sesser Sun Sep 12 06:46:27 2004 EDT Modified files: (Branch: PHP_5_0) /php-src/main rfc1867.c Log: MFH http://cvs.php.net/diff.php/php-src/main/rfc1867.c?r1=1.159.2.2&r2=1.159.2.3&ty=u Index: php-src/main/rfc1867.c diff -u php-src/main/rfc1867.c:1.159.2.2 php-src/main/rfc1867.c:1.159.2.3 --- php-src/main/rfc1867.c:1.159.2.2 Wed Aug 11 00:29:26 2004 +++ php-src/main/rfc1867.c Sun Sep 12 06:46:27 2004 @@ -17,7 +17,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: rfc1867.c,v 1.159.2.2 2004/08/11 04:29:26 pollita Exp $ */ +/* $Id: rfc1867.c,v 1.159.2.3 2004/09/12 10:46:27 sesser Exp $ */ /* * This product includes software developed by the Apache Group @@ -939,6 +939,25 @@ } else { is_anonymous = 0; } + + /* New Rule: never repair potential malicious user input */ + if (!skip_upload) { + char *tmp = param; + long c = 0; + + while (*tmp) { + if (*tmp == '[') { + c++; + } else if (*tmp == ']') { + c--; + } + if (c < 0) { + skip_upload = 1; + break; + } + tmp++; + } + } if (!skip_upload) { /* Handle file */ @@ -1013,10 +1032,6 @@ * start_arr is set to point to 1st [ */ is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']'); - /* handle unterminated [ */ - if (!is_arr_upload && start_arr) { - *start_arr = '_'; - } if (is_arr_upload) { array_len = strlen(start_arr);
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php