Commit: 46d9cc3de9f2def8ab84d0b83cc89b6f85d7506a Author: Stanislav Malyshev <s...@php.net> Mon, 7 May 2012 12:08:36 -0700 Committer: Johannes Schlüter <johan...@php.net> Tue, 8 May 2012 11:15:23 +0200 Parents: 03cb63bc1da6344f65a075f25721d29b59670cfe Branches: PHP-5.3.13
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=46d9cc3de9f2def8ab84d0b83cc89b6f85d7506a Log: improve fix for CVE-2012-1823 (cherry picked from commit fc3ba0552fd5c2d7b5870f3e2fec0a9a2d2996f4) Changed paths: M sapi/cgi/cgi_main.c Diff: diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c index bb37aba..62ccbf2 100644 --- a/sapi/cgi/cgi_main.c +++ b/sapi/cgi/cgi_main.c @@ -1560,10 +1560,15 @@ int main(int argc, char *argv[]) } } - if(query_string = getenv("QUERY_STRING")) { + if((query_string = getenv("QUERY_STRING")) != NULL && strchr(query_string, '=') == NULL) { + /* we've got query string that has no = - apache CGI will pass it to command line */ + unsigned char *p; decoded_query_string = strdup(query_string); php_url_decode(decoded_query_string, strlen(decoded_query_string)); - if(*decoded_query_string == '-' && strchr(decoded_query_string, '=') == NULL) { + for (p = decoded_query_string; *p && *p <= ' '; p++) { + /* skip all leading spaces */ + } + if(*p == '-') { skip_getopt = 1; } free(decoded_query_string); @@ -1818,7 +1823,7 @@ consult the installation file that came with this distribution, or visit \n\ } zend_first_try { - while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) { + while (!skip_getopt && (c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) { switch (c) { case 'T': benchmark = 1; -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
