Added validation of class names in the autoload process

Author: dstogov

NEWS

@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2013, PHP 5.4.24
 
+- Core:
+  . Added validation of class names in the autoload process. (Dmitry)
+
 - Date:
   . Fixed bug #66060 (Heap buffer over-read in DateInterval). (Remi)
   . Fixed bug #63391 (Incorrect/inconsistent day of week prior to the year

Zend/zend_execute_API.c

@@ -1081,6 +1081,14 @@ ZEND_API int zend_lookup_class_ex(const char *name, int name_length, const zend_
 		return FAILURE;
 	}
 
+	/* Verify class name before passing it to __autoload() */
+	if (strspn(name, "0123456789_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\177\200\201\202\203\204\205\206\207\210\211\212\213\214\215\216\217\220\221\222\223\224\225\226\227\230\231\232\233\234\235\236\237\240\241\242\243\244\245\246\247\250\251\252\253\254\255\256\257\260\261\262\263\264\265\266\267\270\271\272\273\274\275\276\277\300\301\302\303\304\305\306\307\310\311\312\313\314\315\316\317\320\321\322\323\324\325\326\327\330\331\332\333\334\335\336\337\340\341\342\343\344\345\346\347\350\351\352\353\354\355\356\357\360\361\362\363\364\365\366\367\370\371\372\373\374\375\376\377\\") != name_length) {
+		if (!key) {
+			free_alloca(lc_free, use_heap);
+		}
+		return FAILURE;
+	}
+	
 	if (EG(in_autoload) == NULL) {
 		ALLOC_HASHTABLE(EG(in_autoload));
 		zend_hash_init(EG(in_autoload), 0, NULL, NULL, 0);

tests/classes/autoload_021.phpt

@@ -0,0 +1,13 @@
+--TEST--
+Validation of class names in the autoload process
+--FILE--
+<?php
+function __autoload($name) {
+	echo "$name\n";
+}
+$a = "../BUG";
+$x = new $a;
+echo "BUG\n";
+?>
+--EXPECTF--
+Fatal error: Class '../BUG' not found in %sautoload_021.php on line 6