php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #28583 create_function() with NULL string introduces unexpected results
Submitted: 2004-05-30 21:36 UTC Modified: 2004-09-09 22:17 UTC
Votes:1
Avg. Score:2.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: jed at jed dot bz Assigned: hholzgra (profile)
Status: Not a bug Package: Unknown/Other Function
PHP Version: 5.0.0RC2 OS: Windows XP Pro
Private report: No CVE-ID: None
View Developer Edit
 [2004-05-30 21:36 UTC] jed at jed dot bz 
Description:
------------
Apache/2.0.49 (Win32) PHP/5.0.0RC2 Server

Using create_function() incorrectly, i.e.:

$y = create_function(NULL, "cos(4);");

...causes instability in PHP itself as no checking is done on the create_function() arguments. Every so often when this script is refreshed, PHP dumps all kinds of garbage followed by what appears to be HTTP headers (viewable in Mozilla Firefox 0.8):

=> d getallheaders 1 1 1 1 1 1 1 1 1 2 ) 1 1 1 1 1 1 [ 4 user 5 ] => 6 Array 1 1 1 1 1 1 1 1 2 ( 1 1 1 1 1 1 1 1 2 ) 1 2 ) 6 0 HTTP/1.1 200 OK Date: Sun, 30 May 2004 19:22:08 (...)

Then the actual script output starts, which is corrupted all the same. Internet Explorer 6 on the same page attempts to refresh the page automatically numerous times, and never finishes.

Could this possibly be the beginning of some kind of exploit in PHP? I have no idea what the output means but I submit it for the benefit of community review.

Reproduce code:
---------------
<?php
/* Refresh constantly to eventually see problem. */
$y = create_function(NULL, 'cos(4);');
print "<pre>";
$x = get_defined_functions();
print_r($x);
print "</pre>";
?>

Expected result:
----------------
Array
(
    [internal] => Array
        (
            [0] => zend_version

(...)

Actual result:
--------------
1 1 1 [ 2 65 5 ] => 8 unixtojd 1 1 1 1 1 1 1 1 1 1 1 1 1 1 [ 2 66 5 ] => 8 jdtounix 1 1 1 1 1 1 1 1 1 1 1 1 1 1 [ 2 67 5 ] => 9 cal_to_jd 1 1 1 1 1 1 1 1 1 1 1 1 1 1 [ 2 68 5 ] => b cal_from_jd 1 1 1 1 1 1 1 1 1 1 1 1 1 1 [ 2 69 5 ] => 11 cal_days_in_month 1 1 1 1 1 1 1 1 1 1 1 1 1 1 [ 2 70 5 ] => 8 cal_info 1 1 1 1 1 1 1 1 1 1 1 1 1 1 [ 2 71 5 ] => b variant_set 1 1 1 1 1 1 1 1 1 1 1 1 1 1 [ 2 72 5 ] => b variant_add 1 1 1 1 1 1 1 1 1 1 1 1 1 1 [ 2 73 5 ] => b variant_cat 1 1 1 1 1 1 1 1 1 1 1 1 1 1 [ 2 74 5 ] => b variant_sub 1 1 1 1 1 1 1 1 1 1 1 1 1 1 [ 2 75 5 ] => b variant_mul 1 1 1 1 1 1 1 1 1 1 1 1 1 1 [ 2 76 5 ] => b variant_and 1 1 1 1 1 1 1 1 1 1 1 1 1 1 [ 2 77 5 ] => b variant_div 1 1 1 1 1 1 1 1 1 1 1 1 1 1 [ 2 78 5 ] => b

(...)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-09-03 05:13 UTC] curt@php.net 
Thank you for taking the time to report a problem with PHP.
Unfortunately you are not using a current version of PHP -- 
the problem might already be fixed. Please download a new
PHP version from http://www.php.net/downloads.php

If you are able to reproduce the bug with one of the latest
versions of PHP, please change the PHP version on this bug report
to the version you tested and change the status back to "Open".
Again, thank you for your continued support of PHP.

I\'m unable to reproduce bug with current version of php5.
 [2004-09-09 04:34 UTC] jed at jed dot bz 
Closed, not bogus.
 [2004-09-09 08:03 UTC] derick@php.net 
We could not find a bug, so this bug report is bogus.
 [2004-09-09 22:17 UTC] jed at jed dot bz 
There needs to be more choices, then, because there definitely was a bug. And simply waiting for it to clear itself up and then instructing the submitter to upgrade, two versions and four months later, really makes the submitter feel he's done a good deed for the community.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Mon Dec 22 07:00:01 2025 UTC