sesser Sat Mar 8 10:20:12 2003 EDT
Modified files:
/php4/main main.c
Log:
fix possible XSS in error messages
Index: php4/main/main.c
diff -u php4/main/main.c:1.536 php4/main/main.c:1.537
--- php4/main/main.c:1.536 Fri Mar 7 00:15:26 2003
+++ php4/main/main.c Sat Mar 8 10:20:12 2003
@@ -18,7 +18,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: main.c,v 1.536 2003/03/07 05:15:26 sniper Exp $ */
+/* $Id: main.c,v 1.537 2003/03/08 15:20:12 sesser Exp $ */
/* {{{ includes
*/
@@ -439,6 +439,14 @@
buffer_len = vspprintf(&buffer, 0, format, args);
if (buffer) {
+ if (PG(html_errors)) {
+ int len;
+ char *replace = php_escape_html_entities(buffer, buffer_len,
&len, 0, ENT_COMPAT, NULL TSRMLS_CC);
+ efree(buffer);
+ buffer = replace;
+ buffer_len = len;
+ }
+
if (docref && docref[0] == '#') {
docref_target = strchr(docref, '#');
docref = NULL;
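Review bot: The escaping added at the top of the `if (buffer)` block is keyed on `html_errors`, not on the sink the text is about to reach, so with html_errors on the entity-encoded `buffer` feeds everything php_verror does with it afterwards (the docref handling that follows and, presumably, any logged copy of the message), putting `&lt;`/`&quot;` sequences into non-HTML output such as the error log. The result of `php_escape_html_entities` is assigned to `buffer` without a NULL check; that is presumably safe because emalloc bails out on OOM in PHP 4, but the contract should be stated at the assignment, e.g. `/* from here on buffer is HTML-escaped whenever html_errors is set; keep it that way for any sink that emits HTML */`. A more robust shape keeps the raw string and escapes at the HTML output site only. The enclosing function (php_verror, judging from the docref handling) starts before and continues past this hunk.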
@@ -571,6 +579,14 @@
TSRMLS_FETCH();
buffer_len = vspprintf(&buffer, PG(log_errors_max_len), format, args);
+ if (PG(html_errors)) {
+ int len;
+ char *replace = php_escape_html_entities(buffer, buffer_len, &len, 0,
ENT_COMPAT, NULL TSRMLS_CC);
+ efree(buffer);
+ buffer = replace;
+ buffer_len = len;
+ }
+
if (PG(ignore_repeated_errors)) {
if (strncmp(last_error.buf, buffer, sizeof(last_error.buf))
|| (!PG(ignore_repeated_source)
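Review bot: The new block escapes every message that reaches php_error_cb while html_errors is on, including the ones php_verror has just escaped earlier in this same commit; if php_verror delivers its composed message through php_error_cb (its tail is outside this hunk), an `&` from user input is rendered as `&amp;amp;`, and any markup php_verror adds for the html_errors docref link would be entity-encoded as well. The escaping also runs before the repeated-error comparison and before any logging that follows, so the error log receives entity-encoded text and the buffer can grow past the `log_errors_max_len` bound that vspprintf just enforced on the line above. A safer shape is to escape only at the HTML display site, keeping `buffer` raw for logging, and to restrict it to messages that did not pass through php_verror, e.g. `if (PG(html_errors) && (type == E_ERROR || type == E_PARSE)) {` assuming `type` is php_error_cb's error-type parameter. php_error_cb starts before and continues past this hunk.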