mirror of
https://github.com/php/php-src.git
synced 2024-11-27 20:03:40 +08:00
Fix #80901: Info leak in ftp extension
We ensure that inbuf is NUL terminated on `ftp_readline()` failure. Closes GH-6894.
This commit is contained in:
parent
a2771296c0
commit
09696eee9d
3
NEWS
3
NEWS
@ -10,6 +10,9 @@ PHP NEWS
|
||||
. Fixed bug #67792 (HTTP Authorization schemes are treated as case-sensitive).
|
||||
(cmb)
|
||||
|
||||
- FTP:
|
||||
. Fixed bug #80901 (Info leak in ftp extension). (cmb)
|
||||
|
||||
- pgsql:
|
||||
. Fixed php_pgsql_fd_cast() wrt. php_stream_can_cast(). (cmb)
|
||||
|
||||
|
@ -1349,10 +1349,12 @@ ftp_readline(ftpbuf_t *ftp)
|
||||
|
||||
data = eol;
|
||||
if ((rcvd = my_recv(ftp, ftp->fd, data, size)) < 1) {
|
||||
*data = 0;
|
||||
return 0;
|
||||
}
|
||||
} while (size);
|
||||
|
||||
*data = 0;
|
||||
return 0;
|
||||
}
|
||||
/* }}} */
|
||||
|
22
ext/ftp/tests/bug80901.phpt
Normal file
22
ext/ftp/tests/bug80901.phpt
Normal file
@ -0,0 +1,22 @@
|
||||
--TEST--
|
||||
Bug #80901 (Info leak in ftp extension)
|
||||
--SKIPIF--
|
||||
<?php
|
||||
require 'skipif.inc';
|
||||
?>
|
||||
--INI--
|
||||
log_errors_max_len=0
|
||||
--FILE--
|
||||
<?php
|
||||
$bug80901 = true;
|
||||
require 'server.inc';
|
||||
|
||||
$ftp = ftp_connect("127.0.0.1", $port);
|
||||
if (!$ftp) die("Couldn't connect to the server");
|
||||
var_dump(ftp_login($ftp, 'user', 'pass'));
|
||||
ftp_systype($ftp);
|
||||
?>
|
||||
--EXPECTF--
|
||||
bool(true)
|
||||
|
||||
Warning: ftp_systype(): **************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************** in %s on line %d
|
@ -107,6 +107,7 @@ if ($pid) {
|
||||
fputs($s, "234 auth type accepted\r\n");
|
||||
} else {
|
||||
fputs($s, "666 dummy\r\n");
|
||||
sleep(1);
|
||||
fputs($s, "666 bogus msg\r\n");
|
||||
exit;
|
||||
}
|
||||
@ -197,6 +198,8 @@ if ($pid) {
|
||||
} elseif ($buf === "SYST\r\n") {
|
||||
if (isset($bug27809)) {
|
||||
fputs($s, "215 OS/400 is the remote operating system. The TCP/IP version is \"V5R2M0\"\r\n");
|
||||
} elseif (isset($bug80901)) {
|
||||
fputs($s, "\r\n" . str_repeat("*", 4096) . "\r\n");
|
||||
} else {
|
||||
fputs($s, "215 UNIX Type: L8.\r\n");
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user