[packages/php.git] / php-secbug-67498.patch

commit fb0128af2a95ec0d1a0360be49776c5b056d1f33
Author: Stanislav Malyshev <stas@php.net>
Date:   Mon Jun 23 00:19:37 2014 -0700

    Fix bug #67498 - phpinfo() Type Confusion Information Leak Vulnerability

diff --git a/ext/standard/info.c b/ext/standard/info.c
index 70b2e2f..0f15bbe 100644
--- a/ext/standard/info.c
+++ b/ext/standard/info.c
@@ -875,16 +875,16 @@ PHPAPI void php_print_info(int flag TSRMLS_DC)
 
 		php_info_print_table_start();
 		php_info_print_table_header(2, "Variable", "Value");
-		if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
+		if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 			php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
 		}
-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
+		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 			php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
 		}
-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
+		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 			php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
 		}
-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
+		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 			php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
 		}
 		php_print_gpcse_array(ZEND_STRL("_REQUEST") TSRMLS_CC);
diff --git a/ext/standard/tests/general_functions/bug67498.phpt b/ext/standard/tests/general_functions/bug67498.phpt
new file mode 100644
index 0000000..5b5951b
--- /dev/null
+++ b/ext/standard/tests/general_functions/bug67498.phpt
@@ -0,0 +1,15 @@
+--TEST--
+phpinfo() Type Confusion Information Leak Vulnerability
+--FILE--
+<?php
+$PHP_SELF = 1;
+phpinfo(INFO_VARIABLES);
+
+?>
+==DONE==
+--EXPECTF--
+phpinfo()
+
+PHP Variables
+%A
+==DONE==
Commit	Line	Data
ebe9f60f AM	1	commit fb0128af2a95ec0d1a0360be49776c5b056d1f33
	2	Author: Stanislav Malyshev <stas@php.net>
	3	Date: Mon Jun 23 00:19:37 2014 -0700
	4
	5	Fix bug #67498 - phpinfo() Type Confusion Information Leak Vulnerability
	6
	7	diff --git a/ext/standard/info.c b/ext/standard/info.c
	8	index 70b2e2f..0f15bbe 100644
	9	--- a/ext/standard/info.c
	10	+++ b/ext/standard/info.c
	11	@@ -875,16 +875,16 @@ PHPAPI void php_print_info(int flag TSRMLS_DC)
	12
	13	php_info_print_table_start();
	14	php_info_print_table_header(2, "Variable", "Value");
	15	- if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
	16	+ if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
	17	php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
	18	}
	19	- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
	20	+ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
	21	php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
	22	}
	23	- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
	24	+ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
	25	php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
	26	}
	27	- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
	28	+ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
	29	php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
	30	}
	31	php_print_gpcse_array(ZEND_STRL("_REQUEST") TSRMLS_CC);
	32	diff --git a/ext/standard/tests/general_functions/bug67498.phpt b/ext/standard/tests/general_functions/bug67498.phpt
	33	new file mode 100644
	34	index 0000000..5b5951b
	35	--- /dev/null
	36	+++ b/ext/standard/tests/general_functions/bug67498.phpt
	37	@@ -0,0 +1,15 @@
	38	+--TEST--
	39	+phpinfo() Type Confusion Information Leak Vulnerability
	40	+--FILE--
	41	+<?php
	42	+$PHP_SELF = 1;
	43	+phpinfo(INFO_VARIABLES);
	44	+
	45	+?>
	46	+==DONE==
	47	+--EXPECTF--
	48	+phpinfo()
	49	+
	50	+PHP Variables
	51	+%A
	52	+==DONE==