| 1 |
|
| 2 |
The first hunk of this patch is *mitigation* for use of bad wrappers |
| 3 |
scripts which are vulnerable to CVE-2012-2335. |
| 4 |
|
| 5 |
The second hunk of this patch fixes CVE-2012-2336: |
| 6 |
|
| 7 |
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2336 |
| 8 |
|
| 9 |
http://git.php.net/?p=php-src.git;a=commitdiff;h=7de4b75f74a817c3fead32710e04cd015bcc5360 |
| 10 |
|
| 11 |
--- php-5.3.3/sapi/cgi/cgi_main.c.cve2311 |
| 12 |
+++ php-5.3.3/sapi/cgi/cgi_main.c |
| 13 |
@@ -1553,10 +1553,15 @@ int main(int argc, char *argv[]) |
| 14 |
} |
| 15 |
} |
| 16 |
|
| 17 |
- if((query_string = getenv("QUERY_STRING")) != NULL) { |
| 18 |
+ if((query_string = getenv("QUERY_STRING")) != NULL && strchr(query_string, '=') == NULL) { |
| 19 |
+ /* we've got query string that has no = - apache CGI will pass it to command line */ |
| 20 |
+ unsigned char *p; |
| 21 |
decoded_query_string = strdup(query_string); |
| 22 |
php_url_decode(decoded_query_string, strlen(decoded_query_string)); |
| 23 |
- if(*decoded_query_string == '-' && strchr(query_string, '=') == NULL) { |
| 24 |
+ for (p = decoded_query_string; *p && *p <= ' '; p++) { |
| 25 |
+ /* skip all leading spaces */ |
| 26 |
+ } |
| 27 |
+ if(*p == '-') { |
| 28 |
skip_getopt = 1; |
| 29 |
} |
| 30 |
free(decoded_query_string); |
| 31 |
@@ -1811,7 +1816,7 @@ consult the installation file that came |
| 32 |
} |
| 33 |
|
| 34 |
zend_first_try { |
| 35 |
- while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) { |
| 36 |
+ while (!skip_getopt && (c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) { |
| 37 |
switch (c) { |
| 38 |
case 'T': |
| 39 |
benchmark = 1; |
Parent Directory
| 
Revision Log
| 
Revision Graph
