|
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1398 |
https://bugs.php.net/bug.php?id=60227 |
|
http://git.php.net/?p=php-src.git;a=commitdiff;h=61088ce7296f2a3b4b53e60bdf413455b870664d |
http://git.php.net/?p=php-src.git;a=commitdiff;h=8e82bda330264d290a5e55580eea2eb875d4cb69 |
http://git.php.net/?p=php-src.git;a=commitdiff;h=ca58cd01fc329f907a13b82370427715d9c5bf70 |
|
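--- a/main/SAPI.c
+++ b/main/SAPI.c
@@ -587,16 +587,26 @@ SAPI_API int sapi_header_op(sapi_header_
 return FAILURE;
 }
 } else {
- /* new line safety check */
- char *s = header_line, *e = header_line + header_line_len, *p;
- while (s < e && (p = memchr(s, '\n', (e - s)))) {
- if (*(p + 1) == ' ' || *(p + 1) == '\t') {
- s = p + 1;
- continue;
+ /* new line/NUL character safety check */
+ int i;
+ for (i = 0; i < header_line_len; i++) {
+ /* RFC 2616 allows new lines if followed by SP or HT */
+ int illegal_break =
+ (header_line[i+1] != ' ' && header_line[i+1] != '\t')
+ && (
+ header_line[i] == '\n'
+ || (header_line[i] == '\r' && header_line[i+1] != '\n'));
+ if (illegal_break) {
+ efree(header_line);
+ sapi_module.sapi_error(E_WARNING, "Header may not contain "
+ "more than a single header, new line detected");
+ return FAILURE;
+ }
+ if (header_line[i] == '\0') {
+ efree(header_line);
+ sapi_module.sapi_error(E_WARNING, "Header may not contain NUL bytes");
+ return FAILURE;
 }
- efree(header_line);
- sapi_module.sapi_error(E_WARNING, "Header may not contain more than a single header, new line detected.");
- return FAILURE;
 }
 }
 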
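Review bot: The added loop still accepts a CR or LF whenever the next byte is SP or HT (the RFC 2616 folding allowance in the `illegal_break` expression), and a bare `\r` followed by SP/HT passes as well; RFC 7230 has since deprecated line folding and not every recipient treats a folded line as a continuation, so a header value built from untrusted input may still be read as a separate header by some clients. If folded headers are not required, rejecting every line break is both simpler and stricter: `if (header_line[i] == '\n' || header_line[i] == '\r') {` in place of the `illegal_break` computation. Separately, `header_line[i+1]` at `i == header_line_len - 1` reads the byte at index `header_line_len`, which is only in bounds if the buffer is NUL-terminated there; the allocation is outside the hunk, so a comment such as `/* header_line[header_line_len] is the terminating NUL, so i+1 stays in bounds */` would make that reliance explicit. sapi_header_op starts and ends outside the hunk, so the type of `header_line_len` (compared against the signed `int i`) should also be confirmed there.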