2012/5/7 Stanislav Malyshev <s...@php.net>: > Commit: eb8f3b025b0a6dbbf6b44bf51d8cf345437b7354 > Author: Stanislav Malyshev <s...@php.net> Mon, 7 May 2012 12:24:22 > -0700 > Parents: fc3ba0552fd5c2d7b5870f3e2fec0a9a2d2996f4 > Branches: PHP-5.4.3 > > Link: > http://git.php.net/?p=php-src.git;a=commitdiff;h=eb8f3b025b0a6dbbf6b44bf51d8cf345437b7354 > > Log: > fix bug #61807 - Buffer Overflow in apache_request_headers > > Bugs: > https://bugs.php.net/61807 > > Changed paths: > M NEWS > M sapi/cgi/cgi_main.c > A sapi/cgi/tests/apache_request_headers.phpt > > > Diff: > diff --git a/NEWS b/NEWS > index a41a5d1..7603cfb 100644 > --- a/NEWS > +++ b/NEWS > @@ -5,6 +5,7 @@ PHP > NEWS > - CGI > . Re-Fix PHP-CGI query string parameter vulnerability, CVE-2012-1823. > (Stas) > + . Fix bug #61807 - Buffer Overflow in apache_request_headers. > > 03 May 2012, PHP 5.4.2 > > diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c > index 71404a4..a1690b1 100644 > --- a/sapi/cgi/cgi_main.c > +++ b/sapi/cgi/cgi_main.c > @@ -1614,15 +1614,21 @@ PHP_FUNCTION(apache_request_headers) /* {{{ */ > p = var + 5; > > var = q = t; > + // First char keep uppercase > *q++ = *p++; > while (*p) { > - if (*p == '_') { > + if (*p == '=') { > + // End of name > + break; > + } else if (*p == '_') { > *q++ = '-'; > p++; > - if (*p) { > + // First char after - keep > uppercase > + if (*p && *p!='=' && *p!='_') > { > *q++ = *p++; > } > } else if (*p >= 'A' && *p <= 'Z') { > + // lowercase > *q++ = (*p++ - 'A' + 'a'); > } else { > *q++ = *p++;
I see C++ comments. -- Regards, Felipe Pena
