php-secbug-67498.patch

   1 commit fb0128af2a95ec0d1a0360be49776c5b056d1f33
   2 Author: Stanislav Malyshev <stas@php.net>
   3 Date:   Mon Jun 23 00:19:37 2014 -0700
   4
   5     Fix bug #67498 - phpinfo() Type Confusion Information Leak Vulnerability
   6
   7 diff -urNp -x '*.orig' php-5.2.17.org/ext/standard/info.c php-5.2.17/ext/standard/info.c
   8 --- php-5.2.17.org/ext/standard/info.c  2021-10-23 19:14:45.793125049 +0200
   9 +++ php-5.2.17/ext/standard/info.c      2021-10-23 19:14:48.309791715 +0200
  10 @@ -780,16 +780,16 @@ PHPAPI void php_print_info(int flag TSRM
  11
  12                 php_info_print_table_start();
  13                 php_info_print_table_header(2, "Variable", "Value");
  14 -               if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
  15 +               if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
  16                         php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
  17                 }
  18 -               if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
  19 +               if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
  20                         php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
  21                 }
  22 -               if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
  23 +               if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
  24                         php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
  25                 }
  26 -               if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
  27 +               if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
  28                         php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
  29                 }
  30                 php_print_gpcse_array("_REQUEST", sizeof("_REQUEST")-1 TSRMLS_CC);
  31 diff -urNp -x '*.orig' php-5.2.17.org/ext/standard/tests/general_functions/bug67498.phpt php-5.2.17/ext/standard/tests/general_functions/bug67498.phpt
  32 --- php-5.2.17.org/ext/standard/tests/general_functions/bug67498.phpt   1970-01-01 01:00:00.000000000 +0100
  33 +++ php-5.2.17/ext/standard/tests/general_functions/bug67498.phpt       2021-10-23 19:14:48.309791715 +0200
  34 @@ -0,0 +1,15 @@
  35 +--TEST--
  36 +phpinfo() Type Confusion Information Leak Vulnerability
  37 +--FILE--
  38 +<?php
  39 +$PHP_SELF = 1;
  40 +phpinfo(INFO_VARIABLES);
  41 +
  42 +?>
  43 +==DONE==
  44 +--EXPECTF--
  45 +phpinfo()
  46 +
  47 +PHP Variables
  48 +%A
  49 +==DONE==