ID: 15772
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Closed
Bug Type: *General Issues
Operating System: all
PHP Version: 4.0.6

New Comment:
Would it be possible to post the IP addresses of the users of php.net? Some would very much appreciate that.

Previous Comments:
------------------------------------------------------------------------

[2002-03-04 12:22:19] [EMAIL PROTECTED]

Folks, please, we need a working fix, stop bitching at each other. Is the official response from the PHP team that "the fix is in CVS, so it is fixed"?

------------------------------------------------------------------------

[2002-03-03 02:34:50] [EMAIL PROTECTED]

> Fuck you ...php

This posting is most probably a fake, cause there is no one at [EMAIL PROTECTED]

And for the rest of the trolls: The patch from [EMAIL PROTECTED] will not be applied. All his claims were as bogus as his patch. He just added lots of redundant code. And the best: In his patch every single variable is double freed. You know how dangerous that is...

------------------------------------------------------------------------

[2002-03-02 15:56:21] [EMAIL PROTECTED]

Fuck you ...php

------------------------------------------------------------------------

[2002-03-01 07:03:10] [EMAIL PROTECTED]

I have had a long look at rfc1867.c v 1.71.2.2 2002/02/21 from a download of php4.1.2 today (1 Mar 10:00 CET). There are a large number of dubious cases of handling of the buffer being processed. The following diffs address most of these (I believe). I am posting the patches to the php-dev list, since it's difficult if not impossible to create a properly formatted diff in this edit window.

------------------------------------------------------------------------

[2002-02-28 17:50:58] [EMAIL PROTECTED]

How about this patch:

--- main/rfc1867.c.orig Thu Feb 28 14:08:25 2002
+++ main/rfc1867.c Thu Feb 28 14:33:03 2002
@@ -163,20 +163,28 @@ SAFE_RETURN; } /* some other headerfield found, skip it */ - loc = (char *) memchr(ptr, '\n', rem)+1; + loc = (char *) memchr(ptr, '\n', rem); if (!loc) { /* broken */ php_error(E_WARNING, "File Upload Mime headers garbled ptr: [%c%c%c%c%c]", *ptr, *(ptr + 1), *(ptr + 2), *(ptr + 3), *(ptr + 4)); SAFE_RETURN; } + else + { + loc++; + } while (*loc == ' ' || *loc == '\t') { /* other field is folded, skip it */ - loc = (char *) memchr(loc, '\n', rem-(loc-ptr))+1; + loc = (char *) memchr(loc, '\n', rem-(loc-ptr)); if (!loc) { /* broken */ php_error(E_WARNING, "File Upload Mime headers garbled ptr: [%c%c%c%c%c]", *ptr, *(ptr + 1), *(ptr + 2), *(ptr + 3), *(ptr + 4)); SAFE_RETURN; } + else + { + loc++; + } } rem -= (loc - ptr); ptr = loc; @@ -232,6 +240,10 @@ * pre 4.0.6 code here */ loc2 = memchr(loc + 1, '\n', rem); + if (!loc2) { + php_error(E_WARNING, "File Upload Mime headers - no newline"); + SAFE_RETURN; + } rem -= (loc2 - ptr) + 1; ptr = loc2 + 1; /* is_arr_upload is true when name of file upload field ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/15772 -- Edit this bug report at http://bugs.php.net/?id=15772&edit=1
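Review bot: in the first hunk (@@ -163,20 +163,28 @@) the increment now correctly follows the NULL test, but `while (*loc == ' ' || *loc == '\t')` dereferences `*loc` right after `loc++` without checking that `loc` is still inside the `rem` bytes that start at `ptr`; when the '\n' that memchr found is the last byte of the buffer, the new `loc` points one past the end and that comparison reads outside it. Suggest a bounds test before the while loop and again at the end of its body, e.g. `if (loc - ptr >= rem) { php_error(E_WARNING, "File Upload Mime headers garbled"); SAFE_RETURN; }`. As a style point, since the `if (!loc)` branches always leave via SAFE_RETURN, each `else { loc++; }` can be a plain `loc++;`.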
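Review bot: in the second hunk (@@ -232,6 +240,10 @@) the added NULL check on `loc2` is the right fix for the unchecked `memchr(loc + 1, '\n', rem)`, but the length argument has the same kind of problem: `rem` counts bytes from `ptr` (the following `rem -= (loc2 - ptr) + 1; ptr = loc2 + 1;` relies on that), yet the search starts at `loc + 1`, so memchr can scan up to `(loc + 1) - ptr` bytes past the end of the buffer before returning NULL, and a '\n' found in that overrun would leave `rem` negative. Suggest passing `rem - ((loc + 1) - ptr)`, as the first hunk does with `rem-(loc-ptr)` for its folded-header search, and using the same "garbled" wording as the other warnings so log searches match.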