authorIlia Alshanetsky <iliaa@php.net>2007-03-24 16:25:42 +0000
committerIlia Alshanetsky <iliaa@php.net>2007-03-24 16:25:42 +0000
commitbc1f7356d70aae99bd909a98b80128d71cef35a2 (patch)
treea3da42e0dd5c71f7ffabb017f213cde171fd4c8b /ext/ftp
parent88f48476f917e76a8123e3ff1c3dc5a97911bf8e (diff)
downloadphp-git-bc1f7356d70aae99bd909a98b80128d71cef35a2.tar.gz
Fixed CRLF injection inside ftp_putcmd().
# Reported on BugTraq by loveshell[at]Bug.Center.Team
Diffstat (limited to 'ext/ftp')
-rw-r--r--ext/ftp/ftp.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/ext/ftp/ftp.c b/ext/ftp/ftp.c
index 666f23c582..b6fd56bdb0 100644
--- a/ext/ftp/ftp.c
+++ b/ext/ftp/ftp.c
@@ -1096,12 +1096,18 @@ ftp_putcmd(ftpbuf_t *ftp, const char *cmd, const char *args)
int size;
char *data;
+ if (strpbrk(cmd, "\r\n")) {
+ return 0;
+ }
/* build the output buffer */
if (args && args[0]) {
/* "cmd args\r\n\0" */
if (strlen(cmd) + strlen(args) + 4 > FTP_BUFSIZE) {
return 0;
}
+ if (strpbrk(args, "\r\n")) {
+ return 0;
+ }
size = slprintf(ftp->outbuf, sizeof(ftp->outbuf), "%s %s\r\n", cmd, args);
} else {
/* "cmd\r\n\0" */
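Review bot: Both new `strpbrk` rejections return 0 with no comment and no diagnostic, so a blocked CR/LF looks the same to the caller as the over-length case just above the `args` check, and presumably the same as a send failure later in the function. I would add a comment above the first check, `/* CR or LF ends an FTP command; an embedded one would start a second command on the control channel */`, so the guard is not removed later as redundant. If this layer is allowed to emit PHP warnings, a warning on rejection would also give operators something to alert on when an application passes such a string. The body of ftp_putcmd() starts before and continues after this hunk, so the command-only `else` branch is not visible here; the top-level `cmd` check appears to cover it.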