Sec Bug #69719 Incorrect handling of paths with NULs, related to bug 69353
Submitted: 2015-05-28 12:00 UTC Modified: 2016-02-11 12:48 UTC
From: thoger at redhat dot com Assigned: stas (profile)
Status: Closed Package: *General Issues
PHP Version: 5.6.9 OS:
Private report: No CVE-ID: 2015-4598
 [2015-05-28 12:00 UTC] thoger at redhat dot com
Description:
------------
The fix for bug 69353 addresses multiple issues of PHP APIs accepting paths with a NUL character and passing truncated paths to underlying libraries.

https://bugs.php.net/bug.php?id=69353
http://git.php.net/?p=php-src.git;a=commitdiff;h=52b93f0cfd3cba7ff98cc5198df6ca4f23865f80

Reviewing the changes, I noticed the following inconsistencies:

* DOMDocument's load functions were fixed, but not save:

$ ./sapi/cli/php -r '$d = new DOMDocument(); $d->loadHTMLFile("/etc/issue"); @unlink("output"); $d->save("output\0extra"); var_dump(file_exists("output"));'
bool(true)

$ ./sapi/cli/php -r '$d = new DOMDocument(); $d->loadHTMLFile("/etc/issue"); @unlink("output"); $d->saveHTMLFile("output\0extra"); var_dump(file_exists("output"));'
bool(true)

* GD imagepsencodefont() was fixed. That has to be called after imagepsloadfont(), and that still passes the 's' format to zend_parse_parameters(). I've not tested this one as I don't have a build with Type1 font support available.
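
The truncation reported above, reproduced outside PHP as an added C example (not php-src code and not part of the original report): a length-counted string like PHP's is handed to fopen(), first with the length ignored, as happens when a path is taken with the 's' format, then behind an embedded-NUL check. The function names and the /tmp/nulpath_demo path are assumptions made for the demo.

```c
#include <stdio.h>
#include <string.h>

/* 'Before': the counted length is ignored, so the C library only sees the
 * bytes up to the first NUL ("name\0extra" is opened as "name"). */
int save_unchecked(const char *path, size_t len, const char *data) {
    (void)len;
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(data, f);
    fclose(f);
    return 0;
}

/* 'After': reject any path whose counted bytes contain a NUL before the
 * path can reach fopen(). Returns -2 on rejection. */
int save_checked(const char *path, size_t len, const char *data) {
    if (memchr(path, '\0', len) != NULL) return -2;
    return save_unchecked(path, len, data);
}

int file_exists(const char *path) {
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    fclose(f);
    return 1;
}

int main(void) {
    /* Constructed input: the counted length covers "\0extra" as well. */
    static const char path[] = "/tmp/nulpath_demo\0extra";
    size_t len = sizeof path - 1;

    remove("/tmp/nulpath_demo");
    int rc = save_checked(path, len, "x");
    int ex = file_exists("/tmp/nulpath_demo");
    printf("checked:   rc=%d truncated file exists=%d\n", rc, ex);

    rc = save_unchecked(path, len, "x");
    ex = file_exists("/tmp/nulpath_demo");
    printf("unchecked: rc=%d truncated file exists=%d\n", rc, ex);

    remove("/tmp/nulpath_demo");
    return 0;
}
```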


 [2015-05-28 18:11 UTC] cmb@php.net
-Type: Bug
+Type: Security
-Private report: No
+Private report: Yes
 [2015-06-10 04:40 UTC] stas@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: stas
 [2015-06-10 04:40 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2015-06-10 07:42 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8fc52d77d6f66c438c98d536e2309b5fd13f90de
Log: Fix #69719 - more checks for nulls in paths
 [2015-06-10 08:50 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f7d7befae8bcc2db0093f8adaa9f72eeb7ad891e
Log: Fix #69719 - more checks for nulls in paths
 [2015-06-10 09:15 UTC] jpauli@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=58e590aac6839ace470650c58bf418e5fa637eb3
Log: Fix #69719 - more checks for nulls in paths
 [2016-02-11 12:48 UTC] kaplan@php.net
-CVE-ID:
+CVE-ID: 2015-4598
 
Last updated: Tue Dec 03 17:01:29 2024 UTC