1 | commit fb0128af2a95ec0d1a0360be49776c5b056d1f33 |
2 | Author: Stanislav Malyshev <stas@php.net> | |
3 | Date: Mon Jun 23 00:19:37 2014 -0700 | |
4 | ||
5 | Fix bug #67498 - phpinfo() Type Confusion Information Leak Vulnerability | |
6 | ||
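--- a/ext/standard/info.c
+++ b/ext/standard/info.c
@@ -780,16 +780,16 @@ PHPAPI void php_print_info(int flag TSRM
 
 php_info_print_table_start();
 php_info_print_table_header(2, "Variable", "Value");
- if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
+ if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
 }
- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
+ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
 }
- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
+ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
 }
- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
+ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
 }
 php_print_gpcse_array("_REQUEST", sizeof("_REQUEST")-1 TSRMLS_CC);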
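Review bot: Nothing near the four added `Z_TYPE_PP(data) == IS_STRING` checks says why they are there. The same guard is repeated by hand for PHP_SELF, PHP_AUTH_TYPE, PHP_AUTH_USER and PHP_AUTH_PW, so a later lookup added to this list could easily go in without it. A comment above the first lookup would record the reason: `/* Entries in the global symbol table can be reassigned by the script, so check the zval type before reading Z_STRVAL_PP(). */`. A non-string value is now skipped without any row being printed; if that is intended, the comment should say so. php_print_info() starts and ends outside this hunk, so whether other Z_STRVAL reads in it, or in php_print_gpcse_array(), carry the same check cannot be judged from here.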
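--- a/ext/standard/tests/general_functions/bug67498.phpt
+++ b/ext/standard/tests/general_functions/bug67498.phpt
@@ -0,0 +1,15 @@
+--TEST--
+phpinfo() Type Confusion Information Leak Vulnerability
+--FILE--
+<?php
+$PHP_SELF = 1;
+phpinfo(INFO_VARIABLES);
+
+?>
+==DONE==
+--EXPECTF--
+phpinfo()
+
+PHP Variables
+%A
+==DONE==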
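Review bot: The test reassigns only `$PHP_SELF`, while the fix guards four lookups, so a regression in the PHP_AUTH_TYPE, PHP_AUTH_USER or PHP_AUTH_PW branch would go unnoticed. Adding `$PHP_AUTH_TYPE = 1; $PHP_AUTH_USER = 1; $PHP_AUTH_PW = 1;` before the `phpinfo(INFO_VARIABLES);` call would cover them. The `%A` in --EXPECTF-- accepts any output, so the test passes whenever phpinfo() runs through to `==DONE==`. It presumably relies on the unguarded code failing outright and does not check what ends up in the table.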