iliaa Mon Dec 5 22:30:44 2005 EDT
Modified files: (Branch: PHP_4_4)
/php-src NEWS
/php-src/main main.c
Log:
MFH: Fixed possible XSS inside error reporting functionality.
http://cvs.php.net/diff.php/php-src/NEWS?r1=1.1247.2.920.2.92&r2=1.1247.2.920.2.93&ty=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.1247.2.920.2.92 php-src/NEWS:1.1247.2.920.2.93
--- php-src/NEWS:1.1247.2.920.2.92 Mon Dec 5 08:20:17 2005
+++ php-src/NEWS Mon Dec 5 22:30:39 2005
@@ -1,7 +1,8 @@
PHP 4 NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? 2005, Version 4.4.2
-- FIxed bug #35536 (mysql_field_type() doesn't handle NEWDECIMAL). (Tony)
+- Fixed possible XSS inside error reporting functionality. (Ilia)
+- Fixed bug #35536 (mysql_field_type() doesn't handle NEWDECIMAL). (Tony)
- Fixed bug #35410 (wddx_deserialize() doesn't handle large ints as keys
properly). (Ilia)
- Fixed bug #35341 (Fix for bug #33760 breaks build with older curl). (Tony)
http://cvs.php.net/diff.php/php-src/main/main.c?r1=1.512.2.63.2.4&r2=1.512.2.63.2.5&ty=u
Index: php-src/main/main.c
diff -u php-src/main/main.c:1.512.2.63.2.4 php-src/main/main.c:1.512.2.63.2.5
--- php-src/main/main.c:1.512.2.63.2.4 Thu Sep 15 10:06:15 2005
+++ php-src/main/main.c Mon Dec 5 22:30:43 2005
@@ -18,7 +18,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: main.c,v 1.512.2.63.2.4 2005/09/15 14:06:15 hyanantha Exp $ */
+/* $Id: main.c,v 1.512.2.63.2.5 2005/12/06 03:30:43 iliaa Exp $ */
/* {{{ includes
*/
@@ -500,7 +500,10 @@
/* no docref and no html errors -> do not point
to any documentation (e.g. production boxes) */
php_error(type, "%s(%s): %s",
get_active_function_name(TSRMLS_C), params, buffer);
} else if (PG(html_errors)) {
- php_error(type, "%s(%s) [<a
href='%s%s%s'>%s</a>]: %s", get_active_function_name(TSRMLS_C), params,
docref_root, docref, docref_target, docref, buffer);
+ int len;
+ char *replace =
php_escape_html_entities(params, strlen(params), &len, 0, ENT_COMPAT, NULL
TSRMLS_CC);
+ php_error(type, "%s(%s) [<a
href='%s%s%s'>%s</a>]: %s", get_active_function_name(TSRMLS_C), replace,
docref_root, docref, docref_target, docref, buffer);
+ efree(replace);
} else {
php_error(type, "%s(%s) [%s%s%s]: %s",
get_active_function_name(TSRMLS_C), params, docref_root, docref, docref_target,
buffer);
}
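Review bot: Only `params` is entity-encoded in the `PG(html_errors)` branch. `buffer` still goes into the same HTML format string unencoded, and `docref_root`, `docref` and `docref_target` are written into a single-quoted `href='%s%s%s'`, which `ENT_COMPAT` would not protect because it leaves `'` untouched. If `buffer` is meant to be encoded later at display time, say so next to the call, for example `/* only params is encoded here; buffer is encoded when the error is displayed */`. If the docref values can ever carry non-constant text, encode them with `ENT_QUOTES` or switch the attribute to double quotes. `len` is written but never read, and the enclosing function starts and ends outside the hunk.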
@@ -651,10 +654,16 @@
&& (!PG(during_request_startup) ||
PG(display_startup_errors))) {
char *prepend_string = INI_STR("error_prepend_string");
char *append_string = INI_STR("error_append_string");
- char *error_format = PG(html_errors) ?
- "%s<br />\n<b>%s</b>: %s in <b>%s</b> on line
<b>%d</b><br />\n%s"
- : "%s\n%s: %s in %s on line %d\n%s";
- php_printf(error_format, STR_PRINT(prepend_string),
error_type_str, buffer, error_filename, error_lineno, STR_PRINT(append_string));
+ if (PG(html_errors)) {
+ char *buf, *buf2;
+ int len2, len = spprintf(&buf, 0, "%s<br
/>\n<b>%s</b>: %s in <b>%s</b> on line <b>%d</b><br />\n%s",
STR_PRINT(prepend_string), error_type_str, buffer, error_filename,
error_lineno, STR_PRINT(append_string));
+ buf2 = php_escape_html_entities(buf, len,
&len2, 0, ENT_COMPAT, NULL TSRMLS_CC);
+ php_printf("%s", buf2);
+ efree(buf);
+ efree(buf2);
+ } else {
+ php_printf("%s\n%s: %s in %s on line %d\n%s",
STR_PRINT(prepend_string), error_type_str, buffer, error_filename,
error_lineno, STR_PRINT(append_string));
+ }
}
#if ZEND_DEBUG
{
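Review bot: In the `PG(html_errors)` branch the whole formatted string is passed to `php_escape_html_entities`, so the `<br />` and `<b>` tags from the format string and any markup in `error_prepend_string` / `error_append_string` are entity-encoded along with the message. The browser would then show the tags as literal text instead of rendering them. Encoding should be limited to the untrusted pieces before they are formatted, as sketched below for `buffer`; `error_filename` may deserve the same treatment. If `buffer` can already hold the `<a href=…>` link built in the docref branch of this file, that link would be encoded too, so the message text would need encoding before the link is added; that path is not visible here. The enclosing function starts and ends outside the hunk.

```c
if (PG(html_errors)) {
	int msg_len;
	/* encode only the message text; the markup in the format string stays HTML */
	char *msg = php_escape_html_entities(buffer, strlen(buffer), &msg_len, 0, ENT_COMPAT, NULL TSRMLS_CC);
	php_printf("%s<br />\n<b>%s</b>: %s in <b>%s</b> on line <b>%d</b><br />\n%s", STR_PRINT(prepend_string), error_type_str, msg, error_filename, error_lineno, STR_PRINT(append_string));
	efree(msg);
} else {
	/* … unchanged: plain-text php_printf … */
}
```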