php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #78862 link() silently truncates after a null byte on Windows
Submitted: 2019-11-23 09:23 UTC Modified: 2019-12-16 19:01 UTC
From: ryat@php.net Assigned: stas (profile)
Status: Closed Package: Filesystem function related
PHP Version: 7.3.12 OS: Windows
Private report: No CVE-ID: 2019-11044
 [2019-11-23 09:23 UTC] ryat@php.net
Description:
------------
ext/standard/link_win32.c:
```
PHP_FUNCTION(link)
{
	...
	if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss", &frompath, &frompath_len, &topath, &topath_len) == FAILURE) {
		return;
	}
```

PoC for Windows:
```
<?php

link("ryat\x00php", "php\x00ryat");

?>
```

Fix:
```
if (zend_parse_parameters(ZEND_NUM_ARGS(), "pp", &frompath, &frompath_len, &topath, &topath_len) == FAILURE) 
```



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-11-23 12:07 UTC] cmb@php.net
-Status: Open +Status: Verified -Package: *General Issues +Package: Filesystem function related -Assigned To: +Assigned To: stas
 [2019-11-23 12:07 UTC] cmb@php.net
Confirmed for PHP up to and including 7.3.  PHP 7.4+ is not
affected.  Suggested patch:
<https://gist.github.com/cmb69/b059a4f104d594cbd2372101792df022>.

Stas, could you please push that into the sec repo?
 [2019-11-30 22:01 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2019-11044
 [2019-12-16 19:02 UTC] stas@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0e6c0654ed06751ced134515f7629c40bd979d7f
Log: Fix #78862: link() silently truncates after a null byte on Windows
 [2019-12-16 19:02 UTC] stas@php.net
-Status: Verified +Status: Closed
 [2019-12-16 19:02 UTC] stas@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0e6c0654ed06751ced134515f7629c40bd979d7f
Log: Fix #78862: link() silently truncates after a null byte on Windows
 [2019-12-17 12:14 UTC] remi@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2517a7e213df64e003d3e73c17be54be8fa7e3b0
Log: Fix #78862: link() silently truncates after a null byte on Windows
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC