Bug #73911 Missing null byte checks for paths in exif_imagetype
Submitted: 2017-01-10 20:36 UTC Modified: 2017-01-16 01:35 UTC
From: max at cert dot cx Assigned: stas (profile)
Status: Closed Package: EXIF related
PHP Version: 5.6.29 OS: *
Private report: No CVE-ID: None
 [2017-01-10 20:36 UTC] max at cert dot cx
exif_imagetype doesn't ensure that pathnames lack a NULL byte, which might allow an attacker to manipulate the file path.

Affected code:
    char *imagefile;
    size_t imagefile_len;
    php_stream * stream;
    int itype = 0;
    if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &imagefile, &imagefile_len) == FAILURE) { /* <== THIS LINE */

Test script:

Expected result:
expected parameter instead of string

Actual result:
$ php curl.php 
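
The check the report asks for, as an added example that is not part of the original report or of the PHP source: the "s" specifier on the marked line accepts a length-counted string with any bytes in it, whereas PHP's "p" (path) specifier also rejects strings that contain a NUL byte. The struct, function names and sample inputs below are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Length-counted string as a script runtime hands it to native code.
   Hypothetical type for this example, not PHP's own string struct. */
struct counted_str { const char *val; size_t len; };

#define LIT(s) { s, sizeof(s) - 1 }

/* Constructed sample inputs. */
static const struct counted_str sample_clean = LIT("upload/a.jpg");
static const struct counted_str sample_nul   = LIT("upload/a.txt\0.jpg");

/* Length a NUL-terminated API (fopen, open, stat) would actually see. */
size_t c_visible_len(const struct counted_str *s)
{
    const char *nul = memchr(s->val, '\0', s->len);
    return nul ? (size_t)(nul - s->val) : s->len;
}

/* 0 and a NUL-terminated copy in out if the argument is usable as a path,
   -1 if it has an embedded NUL or does not fit. Reject, never truncate. */
int path_arg_checked(const struct counted_str *s, char *out, size_t outsz)
{
    if (c_visible_len(s) != s->len) return -1;
    if (s->len >= outsz) return -1;
    memcpy(out, s->val, s->len);
    out[s->len] = '\0';
    return 0;
}

int main(void)
{
    const struct counted_str *in[] = { &sample_clean, &sample_nul };
    char path[64];
    for (size_t i = 0; i < 2; i++) {
        int rc = path_arg_checked(in[i], path, sizeof path);
        printf("script length %zu, C-visible length %zu: %s\n",
               in[i]->len, c_visible_len(in[i]),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The mismatch between the two lengths is the whole problem: any validation done on the script-level string sees 17 bytes, while the file API sees 12.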


fix-73911 (last revision 2017-01-12 01:30 UTC by

 [2017-01-12 01:30 UTC]
-Status: Open
+Status: Verified
-PHP Version: 7.1.0
+PHP Version: 5.6.29
 [2017-01-12 01:30 UTC]
The following patch has been added/updated:

Patch Name: fix-73911
Revision:   1484184632
 [2017-01-12 01:31 UTC]
-Operating System: BSD
+Operating System: *
 [2017-01-16 01:35 UTC]
-Status: Verified
+Status: Closed
-Type: Security
+Type: Bug
-Assigned To:
+Assigned To: stas
 [2017-01-16 01:35 UTC]
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at

 For Windows:
Thank you for the report, and for helping us make PHP better.
