[2019-09-22 08:44 UTC] stas@php.net
-Type: Security
+Type: Bug
[2019-09-22 13:06 UTC] duncan3dc@php.net
[2020-04-24 18:49 UTC] alexinbeijing at gmail dot com
[2021-09-06 17:17 UTC] cmb@php.net
-Status: Open
+Status: Verified
[2021-09-06 17:17 UTC] cmb@php.net
[2024-01-04 20:25 UTC] bukka@php.net
-Package: *Directory/Filesystem functions
+Package: SPL related
Description:
------------
If you block `SplFileInfo` in disable_classes and use `RecursiveDirectoryIterator`, then running the test script can segfault; as it operates on the file system, it is more effective. A segfault can lead to RCE using LFI and a race condition: files don't get deleted when files get uploaded during a segfault. Here the segfault is in the file system, so it can be much more frequent if the developer blocks `SplFileInfo`. This bug is caused by a null pointer dereference.

Test script:
---------------
<?php
// Reproduce with SplFileInfo disabled, e.g.: php -d disable_classes=SplFileInfo test.php
function iterate($me) {
    // current() on the iterator creates an SplFileInfo for each entry
    foreach ($me as $whole) {
        echo "Great";
    }
}

iterate(new RecursiveDirectoryIterator('/'));

Expected result:
----------------
should be blocked by PHP, because of disable_classes

Actual result:
--------------
#0 0x000055555589d50f in spl_filesystem_object_create_type (ht=0x0, source=0x7ffff3a84000, type=0x0, ce=0x555556836900, return_value=0x7ffff3a93060) at /home/vignesh/Documents/exploits/php/php-src-master/ext/spl/spl_directory.c:509
#1 0x000055555589f590 in zim_spl_FilesystemIterator_current (execute_data=0x7ffff3a14120, return_value=0x7ffff3a93060) at /home/vignesh/Documents/exploits/php/php-src-master/ext/spl/spl_directory.c:1103
#2 0x0000555555a4d96a in zend_call_function (fci=0x7fffffffa430, fci_cache=0x7fffffffa410) at /home/vignesh/Documents/exploits/php/php-src-master/Zend/zend_execute_API.c:802
#3 0x0000555555a8ec1e in zend_call_method (object=0x7ffff3a85090, obj_ce=0x55555683ce00, fn_proxy=0x55555683d380, function_name=0x5555561ff519 "current", function_name_len=0x7, retval_ptr=0x7ffff3a93060, param_count=0x0, arg1=0x0, arg2=0x0) at /home/vignesh/Documents/exploits/php/php-src-master/Zend/zend_interfaces.c:103
#4 0x0000555555a8ef3b in zend_user_it_get_current_data (_iter=0x7ffff3a93000) at /home/vignesh/Documents/exploits/php/php-src-master/Zend/zend_interfaces.c:179
#5 0x0000555555afd546 in ZEND_FE_FETCH_R_SPEC_VAR_HANDLER () at /home/vignesh/Documents/exploits/php/php-src-master/Zend/zend_vm_execute.h:20592
#6 0x0000555555b3a346 in execute_ex (ex=0x7ffff3a14020) at /home/vignesh/Documents/exploits/php/php-src-master/Zend/zend_vm_execute.h:55000
#7 0x0000555555b3c276 in zend_execute (op_array=0x7ffff3a81300, return_value=0x0) at /home/vignesh/Documents/exploits/php/php-src-master/Zend/zend_vm_execute.h:56926
#8 0x0000555555a64a34 in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3) at /home/vignesh/Documents/exploits/php/php-src-master/Zend/zend.c:1631
#9 0x00005555559ca4ea in php_execute_script (primary_file=0x7fffffffcd70) at /home/vignesh/Documents/exploits/php/php-src-master/main/main.c:2633
#10 0x0000555555b3ef0e in do_cli (argc=0x4, argv=0x55555678afb0) at /home/vignesh/Documents/exploits/php/php-src-master/sapi/cli/php_cli.c:991
#11 0x0000555555b40085 in main (argc=0x4, argv=0x55555678afb0) at /home/vignesh/Documents/exploits/php/php-src-master/sapi/cli/php_cli.c:1381
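A defensive preflight check, added here as an example and not part of the bug report or of php-src: before handing a directory tree to RecursiveDirectoryIterator, it reads disable_classes with ini_get() and verifies that none of the classes the iterator depends on has been disabled, so an application deployed under a hardened php.ini fails with a clear exception instead of reaching the crash in spl_filesystem_object_create_type shown in the backtrace. The dependency list is derived from SPL's inheritance chain (RecursiveDirectoryIterator extends FilesystemIterator, DirectoryIterator and SplFileInfo, and current() instantiates SplFileInfo for every entry); the helper and constant names are this example's own.

```php
<?php
declare(strict_types=1);

// Classes RecursiveDirectoryIterator needs at runtime: its inheritance chain
// plus SplFileInfo, which current() instantiates for every entry.
// (Example constant, not part of php-src.)
const SPL_DIRECTORY_ITERATOR_DEPENDENCIES = [
    'SplFileInfo',
    'DirectoryIterator',
    'FilesystemIterator',
    'RecursiveDirectoryIterator',
];

/**
 * Parse a disable_classes value (comma-separated, whitespace tolerated)
 * into a lowercase set; PHP class names are case-insensitive.
 */
function parseDisabledClasses(string $ini): array
{
    $set = [];
    foreach (explode(',', $ini) as $name) {
        $name = strtolower(trim($name));
        if ($name !== '') {
            $set[$name] = true;
        }
    }
    return $set;
}

/**
 * Return the entries of $needed that appear in disable_classes.
 * $ini defaults to the running process's own configuration.
 */
function disabledDependencies(array $needed, ?string $ini = null): array
{
    $ini ??= (string) ini_get('disable_classes');
    $disabled = parseDisabledClasses($ini);
    return array_values(array_filter(
        $needed,
        static fn(string $cls): bool => isset($disabled[strtolower($cls)])
    ));
}

/**
 * Walk a directory tree, refusing to start if any SPL class the iterator
 * relies on is disabled in this process. Returns the file paths found.
 */
function listFiles(string $root): array
{
    $missing = disabledDependencies(SPL_DIRECTORY_ITERATOR_DEPENDENCIES);
    if ($missing !== []) {
        throw new RuntimeException(
            'Cannot iterate ' . $root . ': disable_classes blocks '
            . implode(', ', $missing)
        );
    }

    $files = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $info) {
        /** @var SplFileInfo $info */
        $files[] = $info->getPathname();
    }
    return $files;
}

// Self-checks against constructed ini values, then a real run on a temp dir.
assert(disabledDependencies(SPL_DIRECTORY_ITERATOR_DEPENDENCIES, 'SplFileInfo, SplTempFileObject')
    === ['SplFileInfo']);
assert(disabledDependencies(SPL_DIRECTORY_ITERATOR_DEPENDENCIES, '') === []);

$dir = sys_get_temp_dir() . '/spl-check-' . getmypid();
mkdir($dir);
file_put_contents($dir . '/a.txt', 'x');
try {
    print_r(listFiles($dir));
} finally {
    unlink($dir . '/a.txt');
    rmdir($dir);
}
```

Run it once normally and once as `php -d disable_classes=SplFileInfo example.php`: the second run stops at the RuntimeException before any SPL filesystem object is created, which is the behaviour an operator would expect from the ini setting and which the bug report shows the engine did not provide on its own.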