|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2015-04-10 12:46 UTC] thoger at redhat dot com
Description:
------------
After seeing CVE-2015-2348 and CVE-2014-5120, which are both 5.4+ regressions of parts of the CVE-2006-7243 fix, I ran some quick testing to catch more similar regressions (only for ext/standard). Here are few more issues I noticed. Tested on 5.5.23, quick look at git 5.6 branch suggests 5.6 should be affected similarly.
* set_include_path - not sure if this can use 5.4-like fix using zend_parse_parameters() 'p' format, or needs 5.3-like fix with strlen(new_value) != new_value_len
$ php -r 'var_dump(set_include_path("/path/to/php\0extra")); echo get_include_path()."\n";'
string(32) ".:/usr/share/pear:/usr/share/php"
/path/to/php
* tempnam - dir is checked to be path and not contain \0, prefix is not
$ php -r 'var_dump(tempnam("/tmp\0extra", "prefix"));'
PHP Warning: tempnam() expects parameter 1 to be a valid path, string given in Command line code on line 1
NULL
$ php -r 'var_dump(tempnam("/tmp/", "prefix\0extra"));'
string(17) "/tmp/prefixh3EaGL"
* rmdir
$ php -r 'var_dump(rmdir("/tmp/foo\0extra"));'
PHP Warning: rmdir(/tmp/foo): No such file or directory in Command line code on line 1
bool(false)
* readlink
$ php -r 'var_dump(readlink("/bin/sh\0extra"));'
string(4) "bash"
For reference, here are links for CVE-2006-7243 fixes in 5.3 and 5.4:
5.3 http://git.php.net/?p=php-src.git;a=commitdiff;h=ce96fd6
5.4 http://git.php.net/?p=php-src.git;a=commitdiff;h=32b5f8a
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Nov 21 11:01:29 2024 UTC |
[yohgaki@dev php-src]$ php -r 'ini_set("open_basedir","/tmp/foo\0bar"); var_dump(ini_get("open_basedir"));' string(8) "/tmp/foo" Looks like we need to check path related codes to be complete.