Fixed bug #61043: Regression in magic_quotes_gpc fix (CVE-2012-0831)

cataphract · cataphract · commit 2d2995f34362 · 2012-03-21T21:12:31.000Z
Merge commit 'refs/pull/12/head' of git://github.com/php/php-src into 5.3

Signed-off-by: Gustavo André dos Santos Lopes &lt;cataphract@php.net&gt;
diff --git a/NEWS b/NEWS
@@ -14,6 +14,8 @@ PHP                                                                        NEWS
     (Nikic, Laruence)
   . Fixed bug #61058 (array_fill leaks if start index is PHP_INT_MAX).
 	(Laruence)
+  . Fixed bug #61043 (Regression in magic_quotes_gpc fix for CVE-2012-0831).
+    (Ondřej Surý)
   . Fixed bug #61000 (Exceeding max nesting level doesn't delete numerical
 	vars). (Laruence)
   . Fix bug #60895 (Possible invalid handler usage in windows random
diff --git a/main/php_variables.c b/main/php_variables.c
@@ -450,7 +450,7 @@ void _php_import_environment_variables(zval *array_ptr TSRMLS_DC)
 	/* turn off magic_quotes while importing environment variables */
 	int magic_quotes_gpc = PG(magic_quotes_gpc);
 
-	if (PG(magic_quotes_gpc)) {
+	if (magic_quotes_gpc) {
 		zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC);
 	}
 
@@ -471,7 +471,10 @@ void _php_import_environment_variables(zval *array_ptr TSRMLS_DC)
 	if (t != buf && t != NULL) {
 		efree(t);
 	}
-	PG(magic_quotes_gpc) = magic_quotes_gpc;
+
+	if (magic_quotes_gpc) {
+		zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "1", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC);
+	}
 }
 
 zend_bool php_std_auto_global_callback(char *name, uint name_len TSRMLS_DC)
@@ -595,7 +598,7 @@ static inline void php_register_server_variables(TSRMLS_D)
 		zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_SERVER]);
 	}
 	PG(http_globals)[TRACK_VARS_SERVER] = array_ptr;
-	if (PG(magic_quotes_gpc)) {
+	if (magic_quotes_gpc) {
 		zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC);
 	}
 
@@ -622,7 +625,9 @@ static inline void php_register_server_variables(TSRMLS_D)
 		php_register_variable_ex("REQUEST_TIME", &new_entry, array_ptr TSRMLS_CC);
 	}
 
-	PG(magic_quotes_gpc) = magic_quotes_gpc;
+	if (magic_quotes_gpc) {
+		zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "1", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC);
+	}
 }
 /* }}} */
 
diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
@@ -624,7 +624,7 @@ void cgi_php_import_environment_variables(zval *array_ptr TSRMLS_DC)
 		int filter_arg = (array_ptr == PG(http_globals)[TRACK_VARS_ENV])?PARSE_ENV:PARSE_SERVER;
 
 		/* turn off magic_quotes while importing environment variables */
-		if (PG(magic_quotes_gpc)) {
+		if (magic_quotes_gpc) {
 			zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC);
 		}
 		for (zend_hash_internal_pointer_reset_ex(request->env, &pos);
@@ -638,7 +638,9 @@ void cgi_php_import_environment_variables(zval *array_ptr TSRMLS_DC)
 				php_register_variable_safe(var, *val, new_val_len, array_ptr TSRMLS_CC);
 			}
 		}
-		PG(magic_quotes_gpc) = magic_quotes_gpc;
+		if (magic_quotes_gpc) {
+			zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "1", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC);
+		}
 	}
 }
 
diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c
@@ -595,7 +595,7 @@ void cgi_php_import_environment_variables(zval *array_ptr TSRMLS_DC)
 	filter_arg = (array_ptr == PG(http_globals)[TRACK_VARS_ENV])?PARSE_ENV:PARSE_SERVER;
 
 	/* turn off magic_quotes while importing environment variables */
-	if (PG(magic_quotes_gpc)) {
+	if (magic_quotes_gpc) {
 		zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC);
 	}
 	for (zend_hash_internal_pointer_reset_ex(request->env, &pos);
@@ -609,7 +609,9 @@ void cgi_php_import_environment_variables(zval *array_ptr TSRMLS_DC)
 			php_register_variable_safe(var, *val, new_val_len, array_ptr TSRMLS_CC);
 		}
 	}
-	PG(magic_quotes_gpc) = magic_quotes_gpc;
+	if (magic_quotes_gpc) {
+		zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "1", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC);
+	}
 }
 
 static void sapi_cgi_register_variables(zval *track_vars_array TSRMLS_DC)
diff --git a/tests/basic/magic_quotes_gpc.phpt b/tests/basic/magic_quotes_gpc.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #61043 (Regression in magic_quotes_gpc fix for CVE-2012-0831)
+--INI--
+error_reporting=E_ALL & ~E_DEPRECATED
+magic_quotes_gpc=On
+--FILE--
+<?php
+var_dump(ini_get("magic_quotes_gpc"));
+?>
+--EXPECT--
+string(1) "1"

Original file line number	Diff line number	Diff line change
`@@ -450,7 +450,7 @@ void _php_import_environment_variables(zval *array_ptr TSRMLS_DC)`
`450`	`450`	`/* turn off magic_quotes while importing environment variables */`
`451`	`451`	`int magic_quotes_gpc = PG(magic_quotes_gpc);`
`452`	`452`
`453`		`- if (PG(magic_quotes_gpc)) {`
	`453`	`+ if (magic_quotes_gpc) {`
`454`	`454`	`zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC);`
`455`	`455`	`}`
`456`	`456`
`@@ -471,7 +471,10 @@ void _php_import_environment_variables(zval *array_ptr TSRMLS_DC)`
`471`	`471`	`if (t != buf && t != NULL) {`
`472`	`472`	`efree(t);`
`473`	`473`	`}`
`474`		`- PG(magic_quotes_gpc) = magic_quotes_gpc;`
	`474`	`+`
	`475`	`+ if (magic_quotes_gpc) {`
	`476`	`+ zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "1", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC);`
	`477`	`+ }`
`475`	`478`	`}`
`476`	`479`
`477`	`480`	`zend_bool php_std_auto_global_callback(char *name, uint name_len TSRMLS_DC)`
`@@ -595,7 +598,7 @@ static inline void php_register_server_variables(TSRMLS_D)`
`595`	`598`	`zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_SERVER]);`
`596`	`599`	`}`
`597`	`600`	`PG(http_globals)[TRACK_VARS_SERVER] = array_ptr;`
`598`		`- if (PG(magic_quotes_gpc)) {`
	`601`	`+ if (magic_quotes_gpc) {`
`599`	`602`	`zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC);`
`600`	`603`	`}`
`601`	`604`
`@@ -622,7 +625,9 @@ static inline void php_register_server_variables(TSRMLS_D)`
`622`	`625`	`php_register_variable_ex("REQUEST_TIME", &new_entry, array_ptr TSRMLS_CC);`
`623`	`626`	`}`
`624`	`627`
`625`		`- PG(magic_quotes_gpc) = magic_quotes_gpc;`
	`628`	`+ if (magic_quotes_gpc) {`
	`629`	`+ zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "1", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC);`
	`630`	`+ }`
`626`	`631`	`}`
`627`	`632`	`/* }}} */`
`628`	`633`
Original file line number	Diff line number	Diff line change
`@@ -624,7 +624,7 @@ void cgi_php_import_environment_variables(zval *array_ptr TSRMLS_DC)`
`624`	`624`	`int filter_arg = (array_ptr == PG(http_globals)[TRACK_VARS_ENV])?PARSE_ENV:PARSE_SERVER;`
`625`	`625`
`626`	`626`	`/* turn off magic_quotes while importing environment variables */`
`627`		`- if (PG(magic_quotes_gpc)) {`
	`627`	`+ if (magic_quotes_gpc) {`
`628`	`628`	`zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC);`
`629`	`629`	`}`
`630`	`630`	`for (zend_hash_internal_pointer_reset_ex(request->env, &pos);`
`@@ -638,7 +638,9 @@ void cgi_php_import_environment_variables(zval *array_ptr TSRMLS_DC)`
`638`	`638`	`php_register_variable_safe(var, *val, new_val_len, array_ptr TSRMLS_CC);`
`639`	`639`	`}`
`640`	`640`	`}`
`641`		`- PG(magic_quotes_gpc) = magic_quotes_gpc;`
	`641`	`+ if (magic_quotes_gpc) {`
	`642`	`+ zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "1", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC);`
	`643`	`+ }`
`642`	`644`	`}`
`643`	`645`	`}`
`644`	`646`
Original file line number	Diff line number	Diff line change
`@@ -595,7 +595,7 @@ void cgi_php_import_environment_variables(zval *array_ptr TSRMLS_DC)`
`595`	`595`	`filter_arg = (array_ptr == PG(http_globals)[TRACK_VARS_ENV])?PARSE_ENV:PARSE_SERVER;`
`596`	`596`
`597`	`597`	`/* turn off magic_quotes while importing environment variables */`
`598`		`- if (PG(magic_quotes_gpc)) {`
	`598`	`+ if (magic_quotes_gpc) {`
`599`	`599`	`zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC);`
`600`	`600`	`}`
`601`	`601`	`for (zend_hash_internal_pointer_reset_ex(request->env, &pos);`
`@@ -609,7 +609,9 @@ void cgi_php_import_environment_variables(zval *array_ptr TSRMLS_DC)`
`609`	`609`	`php_register_variable_safe(var, *val, new_val_len, array_ptr TSRMLS_CC);`
`610`	`610`	`}`
`611`	`611`	`}`
`612`		`- PG(magic_quotes_gpc) = magic_quotes_gpc;`
	`612`	`+ if (magic_quotes_gpc) {`
	`613`	`+ zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "1", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC);`
	`614`	`+ }`
`613`	`615`	`}`
`614`	`616`
`615`	`617`	`static void sapi_cgi_register_variables(zval *track_vars_array TSRMLS_DC)`