CVE-2019-11045: DirectoryIterator class silently truncates after a null byte

Sec Bug #78863

DirectoryIterator class silently truncates after a null byte

Submitted:

2019-11-23 10:01 UTC

Modified:

2019-12-16 19:01 UTC

From:

[email protected]

Assigned:

stas (profile)

Status:

Closed

Package:

SPL related

PHP Version:

7.3.12

OS:

*

Private report:

No

CVE-ID:

2019-11045

[2019-11-23 10:01 UTC] [email protected]

Description:

ext/spl/spl_directory.c: ``` void spl_filesystem_object_construct(INTERNAL_FUNCTION_PARAMETERS, zend_long ctor_flags) /* {{{ */ { … if (SPL_HAS_FLAG(ctor_flags, DIT_CTOR_FLAGS)) { flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_FILEINFO; parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s|l", &path, &len, &flags); } else { flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_SELF; parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s", &path, &len); } ```

PoC: ``` <?php

$dir = new DirectoryIterator(“…/…/ryat\x00/php”); foreach ($dir as $fileinfo) { if (!$fileinfo->isDot()) { var_dump($fileinfo->getFilename()); } }

?> ```

Fix: ``` if (SPL_HAS_FLAG(ctor_flags, DIT_CTOR_FLAGS)) { flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_FILEINFO; parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p|l", &path, &len, &flags); } else { flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_SELF; parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p", &path, &len); } ```

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-11-25 16:09 UTC] [email protected]

-Status: Open +Status: Verified -Assigned To: +Assigned To: stas

[2019-11-28 09:08 UTC] [email protected]

Will do. Not sure whether it needs a CVE?

[2019-11-29 04:31 UTC] [email protected]

-CVE-ID: +CVE-ID: 2019-11044

[2019-11-30 22:06 UTC] [email protected]

-CVE-ID: 2019-11044 +CVE-ID: 2019-11045

[2019-12-16 19:02 UTC] [email protected]

-Status: Verified +Status: Closed