]> git.pld-linux.org Git - packages/php.git/blobdiff - php-CVE-2006-0996.patch
projects / packages / php.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
This commit was manufactured by cvs2git to create branch 'RA-
[packages/php.git] / php-CVE-2006-0996.patch
diff --git a/php-CVE-2006-0996.patch b/php-CVE-2006-0996.patch
new file mode 100644 (file)
index 0000000..5a721da
--- /dev/null
+++ b/php-CVE-2006-0996.patch
@@ -0,0 +1,64 @@
+Cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP 5.1.2
+and 4.4.2 allows remote attackers to inject arbitrary web script or HTML
+via long array variables, including (1) a large number of dimensions or
+(2) long values, which prevents HTML tags from being removed.
+
+Patch pulled from cvs.php.net
+
+--- php-5.1.2/ext/standard/info.c      2006/01/01 12:50:15     1.249.2.7
++++ php-5.1.2/ext/standard/info.c      2006/03/30 19:58:18     1.249.2.9
+@@ -58,6 +58,21 @@
+ PHPAPI extern char *php_ini_opened_path;
+ PHPAPI extern char *php_ini_scanned_files;
++      
++static int php_info_write_wrapper(const char *str, uint str_length)
++{
++      TSRMLS_FETCH();
++
++      int new_len, written;
++      char *elem_esc = php_escape_html_entities((char *)str, str_length, &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
++
++      written = php_body_write(elem_esc, new_len TSRMLS_CC);
++
++      efree(elem_esc);
++
++      return written;
++}
++
+ /* {{{ _display_module_info
+  */
+@@ -135,30 +150,13 @@
+                               PUTS(" => ");
+                       }
+                       if (Z_TYPE_PP(tmp) == IS_ARRAY) {
+-                              zval *tmp3;
+-
+-                              MAKE_STD_ZVAL(tmp3);
+-
+                               if (!sapi_module.phpinfo_as_text) {
+                                       PUTS("<pre>");
+-                              }
+-                              php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
+-                              
+-                              zend_print_zval_r(*tmp, 0 TSRMLS_CC);
+-                              
+-                              php_ob_get_buffer(tmp3 TSRMLS_CC);
+-                              php_end_ob_buffer(0, 0 TSRMLS_CC);
+-                              
+-                              if (!sapi_module.phpinfo_as_text) {
+-                                      elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
+-                                      PUTS(elem_esc);
+-                                      efree(elem_esc);
++                                      zend_print_zval_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0);
+                                       PUTS("</pre>");
+                               } else {
+-                                      PUTS(Z_STRVAL_P(tmp3));
++                                      zend_print_zval_r(*tmp, 0 TSRMLS_CC);
+                               }
+-                              zval_ptr_dtor(&tmp3);
+-
+                       } else if (Z_TYPE_PP(tmp) != IS_STRING) {
+                               tmp2 = **tmp;
+                               zval_copy_ctor(&tmp2);
PHP: Hypertext Preprocessor
This page took 0.030653 seconds and 4 git commands to generate.