File php-5.1.2-CVE-2007-0910.patch of Package php
--- ext/session/session.c
+++ ext/session/session.c
@@ -303,9 +303,12 @@
 if (PG(register_globals)) {
 zval **sym_global = NULL;
- zend_hash_find(&EG(symbol_table), name, namelen + 1,
- (void *) &sym_global);
-
+ if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void *) &sym_global) == SUCCESS) {
+ if ((Z_TYPE_PP(sym_global) == IS_ARRAY && Z_ARRVAL_PP(sym_global) == &EG(symbol_table)) || *sym_global == PS(http_session_vars)) {
+ return;
+ }
+ }
+
 if (sym_global == NULL && sym_track == NULL) {
 zval *empty_var;
@@ -335,7 +338,10 @@
 if (PG(register_globals)) {
 zval **old_symbol;
 if (zend_hash_find(&EG(symbol_table),name,namelen+1,(void *)&old_symbol) == SUCCESS) {
-
+ if ((Z_TYPE_PP(old_symbol) == IS_ARRAY && Z_ARRVAL_PP(old_symbol) == &EG(symbol_table)) || *old_symbol == PS(http_session_vars)) {
+ return;
+ }
+
 /*
 * A global symbol with the same name exists already. That
 * symbol might have been created by other means (e.g. $_GET).
@@ -444,6 +450,7 @@
 PHP_VAR_UNSERIALIZE_INIT(var_hash);
 for (p = val; p < endptr; ) {
+ zval **tmp;
 namelen = *p & (~PS_BIN_UNDEF);
 has_value = *p & PS_BIN_UNDEF ? 0 : 1;
@@ -451,6 +458,13 @@
 p += namelen + 1;
+ if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) {
+ if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) {
+ efree(name);
+ continue;
+ }
+ }
+
 if (has_value) {
 ALLOC_INIT_ZVAL(current);
 if (php_var_unserialize(¤t, (const unsigned char **) &p, endptr, &var_hash TSRMLS_CC)) {
@@ -516,6 +530,7 @@
 p = val;
 while (p < endptr) {
+ zval **tmp;
 q = p;
 while (*q != PS_DELIMITER) if (++q >= endptr) goto break_outer_loop;
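Review bot: The guard `(Z_TYPE_PP(v) == IS_ARRAY && Z_ARRVAL_PP(v) == &EG(symbol_table)) || *v == PS(http_session_vars)` is written out by hand in the hunk at -303 and again in the hunks at -335, -451 and -531, with nothing saying what it refuses. A single static helper taking the `zval **` would keep the four copies from drifting apart, with a comment such as `/* refuse names that resolve to the global symbol table array or to the session array itself */`. The first copy also passes `(void *) &sym_global` where the later ones use `(void **) &tmp`; one cast form throughout would read better. The enclosing functions start and end outside the hunks, so the effect of the bare `return` on callers cannot be judged from here.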
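Review bot: In the hunk at -451 the refusal path `efree(name); continue;` leaves `p` just past the name, so when `has_value` is set the serialized value that follows is never consumed and the next iteration reads its first byte as a name length. From that point the rest of the session data is decoded at a misaligned offset, so bytes belonging to a refused value can end up parsed as further variable names. Stopping the decode is the safer response to a refused name: `efree(name); break;` here, and `efree(name); goto break_outer_loop;` in place of `goto skip;` in the hunk at -531, where `p = q` resumes right after the delimiter in the same way (the added `skip:` label then becomes unnecessary). Both loop bodies continue outside the hunks, so confirm that the cleanup after the loop still runs on that path.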
@@ -531,6 +546,12 @@
 name = estrndup(p, namelen);
 q++;
+ if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) {
+ if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) {
+ goto skip;
+ }
+ }
+
 if (has_value) {
 ALLOC_INIT_ZVAL(current);
 if (php_var_unserialize(¤t, (const unsigned char **) &q, endptr, &var_hash TSRMLS_CC)) {
@@ -539,6 +560,7 @@
 zval_ptr_dtor(¤t);
 }
 PS_ADD_VARL(name, namelen);
+skip:
 efree(name);
 p = q;
@@ -679,7 +701,7 @@
 buf = emalloc(100);
 /* maximum 15+19+19+10 bytes */
- sprintf(buf, "%.15s%ld%ld%0.8f", remote_addr ? remote_addr : "",
+ sprintf(buf, "%.15s%ld%ld%0.8F", remote_addr ? remote_addr : "",
 tv.tv_sec, tv.tv_usec, php_combined_lcg(TSRMLS_C) * 10);
 switch (PS(hash_func)) {
--- main/php_variables.c
+++ main/php_variables.c
@@ -611,8 +611,6 @@
 {
 char *p;
 unsigned char _gpc_flags[5] = {0, 0, 0, 0, 0};
- zval *dummy_track_vars_array = NULL;
- zend_bool initialized_dummy_track_vars_array=0;
 zend_bool jit_initialization = (PG(auto_globals_jit) && !PG(register_globals) && !PG(register_long_arrays) && !PG(register_argc_argv));
 struct auto_global_record {
 char *name;
@@ -703,15 +701,9 @@
 continue;
 }
 if (!PG(http_globals)[i]) {
- if (!initialized_dummy_track_vars_array) {
- ALLOC_ZVAL(dummy_track_vars_array);
- array_init(dummy_track_vars_array);
- INIT_PZVAL(dummy_track_vars_array);
- initialized_dummy_track_vars_array = 1;
- } else {
- dummy_track_vars_array->refcount++;
- }
- PG(http_globals)[i] = dummy_track_vars_array;
+ ALLOC_ZVAL(PG(http_globals)[i]);
+ array_init(PG(http_globals)[i]);
+ INIT_PZVAL(PG(http_globals)[i]);
 }
 PG(http_globals)[i]->refcount++;
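Review bot: The `%0.8f` to `%0.8F` change in the hunk at -679 is not explained and is unrelated to the session-variable guard in the rest of the patch. If `sprintf` here resolves to the C library's, `F` differs from `f` only in the case of inf/nan output, so the intent deserves a comment, for example `/* F: format independently of the locale */` if that is what is meant. The call is also unbounded on a 100-byte buffer; `snprintf(buf, 100, ...)` would enforce the limit that the existing comment only states.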
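Review bot: Nothing in the three added lines at -703 in main/php_variables.c records why each empty `PG(http_globals)[i]` slot now gets its own array instead of the shared `dummy_track_vars_array`. A comment such as `/* each missing superglobal gets its own empty array; do not share one zval between slots */` would stop a later cleanup from reintroducing the shared dummy. The enclosing function starts before the hunk at -611 and continues past this one.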