Patch sanitize-ini-user_agent.patch for Streams related Bug #52979
Patch version 2010-10-03 13:07 UTC
Developer: marco@vmsoft-gbr.de
--- ext/standard/http_fopen_wrapper.c 2010-01-25 17:28:14.000000000 +0100
+++ ext/standard/http_fopen_wrapper.c 2010-10-03 15:06:06.703125000 +0200
@@ -84,6 +84,11 @@
#define HTTP_WRAPPER_HEADER_INIT 1
#define HTTP_WRAPPER_REDIRECTED 2
+#define PHP_ESCAPE_R_PATTERN "\r"
+#define PHP_ESCAPE_N_PATTERN "\n"
+#define PHP_ESCAPE_R_REPLACE "\\r"
+#define PHP_ESCAPE_N_REPLACE "\\n"
+
php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper, char *path, char *mode, int options, char **opened_path, php_stream_context *context, int redirect_max, int flags STREAMS_DC TSRMLS_DC) /* {{{ */
{
php_stream *stream = NULL;
@@ -462,10 +467,24 @@
if (context &&
php_stream_context_get_option(context, "http", "user_agent", &ua_zval) == SUCCESS &&
- Z_TYPE_PP(ua_zval) == IS_STRING) {
+ Z_TYPE_PP(ua_zval) == IS_STRING) { //user agent was specified using stream_context_set_option
ua_str = Z_STRVAL_PP(ua_zval);
- } else if (FG(user_agent)) {
+ } else if (FG(user_agent)) { //user agent comes from php.ini variable user_agent => sanitize it to prevent exploiting
+ int ua_str_len_old;
+ int ua_str_len_new;
+ int changed_ua_str;
+ changed_ua_str=0;
ua_str = FG(user_agent);
+ ua_str_len_old=strlen(ua_str);
+ ua_str = php_str_to_str(ua_str,ua_str_len_old,PHP_ESCAPE_R_PATTERN,sizeof(PHP_ESCAPE_R_PATTERN)-1,PHP_ESCAPE_R_REPLACE,sizeof(PHP_ESCAPE_R_REPLACE)-1,&ua_str_len_new);
+ if(ua_str_len_new!=ua_str_len_old)
+ changed_ua_str=1;
+ ua_str_len_old=ua_str_len_new;
+ ua_str = php_str_to_str(ua_str,ua_str_len_old,PHP_ESCAPE_N_PATTERN,sizeof(PHP_ESCAPE_N_PATTERN)-1,PHP_ESCAPE_N_REPLACE,sizeof(PHP_ESCAPE_N_REPLACE)-1,&ua_str_len_new);
+ if(ua_str_len_new!=ua_str_len_old)
+ changed_ua_str=1;
+ if(changed_ua_str==1)
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "sanitized user_agent ini variable!");
}
if (((have_header & HTTP_HEADER_USER_AGENT) == 0) && ua_str) {
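Review bot: Both `php_str_to_str()` calls in the `FG(user_agent)` branch appear to return newly allocated buffers, and the second call overwrites the result of the first without releasing it, so the intermediate string leaks each time this path runs. The final `ua_str` is also owned memory in this branch but a borrowed pointer in the context-option branch, and nothing in the hunk frees it. Hold the first result in a temporary and release it, e.g. `tmp = php_str_to_str(...); ua_str = php_str_to_str(tmp, tmp_len, ...); efree(tmp);`, and record in a flag that `ua_str` must be freed once the header has been written, which happens outside this hunk. The context-option branch still passes `Z_STRVAL_PP(ua_zval)` through unchanged, so if CR/LF in the User-Agent value is the concern, the same neutralisation is presumably wanted there as well. The two `//` comments should be written as `/* ... */` to match the comment style the file already uses.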