diff options
| author | Ilia Alshanetsky <iliaa@php.net> | 2006-07-27 17:04:15 +0000 |
|---|---|---|
| committer | Ilia Alshanetsky <iliaa@php.net> | 2006-07-27 17:04:15 +0000 |
| commit | cfda15ffc10bcc366544510e7b5df923e8adba4e (patch) | |
| tree | 27c886beb2f05fb6313dc0ebca5ac84e852f2c3f | |
| parent | 7ba86d078ff3682b07b3c7375b9b279ed987bb32 (diff) | |
| download | php-git-cfda15ffc10bcc366544510e7b5df923e8adba4e.tar.gz | |
Binary safe multipart request handling
| -rw-r--r-- | main/rfc1867.c | 33 |
1 files changed, 17 insertions, 16 deletions
diff --git a/main/rfc1867.c b/main/rfc1867.c index aa2c2cdf69..5961853f89 100644 --- a/main/rfc1867.c +++ b/main/rfc1867.c @@ -40,7 +40,7 @@ PHPAPI int (*php_rfc1867_callback)(unsigned int event, void *event_data, void ** #if HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING) #include "ext/mbstring/mbstring.h" -static void safe_php_register_variable(char *var, char *strval, zval *track_vars_array, zend_bool override_protection TSRMLS_DC); +static void safe_php_register_variable(char *var, char *strval, int val_len, zval *track_vars_array, zend_bool override_protection TSRMLS_DC); #define SAFE_RETURN { \ php_mb_flush_gpc_variables(num_vars, val_list, len_list, array_ptr TSRMLS_CC); \ @@ -64,7 +64,7 @@ void php_mb_flush_gpc_variables(int num_vars, char **val_list, int *len_list, zv php_mb_gpc_encoding_converter(val_list, len_list, num_vars, NULL, NULL TSRMLS_CC); } for (i=0; i<num_vars; i+=2){ - safe_php_register_variable(val_list[i], val_list[i+1], array_ptr, 0 TSRMLS_CC); + safe_php_register_variable(val_list[i], val_list[i+1], len_list[i+1], array_ptr, 0 TSRMLS_CC); efree(val_list[i]); efree(val_list[i+1]); } @@ -223,10 +223,10 @@ static zend_bool is_protected_variable(char *varname TSRMLS_DC) } -static void safe_php_register_variable(char *var, char *strval, zval *track_vars_array, zend_bool override_protection TSRMLS_DC) +static void safe_php_register_variable(char *var, char *strval, int val_len, zval *track_vars_array, zend_bool override_protection TSRMLS_DC) { if (override_protection || !is_protected_variable(var TSRMLS_CC)) { - php_register_variable(var, strval, track_vars_array TSRMLS_CC); + php_register_variable_safe(var, strval, val_len, track_vars_array TSRMLS_CC); } } @@ -244,7 +244,7 @@ static void register_http_post_files_variable(char *strvar, char *val, zval *htt int register_globals = PG(register_globals); PG(register_globals) = 0; - safe_php_register_variable(strvar, val, http_post_files, override_protection TSRMLS_CC); + safe_php_register_variable(strvar, val, strlen(val), http_post_files, override_protection TSRMLS_CC); PG(register_globals) = register_globals; } @@ -757,7 +757,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, int bytes, i XXX: this is horrible memory-usage-wise, but we only expect to do this on small pieces of form data. */ -static char *multipart_buffer_read_body(multipart_buffer *self TSRMLS_DC) +static char *multipart_buffer_read_body(multipart_buffer *self, unsigned int *len TSRMLS_DC) { char buf[FILLUNIT], *out=NULL; int total_bytes=0, read_bytes=0; @@ -769,6 +769,7 @@ static char *multipart_buffer_read_body(multipart_buffer *self TSRMLS_DC) } if (out) out[total_bytes] = '\0'; + *len = total_bytes; return out; } @@ -915,15 +916,15 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* Normal form variable, safe to read all data into memory */ if (!filename && param) { - - char *value = multipart_buffer_read_body(mbuff TSRMLS_CC); + unsigned int value_len; + char *value = multipart_buffer_read_body(mbuff, &value_len TSRMLS_CC); unsigned int new_val_len; /* Dummy variable */ if (!value) { value = estrdup(""); } - if (sapi_module.input_filter(PARSE_POST, param, &value, strlen(value), &new_val_len TSRMLS_CC)) { + if (sapi_module.input_filter(PARSE_POST, param, &value, value_len, &new_val_len TSRMLS_CC)) { if (php_rfc1867_callback != NULL) { multipart_event_formdata event_formdata; size_t newlength = 0; @@ -940,16 +941,16 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) } new_val_len = newlength; } - + #if HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING) if (php_mb_encoding_translation(TSRMLS_C)) { php_mb_gpc_stack_variable(param, value, &val_list, &len_list, &num_vars, &num_vars_max TSRMLS_CC); } else { - safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC); + safe_php_register_variable(param, value, new_val_len, array_ptr, 0 TSRMLS_CC); } #else - safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC); + safe_php_register_variable(param, value, new_val_len, array_ptr, 0 TSRMLS_CC); #endif } if (!strcasecmp(param, "MAX_FILE_SIZE")) { @@ -1198,9 +1199,9 @@ filedone: if (!is_anonymous) { if (s && s > filename) { - safe_php_register_variable(lbuf, s+1, NULL, 0 TSRMLS_CC); + safe_php_register_variable(lbuf, s+1, strlen(s+1), NULL, 0 TSRMLS_CC); } else { - safe_php_register_variable(lbuf, filename, NULL, 0 TSRMLS_CC); + safe_php_register_variable(lbuf, filename, strlen(filename), NULL, 0 TSRMLS_CC); } } @@ -1236,7 +1237,7 @@ filedone: sprintf(lbuf, "%s_type", param); } if (!is_anonymous) { - safe_php_register_variable(lbuf, cd, NULL, 0 TSRMLS_CC); + safe_php_register_variable(lbuf, cd, strlen(cd), NULL, 0 TSRMLS_CC); } /* Add $foo[type] */ @@ -1260,7 +1261,7 @@ filedone: PG(magic_quotes_gpc) = 0; /* if param is of form xxx[.*] this will cut it to xxx */ if (!is_anonymous) { - safe_php_register_variable(param, temp_filename, NULL, 1 TSRMLS_CC); + safe_php_register_variable(param, temp_filename, strlen(temp_filename), NULL, 1 TSRMLS_CC); } /* Add $foo[tmp_name] */ |