ID: 48597
Comment by: chrisstocktonaz at gmail dot com
Reported By: crmalibu at gmail dot com
Status: Open
Bug Type: *General Issues
Operating System: *
PHP Version: 5.*, 6CVS (2009-07-01)
New Comment:
Here is a fix.
Index: main/php_variables.c
===================================================================
--- main/php_variables.c (revision 289602)
+++ main/php_variables.c (working copy)
@@ -61,6 +61,7 @@
{
char *p = NULL;
char *ip; /* index pointer */
+ char *pmarker; /* marker to index before */
char *index, *escaped_index = NULL;
char *var, *var_orig;
int var_len, index_len;
@@ -100,12 +101,19 @@
if (*p == ' ' || *p == '.') {
*p='_';
} else if (*p == '[') {
- is_array = 1;
- ip = p;
- *p = 0;
- break;
+ for(pmarker = p; *pmarker; pmarker++) {
+ if(*pmarker == ']') {
+ is_array = 1;
+ ip = p;
+ *p = 0;
+ goto var_continue;
+ }
+ }
+ *p='_';
}
}
+
+ var_continue:
var_len = p - var;
if (var_len==0) { /* empty variable name, or variable name with a
space in it */
Previous Comments:
------------------------------------------------------------------------
[2009-09-27 02:52:19] [email protected]
See also bug #49683
------------------------------------------------------------------------
[2009-07-04 22:22:55] [email protected]
See also bug #48794
------------------------------------------------------------------------
[2009-06-18 16:17:41] crmalibu at gmail dot com
Description:
------------
I marked the version as 5.2.9 but it looks like the relevant code is
the same for 5.3 and php 6 as well.
I don't know c, so I struggle to read the source code, but I think I
found something unexpected. In main/php_variables.c in
php_register_variable_ex I think the parsing behaves inconsistent.
After reading the comments in the source code, I would think a gpc
variable name should not make it through which has ' ' or '.' or '['
character in the name. But I've found a way to do it. It seems the
routine for recognizing and parsing the array syntax is at fault.
In particular, characters after the first occurrence of a '[' char will
be left alone because it thinks it needs to parse it as the special
array syntax. But while it does later recognize that it's not proper
array syntax, it doesn't properly convert the remaining character to
underscore.
I don't know if this is a bug, or if it's serious or what. But the
source code comment about removing those chars due to not being binary
safe made me think someone needs to look at this.
Reproduce code:
---------------
<form action=>
<input name="goodvar .[">
<input name="goodarray[foo]">
<input name="badvar[ . [">
<input type=submit>
</form>
<?php
print_r($_GET);
?>
Expected result:
----------------
Array
(
[goodvar___] =>
[goodarray] => Array
(
[foo] =>
)
[badvar_____] =>
)
Actual result:
--------------
Array
(
[goodvar___] =>
[goodarray] => Array
(
[foo] =>
)
[badvar_ . [] =>
)
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=48597&edit=1
