MFH: Fixed possible GLOBALS variable override when register_globals are ON.

MFH: Fixed possible register_globals toggle via parse_str().

diff --git a/NEWS b/NEWS
index 2a1a7ef3407a4cd6931b7295bdc6590c9895b09c..50096400183beded3517cee793d0867209501156 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,9 @@
 PHP 4                                                                      NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2005, Version 4.4.1
+- Fixed possible GLOBALS variable override when register_globals are ON.
+  (Ilia, Stefan)
+- Fixed possible register_globals toggle via parse_str(). (Ilia, Stefan)
 - Added "new_link" parameter to mssql_connect(). Bug #34369. (Frank)
 - Fixed bug #34645 (ctype corrupts memory when validating large numbers). (Ilia)
 - Fixed bug #34565 (mb_send_mail does not fetch mail.force_extra_parameters).

diff --git a/ext/standard/string.c b/ext/standard/string.c
index 5d44aebeb14fbe262030fd08cfdebcafc7ee40fb..c52e5a1621ea9847a833e10019c8da58c5247092 100644 (file)
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -3179,7 +3179,6 @@ PHP_FUNCTION(parse_str)
        zval *sarg;
        char *res = NULL;
        int argCount;
-       int old_rg;
 
        argCount = ARG_COUNT(ht);
        if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) {
@@ -3192,19 +3191,18 @@ PHP_FUNCTION(parse_str)
                res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg));
        }
 
-       old_rg = PG(register_globals);
        if (argCount == 1) {
-               PG(register_globals) = 1;
-               sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC);
+               zval tmp;
+               Z_ARRVAL(tmp) = EG(active_symbol_table);
+
+               sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);
        } else  {
-               PG(register_globals) = 0;
                /* Clear out the array that was passed in. */
                zval_dtor(*arrayArg);
                array_init(*arrayArg);
                
                sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC);
        }
-       PG(register_globals) = old_rg;
 }
 /* }}} */
 

diff --git a/main/php_variables.c b/main/php_variables.c
index f5c8711ae7f9a0560e5bb760b05880030c746940..3176631c7b95b00627d3401a18eada89eceabc95 100644 (file)
--- a/main/php_variables.c
+++ b/main/php_variables.c
@@ -73,6 +73,10 @@ PHPAPI void php_register_variable_ex(char *var, zval *val, pval *track_vars_arra
                symtable1 = Z_ARRVAL_P(track_vars_array);
        } else if (PG(register_globals)) {
                symtable1 = EG(active_symbol_table);
+               /* GLOBALS hijack attempt, reject parameter */
+               if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS", var, sizeof("GLOBALS[")-1) {
+                       return;
+               }
        }
        if (!symtable1) {
                /* Nothing to do */
@@ -99,6 +103,13 @@ PHPAPI void php_register_variable_ex(char *var, zval *val, pval *track_vars_arra
                zval_dtor(val);
                return;
        }
+
+       /* GLOBALS hijack attempt, reject parameter */
+       if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) {
+               zval_dtor(val);
+               return;
+       }
+
        /* ensure that we don't have spaces or dots in the variable name (not binary safe) */
        for (p=var; *p; p++) {
                switch(*p) {