php-secbug-67498.patch

   1 commit fb0128af2a95ec0d1a0360be49776c5b056d1f33
   2 Author: Stanislav Malyshev <stas@php.net>
   3 Date:   Mon Jun 23 00:19:37 2014 -0700
   4
   5     Fix bug #67498 - phpinfo() Type Confusion Information Leak Vulnerability
   6
   7 diff --git a/ext/standard/info.c b/ext/standard/info.c
   8 index 70b2e2f..0f15bbe 100644
   9 --- a/ext/standard/info.c
  10 +++ b/ext/standard/info.c
  11 @@ -875,16 +875,16 @@ PHPAPI void php_print_info(int flag TSRMLS_DC)
  12
  13                 php_info_print_table_start();
  14                 php_info_print_table_header(2, "Variable", "Value");
  15 -               if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
  16 +               if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
  17                         php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
  18                 }
  19 -               if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
  20 +               if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
  21                         php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
  22                 }
  23 -               if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
  24 +               if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
  25                         php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
  26                 }
  27 -               if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
  28 +               if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
  29                         php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
  30                 }
  31                 php_print_gpcse_array(ZEND_STRL("_REQUEST") TSRMLS_CC);
  32 diff --git a/ext/standard/tests/general_functions/bug67498.phpt b/ext/standard/tests/general_functions/bug67498.phpt
  33 new file mode 100644
  34 index 0000000..5b5951b
  35 --- /dev/null
  36 +++ b/ext/standard/tests/general_functions/bug67498.phpt
  37 @@ -0,0 +1,15 @@
  38 +--TEST--
  39 +phpinfo() Type Confusion Information Leak Vulnerability
  40 +--FILE--
  41 +<?php
  42 +$PHP_SELF = 1;
  43 +phpinfo(INFO_VARIABLES);
  44 +
  45 +?>
  46 +==DONE==
  47 +--EXPECTF--
  48 +phpinfo()
  49 +
  50 +PHP Variables
  51 +%A
  52 +==DONE==