We've just been looking at the security issues which were silently fixed
in 4.3.9/5.0.2. The fixes for array index handling appear to be
incomplete; there is now a segfault for a variable like "?foo[][=".
That was just filed as #30442; the patch below fixes it.
Also, query strings like: "?foo[[[[[[[h]=4" and "?foo[%20%20]=7" will
still produce arrays which use invalid keys, not sure if this is
desirable?
    [foo] => Array
        (
            [[[[[[[h] => 4
        )
Index: main/php_variables.c
RCS file: /repository/php-src/main/php_variables.c,v
retrieving revision 1.82
diff -u -r1.82 php_variables.c
--- main/php_variables.c 9 Sep 2004 16:10:24 -0000 1.82
+++ main/php_variables.c 15 Oct 2004 12:02:12 -0000
@@ -133,7 +133,9 @@
if (!ip) {
/* PHP variables cannot contain '[' in their names, so we replace the character with a '' */
*(index_s - 1) = '';
-
index_len = var_len = strlen(index);
-
if (index) {
-
index_len = var_len = strlen(index);
-
} goto plain_var; return; }
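Review bot: The `if (index)` guard around `index_len = var_len = strlen(index);` has no else branch, so when index is NULL both lengths keep whatever value they held earlier when control reaches `goto plain_var`. Assign them explicitly for the NULL case (for example, set both to 0 before the test), or add a comment stating that plain_var does not read them on that path. A regression test for the "?foo[][=" input from #30442 would also help keep the NULL case covered.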