author | Julien Pauli <jpauli@php.net> | 2015-12-22 14:28:19 +0100 |
---|---|---|
committer | Anatol Belski <ab@php.net> | 2016-01-04 17:31:34 +0100 |
commit | ef4449a8e822ff6bfee96dbe48a64f6b43dcf040 (patch) | |
tree | 49cc152298e545edbefed4a198478808d929fa35 /ext/xmlrpc | |
parent | bc4baf608b69b1f6ba05aa136900c4467343592b (diff) | |
download | php-git-ef4449a8e822ff6bfee96dbe48a64f6b43dcf040.tar.gz |
Fixed #70728
Conflicts:
ext/xmlrpc/xmlrpc-epi-php.c
Diffstat (limited to 'ext/xmlrpc')
-rw-r--r-- | ext/xmlrpc/tests/bug70728.phpt | 30 | ||||
-rw-r--r-- | ext/xmlrpc/xmlrpc-epi-php.c | 12 |
2 files changed, 40 insertions, 2 deletions
diff --git a/ext/xmlrpc/tests/bug70728.phpt b/ext/xmlrpc/tests/bug70728.phpt
new file mode 100644
index 0000000000..5510c33936
--- /dev/null
+++ b/ext/xmlrpc/tests/bug70728.phpt
@@ -0,0 +1,30 @@
+--TEST--
+Bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker)
+--SKIPIF--
+<?php
+if (!extension_loaded("xmlrpc")) print "skip";
+?>
+--FILE--
+<?php
+$obj = new stdClass;
+$obj->xmlrpc_type = 'base64';
+$obj->scalar = 0x1122334455;
+var_dump(xmlrpc_encode($obj));
+var_dump($obj);
+?>
+--EXPECTF--
+string(135) "<?xml version="1.0" encoding="utf-8"?>
+<params>
+<param>
+ <value>
+ <base64>NzM1ODgyMjkyMDU= </base64>
+ </value>
+</param>
+</params>
+"
+object(stdClass)#1 (2) {
+ ["xmlrpc_type"]=>
+ string(6) "base64"
+ ["scalar"]=>
+ int(73588229205)
+}
diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c
index f54a568202..7eae7bf8fc 100644
--- a/ext/xmlrpc/xmlrpc-epi-php.c
+++ b/ext/xmlrpc/xmlrpc-epi-php.c
@@ -514,7 +514,15 @@ static XMLRPC_VALUE PHP_to_XMLRPC_worker (const char* key, zval* in_val, int dep
 xReturn = XMLRPC_CreateValueEmpty();
 XMLRPC_SetValueID(xReturn, key, 0);
 } else {
- xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL(val), Z_STRLEN(val));
+ if (Z_TYPE(val) != IS_STRING) {
+ zval newvalue;
+ ZVAL_DUP(&newvalue, &val);
+ convert_to_string(newvalue);
+ xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL(newvalue), Z_STRLEN(newvalue));
+ zval_dtor(&newvalue);
+ } else {
+ xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL(val), Z_STRLEN(val));
+ }
 }
 break;
 case xmlrpc_datetime:
@@ -1357,7 +1365,7 @@ XMLRPC_VALUE_TYPE get_zval_xmlrpc_type(zval* value, zval* newvalue) /* {{{ */
 if (newvalue) {
 zval* val;
- if ((type == xmlrpc_base64 && Z_TYPE_P(value) != IS_NULL) || type == xmlrpc_datetime) {
+ if ((type == xmlrpc_base64 && Z_TYPE_P(value) == IS_OBJECT) || type == xmlrpc_datetime) {
 if ((val = zend_hash_str_find(Z_OBJPROP_P(value), OBJECT_VALUE_ATTR, sizeof(OBJECT_VALUE_ATTR) - 1)) != NULL) {
 ZVAL_COPY_VALUE(newvalue, val);
 } |
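Review bot: In the PHP_to_XMLRPC_worker hunk, `convert_to_string(newvalue);` passes the zval itself, while the neighbouring `ZVAL_DUP(&newvalue, &val)` and `zval_dtor(&newvalue)` pass its address. The Zend conversion macros take a `zval *` as far as I know, so the line should read `convert_to_string(&newvalue);`. As written, the branch that is meant to stop a non-string `scalar` from being read through `Z_STRVAL` probably does not compile. A short comment above the copy would also help, for example `/* scalar comes from a user object and may not be a string; convert a copy so the caller's zval keeps its type */`. The enclosing function starts and ends outside the hunk.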
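Review bot: In the get_zval_xmlrpc_type hunk, the new `Z_TYPE_P(value) == IS_OBJECT` test guards only the base64 arm, so the `type == xmlrpc_datetime` arm still reaches `Z_OBJPROP_P(value)` with no object check visible here. If the code above the hunk can only assign xmlrpc_datetime for objects this is safe, but the hunk does not show that. Hoisting the check makes the property lookup safe regardless: `if (Z_TYPE_P(value) == IS_OBJECT && (type == xmlrpc_base64 || type == xmlrpc_datetime)) {`. The value copied by `ZVAL_COPY_VALUE(newvalue, val)` is still of arbitrary type, so every consumer of `newvalue` has to check the type before using string accessors. The function body starts and ends outside the hunk.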