author | Stanislav Malyshev <stas@php.net> | 2012-05-07 12:08:36 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2012-05-07 12:14:21 -0700 |
commit | 000e84aa88ce16deabbf61e7086fc8db63ca88aa (patch) | |
tree | 448b64e73b449d2b008fb4a9ae02229778f8d400 | |
parent | 2068419ae5c24781714e9d60c4baf64d254d573d (diff) | |
improve fix for CVE-2012-1823
-rw-r--r-- | sapi/cgi/cgi_main.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
index 760ad668e1..a7ac26f0d0 100644
--- a/sapi/cgi/cgi_main.c
+++ b/sapi/cgi/cgi_main.c
@@ -1561,10 +1561,15 @@ int main(int argc, char *argv[])
 }
 }
- if(query_string = getenv("QUERY_STRING")) {
+ if((query_string = getenv("QUERY_STRING")) != NULL && strchr(query_string, '=') == NULL) {
+ /* we've got query string that has no = - apache CGI will pass it to command line */
+ unsigned char *p;
 decoded_query_string = strdup(query_string);
 php_url_decode(decoded_query_string, strlen(decoded_query_string));
- if(*decoded_query_string == '-' && strchr(decoded_query_string, '=') == NULL) {
+ for (p = decoded_query_string; *p && *p <= ' '; p++) {
+ /* skip all leading spaces */
+ }
+ if(*p == '-') {
 skip_getopt = 1;
 }
 free(decoded_query_string);
@@ -1819,7 +1824,7 @@ consult the installation file that came with this distribution, or visit \n\
 }
 zend_first_try {
- while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) {
+ while (!skip_getopt && (c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) {
 switch (c) {
 case 'T':
 benchmark = 1;
|
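Review bot: The added `for` loop in the first hunk assigns `decoded_query_string` to `unsigned char *p` without a cast. The buffer's declaration is outside the hunk, but it comes from strdup() and is passed to strlen(), so it is presumably `char *` and the assignment is a pointer-signedness mismatch; `for (p = (unsigned char *)decoded_query_string; *p && *p <= ' '; p++) {` states the intent. The unsigned type is what stops bytes >= 0x80 from comparing below ' ' and being skipped, and the loop skips every byte up to 0x20 rather than only spaces, so the inner comment would be more accurate as `/* skip leading whitespace/control bytes; p is unsigned so bytes >= 0x80 end the scan */`. The strdup() result in the context line is still handed to strlen() and php_url_decode() unchecked, so an allocation failure is dereferenced here; a guard that fails closed, e.g. `if (decoded_query_string == NULL) { skip_getopt = 1; }` with the decode in the else branch, would cover it. main() starts and ends outside the hunk.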
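Review bot: The `!skip_getopt` guard added to the `while` in the second hunk has no comment tying it to the QUERY_STRING check earlier in main(), so a later refactor could drop it without seeing its security purpose. A line above the loop such as `/* skip_getopt: argv may have been built from the CGI query string, so it must not be parsed as options */` would record that. Any other php_getopt() loop in main() needs the same guard, which cannot be confirmed from this hunk. Code after the loop that indexes argv through `php_optind` is not visible here and would see the index unadvanced when the loop is skipped, so that path is worth checking as well.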