improve fix for CVE-2012-1823

author: Stanislav Malyshev <stas@php.net> 2012-05-07 12:08:36 -0700
committer: Stanislav Malyshev <stas@php.net> 2012-05-07 12:11:52 -0700
commit: fc3ba0552fd5c2d7b5870f3e2fec0a9a2d2996f4 (patch)
tree: ad803e0bf3dca42e4832feb9be3b82cb60eead67
parent: 64170aa3a564331c22c8647e067b22cb274f6601 (diff)
download: php-git-fc3ba0552fd5c2d7b5870f3e2fec0a9a2d2996f4.tar.gz
1 files changed, 8 insertions, 3 deletions
diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
index 84e0d63ad6..71404a4e6b 100644
--- a/sapi/cgi/cgi_main.c
+++ b/sapi/cgi/cgi_main.c
@@ -1806,10 +1806,15 @@ int main(int argc, char *argv[])
 		}
 	}
 
-	if(query_string = getenv("QUERY_STRING")) {
+	if((query_string = getenv("QUERY_STRING")) != NULL && strchr(query_string, '=') == NULL) {
+		/* we've got query string that has no = - apache CGI will pass it to command line */
+		unsigned char *p;
 		decoded_query_string = strdup(query_string);
 		php_url_decode(decoded_query_string, strlen(decoded_query_string));
-		if(*decoded_query_string == '-' && strchr(decoded_query_string, '=') == NULL) {
+		for (p = decoded_query_string; *p &&  *p <= ' '; p++) {
+			/* skip all leading spaces */
+		}
+		if(*p == '-') {
 			skip_getopt = 1;
 		}
 		free(decoded_query_string);
@@ -2073,7 +2078,7 @@ consult the installation file that came with this distribution, or visit \n\
 	}
 
 	zend_first_try {
-		while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) {
+		while (!skip_getopt && (c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) {
 			switch (c) {
 				case 'T':
 					benchmark = 1;
author	Stanislav Malyshev <stas@php.net>	2012-05-07 12:08:36 -0700
committer	Stanislav Malyshev <stas@php.net>	2012-05-07 12:11:52 -0700
commit	fc3ba0552fd5c2d7b5870f3e2fec0a9a2d2996f4 (patch)
tree	ad803e0bf3dca42e4832feb9be3b82cb60eead67
parent	64170aa3a564331c22c8647e067b22cb274f6601 (diff)
download	php-git-fc3ba0552fd5c2d7b5870f3e2fec0a9a2d2996f4.tar.gz