#13961 [Com]: some characters in incoming variable names are silently changed


  1. #1

    #13961 [Com]: some characters in incoming variable names are silently changed

    ID: 13961
    Comment by: daniele at orlandi dot com
    Reported By: lampa at fee dot vutbr dot cz
    Status: No Feedback
    Bug Type: Apache related
    Operating System: FreeBSD
    PHP Version: 4.0.6, 4.1.0
    Assigned To: derick
    New Comment:

    This bug is still present in php 4.3.4 and may be harmful since all the
    BrowserMatch functionality to work around browser bugs in Apache is
    essentially disabled.

    As a proof of concept I patched sapi/apache2handler/sapi_apache2.c
    (apache2filter is probably affected too) and the problem went away.

    Note that the patch may not be perfect as I don't know how Apache and
    PHP work internally very well.

    --- php-4.3.4/sapi/apache2handler/sapi_apache2.c 2003-10-02
    05:24:43.000000000 +0200
    +++ php-4.3.4-patched/sapi/apache2handler/sapi_apache2.c
    2003-11-11 23:52:06.000000000 +0100
    @@ -227,9 +227,14 @@
    char *key, *val;
    zval **path_translated_zv;

    + char *t;
    +
    APR_ARRAY_FOREACH_OPEN(arr, key, val)
    if (!val) val = empty_string;
    - php_register_variable(key, val, track_vars_array
    TSRMLS_CC);
    +
    + t = estrndup(key, strlen(key));
    + php_register_variable(t, val, track_vars_array
    TSRMLS_CC);
    + efree(t);
    APR_ARRAY_FOREACH_CLOSE()
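
    Review bot: the added line t = estrndup(key, strlen(key)); is just estrdup(key) with an extra pass over the string, and estrdup is what the 2001-12-11 snippet in this same report uses. Suggest t = estrdup(key); and declaring char *t; next to char *key, *val; instead of after the blank line, so the declarations stay in one group.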


    Previous Comments:
    ------------------------------------------------------------------------

    [2002-10-15 01:00:02] php-bugs at lists dot php dot net

    No feedback was provided for this bug for over 2 weeks, so it is
    being suspended automatically. If you are able to provide the
    information that was originally requested, please do so and change
    the status of the bug back to "Open".

    ------------------------------------------------------------------------

    [2002-09-29 20:41:13] sniper@php.net

    Please try using this CVS snapshot:

    http://snaps.php.net/php4-latest.tar.gz

    For Windows:

    http://snaps.php.net/win32/php4-win32-latest.zip

    This should be fixed in CVS (If I remember correctly) so could you
    please try the snapshot and verify it for us?


    ------------------------------------------------------------------------

    [2001-12-11 09:57:36] lampa at fee dot vutbr dot cz

    Not fixed in 4.1.0. Why? To be clear, one call is necessary:

    for (i = 0; i < arr->nelts; i++) {
        char *val, *key;

        if (elts[i].val) {
            val = elts[i].val;
        } else {
            val = empty_string;
        }
        key = estrdup(elts[i].key); /* HERE */
        php_register_variable(key, val, track_vars_array ELS_CC PLS_CC);
    }


    ------------------------------------------------------------------------

    [2001-11-07 04:33:03] derick@php.net

    This is not okay, PHP should not change the original key here.
    Checking it out.

    ------------------------------------------------------------------------

    [2001-11-07 01:56:30] lampa at fee dot vutbr dot cz

    I don't think that FAQ solves that problem.
    Look at the source code of Apache server. There
    are several tests of the variable "force-response-1.0"
    there. The problem is not that php code variable
    is $force-response-1_0, that's OK, but the real
    problem is that apache variable name in r->subprocess_env
    is changed too. That's a side effect and not pleasant.

    ------------------------------------------------------------------------

    The remainder of the comments for this report are too long. To view
    the rest of the comments, please view the bug report online at
    http://bugs.php.net/13961

    --
    Edit this bug report at http://bugs.php.net/?id=13961&edit=1
    daniele at orlandi dot com Guest

  2. #2

    #13961 [Com]: some characters in incoming variable names are silently changed

    ID: 13961
    Comment by: daniele at orlandi dot com
    Reported By: lampa at fee dot vutbr dot cz
    Status: No Feedback
    Bug Type: Apache related
    Operating System: FreeBSD
    PHP Version: 4.0.6, 4.1.0
    Assigned To: derick
    New Comment:

    Is there a way to make this bug a little more alive?

    I provided the missing feedback... I don't want to file a duplicate,
    I'd just like to see it as an open bug (if it is the case).

    Sorry for the meta-comment


    Previous Comments:
    ------------------------------------------------------------------------

    [2003-11-11 18:15:11] daniele at orlandi dot com

    This bug is still present in php 4.3.4 and may be harmful since all the
    BrowserMatch functionality to work around browser bugs in Apache is
    essentially disabled.

    As a proof of concept I patched sapi/apache2handler/sapi_apache2.c
    (apache2filter is probably affected too) and the problem went away.

    Note that the patch may not be perfect as I don't know how Apache and
    PHP work internally very well.

    --- php-4.3.4/sapi/apache2handler/sapi_apache2.c 2003-10-02
    05:24:43.000000000 +0200
    +++ php-4.3.4-patched/sapi/apache2handler/sapi_apache2.c
    2003-11-11 23:52:06.000000000 +0100
    @@ -227,9 +227,14 @@
    char *key, *val;
    zval **path_translated_zv;

    + char *t;
    +
    APR_ARRAY_FOREACH_OPEN(arr, key, val)
    if (!val) val = empty_string;
    - php_register_variable(key, val, track_vars_array
    TSRMLS_CC);
    +
    + t = estrndup(key, strlen(key));
    + php_register_variable(t, val, track_vars_array
    TSRMLS_CC);
    + efree(t);
    APR_ARRAY_FOREACH_CLOSE()
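
    Review bot: the new copy before php_register_variable(t, val, ...) carries no comment explaining why it exists, so it reads as a redundant allocation that a later cleanup could remove. Suggest a one-line comment above t = estrndup(...) saying that the name passed to php_register_variable may be rewritten and that key belongs to the table being iterated by APR_ARRAY_FOREACH_OPEN(arr, key, val), so it must not be handed over directly.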


    --
    Edit this bug report at http://bugs.php.net/?id=13961&edit=1
    daniele at orlandi dot com Guest
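
Added example, not part of the original thread or of PHP's source: a small C model of the side effect discussed above, where registering a variable rewrites the key held in the shared environment table so that a later lookup of "force-response-1.0" fails, next to the copy-first approach both posters propose. The names register_variable_model, env_has and export_env and the table contents are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for one entry of Apache's r->subprocess_env table. */
struct env_entry { char key[32]; const char *val; };

/* Hypothetical model of variable registration: rewrites '.' and ' ' in the
 * name in place, giving the "force-response-1_0" name seen in the thread. */
static void register_variable_model(char *name)
{
    for (char *p = name; *p; p++)
        if (*p == '.' || *p == ' ')
            *p = '_';
}

/* A later server-side check against the same table. */
static int env_has(const struct env_entry *env, size_t n, const char *key)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(env[i].key, key) == 0)
            return 1;
    return 0;
}

/* copy_first = 0 passes the table's own key; copy_first = 1 registers a
 * private copy. Returns 1 if "force-response-1.0" is still found after. */
static int export_env(int copy_first)
{
    struct env_entry env[] = { { "force-response-1.0", "1" }, { "nokeepalive", "1" } };
    size_t n = sizeof env / sizeof env[0];
    for (size_t i = 0; i < n; i++) {
        char *name = env[i].key;
        if (copy_first) {
            name = malloc(strlen(env[i].key) + 1);
            if (!name) return -1;
            strcpy(name, env[i].key);
        }
        register_variable_model(name);
        if (copy_first) free(name);
    }
    return env_has(env, n, "force-response-1.0");
}

int main(void)
{
    printf("in place: %d, copy first: %d\n", export_env(0), export_env(1));
    return 0;
}
```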
