Home Original page

SAPI may truncate POST data

Bug #69487 SAPI may truncate POST data
Submitted: 2015-04-20 10:21 UTC Modified: 2015-08-10 23:53 UTC
From: erik at datahack dot se Assigned: cmb (profile)
Status: Closed Package: *Web Server problem
PHP Version: PHP 5.6.12RC1 OS: *
Private report: No CVE-ID: None

 [2015-04-20 10:21 UTC] erik at datahack dot se

Description:
------------
If the SAPI fails to write the POST data to disk (eg. due to file system full or tmp folder is non-writable for other reasons), The PHP interpreter will get an incomplete/truncated POST request. This is very bad for data consistency if data is lost upon POST.

One workaround in the PHP script would be to check the content-length against the length of php://input.

if (count($_POST) &&
    (int)$_SERVER['CONTENT_LENGTH'] != strlen(file_get_contents("php://input"))) 
 ...

display_startup_errors triggers only a warning if the file can't be created (but the data is still corrupted). There are two cases that can happen and shouldn't result in corrupt data.

1. Temp file cannot be created
2. Data cannot be written to temp file

https://github.com/php/php-src/blob/master/main/SAPI.c#L288

Test script:
---------------
If sys_temp_dir can't be written to this will cause corrupt data.

<?php
if (count($_POST)) {
	echo strlen(file_get_contents("php://input"))."<br>";
	echo file_get_contents("php://input")."<br>";
}
?>
<form method="post">
<input type="hidden" name="data" value="<?php echo str_repeat("x", 16384).str_repeat("y", 16384).str_repeat("z", 16384); ?>">
<input type="submit">
</form>

Expected result:
----------------
No POST data or an internal error would be better than just continue with corrupt data...

Actual result:
--------------
PHP continues to process the request with corrupt data.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

 [2015-08-04 21:24 UTC] cmb@php.net

-Summary: SAPI may cause truncated POST data +Summary: SAPI may truncate POST data -Status: Open +Status: Analyzed -Operating System: +Operating System: * -PHP Version: Irrelevant +PHP Version: PHP 5.6.12RC1 -Assigned To: +Assigned To: cmb

 [2015-08-04 21:24 UTC] cmb@php.net

Indeed, such data loss would be a bad thing. Of course, we should
check whether the read_bytes are actually written by
php_stream_write()[1]. What to do otherwise might be not so
obvious, but the simplest solution would be to bail out with
E_ERROR. As this error condition is supposed to be *very* rare,
the simple handling seems to be appropriate.

[1] <https://github.com/php/php-src/blob/php-7.0.0beta2/main/SAPI.c#L288>

 [2015-08-07 14:49 UTC] mike@php.net

-1 on E_ERROR

I'd rather suggest clearing the input stream an generating an E_WARNING to inform the system administrator.

 [2015-08-09 23:46 UTC] cmb@php.net

-Assigned To: cmb +Assigned To:

 [2015-08-09 23:46 UTC] cmb@php.net

Okay, Mike. :) I've submitted PR #1465.

 [2015-08-10 23:44 UTC] cmb@php.net

-Status: Analyzed +Status: Closed

 [2015-08-10 23:53 UTC] cmb@php.net

-Assigned To: +Assigned To: cmb

 [2015-08-10 23:53 UTC] cmb@php.net

The fix for this bug has been committed.

Thank you for the report, and for helping us make PHP better.