Fix #7987: POST/GET: string with \0(%00) values not parsed correctly

diff --git a/main/php_variables.c b/main/php_variables.c
index 08a201e874b89eec8ea88c6ec83fb31b1a89fe3c..e4c64f973efbd092e770e14cb3ba3a6acc47d125 100644 (file)
--- a/main/php_variables.c
+++ b/main/php_variables.c
@@ -29,12 +29,17 @@
 #include "zend_globals.h"
 
 
-PHPAPI void php_register_variable(char *var, char *strval, zval *track_vars_array ELS_DC PLS_DC)
+PHPAPI void php_register_variable(char *var, char *strval, zval *track_vars_array ELS_DC PLS_DC) {
+       php_register_variable_safe(var, strval, strlen(strval), track_vars_array ELS_CC PLS_CC);
+}
+
+/* binary-safe version */
+PHPAPI void php_register_variable_safe(char *var, char *strval, int str_len, zval *track_vars_array ELS_DC PLS_DC)
 {
        zval new_entry;
 
        /* Prepare value */
-       new_entry.value.str.len = strlen(strval);
+       new_entry.value.str.len = str_len;
        if (PG(magic_quotes_gpc)) {
                new_entry.value.str.val = php_addslashes(strval, new_entry.value.str.len, &new_entry.value.str.len, 0);
        } else {
@@ -198,11 +203,12 @@ SAPI_POST_HANDLER_FUNC(php_std_post_handler)
        while (var) {
                val = strchr(var, '=');
                if (val) { /* have a value */
+                       int val_len;
+
                        *val++ = '\0';
-                       /* FIXME: XXX: not binary safe, discards returned length */
                        php_url_decode(var, strlen(var));
-                       php_url_decode(val, strlen(val));
-                       php_register_variable(var, val, array_ptr ELS_CC PLS_CC);
+                       val_len = php_url_decode(val, strlen(val));
+                       php_register_variable_safe(var, val, val_len, array_ptr ELS_CC PLS_CC);
                }
                var = php_strtok_r(NULL, "&", &strtok_buf);
        }
@@ -282,11 +288,12 @@ void php_treat_data(int arg, char *str, zval* destArray ELS_DC PLS_DC SLS_DC)
        while (var) {
                val = strchr(var, '=');
                if (val) { /* have a value */
+                       int val_len;
+
                        *val++ = '\0';
-                       /* FIXME: XXX: not binary safe, discards returned length */
                        php_url_decode(var, strlen(var));
-                       php_url_decode(val, strlen(val));
-                       php_register_variable(var, val, array_ptr ELS_CC PLS_CC);
+                       val_len = php_url_decode(val, strlen(val));
+                       php_register_variable_safe(var, val, val_len, array_ptr ELS_CC PLS_CC);
                }
                if (arg == PARSE_COOKIE) {
                        var = php_strtok_r(NULL, ";", &strtok_buf);

diff --git a/main/php_variables.h b/main/php_variables.h
index bd0a98810aa5197e1feb28cbb37c277fd122c787..40c63206a2d16740f8ee979626b6639439508451 100644 (file)
--- a/main/php_variables.h
+++ b/main/php_variables.h
@@ -33,6 +33,8 @@
 void php_treat_data(int arg, char *str, zval* destArray ELS_DC PLS_DC SLS_DC);
 PHPAPI void php_import_environment_variables(zval *array_ptr ELS_DC PLS_DC);
 PHPAPI void php_register_variable(char *var, char *val, pval *track_vars_array ELS_DC PLS_DC);
+/* binary-safe version */
+PHPAPI void php_register_variable_safe(char *var, char *val, int val_len, pval *track_vars_array ELS_DC PLS_DC);
 PHPAPI void php_register_variable_ex(char *var, zval *val, pval *track_vars_array ELS_DC PLS_DC);