Fix for CVE-2012-1823

author: Rasmus Lerdorf <rasmus@php.net> 2012-05-03 15:51:52 +0200
committer: Johannes Schlüter <johannes@php.net> 2012-05-03 15:51:52 +0200
commit: 29300b1f9dab068d477b241d8fd872e3a7c829b3 (patch)
tree: b1ebde9d5e3cffbe3b97d0959989bc89e9e219f3
parent: 704bbb3263d0ec9a6b4a767bbc516e55388f4b0e (diff)
download: php-git-29300b1f9dab068d477b241d8fd872e3a7c829b3.tar.gz
1 files changed, 14 insertions, 1 deletions
diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
index dfd77e49d3..bb37aba882 100644
--- a/sapi/cgi/cgi_main.c
+++ b/sapi/cgi/cgi_main.c
@@ -70,6 +70,7 @@
 #include "php_main.h"
 #include "fopen_wrappers.h"
 #include "ext/standard/php_standard.h"
+#include "ext/standard/url.h"
 
 #ifdef PHP_WIN32
 # include <io.h>
@@ -1507,6 +1508,9 @@ int main(int argc, char *argv[])
 #ifndef PHP_WIN32
 	int status = 0;
 #endif
+	char *query_string;
+	char *decoded_query_string;
+	int skip_getopt = 0;
 
 #if 0 && defined(PHP_DEBUG)
 	/* IIS is always making things more difficult.  This allows
@@ -1556,7 +1560,16 @@ int main(int argc, char *argv[])
 		}
 	}
 
-	while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 0, 2)) != -1) {
+	if(query_string = getenv("QUERY_STRING")) {
+		decoded_query_string = strdup(query_string);
+		php_url_decode(decoded_query_string, strlen(decoded_query_string));
+		if(*decoded_query_string == '-' && strchr(decoded_query_string, '=') == NULL) {
+			skip_getopt = 1;
+		}
+		free(decoded_query_string);
+	}
+
+	while (!skip_getopt && (c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 0, 2)) != -1) {
 		switch (c) {
 			case 'c':
 				if (cgi_sapi_module.php_ini_path_override) {
author	Rasmus Lerdorf <rasmus@php.net>	2012-05-03 15:51:52 +0200
committer	Johannes Schlüter <johannes@php.net>	2012-05-03 15:51:52 +0200
commit	29300b1f9dab068d477b241d8fd872e3a7c829b3 (patch)
tree	b1ebde9d5e3cffbe3b97d0959989bc89e9e219f3
parent	704bbb3263d0ec9a6b4a767bbc516e55388f4b0e (diff)
download	php-git-29300b1f9dab068d477b241d8fd872e3a7c829b3.tar.gz