From 51856a76f87ecb24fe1385342be43610fb6c86e4 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@zend.com>
Date: Thu, 19 Mar 2015 11:36:01 +0300
Subject: [PATCH] Fixed bug #69152
---
ext/soap/soap.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ext/soap/soap.c b/ext/soap/soap.c
index d460c17..41aa1ad 100644
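--- a/ext/soap/soap.c
+++ b/ext/soap/soap.c
@@ -919,6 +919,12 @@ PHP_METHOD(SoapFault, __toString)
 
 zend_call_function(&fci, NULL TSRMLS_CC);
 
+ convert_to_string(faultcode);
+ convert_to_string(faultstring);
+ convert_to_string(file);
+ convert_to_long(line);
+ convert_to_string(trace);
+
 len = spprintf(&str, 0, "SoapFault exception: [%s] %s in %s:%ld\nStack trace:\n%s",
 Z_STRVAL_P(faultcode), Z_STRVAL_P(faultstring), Z_STRVAL_P(file), Z_LVAL_P(line),
 Z_STRLEN_P(trace) ? Z_STRVAL_P(trace) : "#0 {main}\n");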
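Review bot: The five `convert_to_*` calls added before `spprintf` coerce the zvals in place, so if `faultcode`, `faultstring`, `file` and `line` are the object's own property slots (they are fetched above the hunk, which is not visible here), calling `__toString` permanently rewrites the fault's properties, and a shared zval would change for every holder. Consider converting separated copies instead, or at least record the intent with a comment such as `/* properties can hold any type after unserialize(); coerce before Z_STRVAL/Z_LVAL are read */`. `trace` is also used directly after `zend_call_function` with no visible check of that call's result; the rest of the method lies outside the hunk, so that may be handled elsewhere.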
--
2.1.4
From fb83c76deec58f1fab17c350f04c9f042e5977d1 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 22 Mar 2015 18:17:47 -0700
Subject: [PATCH] Check that the type is correct
---
ext/standard/incomplete_class.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/standard/incomplete_class.c b/ext/standard/incomplete_class.c
index 1816ac4..30c82e6 100644
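--- a/ext/standard/incomplete_class.c
+++ b/ext/standard/incomplete_class.c
@@ -144,7 +144,7 @@ PHPAPI char *php_lookup_class_name(zval *object, zend_uint *nlen)
 
 object_properties = Z_OBJPROP_P(object);
 
- if (zend_hash_find(object_properties, MAGIC_MEMBER, sizeof(MAGIC_MEMBER), (void **) &val) == SUCCESS) {
+ if (zend_hash_find(object_properties, MAGIC_MEMBER, sizeof(MAGIC_MEMBER), (void **) &val) == SUCCESS && Z_TYPE_PP(val) == IS_STRING) {
 retval = estrndup(Z_STRVAL_PP(val), Z_STRLEN_PP(val));
 
 if (nlen) {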
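Review bot: The new `Z_TYPE_PP(val) == IS_STRING` test is the only thing protecting the `Z_STRVAL_PP`/`Z_STRLEN_PP` reads on the following line, yet the condition carries no comment saying that the member can arrive with any type from unserialized data. I would add `/* MAGIC_MEMBER comes from unserialize() input and may not be a string */` above the `if`. On the path where the check now fails, nothing in the visible lines assigns `*nlen`; the function continues outside the hunk, so please confirm that callers never read the length when no name is returned.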
--
2.1.4
From a894a8155fab068d68a04bf181dbaddfa01ccbb0 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 5 Apr 2015 17:30:59 -0700
Subject: [PATCH] More fixes for bug #69152
---
Zend/zend_exceptions.c | 3 +++
ext/standard/tests/serialize/bug69152.phpt | 16 ++++++++++++++++
2 files changed, 19 insertions(+)
create mode 100644 ext/standard/tests/serialize/bug69152.phpt
diff --git a/Zend/zend_exceptions.c b/Zend/zend_exceptions.c
index bf90ae7..1ca2ead 100644
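--- a/Zend/zend_exceptions.c
+++ b/Zend/zend_exceptions.c
@@ -536,6 +536,9 @@ ZEND_METHOD(exception, getTraceAsString)
 str = &res;
 
 trace = zend_read_property(default_exception_ce, getThis(), "trace", sizeof("trace")-1, 1 TSRMLS_CC);
+ if(Z_TYPE_P(trace) != IS_ARRAY) {
+ RETURN_FALSE;
+ }
 zend_hash_apply_with_arguments(Z_ARRVAL_P(trace) TSRMLS_CC, (apply_func_args_t)_build_trace_string, 3, str, len, &num);
 
 s_tmp = emalloc(1 + MAX_LENGTH_OF_LONG + 7 + 1);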
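Review bot: The guard added after `zend_read_property` only establishes that `trace` itself is an array; `_build_trace_string` then walks its elements, and that callback is outside the hunk, so it is not visible whether each frame and its entries are type-checked before being read as arrays, strings or longs. If they are not, the same class of type confusion remains one level down and the callback needs equivalent `Z_TYPE` checks. Returning `false` from a method that otherwise yields a string also deserves a one-line comment, for example `/* trace is not an array (e.g. altered via unserialize()); nothing to format */`. As a style point, the surrounding code writes `if (`, so the new `if(` should match.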
diff --git a/ext/standard/tests/serialize/bug69152.phpt b/ext/standard/tests/serialize/bug69152.phpt
new file mode 100644
index 0000000..4e74168
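--- /dev/null
+++ b/ext/standard/tests/serialize/bug69152.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #69152: Type Confusion Infoleak Vulnerability in unserialize()
+--FILE--
+
+$x = unserialize('O:9:"exception":1:{s:16:"'."\0".'Exception'."\0".'trace";s:4:"ryat";}');
+echo $x;
+$x = unserialize('O:4:"test":1:{s:27:"__PHP_Incomplete_Class_Name";R:1;}');
+$x->test();
+
+?>
+--EXPECTF--
+exception 'Exception' in %s:%d
+Stack trace:
+#0 {main}
+
+Fatal error: main(): The script tried to execute a method or access a property of an incomplete object. Please ensure that the class definition "unknown" of the object you are trying to operate on was loaded _before_ unserialize() gets called or provide a __autoload() function to load the class definition in %s on line %d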
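Review bot: This test pins the `Exception` trace check and the `__PHP_Incomplete_Class_Name` type check, but nothing in it exercises the `SoapFault::__toString` conversions that the first patch of this series adds for the same bug. A companion `.phpt` under the soap extension's tests, with a `--SKIPIF--` section for when the extension is absent, would keep that path from regressing. The two cases here also share one script, and the second ends in a fatal error, so any case appended later would never run; separate files per case would be more robust.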
--
2.1.4