[Secure-testing-commits] r5714 - data/patches/MOPB

Mon Apr 23 17:15:18 UTC 2007

Author: seanius
Date: 2007-04-23 17:15:18 +0000 (Mon, 23 Apr 2007)
New Revision: 5714

Added:
   data/patches/MOPB/MOPB-18-php5.diff
Log:
fix for 18, maybe

Added: data/patches/MOPB/MOPB-18-php5.diff
===================================================================

--- data/patches/MOPB/MOPB-18-php5.diff	2007-04-23 17:09:09 UTC (rev 5713)
+++ data/patches/MOPB/MOPB-18-php5.diff	2007-04-23 17:15:18 UTC (rev 5714)
@@ -0,0 +1,166 @@
+--- sanitizing_filters.c	2006/10/03 11:42:23	1.11.2.5
++++ sanitizing_filters.c	2006/12/18 15:02:16	1.11.2.7
+@@ -27,52 +27,29 @@
+ /* }}} */
+ 
+ /* {{{ HELPER FUNCTIONS */
+-static void php_filter_encode_html(zval *value, const char* chars, int encode_nul)
++static void php_filter_encode_html(zval *value, const unsigned char *chars)
+ {
+-	register int x, y;
+ 	smart_str str = {0};
+ 	int len = Z_STRLEN_P(value);
+-	char *s = Z_STRVAL_P(value);
++	unsigned char *s = (unsigned char *)Z_STRVAL_P(value);
++	unsigned char *e = s + len;
+ 
+ 	if (Z_STRLEN_P(value) == 0) {
+ 		return;
+ 	}
+ 
+-	for (x = 0, y = 0; len--; x++, y++) {
+-		if (strchr(chars, s[x]) || (encode_nul && s[x] == 0)) {
++	while (s < e) {
++		if (chars[*s]) {
+ 			smart_str_appendl(&str, "&#", 2);
+-			smart_str_append_long(&str, s[x]);
++			smart_str_append_unsigned(&str, (unsigned long)*s);
+ 			smart_str_appendc(&str, ';');
+ 		} else {
+-			smart_str_appendc(&str, s[x]);
++			/* XXX: this needs to be optimized to work with blocks of 'safe' chars */
++			smart_str_appendc(&str, *s);
+ 		}
++		s++;
+ 	}
+-	smart_str_0(&str);
+-	efree(Z_STRVAL_P(value));
+-	Z_STRVAL_P(value) = str.c;
+-	Z_STRLEN_P(value) = str.len;
+-}
+-
+-static void php_filter_encode_html_high_low(zval *value, long flags)
+-{
+-	register int x, y;
+-	smart_str str = {0};
+-	int len = Z_STRLEN_P(value);
+-	unsigned char *s = (unsigned char *)Z_STRVAL_P(value);
+ 
+-	if (Z_STRLEN_P(value) == 0) {
+-		return;
+-	}
+-	
+-	for (x = 0, y = 0; len--; x++, y++) {
+-		if (((flags & FILTER_FLAG_ENCODE_LOW) && (s[x] < 32)) || ((flags & FILTER_FLAG_ENCODE_HIGH) && (s[x] > 127))) {
+-			smart_str_appendl(&str, "&#", 2);
+-			smart_str_append_unsigned(&str, s[x]);
+-			smart_str_appendc(&str, ';');
+-		} else {
+-			smart_str_appendc(&str, s[x]);
+-		}
+-	}
+ 	smart_str_0(&str);
+ 	efree(Z_STRVAL_P(value));
+ 	Z_STRVAL_P(value) = str.c;
+@@ -181,9 +158,28 @@
+ void php_filter_string(PHP_INPUT_FILTER_PARAM_DECL)
+ {
+ 	size_t new_len;
+-	
++	unsigned char enc[256] = {0};
++
++	/* strip high/strip low ( see flags )*/
++	php_filter_strip(value, flags);
++
++	if (!(flags & FILTER_FLAG_NO_ENCODE_QUOTES)) {
++		enc['\''] = enc['"'] = 1;
++	}
++	if (flags & FILTER_FLAG_ENCODE_AMP) {
++		enc['&'] = 1;
++	}
++	if (flags & FILTER_FLAG_ENCODE_LOW) {
++		memset(enc, 1, 32);
++	}
++	if (flags & FILTER_FLAG_ENCODE_HIGH) {
++		memset(enc + 127, 1, sizeof(enc) - 127);
++	}
++
++	php_filter_encode_html(value, enc);
++
+ 	/* strip tags, implicitly also removes \0 chars */
+-	new_len = php_strip_tags(Z_STRVAL_P(value), Z_STRLEN_P(value), NULL, NULL, 0);
++	new_len = php_strip_tags_ex(Z_STRVAL_P(value), Z_STRLEN_P(value), NULL, NULL, 0, 1);
+ 	Z_STRLEN_P(value) = new_len;
+ 
+ 	if (new_len == 0) {
+@@ -191,21 +187,6 @@
+ 		ZVAL_EMPTY_STRING(value);
+ 		return;
+ 	}
+-
+-	if (! (flags & FILTER_FLAG_NO_ENCODE_QUOTES)) {
+-		/* encode ' and " to numerical entity */
+-		php_filter_encode_html(value, "'\"", 0);
+-	}
+-	/* strip high/strip low ( see flags )*/
+-	php_filter_strip(value, flags);
+-
+-	/* encode low/encode high flags */
+-	php_filter_encode_html_high_low(value, flags);
+-
+-	/* also all the flags - & encode as %xx */
+-	if (flags & FILTER_FLAG_ENCODE_AMP) {
+-		php_filter_encode_html(value, "&", 0);
+-	}
+ }
+ /* }}} */
+ 
+@@ -222,11 +203,21 @@
+ /* {{{ php_filter_special_chars */
+ void php_filter_special_chars(PHP_INPUT_FILTER_PARAM_DECL)
+ {
++	unsigned char enc[256] = {0};
++
++	php_filter_strip(value, flags);
++
+ 	/* encodes ' " < > & \0 to numerical entities */
+-	php_filter_encode_html(value, "'\"<>&", 1);
++	enc['\''] = enc['"'] = enc['<'] = enc['>'] = enc['&'] = enc[0] = 1;
++
+ 	/* if strip low is not set, then we encode them as &#xx; */
+-	php_filter_strip(value, flags);
+-	php_filter_encode_html_high_low(value, FILTER_FLAG_ENCODE_LOW | flags);
++	memset(enc, 1, 32);
++
++	if (flags & FILTER_FLAG_ENCODE_HIGH) {
++		memset(enc + 127, 1, sizeof(enc) - 127);
++	}
++	
++	php_filter_encode_html(value, enc);	
+ }
+ /* }}} */
+ 
+@@ -235,11 +226,21 @@
+ {
+ 	/* Only if no flags are set (optimization) */
+ 	if (flags != 0 && Z_STRLEN_P(value) > 0) {
++		unsigned char enc[256] = {0};
++
+ 		php_filter_strip(value, flags);
++
+ 		if (flags & FILTER_FLAG_ENCODE_AMP) {
+-			php_filter_encode_html(value, "&", 0);
++			enc['&'] = 1;
+ 		}
+-		php_filter_encode_html_high_low(value, flags);
++		if (flags & FILTER_FLAG_ENCODE_LOW) {
++			memset(enc, 1, 32);
++		}
++		if (flags & FILTER_FLAG_ENCODE_HIGH) {
++			memset(enc + 127, 1, sizeof(enc) - 127);
++		}
++
++		php_filter_encode_html(value, enc);	
+ 	}
+ }
+ /* }}} */


