authorStanislav Malyshev <stas@php.net>2012-05-07 12:08:36 -0700
committerJohannes Schlüter <johannes@php.net>2012-05-08 11:15:23 +0200
commit46d9cc3de9f2def8ab84d0b83cc89b6f85d7506a (patch)
tree9cb245f8d2198be4e8dadab67cba340100c9356d
parent03cb63bc1da6344f65a075f25721d29b59670cfe (diff)
downloadphp-git-46d9cc3de9f2def8ab84d0b83cc89b6f85d7506a.tar.gz
improve fix for CVE-2012-1823
(cherry picked from commit fc3ba0552fd5c2d7b5870f3e2fec0a9a2d2996f4)
-rw-r--r--sapi/cgi/cgi_main.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
index bb37aba882..62ccbf26a6 100644
--- a/sapi/cgi/cgi_main.c
+++ b/sapi/cgi/cgi_main.c
@@ -1560,10 +1560,15 @@ int main(int argc, char *argv[])
}
}
- if(query_string = getenv("QUERY_STRING")) {
+ if((query_string = getenv("QUERY_STRING")) != NULL && strchr(query_string, '=') == NULL) {
+ /* we've got query string that has no = - apache CGI will pass it to command line */
+ unsigned char *p;
decoded_query_string = strdup(query_string);
php_url_decode(decoded_query_string, strlen(decoded_query_string));
- if(*decoded_query_string == '-' && strchr(decoded_query_string, '=') == NULL) {
+ for (p = decoded_query_string; *p && *p <= ' '; p++) {
+ /* skip all leading spaces */
+ }
+ if(*p == '-') {
skip_getopt = 1;
}
free(decoded_query_string);
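Review bot: `decoded_query_string = strdup(query_string);` is still passed unchecked to `php_url_decode` and then walked by the new scan loop, so an allocation failure dereferences NULL; a guard such as `if (decoded_query_string == NULL) { skip_getopt = 1; } else { ... }` would fail closed (argv is not parsed as options) rather than crash, subject to whatever OOM convention this SAPI otherwise follows. `unsigned char *p` is initialised from `decoded_query_string`, whose declaration is outside the hunk; if that variable is `char *` this is an incompatible-pointer-type warning, and an explicit `p = (unsigned char *)decoded_query_string;` would make the unsigned byte comparison deliberate. The loop comment also understates the condition: `*p <= ' '` skips every byte at or below 0x20, not only spaces, so `/* skip leading whitespace and control bytes (any byte <= 0x20) */` describes what the loop actually does. The enclosing `main()` begins before this hunk.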
@@ -1818,7 +1823,7 @@ consult the installation file that came with this distribution, or visit \n\
}
zend_first_try {
- while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) {
+ while (!skip_getopt && (c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) {
switch (c) {
case 'T':
benchmark = 1;