Bug #75663 file_get_contents() fatal error by php:// wrapper
Submitted: 2017-12-10 16:44 UTC
Modified: 2017-12-10 17:13 UTC
From: debukuk154 at gmail dot com
Assigned:
Status: Not a bug
Package: Filesystem function related
PHP Version: 7.0.26
OS: Ubuntu
Private report: No
CVE-ID: None
 [2017-12-10 16:44 UTC] debukuk154 at gmail dot com
Description:
------------
Test script:
When you try to input something like a php:// wrapper, you can see that it will error with php://filter/.
I don't know why an error occurs, so I am just reporting this bug now.

If it is input by the user (I mean, to the file_get_contents() function), it can be connected to a security vulnerability.
In case a user tries to input php://filter/ like that, the user can maliciously exploit the vulnerability.

Test script:
---------------
auth.php:
<?php
session_start(); // start session
$_SESSION['auth'] = true; // set auth variable to true value
file_get_contents("php://filter/"); // file_get_contents is given php://filter/
$_SESSION['auth'] = false; // set auth variable to false value
?>
----------------------------------------
auth_check.php:
<?php
session_start(); // start session
echo $_SESSION['auth']; // print auth variable
?>

Expected result:
----------------
It will be stopped by force, because file_get_contents("php://filter/") causes an error.

Actual result:
--------------
An error occurs and it can break the code.

 [2017-12-10 17:13 UTC] requinix@php.net
-Status: Open +Status: Not a bug
 [2017-12-10 17:13 UTC] requinix@php.net
And what do you expect PHP to do about it? You are the one who wrote incorrect and unsafe code. Don't do that.
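
A fail-closed variant of the auth.php pattern from the report, added here as an illustration; it is not code from the reporter or from the PHP project. BASE_DIR, the "name" request parameter, resolve_user_file() and $elevated are hypothetical names. It keeps the elevated flag out of the session and refuses stream-wrapper URLs and paths outside one directory before calling file_get_contents().

```php
<?php
// Added example. BASE_DIR, the "name" parameter and resolve_user_file()
// are hypothetical names chosen for illustration.
const BASE_DIR = '/var/www/app/data';

// Return the real path of $name inside BASE_DIR, or false if rejected.
function resolve_user_file($name)
{
    if (!is_string($name) || $name === '' || strpos($name, "\0") !== false) {
        return false;
    }
    // Early reject: "scheme://" is a stream-wrapper URL such as php://filter/.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $name)) {
        return false;
    }
    $base = realpath(BASE_DIR);
    $real = realpath(BASE_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $real === false || !is_file($real)) {
        return false;
    }
    // The actual boundary: the resolved path must stay under BASE_DIR.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return $real;
}

session_start();
$_SESSION['auth'] = false;  // safe value first
session_write_close();      // persist it before any call that can fail
$elevated = true;           // request-local; lost if the script aborts

$path = resolve_user_file(isset($_GET['name']) ? $_GET['name'] : null);
if ($path === false) {
    http_response_code(400);
    exit('invalid file name');
}
$data = file_get_contents($path);
if ($data === false) {
    http_response_code(500);
    exit('read failed');
}
$elevated = false;
echo strlen($data), " bytes read\n";
```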
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Fri Dec 04 03:01:23 2020 UTC