Why not MFH to PHP_4_3 ? (or doesn't this apply there..? :)
--Jani
On Mon, 14 Feb 2005, Marcus Boerger wrote:
helly Mon Feb 14 15:58:25 2005 EDT
Modified files:
  /php-src/ext/standard var_unserializer.re
Log:
- Disallow illegal class names
http://cvs.php.net/diff.php/php-src/ext/standard/var_unserializer.re?r1=1.40&r2=1.41&ty=u Index: php-src/ext/standard/var_unserializer.re diff -u php-src/ext/standard/var_unserializer.re:1.40 php-src/ext/standard/var_unserializer.re:1.41 --- php-src/ext/standard/var_unserializer.re:1.40 Sun Jan 30 11:38:53 2005 +++ php-src/ext/standard/var_unserializer.re Mon Feb 14 15:58:22 2005 @@ -16,7 +16,7 @@ +----------------------------------------------------------------------+ */
-/* $Id: var_unserializer.re,v 1.40 2005/01/30 16:38:53 iliaa Exp $ */ +/* $Id: var_unserializer.re,v 1.41 2005/02/14 20:58:22 helly Exp $ */
#include "php.h" #include "ext/standard/php_var.h" @@ -473,7 +473,7 @@ }
"O:" uiv ":" ["] { - size_t len, len2, maxlen; + size_t len, len2, len3, maxlen; int elements; char *class_name; zend_class_entry *ce; @@ -506,6 +506,13 @@ return 0; }
+ len3 = strspn(class_name, "0123456789_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"); + if (len3 != len) + { + *p = YYCURSOR + len3 - len; + return 0; + } + class_name = estrndup(class_name, len);
do {
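Review bot: in the check added to the "O:" rule, strspn(class_name, ...) is not bounded by len. class_name is only copied with estrndup(class_name, len) after the check, so the scan runs until the first byte outside the set, wherever that is in the input, and a result larger than len makes "*p = YYCURSOR + len3 - len;" point past YYCURSOR. A loop over exactly len bytes would make the bound explicit and keep the error position inside the name. The accepted set is also ASCII only and allows a leading digit, whereas PHP identifiers may contain bytes 0x7f-0xff and may not start with a digit; a short comment saying which rule the set is meant to enforce would help. Style: the opening brace of the new if sits on its own line, unlike the "do {" that follows.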
