|
1 Fix for CVE-2014-4721 |
|
2 Bug: |
|
3 https://bugs.php.net/bug.php?id=67498 |
|
4 Patch: |
|
5 https://bugs.php.net/patch-display.php?bug=67498&patch=bug67948-patch&revision=1403508072 |
|
6 Slightly modified to correct for diff context. |
|
7 |
|
8 |
|
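--- a/ext/standard/info.c
+++ b/ext/standard/info.c
@@ -875,16 +875,16 @@ PHPAPI void php_print_info(int flag TSRMLS_DC)
 
 php_info_print_table_start();
 php_info_print_table_header(2, "Variable", "Value");
- if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
+ if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
 }
- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
+ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
 }
- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
+ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
 }
- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
+ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
 }
 php_print_gpcse_array("_REQUEST", sizeof("_REQUEST")-1 TSRMLS_CC);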
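Review bot: The four new `Z_TYPE_PP(data) == IS_STRING` guards carry no comment saying why the type has to be checked, so a later refactor could drop them. The entries looked up in `EG(symbol_table)` are ordinary globals that a script can overwrite with any type (the accompanying test assigns `$PHP_SELF = 1`), and `Z_STRVAL_PP` on a non-string zval reads the stored value as if it were a string pointer. I would add above the first check `/* Globals are script-writable: only read the value as a string when the zval is IS_STRING (bug #67498). */`. The same lookup-and-check is written out four times, so a small static helper taking the variable name would stop any later addition from missing the guard. The body of php_print_info starts and ends outside this hunk, so other `Z_STRVAL_PP` uses in the function cannot be checked from here.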
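--- /dev/null
+++ b/ext/standard/tests/general_functions/bug67498.phpt
@@ -0,0 +1,15 @@
+--TEST--
+phpinfo() Type Confusion Information Leak Vulnerability
+--FILE--
+<?php
+$PHP_SELF = 1;
+phpinfo(INFO_VARIABLES);
+
+?>
+==DONE==
+--EXPECTF--
+phpinfo()
+
+PHP Variables
+%A
+==DONE==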
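Review bot: The regression test exercises only the `PHP_SELF` guard, while the info.c change adds the same type check to `PHP_AUTH_TYPE`, `PHP_AUTH_USER` and `PHP_AUTH_PW`; a regression in any of those three branches would go unnoticed. Adding `$PHP_AUTH_TYPE = 1;`, `$PHP_AUTH_USER = 1;` and `$PHP_AUTH_PW = 1;` before the `phpinfo(INFO_VARIABLES);` call would cover all four. The `%A` in `--EXPECTF--` matches any output, so the test confirms only that phpinfo() runs to `==DONE==`, not that the non-string values are left out of the table. That is probably adequate as a crash check, but a short comment in the `--FILE--` section saying so would make the intent explicit.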