PHP :: Bug #65309 :: copy of tainted variable makes original variable forget it was a reference

Bug #65309

copy of tainted variable makes original variable forget it was a reference

Submitted:

2013-07-22 09:53 UTC

Modified:

Votes:	1
Avg. Score:	4.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

bugzilla at ii dot nl

Assigned:

Status:

Open

Package:

taint (PECL)

PHP Version:

Irrelevant

OS:

Linux

Private report:

CVE-ID:

None

View Developer Edit

[2013-07-22 09:53 UTC] bugzilla at ii dot nl

Description:
------------
A copy of https://github.com/laruence/php-taint/issues/9 , for anyone that hasn't found the link to github.

Copying a tainted function variable makes it forget that is was a reference. This is with php 5.3.10 (latest in ubuntu precise).

You'll see that the result of `checkEmailAddress` changes if we change the 'taintedness' of the variable given to the function.


Test script:
---------------
<?php

header('Content-Type: text/plain');

$string = 'foo@bar.com';

echo "input: ".$string."\n";
echo "expected result: @bar.com\n-----\n\n";

taint($string);
checkEmailAddress($string);

untaint($string);
checkEmailAddress($string);

function checkEmailAddress($address) {

        if ( is_tainted($address) ) {
                echo "with tainted variable:\n";
        } else {
                echo "with normal variable:\n";
        }

        $ret = getAddressSpec($address);

        echo "RESULT: ";
        var_dump($address);
        echo "\n\n";
}

function getAddressSpec(&$at) {

        echo "BEFORE CHANGE: ";
        var_dump($at);

        // This line is the problem. It works for tainted variables if we remove it.
        $oldat = $at;

        // Change contents of reference
        $at = '@bar.com';

        echo "AFTER CHANGE IN SAME FUNCTION: ";
        var_dump($at);
}
?>



Expected result:
----------------
input: foo@bar.com
expected result: @bar.com
-----

with tainted variable:
BEFORE CHANGE: string(11) "foo@bar.com"
AFTER CHANGE IN SAME FUNCTION: string(8) "@bar.com"
RESULT: string(8) "@bar.com"


with normal variable:
BEFORE CHANGE: string(11) "foo@bar.com"
AFTER CHANGE IN SAME FUNCTION: string(8) "@bar.com"
RESULT: string(8) "@bar.com"


Actual result:
--------------
input: foo@bar.com
expected result: @bar.com
-----

with tainted variable:
BEFORE CHANGE: &string(11) "foo@bar.com"
AFTER CHANGE IN SAME FUNCTION: string(8) "@bar.com"
RESULT: string(11) "foo@bar.com"


with normal variable:
BEFORE CHANGE: string(11) "foo@bar.com"
AFTER CHANGE IN SAME FUNCTION: string(8) "@bar.com"
RESULT: string(8) "@bar.com"

Patches

Pull Requests

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Apr 01 22:01:29 2025 UTC