php-CVE-2006-0996.patch

   1 Cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP 5.1.2
   2 and 4.4.2 allows remote attackers to inject arbitrary web script or HTML
   3 via long array variables, including (1) a large number of dimensions or
   4 (2) long values, which prevents HTML tags from being removed.
   5
   6 Patch pulled from cvs.php.net
   7
   8 --- php-5.1.2/ext/standard/info.c       2006/01/01 12:50:15     1.249.2.7
   9 +++ php-5.1.2/ext/standard/info.c       2006/03/30 19:58:18     1.249.2.9
  10 @@ -58,6 +58,21 @@
  11
  12  PHPAPI extern char *php_ini_opened_path;
  13  PHPAPI extern char *php_ini_scanned_files;
  14 +
  15 +static int php_info_write_wrapper(const char *str, uint str_length)
  16 +{
  17 +       TSRMLS_FETCH();
  18 +
  19 +       int new_len, written;
  20 +       char *elem_esc = php_escape_html_entities((char *)str, str_length, &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
  21 +
  22 +       written = php_body_write(elem_esc, new_len TSRMLS_CC);
  23 +
  24 +       efree(elem_esc);
  25 +
  26 +       return written;
  27 +}
  28 +
  29
  30  /* {{{ _display_module_info
  31   */
  32 @@ -135,30 +150,13 @@
  33                                 PUTS(" => ");
  34                         }
  35                         if (Z_TYPE_PP(tmp) == IS_ARRAY) {
  36 -                               zval *tmp3;
  37 -
  38 -                               MAKE_STD_ZVAL(tmp3);
  39 -
  40                                 if (!sapi_module.phpinfo_as_text) {
  41                                         PUTS("<pre>");
  42 -                               }
  43 -                               php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
  44 -
  45 -                               zend_print_zval_r(*tmp, 0 TSRMLS_CC);
  46 -
  47 -                               php_ob_get_buffer(tmp3 TSRMLS_CC);
  48 -                               php_end_ob_buffer(0, 0 TSRMLS_CC);
  49 -
  50 -                               if (!sapi_module.phpinfo_as_text) {
  51 -                                       elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
  52 -                                       PUTS(elem_esc);
  53 -                                       efree(elem_esc);
  54 +                                       zend_print_zval_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0);
  55                                         PUTS("</pre>");
  56                                 } else {
  57 -                                       PUTS(Z_STRVAL_P(tmp3));
  58 +                                       zend_print_zval_r(*tmp, 0 TSRMLS_CC);
  59                                 }
  60 -                               zval_ptr_dtor(&tmp3);
  61 -
  62                         } else if (Z_TYPE_PP(tmp) != IS_STRING) {
  63                                 tmp2 = **tmp;
  64                                 zval_copy_ctor(&tmp2);