ID: 15772
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Closed
Bug Type: *General Issues
Operating System: all
PHP Version: 4.0.6
New Comment:
> Fuck you ...php
This posting is most probably a fake, because there is
no one at [EMAIL PROTECTED]
And for the rest of the trolls:
The patch from [EMAIL PROTECTED] will not be applied.
All his claims were as bogus as his patch.
He just added lots of redundant code. And the best:
In his patch every single variable is double freed.
You know how dangerous that is...
Previous Comments:
------------------------------------------------------------------------
[2002-03-02 15:56:21] [EMAIL PROTECTED]
Fuck you ...php
------------------------------------------------------------------------
[2002-03-01 07:03:10] [EMAIL PROTECTED]
I have had a long look at rfc1867.c v 1.71.2.2 2002/02/21
from a download of php4.1.2 today (1 Mar 10:00 CET). There are a large
number of dubious cases of handling of the buffer being processed. The
following diffs address most of these (I believe). I am posting the
patches to the php-dev list, since it's difficult if not impossible to
create a properly formatted diff in this edit window.
------------------------------------------------------------------------
[2002-02-28 17:50:58] [EMAIL PROTECTED]
How about this patch:
--- main/rfc1867.c.orig Thu Feb 28 14:08:25 2002
+++ main/rfc1867.c Thu Feb 28 14:33:03 2002
@@ -163,20 +163,28 @@
SAFE_RETURN;
}
/* some other headerfield
found, skip it */
- loc = (char *) memchr(ptr,
'\n', rem)+1;
+ loc = (char *) memchr(ptr,
'\n', rem);
if (!loc) {
/* broken */
php_error(E_WARNING,
"File Upload Mime headers garbled ptr: [%c%c%c%c%c]", *ptr, *(ptr + 1),
*(ptr + 2), *(ptr
+ 3), *(ptr + 4));
SAFE_RETURN;
}
+ else
+ {
+ loc++;
+ }
while (*loc == ' ' || *loc ==
'\t') {
/* other field is
folded, skip it */
- loc = (char *)
memchr(loc, '\n', rem-(loc-ptr))+1;
+ loc = (char *)
memchr(loc, '\n', rem-(loc-ptr));
if (!loc) {
/* broken */
php_error(E_WARNING, "File Upload Mime headers garbled ptr:
[%c%c%c%c%c]", *ptr, *(ptr + 1), *(ptr +
2), *(ptr + 3), *(ptr + 4));
SAFE_RETURN;
}
+ else
+ {
+ loc++;
+ }
}
rem -= (loc - ptr);
ptr = loc;
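Review bot: the NULL check is now effective, but the `while (*loc == ' ' || *loc == '\t')` test that follows still dereferences `loc` right after the `loc++`, and when the '\n' was the last byte of the buffer `loc` is already `ptr + rem`, i.e. one past the end; guard the peek with `(loc - ptr) < rem` before reading `*loc` (the inner loop has the same issue: `rem-(loc-ptr)` becomes 0 and memchr correctly returns NULL, but only after the out-of-bounds read). Minor: the added `else { loc++; }` blocks are redundant because the `if (!loc)` branch ends in SAFE_RETURN, so a bare `loc++;` after the `if` reads cleaner; and the warning text prints `*ptr` through `*(ptr + 4)` without checking that at least 5 bytes remain.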
@@ -232,6 +240,10 @@
* pre 4.0.6 code here
*/
loc2 = memchr(loc + 1, '\n',
rem);
+ if (!loc2) {
+ php_error(E_WARNING,
"File Upload Mime headers - no newline");
+ SAFE_RETURN;
+ }
rem -= (loc2 - ptr) + 1;
ptr = loc2 + 1;
/* is_arr_upload is true when
name of file upload field
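Review bot: the new `if (!loc2)` check is the right fix for the previously unchecked memchr result, but the search length looks inconsistent with how `rem` is accounted: the call is `memchr(loc + 1, '\n', rem)` while the lines below treat `rem` as bytes remaining from `ptr` (`rem -= (loc2 - ptr) + 1; ptr = loc2 + 1;`). If `loc` lies beyond `ptr`, the search extends `(loc + 1) - ptr` bytes past the region `rem` covers; pass `rem - (loc + 1 - ptr)` instead. The warning wording ("File Upload Mime headers - no newline") also differs from the "File Upload Mime headers garbled" form used in the previous hunk; keeping one form makes the messages easier to match in logs.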
------------------------------------------------------------------------
[2002-02-28 05:06:42] [EMAIL PROTECTED]
You are again wrong, cnt must be supplied.
I advise you to think before you speak.
A POST fileupload block can have lots of '\0's in it.
Without the number of bytes it would be impossible to
handle such a block.
------------------------------------------------------------------------
[2002-02-28 04:59:29] [EMAIL PROTECTED]
I'll admit that I did not examine the rest of the program to see if the
buffer was '\0'-terminated, however if it is, it's not just me that
thought it wasn't - whoever wrote the routine thought it wasn't either.
Otherwise there wouldn't even be any point in passing the buffer length
to the function, or the main loop's "while (ptr - buf < cnt)" or indeed
half the function.
As to providing patches, I know from experience that what you tend to
do with them is ignore them, insult them, re-write them badly and apply
them six months later, and then fail to credit. Plus I see no point in
providing band-aids in a futile attempt to cover the gaping wounds in
PHP. I *can* give you the fix I recommend to people for PHP, however,
which is 'rm -rf php-*' ;-)
------------------------------------------------------------------------
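The two points argued in the comments above, that a `memchr(...)+1` written before the NULL check can never fail the check, and that the buffer must be walked by byte count because a multipart body can contain '\0' bytes, shown as an added C example that is not code from rfc1867.c or from the posted patch. The `skip_folded_header` helper and the `sample` buffer are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not rfc1867.c code): skip one MIME header line and
 * any folded continuation lines (starting with ' ' or '\t') inside a
 * length-delimited buffer that may contain '\0' bytes, which is why `rem`
 * is passed instead of relying on a terminator. Returns the byte offset of
 * the next header, or -1 if no terminating '\n' is found (truncated). */
long skip_folded_header(const char *ptr, size_t rem)
{
    const char *loc = memchr(ptr, '\n', rem);
    if (!loc) {
        return -1;          /* broken: check BEFORE adding 1 to the result */
    }
    loc++;                  /* memchr(...)+1 on a NULL result would yield
                               address 1 and make the check above useless */
    /* Bound the peek at *loc: when the '\n' was the last byte, loc already
     * points one past the end of the buffer. */
    while ((size_t)(loc - ptr) < rem && (*loc == ' ' || *loc == '\t')) {
        const char *nl = memchr(loc, '\n', rem - (size_t)(loc - ptr));
        if (!nl) {
            return -1;      /* folded line without a newline: truncated */
        }
        loc = nl + 1;
    }
    return (long)(loc - ptr);
}

/* Constructed sample: a folded header, a second header, and a body that
 * contains '\0' bytes, as a multipart/form-data upload legitimately can. */
static const char sample[] =
    "Content-Disposition: form-data; name=\"f\"\r\n"
    "\tfilename=\"a.txt\"\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "bin\0ary\0body";

/* Offset of the Content-Type header in `sample` (expected: 61). */
long sample_second_header_offset(void)
{
    return skip_folded_header(sample, sizeof sample - 1);
}
int main(void)
{
    long off = sample_second_header_offset();
    printf("next header at offset %ld: %.12s\n", off, sample + off);
    return 0;
}
```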
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/15772