moriyoshi Tue, 19 Jul 2011 18:17:25 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=313444
Log: - Fixed bug #55107 (Null bytes in URL cause insecure behavior (code execution / code disclosure)). Bug: https://bugs.php.net/55107 (Verified) Null bytes in URL cause insecure behavior (code execution / code disclosure) Changed paths: U php/php-src/branches/PHP_5_4/sapi/cli/php_cli_server.c U php/php-src/trunk/sapi/cli/php_cli_server.c
Modified: php/php-src/branches/PHP_5_4/sapi/cli/php_cli_server.c
===================================================================
--- php/php-src/branches/PHP_5_4/sapi/cli/php_cli_server.c 2011-07-19 18:08:09 UTC (rev 313443)
+++ php/php-src/branches/PHP_5_4/sapi/cli/php_cli_server.c 2011-07-19 18:17:25 UTC (rev 313444)
@@ -242,6 +242,7 @@
 };
 static php_cli_server_http_reponse_status_code_pair template_map[] = {
+ { 400, "<h1 class=\"h\">%s</h1><p>Your browser sent a request that this server could not understand.</p>" },
 { 404, "<h1 class=\"h\">%s</h1><p>The requested resource %s was not found on this server.</p>" },
 { 500, "<h1 class=\"h\">%s</h1><p>The server is temporality unavaiable.</p>" }
 };
@@ -1600,6 +1601,11 @@
 destroy_request_info(&SG(request_info));
 return FAILURE;
 }
+ if (strlen(client->request.path_translated) != client->request.path_translated_len) {
+ /* can't handle paths that contain nul bytes */
+ destroy_request_info(&SG(request_info));
+ return php_cli_server_send_error_page(server, client, 400 TSRMLS_CC);
+ }
 {
 zend_file_handle zfd;
 zfd.type = ZEND_HANDLE_FILENAME;
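Review bot: In the @@ -1600 hunk the new check calls `strlen(client->request.path_translated)` unguarded, while the same comparison in the @@ -1625 hunk is preceded by `client->request.path_translated &&`; if the pointer can be NULL on this path too, the strlen() is a NULL dereference. Either use the guarded form here as well, `if (client->request.path_translated && strlen(client->request.path_translated) != client->request.path_translated_len) {`, or add a comment stating that callers only reach this point with a translated path. The 400 return also comes after the failure branch visible in the context lines, so it should be confirmed that `destroy_request_info()` is the only cleanup owed at that point. The trunk copy of this hunk is identical, and the enclosing function starts and ends outside the hunk.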
@@ -1625,6 +1631,11 @@
 int fd;
 int status = 200;
+ if (client->request.path_translated && strlen(client->request.path_translated) != client->request.path_translated_len) {
+ /* can't handle paths that contain nul bytes */
+ return php_cli_server_send_error_page(server, client, 400 TSRMLS_CC);
+ }
+
 fd = client->request.path_translated ? open(client->request.path_translated, O_RDONLY): -1;
 if (fd < 0) {
 char *errstr = get_last_error();
Modified: php/php-src/trunk/sapi/cli/php_cli_server.c
===================================================================
--- php/php-src/trunk/sapi/cli/php_cli_server.c 2011-07-19 18:08:09 UTC (rev 313443)
+++ php/php-src/trunk/sapi/cli/php_cli_server.c 2011-07-19 18:17:25 UTC (rev 313444)
@@ -242,6 +242,7 @@
 };
 static php_cli_server_http_reponse_status_code_pair template_map[] = {
+ { 400, "<h1 class=\"h\">%s</h1><p>Your browser sent a request that this server could not understand.</p>" },
 { 404, "<h1 class=\"h\">%s</h1><p>The requested resource %s was not found on this server.</p>" },
 { 500, "<h1 class=\"h\">%s</h1><p>The server is temporality unavaiable.</p>" }
 };
@@ -1600,6 +1601,11 @@
 destroy_request_info(&SG(request_info));
 return FAILURE;
 }
+ if (strlen(client->request.path_translated) != client->request.path_translated_len) {
+ /* can't handle paths that contain nul bytes */
+ destroy_request_info(&SG(request_info));
+ return php_cli_server_send_error_page(server, client, 400 TSRMLS_CC);
+ }
 {
 zend_file_handle zfd;
 zfd.type = ZEND_HANDLE_FILENAME;
@@ -1625,6 +1631,11 @@
 int fd;
 int status = 200;
+ if (client->request.path_translated && strlen(client->request.path_translated) != client->request.path_translated_len) {
+ /* can't handle paths that contain nul bytes */
+ return php_cli_server_send_error_page(server, client, 400 TSRMLS_CC);
+ }
+
 fd = client->request.path_translated ? open(client->request.path_translated, O_RDONLY): -1;
 if (fd < 0) {
 char *errstr = get_last_error();
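Review bot: The NUL-byte test in the PHP_5_4 @@ -1625 hunk repeats the one added at @@ -1600, so the rule now lives in two call sites and any other consumer of `path_translated` has to remember to apply it; a small static helper called from both places would keep the rule in one spot. Rejecting the request where the path is first decoded would do the same, though that code is outside this diff. The comment would also be more useful if it gave the reason, for example `/* open() stops at the first NUL byte, so the file opened would differ from the path the client asked for */`. The trunk hunks are identical to the PHP_5_4 ones, and the enclosing function starts and ends outside the hunk.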
