Roxen.git / server / modules / scripting / php.pike


Roxen.git/server/modules/scripting/php.pike:1:   // - // $Id: php.pike,v 2.6 2011/09/12 10:54:42 grubba Exp $ + // $Id$   //   // Support for files with php markup.   //   // 2005-03-09 Henrik Grubbström   //      #include <module.h>   #include <roxen.h>      inherit "cgi.pike";    - constant cvs_version = "$Id: php.pike,v 2.6 2011/09/12 10:54:42 grubba Exp $"; + constant cvs_version = "$Id$";      constant module_type = MODULE_FILE_EXTENSION;   constant module_name = "Scripting: PHP scripting support";   constant module_doc = "Support for the "    "<a href=\"http://www.php.net/\">PHP</a> scripting engine.";      // #define PHP_DEBUG      #ifdef PHP_DEBUG   # define DWERR(X ...) werror("PHP: "+sprintf(X)+"\n")
Roxen.git/server/modules/scripting/php.pike:311:    environment->PHP_SELF = environment->DOCUMENT_URI =    environment->SCRIPT_NAME;       // Make sure php doesn't think it's a cgi script.    m_delete(environment, "SCRIPT_FILENAME");    m_delete(environment, "SERVER_SOFTWARE");    m_delete(environment, "SERVER_NAME");    m_delete(environment, "GATEWAY_INTERFACE");    m_delete(environment, "REQUEST_METHOD");    +  // Protect against execution of arbitrary code in broken bash. +  foreach(environment; string e; string v) { +  if (has_prefix(v, "() {")) { +  report_warning("CGI: Function definition in environment variable:\n" +  "CGI: %O=%O\n", +  e, v); +  environment[e] = " " + v; +  } +  } +    #if 0    if(environment->INDEX)    arguments = Array.map(environment->INDEX/"+", http_decode_string);    else   #endif /* 0 */    arguments = ({});    }   }      mapping handle_file_extension(object o, string e, RequestID id)   {    if (!(<"GET", "HEAD">)[id->method]) return 0;    NOCACHE();    return Roxen.http_stream(PHPScript(id, o)->run()->get_fd());   }
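Review bot: The new `foreach` before `#if 0` applies the "() {" rewrite only to the environment mapping built by this function, whose start lies outside the hunk; the `CGI:` prefix on the warning suggests the same loop lives in `cgi.pike`, which this module inherits, and if so the check belongs in one shared helper so the two copies cannot drift apart. Assigning `environment[e] = " " + v` to an existing key while iterating the same mapping adds or removes no keys, so it should be safe, but iterating `indices(environment)` would make that explicit. The one-line comment does not say why a leading space is the chosen fix; I would extend it to `// Bash's environment importer treats a value starting with "() {" as a function definition; a leading space turns it into plain data while the script can still read it.` The `report_warning` call formats name and value with `%O`, so the logged value is quoted and a payload cannot split the log line, which is useful for detecting probes.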