Bug #45568 [PATCH] ISAPI doesn't properly clear auth_digest in header
Submitted: 2008-07-19 23:31 UTC Modified: 2008-07-31 00:49 UTC
Votes: 3
Avg. Score: 4.3 ± 0.9
Reproduced: 2 of 2 (100.0%)
Same Version: 2 (100.0%)
Same OS: 2 (100.0%)
From: navara at emclient dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.2.6 OS: Windows
Private report: No CVE-ID:
 [2008-07-19 23:31 UTC] navara at emclient dot com
Description:
------------
The crash happens when the client sends an HTTP_AUTHORIZATION header starting with "Digest " once and then makes another request with no authorization specified. The underlying reason is that SG(request_info).auth_digest is set on the first request and later freed when the request is finished, but SG(request_info).auth_digest is never cleared. Thus on the next request SG(request_info).auth_digest still contains the old pointer, and once request shutdown is performed the already-freed pointer is accessed.

The patch below fixes it, though using sapi_initialize_empty_request in the appropriate place might be a better fix.

--- sapi\isapi\php5isapi.c
+++ sapi\isapi\php5isapi.c
@@ -711,6 +711,7 @@
 		case SF_NOTIFY_PREPROC_HEADERS:
 			SG(request_info).auth_user = NULL;
 			SG(request_info).auth_password = NULL;
+			SG(request_info).auth_digest = NULL;
 			break;
 		case SF_NOTIFY_AUTHENTICATION: {
 				char *auth_user = ((HTTP_FILTER_AUTHENT *) pvNotification)->pszUser;
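Review bot: the added `SG(request_info).auth_digest = NULL;` in the SF_NOTIFY_PREPROC_HEADERS case only resets the field when that filter notification runs, while the pointer actually goes stale at the moment the previous request's shutdown frees it; clearing the field at the point of free, or reinitialising the whole request_info (sapi_initialize_empty_request, as the description itself suggests), would not depend on every entry path remembering each field. A one-line comment here stating why all three auth pointers must be reset would also help, since the next field added to request_info will otherwise be missed in exactly the same way.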
@@ -745,7 +746,7 @@
 	SG(request_info).content_length = lpECB->cbTotalBytes;
 	SG(sapi_headers).http_response_code = 200;  /* I think dwHttpStatusCode is invalid at this stage -RL */
 	if (!bFilterLoaded) { /* we don't have valid ISAPI Filter information */
-		SG(request_info).auth_user = SG(request_info).auth_password = NULL;
+		SG(request_info).auth_user = SG(request_info).auth_password = SG(request_info).auth_digest = NULL;
 	}
 
 #ifdef WITH_ZEUS
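Review bot: the widened chained assignment in the `!bFilterLoaded` branch now duplicates the reset sequence of the SF_NOTIFY_PREPROC_HEADERS case, so the two paths can drift apart again the next time a field is added; a single small helper (or one sapi_initialize_empty_request call, as the description proposes) used from both places would keep them in step. The line is also much wider than its neighbours; three separate assignments, as in the filter case above, match the file's existing style.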



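The request lifecycle the report describes, as an added C model that is not code from php5isapi.c: a hypothetical stand-in for SG(request_info), a header pass that assigns auth_digest only when a "Digest " Authorization header is present, and a shutdown that frees auth_digest without resetting the field. A validity flag stands in for the allocator so the stale pointer is reported instead of freed twice; the `patched` argument toggles the one-line fix from the patch.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for SG(request_info); field names follow the report. */
struct request_info {
    char *auth_user;
    char *auth_password;
    char *auth_digest;
};

static struct request_info g_request_info; /* persists across requests, like SG() */
static int g_digest_valid;                 /* 1 while auth_digest points at live memory */

static char *dup_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Header pass: auth_user/auth_password are always reset; auth_digest is reset only
 * when 'patched' is set and assigned only when a "Digest " header arrives. */
static void preproc_headers(const char *authorization, int patched) {
    g_request_info.auth_user = NULL;
    g_request_info.auth_password = NULL;
    if (patched)
        g_request_info.auth_digest = NULL;
    if (authorization && strncmp(authorization, "Digest ", 7) == 0) {
        g_request_info.auth_digest = dup_string(authorization + 7);
        g_digest_valid = 1;
    }
}

/* Shutdown frees auth_digest but, as in the report, leaves the field set.
 * Returns 1 instead of freeing when the field still holds an already-freed pointer. */
static int request_shutdown(void) {
    if (g_request_info.auth_digest == NULL)
        return 0;
    if (!g_digest_valid)
        return 1;                      /* stale pointer left over from an earlier request */
    free(g_request_info.auth_digest);
    g_digest_valid = 0;                /* freed, but the pointer is not cleared */
    return 0;
}

/* Constructed two-request sequence from the report: a Digest header once, then a
 * request with no Authorization header. Returns 1 if the second shutdown hits the stale pointer. */
int run_scenario(int patched) {
    memset(&g_request_info, 0, sizeof g_request_info);
    g_digest_valid = 0;
    preproc_headers("Digest username=\"alice\", realm=\"example\"", patched);
    request_shutdown();
    preproc_headers(NULL, patched);
    return request_shutdown();
}
```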
 [2008-07-31 00:49 UTC] jani@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Patch applied, thanks!
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 25 07:02:14 2014 UTC