The current implementation of php_register_variable_ex() improperly handles 
situations in which the name of a variable passed via GET/POST/COOKIES contains 
a '[' or its urlencoded equivalent. The result is a small memory leak 
(number of chars between '[' and '=' +1) and invalid data inside the 
GET/POST/COOKIES array.
The proposed patch makes php_register_variable_ex aware that a '[' may not be 
terminated and adds handling for that condition. The end result is that the 
code no longer leaks memory and can support variables passed via 
GET/POST/COOKIES with '[' in their names.

Ilia

P.S. This patch is against HEAD and is not intended for 4.3.0
Index: php_variables.c
===================================================================
RCS file: /repository/php4/main/php_variables.c,v
retrieving revision 1.46
diff -u -3 -p -r1.46 php_variables.c
--- php_variables.c     7 Dec 2002 16:05:27 -0000       1.46
+++ php_variables.c     24 Dec 2002 00:44:59 -0000
@@ -120,7 +120,27 @@ PHPAPI void php_register_variable_ex(cha
 
        while (1) {
                if (is_array) {
-                       char *escaped_index;
+                       char *escaped_index = NULL, *index_s;
+                       int new_idx_len = 0;
+
+                       ip++;
+                       index_s = ip;
+                       if (isspace(*ip)) {
+                               ip++;
+                       }
+                       if (*ip==']') {
+                               index_s = NULL;
+                       } else {
+                               ip = strchr(ip, ']');
+                               if (!ip) {
+                                       *(index_s - 1) = '[';
+                                       index_len = var_len = strlen(var);
+                                       goto plain_var;
+                                       return;
+                               }
+                               *ip = 0;
+                               new_idx_len = strlen(index_s);  
+                       }
 
                        if (!index) {
                                MAKE_STD_ZVAL(gpc_element);
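Review bot: The `return;` that follows `goto plain_var;` in the `!ip` branch is unreachable and should be removed. `isspace(*ip)` should be written `isspace((unsigned char)*ip)`, because passing a plain `char` that is negative on signed-char platforms to a ctype function is undefined behaviour, and `isspace` also accepts `\v` and `\f` (locale permitting) where the replaced explicit test skipped only `\n`, `\r`, `\t` and space, so the wider set should be deliberate. The unterminated-`[` case now silently registers the whole name as a plain variable where the removed code raised `E_WARNING` with "Missing ] in %s variable"; if dropping that diagnostic is intended, a comment such as `/* no closing ']': put the '[' back and register the whole name as a plain variable */` above `*(index_s - 1) = '[';` would explain the restore, which presumes the caller NUL-terminated `var` at the `[` somewhere outside this hunk. The second and third hunks only move the key parsing and add the `plain_var:` label, so this note covers them as well; php_register_variable_ex begins and ends outside the hunks.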
@@ -148,22 +168,9 @@ PHPAPI void php_register_variable_ex(cha
                        }
                        symtable1 = Z_ARRVAL_PP(gpc_element_p);
                        /* ip pointed to the '[' character, now obtain the key */
-                       index = ++ip;
-                       index_len = 0;
-                       if (*ip=='\n' || *ip=='\r' || *ip=='\t' || *ip==' ') {
-                               ip++;
-                       }
-                       if (*ip==']') {
-                               index = NULL;
-                       } else {
-                               ip = strchr(ip, ']');
-                               if (!ip) {
-                                       php_error_docref(NULL TSRMLS_CC, E_WARNING, 
"Missing ] in %s variable", var);
-                                       return;
-                               }
-                               *ip = 0;
-                               index_len = strlen(index);
-                       }
+                       index = index_s;
+                       index_len = new_idx_len;
+
                        ip++;
                        if (*ip=='[') {
                                is_array = 1;
@@ -172,6 +179,7 @@ PHPAPI void php_register_variable_ex(cha
                                is_array = 0;
                        }
                } else {
+plain_var:
                        MAKE_STD_ZVAL(gpc_element);
                        gpc_element->value = val->value;
                        Z_TYPE_P(gpc_element) = Z_TYPE_P(val);
