Author: adamg                        Date: Wed Apr 19 16:40:34 2006 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- new; fix for XSS in phpinfo()

---- Files affected:
SOURCES:
   php-CVE-2006-0996.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/php-CVE-2006-0996.patch
diff -u /dev/null SOURCES/php-CVE-2006-0996.patch:1.1
--- /dev/null   Wed Apr 19 18:40:34 2006
+++ SOURCES/php-CVE-2006-0996.patch     Wed Apr 19 18:40:29 2006
@@ -0,0 +1,73 @@
+Cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP 5.1.2
+and 4.4.2 allows remote attackers to inject arbitrary web script or HTML
+via long array variables, including (1) a large number of dimensions or
+(2) long values, which prevents HTML tags from being removed.
+
+Patch pulled from cvs.php.net
+
+--- php-5.1.2/ext/standard/info.c      2006/01/01 12:50:15     1.249.2.7
++++ php-5.1.2/ext/standard/info.c      2006/03/30 19:58:18     1.249.2.9
+@@ -18,7 +18,7 @@
+    +----------------------------------------------------------------------+
+ */
+ 
+-/* $Id$ */
++/* $Id$ */
+ 
+ #include "php.h"
+ #include "php_ini.h"
+@@ -58,6 +58,21 @@
+ 
+ PHPAPI extern char *php_ini_opened_path;
+ PHPAPI extern char *php_ini_scanned_files;
++      
++static int php_info_write_wrapper(const char *str, uint str_length)
++{
++      TSRMLS_FETCH();
++
++      int new_len, written;
++      char *elem_esc = php_escape_html_entities((char *)str, str_length, 
&new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
++
++      written = php_body_write(elem_esc, new_len TSRMLS_CC);
++
++      efree(elem_esc);
++
++      return written;
++}
++
+ 
+ /* {{{ _display_module_info
+  */
+@@ -135,30 +150,13 @@
+                               PUTS(" => ");
+                       }
+                       if (Z_TYPE_PP(tmp) == IS_ARRAY) {
+-                              zval *tmp3;
+-
+-                              MAKE_STD_ZVAL(tmp3);
+-
+                               if (!sapi_module.phpinfo_as_text) {
+                                       PUTS("<pre>");
+-                              }
+-                              php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
+-                              
+-                              zend_print_zval_r(*tmp, 0 TSRMLS_CC);
+-                              
+-                              php_ob_get_buffer(tmp3 TSRMLS_CC);
+-                              php_end_ob_buffer(0, 0 TSRMLS_CC);
+-                              
+-                              if (!sapi_module.phpinfo_as_text) {
+-                                      elem_esc = 
php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
+-                                      PUTS(elem_esc);
+-                                      efree(elem_esc);
++                                      zend_print_zval_ex((zend_write_func_t) 
php_info_write_wrapper, *tmp, 0);
+                                       PUTS("</pre>");
+                               } else {
+-                                      PUTS(Z_STRVAL_P(tmp3));
++                                      zend_print_zval_r(*tmp, 0 TSRMLS_CC);
+                               }
+-                              zval_ptr_dtor(&tmp3);
+-
+                       } else if (Z_TYPE_PP(tmp) != IS_STRING) {
+                               tmp2 = **tmp;
+                               zval_copy_ctor(&tmp2);
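Review bot: The `(zend_write_func_t)` cast on the `zend_print_zval_ex` call in the HTML branch hides any signature mismatch from the compiler. Because `php_info_write_wrapper` is declared as `int (const char *, uint)`, which appears to match the callback type, the cast can probably be dropped: `zend_print_zval_ex(php_info_write_wrapper, *tmp, 0);`. The wrapper also returns the escaped byte count from `php_body_write` rather than the `str_length` it was given, which deserves a comment in case a caller ever compares the result with the length it passed. A header comment on the new helper would record why the 4096-byte output-buffer path was removed, for example `/* Escape every chunk before it is written, so array output is HTML-escaped regardless of size or nesting depth. */`. The function containing the second change starts and ends outside the hunk, so whether array keys and the other value branches are escaped cannot be confirmed from here.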
================================================================