From 36fbfd148ec65a5bfe91fcd666f3b693b06f1699 Mon Sep 17 00:00:00 2001
From: Stefan Esser
Date: Fri, 5 Sep 2014 12:04:55 +0200
Subject: Filters are allowed to change the content of a value. Always allocate a copy before giving it to the filters.

---
 post_handler.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/post_handler.c b/post_handler.c
index 4794a6b..8daf055 100644
--- a/post_handler.c
+++ b/post_handler.c
@@ -96,7 +96,7 @@ typedef struct post_var_data {
 
 static zend_bool add_post_var(zval *arr, post_var_data_t *var, zend_bool eof TSRMLS_DC)
 {
-	char *ksep, *vsep;
+	char *ksep, *vsep, *val;
 	size_t klen, vlen; /* FIXME: string-size_t */
 	unsigned int new_vlen;
 
@@ -127,19 +127,22 @@ static zend_bool add_post_var(zval *arr, post_var_data_t *var, zend_bool eof TSR
 		vlen = 0;
 	}
 
-	
+	/* do not forget that value needs to be allocated for the filters */
+	val = estrndup(ksep, vlen);
+	
 	php_url_decode(var->ptr, klen);
 	if (vlen) {
-		vlen = php_url_decode(ksep, vlen);
+		vlen = php_url_decode(val, vlen);
 	}
 
-	if (suhosin_input_filter(PARSE_POST, var->ptr, &ksep, vlen, &new_vlen TSRMLS_CC)) {
-		if (sapi_module.input_filter(PARSE_POST, var->ptr, &ksep, new_vlen, &new_vlen TSRMLS_CC)) {
-			php_register_variable_safe(var->ptr, ksep, new_vlen, arr TSRMLS_CC);
+	if (suhosin_input_filter(PARSE_POST, var->ptr, &val, vlen, &new_vlen TSRMLS_CC)) {
+		if (sapi_module.input_filter(PARSE_POST, var->ptr, &val, new_vlen, &new_vlen TSRMLS_CC)) {
+			php_register_variable_safe(var->ptr, val, new_vlen, arr TSRMLS_CC);
 		}
 	} else {
 		SUHOSIN_G(abort_request)=1;
 	}
+	efree(val);
 	var->ptr = vsep + (vsep != var->end);
 
 	return 1;
-- 
cgit v1.3
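Review bot: The added comment `/* do not forget that value needs to be allocated for the filters */` does not say who owns the buffer once the filters have run, which is the point of this hunk: both `suhosin_input_filter` and `sapi_module.input_filter` receive `&val`, and a filter that swaps in a replacement buffer (the commit message says filters may change the value) leaves `val` pointing at that new memory, which is what the trailing `efree(val)` releases. Before this change the pointer handed over was `&ksep`, an address inside the request buffer, so a replacing filter could have freed memory it did not own, and a later "optimization" that skips the copy when `vlen == 0` would reintroduce that hazard. I would replace the comment with `/* Filters get their own heap copy, never a pointer into the request buffer: they may free and replace *val, so whatever val points at afterwards is released by the efree() below. */`. The new lines still pass `new_vlen` to the second filter after the first returned nonzero; whether the first filter always assigns it cannot be told from this hunk. add_post_var starts before the hunk and its closing brace lies after it.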