8000 Fix for CVE-2012-1823 · php/php-src@55869a9 · GitHub
[go: up one dir, main page]
Skip to content

Commit 55869a9

Browse files
rlerdorfdsp
rlerdorf
authored and
dsp
committed
Fix for CVE-2012-1823 
1 parent 02db993 commit 55869a9

File tree

1 file changed

+14
-1
lines changed

1 file changed

+14
-1
lines changed

sapi/cgi/cgi_main.c

Lines changed: 14 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -70,6 +70,7 @@
7070
#include "php_main.h"
7171
#include "fopen_wrappers.h"
7272
#include "ext/standard/php_standard.h"
73+
#include "ext/standard/url.h"
7374

7475
#ifdef PHP_WIN32
7576
# include <io.h>
@@ -1752,6 +1753,9 @@ int main(int argc, char *argv[])
17521753
#ifndef PHP_WIN32
17531754
int status = 0;
17541755
#endif
1756+
char *query_string;
1757+
char *decoded_query_string;
1758+
int skip_getopt = 0;
17551759

17561760
#if 0 && defined(PHP_DEBUG)
17571761
/* IIS is always making things more difficult. This allows
@@ -1802,7 +1806,16 @@ int main(int argc, char *argv[])
18021806
}
18031807
}
18041808

1805-
while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 0, 2)) != -1) {
1809+
if(query_string = getenv("QUERY_STRING")) {
1810+
decoded_query_string = strdup(query_string);
1811+
php_url_decode(decoded_query_string, strlen(decoded_query_string));
1812+
if(*decoded_query_string == '-' && strchr(decoded_query_string, '=') == NULL) {
1813+
skip_getopt = 1;
1814+
}
1815+
free(decoded_query_string);
1816+
}
1817+
1818+
while (!skip_getopt && (c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 0, 2)) != -1) {
18061819
switch (c) {
18071820
case 'c':
18081821
if (cgi_sapi_module.php_ini_path_override) {

0 commit comments

Comments
 (0)
0