Edit report at http://bugs.php.net/bug.php?id=47020&edit=1
ID: 47020
Comment by: spaze-bugs at exploited dot cz
Reported by: kulminaator at gmail dot com
Summary: print_r produces output with $return set to true
Status: Bogus
Type: Bug
Package: Scripting Engine problem
Operating System: Mac OS X 10.5.6
PHP Version: 5.2.8
Block user comment: N
New Comment:
The same issue was present in var_export() though that's now fixed in
5.3.3:
"Rewrote var_export() to use smart_str rather than output buffering,
prevents data disclosure if a fatal error occurs (CVE-2010-2531).
(Scott)"
Previous Comments:
------------------------------------------------------------------------
[2010-06-30 13:53:40] cxscott at uk dot insight dot com
I can confirm that this is definitely an issue, even with error
reporting set to off. I'm using PHP 5.3.2 running on 64-bit Red Hat
Linux.
------------------------------------------------------------------------
[2009-01-15 16:45:29] kulminaator at gmail dot com
After looking around a bit, this extra output of
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx like data is caused by the weird
behaviour of ob_start/ob_end and the fact that output buffers are always
flushed when a fatal error is coughed up from below.
Straight from the source of ext/standard/basic_functions.c:

PHP_FUNCTION(print_r)
{
	zval *var;
	zend_bool i = 0;

	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "z|b", &var, &i) == FAILURE) {
		RETURN_FALSE;
	}

	if (i) {
		php_start_ob_buffer (NULL, 0, 1 TSRMLS_CC);
	}

	zend_print_zval_r(var, 0 TSRMLS_CC);

	if (i) {
		php_ob_get_buffer (return_value TSRMLS_CC);
		php_end_ob_buffer (0, 0 TSRMLS_CC);
	} else {
		RETURN_TRUE;
	}
}

Here the zend_print_zval_r causes creating/appending to ob, ob hits the
memory limit and bang, the output is created, although it never should
be.
Can we hope for a fix (either root out the issue of ob being flushed or
avoiding ob in the first place?) or are we supposed to remove all
sensitive data from ever reaching print_r?
------------------------------------------------------------------------
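A minimal C model of the mechanism described in the comment above, next to the private-string approach that the 5.3.3 changelog entry names for var_export(). This is an added illustration, not code from PHP or from any commenter; MEM_LIMIT, client, engine_write, dump_ob, dump_private, leaks and the sample data are constructed stand-ins for the engine's real machinery.

```c
#include <setjmp.h>
#include <stdio.h>
#include <string.h>
#define MEM_LIMIT 32            /* constructed stand-in for PHP's memory_limit */
static char client[256];        /* bytes that reach the response */
static char ob[MEM_LIMIT + 1];  /* the single active output buffer in this model */
static int ob_active; static jmp_buf bailout;

/* Fatal error: any active output buffer is flushed to the client first. */
static void fatal_error(void) {
    if (ob_active) { strcat(client, ob); ob_active = 0; }
    longjmp(bailout, 1);
}

/* Engine-level write: lands in the output buffer when one is active. */
static void engine_write(const char *s) {
    if (!ob_active) { strcat(client, s); return; }
    if (strlen(ob) + strlen(s) > MEM_LIMIT) fatal_error();
    strcat(ob, s);
}

/* Variant A: capture through the output buffer, as in the print_r() excerpt. */
static void dump_ob(const char **parts, int n, char *out) {
    ob[0] = '\0'; ob_active = 1;
    for (int i = 0; i < n; i++) engine_write(parts[i]);
    strcpy(out, ob); ob_active = 0;
}

/* Variant B: build the string privately; nothing is registered for flushing. */
static void dump_private(const char **parts, int n, char *out) {
    char tmp[MEM_LIMIT + 1] = "";
    for (int i = 0; i < n; i++) {
        if (strlen(tmp) + strlen(parts[i]) > MEM_LIMIT) fatal_error();
        strcat(tmp, parts[i]);
    }
    strcpy(out, tmp);
}

/* Runs one variant on constructed data; returns 1 if the secret reached the client. */
int leaks(int use_ob) {
    static const char *parts[] = { "[password] => s3cret\n", "xxxxxxxxxxxxxxxxxxxx" };
    char out[MEM_LIMIT + 1];
    client[0] = '\0'; ob_active = 0;
    if (setjmp(bailout) == 0) (use_ob ? dump_ob : dump_private)(parts, 2, out);
    return strstr(client, "s3cret") != NULL;
}

int main(void) {
    return printf("ob leaks: %d, private leaks: %d\n", leaks(1), leaks(0)) < 0;
}
```
------------------------------------------------------------------------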
[2009-01-15 15:45:27] kulminaator at gmail dot com
Even with display_errors set to Off or zero, output is still produced.
------------------------------------------------------------------------
[2009-01-15 15:22:04] [email protected]
This has nothing to do with print_r(). Fix your php.ini not to output
errors.
------------------------------------------------------------------------
[2009-01-06 15:19:37] finsoft at gmail dot com
Same thing reproduced on PHP Version 5.2.6, Windows XP Pro SP3, Apache
2.2.8
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/bug.php?id=47020