POST with invalid content-length and ErrorDocument set crashes php

Bug #39201	POST with invalid content-length and ErrorDocument set crashes php
Submitted:	2006-10-19 20:10 UTC	Modified:	2006-12-13 00:41 UTC
From:	thomas at partyflock dot nl	Assigned:	iliaa (profile)
Status:	Closed	Package:	Apache2 related
PHP Version:	5.2.0	OS:	Linux (2.6.18.1)
Private report:	No	CVE-ID:	None

[2006-10-19 20:10 UTC] thomas at partyflock dot nl

Description:
------------
Insert ErrorDocument directive for error code 413 in httpd.conf:

ErrorDocument 413 /anywhere

Now post something to your webserver, with following invalid Content-Length: 1\r\r\n (extra carriage return)

sapi_globals.request_info.post_data is allocated, in SAPI.c:sapi_read_standard_form_data on line 203. After the call to sapi_module.read_post on line 206, the POST request is transformed to a GET request for above error document and the sapi_globals.request_info.post_data is 0 at that point, resulting in a segmentation fault at SAPI.c line 223.

Reproduce code:
---------------
#!/usr/bin/perl -w

use strict;
use IO::Socket;

if ($#ARGV < 0) {
        print STDERR "need hostname argument\n";
        exit 1;
}

my $sock = IO::Socket::INET->new(
        'PeerAddr'      => $ARGV[0],
        'PeerPort'      => 80
);

if (!$sock) {
        print STDERR "failed to connect to port 80 of $ARGV[0]\n";
        exit 1;
}

print $sock "POST / HTTP/1.0\r\n";
print $sock "Content-Length: 1\r\r\n\r\n";
print $sock "a";

undef $sock;


Expected result:
----------------
Well, I'd expect it to not crash :)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-10-19 21:46 UTC] thomas at partyflock dot nl

Happens in 5.2dev too.

[2006-10-19 22:48 UTC] tony2001@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.

Can't reproduce.
This is the only result I see:
[Fri Oct 20 02:46:09 2006] [error] [client 127.0.0.1] Invalid Content-Length

[2006-10-20 01:04 UTC] thomas at partyflock dot nl

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1211164992 (LWP 15723)]
0xb7b4e7e0 in sapi_read_standard_form_data () at /root/build/webserver/200610181
225             SG(request_info).post_data[SG(read_post_bytes)] = 0;  /* termina
(gdb) bt
#0  0xb7b4e7e0 in sapi_read_standard_form_data () at /root/build/webserver/20061
#1  0xb7b53425 in php_default_post_reader () at /root/build/webserver/2006101814
#2  0xb7b4ee57 in sapi_activate () at /root/build/webserver/200610181402/php/php
#3  0xb7b471ac in php_request_startup () at /root/build/webserver/200610181402/p
#4  0xb7c0ed45 in php_apache_request_ctor (r=0x81d10e0, ctx=0x81d23e8)
    at /root/build/webserver/200610181402/php/php-5.2/sapi/apache2handler/sapi_a
#5  0xb7c0f26f in php_handler (r=0x81d10e0) at /root/build/webserver/20061018140
#6  0x0807a514 in ap_invoke_handler ()
#7  0x0806bb02 in ap_process_request ()
#8  0x08065a92 in ap_process_http_connection ()
#9  0x0808389b in ap_process_connection ()
#10 0x08077a06 in child_main ()
#11 0x08077cd6 in make_child ()
#12 0x08078034 in ap_mpm_run ()
#13 0x0807e970 in main ()
(gdb) p sapi_globals.request_info
$2 = {request_method = 0x81d2910 "GET", query_string = 0x81d69b8 "SECTION=anything;sELEMENT=anything;EXTENSION=", post_data = 0x0, raw_post_data = 0x0,
  cookie_data = 0x0, content_length = 1, post_data_length = 0, raw_post_data_length = 0, path_translated = 0x81d69f8 "/home/party/public_html/index.php",
  request_uri = 0x81d69e8 "/anything", content_type = 0x0, headers_only = 0 '\0', no_headers = 0 '\0', headers_read = 0 '\0', post_entry = 0x0,
  content_type_dup = 0x0, auth_user = 0x0, auth_password = 0x0, auth_digest = 0x0, argv0 = 0x0, current_user = 0x0, current_user_length = 0, argc = 0,
  argv = 0x0, proto_num = 1000}

But I've narrowed it down a bit. It requires the following lines in httpd.conf:

RewriteEngine on
RewriteRule ^/anywhere$ /somewherelse.php
ErrorDocument 413 /anywhere

/somewherelse.php must exists. There's no problem if a non-php file is used.

[2006-10-21 23:22 UTC] judas dot iscariote at gmail dot com

Unable to reproduce it here ...

[2006-11-03 13:39 UTC] thomas at partyflock dot nl

Found out another thing.
If I point ErrorDocument 413 to a static page, there is no segmentation fault, but then the static page is displayed AND the PHP script as requested by the POST command.

So

ErrorDocument 413 /something.html

And doing following POST with Content-Length with invalid extra carriage return:

POST /somescript.php HTTP/1.0
Content-Length: 1\r

Doesn't crash, but does exhibit strange behavouir by displaying the error document appended with the somescript.php!

[2006-11-03 13:40 UTC] thomas at partyflock dot nl

Upped version to 5.2.0, happens there too.

[2006-12-13 00:41 UTC] iliaa@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.