The current implementation of php_register_variable_ex() improperly handles situations when the name of a variable passed via GET/POST/COOKIES contains a '[' (or its urlencoded equivalent) that is never closed by a ']'. The result is a small memory leak (number of chars between '[' and '=' +1) and invalid data inside the GET/POST/COOKIES array. The proposed patch makes php_register_variable_ex() aware that a '[' may not be terminated and adds handling for such conditions. The end result is that the code no longer leaks memory and can support variables passed via GET/POST/COOKIES with '[' in their names.
Ilia P.S. This patch is against HEAD and is not intended for 4.3.0
Index: php_variables.c
===================================================================
RCS file: /repository/php4/main/php_variables.c,v
retrieving revision 1.46
diff -u -3 -p -r1.46 php_variables.c
--- php_variables.c 7 Dec 2002 16:05:27 -0000 1.46
+++ php_variables.c 24 Dec 2002 00:44:59 -0000
@@ -120,7 +120,27 @@ PHPAPI void php_register_variable_ex(cha
 while (1) {
 if (is_array) {
- char *escaped_index;
+ char *escaped_index = NULL, *index_s;
+ int new_idx_len = 0;
+
+ ip++;
+ index_s = ip;
+ if (isspace(*ip)) {
+ ip++;
+ }
+ if (*ip==']') {
+ index_s = NULL;
+ } else {
+ ip = strchr(ip, ']');
+ if (!ip) {
+ *(index_s - 1) = '[';
+ index_len = var_len = strlen(var);
+ goto plain_var;
+ return;
+ }
+ *ip = 0;
+ new_idx_len = strlen(index_s);
+ }
 if (!index) {
 MAKE_STD_ZVAL(gpc_element);
@@ -148,22 +168,9 @@ PHPAPI void php_register_variable_ex(cha
 }
 symtable1 = Z_ARRVAL_PP(gpc_element_p);
 /* ip pointed to the '[' character, now obtain the key */
- index = ++ip;
- index_len = 0;
- if (*ip=='\n' || *ip=='\r' || *ip=='\t' || *ip==' ') {
- ip++;
- }
- if (*ip==']') {
- index = NULL;
- } else {
- ip = strchr(ip, ']');
- if (!ip) {
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Missing ] in %s variable", var);
- return;
- }
- *ip = 0;
- index_len = strlen(index);
- }
+ index = index_s;
+ index_len = new_idx_len;
+ ip++;
 if (*ip=='[') {
 is_array = 1;
@@ -172,6 +179,7 @@ PHPAPI void php_register_variable_ex(cha
 is_array = 0;
 }
 } else {
+plain_var:
 MAKE_STD_ZVAL(gpc_element);
 gpc_element->value = val->value;
 Z_TYPE_P(gpc_element) = Z_TYPE_P(val);
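Review bot: On the missing-`]` path the new code sets `index_len = var_len = strlen(var)` but never resets `index`, so the jump to `plain_var` is only coherent while `index` still equals `var`. Hunk 2 assigns `index = index_s` at the end of every array level, so for a name such as `a[b][c` the second pass would presumably reach `plain_var` with `index` pointing at the previous key and a length taken from `var`; either restrict the fallback to the first level or keep the old bail-out for deeper ones. Separately, `isspace(*ip)` takes a plain `char` from request data, which is undefined for negative values and also accepts `\v`, `\f` and locale-specific characters the removed comparison did not; `isspace((unsigned char)*ip)` fixes the first, and keeping the original four-way test fixes both. The `return;` after `goto plain_var;` is unreachable and can go. The function body starts and ends outside this hunk, so the state of `index` on entry is inferred.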
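Review bot: Removing the `php_error_docref(...)` call with the "Missing ] in %s variable" message means a malformed name is now accepted with no signal at all, and its key keeps the literal `[`. Code elsewhere that assumes request keys never contain `[` (filters on parameter names, code that rebuilds query strings) may not expect that, so consider keeping an `E_NOTICE` on the fallback path in the first hunk; the description does not discuss this trade-off. The context comment `/* ip pointed to the '[' character, now obtain the key */` is also stale now that the key is parsed at the top of the `is_array` branch; something like `/* key for the next level was parsed above into index_s/new_idx_len */` would match the new flow.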
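Review bot: The `plain_var:` label sits inside the `else` block yet is entered by `goto` from the `is_array` branch, and nothing at the label says so. A one-line comment such as `/* also reached by goto from the is_array branch when '[' has no closing ']'; index_len/var_len were reset there */` would spare the next reader from hunting for the jump. The block continues past the end of the hunk.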