Skip to content

#74337 pointer returned by php_stream_fopen_tmpfile not validated #2475

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
skvoboo wants to merge 1 commit into from
Closed

#74337 pointer returned by php_stream_fopen_tmpfile not validated #2475

skvoboo wants to merge 1 commit into from

Conversation

@skvoboo
Copy link
Contributor

@skvoboo skvoboo commented Apr 14, 2017
edited
Loading

The pointer returned by php_stream_fopen_tmpfile is not validated prior to use in memory.c.
In the case where a script is executed in an environment where the parent directory of system TMP directory is not readable to the user, it will cause a application crash with Access Violation.

The issue is similar to the https://bugs.php.net/bug.php?id=68986

Steps to reproduce:

  1. Create C:\TEMP folder
  2. Create system user
  3. Add Deny Full control access rights for created user on C:\
  4. Remove Deny Full control access rights for created user on C:\TEMP
  5. Add Allow Full control access rights for created user on C:\TEMP
  6. Set TEMP and TMP system environment variables value to C:\TEMP
  7. Execute script by created user:
<?php
$fp = fopen('php://temp', 'w+b');
$ch = curl_init();
curl_setopt($ch, CURLOPT_FILE, $fp);

@krakjoe krakjoe added the Bug label Apr 14, 2017
weltling
weltling reviewed Apr 14, 2017
View reviewed changes
main/streams/memory.c Outdated

file = php_stream_fopen_tmpfile();
if (file == NULL) {
php_error_docref(NULL, E_WARNING, "Unable to create temporary file. Check permissions in temporary files directory.");
Copy link
Contributor

@weltling weltling Apr 14, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It can fail to various reasons, so maybe could simplify the msg or even omit it if php_stream_fopen_tmpfile() already throws a warning.

Thanks.

Copy link
Contributor Author

@skvoboo skvoboo Apr 14, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It can fail to various reasons, so maybe could simplify the msg or even omit it if php_stream_fopen_tmpfile() already throws a warning.

Message was simplified.

@krakjoe
Copy link
Member

krakjoe commented Apr 17, 2017

@weltling what's the status here ?

@weltling
Copy link
Contributor

weltling commented Apr 17, 2017

@krakjoe oh, i didn't realize it were assigned. LGTM, can take care before RC, if not merged earlier.

Thanks.

@weltling
Copy link
Contributor

weltling commented Apr 22, 2017

Merged as 793a8bd.

Thanks.

@weltling weltling closed this Apr 22, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@weltling weltling weltling left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@weltling weltling

Labels

Bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@skvoboo @krakjoe @weltling