===================================================================
RCS file: /repository/php4/main/rfc1867.c,v
retrieving revision 1.38
retrieving revision 1.45
diff -u -r1.38 -r1.45
--- php4/main/rfc1867.c 2000/08/06 06:40:28 1.38 php_4_0_2
+++ php4/main/rfc1867.c 2000/09/04 22:26:01 1.45
@@ -15,7 +15,7 @@
 | Authors: Rasmus Lerdorf email protected>> |
 +----------------------------------------------------------------------+
 */
-/* $Id: rfc1867.c,v 1.38 2000/08/06 06:40:28 rasmus Exp $ */
+/* $Id: rfc1867.c,v 1.45 2000/09/04 22:26:01 zeev Exp $ */
 #include
 #include "php.h"
@@ -28,28 +28,57 @@
 #define NEW_BOUNDARY_CHECK 1
-#define SAFE_RETURN { if (namebuf) efree(namebuf); if (filenamebuf) efree(filenamebuf); if (lbuf) efree(lbuf); if (abuf) efree(abuf); if(arr_index) efree(arr_index); return; }
+#define SAFE_RETURN { if (namebuf) efree(namebuf); if (filenamebuf) efree(filenamebuf); if (lbuf) efree(lbuf); if (abuf) efree(abuf); if(arr_index) efree(arr_index); zend_hash_destroy(&PG(rfc1867_protected_variables)); return; }
 /* The longest property name we use in an uploaded file array */
 #define MAX_SIZE_OF_INDEX sizeof("[tmp_name]")
+static void add_protected_variable(char *varname PLS_DC)
+{
+ int dummy=1;
+
+ zend_hash_add(&PG(rfc1867_protected_variables), varname, strlen(varname)+1, &dummy, sizeof(int), NULL);
+}
+
+
+static zend_bool is_protected_variable(char *varname PLS_DC)
+{
+ return zend_hash_exists(&PG(rfc1867_protected_variables), varname, strlen(varname)+1);
+}
+
+
+static void safe_php_register_variable(char *var, char *strval, zval *track_vars_array, zend_bool override_protection ELS_DC PLS_DC)
+{
+ if (override_protection || !is_protected_variable(var PLS_CC)) {
+ php_register_variable(var, strval, track_vars_array ELS_CC PLS_CC);
+ }
+}
+
-static void register_http_post_files_variable(char *strvar, char *val, zval *http_post_files ELS_DC PLS_DC)
+static void safe_php_register_variable_ex(char *var, zval *val, pval *track_vars_array, zend_bool override_protection ELS_DC PLS_DC)
+{
+ if (override_protection || !is_protected_variable(var PLS_CC)) {
+ php_register_variable_ex(var, val, track_vars_array ELS_CC PLS_CC);
+ }
+}
+
+
+static void register_http_post_files_variable(char *strvar, char *val, zval *http_post_files, zend_bool override_protection ELS_DC PLS_DC)
 {
 int register_globals = PG(register_globals);
-
+
 PG(register_globals) = 0;
- php_register_variable(strvar, val, http_post_files ELS_CC PLS_CC);
+ safe_php_register_variable(strvar, val, http_post_files, override_protection ELS_CC PLS_CC);
 PG(register_globals) = register_globals;
 }
-static void register_http_post_files_variable_ex(char *var, zval *val, zval *http_post_files ELS_DC PLS_DC)
+static void register_http_post_files_variable_ex(char *var, zval *val, zval *http_post_files, zend_bool override_protection ELS_DC PLS_DC)
 {
 int register_globals = PG(register_globals);
-
+
 PG(register_globals) = 0;
- php_register_variable_ex(var, val, http_post_files ELS_CC PLS_CC);
+ safe_php_register_variable_ex(var, val, http_post_files, override_protection ELS_CC PLS_CC);
 PG(register_globals) = register_globals;
 }
@@ -71,6 +100,8 @@
 ELS_FETCH();
 PLS_FETCH();
+ zend_hash_init(&PG(rfc1867_protected_variables), 5, NULL, NULL, 0);
+
 if (PG(track_vars)) {
 ALLOC_ZVAL(http_post_files);
 array_init(http_post_files);
@@ -78,7 +109,6 @@
 PG(http_globals).post_files = http_post_files;
 }
-
 ptr = buf;
 rem = cnt;
 len = strlen(boundary);
@@ -177,9 +207,9 @@
 }
 s = strrchr(filenamebuf, '\\');
 if (s && s > filenamebuf) {
- php_register_variable(lbuf, s+1, NULL ELS_CC PLS_CC);
+ safe_php_register_variable(lbuf, s+1, NULL, 0 ELS_CC PLS_CC);
 } else {
- php_register_variable(lbuf, filenamebuf, NULL ELS_CC PLS_CC);
+ safe_php_register_variable(lbuf, filenamebuf, NULL, 0 ELS_CC PLS_CC);
 }
 /* Add $foo[name] */
@@ -189,9 +219,9 @@
 sprintf(lbuf, "%s[name]", namebuf);
 }
 if (s && s > filenamebuf) {
- register_http_post_files_variable(lbuf, s+1, http_post_files ELS_CC PLS_CC);
+ register_http_post_files_variable(lbuf, s+1, http_post_files, 0 ELS_CC PLS_CC);
 } else {
- register_http_post_files_variable(lbuf, filenamebuf, http_post_files ELS_CC PLS_CC);
+ register_http_post_files_variable(lbuf, filenamebuf, http_post_files, 0 ELS_CC PLS_CC);
 }
 state = 3;
@@ -221,7 +251,7 @@
 } else {
 sprintf(lbuf, "%s_type", namebuf);
 }
- php_register_variable(lbuf, s, NULL ELS_CC PLS_CC);
+ safe_php_register_variable(lbuf, s, NULL, 0 ELS_CC PLS_CC);
 /* Add $foo[type] */
 if (is_arr_upload) {
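Review bot: is_protected_variable matches the raw field name byte for byte (`zend_hash_exists(&PG(rfc1867_protected_variables), varname, strlen(varname)+1)`), while the name is then handed to php_register_variable, whose body is not part of this diff. If that function canonicalises names before registering them, as PHP does for spaces and dots in external variable names, two different raw names can resolve to the same variable and the exact-match check will not see the collision. Applying the same canonicalisation to a copy of `varname` in both add_protected_variable and is_protected_variable would close that gap; the names are added in the hunks at -316 and -324. The four new helpers also carry no comment, and a header such as `/* Remember an upload variable name so that a later form field cannot overwrite it */` above add_protected_variable would document the intent.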
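Review bot: The table set up by `zend_hash_init(&PG(rfc1867_protected_variables), 5, NULL, NULL, 0);` is torn down only inside SAFE_RETURN, so it stays correct only if every exit from this function goes through that macro and no SAFE_RETURN can run before this line. Neither can be confirmed here, because the function starts and ends outside the hunk. The result of zend_hash_init is also discarded; checking it against FAILURE before parsing begins would keep later lookups from running on a table that was never set up. A comment such as `/* upload variable names that later form fields must not overwrite; destroyed in SAFE_RETURN */` would record the pairing.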
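Review bot: The `_name` variable registered in the hunk at -177 goes through safe_php_register_variable with `override_protection` 0, but its name is never passed to add_protected_variable, so the guard does not cover it; only `namebuf` and the `[tmp_name]` key are added (hunks at -316 and -324). The same applies to `[name]`, `_type`, `[type]`, `_size` and `[size]` in the hunks at -189, -221, -229, -337 and -345. A form field that arrives after the file part under one of those names would therefore still pass the check in the hunk at -252. Name and type are client-supplied in any case, but the size appears to be computed on the server and scripts may trust it, so consider `add_protected_variable(lbuf PLS_CC);` before those registrations and passing 1 for `override_protection`, as is done for the temporary file name.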
@@ -229,7 +259,7 @@
 } else {
 sprintf(lbuf, "%s[type]", namebuf);
 }
- register_http_post_files_variable(lbuf, s, http_post_files ELS_CC PLS_CC);
+ register_http_post_files_variable(lbuf, s, http_post_files, 0 ELS_CC PLS_CC);
 if(*s != '\0') {
 *(loc2 - 1) = '\n';
 }
@@ -252,7 +282,9 @@
 }
 *(loc - 4) = '\0';
- php_register_variable(namebuf, ptr, array_ptr ELS_CC PLS_CC);
+ /* Check to make sure we are not overwriting special file
+ * upload variables */
+ safe_php_register_variable(namebuf, ptr, array_ptr, 0 ELS_CC PLS_CC);
 /* And a little kludge to pick out special MAX_FILE_SIZE */
 itype = php_check_ident_type(namebuf);
@@ -316,7 +348,8 @@
 php_error(E_WARNING, "Only %d bytes were written, expected to write %ld", bytes, loc - ptr - 4);
 }
 }
- php_register_variable(namebuf, fn, NULL ELS_CC PLS_CC);
+ add_protected_variable(namebuf PLS_CC);
+ safe_php_register_variable(namebuf, fn, NULL, 1 ELS_CC PLS_CC);
 /* Add $foo[tmp_name] */
 if(is_arr_upload) {
@@ -324,7 +357,8 @@
 } else {
 sprintf(lbuf, "%s[tmp_name]", namebuf);
 }
- register_http_post_files_variable(lbuf, fn, http_post_files ELS_CC PLS_CC);
+ add_protected_variable(lbuf PLS_CC);
+ register_http_post_files_variable(lbuf, fn, http_post_files, 1 ELS_CC PLS_CC);
 {
 zval file_size;
@@ -337,7 +371,7 @@
 } else {
 sprintf(lbuf, "%s_size", namebuf);
 }
- php_register_variable_ex(lbuf, &file_size, NULL ELS_CC PLS_CC);
+ safe_php_register_variable_ex(lbuf, &file_size, NULL, 0 ELS_CC PLS_CC);
 /* Add $foo[size] */
 if(is_arr_upload) {
@@ -345,7 +379,7 @@
 } else {
 sprintf(lbuf, "%s[size]", namebuf);
 }
- register_http_post_files_variable_ex(lbuf, &file_size, http_post_files ELS_CC PLS_CC);
+ register_http_post_files_variable_ex(lbuf, &file_size, http_post_files, 0 ELS_CC PLS_CC);
 }
 state = 0;
 rem -= (loc - ptr);
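Review bot: When `namebuf` is protected, the safe_php_register_variable call in the hunk at -252 returns without registering and nothing is recorded, so a request that tries to overwrite an upload variable leaves no trace. A warning at this call site would give operators something to alert on, for example `if (is_protected_variable(namebuf PLS_CC)) php_error(E_WARNING, "Form field ignored: name is reserved by a file upload");`, in the style of the php_error call already used for short writes in the hunk at -316. The added comment could also say which names are covered, since only the upload variable and its `[tmp_name]` key are added to the protected set. The enclosing loop body starts and ends outside the hunk.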