Bug #45568 [PATCH] ISAPI doesn't properly clear auth_digest in header
Submitted: 2008-07-19 23:31 UTC Modified: 2008-07-31 00:49 UTC
Avg. Score:4.3 ± 0.9
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: navara at emclient dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.2.6 OS: Windows
Private report: No CVE-ID:
 [2008-07-19 23:31 UTC] navara at emclient dot com
The crash happens when the client sends an HTTP_AUTHORIZATION header starting with "Digest " once and then makes another request with no authorization request specified. The underlying reason is that SG(request_info).auth_digest is set on the first request and later freed when the request is finished, but SG(request_info).auth_digest is never cleared. Thus on the next request SG(request_info).auth_digest still contains the old pointer, and once the request shutdown is performed the already freed pointer is accessed.

The patch below fixes it, though using sapi_initialize_empty_request in an appropriate place might be a better fix.

--- sapi\isapi\php5isapi.c
+++ sapi\isapi\php5isapi.c
@@ -711,6 +711,7 @@
 			SG(request_info).auth_user = NULL;
 			SG(request_info).auth_password = NULL;
+			SG(request_info).auth_digest = NULL;
 				char *auth_user = ((HTTP_FILTER_AUTHENT *) pvNotification)->pszUser;
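Review bot: The `@@ -711,6 +711,7 @@` header promises six old lines and seven new ones, but only three context lines and the one addition are shown, and the `char *auth_user` declaration sits one indent deeper than the assignments above it, so at least a block-opening line is missing and this hunk will not apply as posted; please regenerate the diff with full context. The added `SG(request_info).auth_digest = NULL;` belongs next to the auth_user and auth_password resets, but a short comment saying why it is needed (the pointer is freed at request shutdown) would keep it from being dropped in a later cleanup.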
@@ -745,7 +746,7 @@
 	SG(request_info).content_length = lpECB->cbTotalBytes;
 	SG(sapi_headers).http_response_code = 200;  /* I think dwHttpStatusCode is invalid at this stage -RL */
 	if (!bFilterLoaded) { /* we don't have valid ISAPI Filter information */
-		SG(request_info).auth_user = SG(request_info).auth_password = NULL;
+		SG(request_info).auth_user = SG(request_info).auth_password = SG(request_info).auth_digest = NULL;
 #ifdef WITH_ZEUS
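Review bot: On the changed line inside `if (!bFilterLoaded)`, the three-way chained assignment is now the second hand-maintained copy of the auth field reset (the first is in the hunk at line 711), and keeping two lists in sync by hand is how auth_digest can be missed. Consider a single helper that resets all three fields, or sapi_initialize_empty_request as the report itself suggests, and at minimum split the chain into one assignment per line with a comment that auth_digest is freed at request shutdown and must not carry over into the next request.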


 [2008-07-31 00:49 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

Patch applied, thanks!
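
The request lifecycle described in the report, reduced to a small model. This is an added example, not code from PHP or from the patch: `struct request_info`, the slot allocator and all function names are hypothetical, and the header value is constructed. A slot allocator stands in for the heap so that releasing an already released buffer is counted rather than executed.

```c
#include <string.h>

/* Hypothetical stand-in for the per-worker SG(request_info) state; not PHP source. */
struct request_info { char *auth_digest; };

/* Slot allocator: a second release of the same buffer is counted, not executed. */
enum { SLOTS = 4, SLOT_SZ = 64 };
static char slot_buf[SLOTS][SLOT_SZ];
static int  slot_live[SLOTS], stale_frees;

static char *slot_dup(const char *s) {
    for (int i = 0; i < SLOTS; i++) {
        if (slot_live[i]) continue;
        slot_live[i] = 1;
        strncpy(slot_buf[i], s, SLOT_SZ - 1);   /* last byte is never written, stays NUL */
        return slot_buf[i];
    }
    return NULL;
}

static void slot_free(char *p) {
    size_t i = (size_t)((char (*)[SLOT_SZ])p - slot_buf);
    if (!slot_live[i]) { stale_frees++; return; }   /* pointer was already released */
    slot_live[i] = 0;
}

/* Request start; authz is NULL when the client sent no Authorization header. */
static void request_startup(struct request_info *ri, const char *authz, int patched) {
    if (patched) ri->auth_digest = NULL;            /* the reset the patch adds */
    if (authz && strncmp(authz, "Digest ", 7) == 0)
        ri->auth_digest = slot_dup(authz + 7);
}

/* Request end: releases the buffer but leaves the field pointing at it. */
static void request_shutdown(struct request_info *ri) {
    if (ri->auth_digest) slot_free(ri->auth_digest);
}

/* One worker, two requests: Digest header first, then no header (constructed input). */
int stale_frees_after_two_requests(int patched) {
    struct request_info ri = { NULL };
    memset(slot_live, 0, sizeof slot_live);
    stale_frees = 0;
    request_startup(&ri, "Digest username=\"demo\"", patched);
    request_shutdown(&ri);
    request_startup(&ri, NULL, patched);
    request_shutdown(&ri);
    return stale_frees;
}
```

Without the reset the second shutdown releases the first request's buffer again; with it the stale pointer is gone before shutdown runs.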
Last updated: Fri Oct 09 23:01:32 2015 UTC