ID: 22340 User updated by: tbrown at baremetal dot com Reported By: tbrown at baremetal dot com Status: Open Bug Type: CGI related Operating System: linux PHP Version: 4.3.1 New Comment:
sorry, forgot a few details... [tbrown@am3 /raid/home/tbrown/php4]$ uname -a Linux am3.baremetal.com 2.4.19 #1 SMP Fri Nov 1 20:43:44 PST 2002 i686 unknown [tbrown@am3 /raid/home/tbrown/php4]$ rpm -qi glibc Name : glibc Relocations: (not relocateable) Version : 2.2.4 Vendor: Red Hat, Inc. Release : 31 Build Date: Thu 10 Oct 2002 10:09:11 AM PDT Install date: Mon 18 Nov 2002 08:12:02 PM PST Build Host: stripples.devel.redhat.com Group : System Environment/Libraries Source RPM: glibc-2.2.4-31.src.rpm Size : 16370437 License: LGPL Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> Summary : The GNU libc libraries. Description : this C program demonstrates the problem... [root@am3 ~]# more putenv.c #include <stdio.h> #include <stdlib.h> int main( int argc, char *argv[] ) { char buf[] = "TEST=initial value"; putenv(buf); printf("done store...\n"); printf("getenv(TEST) returns: %s\n", getenv("TEST")); strcpy(buf,"TEST=new val"); printf("done update...\n"); printf("getenv(TEST) returns: %s\n", getenv("TEST")); } [root@am3 ~]# ./a.out done store... getenv(TEST) returns: initial value done update... getenv(TEST) returns: new val Previous Comments: ------------------------------------------------------------------------ [2003-02-20 17:05:36] tbrown at baremetal dot com the symptom is that with register_globals=on some variables are being incorrectly initialized. This seems to be because the are being initialized from the environment instead from _POST The environment is messed up, because the values passed to putenv() are being free'd an the memory is being recycled... it happens that the contents of the POST data are being copied into that location... e.g. username=admin&password=password&LOGIN=+++Login+++ this shows up as an environment variable username, with the value admin&password=password&LOGIN=+++Login+++ which stomps on the POST value of "admin" ... the fix seems to be cvs diff -u sapi/cgi/cgi_main.c Index: sapi/cgi/cgi_main.c =================================================================== RCS file: /repository/php4/sapi/cgi/cgi_main.c,v retrieving revision 1.190.2.9.4.2 diff -u -u -r1.190.2.9.4.2 cgi_main.c --- sapi/cgi/cgi_main.c 15 Feb 2003 22:56:04 -0000 1.190.2.9.4.2 +++ sapi/cgi/cgi_main.c 20 Feb 2003 23:04:14 -0000 @@ -388,7 +388,7 @@ /* if cgi, or fastcgi and not found in fcgi env check the regular environment */ putenv(buf); - efree(buf); + /* Not safe! and in CGI, not a leak: efree(buf); */ return 0; } although I don't know enough about fast-cgi to know if that is a memory leak or not... ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=22340&edit=1
