improve fix for CVE-2012-1823

smalyshev · smalyshev · commit fc3ba0552fd5 · 2012-05-07T12:11:52.000-07:00
diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
@@ -1806,10 +1806,15 @@ int main(int argc, char *argv[])
 		}
 	}
 
-	if(query_string = getenv("QUERY_STRING")) {
+	if((query_string = getenv("QUERY_STRING")) != NULL && strchr(query_string, '=') == NULL) {
+		/* we've got query string that has no = - apache CGI will pass it to command line */
+		unsigned char *p;
 		decoded_query_string = strdup(query_string);
 		php_url_decode(decoded_query_string, strlen(decoded_query_string));
-		if(*decoded_query_string == '-' && strchr(decoded_query_string, '=') == NULL) {
+		for (p = decoded_query_string; *p &&  *p <= ' '; p++) {
+			/* skip all leading spaces */
+		}
+		if(*p == '-') {
 			skip_getopt = 1;
 		}
 		free(decoded_query_string);
@@ -2073,7 +2078,7 @@ consult the installation file that came with this distribution, or visit \n\
 	}
 
 	zend_first_try {
-		while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) {
+		while (!skip_getopt && (c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) {
 			switch (c) {
 				case 'T':
 					benchmark = 1;

Original file line number	Diff line number	Diff line change
`@@ -1806,10 +1806,15 @@ int main(int argc, char *argv[])`
`1806`	`1806`	`}`
`1807`	`1807`	`}`
`1808`	`1808`
`1809`		`- if(query_string = getenv("QUERY_STRING")) {`
	`1809`	`+ if((query_string = getenv("QUERY_STRING")) != NULL && strchr(query_string, '=') == NULL) {`
	`1810`	`+ /* we've got query string that has no = - apache CGI will pass it to command line */`
	`1811`	`+ unsigned char *p;`
`1810`	`1812`	`decoded_query_string = strdup(query_string);`
`1811`	`1813`	`php_url_decode(decoded_query_string, strlen(decoded_query_string));`
`1812`		`- if(*decoded_query_string == '-' && strchr(decoded_query_string, '=') == NULL) {`
	`1814`	`+ for (p = decoded_query_string; p && p <= ' '; p++) {`
	`1815`	`+ /* skip all leading spaces */`
	`1816`	`+ }`
	`1817`	`+ if(*p == '-') {`
`1813`	`1818`	`skip_getopt = 1;`
`1814`	`1819`	`}`
`1815`	`1820`	`free(decoded_query_string);`
`@@ -2073,7 +2078,7 @@ consult the installation file that came with this distribution, or visit \n\`
`2073`	`2078`	`}`
`2074`	`2079`
`2075`	`2080`	`zend_first_try {`
`2076`		`- while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) {`
	`2081`	`+ while (!skip_getopt && (c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) {`
`2077`	`2082`	`switch (c) {`
`2078`	`2083`	`case 'T':`
`2079`	`2084`	`benchmark = 1;`