|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-07-02 08:21 UTC] stas@php.net
-Type: Security
+Type: Bug
[2016-07-02 08:21 UTC] stas@php.net
[2016-07-02 08:22 UTC] stas@php.net
-Package: Directory function related
+Package: Session related
[2016-07-03 01:31 UTC] laruence@php.net
[2016-07-03 01:31 UTC] laruence@php.net
-Status: Open
+Status: Closed
[2016-07-06 05:47 UTC] davey@php.net
[2016-07-20 11:30 UTC] davey@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Sun Oct 27 16:01:27 2024 UTC |
Description: ------------ ext/session/mod_files.c:276 static int ps_files_cleanup_dir(const char *dirname, zend_long maxlifetime) { ... char buf[MAXPATHLEN]; ... dirname_len = strlen(dirname); memcpy(buf, dirname, dirname_len); ... buf is static buffer declared with size MAXPATHLEN ( 256 bytes ) length of dirname never check with MAXPATHLEN when dirname len > 256 it will overflow When run php under debugger we observered: Breakpoint 2, ps_files_cleanup_dir (dirname=0xf7a72000 'A' <repeats 200 times>..., maxlifetime=0x5a0) at /home/suto/php-src-master/ext/session/mod_files.c:298 298 memcpy(buf, dirname, dirname_len); gdb$ p dirname_len $1 = 0xfb0 0xfb0 is len of directory we created and larger more than 256. Test script: --------------- $fname = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/"; $dirname = str_repeat($fname,16); //wp_mkdir_p($dirname); Make a directory with name $fname ini_set('session.save_path',$dirname); ini_set('session.gc_probability', 1000); session_start();