Skip to content

Instantly share code, notes, and snippets.

/72681.diff Secret

Created Aug 3, 2016
Embed
What would you like to do?
Patch for 72681
commit 1ae2bdb9c146fdb3ca36081441aed6b517f51071
Author: Stanislav Malyshev <stas@php.net>
Date: Wed Aug 3 00:30:12 2016 -0700
Fix bug #72681 - consume data even if we're not storing them
diff --git a/ext/session/session.c b/ext/session/session.c
index c668bb7..b2d0236 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -924,11 +924,13 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
int namelen;
int has_value;
php_unserialize_data_t var_hash;
+ int skip = 0;
PHP_VAR_UNSERIALIZE_INIT(var_hash);
for (p = val; p < endptr; ) {
zval **tmp;
+ skip = 0;
namelen = ((unsigned char)(*p)) & (~PS_BIN_UNDEF);
if (namelen < 0 || namelen > PS_BIN_MAX || (p + namelen) >= endptr) {
@@ -944,22 +946,25 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) {
if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) {
- efree(name);
- continue;
+ skip = 1;
}
}
if (has_value) {
ALLOC_INIT_ZVAL(current);
if (php_var_unserialize(&current, (const unsigned char **) &p, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) {
+ if (!skip) {
php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC);
+ }
} else {
PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
return FAILURE;
}
var_push_dtor_no_addref(&var_hash, &current);
}
+ if (!skip) {
PS_ADD_VARL(name, namelen);
+ }
efree(name);
}
@@ -1016,6 +1021,7 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
int namelen;
int has_value;
php_unserialize_data_t var_hash;
+ int skip = 0;
PHP_VAR_UNSERIALIZE_INIT(var_hash);
@@ -1024,6 +1030,7 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
while (p < endptr) {
zval **tmp;
q = p;
+ skip = 0;
while (*q != PS_DELIMITER) {
if (++q >= endptr) goto break_outer_loop;
}
@@ -1040,14 +1047,16 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) {
if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) {
- goto skip;
+ skip = 1;
}
}
if (has_value) {
ALLOC_INIT_ZVAL(current);
if (php_var_unserialize(&current, (const unsigned char **) &q, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) {
+ if (!skip) {
php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC);
+ }
} else {
var_push_dtor_no_addref(&var_hash, &current);
efree(name);
@@ -1056,7 +1065,9 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
}
var_push_dtor_no_addref(&var_hash, &current);
}
+ if (!skip) {
PS_ADD_VARL(name, namelen);
+ }
skip:
efree(name);
diff --git a/ext/session/tests/bug72681.phpt b/ext/session/tests/bug72681.phpt
new file mode 100644
index 0000000..ca38b07
--- /dev/null
+++ b/ext/session/tests/bug72681.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #72681: PHP Session Data Injection Vulnerability
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--FILE--
+<?php
+ini_set('session.serialize_handler', 'php');
+session_start();
+$_SESSION['_SESSION'] = 'ryat|O:8:"stdClass":0:{}';
+session_write_close();
+session_start();
+var_dump($_SESSION);
+?>
+--EXPECT--
+array(0) {
+}
@divinity76

This comment has been minimized.

Copy link

@divinity76 divinity76 commented Aug 19, 2016

use a bool though

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.