Commit | Line | Data |
---|---|---|
9dc20e17 AG |
1 | Cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP 5.1.2 |
2 | and 4.4.2 allows remote attackers to inject arbitrary web script or HTML | |
3 | via long array variables, including (1) a large number of dimensions or | |
4 | (2) long values, which prevents HTML tags from being removed. | |
5 | ||
6 | Patch pulled from cvs.php.net | |
7 | ||
8 | --- php-5.1.2/ext/standard/info.c 2006/01/01 12:50:15 1.249.2.7 | |
9 | +++ php-5.1.2/ext/standard/info.c 2006/03/30 19:58:18 1.249.2.9 | |
10 | @@ -18,7 +18,7 @@ | |
11 | +----------------------------------------------------------------------+ | |
12 | */ | |
13 | ||
14 | -/* $Id$ */ | |
15 | +/* $Id$ */ | |
16 | ||
17 | #include "php.h" | |
18 | #include "php_ini.h" | |
19 | @@ -58,6 +58,21 @@ | |
20 | ||
21 | PHPAPI extern char *php_ini_opened_path; | |
22 | PHPAPI extern char *php_ini_scanned_files; | |
23 | + | |
24 | +static int php_info_write_wrapper(const char *str, uint str_length) | |
25 | +{ | |
26 | + TSRMLS_FETCH(); | |
27 | + | |
28 | + int new_len, written; | |
29 | + char *elem_esc = php_escape_html_entities((char *)str, str_length, &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC); | |
30 | + | |
31 | + written = php_body_write(elem_esc, new_len TSRMLS_CC); | |
32 | + | |
33 | + efree(elem_esc); | |
34 | + | |
35 | + return written; | |
36 | +} | |
37 | + | |
38 | ||
39 | /* {{{ _display_module_info | |
40 | */ | |
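Review bot: `php_info_write_wrapper` calls `TSRMLS_FETCH();` before the `int new_len, written;` declarations, so a build where that macro expands to nothing gets an empty statement ahead of declarations, which a strict C89 compiler rejects. Declare `char *elem_esc;` with the other locals, then call `TSRMLS_FETCH();`, then assign `elem_esc = php_escape_html_entities(...)`. The function returns the escaped byte count from `php_body_write`, not `str_length`, so a caller that treats the result as input bytes consumed would see a mismatch; whether any caller does is not visible in this hunk. The `(char *)str` cast drops `const`, and the `NULL` charset hint leaves the escaping dependent on the default charset. A one-line header comment such as `/* write callback: HTML-escapes each fragment before php_body_write() */` would record both why the wrapper exists and that it is the only escaping on this path.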
41 | @@ -135,30 +150,13 @@ | |
42 | PUTS(" => "); | |
43 | } | |
44 | if (Z_TYPE_PP(tmp) == IS_ARRAY) { | |
45 | - zval *tmp3; | |
46 | - | |
47 | - MAKE_STD_ZVAL(tmp3); | |
48 | - | |
49 | if (!sapi_module.phpinfo_as_text) { | |
50 | PUTS("<pre>"); | |
51 | - } | |
52 | - php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC); | |
53 | - | |
54 | - zend_print_zval_r(*tmp, 0 TSRMLS_CC); | |
55 | - | |
56 | - php_ob_get_buffer(tmp3 TSRMLS_CC); | |
57 | - php_end_ob_buffer(0, 0 TSRMLS_CC); | |
58 | - | |
59 | - if (!sapi_module.phpinfo_as_text) { | |
60 | - elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC); | |
61 | - PUTS(elem_esc); | |
62 | - efree(elem_esc); | |
63 | + zend_print_zval_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0); | |
64 | PUTS("</pre>"); | |
65 | } else { | |
66 | - PUTS(Z_STRVAL_P(tmp3)); | |
67 | + zend_print_zval_r(*tmp, 0 TSRMLS_CC); | |
68 | } | |
69 | - zval_ptr_dtor(&tmp3); | |
70 | - | |
71 | } else if (Z_TYPE_PP(tmp) != IS_STRING) { | |
72 | tmp2 = **tmp; | |
73 | zval_copy_ctor(&tmp2); |
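Review bot: The HTML branch now depends entirely on `zend_print_zval_ex` sending every byte of the array dump, including keys and values at any nesting depth, through `php_info_write_wrapper`. That is not visible in this hunk, and the function is defined in another file. If any nested output is emitted through the default writer instead, it reaches the page unescaped, so this wants a regression test with markup in both a key and a value of a nested array. The two branches also call different printers (`zend_print_zval_ex` for HTML, `zend_print_zval_r` for text), so it is worth confirming that the HTML output keeps the same print_r-style layout. The `(zend_write_func_t)` cast would hide a signature mismatch if the typedef ever changes; if the wrapper already matches the typedef, pass it without the cast. The enclosing function starts and ends outside the hunk.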