sesser Sun Sep 12 06:45:15 2004 EDT
Modified files:
/php-src/main rfc1867.c
Log:
New Rule: Never try to repair potential malicious user input
http://cvs.php.net/diff.php/php-src/main/rfc1867.c?r1=1.161&r2=1.162&ty=u
Index: php-src/main/rfc1867.c
diff -u php-src/main/rfc1867.c:1.161 php-src/main/rfc1867.c:1.162
--- php-src/main/rfc1867.c:1.161 Wed Aug 11 00:27:01 2004
+++ php-src/main/rfc1867.c Sun Sep 12 06:45:14 2004
@@ -17,7 +17,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: rfc1867.c,v 1.161 2004/08/11 04:27:01 pollita Exp $ */
+/* $Id: rfc1867.c,v 1.162 2004/09/12 10:45:14 sesser Exp $ */
/*
* This product includes software developed by the Apache Group
@@ -939,6 +939,25 @@
} else {
is_anonymous = 0;
}
+
+ /* New Rule: never repair potential malicious user input */
+ if (!skip_upload) {
+ char *tmp = param;
+ long c = 0;
+
+ while (*tmp) {
+ if (*tmp == '[') {
+ c++;
+ } else if (*tmp == ']') {
+ c--;
+ }
+ if (c < 0) {
+ skip_upload = 1;
+ break;
+ }
+ tmp++;
+ }
+ }
if (!skip_upload) {
/* Handle file */
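Review bot: The added loop under `if (!skip_upload)` rejects a field name only when a `]` appears before its matching `[` (`c < 0`); a name that ends with an open `[` leaves the loop with `c > 0` and is still accepted, and since the `*start_arr = '_'` repair is dropped in the later hunk, such a name now reaches the non-array path with the bracket intact — confirm that the variable-registration code downstream tolerates that, or reject it here as well with `if (c != 0) { skip_upload = 1; }` placed after the loop. The rejection is also silent: the upload is discarded with no diagnostic, which makes the new rule hard to observe from logs; consider emitting a warning through the file's existing upload-error reporting path (hedged, as that path is outside this hunk). The comment `/* New Rule: never repair potential malicious user input */` states the policy but not the check; something like `/* Reject names whose ']' precedes its '[' instead of rewriting them; the earlier '_' repair let a malformed name be silently renamed */` would tell the next maintainer what the loop actually enforces. The enclosing function starts and ends outside this hunk.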
@@ -1013,10 +1032,6 @@
* start_arr is set to point to 1st [
*/
is_arr_upload = (start_arr = strchr(param,'[')) &&
(param[strlen(param)-1] == ']');
- /* handle unterminated [ */
- if (!is_arr_upload && start_arr) {
- *start_arr = '_';
- }
if (is_arr_upload) {
array_len = strlen(start_arr);