Commit | Line | Data |
---|---|---|
44606c9b | 1 | Cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP 5.1.2 |
2 | and 4.4.2 allows remote attackers to inject arbitrary web script or HTML | |
3 | via long array variables, including (1) a large number of dimensions or | |
4 | (2) long values, which prevents HTML tags from being removed. | |
5 | ||
6 | Patch pulled from cvs.php.net | |
7 | ||
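--- php-5.1.2/ext/standard/info.c 2006/01/01 12:50:15 1.249.2.7
+++ php-5.1.2/ext/standard/info.c 2006/03/30 19:58:18 1.249.2.9
@@ -58,6 +58,21 @@
 
 PHPAPI extern char *php_ini_opened_path;
 PHPAPI extern char *php_ini_scanned_files;
+
+static int php_info_write_wrapper(const char *str, uint str_length)
+{
+ TSRMLS_FETCH();
+
+ int new_len, written;
+ char *elem_esc = php_escape_html_entities((char *)str, str_length, &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
+
+ written = php_body_write(elem_esc, new_len TSRMLS_CC);
+
+ efree(elem_esc);
+
+ return written;
+}
+
 
 /* {{{ _display_module_info
 */
@@ -135,30 +150,13 @@
 PUTS(" => ");
 }
 if (Z_TYPE_PP(tmp) == IS_ARRAY) {
- zval *tmp3;
-
- MAKE_STD_ZVAL(tmp3);
-
 if (!sapi_module.phpinfo_as_text) {
 PUTS("<pre>");
- }
- php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
-
- zend_print_zval_r(*tmp, 0 TSRMLS_CC);
-
- php_ob_get_buffer(tmp3 TSRMLS_CC);
- php_end_ob_buffer(0, 0 TSRMLS_CC);
-
- if (!sapi_module.phpinfo_as_text) {
- elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
- PUTS(elem_esc);
- efree(elem_esc);
+ zend_print_zval_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0);
 PUTS("</pre>");
 } else {
- PUTS(Z_STRVAL_P(tmp3));
+ zend_print_zval_r(*tmp, 0 TSRMLS_CC);
 }
- zval_ptr_dtor(&tmp3);
-
 } else if (Z_TYPE_PP(tmp) != IS_STRING) {
 tmp2 = **tmp;
 zval_copy_ctor(&tmp2);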
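Review bot: In the HTML branch of the second hunk the array is printed with `zend_print_zval_ex`, while the text branch and the removed code use `zend_print_zval_r`; if the `_ex` variant is the flat printer rather than the recursive one, the `<pre>` output changes format as a side effect of the security fix, and a write-callback form of the recursive printer would keep the old layout. The cast in `(zend_write_func_t) php_info_write_wrapper` would also hide any later signature mismatch from the compiler, so it is better dropped if the prototype already matches. `php_info_write_wrapper` returns the escaped byte count from `php_body_write`, not `str_length`, which matters if any caller of the write callback compares the result with the length it passed in. I would add above the wrapper `/* Escapes each chunk before it reaches php_body_write(); do not go back to buffering the output and escaping it afterwards. */` so the per-write escaping is not refactored away. The function containing the second hunk starts and ends outside the hunk.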