php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #78863 DirectoryIterator class silently truncates after a null byte
Submitted: 2019-11-23 10:01 UTC Modified: 2019-12-16 19:01 UTC
From: ryat@php.net Assigned: stas (profile)
Status: Closed Package: SPL related
PHP Version: 7.3.12 OS: *
Private report: No CVE-ID: 2019-11045
 [2019-11-23 10:01 UTC] ryat@php.net
Description:
------------
ext/spl/spl_directory.c:
```
void spl_filesystem_object_construct(INTERNAL_FUNCTION_PARAMETERS, zend_long ctor_flags) /* {{{ */
{
    ...
	if (SPL_HAS_FLAG(ctor_flags, DIT_CTOR_FLAGS)) {
		flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_FILEINFO;
		parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s|l", &path, &len, &flags);
	} else {
		flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_SELF;
		parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s", &path, &len);
	}
```

PoC:
```
<?php

$dir = new DirectoryIterator("../../ryat\x00/php");
foreach ($dir as $fileinfo) {
    if (!$fileinfo->isDot()) {
        var_dump($fileinfo->getFilename());
    }
}

?>
```

Fix:
```
	if (SPL_HAS_FLAG(ctor_flags, DIT_CTOR_FLAGS)) {
		flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_FILEINFO;
		parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p|l", &path, &len, &flags);
	} else {
		flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_SELF;
		parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p", &path, &len);
	}
```


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-11-25 16:09 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: stas
 [2019-11-25 16:09 UTC] cmb@php.net
Suggested patch:
<https://gist.github.com/cmb69/3a00d5ddfd762f08406bc43f626f64f3>.
For master `UnexpectedValueException` needs to be replaced by
`TypeError` in the PHPT.

Stas, can you please handle it?  Note that the fix has to be
postponed to 7.4.1, to be in sync with 7.1/7.2/7.3.
 [2019-11-28 09:08 UTC] stas@php.net
Will do. Not sure whether it needs a CVE?
 [2019-11-29 04:31 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2019-11044
 [2019-11-30 22:06 UTC] stas@php.net
-CVE-ID: 2019-11044 +CVE-ID: 2019-11045
 [2019-12-16 19:02 UTC] stas@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a5a15965da23c8e97657278fc8dfbf1dfb20c016
Log: Fix #78863: DirectoryIterator class silently truncates after a null byte
 [2019-12-16 19:02 UTC] stas@php.net
-Status: Verified +Status: Closed
 [2019-12-16 19:02 UTC] stas@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a5a15965da23c8e97657278fc8dfbf1dfb20c016
Log: Fix #78863: DirectoryIterator class silently truncates after a null byte
 [2019-12-17 12:14 UTC] remi@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d74907b8575e6edb83b728c2a94df434c23e1f79
Log: Fix #78863: DirectoryIterator class silently truncates after a null byte
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Mon Jan 27 18:01:24 2020 UTC