1 /*
2 +----------------------------------------------------------------------+
3 | Copyright (c) The PHP Group |
4 +----------------------------------------------------------------------+
5 | This source file is subject to version 3.01 of the PHP license, |
6 | that is bundled with this package in the file LICENSE, and is |
7 | available through the world-wide-web at the following url: |
8 | http://www.php.net/license/3_01.txt |
9 | If you did not receive a copy of the PHP license and are unable to |
10 | obtain it through the world-wide-web, please send a note to |
11 | license@php.net so we can mail you a copy immediately. |
12 +----------------------------------------------------------------------+
13 | Author: Rasmus Lerdorf <rasmus@lerdorf.on.ca> |
14 +----------------------------------------------------------------------+
15 */
16
17 #include <stdio.h>
18 #include "php.h"
19 #include "ext/standard/php_standard.h"
20 #include "ext/date/php_date.h"
21 #include "SAPI.h"
22 #include "php_main.h"
23 #include "head.h"
24 #include <time.h>
25
26 #include "php_globals.h"
27 #include "zend_smart_str.h"
28
29
30 /* Implementation of the language Header() function */
31 /* {{{ Sends a raw HTTP header */
PHP_FUNCTION(header)32 PHP_FUNCTION(header)
33 {
34 zend_bool rep = 1;
35 sapi_header_line ctr = {0};
36 char *line;
37 size_t len;
38
39 ZEND_PARSE_PARAMETERS_START(1, 3)
40 Z_PARAM_STRING(line, len)
41 Z_PARAM_OPTIONAL
42 Z_PARAM_BOOL(rep)
43 Z_PARAM_LONG(ctr.response_code)
44 ZEND_PARSE_PARAMETERS_END();
45
46 ctr.line = line;
47 ctr.line_len = (uint32_t)len;
48 sapi_header_op(rep ? SAPI_HEADER_REPLACE:SAPI_HEADER_ADD, &ctr);
49 }
50 /* }}} */
51
52 /* {{{ Removes an HTTP header previously set using header() */
PHP_FUNCTION(header_remove)53 PHP_FUNCTION(header_remove)
54 {
55 sapi_header_line ctr = {0};
56 char *line = NULL;
57 size_t len = 0;
58
59 ZEND_PARSE_PARAMETERS_START(0, 1)
60 Z_PARAM_OPTIONAL
61 Z_PARAM_STRING_OR_NULL(line, len)
62 ZEND_PARSE_PARAMETERS_END();
63
64 ctr.line = line;
65 ctr.line_len = (uint32_t)len;
66 sapi_header_op(line == NULL ? SAPI_HEADER_DELETE_ALL : SAPI_HEADER_DELETE, &ctr);
67 }
68 /* }}} */
69
php_header(void)70 PHPAPI int php_header(void)
71 {
72 if (sapi_send_headers()==FAILURE || SG(request_info).headers_only) {
73 return 0; /* don't allow output */
74 } else {
75 return 1; /* allow output */
76 }
77 }
78
79 #define ILLEGAL_COOKIE_CHARACTER "\",\", \";\", \" \", \"\\t\", \"\\r\", \"\\n\", \"\\013\", or \"\\014\""
php_setcookie(zend_string * name,zend_string * value,time_t expires,zend_string * path,zend_string * domain,bool secure,bool httponly,zend_string * samesite,bool url_encode)80 PHPAPI zend_result php_setcookie(zend_string *name, zend_string *value, time_t expires,
81 zend_string *path, zend_string *domain, bool secure, bool httponly,
82 zend_string *samesite, bool url_encode)
83 {
84 zend_string *dt;
85 sapi_header_line ctr = {0};
86 zend_result result;
87 smart_str buf = {0};
88
89 if (!ZSTR_LEN(name)) {
90 zend_argument_value_error(1, "cannot be empty");
91 return FAILURE;
92 }
93 if (strpbrk(ZSTR_VAL(name), "=,; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
94 zend_argument_value_error(1, "cannot contain \"=\", " ILLEGAL_COOKIE_CHARACTER);
95 return FAILURE;
96 }
97 if (!url_encode && value &&
98 strpbrk(ZSTR_VAL(value), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
99 zend_argument_value_error(2, "cannot contain " ILLEGAL_COOKIE_CHARACTER);
100 return FAILURE;
101 }
102
103 if (path && strpbrk(ZSTR_VAL(path), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
104 zend_value_error("%s(): \"path\" option cannot contain " ILLEGAL_COOKIE_CHARACTER,
105 get_active_function_name());
106 return FAILURE;
107 }
108 if (domain && strpbrk(ZSTR_VAL(domain), ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
109 zend_value_error("%s(): \"domain\" option cannot contain " ILLEGAL_COOKIE_CHARACTER,
110 get_active_function_name());
111 return FAILURE;
112 }
113 /* Should check value of SameSite? */
114
115 if (value == NULL || ZSTR_LEN(value) == 0) {
116 /*
117 * MSIE doesn't delete a cookie when you set it to a null value
118 * so in order to force cookies to be deleted, even on MSIE, we
119 * pick an expiry date in the past
120 */
121 dt = php_format_date("D, d-M-Y H:i:s T", sizeof("D, d-M-Y H:i:s T")-1, 1, 0);
122 smart_str_appends(&buf, "Set-Cookie: ");
123 smart_str_append(&buf, name);
124 smart_str_appends(&buf, "=deleted; expires=");
125 smart_str_append(&buf, dt);
126 smart_str_appends(&buf, "; Max-Age=0");
127 zend_string_free(dt);
128 } else {
129 smart_str_appends(&buf, "Set-Cookie: ");
130 smart_str_append(&buf, name);
131 smart_str_appendc(&buf, '=');
132 if (url_encode) {
133 zend_string *encoded_value = php_raw_url_encode(ZSTR_VAL(value), ZSTR_LEN(value));
134 smart_str_append(&buf, encoded_value);
135 zend_string_release_ex(encoded_value, 0);
136 } else {
137 smart_str_append(&buf, value);
138 }
139 if (expires > 0) {
140 const char *p;
141 double diff;
142
143 smart_str_appends(&buf, COOKIE_EXPIRES);
144 dt = php_format_date("D, d-M-Y H:i:s T", sizeof("D, d-M-Y H:i:s T")-1, expires, 0);
145 /* check to make sure that the year does not exceed 4 digits in length */
146 p = zend_memrchr(ZSTR_VAL(dt), '-', ZSTR_LEN(dt));
147 if (!p || *(p + 5) != ' ') {
148 zend_string_free(dt);
149 smart_str_free(&buf);
150 zend_value_error("%s(): \"expires\" option cannot have a year greater than 9999",
151 get_active_function_name());
152 return FAILURE;
153 }
154
155 smart_str_append(&buf, dt);
156 zend_string_free(dt);
157
158 diff = difftime(expires, php_time());
159 if (diff < 0) {
160 diff = 0;
161 }
162
163 smart_str_appends(&buf, COOKIE_MAX_AGE);
164 smart_str_append_long(&buf, (zend_long) diff);
165 }
166 }
167
168 if (path && ZSTR_LEN(path)) {
169 smart_str_appends(&buf, COOKIE_PATH);
170 smart_str_append(&buf, path);
171 }
172 if (domain && ZSTR_LEN(domain)) {
173 smart_str_appends(&buf, COOKIE_DOMAIN);
174 smart_str_append(&buf, domain);
175 }
176 if (secure) {
177 smart_str_appends(&buf, COOKIE_SECURE);
178 }
179 if (httponly) {
180 smart_str_appends(&buf, COOKIE_HTTPONLY);
181 }
182 if (samesite && ZSTR_LEN(samesite)) {
183 smart_str_appends(&buf, COOKIE_SAMESITE);
184 smart_str_append(&buf, samesite);
185 }
186
187 ctr.line = ZSTR_VAL(buf.s);
188 ctr.line_len = (uint32_t) ZSTR_LEN(buf.s);
189
190 result = sapi_header_op(SAPI_HEADER_ADD, &ctr);
191 zend_string_release(buf.s);
192 return result;
193 }
194
php_head_parse_cookie_options_array(HashTable * options,zend_long * expires,zend_string ** path,zend_string ** domain,zend_bool * secure,zend_bool * httponly,zend_string ** samesite)195 static zend_result php_head_parse_cookie_options_array(HashTable *options, zend_long *expires, zend_string **path,
196 zend_string **domain, zend_bool *secure, zend_bool *httponly, zend_string **samesite)
197 {
198 zend_string *key;
199 zval *value;
200
201 ZEND_HASH_FOREACH_STR_KEY_VAL(options, key, value) {
202 if (!key) {
203 zend_value_error("%s(): option array cannot have numeric keys", get_active_function_name());
204 return FAILURE;
205 }
206 if (zend_string_equals_literal_ci(key, "expires")) {
207 *expires = zval_get_long(value);
208 } else if (zend_string_equals_literal_ci(key, "path")) {
209 *path = zval_get_string(value);
210 } else if (zend_string_equals_literal_ci(key, "domain")) {
211 *domain = zval_get_string(value);
212 } else if (zend_string_equals_literal_ci(key, "secure")) {
213 *secure = zval_is_true(value);
214 } else if (zend_string_equals_literal_ci(key, "httponly")) {
215 *httponly = zval_is_true(value);
216 } else if (zend_string_equals_literal_ci(key, "samesite")) {
217 *samesite = zval_get_string(value);
218 } else {
219 zend_value_error("%s(): option \"%s\" is invalid", get_active_function_name(), ZSTR_VAL(key));
220 return FAILURE;
221 }
222 } ZEND_HASH_FOREACH_END();
223 return SUCCESS;
224 }
225
php_setcookie_common(INTERNAL_FUNCTION_PARAMETERS,bool is_raw)226 static void php_setcookie_common(INTERNAL_FUNCTION_PARAMETERS, bool is_raw)
227 {
228 HashTable *options = NULL;
229 zend_long expires = 0;
230 zend_string *name, *value = NULL, *path = NULL, *domain = NULL, *samesite = NULL;
231 zend_bool secure = 0, httponly = 0;
232
233 ZEND_PARSE_PARAMETERS_START(1, 7)
234 Z_PARAM_STR(name)
235 Z_PARAM_OPTIONAL
236 Z_PARAM_STR(value)
237 Z_PARAM_ARRAY_HT_OR_LONG(options, expires)
238 Z_PARAM_STR(path)
239 Z_PARAM_STR(domain)
240 Z_PARAM_BOOL(secure)
241 Z_PARAM_BOOL(httponly)
242 ZEND_PARSE_PARAMETERS_END();
243
244 if (options) {
245 if (UNEXPECTED(ZEND_NUM_ARGS() > 3)) {
246 zend_argument_count_error("%s(): Expects exactly 3 arguments when argument #3 "
247 "($expires_or_options) is an array", get_active_function_name());
248 RETURN_THROWS();
249 }
250
251 if (FAILURE == php_head_parse_cookie_options_array(options, &expires, &path,
252 &domain, &secure, &httponly, &samesite)
253 ) {
254 goto cleanup;
255 }
256 }
257
258 if (php_setcookie(name, value, expires, path, domain, secure, httponly, samesite, !is_raw) == SUCCESS) {
259 RETVAL_TRUE;
260 } else {
261 RETVAL_FALSE;
262 }
263
264 if (options) {
265 cleanup:
266 if (path) {
267 zend_string_release(path);
268 }
269 if (domain) {
270 zend_string_release(domain);
271 }
272 if (samesite) {
273 zend_string_release(samesite);
274 }
275 }
276 }
277
278 /* {{{ setcookie(string name [, string value [, array options]])
279 Send a cookie */
PHP_FUNCTION(setcookie)280 PHP_FUNCTION(setcookie)
281 {
282 php_setcookie_common(INTERNAL_FUNCTION_PARAM_PASSTHRU, false);
283 }
284 /* }}} */
285
286 /* {{{ setrawcookie(string name [, string value [, array options]])
287 Send a cookie with no url encoding of the value */
PHP_FUNCTION(setrawcookie)288 PHP_FUNCTION(setrawcookie)
289 {
290 php_setcookie_common(INTERNAL_FUNCTION_PARAM_PASSTHRU, true);
291 }
292 /* }}} */
293
294
295 /* {{{ Returns true if headers have already been sent, false otherwise */
PHP_FUNCTION(headers_sent)296 PHP_FUNCTION(headers_sent)
297 {
298 zval *arg1 = NULL, *arg2 = NULL;
299 const char *file="";
300 int line=0;
301
302 ZEND_PARSE_PARAMETERS_START(0, 2)
303 Z_PARAM_OPTIONAL
304 Z_PARAM_ZVAL(arg1)
305 Z_PARAM_ZVAL(arg2)
306 ZEND_PARSE_PARAMETERS_END();
307
308 if (SG(headers_sent)) {
309 line = php_output_get_start_lineno();
310 file = php_output_get_start_filename();
311 }
312
313 switch(ZEND_NUM_ARGS()) {
314 case 2:
315 ZEND_TRY_ASSIGN_REF_LONG(arg2, line);
316 case 1:
317 if (file) {
318 ZEND_TRY_ASSIGN_REF_STRING(arg1, file);
319 } else {
320 ZEND_TRY_ASSIGN_REF_EMPTY_STRING(arg1);
321 }
322 break;
323 }
324
325 if (SG(headers_sent)) {
326 RETURN_TRUE;
327 } else {
328 RETURN_FALSE;
329 }
330 }
331 /* }}} */
332
333 /* {{{ php_head_apply_header_list_to_hash
334 Turn an llist of sapi_header_struct headers into a numerically indexed zval hash */
php_head_apply_header_list_to_hash(void * data,void * arg)335 static void php_head_apply_header_list_to_hash(void *data, void *arg)
336 {
337 sapi_header_struct *sapi_header = (sapi_header_struct *)data;
338
339 if (arg && sapi_header) {
340 add_next_index_string((zval *)arg, (char *)(sapi_header->header));
341 }
342 }
343
344 /* {{{ Return list of headers to be sent / already sent */
PHP_FUNCTION(headers_list)345 PHP_FUNCTION(headers_list)
346 {
347 ZEND_PARSE_PARAMETERS_NONE();
348
349 array_init(return_value);
350 zend_llist_apply_with_argument(&SG(sapi_headers).headers, php_head_apply_header_list_to_hash, return_value);
351 }
352 /* }}} */
353
354 /* {{{ Sets a response code, or returns the current HTTP response code */
PHP_FUNCTION(http_response_code)355 PHP_FUNCTION(http_response_code)
356 {
357 zend_long response_code = 0;
358
359 ZEND_PARSE_PARAMETERS_START(0, 1)
360 Z_PARAM_OPTIONAL
361 Z_PARAM_LONG(response_code)
362 ZEND_PARSE_PARAMETERS_END();
363
364 if (response_code)
365 {
366 zend_long old_response_code;
367
368 old_response_code = SG(sapi_headers).http_response_code;
369 SG(sapi_headers).http_response_code = (int)response_code;
370
371 if (old_response_code) {
372 RETURN_LONG(old_response_code);
373 }
374
375 RETURN_TRUE;
376 }
377
378 if (!SG(sapi_headers).http_response_code) {
379 RETURN_FALSE;
380 }
381
382 RETURN_LONG(SG(sapi_headers).http_response_code);
383 }
384 /* }}} */
385
