[packages/php.git] / php-CVE-2006-0996.patch

Cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP 5.1.2
and 4.4.2 allows remote attackers to inject arbitrary web script or HTML
via long array variables, including (1) a large number of dimensions or
(2) long values, which prevents HTML tags from being removed.

Patch based on php-CVE-2006-0996.patch + gcc 2.95 compilation fix from PHP CVS

--- php-4.4.2/ext/standard/info.c	2006-04-19 18:55:10.405669500 +0200
+++ php-4.4.2/ext/standard/info.c	2006-04-19 18:57:39.610994250 +0200
@@ -58,6 +58,23 @@
 
 PHPAPI extern char *php_ini_opened_path;
 PHPAPI extern char *php_ini_scanned_files;
+	
+static int php_info_write_wrapper(const char *str, uint str_length)
+{
+	int new_len, written;
+	char *elem_esc;
+
+	TSRMLS_FETCH();
+
+	elem_esc = php_escape_html_entities((char *)str, str_length, &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
+
+	written = php_body_write(elem_esc, new_len TSRMLS_CC);
+
+	efree(elem_esc);
+
+	return written;
+}
+
 
 /* {{{ _display_module_info
  */
@@ -133,23 +148,12 @@
 				PUTS(" => ");
 			}
 			if (Z_TYPE_PP(tmp) == IS_ARRAY) {
-				zval *tmp3;
-				MAKE_STD_ZVAL(tmp3);
 				if (!sapi_module.phpinfo_as_text) {
 					PUTS("<pre>");
-				}
-				php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
-				zend_print_zval_r(*tmp, 0);
-				php_ob_get_buffer(tmp3 TSRMLS_CC);
-				php_end_ob_buffer(0, 0 TSRMLS_CC);
-				
-				elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
-				PUTS(elem_esc);
-				efree(elem_esc);
-				zval_ptr_dtor(&tmp3);
-
-				if (!sapi_module.phpinfo_as_text) {
+					zend_print_zval_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0);
 					PUTS("</pre>");
+				} else {
+					zend_print_zval_r(*tmp, 0);
 				}
 			} else if (Z_TYPE_PP(tmp) != IS_STRING) {
 				tmp2 = **tmp;
Commit	Line	Data
44606c9b	1	Cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP 5.1.2
	2	and 4.4.2 allows remote attackers to inject arbitrary web script or HTML
	3	via long array variables, including (1) a large number of dimensions or
	4	(2) long values, which prevents HTML tags from being removed.
	5
b1ac7c3c	6	Patch based on php-CVE-2006-0996.patch + gcc 2.95 compilation fix from PHP CVS
44606c9b	7
b1ac7c3c	8	--- php-4.4.2/ext/standard/info.c 2006-04-19 18:55:10.405669500 +0200
	9	+++ php-4.4.2/ext/standard/info.c 2006-04-19 18:57:39.610994250 +0200
	10	@@ -58,6 +58,23 @@
44606c9b	11
	12	PHPAPI extern char *php_ini_opened_path;
	13	PHPAPI extern char *php_ini_scanned_files;
	14	+
	15	+static int php_info_write_wrapper(const char *str, uint str_length)
	16	+{
b1ac7c3c	17	+ int new_len, written;
	18	+ char *elem_esc;
	19	+
44606c9b	20	+ TSRMLS_FETCH();
44606c9b	21	+
b1ac7c3c	22	+ elem_esc = php_escape_html_entities((char *)str, str_length, &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
44606c9b	23	+
	24	+ written = php_body_write(elem_esc, new_len TSRMLS_CC);
	25	+
	26	+ efree(elem_esc);
	27	+
	28	+ return written;
	29	+}
	30	+
	31
	32	/* {{{ _display_module_info
	33	*/
b1ac7c3c	34	@@ -133,23 +148,12 @@
44606c9b	35	PUTS(" => ");
	36	}
	37	if (Z_TYPE_PP(tmp) == IS_ARRAY) {
	38	- zval *tmp3;
44606c9b	39	- MAKE_STD_ZVAL(tmp3);
44606c9b	40	if (!sapi_module.phpinfo_as_text) {
	41	PUTS("<pre>");
	42	- }
	43	- php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
b1ac7c3c	44	- zend_print_zval_r(*tmp, 0);
44606c9b	45	- php_ob_get_buffer(tmp3 TSRMLS_CC);
	46	- php_end_ob_buffer(0, 0 TSRMLS_CC);
	47	-
b1ac7c3c	48	- elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
	49	- PUTS(elem_esc);
	50	- efree(elem_esc);
	51	- zval_ptr_dtor(&tmp3);
	52	-
44606c9b	53	- if (!sapi_module.phpinfo_as_text) {
44606c9b	54	+ zend_print_zval_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0);
44606c9b	55	PUTS("</pre>");
b1ac7c3c	56	+ } else {
b1ac7c3c	57	+ zend_print_zval_r(*tmp, 0);
44606c9b	58	}
44606c9b	59	} else if (Z_TYPE_PP(tmp) != IS_STRING) {
44606c9b	60	tmp2 = **tmp;