Newsgroups: php.internals
Date: Fri, 15 Oct 2004 13:15:13 +0100
To: internals@lists.php.net
Message-ID: <20041015121513.GA24715@redhat.com>
Subject: [PATCH] array index sanitation bugs
From: jorton@redhat.com (Joe Orton)

We've just been looking at the security issues which were silently fixed in 4.3.9/5.0.2. The fixes for array index handling appear to be incomplete; there is now a segfault for a variable like "?foo[][=". That was just filed as #30442; the patch below fixes it.

Also, query strings like "?foo[[[[[[[h]=4" and "?foo[%20%20]=7" will still produce arrays which use invalid keys, not sure if this is desirable?

# [foo] => Array
# (
# [[[[[[[h] => 4
# )

Index: main/php_variables.c
===================================================================
RCS file: /repository/php-src/main/php_variables.c,v
retrieving revision 1.82
diff -u -r1.82 php_variables.c
--- main/php_variables.c 9 Sep 2004 16:10:24 -0000 1.82
+++ main/php_variables.c 15 Oct 2004 12:02:12 -0000
@@ -133,7 +133,9 @@ if (!ip) { /* PHP variables cannot contain '[' in their names, so we replace the character with a '_' */ *(index_s - 1) = '_'; - index_len = var_len = strlen(index); + if (index) { + index_len = var_len = strlen(index); + } goto plain_var; return; }
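Review bot: the `if (index)` guard stops the strlen(NULL) crash for the unterminated-bracket case, but when `index` is NULL the hunk now leaves `index_len` and `var_len` holding whatever they had before, so please confirm the `plain_var` path uses the correct length for the renamed variable in that case rather than a stale value. Separately, the `return;` immediately after `goto plain_var;` is unreachable and could be dropped in the same change.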