Commit:    e7ff3e839b4c2a3423729b07ba1d40f45f1d2983
Author:    Jerome Loyet <f...@php.net>         Sat, 26 May 2012 19:27:02 +0200
Parents:   0298b92b69e5637e8d151790ad6369f7980a406a
Branches:  PHP-5.3

Link:       
http://git.php.net/?p=php-src.git;a=commitdiff;h=e7ff3e839b4c2a3423729b07ba1d40f45f1d2983

Log:
Fixed bug #61218 (FPM drops connection while receiving some binary valuesin 
FastCGI requests)

Bugs:
https://bugs.php.net/61218

Changed paths:
  M  NEWS
  M  sapi/fpm/fpm/fastcgi.c


Diff:
diff --git a/NEWS b/NEWS
index 3981b1f..6863a73 100644
--- a/NEWS
+++ b/NEWS
@@ -18,6 +18,8 @@ PHP                                                           
             NEWS
   . Fixed bug #62153 (when using unix sockets, multiples FPM instances
     can be launched without errors). (fat)
   . Fixed bug #62160 (Add process.priority to set nice(2) priorities). (fat)
+  . Fixed bug #61218 (FPM drops connection while receiving some binary values
+    in FastCGI requests). (fat)
 
 - Intl:
   . Fixed bug #62083 (grapheme_extract() memory leaks). (Gustavo)
diff --git a/sapi/fpm/fpm/fastcgi.c b/sapi/fpm/fpm/fastcgi.c
index 212b6ff..9df26f1 100644
--- a/sapi/fpm/fpm/fastcgi.c
+++ b/sapi/fpm/fpm/fastcgi.c
@@ -395,39 +395,12 @@ static inline size_t fcgi_get_params_len( int *result, 
unsigned char *p, unsigne
        return ret;
 }
 
-static inline int fcgi_param_get_eff_len( unsigned char *p, unsigned char 
*end, uint *eff_len)
-{
-       int ret = 1;
-       int zero_found = 0;
-        *eff_len = 0;
-       for (; p != end; ++p) {
-               if (*p == '\0') {
-                       zero_found = 1;
-               }
-               else {
-                       if (zero_found) {
-                               ret = 0;
-                               break;
-                       }
-                       if (*eff_len < ((uint)-1)) {
-                               ++*eff_len;
-                       }
-                       else {
-                               ret = 0;
-                               break;
-                       }
-               }
-       }
-       return ret;
-}
-
 static int fcgi_get_params(fcgi_request *req, unsigned char *p, unsigned char 
*end)
 {
        char buf[128];
        char *tmp = buf;
        size_t buf_size = sizeof(buf);
        int name_len, val_len;
-       uint eff_name_len, eff_val_len;
        char *s;
        int ret = 1;
        size_t bytes_consumed;
@@ -453,32 +426,27 @@ static int fcgi_get_params(fcgi_request *req, unsigned 
char *p, unsigned char *e
                        ret = 0;
                        break;
                }
-               if (!fcgi_param_get_eff_len(p, p+name_len, &eff_name_len) ||
-                   !fcgi_param_get_eff_len(p+name_len, p+name_len+val_len, 
&eff_val_len)) {
-                       /* Malicious request */
-                       ret = 0;
-                       break;
-               }
-               if (eff_name_len >= buf_size-1) {
-                       if (eff_name_len > ((uint)-1)-64) { 
+
+               if (name_len >= buf_size-1) {
+                       if (name_len > ((uint)-1)-64) { 
                                ret = 0;
                                break;
                        }
-                       buf_size = eff_name_len + 64;
+                       buf_size = name_len + 64;
                        tmp = (tmp == buf ? emalloc(buf_size): erealloc(tmp, 
buf_size));
                        if (tmp == NULL) {
                                ret = 0;
                                break;
                        }
                }
-               memcpy(tmp, p, eff_name_len);
-               tmp[eff_name_len] = 0;
-               s = estrndup((char*)p + name_len, eff_val_len);
+               memcpy(tmp, p, name_len);
+               tmp[name_len] = 0;
+               s = estrndup((char*)p + name_len, val_len);
                if (s == NULL) {
                        ret = 0;
                        break;
                }
-               zend_hash_update(req->env, tmp, eff_name_len+1, &s, 
sizeof(char*), NULL);
+               zend_hash_update(req->env, tmp, name_len+1, &s, sizeof(char*), 
NULL);
                p += name_len + val_len;
        }
        if (tmp != buf && tmp != NULL) {


--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to