vrana has raised a good point about a potentially dangerous behavior of ini_set() in https://bugs.php.net/bug.php?id=60668.
Here is my proposed patch. Feedback is appreciated. Thanks! Kiyoto Tamura diff --git a/Zend/zend_ini.c b/Zend/zend_ini.c index a7ec5d7..89b1287 100644 --- a/Zend/zend_ini.c +++ b/Zend/zend_ini.c @@ -83,6 +83,23 @@ static int zend_restore_ini_entry_wrapper(zend_ini_entry **ini_entry TSRMLS_DC) } /* }}} */ +static uint zend_trim_after_carriage_return(char *value, uint value_length) /* {{{ */ +{ + uint ii; + char prev_c = '\0', curr_c; + for (ii = 0; ii < value_length; ++ii) { + curr_c = *value; + if (prev_c == '\r' && curr_c == '\n') { + return ii - 1; + } + prev_c = curr_c; + ++value; + } + + return value_length; +} +/* }}} */ + /* * Startup / shutdown */ @@ -288,6 +305,11 @@ ZEND_API int zend_alter_ini_entry_ex(char *name, uint name_length, char *new_val zend_hash_add(EG(modified_ini_directives), name, name_length, &ini_entry, sizeof(zend_ini_entry*), NULL); } + // per Bug #60668, truncate the string after /r/n for user_agent for security + if (strcmp(name, "user_agent") == 0) { + new_value_length = zend_trim_after_carriage_return(new_value, new_value_length); + } + duplicate = estrndup(new_value, new_value_length); if (!ini_entry->on_modify @@ -672,6 +694,7 @@ ZEND_API ZEND_INI_MH(OnUpdateStringUnempty) /* {{{ */ *p = new_value; return SUCCESS; } /* }}} */ /* -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
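Review bot: In `zend_trim_after_carriage_return` the loop cuts the value only at a `\r\n` pair, so a lone `\n` or a lone `\r` is kept, and RFC 7230 allows HTTP recipients to treat a bare LF as a line terminator. If the goal is that user_agent can never start a new header line, cut at the first of either byte: `if (*value == '\r' || *value == '\n') { return ii; }`, which also removes the need for `prev_c`. The helper only reads the buffer, so the parameter can be `const char *value`.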
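Review bot: The `strcmp(name, "user_agent")` test in `zend_alter_ini_entry_ex` puts a rule for one directive into the generic ini path and shortens the value without telling the caller; the context lines show this function already consults `ini_entry->on_modify`, so a handler on the user_agent entry looks like the more natural place, where the value could also be rejected with a warning instead of silently cut. This check presumably covers only values that pass through this function, so a user agent supplied by another route (for example a stream context option) would need its own check, which is worth confirming. The comment writes `/r/n` for `\r\n` and uses `//` where the file's other visible comments are `/* */`; I would write `/* Bug #60668: truncate user_agent at a line break so it cannot add header lines */`. The function body starts and ends outside the hunk.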