killertux / solder

Library to help you build php extensions using Rust

php_echo is vulnerable to format string attacks! #5

Open wizzwizz4 opened 4 years ago

wizzwizz4 commented 4 years ago

solder::zend::php_echo is implemented as:

php_printf(c_message.as_bytes_with_nul().as_ptr() as *const i8);

but it should be something like:

php_printf(c_str!("%s"), c_message.as_bytes_with_nul().as_ptr() as *const i8);

(Please check that this works before using it; it's untested unsafe code interacting with C variadic arguments!)

wizzwizz4 commented 4 years ago

I tested this code in my fork (SnAgCu, not the one on GitHub). I can't promise it is safe, but it prints the output and isn't vulnerable against format string attacks, so I'm tentatively calling it a success.
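The difference between the two calls quoted in this issue, as an added example that is not code from solder or from the issue's author. libc's `snprintf` stands in for `php_printf` (an assumption, so the block runs without PHP), and the function names and sample message are constructed. The sample input contains only `%%`, which consumes no arguments, so the message-as-format call stays well defined.

```rust
use std::ffi::{CStr, CString, NulError};
use std::os::raw::{c_char, c_int};

// Assumption: libc's snprintf stands in for php_printf. Both are C variadic
// functions that interpret their first string argument as a format.
extern "C" {
    fn snprintf(buf: *mut c_char, size: usize, fmt: *const c_char, ...) -> c_int;
}

/// Copies the NUL-terminated bytes the C formatter wrote into a String.
fn collect(buf: &[c_char]) -> String {
    // SAFETY: snprintf NUL-terminates its output whenever size > 0.
    let s = unsafe { CStr::from_ptr(buf.as_ptr()) };
    s.to_string_lossy().into_owned()
}

/// The pattern reported in the issue: the message itself is the format.
/// Call this only with constructed input whose directives take no arguments;
/// a directive such as %s or %n makes C use varargs that were never passed.
fn echo_message_as_format(message: &str) -> Result<String, NulError> {
    let c_message = CString::new(message)?; // rejects interior NUL bytes
    let mut buf = [0 as c_char; 256];
    unsafe { snprintf(buf.as_mut_ptr(), buf.len(), c_message.as_ptr()) };
    Ok(collect(&buf))
}

/// The proposed shape: a constant "%s" format, with the message as data.
fn echo_fixed_format(message: &str) -> Result<String, NulError> {
    let c_message = CString::new(message)?;
    let fmt = b"%s\0".as_ptr() as *const c_char;
    let mut buf = [0 as c_char; 256];
    unsafe { snprintf(buf.as_mut_ptr(), buf.len(), fmt, c_message.as_ptr()) };
    Ok(collect(&buf))
}

fn main() {
    let message = "discount: 100%% off"; // constructed sample input
    // The first call collapses "%%" to "%": the message was parsed as a format.
    println!("{:?}", echo_message_as_format(message));
    // The second call returns the message byte for byte.
    println!("{:?}", echo_fixed_format(message));
}
```
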