Headline
CVE-2019-11044: link() silently truncates after a null byte on Windows
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, PHP link() function accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.
Sec Bug #78862
link() silently truncates after a null byte on Windows
Submitted:
2019-11-23 09:23 UTC
Modified:
2019-12-16 19:01 UTC
From:
ryat@php.net
Assigned:
stas (profile)
Status:
Closed
Package:
Filesystem function related
PHP Version:
7.3.12
OS:
Windows
Private report:
No
CVE-ID:
2019-11044
[2019-11-23 09:23 UTC] ryat@php.net
Description:
ext/standard/link_win32.c: ``` PHP_FUNCTION(link) { … if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss", &frompath, &frompath_len, &topath, &topath_len) == FAILURE) { return; } ```
PoC for Windows: ``` <?php
link("ryat\x00php", “php\x00ryat”);
?> ```
Fix: ``` if (zend_parse_parameters(ZEND_NUM_ARGS(), "pp", &frompath, &frompath_len, &topath, &topath_len) == FAILURE) ```
Patches
Add a Patch
Pull Requests
Add a Pull Request
History
AllCommentsChangesGit/SVN commitsRelated reports
[2019-11-23 12:07 UTC] cmb@php.net
-Status: Open +Status: Verified -Package: *General Issues +Package: Filesystem function related -Assigned To: +Assigned To: stas
[2019-11-30 22:01 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2019-11044
[2019-12-16 19:02 UTC] stas@php.net
-Status: Verified +Status: Closed
Related news
The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive.