authorStanislav Malyshev <stas@php.net>2012-05-07 12:24:22 -0700
committerStanislav Malyshev <stas@php.net>2012-05-07 12:24:22 -0700
commiteb8f3b025b0a6dbbf6b44bf51d8cf345437b7354 (patch)
treeb8cc7fb57047e3750e7e0821b8f4ca44e1c72dba
parentfc3ba0552fd5c2d7b5870f3e2fec0a9a2d2996f4 (diff)
downloadphp-git-eb8f3b025b0a6dbbf6b44bf51d8cf345437b7354.tar.gz
fix bug #61807 - Buffer Overflow in apache_request_headers
-rw-r--r--NEWS1
-rw-r--r--sapi/cgi/cgi_main.c10
-rw-r--r--sapi/cgi/tests/apache_request_headers.phpt49
3 files changed, 58 insertions, 2 deletions
diff --git a/NEWS b/NEWS
index a41a5d178a..7603cfba09 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,7 @@ PHP NEWS
- CGI
. Re-Fix PHP-CGI query string parameter vulnerability, CVE-2012-1823.
(Stas)
+ . Fix bug #61807 - Buffer Overflow in apache_request_headers.
03 May 2012, PHP 5.4.2
diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
index 71404a4e6b..a1690b1666 100644
--- a/sapi/cgi/cgi_main.c
+++ b/sapi/cgi/cgi_main.c
@@ -1614,15 +1614,21 @@ PHP_FUNCTION(apache_request_headers) /* {{{ */
p = var + 5;
var = q = t;
+ // First char keep uppercase
*q++ = *p++;
while (*p) {
- if (*p == '_') {
+ if (*p == '=') {
+ // End of name
+ break;
+ } else if (*p == '_') {
*q++ = '-';
p++;
- if (*p) {
+ // First char after - keep uppercase
+ if (*p && *p!='=' && *p!='_') {
*q++ = *p++;
}
} else if (*p >= 'A' && *p <= 'Z') {
+ // lowercase
*q++ = (*p++ - 'A' + 'a');
} else {
*q++ = *p++;
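Review bot: The first-character copy `*q++ = *p++;` just before the loop still runs without the `'='`/NUL test that the loop body now applies, so an entry whose name is exactly `HTTP_` would place `=` into the header name unless a length check outside this hunk already excludes it; writing it as `if (*p && *p != '=') { *q++ = *p++; }` would make the loop safe on its own. More generally, writes through `q` are bounded only by the scan of the source string, never by the capacity of the destination, so the fix relies on the buffer sizing (not visible here) covering the full name plus the terminator. The added `//` comments are also out of step with the `/* ... */` style visible on the function's own header line; `/* End of name */` would match it and stays valid for C89 compilers. The enclosing function begins and ends outside this hunk.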
diff --git a/sapi/cgi/tests/apache_request_headers.phpt b/sapi/cgi/tests/apache_request_headers.phpt
new file mode 100644
index 0000000000..37e077e949
--- /dev/null
+++ b/sapi/cgi/tests/apache_request_headers.phpt
@@ -0,0 +1,49 @@
+--TEST--
+apache_request_headers() stack overflow.
+--SKIPIF--
+<?php
+include "skipif.inc";
+?>
+--FILE--
+<?php
+include "include.inc";
+
+$php = get_cgi_path();
+reset_env_vars();
+
+$file = dirname(__FILE__)."/012.test.php";
+
+file_put_contents($file, '<?php print_r(apache_request_headers()); ?>');
+
+passthru("$php $file");
+
+$names = array('HTTP_X_TEST', 'HTTP_X__TEST', 'HTTP_X_');
+foreach ($names as $name) {
+ putenv($name."=".str_repeat("A", 256));
+ passthru("$php -q $file");
+ putenv($name);
+}
+unlink($file);
+
+echo "Done\n";
+?>
+--EXPECTF--
+X-Powered-By: PHP/%s
+Content-type: text/html
+
+Array
+(
+)
+Array
+(
+ [X-Test] => AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+)
+Array
+(
+ [X--Test] => AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+)
+Array
+(
+ [X-] => AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+)
+Done
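Review bot: The scratch script is written to `012.test.php`, a name that looks borrowed from another test in the same directory, so two tests running side by side could overwrite or delete each other's file; `$file = dirname(__FILE__)."/apache_request_headers.test.php";` avoids that. The `unlink($file)` at the end only runs if the script gets that far, so a `--CLEAN--` section that removes the file would also cover a crash of the CGI binary, which is the failure this test exists to catch. `passthru("$php $file")` and `passthru("$php -q $file")` interpolate the path unquoted; `escapeshellarg($file)` keeps the test working in a checkout path containing spaces (whether `$php` is already quoted depends on `get_cgi_path()` in `include.inc`, which is not shown).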