Fixed bug #26819 (http_build_query() crashes on NULL output).

Fixed bug #26817 (http_build_query() does not handle private & protected
object properties correctly).

5 files changed, 66 insertions, 8 deletions

diff --git a/NEWS b/NEWS
index b6a81d65a0..f076edb62c 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,9 @@ PHP                                                                        NEWS
   (Derick)
 - Fixed problems with longlong values in mysqli. (Georg)
 - Fixed class name case preserving of user defined classes. (Marcus)
+- Fixed bug #26819 (http_build_query() crashes on NULL output). (Ilia)
+- Fixed bug #26817 (http_build_query() does not handle private & protected 
+  object properties correctly). (Ilia)
 - Fixed bug #26762 (unserialize() produces lowercase classnames). (Marcus)
 - Fixed bug #26743 (getElementsByTagName doesn't work properly). (Rob)
 - Fixed bug #26736 (__autoload not invoked for parent classes). (Marcus)
diff --git a/ext/standard/http.c b/ext/standard/http.c
index ee52eef141..7bf2e50c37 100644
--- a/ext/standard/http.c
+++ b/ext/standard/http.c
@@ -1,4 +1,4 @@
-/* 
+/*
    +----------------------------------------------------------------------+
    | PHP Version 4                                                        |
    +----------------------------------------------------------------------+
@@ -28,7 +28,8 @@
 PHPAPI int php_url_encode_hash_ex(HashTable *ht, smart_str *formstr,
 				const char *num_prefix, int num_prefix_len,
 				const char *key_prefix, int key_prefix_len,
-				const char *key_suffix, int key_suffix_len TSRMLS_DC)
+				const char *key_suffix, int key_suffix_len,
+				zval *type TSRMLS_DC)
 {
 	char *arg_sep = NULL, *key = NULL, *ekey, *newprefix, *p;
 	int arg_sep_len, key_len, ekey_len, key_type, newprefix_len;
@@ -58,6 +59,18 @@ PHPAPI int php_url_encode_hash_ex(HashTable *ht, smart_str *formstr,
 			/* We don't want that trailing NULL */
 			key_len -= 1;
 		}
+	
+		/* handling for private & protected object properties */
+		if (*key == '\0' && type != NULL) {
+			zend_object *zobj = zend_objects_get_address(type TSRMLS_CC);
+			if (zend_check_property_access(zobj, key TSRMLS_CC) != SUCCESS) {
+				/* private or protected property access outside of the class */
+				continue;
+			}
+			char *tmp;
+			zend_unmangle_property_name(key, &tmp, &key);
+			key_len = strlen(key);		
+		}
 
 		if (zend_hash_get_current_data_ex(ht, (void **)&zdata, NULL) == FAILURE || !zdata || !(*zdata)) {
 			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error traversing form data array.");
@@ -113,7 +126,7 @@ PHPAPI int php_url_encode_hash_ex(HashTable *ht, smart_str *formstr,
 				*p = '\0';
 			}
 			ht->nApplyCount++;
-			php_url_encode_hash_ex(HASH_OF(*zdata), formstr, NULL, 0, newprefix, newprefix_len, "]", 1 TSRMLS_CC);
+			php_url_encode_hash_ex(HASH_OF(*zdata), formstr, NULL, 0, newprefix, newprefix_len, "]", 1, (Z_TYPE_PP(zdata) == IS_OBJECT ? *zdata : NULL) TSRMLS_CC);
 			ht->nApplyCount--;
 			efree(newprefix);
 		} else if (Z_TYPE_PP(zdata) == IS_NULL || Z_TYPE_PP(zdata) == IS_RESOURCE) {
@@ -134,7 +147,7 @@ PHPAPI int php_url_encode_hash_ex(HashTable *ht, smart_str *formstr,
 				if (num_prefix) {
 					smart_str_appendl(formstr, num_prefix, num_prefix_len);
 				}
-				ekey_len = spprintf(&ekey, 12, "%ld", idx); 
+				ekey_len = spprintf(&ekey, 12, "%ld", idx);
 				smart_str_appendl(formstr, ekey, ekey_len);
 				efree(ekey);
 			}
@@ -163,7 +176,7 @@ PHPAPI int php_url_encode_hash_ex(HashTable *ht, smart_str *formstr,
 			smart_str_appendl(formstr, ekey, ekey_len);
 			efree(ekey);
 		}
-	} 	
+	}
 
 	return SUCCESS;
 }
@@ -187,17 +200,23 @@ PHP_FUNCTION(http_build_query)
 		RETURN_FALSE;
 	}
 
-	if (php_url_encode_hash_ex(HASH_OF(formdata), &formstr, prefix, prefix_len, NULL, 0, NULL, 0 TSRMLS_CC) == FAILURE) {
+	if (php_url_encode_hash_ex(HASH_OF(formdata), &formstr, prefix, prefix_len, NULL, 0, NULL, 0, (Z_TYPE_P(formdata) == IS_OBJECT ? formdata : NULL) TSRMLS_CC) == FAILURE) {
 		if (formstr.c) {
 			efree(formstr.c);
 		}
 		RETURN_FALSE;
 	}
+
+	if (!formstr.c) {
+		RETURN_NULL();
+	}
+
 	smart_str_0(&formstr);
+	
 	RETURN_STRINGL(formstr.c, formstr.len, 0);
 }
 /* }}} */
- 
+
 /*
  * Local variables:
  * tab-width: 4
diff --git a/ext/standard/php_http.h b/ext/standard/php_http.h
index 60a52d6d2f..fa798d1d0d 100644
--- a/ext/standard/php_http.h
+++ b/ext/standard/php_http.h
@@ -27,7 +27,8 @@
 PHPAPI int php_url_encode_hash_ex(HashTable *ht, smart_str *formstr,
 				const char *num_prefix, int num_prefix_len,
 				const char *key_prefix, int key_prefix_len,
-				const char *key_suffix, int key_suffix_len TSRMLS_DC);
+				const char *key_suffix, int key_suffix_len, 
+				zval *type TSRMLS_DC);
 #define php_url_encode_hash(ht, formstr)	php_url_encode_hash_ex((ht), (formstr), NULL, 0, NULL, 0, NULL, 0 TSRMLS_CC)
 
 PHP_FUNCTION(http_build_query);
diff --git a/ext/standard/tests/strings/bug26817.phpt b/ext/standard/tests/strings/bug26817.phpt
new file mode 100644
index 0000000000..228348708c
--- /dev/null
+++ b/ext/standard/tests/strings/bug26817.phpt
@@ -0,0 +1,26 @@
+--TEST--
+Bug #26817 (http_build_query() did not handle private & protected object properties)
+--FILE--
+<?php
+class test { 
+	protected $foo;
+	private $bar;
+	public $test;
+
+	function foo()
+	{
+		$this->bar = 'meuh';
+		$this->foo = 'lala';
+		$this->test = 'test';
+
+		var_dump(http_build_query($this));
+	}
+}
+
+$obj = new test();
+$obj->foo();
+var_dump(http_build_query($obj));
+?>
+--EXPECT--
+string(27) "foo=lala&bar=meuh&test=test"
+string(9) "test=test"
diff --git a/ext/standard/tests/strings/bug26819.phpt b/ext/standard/tests/strings/bug26819.phpt
new file mode 100644
index 0000000000..4a53539434
--- /dev/null
+++ b/ext/standard/tests/strings/bug26819.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #26819 (http_build_query() crash on empty output)
+--FILE--
+<?php
+$a = array();
+var_dump(http_build_query($a));
+?>
+--EXPECT--
+NULL