author | Nikita Popov <nikic@php.net> | 2016-07-30 15:51:23 +0200 |
---|---|---|
committer | Nikita Popov <nikic@php.net> | 2016-07-30 15:51:23 +0200 |
commit | 1f67b4c24d780c1b9018bd34b538de59e3ed2d89 (patch) | |
tree | 0d08a09d52c12e0135a282dda06cd129cc382b8d | |
parent | e5940aa7950effe1835e489024b840fb87f54a3c (diff) | |
parent | e87ac688d5e700fdb56b37fda8b011d6b05b97fc (diff) | |
download | php-git-1f67b4c24d780c1b9018bd34b538de59e3ed2d89.tar.gz |
Merge branch 'PHP-5.6' into PHP-7.0
-rw-r--r-- | ext/wddx/tests/bug72142.phpt | 13 | ||||
-rw-r--r-- | ext/wddx/wddx.c | 9 |
2 files changed, 21 insertions, 1 deletions
diff --git a/ext/wddx/tests/bug72142.phpt b/ext/wddx/tests/bug72142.phpt
new file mode 100644
index 0000000000..3976bb2554
--- /dev/null
+++ b/ext/wddx/tests/bug72142.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #72142: WDDX Packet Injection Vulnerability in wddx_serialize_value()
+--FILE--
+<?php
+
+$wddx = wddx_serialize_value('', '</comment></header><data><struct><var name="php_class_name"><string>stdClass</string></var></struct></data></wddxPacket>');
+var_dump($wddx);
+var_dump(wddx_deserialize($wddx));
+
+?>
+--EXPECT--
+string(301) "<wddxPacket version='1.0'><header><comment></comment></header><data><struct><var name="php_class_name"><string>stdClass</string></var></struct></data></wddxPacket></comment></header><data><string></string></data></wddxPacket>"
+string(0) ""
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index cb0c01e524..ed96a0d4a4 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -360,11 +360,18 @@ void php_wddx_packet_start(wddx_packet *packet, char *comment, size_t comment_le
 {
 php_wddx_add_chunk_static(packet, WDDX_PACKET_S);
 if (comment) {
+ char *escaped;
+ size_t escaped_len;
+ escaped = php_escape_html_entities(
+ comment, comment_len, &escaped_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
+
 php_wddx_add_chunk_static(packet, WDDX_HEADER_S);
 php_wddx_add_chunk_static(packet, WDDX_COMMENT_S);
- php_wddx_add_chunk_ex(packet, comment, comment_len);
+ php_wddx_add_chunk_ex(packet, escaped, escaped_len);
 php_wddx_add_chunk_static(packet, WDDX_COMMENT_E);
 php_wddx_add_chunk_static(packet, WDDX_HEADER_E);
+
+ str_efree(escaped);
 } else {
 php_wddx_add_chunk_static(packet, WDDX_HEADER);
 } |
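Review bot: The escaping added to `php_wddx_packet_start` in ext/wddx/wddx.c is written against the PHP-5.6 API (a `char *` result with an `&escaped_len` out-parameter, `TSRMLS_CC`, `str_efree`), although the hunk header already shows the 7.0-style `size_t comment_len` signature. As far as I know `php_escape_html_entities` returns a `zend_string *` on 7.0 and has no length out-parameter, so this merge result should be checked against a 7.0 build; the equivalent there would be `zend_string *escaped = php_escape_html_entities((unsigned char *) comment, comment_len, 0, ENT_QUOTES, NULL);`, then `php_wddx_add_chunk_ex(packet, ZSTR_VAL(escaped), ZSTR_LEN(escaped));` and `zend_string_release(escaped);`. Separately, because the charset hint is `NULL` and no substitute/ignore flag is passed, the escaper may (I believe) return an empty string for a comment that is not valid in the default charset, so a short comment noting that the header comment is dropped rather than emitted raw in that case would help the next reader. The function's signature is truncated in the hunk header, so any other use of `comment` outside this hunk is not visible here.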