Coverage Report

Created: 2025-06-13 06:43

/src/php-src/ext/standard/head.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
   +----------------------------------------------------------------------+
3
   | Copyright (c) The PHP Group                                          |
4
   +----------------------------------------------------------------------+
5
   | This source file is subject to version 3.01 of the PHP license,      |
6
   | that is bundled with this package in the file LICENSE, and is        |
7
   | available through the world-wide-web at the following url:           |
8
   | https://www.php.net/license/3_01.txt                                 |
9
   | If you did not receive a copy of the PHP license and are unable to   |
10
   | obtain it through the world-wide-web, please send a note to          |
11
   | license@php.net so we can mail you a copy immediately.               |
12
   +----------------------------------------------------------------------+
13
   | Author: Rasmus Lerdorf <rasmus@lerdorf.on.ca>                        |
14
   +----------------------------------------------------------------------+
15
 */
16
17
#include <stdio.h>
18
#include "php.h"
19
#include "ext/standard/php_standard.h"
20
#include "ext/date/php_date.h"
21
#include "SAPI.h"
22
#include "php_main.h"
23
#include "head.h"
24
#include <time.h>
25
26
#include "php_globals.h"
27
#include "zend_smart_str.h"
28
29
30
/* Implementation of the language Header() function */
31
/* {{{ Sends a raw HTTP header */
32
PHP_FUNCTION(header)
33
138
{
34
138
  bool rep = 1;
35
138
  sapi_header_line ctr = {0};
36
138
  char *line;
37
138
  size_t len;
38
39
414
  ZEND_PARSE_PARAMETERS_START(1, 3)
40
552
    Z_PARAM_STRING(line, len)
41
138
    Z_PARAM_OPTIONAL
42
410
    Z_PARAM_BOOL(rep)
43
217
    Z_PARAM_LONG(ctr.response_code)
44
138
  ZEND_PARSE_PARAMETERS_END();
45
46
138
  ctr.line = line;
47
138
  ctr.line_len = len;
48
138
  sapi_header_op(rep ? SAPI_HEADER_REPLACE:SAPI_HEADER_ADD, &ctr);
49
138
}
50
/* }}} */
51
52
/* {{{ Removes an HTTP header previously set using header() */
53
PHP_FUNCTION(header_remove)
54
0
{
55
0
  sapi_header_line ctr = {0};
56
0
  char *line = NULL;
57
0
  size_t len = 0;
58
59
0
  ZEND_PARSE_PARAMETERS_START(0, 1)
60
0
    Z_PARAM_OPTIONAL
61
0
    Z_PARAM_STRING_OR_NULL(line, len)
62
0
  ZEND_PARSE_PARAMETERS_END();
63
64
0
  ctr.line = line;
65
0
  ctr.line_len = len;
66
0
  sapi_header_op(line == NULL ? SAPI_HEADER_DELETE_ALL : SAPI_HEADER_DELETE, &ctr);
67
0
}
68
/* }}} */
69
70
PHPAPI bool php_header(void)
71
300k
{
72
300k
  if (sapi_send_headers()==FAILURE || SG(request_info).headers_only) {
73
0
    return false; /* don't allow output */
74
300k
  } else {
75
300k
    return true; /* allow output */
76
300k
  }
77
300k
}
78
79
0
#define ILLEGAL_COOKIE_CHARACTER "\",\", \";\", \" \", \"\\t\", \"\\r\", \"\\n\", \"\\013\", or \"\\014\""
80
PHPAPI zend_result php_setcookie(zend_string *name, zend_string *value, time_t expires,
81
  zend_string *path, zend_string *domain, bool secure, bool httponly,
82
  zend_string *samesite, bool url_encode)
83
0
{
84
0
  zend_string *dt;
85
0
  sapi_header_line ctr = {0};
86
0
  zend_result result;
87
0
  smart_str buf = {0};
88
89
0
  if (!ZSTR_LEN(name)) {
90
0
    zend_argument_must_not_be_empty_error(1);
91
0
    return FAILURE;
92
0
  }
93
0
  if (strpbrk(ZSTR_VAL(name), "=,; \t\r\n\013\014") != NULL) {   /* man isspace for \013 and \014 */
94
0
    zend_argument_value_error(1, "cannot contain \"=\", " ILLEGAL_COOKIE_CHARACTER);
95
0
    return FAILURE;
96
0
  }
97
0
  if (!url_encode && value &&
98
0
      strpbrk(ZSTR_VAL(value), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
99
0
    zend_argument_value_error(2, "cannot contain " ILLEGAL_COOKIE_CHARACTER);
100
0
    return FAILURE;
101
0
  }
102
103
0
  if (path && strpbrk(ZSTR_VAL(path), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
104
0
    zend_value_error("%s(): \"path\" option cannot contain " ILLEGAL_COOKIE_CHARACTER,
105
0
      get_active_function_name());
106
0
    return FAILURE;
107
0
  }
108
0
  if (domain && strpbrk(ZSTR_VAL(domain), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
109
0
    zend_value_error("%s(): \"domain\" option cannot contain " ILLEGAL_COOKIE_CHARACTER,
110
0
      get_active_function_name());
111
0
    return FAILURE;
112
0
  }
113
0
#ifdef ZEND_ENABLE_ZVAL_LONG64
114
0
  if (expires >= 253402300800) {
115
0
    zend_value_error("%s(): \"expires\" option cannot have a year greater than 9999",
116
0
      get_active_function_name());
117
0
    return FAILURE;
118
0
  }
119
0
#endif
120
121
  /* Should check value of SameSite? */
122
123
0
  if (value == NULL || ZSTR_LEN(value) == 0) {
124
    /*
125
     * MSIE doesn't delete a cookie when you set it to a null value
126
     * so in order to force cookies to be deleted, even on MSIE, we
127
     * pick an expiry date in the past
128
     */
129
0
    dt = php_format_date("D, d M Y H:i:s \\G\\M\\T", sizeof("D, d M Y H:i:s \\G\\M\\T")-1, 1, 0);
130
0
    smart_str_appends(&buf, "Set-Cookie: ");
131
0
    smart_str_append(&buf, name);
132
0
    smart_str_appends(&buf, "=deleted; expires=");
133
0
    smart_str_append(&buf, dt);
134
0
    smart_str_appends(&buf, "; Max-Age=0");
135
0
    zend_string_free(dt);
136
0
  } else {
137
0
    smart_str_appends(&buf, "Set-Cookie: ");
138
0
    smart_str_append(&buf, name);
139
0
    smart_str_appendc(&buf, '=');
140
0
    if (url_encode) {
141
0
      zend_string *encoded_value = php_raw_url_encode(ZSTR_VAL(value), ZSTR_LEN(value));
142
0
      smart_str_append(&buf, encoded_value);
143
0
      zend_string_release_ex(encoded_value, 0);
144
0
    } else {
145
0
      smart_str_append(&buf, value);
146
0
    }
147
148
0
    if (expires > 0) {
149
0
      double diff;
150
151
0
      smart_str_appends(&buf, COOKIE_EXPIRES);
152
0
      dt = php_format_date("D, d M Y H:i:s \\G\\M\\T", sizeof("D, d M Y H:i:s \\G\\M\\T")-1, expires, 0);
153
154
0
      smart_str_append(&buf, dt);
155
0
      zend_string_free(dt);
156
157
0
      diff = difftime(expires, php_time());
158
0
      if (diff < 0) {
159
0
        diff = 0;
160
0
      }
161
162
0
      smart_str_appends(&buf, COOKIE_MAX_AGE);
163
0
      smart_str_append_long(&buf, (zend_long) diff);
164
0
    }
165
0
  }
166
167
0
  if (path && ZSTR_LEN(path)) {
168
0
    smart_str_appends(&buf, COOKIE_PATH);
169
0
    smart_str_append(&buf, path);
170
0
  }
171
0
  if (domain && ZSTR_LEN(domain)) {
172
0
    smart_str_appends(&buf, COOKIE_DOMAIN);
173
0
    smart_str_append(&buf, domain);
174
0
  }
175
0
  if (secure) {
176
0
    smart_str_appends(&buf, COOKIE_SECURE);
177
0
  }
178
0
  if (httponly) {
179
0
    smart_str_appends(&buf, COOKIE_HTTPONLY);
180
0
  }
181
0
  if (samesite && ZSTR_LEN(samesite)) {
182
0
    smart_str_appends(&buf, COOKIE_SAMESITE);
183
0
    smart_str_append(&buf, samesite);
184
0
  }
185
186
0
  ctr.line = ZSTR_VAL(buf.s);
187
0
  ctr.line_len = (uint32_t) ZSTR_LEN(buf.s);
188
189
0
  result = sapi_header_op(SAPI_HEADER_ADD, &ctr);
190
0
  zend_string_release(buf.s);
191
0
  return result;
192
0
}
193
194
static zend_result php_head_parse_cookie_options_array(HashTable *options, zend_long *expires, zend_string **path,
195
    zend_string **domain, bool *secure, bool *httponly, zend_string **samesite)
196
0
{
197
0
  zend_string *key;
198
0
  zval *value;
199
200
0
  ZEND_HASH_FOREACH_STR_KEY_VAL(options, key, value) {
201
0
    if (!key) {
202
0
      zend_value_error("%s(): option array cannot have numeric keys", get_active_function_name());
203
0
      return FAILURE;
204
0
    }
205
0
    if (zend_string_equals_literal_ci(key, "expires")) {
206
0
      *expires = zval_get_long(value);
207
0
    } else if (zend_string_equals_literal_ci(key, "path")) {
208
0
      *path = zval_get_string(value);
209
0
    } else if (zend_string_equals_literal_ci(key, "domain")) {
210
0
      *domain = zval_get_string(value);
211
0
    } else if (zend_string_equals_literal_ci(key, "secure")) {
212
0
      *secure = zval_is_true(value);
213
0
    } else if (zend_string_equals_literal_ci(key, "httponly")) {
214
0
      *httponly = zval_is_true(value);
215
0
    } else if (zend_string_equals_literal_ci(key, "samesite")) {
216
0
      *samesite = zval_get_string(value);
217
0
    } else {
218
0
      zend_value_error("%s(): option \"%s\" is invalid", get_active_function_name(), ZSTR_VAL(key));
219
0
      return FAILURE;
220
0
    }
221
0
  } ZEND_HASH_FOREACH_END();
222
0
  return SUCCESS;
223
0
}
224
225
static void php_setcookie_common(INTERNAL_FUNCTION_PARAMETERS, bool is_raw)
226
0
{
227
0
  HashTable *options = NULL;
228
0
  zend_long expires = 0;
229
0
  zend_string *name, *value = NULL, *path = NULL, *domain = NULL, *samesite = NULL;
230
0
  bool secure = 0, httponly = 0;
231
232
0
  ZEND_PARSE_PARAMETERS_START(1, 7)
233
0
    Z_PARAM_STR(name)
234
0
    Z_PARAM_OPTIONAL
235
0
    Z_PARAM_STR(value)
236
0
    Z_PARAM_ARRAY_HT_OR_LONG(options, expires)
237
0
    Z_PARAM_STR(path)
238
0
    Z_PARAM_STR(domain)
239
0
    Z_PARAM_BOOL(secure)
240
0
    Z_PARAM_BOOL(httponly)
241
0
  ZEND_PARSE_PARAMETERS_END();
242
243
0
  if (options) {
244
0
    if (UNEXPECTED(ZEND_NUM_ARGS() > 3)) {
245
0
      zend_argument_count_error("%s(): Expects exactly 3 arguments when argument #3 "
246
0
        "($expires_or_options) is an array", get_active_function_name());
247
0
      RETURN_THROWS();
248
0
    }
249
250
0
    if (FAILURE == php_head_parse_cookie_options_array(options, &expires, &path,
251
0
      &domain, &secure, &httponly, &samesite)
252
0
    ) {
253
0
      goto cleanup;
254
0
    }
255
0
  }
256
257
0
  if (php_setcookie(name, value, expires, path, domain, secure, httponly, samesite, !is_raw) == SUCCESS) {
258
0
    RETVAL_TRUE;
259
0
  } else {
260
0
    RETVAL_FALSE;
261
0
  }
262
263
0
  if (options) {
264
0
cleanup:
265
0
    if (path) {
266
0
      zend_string_release(path);
267
0
    }
268
0
    if (domain) {
269
0
      zend_string_release(domain);
270
0
    }
271
0
    if (samesite) {
272
0
      zend_string_release(samesite);
273
0
    }
274
0
  }
275
0
}
276
277
/* {{{ setcookie(string name [, string value [, array options]])
278
   Send a cookie */
279
PHP_FUNCTION(setcookie)
280
0
{
281
0
  php_setcookie_common(INTERNAL_FUNCTION_PARAM_PASSTHRU, false);
282
0
}
283
/* }}} */
284
285
/* {{{ setrawcookie(string name [, string value [, array options]])
286
   Send a cookie with no url encoding of the value */
287
PHP_FUNCTION(setrawcookie)
288
0
{
289
0
  php_setcookie_common(INTERNAL_FUNCTION_PARAM_PASSTHRU, true);
290
0
}
291
/* }}} */
292
293
294
/* {{{ Returns true if headers have already been sent, false otherwise */
295
PHP_FUNCTION(headers_sent)
296
12
{
297
12
  zval *arg1 = NULL, *arg2 = NULL;
298
12
  const char *file="";
299
12
  int line=0;
300
301
36
  ZEND_PARSE_PARAMETERS_START(0, 2)
302
36
    Z_PARAM_OPTIONAL
303
48
    Z_PARAM_ZVAL(arg1)
304
48
    Z_PARAM_ZVAL(arg2)
305
34
  ZEND_PARSE_PARAMETERS_END();
306
307
12
  if (SG(headers_sent)) {
308
0
    line = php_output_get_start_lineno();
309
0
    file = php_output_get_start_filename();
310
0
  }
311
312
12
  switch(ZEND_NUM_ARGS()) {
313
5
  case 2:
314
5
    ZEND_TRY_ASSIGN_REF_LONG(arg2, line);
315
5
    ZEND_FALLTHROUGH;
316
12
  case 1:
317
12
    if (file) {
318
12
      ZEND_TRY_ASSIGN_REF_STRING(arg1, file);
319
12
    } else {
320
0
      ZEND_TRY_ASSIGN_REF_EMPTY_STRING(arg1);
321
0
    }
322
12
    break;
323
12
  }
324
325
12
  if (SG(headers_sent)) {
326
5
    RETURN_TRUE;
327
7
  } else {
328
7
    RETURN_FALSE;
329
7
  }
330
12
}
331
/* }}} */
332
333
/* {{{ php_head_apply_header_list_to_hash
334
   Turn an llist of sapi_header_struct headers into a numerically indexed zval hash */
335
static void php_head_apply_header_list_to_hash(void *data, void *arg)
336
0
{
337
0
  sapi_header_struct *sapi_header = (sapi_header_struct *)data;
338
339
0
  if (arg && sapi_header) {
340
0
    add_next_index_string((zval *)arg, (char *)(sapi_header->header));
341
0
  }
342
0
}
343
344
/* {{{ Return list of headers to be sent / already sent */
345
PHP_FUNCTION(headers_list)
346
0
{
347
0
  ZEND_PARSE_PARAMETERS_NONE();
348
349
0
  array_init(return_value);
350
0
  zend_llist_apply_with_argument(&SG(sapi_headers).headers, php_head_apply_header_list_to_hash, return_value);
351
0
}
352
/* }}} */
353
354
/* {{{ Sets a response code, or returns the current HTTP response code */
355
PHP_FUNCTION(http_response_code)
356
0
{
357
0
  zend_long response_code = 0;
358
359
0
  ZEND_PARSE_PARAMETERS_START(0, 1)
360
0
    Z_PARAM_OPTIONAL
361
0
    Z_PARAM_LONG(response_code)
362
0
  ZEND_PARSE_PARAMETERS_END();
363
364
0
  if (response_code)
365
0
  {
366
0
    if (SG(headers_sent) && !SG(request_info).no_headers) {
367
0
      const char *output_start_filename = php_output_get_start_filename();
368
0
      int output_start_lineno = php_output_get_start_lineno();
369
370
0
      if (output_start_filename) {
371
0
        php_error_docref(NULL, E_WARNING, "Cannot set response code - headers already sent "
372
0
          "(output started at %s:%d)", output_start_filename, output_start_lineno);
373
0
      } else {
374
0
        php_error_docref(NULL, E_WARNING, "Cannot set response code - headers already sent");
375
0
      }
376
0
      RETURN_FALSE;
377
0
    }
378
0
    zend_long old_response_code;
379
380
0
    old_response_code = SG(sapi_headers).http_response_code;
381
0
    SG(sapi_headers).http_response_code = (int)response_code;
382
383
0
    if (old_response_code) {
384
0
      RETURN_LONG(old_response_code);
385
0
    }
386
387
0
    RETURN_TRUE;
388
0
  }
389
390
0
  if (!SG(sapi_headers).http_response_code) {
391
0
    RETURN_FALSE;
392
0
  }
393
394
0
  RETURN_LONG(SG(sapi_headers).http_response_code);
395
0
}
396
/* }}} */