Edit report at http://bugs.php.net/bug.php?id=39863&edit=1
ID: 39863 Updated by: s...@php.net Reported by: djcapelis at gmail dot com Summary: file_exists() silently truncates after a null byte Status: Open Type: Feature/Change Request -Package: Feature/Change Request +Package: *General Issues Operating System: Linux, MacOSX PHP Version: 4.4.4, 5.1.5 New Comment: I've merged the test as ext/standard/tests/file/bug39863.phpt Previous Comments: ------------------------------------------------------------------------ [2010-06-05 21:44:50] s...@php.net Automatic comment from SVN on behalf of sixd Revision: http://svn.php.net/viewvc/?view=revision&revision=300213 Log: New test for file_exists (bug #39863). It currently xfail's ------------------------------------------------------------------------ [2010-05-12 13:25:42] vanderaj at owasp dot org I've tested this on CentOS 5.0 with a hand built 5.2.11 and Apple's build of PHP 5.3.1 on MacOS X 10.6.3, and both have this issue. If you don't want to run a phpt, here's some a more readable version of the previous test: <?php $filename = "/etc/passwd" . chr(0). ".ridiculous"; if (file_exists($filename)) { echo "FAIL: The file [" . $filename . "] exists, but clearly shouldn't.\n"; } else { echo "PASS: The file [" . $filename . "] does not exist.\n"; } ?> I've included a PHP test script. It's my first phpt, so please be gentle. ------------------------------------------------------------------------ [2006-12-20 09:47:27] djcapelis at gmail dot com Sorry, testing was originally done using the hardened php patch here: http://www.hardened-php.net/downloads.13.html Without the patch, include_once() is just as vulnerable and silently readily embeds /etc/passwd right into the file. Perhaps it would be a good idea to include that part of the patch into the main PHP distribution and fix the rest of the functions where this is a problem. I just tested and PHP 5.1.5 is also vulnerable to both these issues. (As was a Mac OSX system.) ------------------------------------------------------------------------ [2006-12-18 08:46:13] djcapelis at gmail dot com Description: ------------ file_exists() silently truncates anything after a null byte in a string. This produces unexpected results in some circumstances and possibly would result in security problems for limited amounts of poorly written code. include_once() for instance, provides the following: "ALERT - Include filename truncated by a \0 after '/etc/passwd' (attacker 'REMOTE_ADDR not set', file '/home/djc/test.php', line 13)" This seems like a sane way to handle it if truncating has to be done... though frankly since truncation will *always* produce the wrong result it might be nice to throw an error and stop processing. Reproduce code: --------------- <?php $filename = "/etc/passwd^@" . ".someextension"; if (file_exists($filename)) { echo "The file " . $filename . "exists"; } else { echo "The file " . $filename . "does not exist"; } ?> Expected result: ---------------- Expected: $ php -n test.php The file /etc/passwd.\0someextension does not exist Actual result: -------------- Actual: $ php -n test.php The file /etc/passwd.someextension exists ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/bug.php?id=39863&edit=1
