PHP :: Bug #65309 :: copy of tainted variable makes original variable forget it was a reference

Bug #65309

copy of tainted variable makes original variable forget it was a reference

Submitted:

2013-07-22 09:53 UTC

Modified:

Votes:	1
Avg. Score:	4.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

bugzilla at ii dot nl

Assigned:

Status:

Open

Package:

taint (PECL)

PHP Version:

Irrelevant

OS:

Linux

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	bugzilla at ii dot nl
New email:
PHP Version:		OS:

New Comment:

[2013-07-22 09:53 UTC] bugzilla at ii dot nl

Description:
------------
A copy of https://github.com/laruence/php-taint/issues/9 , for anyone that hasn't found the link to github.

Copying a tainted function variable makes it forget that is was a reference. This is with php 5.3.10 (latest in ubuntu precise).

You'll see that the result of `checkEmailAddress` changes if we change the 'taintedness' of the variable given to the function.


Test script:
---------------
<?php

header('Content-Type: text/plain');

$string = 'foo@bar.com';

echo "input: ".$string."\n";
echo "expected result: @bar.com\n-----\n\n";

taint($string);
checkEmailAddress($string);

untaint($string);
checkEmailAddress($string);

function checkEmailAddress($address) {

        if ( is_tainted($address) ) {
                echo "with tainted variable:\n";
        } else {
                echo "with normal variable:\n";
        }

        $ret = getAddressSpec($address);

        echo "RESULT: ";
        var_dump($address);
        echo "\n\n";
}

function getAddressSpec(&$at) {

        echo "BEFORE CHANGE: ";
        var_dump($at);

        // This line is the problem. It works for tainted variables if we remove it.
        $oldat = $at;

        // Change contents of reference
        $at = '@bar.com';

        echo "AFTER CHANGE IN SAME FUNCTION: ";
        var_dump($at);
}
?>



Expected result:
----------------
input: foo@bar.com
expected result: @bar.com
-----

with tainted variable:
BEFORE CHANGE: string(11) "foo@bar.com"
AFTER CHANGE IN SAME FUNCTION: string(8) "@bar.com"
RESULT: string(8) "@bar.com"


with normal variable:
BEFORE CHANGE: string(11) "foo@bar.com"
AFTER CHANGE IN SAME FUNCTION: string(8) "@bar.com"
RESULT: string(8) "@bar.com"


Actual result:
--------------
input: foo@bar.com
expected result: @bar.com
-----

with tainted variable:
BEFORE CHANGE: &string(11) "foo@bar.com"
AFTER CHANGE IN SAME FUNCTION: string(8) "@bar.com"
RESULT: string(11) "foo@bar.com"


with normal variable:
BEFORE CHANGE: string(11) "foo@bar.com"
AFTER CHANGE IN SAME FUNCTION: string(8) "@bar.com"
RESULT: string(8) "@bar.com"

Patches

Pull Requests

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Apr 03 01:01:30 2025 UTC