|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2009-08-18 12:03 UTC] jost_boekemeier at users dot sf dot net
Description:
------------
You are right, when calling fopen("php://input", "r") PHP version 5 may crash or hang. Please do not use it until this PHP5 bug is fixed.
I have looked at php 5.2.5. In php_fopen_wrapper.c line 81 it reads the raw_post_data and then increments the SG(read_post_bytes) even though it hasn't read anything. The result is that SG(read_post_bytes) is twice the CONTENT_LENGTH size, causing all sorts of strage side effects later on.
Reproduce code:
---------------
Current code from http://svn.php.net/viewvc/php/php-src/trunk/ext/standard/php_fopen_wrapper.c?revision=276986&view=markup
if(SG(request_info).raw_post_data) { /* data has already been read by a post handler */
read_bytes = SG(request_info).raw_post_data_length - *position;
...
SG(read_post_bytes) += read_bytes;
Suggested fix; make read_bytes a local var:
size_t read_bytes = SG(request_info).raw_post_data_length - *position;
^^^^^^^
Expected result:
----------------
SG(read_post_bytes) == CONTENT_LENGTH
Actual result:
--------------
SG(read_post_bytes) 2 times CONTENT_LENGTH
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Nov 21 15:01:30 2024 UTC |
diff -u /home/jost/php-5.2.5/ext/standard/php_fopen_wrapper.c\~ /home/jost/php- 5.2.5/ext/standard/php_fopen_wrapper.c --- /home/jost/php-5.2.5/ext/standard/php_fopen_wrapper.c~ 2007-10-04 15:31:11.000000000 +0200 +++ /home/jost/php-5.2.5/ext/standard/php_fopen_wrapper.c 2009-08-19 08:26:01.000000000 +0200 @@ -78,7 +78,7 @@ if(!stream->eof) { if(SG(request_info).raw_post_data) { /* data has already been read by a post handler */ - read_bytes = SG(request_info).raw_post_data_length - *position; + size_t read_bytes = SG(request_info).raw_post_data_length - *position; if(read_bytes <= count) { stream->eof = 1; } else { @@ -86,7 +86,9 @@ } if(read_bytes) { memcpy(buf, SG(request_info).raw_post_data + *position, read_bytes); + *position += read_bytes; } + return read_bytes; } else if(sapi_module.read_post) { read_bytes = sapi_module.read_post(buf, count TSRMLS_CC); if(read_bytes <= 0){ Diff finished. Wed Aug 19 08:26:08 2009A simple test case (for those who can't read code): REDIRECT_STATUS="200" CONTENT_TYPE="application/x-www-form-urlencoded" SCRIPT_FILENAME="test.php" REQUEST_METHOD="POST" GATEWAY_INTERFACE="CGI/1.1" CONTENT_LENGTH="1" strace /usr/bin/php-cgi.bin </dev/zero <?php $file = fopen("php://input", "r"); $str = fread($file, 1024); fclose($file); ?> => read(0, "\0"..., 1) = 1 ... read(3, "<?php\n$file = fopen(\"php://input\""..., 4096) = 88 _llseek(3, 0, [0], SEEK_SET) = 0 setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={30, 0}}, NULL) = 0 rt_sigaction(SIGPROF, {0x81ff8c0, [PROF], SA_RESTART}, {0x81ff8c0, [PROF], SA_RESTART}, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [PROF], NULL, 8) = 0 ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbfd94038) = -1 ENOTTY (Inappropriate ioctl for device) read(3, "<?php\n$file = fopen(\"php://input\""..., 8192) = 88 read(3, ""..., 4096) = 0 read(3, ""..., 8192) = 0 close(3) = 0 write(1, "X-Powered-By: PHP/5.2.6"..., 23X-Powered-By: PHP/5.2.6) = 23 write(1, "\r\n"..., 2 ) = 2 write(1, "Content-type: text/html"..., 23Content-type: text/html) = 23 write(1, "\r\n"..., 2 ) = 2 write(1, "\r\n"..., 2 ) = 2 write(1, "\n\n"..., 2 ) = 2 read(0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 3999) = 3999 read(0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 3999) = 3999 read(0, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 3999) = 3999 ....