tony2001                Sun May 27 14:57:20 2007 UTC

  Modified files:              (Branch: PHP_4_4)
    /php-src/ext/standard       basic_functions.c php_var.h 
  Log:
  MFH: improve variable name checks (by popular demands..)
  
  
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/basic_functions.c?r1=1.543.2.51.2.12&r2=1.543.2.51.2.13&diff_format=u
Index: php-src/ext/standard/basic_functions.c
diff -u php-src/ext/standard/basic_functions.c:1.543.2.51.2.12 
php-src/ext/standard/basic_functions.c:1.543.2.51.2.13
--- php-src/ext/standard/basic_functions.c:1.543.2.51.2.12      Mon Jan  1 
09:46:47 2007
+++ php-src/ext/standard/basic_functions.c      Sun May 27 14:57:20 2007
@@ -17,7 +17,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: basic_functions.c,v 1.543.2.51.2.12 2007/01/01 09:46:47 sebastian Exp 
$ */
+/* $Id: basic_functions.c,v 1.543.2.51.2.13 2007/05/27 14:57:20 tony2001 Exp $ 
*/
 
 #include "php.h"
 #include "php_streams.h"
@@ -3038,24 +3038,25 @@
        prefix = va_arg(args, char *);
        prefix_len = va_arg(args, uint);
 
-       if (!prefix_len) {
-               if (!hash_key->nKeyLength) {
-                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric 
key detected - possible security hazard.");
-                       return 0;
-               } else if (!strcmp(hash_key->arKey, "GLOBALS")) {
-                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted 
GLOBALS variable overwrite.");
-                       return 0; 
-               }
+       if (!prefix_len && !hash_key->nKeyLength) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key 
detected - possible security hazard.");
+               return 0;
        }
 
        if (hash_key->nKeyLength) {
                new_key_len = prefix_len + hash_key->nKeyLength;
-               new_key = (char *) emalloc(new_key_len);
+               new_key = (char *) emalloc(new_key_len); /* +1 comes from 
nKeyLength */
 
                memcpy(new_key, prefix, prefix_len);
                memcpy(new_key+prefix_len, hash_key->arKey, 
hash_key->nKeyLength);
        } else {
                new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, 
hash_key->h);
+               new_key_len++;
+       }
+
+       if (php_varname_check(new_key, new_key_len, 0 TSRMLS_CC) == FAILURE) {
+               efree(new_key);
+               return 0;
        }
 
        zend_hash_del(&EG(symbol_table), new_key, new_key_len);
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/php_var.h?r1=1.21.4.5.2.2&r2=1.21.4.5.2.3&diff_format=u
Index: php-src/ext/standard/php_var.h
diff -u php-src/ext/standard/php_var.h:1.21.4.5.2.2 
php-src/ext/standard/php_var.h:1.21.4.5.2.3
--- php-src/ext/standard/php_var.h:1.21.4.5.2.2 Mon Jan  1 09:46:48 2007
+++ php-src/ext/standard/php_var.h      Sun May 27 14:57:20 2007
@@ -16,7 +16,7 @@
    +----------------------------------------------------------------------+
 */
 
-/* $Id: php_var.h,v 1.21.4.5.2.2 2007/01/01 09:46:48 sebastian Exp $ */
+/* $Id: php_var.h,v 1.21.4.5.2.3 2007/05/27 14:57:20 tony2001 Exp $ */
 
 #ifndef PHP_VAR_H
 #define PHP_VAR_H
@@ -68,4 +68,48 @@
        
 PHPAPI zend_class_entry *php_create_empty_class(char *class_name, int len);
 
+static inline int php_varname_check(char *name, int name_len, zend_bool silent 
TSRMLS_DC) /* {{{ */
+{
+       if (name_len == sizeof("GLOBALS") && !memcmp(name, "GLOBALS", 
sizeof("GLOBALS"))) {
+               if (!silent) {
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted 
GLOBALS variable overwrite");
+               }
+               return FAILURE;
+       } else if (name[0] == '_' &&
+                       (
+                        (name_len == sizeof("_GET") && !memcmp(name, "_GET", 
sizeof("_GET"))) ||
+                        (name_len == sizeof("_POST") && !memcmp(name, "_POST", 
sizeof("_POST"))) ||
+                        (name_len == sizeof("_COOKIE") && !memcmp(name, 
"_COOKIE", sizeof("_COOKIE"))) ||
+                        (name_len == sizeof("_ENV") && !memcmp(name, "_ENV", 
sizeof("_ENV"))) ||
+                        (name_len == sizeof("_SERVER") && !memcmp(name, 
"_SERVER", sizeof("_SERVER"))) ||
+                        (name_len == sizeof("_SESSION") && !memcmp(name, 
"_SESSION", sizeof("_SESSION"))) ||
+                        (name_len == sizeof("_FILES") && !memcmp(name, 
"_FILES", sizeof("_FILES"))) ||
+                        (name_len == sizeof("_REQUEST") && !memcmp(name, 
"_REQUEST", sizeof("_REQUEST")))
+                       )
+                       ) {
+               if (!silent) {
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted 
super-global (%s) variable overwrite", name);
+               }
+               return FAILURE;
+       } else if (name[0] == 'H' &&
+                       (
+                        (name_len == sizeof("HTTP_POST_VARS") && !memcmp(name, 
"HTTP_POST_VARS", sizeof("HTTP_POST_VARS"))) ||
+                        (name_len == sizeof("HTTP_GET_VARS") && !memcmp(name, 
"HTTP_GET_VARS", sizeof("HTTP_GET_VARS"))) ||
+                        (name_len == sizeof("HTTP_COOKIE_VARS") && 
!memcmp(name, "HTTP_COOKIE_VARS", sizeof("HTTP_COOKIE_VARS"))) ||
+                        (name_len == sizeof("HTTP_ENV_VARS") && !memcmp(name, 
"HTTP_ENV_VARS", sizeof("HTTP_ENV_VARS"))) ||
+                        (name_len == sizeof("HTTP_SERVER_VARS") && 
!memcmp(name, "HTTP_SERVER_VARS", sizeof("HTTP_SERVER_VARS"))) ||
+                        (name_len == sizeof("HTTP_SESSION_VARS") && 
!memcmp(name, "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS"))) ||
+                        (name_len == sizeof("HTTP_RAW_POST_DATA") && 
!memcmp(name, "HTTP_RAW_POST_DATA", sizeof("HTTP_RAW_POST_DATA"))) ||
+                        (name_len == sizeof("HTTP_POST_FILES") && 
!memcmp(name, "HTTP_POST_FILES", sizeof("HTTP_POST_FILES")))
+                       )
+                       ) {
+               if (!silent) {
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted 
long input array (%s) overwrite", name);
+               }
+               return FAILURE;
+       }
+       return SUCCESS;
+}
+/* }}} */
+
 #endif /* PHP_VAR_H */

-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to