| author | Julien Pauli <jpauli@php.net> | 2015-09-02 17:51:02 +0200 |
|---|---|---|
| committer | Julien Pauli <jpauli@php.net> | 2015-09-02 17:51:02 +0200 |
| commit | 60e2207c34c8c277a1dd34ede6b638cec8ef91c0 (patch) | |
| tree | 8e89c85e9b593a0fdf88967819a8b758b03bbd72 | |
| parent | 7cf8df55970b0c2a44bae5c56c6a74dfb1ccfe08 (diff) | |
| parent | c07150cd1a11d3bed7e88068869d515f91d980b5 (diff) | |
| download | php-git-60e2207c34c8c277a1dd34ede6b638cec8ef91c0.tar.gz | |
Merge branch 'PHP-5.6'
* PHP-5.6:
5.5.30 next
More fixes for bug #70219
Conflicts:
ext/pcre/php_pcre.c
ext/session/session.c
| -rw-r--r-- | ext/standard/tests/serialize/bug70219_1.phpt | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/ext/standard/tests/serialize/bug70219_1.phpt b/ext/standard/tests/serialize/bug70219_1.phpt
new file mode 100644
index 0000000000..f9c4c672fd
--- /dev/null
+++ b/ext/standard/tests/serialize/bug70219_1.phpt
@@ -0,0 +1,46 @@
+--TEST--
+Bug #70219 Use after free vulnerability in session deserializer
+--FILE--
+<?php
+ini_set('session.serialize_handler', 'php_serialize');
+session_start();
+
+class obj implements Serializable {
+ var $data;
+ function serialize() {
+ return serialize($this->data);
+ }
+ function unserialize($data) {
+ session_decode($data);
+ }
+}
+
+$inner = 'r:2;';
+$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;C:3:"obj":'.strlen($inner).':{'.$inner.'}}';
+
+$data = unserialize($exploit);
+
+for ($i = 0; $i < 5; $i++) {
+ $v[$i] = 'hi'.$i;
+}
+
+var_dump($data);
+var_dump($_SESSION);
+?>
+--EXPECTF--
+array(2) {
+ [0]=>
+ &object(obj)#%d (1) {
+ ["data"]=>
+ NULL
+ }
+ [1]=>
+ object(obj)#%d (1) {
+ ["data"]=>
+ NULL
+ }
+}
+object(obj)#1 (1) {
+ ["data"]=>
+ NULL
+}
\ No newline at end of file |
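Review bot: The new test has no `--SKIPIF--` section even though the `--FILE--` body calls `session_start()` and `session_decode()`, so on a build without the session extension it would fail on an undefined function instead of being skipped; adding `--SKIPIF--` followed by `<?php if (!extension_loaded('session')) die('skip session extension not loaded'); ?>` before `--FILE--` would avoid that. In `--EXPECTF--` the last dump pins `object(obj)#1` while the two earlier ones use `#%d`; using `#%d` there as well would keep the expectation independent of how object handles happen to be allocated. A short comment above the `for` loop that fills `$v` would help the next maintainer, since it presumably exists to reuse memory released during the nested decode. Because the expected output alone may not reveal a memory error, this regression test is most useful when the suite is also run under a memory checker.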
