Bug #9870 PHP dies with segfault when a post request has no content-type
Submitted: 2001-03-20 09:06 UTC Modified: 2001-03-21 04:13 UTC
From: teo at gecadsoftware dot com Assigned:
Status: Closed Package: HTTP related
PHP Version: 4.0.4pl1 OS: SuSE7.0
Private report: No CVE-ID: None
 [2001-03-20 09:06 UTC] teo at gecadsoftware dot com
[Tue Mar 20 15:09:20 2001] [error] PHP Warning:  No content-type in POST request in Unknown on line 0
Unknown(0) : Warning - No content-type in POST request

Program received signal SIGSEGV, Segmentation fault.
0x400c2073 in strstr () at ../sysdeps/generic/strstr.c:125
125     ../sysdeps/generic/strstr.c: No such file or directory.
(gdb) bt
#0  0x400c2073 in strstr () at ../sysdeps/generic/strstr.c:125
#1  0x401aef39 in rfc1867_post_handler () at rfc1867.c:426
#2  0x401abdd3 in sapi_handle_post () at SAPI.c:54
#3  0x401b0532 in php_treat_data () at php_variables.c:190
#4  0x401a9274 in php_hash_environment () at main.c:1039
#5  0x401a8836 in php_request_startup () at main.c:588
#6  0x401a4fa8 in apache_php_module_main () at sapi_apache.c:98
#7  0x401a5d69 in send_php () at mod_php4.c:433
#8  0x401a5db3 in send_parsed_php () at mod_php4.c:433
#9  0x8076669 in ap_invoke_handler ()
#10 0x808c05f in process_request_internal ()
#11 0x808c0d2 in ap_process_request ()
#12 0x8082c76 in child_main ()
#13 0x8082e55 in make_child ()
#14 0x8082fd6 in startup_children ()
#15 0x808365c in standalone_main ()
#16 0x8083eac in main ()
#17 0x40083a8e in __libc_start_main () at ../sysdeps/generic/libc-start.c:93
(gdb) 

How to reproduce:
<body>
<form action="/phpinfo.php" method="post" enctype="multipart/form-data">
Some text here:<input type="text" name="v1"><br>
File here: <input type="file" name="test"><br>
<input type="submit">
</form>
</body>

Using Netscape on Linux, upload a file, then hit
reload (Meta-r) three times. NS will repost it only
two times, then complain that /tmp/ns131323gibberish is not
found [a temp file in which it composes the multipart
post].

The 3rd time you post it, it won't send a proper Content-Type
header, hence the Warning.

The offending code is:
 boundary = strstr(content_type_dup, "boundary");
in main/rfc1867.c:441

Patch:
check content_type_dup for null before strstr()-ing it.
[suggestion]

--- rfc1867.c   Fri Dec  8 18:21:47 2000
+++ /tmp/rfc1867.c  Tue Mar 20 15:59:39 2001
@@ -438,6 +438,11 @@
        return;
    }

+   if (!content_type_dup) {
+       sapi_module.sapi_error(E_COMPILE_ERROR, "Missing headers in multipart/form-data POST data");
+       return;
+   }
+
    boundary = strstr(content_type_dup, "boundary");
    if (!boundary || !(boundary=strchr(boundary, '='))) {
        sapi_module.sapi_error(E_COMPILE_ERROR, "Missing boundary in multipart/form-data POST data");
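Review bot: the new NULL check sits directly before the `strstr(content_type_dup, "boundary")` call that frame #1 of the backtrace shows crashing, which is the right spot to stop this particular segfault, but the message "Missing headers in multipart/form-data POST data" does not say which header is absent; the warning already logged for the same request reads "No content-type in POST request", so a message such as "Missing Content-Type header in multipart/form-data POST data" would keep the two diagnostics consistent. Because the NULL header is a property of the request rather than of this handler, consider also rejecting it in the caller (sapi_handle_post in frame #2) so that no post handler is entered with a NULL content type.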

have fun,
--teodor
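To show the defect and the guarded form side by side, here is an added stand-alone C example (it is not PHP's rfc1867.c; the function and enum names are invented for illustration): the first function mirrors the unguarded strstr() call from the backtrace, the second rejects a NULL Content-Type before touching it and then applies the same boundary check as the suggested patch.

```c
/* Added example (not the PHP source): a minimal stand-in for the boundary
 * lookup in rfc1867_post_handler(), showing the NULL dereference and the
 * guarded version. Names here are invented for illustration. */
#include <stdio.h>
#include <string.h>

/* Outcomes of boundary extraction, modelled on the error paths in the bug. */
enum boundary_status { BOUNDARY_OK, BOUNDARY_NO_CONTENT_TYPE, BOUNDARY_MISSING };

/* Unguarded form: mirrors the call at rfc1867.c:441 that crashed. Passing a
 * NULL content_type reaches strstr(NULL, ...) and segfaults inside libc. */
const char *find_boundary_unguarded(const char *content_type) {
    const char *b = strstr(content_type, "boundary");   /* crashes on NULL */
    if (!b || !(b = strchr(b, '='))) return NULL;
    return b + 1;
}

/* Guarded form, modelled on the suggested patch: reject a NULL header before
 * touching it, then run the existing boundary check. Copies the boundary
 * value into out (size outlen) and reports which check failed. */
enum boundary_status find_boundary(const char *content_type, char *out, size_t outlen) {
    const char *b;
    if (!content_type)            /* the request carried no Content-Type header */
        return BOUNDARY_NO_CONTENT_TYPE;
    b = strstr(content_type, "boundary");
    if (!b || !(b = strchr(b, '=')))
        return BOUNDARY_MISSING;
    b++;
    /* the boundary value ends at the next ';' or at end of string */
    size_t n = strcspn(b, ";");
    if (n >= outlen) n = outlen - 1;
    memcpy(out, b, n);
    out[n] = '\0';
    return BOUNDARY_OK;
}

int main(void) {
    /* Constructed sample headers: the normal case and the failing third repost. */
    const char *good = "multipart/form-data; boundary=----ns1234";
    char buf[64];
    printf("good: status=%d boundary=%s\n", find_boundary(good, buf, sizeof buf), buf);
    printf("no header: status=%d\n", find_boundary(NULL, buf, sizeof buf));
    /* find_boundary_unguarded(NULL) would reproduce the SIGSEGV from the report. */
    return 0;
}
```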

 [2001-03-20 09:19 UTC] sniper@php.net
This is fixed in CVS. A bit differently though.
The check for content_type_dup is put a bit earlier
so it doesn't even get into the handler if it's null.

Try the latest CVS snapshot from http://snaps.php.net/

--Jani

 [2001-03-21 04:13 UTC] teo at gecadsoftware dot com
K, thanks Jani

Can you have a look / give an opinion on whether this strstr() stuff
is exploitable, given that it's triggered
by malformed user data (in this case the post data)?

 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sat Dec 14 15:01:23 2019 UTC