Permalink
Browse files

Fix for CVE-2012-1823

(cherry picked from commit 29300b1)
  • Loading branch information...
1 parent 8a10259 commit 168e8920be77f3b55a3ae688270b752579681f6e @rlerdorf rlerdorf committed with dsp May 3, 2012
Showing with 14 additions and 1 deletion.
  1. +14 −1 sapi/cgi/cgi_main.c
View
15 sapi/cgi/cgi_main.c
@@ -70,6 +70,7 @@
#include "php_main.h"
#include "fopen_wrappers.h"
#include "ext/standard/php_standard.h"
+#include "ext/standard/url.h"
#ifdef PHP_WIN32
# include <io.h>
@@ -1508,6 +1509,9 @@ int main(int argc, char *argv[])
#ifndef PHP_WIN32
int status = 0;
#endif
+ char *query_string;
+ char *decoded_query_string;
+ int skip_getopt = 0;
#if 0 && defined(PHP_DEBUG)
/* IIS is always making things more difficult. This allows
@@ -1557,7 +1561,16 @@ int main(int argc, char *argv[])
}
}
- while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 0, 2)) != -1) {
+ if(query_string = getenv("QUERY_STRING")) {
+ decoded_query_string = strdup(query_string);
+ php_url_decode(decoded_query_string, strlen(decoded_query_string));
+ if(*decoded_query_string == '-' && strchr(decoded_query_string, '=') == NULL) {
+ skip_getopt = 1;
+ }
+ free(decoded_query_string);
+ }
+
+ while (!skip_getopt && (c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 0, 2)) != -1) {
switch (c) {
case 'c':
if (cgi_sapi_module.php_ini_path_override) {

0 comments on commit 168e892

Please sign in to comment.