SOURCES: php-CVE-2006-0996.patch (NEW) - new; fix for XSS in phpin...
adamg
adamg at pld-linux.org
Wed Apr 19 18:40:34 CEST 2006
Author: adamg Date: Wed Apr 19 16:40:34 2006 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- new; fix for XSS in phpinfo()
---- Files affected:
SOURCES:
php-CVE-2006-0996.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/php-CVE-2006-0996.patch
diff -u /dev/null SOURCES/php-CVE-2006-0996.patch:1.1
--- /dev/null Wed Apr 19 18:40:34 2006
+++ SOURCES/php-CVE-2006-0996.patch Wed Apr 19 18:40:29 2006
@@ -0,0 +1,73 @@
+Cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP 5.1.2
+and 4.4.2 allows remote attackers to inject arbitrary web script or HTML
+via long array variables, including (1) a large number of dimensions or
+(2) long values, which prevents HTML tags from being removed.
+
+Patch pulled from cvs.php.net
+
+--- php-5.1.2/ext/standard/info.c 2006/01/01 12:50:15 1.249.2.7
++++ php-5.1.2/ext/standard/info.c 2006/03/30 19:58:18 1.249.2.9
+@@ -18,7 +18,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id$ */
++/* $Id$ */
+
+ #include "php.h"
+ #include "php_ini.h"
+@@ -58,6 +58,21 @@
+
+ PHPAPI extern char *php_ini_opened_path;
+ PHPAPI extern char *php_ini_scanned_files;
++
++static int php_info_write_wrapper(const char *str, uint str_length)
++{
++ TSRMLS_FETCH();
++
++ int new_len, written;
++ char *elem_esc = php_escape_html_entities((char *)str, str_length, &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
++
++ written = php_body_write(elem_esc, new_len TSRMLS_CC);
++
++ efree(elem_esc);
++
++ return written;
++}
++
+
+ /* {{{ _display_module_info
+ */
+@@ -135,30 +150,13 @@
+ PUTS(" => ");
+ }
+ if (Z_TYPE_PP(tmp) == IS_ARRAY) {
+- zval *tmp3;
+-
+- MAKE_STD_ZVAL(tmp3);
+-
+ if (!sapi_module.phpinfo_as_text) {
+ PUTS("<pre>");
+- }
+- php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
+-
+- zend_print_zval_r(*tmp, 0 TSRMLS_CC);
+-
+- php_ob_get_buffer(tmp3 TSRMLS_CC);
+- php_end_ob_buffer(0, 0 TSRMLS_CC);
+-
+- if (!sapi_module.phpinfo_as_text) {
+- elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
+- PUTS(elem_esc);
+- efree(elem_esc);
++ zend_print_zval_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0);
+ PUTS("</pre>");
+ } else {
+- PUTS(Z_STRVAL_P(tmp3));
++ zend_print_zval_r(*tmp, 0 TSRMLS_CC);
+ }
+- zval_ptr_dtor(&tmp3);
+-
+ } else if (Z_TYPE_PP(tmp) != IS_STRING) {
+ tmp2 = **tmp;
+ zval_copy_ctor(&tmp2);
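Review bot: The first hunk of the embedded patch (`-/* $Id$ */` followed by `+/* $Id$ */`) has identical text on both sides, most likely because CVS keyword handling collapsed the original revision strings when the patch was committed. As written it changes nothing and will probably not match the expanded `$Id: ... $` line in the pristine info.c, so dropping that hunk keeps the XSS fix from depending on a keyword line. In `php_info_write_wrapper`, `TSRMLS_FETCH();` sits ahead of `int new_len, written;`; in a non-thread-safe build the macro presumably expands to nothing, leaving a statement before the declarations, which strict C89 compilers reject. Declaring the locals first and assigning `elem_esc` after the fetch avoids that. A short comment on the wrapper, such as `/* escape each chunk as it is written so no part of the array dump reaches the HTML page unescaped */`, would record why the buffered approach was replaced and discourage anyone from reintroducing it.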
================================================================