diff options
| author | Christoph M. Becker <cmbecker69@gmx.de> | 2020-10-10 17:16:41 +0200 |
|---|---|---|
| committer | Christoph M. Becker <cmbecker69@gmx.de> | 2020-10-10 23:25:06 +0200 |
| commit | 62a2387a8dc262ae75a6575fabddd6170b4bdb07 (patch) | |
| tree | 9e8ba11ed165238fe6d71e9b1d371707bc31e358 | |
| parent | 8bee0fbd37c8eee0a17abe4a0afd69ad9ac7105a (diff) | |
| download | php-git-62a2387a8dc262ae75a6575fabddd6170b4bdb07.tar.gz | |
Fix #80215: imap_mail_compose() may modify by-val parameters
We separate the input arrays and all sub-arrays to avoid modification
of the passed parameters.
This should be rewritten to use `zend_string`s for the "master" branch.
Closes GH-6316.
| -rw-r--r-- | NEWS | 1 | ||||
| -rw-r--r-- | ext/imap/php_imap.c | 9 | ||||
| -rw-r--r-- | ext/imap/tests/bug80215.phpt | 69 |
3 files changed, 78 insertions, 1 deletions
@@ -11,6 +11,7 @@ PHP NEWS - IMAP: . Fixed bug #80213 (imap_mail_compose() segfaults on certain $bodies). (cmb) + . Fixed bug #80215 (imap_mail_compose() may modify by-val parameters). (cmb) - MySQLnd: . Fixed bug #80115 (mysqlnd.debug doesn't recognize absolute paths with diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c index 8e0cea4ef7..7901777f81 100644 --- a/ext/imap/php_imap.c +++ b/ext/imap/php_imap.c @@ -3544,7 +3544,7 @@ PHP_FUNCTION(imap_mail_compose) int toppart = 0; int first; - if (zend_parse_parameters(ZEND_NUM_ARGS(), "aa", &envelope, &body) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS(), "a/a/", &envelope, &body) == FAILURE) { return; } @@ -3602,6 +3602,7 @@ PHP_FUNCTION(imap_mail_compose) if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(envelope), "custom_headers", sizeof("custom_headers") - 1)) != NULL) { if (Z_TYPE_P(pvalue) == IS_ARRAY) { custom_headers_param = tmp_param = NULL; + SEPARATE_ARRAY(pvalue); ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(pvalue), env_data) { custom_headers_param = mail_newbody_parameter(); convert_to_string_ex(env_data); @@ -3623,6 +3624,7 @@ PHP_FUNCTION(imap_mail_compose) php_error_docref(NULL, E_WARNING, "body parameter must be a non-empty array"); RETURN_FALSE; } + SEPARATE_ARRAY(data); bod = mail_newbody(); topbod = bod; @@ -3644,6 +3646,7 @@ PHP_FUNCTION(imap_mail_compose) if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "type.parameters", sizeof("type.parameters") - 1)) != NULL) { if(Z_TYPE_P(pvalue) == IS_ARRAY) { disp_param = tmp_param = NULL; + SEPARATE_ARRAY(pvalue); ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(pvalue), key, disp_data) { if (key == NULL) continue; disp_param = mail_newbody_parameter(); @@ -3677,6 +3680,7 @@ PHP_FUNCTION(imap_mail_compose) if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "disposition", sizeof("disposition") - 1)) != NULL) { if (Z_TYPE_P(pvalue) == IS_ARRAY) { disp_param = tmp_param = NULL; + SEPARATE_ARRAY(pvalue); ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(pvalue), key, disp_data) { if (key == NULL) continue; disp_param = mail_newbody_parameter(); @@ -3712,6 +3716,7 @@ PHP_FUNCTION(imap_mail_compose) } } else if (Z_TYPE_P(data) == IS_ARRAY) { short type = -1; + SEPARATE_ARRAY(data); if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "type", sizeof("type") - 1)) != NULL) { type = (short) zval_get_long(pvalue); } @@ -3746,6 +3751,7 @@ PHP_FUNCTION(imap_mail_compose) if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "type.parameters", sizeof("type.parameters") - 1)) != NULL) { if (Z_TYPE_P(pvalue) == IS_ARRAY) { disp_param = tmp_param = NULL; + SEPARATE_ARRAY(pvalue); ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(pvalue), key, disp_data) { if (key == NULL) continue; disp_param = mail_newbody_parameter(); @@ -3779,6 +3785,7 @@ PHP_FUNCTION(imap_mail_compose) if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "disposition", sizeof("disposition") - 1)) != NULL) { if (Z_TYPE_P(pvalue) == IS_ARRAY) { disp_param = tmp_param = NULL; + SEPARATE_ARRAY(pvalue); ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(pvalue), key, disp_data) { if (key == NULL) continue; disp_param = mail_newbody_parameter(); diff --git a/ext/imap/tests/bug80215.phpt b/ext/imap/tests/bug80215.phpt new file mode 100644 index 0000000000..b2d7c3ed09 --- /dev/null +++ b/ext/imap/tests/bug80215.phpt @@ -0,0 +1,69 @@ +--TEST-- +Bug #80215 (imap_mail_compose() may modify by-val parameters) +--SKIPIF-- +<?php +if (!extension_loaded('imap')) die('skip imap extension not available'); +?> +--FILE-- +<?php +$envelope = [ + "from" => 1, + "to" => 2, + "custom_headers" => [3], +]; +$body = [[ + "contents.data" => 4, + "type.parameters" => ['foo' => 5], + "disposition" => ['bar' => 6], +], [ + "contents.data" => 7, + "type.parameters" => ['foo' => 8], + "disposition" => ['bar' => 9], +]]; +imap_mail_compose($envelope, $body); +var_dump($envelope, $body); +?> +--EXPECT-- +array(3) { + ["from"]=> + int(1) + ["to"]=> + int(2) + ["custom_headers"]=> + array(1) { + [0]=> + int(3) + } +} +array(2) { + [0]=> + array(3) { + ["contents.data"]=> + int(4) + ["type.parameters"]=> + array(1) { + ["foo"]=> + int(5) + } + ["disposition"]=> + array(1) { + ["bar"]=> + int(6) + } + } + [1]=> + array(3) { + ["contents.data"]=> + int(7) + ["type.parameters"]=> + array(1) { + ["foo"]=> + int(8) + } + ["disposition"]=> + array(1) { + ["bar"]=> + int(9) + } + } +} |