. Fixed bug #69218 (potential remote code execution with apache 2.4
apache2handler). (Patrick Schaaf)
+- cURL:
+ . Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/
+ _INFILE/_WRITEHEADER). (Laruence)
+
- Fileinfo:
. Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or
segfault). (Anatol Belski))
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not call the CURLOPT_WRITEFUNCTION");
length = -1;
} else if (retval_ptr) {
+ _php_curl_verify_handlers(ch, 1 TSRMLS_CC);
if (Z_TYPE_P(retval_ptr) != IS_LONG) {
convert_to_long_ex(&retval_ptr);
}
if (error == FAILURE) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot call the CURLOPT_PROGRESSFUNCTION");
} else if (retval_ptr) {
+ _php_curl_verify_handlers(ch, 1 TSRMLS_CC);
if (Z_TYPE_P(retval_ptr) != IS_LONG) {
convert_to_long_ex(&retval_ptr);
}
length = CURL_READFUNC_ABORT;
#endif
} else if (retval_ptr) {
+ _php_curl_verify_handlers(ch, 1 TSRMLS_CC);
if (Z_TYPE_P(retval_ptr) == IS_STRING) {
length = MIN((int) (size * nmemb), Z_STRLEN_P(retval_ptr));
memcpy(data, Z_STRVAL_P(retval_ptr), length);
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not call the CURLOPT_HEADERFUNCTION");
length = -1;
} else if (retval_ptr) {
+ _php_curl_verify_handlers(ch, 1 TSRMLS_CC);
if (Z_TYPE_P(retval_ptr) != IS_LONG) {
convert_to_long_ex(&retval_ptr);
}
--- /dev/null
+--TEST--
+Bug #69316: Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER
+--SKIPIF--
+<?php
+if (!extension_loaded("curl")) exit("skip curl extension not loaded");
+if (false === getenv('PHP_CURL_HTTP_REMOTE_SERVER')) exit("skip PHP_CURL_HTTP_REMOTE_SERVER env variable is not defined");
+?>
+--FILE--
+<?php
+ function hdr_callback($ch, $data) {
+ // close the stream, causing the FILE structure to be free()'d
+ if($GLOBALS['f_file']) {
+ fclose($GLOBALS['f_file']); $GLOBALS['f_file'] = 0;
+
+ // cause an allocation of approx the same size as a FILE structure, size varies a bit depending on platform/libc
+ $FILE_size = (PHP_INT_SIZE == 4 ? 0x160 : 0x238);
+ curl_setopt($ch, CURLOPT_COOKIE, str_repeat("a", $FILE_size - 1));
+ }
+ return strlen($data);
+ }
+ $host = getenv('PHP_CURL_HTTP_REMOTE_SERVER');
+
+ $temp_file = dirname(__FILE__) . '/body.tmp';
+ $url = "{$host}/get.php?test=getpost";
+ $ch = curl_init();
+ $f_file = fopen($temp_file, "w") or die("failed to open file\n");
+ curl_setopt($ch, CURLOPT_BUFFERSIZE, 10);
+ curl_setopt($ch, CURLOPT_HEADERFUNCTION, "hdr_callback");
+ curl_setopt($ch, CURLOPT_FILE, $f_file);
+ curl_setopt($ch, CURLOPT_URL, $url);
+ curl_exec($ch);
+ curl_close($ch);
+?>
+===DONE===
+--CLEAN--
+<?php
+unlink(dirname(__FILE__) . '/body.tmp');
+?>
+--EXPECTF--
+Warning: curl_exec(): CURLOPT_FILE resource has gone away, resetting to default in %s on line %d
+array(1) {
+ ["test"]=>
+ string(7) "getpost"
+}
+array(0) {
+}
+===DONE===
projects / php / commitdiff