Bug 820101

Summary: CVE-2006-7243 in PHP 5.1.6
Product: Red Hat Enterprise Linux 5
Reporter: Svyatoslav Lempert <svyatoslav.lempert>
Component: php
Assignee: Joe Orton <jorton>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: high
Priority: unspecified
Version: 5.1.z
CC: jlieskov
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-05-09 09:27:50 UTC
Type: Bug

Description Svyatoslav Lempert 2012-05-09 07:29:07 UTC
Description of problem:

file_exists() silently truncates anything after a null byte in a string.  This produces unexpected results in some circumstances and possibly would result in security problems for limited amounts of poorly written code.

include_once() for instance, provides the following:
"ALERT - Include filename truncated by a \0 after '/etc/passwd' (attacker 'REMOTE_ADDR not set', file '/home/djc/test.php', line 13)"

This seems like a sane way to handle it if truncating has to be done... though frankly since truncation will *always* produce the wrong result it might be nice to throw an error and stop processing.

Check https://bugs.php.net/bug.php?id=39863

Run the script:

https://bugs.php.net/patch-display.php?bug_id=39863&patch=bug39863.phpt&revision=latest

It MUST show PASS, but the script returns FAIL.
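A defensive wrapper and a runtime self-check for the truncation described above, as an added example that is not part of the original report or of PHP's own code. The function names and the temporary probe file are assumptions made for illustration.

```php
<?php
// Added example: reject NUL bytes before a path reaches a filesystem call,
// and probe whether the installed runtime still truncates at NUL.
// All function names below are hypothetical.

/** True if $path contains a NUL byte and must not reach filesystem calls. */
function path_has_nul($path)
{
    return strpos($path, "\0") !== false;
}

/** file_exists() wrapper that treats any path with a NUL byte as absent. */
function safe_file_exists($path)
{
    if (!is_string($path) || path_has_nul($path)) {
        return false;
    }
    return file_exists($path);
}

/**
 * Returns true if this runtime's file_exists() silently truncates at NUL.
 * The probe is a constructed temp file followed by "\0" and a suffix that
 * does not exist on disk, so a true result can only come from truncation.
 */
function runtime_truncates_at_nul()
{
    $real  = tempnam(sys_get_temp_dir(), 'nul');
    $probe = $real . "\0.does-not-exist";
    try {
        // Runtimes that reject the path may warn or throw instead.
        $seen = @file_exists($probe);
    } catch (ValueError $e) {
        $seen = false;
    }
    unlink($real);
    return $seen === true;
}

$probe = __FILE__ . "\0.txt"; // constructed input
var_dump(path_has_nul($probe));
var_dump(safe_file_exists($probe));
var_dump(safe_file_exists(__FILE__));
echo runtime_truncates_at_nul()
    ? "file_exists() truncates at NUL on this runtime\n"
    : "file_exists() does not truncate at NUL on this runtime\n";
```

The wrapper gives the same answer whether or not the underlying runtime has been patched, so it can stay in place after the package is updated.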

Comment 1 Jan Lieskovsky 2012-05-09 09:27:50 UTC

*** This bug has been marked as a duplicate of bug 662707 ***

Comment 2 Jan Lieskovsky 2012-05-09 09:29:22 UTC
See also statement at:
https://access.redhat.com/security/cve/CVE-2006-7243