diff options
| author | Dmitry Stogov <dmitry@zend.com> | 2013-11-29 12:53:02 +0400 |
|---|---|---|
| committer | Dmitry Stogov <dmitry@zend.com> | 2013-11-29 12:53:02 +0400 |
| commit | 2d31eadbbf147a157cb4a0c89adaf30fee7371f0 (patch) | |
| tree | 39f777d2f9e4fa0c4bc5bcb5e7f091a8d25d07f6 | |
| parent | d22cc5c816fdb6017ce9e22b4594d1566939e4ec (diff) | |
| download | php-git-2d31eadbbf147a157cb4a0c89adaf30fee7371f0.tar.gz | |
Added validation of class names in the autoload process
| -rw-r--r-- | NEWS | 3 | ||||
| -rw-r--r-- | Zend/zend_execute_API.c | 8 | ||||
| -rw-r--r-- | tests/classes/autoload_021.phpt | 13 |
3 files changed, 24 insertions, 0 deletions
@@ -2,6 +2,9 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2013, PHP 5.4.24 +- Core: + . Added validation of class names in the autoload process. (Dmitry) + - Date: . Fixed bug #66060 (Heap buffer over-read in DateInterval). (Remi) . Fixed bug #63391 (Incorrect/inconsistent day of week prior to the year diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c index 6fa7e9bafb..93746b799f 100644 --- a/Zend/zend_execute_API.c +++ b/Zend/zend_execute_API.c @@ -1081,6 +1081,14 @@ ZEND_API int zend_lookup_class_ex(const char *name, int name_length, const zend_ return FAILURE; } + /* Verify class name before passing it to __autoload() */ + if (strspn(name, "0123456789_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\177\200\201\202\203\204\205\206\207\210\211\212\213\214\215\216\217\220\221\222\223\224\225\226\227\230\231\232\233\234\235\236\237\240\241\242\243\244\245\246\247\250\251\252\253\254\255\256\257\260\261\262\263\264\265\266\267\270\271\272\273\274\275\276\277\300\301\302\303\304\305\306\307\310\311\312\313\314\315\316\317\320\321\322\323\324\325\326\327\330\331\332\333\334\335\336\337\340\341\342\343\344\345\346\347\350\351\352\353\354\355\356\357\360\361\362\363\364\365\366\367\370\371\372\373\374\375\376\377\\") != name_length) { + if (!key) { + free_alloca(lc_free, use_heap); + } + return FAILURE; + } + if (EG(in_autoload) == NULL) { ALLOC_HASHTABLE(EG(in_autoload)); zend_hash_init(EG(in_autoload), 0, NULL, NULL, 0); diff --git a/tests/classes/autoload_021.phpt b/tests/classes/autoload_021.phpt new file mode 100644 index 0000000000..13562b4000 --- /dev/null +++ b/tests/classes/autoload_021.phpt @@ -0,0 +1,13 @@ +--TEST-- +Validation of class names in the autoload process +--FILE-- +<?php +function __autoload($name) { + echo "$name\n"; +} +$a = "../BUG"; +$x = new $a; +echo "BUG\n"; +?> +--EXPECTF-- +Fatal error: Class '../BUG' not found in %sautoload_021.php on line 6 |