
#39863 [NEW]: file_exists() silently truncates after a null byte - PHP Bugs


  1. #1

    #39863 [NEW]: file_exists() silently truncates after a null byte

    From: djcapelis at gmail dot com
    Operating system: Linux, x86
    PHP version: 4.4.4
    PHP Bug Type: *Directory/Filesystem functions
    Bug description: file_exists() silently truncates after a null byte

    Description:
    ------------
    file_exists() silently truncates anything after a null byte in a string.
    This produces unexpected results in some circumstances and possibly would
    result in security problems for limited amounts of poorly written code.

    include_once() for instance, provides the following:
    "ALERT - Include filename truncated by a \0 after '/etc/passwd' (attacker
    'REMOTE_ADDR not set', file '/home/djc/test.php', line 13)"

    This seems like a sane way to handle it if truncating has to be done...
    though frankly since truncation will *always* produce the wrong result it
    might be nice to throw an error and stop processing.

    Reproduce code:
    ---------------
    <?php
    // "\0" is the null byte that file_exists() truncates the path at.
    $filename = "/etc/passwd\0" . ".someextension";

    if (file_exists($filename))
    {
        echo "The file " . $filename . " exists";
    }
    else
    {
        echo "The file " . $filename . " does not exist";
    }

    ?>

    Expected result:
    ----------------
    Expected:

    $ php -n test.php
    The file /etc/passwd.\0someextension does not exist

    Actual result:
    --------------
    Actual:

    $ php -n test.php
    The file /etc/passwd.someextension exists

    djcapelis at gmail dot com Guest

  2. #2

    #39863 [Opn]: file_exists() silently truncates after a null byte

    ID: 39863
    User updated by: djcapelis at gmail dot com
    Reported By: djcapelis at gmail dot com
    Status: Open
    Bug Type: Feature/Change Request
    -Operating System: Linux, x86
    +Operating System: Linux, MacOSX
    -PHP Version: 4.4.4
    +PHP Version: 4.4.4, 5.1.5
    New Comment:

    Sorry, testing was originally done using the hardened php patch here:
    http://www.hardened-php.net/downloads.13.html Without the patch,
    include_once() is just as vulnerable and silently readily embeds
    /etc/passwd right into the file.

    Perhaps it would be a good idea to include that part of the patch into
    the main PHP distribution and fix the rest of the functions where this
    is a problem.

    I just tested and PHP 5.1.5 is also vulnerable to both these issues.
    (As was a Mac OSX system.)


    Previous Comments:
    ------------------------------------------------------------------------

    [2006-12-18 08:46:13] djcapelis at gmail dot com

    Description:
    ------------
    file_exists() silently truncates anything after a null byte in a
    string. This produces unexpected results in some circumstances and
    possibly would result in security problems for limited amounts of
    poorly written code.

    include_once() for instance, provides the following:
    "ALERT - Include filename truncated by a \0 after '/etc/passwd'
    (attacker 'REMOTE_ADDR not set', file '/home/djc/test.php', line 13)"

    This seems like a sane way to handle it if truncating has to be done...
    though frankly since truncation will *always* produce the wrong result
    it might be nice to throw an error and stop processing.

    Reproduce code:
    ---------------
    <?php
    // "\0" is the null byte that file_exists() truncates the path at.
    $filename = "/etc/passwd\0" . ".someextension";

    if (file_exists($filename))
    {
        echo "The file " . $filename . " exists";
    }
    else
    {
        echo "The file " . $filename . " does not exist";
    }

    ?>

    Expected result:
    ----------------
    Expected:

    $ php -n test.php
    The file /etc/passwd.\0someextension does not exist

    Actual result:
    --------------
    Actual:

    $ php -n test.php
    The file /etc/passwd.someextension exists


    ------------------------------------------------------------------------


    djcapelis at gmail dot com Guest
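
An application-side guard for the pattern in this report, as an added example that is not part of the bug report or of PHP's own code: it rejects a NUL byte before any filesystem call instead of relying on the function to notice, then checks that the resolved path stays under a base directory. The function name `safe_template_path()`, the scratch directory and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: safe_template_path() and the file names are hypothetical.
function safe_template_path(string $baseDir, string $name): string
{
    // Fail closed on NUL instead of letting a C-string API cut the path there.
    if (strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in file name');
    }
    // Allowlist the alphabet so separators and dots cannot appear in $name.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        throw new InvalidArgumentException('unexpected characters in file name');
    }
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory missing');
    }
    // The extension is appended only after validation; realpath() returns
    // false for a missing file, and the prefix check enforces containment.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.someextension');
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('file not found under base directory');
    }
    return $path;
}

// Constructed demo data: one legitimate file in a scratch directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'nul_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'report.someextension', 'ok');

foreach (['report', "/etc/passwd\0", '../report', 'missing'] as $input) {
    try {
        $result = 'accepted: ' . basename(safe_template_path($dir, $input));
    } catch (Exception $e) {
        $result = 'rejected: ' . $e->getMessage();
    }
    // json_encode() makes the NUL visible as \u0000 in the output.
    echo json_encode($input), ' => ', $result, PHP_EOL;
}

unlink($dir . DIRECTORY_SEPARATOR . 'report.someextension');
rmdir($dir);
```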
