Patches: fix-73911 (last revision 2017-01-12 01:30 UTC by cmb@php.net)
[2017-01-12 01:30 UTC] cmb@php.net
-Status: Open
+Status: Verified
-PHP Version: 7.1.0
+PHP Version: 5.6.29
[2017-01-12 01:30 UTC] cmb@php.net
[2017-01-12 01:31 UTC] cmb@php.net
-Operating System: BSD
+Operating System: *
[2017-01-16 01:35 UTC] stas@php.net
-Status: Verified
+Status: Closed
-Type: Security
+Type: Bug
-Assigned To:
+Assigned To: stas
[2017-01-16 01:35 UTC] stas@php.net
Last updated: Sun Oct 26 16:00:01 2025 UTC
Description:
------------
exif_imagetype doesn’t ensure that pathnames lack a NULL byte, which might allow an attacker to manipulate the file path.

===============================================
Affected code:

PHP_FUNCTION(exif_imagetype)
{
	char *imagefile;
	size_t imagefile_len;
	php_stream * stream;
	int itype = 0;

	if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &imagefile, &imagefile_len) == FAILURE) { /* <== THIS LINE */
		return;
	}
===============================================

Test script:
---------------
<?php
var_dump(exif_imagetype("./image.png\x00.gallery.jpg"));
?>

Expected result:
----------------
expected parameter instead of string

Actual result:
--------------
$ php curl.php
int(3)
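
The mismatch behind this report, as an added example that is not part of the report or of the PHP source: a length-counted string keeps the bytes after an embedded NUL, while any C-string file API stops at it, so a check on the full string and the file actually opened can disagree. `struct counted_str` and all function names are hypothetical, and the sample bytes are constructed from the report's test script.

```c
#include <stdio.h>
#include <string.h>

/* Length-counted string, standing in for how a PHP string argument reaches
 * an extension function (hypothetical type for this example). */
struct counted_str { const char *val; size_t len; };

/* Constructed input: the same bytes as the report's test script.
 * sizeof - 1 keeps the embedded NUL and drops only the terminator. */
static const char SAMPLE[] = "./image.png\0.gallery.jpg";
static const struct counted_str sample = { SAMPLE, sizeof(SAMPLE) - 1 };

/* Length a C-string file API would see: everything up to the first NUL. */
size_t c_visible_len(struct counted_str s) {
    const char *nul = memchr(s.val, '\0', s.len);
    return nul ? (size_t)(nul - s.val) : s.len;
}

/* True when the counted length and the C-visible length disagree. */
int has_embedded_nul(struct counted_str s) { return c_visible_len(s) != s.len; }

/* Suffix check over the full counted string, as a script-level filter would do. */
int ends_with(struct counted_str s, const char *suffix) {
    size_t n = strlen(suffix);
    return s.len >= n && memcmp(s.val + s.len - n, suffix, n) == 0;
}

/* Path validation before any file API is called: 0 = accept, -1 = reject. */
int validate_path(struct counted_str s) {
    return (s.len == 0 || has_embedded_nul(s)) ? -1 : 0;
}

int main(void) {
    printf("counted length %zu, C-visible length %zu\n",
           sample.len, c_visible_len(sample));
    printf("suffix check sees .jpg: %d\n", ends_with(sample, ".jpg"));
    printf("file API sees: %.*s\n", (int)c_visible_len(sample), sample.val);
    printf("validate_path: %d\n", validate_path(sample));
    return 0;
}
```

In PHP's own parameter parsing, the `p` type specifier of `zend_parse_parameters` applies this kind of check to path arguments, whereas `s` accepts any bytes.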