php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #69487 SAPI may truncate POST data
Submitted: 2015-04-20 10:21 UTC Modified: 2015-08-10 23:53 UTC
From: erik at datahack dot se Assigned: cmb
Status: Closed Package: *Web Server problem
PHP Version: PHP 5.6.12RC1 OS: *
Private report: No CVE-ID:
 [2015-04-20 10:21 UTC] erik at datahack dot se
Description:
------------
If the SAPI fails to write the POST data to disk (eg. due to file system full or tmp folder is non-writable for other reasons), The PHP interpreter will get an incomplete/truncated POST request. This is very bad for data consistency if data is lost upon POST.

One workaround in the PHP script would be to check the content-length against the length of php://input.

if (count($_POST) &&
    (int)$_SERVER['CONTENT_LENGTH'] != strlen(file_get_contents("php://input"))) 
 ...

display_startup_errors triggers only a warning if the file can't be created (but the data is still corrupted). There are two cases that can happen and shouldn't result in corrupt data.

1. Temp file cannot be created
2. Data cannot be written to temp file

https://github.com/php/php-src/blob/master/main/SAPI.c#L288

Test script:
---------------
If sys_temp_dir can't be written to this will cause corrupt data.

<?php
if (count($_POST)) {
	echo strlen(file_get_contents("php://input"))."<br>";
	echo file_get_contents("php://input")."<br>";
}
?>
<form method="post">
<input type="hidden" name="data" value="<?php echo str_repeat("x", 16384).str_repeat("y", 16384).str_repeat("z", 16384); ?>">
<input type="submit">
</form>

Expected result:
----------------
No POST data or an internal error would be better than just continue with corrupt data...

Actual result:
--------------
PHP continues to process the request with corrupt data.

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-08-04 21:24 UTC] cmb@php.net
-Summary: SAPI may cause truncated POST data +Summary: SAPI may truncate POST data -Status: Open +Status: Analyzed -Operating System: +Operating System: * -PHP Version: Irrelevant +PHP Version: PHP 5.6.12RC1 -Assigned To: +Assigned To: cmb
 [2015-08-04 21:24 UTC] cmb@php.net
Indeed, such data loss would be a bad thing. Of course, we should
check whether the read_bytes are actually written by
php_stream_write()[1]. What to do otherwise might be not so
obvious, but the simplest solution would be to bail out with
E_ERROR. As this error condition is supposed to be *very* rare,
the simple handling seems to be appropriate.

[1] <https://github.com/php/php-src/blob/php-7.0.0beta2/main/SAPI.c#L288>
 [2015-08-07 14:49 UTC] mike@php.net
-1 on E_ERROR

I'd rather suggest clearing the input stream an generating an E_WARNING to inform the system administrator.
 [2015-08-09 23:46 UTC] cmb@php.net
-Assigned To: cmb +Assigned To:
 [2015-08-09 23:46 UTC] cmb@php.net
Okay, Mike. :) I've submitted PR #1465.
 [2015-08-10 23:44 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=48c71cd94bc5ed580c010fc5baef6f3a19309c88
Log: Fix #69487: SAPI may truncate POST data
 [2015-08-10 23:44 UTC] cmb@php.net
-Status: Analyzed +Status: Closed
 [2015-08-10 23:53 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2015-08-10 23:53 UTC] cmb@php.net
The fix for this bug has been committed.

Thank you for the report, and for helping us make PHP better.
 [2015-08-18 16:24 UTC] ab@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=48c71cd94bc5ed580c010fc5baef6f3a19309c88
Log: Fix #69487: SAPI may truncate POST data
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Feb 26 21:01:35 2017 UTC