[Pkg-php-commits] [php/debian-etch] CVE-2008-5814: XSS vulnerability via display_errors

Sean Finney seanius at debian.org
Tue Apr 28 12:15:45 UTC 2009


(cherry-picked from a71a80d0465f4e82210559c51217f03057c7e028)

This was taken from the Ubuntu hardy security update.

Closes: #523028

Conflicts:

	debian/patches/series
---
 debian/patches/CVE-2008-5814.patch |   22 ++++++++++++++++++++++
 1 files changed, 22 insertions(+), 0 deletions(-)
 create mode 100644 debian/patches/CVE-2008-5814.patch

diff --git a/debian/patches/CVE-2008-5814.patch b/debian/patches/CVE-2008-5814.patch
new file mode 100644
index 0000000..f297ae4
--- /dev/null
+++ b/debian/patches/CVE-2008-5814.patch
@@ -0,0 +1,22 @@
+#
+# Description: fix cross-site scripting vulnerability when display_errors is enabled.
+# Patch: http://viewcvs.php.net/viewvc.cgi/php-src/ext/standard/head.c?r1=1.84.2.1.2.8&r2=1.84.2.1.2.9&pathrev=PHP_5_2
+#
+diff -Nur php5-5.2.4/ext/standard/head.c php5-5.2.4.new/ext/standard/head.c
+--- php5-5.2.4/ext/standard/head.c	2007-02-25 21:12:36.000000000 -0500
++++ php5-5.2.4.new/ext/standard/head.c	2009-04-15 13:31:00.000000000 -0400
+@@ -69,12 +69,12 @@
+ 	int result;
+ 	
+ 	if (name && strpbrk(name, "=,; \t\r\n\013\014") != NULL) {   /* man isspace for \013 and \014 */
+-		zend_error( E_WARNING, "Cookie names can not contain any of the folllowing '=,; \\t\\r\\n\\013\\014' (%s)", name );
++		zend_error( E_WARNING, "Cookie names can not contain any of the folllowing '=,; \\t\\r\\n\\013\\014'" );
+ 		return FAILURE;
+ 	}
+ 
+ 	if (!url_encode && value && strpbrk(value, ",; \t\r\n\013\014") != NULL) { /* man isspace for \013 and \014 */
+-		zend_error( E_WARNING, "Cookie values can not contain any of the folllowing ',; \\t\\r\\n\\013\\014' (%s)", value );
++		zend_error( E_WARNING, "Cookie values can not contain any of the folllowing ',; \\t\\r\\n\\013\\014'" );
+ 		return FAILURE;
+ 	}
+ 
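Review bot: Dropping `name` and `value` from the two zend_error() calls (the `+` lines replacing the `(%s)` variants) is a point fix: it stops this one caller from echoing attacker-supplied cookie data into a warning that display_errors renders as raw HTML, while the rendering path itself is presumably unchanged, so other warnings that interpolate request data would remain exposed by the same mechanism. The patch header should state that scope; I would add to the comment block at the top of the new file `# Note: only the two cookie-validation warnings in ext/standard/head.c are changed; the unescaped rendering of warnings under display_errors is not addressed here.` The rejected cookie name now appears nowhere in the diagnostic, which makes the warning harder to act on for developers; that is a reasonable trade-off for a stable backport but deserves a sentence in the header as well. The enclosing function starts before and ends after this hunk.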
-- 
1.5.6.5




