- Fixed memory corruption in ImageTTFText() with 64bit systems. (Andrey)
- Fixed bug #32956 (mysql_bind_result doesn't support MYSQL_TYPE_NULL). (Georg)
- Fixed bug #32947 (Incorrect option for mysqli default password). (Georg)
+- Fixed bug #32936 (http redirects URLs are not checked for control chars). (Ilia)
- Fixed bug #32930 (class extending DOMDocument doesn't clone properly). (Rob)
- Fixed bug #32852 (Crash with singleton and __destruct when
zend.ze1_compatibility_mode = On). (Dmitry)
} else {
strlcpy(new_path, location, sizeof(new_path));
}
+
+ php_url_free(resource);
+ /* check for invalid redirection URLs */
+ if ((resource = php_url_parse(new_path)) == NULL) {
+ php_stream_wrapper_log_error(wrapper, options TSRMLS_CC, "Invalid redirect url! %s", new_path);
+ goto out;
+ }
+
+#define CHECK_FOR_CNTRL_CHARS(val) { \
+ if (val) { \
+ unsigned char *s, *e; \
+ int l; \
+ l = php_url_decode(val, strlen(val)); \
+ s = val; e = s + l; \
+ while (s < e) { \
+ if (iscntrl(*s)) { \
+ php_stream_wrapper_log_error(wrapper, options TSRMLS_CC, "Invalid redirect url! %s", new_path); \
+ goto out; \
+ } \
+ s++; \
+ } \
+ } \
+} \
+ /* check for control characters in login, password & path */
+ CHECK_FOR_CNTRL_CHARS(resource->user)
+ CHECK_FOR_CNTRL_CHARS(resource->pass)
+ CHECK_FOR_CNTRL_CHARS(resource->path)
+
stream = php_stream_url_wrap_http_ex(NULL, new_path, mode, options, opened_path, context, --redirect_max, 0 STREAMS_CC TSRMLS_CC);
if (stream && stream->wrapperdata) {
entryp = &entry;
projects / php / commitdiff