CVE-2019-11045: DirectoryIterator class silently truncates after a null byte
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, the PHP DirectoryIterator class accepts filenames with an embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications that check which paths the code is allowed to access: the check sees the whole string, while the directory actually opened is the part before the NUL.
Sec Bug #78863
DirectoryIterator class silently truncates after a null byte
Submitted: 2019-11-23 10:01 UTC
Modified: 2019-12-16 19:01 UTC
From: ryat@php.net
Assigned: stas
Status: Closed
Package: SPL related
PHP Version: 7.3.12
OS: *
Private report: No
CVE-ID: 2019-11045
[2019-11-23 10:01 UTC] ryat@php.net
Description:
ext/spl/spl_directory.c:

```c
void spl_filesystem_object_construct(INTERNAL_FUNCTION_PARAMETERS, zend_long ctor_flags) /* {{{ */
{
	…
	if (SPL_HAS_FLAG(ctor_flags, DIT_CTOR_FLAGS)) {
		flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_FILEINFO;
		/* "s" accepts any string, including one with an embedded NUL byte */
		parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s|l", &path, &len, &flags);
	} else {
		flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_SELF;
		parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s", &path, &len);
	}
```

PoC:

```php
<?php
$dir = new DirectoryIterator("…/…/ryat\x00/php");
foreach ($dir as $fileinfo) {
    if (!$fileinfo->isDot()) {
        var_dump($fileinfo->getFilename());
    }
}
?>
```

Fix:

```c
	if (SPL_HAS_FLAG(ctor_flags, DIT_CTOR_FLAGS)) {
		flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_FILEINFO;
		/* "p" (path) rejects strings that contain a NUL byte */
		parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p|l", &path, &len, &flags);
	} else {
		flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_SELF;
		parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p", &path, &len);
	}
```
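The following is an added example, not code from bug #78863 or from PHP itself. It shows the check-then-use pattern that the NUL truncation defeats (a string-level policy check that passes on the full PHP string while the unfixed DirectoryIterator opens the path truncated at \0), next to the input validation that closes it on any PHP version. The ALLOWED_BASE directory, the "/pub" policy and the function names are assumptions made for illustration.

```php
<?php
// Added example (not part of the bug report or of PHP's own code).
// ALLOWED_BASE and the "only /pub directories may be listed" policy are
// assumptions chosen to make the truncation visible.
declare(strict_types=1);

const ALLOWED_BASE = '/srv/app/data';

/**
 * Vulnerable: the policy is enforced on the whole PHP string, but on
 * PHP 7.2.x < 7.2.26, 7.3.x < 7.3.13 and 7.4.0 DirectoryIterator stops
 * at the first NUL byte. "private\0/pub" therefore passes the suffix
 * check, while ALLOWED_BASE/private is the directory actually listed.
 */
function listPubVulnerable(string $userPath): array
{
    $path = ALLOWED_BASE . '/' . $userPath;
    if (substr($path, -4) !== '/pub') {
        throw new InvalidArgumentException('only a /pub directory may be listed');
    }
    $names = [];
    foreach (new DirectoryIterator($path) as $entry) {
        if (!$entry->isDot()) {
            $names[] = $entry->getFilename();
        }
    }
    return $names;
}

/**
 * Hardened: reject NUL bytes before any filesystem call, canonicalise with
 * realpath(), and re-apply the policy to the canonical path (this also
 * catches "../" escapes, which the suffix check above never looked at).
 */
function listPubHardened(string $userPath): array
{
    if (strpos($userPath, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in path');
    }
    $real = realpath(ALLOWED_BASE . '/' . $userPath);
    if ($real === false
        || strncmp($real, ALLOWED_BASE . '/', strlen(ALLOWED_BASE) + 1) !== 0
        || basename($real) !== 'pub') {
        throw new InvalidArgumentException('path is outside the allowed tree');
    }
    $names = [];
    foreach (new DirectoryIterator($real) as $entry) {
        if (!$entry->isDot()) {
            $names[] = $entry->getFilename();
        }
    }
    return $names;
}

// Constructed attacker input: ends in "/pub" so the naive check accepts it,
// yet everything after \0 is invisible to the C layer on an unfixed PHP.
$attackerInput = "private\0/pub";

foreach (['listPubVulnerable', 'listPubHardened'] as $fn) {
    try {
        var_dump($fn($attackerInput));
    } catch (Throwable $e) {
        // On a fixed PHP the "p" parameter spec makes the constructor throw;
        // the hardened function throws its own exception before that point.
        echo $fn, ': ', get_class($e), ': ', $e->getMessage(), PHP_EOL;
    }
}
```

On an unfixed PHP the first call lists ALLOWED_BASE/private (if it exists) despite the check; on a fixed PHP it fails inside the DirectoryIterator constructor. The hardened version fails closed in both cases because the NUL check and the realpath() comparison happen before the filesystem is touched.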
History
[2019-11-25 16:09 UTC] cmb@php.net
-Status: Open
+Status: Verified
-Assigned To:
+Assigned To: stas
[2019-11-28 09:08 UTC] stas@php.net
Will do. Not sure whether it needs a CVE?
[2019-11-29 04:31 UTC] stas@php.net
-CVE-ID:
+CVE-ID: 2019-11044
[2019-11-30 22:06 UTC] stas@php.net
-CVE-ID: 2019-11044
+CVE-ID: 2019-11045
[2019-12-16 19:02 UTC] stas@php.net
-Status: Verified
+Status: Closed