Bug #9870 PHP dies with segfault when a post request has no content-type
Submitted: 2001-03-20 09:06 UTC
Modified: 2001-03-21 04:13 UTC
From: teo at gecadsoftware dot com
Assigned:
Status: Closed
Package: HTTP related
PHP Version: 4.0.4pl1
OS: SuSE7.0
Private report: No
CVE-ID: None

 

 [2001-03-20 09:06 UTC] teo at gecadsoftware dot com
[Tue Mar 20 15:09:20 2001] [error] PHP Warning:  No content-type in POST request in Unknown on line 0
Unknown(0) : Warning - No content-type in POST request

Program received signal SIGSEGV, Segmentation fault.
0x400c2073 in strstr () at ../sysdeps/generic/strstr.c:125
125     ../sysdeps/generic/strstr.c: No such file or directory.
(gdb) bt
#0  0x400c2073 in strstr () at ../sysdeps/generic/strstr.c:125
#1  0x401aef39 in rfc1867_post_handler () at rfc1867.c:426
#2  0x401abdd3 in sapi_handle_post () at SAPI.c:54
#3  0x401b0532 in php_treat_data () at php_variables.c:190
#4  0x401a9274 in php_hash_environment () at main.c:1039
#5  0x401a8836 in php_request_startup () at main.c:588
#6  0x401a4fa8 in apache_php_module_main () at sapi_apache.c:98
#7  0x401a5d69 in send_php () at mod_php4.c:433
#8  0x401a5db3 in send_parsed_php () at mod_php4.c:433
#9  0x8076669 in ap_invoke_handler ()
#10 0x808c05f in process_request_internal ()
#11 0x808c0d2 in ap_process_request ()
#12 0x8082c76 in child_main ()
#13 0x8082e55 in make_child ()
#14 0x8082fd6 in startup_children ()
#15 0x808365c in standalone_main ()
#16 0x8083eac in main ()
#17 0x40083a8e in __libc_start_main () at ../sysdeps/generic/libc-start.c:93
(gdb) 

How to reproduce:
<body>
<form action="/phpinfo.php" method="post" enctype="multipart/form-data">
Some text here:<input type="text" name="v1"><br>
File here: <input type="file" name="test"><br>
<input type="submit">
</form>
</body>

Using Netscape on Linux, upload a file, then hit
reload (Meta-r) three times. NS will repost it only
two times, then complain /tmp/ns131323gibberish is not
found [a temp file in which it composes the multipart
post]

3rd time when you post it, it won't send proper Content-Type
header and hence the Warning.

The offending code is:
 boundary = strstr(content_type_dup, "boundary");
in main/rfc1867.c:441

Patch:
check content_type_dup for null before strstr()-ing it.
[suggestion]

--- rfc1867.c   Fri Dec  8 18:21:47 2000
+++ /tmp/rfc1867.c  Tue Mar 20 15:59:39 2001
@@ -438,6 +438,11 @@
        return;
    }

+   if (!content_type_dup) {
+       sapi_module.sapi_error(E_COMPILE_ERROR, "Missing headers in multipart/form-data POST data");
+       return;
+   }
+
    boundary = strstr(content_type_dup, "boundary");
    if (!boundary || !(boundary=strchr(boundary, '='))) {
        sapi_module.sapi_error(E_COMPILE_ERROR, "Missing boundary in multipart/form-data POST data");
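Review bot: The message on the added guard, "Missing headers in multipart/form-data POST data", does not say which header is absent. The condition tested is a NULL content_type_dup, so name Content-Type in the text; that keeps this log line distinguishable from the "Missing boundary" error raised a few lines below. It is also worth considering whether the test belongs where content_type_dup is assigned, which is outside this hunk, so that no later use in the function can see a NULL pointer.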

have fun,
--teodor

 [2001-03-20 09:19 UTC] sniper@php.net
This is fixed in CVS. A bit differently though.
The check for content_type_dup is put a bit earlier
so it doesn't even get into the handler if it's null.

Try the latest CVS snapshot from http://snaps.php.net/

--Jani
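
The two placements of the NULL check discussed in this report, side by side, as an added example that is not PHP's source code. The function names, the status enum and the sample header values are assumptions made for this sketch, and the media-type match is simplified to a case-sensitive prefix compare.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes for this sketch (not PHP's). */
enum post_status { POST_OK = 0, POST_NO_CONTENT_TYPE, POST_NO_BOUNDARY };

/* Handler-level guard, the placement in the submitted patch: refuse a NULL
 * content type before strstr() can dereference it. On success *boundary
 * points at the text after '=' inside content_type. */
static enum post_status multipart_boundary(const char *content_type,
                                           const char **boundary)
{
    const char *p;

    *boundary = NULL;
    if (content_type == NULL)
        return POST_NO_CONTENT_TYPE;
    p = strstr(content_type, "boundary");
    if (p == NULL || (p = strchr(p, '=')) == NULL)
        return POST_NO_BOUNDARY;
    *boundary = p + 1;
    return POST_OK;
}

/* Dispatcher-level guard, the placement described for the CVS fix: a POST
 * without a Content-Type never reaches a content-type-specific handler. */
static enum post_status handle_post(const char *content_type,
                                    const char **boundary)
{
    static const char mp[] = "multipart/form-data";

    *boundary = NULL;
    if (content_type == NULL || *content_type == '\0')
        return POST_NO_CONTENT_TYPE;
    if (strncmp(content_type, mp, sizeof(mp) - 1) != 0)
        return POST_OK; /* other content types are out of scope here */
    return multipart_boundary(content_type, boundary);
}

int main(void)
{
    const char *b;
    /* Constructed inputs: the third repost from the report has no header. */
    printf("no header: %d\n", handle_post(NULL, &b));
    printf("with boundary: %d\n",
           handle_post("multipart/form-data; boundary=----x1", &b));
    return 0;
}
```

Keeping both guards means the handler stays safe even if another caller reaches it without going through the dispatcher.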

 [2001-03-21 04:13 UTC] teo at gecadsoftware dot com
K, thanks Jani

can you have a look/an opinion if this strstr() stuff
is not exploitable, given the fact that it's triggered
by malformed user data (in this case the post data) ?

 