--- ext/standard/array.c 2005-06-21 14:11:19.000000000 +0200 +++ ext/standard/array.c 2005-11-01 00:40:11.000000000 +0100 @@ -22,7 +22,7 @@ */ -/* $Id: array.c,v 1.199.2.44.2.2 2005/06/21 12:11:19 dmitry Exp $ */ +/* $Id: array.c,v 1.199.2.44.2.9 2005/10/03 14:05:07 iliaa Exp $ */ #include "php.h" #include "php_ini.h" @@ -1252,6 +1252,10 @@ /* break omitted intentionally */ case EXTR_OVERWRITE: + /* GLOBALS protection */ + if (var_exists && !strcmp(var_name, "GLOBALS")) { + break; + } smart_str_appendl(&final_name, var_name, var_name_len); break; @@ -1300,11 +1304,11 @@ zval **orig_var; if (zend_hash_find(EG(active_symbol_table), final_name.c, final_name.len+1, (void **) &orig_var) == SUCCESS) { - zval_ptr_dtor(orig_var); - SEPARATE_ZVAL_TO_MAKE_IS_REF(entry); zval_add_ref(entry); + zval_ptr_dtor(orig_var); + *orig_var = *entry; } else { if ((*var_array)->refcount > 1) { @@ -1831,8 +1835,8 @@ hashtable and replace it with new one */ new_hash = php_splice(Z_ARRVAL_P(stack), 0, 0, &args[1], argc-1, NULL); zend_hash_destroy(Z_ARRVAL_P(stack)); - efree(Z_ARRVAL_P(stack)); - Z_ARRVAL_P(stack) = new_hash; + *Z_ARRVAL_P(stack) = *new_hash; + FREE_HASHTABLE(new_hash); /* Clean up and return the number of elements in the stack */ efree(args); @@ -1909,8 +1913,8 @@ /* Replace input array's hashtable with the new one */ zend_hash_destroy(Z_ARRVAL_P(array)); - efree(Z_ARRVAL_P(array)); - Z_ARRVAL_P(array) = new_hash; + *Z_ARRVAL_P(array) = *new_hash; + FREE_HASHTABLE(new_hash); /* Clean up */ if (argc == 4) @@ -2397,8 +2401,8 @@ /* Copy the result hash into return value */ zend_hash_destroy(Z_ARRVAL_P(return_value)); - efree(Z_ARRVAL_P(return_value)); - Z_ARRVAL_P(return_value) = new_hash; + *Z_ARRVAL_P(return_value) = *new_hash; + FREE_HASHTABLE(new_hash); /* Clean up */ efree(pads); 
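Review bot: The comment `/* GLOBALS protection */` in the `EXTR_OVERWRITE` case (array.c hunk at -1252) does not explain why the guard also requires `var_exists`, so a reader cannot tell whether creating a fresh `GLOBALS` entry in a scope that lacks one is meant to stay allowed. I would state the intent, e.g. `/* never replace an existing GLOBALS entry of the active symbol table */`. The guard sits in one case of a switch whose other cases are outside the hunk, so whether the prefix modes can also end up with the name `GLOBALS` needs checking there.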
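Review bot: In the array.c hunk at -1300 the new statement order is load-bearing but undocumented, since `zval_add_ref(entry)` now runs before `zval_ptr_dtor(orig_var)`. Presumably this keeps `entry` alive when it is the very zval `*orig_var` already holds, and a later tidy-up could easily move the destructor back to the top. A comment above `zval_ptr_dtor(orig_var);` would pin it, e.g. `/* release the old value only after entry has its own reference; both may be the same zval */`. The enclosing block starts and ends outside the hunk.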
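Review bot: The in-place replacement `*Z_ARRVAL_P(stack) = *new_hash; FREE_HASHTABLE(new_hash);` in the array.c hunk at -1831 is repeated verbatim at -1909 and -2397, and none of the three sites says why the HashTable must keep its address. Presumably the old `efree(Z_ARRVAL_P(...))` was unsafe when the zval's table is not a separately allocated one (later hunks in this file test for `&EG(symbol_table)`), and that reason belongs in a comment, e.g. `/* overwrite in place: the table may be shared (e.g. the symbol table), so its address must stay valid */`. A small static helper taking the zval and `new_hash` would keep the three copies from drifting apart.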
@@ -2622,6 +2626,15 @@ /* copy the argument array */ *return_value = **args[0]; zval_copy_ctor(return_value); + if (return_value->value.ht == &EG(symbol_table)) { + HashTable *ht; + zval *tmp; + + ALLOC_HASHTABLE(ht); + zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0); + zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *)); + return_value->value.ht = ht; + } /* go through the lists and look for common values */ while (*ptrs[0]) { @@ -2772,6 +2785,15 @@ /* copy the argument array */ *return_value = **args[0]; zval_copy_ctor(return_value); + if (return_value->value.ht == &EG(symbol_table)) { + HashTable *ht; + zval *tmp; + + ALLOC_HASHTABLE(ht); + zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0); + zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *)); + return_value->value.ht = ht; + } /* go through the lists and look for values of ptr[0] that are not in the others */ @@ -3299,6 +3321,7 @@ PHP_FUNCTION(array_filter) { zval **input, **callback = NULL; + zval *array, *func = NULL; zval **operand; zval **args[1]; zval *retval = NULL; @@ -3317,9 +3340,13 @@ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The first argument should be an array"); return; } + if (callback) { + func = *callback; + } + array = *input; if (ZEND_NUM_ARGS() > 1) { - if (!zend_is_callable(*callback, 0, &callback_name)) { + if (!zend_is_callable(func, 0, &callback_name)) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "The second argument, '%s', should be a valid callback", callback_name); efree(callback_name); return; 
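Review bot: The nine-line block that detaches `return_value` from `&EG(symbol_table)` is pasted identically into the hunks at -2622 and -2772, with no comment explaining why `zval_copy_ctor` alone is not enough in that case. A security-relevant special case like this is easy to fix in one place and miss in the other, so I would move it into one documented static helper (the name below is a suggestion) and call it from both sites. Both enclosing functions extend beyond their hunks.

```c
/* Give return_value its own HashTable when the copied zval still points at
 * the global symbol table, so later deletions never touch EG(symbol_table). */
static void php_array_detach_symbol_table(zval *return_value TSRMLS_DC)
{
	HashTable *ht;
	zval *tmp;

	if (return_value->value.ht != &EG(symbol_table)) {
		return;
	}
	ALLOC_HASHTABLE(ht);
	zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0);
	zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
	return_value->value.ht = ht;
}

/* … unchanged: *return_value = **args[0]; zval_copy_ctor(return_value); … */
php_array_detach_symbol_table(return_value TSRMLS_CC);
```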
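Review bot: `array` and `func` in array_filter (declared at -3299, assigned at -3317, used at -3328 and -3351) are plain copies of `*input` and `*callback` and take no reference of their own. They therefore stay valid across `call_user_function_ex` only while the caller's argument slots keep those zvals alive. If the aim is to stop the callback from changing what is being iterated, say so next to the assignments, e.g. `/* read the zvals once: the callback must not be able to swap what we iterate */`. It is also worth confirming whether a `zval_add_ref`/`zval_ptr_dtor` pair around the loop is needed, because the function body extends beyond these hunks.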
@@ -3328,16 +3355,16 @@ } array_init(return_value); - if (zend_hash_num_elements(Z_ARRVAL_PP(input)) == 0) + if (zend_hash_num_elements(Z_ARRVAL_P(array)) == 0) return; - for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(input), &pos); - zend_hash_get_current_data_ex(Z_ARRVAL_PP(input), (void **)&operand, &pos) == SUCCESS; - zend_hash_move_forward_ex(Z_ARRVAL_PP(input), &pos)) { + for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(array), &pos); + zend_hash_get_current_data_ex(Z_ARRVAL_P(array), (void **)&operand, &pos) == SUCCESS; + zend_hash_move_forward_ex(Z_ARRVAL_P(array), &pos)) { - if (callback) { + if (func) { args[0] = operand; - if (call_user_function_ex(EG(function_table), NULL, *callback, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) { + if (call_user_function_ex(EG(function_table), NULL, func, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) { if (!zend_is_true(retval)) { zval_ptr_dtor(&retval); continue; @@ -3351,7 +3378,7 @@ continue; zval_add_ref(operand); - switch (zend_hash_get_current_key_ex(Z_ARRVAL_PP(input), &string_key, &string_key_len, &num_key, 0, &pos)) { + switch (zend_hash_get_current_key_ex(Z_ARRVAL_P(array), &string_key, &string_key_len, &num_key, 0, &pos)) { case HASH_KEY_IS_STRING: zend_hash_update(Z_ARRVAL_P(return_value), string_key, string_key_len, operand, sizeof(zval *), NULL); @@ -3418,6 +3445,7 @@ efree(array_pos); return; } + SEPARATE_ZVAL_IF_NOT_REF(pargs[i]); args[i] = *pargs[i]; array_len[i] = zend_hash_num_elements(Z_ARRVAL_PP(pargs[i])); if (array_len[i] > maxlen) { --- ext/standard/basic_functions.c 2005-05-16 10:55:31.000000000 +0200 +++ ext/standard/basic_functions.c 2005-11-01 00:40:30.000000000 +0100 @@ -17,7 +17,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: basic_functions.c,v 1.543.2.51 2005/05/16 08:55:31 tony2001 Exp $ */ +/* $Id: basic_functions.c,v 1.543.2.51.2.3 2005/09/29 16:31:48 iliaa Exp $ */ #include "php.h" #include "php_streams.h" 
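Review bot: `SEPARATE_ZVAL_IF_NOT_REF(pargs[i])` in the array.c hunk at -3418 gives array_map a private copy only for non-reference arguments, so an array that arrives as a reference stays shared with whatever the callback can reach while it is walked. Whether that case can occur here depends on code outside the hunk. At minimum the intent and the limit should be recorded, e.g. `/* detach from the caller's array so the callback cannot modify it under us (references stay shared) */`. The surrounding loop starts before and ends after the hunk.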
@@ -42,18 +42,7 @@ #include #include -#ifndef NETWARE #include -#else -/*#include "netware/env.h"*/ /* Temporary */ -#ifdef NEW_LIBC /* Same headers hold good for Winsock and Berkeley sockets */ -#include -/*#include */ -#include -#else -#include -#endif -#endif #if HAVE_ARPA_INET_H # include @@ -3038,11 +3027,25 @@ prefix = va_arg(args, char *); prefix_len = va_arg(args, uint); - new_key_len = prefix_len + hash_key->nKeyLength; - new_key = (char *) emalloc(new_key_len); + if (!prefix_len) { + if (!hash_key->nKeyLength) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard."); + return 0; + } else if (!strcmp(hash_key->arKey, "GLOBALS")) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite."); + return 0; + } + } + + if (hash_key->nKeyLength) { + new_key_len = prefix_len + hash_key->nKeyLength; + new_key = (char *) emalloc(new_key_len); - memcpy(new_key, prefix, prefix_len); - memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength); + memcpy(new_key, prefix, prefix_len); + memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength); + } else { + new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h); + } zend_hash_del(&EG(symbol_table), new_key, new_key_len); ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0); --- ext/standard/string.c 2005-06-02 10:50:52.000000000 +0200 +++ ext/standard/string.c 2005-11-01 00:40:20.000000000 +0100 @@ -18,7 +18,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: string.c,v 1.333.2.52 2005/06/02 08:50:52 derick Exp $ */ +/* $Id: string.c,v 1.333.2.52.2.1 2005/09/28 22:34:04 iliaa Exp $ */ /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */ @@ -3179,7 +3179,6 @@ zval *sarg; char *res = NULL; int argCount; - int old_rg; argCount = ARG_COUNT(ht); if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) { 
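Review bot: The `GLOBALS` test in the basic_functions.c hunk at -3038 only runs when `prefix_len` is zero and only inspects the raw key, so a non-empty prefix and a key that together spell `GLOBALS` are never compared against it; the check belongs on the composed `new_key`. Separately, the two branches disagree on length. The string branch appears to count the terminating NUL (it allocates exactly `prefix_len + nKeyLength` bytes), while `spprintf` returns the length without it, so numeric keys would be deleted and registered under a key one byte short. `%ld` is also applied to `hash_key->h`, which looks unsigned. The function continues past the hunk, so the `efree(new_key)` on the new reject path below assumes no earlier cleanup label exists.

```c
	/* … unchanged: numeric-key and raw-key GLOBALS checks, string-key composition … */
	} else {
		new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h);
		new_key_len++; /* count the terminating NUL, as nKeyLength does */
	}

	/* reject the composed name as well: prefix + key may spell GLOBALS */
	if (new_key_len == sizeof("GLOBALS") && !memcmp(new_key, "GLOBALS", sizeof("GLOBALS"))) {
		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite.");
		efree(new_key);
		return 0;
	}
```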
@@ -3192,19 +3191,18 @@ res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg)); } - old_rg = PG(register_globals); if (argCount == 1) { - PG(register_globals) = 1; - sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC); + zval tmp; + Z_ARRVAL(tmp) = EG(active_symbol_table); + + sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC); } else { - PG(register_globals) = 0; /* Clear out the array that was passed in. */ zval_dtor(*arrayArg); array_init(*arrayArg); sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC); } - PG(register_globals) = old_rg; } /* }}} */ --- main/php_variables.c 2005-05-17 20:42:35.000000000 +0200 +++ main/php_variables.c 2005-11-01 00:42:56.000000000 +0100 @@ -16,7 +16,7 @@ | Zeev Suraski | +----------------------------------------------------------------------+ */ -/* $Id: php_variables.c,v 1.45.2.13 2005/05/17 18:42:35 iliaa Exp $ */ +/* $Id: php_variables.c,v 1.45.2.13.2.4 2005/10/02 11:33:27 rrichards Exp $ */ #include #include "php.h" @@ -73,6 +73,10 @@ symtable1 = Z_ARRVAL_P(track_vars_array); } else if (PG(register_globals)) { symtable1 = EG(active_symbol_table); + /* GLOBALS hijack attempt, reject parameter */ + if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)) { + return; + } } if (!symtable1) { /* Nothing to do */ @@ -99,6 +103,13 @@ zval_dtor(val); return; } + + /* GLOBALS hijack attempt, reject parameter */ + if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) { + zval_dtor(val); + return; + } + /* ensure that we don't have spaces or dots in the variable name (not binary safe) */ for (p=var; *p; p++) { switch(*p) {
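Review bot: In the one-argument branch of the string.c hunk at -3192, `zval tmp` reaches `sapi_module.treat_data` with only its array pointer set, leaving type, refcount and is_ref indeterminate. The php_variables.c hunk on this page reads only `Z_ARRVAL_P(track_vars_array)`, but any other treat_data implementation or a later type check would read garbage. I would initialise it fully: `INIT_ZVAL(tmp); Z_TYPE(tmp) = IS_ARRAY; Z_ARRVAL(tmp) = EG(active_symbol_table);`. A comment noting that `tmp` merely wraps the active symbol table and must never be destroyed would also help the next reader.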
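Review bot: The second clause of the new check in the php_variables.c hunk at -73 can never match an array-style name, because `strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)` still compares against the literal `"GLOBALS"` over eight bytes, NUL included. It is therefore equivalent to the first clause, and the literal should be `"GLOBALS["`: `!strncmp("GLOBALS[", var, sizeof("GLOBALS[")-1)`. This early `return` also skips the `zval_dtor(val);` that the reject path added at -99 performs, so the value looks leaked here. Neither test sees a name with leading spaces, which only the later check handles, if spaces are stripped in the part of the function outside these hunks.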