|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2009-06-18 16:17 UTC] crmalibu at gmail dot com
Description:
------------
I marked the version as 5.2.9 but it looks like the relevant code is the same for 5.3 and php 6 as well.
I don't know c, so I struggle to read the source code, but I think I found something unexpected. In main/php_variables.c in php_register_variable_ex I think the parsing behaves inconsistent.
After reading the comments in the source code, I would think a gpc variable name should not make it through which has ' ' or '.' or '[' character in the name. But I've found a way to do it. It seems the routine for recognizing and parsing the array syntax is at fault.
In particular, characters after the first occurrence of a '[' char will be left alone because it thinks it needs to parse it as the special array syntax. But while it does later recognize that it's not proper array syntax, it doesn't properly convert the remaining character to underscore.
I don't know if this is a bug, or if it's serious or what. But the source code comment about removing those chars due to not being binary safe made me think someone needs to look at this.
Reproduce code:
---------------
<form action=>
<input name="goodvar .[">
<input name="goodarray[foo]">
<input name="badvar[ . [">
<input type=submit>
</form>
<?php
print_r($_GET);
?>
Expected result:
----------------
Array
(
[goodvar___] =>
[goodarray] => Array
(
[foo] =>
)
[badvar_____] =>
)
Actual result:
--------------
Array
(
[goodvar___] =>
[goodarray] => Array
(
[foo] =>
)
[badvar_ . [] =>
)
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Sun Oct 26 02:00:01 2025 UTC |
Here is a fix. Index: main/php_variables.c =================================================================== --- main/php_variables.c (revision 289602) +++ main/php_variables.c (working copy) @@ -61,6 +61,7 @@ { char *p = NULL; char *ip; /* index pointer */ + char *pmarker; /* marker to index before */ char *index, *escaped_index = NULL; char *var, *var_orig; int var_len, index_len; @@ -100,12 +101,19 @@ if (*p == ' ' || *p == '.') { *p='_'; } else if (*p == '[') { - is_array = 1; - ip = p; - *p = 0; - break; + for(pmarker = p; *pmarker; pmarker++) { + if(*pmarker == ']') { + is_array = 1; + ip = p; + *p = 0; + goto var_continue; + } + } + *p='_'; } } + + var_continue: var_len = p - var; if (var_len==0) { /* empty variable name, or variable name with a space in it */Sorry for extra noise.. it seems my patch mixed the case of something like: <input name="badvar[[[. [ . . .]> So updated: Index: main/php_variables.c =================================================================== --- main/php_variables.c (revision 289602) +++ main/php_variables.c (working copy) @@ -61,6 +61,7 @@ { char *p = NULL; char *ip; /* index pointer */ + char *pmarker; char *index, *escaped_index = NULL; char *var, *var_orig; int var_len, index_len; @@ -100,12 +101,18 @@ if (*p == ' ' || *p == '.') { *p='_'; } else if (*p == '[') { - is_array = 1; - ip = p; - *p = 0; - break; + for(pmarker = p; *pmarker; pmarker++) { + if(*pmarker == ']') { + is_array = 1; + ip = p; + *p = 0; + goto var_continue; + } + } + *p='_'; } } + var_continue: var_len = p - var; if (var_len==0) { /* empty variable name, or variable name with a space in it */ @@ -225,6 +232,13 @@ } else { escaped_index = index; } + /* clean up the array index */ + for (pmarker = escaped_index; *pmarker; pmarker++) { + if (*pmarker == '[' || *pmarker == ']' + || *pmarker == '.' || isspace(*pmarker)) { + *pmarker = '_'; + } + } /* * According to rfc2965, more specific paths are listed above the less specific ones. * If we encounter a duplicate cookie name, we should skip it, since it is not possible