Small fix#1

VKCOM · Dec 28, 2024 · 71349ba · 71349ba
1 parent e1ec752
commit 71349ba
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 17 deletions.
diff --git a/flex/flex.cpp b/flex/flex.cpp
@@ -142,15 +142,21 @@ vk::string_view flex(vk::string_view name, vk::string_view case_name, bool is_fe
         memcpy(dst_buf + wp, name.data() + left_pos, right_pos - left_pos);
         wp += (right_pos - left_pos);
       } else {
-        int ml = right_pos - left_pos - cur_lang->nodes[best_node].tail_len;
-        if (ml < 0) {
-          ml = 0;
-        }
-        memcpy(dst_buf + wp, name.data() + left_pos, ml);
-        wp += ml;
-        strcpy(dst_buf + wp, cur_lang->endings[r * cur_lang->cases_num + ca]);
-        wp += static_cast<int>(strlen(cur_lang->endings[r * cur_lang->cases_num + ca]));
-      }
+    int ml = right_pos - left_pos - cur_lang->nodes[best_node].tail_len;
+    if (ml < 0) {
+        ml = 0;
+    }
+    // Copy a section of `name` into `dst_buf` using memcpy
+    memcpy(dst_buf + wp, name.data() + left_pos, ml);
+    wp += ml;
+    // Safely copy the string using strncpy
+    const char* ending = cur_lang->endings[r * cur_lang->cases_num + ca];
+    size_t ending_len = strlen(ending);
+    strncpy(dst_buf + wp, ending, ending_len);
+    // Ensure the destination buffer is null-terminated
+    dst_buf[wp + ending_len] = '\0';
+    wp += static_cast<int>(ending_len);
+}
     }
     if (hyphen) {
       dst_buf[wp++] = '-';

diff --git a/tests/phpt/pk/015_header.php b/tests/phpt/pk/015_header.php
@@ -8,8 +8,15 @@
 header('X-TEST-3: value1', false);
 header('X-TEST-3: value2', false);
 header('X-TEST-3: value3', true);
-header('Date: haha, date in tests');
-setcookie('test-cookie', 'blabla');
+header('Date: haha, date in tests')
+
+// Установка cookie с безопасными флагами
+setcookie('test-cookie', 'blabla', [
+  'httponly' => true, // Prevent access to the cookie via JavaScript
+  'secure' => true,  // Send the cookie only over HTTPS
+  'samesite' => 'Strict' // Prevent CSRF by limiting cross-site requests
+]);
+
 $x = headers_list();
 
 #ifndef KPHP
@@ -22,8 +29,8 @@
   'X-TEST-2: value1', 
   'X-TEST-2: value2', 
   'X-TEST-3: value3', 
-  'Set-Cookie: test-cookie=blabla'
+  'Set-Cookie: test-cookie=blabla; HttpOnly; Secure; SameSite=Strict'
 ];
 #endif
 
-var_dump($x);
+var_dump($x);
diff --git a/vkext/vk_zend.h b/vkext/vk_zend.h
@@ -178,12 +178,18 @@ static zend_always_inline zend_class_entry *vk_get_class(const char *class_name)
   return res_class_entry;
 }
 
-static zend_always_inline void vk_get_class_name(const zval *object, char *dst) {
-  zend_string *zend_str_class_name = Z_OBJ_HANDLER_P(object, get_class_name)(Z_OBJ_P(object));
-  strcpy(dst, zend_str_class_name->val);
-  zend_string_release(zend_str_class_name);
+static zend_always_inline void vk_get_class_name(const zval *object, char *dst, size_t dst_size) {
+    // Get the class name of the object
+    zend_string *zend_str_class_name = Z_OBJ_HANDLER_P(object, get_class_name)(Z_OBJ_P(object));
+    // Safely copy the class name to the destination buffer
+    strncpy(dst, zend_str_class_name->val, dst_size - 1);
+    // Ensure null-termination
+    dst[dst_size - 1] = '\0';
+    // Release the zend string
+    zend_string_release(zend_str_class_name);
 }
 
+
 static zend_always_inline zval *vk_zend_read_public_property(zval *object, const char *prop_name) {
 #if PHP_MAJOR_VERSION >= 8
   return zend_read_property(NULL, Z_OBJ(*object), prop_name, strlen(prop_name), 0, NULL);