Edit report at http://bugs.php.net/bug.php?id=39863&edit=1

 ID:                 39863
 Updated by:         paj...@php.net
 Reported by:        djcapelis at gmail dot com
 Summary:            file_exists() silently truncates after a null byte
-Status:             Open
+Status:             Assigned
 Type:               Feature/Change Request
 Package:            *General Issues
 Operating System:   Linux, MacOSX
 PHP Version:        4.4.4, 5.1.5
-Assigned To:
+Assigned To:        pajoye
 Block user comment: N
 Private report:     N

 New Comment:

Fixed in PHP_5_3, will be part of 5.3.4.

trunk still needs the fix, it will be done soonish.

Previous Comments:
------------------------------------------------------------------------
[2010-11-18 16:22:24] paj...@php.net

Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&revision=305507
Log: - fix #39863, do not accept paths with NULL in them. See http://news.php.net/php.internals/50191, trunk will have the patch later (adding a macro and/or changing (some) APIs. Patch by Rasmus

------------------------------------------------------------------------
[2010-06-05 21:45:27] s...@php.net

I've merged the test as ext/standard/tests/file/bug39863.phpt

------------------------------------------------------------------------
[2010-06-05 21:44:50] s...@php.net

Automatic comment from SVN on behalf of sixd
Revision: http://svn.php.net/viewvc/?view=revision&revision=300213
Log: New test for file_exists (bug #39863). It currently xfail's

------------------------------------------------------------------------
[2010-05-12 13:25:42] vanderaj at owasp dot org

I've tested this on CentOS 5.0 with a hand built 5.2.11 and Apple's build of PHP 5.3.1 on MacOS X 10.6.3, and both have this issue.

If you don't want to run a phpt, here's a more readable version of the previous test:

    <?php

    // Path with an embedded NUL byte between the real file name and a bogus suffix
    $filename = "/etc/passwd" . chr(0). ".ridiculous";

    if (file_exists($filename)) {
        echo "FAIL: The file [" . $filename . "] exists, but clearly shouldn't.\n";
    } else {
        echo "PASS: The file [" . $filename . "] does not exist.\n";
    }
    ?>

I've included a PHP test script. It's my first phpt, so please be gentle.

------------------------------------------------------------------------
[2006-12-20 09:47:27] djcapelis at gmail dot com

Sorry, testing was originally done using the hardened php patch here: http://www.hardened-php.net/downloads.13.html

Without the patch, include_once() is just as vulnerable and silently readily embeds /etc/passwd right into the file.

Perhaps it would be a good idea to include that part of the patch into the main PHP distribution and fix the rest of the functions where this is a problem.

I just tested and PHP 5.1.5 is also vulnerable to both these issues. (As was a Mac OSX system.)

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at

    http://bugs.php.net/bug.php?id=39863
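
The check named in the commit log above ("do not accept paths with NULL in them"), applied at the application level for PHP builds that predate the fix. This is an added example, not code from the PHP source tree or from anyone in this report; reject_nul_path(), checked_file_exists() and checked_include_once() are hypothetical helper names, and the sample paths are constructed.

```php
<?php
// Added example, not code from the PHP source tree or from this report.
// reject_nul_path(), checked_file_exists() and checked_include_once() are
// hypothetical helper names.

// True when the path is unusable: not a string, empty, or containing a NUL
// byte, which affected versions treat as the end of the string.
function reject_nul_path($path)
{
    return !is_string($path) || $path === '' || strpos($path, "\0") !== false;
}

// file_exists() that answers for the whole string, not just the part
// before "\0".
function checked_file_exists($path)
{
    return reject_nul_path($path) ? false : file_exists($path);
}

// include_once wrapper: refuse the path outright instead of letting the
// truncated name be loaded.
function checked_include_once($path)
{
    if (reject_nul_path($path)) {
        trigger_error('Refusing path with embedded NUL byte', E_USER_WARNING);
        return false;
    }
    return include_once $path;
}

// Constructed sample inputs; the second is the path from the test case in
// the report, the third appends a NUL and suffix to a file that does exist.
$samples = array(
    __FILE__,
    "/etc/passwd" . chr(0) . ".ridiculous",
    __FILE__ . chr(0) . ".txt",
);

foreach ($samples as $p) {
    // Print the NUL as \0 so the output line is not cut short by a viewer.
    $shown = str_replace("\0", '\0', $p);
    printf("%-6s %s\n", checked_file_exists($p) ? 'exists' : 'no', $shown);
}
```

Only the first sample reports `exists`; both NUL-bearing paths are refused before any filesystem call is made.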