iliaa Mon Dec 5 22:09:25 2005 EDT Modified files: (Branch: PHP_5_1) /php-src NEWS /php-src/main main.c Log: Fixed possible XSS inside error reporting functionality.
http://cvs.php.net/diff.php/php-src/NEWS?r1=1.2027.2.275&r2=1.2027.2.276&ty=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.2027.2.275 php-src/NEWS:1.2027.2.276
--- php-src/NEWS:1.2027.2.275 Mon Dec 5 12:27:02 2005
+++ php-src/NEWS Mon Dec 5 22:09:23 2005
@@ -18,6 +18,7 @@
 . Fixed isset/empty/(bool) behavior
 . Fixed iterator edge cases
 . Added methods getNamespaces(), getDocNamespaces()
+- Fixed possible XSS inside error reporting functionality. (Ilia)
 - Fixed many bugs in OCI8. (Tony)
 - Fixed crash and leak in mysqli when using 4.1.x client libraries and connecting to 5.x server. (Andrey)
http://cvs.php.net/diff.php/php-src/main/main.c?r1=1.640.2.9&r2=1.640.2.10&ty=u
Index: php-src/main/main.c
diff -u php-src/main/main.c:1.640.2.9 php-src/main/main.c:1.640.2.10
--- php-src/main/main.c:1.640.2.9 Mon Dec 5 20:05:55 2005
+++ php-src/main/main.c Mon Dec 5 22:09:24 2005
@@ -18,7 +18,7 @@
 +----------------------------------------------------------------------+
 */
-/* $Id: main.c,v 1.640.2.9 2005/12/06 01:05:55 sniper Exp $ */
+/* $Id: main.c,v 1.640.2.10 2005/12/06 03:09:24 iliaa Exp $ */
 /* {{{ includes */
@@ -433,6 +433,7 @@
 char *space;
 char *class_name = get_active_class_name(&space TSRMLS_CC);
 char *function;
+ int origin_len;
 char *origin;
 char *message;
 int is_function = 0;
@@ -490,9 +491,16 @@
 /* if we still have memory then format the origin */
 if (is_function) {
- spprintf(&origin, 0, "%s%s%s(%s)", class_name, space, function, params);
+ origin_len = spprintf(&origin, 0, "%s%s%s(%s)", class_name, space, function, params);
 } else {
- spprintf(&origin, 0, "%s", function);
+ origin_len = spprintf(&origin, 0, "%s", function);
+ }
+
+ if (PG(html_errors)) {
+ int len;
+ char *replace = php_escape_html_entities(origin, origin_len, &len, 0, ENT_COMPAT, NULL TSRMLS_CC);
+ efree(origin);
+ origin = replace;
 }
 /* origin and buffer available, so lets come up with the error message */
@@ -761,10 +769,17 @@
 } else {
 char *prepend_string = INI_STR("error_prepend_string");
 char *append_string = INI_STR("error_append_string");
- char *error_format = PG(html_errors) ?
- "%s<br />\n<b>%s</b>: %s in <b>%s</b> on line <b>%d</b><br />\n%s"
- : "%s\n%s: %s in %s on line %d\n%s";
- php_printf(error_format, STR_PRINT(prepend_string), error_type_str, buffer, error_filename, error_lineno, STR_PRINT(append_string));
+
+ if (PG(html_errors)) {
+ char *buf, *buf2;
+ int len2, len = spprintf(&buf, 0, "%s<br />\n<b>%s</b>: %s in <b>%s</b> on line <b>%d</b><br />\n%s", STR_PRINT(prepend_string), error_type_str, buffer, error_filename, error_lineno, STR_PRINT(append_string));
+ buf2 = php_escape_html_entities(buf, len, &len2, 0, ENT_COMPAT, NULL TSRMLS_CC);
+ php_printf("%s", buf2);
+ efree(buf);
+ efree(buf2);
+ } else {
+ php_printf("%s\n%s: %s in %s on line %d\n%s", STR_PRINT(prepend_string), error_type_str, buffer, error_filename, error_lineno, STR_PRINT(append_string));
+ }
 }
 }
 #if ZEND_DEBUG
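Review bot: After `origin = replace;` the companion length `origin_len` still holds the pre-escape length while the escaped length written into `len` is discarded, so the (origin, origin_len) pair no longer describes the buffer; add `origin_len = len;` right after the assignment, or drop `len` in favour of a throwaway if nothing downstream reads the length. Because the escaping is done where the message is assembled rather than where it is displayed, the HTML-encoded origin presumably reaches every sink of the message (error log, user error handlers) and not only the HTML display path; that deserves a comment on the `if (PG(html_errors))` line, e.g. `/* origin is HTML-escaped here, so every downstream consumer of the message sees encoded text */`. The enclosing function starts and ends outside the hunk.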
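Review bot: `php_escape_html_entities(buf, len, ...)` is applied to the fully formatted string, so the `<br />` and `<b>` tags this branch itself emits are encoded together with the untrusted parts and the display degrades to literal `&lt;b&gt;` text; only the attacker-influenced fields (`buffer`, and `error_filename` if it can carry user input) should be escaped, before they are formatted into the markup. Since the preceding hunk already escapes the origin inside the message when html_errors is on, escaping `buffer` here would presumably double-encode that portion of messages built through php_verror, yielding `&amp;lt;` artifacts; escaping should happen at exactly one layer. A rewrite of the html branch along these lines is below; the plain-text `else` branch is unchanged. The enclosing function starts and ends outside the hunk.
```c
if (PG(html_errors)) {
	/* escape only the untrusted message text; the markup this branch emits stays intact */
	int len;
	/* NOTE(review): if php_error_cb already has buffer's length in scope, use it instead of strlen */
	char *buf = php_escape_html_entities(buffer, strlen(buffer), &len, 0, ENT_COMPAT, NULL TSRMLS_CC);
	php_printf("%s<br />\n<b>%s</b>: %s in <b>%s</b> on line <b>%d</b><br />\n%s", STR_PRINT(prepend_string), error_type_str, buf, error_filename, error_lineno, STR_PRINT(append_string));
	efree(buf);
} else {
	/* … unchanged: plain-text php_printf … */
}
```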