diff options
author | Stanislav Malyshev <stas@php.net> | 2015-04-05 16:01:24 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2015-04-11 16:53:22 -0700 |
commit | 4435b9142ff9813845d5c97ab29a5d637bedb257 (patch) | |
tree | a6451ac31e1418813a46f73dfffe805421e5a55e | |
parent | 9faaee66fa493372c7340b1ab05f8fd115131a42 (diff) | |
download | php-git-4435b9142ff9813845d5c97ab29a5d637bedb257.tar.gz |
Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions)
-rw-r--r-- | ext/dom/document.c | 5 | ||||
-rw-r--r-- | ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt | 5 | ||||
-rw-r--r-- | ext/fileinfo/fileinfo.c | 5 | ||||
-rw-r--r-- | ext/fileinfo/tests/finfo_file_basic.phpt | 4 | ||||
-rw-r--r-- | ext/gd/gd.c | 8 | ||||
-rw-r--r-- | ext/hash/hash.c | 7 | ||||
-rw-r--r-- | ext/hash/tests/hash_hmac_file_error.phpt | 7 | ||||
-rw-r--r-- | ext/pgsql/pgsql.c | 2 | ||||
-rw-r--r-- | ext/standard/link.c | 2 | ||||
-rw-r--r-- | ext/standard/streamsfuncs.c | 2 | ||||
-rw-r--r-- | ext/xmlwriter/php_xmlwriter.c | 4 | ||||
-rw-r--r-- | ext/zlib/zlib.c | 4 |
12 files changed, 42 insertions, 13 deletions
diff --git a/ext/dom/document.c b/ext/dom/document.c index f105f6d7fe..4666746ad2 100644 --- a/ext/dom/document.c +++ b/ext/dom/document.c @@ -1580,6 +1580,9 @@ static xmlDocPtr dom_document_parser(zval *id, int mode, char *source, int sourc xmlInitParser(); if (mode == DOM_LOAD_FILE) { + if (CHECK_NULL_PATH(source, source_len)) { + return NULL; + } char *file_dest = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC); if (file_dest) { ctxt = xmlCreateFileParserCtxt(file_dest); @@ -2168,7 +2171,7 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */ id = getThis(); - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &source, &source_len, &options) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &source, &source_len, &options) == FAILURE) { return; } diff --git a/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt b/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt index e59ff56c5a..75004e2a74 100644 --- a/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt +++ b/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt @@ -13,6 +13,11 @@ assert.bail=true $doc = new DOMDocument(); $result = $doc->loadHTMLFile(""); assert('$result === false'); +$doc = new DOMDocument(); +$result = $doc->loadHTMLFile("text.html\0something"); +assert('$result === null'); ?> --EXPECTF-- %r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile(): Empty string supplied as input %s + +%r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile() expects parameter 1 to be a valid path, string given %s diff --git a/ext/fileinfo/fileinfo.c b/ext/fileinfo/fileinfo.c index 2d523ab498..5fd9511745 100644 --- a/ext/fileinfo/fileinfo.c +++ b/ext/fileinfo/fileinfo.c @@ -506,6 +506,11 @@ static void _php_finfo_get_type(INTERNAL_FUNCTION_PARAMETERS, int mode, int mime RETVAL_FALSE; goto clean; } + if (CHECK_NULL_PATH(buffer, buffer_len)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path"); + RETVAL_FALSE; + goto clean; + } wrap = php_stream_locate_url_wrapper(buffer, &tmp2, 0 TSRMLS_CC); diff --git a/ext/fileinfo/tests/finfo_file_basic.phpt b/ext/fileinfo/tests/finfo_file_basic.phpt index 20223fd88e..ee70e2e253 100644 --- a/ext/fileinfo/tests/finfo_file_basic.phpt +++ b/ext/fileinfo/tests/finfo_file_basic.phpt @@ -19,6 +19,7 @@ echo "*** Testing finfo_file() : basic functionality ***\n"; var_dump( finfo_file( $finfo, __FILE__) ); var_dump( finfo_file( $finfo, __FILE__, FILEINFO_CONTINUE ) ); var_dump( finfo_file( $finfo, $magicFile ) ); +var_dump( finfo_file( $finfo, $magicFile.chr(0).$magicFile) ); ?> ===DONE=== @@ -27,4 +28,7 @@ var_dump( finfo_file( $finfo, $magicFile ) ); string(28) "text/x-php; charset=us-ascii" string(22) "PHP script, ASCII text" string(25) "text/plain; charset=utf-8" + +Warning: finfo_file(): Invalid path in %s/finfo_file_basic.php on line %d +bool(false) ===DONE=== diff --git a/ext/gd/gd.c b/ext/gd/gd.c index e5657f7424..d258c3dbc7 100644 --- a/ext/gd/gd.c +++ b/ext/gd/gd.c @@ -1495,7 +1495,7 @@ PHP_FUNCTION(imageloadfont) gdFontPtr font; php_stream *stream; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_name) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_name) == FAILURE) { return; } @@ -2438,7 +2438,7 @@ static void _php_image_create_from(INTERNAL_FUNCTION_PARAMETERS, int image_type, long ignore_warning; #endif if (image_type == PHP_GDIMG_TYPE_GD2PART) { - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sllll", &file, &file_len, &srcx, &srcy, &width, &height) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pllll", &file, &file_len, &srcx, &srcy, &width, &height) == FAILURE) { return; } if (width < 1 || height < 1) { @@ -2446,7 +2446,7 @@ static void _php_image_create_from(INTERNAL_FUNCTION_PARAMETERS, int image_type, RETURN_FALSE; } } else { - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_len) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_len) == FAILURE) { return; } } @@ -4178,7 +4178,7 @@ PHP_FUNCTION(imagepsencodefont) char *enc, **enc_vector; int enc_len, *f_ind; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs", &fnt, &enc, &enc_len) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rp", &fnt, &enc, &enc_len) == FAILURE) { return; } diff --git a/ext/hash/hash.c b/ext/hash/hash.c index bd9dcca59f..f5988c9c66 100644 --- a/ext/hash/hash.c +++ b/ext/hash/hash.c @@ -142,6 +142,7 @@ static void php_hash_do_hash(INTERNAL_FUNCTION_PARAMETERS, int isfilename, zend_ } if (isfilename) { if (CHECK_NULL_PATH(data, data_len)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path"); RETURN_FALSE; } stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS, NULL, DEFAULT_CONTEXT); @@ -222,6 +223,10 @@ static void php_hash_do_hash_hmac(INTERNAL_FUNCTION_PARAMETERS, int isfilename, RETURN_FALSE; } if (isfilename) { + if (CHECK_NULL_PATH(data, data_len)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path"); + RETURN_FALSE; + } stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS, NULL, DEFAULT_CONTEXT); if (!stream) { /* Stream will report errors opening file */ @@ -449,7 +454,7 @@ PHP_FUNCTION(hash_update_file) char *filename, buf[1024]; int filename_len, n; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs|r", &zhash, &filename, &filename_len, &zcontext) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rp|r", &zhash, &filename, &filename_len, &zcontext) == FAILURE) { return; } diff --git a/ext/hash/tests/hash_hmac_file_error.phpt b/ext/hash/tests/hash_hmac_file_error.phpt index 42ab122285..26ba8aacbe 100644 --- a/ext/hash/tests/hash_hmac_file_error.phpt +++ b/ext/hash/tests/hash_hmac_file_error.phpt @@ -28,6 +28,9 @@ hash_hmac_file('crc32', $file, $key, TRUE, $extra_arg); echo "\n-- Testing hash_hmac_file() function with invalid hash algorithm --\n"; hash_hmac_file('foo', $file, $key, TRUE); +echo "\n-- Testing hash_hmac_file() function with bad path --\n"; +hash_hmac_file('crc32', $file.chr(0).$file, $key, TRUE); + ?> ===Done=== --EXPECTF-- @@ -51,4 +54,8 @@ Warning: hash_hmac_file() expects at most 4 parameters, 5 given in %s on line %d -- Testing hash_hmac_file() function with invalid hash algorithm -- Warning: hash_hmac_file(): Unknown hashing algorithm: foo in %s on line %d + +-- Testing hash_hmac_file() function with bad path -- + +Warning: hash_hmac_file(): Invalid path in %s on line %d ===Done===
\ No newline at end of file diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c index eb55777758..cd51143c90 100644 --- a/ext/pgsql/pgsql.c +++ b/ext/pgsql/pgsql.c @@ -3014,7 +3014,7 @@ PHP_FUNCTION(pg_trace) php_stream *stream; id = PGG(default_link); - if (zend_parse_parameters(argc TSRMLS_CC, "s|sr", &z_filename, &z_filename_len, &mode, &mode_len, &pgsql_link) == FAILURE) { + if (zend_parse_parameters(argc TSRMLS_CC, "p|sr", &z_filename, &z_filename_len, &mode, &mode_len, &pgsql_link) == FAILURE) { return; } diff --git a/ext/standard/link.c b/ext/standard/link.c index c57484e766..686dd3e306 100644 --- a/ext/standard/link.c +++ b/ext/standard/link.c @@ -59,7 +59,7 @@ PHP_FUNCTION(readlink) char buff[MAXPATHLEN]; int ret; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &link, &link_len) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &link, &link_len) == FAILURE) { return; } diff --git a/ext/standard/streamsfuncs.c b/ext/standard/streamsfuncs.c index b1b318044e..b8f15e32c2 100644 --- a/ext/standard/streamsfuncs.c +++ b/ext/standard/streamsfuncs.c @@ -1549,7 +1549,7 @@ PHP_FUNCTION(stream_resolve_include_path) char *filename, *resolved_path; int filename_len; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &filename, &filename_len) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &filename, &filename_len) == FAILURE) { return; } diff --git a/ext/xmlwriter/php_xmlwriter.c b/ext/xmlwriter/php_xmlwriter.c index 7bc35dabc4..acb87541d8 100644 --- a/ext/xmlwriter/php_xmlwriter.c +++ b/ext/xmlwriter/php_xmlwriter.c @@ -1738,7 +1738,7 @@ static PHP_FUNCTION(xmlwriter_write_dtd_entity) /* }}} */ #endif -/* {{{ proto resource xmlwriter_open_uri(resource xmlwriter, string source) +/* {{{ proto resource xmlwriter_open_uri(string source) Create new xmlwriter using source uri for output */ static PHP_FUNCTION(xmlwriter_open_uri) { @@ -1759,7 +1759,7 @@ static PHP_FUNCTION(xmlwriter_open_uri) void *ioctx; #endif - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &source, &source_len) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &source, &source_len) == FAILURE) { return; } diff --git a/ext/zlib/zlib.c b/ext/zlib/zlib.c index 705fb5dd5f..431dfde547 100644 --- a/ext/zlib/zlib.c +++ b/ext/zlib/zlib.c @@ -581,7 +581,7 @@ static PHP_FUNCTION(gzopen) php_stream *stream; long use_include_path = 0; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|l", &filename, &filename_len, &mode, &mode_len, &use_include_path) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ps|l", &filename, &filename_len, &mode, &mode_len, &use_include_path) == FAILURE) { return; } @@ -609,7 +609,7 @@ static PHP_FUNCTION(readgzfile) int size; long use_include_path = 0; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &filename, &filename_len, &use_include_path) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &filename, &filename_len, &use_include_path) == FAILURE) { return; } |