File php-4.3.9-CVE-2005-3390.patch of Package php4
http://cvs.php.net/diff.php/php-src/main/php_variables.c?r1=1.45.2.13.2.2&r2=1.45.2.13.2.3&ty=u http://cvs.php.net/diff.php/php-src/ext/standard/array.c?r1=1.199.2.44.2.8&r2=1.199.2.44.2.9&ty=u http://cvs.php.net/diff.php/php-src/ext/standard/basic_functions.c?r1=1.543.2.51.2.2&r2=1.543.2.51.2.3&ty=u http://viewcvs.php.net/viewcvs.cgi/php-src/main/main.c.diff?r1=1.512.2.58&r2=1.512.2.59&only_with_tag=PHP_4_3
--- php-4.3.9/ext/standard/array.c.cve3390
+++ php-4.3.9/ext/standard/array.c
@@ -1243,6 +1243,10 @@
 /* break omitted intentionally */
 case EXTR_OVERWRITE:
+ /* GLOBALS protection */
+ if (var_exists && !strcmp(var_name, "GLOBALS")) {
+ break;
+ }
 smart_str_appendl(&final_name, var_name, var_name_len);
 break;
--- php-4.3.9/ext/standard/basic_functions.c.cve3390
+++ php-4.3.9/ext/standard/basic_functions.c
@@ -3001,11 +3001,25 @@
 prefix = va_arg(args, char *);
 prefix_len = va_arg(args, uint);
- new_key_len = prefix_len + hash_key->nKeyLength;
- new_key = (char *) emalloc(new_key_len);
+ if (!prefix_len) {
+ if (!hash_key->nKeyLength) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard.");
+ return 0;
+ } else if (!strcmp(hash_key->arKey, "GLOBALS")) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite.");
+ return 0;
+ }
+ }
- memcpy(new_key, prefix, prefix_len);
- memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
+ if (hash_key->nKeyLength) {
+ new_key_len = prefix_len + hash_key->nKeyLength;
+ new_key = (char *) emalloc(new_key_len);
+
+ memcpy(new_key, prefix, prefix_len);
+ memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
+ } else {
+ new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h);
+ }
 zend_hash_del(&EG(symbol_table), new_key, new_key_len);
 ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0);
--- php-4.3.9/main/php_variables.c.cve3390
+++ php-4.3.9/main/php_variables.c
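Review bot: The new guard before `smart_str_appendl` fires only when `var_exists` is true, so a key named GLOBALS is still appended to `final_name` whenever the target symbol table has no entry of that name yet, whereas the checks this same patch adds in php_variables.c and basic_functions.c reject the name without any existence precondition. Unless an existing-entry requirement is needed for a reason outside the hunk, the consistent form is `if (!strcmp(var_name, "GLOBALS")) { break; }`. A length-aware compare, `var_name_len == sizeof("GLOBALS") - 1 && !memcmp(var_name, "GLOBALS", var_name_len)`, would also match how the main.c hunk does it, since `var_name_len` rather than the NUL position is what gets appended. The enclosing switch and function start and end outside the hunk.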
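Review bot: In the new numeric-key branch `new_key_len` is the return value of `spprintf`, which is the formatted length without the terminator, while the string-key branch keeps `prefix_len + hash_key->nKeyLength`, which includes the terminator if `nKeyLength` follows the zend_hash convention of counting the trailing NUL (the retained memcpy of `nKeyLength` bytes suggests it does); both values then go unchanged into `zend_hash_del` and `ZEND_SET_SYMBOL_WITH_LENGTH`. If that convention holds, a prefixed numeric key is registered under a length one short of the string-key form and normal lookups of it would miss; `new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h) + 1;` would align the two branches, but confirm the key-length convention before changing it. Separately, `%ld` is a signed conversion for `hash_key->h`; if `h` is `ulong` as in zend_hash, `%lu` is the matching specifier. The enclosing function starts and ends outside the hunk.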
@@ -73,6 +73,10 @@
 symtable1 = Z_ARRVAL_P(track_vars_array);
 } else if (PG(register_globals)) {
 symtable1 = EG(active_symbol_table);
+ /* GLOBALS hijack attempt, reject parameter */
+ if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)) {
+ return;
+ }
 }
 if (!symtable1) { /* Nothing to do */
@@ -99,6 +103,13 @@
 zval_dtor(val);
 return;
 }
+
+ /* GLOBALS hijack attempt, reject parameter */
+ if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) {
+ zval_dtor(val);
+ return;
+ }
+
 /* ensure that we don't have spaces or dots in the variable name (not binary safe) */
 for (p=var; *p; p++) {
 switch(*p) {
--- php-4.3.9/main/main.c.cve3390
+++ php-4.3.9/main/main.c
@@ -1338,6 +1338,7 @@
 ulong num_key;
 HashPosition pos;
 int key_type;
+ int globals_check = (PG(register_globals) && (dest == (&EG(symbol_table))));
 zend_hash_internal_pointer_reset_ex(src, &pos);
 while (zend_hash_get_current_data_ex(src, (void **)&src_entry, &pos) == SUCCESS) {
@@ -1348,7 +1349,12 @@
 || Z_TYPE_PP(dest_entry) != IS_ARRAY) {
 (*src_entry)->refcount++;
 if (key_type == HASH_KEY_IS_STRING) {
- zend_hash_update(dest, string_key, strlen(string_key)+1, src_entry, sizeof(zval *), NULL);
+ /* if register_globals is on and working with main symbol table, prevent overwriting of GLOBALS */
+ if (!globals_check || string_key_len != sizeof("GLOBALS") || memcmp(string_key, "GLOBALS", sizeof("GLOBALS") - 1)) {
+ zend_hash_update(dest, string_key, string_key_len, src_entry, sizeof(zval *), NULL);
+ } else {
+ (*src_entry)->refcount--;
+ }
 } else {
 zend_hash_index_update(dest, num_key, src_entry, sizeof(zval *), NULL);
 }
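Review bot: The new early `return;` after the two `strncmp` checks leaves `val` untouched, while the pre-existing early-return path visible in the next hunk (`zval_dtor(val); return;`) and the GLOBALS check added there both destroy `val` before returning; as far as the visible code shows, this function owns `val` on every exit that does not store it, so the rejected value is leaked on this path. The rejection body should read `zval_dtor(val);` followed by `return;`, matching the second check. The enclosing function begins before the hunk, so the ownership contract should be confirmed against its header comment or callers.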
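Review bot: This second GLOBALS check is narrower than the first one: it rejects only the exact name via `strcmp`, whereas the check added at line 73 also rejects names beginning with `GLOBALS[`, and in the visible code `symtable1 == EG(active_symbol_table)` holds only on the register_globals branch, where the first check has already returned. If it is intended as defence in depth for a caller path outside the hunk that passes the active symbol table in as `track_vars_array`, it should reuse the same two-part condition as the first check and say so, e.g. `/* second line of defence: symtable1 may alias the active symbol table via track_vars_array */` — presumably; the callers are not visible here.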
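Review bot: The new condition compares `string_key_len` with `sizeof("GLOBALS")` (8, counting the terminator) and the `zend_hash_update` call now passes `string_key_len` where the removed line passed `strlen(string_key)+1`; this is equivalent only if `string_key_len` includes the trailing NUL, and `string_key_len` is neither declared nor assigned in either visible hunk of main.c (the declarations hunk at line 1338 shows only `num_key`, `pos` and `key_type`), so presumably it is filled by `zend_hash_get_current_key_ex` outside the hunk. A comment would pin that assumption: `/* string_key_len counts the trailing NUL (as strlen()+1 did), hence sizeof("GLOBALS") rather than sizeof("GLOBALS") - 1 */`. The `memcmp` with `sizeof("GLOBALS") - 1` is consistent with that once the length test has passed. The enclosing loop and function extend beyond the hunk.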