[packages/php.git] / php-CVE-2006-0996.patch

Cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP 5.1.2
and 4.4.2 allows remote attackers to inject arbitrary web script or HTML
via long array variables, including (1) a large number of dimensions or
(2) long values, which prevents HTML tags from being removed.

Patch pulled from cvs.php.net

--- php-5.1.2/ext/standard/info.c	2006/01/01 12:50:15	1.249.2.7
+++ php-5.1.2/ext/standard/info.c	2006/03/30 19:58:18	1.249.2.9
@@ -18,7 +18,7 @@
    +----------------------------------------------------------------------+
 */
 
-/* $Id$ */
+/* $Id$ */
 
 #include "php.h"
 #include "php_ini.h"
@@ -58,6 +58,21 @@
 
 PHPAPI extern char *php_ini_opened_path;
 PHPAPI extern char *php_ini_scanned_files;
+	
+static int php_info_write_wrapper(const char *str, uint str_length)
+{
+	TSRMLS_FETCH();
+
+	int new_len, written;
+	char *elem_esc = php_escape_html_entities((char *)str, str_length, &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
+
+	written = php_body_write(elem_esc, new_len TSRMLS_CC);
+
+	efree(elem_esc);
+
+	return written;
+}
+
 
 /* {{{ _display_module_info
  */
@@ -135,30 +150,13 @@
 				PUTS(" => ");
 			}
 			if (Z_TYPE_PP(tmp) == IS_ARRAY) {
-				zval *tmp3;
-
-				MAKE_STD_ZVAL(tmp3);
-
 				if (!sapi_module.phpinfo_as_text) {
 					PUTS("<pre>");
-				}
-				php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
-				
-				zend_print_zval_r(*tmp, 0 TSRMLS_CC);
-				
-				php_ob_get_buffer(tmp3 TSRMLS_CC);
-				php_end_ob_buffer(0, 0 TSRMLS_CC);
-				
-				if (!sapi_module.phpinfo_as_text) {
-					elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
-					PUTS(elem_esc);
-					efree(elem_esc);
+					zend_print_zval_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0);
 					PUTS("</pre>");
 				} else {
-					PUTS(Z_STRVAL_P(tmp3));
+					zend_print_zval_r(*tmp, 0 TSRMLS_CC);
 				}
-				zval_ptr_dtor(&tmp3);
-
 			} else if (Z_TYPE_PP(tmp) != IS_STRING) {
 				tmp2 = **tmp;
 				zval_copy_ctor(&tmp2);
Commit	Line	Data
9dc20e17 AG	1	Cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP 5.1.2
	2	and 4.4.2 allows remote attackers to inject arbitrary web script or HTML
	3	via long array variables, including (1) a large number of dimensions or
	4	(2) long values, which prevents HTML tags from being removed.
	5
	6	Patch pulled from cvs.php.net
	7
	8	--- php-5.1.2/ext/standard/info.c 2006/01/01 12:50:15 1.249.2.7
	9	+++ php-5.1.2/ext/standard/info.c 2006/03/30 19:58:18 1.249.2.9
	10	@@ -18,7 +18,7 @@
	11	+----------------------------------------------------------------------+
	12	*/
	13
	14	-/* $Id$ */
	15	+/* $Id$ */
	16
	17	#include "php.h"
	18	#include "php_ini.h"
	19	@@ -58,6 +58,21 @@
	20
	21	PHPAPI extern char *php_ini_opened_path;
	22	PHPAPI extern char *php_ini_scanned_files;
	23	+
	24	+static int php_info_write_wrapper(const char *str, uint str_length)
	25	+{
	26	+ TSRMLS_FETCH();
	27	+
	28	+ int new_len, written;
	29	+ char elem_esc = php_escape_html_entities((char )str, str_length, &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
	30	+
	31	+ written = php_body_write(elem_esc, new_len TSRMLS_CC);
	32	+
	33	+ efree(elem_esc);
	34	+
	35	+ return written;
	36	+}
	37	+
	38
	39	/* {{{ _display_module_info
	40	*/
	41	@@ -135,30 +150,13 @@
	42	PUTS(" => ");
	43	}
	44	if (Z_TYPE_PP(tmp) == IS_ARRAY) {
	45	- zval *tmp3;
	46	-
	47	- MAKE_STD_ZVAL(tmp3);
	48	-
	49	if (!sapi_module.phpinfo_as_text) {
	50	PUTS("<pre>");
	51	- }
	52	- php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
	53	-
	54	- zend_print_zval_r(*tmp, 0 TSRMLS_CC);
	55	-
	56	- php_ob_get_buffer(tmp3 TSRMLS_CC);
	57	- php_end_ob_buffer(0, 0 TSRMLS_CC);
	58	-
	59	- if (!sapi_module.phpinfo_as_text) {
	60	- elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
	61	- PUTS(elem_esc);
	62	- efree(elem_esc);
	63	+ zend_print_zval_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0);
	64	PUTS("</pre>");
65	} else {
66	- PUTS(Z_STRVAL_P(tmp3));
67	+ zend_print_zval_r(*tmp, 0 TSRMLS_CC);
68	}
69	- zval_ptr_dtor(&tmp3);
70	-
71	} else if (Z_TYPE_PP(tmp) != IS_STRING) {
72	tmp2 = **tmp;
73	zval_copy_ctor(&tmp2);