SAPI may truncate POST data
| Bug #69487 | SAPI may truncate POST data | ||||
|---|---|---|---|---|---|
| Submitted: | 2015-04-20 10:21 UTC | Modified: | 2015-08-10 23:53 UTC | ||
| From: | erik at datahack dot se | Assigned: | cmb (profile) | ||
| Status: | Closed | Package: | *Web Server problem | ||
| PHP Version: | PHP 5.6.12RC1 | OS: | * | ||
| Private report: | No | CVE-ID: | None | ||
[2015-04-20 10:21 UTC] erik at datahack dot se
Description:
------------
If the SAPI fails to write the POST data to disk (eg. due to file system full or tmp folder is non-writable for other reasons), The PHP interpreter will get an incomplete/truncated POST request. This is very bad for data consistency if data is lost upon POST.
One workaround in the PHP script would be to check the content-length against the length of php://input.
if (count($_POST) &&
(int)$_SERVER['CONTENT_LENGTH'] != strlen(file_get_contents("php://input")))
...
display_startup_errors triggers only a warning if the file can't be created (but the data is still corrupted). There are two cases that can happen and shouldn't result in corrupt data.
1. Temp file cannot be created
2. Data cannot be written to temp file
https://github.com/php/php-src/blob/master/main/SAPI.c#L288
Test script:
---------------
If sys_temp_dir can't be written to this will cause corrupt data.
<?php
if (count($_POST)) {
echo strlen(file_get_contents("php://input"))."<br>";
echo file_get_contents("php://input")."<br>";
}
?>
<form method="post">
<input type="hidden" name="data" value="<?php echo str_repeat("x", 16384).str_repeat("y", 16384).str_repeat("z", 16384); ?>">
<input type="submit">
</form>
Expected result:
----------------
No POST data or an internal error would be better than just continue with corrupt data...
Actual result:
--------------
PHP continues to process the request with corrupt data.
Patches
Pull Requests
History
AllCommentsChangesGit/SVN commits
[2015-08-04 21:24 UTC] cmb@php.net
-Summary: SAPI may cause truncated POST data +Summary: SAPI may truncate POST data -Status: Open +Status: Analyzed -Operating System: +Operating System: * -PHP Version: Irrelevant +PHP Version: PHP 5.6.12RC1 -Assigned To: +Assigned To: cmb
[2015-08-04 21:24 UTC] cmb@php.net
[2015-08-07 14:49 UTC] mike@php.net
[2015-08-09 23:46 UTC] cmb@php.net
-Assigned To: cmb +Assigned To:
[2015-08-09 23:46 UTC] cmb@php.net
[2015-08-10 23:44 UTC] cmb@php.net
-Status: Analyzed +Status: Closed
[2015-08-10 23:53 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
[2015-08-10 23:53 UTC] cmb@php.net