php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

Patch gd-null-injection for GD related Bug #67730

Patch version 2014-08-04 06:48 UTC

Return to Bug #67730 | Download this patch
Patch Revisions:

Developer: stas@php.net

From ad6984989d06d141920dac97e5d6630c303797e9 Mon Sep 17 00:00:00 2001
From: Ryan Mauger <ryan@rmauger.co.uk>
Date: Wed, 30 Jul 2014 00:23:27 +0100
Subject: [PATCH] Added check for null byte in imageXXX functions, added tests

---
 ext/gd/gd_ctx.c                                |  5 ++++
 ext/gd/tests/imagegd2_nullbyte_injection.phpt  | 31 +++++++++++++++++++++
 ext/gd/tests/imagegd_nullbyte_injection.phpt   | 31 +++++++++++++++++++++
 ext/gd/tests/imagegif_nullbyte_injection.phpt  | 38 ++++++++++++++++++++++++++
 ext/gd/tests/imagejpeg_nullbyte_injection.phpt | 38 ++++++++++++++++++++++++++
 ext/gd/tests/imagepng_nullbyte_injection.phpt  | 38 ++++++++++++++++++++++++++
 ext/gd/tests/imagewbmp_nullbyte_injection.phpt | 38 ++++++++++++++++++++++++++
 ext/gd/tests/imagewebp_nullbyte_injection.phpt | 38 ++++++++++++++++++++++++++
 8 files changed, 257 insertions(+)
 create mode 100644 ext/gd/tests/imagegd2_nullbyte_injection.phpt
 create mode 100644 ext/gd/tests/imagegd_nullbyte_injection.phpt
 create mode 100644 ext/gd/tests/imagegif_nullbyte_injection.phpt
 create mode 100644 ext/gd/tests/imagejpeg_nullbyte_injection.phpt
 create mode 100644 ext/gd/tests/imagepng_nullbyte_injection.phpt
 create mode 100644 ext/gd/tests/imagewbmp_nullbyte_injection.phpt
 create mode 100644 ext/gd/tests/imagewebp_nullbyte_injection.phpt

diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c
index 59eff80..b4cf8e6 100644
--- a/ext/gd/gd_ctx.c
+++ b/ext/gd/gd_ctx.c
@@ -124,6 +124,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
 				RETURN_FALSE;
 			}
 		} else if (Z_TYPE_P(to_zval) == IS_STRING) {
+			if (CHECK_ZVAL_NULL_PATH(to_zval)) {
+				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes");
+				RETURN_FALSE;
+			}
+
 			stream = php_stream_open_wrapper(Z_STRVAL_P(to_zval), "wb", REPORT_ERRORS|IGNORE_PATH|IGNORE_URL_WIN, NULL);
 			if (stream == NULL) {
 				RETURN_FALSE;
diff --git a/ext/gd/tests/imagegd2_nullbyte_injection.phpt b/ext/gd/tests/imagegd2_nullbyte_injection.phpt
new file mode 100644
index 0000000..30717b7
--- /dev/null
+++ b/ext/gd/tests/imagegd2_nullbyte_injection.phpt
@@ -0,0 +1,31 @@
+--TEST--
+Testing null byte injection in imagegd2
+--CLEAN--
+$tempdir = sys_get_temp_dir(). '/php-gdtest';
+foreach (glob($tempdir . "/test*") as $file ) { unlink($file); }
+rmdir($tempdir);
+--FILE--
+<?php
+$image = imagecreate(1,1);// 1px image
+
+
+$tempdir = sys_get_temp_dir(). '/php-gdtest';
+if (!file_exists($tempdir) && !is_dir($tempdir)) {
+	mkdir ($tempdir, 0777, true);
+}
+
+$userinput = "1\0"; // from post or get data
+$temp = $tempdir. "/test" . $userinput .".tmp";
+
+echo "\nimagegd2 TEST\n";
+imagegd2($image, $temp);
+var_dump(file_exists($tempdir. "/test1"));
+var_dump(file_exists($tempdir. "/test1.tmp"));
+foreach (glob($tempdir . "/test*") as $file ) { unlink($file); }
+
+--EXPECTF--
+imagegd2 TEST
+
+Warning: imagegd2() expects parameter 2 to be a valid path, string given in %s on line %d
+bool(false)
+bool(false)
diff --git a/ext/gd/tests/imagegd_nullbyte_injection.phpt b/ext/gd/tests/imagegd_nullbyte_injection.phpt
new file mode 100644
index 0000000..fd9c5f3
--- /dev/null
+++ b/ext/gd/tests/imagegd_nullbyte_injection.phpt
@@ -0,0 +1,31 @@
+--TEST--
+Testing null byte injection in imagegd
+--CLEAN--
+$tempdir = sys_get_temp_dir(). '/php-gdtest';
+foreach (glob($tempdir . "/test*") as $file ) { unlink($file); }
+rmdir($tempdir);
+--FILE--
+<?php
+$image = imagecreate(1,1);// 1px image
+
+
+$tempdir = sys_get_temp_dir(). '/php-gdtest';
+if (!file_exists($tempdir) && !is_dir($tempdir)) {
+	mkdir ($tempdir, 0777, true);
+}
+
+$userinput = "1\0"; // from post or get data
+$temp = $tempdir. "/test" . $userinput .".tmp";
+
+echo "\nimagegd TEST\n";
+imagegd($image, $temp);
+var_dump(file_exists($tempdir. "/test1"));
+var_dump(file_exists($tempdir. "/test1.tmp"));
+foreach (glob($tempdir . "/test*") as $file ) { unlink($file); }
+
+--EXPECTF--
+imagegd TEST
+
+Warning: imagegd() expects parameter 2 to be a valid path, string given in %s on line %d
+bool(false)
+bool(false)
diff --git a/ext/gd/tests/imagegif_nullbyte_injection.phpt b/ext/gd/tests/imagegif_nullbyte_injection.phpt
new file mode 100644
index 0000000..ddfadc5
--- /dev/null
+++ b/ext/gd/tests/imagegif_nullbyte_injection.phpt
@@ -0,0 +1,38 @@
+--TEST--
+Testing null byte injection in imagegif
+--CLEAN--
+$tempdir = sys_get_temp_dir(). '/php-gdtest';
+foreach (glob($tempdir . "/test*") as $file ) { unlink($file); }
+rmdir($tempdir);
+--SKIPIF--
+<?php
+$support = gd_info();
+if (!isset($support['GIF Create Support']) || $support['GIF Create Support'] === false) {
+	print 'skip gif support not available';
+}
+?>
+--FILE--
+<?php
+$image = imagecreate(1,1);// 1px image
+
+
+$tempdir = sys_get_temp_dir(). '/php-gdtest';
+if (!file_exists($tempdir) && !is_dir($tempdir)) {
+	mkdir ($tempdir, 0777, true);
+}
+
+$userinput = "1\0"; // from post or get data
+$temp = $tempdir. "/test" . $userinput .".tmp";
+
+echo "\nimagegif TEST\n";
+imagegif($image, $temp);
+var_dump(file_exists($tempdir. "/test1"));
+var_dump(file_exists($tempdir. "/test1.tmp"));
+foreach (glob($tempdir . "/test*") as $file ) { unlink($file); }
+
+--EXPECTF--
+imagegif TEST
+
+Warning: imagegif(): Invalid 2nd parameter, filename must not contain null bytes in %s on line %d
+bool(false)
+bool(false)
diff --git a/ext/gd/tests/imagejpeg_nullbyte_injection.phpt b/ext/gd/tests/imagejpeg_nullbyte_injection.phpt
new file mode 100644
index 0000000..46938af
--- /dev/null
+++ b/ext/gd/tests/imagejpeg_nullbyte_injection.phpt
@@ -0,0 +1,38 @@
+--TEST--
+Testing null byte injection in imagejpeg
+--CLEAN--
+$tempdir = sys_get_temp_dir(). '/php-gdtest';
+foreach (glob($tempdir . "/test*") as $file ) { unlink($file); }
+rmdir($tempdir);
+--SKIPIF--
+<?php
+$support = gd_info();
+if (!isset($support['JPEG Support']) || $support['JPEG Support'] === false) {
+	print 'skip jpeg support not available';
+}
+?>
+--FILE--
+<?php
+$image = imagecreate(1,1);// 1px image
+
+
+$tempdir = sys_get_temp_dir(). '/php-gdtest';
+if (!file_exists($tempdir) && !is_dir($tempdir)) {
+	mkdir ($tempdir, 0777, true);
+}
+
+$userinput = "1\0"; // from post or get data
+$temp = $tempdir. "/test" . $userinput .".tmp";
+
+echo "\nimagejpeg TEST\n";
+imagejpeg($image, $temp);
+var_dump(file_exists($tempdir. "/test1"));
+var_dump(file_exists($tempdir. "/test1.tmp"));
+foreach (glob($tempdir . "/test*") as $file ) { unlink($file); }
+
+--EXPECTF--
+imagejpeg TEST
+
+Warning: imagejpeg(): Invalid 2nd parameter, filename must not contain null bytes in %s on line %d
+bool(false)
+bool(false)
diff --git a/ext/gd/tests/imagepng_nullbyte_injection.phpt b/ext/gd/tests/imagepng_nullbyte_injection.phpt
new file mode 100644
index 0000000..0bc9f4f
--- /dev/null
+++ b/ext/gd/tests/imagepng_nullbyte_injection.phpt
@@ -0,0 +1,38 @@
+--TEST--
+Testing null byte injection in imagepng
+--CLEAN--
+$tempdir = sys_get_temp_dir(). '/php-gdtest';
+foreach (glob($tempdir . "/test*") as $file ) { unlink($file); }
+rmdir($tempdir);
+--SKIPIF--
+<?php
+$support = gd_info();
+if (!isset($support['PNG Support']) || $support['PNG Support'] === false) {
+	print 'skip png support not available';
+}
+?>
+--FILE--
+<?php
+$image = imagecreate(1,1);// 1px image
+
+
+$tempdir = sys_get_temp_dir(). '/php-gdtest';
+if (!file_exists($tempdir) && !is_dir($tempdir)) {
+	mkdir ($tempdir, 0777, true);
+}
+
+$userinput = "1\0"; // from post or get data
+$temp = $tempdir. "/test" . $userinput .".tmp";
+
+echo "\nimagepng TEST\n";
+imagepng($image, $temp);
+var_dump(file_exists($tempdir. "/test1"));
+var_dump(file_exists($tempdir. "/test1.tmp"));
+foreach (glob($tempdir . "/test*") as $file ) { unlink($file); }
+
+--EXPECTF--
+imagepng TEST
+
+Warning: imagepng(): Invalid 2nd parameter, filename must not contain null bytes in %s on line %d
+bool(false)
+bool(false)
diff --git a/ext/gd/tests/imagewbmp_nullbyte_injection.phpt b/ext/gd/tests/imagewbmp_nullbyte_injection.phpt
new file mode 100644
index 0000000..cf0c92e
--- /dev/null
+++ b/ext/gd/tests/imagewbmp_nullbyte_injection.phpt
@@ -0,0 +1,38 @@
+--TEST--
+Testing null byte injection in imagewbmp
+--CLEAN--
+$tempdir = sys_get_temp_dir(). '/php-gdtest';
+foreach (glob($tempdir . "/test*") as $file ) { unlink($file); }
+rmdir($tempdir);
+--SKIPIF--
+<?php
+$support = gd_info();
+if (!isset($support['WBMP Support']) || $support['WBMP Support'] === false) {
+	print 'skip wbmp support not available';
+}
+?>
+--FILE--
+<?php
+$image = imagecreate(1,1);// 1px image
+
+
+$tempdir = sys_get_temp_dir(). '/php-gdtest';
+if (!file_exists($tempdir) && !is_dir($tempdir)) {
+	mkdir ($tempdir, 0777, true);
+}
+
+$userinput = "1\0"; // from post or get data
+$temp = $tempdir. "/test" . $userinput .".tmp";
+
+echo "\nimagewbmp TEST\n";
+imagewbmp($image, $temp);
+var_dump(file_exists($tempdir. "/test1"));
+var_dump(file_exists($tempdir. "/test1.tmp"));
+foreach (glob($tempdir . "/test*") as $file ) { unlink($file); }
+
+--EXPECTF--
+imagewbmp TEST
+
+Warning: imagewbmp(): Invalid 2nd parameter, filename must not contain null bytes in %s on line %d
+bool(false)
+bool(false)
diff --git a/ext/gd/tests/imagewebp_nullbyte_injection.phpt b/ext/gd/tests/imagewebp_nullbyte_injection.phpt
new file mode 100644
index 0000000..67d68d3
--- /dev/null
+++ b/ext/gd/tests/imagewebp_nullbyte_injection.phpt
@@ -0,0 +1,38 @@
+--TEST--
+Testing null byte injection in imagewebp
+--CLEAN--
+$tempdir = sys_get_temp_dir(). '/php-gdtest';
+foreach (glob($tempdir . "/test*") as $file ) { unlink($file); }
+rmdir($tempdir);
+--SKIPIF--
+<?php
+$support = gd_info();
+if (!isset($support['WEBP Support']) || $support['WEBP Support'] === false) {
+	print 'skip webp support not available';
+}
+?>
+--FILE--
+<?php
+$image = imagecreate(1,1);// 1px image
+
+
+$tempdir = sys_get_temp_dir(). '/php-gdtest';
+if (!file_exists($tempdir) && !is_dir($tempdir)) {
+	mkdir ($tempdir, 0777, true);
+}
+
+$userinput = "1\0"; // from post or get data
+$temp = $tempdir. "/test" . $userinput .".tmp";
+
+echo "\nimagewebp TEST\n";
+imagewebp($image, $temp);
+var_dump(file_exists($tempdir. "/test1"));
+var_dump(file_exists($tempdir. "/test1.tmp"));
+foreach (glob($tempdir . "/test*") as $file ) { unlink($file); }
+
+--EXPECTF--
+imagewbmp TEST
+
+Warning: imagewebp(): Invalid 2nd parameter, filename must not contain null bytes in %s on line %d
+bool(false)
+bool(false)
--
1.7.12
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Thu Apr 09 05:01:23 2020 UTC