derick          Wed Jun 28 13:12:10 2006 UTC

  Modified files:              (Branch: PHP_4_4)
    /php-src    NEWS 
    /php-src/ext/standard       info.c 
  Log:
  - MF51: Fixed XSS inside phpinfo() with long inputs.
  
  
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.1247.2.920.2.136&r2=1.1247.2.920.2.137&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.1247.2.920.2.136 php-src/NEWS:1.1247.2.920.2.137
--- php-src/NEWS:1.1247.2.920.2.136     Fri Jun  9 15:17:51 2006
+++ php-src/NEWS        Wed Jun 28 13:12:09 2006
@@ -1,7 +1,8 @@
 PHP 4                                                                      NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-?? ??? 2006, Version 4.4.3
+?? Jun 2006, Version 4.4.3RC2
 - Fixed handling of extremely long paths inside tempnam() function. (Ilia)
+- Fixed XSS inside phpinfo() with long inputs. (Ilia)
 - Fixed bug #37720 (merge_php_config scrambles values). (Mike,
   pumuckel at metropolis dot de)
 - Fixed bug #37569 (WDDX incorrectly encodes high-ascii characters). (Ilia)
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/info.c?r1=1.218.2.18.2.6&r2=1.218.2.18.2.7&diff_format=u
Index: php-src/ext/standard/info.c
diff -u php-src/ext/standard/info.c:1.218.2.18.2.6 
php-src/ext/standard/info.c:1.218.2.18.2.7
--- php-src/ext/standard/info.c:1.218.2.18.2.6  Sun Jan  1 13:46:57 2006
+++ php-src/ext/standard/info.c Wed Jun 28 13:12:09 2006
@@ -18,7 +18,7 @@
    +----------------------------------------------------------------------+
 */
 
-/* $Id: info.c,v 1.218.2.18.2.6 2006/01/01 13:46:57 sniper Exp $ */
+/* $Id: info.c,v 1.218.2.18.2.7 2006/06/28 13:12:09 derick Exp $ */
 
 #include "php.h"
 #include "php_ini.h"
@@ -58,6 +58,23 @@
 
 PHPAPI extern char *php_ini_opened_path;
 PHPAPI extern char *php_ini_scanned_files;
+       
+static int php_info_write_wrapper(const char *str, uint str_length)
+{
+       int new_len, written;
+       char *elem_esc;
+
+       TSRMLS_FETCH();
+
+       elem_esc = php_escape_html_entities((char *)str, str_length, &new_len, 
0, ENT_QUOTES, NULL TSRMLS_CC);
+
+       written = php_body_write(elem_esc, new_len TSRMLS_CC);
+
+       efree(elem_esc);
+
+       return written;
+}
+
 
 /* {{{ _display_module_info
  */
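Review bot: php_info_write_wrapper is added without any comment stating its contract, and it also lacks the `/* {{{ name */` fold markers the file uses (see `_display_module_info` directly below). I would add `/* {{{ php_info_write_wrapper - HTML-escapes every chunk before php_body_write(); write callback for HTML-mode phpinfo() output only */` above it and `/* }}} */` after it, so the escape-at-the-sink invariant is not lost in a later refactor. The value returned is php_body_write()'s result for the escaped buffer, so it can exceed `str_length`; the comment should say so in case a caller ever compares the return with the input length. The `(char *)str` cast drops const; presumably php_escape_html_entities does not modify its input, but that cannot be confirmed from this hunk.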
@@ -133,23 +150,12 @@
                                PUTS(" => ");
                        }
                        if (Z_TYPE_PP(tmp) == IS_ARRAY) {
-                               zval *tmp3;
-                               MAKE_STD_ZVAL(tmp3);
                                if (!sapi_module.phpinfo_as_text) {
                                        PUTS("<pre>");
-                               }
-                               php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
-                               zend_print_zval_r(*tmp, 0);
-                               php_ob_get_buffer(tmp3 TSRMLS_CC);
-                               php_end_ob_buffer(0, 0 TSRMLS_CC);
-                               
-                               elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) 
TSRMLS_CC);
-                               PUTS(elem_esc);
-                               efree(elem_esc);
-                               zval_ptr_dtor(&tmp3);
-
-                               if (!sapi_module.phpinfo_as_text) {
+                                       
zend_print_zval_r_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0);
                                        PUTS("</pre>");
+                               } else {
+                                       zend_print_zval_r(*tmp, 0);
                                }
                        } else if (Z_TYPE_PP(tmp) != IS_STRING) {
                                tmp2 = **tmp;
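Review bot: The `(zend_write_func_t)` cast on `php_info_write_wrapper` in the added call would hide any later signature mismatch from the compiler. If the wrapper's `int (const char *, uint)` signature already matches the typedef, as it appears to, the call can be written `zend_print_zval_r_ex(php_info_write_wrapper, *tmp, 0);`. The new `else` branch prints the array unescaped through `zend_print_zval_r`, which is right only because it is reached when `sapi_module.phpinfo_as_text` is set; a short comment such as `/* text mode: output is not HTML, no escaping */` would keep anyone from copying that call into an HTML path. The enclosing function starts and ends outside the hunk, so whether the `elem_esc` local is still used elsewhere in it cannot be checked here.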
