iliaa           Wed Sep 28 18:34:06 2005 EDT

  Modified files:              (Branch: PHP_4_4)
    /php-src/main       php_variables.c 
    /php-src/ext/standard       string.c 
    /php-src    NEWS 
  Log:
  MFH: Fixed possible GLOBALS variable override when register_globals are ON.
  MFH: Fixed possible register_globals toggle via parse_str().
  
  
http://cvs.php.net/diff.php/php-src/main/php_variables.c?r1=1.45.2.13.2.2&r2=1.45.2.13.2.3&ty=u
Index: php-src/main/php_variables.c
diff -u php-src/main/php_variables.c:1.45.2.13.2.2 
php-src/main/php_variables.c:1.45.2.13.2.3
--- php-src/main/php_variables.c:1.45.2.13.2.2  Mon Jul 18 15:18:29 2005
+++ php-src/main/php_variables.c        Wed Sep 28 18:34:02 2005
@@ -16,7 +16,7 @@
    |          Zeev Suraski <[EMAIL PROTECTED]>                                |
    +----------------------------------------------------------------------+
  */
-/* $Id: php_variables.c,v 1.45.2.13.2.2 2005/07/18 19:18:29 iliaa Exp $ */
+/* $Id: php_variables.c,v 1.45.2.13.2.3 2005/09/28 22:34:02 iliaa Exp $ */
 
 #include <stdio.h>
 #include "php.h"
@@ -73,6 +73,10 @@
                symtable1 = Z_ARRVAL_P(track_vars_array);
        } else if (PG(register_globals)) {
                symtable1 = EG(active_symbol_table);
+               /* GLOBALS hijack attempt, reject parameter */
+               if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || 
!strncmp("GLOBALS", var, sizeof("GLOBALS[")-1) {
+                       return;
+               }
        }
        if (!symtable1) {
                /* Nothing to do */
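Review bot: The added condition in the `register_globals` branch does not parse as shown, because the opening `if (` is never closed. Its second `strncmp` also repeats the first: both compare eight bytes against the literal `"GLOBALS"`, terminator included, so only the exact name matches and an array-style name such as `GLOBALS[x]` is not rejected at this point. If the array form is meant to be caught here, the literal needs the bracket and the condition its closing parenthesis: `if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS[", var, sizeof("GLOBALS[")-1)) {`. This branch also returns without `zval_dtor(val);`, unlike the other early returns visible in this diff, so the value is presumably leaked on rejection. The enclosing function starts and ends outside the hunk.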
@@ -99,6 +103,13 @@
                zval_dtor(val);
                return;
        }
+
+       /* GLOBALS hijack attempt, reject parameter */
+       if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) {
+               zval_dtor(val);
+               return;
+       }
+
        /* ensure that we don't have spaces or dots in the variable name (not 
binary safe) */
        for (p=var; *p; p++) {
                switch(*p) {
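Review bot: The comment on this second check repeats the first one word for word and does not say why both are needed. The condition is keyed on `symtable1 == EG(active_symbol_table)` rather than on `PG(register_globals)`, so it presumably also covers the one-argument `parse_str()` path, which this same commit changes to pass the active symbol table as the destination. I would say so in the comment, for example `/* also reached via parse_str($s): the target is the active symbol table even when register_globals is off */`. The name-preparation code between the two checks is outside the hunk, so confirm that `var` is already cut at any `[` by the time this `strcmp` runs.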
http://cvs.php.net/diff.php/php-src/ext/standard/string.c?r1=1.333.2.52&r2=1.333.2.52.2.1&ty=u
Index: php-src/ext/standard/string.c
diff -u php-src/ext/standard/string.c:1.333.2.52 
php-src/ext/standard/string.c:1.333.2.52.2.1
--- php-src/ext/standard/string.c:1.333.2.52    Thu Jun  2 04:50:52 2005
+++ php-src/ext/standard/string.c       Wed Sep 28 18:34:04 2005
@@ -18,7 +18,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: string.c,v 1.333.2.52 2005/06/02 08:50:52 derick Exp $ */
+/* $Id: string.c,v 1.333.2.52.2.1 2005/09/28 22:34:04 iliaa Exp $ */
 
 /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
 
@@ -3179,7 +3179,6 @@
        zval *sarg;
        char *res = NULL;
        int argCount;
-       int old_rg;
 
        argCount = ARG_COUNT(ht);
        if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, 
&arg, &arrayArg) == FAILURE) {
@@ -3192,19 +3191,18 @@
                res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg));
        }
 
-       old_rg = PG(register_globals);
        if (argCount == 1) {
-               PG(register_globals) = 1;
-               sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC);
+               zval tmp;
+               Z_ARRVAL(tmp) = EG(active_symbol_table);
+
+               sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);
        } else  {
-               PG(register_globals) = 0;
                /* Clear out the array that was passed in. */
                zval_dtor(*arrayArg);
                array_init(*arrayArg);
                
                sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC);
        }
-       PG(register_globals) = old_rg;
 }
 /* }}} */
 
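Review bot: `tmp` in the one-argument branch is handed to `treat_data` with only its array pointer assigned, so its type and remaining fields are indeterminate stack contents. If anything downstream inspects the zval's type rather than only `Z_ARRVAL`, it reads an uninitialized value. Setting it explicitly before the call avoids that, e.g. `Z_TYPE(tmp) = IS_ARRAY;`. A one-line comment that `tmp` only borrows `EG(active_symbol_table)` and must never be passed to `zval_dtor` would also protect the symbol table from a later cleanup edit. The function begins outside the hunk.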
http://cvs.php.net/diff.php/php-src/NEWS?r1=1.1247.2.920.2.42&r2=1.1247.2.920.2.43&ty=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.1247.2.920.2.42 php-src/NEWS:1.1247.2.920.2.43
--- php-src/NEWS:1.1247.2.920.2.42      Tue Sep 27 11:08:43 2005
+++ php-src/NEWS        Wed Sep 28 18:34:04 2005
@@ -1,6 +1,9 @@
 PHP 4                                                                      NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2005, Version 4.4.1
+- Fixed possible GLOBALS variable override when register_globals are ON.
+  (Ilia, Stefan)
+- Fixed possible register_globals toggle via parse_str(). (Ilia, Stefan)
 - Added "new_link" parameter to mssql_connect(). Bug #34369. (Frank)
 - Fixed bug #34645 (ctype corrupts memory when validating large numbers). 
(Ilia)
 - Fixed bug #34565 (mb_send_mail does not fetch mail.force_extra_parameters).
