Mercurial Mercurial > upstream > oracle > userland-gate / comparison
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/php-5_2/php-sapi/patches/62_php_19167518.patch
changeset 4073 4f086b95f18c
parent 4071 4b68c2b0134b
child 4074 3b59c13ef5ec
equal deleted inserted replaced
4071:4b68c2b0134b 4073:4f086b95f18c 
     1 Fix for CVE-2014-4721
 
       
     2 Bug:
 
       
     3 https://bugs.php.net/bug.php?id=67498
 
       
     4 Patch:
 
       
     5 https://bugs.php.net/patch-display.php?bug=67498&patch=bug67948-patch&revision=1403508072
 
       
     6 Slightly modified to correct for diff context.
 
       
     7 
       
     8 
       
     9 diff --git a/ext/standard/info.c b/ext/standard/info.c
 
       
    10 index 70b2e2f..0f15bbe 100644
 
       
    11 --- a/ext/standard/info.c
 
       
    12 +++ b/ext/standard/info.c
 
       
    13 @@ -875,16 +875,16 @@ PHPAPI void php_print_info(int flag TSRMLS_DC)
 
       
    14  
       
    15  		php_info_print_table_start();
 
       
    16  		php_info_print_table_header(2, "Variable", "Value");
 
       
    17 -		if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
 
       
    18 +		if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 
       
    19  			php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
 
       
    20  		}
 
       
    21 -		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
 
       
    22 +		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 
       
    23  			php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
 
       
    24  		}
 
       
    25 -		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
 
       
    26 +		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 
       
    27  			php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
 
       
    28  		}
 
       
    29 -		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
 
       
    30 +		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 
       
    31  			php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
 
       
    32  		}
 
       
    33 		php_print_gpcse_array("_REQUEST", sizeof("_REQUEST")-1 TSRMLS_CC);
 
       
    34 diff --git a/ext/standard/tests/general_functions/bug67498.phpt b/ext/standard/tests/general_functions/bug67498.phpt
 
       
    35 new file mode 100644
 
       
    36 index 0000000..5b5951b
 
       
    37 --- /dev/null
 
       
    38 +++ b/ext/standard/tests/general_functions/bug67498.phpt
 
       
    39 @@ -0,0 +1,15 @@
 
       
    40 +--TEST--
 
       
    41 +phpinfo() Type Confusion Information Leak Vulnerability
 
       
    42 +--FILE--
 
       
    43 +<?php
 
       
    44 +$PHP_SELF = 1;
 
       
    45 +phpinfo(INFO_VARIABLES);
 
       
    46 +
 
       
    47 +?>
 
       
    48 +==DONE==
 
       
    49 +--EXPECTF--
 
       
    50 +phpinfo()
 
       
    51 +
 
       
    52 +PHP Variables
 
       
    53 +%A
 
       
    54 +==DONE==
upstream/oracle/userland-gate