Commit:    eb8f3b025b0a6dbbf6b44bf51d8cf345437b7354
Author:    Stanislav Malyshev <s...@php.net>         Mon, 7 May 2012 12:24:22 
-0700
Parents:   fc3ba0552fd5c2d7b5870f3e2fec0a9a2d2996f4
Branches:  PHP-5.4.3

Link:       
http://git.php.net/?p=php-src.git;a=commitdiff;h=eb8f3b025b0a6dbbf6b44bf51d8cf345437b7354

Log:
fix bug #61807 - Buffer Overflow in apache_request_headers

Bugs:
https://bugs.php.net/61807

Changed paths:
  M  NEWS
  M  sapi/cgi/cgi_main.c
  A  sapi/cgi/tests/apache_request_headers.phpt


Diff:
diff --git a/NEWS b/NEWS
index a41a5d1..7603cfb 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,7 @@ PHP                                                             
           NEWS
 - CGI
   . Re-Fix PHP-CGI query string parameter vulnerability, CVE-2012-1823.
     (Stas)
+  . Fix bug #61807 - Buffer Overflow in apache_request_headers. 
 
 03 May 2012, PHP 5.4.2
 
diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
index 71404a4..a1690b1 100644
--- a/sapi/cgi/cgi_main.c
+++ b/sapi/cgi/cgi_main.c
@@ -1614,15 +1614,21 @@ PHP_FUNCTION(apache_request_headers) /* {{{ */
                                p = var + 5;
 
                                var = q = t;
+                                // First char keep uppercase
                                *q++ = *p++;
                                while (*p) {
-                                       if (*p == '_') {
+                                       if (*p == '=') {
+                                               // End of name
+                                               break;
+                                        } else if (*p == '_') {
                                                *q++ = '-';
                                                p++;
-                                               if (*p) {
+                                                // First char after - keep 
uppercase
+                                               if (*p && *p!='=' && *p!='_') {
                                                        *q++ = *p++;
                                                }
                                        } else if (*p >= 'A' && *p <= 'Z') {
+                                                // lowercase
                                                *q++ = (*p++ - 'A' + 'a');
                                        } else {
                                                *q++ = *p++;
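Review bot: The copy loop still ends only when it meets `=` or NUL in the source string, so every write through `q` stays in bounds only if the destination was sized for the whole header name; that sizing is outside this hunk and nothing here checks it. Folding the terminator into the loop condition, `while (*p && *p != '=') {`, and also bounding the loop by the name length if that is already computed above, would make the limit explicit instead of implied. The unconditional `*q++ = *p++;` before the loop likewise assumes at least one name character follows the prefix, which should be confirmed against the guard above the hunk. The added `//` comments differ from the `/* */` style visible in the hunk header and are not valid C89; `/* First char keep uppercase */` is the safer form. The function body starts and ends outside the hunk.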
diff --git a/sapi/cgi/tests/apache_request_headers.phpt 
b/sapi/cgi/tests/apache_request_headers.phpt
new file mode 100644
index 0000000..37e077e
--- /dev/null
+++ b/sapi/cgi/tests/apache_request_headers.phpt
@@ -0,0 +1,49 @@
+--TEST--
+apache_request_headers() stack overflow.
+--SKIPIF--
+<?php 
+include "skipif.inc"; 
+?>
+--FILE--
+<?php
+include "include.inc";
+
+$php = get_cgi_path();
+reset_env_vars();
+
+$file = dirname(__FILE__)."/012.test.php";
+
+file_put_contents($file, '<?php print_r(apache_request_headers()); ?>');
+
+passthru("$php $file");
+
+$names = array('HTTP_X_TEST', 'HTTP_X__TEST', 'HTTP_X_');
+foreach ($names as $name) {
+       putenv($name."=".str_repeat("A", 256));
+       passthru("$php -q $file");
+       putenv($name);
+}
+unlink($file);
+
+echo "Done\n";
+?>
+--EXPECTF--    
+X-Powered-By: PHP/%s
+Content-type: text/html
+
+Array
+(
+)
+Array
+(
+    [X-Test] => 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+)
+Array
+(
+    [X--Test] => 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+)
+Array
+(
+    [X-] => 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+)
+Done
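Review bot: The scratch script is named `012.test.php`, which does not match this test and is removed only by the final `unlink($file);` in --FILE--, so an aborted run leaves it behind and another test using that name in the same directory could collide with it. Naming it after the test, e.g. `$file = dirname(__FILE__)."/apache_request_headers.test.php";`, and moving the `unlink` into a `--CLEAN--` section would address both. The path is also interpolated unquoted in `passthru("$php $file")` and `passthru("$php -q $file")`, which breaks when the source tree path contains spaces; `escapeshellarg($file)` avoids that. The title says "stack overflow" while the bug report and NEWS entry say "Buffer Overflow"; using the same wording makes the test easier to find from the bug number.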

