[PHP-CVS] cvs: php-src /ext/standard basic_functions.c

Thu, 29 Sep 2005 09:30:37 -0700 

iliaa           Thu Sep 29 12:30:17 2005 EDT

  Modified files:              
    /php-src/ext/standard       basic_functions.c 
  Log:
  Fixed possible crash and/or memory corruption in import_request_variables()
  Fixed potential GLOBALS overwrite via import_request_variables().
  
  
http://cvs.php.net/diff.php/php-src/ext/standard/basic_functions.c?r1=1.733&r2=1.734&ty=u
Index: php-src/ext/standard/basic_functions.c
diff -u php-src/ext/standard/basic_functions.c:1.733 
php-src/ext/standard/basic_functions.c:1.734
--- php-src/ext/standard/basic_functions.c:1.733        Tue Sep 13 09:22:49 2005
+++ php-src/ext/standard/basic_functions.c      Thu Sep 29 12:30:15 2005
@@ -17,7 +17,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: basic_functions.c,v 1.733 2005/09/13 13:22:49 iliaa Exp $ */
+/* $Id: basic_functions.c,v 1.734 2005/09/29 16:30:15 iliaa Exp $ */
 
 #include "php.h"
 #include "php_streams.h"
@@ -3238,11 +3238,25 @@
        prefix = va_arg(args, char *);
        prefix_len = va_arg(args, uint);
 
-       new_key_len = prefix_len + hash_key->nKeyLength;
-       new_key = (char *) emalloc(new_key_len);
+       if (!prefix_len) {
+               if (!hash_key->nKeyLength) {
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric 
key detected - possible security hazard.");
+                       return 0;
+               } else if (!strcmp(hash_key->u.string, "GLOBALS")) {
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted 
GLOBALS variable overwrite.");
+                       return 0; 
+               }
+       }
+
+       if (hash_key->nKeyLength) {
+               new_key_len = prefix_len + hash_key->nKeyLength;
+               new_key = (char *) emalloc(new_key_len);
 
-       memcpy(new_key, prefix, prefix_len);
-       memcpy(new_key+prefix_len, hash_key->u.string, hash_key->nKeyLength);
+               memcpy(new_key, prefix, prefix_len);
+               memcpy(new_key+prefix_len, hash_key->u.string, 
hash_key->nKeyLength);
+       } else {
+               new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, 
hash_key->h);
+       }
 
        zend_delete_global_variable(new_key, new_key_len-1 TSRMLS_CC);
        ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, 
*var, (*var)->refcount+1, 0);

-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to