components/php-5_3/php-sapi/patches/380_php_21296988.patch
author Craig Mohrman <craig.mohrman@oracle.com>
Thu, 09 Jul 2015 12:46:30 -0700
changeset 4610 d6280e23d377
permissions -rw-r--r--
20803826 problem in UTILITY/PHP 21296988 problem in UTILITY/PHP

Community BUG:
https://bugs.php.net/bug.php?id=69364
Patch from another source:
https://github.com/80vul/phpcodz/blob/master/research/cve-2015-4024.patch.diff


### fix CVE-2015-4024 patch for PHP 5.2/5.3 series @chtg

--- php-5.3.29/main/rfc1867.c_orig
+++ php-5.3.29/main/rfc1867.c
@@ -464,6 +464,8 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T
 	char *line;
 	mime_header_entry prev_entry, entry;
 	int prev_len, cur_len;
+	int newlines = 0;
+	long upload_max_newlines = 100;
 
 	/* didn't find boundary, abort */
 	if (!find_boundary(self, self->boundary TSRMLS_CC)) {
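Review bot: `upload_max_newlines` is a mutable local `long` fixed at 100, yet its name reads like an ini directive and nothing visible in this patch connects it to configuration. Since it is compared against the `int` counter `newlines` and never reassigned in the visible hunks, declare it as a constant of the same type, e.g. `const int upload_max_newlines = 100;`, or as a file-level `#define`. A short comment would record why the cap exists, for example `/* Max continuation lines folded into one header; bounds the repeated re-copy behind CVE-2015-4024. */`. The counter tracks folded continuation lines rather than newlines, so a name such as `continuation_lines` would describe it better. The body of `multipart_buffer_headers` continues outside this hunk.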
@@ -489,6 +491,7 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T
 
 			entry.value = estrdup(value);
 			entry.key = estrdup(key);
+			newlines = 0;
 
 		} else if (zend_llist_count(header)) { /* If no ':' on the line, add to previous line */
 
@@ -501,6 +504,10 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T
 			entry.value[cur_len + prev_len] = '\0';
 
 			entry.key = estrdup(prev_entry.key);
+			newlines++;
+			if (newlines > upload_max_newlines) {
+				return 0;
+			}
 
 			zend_llist_remove_tail(header);
 		} else {
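Review bot: The early `return 0` in the new limit check runs after `entry.value` has been filled and `entry.key` has been duplicated with `estrdup(prev_entry.key)`, and neither is released on that path. They are presumably reclaimed only at request shutdown. Either free them first (`efree(entry.value); efree(entry.key); return 0;`) or move the `newlines++` test to the top of this `else if` branch, so an over-limit header is rejected before another concatenation is built. The allocation of `entry.value` and the start of the branch lie outside the hunk, so confirm against the full function. The rejection is also silent here; a warning through the file's existing error reporting would let operators see when the cap is hit.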