diff options
author | Christoph M. Becker <cmbecker69@gmx.de> | 2019-11-23 13:01:33 +0100 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2019-12-16 00:03:06 -0800 |
commit | 0e6c0654ed06751ced134515f7629c40bd979d7f (patch) | |
tree | 1aec8b3b0f77d6dad49a09bf904fc147f51f5655 | |
parent | a5a15965da23c8e97657278fc8dfbf1dfb20c016 (diff) | |
download | php-git-0e6c0654ed06751ced134515f7629c40bd979d7f.tar.gz |
Fix #78862: link() silently truncates after a null byte on Windows
Since link() is supposed to accepts paths (i.e. strings without NUL
bytes), we must not accept arbitrary strings.
-rw-r--r-- | ext/standard/link_win32.c | 2 | ||||
-rw-r--r-- | ext/standard/tests/file/windows_links/bug78862.phpt | 17 |
2 files changed, 18 insertions, 1 deletions
diff --git a/ext/standard/link_win32.c b/ext/standard/link_win32.c index b46dee6a26..0197ec02af 100644 --- a/ext/standard/link_win32.c +++ b/ext/standard/link_win32.c @@ -211,7 +211,7 @@ PHP_FUNCTION(link) /*First argument to link function is the target and hence should go to frompath Second argument to link function is the link itself and hence should go to topath */ - if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss", &frompath, &frompath_len, &topath, &topath_len) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS(), "pp", &frompath, &frompath_len, &topath, &topath_len) == FAILURE) { return; } diff --git a/ext/standard/tests/file/windows_links/bug78862.phpt b/ext/standard/tests/file/windows_links/bug78862.phpt new file mode 100644 index 0000000000..33b4b49293 --- /dev/null +++ b/ext/standard/tests/file/windows_links/bug78862.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #78862 (link() silently truncates after a null byte on Windows) +--FILE-- +<?php +file_put_contents(__DIR__ . '/bug78862.target', 'foo'); +var_dump(link(__DIR__ . "/bug78862.target\0more", __DIR__ . "/bug78862.link\0more")); +var_dump(file_exists(__DIR__ . '/bug78862.link')); +?> +--EXPECTF-- +Warning: link() expects parameter 1 to be a valid path, string given in %s on line %d +NULL +bool(false) +--CLEAN-- +<?php +unlink(__DIR__ . '/bug78862.target'); +unlink(__DIR__ . '/bug78862.link'); +?> |