Patches
apache_request_headers.phpt (last revision 2012-05-05 06:20 UTC by remi@php.net)
apache_request_headers.patch (last revision 2012-05-05 06:19 UTC by remi@php.net)
php-apache-request-headers.patch (last revision 2012-04-22 01:12 UTC by nyt-php at countercultured dot net)
[2012-04-22 01:13 UTC] nyt-php at countercultured dot net
[2012-04-22 01:13 UTC] nyt-php at countercultured dot net
-Type: Bug
+Type: Security
-Private report: No
+Private report: Yes
[2012-05-05 06:19 UTC] remi@php.net
[2012-05-05 06:20 UTC] remi@php.net
[2012-05-05 06:23 UTC] remi@php.net
[2012-05-20 17:51 UTC] felipe@php.net
-Status: Open
+Status: Assigned
-Assigned To:
+Assigned To: stas
-CVE-ID:
+CVE-ID: 2012-2329
[2012-05-20 19:50 UTC] stas@php.net
-Status: Assigned
+Status: Closed
[2012-05-20 19:50 UTC] stas@php.net
[2014-10-07 23:26 UTC] stas@php.net
[2014-10-07 23:37 UTC] stas@php.net
Copyright © 2001-2025 The PHP Group. All rights reserved.
Last updated: Sat Oct 25 21:00:01 2025 UTC
Description:
------------
Resubmitting since the patch didn't include last time, and I cannot view or edit my own security bug. Makes sense :(

apache_request_headers has a loop starting at line 1617 which copies the name of an environment variable while fixing case and converting '_' to '-'. This loop is only supposed to copy the variable name (e.g. Cookie from HTTP_COOKIE); however, it continues until the end of the entire environment variable. The problem is it is copying it into buffer t, which is a pointer to buf[128]. If the string being copied is longer than 128 bytes, it will overflow the buffer.

This seems to be present in 5.4.x.

Patch in case it doesn't include again:

diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
index 4643882..ef876fb 100644
--- a/sapi/cgi/cgi_main.c
+++ b/sapi/cgi/cgi_main.c
@@ -1614,7 +1614,9 @@ PHP_FUNCTION(apache_request_headers) /* {{{ */ var = q = t; *q++ = *p++; while (*p) { - if (*p == '_') { + if (*p == '=') { + break; + } else if (*p == '_') { *q++ = '-'; p++; if (*p) {

Test script:
---------------
Running roundcube with php 5.4 will trigger this bug due to the large amount of cookie data and other stack conditions. This is where I discovered it. The included patch fixes this bug.

Expected result:
----------------
PHP should function normally

Actual result:
--------------
PHP seg faults in zif_apache_request_headers

#5  0x000002dac7160040 in __stack_chk_fail () at stack_chk_fail.c:29
No locals.
#6  0x000000000074db0e in zif_apache_request_headers (ht=0, return_value=0x2dac596e180, return_value_ptr=0x3802d971bf0, this_ptr=0x6f72203b33396636, return_value_used=1685382481) at /tmp/buildd/php5-5.4.1~rc1/sapi/cgi/cgi_main.c:1647
        buf = "\023\000\000\000\000\000\000\000X-Roundcube-Request=4613f5de1ef497b2c16f60deb9be83de\000\060) gecko/20100101 firefox/11.0\000sviewsplitter=296; identviewsplitter"
        env = 0x3802d974638
        q = 0x3802d971bf0 "undcube-sessauth=sdcc36a0f8bd6c79753726fdf6b6818a276a2581a"
        var = 0x6f72203b33396636 <Address 0x6f72203b33396636 out of bounds>
        alloc_size = 128
        buf = "\023\000\000\000\000\000\000\000X-Roundcube-Request=4613f5de1ef497b2c16f60deb9be83de\000\060) gecko/20100101 firefox/11.0\000sviewsplitter=296; identviewsplitter"
        buf = "\023\000\000\000\000\000\000\000X-Roundcube-Request=4613f5de1ef497b2c16f60deb9be83de\000\060) gecko/20100101 firefox/11.0\000sviewsplitter=296; identviewsplitter"
#7  0x6f72203b33396636 in ?? ()
No symbol table info available.
#8  0x2d65627563646e75 in ?? ()
No symbol table info available.
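Review bot: the new `break` on '=' stops the copy at the end of the variable name, which removes the trigger the report describes, but nothing in the hunk bounds the copy against the 128-byte `buf` that `t` points to (the backtrace shows `alloc_size = 128`), so an HTTP_ variable whose name alone is longer than the buffer, or an entry with no '=' at all, still writes past it. Consider checking the remaining space before each `*q++` write, or measuring the name up to '=' first and switching to an allocation when it does not fit, alongside the new `break`. The hunk also ships without a regression test; the `apache_request_headers.phpt` listed under Patches is the natural place to exercise a long header name.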
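As an added example (not the reporter's patch and not PHP's own code), the C function below performs the header-name conversion the description talks about with both stop conditions in place: the copy ends at '=' and it never writes past the destination buffer, so an over-long name is rejected instead of overflowing. The canonicalisation rule (first character kept, later characters lower-cased, the character after each '_' upper-cased, '_' rewritten as '-') is assumed from the `X-Roundcube-Request` name visible in the backtrace; `header_name_from_env`, `name_length`, `name_matches`, `convert_overlong` and `HDR_BUF_SIZE` are names chosen here, and every environment entry used is constructed for the demonstration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed buffer the report describes (buf[128]); assumed here. */
#define HDR_BUF_SIZE 128

/*
 * Convert one CGI environment entry "HTTP_NAME_PARTS=value" into the
 * canonical header name "Name-Parts", written NUL-terminated into out.
 * Returns the name length, or -1 when the entry is not an HTTP_ header,
 * the name is empty, or the name does not fit in out.
 *
 * Two stop conditions the reported loop did not have:
 *   1. the copy ends at '=', so the value is never treated as part of the name;
 *   2. the copy ends before outlen bytes are written, whatever the input is.
 */
int header_name_from_env(const char *env, char *out, size_t outlen)
{
    const char *p;
    size_t n = 0;

    if (env == NULL || out == NULL || outlen == 0)
        return -1;
    if (strncmp(env, "HTTP_", 5) != 0)
        return -1;
    p = env + 5;
    if (*p == '\0' || *p == '=')
        return -1;                          /* empty header name */

    while (*p != '\0' && *p != '=') {
        if (n + 1 >= outlen)                /* keep room for the terminator */
            return -1;
        if (*p == '_') {
            out[n++] = '-';
            p++;
            /* the character after '_' starts a new word: upper-case it */
            if (*p != '\0' && *p != '=') {
                if (n + 1 >= outlen)
                    return -1;
                out[n++] = (char)toupper((unsigned char)*p);
                p++;
            }
        } else if (n == 0) {
            out[n++] = *p++;                /* first character copied as-is */
        } else {
            out[n++] = (char)tolower((unsigned char)*p++);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Convert into a buffer of the size the report mentions; return only the code. */
int name_length(const char *env)
{
    char buf[HDR_BUF_SIZE];
    return header_name_from_env(env, buf, sizeof buf);
}

/* Return 1 when env converts to exactly expected, else 0. */
int name_matches(const char *env, const char *expected)
{
    char buf[HDR_BUF_SIZE];
    if (header_name_from_env(env, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

/* Build a constructed entry "HTTP_" + name_len 'A's + "=v" and convert it:
 * a 127-character name fits in buf[128], 128 and longer are rejected. */
int convert_overlong(size_t name_len)
{
    char entry[512];
    if (name_len > sizeof entry - 8)
        return -1;
    memcpy(entry, "HTTP_", 5);
    memset(entry + 5, 'A', name_len);
    memcpy(entry + 5 + name_len, "=v", 3);  /* copies the NUL as well */
    return name_length(entry);
}

int main(void)
{
    /* constructed sample entries, including the header name seen in the report */
    const char *samples[] = {
        "HTTP_COOKIE=sessid=abc",
        "HTTP_X_ROUNDCUBE_REQUEST=4613f5de",
        "HTTP_HOST",              /* no '=' at all: copy is still bounded */
        "PATH=/usr/bin",          /* not a header: rejected */
    };
    char buf[HDR_BUF_SIZE];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = header_name_from_env(samples[i], buf, sizeof buf);
        printf("%-36s -> %s\n", samples[i], r < 0 ? "(rejected)" : buf);
    }
    printf("200-char name -> %d (rejected; would have overflowed buf[%d])\n",
           convert_overlong(200), HDR_BUF_SIZE);
    return 0;
}
```

The bound check sits before every write rather than once at the top, because the '_' branch writes two bytes per input character and a single up-front length test on the input would under-count the output in the other direction for names that shrink; checking the remaining space at each store is what keeps the copy correct for any input shape.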