php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #79877 getimagesize function silently truncates after a null byte
Submitted: 2020-07-21 05:49 UTC Modified: 2020-08-03 08:08 UTC
From: 1157599735 at qq dot com Assigned: stas (profile)
Status: Closed Package: Filesystem function related
PHP Version: 7.2 OS: Linux
Private report: No CVE-ID: None
 [2020-07-21 05:49 UTC] 1157599735 at qq dot com
Description:
------------
PHP_FUNCTION(getimagesize)
{
	php_getimagesize_from_any(INTERNAL_FUNCTION_PARAM_PASSTHRU, FROM_PATH);
}

static void php_getimagesize_from_any(INTERNAL_FUNCTION_PARAMETERS, int mode) {  /* {{{ */
	...

	ZEND_PARSE_PARAMETERS_START(1, 2)
		Z_PARAM_STRING(input, input_len)
		Z_PARAM_OPTIONAL
		Z_PARAM_ZVAL(info)
	ZEND_PARSE_PARAMETERS_END();

Test script:
---------------
➜  php-src git:(master) ✗ ./sapi/cli/php -v
PHP 8.0.0-dev (cli) (built: Jul 21 2020 10:28:32) ( NTS DEBUG )
Copyright (c) The PHP Group
Zend Engine v4.0.0-dev, Copyright (c) Zend Technologies
➜  php-src git:(master) ✗ ./sapi/cli/php -r 'var_dump(getimagesize("/tmp/a.png\0xx"));'
array(6) {
  [0]=>
  int(292)
  [1]=>
  int(67)
  [2]=>
  int(3)
  [3]=>
  string(23) "width="292" height="67""
  ["bits"]=>
  int(8)
  ["mime"]=>
  string(9) "image/png"
}


Expected result:
----------------
expects parameter 1 to be a valid path, string given in Command line code on line 1


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-07-21 09:11 UTC] cmb@php.net
-Status: Open +Status: Verified -PHP Version: 8.0.0alpha2 +PHP Version: 7.2 -Assigned To: +Assigned To: stas
 [2020-07-21 09:11 UTC] cmb@php.net
Suggested patch: <https://gist.github.com/cmb69/8913228da173d01a07a5c461d3f36b77>.

Stas, would you please handle this?
 [2020-07-21 09:30 UTC] remi@php.net
I think this minor issue can be classified as "low" and managed as normal bug per   https://wiki.php.net/security

Image path is usually not under user control (code access), and I don't see how this can be exploited as security.
 [2020-08-03 08:09 UTC] stas@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ff577b04c0d250473a0ef46f8e332960fec3ca2c
Log: Fix #79877: getimagesize function silently truncates after a null byte
 [2020-08-03 08:09 UTC] stas@php.net
-Status: Verified +Status: Closed
 [2020-08-03 08:09 UTC] stas@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ff577b04c0d250473a0ef46f8e332960fec3ca2c
Log: Fix #79877: getimagesize function silently truncates after a null byte
 [2020-08-03 08:09 UTC] stas@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4d2560dd6a115dee81821e2b0fe6751e61f5c2c0
Log: Fix #79877: getimagesize function silently truncates after a null byte
 [2020-08-03 08:10 UTC] stas@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=05c5c9370537ff2fc8d37629beb6ae8e354500c8
Log: Fix #79877: getimagesize function silently truncates after a null byte
 [2020-08-03 09:05 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=09171dc1d73a4239192cf6b80e66bfc055841dda
Log: Fix #79877: getimagesize function silently truncates after a null byte
 [2020-08-03 09:16 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ff577b04c0d250473a0ef46f8e332960fec3ca2c
Log: Fix #79877: getimagesize function silently truncates after a null byte
 [2020-08-03 09:16 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4d2560dd6a115dee81821e2b0fe6751e61f5c2c0
Log: Fix #79877: getimagesize function silently truncates after a null byte
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 15:01:29 2024 UTC