Diffstat (limited to 'dev-lang/php/files/4.4.1/php4.4.1-mbstring-header_inj.patch')
-rw-r--r-- | dev-lang/php/files/4.4.1/php4.4.1-mbstring-header_inj.patch | 145 |
1 files changed, 145 insertions, 0 deletions
diff --git a/dev-lang/php/files/4.4.1/php4.4.1-mbstring-header_inj.patch b/dev-lang/php/files/4.4.1/php4.4.1-mbstring-header_inj.patch
new file mode 100644
index 0000000..adbf35a
--- /dev/null
+++ b/dev-lang/php/files/4.4.1/php4.4.1-mbstring-header_inj.patch
@@ -0,0 +1,145 @@
+--- ext/mbstring/mbstring.c 2005-09-21 15:19:19.000000000 +0200
++++ ext/mbstring/mbstring.c 2005-11-22 01:00:03.000000000 +0100
+@@ -17,7 +17,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: mbstring.c,v 1.142.2.47.2.1 2005/09/21 13:19:19 iliaa Exp $ */
++/* $Id: mbstring.c,v 1.142.2.47.2.5 2005/11/21 23:21:19 hirokawa Exp $ */
+
+ /*
+ * PHP4 Multibyte String module "mbstring"
+@@ -2924,16 +2924,17 @@
+ }
+ /* }}} */
+
+-/* {{{ proto string mb_encode_mimeheader(string str [, string charset [, string transfer-encoding [, string linefeed]]])
++/* {{{ proto string mb_encode_mimeheader(string str [, string charset [, string transfer-encoding [, string linefeed [, int indent]]]])
+ Converts the string to MIME "encoded-word" in the format of =?charset?(B|Q)?encoded_string?= */
+ PHP_FUNCTION(mb_encode_mimeheader)
+ {
+- pval **argv[4];
++ pval **argv[5];
+ enum mbfl_no_encoding charset, transenc;
+ mbfl_string string, result, *ret;
+ char *p, *linefeed;
++ int indent;
+
+- if (ZEND_NUM_ARGS() < 1 || ZEND_NUM_ARGS() > 4 || zend_get_parameters_array_ex(ZEND_NUM_ARGS(), argv) == FAILURE) {
++ if (ZEND_NUM_ARGS() < 1 || ZEND_NUM_ARGS() > 5 || zend_get_parameters_array_ex(ZEND_NUM_ARGS(), argv) == FAILURE) {
+ WRONG_PARAM_COUNT;
+ }
+
+@@ -2970,6 +2971,12 @@
+ linefeed = Z_STRVAL_PP(argv[3]);
+ }
+
++ indent = 0;
++ if (ZEND_NUM_ARGS() >= 5) {
++ convert_to_long_ex(argv[4]);
++ indent = Z_LVAL_PP(argv[4]);
++ }
++
+ convert_to_string_ex(argv[0]);
+ mbfl_string_init(&string);
+ mbfl_string_init(&result);
+@@ -2977,7 +2984,7 @@
+ string.no_encoding = MBSTRG(current_internal_encoding);
+ string.val = Z_STRVAL_PP(argv[0]);
+ string.len = Z_STRLEN_PP(argv[0]);
+- ret = mbfl_mime_header_encode(&string, &result, charset, transenc, linefeed, 0);
++ ret = mbfl_mime_header_encode(&string, &result, charset, transenc, linefeed, indent);
+ if (ret != NULL) {
+ RETVAL_STRINGL((char *)ret->val, ret->len, 0) /* the string 
is already strdup()'ed */
+ } else {
+@@ -3460,6 +3467,22 @@
+ * Sends an email message with MIME scheme
+ */
+ #if HAVE_SENDMAIL
++#define SKIP_LONG_HEADER_SEP_MBSTRING(str, pos) \
++ if (str[pos] == '\r' && str[pos + 1] == '\n' && (str[pos + 2] == ' ' || str[pos + 2] == '\t')) { \
++ pos += 3; \
++ while (str[pos] == ' ' || str[pos] == '\t') { \
++ pos++; \
++ } \
++ continue; \
++ } \
++ else if (str[pos] == '\n' && (str[pos + 1] == ' ' || str[pos + 1] == '\t')) { \
++ pos += 2; \
++ while (str[pos] == ' ' || str[pos] == '\t') { \
++ pos++; \
++ } \
++ continue; \
++ } \
++
+ PHP_FUNCTION(mb_send_mail)
+ {
+ int argc, n;
+@@ -3474,8 +3497,9 @@
+ body_enc; /* body transfar encoding */
+ mbfl_memory_device device; /* automatic allocateable buffer for additional header */
+ const mbfl_language *lang;
+- char *force_extra_parameters = INI_STR("mail.force_extra_parameters");
+ int err = 0;
++ char *to_r;
++ int to_len, i;
+
+ /* initialize */
+ mbfl_memory_device_init(&device, 0, 0);
+@@ -3502,6 +3526,32 @@
+ convert_to_string_ex(argv[0]);
+ if (Z_STRVAL_PP(argv[0])) {
+ to = Z_STRVAL_PP(argv[0]);
++ to_len = Z_STRLEN_PP(argv[0]);
++ if (to_len > 0) {
++ to_r = estrndup(to, to_len);
++ for (; to_len; to_len--) {
++ if (!isspace((unsigned char) to_r[to_len - 1])) {
++ break;
++ }
++ to_r[to_len - 1] = '\0';
++ }
++ for (i = 0; to_r[i]; i++) {
++ if (iscntrl((unsigned char) to_r[i])) {
++ /* According to RFC 822, section 3.1.1 long headers may be
++separated into
++ * parts using CRLF followed at least one linear-white-space
++character ('\t' or ' ').
++ * To prevent these separators from being replaced with a space,
++we use the
++ * SKIP_LONG_HEADER_SEP_MBSTRING to skip over them. 
++ */
+ SKIP_LONG_HEADER_SEP_MBSTRING(to_r, i);
++ to_r[i] = ' ';
++ }
++ }
++ } else {
++ to_r = to;
++ }
+ } else {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Missing To: field");
+ err = 1;
+@@ -3596,18 +3646,19 @@
+ extra_cmd = Z_STRVAL_PP(argv[4]);
+ }
+
+- if (force_extra_parameters) {
+- extra_cmd = estrdup(force_extra_parameters);
+- } else if (extra_cmd) {
++ if (extra_cmd) {
+ extra_cmd = php_escape_shell_cmd(extra_cmd);
+ }
+
+- if (!err && php_mail(to, subject, message, headers, extra_cmd TSRMLS_CC)) {
++ if (!err && php_mail(to_r, subject, message, headers, extra_cmd TSRMLS_CC)) {
+ RETVAL_TRUE;
+ } else {
+ RETVAL_FALSE;
+ }
+
++ if (to_r != to) {
++ efree(to_r);
++ }
+ if (extra_cmd) {
+ efree(extra_cmd);
+ } |
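Review bot: The SKIP_LONG_HEADER_SEP_MBSTRING macro advances `pos` past the folding whitespace and then runs `continue`, so the enclosing loop's `i++` steps over the first byte after the fold and that byte is never tested by `iscntrl()`; a control character in that position would remain in the To: value this patch is meant to sanitize. Stopping on the last whitespace byte instead closes the gap: `pos += 2; while (str[pos + 1] == ' ' || str[pos + 1] == '\t') { pos++; }` in the CRLF branch, and `pos += 1;` with the same loop in the bare-LF branch. Separately, `char *to_r;` has no initializer and the "Missing To: field" branch never assigns it, so the later `if (to_r != to) { efree(to_r); }` compares and may free an indeterminate pointer; `char *to_r = NULL;` together with `if (to_r && to_r != to)` would make that path safe (the declaration of `to` is outside the hunk, so its initial value is not visible). The last hunk also drops the `mail.force_extra_parameters` override from mb_send_mail; unless php_mail() applies that setting itself, which these lines do not show, the ini restriction would stop covering this function, so the removal should be confirmed as intended.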