Index: ext/standard/basic_functions.c =================================================================== RCS file: /repository/php-src/ext/standard/basic_functions.c,v retrieving revision 1.725.2.31.2.51
diff -u -p -d -r1.725.2.31.2.51 basic_functions.c
--- ext/standard/basic_functions.c 17 May 2007 06:38:13 -0000 1.725.2.31.2.51
+++ ext/standard/basic_functions.c 22 May 2007 13:50:59 -0000
@@ -6261,51 +6261,25 @@ static int copy_request_variable(void *p
 prefix = va_arg(args, char *);
 prefix_len = va_arg(args, uint);
- if (!prefix_len) {
- if (!hash_key->nKeyLength) {
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard.");
- return 0;
- } else if (!strcmp(hash_key->arKey, "GLOBALS")) {
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite.");
- return 0;
- } else if (*hash_key->arKey == '_' &&
- (
- !strcmp(hash_key->arKey, "_GET") ||
- !strcmp(hash_key->arKey, "_POST") ||
- !strcmp(hash_key->arKey, "_COOKIE") ||
- !strcmp(hash_key->arKey, "_ENV") ||
- !strcmp(hash_key->arKey, "_SERVER") ||
- !strcmp(hash_key->arKey, "_SESSION") ||
- !strcmp(hash_key->arKey, "_FILES") ||
- !strcmp(hash_key->arKey, "_REQUEST")
- )
- ) {
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted super-global (%s) variable overwrite.", hash_key->arKey);
- return 0;
- } else if (*hash_key->arKey == 'H' &&
- (
- !strcmp(hash_key->arKey, "HTTP_POST_VARS") ||
- !strcmp(hash_key->arKey, "HTTP_GET_VARS") ||
- !strcmp(hash_key->arKey, "HTTP_COOKIE_VARS") ||
- !strcmp(hash_key->arKey, "HTTP_ENV_VARS") ||
- !strcmp(hash_key->arKey, "HTTP_SERVER_VARS") ||
- !strcmp(hash_key->arKey, "HTTP_RAW_POST_DATA") ||
- !strcmp(hash_key->arKey, "HTTP_POST_FILES")
- )
- ) {
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted long input array (%s) overwrite.", hash_key->arKey);
- return 0;
- }
+ if (!prefix_len && !hash_key->nKeyLength) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard.");
+ return 0;
 }
 if (hash_key->nKeyLength) {
 new_key_len = prefix_len + hash_key->nKeyLength;
- new_key = (char *) emalloc(new_key_len);
+ new_key = (char *) emalloc(new_key_len); /* +1 comes from nKeyLength */
 memcpy(new_key, prefix, prefix_len);
 memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
 } else {
 new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h);
+ new_key_len++;
+ }
+
+ if (php_varname_check(new_key, new_key_len, 0 TSRMLS_CC) == FAILURE) {
+ efree(new_key);
+ return 0;
 }
 zend_delete_global_variable(new_key, new_key_len-1 TSRMLS_CC);
Index: ext/standard/php_var.h =================================================================== RCS file: /repository/php-src/ext/standard/php_var.h,v retrieving revision 1.30.2.1.2.5
diff -u -p -d -r1.30.2.1.2.5 php_var.h
--- ext/standard/php_var.h 1 Jan 2007 09:36:08 -0000 1.30.2.1.2.5
+++ ext/standard/php_var.h 22 May 2007 13:50:59 -0000
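Review bot: The new `php_varname_check(new_key, new_key_len, 0 TSRMLS_CC)` call only works because `new_key_len` counts the terminating NUL — that is why the numeric-key branch now does `new_key_len++` after spprintf() and why the emalloc line carries the `/* +1 comes from nKeyLength */` comment — since the header compares `name_len == sizeof("GLOBALS")` and friends, and a NUL-exclusive length would never match and the reserved-name check would be skipped without any warning. That convention is not stated at the call site, so a later edit that "fixes" the length (for example to `strlen(new_key)`) would silently disable the protection; a one-line comment at the call, `/* new_key_len includes the trailing NUL; php_varname_check() compares against sizeof() */`, would guard against that. Note also that `new_key` is now always allocated before the check, so the `efree(new_key)` on the FAILURE path is required to avoid a leak and must stay paired with any future early return added between the allocation and the check. copy_request_variable() starts before and ends after this hunk.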
@@ -67,4 +67,48 @@ PHPAPI void var_destroy(php_unserialize_
 PHPAPI zend_class_entry *php_create_empty_class(char *class_name, int len);
+static inline int php_varname_check(char *name, int name_len, zend_bool silent TSRMLS_DC) /* {{{ */
+{
+ if (name_len == sizeof("GLOBALS") && !memcmp(name, "GLOBALS", sizeof("GLOBALS"))) {
+ if (!silent) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite");
+ }
+ return FAILURE;
+ } else if (name[0] == '_' &&
+ (
+ (name_len == sizeof("_GET") && !memcmp(name, "_GET", sizeof("_GET"))) ||
+ (name_len == sizeof("_POST") && !memcmp(name, "_POST", sizeof("_POST"))) ||
+ (name_len == sizeof("_COOKIE") && !memcmp(name, "_COOKIE", sizeof("_COOKIE"))) ||
+ (name_len == sizeof("_ENV") && !memcmp(name, "_ENV", sizeof("_ENV"))) ||
+ (name_len == sizeof("_SERVER") && !memcmp(name, "_SERVER", sizeof("_SERVER"))) ||
+ (name_len == sizeof("_SESSION") && !memcmp(name, "_SESSION", sizeof("_SESSION"))) ||
+ (name_len == sizeof("_FILES") && !memcmp(name, "_FILES", sizeof("_FILES"))) ||
+ (name_len == sizeof("_REQUEST") && !memcmp(name, "_REQUEST", sizeof("_REQUEST")))
+ )
+ ) {
+ if (!silent) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted super-global (%s) variable overwrite", name);
+ }
+ return FAILURE;
+ } else if (name[0] == 'H' &&
+ (
+ (name_len == sizeof("HTTP_POST_VARS") && !memcmp(name, "HTTP_POST_VARS", sizeof("HTTP_POST_VARS"))) ||
+ (name_len == sizeof("HTTP_GET_VARS") && !memcmp(name, "HTTP_GET_VARS", sizeof("HTTP_GET_VARS"))) ||
+ (name_len == sizeof("HTTP_COOKIE_VARS") && !memcmp(name, "HTTP_COOKIE_VARS", sizeof("HTTP_COOKIE_VARS"))) ||
+ (name_len == sizeof("HTTP_ENV_VARS") && !memcmp(name, "HTTP_ENV_VARS", sizeof("HTTP_ENV_VARS"))) ||
+ (name_len == sizeof("HTTP_SERVER_VARS") && !memcmp(name, "HTTP_SERVER_VARS", sizeof("HTTP_SERVER_VARS"))) ||
+ (name_len == sizeof("HTTP_SESSION_VARS") && !memcmp(name, "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS"))) ||
+ (name_len == sizeof("HTTP_RAW_POST_DATA") && !memcmp(name, "HTTP_RAW_POST_DATA", sizeof("HTTP_RAW_POST_DATA"))) ||
+ (name_len == sizeof("HTTP_POST_FILES") && !memcmp(name, "HTTP_POST_FILES", sizeof("HTTP_POST_FILES")))
+ )
+ ) {
+ if (!silent) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted long input array (%s) overwrite", name);
+ }
+ return FAILURE;
+ }
+ return SUCCESS;
+}
+/* }}} */
+
 #endif /* PHP_VAR_H */
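Review bot: php_varname_check() reads `name[0]` in the two `else if` branches before verifying that `name_len` is at least 1, so a caller handing it an empty or zero-length name reads past the buffer; a guard at the top, `if (name_len < 1) { return SUCCESS; }`, closes that without changing the result for any real name. The length contract is also implicit and security-relevant: every comparison is `name_len == sizeof("...")`, which matches only when the caller counts the terminating NUL (as the basic_functions.c call site does), so a caller that passes `strlen(name)` never matches any entry and the function returns SUCCESS — the overwrite protection is bypassed silently instead of failing loudly. Since this is a `static inline` in a shared header, presumably meant to be reused by other input-import paths, a header comment such as `/* name_len must include the terminating NUL (it is compared against sizeof("...")). Returns FAILURE, and warns unless silent, when name is GLOBALS, a superglobal or a long input array. */` would make that visible to every caller. `name` is never written through, so `const char *name` would document that too.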