php-src/ext/standard/tests
Niels Dossche 39c1a90f4a
Fix GHSA-9fcc-425m-g385: bypass CVE-2024-1874
The old code checked for suffixes but didn't take into account trailing
whitespace. Furthermore, there is peculiar behaviour with trailing dots
too. This all happens because of the special path-handling code inside
CreateProcessW.

By studying Wine's code, we can see that CreateProcessInternalW calls
get_file_name [1] in our case because we haven't provided an application
name. That code gets the first whitespace-delimited string into app_name
excluding the quotes. It's then passed to create_process_params [2]
where there is the path handling code that transforms the command line
argument to an image path [3]. Inside Wine, the extension check is
performed after these transformations [4]. By doing the same thing in
PHP we match the behaviour and can properly match the extension even in
the given edge cases.

[1] 166895ae3a/dlls/kernelbase/process.c (L542-L543)
[2] 166895ae3a/dlls/kernelbase/process.c (L565)
[3] 166895ae3a/dlls/kernelbase/process.c (L150-L151)
[4] 166895ae3a/dlls/kernelbase/process.c (L647-L654)
2024-06-04 08:55:36 -04:00
array Added test 2024-05-20 15:13:53 +01:00
assert
class_object
crypt crypt: Fix validation of malformed BCrypt hashes 2023-02-12 20:46:44 -07:00
dir
directory
file Fix clean section in test 2024-04-15 14:14:47 +02:00
filters Fix GH-13264: Part 1 - Memory leak on filter failure 2024-03-29 16:06:49 +00:00
general_functions Fix GHSA-9fcc-425m-g385: bypass CVE-2024-1874 2024-06-04 08:55:36 -04:00
hrtime Implement flaky test section 2023-07-06 09:45:35 +02:00
http Fix GH-11274: POST/PATCH request via file_get_contents + stream_context_create switches to GET after a HTTP 308 redirect 2023-05-19 23:37:20 +02:00
image Fix failing test for bug #75708 2023-10-22 15:31:00 +01:00
ini_info
mail Added validation of \n in $additional_headers of mail() 2024-03-04 21:30:07 +09:00
math Use -1 "precision" in gen_stub.php 2022-07-23 12:09:37 +02:00
misc
network Merge branch 'PHP-8.1' into PHP-8.2 2023-09-24 15:19:02 +01:00
password Merge branch 'PHP-8.1' into PHP-8.2 2024-04-09 23:49:31 -05:00
serialize Merge branch 'PHP-8.1' into PHP-8.2 2023-06-28 21:16:51 +02:00
streams Fix GH-13071: Copying large files using mmap-able source streams may exhaust available memory and fail 2024-01-16 23:44:58 +01:00
strings Fix tests for glibc 2.39 (#14097) 2024-05-01 20:43:00 +02:00
time
url Revert "Fix parse_url(): can not recognize port without scheme" 2022-09-23 19:44:29 +02:00
versioning
bug49244.phpt
bug64370_var1.phpt
bug64370_var2.phpt
bug71827.phpt
bug75220.phpt
bug79821.phpt
bug80915.phpt
bug81048.phpt
bug81727.phpt Fix #81727: Don't mangle HTTP variable names that clash with ones that have a specific semantic meaning. 2022-09-09 17:10:04 +01:00
forward_static_call_array.phpt
gh10885.phpt Fix GH-10885: Leaking stream_socket_server context 2023-03-20 17:42:16 +01:00
ghsa-wpj3-hf5j-x4v4.phpt Fix GHSA-wpj3-hf5j-x4v4: __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix 2024-04-09 23:37:06 -05:00
oss_fuzz_57392.phpt Fix buffer-overflow in php_fgetcsv() with \0 delimiter and enclosure 2023-03-25 17:42:39 +01:00
php_version_win_const.phpt
setrawcookie_basic_001.phpt
setrawcookie_basic_002.phpt
skipif_root.inc