diff options
| author | Stanislav Malyshev <stas@php.net> | 2014-06-23 00:19:37 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2014-06-23 00:22:59 -0700 |
| commit | fb0128af2a95ec0d1a0360be49776c5b056d1f33 (patch) | |
| tree | 46e71fa3bc1049d9184c9188ee788cb6718b0be5 | |
| parent | f3dd77714de06b927677bec61aa4d13ef1035786 (diff) | |
| download | php-git-fb0128af2a95ec0d1a0360be49776c5b056d1f33.tar.gz | |
Fix bug #67498 - phpinfo() Type Confusion Information Leak Vulnerability
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | ext/standard/info.c | 8 | ||||
| -rw-r--r-- | ext/standard/tests/general_functions/bug67498.phpt | 15 |
3 files changed, 21 insertions, 4 deletions
@@ -9,6 +9,8 @@ PHP NEWS . Fixed bug #67390 (insecure temporary file use in the configure script). (CVE-2014-3981) (Remi) . Fixed bug #67399 (putenv with empty variable may lead to crash). (Stas) + . Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability). + (Stefan Esser) - CLI server: . Fixed Bug #67406 (built-in web-server segfaults on startup). (Remi) diff --git a/ext/standard/info.c b/ext/standard/info.c index 70b2e2f617..0f15bbefd6 100644 --- a/ext/standard/info.c +++ b/ext/standard/info.c @@ -875,16 +875,16 @@ PHPAPI void php_print_info(int flag TSRMLS_DC) php_info_print_table_start(); php_info_print_table_header(2, "Variable", "Value"); - if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) { + if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) { php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data)); } - if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) { + if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) { php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data)); } - if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) { + if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) { php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data)); } - if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) { + if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) { php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data)); } php_print_gpcse_array(ZEND_STRL("_REQUEST") TSRMLS_CC); diff --git a/ext/standard/tests/general_functions/bug67498.phpt b/ext/standard/tests/general_functions/bug67498.phpt new file mode 100644 index 0000000000..5b5951b0f8 --- /dev/null +++ b/ext/standard/tests/general_functions/bug67498.phpt @@ -0,0 +1,15 @@ +--TEST-- +phpinfo() Type Confusion Information Leak Vulnerability +--FILE-- +<?php +$PHP_SELF = 1; +phpinfo(INFO_VARIABLES); + +?> +==DONE== +--EXPECTF-- +phpinfo() + +PHP Variables +%A +==DONE== |