Skip to content
Permalink
Browse files

Fix bug #72681 - consume data even if we're not storing them

  • Loading branch information
smalyshev committed Aug 3, 2016
1 parent 448c9be commit 8763c6090d627d8bb0ee1d030c30e58f406be9ce
Showing with 30 additions and 3 deletions.
  1. +14 −3 ext/session/session.c
  2. +16 −0 ext/session/tests/bug72681.phpt
@@ -924,11 +924,13 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
int namelen;
int has_value;
php_unserialize_data_t var_hash;
int skip = 0;

PHP_VAR_UNSERIALIZE_INIT(var_hash);

for (p = val; p < endptr; ) {
zval **tmp;
skip = 0;
namelen = ((unsigned char)(*p)) & (~PS_BIN_UNDEF);

if (namelen < 0 || namelen > PS_BIN_MAX || (p + namelen) >= endptr) {
@@ -944,22 +946,25 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */

if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) {
if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) {
efree(name);
continue;
skip = 1;
}
}

if (has_value) {
ALLOC_INIT_ZVAL(current);
if (php_var_unserialize(&current, (const unsigned char **) &p, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) {
if (!skip) {
php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC);
}
} else {
PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
return FAILURE;
}
var_push_dtor_no_addref(&var_hash, &current);
}
if (!skip) {
PS_ADD_VARL(name, namelen);
}
efree(name);
}

@@ -1016,6 +1021,7 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
int namelen;
int has_value;
php_unserialize_data_t var_hash;
int skip = 0;

PHP_VAR_UNSERIALIZE_INIT(var_hash);

@@ -1024,6 +1030,7 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
while (p < endptr) {
zval **tmp;
q = p;
skip = 0;
while (*q != PS_DELIMITER) {
if (++q >= endptr) goto break_outer_loop;
}
@@ -1040,14 +1047,16 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */

if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) {
if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) {
goto skip;
skip = 1;
}
}

if (has_value) {
ALLOC_INIT_ZVAL(current);
if (php_var_unserialize(&current, (const unsigned char **) &q, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) {
if (!skip) {
php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC);
}
} else {
var_push_dtor_no_addref(&var_hash, &current);
efree(name);
@@ -1056,7 +1065,9 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
}
var_push_dtor_no_addref(&var_hash, &current);
}
if (!skip) {
PS_ADD_VARL(name, namelen);
}
skip:
efree(name);

@@ -0,0 +1,16 @@
--TEST--
Bug #72681: PHP Session Data Injection Vulnerability
--SKIPIF--
<?php include('skipif.inc'); ?>
--FILE--
<?php
ini_set('session.serialize_handler', 'php');
session_start();
$_SESSION['_SESSION'] = 'ryat|O:8:"stdClass":0:{}';
session_write_close();
session_start();
var_dump($_SESSION);
?>
--EXPECT--
array(0) {
}

0 comments on commit 8763c60

Please sign in to comment.
You can’t perform that action at this time.