thetaphi                Wed Jul  2 09:37:39 2003 EDT

  Modified files:              (Branch: PHP_4_3)
    /php-src/sapi/nsapi nsapi.c 
  Log:
  Prevent user from making nested PHP requests with virtual()
  
Index: php-src/sapi/nsapi/nsapi.c
diff -u php-src/sapi/nsapi/nsapi.c:1.28.2.14 php-src/sapi/nsapi/nsapi.c:1.28.2.15
--- php-src/sapi/nsapi/nsapi.c:1.28.2.14        Sun Jun  1 17:15:52 2003
+++ php-src/sapi/nsapi/nsapi.c  Wed Jul  2 09:37:39 2003
@@ -17,7 +17,7 @@
    +----------------------------------------------------------------------+
 */
 
-/* $Id: nsapi.c,v 1.28.2.14 2003/06/01 21:15:52 thetaphi Exp $ */
+/* $Id: nsapi.c,v 1.28.2.15 2003/07/02 13:37:39 thetaphi Exp $ */
 
 /*
  * PHP includes
@@ -203,7 +203,7 @@
        NULL,
        NULL,
        PHP_MINFO(nsapi),
-       "$Id: nsapi.c,v 1.28.2.14 2003/06/01 21:15:52 thetaphi Exp $",
+       "$Revision: 1.28.2.15 $",
        STANDARD_MODULE_PROPERTIES
 };
 /* }}} */
@@ -827,6 +827,15 @@
 
        TSRMLS_FETCH();
 
+       /* check if this uri was included in an other PHP script with virtual()
+          by looking for a request context in the current thread */
+       if (SG(server_context)) {
+               /* send 500 internal server error */
+               log_error(LOG_WARN, "php4_execute", sn, rq, "Cannot make nesting PHP 
requests with virtual()");
+               protocol_status(sn, rq, 500, NULL);
+               return REQ_ABORTED;
+       }
+
        request_context = (nsapi_request_context 
*)MALLOC(sizeof(nsapi_request_context));
        request_context->pb = pb;
        request_context->sn = sn;
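Review bot: The new guard treats any non-NULL `SG(server_context)` as proof of a nested virtual() call, so it is only correct if every exit from this function clears that per-thread pointer. The only reset visible in this commit is the one added in the last hunk, just before `return retval;`. The function body continues outside this hunk, so this cannot be confirmed from here, but if any return sits between the assignment of `SG(server_context)` and that cleanup, the thread would keep a stale pointer and answer every later PHP request with a 500. It is worth checking those paths and stating the invariant in the comment above the check, e.g. `/* relies on SG(server_context) being reset to NULL at the end of every request */`.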
@@ -874,6 +883,7 @@
        nsapi_free((void*)(SG(request_info).content_type));
 
        FREE(request_context);
+       SG(server_context) = NULL;
 
        return retval;
 }
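Review bot: The reset is placed after `FREE(request_context);` and has no comment, so for one statement the per-thread pointer still refers to freed memory. A reader also cannot tell that the nested-request check added earlier in this commit depends on this line. Swapping the order to `SG(server_context) = NULL;` followed by `FREE(request_context);`, and adding `/* clear per-thread context so the next request on this thread is not rejected as nested */`, would make that dependency explicit. The start of the function is outside this hunk.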


