author | Nikita Popov <nikic@php.net> | 2016-07-30 15:10:54 +0200 |
---|---|---|
committer | Nikita Popov <nikic@php.net> | 2016-07-30 15:13:03 +0200 |
commit | e87ac688d5e700fdb56b37fda8b011d6b05b97fc (patch) | |
tree | 35ef9861de24397e8a21253d2e06edf2e4de63d0 | |
parent | 1d32b809034ea4cd0e765ae9fda6ca16ae045fdd (diff) | |
download | php-git-e87ac688d5e700fdb56b37fda8b011d6b05b97fc.tar.gz |
Fixed bug #72142
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | ext/wddx/tests/bug72142.phpt | 13 | ||||
-rw-r--r-- | ext/wddx/wddx.c | 9 |
3 files changed, 25 insertions, 1 deletions
@@ -89,6 +89,10 @@ PHP NEWS
 . Implemented FR #72653 (SQLite should allow opening with empty filename). (cmb)
+- Wddx:
+ . Fixed bug #72142 (WDDX Packet Injection Vulnerability in
+ wddx_serialize_value()). (Taoguang Chen)
+
 21 Jul 2016, PHP 5.6.24
 - Core:
diff --git a/ext/wddx/tests/bug72142.phpt b/ext/wddx/tests/bug72142.phpt
new file mode 100644
index 0000000000..3976bb2554
--- /dev/null
+++ b/ext/wddx/tests/bug72142.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #72142: WDDX Packet Injection Vulnerability in wddx_serialize_value()
+--FILE--
+<?php
+
+$wddx = wddx_serialize_value('', '</comment></header><data><struct><var name="php_class_name"><string>stdClass</string></var></struct></data></wddxPacket>');
+var_dump($wddx);
+var_dump(wddx_deserialize($wddx));
+
+?>
+--EXPECT--
+string(301) "<wddxPacket version='1.0'><header><comment></comment></header><data><struct><var name="php_class_name"><string>stdClass</string></var></struct></data></wddxPacket></comment></header><data><string></string></data></wddxPacket>"
+string(0) ""
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index 6a23fa1c1e..6387ca2ecd 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -371,11 +371,18 @@ void php_wddx_packet_start(wddx_packet *packet, char *comment, int comment_len)
 {
 php_wddx_add_chunk_static(packet, WDDX_PACKET_S);
 if (comment) {
+ char *escaped;
+ size_t escaped_len;
+ escaped = php_escape_html_entities(
+ comment, comment_len, &escaped_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
+
 php_wddx_add_chunk_static(packet, WDDX_HEADER_S);
 php_wddx_add_chunk_static(packet, WDDX_COMMENT_S);
- php_wddx_add_chunk_ex(packet, comment, comment_len);
+ php_wddx_add_chunk_ex(packet, escaped, escaped_len);
 php_wddx_add_chunk_static(packet, WDDX_COMMENT_E);
 php_wddx_add_chunk_static(packet, WDDX_HEADER_E);
+
+ str_efree(escaped);
 } else {
 php_wddx_add_chunk_static(packet, WDDX_HEADER);
 }
|
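Review bot: The escaping call added at the top of the `if (comment)` branch in the wddx.c hunk passes only `ENT_QUOTES`, so, as htmlspecialchars() does, a comment holding a byte sequence that is invalid for the default charset makes php_escape_html_entities return an empty string and the comment is silently dropped rather than rejected or substituted; if callers should still see their comment, the flags line would become `comment, comment_len, &escaped_len, 0, ENT_QUOTES | ENT_SUBSTITUTE, NULL TSRMLS_CC);`, which replaces invalid sequences with U+FFFD instead. Whichever is chosen deserves a comment, since nothing in the hunk says why a WDDX comment is run through an HTML escaper; `/* comment is caller-supplied and emitted verbatim inside <comment>; escape it so markup in it cannot close the header and inject packet data (bug #72142) */` above the call would do. `escaped_len` is a `size_t` while the function's `comment_len` parameter is an `int`; that is fine as long as php_wddx_add_chunk_ex accepts a size_t length, which cannot be confirmed from the hunk. php_wddx_packet_start's body continues past the end of the hunk.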