Fixed bug #72142
authorNikita Popov <nikic@php.net>
Sat, 30 Jul 2016 13:10:54 +0000 (15:10 +0200)
committerNikita Popov <nikic@php.net>
Sat, 30 Jul 2016 13:13:03 +0000 (15:13 +0200)
NEWS
ext/wddx/tests/bug72142.phpt [new file with mode: 0644]
ext/wddx/wddx.c

diff --git a/NEWS b/NEWS
index 49d6c3207e4594a5b6a418822e60a5c8755b41d7..bc4df65fb402bf97fb21834045554034b187d3b2 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -89,6 +89,10 @@ PHP                                                                        NEWS
   . Implemented FR #72653 (SQLite should allow opening with empty filename).
     (cmb)
 
+- Wddx:
+  . Fixed bug #72142 (WDDX Packet Injection Vulnerability in
+    wddx_serialize_value()). (Taoguang Chen)
+
 21 Jul 2016, PHP 5.6.24
 
 - Core:
diff --git a/ext/wddx/tests/bug72142.phpt b/ext/wddx/tests/bug72142.phpt
new file mode 100644 (file)
index 0000000..3976bb2
--- /dev/null
@@ -0,0 +1,13 @@
+--TEST--
+Bug #72142: WDDX Packet Injection Vulnerability in wddx_serialize_value()
+--FILE--
+<?php
+
+$wddx = wddx_serialize_value('', '</comment></header><data><struct><var name="php_class_name"><string>stdClass</string></var></struct></data></wddxPacket>');
+var_dump($wddx);
+var_dump(wddx_deserialize($wddx));
+
+?>
+--EXPECT--
+string(301) "<wddxPacket version='1.0'><header><comment>&lt;/comment&gt;&lt;/header&gt;&lt;data&gt;&lt;struct&gt;&lt;var name=&quot;php_class_name&quot;&gt;&lt;string&gt;stdClass&lt;/string&gt;&lt;/var&gt;&lt;/struct&gt;&lt;/data&gt;&lt;/wddxPacket&gt;</comment></header><data><string></string></data></wddxPacket>"
+string(0) ""
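Review bot: The new test has no `--SKIPIF--` section, so on a build without ext/wddx it fails on the undefined `wddx_serialize_value()` instead of being skipped like the other extension tests; add `--SKIPIF--` followed by `<?php if (!extension_loaded('wddx')) die('skip wddx not available'); ?>` between `--TEST--` and `--FILE--`. The single input only exercises `<`, `>` and `"`, while the fix escapes with ENT_QUOTES; a second `wddx_serialize_value()` call whose comment contains a single quote and a bare `&` would pin the quote-escaping and double-encoding behaviour the expectation currently leaves unverified. The `string(0) ""` line already shows the injected `php_class_name` struct no longer reaches the deserializer, which is the regression this test exists to catch.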
index 6a23fa1c1ef1abcccd7af4c5e29f128772bca590..6387ca2ecdd7cda1901433859916aee365bbad04 100644 (file)
@@ -371,11 +371,18 @@ void php_wddx_packet_start(wddx_packet *packet, char *comment, int comment_len)
 {
        php_wddx_add_chunk_static(packet, WDDX_PACKET_S);
        if (comment) {
+               char *escaped;
+               size_t escaped_len;
+               escaped = php_escape_html_entities(
+                       comment, comment_len, &escaped_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
+
                php_wddx_add_chunk_static(packet, WDDX_HEADER_S);
                php_wddx_add_chunk_static(packet, WDDX_COMMENT_S);
-               php_wddx_add_chunk_ex(packet, comment, comment_len);
+               php_wddx_add_chunk_ex(packet, escaped, escaped_len);
                php_wddx_add_chunk_static(packet, WDDX_COMMENT_E);
                php_wddx_add_chunk_static(packet, WDDX_HEADER_E);
+
+               str_efree(escaped);
        } else {
                php_wddx_add_chunk_static(packet, WDDX_HEADER);
        }
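Review bot: The escape call passes only `ENT_QUOTES` with a NULL charset hint, and as far as I recall the htmlspecialchars semantics, an input containing an invalid code unit sequence for the default charset then yields an empty result rather than an escaped one, so a comment with stray non-UTF-8 bytes is silently dropped from the packet; `ENT_QUOTES | ENT_SUBSTITUTE` would keep the comment and replace the bad bytes instead, which is the behaviour a serializer caller would expect. The block also deserves a one-line why-comment above the `escaped = php_escape_html_entities(` line, e.g. `/* escape so a caller-supplied comment cannot close <comment>/<header> and inject packet structure (bug #72142) */`, since nothing in the code otherwise explains why the comment is treated as untrusted. The `if (comment)` branch is balanced within the hunk, but `php_wddx_packet_start` itself closes outside it, so whether the comment length is validated anywhere else is not visible here.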