Fixed bug #26819 (http_build_query() crashes on NULL output).

Fixed bug #26817 (http_build_query() does not handle private & protected object properties correctly).
23 years ago · d4c19ed2d2
5 changed files with 66 additions and 8 deletions
--- a/3
+++ b/3
@ -5,6 +5,9 @@ PHP                                                                        NEWS
  (Derick)
 - Fixed problems with longlong values in mysqli. (Georg)
 - Fixed class name case preserving of user defined classes. (Marcus)
+- Fixed bug #26819 (http_build_query() crashes on NULL output). (Ilia)
+- Fixed bug #26817 (http_build_query() does not handle private & protected 
+  object properties correctly). (Ilia)
 - Fixed bug #26762 (unserialize() produces lowercase classnames). (Marcus)
 - Fixed bug #26743 (getElementsByTagName doesn't work properly). (Rob)
 - Fixed bug #26736 (__autoload not invoked for parent classes). (Marcus)
--- a/ext/standard/http.c
+++ b/ext/standard/http.c
@ -1,4 +1,4 @@
-/* 
+/*
   +----------------------------------------------------------------------+
   | PHP Version 4                                                        |
   +----------------------------------------------------------------------+
@ -28,7 +28,8 @@
 PHPAPI int php_url_encode_hash_ex(HashTable *ht, smart_str *formstr,
 				const char *num_prefix, int num_prefix_len,
 				const char *key_prefix, int key_prefix_len,
-				const char *key_suffix, int key_suffix_len TSRMLS_DC)
+				const char *key_suffix, int key_suffix_len,
+				zval *type TSRMLS_DC)
 {
 	char *arg_sep = NULL, *key = NULL, *ekey, *newprefix, *p;
 	int arg_sep_len, key_len, ekey_len, key_type, newprefix_len;
@ -58,6 +59,18 @@ PHPAPI int php_url_encode_hash_ex(HashTable *ht, smart_str *formstr,
 			/* We don't want that trailing NULL */
 			key_len -= 1;
 		}
+	
+		/* handling for private & protected object properties */
+		if (*key == '\0' && type != NULL) {
+			zend_object *zobj = zend_objects_get_address(type TSRMLS_CC);
+			if (zend_check_property_access(zobj, key TSRMLS_CC) != SUCCESS) {
+				/* private or protected property access outside of the class */
+				continue;
+			}
+			char *tmp;
+			zend_unmangle_property_name(key, &tmp, &key);
+			key_len = strlen(key);		
+		}

 		if (zend_hash_get_current_data_ex(ht, (void **)&zdata, NULL) == FAILURE || !zdata || !(*zdata)) {
 			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error traversing form data array.");
@ -113,7 +126,7 @@ PHPAPI int php_url_encode_hash_ex(HashTable *ht, smart_str *formstr,
 				*p = '\0';
 			}
 			ht->nApplyCount++;
-			php_url_encode_hash_ex(HASH_OF(*zdata), formstr, NULL, 0, newprefix, newprefix_len, "]", 1 TSRMLS_CC);
+			php_url_encode_hash_ex(HASH_OF(*zdata), formstr, NULL, 0, newprefix, newprefix_len, "]", 1, (Z_TYPE_PP(zdata) == IS_OBJECT ? *zdata : NULL) TSRMLS_CC);
 			ht->nApplyCount--;
 			efree(newprefix);
 		} else if (Z_TYPE_PP(zdata) == IS_NULL || Z_TYPE_PP(zdata) == IS_RESOURCE) {
@ -134,7 +147,7 @@ PHPAPI int php_url_encode_hash_ex(HashTable *ht, smart_str *formstr,
 				if (num_prefix) {
 					smart_str_appendl(formstr, num_prefix, num_prefix_len);
 				}
-				ekey_len = spprintf(&ekey, 12, "%ld", idx); 
+				ekey_len = spprintf(&ekey, 12, "%ld", idx);
 				smart_str_appendl(formstr, ekey, ekey_len);
 				efree(ekey);
 			}
@ -163,7 +176,7 @@ PHPAPI int php_url_encode_hash_ex(HashTable *ht, smart_str *formstr,
 			smart_str_appendl(formstr, ekey, ekey_len);
 			efree(ekey);
 		}
-	} 	
+	}

 	return SUCCESS;
 }
@ -187,17 +200,23 @@ PHP_FUNCTION(http_build_query)
 		RETURN_FALSE;
 	}

-	if (php_url_encode_hash_ex(HASH_OF(formdata), &formstr, prefix, prefix_len, NULL, 0, NULL, 0 TSRMLS_CC) == FAILURE) {
+	if (php_url_encode_hash_ex(HASH_OF(formdata), &formstr, prefix, prefix_len, NULL, 0, NULL, 0, (Z_TYPE_P(formdata) == IS_OBJECT ? formdata : NULL) TSRMLS_CC) == FAILURE) {
 		if (formstr.c) {
 			efree(formstr.c);
 		}
 		RETURN_FALSE;
 	}
+
+	if (!formstr.c) {
+		RETURN_NULL();
+	}
+
 	smart_str_0(&formstr);
+	
 	RETURN_STRINGL(formstr.c, formstr.len, 0);
 }
 /* }}} */
- 
+
 /*
 * Local variables:
 * tab-width: 4
--- a/ext/standard/php_http.h
+++ b/ext/standard/php_http.h
@ -27,7 +27,8 @@
 PHPAPI int php_url_encode_hash_ex(HashTable *ht, smart_str *formstr,
 				const char *num_prefix, int num_prefix_len,
 				const char *key_prefix, int key_prefix_len,
-				const char *key_suffix, int key_suffix_len TSRMLS_DC);
+				const char *key_suffix, int key_suffix_len, 
+				zval *type TSRMLS_DC);
 #define php_url_encode_hash(ht, formstr)	php_url_encode_hash_ex((ht), (formstr), NULL, 0, NULL, 0, NULL, 0 TSRMLS_CC)

 PHP_FUNCTION(http_build_query);
--- a/ext/standard/tests/strings/bug26817.phpt
+++ b/ext/standard/tests/strings/bug26817.phpt
@ -0,0 +1,26 @@
+--TEST--
+Bug #26817 (http_build_query() did not handle private & protected object properties)
+--FILE--
+<?php
+class test { 
+	protected $foo;
+	private $bar;
+	public $test;
+
+	function foo()
+	{
+		$this->bar = 'meuh';
+		$this->foo = 'lala';
+		$this->test = 'test';
+
+		var_dump(http_build_query($this));
+	}
+}
+
+$obj = new test();
+$obj->foo();
+var_dump(http_build_query($obj));
+?>
+--EXPECT--
+string(27) "foo=lala&bar=meuh&test=test"
+string(9) "test=test"
--- a/ext/standard/tests/strings/bug26819.phpt
+++ b/ext/standard/tests/strings/bug26819.phpt
@ -0,0 +1,9 @@
+--TEST--
+Bug #26819 (http_build_query() crash on empty output)
+--FILE--
+<?php
+$a = array();
+var_dump(http_build_query($a));
+?>
+--EXPECT--
+NULL