laruence / taint

Taint is a PHP extension, used for detecting XSS codes

Variable tracing changed the reference of original variable! #40

Open stuven1989 opened 7 years ago

stuven1989 commented 7 years ago

The following is the test code:

test.php 
<?php
      $a = "hello";
      $id = &$a;          // $id and $a now refer to the same variable
      $id = $_GET['id'];  // tainted request input assigned through the reference
      $c = $id;           // copy of the tainted value
      $id = "hello123";   // must also be visible through $a, since they are the same variable
      echo $a;
      echo $id;
?>

If you open "http://*****/test.php?id=ab" in your browser with the taint extension loaded, the page outputs "abhello123". But it should output "hello123hello123"; this changes PHP's internal execution.

I think the problem is caused by php_taint_assign_handler: when you separate the variable, the reference count of op2 is decremented. php_taint_assign_ref_handler handles it the same way.

Your code

/* the problem code */
else if (PZVAL_IS_REF(*op2) && Z_REFCOUNT_PP(op2) > 1) {
    SEPARATE_ZVAL(op2);   /* detaches op2 from the reference set it shares with the other alias */
    Z_STRVAL_PP(op2) = erealloc(Z_STRVAL_PP(op2), Z_STRLEN_PP(op2) + 1 + PHP_TAINT_MAGIC_LENGTH);
    PHP_TAINT_MARK(*op2, PHP_TAINT_MAGIC_POSSIBLE);
}

@laruence
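The following is an added regression script for the behaviour described in the report; it is not part of the taint project and not code from the reporter. It runs the same assignment sequence once with request input (tainted when the extension is loaded and the script is served over HTTP) and once with a plain literal as an untainted control, then checks that both aliases of the reference still agree. The extension name `taint` passed to `extension_loaded`, the CLI fallback value `ab` and the function names are assumptions made for this example; the script uses PHP 5 syntax so it can run against the PHP 5 series the quoted `PZVAL_IS_REF` / `Z_REFCOUNT_PP` code belongs to.

```php
<?php
// Added regression check for the reference issue above (example code, not the
// project's own). Run it served over HTTP with ?id=ab, once without and once
// with the extension loaded, and compare the two outputs; from the CLI $_GET
// is empty, so only the untainted control case is exercised there.

// Source of the value assigned through the reference. $_GET is what the taint
// extension marks as tainted; the fallback literal is a constructed sample.
function tainted_input() {
    return isset($_GET['id']) ? (string) $_GET['id'] : 'ab';
}

// Replays the sequence from the report with $source in place of $_GET['id'].
// Returns array(value seen through $a, value seen through $id).
function run_sequence($source) {
    $a  = "hello";
    $id = &$a;          // $a and $id are now one variable
    $id = $source;      // assignment through the reference
    $c  = $id;          // copy; per the report this is where op2 gets separated
    $id = "hello123";   // must be visible through $a if the reference survived
    return array($a, $id);
}

// Control case: a plain literal is never tainted, so (assuming the reporter's
// reading of the handler) the separation path should not be taken.
function run_control() {
    return run_sequence("ab");
}

// True when both aliases still see the final assignment, i.e. the reference
// semantics PHP defines; false when the reference was broken.
function reference_intact(array $result) {
    list($a, $id) = $result;
    return $a === $id && $id === "hello123";
}

// Summary line per case, so the two runs can be diffed side by side.
function report($label, array $result, $extLoaded) {
    list($a, $id) = $result;
    return sprintf("%-8s taint=%-3s a=%-10s id=%-10s %s",
        $label, $extLoaded ? 'on' : 'off', $a, $id,
        reference_intact($result) ? 'OK' : 'BROKEN (reference lost)');
}

$extLoaded = extension_loaded('taint'); // assumed extension name
$cases = array(
    'request' => run_sequence(tainted_input()),
    'control' => run_control(),
);
$failures = 0;
foreach ($cases as $label => $result) {
    echo report($label, $result, $extLoaded), "\n";
    if (!reference_intact($result)) {
        $failures++;
    }
}
exit($failures === 0 ? 0 : 1);
```

With the expected PHP semantics both lines end in OK and the script exits 0; the behaviour in the report corresponds to the `request` line showing `a=ab id=hello123` while the `control` line stays OK, which isolates the problem to tainted values going through the reference rather than to references in general. When the extension is loaded it may also emit its usual warning about echoing a tainted string on the `request` line; that is the extension's sink check, not part of this test.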