From 82dfd93b9dda35adf79a880906e631104e12ef53 Mon Sep 17 00:00:00 2001 From: Ilija Tovilo Date: Mon, 6 Mar 2023 14:01:17 +0100 Subject: [PATCH] Throw on negative setcookie expiration timestamp Fixes GH-10765 --- NEWS | 1 + Zend/tests/gh10765_1.phpt | 17 +++++++++++++++++ Zend/tests/gh10765_2.phpt | 17 +++++++++++++++++ ext/standard/head.c | 2 ++ 4 files changed, 37 insertions(+) create mode 100644 Zend/tests/gh10765_1.phpt create mode 100644 Zend/tests/gh10765_2.phpt diff --git a/NEWS b/NEWS index a988b783f6e..50c4c6d3ae6 100644 --- a/NEWS +++ b/NEWS @@ -130,6 +130,7 @@ PHP NEWS . password_hash() will now chain the original RandomException to the ValueError on salt generation failure. (timwolla) . Fix GH-10239 (proc_close after proc_get_status always returns -1). (nielsdos) + . Fix GH-10765 (Throw on negative setcookie expiration date). (ilutov) - Streams: . Fixed bug #51056: blocking fread() will block even if data is available. diff --git a/Zend/tests/gh10765_1.phpt b/Zend/tests/gh10765_1.phpt new file mode 100644 index 00000000000..37504b72fe4 --- /dev/null +++ b/Zend/tests/gh10765_1.phpt @@ -0,0 +1,17 @@ +--TEST-- +GH-10765: Throw on negative cookie expiration timestamp +--INI-- +date.timezone=UTC +--FILE-- +getMessage(), "\n"; +} + +?> +--EXPECT-- +setcookie(): "expires" option cannot be negative +--EXPECTHEADERS-- diff --git a/Zend/tests/gh10765_2.phpt b/Zend/tests/gh10765_2.phpt new file mode 100644 index 00000000000..9fa07a0ce0b --- /dev/null +++ b/Zend/tests/gh10765_2.phpt @@ -0,0 +1,17 @@ +--TEST-- +GH-10765: Throw on negative cookie expiration timestamp +--INI-- +date.timezone=UTC +--FILE-- + -1]); +} catch (Error $e) { + echo $e->getMessage(), "\n"; +} + +?> +--EXPECT-- +setcookie(): "expires" option cannot be negative +--EXPECTHEADERS-- diff --git a/ext/standard/head.c b/ext/standard/head.c index 5bdae98dfce..0650f8b31f8 100644 --- a/ext/standard/head.c +++ b/ext/standard/head.c 
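Review bot: Both new tests end with an empty `--EXPECTHEADERS--` section, which as far as I recall only compares the header names that are listed in it, so with nothing listed it does not assert that no Set-Cookie header was sent; if the intent is to prove that the invalid cookie is not emitted, the test needs a positive check, for example printing `headers_list()` after the catch block, rather than an empty section. The tests are also placed under `Zend/tests/` while the code under test is `ext/standard/head.c`; `ext/standard/tests/` would keep them next to the component they cover. The `--FILE--` bodies are not legible in this rendering (the PHP between `<?php` and `->getMessage()` is lost), so the exact setcookie() call forms cannot be checked here, though the `--EXPECT--` text matches the message added in head.c.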
@@ -161,6 +161,8 @@ PHPAPI zend_result php_setcookie(zend_string *name, zend_string *value, time_t e
 smart_str_appends(&buf, COOKIE_MAX_AGE);
 smart_str_append_long(&buf, (zend_long) diff);
+ } else if (UNEXPECTED(expires < 0)) {
+ zend_value_error("%s(): \"expires\" option cannot be negative", get_active_function_name());
 }
 }
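Review bot: The new `else if (UNEXPECTED(expires < 0))` branch raises the ValueError but does not leave php_setcookie: after `zend_value_error(...)` control falls out of the block, and the remainder of the function (outside this hunk) presumably keeps appending to `buf` and hands the Set-Cookie line to the SAPI, so the header may still be emitted despite the pending exception and `buf` is not released on this error path. Following the error call with `smart_str_free(&buf);` and `return FAILURE;` would make the failure path honour the function's `zend_result` contract and guarantee nothing is sent for an invalid expiry, which is what the accompanying tests appear to want. A one-line comment on the new branch saying why only negative values are rejected here would also help, since the condition of the preceding `if` is not visible in the hunk. php_setcookie's body starts and ends outside this hunk.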