summaryrefslogtreecommitdiff
path: root/sapi
diff options
context:
space:
mode:
authorJerome Loyet <fat@php.net>2012-05-26 17:37:24 (GMT)
committerJerome Loyet <fat@php.net>2012-05-26 17:37:24 (GMT)
commite7a7f533e32813b13255efa236b711f6d1f6325d (patch)
tree7c3170bb86f9878e207c1985d0b8face58a60604 /sapi
parent78de6eb03d3a24691d9f535e2cbe768a9ba8bd48 (diff)
downloadphp-e7a7f533e32813b13255efa236b711f6d1f6325d.tar.gz
Fixed bug #61218 (the previous patch was not enough restritive on fcgi name string checks)
Diffstat (limited to 'sapi')
-rw-r--r--sapi/fpm/fpm/fastcgi.c48
1 files changed, 42 insertions, 6 deletions
diff --git a/sapi/fpm/fpm/fastcgi.c b/sapi/fpm/fpm/fastcgi.c
index 9df26f1..e2e208a 100644
--- a/sapi/fpm/fpm/fastcgi.c
+++ b/sapi/fpm/fpm/fastcgi.c
@@ -395,12 +395,39 @@ static inline size_t fcgi_get_params_len( int *result, unsigned char *p, unsigne
return ret;
}
+static inline int fcgi_param_get_eff_len( unsigned char *p, unsigned char *end, uint *eff_len)
+{
+ int ret = 1;
+ int zero_found = 0;
+ *eff_len = 0;
+ for (; p != end; ++p) {
+ if (*p == '\0') {
+ zero_found = 1;
+ }
+ else {
+ if (zero_found) {
+ ret = 0;
+ break;
+ }
+ if (*eff_len < ((uint)-1)) {
+ ++*eff_len;
+ }
+ else {
+ ret = 0;
+ break;
+ }
+ }
+ }
+ return ret;
+}
+
static int fcgi_get_params(fcgi_request *req, unsigned char *p, unsigned char *end)
{
char buf[128];
char *tmp = buf;
size_t buf_size = sizeof(buf);
int name_len, val_len;
+ uint eff_name_len;
char *s;
int ret = 1;
size_t bytes_consumed;
@@ -427,26 +454,35 @@ static int fcgi_get_params(fcgi_request *req, unsigned char *p, unsigned char *e
break;
}
- if (name_len >= buf_size-1) {
- if (name_len > ((uint)-1)-64) {
+ /*
+ * get the effective length of the name in case it's not a valid string
+ * don't do this on the value because it can be binary data
+ */
+ if (!fcgi_param_get_eff_len(p, p+name_len, &eff_name_len)){
+ /* Malicious request */
+ ret = 0;
+ break;
+ }
+ if (eff_name_len >= buf_size-1) {
+ if (eff_name_len > ((uint)-1)-64) {
ret = 0;
break;
}
- buf_size = name_len + 64;
+ buf_size = eff_name_len + 64;
tmp = (tmp == buf ? emalloc(buf_size): erealloc(tmp, buf_size));
if (tmp == NULL) {
ret = 0;
break;
}
}
- memcpy(tmp, p, name_len);
- tmp[name_len] = 0;
+ memcpy(tmp, p, eff_name_len);
+ tmp[eff_name_len] = 0;
s = estrndup((char*)p + name_len, val_len);
if (s == NULL) {
ret = 0;
break;
}
- zend_hash_update(req->env, tmp, name_len+1, &s, sizeof(char*), NULL);
+ zend_hash_update(req->env, tmp, eff_name_len+1, &s, sizeof(char*), NULL);
p += name_len + val_len;
}
if (tmp != buf && tmp != NULL) {