mirror of
https://github.com/php/php-src.git
synced 2024-09-21 09:57:23 +00:00
Protection from $this reassign through mb_parse_str()
This commit is contained in:
parent
59a9a6c83c
commit
cf749c42b0
19
Zend/tests/this_in_mb_parse_str.phpt
Normal file
19
Zend/tests/this_in_mb_parse_str.phpt
Normal file
@ -0,0 +1,19 @@
|
||||
--TEST--
|
||||
$this re-assign in mb_parse_str()
|
||||
--SKIPIF--
|
||||
<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
|
||||
--FILE--
|
||||
<?php
|
||||
function foo() {
|
||||
mb_parse_str("this=42");
|
||||
var_dump($this);
|
||||
}
|
||||
foo();
|
||||
?>
|
||||
--EXPECTF--
|
||||
Fatal error: Uncaught Error: Cannot re-assign $this in %sthis_in_mb_parse_str.php:3
|
||||
Stack trace:
|
||||
#0 %sthis_in_mb_parse_str.php(3): mb_parse_str('this=42')
|
||||
#1 %sthis_in_mb_parse_str.php(6): foo()
|
||||
#2 {main}
|
||||
thrown in %sthis_in_mb_parse_str.php on line 3
|
@ -109,6 +109,25 @@ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars
|
||||
return;
|
||||
}
|
||||
|
||||
if (var_len == sizeof("this")-1 && EG(current_execute_data)) {
|
||||
zend_execute_data *ex = EG(current_execute_data);
|
||||
|
||||
while (ex) {
|
||||
if (ex->func && ZEND_USER_CODE(ex->func->common.type)) {
|
||||
if (ex->symbol_table == symtable1) {
|
||||
if (memcmp(var, "this", sizeof("this")-1) == 0) {
|
||||
zend_throw_error(NULL, "Cannot re-assign $this");
|
||||
zval_dtor(val);
|
||||
free_alloca(var_orig, use_heap);
|
||||
return;
|
||||
}
|
||||
}
|
||||
break;
|
||||
}
|
||||
ex = ex->prev_execute_data;
|
||||
}
|
||||
}
|
||||
|
||||
/* GLOBALS hijack attempt, reject parameter */
|
||||
if (symtable1 == &EG(symbol_table) &&
|
||||
var_len == sizeof("GLOBALS")-1 &&
|
||||
|
Loading…
Reference in New Issue
Block a user