hirokawa Sun Mar 12 07:54:03 2006 UTC Modified files: /php-src/ext/mbstring mbstring.c Log: fixed a possible null injection caused by missuse of mbstring.substitute_character. http://cvs.php.net/viewcvs.cgi/php-src/ext/mbstring/mbstring.c?r1=1.242&r2=1.243&diff_format=u Index: php-src/ext/mbstring/mbstring.c diff -u php-src/ext/mbstring/mbstring.c:1.242 php-src/ext/mbstring/mbstring.c:1.243 --- php-src/ext/mbstring/mbstring.c:1.242 Fri Mar 10 16:36:52 2006 +++ php-src/ext/mbstring/mbstring.c Sun Mar 12 07:54:03 2006 @@ -17,7 +17,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: mbstring.c,v 1.242 2006/03/10 16:36:52 masugata Exp $ */ +/* $Id: mbstring.c,v 1.243 2006/03/12 07:54:03 hirokawa Exp $ */ /* * PHP 4 Multibyte String module "mbstring" @@ -688,6 +688,9 @@ /* {{{ static PHP_INI_MH(OnUpdate_mbstring_substitute_character) */ static PHP_INI_MH(OnUpdate_mbstring_substitute_character) { + int c; + char *endptr = NULL; + if (new_value != NULL) { if (strcasecmp("none", new_value) == 0) { MBSTRG(filter_illegal_mode) = MBFL_OUTPUTFILTER_ILLEGAL_MODE_NONE; @@ -695,7 +698,12 @@ MBSTRG(filter_illegal_mode) = MBFL_OUTPUTFILTER_ILLEGAL_MODE_LONG; } else { MBSTRG(filter_illegal_mode) = MBFL_OUTPUTFILTER_ILLEGAL_MODE_CHAR; - MBSTRG(filter_illegal_substchar) = zend_atoi(new_value, new_value_length); + if (new_value_length >0) { + c = strtol(new_value, &endptr, 0); + if (*endptr == '\0') { + MBSTRG(filter_illegal_substchar) = c; + } + } } }
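Review bot: In the `else` branch of OnUpdate_mbstring_substitute_character, the strtol() result is stored in `int c` and assigned with no range check, so an explicit `0` (or `0x0`), a negative number, or a value truncated from `long` still reaches `MBSTRG(filter_illegal_substchar)`. If the aim is to keep a NUL out of converted output, the guard should reject those too, for example `long c;` with `if (endptr == new_value + new_value_length && c > 0 && c <= INT_MAX) {`. Comparing `endptr` against the end of the buffer would also stop an embedded NUL from being taken as the end of the number. When the value is rejected, `filter_illegal_mode` has already been set to CHAR and the previous substitute character stays in place. The handler's return statement is outside the hunk, so it is worth confirming that a rejected value is reported as a failure rather than accepted silently.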