iliaa Wed Feb 16 23:44:12 2005 EDT Modified files: /php-src/main php_variables.c Log: Fixed bug #31440 ($GLOBALS can be overwritten via GPC when register_globals is enabled). http://cvs.php.net/diff.php/php-src/main/php_variables.c?r1=1.84&r2=1.85&ty=u Index: php-src/main/php_variables.c diff -u php-src/main/php_variables.c:1.84 php-src/main/php_variables.c:1.85 --- php-src/main/php_variables.c:1.84 Sun Oct 24 13:41:13 2004 +++ php-src/main/php_variables.c Wed Feb 16 23:44:11 2005 @@ -17,7 +17,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: php_variables.c,v 1.84 2004/10/24 17:41:13 iliaa Exp $ */ +/* $Id: php_variables.c,v 1.85 2005/02/17 04:44:11 iliaa Exp $ */ #include <stdio.h> #include "php.h" @@ -539,6 +539,7 @@ ulong num_key; HashPosition pos; int key_type; + int globals_check = (PG(register_globals) && (dest == (&EG(symbol_table)))); zend_hash_internal_pointer_reset_ex(src, &pos); while (zend_hash_get_current_data_ex(src, (void **)&src_entry, &pos) == SUCCESS) { @@ -549,7 +550,12 @@ || Z_TYPE_PP(dest_entry) != IS_ARRAY) { (*src_entry)->refcount++; if (key_type == HASH_KEY_IS_STRING) { - zend_hash_update(dest, string_key, strlen(string_key)+1, src_entry, sizeof(zval *), NULL); + /* if register_globals is on and working with main symbol table, prevent overwriting of GLOBALS */ + if (!globals_check || string_key_len != sizeof("GLOBALS") || memcmp(string_key, "GLOBALS", sizeof("GLOBALS") - 1)) { + zend_hash_update(dest, string_key, string_key_len, src_entry, sizeof(zval *), NULL); + } else { + (*src_entry)->refcount--; + } } else { zend_hash_index_update(dest, num_key, src_entry, sizeof(zval *), NULL); }
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php