#43311 [Com]: setcookie should not be able to set cookies larger than 4096 bytes
ID: 43311
Comment by: yoy dot noneoff at dfgh dot net
Reported By: crrodriguez at suse dot de
Status: Open
Bug Type: *General Issues
Operating System: Irrelevant
PHP Version: 5.3CVS-2007-11-16 (CVS)

New Comment:

http://www.faqs.org/rfcs/rfc2109
http://www.faqs.org/rfcs/rfc2965

RFCs linked from the setcookie function docs:

...
* at least 300 cookies
* at least 4096 bytes per cookie (as measured by the characters that comprise the cookie non-terminal in the syntax description of the Set-Cookie2 header, and as received in the Set-Cookie2 header)
...

Keyword: "at least". So basically PHP should not limit cookie length; it's up to the client/browser how to handle it.

Previous Comments:

[2007-11-16 03:26:53] judas dot iscariote at gmail dot com

Corrected/working patch is here now (previous had errors... I should test patches before submitting them :) )
http://www.flyspray.org/patches/setcookie-4096btyesonly.patch

[2007-11-16 01:30:40] crrodriguez at suse dot de

Description:
The following report caught my attention:
http://www.securityfocus.com/archive/1/483705
That is indeed a bug in Konqueror, but if you look at the reproduce code it says:

Reproduce code:
---------------
<?php
ini_set("memory_limit", "200M");
setcookie("hi_fox", str_repeat("A", 1999));
?>

Expected result:
----------------
PHP limiting the cookie size to what both the spec says and other browsers do, that is name_len + value_len not larger than 4096 bytes.
http://www.15seconds.com/faq/Cookies/388.htm
http://wp.netscape.com/newsref/std/cookie_spec.html
E-Warning: "Cookie cannot store more than %d bytes of data"

Actual result:
--------------
PHP setting a 200MB cookie anyway.
Patch here: http://rafb.net/p/zs0ojA57.html

-- Edit this bug report at http://bugs.php.net/?id=43311&edit=1
#43311 [Com]: setcookie should not be able to set cookies larger than 4096 bytes
ID: 43311
Comment by: yoy dot noneoff at dfgh dot net
Reported By: crrodriguez at suse dot de
Status: Open
Bug Type: *General Issues
Operating System: Irrelevant
PHP Version: 5.3CVS-2007-11-16 (CVS)

New Comment:

IE7 increased the number of cookies per domain from 20 to 50, like other browsers. So why not limit PHP to setting max 20 cookies per domain like NS mentions? Netscape also follows these RFCs. If the client ignores part of the cookie it's not PHP's concern. What if I built an application following the RFC and PHP artificially limits me?

Previous Comments:

[2007-11-16 08:51:31] crrodriguez+php at suse dot de

Also imagine the following code:

setcookie("foo", $_GET['reallybigdata']);

It can also exhaust the PHP process or system memory (depending on the memory limit) for no gain, because the browser will truncate it anyway.

[2007-11-16 08:23:38] judas dot iscariote at gmail dot com

PHP implements the Netscape spec, **not** the RFC one:

"When a cookie larger than 4 kilobytes is encountered the cookie should be trimmed to fit, but the name should remain intact as long as it is less than 4 kilobytes"

"Servers should not expect clients to be able to exceed these limits"

In the case of PHP, sending a cookie bigger than 4kb is useless because no browser will use it correctly, and truncating it without emitting any warning just makes debugging harder.

[2007-11-16 08:17:45] yoy dot noneoff at dfgh dot net

http://www.faqs.org/rfcs/rfc2109
http://www.faqs.org/rfcs/rfc2965

RFCs linked from the setcookie function docs:

...
* at least 300 cookies
* at least 4096 bytes per cookie (as measured by the characters that comprise the cookie non-terminal in the syntax description of the Set-Cookie2 header, and as received in the Set-Cookie2 header)
...

Keyword: "at least". So basically PHP should not limit cookie length; it's up to the client/browser how to handle it.
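The thread asks setcookie() to enforce the Netscape limit (name + value no larger than 4096 bytes) and to warn instead of silently emitting a header the browser will truncate. The following is an added example, not code from the bug report, from the linked patches or from PHP itself: a userland wrapper that performs that check before the header is built. The function names, the constant and the warning text are assumptions; the 4096-byte figure and the reproduce inputs come from the thread.

```php
<?php
// Added example (not from the bug report, the linked patches or PHP itself):
// enforce in userland the limit the report asks setcookie() to enforce,
// name + value of one cookie <= 4096 bytes (Netscape cookie_spec).
// COOKIE_MAX_BYTES, cookie_wire_length() and setcookie_checked() are
// hypothetical names chosen for this example.

define('COOKIE_MAX_BYTES', 4096);

/**
 * Bytes the cookie occupies in the Set-Cookie header: name, "=", and the
 * URL-encoded value. setcookie() URL-encodes the value, so counting the raw
 * value would under-report a value full of non-alphanumerics.
 */
function cookie_wire_length($name, $value)
{
    return strlen($name) + 1 + strlen(urlencode($value));
}

/**
 * Drop-in replacement for setcookie() that refuses oversized cookies.
 * Instead of emitting a header that every browser will truncate or drop,
 * it raises the E_USER_WARNING the report asks for and returns false.
 * Same positional parameters as setcookie() on PHP 5.2 and later.
 */
function setcookie_checked($name, $value = '', $expire = 0, $path = '', $domain = '', $secure = false, $httponly = false)
{
    $len = cookie_wire_length($name, $value);
    if ($len > COOKIE_MAX_BYTES) {
        trigger_error(sprintf(
            'Cookie "%s" cannot store more than %d bytes of data (%d bytes requested)',
            $name, COOKIE_MAX_BYTES, $len
        ), E_USER_WARNING);
        return false;
    }
    return setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);
}

// Constructed inputs modelled on the thread: the report's 1999-byte cookie
// and the setcookie("foo", $_GET['reallybigdata']) case. From the CLI,
// setcookie() returns true without sending anything, which is enough to
// exercise the check.
$_GET['reallybigdata'] = str_repeat('A', 200000);

var_dump(setcookie_checked('hi_fox', str_repeat('A', 1999)));
var_dump(setcookie_checked('foo', $_GET['reallybigdata']));
```

The second call is rejected with a warning naming the cookie and the requested size, so the oversized Set-Cookie header is never emitted. The guard does not address the other point raised in the thread, the memory already consumed by a huge request parameter; that is bounded by request-size limits such as post_max_size and the web server's own limits, not by anything setcookie() can do after the fact.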
#43301 [Csd-Opn]: mb_ereg*_replace() crashes when replacement string is invalid PHP expression
ID: 43301
User updated by: yoy dot noneoff at dfgh dot net
Reported By: yoy dot noneoff at dfgh dot net
-Status: Closed
+Status: Open
Bug Type: mbstring related
Operating System: win xp sp2
PHP Version: 5.3CVS-2007-11-15 (CVS)

New Comment:

The crash issue is indeed gone, but two new problems appear. I downloaded the latest package, and I notice that now there are 2 errors raised: PHP Parse error and PHP Fatal error.

Problem 1: the rest of the script execution stops.

I also think the PHP Fatal error is NOT required; in addition, it's a security risk. For example:

mb_ereg_replace('ptr', '<script>alert(\'are you sure\')</script>', 'text with ptr', 'e');

returns:

PHP Parse error: syntax error, unexpected '<' in test.php: mbregex replace on line 1
PHP Fatal error: mb_ereg_replace(): Failed evaluating code: <script>alert('are you sure')</script> in test.php on line 3

Previous Comments:

[2007-11-16 12:29:42] [EMAIL PROTECTED]

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

[2007-11-16 11:55:15] [EMAIL PROTECTED]

Parse error: syntax error, unexpected T_LNUMBER, expecting T_VARIABLE or '$' in /home/jani/t.php(8) : mbregex replace on line 1

Program received signal SIGSEGV, Segmentation fault.
0x082f5175 in _zval_dtor_func (zvalue=0xbfe4782c, __zend_filename=0x85d62c0 "/home/jani/src/php-5.3/Zend/zend_variables.h", __zend_lineno=35) at /home/jani/src/php-5.3/Zend/zend_variables.c:35
35              CHECK_ZVAL_STRING_REL(zvalue);
(gdb) bt
#0  0x082f5175 in _zval_dtor_func (zvalue=0xbfe4782c, __zend_filename=0x85d62c0 "/home/jani/src/php-5.3/Zend/zend_variables.h", __zend_lineno=35) at /home/jani/src/php-5.3/Zend/zend_variables.c:35
#1  0x082ee134 in _zval_dtor (zvalue=0xbfe4782c, __zend_filename=0x85d6198 "/home/jani/src/php-5.3/Zend/zend_operators.c", __zend_lineno=599) at /home/jani/src/php-5.3/Zend/zend_variables.h:35
#2  0x082eed13 in _convert_to_string (op=0xbfe4782c, __zend_filename=0x85858cc "/home/jani/src/php-5.3/ext/mbstring/php_mbregex.c", __zend_lineno=742) at /home/jani/src/php-5.3/Zend/zend_operators.c:599
#3  0x081a569a in _php_mb_regex_ereg_replace_exec (ht=4, return_value=0x8ae35c0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, options=0) at /home/jani/src/php-5.3/ext/mbstring/php_mbregex.c:742
#4  0x081a5deb in zif_mb_ereg_replace (ht=4, return_value=0x8ae35c0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /home/jani/src/php-5.3/ext/mbstring/php_mbregex.c:788
#5  0x0831ea96 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe47abc) at /home/jani/src/php-5.3/Zend/zend_vm_execute.h:194
#6  0x083241f3 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfe47abc) at /home/jani/src/php-5.3/Zend/zend_vm_execute.h:1439
#7  0x0831e59a in execute (op_array=0x8ae2e7c) at /home/jani/src/php-5.3/Zend/zend_vm_execute.h:87
#8  0x082f76c6 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/jani/src/php-5.3/Zend/zend.c:1139
#9  0x082a0049 in php_execute_script (primary_file=0xbfe49e40) at /home/jani/src/php-5.3/main/main.c:2007
#10 0x0837ef60 in main (argc=2, argv=0xbfe49f94) at /home/jani/src/php-5.3/sapi/cli/php_cli.c:1140

[2007-11-16 04:18:39] yoy dot noneoff at dfgh dot net

Function                                           Arg 1    Arg 2    Arg 3    Source
php_mbstring!_php_mb_regex_ereg_replace_exec+5e5   0004     0112c838
php_mbstring!zif_mb_ereg_replace+25                0004     0112c838
php5ts!zend_do_fcall_common_helper_SPEC+85b        00c0fbf0 00033f50 0112c28b
php5ts!ZEND_DO_FCALL_SPEC_CONST_HANDLER+12f        00033f50 00033f50
php5ts!execute+1b7                                 0112c298 00033f50
php5ts!zend_execute_scripts+107                    0008     00033f50
php5ts!php_execute_script+20d                      00c0fec8 00033f50 ed13662e
php!main+c0e                                       0002     00032cc0 00032f38
php!mainCRTStartup+e3                              ed13662e 01c827f6 7ffd4000
kernel32!RegisterWaitForInputIdle+49               00402c12

[2007-11-15 20:03:45] yoy dot noneoff at dfgh dot net

Correct reproduce code:
---------------
<?php
$ptr = 'hello';
$txt = <<<doc
hello, I have got a cr*sh on you
doc;
echo mb_ereg_replace($ptr, '$1', $txt, 'e');
?>

[2007-11-15 01:35:30] yoy dot noneoff at dfgh dot net

Description:
PHP crashes in mbstring (php_mbstring.dll) when running as CGI, the 'e' flag/option is used and the $replacement parameter contains a PHP expression with a syntax error. The problem is not present when PHP is loaded as a module (Apache): a Parse error is thrown. Applies to the latest PHP 5.3 and also to PHP 5.2.

Reproduce code:
---------------
<?php
$ptr = 'hello';
$txt = <<<doc
hello, I have got a cr*sh on you
doc;
echo C($ptr, '$1', $txt, 'e');
?>

Expected result:
----------------
See Parse Error, similar to PHP loaded as module.

Actual result:
--------------
Crash error:
AppName: php-cgi.exe  AppVer: 5.3.0.0  ModName: php_mbstring.dll  ModVer: 5.3.0.0  Offset: 00031595
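The comment above makes the security point behind this crash: with the 'e' option, mb_ereg_replace() evaluates the replacement string as PHP source, so a replacement built from untrusted input is executed rather than inserted, and on a syntax error the fatal-error message echoes that input back. (The 'e' option was later deprecated in PHP 7.1 and removed in PHP 8.0.) The following is an added example, not code from the bug report or from PHP's mbstring sources: it gets the same per-match flexibility from mb_ereg_replace_callback(), available since PHP 5.4.1, so the replacement is never parsed as code, and it guards legacy call sites that still pass an options string. The helper names are assumptions; the inputs are modelled on the reproduce code in the thread.

```php
<?php
// Added example for the discussion above; not code from the bug report or
// from PHP's mbstring sources. uppercase_matches(), replace_literal() and
// mb_ereg_replace_noeval() are hypothetical names chosen for this example.

mb_regex_encoding('UTF-8');

/**
 * Upper-cases every match of $pattern. With the 'e' option this would be
 *   mb_ereg_replace($pattern, 'mb_strtoupper("\\0")', $text, 'e')
 * and the replacement string would go through eval(). The callback form
 * runs an ordinary closure per match instead; nothing is parsed as PHP.
 */
function uppercase_matches($pattern, $text)
{
    return mb_ereg_replace_callback($pattern, function (array $m) {
        return mb_strtoupper($m[0], 'UTF-8');
    }, $text);
}

/**
 * Substitutes user-supplied text for each match. The replacement is data:
 * whatever it contains (the '$1' of the reproduce code, the <script> tags
 * from the comment above) is inserted literally and never evaluated.
 */
function replace_literal($pattern, $replacement, $text)
{
    return mb_ereg_replace_callback($pattern, function (array $m) use ($replacement) {
        return $replacement;
    }, $text);
}

/**
 * Guard for legacy call sites that still pass an options string: refuse
 * 'e' so mb_ereg_replace() can never be reached with evaluation enabled.
 * A null $options keeps mb_ereg_replace()'s own defaults.
 */
function mb_ereg_replace_noeval($pattern, $replacement, $text, $options = null)
{
    if ($options !== null && strpos($options, 'e') !== false) {
        throw new InvalidArgumentException(
            "option 'e' evaluates the replacement as PHP code and is not permitted"
        );
    }
    if ($options === null) {
        return mb_ereg_replace($pattern, $replacement, $text);
    }
    return mb_ereg_replace($pattern, $replacement, $text, $options);
}

// Constructed inputs modelled on the thread's reproduce code.
$txt = "hello, I have got a cr*sh on you";

var_dump(uppercase_matches('hello', $txt));
var_dump(replace_literal('ptr', '$1', 'text with ptr'));
try {
    mb_ereg_replace_noeval('hello', '$1', $txt, 'e');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The first call replaces the match with its upper-cased form, the second inserts the two characters "$1" unchanged (no back-reference expansion, no evaluation), and the third refuses the call outright. Rejecting 'e' at the call boundary, rather than relying on the engine's error handling, is what keeps a syntax error in attacker-controlled text from becoming either a crash (the original report) or a fatal error that reflects the input (the follow-up comment).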
#43301 [Opn]: mbstring crash cgi
ID: 43301
User updated by: yoy dot noneoff at dfgh dot net
Reported By: yoy dot noneoff at dfgh dot net
Status: Open
Bug Type: mbstring related
Operating System: win xp sp2
PHP Version: 5.3CVS-2007-11-15 (CVS)

New Comment:

Correct reproduce code:
---------------
<?php
$ptr = 'hello';
$txt = <<<doc
hello, I have got a cr*sh on you
doc;
echo mb_ereg_replace($ptr, '$1', $txt, 'e');
?>

Previous Comments:

[2007-11-15 01:35:30] yoy dot noneoff at dfgh dot net

Description:
PHP crashes in mbstring (php_mbstring.dll) when running as CGI, the 'e' flag/option is used and the $replacement parameter contains a PHP expression with a syntax error. The problem is not present when PHP is loaded as a module (Apache): a Parse error is thrown. Applies to the latest PHP 5.3 and also to PHP 5.2.

Reproduce code:
---------------
<?php
$ptr = 'hello';
$txt = <<<doc
hello, I have got a cr*sh on you
doc;
echo C($ptr, '$1', $txt, 'e');
?>

Expected result:
----------------
See Parse Error, similar to PHP loaded as module.

Actual result:
--------------
Crash error:
AppName: php-cgi.exe  AppVer: 5.3.0.0  ModName: php_mbstring.dll  ModVer: 5.3.0.0  Offset: 00031595
#43301 [Fbk-Opn]: mbstring crash cgi
ID: 43301
User updated by: yoy dot noneoff at dfgh dot net
Reported By: yoy dot noneoff at dfgh dot net
-Status: Feedback
+Status: Open
Bug Type: mbstring related
Operating System: win xp sp2
PHP Version: 5.3CVS-2007-11-15 (CVS)

New Comment:

Function                                           Arg 1    Arg 2    Arg 3    Source
php_mbstring!_php_mb_regex_ereg_replace_exec+5e5   0004     0112c838
php_mbstring!zif_mb_ereg_replace+25                0004     0112c838
php5ts!zend_do_fcall_common_helper_SPEC+85b        00c0fbf0 00033f50 0112c28b
php5ts!ZEND_DO_FCALL_SPEC_CONST_HANDLER+12f        00033f50 00033f50
php5ts!execute+1b7                                 0112c298 00033f50
php5ts!zend_execute_scripts+107                    0008     00033f50
php5ts!php_execute_script+20d                      00c0fec8 00033f50 ed13662e
php!main+c0e                                       0002     00032cc0 00032f38
php!mainCRTStartup+e3                              ed13662e 01c827f6 7ffd4000
kernel32!RegisterWaitForInputIdle+49               00402c12

Previous Comments:

[2007-11-15 22:50:34] [EMAIL PROTECTED]

Thank you for this bug report. To properly diagnose the problem, we need a backtrace to see what is happening behind the scenes. To find out how to generate a backtrace, please read http://bugs.php.net/bugs-generating-backtrace.php for *NIX and http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32.

Once you have generated a backtrace, please submit it to this bug report and change the status back to Open. Thank you for helping us make PHP better.

[2007-11-15 20:03:45] yoy dot noneoff at dfgh dot net

Correct reproduce code:
---------------
<?php
$ptr = 'hello';
$txt = <<<doc
hello, I have got a cr*sh on you
doc;
echo mb_ereg_replace($ptr, '$1', $txt, 'e');
?>

[2007-11-15 01:35:30] yoy dot noneoff at dfgh dot net

Description:
PHP crashes in mbstring (php_mbstring.dll) when running as CGI, the 'e' flag/option is used and the $replacement parameter contains a PHP expression with a syntax error. The problem is not present when PHP is loaded as a module (Apache): a Parse error is thrown. Applies to the latest PHP 5.3 and also to PHP 5.2.

Reproduce code:
---------------
<?php
$ptr = 'hello';
$txt = <<<doc
hello, I have got a cr*sh on you
doc;
echo C($ptr, '$1', $txt, 'e');
?>

Expected result:
----------------
See Parse Error, similar to PHP loaded as module.

Actual result:
--------------
Crash error:
AppName: php-cgi.exe  AppVer: 5.3.0.0  ModName: php_mbstring.dll  ModVer: 5.3.0.0  Offset: 00031595
#43301 [NEW]: mbstring crash cgi
From: yoy dot noneoff at dfgh dot net
Operating system: win xp sp2
PHP version: 5.3CVS-2007-11-15 (CVS)
PHP Bug Type: mbstring related
Bug description: mbstring crash cgi

Description:
PHP crashes in mbstring (php_mbstring.dll) when running as CGI, the 'e' flag/option is used and the $replacement parameter contains a PHP expression with a syntax error. The problem is not present when PHP is loaded as a module (Apache): a Parse error is thrown. Applies to the latest PHP 5.3 and also to PHP 5.2.

Reproduce code:
---------------
<?php
$ptr = 'hello';
$txt = <<<doc
hello, I have got a cr*sh on you
doc;
echo C($ptr, '$1', $txt, 'e');
?>

Expected result:
----------------
See Parse Error, similar to PHP loaded as module.

Actual result:
--------------
Crash error:
AppName: php-cgi.exe  AppVer: 5.3.0.0  ModName: php_mbstring.dll  ModVer: 5.3.0.0  Offset: 00031595