authorDerick Rethans <derick@php.net>2006-06-28 13:12:09 +0000
committerDerick Rethans <derick@php.net>2006-06-28 13:12:09 +0000
commitb2f943dea35c4da222d86a51306be1b6abfa129d (patch)
treeef3f04b244d8ac4c2e9743d9fa1c17eeb7195739
parent90862d7e7f6ba481977a5bf6e71108219529b74f (diff)
downloadphp-git-b2f943dea35c4da222d86a51306be1b6abfa129d.tar.gz
- MF51: Fixed XSS inside phpinfo() with long inputs.
-rw-r--r--NEWS3
-rw-r--r--ext/standard/info.c34
2 files changed, 22 insertions, 15 deletions
diff --git a/NEWS b/NEWS
index 53e8fdcd70..db6dcab546 100644
--- a/NEWS
+++ b/NEWS
@@ -1,7 +1,8 @@
PHP 4 NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-?? ??? 2006, Version 4.4.3
+?? Jun 2006, Version 4.4.3RC2
- Fixed handling of extremely long paths inside tempnam() function. (Ilia)
+- Fixed XSS inside phpinfo() with long inputs. (Ilia)
- Fixed bug #37720 (merge_php_config scrambles values). (Mike,
pumuckel at metropolis dot de)
- Fixed bug #37569 (WDDX incorrectly encodes high-ascii characters). (Ilia)
diff --git a/ext/standard/info.c b/ext/standard/info.c
index 6b41f10408..6aa803abeb 100644
--- a/ext/standard/info.c
+++ b/ext/standard/info.c
@@ -58,6 +58,23 @@ ZEND_EXTERN_MODULE_GLOBALS(iconv)
PHPAPI extern char *php_ini_opened_path;
PHPAPI extern char *php_ini_scanned_files;
+
+static int php_info_write_wrapper(const char *str, uint str_length)
+{
+ int new_len, written;
+ char *elem_esc;
+
+ TSRMLS_FETCH();
+
+ elem_esc = php_escape_html_entities((char *)str, str_length, &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
+
+ written = php_body_write(elem_esc, new_len TSRMLS_CC);
+
+ efree(elem_esc);
+
+ return written;
+}
+
/* {{{ _display_module_info
*/
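Review bot: php_info_write_wrapper has no header comment and no `{{{` / `}}}` fold markers, unlike `_display_module_info` directly below it, even though it is the single point where print_r-style output is HTML-escaped. I would add `/* {{{ php_info_write_wrapper: HTML-escape each chunk (ENT_QUOTES) before php_body_write(); for HTML-mode phpinfo() output only */` above the function and `/* }}} */` after its closing brace. The comment should also say that the function returns whatever php_body_write() reports for the escaped buffer, not `str_length`, so anyone reusing it as a write callback knows the two can differ. Stating the "HTML mode only" restriction matters because using the wrapper on the text path would emit entity-encoded text.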
@@ -133,23 +150,12 @@ static void php_print_gpcse_array(char *name, uint name_length TSRMLS_DC)
PUTS(" => ");
}
if (Z_TYPE_PP(tmp) == IS_ARRAY) {
- zval *tmp3;
- MAKE_STD_ZVAL(tmp3);
if (!sapi_module.phpinfo_as_text) {
PUTS("<pre>");
- }
- php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
- zend_print_zval_r(*tmp, 0);
- php_ob_get_buffer(tmp3 TSRMLS_CC);
- php_end_ob_buffer(0, 0 TSRMLS_CC);
-
- elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
- PUTS(elem_esc);
- efree(elem_esc);
- zval_ptr_dtor(&tmp3);
-
- if (!sapi_module.phpinfo_as_text) {
+ zend_print_zval_r_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0);
PUTS("</pre>");
+ } else {
+ zend_print_zval_r(*tmp, 0);
}
} else if (Z_TYPE_PP(tmp) != IS_STRING) {
tmp2 = **tmp;
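Review bot: The `(zend_write_func_t)` cast on the `zend_print_zval_r_ex` call suppresses the compiler's check that `php_info_write_wrapper` really has the callback's type, and that typedef is not visible in this diff. If the wrapper's signature already matches, I would drop the cast and write `zend_print_zval_r_ex(php_info_write_wrapper, *tmp, 0);`, so a later change to either side becomes a compile error instead of a call through an incompatible function pointer. That matters here because this call is the escaping path for the HTML output. php_print_gpcse_array starts and ends outside the hunk, so whether `elem_esc` is still used elsewhere in it cannot be judged from these lines.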