Bug #63200 [Com]: Apache 2.2 crashes when PHP called with negative Content-Length HTTP header

2013-05-03 Thread thomas at partyflock dot nl
Edit report at https://bugs.php.net/bug.php?id=63200&edit=1

 ID: 63200
 Comment by: thomas at partyflock dot nl
 Reported by: chris at whyley dot com
 Summary: Apache 2.2 crashes when PHP called with negative Content-Length HTTP header
 Status: Open
 Type: Bug
 Package: Reproducible crash
 Operating System: Windows Server 2003
 PHP Version: 5.3.17
 Block user comment: N
 Private report: N

 New Comment:

I had this in 5.4.4 on my production servers but not on an identical test
server, which runs on a local domain but uses the same (version) php, apache
and modules.

The test server always returns a normal 200 page on the test server though,
don't ask me why.

Removing the custom ErrorDocument indeed solves the problem.


Previous Comments:

[2013-02-18 11:08:42] chris at whyley dot com

Re-opening this bug as it still exists in the 5.3 stream.


[2013-02-18 00:36:03] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.


[2012-10-05 10:26:01] chris at whyley dot com

I have not tested this issue under version 5.4 as my environment is set up for
5.3.17 - Are you able to recreate in 5.3.17?

It always crashes no matter what I have in index.php - in fact I can call any 
page and cause the crash to happen.


[2012-10-05 04:26:26] larue...@php.net

I cannot reproduce this with 5.4, and from the backtrace, it seems to crash in
another place.

So, is it related to your index.php? Does it always crash no matter what the
index.php is?


[2012-10-02 14:45:02] chris at whyley dot com

Description:

Apache 2.2 with PHP 5.3.17 on Windows Server 2003 can be made to repeatably
crash by doing the following:

(1) Configure your Apache server to use a custom error handling page for the
HTTP 413 error (Request entity too large) by inserting this line into your
httpd.conf:

ErrorDocument 413 /error/

(2) Run the Python test script detailed below to send an HTTP GET request to
the server with a negative integer for the HTTP "Content-Length" header and
with the "Accept-Encoding" header set to "gzip, deflate".

When this is run, Apache crashes with the following error:

[Tue Oct 02 13:46:16 2012] [error] [client 10.211.55.3] Invalid Content-Length
[Tue Oct 02 13:46:22 2012] [notice] Parent: child process exited with status 
3221225477 -- Restarting.

This issue is a particular problem in the wild where many modern browsers
aren't capable of handling file uploads over 2GB in size - instead of posting
an accurate filesize for the Content-Length header they use a negative integer
instead, causing the Apache server running PHP to crash. For further
information on this see http://www.motobit.com/help/scptutl/pa98.htm

The script could be used to perform DoS attacks on vulnerable systems.

Test script:
---
#!/usr/bin/env python3
# Sends a single GET whose Content-Length is negative. The header block is
# kept byte-for-byte as in the report (bare-LF line endings, Accept-Encoding
# set), since those are the conditions under which the crash was observed.

import socket
import sys

target = "10.211.55.3"
port = 80

request = (
    "GET / HTTP/1.1\n"
    "Host: " + target + "\n"
    "Accept-Encoding:gzip, deflate\n"
    "Content-Length: -1\n\n"
).encode("ascii")

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((target, port))
except OSError as e:
    print("[-] Connection to %s:%s failed: %s" % (target, port, e))
    sys.exit(1)
print("[+] Sending HTTP request. Check for crash on target.")
s.sendall(request)
s.close()

Expected result:

Stable Apache, no crash.

Actual result:
--
Thread 2 - System ID 3008
Entry point   msvcrt!_endthreadex+3a 
Create time   10/2/2012 2:29:08 PM 
Time spent in user mode   0 Days 0:0:0.0 
Time spent in kernel mode   0 Days 0:0:0.15 


Full Call Stack

Function                                Arg 1 Arg 2 Arg 3 Arg 4             Source
php5ts!zend_hash_index_find+17          016f3460 000d 018ee6c0              c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_hash.c @ 985
php5ts!_zend_list_delete+27             000d 016b0150 029811c0 016b0150     c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\zend\zend_list.c @ 55 + 27
php5ts!_php_stream_free+ae              029811c0 0003 016b0150 029811c0     c:\php-sdk\snap_5_3\vc9\x86\php-5.3.17\main\streams\streams.c @ 399 + a
php5ts!php_zend_stream_mmap_closer+1a   029811c0
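
The two error_log lines quoted in this report ("Invalid Content-Length" from a client, followed six seconds later by "child process exited with status 3221225477 -- Restarting.") are the detectable footprint of the crash. The following is an added example, not code from the bug report or from PHP or Apache: a small Python correlator that parses Apache 2.2 error_log lines in that format and flags a child-process crash that follows an Invalid Content-Length from some client within a short window. The sample log is constructed from the format in the report (the first two lines are the report's own; the later lines, the 192.0.2.10 and 198.51.100.7 addresses and the 30-second default window are assumptions). 3221225477 is decimal for 0xC0000005, the Windows STATUS_ACCESS_VIOLATION code.

```python
import re
from datetime import datetime, timedelta

# Apache 2.2 error_log line, as quoted in the report:
# [Tue Oct 02 13:46:16 2012] [error] [client 10.211.55.3] Invalid Content-Length
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4})\] "
    r"\[(?P<level>\w+)\] (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
CRASH_RE = re.compile(r"child process exited with status (?P<status>\d+)")

# 3221225477 in the report is 0xC0000005, NTSTATUS STATUS_ACCESS_VIOLATION.
STATUS_ACCESS_VIOLATION = 0xC0000005

# Constructed sample log. Lines 1-2 are the report's own; the rest are made up
# (192.0.2.10 and 198.51.100.7 are documentation addresses).
SAMPLE_LOG = [
    "[Tue Oct 02 13:46:16 2012] [error] [client 10.211.55.3] Invalid Content-Length",
    "[Tue Oct 02 13:46:22 2012] [notice] Parent: child process exited with status 3221225477 -- Restarting.",
    "[Tue Oct 02 13:50:01 2012] [error] [client 192.0.2.10] Invalid Content-Length",
    "[Tue Oct 02 13:55:40 2012] [notice] Parent: child process exited with status 3221225477 -- Restarting.",
    "[Tue Oct 02 14:02:00 2012] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico",
]


def parse_line(line):
    """Return a dict with ts/level/client/msg, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
        "level": m.group("level"),
        "client": m.group("client"),  # None for lines without a [client ...] field
        "msg": m.group("msg"),
    }


def correlate(lines, window_seconds=30):
    """Pair each 'Invalid Content-Length' with a child crash that follows it within
    window_seconds. A crash consumes the pending candidates, so one crash is never
    blamed on requests that arrive after it."""
    window = timedelta(seconds=window_seconds)
    pending = []
    findings = []
    for event in filter(None, map(parse_line, lines)):
        if event["msg"].startswith("Invalid Content-Length"):
            pending.append(event)
            continue
        m = CRASH_RE.search(event["msg"])
        if not m:
            continue
        status = int(m.group("status"))
        for p in pending:
            if timedelta(0) <= event["ts"] - p["ts"] <= window:
                findings.append({
                    "client": p["client"],
                    "request_ts": p["ts"],
                    "crash_ts": event["ts"],
                    "exit_status": status,
                    "access_violation": status == STATUS_ACCESS_VIOLATION,
                })
        pending = []
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print("%(client)s sent an invalid Content-Length at %(request_ts)s; "
              "child crashed at %(crash_ts)s (status %(exit_status)d, "
              "access violation: %(access_violation)s)" % f)
```

With the default 30-second window only the report's own pair is flagged; widening the window to ten minutes also pairs the constructed 13:50:01 request with the 13:55:40 restart, which illustrates why the window should be tuned to how quickly the child dies on the server in question rather than left generous.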

Bug #55691 [Com]: different results from finfo_file and finfo_buffer

2011-09-17 Thread thomas at partyflock dot nl
Edit report at https://bugs.php.net/bug.php?id=55691&edit=1

 ID: 55691
 Comment by: thomas at partyflock dot nl
 Reported by: di_herbert dot huber at yahoo dot com
 Summary: different results from finfo_file and finfo_buffer
 Status: Open
 Type: Bug
 Package: Unknown/Other Function
 Operating System: WinXP HE SP2
 PHP Version: 5.3.8
 Block user comment: N
 Private report: N

 New Comment:

Happens to me too, and I experience this for an xls/Excel document too.


Previous Comments:

[2011-09-14 09:35:36] di_herbert dot huber at yahoo dot com

Description:

different results from finfo_file and finfo_buffer

Scenario:
1. MS Excel-File stored in mySQL database LONGBLOB-Column
2. This binary data selected from database
3. This binary data stored to tempfile
4. mime-type sniffing done by finfo_buffer on binary data
   > result: application/octet-stream
5. mime-type sniffing done by finfo_file on tempfile
   > result: application/vnd.ms-excel

PROBLEM:
different result, depending on which Fileinfo function is used

Comment: The tempfile has NO extension like ".xls" that could be used as a
hint for mimetype sniffing




Test script:
---
https://bugs.php.net/bug.php?id=55691&edit=1


#43540 [NEW]: rfc1867 handler newlength problem

2007-12-08 Thread thomas at partyflock dot nl
From: thomas at partyflock dot nl
Operating system: Linux
PHP version:  5.2.5
PHP Bug Type: Unknown/Other Function
Bug description:  rfc1867 handler newlength problem

Description:

In main/rfc1867.c, line 928, newlength is initialized to 0.

Shouldn't this be new_val_len?

Currently if your form handler does nothing and always returns SUCCESS,
all the variables get set, but with 0-length strings.



-- 
Edit bug report at http://bugs.php.net/?id=43540&edit=1
-- 
Try a CVS snapshot (PHP 4.4): 
http://bugs.php.net/fix.php?id=43540&r=trysnapshot44
Try a CVS snapshot (PHP 5.2): 
http://bugs.php.net/fix.php?id=43540&r=trysnapshot52
Try a CVS snapshot (PHP 5.3): 
http://bugs.php.net/fix.php?id=43540&r=trysnapshot53
Try a CVS snapshot (PHP 6.0): 
http://bugs.php.net/fix.php?id=43540&r=trysnapshot60
Fixed in CVS: http://bugs.php.net/fix.php?id=43540&r=fixedcvs
Fixed in release: 
http://bugs.php.net/fix.php?id=43540&r=alreadyfixed
Need backtrace:   http://bugs.php.net/fix.php?id=43540&r=needtrace
Need Reproduce Script:http://bugs.php.net/fix.php?id=43540&r=needscript
Try newer version:http://bugs.php.net/fix.php?id=43540&r=oldversion
Not developer issue:  http://bugs.php.net/fix.php?id=43540&r=support
Expected behavior:http://bugs.php.net/fix.php?id=43540&r=notwrong
Not enough info:  
http://bugs.php.net/fix.php?id=43540&r=notenoughinfo
Submitted twice:  
http://bugs.php.net/fix.php?id=43540&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=43540&r=globals
PHP 3 support discontinued:   http://bugs.php.net/fix.php?id=43540&r=php3
Daylight Savings: http://bugs.php.net/fix.php?id=43540&r=dst
IIS Stability:http://bugs.php.net/fix.php?id=43540&r=isapi
Install GNU Sed:  http://bugs.php.net/fix.php?id=43540&r=gnused
Floating point limitations:   http://bugs.php.net/fix.php?id=43540&r=float
No Zend Extensions:   http://bugs.php.net/fix.php?id=43540&r=nozend
MySQL Configuration Error:http://bugs.php.net/fix.php?id=43540&r=mysqlcfg


#39201 [Asn]: POST with invalid content-length and ErrorDocument set crashes php

2006-11-03 Thread thomas at partyflock dot nl
 ID:   39201
 User updated by:  thomas at partyflock dot nl
 Reported By:  thomas at partyflock dot nl
 Status:   Assigned
 Bug Type: Apache2 related
-Operating System: Linux (2.6.18)
+Operating System: Linux (2.6.18.1)
-PHP Version:  5.1.6
+PHP Version:  5.2.0
 Assigned To:  tony2001
 New Comment:

Upped version to 5.2.0, happens there too.


Previous Comments:


[2006-11-03 13:39:56] thomas at partyflock dot nl

Found out another thing.
If I point ErrorDocument 413 to a static page, there is no segmentation
fault, but then the static page is displayed AND the PHP script as
requested by the POST command.

So

ErrorDocument 413 /something.html

And doing the following POST with a Content-Length header with an invalid extra
carriage return:

POST /somescript.php HTTP/1.0
Content-Length: 1\r

Doesn't crash, but does exhibit strange behaviour by displaying the
error document appended with the somescript.php!



[2006-10-21 23:22:39] judas dot iscariote at gmail dot com

Unable to reproduce it here ...



[2006-10-20 01:04:01] thomas at partyflock dot nl

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1211164992 (LWP 15723)]
0xb7b4e7e0 in sapi_read_standard_form_data () at
/root/build/webserver/200610181
225 SG(request_info).post_data[SG(read_post_bytes)] = 0; 
/* termina
(gdb) bt
#0  0xb7b4e7e0 in sapi_read_standard_form_data () at
/root/build/webserver/20061
#1  0xb7b53425 in php_default_post_reader () at
/root/build/webserver/2006101814
#2  0xb7b4ee57 in sapi_activate () at
/root/build/webserver/200610181402/php/php
#3  0xb7b471ac in php_request_startup () at
/root/build/webserver/200610181402/p
#4  0xb7c0ed45 in php_apache_request_ctor (r=0x81d10e0, ctx=0x81d23e8)
at
/root/build/webserver/200610181402/php/php-5.2/sapi/apache2handler/sapi_a
#5  0xb7c0f26f in php_handler (r=0x81d10e0) at
/root/build/webserver/20061018140
#6  0x0807a514 in ap_invoke_handler ()
#7  0x0806bb02 in ap_process_request ()
#8  0x08065a92 in ap_process_http_connection ()
#9  0x0808389b in ap_process_connection ()
#10 0x08077a06 in child_main ()
#11 0x08077cd6 in make_child ()
#12 0x08078034 in ap_mpm_run ()
#13 0x0807e970 in main ()
(gdb) p sapi_globals.request_info
$2 = {request_method = 0x81d2910 "GET", query_string = 0x81d69b8
"SECTION=anything;sELEMENT=anything;EXTENSION=", post_data = 0x0,
raw_post_data = 0x0,
  cookie_data = 0x0, content_length = 1, post_data_length = 0,
raw_post_data_length = 0, path_translated = 0x81d69f8
"/home/party/public_html/index.php",
  request_uri = 0x81d69e8 "/anything", content_type = 0x0, headers_only
= 0 '\0', no_headers = 0 '\0', headers_read = 0 '\0', post_entry = 0x0,
  content_type_dup = 0x0, auth_user = 0x0, auth_password = 0x0,
auth_digest = 0x0, argv0 = 0x0, current_user = 0x0, current_user_length
= 0, argc = 0,
  argv = 0x0, proto_num = 1000}

But I've narrowed it down a bit. It requires the following lines in
httpd.conf:

RewriteEngine on
RewriteRule ^/anywhere$ /somewherelse.php
ErrorDocument 413 /anywhere

/somewherelse.php must exist. There's no problem if a non-php file is
used.



[2006-10-19 22:48:13] [EMAIL PROTECTED]

Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

Can't reproduce.
This is the only result I see:
[Fri Oct 20 02:46:09 2006] [error] [client 127.0.0.1] Invalid
Content-Length

----------------

[2006-10-19 21:46:32] thomas at partyflock dot nl

Happens in 5.2dev too.



The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/39201

-- 
Edit this bug report at http://bugs.php.net/?id=39201&edit=1


#39201 [Asn]: POST with invalid content-length and ErrorDocument set crashes php

2006-11-03 Thread thomas at partyflock dot nl
 ID:   39201
 User updated by:  thomas at partyflock dot nl
 Reported By:  thomas at partyflock dot nl
 Status:   Assigned
 Bug Type: Apache2 related
 Operating System: Linux (2.6.18)
 PHP Version:  5.1.6
 Assigned To:  tony2001
 New Comment:

Found out another thing.
If I point ErrorDocument 413 to a static page, there is no segmentation
fault, but then the static page is displayed AND the PHP script as
requested by the POST command.

So

ErrorDocument 413 /something.html

And doing the following POST with a Content-Length header with an invalid extra
carriage return:

POST /somescript.php HTTP/1.0
Content-Length: 1\r

Doesn't crash, but does exhibit strange behaviour by displaying the
error document appended with the somescript.php!


Previous Comments:


[2006-10-19 20:16:29] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip





The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/39201

-- 
Edit this bug report at http://bugs.php.net/?id=39201&edit=1


#39201 [Fbk->Opn]: POST with invalid content-length and ErrorDocument set crashes php

2006-10-19 Thread thomas at partyflock dot nl
 ID:   39201
 User updated by:  thomas at partyflock dot nl
 Reported By:  thomas at partyflock dot nl
-Status:   Feedback
+Status:   Open
 Bug Type: Apache2 related
 Operating System: Linux (2.6.18)
 PHP Version:  5.1.6
 New Comment:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1211164992 (LWP 15723)]
0xb7b4e7e0 in sapi_read_standard_form_data () at
/root/build/webserver/200610181
225 SG(request_info).post_data[SG(read_post_bytes)] = 0; 
/* termina
(gdb) bt
#0  0xb7b4e7e0 in sapi_read_standard_form_data () at
/root/build/webserver/20061
#1  0xb7b53425 in php_default_post_reader () at
/root/build/webserver/2006101814
#2  0xb7b4ee57 in sapi_activate () at
/root/build/webserver/200610181402/php/php
#3  0xb7b471ac in php_request_startup () at
/root/build/webserver/200610181402/p
#4  0xb7c0ed45 in php_apache_request_ctor (r=0x81d10e0, ctx=0x81d23e8)
at
/root/build/webserver/200610181402/php/php-5.2/sapi/apache2handler/sapi_a
#5  0xb7c0f26f in php_handler (r=0x81d10e0) at
/root/build/webserver/20061018140
#6  0x0807a514 in ap_invoke_handler ()
#7  0x0806bb02 in ap_process_request ()
#8  0x08065a92 in ap_process_http_connection ()
#9  0x0808389b in ap_process_connection ()
#10 0x08077a06 in child_main ()
#11 0x08077cd6 in make_child ()
#12 0x08078034 in ap_mpm_run ()
#13 0x0807e970 in main ()
(gdb) p sapi_globals.request_info
$2 = {request_method = 0x81d2910 "GET", query_string = 0x81d69b8
"SECTION=anything;sELEMENT=anything;EXTENSION=", post_data = 0x0,
raw_post_data = 0x0,
  cookie_data = 0x0, content_length = 1, post_data_length = 0,
raw_post_data_length = 0, path_translated = 0x81d69f8
"/home/party/public_html/index.php",
  request_uri = 0x81d69e8 "/anything", content_type = 0x0, headers_only
= 0 '\0', no_headers = 0 '\0', headers_read = 0 '\0', post_entry = 0x0,
  content_type_dup = 0x0, auth_user = 0x0, auth_password = 0x0,
auth_digest = 0x0, argv0 = 0x0, current_user = 0x0, current_user_length
= 0, argc = 0,
  argv = 0x0, proto_num = 1000}

But I've narrowed it down a bit. It requires the following lines in
httpd.conf:

RewriteEngine on
RewriteRule ^/anywhere$ /somewherelse.php
ErrorDocument 413 /anywhere

/somewherelse.php must exist. There's no problem if a non-php file is
used.


-- 
Edit this bug report at http://bugs.php.net/?id=39201&edit=1


#39201 [Fbk->Opn]: POST with invalid content-length and ErrorDocument set crashes php

2006-10-19 Thread thomas at partyflock dot nl
 ID:   39201
 User updated by:  thomas at partyflock dot nl
 Reported By:  thomas at partyflock dot nl
-Status:   Feedback
+Status:   Open
 Bug Type: Apache2 related
 Operating System: Linux (2.6.18)
 PHP Version:  5.1.6
 New Comment:

Happens in 5.2dev too.


-- 
Edit this bug report at http://bugs.php.net/?id=39201&edit=1


#39201 [NEW]: POST with invalid content-length and ErrorDocument set crashes php

2006-10-19 Thread thomas at partyflock dot nl
From: thomas at partyflock dot nl
Operating system: Linux (2.6.18)
PHP version:  5.1.6
PHP Bug Type: Apache2 related
Bug description:  POST with invalid content-length and ErrorDocument set crashes php

Description:

Insert ErrorDocument directive for error code 413 in httpd.conf:

ErrorDocument 413 /anywhere

Now post something to your webserver, with the following invalid
Content-Length: 1\r\r\n (extra carriage return)

sapi_globals.request_info.post_data is allocated in
SAPI.c:sapi_read_standard_form_data on line 203. After the call to
sapi_module.read_post on line 206, the POST request is transformed into a
GET request for the above error document and
sapi_globals.request_info.post_data is 0 at that point, resulting in a
segmentation fault at SAPI.c line 223.

Reproduce code:
---
#!/usr/bin/perl -w
# Sends a POST whose Content-Length line carries an extra carriage return
# ("1\r\r\n"), the malformed header described above.

use strict;
use IO::Socket;

if ($#ARGV < 0) {
    print STDERR "need hostname argument\n";
    exit 1;
}

my $sock = IO::Socket::INET->new(
    'PeerAddr' => $ARGV[0],
    'PeerPort' => 80,
    'Proto'    => 'tcp',
);

if (!$sock) {
    print STDERR "failed to connect to port 80 of $ARGV[0]: $@\n";
    exit 1;
}

print $sock "POST / HTTP/1.0\r\n";
print $sock "Content-Length: 1\r\r\n\r\n";   # extra \r before the CRLF
print $sock "a";                              # the single body byte

close($sock);


Expected result:

Well, I'd expect it to not crash :)


-- 
Edit bug report at http://bugs.php.net/?id=39201&edit=1
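
Both crashes on this page start with a Content-Length header that a strict HTTP/1.x parser would never let reach the application: bug #63200 sends "Content-Length: -1", and bug #39201 sends "Content-Length: 1\r\r\n", a value terminated by a bare CR. The following is an added example, not code from either report or from PHP or Apache: a Python request-head parser that applies the RFC 7230 rules a front-end or WAF should enforce, rejecting bare CR/LF in the header block, any Content-Length that is not 1*DIGIT, disagreeing duplicates, and (beyond what the reports show) the Content-Length plus Transfer-Encoding combination that enables request smuggling. The two malformed requests are taken from the reports' own scripts; the well-formed and conflicting samples, the example.test host and the 2 GiB body ceiling are constructed assumptions.

```python
import re

# Header field names are RFC 7230 tokens; a Content-Length value is 1*DIGIT.
TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
DIGITS_RE = re.compile(r"^[0-9]+$")
# A CR not followed by LF, or an LF not preceded by CR, anywhere in the head.
BARE_CR_OR_LF_RE = re.compile(rb"\r(?!\n)|(?<!\r)\n")

# Assumed body-size ceiling for this example; a real deployment sets its own.
MAX_BODY = 2**31 - 1


class BadRequest(Exception):
    """Any framing or Content-Length problem; the caller should answer 400."""


def parse_request_head(raw):
    """Split everything before the first CRLF CRLF into
    (method, target, version, [(lowercase_name, value), ...])."""
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        raise BadRequest("no CRLF CRLF terminator")
    head = raw[:end]
    if BARE_CR_OR_LF_RE.search(head):
        raise BadRequest("bare CR or LF in header block")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("ascii", "replace").split(" ")
    if len(parts) != 3 or not re.fullmatch(r"HTTP/1\.[01]", parts[2]):
        raise BadRequest("malformed request line %r" % lines[0])
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        name = name.decode("latin-1")
        if not sep or not TOKEN_RE.match(name):
            raise BadRequest("malformed header line %r" % line)
        headers.append((name.lower(), value.strip(b" \t").decode("latin-1")))
    return parts[0], parts[1], parts[2], headers


def content_length(headers, max_body=MAX_BODY):
    """Return the validated Content-Length, or None when the header is absent.
    Rejects anything that is not 1*DIGIT ("-1", "+1", "0x10", "1 "),
    disagreeing repeats, and values above max_body."""
    values = [v for n, v in headers if n == "content-length"]
    if not values:
        return None
    # Repeated fields or a comma list are tolerated only if every member agrees.
    members = [m.strip() for v in values for m in v.split(",")]
    if len(set(members)) != 1:
        raise BadRequest("conflicting Content-Length values %r" % members)
    if not DIGITS_RE.match(members[0]):
        raise BadRequest("Content-Length is not 1*DIGIT: %r" % members[0])
    n = int(members[0])
    if n > max_body:
        raise BadRequest("Content-Length %d exceeds %d" % (n, max_body))
    return n


def check_request(raw):
    """Return ("ok", length_or_None) or ("reject", reason)."""
    try:
        _, _, _, headers = parse_request_head(raw)
        names = [n for n, _ in headers]
        if "transfer-encoding" in names and "content-length" in names:
            # Both present is the classic request-smuggling ambiguity; refuse it.
            raise BadRequest("Transfer-Encoding and Content-Length both present")
        return ("ok", content_length(headers))
    except BadRequest as e:
        return ("reject", str(e))


# The two requests from the reports (REPORT_63200 keeps its bare-LF line
# endings; NEGATIVE_CL_CRLF is the same request with proper CRLFs so the
# negative value itself is what gets rejected), plus constructed samples.
REPORT_63200 = (b"GET / HTTP/1.1\nHost: 10.211.55.3\n"
                b"Accept-Encoding:gzip, deflate\nContent-Length: -1\n\n")
NEGATIVE_CL_CRLF = b"GET / HTTP/1.1\r\nHost: 10.211.55.3\r\nContent-Length: -1\r\n\r\n"
REPORT_39201 = b"POST / HTTP/1.0\r\nContent-Length: 1\r\r\n\r\na"
GOOD_POST = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
CONFLICTING = b"POST / HTTP/1.1\r\nHost: h\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\n"
TE_AND_CL = (b"POST / HTTP/1.1\r\nHost: h\r\nTransfer-Encoding: chunked\r\n"
             b"Content-Length: 5\r\n\r\n")

if __name__ == "__main__":
    for label, raw in [("63200", REPORT_63200), ("63200/crlf", NEGATIVE_CL_CRLF),
                       ("39201", REPORT_39201), ("good", GOOD_POST),
                       ("conflicting", CONFLICTING), ("te+cl", TE_AND_CL)]:
        print("%-11s %r" % (label, check_request(raw)))
```

The #39201 request is rejected for its bare CR before the parser ever looks at the number, which is the right order: once the header block is known to be well framed, the value check is a simple digit match, and "-1" never becomes a signed integer anywhere in the pipeline.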