iliaa Mon Dec 5 22:13:53 2005 EDT Modified files: /php-src/main main.c Log: MFB51: Fixed possible XSS inside error reporting functionality. http://cvs.php.net/diff.php/php-src/main/main.c?r1=1.654&r2=1.655&ty=u Index: php-src/main/main.c diff -u php-src/main/main.c:1.654 php-src/main/main.c:1.655 --- php-src/main/main.c:1.654 Mon Dec 5 20:04:39 2005 +++ php-src/main/main.c Mon Dec 5 22:13:53 2005 @@ -18,7 +18,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: main.c,v 1.654 2005/12/06 01:04:39 sniper Exp $ */ +/* $Id: main.c,v 1.655 2005/12/06 03:13:53 iliaa Exp $ */ /* {{{ includes */ @@ -551,6 +551,7 @@ int buffer_len = 0; char *space; char *class_name = get_active_class_name(&space TSRMLS_CC); + int origin_len; char *function = NULL; char *origin; char *message; @@ -608,6 +609,13 @@ spprintf(&origin, 0, "%s", stage); } + if (PG(html_errors)) { + int len; + char *replace = php_escape_html_entities(origin, origin_len, &len, 0, ENT_COMPAT, NULL TSRMLS_CC); + efree(origin); + origin = replace; + } + /* origin and buffer available, so lets come up with the error message */ if (docref && docref[0] == '#') { docref_target = strchr(docref, '#'); 
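Review bot: `origin_len` is handed to `php_escape_html_entities` in the new `PG(html_errors)` block, but on the visible `spprintf(&origin, 0, "%s", stage);` path immediately above it the length is never assigned, and the declaration added in the previous hunk (`int origin_len;`) has no initializer, so the escape reads an uninitialized int on that path. Unless a branch outside this hunk sets it before every route into this block, the escaper is given a garbage length for `origin`, which can under- or over-read the buffer. The smallest fix is to capture the return value here, `origin_len = spprintf(&origin, 0, "%s", stage);`, and mirror it in whichever sibling branch formats `origin`; alternatively compute `strlen(origin)` right before the call, since spprintf NUL-terminates. The enclosing function starts and ends outside this hunk.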
@@ -877,10 +885,17 @@
} else {
char *prepend_string = INI_STR("error_prepend_string");
char *append_string = INI_STR("error_append_string");
- char *error_format = PG(html_errors) ?
- "%s<br />\n<b>%s</b>: %s in <b>%s</b> on line <b>%d</b><br />\n%s"
- : "%s\n%s: %s in %s on line %d\n%s";
- php_printf(error_format, STR_PRINT(prepend_string), error_type_str, buffer, error_filename, error_lineno, STR_PRINT(append_string));
+
+ if (PG(html_errors)) {
+ char *buf, *buf2;
+ int len2, len = spprintf(&buf, 0, "%s<br />\n<b>%s</b>: %s in <b>%s</b> on line <b>%d</b><br />\n%s", STR_PRINT(prepend_string), error_type_str, buffer, error_filename, error_lineno, STR_PRINT(append_string));
+ buf2 = php_escape_html_entities(buf, len, &len2, 0, ENT_COMPAT, NULL TSRMLS_CC);
+ php_printf("%s", buf2);
+ efree(buf);
+ efree(buf2);
+ } else {
+ php_printf("%s\n%s: %s in %s on line %d\n%s", STR_PRINT(prepend_string), error_type_str, buffer, error_filename, error_lineno, STR_PRINT(append_string));
+ }
}
}
#if ZEND_DEBUG
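Review bot: In the new `PG(html_errors)` branch the fully formatted message is passed through `php_escape_html_entities`, which also escapes the literal `<br />`/`<b>` markup of the format string and the admin-configured `error_prepend_string`/`error_append_string`, so the browser renders those tags as text and html_errors output stops being HTML. Only the attacker-influenced component needs escaping: escape `buffer` before formatting and pass the escaped copy to the original format, leaving the markup and the prepend/append strings intact (`error_filename` may deserve the same treatment, since it can come from an include path, but that is a judgement call). If the `buffer_len` declared in the earlier hunk is this function's length for `buffer` it can be used directly, otherwise `strlen(buffer)`. The enclosing function starts and ends outside this hunk.

```c
if (PG(html_errors)) {
	int len;
	char *esc = php_escape_html_entities(buffer, buffer_len, &len, 0, ENT_COMPAT, NULL TSRMLS_CC);
	php_printf("%s<br />\n<b>%s</b>: %s in <b>%s</b> on line <b>%d</b><br />\n%s", STR_PRINT(prepend_string), error_type_str, esc, error_filename, error_lineno, STR_PRINT(append_string));
	efree(esc);
} else {
	/* … unchanged: plain-text php_printf … */
}
```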