From bce951557bada0400796cc788d5fb238a4979a34 Mon Sep 17 00:00:00 2001 From: Ilia Alshanetsky Date: Thu, 17 Feb 2005 04:46:52 +0000 Subject: [PATCH] MFH: MFH: Fixed bug #31440 ($GLOBALS can be overwritten via GPC when register_globals is enabled). --- NEWS | 2 ++ main/main.c | 8 +++++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index c76dede09b..2cc049153b 100644 --- a/NEWS +++ b/NEWS @@ -33,6 +33,8 @@ PHP 4 NEWS non-existent object ref). (Tony) - Fixed bug #31444 (Memory leak in zend_language_scanner.c). (hexer at studentcenter dot org) +- Fixed bug #31440 ($GLOBALS can be overwritten via GPC when + register_globals is enabled). (Ilia) - Fixed bug #31413 (curl POSTFIELDS crashes on 64-bit platforms). (Joe) - Fixed bug #31396 (compile fails with gd 2.0.33 without freetype). (Jani) - Fixed bug #31371 (highlight_file() trims new line after heredoc). (Ilia) diff --git a/main/main.c b/main/main.c index a7eac9e5dd..e8b62669ae 100644 --- a/main/main.c +++ b/main/main.c @@ -1342,6 +1342,7 @@ static void php_autoglobal_merge(HashTable *dest, HashTable *src TSRMLS_DC) ulong num_key; HashPosition pos; int key_type; + int globals_check = (PG(register_globals) && (dest == (&EG(symbol_table)))); zend_hash_internal_pointer_reset_ex(src, &pos); while (zend_hash_get_current_data_ex(src, (void **)&src_entry, &pos) == SUCCESS) { 
@@ -1352,7 +1353,12 @@ static void php_autoglobal_merge(HashTable *dest, HashTable *src TSRMLS_DC)
 || Z_TYPE_PP(dest_entry) != IS_ARRAY) {
 (*src_entry)->refcount++;
 if (key_type == HASH_KEY_IS_STRING) {
- zend_hash_update(dest, string_key, strlen(string_key)+1, src_entry, sizeof(zval *), NULL);
+ /* if register_globals is on and working with main symbol table, prevent overwriting of GLOBALS */
+ if (!globals_check || string_key_len != sizeof("GLOBALS") || memcmp(string_key, "GLOBALS", sizeof("GLOBALS") - 1)) {
+ zend_hash_update(dest, string_key, string_key_len, src_entry, sizeof(zval *), NULL);
+ } else {
+ (*src_entry)->refcount--;
+ }
 } else {
 zend_hash_index_update(dest, num_key, src_entry, sizeof(zval *), NULL);
 }
-- 
2.40.0
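Review bot: The GLOBALS guard is added only on the branch that stores `src_entry` directly with `zend_hash_update`; the path taken when both the source and destination entries are arrays lies outside this hunk, so it should be confirmed that an array-valued `GLOBALS` key is also kept out of the symbol table there (php_autoglobal_merge starts and ends outside the hunk). The test relies on `string_key_len` counting the terminating NUL, since it is compared with `sizeof("GLOBALS")` while `memcmp` covers only the seven name bytes; its declaration and assignment are not visible in either hunk, so a comment such as `/* string_key_len includes the trailing NUL, as Zend hash keys do */` would make that assumption explicit. Replacing `strlen(string_key)+1` with `string_key_len` in the update keeps the check and the stored key on the same length, which the guard depends on and which deserves a word in the comment. As a matter of style, the key could be tested before `(*src_entry)->refcount++;` so that the `else` branch does not have to undo the increment with `(*src_entry)->refcount--;`.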