Fix bug #67498 - phpinfo() Type Confusion Information Leak Vulnerability

smalyshev · smalyshev · commit ec002bd837be · 2014-07-18T16:14:42.000-07:00
diff --git a/ext/standard/info.c b/ext/standard/info.c
@@ -972,16 +972,16 @@ PHPAPI void php_print_info(int flag TSRMLS_DC)
 
 		php_info_print_table_start();
 		php_info_print_table_header(2, "Variable", "Value");
-		if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
+		if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 			php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
 		}
-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
+		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 			php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
 		}
-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
+		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 			php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
 		}
-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
+		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 			php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
 		}
 		php_print_gpcse_array("_REQUEST", sizeof("_REQUEST")-1 TSRMLS_CC);
diff --git a/ext/standard/tests/general_functions/bug67498.phpt b/ext/standard/tests/general_functions/bug67498.phpt
@@ -0,0 +1,15 @@
+--TEST--
+phpinfo() Type Confusion Information Leak Vulnerability
+--FILE--
+<?php
+$PHP_SELF = 1;
+phpinfo(INFO_VARIABLES);
+
+?>
+==DONE==
+--EXPECTF--
+phpinfo()
+
+PHP Variables
+%A
+==DONE==

Original file line number	Diff line number	Diff line change
`@@ -972,16 +972,16 @@ PHPAPI void php_print_info(int flag TSRMLS_DC)`
`972`	`972`
`973`	`973`	`php_info_print_table_start();`
`974`	`974`	`php_info_print_table_header(2, "Variable", "Value");`
`975`		`- if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {`
	`975`	`+ if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {`
`976`	`976`	`php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));`
`977`	`977`	`}`
`978`		`- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {`
	`978`	`+ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {`
`979`	`979`	`php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));`
`980`	`980`	`}`
`981`		`- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {`
	`981`	`+ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {`
`982`	`982`	`php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));`
`983`	`983`	`}`
`984`		`- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {`
	`984`	`+ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {`
`985`	`985`	`php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));`
`986`	`986`	`}`
`987`	`987`	`php_print_gpcse_array("_REQUEST", sizeof("_REQUEST")-1 TSRMLS_CC);`