Fix bug #72681 - consume data even if we're not storing them
smalyshev committed Aug 17, 2016
1 parent 448c9be commit 8763c60
Showing 2 changed files with 30 additions and 3 deletions.
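--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -924,11 +924,13 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
 int namelen;
 int has_value;
 php_unserialize_data_t var_hash;
+int skip = 0;
 
 PHP_VAR_UNSERIALIZE_INIT(var_hash);
 
 for (p = val; p < endptr; ) {
 zval **tmp;
+skip = 0;
 namelen = ((unsigned char)(*p)) & (~PS_BIN_UNDEF);
 
 if (namelen < 0 || namelen > PS_BIN_MAX || (p + namelen) >= endptr) {
@@ -944,22 +946,25 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
 
 if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) {
 if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) {
-efree(name);
-continue;
+skip = 1;
 }
 }
 
 if (has_value) {
 ALLOC_INIT_ZVAL(current);
 if (php_var_unserialize(&current, (const unsigned char **) &p, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) {
+if (!skip) {
 php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC);
+}
 } else {
 PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
 return FAILURE;
 }
 var_push_dtor_no_addref(&var_hash, &current);
 }
+if (!skip) {
 PS_ADD_VARL(name, namelen);
+}
 efree(name);
 }
 
@@ -1016,6 +1021,7 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
 int namelen;
 int has_value;
 php_unserialize_data_t var_hash;
+int skip = 0;
 
 PHP_VAR_UNSERIALIZE_INIT(var_hash);
 
@@ -1024,6 +1030,7 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
 while (p < endptr) {
 zval **tmp;
 q = p;
+skip = 0;
 while (*q != PS_DELIMITER) {
 if (++q >= endptr) goto break_outer_loop;
 }
@@ -1040,14 +1047,16 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
 
 if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) {
 if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) {
-goto skip;
+skip = 1;
 }
 }
 
 if (has_value) {
 ALLOC_INIT_ZVAL(current);
 if (php_var_unserialize(&current, (const unsigned char **) &q, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) {
+if (!skip) {
 php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC);
+}
 } else {
 var_push_dtor_no_addref(&var_hash, &current);
 efree(name);
@@ -1056,7 +1065,9 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
 }
 var_push_dtor_no_addref(&var_hash, &current);
 }
+if (!skip) {
 PS_ADD_VARL(name, namelen);
+}
 skip:
 efree(name);
 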
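Review bot: The failure branch of the php_binary decoder (the `else` after `php_var_unserialize` in the second hunk) still returns FAILURE without releasing `name` or handing `current` to the dtor list, whereas the php decoder's failure branch in the fifth hunk does `var_push_dtor_no_addref(&var_hash, &current); efree(name);` before bailing out. Malformed session payloads, which is exactly the input this commit hardens against, therefore leak on the binary path; adding those same two lines ahead of `PHP_VAR_UNSERIALIZE_DESTROY(var_hash);` would make the two decoders consistent. Separately, dropping `goto skip;` in the php decoder appears to leave the `skip:` label (kept as context in the last hunk) unreferenced; if no other goto targets it outside the hunks, remove the label to avoid an unused-label warning. Both decoder functions begin and end outside the hunks shown.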
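--- /dev/null
+++ b/ext/session/tests/bug72681.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #72681: PHP Session Data Injection Vulnerability
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--FILE--
+<?php
+ini_set('session.serialize_handler', 'php');
+session_start();
+$_SESSION['_SESSION'] = 'ryat|O:8:"stdClass":0:{}';
+session_write_close();
+session_start();
+var_dump($_SESSION);
+?>
+--EXPECT--
+array(0) {
+}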
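Review bot: The regression test pins `session.serialize_handler` to `php`, so only the php decoder's hunks in session.c are exercised; the php_binary decoder received the same `skip` rework in this commit but has no coverage here. A companion case that sets the handler to `php_binary` with the same `$_SESSION['_SESSION']` payload and the same expected empty array would cover both code paths. A short comment in the test body such as `// a key named _SESSION must be consumed, not re-parsed as the next entry` would also record why an empty array is the expected result.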
