21 years ago by Joe Orton — view source — reply

unread

We've just been looking at the security issues which were silently fixed
in 4.3.9/5.0.2. The fixes for array index handling appear to be
incomplete, there is now a segfault for a variable like "?foo[][="

That was just filed as #30442, patch below fixes it.

Also, query strings like: "?foo[[[[[[[h]=4" and "?foo[%20%20]=7" will
still produce arrays which use invalid keys, not sure if this is
desirable?

[foo] => Array

(

[[[[[[[h] => 4

)

Index: main/php_variables.c

RCS file: /repository/php-src/main/php_variables.c,v
retrieving revision 1.82
diff -u -r1.82 php_variables.c
--- main/php_variables.c 9 Sep 2004 16:10:24 -0000 1.82
+++ main/php_variables.c 15 Oct 2004 12:02:12 -0000
@@ -133,7 +133,9 @@
if (!ip) {
/* PHP variables cannot contain '[' in their names, so we replace the character with a '' */
*(index_s - 1) = '';

  			index_len = var_len = strlen(index);

```
  			if (index) {
```

  				index_len = var_len = strlen(index);

  			}
  			goto plain_var;
  			return;
  		}

[PATCH] array index sanitation bugs

[foo] => Array

(

[[[[[[[h] => 4

)

Index: main/php_variables.c