Fixed bug #50847 (strip_tags() removes all tags greater then 1023 bytes long)

author Ilia Alshanetsky <iliaa@php.net>

Mon, 1 Feb 2010 12:59:08 +0000 (12:59 +0000)

committer Ilia Alshanetsky <iliaa@php.net>

Mon, 1 Feb 2010 12:59:08 +0000 (12:59 +0000)
author Ilia Alshanetsky <iliaa@php.net>
Mon, 1 Feb 2010 12:59:08 +0000 (12:59 +0000)
committer Ilia Alshanetsky <iliaa@php.net>
Mon, 1 Feb 2010 12:59:08 +0000 (12:59 +0000)
diff --git a/NEWS b/NEWS

index 8115ff6880bb57b7aa0ab86342d0c3771acf72e3..d7e7c3254d99748192f9e998a57eaf863e26693e 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -25,6 +25,8 @@ PHP                                                                        NEWS
  
  - Fixed bug #50859 (build fails with openssl 1.0 due to md2 deprecation).   
    (Ilia, hanno at hboeck dot de)
+- Fixed bug #50847 (strip_tags() removes all tags greater then 1023 bytes
+  long). (Ilia)
  - Fixed bug #50829 (php.ini directive pdo_mysql.default_socket is ignored).
    (Ilia)
  - Fixed bug #50832 (HTTP fopen wrapper does not support passwordless HTTP
diff --git a/ext/standard/string.c b/ext/standard/string.c

index e537b310daea33c3e387a05522829280e5f4eeaa..88b80996833f28e0ec011240aec1da6307e4e310 100644 (file)
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4243,7 +4243,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
  {
         char *tbuf, *buf, *p, *tp, *rp, c, lc;
         int br, i=0, depth=0, in_q = 0;
-       int state = 0;
+       int state = 0, pos;
  
         if (stateptr)
                 state = *stateptr;
@@ -4256,7 +4256,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
         br = 0;
         if (allow) {
                 php_strtolower(allow, allow_len);
-               tbuf = emalloc(PHP_TAG_BUF_SIZE+1);
+               tbuf = emalloc(PHP_TAG_BUF_SIZE + 1);
                 tp = tbuf;
         } else {
                 tbuf = tp = NULL;
@@ -4277,7 +4277,11 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
                                         lc = '<';
                                         state = 1;
                                         if (allow) {
-                                               tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+                                               if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+                                                       pos = tp - tbuf;
+                                                       tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+                                                       tp = tbuf + pos;
+                                               }
                                                 *(tp++) = '<';
                                         }
                                 } else if (state == 1) {
@@ -4292,7 +4296,11 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
                                                 br++;
                                         }
                                 } else if (allow && state == 1) {
-                                       tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+                                       if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+                                               pos = tp - tbuf;
+                                               tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+                                               tp = tbuf + pos;
+                                       }
                                         *(tp++) = c;
                                 } else if (state == 0) {
                                         *(rp++) = c;
@@ -4306,7 +4314,11 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
                                                 br--;
                                         }
                                 } else if (allow && state == 1) {
-                                       tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+                                       if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+                                               pos = tp - tbuf;
+                                               tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+                                               tp = tbuf + pos;
+                                       }
                                         *(tp++) = c;
                                 } else if (state == 0) {
                                         *(rp++) = c;
@@ -4328,7 +4340,11 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
                                                 lc = '>';
                                                 in_q = state = 0;
                                                 if (allow) {
-                                                       tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+                                                       if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+                                                               pos = tp - tbuf;
+                                                               tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+                                                               tp = tbuf + pos;
+                                                       }
                                                         *(tp++) = '>';
                                                         *tp='\0';
                                                         if (php_tag_find(tbuf, tp-tbuf, allow)) {
@@ -4378,7 +4394,11 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
                                 } else if (state == 0) {
                                         *(rp++) = c;
                                 } else if (allow && state == 1) {
-                                       tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+                                       if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+                                               pos = tp - tbuf;
+                                               tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+                                               tp = tbuf + pos;
+                                       }
                                         *(tp++) = c;
                                 }
                                 if (state && p != buf && (state == 1 || *(p-1) != '\\') && (!in_q || *p == in_q)) {
@@ -4399,7 +4419,11 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
                                         if (state == 0) {
                                                 *(rp++) = c;
                                         } else if (allow && state == 1) {
-                                               tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+                                               if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+                                                       pos = tp - tbuf;
+                                                       tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+                                                       tp = tbuf + pos;
+                                               }
                                                 *(tp++) = c;
                                         }
                                 }
@@ -4454,7 +4478,11 @@ reg_char:
                                 if (state == 0) {
                                         *(rp++) = c;
                                 } else if (allow && state == 1) {
-                                       tp = ((tp-tbuf) >= PHP_TAG_BUF_SIZE ? tbuf: tp);
+                                       if (tp - tbuf >= PHP_TAG_BUF_SIZE) {
+                                               pos = tp - tbuf;
+                                               tbuf = erealloc(tbuf, (tp - tbuf) + PHP_TAG_BUF_SIZE + 1);
+                                               tp = tbuf + pos;
+                                       }
                                         *(tp++) = c;
                                 } 
                                 break;
diff --git a/ext/standard/tests/strings/bug50847.phpt b/ext/standard/tests/strings/bug50847.phpt

new file mode 100644 (file)

index 0000000..28e83f5
--- /dev/null
+++ b/ext/standard/tests/strings/bug50847.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #50847 (strip_tags() removes all tags greater then 1023 bytes long)
+--FILE--
+<?php
+$var = '<param value="' . str_repeat("a", 2048) . '" />';
+var_dump(strip_tags($var, "<param>"), strip_tags($var));
+?>
+--EXPECT--
+string(2066) "<param value="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" />"
+string(0) ""
author	Ilia Alshanetsky <iliaa@php.net>
	Mon, 1 Feb 2010 12:59:08 +0000 (12:59 +0000)
committer	Ilia Alshanetsky <iliaa@php.net>
	Mon, 1 Feb 2010 12:59:08 +0000 (12:59 +0000)
NEWS		patch \| blob \| history
ext/standard/string.c		patch \| blob \| history
ext/standard/tests/strings/bug50847.phpt	[new file with mode: 0644]	patch \| blob