@tnmt
Created May 4, 2012 08:32
PHP 5.2.17 patch for CVE-2012-1823
diff -ur php-5.2.17/sapi/cgi/cgi_main.c php-5.2.17_patched/sapi/cgi/cgi_main.c
--- php-5.2.17/sapi/cgi/cgi_main.c 2010-01-03 18:23:27.000000000 +0900
+++ php-5.2.17_patched/sapi/cgi/cgi_main.c 2012-05-24 20:16:28.000000000 +0900
@@ -62,6 +62,7 @@
#include "php_main.h"
#include "fopen_wrappers.h"
#include "ext/standard/php_standard.h"
+#include "ext/standard/url.h"
#ifdef PHP_WIN32
#include <io.h>
#include <fcntl.h>
@@ -1351,7 +1352,9 @@
int status = 0;
#endif
#endif /* PHP_FASTCGI */
-
+ char *query_string;
+ char *decoded_query_string;
+ int skip_getopt = 0;
#if 0 && defined(PHP_DEBUG)
/* IIS is always making things more difficult. This allows
us to stop PHP and attach a debugger before much gets started */
@@ -1405,7 +1408,15 @@
}
#endif
- while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 0)) != -1) {
+ if(query_string = getenv("QUERY_STRING")) {
+ decoded_query_string = strdup(query_string);
+ php_url_decode(decoded_query_string, strlen(decoded_query_string));
+ if(*decoded_query_string == '-' && strchr(query_string, '=') == NULL) {
+ skip_getopt = 1;
+ }
+ free(decoded_query_string);
+ }
+ if (!cgi) while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 0)) != -1) {
switch (c) {
case 'c':
if (cgi_sapi_module.php_ini_path_override) {
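Review bot: `skip_getopt` is set in the new QUERY_STRING block, but nothing in the visible hunks reads it; this loop and the second `php_getopt` loop in the last hunk are both gated by `if (!cgi)` instead, so the decode-and-test block has no effect on option parsing as shown. Either drop the block and the three new locals, or make the flag part of the guard, e.g. `if (!cgi && !skip_getopt) while (...)`, so option parsing is still refused if `cgi` was not set for some reason. If the block stays, the `strdup()` result is passed to `strlen()` and `php_url_decode()` unchecked; wrap the use in `if (decoded_query_string != NULL) { ... }`, and write the outer test as `if ((query_string = getenv("QUERY_STRING")) != NULL)` so the assignment is clearly intentional. The test also looks only at the first decoded byte, so a wired-in version should skip leading whitespace before comparing with `'-'`. Where `cgi` is assigned lies outside these hunks, so it is worth confirming that it is set before this loop on every path, since the whole mitigation now depends on it.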
@@ -1659,7 +1670,7 @@
#endif /* FASTCGI */
zend_first_try {
- while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1)) != -1) {
+ if (!cgi) while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1)) != -1) {
switch (c) {
#if PHP_FASTCGI
case 'T':
tnmt commented May 23, 2012

update to this article
