diff options
author | Stanislav Malyshev <stas@php.net> | 2015-07-27 01:38:27 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2015-08-01 22:02:26 -0700 |
commit | 4d2278143a08b7522de9471d0f014d7357c28fea (patch) | |
tree | 608e46b2c134dd09e0bd28e6bfecb56aa94308a3 | |
parent | 863bf294feb9ad425eadb94f288bc7f18673089d (diff) | |
download | php-git-4d2278143a08b7522de9471d0f014d7357c28fea.tar.gz |
Fix #69793 - limit what we accept when unserializing exception
-rw-r--r-- | Zend/zend_exceptions.c | 28 | ||||
-rw-r--r-- | ext/standard/tests/serialize/bug69152.phpt | 1 | ||||
-rw-r--r-- | ext/standard/tests/serialize/bug69793.phpt | 17 |
3 files changed, 46 insertions, 0 deletions
diff --git a/Zend/zend_exceptions.c b/Zend/zend_exceptions.c index 1a3ee8f434..82b777a958 100644 --- a/Zend/zend_exceptions.c +++ b/Zend/zend_exceptions.c @@ -218,6 +218,33 @@ ZEND_METHOD(exception, __construct) } /* }}} */ +/* {{{ proto Exception::__wakeup() + Exception unserialize checks */ +#define CHECK_EXC_TYPE(name, type) \ + value = zend_read_property(default_exception_ce, object, name, sizeof(name)-1, 0 TSRMLS_CC); \ + if(value && Z_TYPE_P(value) != type) { \ + zval *tmp; \ + MAKE_STD_ZVAL(tmp); \ + ZVAL_STRINGL(tmp, name, sizeof(name)-1, 1); \ + Z_OBJ_HANDLER_P(object, unset_property)(object, tmp, 0 TSRMLS_CC); \ + zval_ptr_dtor(&tmp); \ + } + +ZEND_METHOD(exception, __wakeup) +{ + zval *value; + zval *object = getThis(); + HashTable *intern_ht = zend_std_get_properties(getThis() TSRMLS_CC); + CHECK_EXC_TYPE("message", IS_STRING); + CHECK_EXC_TYPE("string", IS_STRING); + CHECK_EXC_TYPE("code", IS_LONG); + CHECK_EXC_TYPE("file", IS_STRING); + CHECK_EXC_TYPE("line", IS_LONG); + CHECK_EXC_TYPE("trace", IS_ARRAY); + CHECK_EXC_TYPE("previous", IS_OBJECT); +} +/* }}} */ + /* {{{ proto ErrorException::__construct(string message, int code, int severity [, string filename [, int lineno [, Exception previous]]]) ErrorException constructor */ ZEND_METHOD(error_exception, __construct) @@ -728,6 +755,7 @@ ZEND_END_ARG_INFO() const static zend_function_entry default_exception_functions[] = { ZEND_ME(exception, __clone, NULL, ZEND_ACC_PRIVATE|ZEND_ACC_FINAL) ZEND_ME(exception, __construct, arginfo_exception___construct, ZEND_ACC_PUBLIC) + ZEND_ME(exception, __wakeup, NULL, ZEND_ACC_PUBLIC|ZEND_ACC_FINAL) ZEND_ME(exception, getMessage, NULL, ZEND_ACC_PUBLIC|ZEND_ACC_FINAL) ZEND_ME(exception, getCode, NULL, ZEND_ACC_PUBLIC|ZEND_ACC_FINAL) ZEND_ME(exception, getFile, NULL, ZEND_ACC_PUBLIC|ZEND_ACC_FINAL) diff --git a/ext/standard/tests/serialize/bug69152.phpt b/ext/standard/tests/serialize/bug69152.phpt index 4e741685cc..bc2b302ddb 100644 --- a/ext/standard/tests/serialize/bug69152.phpt +++ b/ext/standard/tests/serialize/bug69152.phpt @@ -9,6 +9,7 @@ $x->test(); ?> --EXPECTF-- +Notice: Undefined property: Exception::$previous in %s on line %d exception 'Exception' in %s:%d Stack trace: #0 {main} diff --git a/ext/standard/tests/serialize/bug69793.phpt b/ext/standard/tests/serialize/bug69793.phpt new file mode 100644 index 0000000000..134b4dd696 --- /dev/null +++ b/ext/standard/tests/serialize/bug69793.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #69793: Remotely triggerable stack exhaustion via recursive method calls +--FILE-- +<?php +$e = unserialize('O:9:"Exception":7:{s:17:"'."\0".'Exception'."\0".'string";s:1:"a";s:7:"'."\0".'*'."\0".'code";i:0;s:7:"'."\0".'*'."\0".'file";R:1;s:7:"'."\0".'*'."\0".'line";i:1337;s:16:"'."\0".'Exception'."\0".'trace";a:0:{}s:19:"'."\0".'Exception'."\0".'previous";i:10;s:10:"'."\0".'*'."\0".'message";N;}'); + +var_dump($e.""); +?> +--EXPECTF-- +Notice: Undefined property: Exception::$message in %s/bug69793.php on line %d + +Notice: Undefined property: Exception::$file in %s/bug69793.php on line %d + +Notice: Undefined property: Exception::$previous in %s/bug69793.php on line %d +string(53) "exception 'Exception' in :1337 +Stack trace: +#0 {main}" |