Protection from $this reassign through mb_parse_str()

2024-09-21 09:57:23 +00:00 · 2016-06-15 19:06:16 +03:00 · 2016-06-15 19:06:16 +03:00 · cf749c42b0
commit cf749c42b0
parent 59a9a6c83c
2 changed files with 38 additions and 0 deletions
--- a/Zend/tests/this_in_mb_parse_str.phpt
+++ b/Zend/tests/this_in_mb_parse_str.phpt
@ -0,0 +1,19 @@
+--TEST--
+$this re-assign in mb_parse_str()
+--SKIPIF--
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+--FILE--
+<?php
+function foo() {
+	mb_parse_str("this=42");
+	var_dump($this);
+}
+foo();
+?>
+--EXPECTF--
+Fatal error: Uncaught Error: Cannot re-assign $this in %sthis_in_mb_parse_str.php:3
+Stack trace:
+#0 %sthis_in_mb_parse_str.php(3): mb_parse_str('this=42')
+#1 %sthis_in_mb_parse_str.php(6): foo()
+#2 {main}
+  thrown in %sthis_in_mb_parse_str.php on line 3
--- a/main/php_variables.c
+++ b/main/php_variables.c
@ -109,6 +109,25 @@ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars
 		return;
 	}

+	if (var_len == sizeof("this")-1 && EG(current_execute_data)) {
+		zend_execute_data *ex = EG(current_execute_data);
+
+		while (ex) {
+			if (ex->func && ZEND_USER_CODE(ex->func->common.type)) {
+				if (ex->symbol_table == symtable1) {
+					if (memcmp(var, "this", sizeof("this")-1) == 0) {
+						zend_throw_error(NULL, "Cannot re-assign $this");
+						zval_dtor(val);
+						free_alloca(var_orig, use_heap);
+						return;
+					}
+				}
+				break;
+			}
+			ex = ex->prev_execute_data;
+		}
+	}
+
 	/* GLOBALS hijack attempt, reject parameter */
 	if (symtable1 == &EG(symbol_table) &&
 		var_len == sizeof("GLOBALS")-1 &&