diff options
| author | Wez Furlong <wez@php.net> | 2003-05-16 19:08:13 +0000 |
|---|---|---|
| committer | Wez Furlong <wez@php.net> | 2003-05-16 19:08:13 +0000 |
| commit | e9b62698c7540a0f4921041c62c65cc25a9e8126 (patch) | |
| tree | 891d314c4a63c630b02cd3a86313f54b2bbe0ecf /main/output.c | |
| parent | 7e2a99d0916f3d5fd398a39028e49f2a0df68f3a (diff) | |
| download | php-git-e9b62698c7540a0f4921041c62c65cc25a9e8126.tar.gz | |
Stronger validation of ob_start() parameters.
Diffstat (limited to 'main/output.c')
| -rw-r--r-- | main/output.c | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/main/output.c b/main/output.c index e2ffa77354..4ca19de9b2 100644 --- a/main/output.c +++ b/main/output.c @@ -238,6 +238,7 @@ PHPAPI void php_end_ob_buffer(zend_bool send_buffer, zend_bool just_flush TSRMLS params[0] = &orig_buffer; params[1] = &z_status; OG(ob_lock) = 1; + if (call_user_function_ex(CG(function_table), NULL, OG(active_ob_buffer).output_handler, &alternate_buffer, 2, params, 1, NULL TSRMLS_CC)==SUCCESS) { if (!(Z_TYPE_P(alternate_buffer)==IS_BOOL && Z_BVAL_P(alternate_buffer)==0)) { convert_to_string_ex(&alternate_buffer); @@ -407,6 +408,9 @@ PHPAPI int php_ob_init_conflict(char *handler_new, char *handler_set TSRMLS_DC) */ static int php_ob_init_named(uint initial_size, uint block_size, char *handler_name, zval *output_handler, uint chunk_size, zend_bool erase TSRMLS_DC) { + if (!zend_is_callable(output_handler, 0, NULL)) { + return FAILURE; + } if (OG(ob_nesting_level)>0) { #if HAVE_ZLIB && !defined(COMPILE_DL_ZLIB) if (!strncmp(handler_name, "ob_gzhandler", sizeof("ob_gzhandler")) && php_ob_gzhandler_check(TSRMLS_C)) { @@ -461,6 +465,8 @@ static int php_ob_init(uint initial_size, uint block_size, zval *output_handler, if (output_handler && output_handler->type == IS_STRING) { handler_name = Z_STRVAL_P(output_handler); + + result = SUCCESS; while ((next_handler_name=strchr(handler_name, ',')) != NULL) { len = next_handler_name-handler_name; next_handler_name = estrndup(handler_name, len); @@ -473,15 +479,17 @@ static int php_ob_init(uint initial_size, uint block_size, zval *output_handler, handler_name += len+1; efree(next_handler_name); } - handler_zval = php_ob_handler_from_string(handler_name TSRMLS_CC); - result = php_ob_init_named(initial_size, block_size, handler_name, handler_zval, chunk_size, erase TSRMLS_CC); - if (result != SUCCESS) { - zval_dtor(handler_zval); - FREE_ZVAL(handler_zval); + if (result == SUCCESS) { + handler_zval = php_ob_handler_from_string(handler_name TSRMLS_CC); + result = php_ob_init_named(initial_size, block_size, handler_name, handler_zval, chunk_size, erase TSRMLS_CC); + if (result != SUCCESS) { + zval_dtor(handler_zval); + FREE_ZVAL(handler_zval); + } } } else if (output_handler && output_handler->type == IS_ARRAY) { /* do we have array(object,method) */ - if (zend_is_callable(output_handler, 1, &handler_name)) { + if (zend_is_callable(output_handler, 0, &handler_name)) { SEPARATE_ZVAL(&output_handler); output_handler->refcount++; result = php_ob_init_named(initial_size, block_size, handler_name, output_handler, chunk_size, erase TSRMLS_CC); @@ -492,6 +500,9 @@ static int php_ob_init(uint initial_size, uint block_size, zval *output_handler, zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(output_handler), &pos); while (zend_hash_get_current_data_ex(Z_ARRVAL_P(output_handler), (void **)&tmp, &pos) == SUCCESS) { result = php_ob_init(initial_size, block_size, *tmp, chunk_size, erase TSRMLS_CC); + if (result == FAILURE) { + break; + } zend_hash_move_forward_ex(Z_ARRVAL_P(output_handler), &pos); } } |