authorIlia Alshanetsky <iliaa@php.net>2005-02-17 04:46:10 +0000
committerIlia Alshanetsky <iliaa@php.net>2005-02-17 04:46:10 +0000
commit349c0cc61c8cdb53c86fca8a16e0c6a79a5214df (patch)
treede244d172a1f49af89c88df0b2535efe6e800a2f /main/php_variables.c
parente7df907a10d71eae668b79c56f79268368f17928 (diff)
MFH: Fixed bug #31440 ($GLOBALS can be overwritten via GPC when
register_globals is enabled).
Diffstat (limited to 'main/php_variables.c')
-rw-r--r--main/php_variables.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/main/php_variables.c b/main/php_variables.c
index 84d341492e..f65f961145 100644
--- a/main/php_variables.c
+++ b/main/php_variables.c
@@ -531,6 +531,7 @@ static void php_autoglobal_merge(HashTable *dest, HashTable *src TSRMLS_DC)
ulong num_key;
HashPosition pos;
int key_type;
+ int globals_check = (PG(register_globals) && (dest == (&EG(symbol_table))));
zend_hash_internal_pointer_reset_ex(src, &pos);
while (zend_hash_get_current_data_ex(src, (void **)&src_entry, &pos) == SUCCESS) {
@@ -541,7 +542,12 @@ static void php_autoglobal_merge(HashTable *dest, HashTable *src TSRMLS_DC)
|| Z_TYPE_PP(dest_entry) != IS_ARRAY) {
(*src_entry)->refcount++;
if (key_type == HASH_KEY_IS_STRING) {
- zend_hash_update(dest, string_key, strlen(string_key)+1, src_entry, sizeof(zval *), NULL);
+ /* if register_globals is on and working with main symbol table, prevent overwriting of GLOBALS */
+ if (!globals_check || string_key_len != sizeof("GLOBALS") || memcmp(string_key, "GLOBALS", sizeof("GLOBALS") - 1)) {
+ zend_hash_update(dest, string_key, string_key_len, src_entry, sizeof(zval *), NULL);
+ } else {
+ (*src_entry)->refcount--;
+ }
} else {
zend_hash_index_update(dest, num_key, src_entry, sizeof(zval *), NULL);
}
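Review bot: The GLOBALS guard sits only in the overwrite branch, the one selected by the condition that ends in `Z_TYPE_PP(dest_entry) != IS_ARRAY`; the other branch of that `if` starts outside this hunk and is not touched by the commit. If that branch merges an array-valued source entry into an existing array entry in `dest`, an array submitted under the key GLOBALS would presumably still be merged into the symbol table's entry when register_globals is on, so this is worth confirming against the full function. Testing the key once at the top of the loop body, with `if (globals_check && key_type == HASH_KEY_IS_STRING && string_key_len == sizeof("GLOBALS") && !memcmp(string_key, "GLOBALS", sizeof("GLOBALS") - 1))` followed by advancing `pos` and `continue`, would cover both branches and remove the `refcount++` / `refcount--` pair. The length test also depends on `string_key_len` counting the terminating NUL, as the replaced `strlen(string_key)+1` argument suggests, and a short comment such as `/* string_key_len includes the trailing NUL */` would make that explicit.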