]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c375228)
Fixed bug #50847 (strip_tags() removes all tags greater then 1023 bytes long)
authorIlia Alshanetsky <iliaa@php.net>
Mon, 1 Feb 2010 12:59:08 +0000 (12:59 +0000)
committerIlia Alshanetsky <iliaa@php.net>
Mon, 1 Feb 2010 12:59:08 +0000 (12:59 +0000)
NEWS patch | blob | history
ext/standard/string.c patch | blob | history
ext/standard/tests/strings/bug50847.phpt [new file with mode: 0644] patch | blob

diff --git a/NEWS b/NEWS
index 3a3089300b32768d505b7be8eb77e951e40f6e2f..d2a9ca2895094751ce95b77bfb354aded899e907 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,8 @@ PHP                                                                        NEWS
 - Fixed a possible open_basedir/safe_mode bypass in session extension
   identified by Grzegorz Stachowiak. (Ilia)
 
+- Fixed bug #50847 (strip_tags() removes all tags greater then 1023 bytes
+  long). (Ilia)
 - Fixed bug #50727 (Accesing mysqli->affected_rows on no connection causes
   segfault). (Andrey, Johannes)
 
diff --git a/ext/standard/string.c b/ext/standard/string.c
index 1f9577157e36733dbe2d2c0257c9185d6dd9f5c9..694c0a5fb0888af9a7edf5c6fa232388f24d49a0 100644 (file)
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4335,7 +4335,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
 {
        char *tbuf, *buf, *p, *tp, *rp, c, lc;
        int br, i=0, depth=0, in_q = 0;
-       int state = 0;
+       int state = 0, pos;
 
        if (stateptr)
                state = *stateptr;
@@ -4348,7 +4348,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
        br = 0;
        if (allow) {
                php_strtolower(allow, allow_len);
-               tbuf = emalloc(PHP_TAG_BUF_SIZE+1);
+               tbuf = emalloc(PHP_TAG_BUF_SIZE + 1);
                tp = tbuf;
        } else {
                tbuf = tp = NULL;
@@ -4369,7 +4369,11 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
                                        lc = '<';
                                        state = 1;
                                        if (allow) {
-                                               tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+                                               if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+                                                       pos = tp - tbuf;
+                                                       tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+                                                       tp = tbuf + pos;
+                                               }
                                                *(tp++) = '<';
                                        }
                                } else if (state == 1) {
@@ -4384,7 +4388,11 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
                                                br++;
                                        }
                                } else if (allow && state == 1) {
-                                       tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+                                       if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+                                               pos = tp - tbuf;
+                                               tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+                                               tp = tbuf + pos;
+                                       }
                                        *(tp++) = c;
                                } else if (state == 0) {
                                        *(rp++) = c;
@@ -4398,7 +4406,11 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
                                                br--;
                                        }
                                } else if (allow && state == 1) {
-                                       tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+                                       if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+                                               pos = tp - tbuf;
+                                               tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+                                               tp = tbuf + pos;
+                                       }
                                        *(tp++) = c;
                                } else if (state == 0) {
                                        *(rp++) = c;
@@ -4420,7 +4432,11 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
                                                lc = '>';
                                                in_q = state = 0;
                                                if (allow) {
-                                                       tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+                                                       if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+                                                               pos = tp - tbuf;
+                                                               tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+                                                               tp = tbuf + pos;
+                                                       }
                                                        *(tp++) = '>';
                                                        *tp='\0';
                                                        if (php_tag_find(tbuf, tp-tbuf, allow)) {
@@ -4467,7 +4483,11 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
                                } else if (state == 0) {
                                        *(rp++) = c;
                                } else if (allow && state == 1) {
-                                       tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+                                       if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+                                               pos = tp - tbuf;
+                                               tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+                                               tp = tbuf + pos;
+                                       }
                                        *(tp++) = c;
                                }
                                if (state && p != buf && (state == 1 || *(p-1) != '\\') && (!in_q || *p == in_q)) {
@@ -4488,7 +4508,11 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
                                        if (state == 0) {
                                                *(rp++) = c;
                                        } else if (allow && state == 1) {
-                                               tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+                                               if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+                                                       pos = tp - tbuf;
+                                                       tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+                                                       tp = tbuf + pos;
+                                               }
                                                *(tp++) = c;
                                        }
                                }
@@ -4543,7 +4567,11 @@ reg_char:
                                if (state == 0) {
                                        *(rp++) = c;
                                } else if (allow && state == 1) {
-                                       tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+                                       if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+                                               pos = tp - tbuf;
+                                               tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+                                               tp = tbuf + pos;
+                                       }
                                        *(tp++) = c;
                                } 
                                break;
diff --git a/ext/standard/tests/strings/bug50847.phpt b/ext/standard/tests/strings/bug50847.phpt
new file mode 100644 (file)
index 0000000..28e83f5
--- /dev/null
+++ b/ext/standard/tests/strings/bug50847.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #50847 (strip_tags() removes all tags greater then 1023 bytes long)
+--FILE--
+<?php
+$var = '<param value="' . str_repeat("a", 2048) . '" />';
+var_dump(strip_tags($var, "<param>"), strip_tags($var));
+?>
+--EXPECT--
+string(2066) "<param value="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" />"
+string(0) ""
Unnamed repository; edit this file 'description' to name the repository.