Fixed possible XSS inside error reporting functionality.

2025-08-18 15:08:55 +02:00 · 2005-12-06 03:09:24 +00:00 · 2005-12-06 03:09:24 +00:00 · aa1b0709f2
commit aa1b0709f2
parent 684d68bb27
2 changed files with 22 additions and 6 deletions
--- a/1
+++ b/1
@ -18,6 +18,7 @@ PHP                                                                        NEWS
  . Fixed isset/empty/(bool) behavior
  . Fixed iterator edge cases
  . Added methods getNamespaces(), getDocNamespaces()
+- Fixed possible XSS inside error reporting functionality. (Ilia)
 - Fixed many bugs in OCI8. (Tony)
 - Fixed crash and leak in mysqli when using 4.1.x client libraries and
  connecting to 5.x server. (Andrey)
--- a/main/main.c
+++ b/main/main.c
@ -433,6 +433,7 @@ PHPAPI void php_verror(const char *docref, const char *params, int type, const c
 	char *space;
 	char *class_name = get_active_class_name(&space TSRMLS_CC);
 	char *function;
+	int origin_len;
 	char *origin;
 	char *message;
 	int is_function = 0;
@ -490,9 +491,16 @@ PHPAPI void php_verror(const char *docref, const char *params, int type, const c

 	/* if we still have memory then format the origin */
 	if (is_function) {
-		spprintf(&origin, 0, "%s%s%s(%s)", class_name, space, function, params);	
+		origin_len = spprintf(&origin, 0, "%s%s%s(%s)", class_name, space, function, params);	
 	} else {
-		spprintf(&origin, 0, "%s", function);	
+		origin_len = spprintf(&origin, 0, "%s", function);	
+	}
+
+	if (PG(html_errors)) {
+		int len;
+		char *replace = php_escape_html_entities(origin, origin_len, &len, 0, ENT_COMPAT, NULL TSRMLS_CC);
+		efree(origin);
+		origin = replace;
 	}

 	/* origin and buffer available, so lets come up with the error message */
@ -761,10 +769,17 @@ static void php_error_cb(int type, const char *error_filename, const uint error_
 			} else {
 				char *prepend_string = INI_STR("error_prepend_string");
 				char *append_string = INI_STR("error_append_string");
-				char *error_format = PG(html_errors) ?
-					"%s<br />\n<b>%s</b>:  %s in <b>%s</b> on line <b>%d</b><br />\n%s"
-					: "%s\n%s: %s in %s on line %d\n%s";    
-				php_printf(error_format, STR_PRINT(prepend_string), error_type_str, buffer, error_filename, error_lineno, STR_PRINT(append_string));
+
+				if (PG(html_errors)) {
+					char *buf, *buf2;
+					int len2, len = spprintf(&buf, 0, "%s<br />\n<b>%s</b>:  %s in <b>%s</b> on line <b>%d</b><br />\n%s", STR_PRINT(prepend_string), error_type_str, buffer, error_filename, error_lineno, STR_PRINT(append_string));
+					buf2 = php_escape_html_entities(buf, len, &len2, 0, ENT_COMPAT, NULL TSRMLS_CC);
+					php_printf("%s", buf2);
+					efree(buf);
+					efree(buf2);
+				} else {
+					php_printf("%s\n%s: %s in %s on line %d\n%s", STR_PRINT(prepend_string), error_type_str, buffer, error_filename, error_lineno, STR_PRINT(append_string));
+				}
 			}
 		}
 #if ZEND_DEBUG