From fb0128af2a95ec0d1a0360be49776c5b056d1f33 Mon Sep 17 00:00:00 2001 |
From: Stanislav Malyshev <stas@php.net> |
Date: Mon, 23 Jun 2014 00:19:37 -0700 |
Subject: [PATCH] Fix bug #67498 - phpinfo() Type Confusion Information Leak |
Vulnerability |
|
--- |
NEWS | 2 ++ |
ext/standard/info.c | 8 ++++---- |
ext/standard/tests/general_functions/bug67498.phpt | 15 +++++++++++++++ |
3 files changed, 21 insertions(+), 4 deletions(-) |
create mode 100644 ext/standard/tests/general_functions/bug67498.phpt |
|
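diff --git a/ext/standard/info.c b/ext/standard/info.c
index 70b2e2f..0f15bbe 100644
--- a/ext/standard/info.c
+++ b/ext/standard/info.c
@@ -972,16 +972,16 @@
 
 php_info_print_table_start();
 php_info_print_table_header(2, "Variable", "Value");
- if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
+ if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
 }
- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
+ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
 }
- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
+ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
 }
- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
+ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
 }
 php_print_gpcse_array("_REQUEST", sizeof("_REQUEST")-1 TSRMLS_CC);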
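Review bot: The four `Z_TYPE_PP(data) == IS_STRING` guards are added without a comment saying why they are needed, and a non-string value now makes the row disappear silently. The test in this patch assigns `$PHP_SELF = 1;` from script code, so these symbol-table entries are script-controlled, and `Z_STRVAL_PP` on a non-string zval would presumably read the value union as a string pointer. A one-line comment above the first lookup, such as `/* symbol_table entries can be overwritten by the script; only dereference as a string when the zval is IS_STRING */`, would keep a later addition from omitting the check. Because the same lookup-and-check is written out four times, a small static helper taking the variable name would be a tidier form. The enclosing function starts and ends outside the hunk.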
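diff --git a/ext/standard/tests/general_functions/bug67498.phpt b/ext/standard/tests/general_functions/bug67498.phpt
new file mode 100644
index 0000000..5b5951b
--- /dev/null
+++ b/ext/standard/tests/general_functions/bug67498.phpt
@@ -0,0 +1,15 @@
+--TEST--
+phpinfo() Type Confusion Information Leak Vulnerability
+--FILE--
+<?php
+$PHP_SELF = 1;
+phpinfo(INFO_VARIABLES);
+
+?>
+==DONE==
+--EXPECTF--
+phpinfo()
+
+PHP Variables
+%A
+==DONE==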
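Review bot: The `--EXPECTF--` section matches everything after "PHP Variables" with `%A`, so the test only shows that `phpinfo(INFO_VARIABLES)` runs to `==DONE==`. It does not show that the `PHP_SELF` row is withheld when the variable is an integer. Only `$PHP_SELF` is exercised, so the other three names guarded in info.c (`PHP_AUTH_TYPE`, `PHP_AUTH_USER`, `PHP_AUTH_PW`) have no coverage. Adding `$PHP_AUTH_TYPE = $PHP_AUTH_USER = $PHP_AUTH_PW = 1;` next to the existing assignment would exercise every changed condition.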
-- |
1.9.2 |
|