[PHP-CVS] cvs: php-src(PHP_5_0) /main rfc1867.c

Sun, 12 Sep 2004 03:46:28 -0700 

sesser          Sun Sep 12 06:46:27 2004 EDT

  Modified files:              (Branch: PHP_5_0)
    /php-src/main       rfc1867.c 
  Log:
  MFH
  
  
  
http://cvs.php.net/diff.php/php-src/main/rfc1867.c?r1=1.159.2.2&r2=1.159.2.3&ty=u
Index: php-src/main/rfc1867.c
diff -u php-src/main/rfc1867.c:1.159.2.2 php-src/main/rfc1867.c:1.159.2.3
--- php-src/main/rfc1867.c:1.159.2.2    Wed Aug 11 00:29:26 2004
+++ php-src/main/rfc1867.c      Sun Sep 12 06:46:27 2004
@@ -17,7 +17,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: rfc1867.c,v 1.159.2.2 2004/08/11 04:29:26 pollita Exp $ */
+/* $Id: rfc1867.c,v 1.159.2.3 2004/09/12 10:46:27 sesser Exp $ */
 
 /*
  *  This product includes software developed by the Apache Group
@@ -939,6 +939,25 @@
                        } else {
                                is_anonymous = 0;
                        }
+                       
+                       /* New Rule: never repair potential malicious user input */
+                       if (!skip_upload) {
+                               char *tmp = param;
+                               long c = 0;
+                               
+                               while (*tmp) {
+                                       if (*tmp == '[') {
+                                               c++;
+                                       } else if (*tmp == ']') {
+                                               c--;
+                                       }
+                                       if (c < 0) {
+                                               skip_upload = 1;
+                                               break;
+                                       }
+                                       tmp++;                          
+                               }
+                       }
 
                        if (!skip_upload) {
                                /* Handle file */
@@ -1013,10 +1032,6 @@
                         * start_arr is set to point to 1st [
                         */
                        is_arr_upload = (start_arr = strchr(param,'[')) && 
(param[strlen(param)-1] == ']');
-                       /* handle unterminated [ */
-                       if (!is_arr_upload && start_arr) {
-                               *start_arr = '_';
-                       }
 
                        if (is_arr_upload) {
                                array_len = strlen(start_arr);

-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to