[packages/php.git] / php-secbug-67498.patch

commit fb0128af2a95ec0d1a0360be49776c5b056d1f33
Author: Stanislav Malyshev <stas@php.net>
Date:   Mon Jun 23 00:19:37 2014 -0700

    Fix bug #67498 - phpinfo() Type Confusion Information Leak Vulnerability

diff -urNp -x '*.orig' php-5.2.17.org/ext/standard/info.c php-5.2.17/ext/standard/info.c
--- php-5.2.17.org/ext/standard/info.c	2021-10-23 19:14:45.793125049 +0200
+++ php-5.2.17/ext/standard/info.c	2021-10-23 19:14:48.309791715 +0200
@@ -780,16 +780,16 @@ PHPAPI void php_print_info(int flag TSRM
 
 		php_info_print_table_start();
 		php_info_print_table_header(2, "Variable", "Value");
-		if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
+		if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 			php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
 		}
-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
+		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 			php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
 		}
-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
+		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 			php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
 		}
-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
+		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 			php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
 		}
 		php_print_gpcse_array("_REQUEST", sizeof("_REQUEST")-1 TSRMLS_CC);
diff -urNp -x '*.orig' php-5.2.17.org/ext/standard/tests/general_functions/bug67498.phpt php-5.2.17/ext/standard/tests/general_functions/bug67498.phpt
--- php-5.2.17.org/ext/standard/tests/general_functions/bug67498.phpt	1970-01-01 01:00:00.000000000 +0100
+++ php-5.2.17/ext/standard/tests/general_functions/bug67498.phpt	2021-10-23 19:14:48.309791715 +0200
@@ -0,0 +1,15 @@
+--TEST--
+phpinfo() Type Confusion Information Leak Vulnerability
+--FILE--
+<?php
+$PHP_SELF = 1;
+phpinfo(INFO_VARIABLES);
+
+?>
+==DONE==
+--EXPECTF--
+phpinfo()
+
+PHP Variables
+%A
+==DONE==
Commit	Line	Data
ebe9f60f AM	1	commit fb0128af2a95ec0d1a0360be49776c5b056d1f33
	2	Author: Stanislav Malyshev <stas@php.net>
	3	Date: Mon Jun 23 00:19:37 2014 -0700
	4
	5	Fix bug #67498 - phpinfo() Type Confusion Information Leak Vulnerability
	6
f9fed404 AM	7	diff -urNp -x '*.orig' php-5.2.17.org/ext/standard/info.c php-5.2.17/ext/standard/info.c
	8	--- php-5.2.17.org/ext/standard/info.c 2021-10-23 19:14:45.793125049 +0200
	9	+++ php-5.2.17/ext/standard/info.c 2021-10-23 19:14:48.309791715 +0200
	10	@@ -780,16 +780,16 @@ PHPAPI void php_print_info(int flag TSRM
ebe9f60f AM	11
	12	php_info_print_table_start();
	13	php_info_print_table_header(2, "Variable", "Value");
	14	- if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
	15	+ if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
	16	php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
	17	}
	18	- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
	19	+ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
	20	php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
	21	}
	22	- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
	23	+ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
	24	php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
	25	}
	26	- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
	27	+ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
	28	php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
	29	}
f9fed404 AM	30	php_print_gpcse_array("_REQUEST", sizeof("_REQUEST")-1 TSRMLS_CC);
	31	diff -urNp -x '*.orig' php-5.2.17.org/ext/standard/tests/general_functions/bug67498.phpt php-5.2.17/ext/standard/tests/general_functions/bug67498.phpt
	32	--- php-5.2.17.org/ext/standard/tests/general_functions/bug67498.phpt 1970-01-01 01:00:00.000000000 +0100
	33	+++ php-5.2.17/ext/standard/tests/general_functions/bug67498.phpt 2021-10-23 19:14:48.309791715 +0200
ebe9f60f AM	34	@@ -0,0 +1,15 @@
	35	+--TEST--
	36	+phpinfo() Type Confusion Information Leak Vulnerability
	37	+--FILE--
	38	+<?php
	39	+$PHP_SELF = 1;
	40	+phpinfo(INFO_VARIABLES);
	41	+
	42	+?>
	43	+==DONE==
	44	+--EXPECTF--
	45	+phpinfo()
	46	+
	47	+PHP Variables
	48	+%A
	49	+==DONE==