authorRemi Collet <remi@remirepo.net>2020-01-21 10:15:12 +0100
committerRemi Collet <remi@remirepo.net>2020-01-21 10:15:12 +0100
commit0f719845b87cb975effba75cf49b2c84cf5f28a1 (patch)
tree90779ec988fc5224bddabc45d69b3a291aaa8b3c /php-bug79091.patch
parent9d0e088bae4b092768b2779b9f82cac349cb80e2 (diff)
mbstring:
Fix #79037 global buffer-overflow in mbfl_filt_conv_big5_wchar CVE-2020-7060
session: Fix #79091 heap use-after-free in session_create_id
standard: Fix #79099 OOB read in php_strip_tags_ex CVE-2020-7059
Diffstat (limited to 'php-bug79091.patch')
-rw-r--r--php-bug79091.patch99
1 files changed, 99 insertions, 0 deletions
diff --git a/php-bug79091.patch b/php-bug79091.patch
new file mode 100644
index 0000000..ad3a5cc
--- /dev/null
+++ b/php-bug79091.patch
@@ -0,0 +1,99 @@
+From 35c8a53c098cd828413a80ed7964146d50161c6c Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Mon, 20 Jan 2020 18:05:00 +0100
+Subject: [PATCH] Fix #79091: heap use-after-free in session_create_id()
+
+If the `new_id` is released, we must not use it again.
+
+(cherry picked from commit f79c7742746907d676989cb7f97fb4f7cd26789f)
+---
+ ext/session/session.c | 1 +
+ ext/session/tests/bug79091.phpt | 67 +++++++++++++++++++++++++++++++++
+ 2 files changed, 68 insertions(+)
+ create mode 100644 ext/session/tests/bug79091.phpt
+
+diff --git a/ext/session/session.c b/ext/session/session.c
+index 8d60ac249a..44ecb85f74 100644
+--- a/ext/session/session.c
++++ b/ext/session/session.c
+@@ -2049,6 +2049,7 @@ static PHP_FUNCTION(session_create_id)
+ /* Detect collision and retry */
+ if (PS(mod)->s_validate_sid(&PS(mod_data), new_id) == FAILURE) {
+ zend_string_release(new_id);
++ new_id = NULL;
+ continue;
+ }
+ break;
+diff --git a/ext/session/tests/bug79091.phpt b/ext/session/tests/bug79091.phpt
+new file mode 100644
+index 0000000000..1d14427159
+--- /dev/null
++++ b/ext/session/tests/bug79091.phpt
+@@ -0,0 +1,67 @@
++--TEST--
++Bug #79091 (heap use-after-free in session_create_id())
++--SKIPIF--
++<?php
++if (!extension_loaded('session')) die('skip session extension not available');
++?>
++--FILE--
++<?php
++class MySessionHandler implements SessionHandlerInterface, SessionIdInterface, SessionUpdateTimestampHandlerInterface
++{
++ public function close()
++ {
++ return true;
++ }
++
++ public function destroy($session_id)
++ {
++ return true;
++ }
++
++ public function gc($maxlifetime)
++ {
++ return true;
++ }
++
++ public function open($save_path, $session_name)
++ {
++ return true;
++ }
++
++ public function read($session_id)
++ {
++ return '';
++ }
++
++ public function write($session_id, $session_data)
++ {
++ return true;
++ }
++
++ public function create_sid()
++ {
++ return uniqid();
++ }
++
++ public function updateTimestamp($key, $val)
++ {
++ return true;
++ }
++
++ public function validateId($key)
++ {
++ return false;
++ }
++}
++
++ob_start();
++var_dump(session_set_save_handler(new MySessionHandler()));
++var_dump(session_start());
++ob_flush();
++session_create_id();
++?>
++--EXPECTF--
++bool(true)
++bool(true)
++
++Warning: session_create_id(): Failed to create new ID in %s on line %d
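Review bot: The added `new_id = NULL;` in the embedded ext/session/session.c change has no comment explaining why the pointer is cleared, and the code that depends on it is outside the hunk. The branch releases `new_id` and then `continue`s, so once the retries are exhausted the code after the loop would otherwise be handed a freed string; judging by the expected "Failed to create new ID" warning, it presumably tests `new_id` for NULL. I would put `/* released above: clear it so the code after the retry loop sees a failure, not a freed string */` directly above the assignment. The regression test also calls `session_create_id();` without checking the result; `var_dump(session_create_id());` with the matching EXPECTF line would pin the return value on the failure path as well. PHP_FUNCTION(session_create_id) starts and ends outside the hunk, so the post-loop handling should be confirmed against the full function.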