ID: 22340 User updated by: tbrown at baremetal dot com Reported By: tbrown at baremetal dot com -Status: Feedback +Status: Open Bug Type: CGI related Operating System: linux PHP Version: 4.3.1 New Comment:
yes, it does look like it is fixed in php4-STABLE-200302210830 and that fix is a bit better, since it doesn't keep "delete requests" around. Previous Comments: ------------------------------------------------------------------------ [2003-02-21 03:14:26] [EMAIL PROTECTED] Please try using this CVS snapshot: http://snaps.php.net/php4-STABLE-latest.tar.gz For Windows: http://snaps.php.net/win32/php4-win32-STABLE-latest.zip This should be fixed already.. ------------------------------------------------------------------------ [2003-02-20 17:21:54] tbrown at baremetal dot com On the problem machine, this is enough to reproduce the problem... it is fairly finicky though, as to be expected for a memory layout issue... the spaces in the submit button value are significant... <?php if ($username) { // system("/var/www/cgi-bin/printenv"); print "ENV[username] = $_ENV[username] <br>\n"; print "POST[username] = $_POST[username] <br>\n"; } ?> <form method=post> <input name=username value=admin8020> <input name=password value=password> <input type="submit" name="LOGIN" value=" Login "> </form> the result is. ENV[username] = admin&password=password&LOGIN=+++Login+++ POST[username] = admin ------------------------------------------------------------------------ [2003-02-20 17:09:33] tbrown at baremetal dot com sorry, forgot a few details... [tbrown@am3 /raid/home/tbrown/php4]$ uname -a Linux am3.baremetal.com 2.4.19 #1 SMP Fri Nov 1 20:43:44 PST 2002 i686 unknown [tbrown@am3 /raid/home/tbrown/php4]$ rpm -qi glibc Name : glibc Relocations: (not relocateable) Version : 2.2.4 Vendor: Red Hat, Inc. Release : 31 Build Date: Thu 10 Oct 2002 10:09:11 AM PDT Install date: Mon 18 Nov 2002 08:12:02 PM PST Build Host: stripples.devel.redhat.com Group : System Environment/Libraries Source RPM: glibc-2.2.4-31.src.rpm Size : 16370437 License: LGPL Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> Summary : The GNU libc libraries. Description : this C program demonstrates the problem... [root@am3 ~]# more putenv.c #include <stdio.h> #include <stdlib.h> int main( int argc, char *argv[] ) { char buf[] = "TEST=initial value"; putenv(buf); printf("done store...\n"); printf("getenv(TEST) returns: %s\n", getenv("TEST")); strcpy(buf,"TEST=new val"); printf("done update...\n"); printf("getenv(TEST) returns: %s\n", getenv("TEST")); } [root@am3 ~]# ./a.out done store... getenv(TEST) returns: initial value done update... getenv(TEST) returns: new val ------------------------------------------------------------------------ [2003-02-20 17:05:36] tbrown at baremetal dot com the symptom is that with register_globals=on some variables are being incorrectly initialized. This seems to be because the are being initialized from the environment instead from _POST The environment is messed up, because the values passed to putenv() are being free'd an the memory is being recycled... it happens that the contents of the POST data are being copied into that location... e.g. username=admin&password=password&LOGIN=+++Login+++ this shows up as an environment variable username, with the value admin&password=password&LOGIN=+++Login+++ which stomps on the POST value of "admin" ... the fix seems to be cvs diff -u sapi/cgi/cgi_main.c Index: sapi/cgi/cgi_main.c =================================================================== RCS file: /repository/php4/sapi/cgi/cgi_main.c,v retrieving revision 1.190.2.9.4.2 diff -u -u -r1.190.2.9.4.2 cgi_main.c --- sapi/cgi/cgi_main.c 15 Feb 2003 22:56:04 -0000 1.190.2.9.4.2 +++ sapi/cgi/cgi_main.c 20 Feb 2003 23:04:14 -0000 @@ -388,7 +388,7 @@ /* if cgi, or fastcgi and not found in fcgi env check the regular environment */ putenv(buf); - efree(buf); + /* Not safe! and in CGI, not a leak: efree(buf); */ return 0; } although I don't know enough about fast-cgi to know if that is a memory leak or not... ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=22340&edit=1
