Request #39863 file_exists() silently truncates after a null byte
Submitted: 2006-12-18 08:46 UTC Modified: 2011-07-03 14:30 UTC
Votes:79
Avg. Score:4.8 ± 0.8
Reproduced:73 of 76 (96.1%)
Same Version:53 (72.6%)
Same OS:50 (68.5%)
From: djcapelis at gmail dot com Assigned: pajoye (profile)
Status: Closed Package: *General Issues
PHP Version: 4.4.4, 5.1.5 OS: Linux, MacOSX
Private report: No CVE-ID: 2006-7243

 [2006-12-18 08:46 UTC] djcapelis at gmail dot com
Description:
------------
file_exists() silently truncates anything after a null byte in a string.  This produces unexpected results in some circumstances and possibly would result in security problems for limited amounts of poorly written code.

include_once() for instance, provides the following:
"ALERT - Include filename truncated by a \0 after '/etc/passwd' (attacker 'REMOTE_ADDR not set', file '/home/djc/test.php', line 13)"

This seems like a sane way to handle it if truncating has to be done... though frankly since truncation will *always* produce the wrong result it might be nice to throw an error and stop processing.

Reproduce code:
---------------
<?php
$filename = "/etc/passwd\0" . ".someextension"; // "\0" embeds a NUL byte in the path

if (file_exists($filename))
{
       echo "The file " . $filename . " exists";
}
else
{
       echo "The file " . $filename . " does not exist";
}
}

?>

Expected result:
----------------
Expected:

$ php -n test.php
The file /etc/passwd.\0someextension does not exist

Actual result:
--------------
Actual:

$ php -n test.php
The file /etc/passwd.someextension exists

Patches

bug39863.phpt (last revision 2010-05-12 11:23 UTC by vanderaj at owasp dot org)

History

 [2006-12-20 09:47 UTC] djcapelis at gmail dot com
Sorry, testing was originally done using the hardened php patch here:  http://www.hardened-php.net/downloads.13.html  Without the patch, include_once() is just as vulnerable and silently readily embeds /etc/passwd right into the file.

Perhaps it would be a good idea to include that part of the patch into the main PHP distribution and fix the rest of the functions where this is a problem.

I just tested and PHP 5.1.5 is also vulnerable to both these issues.  (As was a Mac OSX system.)
 [2010-05-12 13:25 UTC] vanderaj at owasp dot org
I've tested this on CentOS 5.0 with a hand built 5.2.11 and Apple's build of PHP 5.3.1 on MacOS X 10.6.3, and both have this issue.

If you don't want to run a phpt, here's a more readable version of the previous test:

<?php
$filename = "/etc/passwd" . chr(0). ".ridiculous";

if (file_exists($filename))
{
       echo "FAIL: The file [" . $filename . "] exists, but clearly shouldn't.\n";
}
else
{
       echo "PASS: The file [" . $filename . "] does not exist.\n";
}
?>


I've included a PHP test script. It's my first phpt, so please be gentle.
 [2010-06-05 21:44 UTC] sixd@php.net
Automatic comment from SVN on behalf of sixd
Revision: http://svn.php.net/viewvc/?view=revision&revision=300213
Log: New test for file_exists (bug #39863).  It currently xfail's
 [2010-06-05 21:45 UTC] sixd@php.net
-Package: Feature/Change Request +Package: *General Issues
 [2010-06-05 21:45 UTC] sixd@php.net
I've merged the test as ext/standard/tests/file/bug39863.phpt
 [2010-11-18 16:22 UTC] pajoye@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=305507
Log: - fix #39863, do not accept paths with NULL in them. See http://news.php.net/php.internals/50191, trunk will have the patch later (adding a macro and/or changing (some) APIs. Patch by Rasmus
 [2010-11-18 17:21 UTC] pajoye@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: pajoye
 [2010-11-18 17:21 UTC] pajoye@php.net
Fixed in PHP_5_3, will be part of 5.3.4.

trunk still needs the fix, it will be done soonish.
 [2010-12-09 19:53 UTC] felipe@php.net
-CVE-ID: +CVE-ID: 2006-7243
 [2011-01-19 13:13 UTC] patrick at cookie dot monster dot org
Will this be fixed too in php 5.2.17?
 [2011-04-14 15:00 UTC] paul dot kraus at ag dot ny dot gov
Just compiled 5.3.6 on Solaris 10 / SPARC and `make test` reports "Bug #39863 (file_exists() silently truncates after a null byte) [ext/standard/test/file/bug39863.phpt] (warn: XFAIL section but test passes)" so it appears that this bug is NOT fixed as of 5.3.6 on Solaris 10 (unless I am misreading the test report).
 [2011-05-16 01:06 UTC] tyra3l at gmail dot com
The testcase is a little bit confusing:
it should fail until the bug is fixed, and because it was a known bug, it was marked as a failing test (XFAIL).
Now that the bug got fixed, but the test wasn't modified to reflect this, we got a situation where a test passed when it is expected to fail,
which means that the bug is fixed.
I will modify the TEST and remove the XFAIL mark, and if the pass fails in the future, that means that we got a regression.

Tyrael
 [2011-05-16 21:40 UTC] tyrael@php.net
Automatic comment from SVN on behalf of tyrael
Revision: http://svn.php.net/viewvc/?view=revision&revision=311103
Log: removing XFAIL as #39863 has already been fixed
 [2011-05-17 01:28 UTC] tyrael@php.net
Automatic comment from SVN on behalf of tyrael
Revision: http://svn.php.net/viewvc/?view=revision&revision=311114
Log: removing XFAIL as #39863 has already been fixed
 [2011-06-06 04:34 UTC] felipe@php.net
Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&revision=311855
Log: - Restore fix for #39863 (do not accept paths with NULL in them)
# This was removed by regenerating the VM months ago
 [2011-07-03 14:30 UTC] felipe@php.net
-Status: Assigned +Status: Closed
 [2011-07-03 14:30 UTC] felipe@php.net
This already has been fixed. Thanks.
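
The behaviour reported in this bug and the fix policy from the commit log ("do not accept paths with NULL in them"), sketched in C as an added example; this is not PHP's source code or the committed patch. `struct counted_str` and the function names are hypothetical, and the sample path is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical length-counted string: bytes plus explicit length, so it can
   hold NUL bytes. buf is assumed to be NUL-terminated at buf[len]. */
struct counted_str { const char *buf; size_t len; };

/* Offset of the first embedded NUL, or -1 if the path has none. */
long first_nul_offset(struct counted_str p) {
    const char *hit = memchr(p.buf, '\0', p.len);
    return hit ? (long)(hit - p.buf) : -1;
}

/* Before: the C API reads buf only up to the first NUL, so everything after
   it (here ".someextension") is silently ignored. */
int exists_truncating(struct counted_str p) {
    return access(p.buf, F_OK) == 0;
}

/* After: a path with an embedded NUL is rejected, never truncated. */
int exists_strict(struct counted_str p) {
    long off = first_nul_offset(p);
    if (off >= 0) {
        fprintf(stderr, "rejected: path has NUL after '%.*s'\n", (int)off, p.buf);
        return 0;
    }
    return p.len > 0 && access(p.buf, F_OK) == 0;
}

int main(void) {
    /* Constructed sample input: "/" exists on any POSIX system. */
    static const char raw[] = "/\0.someextension";
    struct counted_str bad = { raw, sizeof raw - 1 };
    struct counted_str good = { "/", 1 };
    printf("truncating(bad)=%d strict(bad)=%d strict(good)=%d\n",
           exists_truncating(bad), exists_strict(bad), exists_strict(good));
    return 0;
}
```

The truncating variant reports that the path exists because only "/" reaches the system call; the strict variant rejects the same input and logs the prefix before the NUL.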
 