#43311 [Com]: setcookie should not be able to set cookies larger than 4096 bytes

2007-11-16 Thread yoy dot noneoff at dfgh dot net
 ID:   43311
 Comment by:   yoy dot noneoff at dfgh dot net
 Reported By:  crrodriguez at suse dot de
 Status:   Open
 Bug Type: *General Issues
 Operating System: Irrelevant
 PHP Version:  5.3CVS-2007-11-16 (CVS)
 New Comment:

http://www.faqs.org/rfcs/rfc2109
http://www.faqs.org/rfcs/rfc2965

RFCs linked from the setcookie function docs


...
   *  at least 300 cookies

   *  at least 4096 bytes per cookie (as measured by the characters that
      comprise the cookie non-terminal in the syntax description of the
      Set-Cookie2 header, and as received in the Set-Cookie2 header)
...


keyword: at least

so basically php should not limit cookie length, it's up to the
client/browser how to handle it.


Previous Comments:


[2007-11-16 03:26:53] judas dot iscariote at gmail dot com

corrected/working patch is here now (previous had errors... I should
test patches before submitting them :) )

http://www.flyspray.org/patches/setcookie-4096btyesonly.patch



[2007-11-16 01:30:40] crrodriguez at suse dot de

Description:

The following report caught my attention 

http://www.securityfocus.com/archive/1/483705

That is indeed a bug in Konqueror, but if you look at the reproduce code
it says:

Reproduce code:
---
<?php

ini_set("memory_limit", "200M");

setcookie("hi_fox", str_repeat("A", 1999));

?>

Expected result:

PHP limiting the cookie size to what both the spec says and other
browsers do, that is name_len + value_len not larger than 4096 bytes.

http://www.15seconds.com/faq/Cookies/388.htm

http://wp.netscape.com/newsref/std/cookie_spec.html


E_WARNING: Cookie cannot store more than %d bytes of data

Actual result:
--
PHP setting a 200MB cookie anyway.


patch here: http://rafb.net/p/zs0ojA57.html





-- 
Edit this bug report at http://bugs.php.net/?id=43311&edit=1


#43311 [Com]: setcookie should not be able to set cookies larger than 4096 bytes

2007-11-16 Thread yoy dot noneoff at dfgh dot net
 ID:   43311
 Comment by:   yoy dot noneoff at dfgh dot net
 Reported By:  crrodriguez at suse dot de
 Status:   Open
 Bug Type: *General Issues
 Operating System: Irrelevant
 PHP Version:  5.3CVS-2007-11-16 (CVS)
 New Comment:

ie7 increased the number of cookies per domain from 20 to 50, like
other browsers.

so why not limit php to setting max 20 cookies per domain like NS
mentions?

Netscape also follows these RFCs

if the client ignores part of the cookie it's not PHP's concern.
what if I built an application following the RFC and php artificially
limits me?


Previous Comments:


[2007-11-16 08:51:31] crrodriguez+php at suse dot de

also imagine the following code

setcookie("foo", $_GET['reallybigdata']);

it can also exhaust the PHP process or system memory (depending on the
memory limit) for no gain because the browser will truncate it anyway.



[2007-11-16 08:23:38] judas dot iscariote at gmail dot com

PHP implements the netscape spec, **not** the RFC one

When a cookie larger than 4 kilobytes is encountered the cookie should
be trimmed to fit, but the name should remain intact as long as it is
less than 4 kilobytes

Servers should not expect clients to be able to exceed these limits


In the case of PHP, sending a cookie bigger than 4kb is useless because
no browser will use it correctly, and truncating it without emitting any
warning just makes debugging harder.
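A guard of the kind the report asks setcookie() to perform, as an added example that is not code from the bug report, the linked patches or PHP itself: it applies the 4096-byte name + value limit from the "Expected result" above and refuses the oversized request-fed cookie from the comment above instead of building a header the browser will discard. The function name and constant are assumptions for this example.

```php
<?php
// Added example, not code from the bug report, the linked patches or PHP itself.
// It applies the check the report asks setcookie() to make: refuse a cookie whose
// name + value exceed the 4096-byte limit of the Netscape spec / RFC 2109 and
// emit the warning text from the report's "Expected result" instead of sending
// it. The function name and constant are assumptions for this example.

define('COOKIE_MAX_BYTES', 4096);

function setcookie_checked($name, $value = '', $expire = 0, $path = '',
                           $domain = '', $secure = false, $httponly = false)
{
    // setcookie() urlencodes the value before building the Set-Cookie header,
    // so measure the encoded form: that is what the browser receives and
    // truncates, and what the 4096-byte budget applies to.
    $size = strlen($name) + strlen(urlencode($value));
    if ($size > COOKIE_MAX_BYTES) {
        // Warn and send nothing, rather than building a multi-megabyte header
        // that the client would truncate or drop anyway.
        trigger_error(sprintf('Cookie cannot store more than %d bytes of data',
                              COOKIE_MAX_BYTES), E_USER_WARNING);
        return false;
    }
    return setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);
}

// Constructed inputs mirroring the thread: a value taken straight from the request.
$_GET['reallybigdata'] = str_repeat('A', 5000);
var_dump(setcookie_checked('foo', $_GET['reallybigdata']));   // bool(false), plus the warning
var_dump(setcookie_checked('hi_fox', str_repeat('A', 1999))); // bool(true) if headers not sent yet
```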





#43301 [Csd-Opn]: mb_ereg*_replace() crashes when replacement string is invalid PHP expression

2007-11-16 Thread yoy dot noneoff at dfgh dot net
 ID:   43301
 User updated by:  yoy dot noneoff at dfgh dot net
 Reported By:  yoy dot noneoff at dfgh dot net
-Status:   Closed
+Status:   Open
 Bug Type: mbstring related
 Operating System: win xp sp2
 PHP Version:  5.3CVS-2007-11-15 (CVS)
 New Comment:

the crash issue is indeed gone but two new problems appear

I downloaded the latest package, and I noticed that now there are 2 errors
raised:

PHP Parse error
and
PHP Fatal error

prob 1: the rest of script execution stops

I also think the PHP Fatal error is NOT required; in addition it's a
security risk.

for example

mb_ereg_replace('ptr','<script>alert(\'are you sure\')</script>','text
with ptr','e')


return:

PHP Parse error:  syntax error, unexpected '<' in test.php: mbregex
replace on line 1

PHP Fatal error:  mb_ereg_replace(): Failed evaluating code:
<script>alert('are you sure')</script> in test.php on line 3

Previous Comments:


[2007-11-16 12:29:42] [EMAIL PROTECTED]

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.





[2007-11-16 11:55:15] [EMAIL PROTECTED]

Parse error: syntax error, unexpected T_LNUMBER, expecting T_VARIABLE or '$' in /home/jani/t.php(8) : mbregex replace on line 1

Program received signal SIGSEGV, Segmentation fault.
0x082f5175 in _zval_dtor_func (zvalue=0xbfe4782c, __zend_filename=0x85d62c0 "/home/jani/src/php-5.3/Zend/zend_variables.h", __zend_lineno=35) at /home/jani/src/php-5.3/Zend/zend_variables.c:35
35	CHECK_ZVAL_STRING_REL(zvalue);
(gdb) bt
#0  0x082f5175 in _zval_dtor_func (zvalue=0xbfe4782c, __zend_filename=0x85d62c0 "/home/jani/src/php-5.3/Zend/zend_variables.h", __zend_lineno=35) at /home/jani/src/php-5.3/Zend/zend_variables.c:35
#1  0x082ee134 in _zval_dtor (zvalue=0xbfe4782c, __zend_filename=0x85d6198 "/home/jani/src/php-5.3/Zend/zend_operators.c", __zend_lineno=599) at /home/jani/src/php-5.3/Zend/zend_variables.h:35
#2  0x082eed13 in _convert_to_string (op=0xbfe4782c, __zend_filename=0x85858cc "/home/jani/src/php-5.3/ext/mbstring/php_mbregex.c", __zend_lineno=742) at /home/jani/src/php-5.3/Zend/zend_operators.c:599
#3  0x081a569a in _php_mb_regex_ereg_replace_exec (ht=4, return_value=0x8ae35c0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1, options=0) at /home/jani/src/php-5.3/ext/mbstring/php_mbregex.c:742
#4  0x081a5deb in zif_mb_ereg_replace (ht=4, return_value=0x8ae35c0, return_value_ptr=0x0, this_ptr=0x0, return_value_used=1) at /home/jani/src/php-5.3/ext/mbstring/php_mbregex.c:788
#5  0x0831ea96 in zend_do_fcall_common_helper_SPEC (execute_data=0xbfe47abc) at /home/jani/src/php-5.3/Zend/zend_vm_execute.h:194
#6  0x083241f3 in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0xbfe47abc) at /home/jani/src/php-5.3/Zend/zend_vm_execute.h:1439
#7  0x0831e59a in execute (op_array=0x8ae2e7c) at /home/jani/src/php-5.3/Zend/zend_vm_execute.h:87
#8  0x082f76c6 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/jani/src/php-5.3/Zend/zend.c:1139
#9  0x082a0049 in php_execute_script (primary_file=0xbfe49e40) at /home/jani/src/php-5.3/main/main.c:2007
#10 0x0837ef60 in main (argc=2, argv=0xbfe49f94) at /home/jani/src/php-5.3/sapi/cli/php_cli.c:1140




[2007-11-16 04:18:39] yoy dot noneoff at dfgh dot net

Function  Arg 1  Arg 2  Arg 3  Source
php_mbstring!_php_mb_regex_ereg_replace_exec+5e5  0004  0112c838
php_mbstring!zif_mb_ereg_replace+25  0004  0112c838
php5ts!zend_do_fcall_common_helper_SPEC+85b  00c0fbf0  00033f50  0112c28b
php5ts!ZEND_DO_FCALL_SPEC_CONST_HANDLER+12f  00033f50  00033f50
php5ts!execute+1b7  0112c298  00033f50
php5ts!zend_execute_scripts+107  0008  00033f50
php5ts!php_execute_script+20d  00c0fec8  00033f50  ed13662e
php!main+c0e  0002  00032cc0  00032f38
php!mainCRTStartup+e3  ed13662e  01c827f6  7ffd4000
kernel32!RegisterWaitForInputIdle+49  00402c12




[2007-11-15 20:03:45] yoy dot noneoff at dfgh dot net

correct Reproduce code:
---
<?php
$ptr = 'hello';

$txt = <<<doc
hello, I have got a cr*sh on you
doc;

echo mb_ereg_replace($ptr, '$1', $txt, 'e');
?>
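The two hazards this thread turns on (with the 'e' option mb_ereg_replace() evaluates the replacement string as PHP code, and the resulting parse/fatal error echoes that string back to the client, which is the reporter's "security risk"), as an added example that is not code from the bug report or from PHP: a wrapper that refuses 'e', routes dynamic replacements through the callback form, and keeps error text out of the response. The wrapper name and its policy are assumptions for this example.

```php
<?php
// Added example, not code from the bug report or from PHP. It shows the two
// hazards behind the reporter's "security risk" remark: with the 'e' option
// mb_ereg_replace() evaluates the replacement string as PHP code, and the
// resulting parse/fatal error echoes that string back to the client verbatim
// when display_errors is on. The wrapper name and policy are assumptions.

// Errors must be logged, not rendered: a fatal error that quotes user input
// would otherwise be reflected into the page unescaped.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

function mb_replace_safely($pattern, $replacement, $subject, $options = '')
{
    // Policy for this example: never let 'e' (eval) reach mb_ereg_replace().
    if (strpos($options, 'e') !== false) {
        trigger_error('mb_replace_safely(): the "e" option evaluates the replacement as PHP and is not allowed',
                      E_USER_WARNING);
        return false;
    }
    // Dynamic replacements go through the callback form (PHP >= 5.4.1): the
    // closure receives the match array, and nothing is parsed as code.
    if ($replacement instanceof Closure) {
        return mb_ereg_replace_callback($pattern, $replacement, $subject, $options);
    }
    // A plain string is inserted literally, including anything that looks like code.
    return mb_ereg_replace($pattern, $replacement, $subject, $options);
}

// Constructed inputs mirroring the report.
$untrusted = "<script>alert('are you sure')</script>";
var_dump(mb_replace_safely('ptr', $untrusted, 'text with ptr', 'e'));  // bool(false); warning goes to the log
// Literal replacement: escaped before it reaches any HTML context.
echo htmlspecialchars(mb_replace_safely('ptr', $untrusted, 'text with ptr'), ENT_QUOTES, 'UTF-8'), "\n";
// What the report tried with '$1' and 'e', done with a callback instead.
echo mb_replace_safely('hello', function ($m) { return strtoupper($m[0]); },
                       'hello, I have got a cr*sh on you'), "\n";       // HELLO, I have got a cr*sh on you
```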




#43301 [Opn]: mbstring crash cgi

2007-11-16 Thread yoy dot noneoff at dfgh dot net
 ID:   43301
 User updated by:  yoy dot noneoff at dfgh dot net
 Reported By:  yoy dot noneoff at dfgh dot net
 Status:   Open
 Bug Type: mbstring related
 Operating System: win xp sp2
 PHP Version:  5.3CVS-2007-11-15 (CVS)

Previous Comments:


[2007-11-15 01:35:30] yoy dot noneoff at dfgh dot net

Description:

php crashes on mbstring (php_mbstring.dll) when running as CGI with the
'e' flag/option

and the $replacement parameter containing a php expression with a syntax error.

problem not present when php is loaded as a module (Apache): a Parse error is
thrown.



applies on the latest php 5.3
and also on php 5.2


Reproduce code:
---
<?php
$ptr = 'hello';

$txt = <<<doc
hello, I have got a cr*sh on you
doc;

echo mb_ereg_replace($ptr, '$1', $txt, 'e');
?>

Expected result:

see Parse Error, similar to php loaded as module.


Actual result:
--
crash error 

AppName: php-cgi.exe AppVer: 5.3.0.0 ModName: php_mbstring.dll
ModVer: 5.3.0.0  Offset: 00031595







-- 
Edit this bug report at http://bugs.php.net/?id=43301&edit=1


#43301 [Fbk-Opn]: mbstring crash cgi

2007-11-15 Thread yoy dot noneoff at dfgh dot net
 ID:   43301
 User updated by:  yoy dot noneoff at dfgh dot net
 Reported By:  yoy dot noneoff at dfgh dot net
-Status:   Feedback
+Status:   Open
 Bug Type: mbstring related
 Operating System: win xp sp2
 PHP Version:  5.3CVS-2007-11-15 (CVS)

Previous Comments:


[2007-11-15 22:50:34] [EMAIL PROTECTED]

Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to Open. Thank you for helping
us make PHP better.







#43301 [NEW]: mbstring crash cgi

2007-11-14 Thread yoy dot noneoff at dfgh dot net
From: yoy dot noneoff at dfgh dot net
Operating system: win xp sp2 
PHP version:  5.3CVS-2007-11-15 (CVS)
PHP Bug Type: mbstring related
Bug description:  mbstring crash cgi 
