Newsgroups: php.internals
Xref: news.php.net php.internals:57517
Date: Wed, 25 Jan 2012 16:43:07 -0800
Message-ID: <38EE3732-F134-4C02-8F93-2E9C61FD1E81@ktamura.com>
To: internals@lists.php.net
Subject: A potential patch for Bug#60668
From: me@ktamura.com (Kiyoto Tamura)

vrana has raised a good point about a potentially dangerous behavior with ini_set() in https://bugs.php.net/bug.php?id=60668. Here is my proposed patch. Feedback is appreciated. Thanks!

Kiyoto Tamura

diff --git a/Zend/zend_ini.c b/Zend/zend_ini.c index a7ec5d7..89b1287 100644 --- a/Zend/zend_ini.c +++ b/Zend/zend_ini.c @@ -83,6 +83,23 @@ static int = zend_restore_ini_entry_wrapper(zend_ini_entry **ini_entry TSRMLS_DC) } /* }}} */ =20 +static uint zend_trim_after_carriage_return(char *value, uint = value_length) /* {{{ */ +{ + uint ii; + char prev_c =3D '\0', curr_c; + for (ii =3D 0; ii < value_length; ++ii) { + curr_c =3D *value; + if (prev_c =3D=3D '\r' && curr_c =3D=3D '\n') { + return ii - 1; + } + prev_c =3D curr_c; + ++value; + } + =20 + return value_length; +} +/* }}} */ + /* * Startup / shutdown */ @@ -288,6 +305,11 @@ ZEND_API int zend_alter_ini_entry_ex(char *name, = uint name_length, char *new_val zend_hash_add(EG(modified_ini_directives), name, = name_length, &ini_entry, sizeof(zend_ini_entry*), NULL); } =20 + // per Bug #60668, truncate the string after /r/n for user_agent = for security + if (strcmp(name, "user_agent") =3D=3D 0) { + new_value_length =3D zend_trim_after_carriage_return(new_value, = new_value_length); =20 + } + duplicate =3D estrndup(new_value, new_value_length); =20 if (!ini_entry->on_modify @@ -672,6 +694,7 @@ ZEND_API ZEND_INI_MH(OnUpdateStringUnempty) /* {{{ = */ *p =3D new_value; return SUCCESS; } /* }}} */ =20 /*
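Review bot: zend_trim_after_carriage_return (first hunk, @@ -83,6 +83,23 @@) only cuts the value at a CR that is immediately followed by LF, so a bare '\n' or a bare '\r' in the new user_agent value is left in place; since the concern in Bug #60668 is line terminators reaching the outgoing header, the loop should stop at the first occurrence of either character (`if (curr_c == '\r' || curr_c == '\n') return ii;`), which also removes the need for the prev_c bookkeeping. Silently shortening the value also hides the problem from the caller; returning FAILURE from the ini handler so that ini_set() reports false is easier for an application to notice and log. Minor: `value` is only read, so `const char *` fits; the `+ =20` line inside the function adds trailing whitespace; and the name should say it trims at a newline, not just at a carriage return.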
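Review bot: the `strcmp(name, "user_agent") == 0` special case (second hunk, @@ -288,6 +305,11 @@) puts knowledge of one directive into the generic zend_alter_ini_entry_ex path that every ini_set() call goes through; the hook the engine already provides for per-directive validation is the entry's on_modify handler (checked a few lines below with `if (!ini_entry->on_modify`), so this check belongs in an OnUpdate handler registered for user_agent where that directive is defined, which keeps this function directive-agnostic and lets any other header-bearing directive reuse the same handler instead of growing this if chain. Style: the surrounding file uses `/* */` comments rather than `//`; the comment reads "/r/n" where "\r\n" is meant; the assignment line carries trailing whitespace; and since name_length is already a parameter here, a length-aware comparison would be consistent with the rest of this function.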
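Review bot: the third hunk (@@ -672,6 +694,7 @@, OnUpdateStringUnempty) changes nothing functionally; it only adds a blank line with trailing whitespace after the closing `/* }}} */`. Drop it from the patch so the diff contains only the intended change.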