[PATCH] [REPOST] File Upload - Binary and Garbage Safety

21 years ago by snolz@hushmail.com — view source

unread

Sorry but your list does not like hushmail attachments

Sammy Nolz

--- rfc1867.c.unpatched 2002-01-01 02:02:11.000000000 +0100
+++ rfc1867.c 2002-01-01 02:04:55.000000000 +0100
@@ -230,6 +230,13 @@
}
}

+static void safe_php_register_binary_variable(char *var, char *strval,
int strlen, zval *track_vars_array, zend_bool override_protection TSRMLS_DC)
+{

if (override_protection || !is_protected_variable(var TSRMLS_CC)) {

  php_register_variable_safe(var, strval, strlen, track_vars_array TSRMLS_CC);

}
+}

static void register_http_post_files_variable(char *strvar, char *val,
zval *http_post_files, zend_bool override_protection TSRMLS_DC)
{
@@ -761,7 +768,7 @@

SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
{

char *boundary, *s=NULL, *boundary_end = NULL, *start_arr=NULL, *array_index=NULL;

char *boundary, *s=NULL, *boundary_end = NULL, *start_arr=NULL, *end_arr=NULL,
*array_index=NULL;
char *temp_filename=NULL, *lbuf=NULL, abuf=NULL;
int boundary_len=0, total_bytes=0, cancel_upload=0, is_arr_upload=0,
array_len=0;
int max_file_size=0, skip_upload=0, anonindex=0, is_anonymous;
@@ -883,23 +890,24 @@
/ Normal form variable, safe to read all data into memory */
if (!filename && param) {

  		char *value = multipart_buffer_read_body(mbuff TSRMLS_CC);

```
  		int length = 0;
```

  		char *value = multipart_buffer_read_body(mbuff, &length TSRMLS_CC);
  		unsigned int new_val_len; /* Dummy variable */

  		if (!value) {
  			value = estrdup("");
  		}

  		if (sapi_module.input_filter(PARSE_POST, param, &value, strlen(value),

&new_val_len TSRMLS_CC)) {

  		if (sapi_module.input_filter(PARSE_POST, param, &value, length,

&new_val_len TSRMLS_CC)) {
#if HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING)
if (php_mb_encoding_translation(TSRMLS_C)) {
php_mb_gpc_stack_variable(param, value, &val_list, &len_list,

											  &num_vars, &num_vars_max TSRMLS_CC);
				} else {

  				safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);

  				safe_php_register_binary_variable(param, value, new_val_len, array_ptr,

0 TSRMLS_CC);
}
#else

  			safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);

  			safe_php_register_binary_variable(param, value, new_val_len, array_ptr,

0 TSRMLS_CC);
#endif
}
if (!strcasecmp(param, "MAX_FILE_SIZE")) {
@@ -1000,9 +1008,14 @@

		/* is_arr_upload is true when name of file upload field
		 * ends in [.*]

  	 * start_arr is set to point to 1st [

  	 * start_arr is set to point to 1st [ and

  	 * end_arr is set to point to last ]
  	 */

  	is_arr_upload =	(start_arr = strchr(param,'[')) && (param[strlen(param)-

1] == ']');

  	is_arr_upload =	(end_arr = strrchr(param, ']')) && (start_arr = strchr(param,

'[')) && (end_arr > start_arr);

```
  	/* cut away garbage after ] */
```
```
  	if (is_arr_upload && end_arr) {
```
```
  		end_arr[1] = '\0';
```

  	}
  	/* handle unterminated [ */
  	if (!is_arr_upload && start_arr) {
  		*start_arr = '_';

@@ -1014,6 +1027,8 @@
efree(array_index);
}
array_index = estrndup(start_arr+1, array_len-2);

```
  		start_arr = NULL;
```

  		end_arr = NULL;
  	}
   	
  	/* Add $foo_name */

Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program:
https://www.hushmail.com/about.php?subloc=affiliate&l=427