Fixed bug #21149 (fixed handling of unterminated '[').

Ilia Alshanetsky 2002-12-29 21:02:17 +00:00
parent 88d26985b8
commit 1f50681813
2 changed files with 32 additions and 20 deletions


@ -120,7 +120,28 @@ PHPAPI void php_register_variable_ex(char *var, zval *val, pval *track_vars_arra
while (1) {
if (is_array) {
char *escaped_index;
char *escaped_index = NULL, *index_s;
int new_idx_len = 0;
ip++;
index_s = ip;
if (isspace(*ip)) {
ip++;
}
if (*ip==']') {
index_s = NULL;
} else {
ip = strchr(ip, ']');
if (!ip) {
/* PHP variables cannot contain '[' in their names, so we replace the character with a '_' */
*(index_s - 1) = '_';
index_len = var_len = strlen(var);
goto plain_var;
return;
}
*ip = 0;
new_idx_len = strlen(index_s);
}
if (!index) {
MAKE_STD_ZVAL(gpc_element);
@ -148,22 +169,9 @@ PHPAPI void php_register_variable_ex(char *var, zval *val, pval *track_vars_arra
}
symtable1 = Z_ARRVAL_PP(gpc_element_p);
/* ip pointed to the '[' character, now obtain the key */
index = ++ip;
index_len = 0;
if (*ip=='\n' || *ip=='\r' || *ip=='\t' || *ip==' ') {
ip++;
}
if (*ip==']') {
index = NULL;
} else {
ip = strchr(ip, ']');
if (!ip) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Missing ] in %s variable", var);
return;
}
*ip = 0;
index_len = strlen(index);
}
index = index_s;
index_len = new_idx_len;
ip++;
if (*ip=='[') {
is_array = 1;
@ -172,6 +180,7 @@ PHPAPI void php_register_variable_ex(char *var, zval *val, pval *track_vars_arra
is_array = 0;
}
} else {
plain_var:
MAKE_STD_ZVAL(gpc_element);
gpc_element->value = val->value;
Z_TYPE_P(gpc_element) = Z_TYPE_P(val);
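Review bot: On the missing-`]` path, `index_len = var_len = strlen(var);` takes the key length from the whole variable name, but `index` is not reassigned in the visible lines before `goto plain_var`, so for a nested name whose last bracket is unterminated it still appears to point at the previous level's key. If `plain_var` registers the element with `index`/`index_len` (its body continues past this hunk, so this is inferred), the length can exceed the key and read past its terminator in request-controlled data; deriving it from the key itself, `index_len = index ? strlen(index) : 0;`, avoids that. The `return;` after the `goto` is unreachable and can be dropped. `isspace(*ip)` is also handed a plain `char` taken from the request, so it should be `isspace((unsigned char)*ip)`, with a comment noting that it accepts more characters than the four the old code skipped.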


@ -104,7 +104,7 @@ static void normalize_protected_variable(char *varname TSRMLS_DC)
/* done? */
while (index) {
while (*index == ' ' || *index == '\r' || *index == '\n' || *index=='\t') {
index++;
}
@ -891,8 +891,11 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler)
* ends in [.*]
* start_arr is set to point to 1st [
*/
is_arr_upload = (start_arr = strchr(param,'[')) &&
(param[strlen(param)-1] == ']');
is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']');
/* handle unterminated [ */
if (!is_arr_upload && start_arr) {
*start_arr = '_';
}
if (is_arr_upload) {
array_len = strlen(start_arr);
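Review bot: The fallback added after the `is_arr_upload` test rewrites only the first `[`, and it runs for every name that contains `[` but does not end in `]`, so a name with a second `[` keeps that later bracket when `param` is used further down. Whether that matters depends on how `param` is consumed outside this hunk (rfc1867_post_handler continues beyond it), so it should be confirmed rather than assumed. If every stray bracket should be neutralised, a loop such as `for (; start_arr; start_arr = strchr(start_arr + 1, '[')) *start_arr = '_';` inside the same `if` does it, provided `start_arr` is not read again on the non-array path. Either way the comment could state that the name is edited in place: `/* unterminated '[': replace it with '_' in param itself */`.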