From 197203727417a03d87053a47e5aa5175a76e3e0b Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Thu, 17 Oct 2013 04:24:53 -0400
Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382)
---
 program/lib/utf7.inc | 13 +++++++------
 1 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/program/lib/utf7.inc b/program/lib/utf7.inc
index 9ea5f6d..d2068be 100644
--- a/program/lib/utf7.inc
+++ b/program/lib/utf7.inc
@@ -39,16 +39,17 @@
 ); $u7len = strlen($str);
+ $str = strval($str);
 $p = $err = ''; for ($i=0; $u7len > 0; $i++, $u7len--) {
- $u7 = $str{$i};
+ $u7 = $str[$i];
 if ($u7 == '&') { $i++; $u7len--;
- $u7 = $str{$i};
+ $u7 = $str[$i];
 if ($u7len && $u7 == '-') {
@@ -60,7 +61,7 @@
 $k = 10; for (; $u7len > 0; $i++, $u7len--) {
- $u7 = $str{$i};
+ $u7 = $str[$i];
 if ((ord($u7) & 0x80) || ($b = $Index_64[ord($u7)]) == -1) break;
@@ -106,7 +107,7 @@
 return $err; /* Adjacent BASE64 sections */
- if ($u7len > 2 && $str{$i+1} == '&' && $str{$i+2} != '-')
+ if ($u7len > 2 && $str[$i+1] == '&' && $str[$i+2] != '-')
 return $err; } /* Not printable US-ASCII */
@@ -141,7 +142,7 @@
 while ($u8len) {
- $u8 = $str{$i};
+ $u8 = $str[$i];
 $c = ord($u8); if ($c < 0x80)
@@ -187,7 +188,7 @@
 for ($j=0; $j < $n; $j++) {
- $o = ord($str{$i+$j});
+ $o = ord($str[$i+$j]);
 if (($o & 0xc0) != 0x80) return $err; $ch = ($ch << 6) | ($o & 0x3f);
-- 
Gitblit v1.9.1
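Review bot: In the hunk at `@@ -39,16 +39,17 @@` the added `$str = strval($str);` runs after `$u7len = strlen($str);`, so the length is still measured on the uncoerced argument, and a non-string value such as an array reaches `strlen()` as-is, which warns or throws depending on the PHP version. Putting the coercion first, `$str = strval($str);` then `$u7len = strlen($str);`, keeps the length and the indexed content consistent. An early `is_string()` check that returns the error value would be stricter than letting an array be coerced to the literal `Array`. The hunks at `-141` and `-187` appear to belong to the opposite-direction converter and show no matching coercion, though its opening lines are outside the hunks, so that should be confirmed. The enclosing function starts and ends outside this hunk.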