|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2019-11-25 16:09 UTC] cmb@php.net
-Status: Open
+Status: Verified
-Assigned To:
+Assigned To: stas
[2019-11-25 16:09 UTC] cmb@php.net
[2019-11-28 09:08 UTC] stas@php.net
[2019-11-29 04:31 UTC] stas@php.net
-CVE-ID:
+CVE-ID: 2019-11044
[2019-11-30 22:06 UTC] stas@php.net
-CVE-ID: 2019-11044
+CVE-ID: 2019-11045
[2019-12-16 19:02 UTC] stas@php.net
[2019-12-16 19:02 UTC] stas@php.net
-Status: Verified
+Status: Closed
[2019-12-16 19:02 UTC] stas@php.net
[2019-12-17 12:14 UTC] remi@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Fri Apr 19 06:01:29 2024 UTC |
Description: ------------ ext/spl/spl_directory.c: ``` void spl_filesystem_object_construct(INTERNAL_FUNCTION_PARAMETERS, zend_long ctor_flags) /* {{{ */ { ... if (SPL_HAS_FLAG(ctor_flags, DIT_CTOR_FLAGS)) { flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_FILEINFO; parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s|l", &path, &len, &flags); } else { flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_SELF; parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s", &path, &len); } ``` PoC: ``` <?php $dir = new DirectoryIterator("../../ryat\x00/php"); foreach ($dir as $fileinfo) { if (!$fileinfo->isDot()) { var_dump($fileinfo->getFilename()); } } ?> ``` Fix: ``` if (SPL_HAS_FLAG(ctor_flags, DIT_CTOR_FLAGS)) { flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_FILEINFO; parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p|l", &path, &len, &flags); } else { flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_SELF; parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p", &path, &len); } ```