From d1fd5432e1576865dbeb7650b7c7e0fa0bd3a4e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Tue, 20 Mar 2012 10:21:07 +0100 Subject: [PATCH] Fixed bug #61043 (Regression in magic_quotes_gpc fix for CVE-2012-0831) --- main/php_variables.c | 13 +++++++++---- sapi/cgi/cgi_main.c | 6 ++++-- sapi/fpm/fpm/fpm_main.c | 6 ++++-- tests/basic/magic_quotes_gpc.phpt | 10 ++++++++++ 4 files changed, 27 insertions(+), 8 deletions(-) create mode 100644 tests/basic/magic_quotes_gpc.phpt diff --git a/main/php_variables.c b/main/php_variables.c index 29d4e4e9e24e9..4b97cbd85fa95 100644 --- a/main/php_variables.c +++ b/main/php_variables.c @@ -450,7 +450,7 @@ void _php_import_environment_variables(zval *array_ptr TSRMLS_DC) /* turn off magic_quotes while importing environment variables */ int magic_quotes_gpc = PG(magic_quotes_gpc); - if (PG(magic_quotes_gpc)) { + if (magic_quotes_gpc) { zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); } @@ -471,7 +471,10 @@ void _php_import_environment_variables(zval *array_ptr TSRMLS_DC) if (t != buf && t != NULL) { efree(t); } - PG(magic_quotes_gpc) = magic_quotes_gpc; + + if (magic_quotes_gpc) { + zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "1", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); + } } zend_bool php_std_auto_global_callback(char *name, uint name_len TSRMLS_DC) @@ -595,7 +598,7 @@ static inline void php_register_server_variables(TSRMLS_D) zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_SERVER]); } PG(http_globals)[TRACK_VARS_SERVER] = array_ptr; - if (PG(magic_quotes_gpc)) { + if (magic_quotes_gpc) { zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); } @@ -622,7 +625,9 @@ static inline void php_register_server_variables(TSRMLS_D) php_register_variable_ex("REQUEST_TIME", &new_entry, array_ptr TSRMLS_CC); } - PG(magic_quotes_gpc) = magic_quotes_gpc; + if (magic_quotes_gpc) { + zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "1", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); + } } /* }}} */ diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c index 6444781747962..dfd77e49d3890 100644 --- a/sapi/cgi/cgi_main.c +++ b/sapi/cgi/cgi_main.c @@ -624,7 +624,7 @@ void cgi_php_import_environment_variables(zval *array_ptr TSRMLS_DC) int filter_arg = (array_ptr == PG(http_globals)[TRACK_VARS_ENV])?PARSE_ENV:PARSE_SERVER; /* turn off magic_quotes while importing environment variables */ - if (PG(magic_quotes_gpc)) { + if (magic_quotes_gpc) { zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); } for (zend_hash_internal_pointer_reset_ex(request->env, &pos); @@ -638,7 +638,9 @@ void cgi_php_import_environment_variables(zval *array_ptr TSRMLS_DC) php_register_variable_safe(var, *val, new_val_len, array_ptr TSRMLS_CC); } } - PG(magic_quotes_gpc) = magic_quotes_gpc; + if (magic_quotes_gpc) { + zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "1", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); + } } } diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c index 79ec9c37f1e61..1ebeefaab1109 100644 --- a/sapi/fpm/fpm/fpm_main.c +++ b/sapi/fpm/fpm/fpm_main.c @@ -595,7 +595,7 @@ void cgi_php_import_environment_variables(zval *array_ptr TSRMLS_DC) filter_arg = (array_ptr == PG(http_globals)[TRACK_VARS_ENV])?PARSE_ENV:PARSE_SERVER; /* turn off magic_quotes while importing environment variables */ - if (PG(magic_quotes_gpc)) { + if (magic_quotes_gpc) { zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); } for (zend_hash_internal_pointer_reset_ex(request->env, &pos); @@ -609,7 +609,9 @@ void cgi_php_import_environment_variables(zval *array_ptr TSRMLS_DC) php_register_variable_safe(var, *val, new_val_len, array_ptr TSRMLS_CC); } } - PG(magic_quotes_gpc) = magic_quotes_gpc; + if (magic_quotes_gpc) { + zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "1", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC); + } } static void sapi_cgi_register_variables(zval *track_vars_array TSRMLS_DC) diff --git a/tests/basic/magic_quotes_gpc.phpt b/tests/basic/magic_quotes_gpc.phpt new file mode 100644 index 0000000000000..d1c880fd39057 --- /dev/null +++ b/tests/basic/magic_quotes_gpc.phpt @@ -0,0 +1,10 @@ +--TEST-- +Bug #61043 (Regression in magic_quotes_gpc fix for CVE-2012-0831) +--INI-- +magic_quotes_gpc=On +--FILE-- + +--EXPECT-- +string(1) "1"