authorAntony Dovgal <tony2001@php.net>2007-05-22 14:32:40 +0000
committerAntony Dovgal <tony2001@php.net>2007-05-22 14:32:40 +0000
commitf996452e8ba67e5a241202b6a743df9c136706a3 (patch)
tree679714b18ffba0c0813927ce473502fbafb2971b /ext/standard/basic_functions.c
parent69c40e4141c603e8f34fa1d7e56f5a429d69fbc4 (diff)
improve variable name checks
add more tests
Diffstat (limited to 'ext/standard/basic_functions.c')
-rw-r--r--ext/standard/basic_functions.c19
1 files changed, 9 insertions, 10 deletions
diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
index 0cbb06db7b..0d42473bdf 100644
--- a/ext/standard/basic_functions.c
+++ b/ext/standard/basic_functions.c
@@ -6321,16 +6321,10 @@ static int copy_request_variable(void *pDest, int num_args, va_list args, zend_h
prefix = va_arg(args, zval *);
prefix_len = Z_UNILEN_P(prefix);
- if (!prefix_len) {
- if (!hash_key->nKeyLength) {
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard");
- return 0;
- } else if (hash_key->nKeyLength == sizeof("GLOBALS") &&
- ZEND_U_EQUAL(hash_key->type, hash_key->arKey, hash_key->nKeyLength-1, "GLOBALS", sizeof("GLOBALS")-1)) {
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite");
- return 0;
- }
- }
+ if (!prefix_len && !hash_key->nKeyLength) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard");
+ return 0;
+ }
if (hash_key->nKeyLength) {
php_prefix_varname(&new_key, prefix, hash_key->arKey, hash_key->nKeyLength-1, hash_key->type, 0 TSRMLS_CC);
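Review bot: The rewritten guard `if (!prefix_len && !hash_key->nKeyLength)` now rejects only numeric keys, and nothing at this spot says where the removed GLOBALS comparison went. The protection appears to move to the `php_varname_check()` call added in the next hunk, which runs on the final key rather than the raw one. A one-line comment here would stop a later reader from treating the deletion as a lost guard, for example `/* name-based rejection is done by php_varname_check() on the final key below */`. Which names that helper rejects is not visible on this page, so the comment should not list them without checking its definition. The body of copy_request_variable starts and ends outside the hunk.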
@@ -6342,6 +6336,11 @@ static int copy_request_variable(void *pDest, int num_args, va_list args, zend_h
zval_dtor(&num);
}
+ if (php_varname_check(Z_TYPE(new_key), Z_UNIVAL(new_key), Z_UNILEN(new_key), 0 TSRMLS_CC) == FAILURE) {
+ zval_dtor(&new_key);
+ return 0;
+ }
+
zend_u_delete_global_variable(Z_TYPE(new_key), Z_UNIVAL(new_key), Z_UNILEN(new_key) TSRMLS_CC);
ZEND_U_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), Z_TYPE(new_key), Z_UNIVAL(new_key), Z_UNILEN(new_key) + 1, *var, (*var)->refcount+1, 0);
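Review bot: The bare `0` passed as the fourth argument of `php_varname_check()` does not tell a reader whether a rejected name is reported or dropped silently. The helper is defined outside this hunk; presumably `0` means "not silent", which should be confirmed, because this call replaces a guard that used to emit its own E_WARNING. Placing the check after the prefix is applied is the right choice, since the combined name is what reaches the symbol table. That intent deserves a comment above the call, such as `/* validate the final prefixed name, not the raw request key; skip the variable on failure */`. The `zval_dtor(&new_key)` on the failure path assumes both the string-key and numeric-key branches have populated `new_key`; the numeric branch is only partly visible here, so that is worth verifying.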