summaryrefslogtreecommitdiffstats
path: root/bug70741.patch
diff options
context:
space:
mode:
authorRemi Collet <fedora@famillecollet.com>2016-01-06 17:23:22 +0100
committerRemi Collet <fedora@famillecollet.com>2016-01-06 17:23:22 +0100
commit08069d1e5b43644dc9cac9bd4d645304320cc0d0 (patch)
treef8988aebb20c1daa63e0fce4266696746239d06b /bug70741.patch
parent70444173463d55a2a01c10de14a0a092bc6db3ef (diff)
PHP 5.4.45 with security patches from 5.5.31
Diffstat (limited to 'bug70741.patch')
-rw-r--r--bug70741.patch64
1 files changed, 64 insertions, 0 deletions
diff --git a/bug70741.patch b/bug70741.patch
new file mode 100644
index 0000000..1704bfb
--- /dev/null
+++ b/bug70741.patch
@@ -0,0 +1,64 @@
+Backported from 5.5 for 5.4 by Remi Collet
+
+From 1785d2b805f64eaaacf98c14c9e13107bf085ab1 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 28 Dec 2015 12:42:44 -0800
+Subject: [PATCH] Fixed bug #70741: Session WDDX Packet Deserialization Type
+ Confusion Vulnerability
+
+---
+ NEWS | 4 ++
+ ext/wddx/tests/bug70741.phpt | 26 ++++++++
+ ext/wddx/wddx.c | 139 ++++++++++++++++++++++---------------------
+ 3 files changed, 101 insertions(+), 68 deletions(-)
+ create mode 100644 ext/wddx/tests/bug70741.phpt
+
+diff --git a/ext/wddx/tests/bug70741.phpt b/ext/wddx/tests/bug70741.phpt
+new file mode 100644
+index 0000000..9c7e09b
+--- /dev/null
++++ b/ext/wddx/tests/bug70741.phpt
+@@ -0,0 +1,26 @@
++--TEST--
++Bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability)
++--SKIPIF--
++<?php
++if (!extension_loaded("wddx")) print "skip";
++?>
++--FILE--
++<?php
++ini_set('session.serialize_handler', 'wddx');
++session_start();
++
++$hashtable = str_repeat('A', 66);
++$wddx = "<?xml version='1.0'?>
++<wddxPacket version='1.0'>
++<header/>
++ <data>
++ <string>$hashtable</string>
++ </data>
++</wddxPacket>";
++session_decode($wddx);
++?>
++DONE
++--EXPECTF--
++
++Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s on line %d
++DONE
+\ No newline at end of file
+diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
+index 45beaece..8017620 100644
+--- a/ext/wddx/wddx.c
++++ b/ext/wddx/wddx.c
+@@ -308,7 +308,10 @@ PS_SERIALIZER_DECODE_FUNC(wddx)
+ MAKE_STD_ZVAL(retval);
+
+ if ((ret = php_wddx_deserialize_ex((char *)val, vallen, retval)) == SUCCESS) {
+-
++ if (Z_TYPE_P(retval) != IS_ARRAY) {
++ zval_ptr_dtor(&retval);
++ return FAILURE;
++ }
+ for (zend_hash_internal_pointer_reset(Z_ARRVAL_P(retval));
+ zend_hash_get_current_data(Z_ARRVAL_P(retval), (void **) &ent) == SUCCESS;
+ zend_hash_move_forward(Z_ARRVAL_P(retval))) {