tony2001 Sun May 27 14:57:20 2007 UTC Modified files: (Branch: PHP_4_4) /php-src/ext/standard basic_functions.c php_var.h Log: MFH: improve variable name checks (by popular demands..) http://cvs.php.net/viewvc.cgi/php-src/ext/standard/basic_functions.c?r1=1.543.2.51.2.12&r2=1.543.2.51.2.13&diff_format=u Index: php-src/ext/standard/basic_functions.c diff -u php-src/ext/standard/basic_functions.c:1.543.2.51.2.12 php-src/ext/standard/basic_functions.c:1.543.2.51.2.13 --- php-src/ext/standard/basic_functions.c:1.543.2.51.2.12 Mon Jan 1 09:46:47 2007 +++ php-src/ext/standard/basic_functions.c Sun May 27 14:57:20 2007 @@ -17,7 +17,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: basic_functions.c,v 1.543.2.51.2.12 2007/01/01 09:46:47 sebastian Exp $ */ +/* $Id: basic_functions.c,v 1.543.2.51.2.13 2007/05/27 14:57:20 tony2001 Exp $ */ #include "php.h" #include "php_streams.h" 
@@ -3038,24 +3038,25 @@ prefix = va_arg(args, char *); prefix_len = va_arg(args, uint); - if (!prefix_len) { - if (!hash_key->nKeyLength) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard."); - return 0; - } else if (!strcmp(hash_key->arKey, "GLOBALS")) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite."); - return 0; - } + if (!prefix_len && !hash_key->nKeyLength) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard."); + return 0; } if (hash_key->nKeyLength) { new_key_len = prefix_len + hash_key->nKeyLength; - new_key = (char *) emalloc(new_key_len); + new_key = (char *) emalloc(new_key_len); /* +1 comes from nKeyLength */ memcpy(new_key, prefix, prefix_len); memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength); } else { new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h); + new_key_len++; + } + + if (php_varname_check(new_key, new_key_len, 0 TSRMLS_CC) == FAILURE) { + efree(new_key); + return 0; } zend_hash_del(&EG(symbol_table), new_key, new_key_len); http://cvs.php.net/viewvc.cgi/php-src/ext/standard/php_var.h?r1=1.21.4.5.2.2&r2=1.21.4.5.2.3&diff_format=u Index: php-src/ext/standard/php_var.h diff -u php-src/ext/standard/php_var.h:1.21.4.5.2.2 php-src/ext/standard/php_var.h:1.21.4.5.2.3 --- php-src/ext/standard/php_var.h:1.21.4.5.2.2 Mon Jan 1 09:46:48 2007 +++ php-src/ext/standard/php_var.h Sun May 27 14:57:20 2007 @@ -16,7 +16,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: php_var.h,v 1.21.4.5.2.2 2007/01/01 09:46:48 sebastian Exp $ */ +/* $Id: php_var.h,v 1.21.4.5.2.3 2007/05/27 14:57:20 tony2001 Exp $ */ #ifndef PHP_VAR_H #define PHP_VAR_H 
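Review bot: The `new_key_len++;` added in the numeric-key branch has no comment explaining the length convention that the following calls rely on. The string-key branch is annotated with `/* +1 comes from nKeyLength */`, which suggests that hash-key lengths count the terminating NUL, and both php_varname_check() (which compares against `sizeof()` of each protected name) and the zend_hash_del() call after it appear to expect that same convention. I would add `/* spprintf() returns the length without the NUL; count it so both branches agree */` on the increment. The enclosing function starts and ends outside the hunk, so how new_key_len is used after zend_hash_del() cannot be confirmed from here.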
@@ -68,4 +68,48 @@ PHPAPI zend_class_entry *php_create_empty_class(char *class_name, int len); +static inline int php_varname_check(char *name, int name_len, zend_bool silent TSRMLS_DC) /* {{{ */ +{ + if (name_len == sizeof("GLOBALS") && !memcmp(name, "GLOBALS", sizeof("GLOBALS"))) { + if (!silent) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite"); + } + return FAILURE; + } else if (name[0] == '_' && + ( + (name_len == sizeof("_GET") && !memcmp(name, "_GET", sizeof("_GET"))) || + (name_len == sizeof("_POST") && !memcmp(name, "_POST", sizeof("_POST"))) || + (name_len == sizeof("_COOKIE") && !memcmp(name, "_COOKIE", sizeof("_COOKIE"))) || + (name_len == sizeof("_ENV") && !memcmp(name, "_ENV", sizeof("_ENV"))) || + (name_len == sizeof("_SERVER") && !memcmp(name, "_SERVER", sizeof("_SERVER"))) || + (name_len == sizeof("_SESSION") && !memcmp(name, "_SESSION", sizeof("_SESSION"))) || + (name_len == sizeof("_FILES") && !memcmp(name, "_FILES", sizeof("_FILES"))) || + (name_len == sizeof("_REQUEST") && !memcmp(name, "_REQUEST", sizeof("_REQUEST"))) + ) + ) { + if (!silent) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted super-global (%s) variable overwrite", name); + } + return FAILURE; + } else if (name[0] == 'H' && + ( + (name_len == sizeof("HTTP_POST_VARS") && !memcmp(name, "HTTP_POST_VARS", sizeof("HTTP_POST_VARS"))) || + (name_len == sizeof("HTTP_GET_VARS") && !memcmp(name, "HTTP_GET_VARS", sizeof("HTTP_GET_VARS"))) || + (name_len == sizeof("HTTP_COOKIE_VARS") && !memcmp(name, "HTTP_COOKIE_VARS", sizeof("HTTP_COOKIE_VARS"))) || + (name_len == sizeof("HTTP_ENV_VARS") && !memcmp(name, "HTTP_ENV_VARS", sizeof("HTTP_ENV_VARS"))) || + (name_len == sizeof("HTTP_SERVER_VARS") && !memcmp(name, "HTTP_SERVER_VARS", sizeof("HTTP_SERVER_VARS"))) || + (name_len == sizeof("HTTP_SESSION_VARS") && !memcmp(name, "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS"))) || + (name_len == sizeof("HTTP_RAW_POST_DATA") && !memcmp(name, 
"HTTP_RAW_POST_DATA", sizeof("HTTP_RAW_POST_DATA"))) || + (name_len == sizeof("HTTP_POST_FILES") && !memcmp(name, "HTTP_POST_FILES", sizeof("HTTP_POST_FILES"))) + ) + ) { + if (!silent) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted long input array (%s) overwrite", name); + } + return FAILURE; + } + return SUCCESS; +} +/* }}} */ + #endif /* PHP_VAR_H */
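Review bot: php_varname_check() only matches when name_len counts the terminating NUL, because every comparison is `name_len == sizeof("...")`, and nothing in the header states that contract. A caller that passes a strlen()-style length would get SUCCESS for GLOBALS, every superglobal and every long input array, so the check would fail open without a warning. I would add a comment above the function such as `/* name_len must include the trailing '\0' (hash-key convention); returns FAILURE for GLOBALS, superglobals and long input arrays */`. The `name[0] == '_'` and `name[0] == 'H'` tests also read the first byte before any length test, so if a caller can pass a zero-length name, a `name_len > 0 &&` guard in front of them would avoid that read.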