mirror of
git://git.openembedded.org/meta-openembedded
synced 2026-05-21 13:19:47 +00:00
81aecee0ed
gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before 5.5.16 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to overwrite arbitrary files via crafted input to an application that calls the (1) imagegd, (2) imagegd2, (3) imagegif, (4) imagejpeg, (5) imagepng, (6) imagewbmp, or (7) imagewebp function. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5120 Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
36 lines
1.1 KiB
Diff
36 lines
1.1 KiB
Diff
modphp: Security Advisory - php - CVE-2014-5120
|
|
|
|
Upstream-Status: Backport
|
|
|
|
Signed-off-by Yue Tao <yue.tao@windriver.com>
|
|
|
|
From 706aefb78112a44d4932d4c9430c6a898696f51f Mon Sep 17 00:00:00 2001
|
|
From: Stanislav Malyshev <stas@php.net>
|
|
Date: Mon, 18 Aug 2014 22:49:10 -0700
|
|
Subject: [PATCH] Fix bug #67730 - Null byte injection possible with imagexxx
|
|
functions
|
|
|
|
---
|
|
ext/gd/gd_ctx.c | 5 +++++
|
|
2 files changed, 7 insertions(+)
|
|
|
|
diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c
|
|
index bff691f..eafbab5 100644
|
|
--- a/ext/gd/gd_ctx.c
|
|
+++ b/ext/gd/gd_ctx.c
|
|
@@ -124,6 +124,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
|
|
RETURN_FALSE;
|
|
}
|
|
} else if (Z_TYPE_P(to_zval) == IS_STRING) {
|
|
+ if (CHECK_ZVAL_NULL_PATH(to_zval)) {
|
|
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes");
|
|
+ RETURN_FALSE;
|
|
+ }
|
|
+
|
|
stream = php_stream_open_wrapper(Z_STRVAL_P(to_zval), "wb", REPORT_ERRORS|IGNORE_PATH|IGNORE_URL_WIN, NULL);
|
|
if (stream == NULL) {
|
|
RETURN_FALSE;
|
|
--
|
|
1.7.9.5
|
|
|