php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #65309 copy of tainted variable makes original variable forget it was a reference
Submitted: 2013-07-22 09:53 UTC Modified: -
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: bugzilla at ii dot nl Assigned:
Status: Open Package: taint (PECL)
PHP Version: Irrelevant OS: Linux
Private report: No CVE-ID: None
 [2013-07-22 09:53 UTC] bugzilla at ii dot nl
Description:
------------
A copy of https://github.com/laruence/php-taint/issues/9 , for anyone that hasn't found the link to github.

Copying a tainted function variable makes it forget that is was a reference. This is with php 5.3.10 (latest in ubuntu precise).

You'll see that the result of `checkEmailAddress` changes if we change the 'taintedness' of the variable given to the function.


Test script:
---------------
<?php

header('Content-Type: text/plain');

$string = 'foo@bar.com';

echo "input: ".$string."\n";
echo "expected result: @bar.com\n-----\n\n";

taint($string);
checkEmailAddress($string);

untaint($string);
checkEmailAddress($string);

function checkEmailAddress($address) {

        if ( is_tainted($address) ) {
                echo "with tainted variable:\n";
        } else {
                echo "with normal variable:\n";
        }

        $ret = getAddressSpec($address);

        echo "RESULT: ";
        var_dump($address);
        echo "\n\n";
}

function getAddressSpec(&$at) {

        echo "BEFORE CHANGE: ";
        var_dump($at);

        // This line is the problem. It works for tainted variables if we remove it.
        $oldat = $at;

        // Change contents of reference
        $at = '@bar.com';

        echo "AFTER CHANGE IN SAME FUNCTION: ";
        var_dump($at);
}
?>



Expected result:
----------------
input: foo@bar.com
expected result: @bar.com
-----

with tainted variable:
BEFORE CHANGE: string(11) "foo@bar.com"
AFTER CHANGE IN SAME FUNCTION: string(8) "@bar.com"
RESULT: string(8) "@bar.com"


with normal variable:
BEFORE CHANGE: string(11) "foo@bar.com"
AFTER CHANGE IN SAME FUNCTION: string(8) "@bar.com"
RESULT: string(8) "@bar.com"


Actual result:
--------------
input: foo@bar.com
expected result: @bar.com
-----

with tainted variable:
BEFORE CHANGE: &string(11) "foo@bar.com"
AFTER CHANGE IN SAME FUNCTION: string(8) "@bar.com"
RESULT: string(11) "foo@bar.com"


with normal variable:
BEFORE CHANGE: string(11) "foo@bar.com"
AFTER CHANGE IN SAME FUNCTION: string(8) "@bar.com"
RESULT: string(8) "@bar.com"


Patches

Pull Requests

 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 14:01:29 2024 UTC