PHP :: Bug #58906 :: Non string params array value crashes PHP

Bug #58906	Non string params array value crashes PHP
Submitted:	2009-10-19 12:04 UTC	Modified:	2009-10-25 00:43 UTC
From:	andrew at topdog dot za dot net	Assigned:
Status:	Closed	Package:	oauth (PECL)
PHP Version:	5.2.10	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

[2009-10-19 12:04 UTC] andrew at topdog dot za dot net

Description:
------------
The oauth_http_build_query does not verify the data that the user submits via the extra_parameters array in the fetch method.

param_value = oauth_url_encode(Z_STRVAL_PP((zval**)cur_val)); 

This assumes that the user submits a string value in the extra_parameters array, if however the user submits an integer value as the array value, PHP crashes with out of bounds memory error. 

-Works
$arrayResp = $o->fetch("https://fireeagle.yahooapis.com/api/0.1/update",array("postal" => "95054"));

-Crashes
$arrayResp = $o->fetch("https://fireeagle.yahooapis.com/api/0.1/update",array("postal" => 95054));

Reproduce code:
---------------
This will crash.

$arrayResp = $o->fetch("https://fireeagle.yahooapis.com/api/0.1/update",array("postal" => 95054));

This does not as it is a string.

$arrayResp = $o->fetch("https://fireeagle.yahooapis.com/api/0.1/update",array("postal" => "95054"));

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-10-25 00:43 UTC] datibbaw@php.net

This is fixed in the trunk:

http://svn.php.net/viewvc?view=revision&revision=289198

Duplicate of #16853

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Jul 12 08:01:30 2025 UTC