vrana has raised a good point about a potentially dangerous behavior of ini_set() 
in https://bugs.php.net/bug.php?id=60668 (user_agent is written into an outgoing HTTP request, so a CR/LF in the value can inject headers).

Here is my proposed patch. Feedback is appreciated. Thanks!

Kiyoto Tamura

diff --git a/Zend/zend_ini.c b/Zend/zend_ini.c
index a7ec5d7..89b1287 100644
--- a/Zend/zend_ini.c
+++ b/Zend/zend_ini.c
@@ -83,6 +83,23 @@ static int zend_restore_ini_entry_wrapper(zend_ini_entry 
**ini_entry TSRMLS_DC)
 }
 /* }}} */
 
+static uint zend_trim_after_carriage_return(char *value, uint value_length) /* 
{{{ */
+{
+    uint ii;
+    char prev_c = '\0', curr_c;
+    for (ii = 0; ii < value_length; ++ii) {
+        curr_c = *value;
+        if (prev_c == '\r' && curr_c == '\n') {
+            return ii - 1;
+        }
+        prev_c = curr_c;
+        ++value;
+    }
+    
+    return value_length;
+}
+/* }}} */
+
 /*
  * Startup / shutdown
  */
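Review bot: zend_trim_after_carriage_return only truncates at a `\r\n` pair, so a bare `\n` (or a bare `\r`) passes through untouched; since the whole point, per the linked bug, is presumably that the value ends up in a request header, and a lone LF is also accepted as a line terminator by many HTTP parsers, the function should stop at the first CR or LF regardless of pairing. The `prev_c`/`ii - 1` bookkeeping then disappears, which also removes the need to reason about `ii - 1` being non-negative (it is, because `prev_c == '\r'` implies `ii >= 1`). The function name and the comment should say what is actually done, e.g. `/* Length of value up to, but excluding, the first CR or LF; value_length if there is none. */`. The function is fully visible in this hunk.
```c
static uint zend_trim_after_carriage_return(char *value, uint value_length) /* {{{ */
{
    uint ii;
    /* Stop at the first CR or LF, not only at a CRLF pair: a lone LF is
     * enough to terminate a header line for many HTTP parsers. */
    for (ii = 0; ii < value_length; ++ii) {
        if (value[ii] == '\r' || value[ii] == '\n') {
            return ii;
        }
    }
    return value_length;
}
/* }}} */
```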
@@ -288,6 +305,11 @@ ZEND_API int zend_alter_ini_entry_ex(char *name, uint 
name_length, char *new_val
                zend_hash_add(EG(modified_ini_directives), name, name_length, 
&ini_entry, sizeof(zend_ini_entry*), NULL);
        }
 
+    // per Bug #60668, truncate the string after /r/n for user_agent for 
security
+    if (strcmp(name, "user_agent") == 0) {
+        new_value_length = zend_trim_after_carriage_return(new_value, 
new_value_length);       
+    }
+
        duplicate = estrndup(new_value, new_value_length);
 
        if (!ini_entry->on_modify
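Review bot: The truncation added before `duplicate = estrndup(...)` is silent: `ini_set('user_agent', "foo\r\nX-Injected: 1")` reports success and returns the old value while the stored value has been cut, so a caller has no way to notice the rejection. Returning FAILURE is safer and more discoverable, e.g. `if (strcmp(name, "user_agent") == 0 && zend_trim_after_carriage_return(new_value, new_value_length) != new_value_length) { return FAILURE; }`, and that check should sit before the `modified_ini_directives` bookkeeping above it so a rejected value leaves no state behind. Keying the special case on the directive name inside the generic engine is also fragile: the protection belongs in the directive's own on_modify handler or at the point where the header is built, so that the rule follows the directive rather than zend_alter_ini_entry_ex, whose body starts and ends outside this hunk. Minor: `strcmp` assumes `name` is NUL-terminated even though the function is given `name_length`, the Zend sources use `/* */` rather than `//` comments, and the added lines carry trailing whitespace.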
@@ -672,6 +694,7 @@ ZEND_API ZEND_INI_MH(OnUpdateStringUnempty) /* {{{ */
        *p = new_value;
        return SUCCESS;
 }
 /* }}} */
 
 /*

