php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #39863 file_exists() silently truncates after a null byte
Submitted: 2006-12-18 08:46 UTC Modified: 2011-07-03 14:30 UTC
Votes:79
Avg. Score:4.8 ± 0.8
Reproduced:73 of 76 (96.1%)
Same Version:53 (72.6%)
Same OS:50 (68.5%)
From: djcapelis at gmail dot com Assigned: pajoye
Status: Closed Package: *General Issues
PHP Version: 4.4.4, 5.1.5 OS: Linux, MacOSX
Private report: No CVE-ID: 2006-7243
 [2006-12-18 08:46 UTC] djcapelis at gmail dot com
Description:
------------
file_exists() silently truncates anything after a null byte in a string.  This produces unexpected results in some circumstances and possibly would result in security problems for limited amounts of poorly written code.

include_once() for instance, provides the following:
"ALERT - Include filename truncated by a \0 after '/etc/passwd' (attacker 'REMOTE_ADDR not set', file '/home/djc/test.php', line 13)"

This seems like a sane way to handle it if truncating has to be done... though frankly since truncation will *always* produce the wrong result it might be nice to throw an error and stop processing.

Reproduce code:
---------------
<?php
$filename = "/etc/passwd^@" . ".someextension";

if (file_exists($filename))
{
       echo "The file " . $filename . "exists";
}
else
{
       echo "The file " . $filename . "does not exist";
}

?>

Expected result:
----------------
Expected:

$ php -n test.php
The file /etc/passwd.\0someextension does not exist

Actual result:
--------------
Actual:

$ php -n test.php
The file /etc/passwd.someextension exists

Patches

bug39863.phpt (last revision 2010-05-12 11:23 UTC) by vanderaj at owasp dot org)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-12-20 09:47 UTC] djcapelis at gmail dot com
Sorry, testing was originally done using the hardened php patch here:  http://www.hardened-php.net/downloads.13.html  Without the patch, include_once() is just as vulnerable and silently readily embeds /etc/passwd right into the file.

Perhaps it would be a good idea to include that part of the patch into the main PHP distribution and fix the rest of the functions where this is a problem.

I just tested and PHP 5.1.5 is also vulnerable to both these issues.  (As was a Mac OSX system.)
 [2010-05-12 13:25 UTC] vanderaj at owasp dot org
I've tested this on CentOS 5.0 with a hand built 5.2.11 and Apple's build of PHP 
5.3.1 on MacOS X 10.6.3, and both have this issue. 

If you don't want to run a phpt, here's some a more readable version of the 
previous test:

<?php
$filename = "/etc/passwd" . chr(0). ".ridiculous";

if (file_exists($filename))
{
       echo "FAIL: The file [" . $filename . "] exists, but clearly 
shouldn't.\n";
}
else
{
       echo "PASS: The file [" . $filename . "] does not exist.\n";
}
?>


I've included a PHP test script. It's my first phpt, so please be gentle.
 [2010-06-05 21:44 UTC] sixd@php.net
Automatic comment from SVN on behalf of sixd
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=300213
Log: New test for file_exists (bug #39863).  It currently xfail's
 [2010-06-05 21:45 UTC] sixd@php.net
-Package: Feature/Change Request +Package: *General Issues
 [2010-06-05 21:45 UTC] sixd@php.net
I've merged the test as ext/standard/tests/file/bug39863.phpt
 [2010-11-18 16:22 UTC] pajoye@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=305507
Log: - fix #39863, do not accept paths with NULL in them. See http://news.php.net/php.internals/50191, trunk will have the patch later (adding a macro and/or changing (some) APIs. Patch by Rasmus
 [2010-11-18 17:21 UTC] pajoye@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: pajoye
 [2010-11-18 17:21 UTC] pajoye@php.net
Fixed in PHP_5_3, will be part of 5.3.4.

trunk still needs the fix, it will be done soonish.
 [2010-12-09 19:53 UTC] felipe@php.net
-CVE-ID: +CVE-ID: 2006-7243
 [2011-01-19 13:13 UTC] patrick at cookie dot monster dot org
Will this be fixed too in php 5.2.17?
 [2011-04-14 15:00 UTC] paul dot kraus at ag dot ny dot gov
Just compiled 5.3.6 on Solaris 10 / SPARC and `make test` reports "Bug #39863 (file_exists() silently truncates after a null byte) [ext/standard/test/file/bug39863.phpt] (warn: XFAIL section but test passes)" so it appears that this bug is NOT fixed as of 5.3.6 on Solaris 10 (unless I am misreading the test report).
 [2011-05-16 01:06 UTC] tyra3l at gmail dot com
the testcase a little bit confusing:
it should fail until the bug is fixed, and because it was a known bug, it was 
marked as a failing test (XFAIL)
now that the bug got fixed, but the test wasn't modified to reflect this, we got a 
situation, when an test passed when it is expected to fail.
which means that the bug is fixed.
I will modify the TEST and remove the XFAIL mark, and if the pass fails in the 
future, that means that we got a regression.

Tyrael
 [2011-05-16 21:40 UTC] tyrael@php.net
Automatic comment from SVN on behalf of tyrael
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=311103
Log: removing XFAIL as #39863 has already been fixed
 [2011-05-17 01:28 UTC] tyrael@php.net
Automatic comment from SVN on behalf of tyrael
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=311114
Log: removing XFAIL as #39863 has already been fixed
 [2011-06-06 04:34 UTC] felipe@php.net
Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=311855
Log: - Restore fix for #39863 (do not accept paths with NULL in them)
# This was removed by regenerating the VM months ago
 [2011-07-03 14:30 UTC] felipe@php.net
-Status: Assigned +Status: Closed
 [2011-07-03 14:30 UTC] felipe@php.net
This already has been fixed. Thanks.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 17 16:02:22 2014 UTC