Skip to content

Instantly share code, notes, and snippets.

@kiyoto
Created January 25, 2012 10:47
Show Gist options
  • Save kiyoto/1675788 to your computer and use it in GitHub Desktop.
Save kiyoto/1675788 to your computer and use it in GitHub Desktop.
php bug 60668 fix
diff --git a/Zend/zend_ini.c b/Zend/zend_ini.c
index a7ec5d7..89b1287 100644
--- a/Zend/zend_ini.c
+++ b/Zend/zend_ini.c
@@ -83,6 +83,23 @@ static int zend_restore_ini_entry_wrapper(zend_ini_entry **ini_entry TSRMLS_DC)
}
/* }}} */
+static uint zend_trim_after_carriage_return(char *value, uint value_length) /* {{{ */
+{
+ uint ii;
+ char prev_c = '\0', curr_c;
+ for (ii = 0; ii < value_length; ++ii) {
+ curr_c = *value;
+ if (prev_c == '\r' && curr_c == '\n') {
+ return ii - 1;
+ }
+ prev_c = curr_c;
+ ++value;
+ }
+
+ return value_length;
+}
+/* }}} */
+
/*
* Startup / shutdown
*/
@@ -288,6 +305,11 @@ ZEND_API int zend_alter_ini_entry_ex(char *name, uint name_length, char *new_val
zend_hash_add(EG(modified_ini_directives), name, name_length, &ini_entry, sizeof(zend_ini_entry*), NULL);
}
+ // per Bug #60668, truncate the string after /r/n for user_agent for security
+ if (strcmp(name, "user_agent") == 0) {
+ new_value_length = zend_trim_after_carriage_return(new_value, new_value_length);
+ }
+
duplicate = estrndup(new_value, new_value_length);
if (!ini_entry->on_modify
@@ -672,6 +694,7 @@ ZEND_API ZEND_INI_MH(OnUpdateStringUnempty) /* {{{ */
*p = new_value;
return SUCCESS;
}
+
/* }}} */
/*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment