From 9d1817ed7f2c27167b62b6873896452824fa8ca0 Mon Sep 17 00:00:00 2001
From: foobar <sniper@php.net>
Date: Sun, 6 May 2001 15:20:56 +0000
Subject: [PATCH] Fix bug: #10323. Every value outputted is now escaped.

---
 ext/standard/info.c | 26 +++++++++++++-------------
 main/php_ini.c      | 29 ++++++++++++++++++-----------
 2 files changed, 31 insertions(+), 24 deletions(-)

diff --git a/ext/standard/info.c b/ext/standard/info.c
index 7b67b7a693..3f7832fd7f 100644
--- a/ext/standard/info.c
+++ b/ext/standard/info.c
@@ -34,9 +34,6 @@
 #include "zend_highlight.h"
 
 
-#define PHP_CONF_LONG(directive,value1,value2) \
-	php_printf("<TR VALIGN=\"baseline\" BGCOLOR=\"" PHP_CONTENTS_COLOR "\"><TD BGCOLOR=\"" PHP_ENTRY_NAME_COLOR "\">%s<BR></TD><TD>%ld<BR></TD><TD>%ld<BR></TD></TR>\n",directive,value1,value2);
-
 #define SECTION(name)  PUTS("<H2 align=\"center\">" name "</H2>\n")
 
 PHPAPI extern char *php_ini_opened_path;
@@ -74,7 +71,7 @@ static void php_print_gpcse_array(char *name, uint name_length ELS_DC)
 			PUTS("[\"");
 			switch (zend_hash_get_current_key((*data)->value.ht, &string_key, &num_key, 0)) {
 				case HASH_KEY_IS_STRING:
-					PUTS(string_key);
+					zend_html_puts(string_key, strlen(string_key));
 					break;
 				case HASH_KEY_IS_LONG:
 					php_printf("%ld",num_key);
@@ -89,12 +86,12 @@ static void php_print_gpcse_array(char *name, uint name_length ELS_DC)
 				tmp2 = **tmp;
 				zval_copy_ctor(&tmp2);
 				convert_to_string(&tmp2);
-				PUTS(tmp2.value.str.val);
+				zend_html_puts(tmp2.value.str.val, tmp2.value.str.len);
 				zval_dtor(&tmp2);
 			} else {
-				PUTS((*tmp)->value.str.val);
+				zend_html_puts((*tmp)->value.str.val, (*tmp)->value.str.len);
 			}
-			PUTS("</TD></TR>\n");
+			PUTS("&nbsp;</TD></TR>\n");
 			zend_hash_move_forward((*data)->value.ht);
 		}
 	}
@@ -398,15 +395,18 @@ PHPAPI void php_info_print_table_row(int num_cols, ...)
 
 	php_printf("<TR VALIGN=\"baseline\" BGCOLOR=\"" PHP_CONTENTS_COLOR "\">");
 	for (i=0; i<num_cols; i++) {
+		php_printf("<TD %s>%s",
+			(i==0?"BGCOLOR=\"" PHP_ENTRY_NAME_COLOR "\" ":"ALIGN=\"left\""),
+			(i==0?"<B>":""));
+
 		row_element = va_arg(row_elements, char *);
 		if (!row_element || !*row_element) {
-			row_element = "&nbsp;";
+			php_printf("&nbsp;");
+		} else {
+			zend_html_puts(row_element, strlen(row_element));
 		}
-		php_printf("<TD %s>%s%s%s</td>", 
-			(i==0?"BGCOLOR=\"" PHP_ENTRY_NAME_COLOR "\" ":"ALIGN=\"left\""),
-			(i==0?"<B>":""), 
-			row_element,
-			(i==0?"</B>":""));
+
+		php_printf("%s</td>", (i==0?"</B>":""));
 	}
 	php_printf("</TR>\n");
 
diff --git a/main/php_ini.c b/main/php_ini.c
index 61eb02ab38..38e2c70985 100644
--- a/main/php_ini.c
+++ b/main/php_ini.c
@@ -1,18 +1,18 @@
 /*
    +----------------------------------------------------------------------+
-   | PHP version 4.0													  |
+   | PHP version 4.0                                                      |
    +----------------------------------------------------------------------+
-   | Copyright (c) 1997-2001 The PHP Group				                  |
+   | Copyright (c) 1997-2001 The PHP Group                                |
    +----------------------------------------------------------------------+
-   | This source file is subject to version 2.02 of the PHP license,	  |
-   | that is bundled with this package in the file LICENSE, and is		  |
-   | available at through the world-wide-web at						      |
-   | http://www.php.net/license/2_02.txt.								  |
+   | This source file is subject to version 2.02 of the PHP license,      |
+   | that is bundled with this package in the file LICENSE, and is        |
+   | available at through the world-wide-web at                           |
+   | http://www.php.net/license/2_02.txt.                                 |
    | If you did not receive a copy of the PHP license and are unable to   |
-   | obtain it through the world-wide-web, please send a note to		  |
-   | license@php.net so we can mail you a copy immediately.			      |
+   | obtain it through the world-wide-web, please send a note to          |
+   | license@php.net so we can mail you a copy immediately.               |
    +----------------------------------------------------------------------+
-   | Author: Zeev Suraski <zeev@zend.com>								  |
+   | Author: Zeev Suraski <zeev@zend.com>                                 |
    +----------------------------------------------------------------------+
  */
 
@@ -26,6 +26,7 @@
 #include "php_ini.h"
 #include "ext/standard/dl.h"
 #include "zend_extensions.h"
+#include "zend_highlight.h"
 
 typedef struct _php_extension_lists {
 	zend_llist engine;
@@ -45,12 +46,13 @@ static void php_ini_displayer_cb(zend_ini_entry *ini_entry, int type)
 		ini_entry->displayer(ini_entry, type);
 	} else {
 		char *display_string;
-		uint display_string_length;
+		uint display_string_length, esc_html=0;
 
 		if (type==ZEND_INI_DISPLAY_ORIG && ini_entry->modified) {
 			if (ini_entry->orig_value) {
 				display_string = ini_entry->orig_value;
 				display_string_length = ini_entry->orig_value_length;
+				esc_html=1;
 			} else {
 				display_string = "<i>no value</i>";
 				display_string_length = sizeof("<i>no value</i>")-1;
@@ -58,11 +60,16 @@ static void php_ini_displayer_cb(zend_ini_entry *ini_entry, int type)
 		} else if (ini_entry->value && ini_entry->value[0]) {
 			display_string = ini_entry->value;
 			display_string_length = ini_entry->value_length;
+			esc_html=1;
 		} else {
 			display_string = "<i>no value</i>";
 			display_string_length = sizeof("<i>no value</i>")-1;
 		}
-		PHPWRITE(display_string, display_string_length);
+		if(esc_html) {
+			zend_html_puts(display_string, display_string_length);
+		} else {
+			PHPWRITE(display_string, display_string_length);
+		}
 	}
 }
 
-- 
2.50.1