Fix #80215: imap_mail_compose() may modify by-val parameters
authorChristoph M. Becker <cmbecker69@gmx.de>
Sat, 10 Oct 2020 15:16:41 +0000 (17:16 +0200)
committerChristoph M. Becker <cmbecker69@gmx.de>
Sat, 10 Oct 2020 21:25:06 +0000 (23:25 +0200)
We separate the input arrays and all sub-arrays to avoid modification
of the passed parameters.

This should be rewritten to use `zend_string`s for the "master" branch.

Closes GH-6316.

NEWS
ext/imap/php_imap.c
ext/imap/tests/bug80215.phpt [new file with mode: 0644]

diff --git a/NEWS b/NEWS
index eae20bd22d6e97da90d610a729e2449fdb4a3a4c..d2b3c01a93dcafd850424137c064ce09583e2bd7 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,7 @@ PHP                                                                        NEWS
 
 - IMAP:
   . Fixed bug #80213 (imap_mail_compose() segfaults on certain $bodies). (cmb)
+  . Fixed bug #80215 (imap_mail_compose() may modify by-val parameters). (cmb)
 
 - MySQLnd:
   . Fixed bug #80115 (mysqlnd.debug doesn't recognize absolute paths with
index 8e0cea4ef7ad562fdfe8124989ff361cbad9d0ae..7901777f818bf3d1784eeafd773268ac73c3bf95 100644 (file)
@@ -3544,7 +3544,7 @@ PHP_FUNCTION(imap_mail_compose)
        int toppart = 0;
        int first;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS(), "aa", &envelope, &body) == FAILURE) {
+       if (zend_parse_parameters(ZEND_NUM_ARGS(), "a/a/", &envelope, &body) == FAILURE) {
                return;
        }
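Review bot: The `/` modifiers in the `"a/a/"` spec on the `zend_parse_parameters()` line carry the top-level part of this fix but are not explained, so a later cleanup could drop them as noise. A one-line comment above the call would help, for example `/* "/" separates both arrays: their elements are converted in place below and must not alias the caller's copies */`. The modifier only separates the outer arrays, which is why the nested arrays need the explicit `SEPARATE_ARRAY()` calls added in the later hunks (L44, L52, L60, L68, L76, L84, L92); the same comment could say so. The function body starts and ends outside this hunk.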
 
@@ -3602,6 +3602,7 @@ PHP_FUNCTION(imap_mail_compose)
        if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(envelope), "custom_headers", sizeof("custom_headers") - 1)) != NULL) {
                if (Z_TYPE_P(pvalue) == IS_ARRAY) {
                        custom_headers_param = tmp_param = NULL;
+                       SEPARATE_ARRAY(pvalue);
                        ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(pvalue), env_data) {
                                custom_headers_param = mail_newbody_parameter();
                                convert_to_string_ex(env_data);
@@ -3623,6 +3624,7 @@ PHP_FUNCTION(imap_mail_compose)
                                php_error_docref(NULL, E_WARNING, "body parameter must be a non-empty array");
                                RETURN_FALSE;
                        }
+                       SEPARATE_ARRAY(data);
 
                        bod = mail_newbody();
                        topbod = bod;
@@ -3644,6 +3646,7 @@ PHP_FUNCTION(imap_mail_compose)
                        if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "type.parameters", sizeof("type.parameters") - 1)) != NULL) {
                                if(Z_TYPE_P(pvalue) == IS_ARRAY) {
                                        disp_param = tmp_param = NULL;
+                                       SEPARATE_ARRAY(pvalue);
                                        ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(pvalue), key, disp_data) {
                                                if (key == NULL) continue;
                                                disp_param = mail_newbody_parameter();
@@ -3677,6 +3680,7 @@ PHP_FUNCTION(imap_mail_compose)
                        if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "disposition", sizeof("disposition") - 1)) != NULL) {
                                if (Z_TYPE_P(pvalue) == IS_ARRAY) {
                                        disp_param = tmp_param = NULL;
+                                       SEPARATE_ARRAY(pvalue);
                                        ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(pvalue), key, disp_data) {
                                                if (key == NULL) continue;
                                                disp_param = mail_newbody_parameter();
@@ -3712,6 +3716,7 @@ PHP_FUNCTION(imap_mail_compose)
                        }
                } else if (Z_TYPE_P(data) == IS_ARRAY) {
                        short type = -1;
+                       SEPARATE_ARRAY(data);
                        if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "type", sizeof("type") - 1)) != NULL) {
                                type = (short) zval_get_long(pvalue);
                        }
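Review bot: The narrowing cast in `type = (short) zval_get_long(pvalue);`, directly after the new `SEPARATE_ARRAY(data);`, silently wraps any caller-supplied value outside the range of `short`, so a large integer can become an unrelated or negative body type. How `type` is consumed lies outside this hunk, so a range check may already exist further down. If it does not, validating before the cast would be safer, e.g. `zend_long t = zval_get_long(pvalue);` followed by `if (t >= 0 && t <= TYPEMAX) type = (short) t;`. The enclosing branch continues past the end of the hunk.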
@@ -3746,6 +3751,7 @@ PHP_FUNCTION(imap_mail_compose)
                        if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "type.parameters", sizeof("type.parameters") - 1)) != NULL) {
                                if (Z_TYPE_P(pvalue) == IS_ARRAY) {
                                        disp_param = tmp_param = NULL;
+                                       SEPARATE_ARRAY(pvalue);
                                        ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(pvalue), key, disp_data) {
                                                if (key == NULL) continue;
                                                disp_param = mail_newbody_parameter();
@@ -3779,6 +3785,7 @@ PHP_FUNCTION(imap_mail_compose)
                        if ((pvalue = zend_hash_str_find(Z_ARRVAL_P(data), "disposition", sizeof("disposition") - 1)) != NULL) {
                                if (Z_TYPE_P(pvalue) == IS_ARRAY) {
                                        disp_param = tmp_param = NULL;
+                                       SEPARATE_ARRAY(pvalue);
                                        ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(pvalue), key, disp_data) {
                                                if (key == NULL) continue;
                                                disp_param = mail_newbody_parameter();
diff --git a/ext/imap/tests/bug80215.phpt b/ext/imap/tests/bug80215.phpt
new file mode 100644 (file)
index 0000000..b2d7c3e
--- /dev/null
@@ -0,0 +1,69 @@
+--TEST--
+Bug #80215 (imap_mail_compose() may modify by-val parameters)
+--SKIPIF--
+<?php
+if (!extension_loaded('imap')) die('skip imap extension not available');
+?>
+--FILE--
+<?php
+$envelope = [
+    "from" => 1,
+    "to" => 2,
+    "custom_headers" => [3],
+];
+$body = [[
+    "contents.data" => 4,
+    "type.parameters" => ['foo' => 5],
+    "disposition" => ['bar' => 6],
+], [
+    "contents.data" => 7,
+    "type.parameters" => ['foo' => 8],
+    "disposition" => ['bar' => 9],
+]];
+imap_mail_compose($envelope, $body);
+var_dump($envelope, $body);
+?>
+--EXPECT--
+array(3) {
+  ["from"]=>
+  int(1)
+  ["to"]=>
+  int(2)
+  ["custom_headers"]=>
+  array(1) {
+    [0]=>
+    int(3)
+  }
+}
+array(2) {
+  [0]=>
+  array(3) {
+    ["contents.data"]=>
+    int(4)
+    ["type.parameters"]=>
+    array(1) {
+      ["foo"]=>
+      int(5)
+    }
+    ["disposition"]=>
+    array(1) {
+      ["bar"]=>
+      int(6)
+    }
+  }
+  [1]=>
+  array(3) {
+    ["contents.data"]=>
+    int(7)
+    ["type.parameters"]=>
+    array(1) {
+      ["foo"]=>
+      int(8)
+    }
+    ["disposition"]=>
+    array(1) {
+      ["bar"]=>
+      int(9)
+    }
+  }
+}
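Review bot: The return value of `imap_mail_compose($envelope, $body);` in the --FILE-- section is discarded, so the test only proves the inputs are unchanged and would still pass if the call bailed out early without emitting a diagnostic. Checking the result as well ties the "unchanged" assertion to a call that actually processed every part: `var_dump(is_string(imap_mail_compose($envelope, $body)));` with a matching `bool(true)` line at the top of --EXPECT--. All arrays here are literals; a variant in which one sub-array is also held by a second variable would additionally cover separation of a shared, non-literal array, assuming those take a different copy path.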