authorIlia Alshanetsky <iliaa@php.net>2005-12-06 03:09:24 +0000
committerIlia Alshanetsky <iliaa@php.net>2005-12-06 03:09:24 +0000
commitaa1b0709f211f1e986c911df1bda29f25b652efa (patch)
tree7cdb2ceaa03d372cc908e6dd35e763170acafa8a /main
parent684d68bb2706c5167f5eee43c455a6b3e6a4ae27 (diff)
downloadphp-git-aa1b0709f211f1e986c911df1bda29f25b652efa.tar.gz
Fixed possible XSS inside error reporting functionality.
Diffstat (limited to 'main')
-rw-r--r--main/main.c27
1 files changed, 21 insertions, 6 deletions
diff --git a/main/main.c b/main/main.c
index b048ea5332..82706abfc3 100644
--- a/main/main.c
+++ b/main/main.c
@@ -433,6 +433,7 @@ PHPAPI void php_verror(const char *docref, const char *params, int type, const c
char *space;
char *class_name = get_active_class_name(&space TSRMLS_CC);
char *function;
+ int origin_len;
char *origin;
char *message;
int is_function = 0;
@@ -490,9 +491,16 @@ PHPAPI void php_verror(const char *docref, const char *params, int type, const c
/* if we still have memory then format the origin */
if (is_function) {
- spprintf(&origin, 0, "%s%s%s(%s)", class_name, space, function, params);
+ origin_len = spprintf(&origin, 0, "%s%s%s(%s)", class_name, space, function, params);
} else {
- spprintf(&origin, 0, "%s", function);
+ origin_len = spprintf(&origin, 0, "%s", function);
+ }
+
+ if (PG(html_errors)) {
+ int len;
+ char *replace = php_escape_html_entities(origin, origin_len, &len, 0, ENT_COMPAT, NULL TSRMLS_CC);
+ efree(origin);
+ origin = replace;
}
/* origin and buffer available, so lets come up with the error message */
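Review bot: After the escape, `origin_len` still holds the pre-escape length and the new length in `len` is discarded, so any later use of `origin_len` would be too short for the escaped string; adding `origin_len = len;` after `origin = replace;` keeps the two in step. `ENT_COMPAT` leaves single quotes unescaped, which is enough for element text but not for a single-quoted attribute value. Where `origin` is placed in the final message is outside this hunk, so either confirm it only ever lands in text context or pass `ENT_QUOTES`. A comment such as `/* origin contains caller-supplied names and params; escape before embedding in HTML output */` would record why the block exists. php_verror continues beyond the hunk.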
@@ -761,10 +769,17 @@ static void php_error_cb(int type, const char *error_filename, const uint error_
} else {
char *prepend_string = INI_STR("error_prepend_string");
char *append_string = INI_STR("error_append_string");
- char *error_format = PG(html_errors) ?
- "%s<br />\n<b>%s</b>: %s in <b>%s</b> on line <b>%d</b><br />\n%s"
- : "%s\n%s: %s in %s on line %d\n%s";
- php_printf(error_format, STR_PRINT(prepend_string), error_type_str, buffer, error_filename, error_lineno, STR_PRINT(append_string));
+
+ if (PG(html_errors)) {
+ char *buf, *buf2;
+ int len2, len = spprintf(&buf, 0, "%s<br />\n<b>%s</b>: %s in <b>%s</b> on line <b>%d</b><br />\n%s", STR_PRINT(prepend_string), error_type_str, buffer, error_filename, error_lineno, STR_PRINT(append_string));
+ buf2 = php_escape_html_entities(buf, len, &len2, 0, ENT_COMPAT, NULL TSRMLS_CC);
+ php_printf("%s", buf2);
+ efree(buf);
+ efree(buf2);
+ } else {
+ php_printf("%s\n%s: %s in %s on line %d\n%s", STR_PRINT(prepend_string), error_type_str, buffer, error_filename, error_lineno, STR_PRINT(append_string));
+ }
}
}
#if ZEND_DEBUG
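Review bot: The HTML branch escapes the whole formatted string, so the `<br />` and `<b>` tags from the format itself, and anything configured in `error_prepend_string`/`error_append_string`, are converted to entities and displayed as literal text instead of markup. If the message built in php_verror reaches this callback as `buffer` (likely, but not visible here), its already-escaped `origin` is escaped a second time. Escaping should be applied to the interpolated values only, before formatting, as sketched below. Whether `buffer` can already carry intentional markup assembled upstream must be confirmed first; if it can, it should be escaped where it is assembled instead. php_error_cb starts and ends outside the hunk.

```c
if (PG(html_errors)) {
	int msg_len, file_len;
	/* escape only the interpolated values; the markup in the format string stays literal */
	/* assumes buffer holds no intentional markup -- confirm against the callers that build it */
	char *msg = php_escape_html_entities(buffer, strlen(buffer), &msg_len, 0, ENT_COMPAT, NULL TSRMLS_CC);
	char *file = php_escape_html_entities((char *) error_filename, strlen(error_filename), &file_len, 0, ENT_COMPAT, NULL TSRMLS_CC);
	php_printf("%s<br />\n<b>%s</b>: %s in <b>%s</b> on line <b>%d</b><br />\n%s", STR_PRINT(prepend_string), error_type_str, msg, file, error_lineno, STR_PRINT(append_string));
	efree(msg);
	efree(file);
} else {
	/* … unchanged: plain-text php_printf … */
}
```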