php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77494 Disabling class causes segfault on member access
Submitted: 2019-01-20 23:00 UTC Modified: 2019-03-07 14:10 UTC
From: 64796c6e69 at gmail dot com Assigned: dmitry (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 7.3Git-2019-01-20 (Git) OS: Linux
Private report: No CVE-ID: None
 [2019-01-20 23:00 UTC] 64796c6e69 at gmail dot com
Description:
------------
When CURLFile is disabled using disable_classes, curl_file_create() and new CURLFile() only give warnings. The class is still constructed even when strict types are enabled.

Worse, if the object was constructed with no arguments using either method, working with it further causes a segfault when the class is disabled. The segfault happens in interactive mode and CGI. I also tested CLI, which does not have the problem.

Another strange problem is that some longer filenames do not cause a segfault. For example, name the file file123456789.php, and the var_dump() line outputs NULL.

All of the described behavior happens in PHP 7.2 and the master branch from Git.

Test script:
---------------
CLI:
php-cgi -ddisable_classes=CURLFile -ffile.php

file.php:
<?php
$a = new CURLFile();
var_dump($a->name);

Expected result:
----------------
An error about the class being disabled.

Actual result:
--------------
<br />
<b>Warning</b>:  CURLFile() has been disabled for security reasons in <b>REDACTED/file.php</b> on line <b>2</b><br />
UNKNOWN:0
Segmentation fault (core dumped)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-01-21 01:14 UTC] stas@php.net
-Summary: Disabling CURLFile does not work +Summary: Disabling class causes segfault on member access -Type: Security +Type: Bug -Package: cURL related +Package: Scripting Engine problem -Assigned To: +Assigned To: dmitry
 [2019-01-21 01:14 UTC] stas@php.net
Looks like the problem happens because disabled class ctor is not calling object_properties_init, thus properties remain un-initialized when disabling the class and access to them results in accessing uninitialized data. 
Not sure why cli and CGI differ here - may be how memory allocator works there? Or maybe some switch I've missed?
Doesn't seem to be security issue since requires special user-side code. 

I am not super-familiar with new object code though so I think somebody like Nikita or Dmitry should take a look and see if my diagnosis is correct.
 [2019-01-24 03:27 UTC] laruence@php.net
I think it better to make all objects as Stdclass instances when it is initialized  by disabled classes
 [2019-01-24 10:10 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2019-01-24 10:10 UTC] dmitry@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 16:01:28 2024 UTC