iliaa Thu Mar 30 19:16:12 2006 UTC
Modified files: (Branch: PHP_5_1)
/php-src NEWS
/php-src/ext/standard info.c
Log:
Fixed XSS inside phpinfo() with long inputs.
http://cvs.php.net/viewcvs.cgi/php-src/NEWS?r1=1.2027.2.488&r2=1.2027.2.489&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.2027.2.488 php-src/NEWS:1.2027.2.489
--- php-src/NEWS:1.2027.2.488 Wed Mar 29 14:28:40 2006
+++ php-src/NEWS Thu Mar 30 19:16:12 2006
@@ -1,6 +1,7 @@
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? Mar 2006, PHP 5.1.3RC2
+- Fixed XSS inside phpinfo() with long inputs. (Ilia)
- Check 2nd parameter of tempnam() against path components. (Ilia)
- Fixed Apache2 SAPIs header handler modifying header strings. (Mike)
- Allowed 'auto_globals_jit' work together with 'register_argc_argv'. (Dmitry)
http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/info.c?r1=1.249.2.7&r2=1.249.2.8&diff_format=u
Index: php-src/ext/standard/info.c
diff -u php-src/ext/standard/info.c:1.249.2.7
php-src/ext/standard/info.c:1.249.2.8
--- php-src/ext/standard/info.c:1.249.2.7 Sun Jan 1 12:50:15 2006
+++ php-src/ext/standard/info.c Thu Mar 30 19:16:12 2006
@@ -18,7 +18,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: info.c,v 1.249.2.7 2006/01/01 12:50:15 sniper Exp $ */
+/* $Id: info.c,v 1.249.2.8 2006/03/30 19:16:12 iliaa Exp $ */
#include "php.h"
#include "php_ini.h"
@@ -58,6 +58,21 @@
PHPAPI extern char *php_ini_opened_path;
PHPAPI extern char *php_ini_scanned_files;
+
+static int php_info_write_wrapper(const char *str, uint str_length)
+{
+ TSRMLS_FETCH();
+
+ int new_len, written;
+ char *elem_esc = php_escape_html_entities((char *)str, str_length,
&new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
+
+ written = php_body_write(elem_esc, new_len TSRMLS_CC);
+
+ efree(elem_esc);
+
+ return written;
+}
+
/* {{{ _display_module_info
*/
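Review bot: In php_info_write_wrapper, `TSRMLS_FETCH();` comes before the `int new_len, written;` and `char *elem_esc = ...` declarations. If the macro expands to nothing in non-thread-safe builds, that leaves a bare `;` statement ahead of declarations, which strict C89 compilers reject. Declaring `char *elem_esc;` with the other locals, then `TSRMLS_FETCH();`, then assigning `elem_esc = php_escape_html_entities(...)` avoids this. The `(char *)str` cast also drops the parameter's `const`, so it is worth confirming the escape routine never writes through its input. A short comment above the function, such as `/* HTML-escapes each chunk as it is written, so nothing reaches the client unescaped */`, would record why the escaping lives in the write callback.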
@@ -135,30 +150,13 @@
PUTS(" => ");
}
if (Z_TYPE_PP(tmp) == IS_ARRAY) {
- zval *tmp3;
-
- MAKE_STD_ZVAL(tmp3);
-
if (!sapi_module.phpinfo_as_text) {
PUTS("<pre>");
- }
- php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
-
- zend_print_zval_r(*tmp, 0 TSRMLS_CC);
-
- php_ob_get_buffer(tmp3 TSRMLS_CC);
- php_end_ob_buffer(0, 0 TSRMLS_CC);
-
- if (!sapi_module.phpinfo_as_text) {
- elem_esc =
php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
- PUTS(elem_esc);
- efree(elem_esc);
+ zend_print_zval_ex((zend_write_func_t)
php_info_write_wrapper, *tmp, 0 TSRMLS_CC);
PUTS("</pre>");
} else {
- PUTS(Z_STRVAL_P(tmp3));
+ zend_print_zval_r(*tmp, 0 TSRMLS_CC);
}
- zval_ptr_dtor(&tmp3);
-
} else if (Z_TYPE_PP(tmp) != IS_STRING) {
tmp2 = **tmp;
zval_copy_ctor(&tmp2);
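Review bot: The `(zend_write_func_t)` cast on `php_info_write_wrapper` in the `zend_print_zval_ex` call would hide any mismatch between the wrapper's signature and the callback type. If the types already agree, passing `php_info_write_wrapper` without the cast lets the compiler keep checking that. No test is visible in this commit mail; a regression test that sends an array value longer than the old 4096-byte buffer chunk, containing markup characters, through phpinfo() and checks that the HTML output is entity-escaped would guard this path. The enclosing function starts and ends outside the hunk, so the `!= IS_STRING` branch that follows and any other branches cannot be checked from here and should be confirmed to escape their output as well.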