From:             vesely at tana dot it
Operating system: Any
PHP version:      4.3.0
PHP Bug Type:     HTTP related
Bug description:  Weak parsing in rfc1867.c

Hi,
watch out rfc1867.c around line 342, in function
next_line() there is (was?) the following code:

        if (ptr) {
                /* ... */       
        } else {        
                /* ... */

                line[self->bufsize] = 0;
                self->buf_begin = ptr;    /* <=== */
                self->bytes_in_buffer = 0;
        }

ptr is obviously NULL, buf_begin should never be NULL
or the program may crash. So this is a potential
vulnerability for DOS attackers who submit long lines.

Since you're there, would you mind checking why at line
721, in the rfc1867_post_handler function, there is

                boundary_end = strchr(boundary, ',');

Shouldn't it be ';' (semicolon) rather than ',' (comma)?
(Just wondering)
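Added illustration, not the reporter's code and not PHP's: a hypothetical bounded-buffer line reader with the same three fields as the excerpt (buf_begin, bytes_in_buffer, a fixed buffer), whose no-newline branch leaves buf_begin pointing at a valid address instead of the NULL search result. BUFSIZE, reader_t, reader_init and count_lines are assumptions made for the example; the input body is constructed.

```c
#include <stddef.h>
#include <string.h>

#define BUFSIZE 16          /* deliberately small to provoke the long-line branch */

/* Hypothetical reader with the same fields as the excerpt; not PHP's code. */
typedef struct {
    char buf[BUFSIZE + 1];  /* +1 so the terminator is always in bounds */
    char *buf_begin;        /* start of unread data: must never be NULL */
    size_t bytes_in_buffer;
} reader_t;

void reader_init(reader_t *r, const char *data, size_t len) {
    if (len > BUFSIZE) len = BUFSIZE;   /* constructed input may exceed the buffer */
    memcpy(r->buf, data, len);
    r->buf[len] = 0;
    r->buf_begin = r->buf;
    r->bytes_in_buffer = len;
}

/* Returns the next NUL-terminated line, or NULL when nothing is buffered.
 * In the no-newline branch buf_begin is set to the end of the consumed
 * data, a valid address, rather than to the NULL result of the search. */
char *next_line(reader_t *r) {
    char *line = r->buf_begin;
    char *ptr;
    if (r->bytes_in_buffer == 0) return NULL;
    ptr = memchr(line, '\n', r->bytes_in_buffer);
    if (ptr) {
        *ptr = 0;
        r->bytes_in_buffer -= (size_t)(ptr - line) + 1;
        r->buf_begin = ptr + 1;
    } else {
        line[r->bytes_in_buffer] = 0;               /* overlong line: return all of it */
        r->buf_begin = line + r->bytes_in_buffer;   /* valid pointer, not NULL */
        r->bytes_in_buffer = 0;
    }
    return line;
}

/* Counts lines in a constructed body; returns -1 if buf_begin ever
 * becomes NULL, which is the state the report warns about. */
int count_lines(const char *data, size_t len) {
    reader_t r;
    int n = 0;
    reader_init(&r, data, len);
    while (next_line(&r) != NULL) {
        if (r.buf_begin == NULL) return -1;
        n++;
    }
    return n;
}
```

The second body below is longer than BUFSIZE, so its last line takes the no-newline branch; the reader still finishes with a non-NULL buf_begin.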