Bug #73911 Missing null byte checks for paths in exif_imagetype
Submitted: 2017-01-10 20:36 UTC Modified: 2017-01-16 01:35 UTC
From: max at cert dot cx Assigned: stas (profile)
Status: Closed Package: EXIF related
PHP Version: 5.6.29 OS: *
Private report: No CVE-ID: None
 [2017-01-10 20:36 UTC] max at cert dot cx
Description:
------------
exif_imagetype doesn't ensure that pathnames lack a NULL byte, which might allow an attacker to manipulate the file path.

===============================================
Affected code:
PHP_FUNCTION(exif_imagetype)
{
    char *imagefile;
    size_t imagefile_len;
    php_stream * stream;
    int itype = 0;

    if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &imagefile, &imagefile_len) == FAILURE) { /* <== THIS LINE */
        return;
    }
===============================================

Test script:
---------------
<?php
var_dump(exif_imagetype("./image.png\x00.gallery.jpg"));
?>

Expected result:
----------------
expected parameter instead of string

Actual result:
--------------
$ php curl.php 
int(3)
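The defect the report points at is the parameter specifier: "s" accepts any byte string, while "p" (path) rejects a string whose engine length differs from its C-string length, i.e. one with an embedded NUL. Every C file API the extension hands the path to (fopen, stat, open) stops at that byte, so the reporter's "./image.png\0.gallery.jpg" is opened as "./image.png". The following C program is an added example, not PHP's source: it implements the same length check with standard memchr, shows the path a C-string API would actually see, and wraps it in a hypothetical guarded_imagetype_open() to illustrate where the guard belongs. The input string is the one from the report, constructed inline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* True if the length-aware buffer contains a NUL before its end.
 * This is the condition the "p" specifier rejects (engine length !=
 * C-string length); "s" never performs it. Standard memchr, so no
 * dependence on strnlen availability. */
bool path_has_embedded_nul(const char *s, size_t len)
{
    return memchr(s, '\0', len) != NULL;
}

/* Length of the path a C-string API (fopen, stat, ...) would actually
 * consume: everything up to the first NUL. */
size_t effective_path_len(const char *s, size_t len)
{
    const char *nul = memchr(s, '\0', len);
    return nul ? (size_t)(nul - s) : len;
}

/* Hypothetical guarded entry point (assumption, not exif_imagetype's
 * real code). Returns 0 when the path is rejected up front, as "p"
 * would do with a parameter error, and 1 when it is clean and would be
 * passed on to the file layer. */
int guarded_imagetype_open(const char *path, size_t len)
{
    if (path_has_embedded_nul(path, len)) {
        return 0;
    }
    /* A real implementation would fopen(path) and sniff the header here. */
    return 1;
}

int main(void)
{
    /* Constructed input: the reporter's test string with its embedded NUL.
     * sizeof includes the terminating NUL, so subtract one: 24 bytes,
     * with the embedded NUL at offset 11. */
    static const char attack[] = "./image.png\0.gallery.jpg";
    size_t attack_len = sizeof(attack) - 1;
    static const char clean[] = "./image.png";

    printf("attack: engine length %zu, C-string length %zu, accepted=%d\n",
           attack_len, effective_path_len(attack, attack_len),
           guarded_imagetype_open(attack, attack_len));
    printf("clean:  engine length %zu, accepted=%d\n",
           sizeof(clean) - 1,
           guarded_imagetype_open(clean, sizeof(clean) - 1));
    return 0;
}
```

Running it shows the 24-byte engine string collapsing to an 11-byte path at the C boundary and the guarded wrapper refusing it, while the plain "./image.png" passes. The same check applies to any extension that receives a path from userland and forwards it to a C-string API, which is why the fix is to change the specifier rather than to patch one call site.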

Patches

fix-73911 (last revision 2017-01-12 01:30 UTC by cmb@php.net)
History

 [2017-01-12 01:30 UTC] cmb@php.net
-Status: Open +Status: Verified -PHP Version: 7.1.0 +PHP Version: 5.6.29
 [2017-01-12 01:30 UTC] cmb@php.net
The following patch has been added/updated:

Patch Name: fix-73911
Revision:   1484184632
URL:        https://bugs.php.net/patch-display.php?bug=73911&patch=fix-73911&revision=1484184632
 [2017-01-12 01:31 UTC] cmb@php.net
-Operating System: BSD +Operating System: *
 [2017-01-16 01:35 UTC] stas@php.net
-Status: Verified +Status: Closed -Type: Security +Type: Bug -Assigned To: +Assigned To: stas
 [2017-01-16 01:35 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 16:01:29 2024 UTC