via long array variables, including (1) a large number of dimensions or
(2) long values, which prevents HTML tags from being removed.
-Patch pulled from cvs.php.net
+Patch based on php-CVE-2006-0996.patch + gcc 2.95 compilation fix from PHP CVS
---- php-5.1.2/ext/standard/info.c 2006/01/01 12:50:15 1.249.2.7
-+++ php-5.1.2/ext/standard/info.c 2006/03/30 19:58:18 1.249.2.9
-@@ -58,6 +58,21 @@
+--- php-4.4.2/ext/standard/info.c 2006-04-19 18:55:10.405669500 +0200
++++ php-4.4.2/ext/standard/info.c 2006-04-19 18:57:39.610994250 +0200
+@@ -58,6 +58,23 @@
PHPAPI extern char *php_ini_opened_path;
PHPAPI extern char *php_ini_scanned_files;
+
+static int php_info_write_wrapper(const char *str, uint str_length)
+{
++ int new_len, written;
++ char *elem_esc;
++
+ TSRMLS_FETCH();
+
-+ int new_len, written;
-+ char *elem_esc = php_escape_html_entities((char *)str, str_length, &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
++ elem_esc = php_escape_html_entities((char *)str, str_length, &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
+
+ written = php_body_write(elem_esc, new_len TSRMLS_CC);
+
/* {{{ _display_module_info
*/
-@@ -135,30 +150,13 @@
+@@ -133,23 +148,12 @@
PUTS(" => ");
}
if (Z_TYPE_PP(tmp) == IS_ARRAY) {
- zval *tmp3;
--
- MAKE_STD_ZVAL(tmp3);
--
if (!sapi_module.phpinfo_as_text) {
PUTS("<pre>");
- }
- php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
--
-- zend_print_zval_r(*tmp, 0 TSRMLS_CC);
--
+- zend_print_zval_r(*tmp, 0);
- php_ob_get_buffer(tmp3 TSRMLS_CC);
- php_end_ob_buffer(0, 0 TSRMLS_CC);
-
+- elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
+- PUTS(elem_esc);
+- efree(elem_esc);
+- zval_ptr_dtor(&tmp3);
+-
- if (!sapi_module.phpinfo_as_text) {
-- elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
-- PUTS(elem_esc);
-- efree(elem_esc);
+ zend_print_zval_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0);
PUTS("</pre>");
- } else {
-- PUTS(Z_STRVAL_P(tmp3));
-+ zend_print_zval_r(*tmp, 0 TSRMLS_CC);
++ } else {
++ zend_print_zval_r(*tmp, 0);
}
-- zval_ptr_dtor(&tmp3);
--
} else if (Z_TYPE_PP(tmp) != IS_STRING) {
tmp2 = **tmp;
- zval_copy_ctor(&tmp2);