An input filter might not simply strip stuff, it might also turn things

into entities or use some other mechanism which causes the filtered data
to be longer than the original data.  Ergo, pass in the address of the
buffer instead so the filter is free to reallocate it.

1 files changed, 2 insertions, 2 deletions

diff --git a/main/php_variables.c b/main/php_variables.c
index a82c966ef8..cb354c7dcd 100644
--- a/main/php_variables.c
+++ b/main/php_variables.c
@@ -226,7 +226,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(php_std_post_handler)
 			*val++ = '\0';
 			php_url_decode(var, strlen(var));
 			val_len = php_url_decode(val, strlen(val));
-			val_len = sapi_module.input_filter(PARSE_POST, var, val, val_len TSRMLS_CC);
+			val_len = sapi_module.input_filter(PARSE_POST, var, &val, val_len TSRMLS_CC);
 			php_register_variable_safe(var, val, val_len, array_ptr TSRMLS_CC);
 		}
 		var = php_strtok_r(NULL, "&", &strtok_buf);
@@ -321,7 +321,7 @@ SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data)
 			*val++ = '\0';
 			php_url_decode(var, strlen(var));
 			val_len = php_url_decode(val, strlen(val));
-			val_len = sapi_module.input_filter(arg, var, val, val_len TSRMLS_CC);
+			val_len = sapi_module.input_filter(arg, var, &val, val_len TSRMLS_CC);
 			php_register_variable_safe(var, val, val_len, array_ptr TSRMLS_CC);
 		} else {
 			php_url_decode(var, strlen(var));