|
 |
b74969 |
From 3804c0d00fa6e629173fb1c8c61f8f88d5fe39b9 Mon Sep 17 00:00:00 2001
|
|
|
b74969 |
From: Stanislav Malyshev <stas@php.net>
|
|
|
b74969 |
Date: Mon, 23 Jun 2014 00:19:37 -0700
|
|
|
b74969 |
Subject: [PATCH] Fix bug #67498 - phpinfo() Type Confusion Information Leak
|
|
|
b74969 |
Vulnerability
|
|
|
b74969 |
|
|
|
b74969 |
---
|
|
|
b74969 |
ext/standard/info.c | 8 ++++----
|
|
|
b74969 |
ext/standard/tests/general_functions/bug67498.phpt | 15 +++++++++++++++
|
|
|
b74969 |
2 files changed, 19 insertions(+), 4 deletions(-)
|
|
|
b74969 |
create mode 100644 ext/standard/tests/general_functions/bug67498.phpt
|
|
|
b74969 |
|
|
|
b74969 |
diff --git a/ext/standard/info.c b/ext/standard/info.c
|
|
|
b74969 |
index 03ced35..0626a70 100644
|
|
|
b74969 |
--- a/ext/standard/info.c
|
|
|
b74969 |
+++ b/ext/standard/info.c
|
|
|
b74969 |
@@ -868,16 +868,16 @@ PHPAPI void php_print_info(int flag TSRMLS_DC)
|
|
|
b74969 |
|
|
|
b74969 |
php_info_print_table_start();
|
|
|
b74969 |
php_info_print_table_header(2, "Variable", "Value");
|
|
|
b74969 |
- if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
|
|
|
b74969 |
+ if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
|
|
|
b74969 |
php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
|
|
|
b74969 |
}
|
|
|
b74969 |
- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
|
|
|
b74969 |
+ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
|
|
|
b74969 |
php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
|
|
|
b74969 |
}
|
|
|
b74969 |
- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
|
|
|
b74969 |
+ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
|
|
|
b74969 |
php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
|
|
|
b74969 |
}
|
|
|
b74969 |
- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
|
|
|
b74969 |
+ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
|
|
|
b74969 |
php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
|
|
|
b74969 |
}
|
|
|
b74969 |
php_print_gpcse_array(ZEND_STRL("_REQUEST") TSRMLS_CC);
|
|
|
b74969 |
diff --git a/ext/standard/tests/general_functions/bug67498.phpt b/ext/standard/tests/general_functions/bug67498.phpt
|
|
|
b74969 |
new file mode 100644
|
|
|
b74969 |
index 0000000..5b5951b
|
|
|
b74969 |
--- /dev/null
|
|
|
b74969 |
+++ b/ext/standard/tests/general_functions/bug67498.phpt
|
|
|
b74969 |
@@ -0,0 +1,15 @@
|
|
|
b74969 |
+--TEST--
|
|
|
b74969 |
+phpinfo() Type Confusion Information Leak Vulnerability
|
|
|
b74969 |
+--FILE--
|
|
|
b74969 |
+
|
|
|
b74969 |
+$PHP_SELF = 1;
|
|
|
b74969 |
+phpinfo(INFO_VARIABLES);
|
|
|
b74969 |
+
|
|
|
b74969 |
+?>
|
|
|
b74969 |
+==DONE==
|
|
|
b74969 |
+--EXPECTF--
|
|
|
b74969 |
+phpinfo()
|
|
|
b74969 |
+
|
|
|
b74969 |
+PHP Variables
|
|
|
b74969 |
+%A
|
|
|
b74969 |
+==DONE==
|
|
|
b74969 |
--
|
|
|
b74969 |
1.9.2
|
|
|
b74969 |
|