From: [EMAIL PROTECTED] Operating system: Debian testing PHP version: 4.0CVS-2002-02-11 PHP Bug Type: ODBC related Bug description: odbc_execute() param clobber fix (Patch included)
----------------------------------------------------- Synopsis: odbc_execute() has some undocumented functionality: if a parameter is given enclosed in single-quotes, that param is taken as the name of a file to read and send instead of the actual parameter string. In the above case, odbc_execute() will replace the last character of the passed parameter with \0. ----------------------------------------------------- Test script: <?php /* -*- mode: c++; minor-mode: font -*- */ error_reporting(E_ALL); /* Just using the default test settings for now. */ if (!$dbh = odbc_connect('myodbc3', 'root', '')) { echo "Could not connect: error: " . odbc_errormsg() . "\n"; } $query = 'insert into phptest (c) values(?)'; if (!$stmt = odbc_prepare($dbh, $query)) { echo "Prepare failed: error: " . odbc_errormsg() . "\n"; } $filename = "'/home/torben/odbc.ini'"; $params = array($filename); echo "Before: " . addslashes($filename) . "\n"; if (!$res = odbc_execute($stmt, $params)) { echo "Execute failed: error: " . odbc_errormsg() . "\n"; } echo "After: " . addslashes($filename) . "\n"; odbc_close($dbh); ?> ----------------------------------------------------- Output: Before: \'/home/torben/odbc.ini\' After: \'/home/torben/odbc.ini\0 ----------------------------------------------------- Patch: Index: php_odbc.c =================================================================== RCS file: /repository/php4/ext/odbc/php_odbc.c,v retrieving revision 1.115 diff -u -r1.115 php_odbc.c --- php_odbc.c 30 Jan 2002 21:54:54 -0000 1.115 +++ php_odbc.c 12 Feb 2002 02:41:25 -0000 
@@ -943,12 +943,13 @@ else ctype = SQL_C_CHAR; - if (Z_STRVAL_PP(tmp)[0] == '\'' && + if (Z_STRLEN_PP(tmp) > 2 && + Z_STRVAL_PP(tmp)[0] == '\'' && Z_STRVAL_PP(tmp)[Z_STRLEN_PP(tmp) - 1] == '\'') { - filename = &Z_STRVAL_PP(tmp)[1]; - filename[Z_STRLEN_PP(tmp) - 2] = '\0'; + filename = estrndup(&Z_STRVAL_PP(tmp)[1], +Z_STRLEN_PP(tmp) - 2); + filename[strlen(filename)] = '\0'; - if ((params[i-1].fp = open(filename,O_RDONLY)) == -1) { + if ((params[i-1].fp = open(filename,O_RDONLY)) == -1) +{ php_error(E_WARNING,"Can't open file %s", filename); SQLFreeStmt(result->stmt, SQL_RESET_PARAMS); for(i = 0; i < result->numparams; i++) { @@ -957,8 +958,11 @@ } } efree(params); + efree(filename); RETURN_FALSE; } + + efree(filename); params[i-1].vallen = SQL_LEN_DATA_AT_EXEC(0); -- Edit bug report at http://bugs.php.net/?id=15516&edit=1 -- Fixed in CVS: http://bugs.php.net/fix.php?id=15516&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=15516&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=15516&r=needtrace Try newer version: http://bugs.php.net/fix.php?id=15516&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=15516&r=support Expected behavior: http://bugs.php.net/fix.php?id=15516&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=15516&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=15516&r=submittedtwice
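Review bot: The added line `filename[strlen(filename)] = '\0';` in the first hunk is a no-op: `estrndup()` already returns a NUL-terminated copy, and `strlen(filename)` is exactly the index of that terminator, so the store rewrites a byte that is already zero; it should simply be dropped, since the copy itself is what stops the original parameter string from being clobbered. The `efree(filename)` added on both the error path (second hunk) and the success path is correct as far as the visible lines show, because `filename` is only needed for the `open()` and the warning message, and the error branch returns before the second free. The new `Z_STRLEN_PP(tmp) > 2` guard still leaves the quoted-filename trigger implicit, so a caller that forwards externally supplied values as parameters may have them read from a file instead of sent as data; a short comment above the condition such as `/* a parameter of the form 'path' is read from that file, not sent literally */` would make this behaviour visible to the next maintainer. The enclosing function starts before the first hunk and ends after the second.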