Bug #15772: PHP is developed and maintained by morons

2002-02-27 Thread jon+php

From: [EMAIL PROTECTED]
Operating system: all
PHP version:  4.0.6
PHP Bug Type: *General Issues
Bug description:  PHP is developed and maintained by morons

Dear morons,

Please observe the following two lines from the 'fix' you have posted for
your file-upload incompetence:

  loc = (char *) memchr(ptr, '\n', rem)+1;
  if (!loc) {

There's a bug in this code. Can you see what it is? Hint: the 'if'
expression will never evaluate true. Well, that's assuming the first line
doesn't crash since it invokes undefined behaviour.

Hint #2: the whole routine (not just those 2 lines) is still completely
and utterly broken as of revision 1.71.2.2. It is riddled with code that
reads beyond the end of the buffer.

Hint #3: yet again, you need to follow-up to your Bugtraq posting with a
message saying 'Not only were we too stupid to write the code right in the
first place, we were too stupid to fix it right too. Please ignore our
previous patch. Please use this new one, which will probably be wrong
also.'

HTH, HAND.

-- 
Edit bug report at http://bugs.php.net/?id=15772&edit=1
-- 
Fixed in CVS:http://bugs.php.net/fix.php?id=15772&r=fixedcvs
Fixed in release:http://bugs.php.net/fix.php?id=15772&r=alreadyfixed
Need backtrace:  http://bugs.php.net/fix.php?id=15772&r=needtrace
Try newer version:   http://bugs.php.net/fix.php?id=15772&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=15772&r=support
Expected behavior:   http://bugs.php.net/fix.php?id=15772&r=notwrong
Not enough info: http://bugs.php.net/fix.php?id=15772&r=notenoughinfo
Submitted twice: http://bugs.php.net/fix.php?id=15772&r=submittedtwice
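The memchr()+1 defect described in the report above, as an added example in C that is not PHP's code: a corrected line-scanning helper, and a bounded loop over a buffer that is not assumed to be '\0'-terminated (the function names are assumptions).

```c
#include <stddef.h>
#include <string.h>

/* The reported shape (quoted from the bug, NOT compiled here):
 *
 *   loc = (char *) memchr(ptr, '\n', rem)+1;
 *   if (!loc) {
 *
 * memchr() returns NULL when no '\n' is in the next rem bytes; adding 1 to
 * NULL is undefined behaviour and the result is never NULL, so the "not
 * found" branch is dead. Test the memchr() result before stepping past it. */
static const char *next_line(const char *ptr, size_t rem, size_t *line_len)
{
    const char *nl = memchr(ptr, '\n', rem);
    if (nl == NULL) {
        return NULL;                    /* no newline in the remaining bytes */
    }
    *line_len = (size_t)(nl - ptr);     /* bytes before the '\n' */
    return nl + 1;                      /* first byte after the '\n' */
}

/* Offset of the byte after the first '\n', or -1 if there is none. */
static long next_line_offset(const char *ptr, size_t rem)
{
    size_t len;
    const char *next = next_line(ptr, rem, &len);
    return next ? (long)(next - ptr) : -1;
}

/* Counts complete lines in a buffer of cnt bytes that is NOT assumed to be
 * '\0'-terminated: only memchr() with an explicit length is used, never
 * str*(), and rem is recomputed as an unsigned size_t from the loop
 * invariant ptr - buf < cnt, so it cannot go negative. */
static size_t count_lines(const char *buf, size_t cnt)
{
    const char *ptr = buf;
    size_t lines = 0;

    while ((size_t)(ptr - buf) < cnt) {
        size_t rem = cnt - (size_t)(ptr - buf);
        size_t len;
        const char *next = next_line(ptr, rem, &len);
        if (next == NULL) {
            break;                      /* trailing partial line: stop here */
        }
        lines++;
        ptr = next;
    }
    return lines;
}
```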




Bug #15772 Updated: PHP is developed and maintained by morons

2002-02-27 Thread jon+php

 ID:   15772
 Updated by:   [EMAIL PROTECTED]
 Reported By:  [EMAIL PROTECTED]
-Status:   Closed
+Status:   Open
 Bug Type: *General Issues
 Operating System: all
 PHP Version:  4.0.6
 New Comment:

In what way is it "fixed"? Every PHP user in the entire world is going
to have to download the patches from www.php.net to fix the security
hole, and those patches contain this bug. I know that it is fixed in
CVS in that the entire file has been replaced, but as I understand it
there is no fixed release version.

As to the other bugs, just look at the main while() loop in
php_mime_split(). Pretty much every call to str* functions (including
the very first one) is reading beyond the end of the buffer. If this
happens, 'rem' may become negative and even more excitement ensues.


Previous Comments:


[2002-02-27 22:55:48] [EMAIL PROTECTED]

True, that bit of code made no sense and has been fixed.  The entire
thing has been reworked for the 4.2 tree, but if you could expand on
the myriad of buffer overflows aside from the memchr()+1 mixup, and
submit a useful bug report it would be appreciated.







Bug #15772 Updated: PHP is developed and maintained by morons

2002-02-27 Thread jon+php

 ID:   15772
 Updated by:   [EMAIL PROTECTED]
 Reported By:  [EMAIL PROTECTED]
 Status:   Closed
 Bug Type: *General Issues
 Operating System: all
 PHP Version:  4.0.6
 New Comment:

Fine by me, but the problems are not fixed in CVS. You asked me for
more specifics, I gave them to you.


Previous Comments:


[2002-02-27 23:34:49] [EMAIL PROTECTED]

The specific memchr()+1 issue is fixed in CVS which was the only useful
part of this bug report.  We close bugs when they are fixed in CVS, not
when we ship releases.  







Bug #15772 Updated: PHP is developed and maintained by morons

2002-02-28 Thread jon+php

 ID:   15772
 Updated by:   [EMAIL PROTECTED]
 Reported By:  [EMAIL PROTECTED]
 Status:   Closed
 Bug Type: *General Issues
 Operating System: all
 PHP Version:  4.0.6
 New Comment:

I'll admit that I did not examine the rest of the program to see if the
buffer was '\0'-terminated, however if it is, it's not just me that
thought it wasn't - whoever wrote the routine thought it wasn't either.
Otherwise there wouldn't even be any point in passing the buffer length
to the function, or the main loop's "while (ptr - buf < cnt)" or indeed
half the function.

As to providing patches, I know from experience that what you tend to
do with them is ignore them, insult them, re-write them badly and apply
them six months later, and then fail to credit. Plus I see no point in
providing band-aids in a futile attempt to cover the gaping wounds in
PHP. I *can* give you the fix I recommend to people for PHP, however,
which is 'rm -rf php-*' ;-)


Previous Comments:


[2002-02-28 03:21:22] [EMAIL PROTECTED]

We can search and fix what's wrong if there is a bug description, but
it would be nice if you could post patches to php-dev directly.  We know PHP
has many bugs and appreciate patches that fix bugs.

You have skills, right :)




[2002-02-28 03:02:27] [EMAIL PROTECTED]

Your claims are simply wrong.

Not a single str* function is able to read beyond the
buffer, because the buffer is '\0' terminated and
strcmp/strcasecmp whatever will stop there.







The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/15772
