keep a
	 * four-digit year.  Only compiled with 64-bit zend_long, since a 32-bit
	 * value cannot reach this bound anyway. */
	if (expires >= 253402300800) {
		zend_value_error("%s(): \"expires\" option cannot have a year greater than 9999",
			get_active_function_name());
		return FAILURE;
	}
#endif

	/* Should check value of SameSite?  (samesite is appended below without any
	 * validation of its content.) */

	if (value == NULL || ZSTR_LEN(value) == 0) {
		/*
		 * MSIE doesn't delete a cookie when you set it to a null value
		 * so in order to force cookies to be deleted, even on MSIE, we
		 * pick an expiry date in the past
		 */
		/* Timestamp 1 = one second after the Unix epoch; the trailing 0 is
		 * presumably the local-time flag, matching the literal GMT in the format
		 * -- confirm against php_format_date(). */
		dt = php_format_date("D, d M Y H:i:s \\G\\M\\T", sizeof("D, d M Y H:i:s \\G\\M\\T")-1, 1, 0);
		smart_str_appends(&buf, "Set-Cookie: ");
		smart_str_append(&buf, name);
		smart_str_appends(&buf, "=deleted; expires=");
		smart_str_append(&buf, dt);
		/* Max-Age=0 is the modern way to say "expire now"; the date above is the
		 * fallback for clients that ignore Max-Age. */
		smart_str_appends(&buf, "; Max-Age=0");
		zend_string_free(dt);
	} else {
		smart_str_appends(&buf, "Set-Cookie: ");
		smart_str_append(&buf, name);
		smart_str_appendc(&buf, '=');
		if (url_encode) {
			/* php_raw_url_encode() returns a new string that must be released. */
			zend_string *encoded_value = php_raw_url_encode(ZSTR_VAL(value), ZSTR_LEN(value));
			smart_str_append(&buf, encoded_value);
			zend_string_release_ex(encoded_value, 0);
		} else {
			smart_str_append(&buf, value);
		}

		/* expires == 0 emits no expiry attributes at all. */
		if (expires > 0) {
			double diff;

			smart_str_appends(&buf, COOKIE_EXPIRES);
			dt = php_format_date("D, d M Y H:i:s \\G\\M\\T", sizeof("D, d M Y H:i:s \\G\\M\\T")-1, expires, 0);

			smart_str_append(&buf, dt);
			zend_string_free(dt);

			/* Max-Age is the number of seconds from now; a date already in the
			 * past is clamped to 0 rather than sent as a negative value. */
			diff = difftime(expires, php_time());
			if (diff < 0) {
				diff = 0;
			}

			smart_str_appends(&buf, COOKIE_MAX_AGE);
			smart_str_append_long(&buf, (zend_long) diff);
		}
	}

	/* Optional attributes, each emitted only when set / non-empty. */
	if (path && ZSTR_LEN(path)) {
		smart_str_appends(&buf, COOKIE_PATH);
		smart_str_append(&buf, path);
	}
	if (domain && ZSTR_LEN(domain)) {
		smart_str_appends(&buf, COOKIE_DOMAIN);
		smart_str_append(&buf, domain);
	}
	if (secure) {
		smart_str_appends(&buf, COOKIE_SECURE);
	}
	if (httponly) {
		smart_str_appends(&buf, COOKIE_HTTPONLY);
	}
	if (samesite && ZSTR_LEN(samesite)) {
		smart_str_appends(&buf, COOKIE_SAMESITE);
		smart_str_append(&buf, samesite);
	}

	/* buf.s is non-NULL here: both branches above appended "Set-Cookie: ".
	 * The cast narrows to the width of sapi_header_line.line_len. */
	ctr.line = ZSTR_VAL(buf.s);
	ctr.line_len = (uint32_t) ZSTR_LEN(buf.s);

	/* The buffer is released right after the call, so sapi_header_op() must not
	 * keep the pointer (presumably it copies the line -- confirm there). */
	result = sapi_header_op(SAPI_HEADER_ADD, &ctr);
	zend_string_release(buf.s);
	return result;
}
193 | | |
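/* Stores zval_get_string(value) into *slot, releasing whatever reference the
 * slot already holds.  Option keys are matched case-insensitively, so e.g.
 * "path" and "PATH" are two distinct HashTable keys that both land in the same
 * slot; without the release the first reference would leak. */
static void php_head_store_cookie_option_string(zend_string **slot, zval *value)
{
	zend_string *fresh = zval_get_string(value);
	if (*slot) {
		zend_string_release(*slot);
	}
	*slot = fresh;
}

/* Parses the array form of setcookie()'s third argument into the individual
 * cookie attributes.
 *
 * options   the option array; string keys are matched case-insensitively
 *           against "expires", "path", "domain", "secure", "httponly" and
 *           "samesite".
 * expires   receives zval_get_long() of the "expires" entry.
 * path, domain, samesite
 *           receive new zend_string references that the caller owns and must
 *           release -- also after FAILURE, since entries before the offending
 *           key have already been stored.  Each slot must be NULL or hold a
 *           reference this function may release.
 * secure, httponly
 *           receive zval_is_true() of their entries.
 *
 * Returns SUCCESS, or FAILURE after raising a ValueError for a numeric key or
 * an unknown option name.
 */
static zend_result php_head_parse_cookie_options_array(HashTable *options, zend_long *expires, zend_string **path,
	zend_string **domain, bool *secure, bool *httponly, zend_string **samesite)
{
	zend_string *key;
	zval *value;

	ZEND_HASH_FOREACH_STR_KEY_VAL(options, key, value) {
		if (!key) {
			zend_value_error("%s(): option array cannot have numeric keys", get_active_function_name());
			return FAILURE;
		}
		if (zend_string_equals_literal_ci(key, "expires")) {
			*expires = zval_get_long(value);
		} else if (zend_string_equals_literal_ci(key, "path")) {
			php_head_store_cookie_option_string(path, value);
		} else if (zend_string_equals_literal_ci(key, "domain")) {
			php_head_store_cookie_option_string(domain, value);
		} else if (zend_string_equals_literal_ci(key, "secure")) {
			*secure = zval_is_true(value);
		} else if (zend_string_equals_literal_ci(key, "httponly")) {
			*httponly = zval_is_true(value);
		} else if (zend_string_equals_literal_ci(key, "samesite")) {
			php_head_store_cookie_option_string(samesite, value);
		} else {
			zend_value_error("%s(): option \"%s\" is invalid", get_active_function_name(), ZSTR_VAL(key));
			return FAILURE;
		}
	} ZEND_HASH_FOREACH_END();
	return SUCCESS;
}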
224 | | |
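/* Shared body of setcookie() and setrawcookie().
 *
 * Parses (name [, value [, expires_or_options [, path [, domain [, secure
 * [, httponly]]]]]]) and forwards to php_setcookie(); is_raw selects whether
 * the value is percent-encoded (false) or sent verbatim (true).  When the third
 * argument is an array it must be the last argument, and the strings it yields
 * (path, domain, samesite) are owned here and released before returning.  With
 * the positional form those strings are borrowed from the call arguments and
 * must not be released.  return_value is set to true/false from the result of
 * php_setcookie(), or left untouched when an error has already been raised.
 */
static void php_setcookie_common(INTERNAL_FUNCTION_PARAMETERS, bool is_raw)
{
	HashTable *options = NULL;
	zend_long expires = 0;
	zend_string *name, *value = NULL, *path = NULL, *domain = NULL, *samesite = NULL;
	bool secure = 0, httponly = 0;

	ZEND_PARSE_PARAMETERS_START(1, 7)
		Z_PARAM_STR(name)
		Z_PARAM_OPTIONAL
		Z_PARAM_STR(value)
		Z_PARAM_ARRAY_HT_OR_LONG(options, expires)
		Z_PARAM_STR(path)
		Z_PARAM_STR(domain)
		Z_PARAM_BOOL(secure)
		Z_PARAM_BOOL(httponly)
	ZEND_PARSE_PARAMETERS_END();

	/* Replaces the former goto into the middle of the cleanup block: when the
	 * option array fails to parse, the error already raised is the outcome and
	 * no cookie is sent, but the strings stored so far still need releasing. */
	bool options_ok = true;

	if (options) {
		if (UNEXPECTED(ZEND_NUM_ARGS() > 3)) {
			zend_argument_count_error("%s(): Expects exactly 3 arguments when argument #3 "
				"($expires_or_options) is an array", get_active_function_name());
			RETURN_THROWS();
		}

		options_ok = php_head_parse_cookie_options_array(options, &expires, &path,
			&domain, &secure, &httponly, &samesite) != FAILURE;
	}

	if (options_ok) {
		RETVAL_BOOL(php_setcookie(name, value, expires, path, domain, secure, httponly, samesite, !is_raw) == SUCCESS);
	}

	/* Only the option-array form allocates these; the positional form's
	 * strings belong to the call arguments. */
	if (options) {
		if (path) {
			zend_string_release(path);
		}
		if (domain) {
			zend_string_release(domain);
		}
		if (samesite) {
			zend_string_release(samesite);
		}
	}
}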
276 | | |
/* {{{ setcookie(string name [, string value [, array options]])
   Send a cookie; the value is url-encoded before being sent */
PHP_FUNCTION(setcookie)
{
	/* is_raw = false: php_setcookie_common() percent-encodes the value. */
	const bool raw_value = false;
	php_setcookie_common(INTERNAL_FUNCTION_PARAM_PASSTHRU, raw_value);
}
/* }}} */
284 | | |
/* {{{ setrawcookie(string name [, string value [, array options]])
   Send a cookie with no url encoding of the value */
PHP_FUNCTION(setrawcookie)
{
	/* is_raw = true: the value is sent verbatim, so php_setcookie() checks it
	 * for separator bytes instead of encoding it. */
	const bool raw_value = true;
	php_setcookie_common(INTERNAL_FUNCTION_PARAM_PASSTHRU, raw_value);
}
/* }}} */
292 | | |
293 | | |
/* {{{ Returns true if headers have already been sent, false otherwise */
PHP_FUNCTION(headers_sent)
{
	zval *file_ref = NULL, *line_ref = NULL;
	const char *start_file = "";
	int start_line = 0;

	/* headers_sent([&file [, &line]]): both arguments are by-reference outputs. */
	ZEND_PARSE_PARAMETERS_START(0, 2)
		Z_PARAM_OPTIONAL
		Z_PARAM_ZVAL(file_ref)
		Z_PARAM_ZVAL(line_ref)
	ZEND_PARSE_PARAMETERS_END();

	/* A location to report only exists once output has started. */
	if (SG(headers_sent)) {
		start_line = php_output_get_start_lineno();
		start_file = php_output_get_start_filename();
	}

	/* Fill the references that were passed: line needs two arguments,
	 * file needs at least one. */
	uint32_t nargs = ZEND_NUM_ARGS();
	if (nargs == 2) {
		ZEND_TRY_ASSIGN_REF_LONG(line_ref, start_line);
	}
	if (nargs >= 1) {
		if (start_file) {
			ZEND_TRY_ASSIGN_REF_STRING(file_ref, start_file);
		} else {
			/* php_output_get_start_filename() returned NULL */
			ZEND_TRY_ASSIGN_REF_EMPTY_STRING(file_ref);
		}
	}

	RETURN_BOOL(SG(headers_sent));
}
/* }}} */
332 | | |
/* {{{ php_head_apply_header_list_to_hash
   Turn an llist of sapi_header_struct headers into a numerically indexed zval hash */
/* zend_llist_apply_with_argument() callback: data is the list element, arg the
 * array being filled.  Either being NULL makes this a no-op. */
static void php_head_apply_header_list_to_hash(void *data, void *arg)
{
	sapi_header_struct *hdr = data;
	zval *list = arg;

	if (!list || !hdr) {
		return;
	}
	/* add_next_index_string() stores its own copy of the header text. */
	add_next_index_string(list, (char *)(hdr->header));
}
343 | | |
/* {{{ Return list of headers to be sent / already sent */
PHP_FUNCTION(headers_list)
{
	ZEND_PARSE_PARAMETERS_NONE();

	/* Walk the SAPI's header list and copy each line into a fresh array. */
	zval *list = return_value;
	array_init(list);
	zend_llist_apply_with_argument(&SG(sapi_headers).headers,
		php_head_apply_header_list_to_hash, list);
}
/* }}} */
353 | | |
/* {{{ Sets a response code, or returns the current HTTP response code */
PHP_FUNCTION(http_response_code)
{
	zend_long new_code = 0;

	ZEND_PARSE_PARAMETERS_START(0, 1)
		Z_PARAM_OPTIONAL
		Z_PARAM_LONG(new_code)
	ZEND_PARSE_PARAMETERS_END();

	/* Getter form: no (or zero) argument reports the code currently set,
	 * or false when none has been set. */
	if (!new_code) {
		zend_long current = SG(sapi_headers).http_response_code;
		if (!current) {
			RETURN_FALSE;
		}
		RETURN_LONG(current);
	}

	/* Setter form: refused once headers are out, unless the request emits
	 * no headers at all. */
	if (SG(headers_sent) && !SG(request_info).no_headers) {
		const char *start_file = php_output_get_start_filename();
		int start_line = php_output_get_start_lineno();

		if (start_file) {
			php_error_docref(NULL, E_WARNING, "Cannot set response code - headers already sent "
				"(output started at %s:%d)", start_file, start_line);
		} else {
			php_error_docref(NULL, E_WARNING, "Cannot set response code - headers already sent");
		}
		RETURN_FALSE;
	}

	/* NOTE(review): the value is narrowed to int with no range check; whatever
	 * the caller passed is stored as-is. */
	zend_long previous = SG(sapi_headers).http_response_code;
	SG(sapi_headers).http_response_code = (int)new_code;

	/* The previously set code is returned when there was one, true otherwise. */
	if (previous) {
		RETURN_LONG(previous);
	}
	RETURN_TRUE;
}
/* }}} */