Commit: 20364bcff9f38bed83245d785cc8ec3a072e4da5 Author: Stanislav Malyshev <s...@php.net> Mon, 7 May 2012 12:24:22 -0700 Parents: 0b4d7a455d8f2bffaa9c4f9cbd7aff8e3e740fe8 Branches: PHP-5.4
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=20364bcff9f38bed83245d785cc8ec3a072e4da5 Log: fix bug #61807 - Buffer Overflow in apache_request_headers Bugs: https://bugs.php.net/61807 Changed paths: M sapi/cgi/cgi_main.c A sapi/cgi/tests/apache_request_headers.phpt Diff: diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c index d25cad4..a0a1ada 100644 --- a/sapi/cgi/cgi_main.c +++ b/sapi/cgi/cgi_main.c @@ -1615,15 +1615,21 @@ PHP_FUNCTION(apache_request_headers) /* {{{ */ p = var + 5; var = q = t; + // First char keep uppercase *q++ = *p++; while (*p) { - if (*p == '_') { + if (*p == '=') { + // End of name + break; + } else if (*p == '_') { *q++ = '-'; p++; - if (*p) { + // First char after - keep uppercase + if (*p && *p!='=' && *p!='_') { *q++ = *p++; } } else if (*p >= 'A' && *p <= 'Z') { + // lowercase *q++ = (*p++ - 'A' + 'a'); } else { *q++ = *p++; diff --git a/sapi/cgi/tests/apache_request_headers.phpt b/sapi/cgi/tests/apache_request_headers.phpt new file mode 100644 index 0000000..37e077e --- /dev/null +++ b/sapi/cgi/tests/apache_request_headers.phpt @@ -0,0 +1,49 @@ +--TEST-- +apache_request_headers() stack overflow. +--SKIPIF-- +<?php +include "skipif.inc"; +?> +--FILE-- +<?php +include "include.inc"; + +$php = get_cgi_path(); +reset_env_vars(); + +$file = dirname(__FILE__)."/012.test.php"; + +file_put_contents($file, '<?php print_r(apache_request_headers()); ?>'); + +passthru("$php $file"); + +$names = array('HTTP_X_TEST', 'HTTP_X__TEST', 'HTTP_X_'); +foreach ($names as $name) { + putenv($name."=".str_repeat("A", 256)); + passthru("$php -q $file"); + putenv($name); +} +unlink($file); + +echo "Done\n"; +?> +--EXPECTF-- +X-Powered-By: PHP/%s +Content-type: text/html + +Array +( +) +Array +( + [X-Test] => AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +) +Array +( + [X--Test] => AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +) +Array +( + [X-] => AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +) +Done -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php