Bug #73911 Missing null byte checks for paths in exif_imagetype
Submitted: 2017-01-10 20:36 UTC Modified: 2017-01-16 01:35 UTC
From: max at cert dot cx Assigned: stas (profile)
Status: Closed Package: EXIF related
PHP Version: 5.6.29 OS: *
Private report: No CVE-ID: None
 [2017-01-10 20:36 UTC] max at cert dot cx
Description:
------------
exif_imagetype doesn’t ensure that pathnames lack a NULL byte, which might allow an attacker to manipulate the file path.

===============================================
Affected code:
PHP_FUNCTION(exif_imagetype)
{
    char *imagefile;
    size_t imagefile_len;
    php_stream * stream;
    int itype = 0;
 
    if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &imagefile, &imagefile_len) == FAILURE) { ⇐== THIS LINE
        return;
    }
===============================================

Test script:
---------------
<?php
var_dump(exif_imagetype("./image.png\x00.gallery.jpg"));
?>

Expected result:
----------------
expected parameter instead of string

Actual result:
--------------
$ php curl.php 
int(3)
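
Why the `"s"` format specifier is the problem, as an added C illustration that is not part of this report or of PHP's own source: with `"s"` the argument is binary-safe and its length is tracked separately, but the NUL-terminated C file APIs underneath stop at the first NUL byte, so the path opened differs from the path the caller passed. The `"p"` specifier rejects such strings up front; the functions below are hypothetical stand-ins that reproduce that check on the report's own test input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Equivalent of the "p" (path) check: the len-byte buffer must contain no NUL,
 * so the path seen by C file APIs equals the path the PHP caller passed. */
bool path_is_nul_free(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) == NULL;
}

/* Length of the path as a NUL-terminated API (fopen, open, stat) would see it. */
size_t c_visible_len(const char *buf, size_t len)
{
    const char *nul = memchr(buf, '\0', len);
    return nul ? (size_t)(nul - buf) : len;
}

/* Hypothetical hardened entry point: refuse the argument instead of silently
 * truncating it, which is what switching the format spec from "s" to "p" does. */
int exif_imagetype_path_check(const char *buf, size_t len, char *out, size_t out_sz)
{
    if (!path_is_nul_free(buf, len) || len + 1 > out_sz) {
        return -1; /* PHP would raise "expected parameter 1 to be a valid path" */
    }
    memcpy(out, buf, len);
    out[len] = '\0';
    return 0;
}

/* Convenience wrapper: does the hardened check accept this buffer? */
bool hardened_accepts(const char *buf, size_t len)
{
    char out[256];
    return exif_imagetype_path_check(buf, len, out, sizeof out) == 0;
}

int main(void)
{
    /* Constructed input: the same string as the report's test script. */
    const char payload[] = "./image.png\0.gallery.jpg";
    size_t payload_len = sizeof(payload) - 1; /* 24 bytes, NUL at offset 11 */
    printf("caller passed %zu bytes, C APIs would open %zu: \"%s\"\n",
           payload_len, c_visible_len(payload, payload_len), payload);
    printf("hardened check: %s\n",
           hardened_accepts(payload, payload_len) ? "accepted" : "rejected (embedded NUL)");
    return 0;
}
```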

Patches

fix-73911 (last revision 2017-01-12 01:30 UTC by cmb@php.net)


History

 [2017-01-12 01:30 UTC] cmb@php.net
-Status: Open +Status: Verified -PHP Version: 7.1.0 +PHP Version: 5.6.29
 [2017-01-12 01:30 UTC] cmb@php.net
The following patch has been added/updated:

Patch Name: fix-73911
Revision:   1484184632
URL:        https://bugs.php.net/patch-display.php?bug=73911&patch=fix-73911&revision=1484184632
 [2017-01-12 01:31 UTC] cmb@php.net
-Operating System: BSD +Operating System: *
 [2017-01-16 01:35 UTC] stas@php.net
-Status: Verified +Status: Closed -Type: Security +Type: Bug -Assigned To: +Assigned To: stas
 [2017-01-16 01:35 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Sep 09 07:01:27 2024 UTC