Patch CVE-2012-1823.patch for CGI/CLI related Bug #61910Patch version 2012-05-05 20:59 UTC Return to Bug #61910 | Download this patchThis patch renders other patches obsolete Obsolete patches: Patch Revisions:Developer: tyukish@parallels.com
--- sapi/cgi/cgi_main.c 2012-05-06 02:55:53.245904037 +0700
+++ sapi/cgi/cgi_main.c 2012-05-06 02:58:40.703986027 +0700
@@ -62,6 +62,7 @@
#include "php_main.h"
#include "fopen_wrappers.h"
#include "ext/standard/php_standard.h"
+#include "ext/standard/url.h"
#ifdef PHP_WIN32
#include <io.h>
#include <fcntl.h>
@@ -1354,6 +1355,9 @@ int main(int argc, char *argv[])
#endif
#endif /* PHP_FASTCGI */
+ char *query_string;
+ char *decoded_query_string;
+ int skip_getopt = 0;
#if 0 && defined(PHP_DEBUG)
/* IIS is always making things more difficult. This allows
us to stop PHP and attach a debugger before much gets started */
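Review bot: `skip_getopt` is declared without a comment, although it gates both `php_getopt()` loops later in main() and is the whole of the mitigation. I would document it at the declaration, e.g. `int skip_getopt = 0; /* set when QUERY_STRING looks like a command-line option; suppresses both php_getopt() passes */`. `query_string` and `decoded_query_string` are used only inside the new `if` block in the next hunk, so they could be initialised to NULL here or noted as scratch pointers for that check. main() starts and ends outside this hunk.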
@@ -1406,8 +1410,15 @@ int main(int argc, char *argv[])
#if PHP_FASTCGI
}
#endif
-
- while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 0)) != -1) {
+ if(query_string = getenv("QUERY_STRING")) {
+ decoded_query_string = strdup(query_string);
+ php_url_decode(decoded_query_string, strlen(decoded_query_string));
+ if(*decoded_query_string == '-' && strchr(query_string, '=') == NULL) {
+ skip_getopt = 1;
+ }
+ free(decoded_query_string);
+ }
+ while (!skip_getopt && (c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 0)) != -1) {
switch (c) {
case 'c':
if (cgi_sapi_module.php_ini_path_override) {
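Review bot: The guard tests only the first decoded byte, `*decoded_query_string == '-'`, so a query string whose decoded form has whitespace or control bytes ahead of the `-` does not set `skip_getopt`. Whether such a string still reaches `php_getopt()` as an option depends on how the web server builds argv, which is outside this hunk, so the check should skip leading bytes `<= ' '` before comparing. `strdup()` is also used unchecked, so an allocation failure passes NULL to `strlen()` and `php_url_decode()`; failing closed by setting `skip_getopt = 1` is the safer outcome there. The assignment in `if(query_string = getenv("QUERY_STRING"))` should be parenthesised and compared with NULL, and the `'='` test can move into that condition so the copy is made only when it is needed. main() starts and ends outside the hunk.

```c
	if ((query_string = getenv("QUERY_STRING")) != NULL && strchr(query_string, '=') == NULL) {
		/* no '=' in the raw query string: the server may hand it to us as argv */
		decoded_query_string = strdup(query_string);
		if (decoded_query_string == NULL) {
			skip_getopt = 1; /* cannot inspect the string, so fail closed */
		} else {
			unsigned char *p;

			php_url_decode(decoded_query_string, strlen(decoded_query_string));
			for (p = (unsigned char *)decoded_query_string; *p && *p <= ' '; p++) {
				/* skip leading whitespace and control bytes */
			}
			if (*p == '-') {
				skip_getopt = 1;
			}
			free(decoded_query_string);
		}
	}
	/* … unchanged: first php_getopt() loop, still guarded by !skip_getopt … */
```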
@@ -1661,7 +1672,7 @@ consult the installation file that came
#endif /* FASTCGI */
zend_first_try {
- while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1)) != -1) {
+ while (!skip_getopt && (c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1)) != -1) {
switch (c) {
#if PHP_FASTCGI
case 'T':