1 commit fb0128af2a95ec0d1a0360be49776c5b056d1f33
2 Author: Stanislav Malyshev <stas@php.net>
3 Date: Mon Jun 23 00:19:37 2014 -0700
5 Fix bug #67498 - phpinfo() Type Confusion Information Leak Vulnerability
7 diff --git a/ext/standard/info.c b/ext/standard/info.c
8 index 70b2e2f..0f15bbe 100644
9 --- a/ext/standard/info.c
10 +++ b/ext/standard/info.c
11 @@ -875,16 +875,16 @@ PHPAPI void php_print_info(int flag TSRMLS_DC)
13 php_info_print_table_start();
14 php_info_print_table_header(2, "Variable", "Value");
15 - if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
16 + if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
17 php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
19 - if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
20 + if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
21 php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
23 - if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
24 + if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
25 php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
27 - if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
28 + if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
29 php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
31 php_print_gpcse_array(ZEND_STRL("_REQUEST") TSRMLS_CC);
32 diff --git a/ext/standard/tests/general_functions/bug67498.phpt b/ext/standard/tests/general_functions/bug67498.phpt
34 index 0000000..5b5951b
36 +++ b/ext/standard/tests/general_functions/bug67498.phpt
39 +phpinfo() Type Confusion Information Leak Vulnerability
43 +phpinfo(INFO_VARIABLES);