php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75077 syslog messages need to be checked for conformance with RFC-3164 and RFC-5424
Submitted: 2017-08-15 20:47 UTC Modified: 2021-07-30 10:55 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: philipp at redfish-solutions dot com Assigned: cmb (profile)
Status: Closed Package: Unknown/Other Function
PHP Version: 7.1.8 OS: linux 4.9.40
Private report: No CVE-ID: None
 [2017-08-15 20:47 UTC] philipp at redfish-solutions dot com
Description:
------------
This issue came up in the discussions for bz #74860.

Basically, the only type of message explicitly and unequivocally allowed by the Syslog RFC's is NVT ASCII (i.e. hex characters 0x20-0x7E).

UTF-8 maybe used in compressed (shortest form) but it must be prefixed with a BOM (0xEF,0xBB,0xBF).

Also, see the discussion for PR #2674.



Test script:
---------------
<?php

ini_set("error_log", "syslog");

error_log("h\364pital stra\337e", 0);

error_log("this string \321\032\003", 0);

?>


Expected result:
----------------
It's not obvious what the correct behavior is in legacy cases which violate the RFC's.



Actual result:
--------------
Aug 15 14:43:07 ubuntu16 php7.0: h?pital stra?e
Aug 15 14:43:07 ubuntu16 php7.0: this string ?#032#003


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-08-16 19:16 UTC] philipp at redfish-solutions dot com
The more I think about this, the less I think it should be a security bug since there's nothing specific to PHP that makes it the vulnerability.  Can we please change this to "BUG" instead?
 [2017-08-19 04:35 UTC] stas@php.net
-Type: Security +Type: Bug -Package: Output Control +Package: Unknown/Other Function
 [2021-07-30 10:52 UTC] cmb@php.net
-Status: Open +Status: Closed -Package: Unknown/Other Function +Package: *Network Functions -Assigned To: +Assigned To: cmb
 [2021-07-30 10:52 UTC] cmb@php.net
As of PHP 7.3.0, you can set syslog.filter=ascii[1] what escapes
all non-printable ASCII characters.  It seems to me that is
sufficient to comply to these RFCs.

[1] <https://www.php.net/manual/en/errorfunc.configuration.php#ini.syslog.filter>
 [2021-07-30 10:55 UTC] cmb@php.net
-Package: *Network Functions +Package: Unknown/Other Function
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Dec 04 18:01:31 2024 UTC