php/sme8/php-5.3.3-CVE-2014-4721.patch

From fb0128af2a95ec0d1a0360be49776c5b056d1f33 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 23 Jun 2014 00:19:37 -0700
Subject: [PATCH] Fix bug #67498 - phpinfo() Type Confusion Information Leak
 Vulnerability

---
 NEWS                                               |  2 ++
 ext/standard/info.c                                |  8 ++++----
 ext/standard/tests/general_functions/bug67498.phpt | 15 +++++++++++++++
 3 files changed, 21 insertions(+), 4 deletions(-)
 create mode 100644 ext/standard/tests/general_functions/bug67498.phpt

diff --git a/ext/standard/info.c b/ext/standard/info.c
index 70b2e2f..0f15bbe 100644
--- a/ext/standard/info.c
+++ b/ext/standard/info.c
@@ -972,16 +972,16 @@
 
                php_info_print_table_start();
                php_info_print_table_header(2, "Variable", "Value");
-               if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
+               if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
                        php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
                }
-               if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
+               if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
                        php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
                }
-               if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
+               if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
                        php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
                }
-               if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
+               if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
                        php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
                }
                php_print_gpcse_array("_REQUEST", sizeof("_REQUEST")-1 TSRMLS_CC);
diff --git a/ext/standard/tests/general_functions/bug67498.phpt b/ext/standard/tests/general_functions/bug67498.phpt
new file mode 100644
index 0000000..5b5951b
--- /dev/null
+++ b/ext/standard/tests/general_functions/bug67498.phpt
@@ -0,0 +1,15 @@
+--TEST--
+phpinfo() Type Confusion Information Leak Vulnerability
+--FILE--
+<?php
+$PHP_SELF = 1;
+phpinfo(INFO_VARIABLES);
+
+?>
+==DONE==
+--EXPECTF--
+phpinfo()
+
+PHP Variables
+%A
+==DONE==
-- 
1.9.2

1	vip-ire	1.1	From fb0128af2a95ec0d1a0360be49776c5b056d1f33 Mon Sep 17 00:00:00 2001
2			From: Stanislav Malyshev <stas@php.net>
3			Date: Mon, 23 Jun 2014 00:19:37 -0700
4			Subject: [PATCH] Fix bug #67498 - phpinfo() Type Confusion Information Leak
5			Vulnerability
6
7			---
8			NEWS \| 2 ++
9			ext/standard/info.c \| 8 ++++----
10			ext/standard/tests/general_functions/bug67498.phpt \| 15 +++++++++++++++
11			3 files changed, 21 insertions(+), 4 deletions(-)
12			create mode 100644 ext/standard/tests/general_functions/bug67498.phpt
13
14			diff --git a/ext/standard/info.c b/ext/standard/info.c
15			index 70b2e2f..0f15bbe 100644
16			--- a/ext/standard/info.c
17			+++ b/ext/standard/info.c
18			@@ -972,16 +972,16 @@
19
20			php_info_print_table_start();
21			php_info_print_table_header(2, "Variable", "Value");
22			- if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
23			+ if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
24			php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
25			}
26			- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
27			+ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
28			php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
29			}
30			- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
31			+ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
32			php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
33			}
34			- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
35			+ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
36			php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
37			}
38			php_print_gpcse_array("_REQUEST", sizeof("_REQUEST")-1 TSRMLS_CC);
39			diff --git a/ext/standard/tests/general_functions/bug67498.phpt b/ext/standard/tests/general_functions/bug67498.phpt
40			new file mode 100644
41			index 0000000..5b5951b
42			--- /dev/null
43			+++ b/ext/standard/tests/general_functions/bug67498.phpt
44			@@ -0,0 +1,15 @@
45			+--TEST--
46			+phpinfo() Type Confusion Information Leak Vulnerability
47			+--FILE--
48			+<?php
49			+$PHP_SELF = 1;
50			+phpinfo(INFO_VARIABLES);
51			+
52			+?>
53			+==DONE==
54			+--EXPECTF--
55			+phpinfo()
56			+
57			+PHP Variables
58			+%A
59			+==DONE==
60			--
61			1.9.2
62