Edit report at http://bugs.php.net/bug.php?id=52998&edit=1
ID: 52998
Comment by: kees at outflux dot net
Reported by: kees at outflux dot net
Summary: memory content leak when using invalid utf-8 with XMLWriter::writeAttribute
Status: Open
Type: Bug
Package: XML Writer
Operating System: Ubuntu 10.10
PHP Version: 5.3.3
Block user comment: N
New Comment:
This was discovered in Ubuntu, btw:
https://bugs.launchpad.net/php/+bug/655442
Previous Comments:
------------------------------------------------------------------------
[2010-10-06 03:52:16] kees at outflux dot net
Description:
------------
It seems that PHP is not correctly using libxml2's xmlwriter routines,
and allows passing in invalid utf-8 strings which are then misparsed by
libxml2, allowing memory contents to leak into the resulting output.
Test script:
---------------
<?php
# Copyright 2010, Canonical, Ltd.
# Author: Kees Cook <[email protected]>
# License: GPLv3
#
# Proof-of-concept memory content leak
$xw = new XMLWriter();
$xw->openURI('php://output');
$xw->startElement('input');
$xw->writeAttribute('value', "\xe0\x81");
$xw->endElement();
?>
Expected result:
----------------
<input value="à&#e81"/>
Actual result:
--------------
PHP Warning: XMLWriter::writeAttribute(): string is not in UTF-8 in
/tmp/xmlwriter.php on line 12
<input value="@±ï¿½Ë[����ĹJ���R���Q"/>
------------------------------------------------------------------------
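Added example, not part of the original report and not PHP's or libxml2's code: a length-bounded UTF-8 well-formedness check of the kind a caller can run on a string before handing it to an XML writer, applied to the attribute value from the test script. The function name utf8_first_invalid and the valid sample are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper: return the offset of the first byte that breaks
 * UTF-8 well-formedness (RFC 3629), or -1 if all len bytes are valid.
 * It never reads past s[len - 1]. */
long utf8_first_invalid(const unsigned char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char c = s[i];
        size_t need;                          /* continuation bytes expected */
        unsigned char lo = 0x80, hi = 0xBF;   /* allowed range of 2nd byte */

        if (c < 0x80) { i++; continue; }      /* ASCII */
        else if (c >= 0xC2 && c <= 0xDF) need = 1;
        else if (c >= 0xE0 && c <= 0xEF) {
            need = 2;
            if (c == 0xE0) lo = 0xA0;         /* reject overlong forms */
            if (c == 0xED) hi = 0x9F;         /* reject UTF-16 surrogates */
        } else if (c >= 0xF0 && c <= 0xF4) {
            need = 3;
            if (c == 0xF0) lo = 0x90;         /* reject overlong forms */
            if (c == 0xF4) hi = 0x8F;         /* reject > U+10FFFF */
        } else return (long)i;                /* stray continuation, C0/C1, F5..FF */

        if (len - i - 1 < need) return (long)i;              /* truncated sequence */
        if (s[i + 1] < lo || s[i + 1] > hi) return (long)i;  /* bad 2nd byte */
        for (size_t k = 2; k <= need; k++)
            if ((s[i + k] & 0xC0) != 0x80) return (long)i;   /* bad continuation */
        i += need + 1;
    }
    return -1;
}

int main(void)
{
    /* The attribute value from the test script: 0xE0 announces a
     * three-byte sequence, but only one more byte follows. */
    static const unsigned char poc[] = { 0xE0, 0x81 };
    static const unsigned char ok[]  = { 0xC3, 0xA0 };  /* constructed: U+00E0 */
    printf("poc: first invalid offset %ld\n", utf8_first_invalid(poc, sizeof poc));
    printf("ok:  first invalid offset %ld\n", utf8_first_invalid(ok, sizeof ok));
    return 0;
}
```

The check takes an explicit length and compares the remaining byte count against what the lead byte announces before touching any continuation byte, so a truncated sequence is rejected instead of being decoded.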