|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2003-03-12 03:44 UTC] vesely at tana dot it
Hi,
watch out rfc1867.c around line 342, in function
next_line() there is (was?) the following code:
if (ptr) {
/* ... */
} else {
/* ... */
line[self->bufsize] = 0;
self->buf_begin = ptr; /* <=== */
self->bytes_in_buffer = 0;
}
ptr is obviously NULL, buf_begin should never be NULL
or the program may crash. So this is a potential
vulnerability for DOS attackers who submit long lines.
Since you're there, would you mind to check why at line
721, in the rfc1867_post_handler function, there is
boundary_end = strchr(boundary, ',');
Shouldn't it be ';' (semicolon) rather than ',' (comma)?
(Just wandering)
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Fri Oct 24 03:00:02 2025 UTC |
> buf_begin can be NULL, no DOS possible -> BOGUS1 it is not initialized to NULL, it is never tested for not being NULL, and around line 232, function fill_buffer if (self->bytes_in_buffer > 0 && self->buf_begin != self->buffer) { memmove(self->buffer, self->buf_begin, self->bytes_in_buffer); } should grant the job will be done. Why do you say it can be NULL? If I have some more time next week I'll try and prepare a proof of concept. > searching for ',' is correct this works around a bug > in some IE version -> BOGUS2 Ha ha! I should have guessed it... :-)