Fix CVE-2010-0397: null pointer dereference when processing invalid XML-RPC
authorRaphael Geissert <geissert@php.net>
Sat, 13 Mar 2010 18:40:29 +0000 (18:40 +0000)
committerRaphael Geissert <geissert@php.net>
Sat, 13 Mar 2010 18:40:29 +0000 (18:40 +0000)
requests (bug #51288)

NEWS
ext/xmlrpc/tests/bug51288.phpt [new file with mode: 0644]
ext/xmlrpc/xmlrpc-epi-php.c

diff --git a/NEWS b/NEWS
index f11fd95af04133bd6489de766a6918eae5979b67..22ecee8398f34be8698130730d292416b68628f9 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,9 @@ PHP                                                                        NEWS
 ?? ??? 2010, PHP 5.2.14
 - Updated timezone database to version 2010.3. (Derick)
 
+- Fixed a NULL pointer dereference when processing invalid XML-RPC
+  requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)
+
 - Fixed bug #51269 (zlib.output_compression Overwrites Vary Header). (Adam)
 - Fixed bug #51237 (milter SAPI crash on startup). (igmar at palsenberg dot com)
 - Fixed bug #51213 (pdo_mssql is trimming value of the money column). (Ilia,
diff --git a/ext/xmlrpc/tests/bug51288.phpt b/ext/xmlrpc/tests/bug51288.phpt
new file mode 100644 (file)
index 0000000..d9bdef8
--- /dev/null
@@ -0,0 +1,14 @@
+--TEST--
+Bug #51288 (CVE-2010-0397, NULL pointer deref when no <methodName> in request)
+--FILE--
+<?php
+$method = NULL;
+$req = '<?xml version="1.0"?><methodCall></methodCall>';
+var_dump(xmlrpc_decode_request($req, $method));
+var_dump($method);
+echo "Done\n";
+?>
+--EXPECT--
+NULL
+NULL
+Done
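Review bot: The new test has no `--SKIPIF--` section, so on a build without ext/xmlrpc it fails instead of being skipped; add `--SKIPIF--` followed by `<?php if (!extension_loaded('xmlrpc')) die('skip xmlrpc extension not available'); ?>` between `--TEST--` and `--FILE--`. It also only exercises a `<methodCall>` with no `<methodName>` element at all; a second request with an empty `<methodName></methodName>` would document whether the decoder yields NULL or an empty string there, since the C change only guards the NULL return. The expected output pins `$method` staying NULL, which is consistent with the new code leaving `method_name_out` untouched when no name is found.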
index c4680000a7b65ccb0f6082c8728ec2a7eb626385..980be7b81703c060819f7f0c32d4a5bc96622ee9 100644 (file)
@@ -723,6 +723,7 @@ zval* decode_request_worker (zval* xml_in, zval* encoding_in, zval* method_name_
        zval* retval = NULL;
        XMLRPC_REQUEST response;
        STRUCT_XMLRPC_REQUEST_INPUT_OPTIONS opts = {{0}};
+       const char *method_name;
        opts.xml_elem_opts.encoding = encoding_in ? utf8_get_encoding_id_from_string(Z_STRVAL_P(encoding_in)) : ENCODING_DEFAULT;
 
        /* generate XMLRPC_REQUEST from raw xml */
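Review bot: `const char *method_name;` is added without an initializer and is only assigned inside the `if(method_name_out)` branch of the following hunk, so the variable is indeterminate on every other path through decode_request_worker; since the file keeps C89-style top-of-block declarations, write it as `const char *method_name = NULL;` so any later read is defined. The function's body starts before this hunk (its signature is visible only in the `@@` context) and continues past the end of the second hunk. In that second hunk the `else { retval = NULL; }` branch overwrites `retval` without releasing it; lines 730–732 between the hunks are not in view, so if `retval` has already received a decoded zval by that point the assignment leaks it on every malformed request and the branch should release it first, `if (retval) { zval_ptr_dtor(&retval); retval = NULL; }`.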
@@ -733,10 +734,15 @@ zval* decode_request_worker (zval* xml_in, zval* encoding_in, zval* method_name_
 
                if(XMLRPC_RequestGetRequestType(response) == xmlrpc_request_call) {
                        if(method_name_out) {
-                               zval_dtor(method_name_out);
-                               Z_TYPE_P(method_name_out) = IS_STRING;
-                               Z_STRVAL_P(method_name_out) = estrdup(XMLRPC_RequestGetMethodName(response));
-                               Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out));
+                               method_name = XMLRPC_RequestGetMethodName(response);
+                               if (method_name) {
+                                       zval_dtor(method_name_out);
+                                       Z_TYPE_P(method_name_out) = IS_STRING;
+                                       Z_STRVAL_P(method_name_out) = estrdup(method_name);
+                                       Z_STRLEN_P(method_name_out) = strlen(Z_STRVAL_P(method_name_out));
+                               } else {
+                                       retval = NULL;
+                               }
                        }
                }