PHP :: Bug #75077 :: syslog messages need to be checked for conformance with RFC-3164 and RFC-5424

Bug #75077

syslog messages need to be checked for conformance with RFC-3164 and RFC-5424

Submitted:

2017-08-15 20:47 UTC

Modified:

2021-07-30 10:55 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

philipp at redfish-solutions dot com

Assigned:

cmb (profile)

Status:

Closed

Package:

Unknown/Other Function

PHP Version:

7.1.8

OS:

linux 4.9.40

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	philipp at redfish-solutions dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2017-08-15 20:47 UTC] philipp at redfish-solutions dot com

Description:
------------
This issue came up in the discussions for bz #74860.

Basically, the only type of message explicitly and unequivocally allowed by the Syslog RFC's is NVT ASCII (i.e. hex characters 0x20-0x7E).

UTF-8 maybe used in compressed (shortest form) but it must be prefixed with a BOM (0xEF,0xBB,0xBF).

Also, see the discussion for PR #2674.



Test script:
---------------
<?php

ini_set("error_log", "syslog");

error_log("h\364pital stra\337e", 0);

error_log("this string \321\032\003", 0);

?>


Expected result:
----------------
It's not obvious what the correct behavior is in legacy cases which violate the RFC's.



Actual result:
--------------
Aug 15 14:43:07 ubuntu16 php7.0: h?pital stra?e
Aug 15 14:43:07 ubuntu16 php7.0: this string ?#032#003

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-08-16 19:16 UTC] philipp at redfish-solutions dot com

The more I think about this, the less I think it should be a security bug since there's nothing specific to PHP that makes it the vulnerability.  Can we please change this to "BUG" instead?

[2017-08-19 04:35 UTC] stas@php.net

-Type: Security +Type: Bug -Package: Output Control +Package: Unknown/Other Function

[2021-07-30 10:52 UTC] cmb@php.net

-Status: Open +Status: Closed -Package: Unknown/Other Function +Package: *Network Functions -Assigned To: +Assigned To: cmb

[2021-07-30 10:52 UTC] cmb@php.net

As of PHP 7.3.0, you can set syslog.filter=ascii[1] what escapes
all non-printable ASCII characters.  It seems to me that is
sufficient to comply to these RFCs.

[1] <https://www.php.net/manual/en/errorfunc.configuration.php#ini.syslog.filter>

[2021-07-30 10:55 UTC] cmb@php.net

-Package: *Network Functions +Package: Unknown/Other Function

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2022 The PHP Group All rights reserved.	Last updated: Mon Jun 27 11:05:45 2022 UTC