MFH: Fixed possible XSS inside error reporting functionality.
authorIlia Alshanetsky <iliaa@php.net>
Tue, 6 Dec 2005 03:30:43 +0000 (03:30 +0000)
committerIlia Alshanetsky <iliaa@php.net>
Tue, 6 Dec 2005 03:30:43 +0000 (03:30 +0000)
NEWS
main/main.c

diff --git a/NEWS b/NEWS
index 48faedd2f1c61ed874031e7a454a7502661ff6a1..4b98b56d98772f13923e91cd2b5bf98ccb4b04f2 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,7 +1,8 @@
 PHP 4                                                                      NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2005, Version 4.4.2
-- FIxed bug #35536 (mysql_field_type() doesn't handle NEWDECIMAL). (Tony)
+- Fixed possible XSS inside error reporting functionality. (Ilia)
+- Fixed bug #35536 (mysql_field_type() doesn't handle NEWDECIMAL). (Tony)
 - Fixed bug #35410 (wddx_deserialize() doesn't handle large ints as keys 
   properly). (Ilia)
 - Fixed bug #35341 (Fix for bug #33760 breaks build with older curl). (Tony)
index 723a77dfda5b485c5395489d670802610f44439c..1502f008265cfcec182510d1d536c88e17d55dc7 100644 (file)
@@ -500,7 +500,10 @@ PHPAPI void php_verror(const char *docref, const char *params, int type, const c
                                /* no docref and no html errors -> do not point to any documentation (e.g. production boxes) */
                                php_error(type, "%s(%s): %s", get_active_function_name(TSRMLS_C), params, buffer);
                        } else if (PG(html_errors)) {
-                               php_error(type, "%s(%s) [<a href='%s%s%s'>%s</a>]: %s", get_active_function_name(TSRMLS_C), params, docref_root, docref, docref_target, docref, buffer);
+                               int len;
+                               char *replace = php_escape_html_entities(params, strlen(params), &len, 0, ENT_COMPAT, NULL TSRMLS_CC);
+                               php_error(type, "%s(%s) [<a href='%s%s%s'>%s</a>]: %s", get_active_function_name(TSRMLS_C), replace, docref_root, docref, docref_target, docref, buffer);
+                               efree(replace);
                        } else {
                                php_error(type, "%s(%s) [%s%s%s]: %s", get_active_function_name(TSRMLS_C), params, docref_root, docref, docref_target, buffer);
                        }
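Review bot: Only `params` is escaped in the `html_errors` branch; `buffer` still goes into the markup raw, and `docref_root`, `docref` and `docref_target` are written unescaped into a single-quoted `href`, which `ENT_COMPAT` would not protect because it leaves `'` alone. If any of those values can carry request data (not visible from this hunk), they need the same treatment, with `ENT_QUOTES` for the attribute. The line built here also appears to be rendered by `php_error_cb`, which this commit changes to escape the whole output string, so `replace` would be encoded twice and the `<a>` link itself would be shown as text; the escaping should live in one of the two places, not both. A comment such as `/* params may contain request data; escape before embedding in HTML */` above the call would record why it is there. `php_verror` starts and ends outside this hunk.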
@@ -651,10 +654,16 @@ static void php_error_cb(int type, const char *error_filename, const uint error_
                        && (!PG(during_request_startup) || PG(display_startup_errors))) {
                        char *prepend_string = INI_STR("error_prepend_string");
                        char *append_string = INI_STR("error_append_string");
-                       char *error_format = PG(html_errors) ?
-                               "%s<br />\n<b>%s</b>:  %s in <b>%s</b> on line <b>%d</b><br />\n%s"
-                               : "%s\n%s: %s in %s on line %d\n%s";    
-                       php_printf(error_format, STR_PRINT(prepend_string), error_type_str, buffer, error_filename, error_lineno, STR_PRINT(append_string));
+                       if (PG(html_errors)) {
+                               char *buf, *buf2;
+                               int len2, len = spprintf(&buf, 0, "%s<br />\n<b>%s</b>:  %s in <b>%s</b> on line <b>%d</b><br />\n%s", STR_PRINT(prepend_string), error_type_str, buffer, error_filename, error_lineno, STR_PRINT(append_string));
+                               buf2 = php_escape_html_entities(buf, len, &len2, 0, ENT_COMPAT, NULL TSRMLS_CC);
+                               php_printf("%s", buf2);
+                               efree(buf);
+                               efree(buf2);
+                       } else {
+                               php_printf("%s\n%s: %s in %s on line %d\n%s", STR_PRINT(prepend_string), error_type_str, buffer, error_filename, error_lineno, STR_PRINT(append_string));
+                       }
                }
 #if ZEND_DEBUG
                {
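Review bot: `php_escape_html_entities` is applied to the finished string `buf`, so the template's own `<br />` and `<b>` tags and any markup in `error_prepend_string`/`error_append_string` are entity-encoded along with the message, and the browser would show the tags as literal text. Escaping belongs on the untrusted fields before formatting, not on the formatted result; the sketch below escapes `buffer` only and leaves the template and the INI-configured strings untouched. Messages that arrive from `php_verror` carry an intentional `<a>` link inside `buffer`, so that path would need its escaping done in `php_verror` before the link is added (inferred; the call chain is outside this hunk). `php_error_cb` starts and ends outside the hunk.

```c
if (PG(html_errors)) {
	int msg_len;
	/* escape the message text only; the surrounding markup must reach the browser intact */
	char *msg = php_escape_html_entities(buffer, strlen(buffer), &msg_len, 0, ENT_COMPAT, NULL TSRMLS_CC);
	php_printf("%s<br />\n<b>%s</b>:  %s in <b>%s</b> on line <b>%d</b><br />\n%s", STR_PRINT(prepend_string), error_type_str, msg, error_filename, error_lineno, STR_PRINT(append_string));
	efree(msg);
} else {
	/* … unchanged: plain-text php_printf … */
```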