Fix bug #67498 - phpinfo() Type Confusion Information Leak Vulnerability
authorStanislav Malyshev <stas@php.net>
Mon, 23 Jun 2014 07:19:37 +0000 (00:19 -0700)
committerStanislav Malyshev <stas@php.net>
Tue, 24 Jun 2014 17:32:12 +0000 (10:32 -0700)
ext/standard/info.c
ext/standard/tests/general_functions/bug67498.phpt [new file with mode: 0644]

index 03ced35fb3d1ef5dcad10b2131336a8c3385a765..0626a7067bb4821fb8b8fa43a36ba189f78429ca 100644 (file)
@@ -866,16 +866,16 @@ PHPAPI void php_print_info(int flag TSRMLS_DC)
 
                php_info_print_table_start();
                php_info_print_table_header(2, "Variable", "Value");
-               if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
+               if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
                        php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
                }
-               if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
+               if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
                        php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
                }
-               if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
+               if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
                        php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
                }
-               if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
+               if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
                        php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
                }
                php_print_gpcse_array(ZEND_STRL("_REQUEST") TSRMLS_CC);
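Review bot: The four added `Z_TYPE_PP(data) == IS_STRING` checks carry no comment saying why they are needed, so a later row added to this table could easily omit the guard. These lookups read `EG(symbol_table)`, which the accompanying test shows a script can overwrite with a non-string (`$PHP_SELF = 1;`); without the check, `Z_STRVAL_PP` would treat the integer payload as a string pointer. I would add a comment above the first lookup, e.g. `/* globals are script-writable: require IS_STRING before Z_STRVAL_PP (bug #67498) */`. Non-string values are now skipped without a row, which looks intentional but is worth stating in the same comment. The body of php_print_info starts and ends outside this hunk.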
diff --git a/ext/standard/tests/general_functions/bug67498.phpt b/ext/standard/tests/general_functions/bug67498.phpt
new file mode 100644 (file)
index 0000000..5b5951b
--- /dev/null
@@ -0,0 +1,15 @@
+--TEST--
+phpinfo() Type Confusion Information Leak Vulnerability
+--FILE--
+<?php
+$PHP_SELF = 1;
+phpinfo(INFO_VARIABLES);
+
+?>
+==DONE==
+--EXPECTF--
+phpinfo()
+
+PHP Variables
+%A
+==DONE==
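Review bot: The `%A` expectation between `PHP Variables` and `==DONE==` matches any output, so this test fails only if phpinfo() crashes and would still pass if a row were printed from a non-string value. It also overwrites only `$PHP_SELF`, although the fix guards four variables. Adding `$PHP_AUTH_TYPE = 1;`, `$PHP_AUTH_USER = 1;` and `$PHP_AUTH_PW = 1;` before the `phpinfo(INFO_VARIABLES);` call would exercise each of the new checks.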