slords |
1.1.2.1 |
The first hunk of this patch is *mitigation* for use of bad wrappers |
scripts which are vulnerable to CVE-2012-2335. |
The second hunk of this patch fixes CVE-2012-2336: |
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2336 |
http://git.php.net/?p=php-src.git;a=commitdiff;h=7de4b75f74a817c3fead32710e04cd015bcc5360 |
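--- php-5.3.3/sapi/cgi/cgi_main.c.cve2311
+++ php-5.3.3/sapi/cgi/cgi_main.c
@@ -1553,10 +1553,15 @@ int main(int argc, char *argv[])
 }
 }
 
- if((query_string = getenv("QUERY_STRING")) != NULL) {
+ if((query_string = getenv("QUERY_STRING")) != NULL && strchr(query_string, '=') == NULL) {
+ /* we've got query string that has no = - apache CGI will pass it to command line */
+ unsigned char *p;
 decoded_query_string = strdup(query_string);
 php_url_decode(decoded_query_string, strlen(decoded_query_string));
- if(*decoded_query_string == '-' && strchr(query_string, '=') == NULL) {
+ for (p = decoded_query_string; *p && *p <= ' '; p++) {
+ /* skip all leading spaces */
+ }
+ if(*p == '-') {
 skip_getopt = 1;
 }
 free(decoded_query_string);
@@ -1811,7 +1816,7 @@ consult the installation file that came
 }
 
 zend_first_try {
- while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) {
+ while (!skip_getopt && (c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) {
 switch (c) {
 case 'T':
 benchmark = 1;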
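Review bot: The new scan loop in the first hunk dereferences `decoded_query_string` without checking that `strdup(query_string)` succeeded, so an allocation failure on this QUERY_STRING-driven path ends in a NULL dereference in `php_url_decode` or the `for` loop. Guard the decode and scan with `if (decoded_query_string != NULL)` and set `skip_getopt = 1` on the failure branch, so the check fails closed. The loop comment also understates what is skipped: `*p <= ' '` passes over every byte from 0x01 to 0x20, not only spaces, so `/* skip leading whitespace and control bytes (<= 0x20) */` would be more accurate. The assignment from what appears to be a `char *` to `unsigned char *p` deserves an explicit cast. `main` starts and ends outside both hunks, so the declaration and initial value of `skip_getopt` cannot be confirmed from here.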