Re: [PHP-DEV] Proposed fix for bug #21149

2002-12-23 Thread Melvyn Sopacua
On Mon, 23 Dec 2002, Ilia A. wrote:

IA>>> The current implementation of php_register_variable_ex() improperly handles 
IA>>> situations when the name of the variable passed via GET/POST/COOKIES contains 
IA>>> a '[' or its urlencoded equivalent. The result is a small memory leak 
IA>>> (number of chars between '[' and '=' +1) and invalid data inside the 
IA>>> GET/POST/COOKIES array.
IA>>> The proposed patch makes php_register_variable_ex aware that [ may not be 
IA>>> terminated and adds handling for such conditions. The end result is that the 
IA>>> code no longer leaks memory & can support variables passed via 
IA>>> GET/POST/COOKIES with '[' in their names.
IA>>> 

[02:21]  melvyn: +1 it :)
[02:23]  ilia: not sure that's gonna help with my karma factor :)
[02:23]  melvyn: doesn't matter :)

so -ehm +1?
-- 
With kind regards,

Melvyn Sopacua



-- 
PHP Development Mailing List 
To unsubscribe, visit: http://www.php.net/unsub.php




[PHP-DEV] Proposed fix for bug #21149

2002-12-23 Thread Ilia A.
The current implementation of php_register_variable_ex() improperly handles 
situations when the name of the variable passed via GET/POST/COOKIES contains 
a '[' or its urlencoded equivalent. The result is a small memory leak 
(number of chars between '[' and '=' +1) and invalid data inside the 
GET/POST/COOKIES array.
The proposed patch makes php_register_variable_ex aware that [ may not be 
terminated and adds handling for such conditions. The end result is that the 
code no longer leaks memory & can support variables passed via 
GET/POST/COOKIES with '[' in their names.

Ilia

P.S. This patch is against HEAD and is not intended for 4.3.0
Index: php_variables.c
===
RCS file: /repository/php4/main/php_variables.c,v
retrieving revision 1.46
diff -u -3 -p -r1.46 php_variables.c
--- php_variables.c 7 Dec 2002 16:05:27 -   1.46
+++ php_variables.c 24 Dec 2002 00:44:59 -
@@ -120,7 +120,27 @@ PHPAPI void php_register_variable_ex(cha
 
while (1) {
if (is_array) {
-   char *escaped_index;
+   char *escaped_index = NULL, *index_s;
+   int new_idx_len = 0;
+
+   ip++;
+   index_s = ip;
+   if (isspace(*ip)) {
+   ip++;
+   }
+   if (*ip==']') {
+   index_s = NULL;
+   } else {
+   ip = strchr(ip, ']');
+   if (!ip) {
+   *(index_s - 1) = '[';
+   index_len = var_len = strlen(var);
+   goto plain_var;
+   return;
+   }
+   *ip = 0;
+   new_idx_len = strlen(index_s);  
+   }
 
if (!index) {
MAKE_STD_ZVAL(gpc_element);
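
Review bot: In the `if (!ip)` branch, the fallback sets `index_len = var_len = strlen(var)` but leaves `index` untouched, so when the missing `]` is only hit on a second or later pass of the `while (1)` loop, `index` still points at the previous key and an earlier `]` has already been overwritten by `*ip = 0`, meaning `strlen(var)` stops short of the full name. Consider resetting `index` together with the lengths, or restoring the bytes zeroed on earlier passes, before `goto plain_var;`. The `return;` after the `goto` is unreachable and can be dropped. `isspace(*ip)` is also called on a plain `char`; casting to `unsigned char` avoids undefined behaviour for bytes above 0x7f, which a urlencoded name can carry, and note that `isspace()` accepts more characters than the four the old check listed.
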
@@ -148,22 +168,9 @@ PHPAPI void php_register_variable_ex(cha
}
symtable1 = Z_ARRVAL_PP(gpc_element_p);
/* ip pointed to the '[' character, now obtain the key */
-   index = ++ip;
-   index_len = 0;
-   if (*ip=='\n' || *ip=='\r' || *ip=='\t' || *ip==' ') {
-   ip++;
-   }
-   if (*ip==']') {
-   index = NULL;
-   } else {
-   ip = strchr(ip, ']');
-   if (!ip) {
-   php_error_docref(NULL TSRMLS_CC, E_WARNING, 
"Missing ] in %s variable", var);
-   return;
-   }
-   *ip = 0;
-   index_len = strlen(index);
-   }
+   index = index_s;
+   index_len = new_idx_len;
+
ip++;
if (*ip=='[') {
is_array = 1;
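
Review bot: With the `php_error_docref(... "Missing ] in %s variable" ...)` call removed and nothing put in its place, an unterminated `[` is now accepted silently; if that is the intended behaviour it deserves a line in the commit message or the docs, otherwise keep a notice on the fallback path so malformed input still shows up in logs. The context comment `/* ip pointed to the '[' character, now obtain the key */` above `index = index_s;` is stale, since the key is now parsed at the top of the `if (is_array)` block and `ip` sits on the closing `]` here.
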
@@ -172,6 +179,7 @@ PHPAPI void php_register_variable_ex(cha
is_array = 0;
}
} else {
+plain_var:
MAKE_STD_ZVAL(gpc_element);
gpc_element->value = val->value;
Z_TYPE_P(gpc_element) = Z_TYPE_P(val);
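
Review bot: The `plain_var:` label sits inside the `else` arm, so the `goto` added in the first hunk jumps from the `if (is_array)` arm into a sibling block. Both arms live in the same `while (1)` loop, so setting `is_array = 0;` and using `continue;` would reach this code without a label and is easier to follow. If the label stays, a short comment naming the unterminated-`[` case would help the next reader.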

