|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76066 Information leaked?
Submitted: 2018-03-08 06:13 UTC Modified: 2018-03-10 14:52 UTC
From: zhihua dot yao at dbappsecurity dot com dot cn Assigned:
Status: Not a bug Package: Filesystem function related
PHP Version: 7.2.3 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: zhihua dot yao at dbappsecurity dot com dot cn
New email:
PHP Version: OS:


 [2018-03-08 06:13 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Hello,PHP Security Team,
Because I am not familiar with the ssl protocol.I don't know if the leaked information is normal return information.At the same time,I also do not know whether it is a security bug or not a bug.

Test script:
first step:
 nc -lvv 8080
Listening on [] (family 0, port 8080)

second step:
./php-7.2.3/sapi/cli/php -r 'file_get_contents(""); '

Then,it will leak information.file_get_contents function could be placed other functions.

Actual result:
Listening on [] (family 0, port 8080)
Connection from [] port 8080 [tcp/http-alt] accepted (family 2, sport 53810)

R%����r�fb�/�+�0�,�����'�#��	�(�$�



Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2018-03-09 21:10 UTC]
-Status: Open +Status: Not a bug
 [2018-03-09 21:10 UTC]
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at and the instructions on how to report
a bug at

Don't see any information leak in the code described.
 [2018-03-09 22:48 UTC]
This is literally how an SSL/TLS handshake is supposed to work.

The client sends a "Hello" packet advertising things like what ciphers it supports and (optionally, but in this case yes) an SNI (Server Name Indicator) to tell the remote end what hostname it's connecting to.  This is used for https to support virtualhost (multiple hostnames served by the same web server).

Not a leak, not a bug. Absolutely working as intended.
 [2018-03-10 14:52 UTC]
-Type: Security +Type: Bug
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sun Jun 13 03:01:24 2021 UTC