From:             [EMAIL PROTECTED]
Operating system: Debian testing
PHP version:      4.0CVS-2002-02-11
PHP Bug Type:     ODBC related
Bug description:  odbc_execute() param clobber fix (Patch included)

-----------------------------------------------------
Synopsis: 

odbc_execute() has some undocumented functionality:
if a parameter is given enclosed in single-quotes, that
param is taken as the name of a file to read and send
instead of the actual parameter string.

In that case, odbc_execute() replaces the last character
of the passed parameter (the closing quote) with \0. The
write goes into the caller's string buffer, so the variable
in the calling script is truncated after the call, as the
test script below shows.
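The clobbering described above, as an added example in plain C (not code from PHP or from this report): strip_quotes_inplace() reproduces the pre-patch pointer-into-the-buffer behaviour, strip_quotes_copy() reproduces the patch's length check plus private copy, and caller_len_after_inplace() shows the caller's string losing its last byte. The function names and the 256-byte scratch buffer are assumptions of the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pre-patch behaviour: return a pointer into s and overwrite the closing
 * quote with NUL, which truncates the caller's own string. */
static char *strip_quotes_inplace(char *s, size_t len)
{
    char *name = &s[1];
    name[len - 2] = '\0';
    return name;
}

/* Patched behaviour: accept only 'name' with at least one character inside
 * (Z_STRLEN_PP(tmp) > 2) and hand back a private copy the caller frees. */
static char *strip_quotes_copy(const char *s, size_t len)
{
    if (!(len > 2 && s[0] == '\'' && s[len - 1] == '\''))
        return NULL;
    char *name = malloc(len - 1);              /* len - 2 chars plus NUL */
    if (name == NULL)
        return NULL;
    memcpy(name, s + 1, len - 2);
    name[len - 2] = '\0';
    return name;
}

/* Runs the in-place version on a scratch copy of s and reports how long
 * the "caller's" string is afterwards (one byte short when the bug fires). */
static size_t caller_len_after_inplace(const char *s)
{
    char buf[256];
    size_t len = strlen(s);
    if (len < 2 || len >= sizeof buf)
        return 0;
    memcpy(buf, s, len + 1);
    strip_quotes_inplace(buf, len);
    return strlen(buf);
}

int main(void)
{
    const char *param = "'/home/torben/odbc.ini'";   /* value from the report */
    char *name = strip_quotes_copy(param, strlen(param));
    printf("copy: %s; caller still holds %s\n", name, param);
    printf("in place: caller keeps %zu of %zu bytes\n",
           caller_len_after_inplace(param), strlen(param));
    free(name);
    return 0;
}
```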


-----------------------------------------------------
Test script:

<?php /* -*- mode: c++; minor-mode: font -*- */
error_reporting(E_ALL);

/* Just using the default test settings for now. */
if (!$dbh = odbc_connect('myodbc3', 'root', '')) {
    echo "Could not connect: error: " . odbc_errormsg() . "\n";
    exit(1);
}

$query = 'insert into phptest (c) values(?)';

if (!$stmt = odbc_prepare($dbh, $query)) {
    echo "Prepare failed: error: " . odbc_errormsg() . "\n";
    exit(1);
}

/* Single quotes around the value make odbc_execute() treat it as a
   file to read; $filename and $params[0] share the same string. */
$filename = "'/home/torben/odbc.ini'";
$params = array($filename);

echo "Before: " . addslashes($filename) . "\n";

if (!$res = odbc_execute($stmt, $params)) {
    echo "Execute failed: error: " . odbc_errormsg() . "\n";
}

/* With the bug, the closing quote of $filename has become \0. */
echo "After: " . addslashes($filename) . "\n";

odbc_close($dbh);

?>


-----------------------------------------------------
Output:

Before: \'/home/torben/odbc.ini\'
After: \'/home/torben/odbc.ini\0


-----------------------------------------------------
Patch:

Index: php_odbc.c
===================================================================
RCS file: /repository/php4/ext/odbc/php_odbc.c,v
retrieving revision 1.115
diff -u -r1.115 php_odbc.c
--- php_odbc.c  30 Jan 2002 21:54:54 -0000      1.115
+++ php_odbc.c  12 Feb 2002 02:41:25 -0000
@@ -943,12 +943,13 @@
                        else
                                ctype = SQL_C_CHAR;
 
-                       if (Z_STRVAL_PP(tmp)[0] == '\'' && 
+                       if (Z_STRLEN_PP(tmp) > 2 &&
+                Z_STRVAL_PP(tmp)[0] == '\'' && 
                                Z_STRVAL_PP(tmp)[Z_STRLEN_PP(tmp) - 1] == '\'') {
-                               filename = &Z_STRVAL_PP(tmp)[1];
-                               filename[Z_STRLEN_PP(tmp) - 2] = '\0';
+                               filename = estrndup(&Z_STRVAL_PP(tmp)[1], 
+Z_STRLEN_PP(tmp) - 2);
+                               filename[strlen(filename)] = '\0';
 
-                if ((params[i-1].fp = open(filename,O_RDONLY)) == -1) {
+                               if ((params[i-1].fp = open(filename,O_RDONLY)) == -1) 
+{
                                        php_error(E_WARNING,"Can't open file %s", 
filename);
                                        SQLFreeStmt(result->stmt, SQL_RESET_PARAMS);
                                        for(i = 0; i < result->numparams; i++) {
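Review bot: the new `filename[strlen(filename)] = '\0';` line right after the estrndup() call is a no-op and can be dropped: estrndup() already NUL-terminates the copy, and strlen(filename) is exactly the index of that terminator, so the statement writes '\0' over '\0'. The added `Z_STRLEN_PP(tmp) > 2` guard also changes behaviour for the two-byte value `''`, which used to be treated as an empty filename and is now passed through as an ordinary string parameter; that deserves a sentence in the commit message. Finally, the hunk as pasted has been wrapped by the mail client (the `+{` line and the `+Z_STRLEN_PP(tmp) - 2);` continuation stand alone), so it will not apply with patch(1) without re-joining those lines.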
@@ -957,8 +958,11 @@
                                                }
                                        }
                                        efree(params);
+                                       efree(filename);
                                        RETURN_FALSE;
                                }
+
+                               efree(filename);
 
                                params[i-1].vallen = SQL_LEN_DATA_AT_EXEC(0);
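Review bot: the estrndup()'d buffer is now released on both exits of the block (the added efree(filename) before RETURN_FALSE and the one after the if), so the copy does not leak, but the lifetime is spread across two hunks and a future early return could easily miss it; consider moving the error-path efree(filename) directly after the php_error() call that is its last use, so the buffer's lifetime is visible in one place.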

-- 
Edit bug report at http://bugs.php.net/?id=15516&edit=1