- new - binary safeness in html_decode()
[packages/php.git] / php-CVE-2006-0996.patch
1 Cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP 5.1.2
2 and 4.4.2 allows remote attackers to inject arbitrary web script or HTML
3 via long array variables, including (1) a large number of dimensions or
4 (2) long values, which prevents HTML tags from being removed.
5
6 Patch pulled from cvs.php.net
7
8 --- php-5.1.2/ext/standard/info.c       2006/01/01 12:50:15     1.249.2.7
9 +++ php-5.1.2/ext/standard/info.c       2006/03/30 19:58:18     1.249.2.9
10 @@ -18,7 +18,7 @@
11     +----------------------------------------------------------------------+
12  */
13  
14 -/* $Id$ */
15 +/* $Id$ */
16  
17  #include "php.h"
18  #include "php_ini.h"
19 @@ -58,6 +58,21 @@
20  
21  PHPAPI extern char *php_ini_opened_path;
22  PHPAPI extern char *php_ini_scanned_files;
23 +       
24 +static int php_info_write_wrapper(const char *str, uint str_length)
25 +{
26 +       TSRMLS_FETCH();
27 +
28 +       int new_len, written;
29 +       char *elem_esc = php_escape_html_entities((char *)str, str_length, &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
30 +
31 +       written = php_body_write(elem_esc, new_len TSRMLS_CC);
32 +
33 +       efree(elem_esc);
34 +
35 +       return written;
36 +}
37 +
38  
39  /* {{{ _display_module_info
40   */
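Review bot: `php_info_write_wrapper` is added without a comment or the `/* {{{ name */` fold marker that `_display_module_info` carries just below it, so nothing records that it is the escaping boundary for phpinfo's array output. I would add a header such as `/* {{{ php_info_write_wrapper: write callback that HTML-escapes each chunk (ENT_QUOTES, length-based) before php_body_write */` and close it with `/* }}} */`. `TSRMLS_FETCH();` also sits ahead of `int new_len, written;`; if the macro expands to nothing in non-thread-safe builds, that leaves an empty statement before the declarations, so moving it below them is safer for C89 compilers. The function returns the escaped byte count rather than `str_length`, which is worth confirming against whatever the print routine does with the callback's return value.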
41 @@ -135,30 +150,13 @@
42                                 PUTS(" => ");
43                         }
44                         if (Z_TYPE_PP(tmp) == IS_ARRAY) {
45 -                               zval *tmp3;
46 -
47 -                               MAKE_STD_ZVAL(tmp3);
48 -
49                                 if (!sapi_module.phpinfo_as_text) {
50                                         PUTS("<pre>");
51 -                               }
52 -                               php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
53 -                               
54 -                               zend_print_zval_r(*tmp, 0 TSRMLS_CC);
55 -                               
56 -                               php_ob_get_buffer(tmp3 TSRMLS_CC);
57 -                               php_end_ob_buffer(0, 0 TSRMLS_CC);
58 -                               
59 -                               if (!sapi_module.phpinfo_as_text) {
60 -                                       elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
61 -                                       PUTS(elem_esc);
62 -                                       efree(elem_esc);
63 +                                       zend_print_zval_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0);
64                                         PUTS("</pre>");
65                                 } else {
66 -                                       PUTS(Z_STRVAL_P(tmp3));
67 +                                       zend_print_zval_r(*tmp, 0 TSRMLS_CC);
68                                 }
69 -                               zval_ptr_dtor(&tmp3);
70 -
71                         } else if (Z_TYPE_PP(tmp) != IS_STRING) {
72                                 tmp2 = **tmp;
73                                 zval_copy_ctor(&tmp2);
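Review bot: The HTML branch now prints through `zend_print_zval_ex` while the text branch keeps `zend_print_zval_r`, so the two modes may no longer produce the same array layout inside `<pre>`. If this tree has a write-callback variant of `zend_print_zval_r`, using it here would keep the escaping fix without changing the format. The `(zend_write_func_t)` cast on `php_info_write_wrapper` looks unnecessary if the wrapper's signature already matches the typedef, and it would hide a mismatch should either side change; `zend_print_zval_ex(php_info_write_wrapper, *tmp, 0);` lets the compiler check it. The enclosing function starts and ends outside this hunk, so the string and scalar branches that follow should be checked separately for the same length-based escaping.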