|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2017-01-16 01:35 UTC] stas@php.net
-Status: Open
+Status: Closed
-Type: Security
+Type: Bug
-PHP Version: 7.1.0
+PHP Version: 5.6.29
-Assigned To:
+Assigned To: stas
[2017-01-16 01:35 UTC] stas@php.net
[2017-01-16 07:03 UTC] max at cert dot cx
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Fri May 09 17:01:28 2025 UTC |
Description: ------------ Missing null byte checks for paths in curlfile_ctor() curl_file_create() doesn’t ensure that pathnames lack NULL byte, which might allow attacker to manipulate the upload file name and path. Affected code: ================================== static void curlfile_ctor(INTERNAL_FUNCTION_PARAMETERS) { char *fname = NULL, *mime = NULL, *postname = NULL; size_t fname_len, mime_len, postname_len; zval *cf = return_value; if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|ss", &fname, &fname_len, &mime, &mime_len, &postname, &postname_len) == FAILURE) { ⇐==== return; } ================================== Affected function: ================================== CURLFile curl_file_create ( string $filename [, string $mimetype [, string $postname ]] ) ================================== type of parameters filename to change. From a security perspective, You may consider changing the type of parameter postname Best, Maksymilian Arciemowicz Test script: --------------- <?php $request = curl_init('http://127.0.0.1/print.php'); curl_setopt($request, CURLOPT_POST, true); $args['file'] = curl_file_create("./test.test\0.file.to.send.png", "image/png", "test.test\0.file.to.send.png"); curl_setopt($request, CURLOPT_POSTFIELDS, $args); echo curl_exec($request); curl_close($request); Expected result: ---------------- warning Actual result: -------------- uploaded test.test and name Array ( [file] => Array ( [name] => test.test