Commit | Line | Data |
---|---|---|
44606c9b | 1 | Cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP 5.1.2 |
2 | and 4.4.2 allows remote attackers to inject arbitrary web script or HTML | |
3 | via long array variables, including (1) a large number of dimensions or | |
4 | (2) long values, which prevents HTML tags from being removed. | |
5 | ||
b1ac7c3c | 6 | Patch based on php-CVE-2006-0996.patch + gcc 2.95 compilation fix from PHP CVS |
44606c9b | 7 | |
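--- a/php-4.4.2/ext/standard/info.c
+++ b/php-4.4.2/ext/standard/info.c
@@ -58,6 +58,23 @@
 
 PHPAPI extern char *php_ini_opened_path;
 PHPAPI extern char *php_ini_scanned_files;
+
+static int php_info_write_wrapper(const char *str, uint str_length)
+{
+ int new_len, written;
+ char *elem_esc;
+
+ TSRMLS_FETCH();
+
+ elem_esc = php_escape_html_entities((char *)str, str_length, &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
+
+ written = php_body_write(elem_esc, new_len TSRMLS_CC);
+
+ efree(elem_esc);
+
+ return written;
+}
+
 
 /* {{{ _display_module_info
 */
@@ -133,23 +148,12 @@
 PUTS(" => ");
 }
 if (Z_TYPE_PP(tmp) == IS_ARRAY) {
- zval *tmp3;
- MAKE_STD_ZVAL(tmp3);
 if (!sapi_module.phpinfo_as_text) {
 PUTS("<pre>");
- }
- php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
- zend_print_zval_r(*tmp, 0);
- php_ob_get_buffer(tmp3 TSRMLS_CC);
- php_end_ob_buffer(0, 0 TSRMLS_CC);
-
- elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
- PUTS(elem_esc);
- efree(elem_esc);
- zval_ptr_dtor(&tmp3);
-
- if (!sapi_module.phpinfo_as_text) {
+ zend_print_zval_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0);
 PUTS("</pre>");
+ } else {
+ zend_print_zval_r(*tmp, 0);
 }
 } else if (Z_TYPE_PP(tmp) != IS_STRING) {
 tmp2 = **tmp;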
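Review bot: The new `else` branch in the second hunk sends `zend_print_zval_r(*tmp, 0)` to the output with no escaping, whereas the removed code ran array dumps through `php_info_html_esc` whatever the value of `sapi_module.phpinfo_as_text`; the XSS fix therefore depends on that flag being set only where the output is never rendered as HTML, and a comment such as `/* text mode: output is not HTML, so no entity escaping */` on that branch would record the assumption. In the first hunk, `php_info_write_wrapper` returns the escaped length from `php_body_write` rather than `str_length`, which may surprise a `zend_write_func_t` caller that compares the result with the byte count it passed in. The `(zend_write_func_t)` cast at the call site would also hide any future mismatch between the wrapper's signature and the typedef, so if the types already agree it is safer to drop the cast. The function enclosing the second hunk starts and ends outside it, so whether its `elem_esc` local is still used cannot be confirmed from here.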