mirror of
https://github.com/php/php-src.git
synced 2024-09-22 02:17:32 +00:00
Protect arrays as well.
This commit is contained in:
parent
ade2c31625
commit
efdd39207c
@ -47,38 +47,38 @@ static zend_bool is_protected_variable(char *varname PLS_DC)
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
static void safe_php_register_variable(char *var, char *strval, zval *track_vars_array ELS_DC PLS_DC)
|
static void safe_php_register_variable(char *var, char *strval, zval *track_vars_array, zend_bool override_protection ELS_DC PLS_DC)
|
||||||
{
|
{
|
||||||
if (!is_protected_variable(var PLS_CC)) {
|
if (override_protection || !is_protected_variable(var PLS_CC)) {
|
||||||
php_register_variable(var, strval, track_vars_array ELS_CC PLS_CC);
|
php_register_variable(var, strval, track_vars_array ELS_CC PLS_CC);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
static void safe_php_register_variable_ex(char *var, zval *val, pval *track_vars_array ELS_DC PLS_DC)
|
static void safe_php_register_variable_ex(char *var, zval *val, pval *track_vars_array, zend_bool override_protection ELS_DC PLS_DC)
|
||||||
{
|
{
|
||||||
if (!is_protected_variable(var PLS_CC)) {
|
if (override_protection || !is_protected_variable(var PLS_CC)) {
|
||||||
php_register_variable_ex(var, val, track_vars_array ELS_CC PLS_CC);
|
php_register_variable_ex(var, val, track_vars_array ELS_CC PLS_CC);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
static void register_http_post_files_variable(char *strvar, char *val, zval *http_post_files ELS_DC PLS_DC)
|
static void register_http_post_files_variable(char *strvar, char *val, zval *http_post_files, zend_bool override_protection ELS_DC PLS_DC)
|
||||||
{
|
{
|
||||||
int register_globals = PG(register_globals);
|
int register_globals = PG(register_globals);
|
||||||
|
|
||||||
PG(register_globals) = 0;
|
PG(register_globals) = 0;
|
||||||
safe_php_register_variable(strvar, val, http_post_files ELS_CC PLS_CC);
|
safe_php_register_variable(strvar, val, http_post_files, override_protection ELS_CC PLS_CC);
|
||||||
PG(register_globals) = register_globals;
|
PG(register_globals) = register_globals;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
static void register_http_post_files_variable_ex(char *var, zval *val, zval *http_post_files ELS_DC PLS_DC)
|
static void register_http_post_files_variable_ex(char *var, zval *val, zval *http_post_files, zend_bool override_protection ELS_DC PLS_DC)
|
||||||
{
|
{
|
||||||
int register_globals = PG(register_globals);
|
int register_globals = PG(register_globals);
|
||||||
|
|
||||||
PG(register_globals) = 0;
|
PG(register_globals) = 0;
|
||||||
safe_php_register_variable_ex(var, val, http_post_files ELS_CC PLS_CC);
|
safe_php_register_variable_ex(var, val, http_post_files, override_protection ELS_CC PLS_CC);
|
||||||
PG(register_globals) = register_globals;
|
PG(register_globals) = register_globals;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -207,9 +207,9 @@ static void php_mime_split(char *buf, int cnt, char *boundary, zval *array_ptr)
|
|||||||
}
|
}
|
||||||
s = strrchr(filenamebuf, '\\');
|
s = strrchr(filenamebuf, '\\');
|
||||||
if (s && s > filenamebuf) {
|
if (s && s > filenamebuf) {
|
||||||
safe_php_register_variable(lbuf, s+1, NULL ELS_CC PLS_CC);
|
safe_php_register_variable(lbuf, s+1, NULL, 0 ELS_CC PLS_CC);
|
||||||
} else {
|
} else {
|
||||||
safe_php_register_variable(lbuf, filenamebuf, NULL ELS_CC PLS_CC);
|
safe_php_register_variable(lbuf, filenamebuf, NULL, 0 ELS_CC PLS_CC);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Add $foo[name] */
|
/* Add $foo[name] */
|
||||||
@ -219,9 +219,9 @@ static void php_mime_split(char *buf, int cnt, char *boundary, zval *array_ptr)
|
|||||||
sprintf(lbuf, "%s[name]", namebuf);
|
sprintf(lbuf, "%s[name]", namebuf);
|
||||||
}
|
}
|
||||||
if (s && s > filenamebuf) {
|
if (s && s > filenamebuf) {
|
||||||
register_http_post_files_variable(lbuf, s+1, http_post_files ELS_CC PLS_CC);
|
register_http_post_files_variable(lbuf, s+1, http_post_files, 0 ELS_CC PLS_CC);
|
||||||
} else {
|
} else {
|
||||||
register_http_post_files_variable(lbuf, filenamebuf, http_post_files ELS_CC PLS_CC);
|
register_http_post_files_variable(lbuf, filenamebuf, http_post_files, 0 ELS_CC PLS_CC);
|
||||||
}
|
}
|
||||||
|
|
||||||
state = 3;
|
state = 3;
|
||||||
@ -251,7 +251,7 @@ static void php_mime_split(char *buf, int cnt, char *boundary, zval *array_ptr)
|
|||||||
} else {
|
} else {
|
||||||
sprintf(lbuf, "%s_type", namebuf);
|
sprintf(lbuf, "%s_type", namebuf);
|
||||||
}
|
}
|
||||||
safe_php_register_variable(lbuf, s, NULL ELS_CC PLS_CC);
|
safe_php_register_variable(lbuf, s, NULL, 0 ELS_CC PLS_CC);
|
||||||
|
|
||||||
/* Add $foo[type] */
|
/* Add $foo[type] */
|
||||||
if (is_arr_upload) {
|
if (is_arr_upload) {
|
||||||
@ -259,7 +259,7 @@ static void php_mime_split(char *buf, int cnt, char *boundary, zval *array_ptr)
|
|||||||
} else {
|
} else {
|
||||||
sprintf(lbuf, "%s[type]", namebuf);
|
sprintf(lbuf, "%s[type]", namebuf);
|
||||||
}
|
}
|
||||||
register_http_post_files_variable(lbuf, s, http_post_files ELS_CC PLS_CC);
|
register_http_post_files_variable(lbuf, s, http_post_files, 0 ELS_CC PLS_CC);
|
||||||
if(*s != '\0') {
|
if(*s != '\0') {
|
||||||
*(loc2 - 1) = '\n';
|
*(loc2 - 1) = '\n';
|
||||||
}
|
}
|
||||||
@ -284,7 +284,7 @@ static void php_mime_split(char *buf, int cnt, char *boundary, zval *array_ptr)
|
|||||||
|
|
||||||
/* Check to make sure we are not overwriting special file
|
/* Check to make sure we are not overwriting special file
|
||||||
* upload variables */
|
* upload variables */
|
||||||
safe_php_register_variable(namebuf, ptr, array_ptr ELS_CC PLS_CC);
|
safe_php_register_variable(namebuf, ptr, array_ptr, 0 ELS_CC PLS_CC);
|
||||||
|
|
||||||
/* And a little kludge to pick out special MAX_FILE_SIZE */
|
/* And a little kludge to pick out special MAX_FILE_SIZE */
|
||||||
itype = php_check_ident_type(namebuf);
|
itype = php_check_ident_type(namebuf);
|
||||||
@ -348,8 +348,8 @@ static void php_mime_split(char *buf, int cnt, char *boundary, zval *array_ptr)
|
|||||||
php_error(E_WARNING, "Only %d bytes were written, expected to write %ld", bytes, loc - ptr - 4);
|
php_error(E_WARNING, "Only %d bytes were written, expected to write %ld", bytes, loc - ptr - 4);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
safe_php_register_variable(namebuf, fn, NULL ELS_CC PLS_CC);
|
|
||||||
add_protected_variable(namebuf PLS_CC);
|
add_protected_variable(namebuf PLS_CC);
|
||||||
|
safe_php_register_variable(namebuf, fn, NULL, 1 ELS_CC PLS_CC);
|
||||||
|
|
||||||
/* Add $foo[tmp_name] */
|
/* Add $foo[tmp_name] */
|
||||||
if(is_arr_upload) {
|
if(is_arr_upload) {
|
||||||
@ -357,8 +357,8 @@ static void php_mime_split(char *buf, int cnt, char *boundary, zval *array_ptr)
|
|||||||
} else {
|
} else {
|
||||||
sprintf(lbuf, "%s[tmp_name]", namebuf);
|
sprintf(lbuf, "%s[tmp_name]", namebuf);
|
||||||
}
|
}
|
||||||
register_http_post_files_variable(lbuf, fn, http_post_files ELS_CC PLS_CC);
|
|
||||||
add_protected_variable(lbuf PLS_CC);
|
add_protected_variable(lbuf PLS_CC);
|
||||||
|
register_http_post_files_variable(lbuf, fn, http_post_files, 1 ELS_CC PLS_CC);
|
||||||
{
|
{
|
||||||
zval file_size;
|
zval file_size;
|
||||||
|
|
||||||
@ -371,7 +371,7 @@ static void php_mime_split(char *buf, int cnt, char *boundary, zval *array_ptr)
|
|||||||
} else {
|
} else {
|
||||||
sprintf(lbuf, "%s_size", namebuf);
|
sprintf(lbuf, "%s_size", namebuf);
|
||||||
}
|
}
|
||||||
safe_php_register_variable_ex(lbuf, &file_size, NULL ELS_CC PLS_CC);
|
safe_php_register_variable_ex(lbuf, &file_size, NULL, 0 ELS_CC PLS_CC);
|
||||||
|
|
||||||
/* Add $foo[size] */
|
/* Add $foo[size] */
|
||||||
if(is_arr_upload) {
|
if(is_arr_upload) {
|
||||||
@ -379,7 +379,7 @@ static void php_mime_split(char *buf, int cnt, char *boundary, zval *array_ptr)
|
|||||||
} else {
|
} else {
|
||||||
sprintf(lbuf, "%s[size]", namebuf);
|
sprintf(lbuf, "%s[size]", namebuf);
|
||||||
}
|
}
|
||||||
register_http_post_files_variable_ex(lbuf, &file_size, http_post_files ELS_CC PLS_CC);
|
register_http_post_files_variable_ex(lbuf, &file_size, http_post_files, 0 ELS_CC PLS_CC);
|
||||||
}
|
}
|
||||||
state = 0;
|
state = 0;
|
||||||
rem -= (loc - ptr);
|
rem -= (loc - ptr);
|
||||||
|
Loading…
Reference in New Issue
Block a user