commit 1785d2b805f64eaaacf98c14c9e13107bf085ab1 | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Mon Dec 28 12:42:44 2015 -0800 | |
Fixed bug #70741: Session WDDX Packet Deserialization Type Confusion Vulnerability | |
diff --git a/NEWS b/NEWS | |
index f29a710..67fbcae 100644 | |
--- a/NEWS | |
+++ b/NEWS | |
@@ -11,6 +11,10 @@ PHP NEWS | |
. Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array Index | |
Out of Bounds). (emmanuel dot law at gmail dot com). | |
+- WDDX: | |
+ . Fixed bug #70741 (Session WDDX Packet Deserialization Type Confusion | |
+ Vulnerability). (taoguangchen at icloud dot com) | |
+ | |
01 Oct 2015, PHP 5.5.30 | |
- Phar: | |
diff --git a/ext/wddx/tests/bug70741.phpt b/ext/wddx/tests/bug70741.phpt | |
new file mode 100644 | |
index 0000000..9c7e09b | |
--- /dev/null | |
+++ b/ext/wddx/tests/bug70741.phpt | |
@@ -0,0 +1,26 @@ | |
+--TEST-- | |
+Bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability) | |
+--SKIPIF-- | |
+<?php | |
+if (!extension_loaded("wddx")) print "skip"; | |
+?> | |
+--FILE-- | |
+<?php | |
+ini_set('session.serialize_handler', 'wddx'); | |
+session_start(); | |
+ | |
+$hashtable = str_repeat('A', 66); | |
+$wddx = "<?xml version='1.0'?> | |
+<wddxPacket version='1.0'> | |
+<header/> | |
+ <data> | |
+ <string>$hashtable</string> | |
+ </data> | |
+</wddxPacket>"; | |
+session_decode($wddx); | |
+?> | |
+DONE | |
+--EXPECTF-- | |
+ | |
+Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s on line %d | |
+DONE | |
\ No newline at end of file | |
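Review bot: The `--SKIPIF--` section checks only for the wddx extension, but the test body depends on the session extension as well (`ini_set('session.serialize_handler', 'wddx')`, `session_start()`, `session_decode()`). On a build that has wddx but no session support the test would presumably fail rather than skip, so I would add `if (!extension_loaded("session")) print "skip";` next to the existing check. The packet covers only a top-level `<string>`; a second case with another scalar top-level element would show that the new guard rejects every non-array type, not just strings.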
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c | |
index 45beaec..8017620 100644 | |
--- a/ext/wddx/wddx.c | |
+++ b/ext/wddx/wddx.c | |
@@ -308,7 +308,10 @@ PS_SERIALIZER_DECODE_FUNC(wddx) | |
MAKE_STD_ZVAL(retval); | |
if ((ret = php_wddx_deserialize_ex((char *)val, vallen, retval)) == SUCCESS) { | |
- | |
+ if (Z_TYPE_P(retval) != IS_ARRAY) { | |
+ zval_ptr_dtor(&retval); | |
+ return FAILURE; | |
+ } | |
for (zend_hash_internal_pointer_reset(Z_ARRVAL_P(retval)); | |
zend_hash_get_current_data(Z_ARRVAL_P(retval), (void **) &ent) == SUCCESS; | |
zend_hash_move_forward(Z_ARRVAL_P(retval))) { |
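Review bot: The added `Z_TYPE_P(retval) != IS_ARRAY` guard has no comment, yet it is the only thing that keeps `Z_ARRVAL_P(retval)` in the loop below from being applied to a non-array zval decoded from session data. I would put `/* session data is untrusted: the top-level WDDX value must be an array before Z_ARRVAL_P() is used (bug #70741) */` above the check so that a later cleanup does not remove it. The guard validates the top-level type only. Whether the per-entry handling inside the loop needs similar type checks cannot be judged from here, because the body of `PS_SERIALIZER_DECODE_FUNC(wddx)` continues outside the hunk.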