authorStanislav Malyshev <stas@php.net>2012-05-07 12:24:22 -0700
committerStanislav Malyshev <stas@php.net>2012-05-08 10:19:23 -0700
commit20364bcff9f38bed83245d785cc8ec3a072e4da5 (patch)
tree2da06a0fcf2a1654edc9d360f0df4bccffdbd6f9
parent0b4d7a455d8f2bffaa9c4f9cbd7aff8e3e740fe8 (diff)
downloadphp-git-20364bcff9f38bed83245d785cc8ec3a072e4da5.tar.gz
fix bug #61807 - Buffer Overflow in apache_request_headers
-rw-r--r--sapi/cgi/cgi_main.c10
-rw-r--r--sapi/cgi/tests/apache_request_headers.phpt49
2 files changed, 57 insertions, 2 deletions
diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
index d25cad4164..a0a1adadc9 100644
--- a/sapi/cgi/cgi_main.c
+++ b/sapi/cgi/cgi_main.c
@@ -1615,15 +1615,21 @@ PHP_FUNCTION(apache_request_headers) /* {{{ */
p = var + 5;
var = q = t;
+ // First char keep uppercase
*q++ = *p++;
while (*p) {
- if (*p == '_') {
+ if (*p == '=') {
+ // End of name
+ break;
+ } else if (*p == '_') {
*q++ = '-';
p++;
- if (*p) {
+ // First char after - keep uppercase
+ if (*p && *p!='=' && *p!='_') {
*q++ = *p++;
}
} else if (*p >= 'A' && *p <= 'Z') {
+ // lowercase
*q++ = (*p++ - 'A' + 'a');
} else {
*q++ = *p++;
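Review bot: The unconditional first-character copy `*q++ = *p++;` just before the loop is not covered by the new `=` check, so it still depends on a guard outside the hunk ensuring that at least one name character follows the `HTTP_` prefix. If no such guard exists, that copy would step over the delimiter and the loop would again run through the value into `t`. Guarding it the same way, `if (*p && *p != '=') { *q++ = *p++; }`, or bounding `q` against the size allocated for `t`, would make the loop safe on its own. The added `//` comments may also be rejected by strict C89 builds; `/* ... */` would match the `/* {{{ */` style visible in the hunk header. The body of apache_request_headers starts and ends outside the hunk.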
diff --git a/sapi/cgi/tests/apache_request_headers.phpt b/sapi/cgi/tests/apache_request_headers.phpt
new file mode 100644
index 0000000000..37e077e949
--- /dev/null
+++ b/sapi/cgi/tests/apache_request_headers.phpt
@@ -0,0 +1,49 @@
+--TEST--
+apache_request_headers() stack overflow.
+--SKIPIF--
+<?php
+include "skipif.inc";
+?>
+--FILE--
+<?php
+include "include.inc";
+
+$php = get_cgi_path();
+reset_env_vars();
+
+$file = dirname(__FILE__)."/012.test.php";
+
+file_put_contents($file, '<?php print_r(apache_request_headers()); ?>');
+
+passthru("$php $file");
+
+$names = array('HTTP_X_TEST', 'HTTP_X__TEST', 'HTTP_X_');
+foreach ($names as $name) {
+ putenv($name."=".str_repeat("A", 256));
+ passthru("$php -q $file");
+ putenv($name);
+}
+unlink($file);
+
+echo "Done\n";
+?>
+--EXPECTF--
+X-Powered-By: PHP/%s
+Content-type: text/html
+
+Array
+(
+)
+Array
+(
+ [X-Test] => AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+)
+Array
+(
+ [X--Test] => AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+)
+Array
+(
+ [X-] => AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+)
+Done
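Review bot: The `$names` list has no name consisting only of the prefix, so the case where `=` directly follows `HTTP_` is not pinned by this test; adding `'HTTP_'` to the array, with the matching expected output, would cover it. The script also writes `012.test.php` and removes it only on the success path, so a `--CLEAN--` section would keep an aborted run from leaving the file behind. `passthru("$php $file")` interpolates the script path unquoted; `escapeshellarg($file)` would keep the test working when the source tree path contains spaces.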