Newsgroups: php.internals
Subject: Re: [PHP-DEV] Comment on Bug #30153: FATAL erealloc() error when using gzinflate()
From: rasmus@lerdorf.com (Rasmus Lerdorf)
Date: Tue, 27 Sep 2005 09:49:25 -0700
To: Tim Nufire
CC: internals@lists.php.net, Magpierss-general@lists.sourceforge.net
Message-ID: <43397815.2030000@lerdorf.com>
In-Reply-To: <433973F4.2020103@ibink.com>

Tim Nufire wrote:
> Reposting from php-general@lists.php.net to the internals@lists.php.net
> list because I'm told that's the right place for a discussion like this....
>
> In tracking down a bug that I am seeing on a site I work on, I came
> across bug #30153 (http://bugs.php.net/bug.php?id=30153). I must say I
> am shocked that this bug was closed as 'bogus'.... Not only is this a
> bug, it is a security issue! How can gzinflate not be responsible for
> validating the content passed to it? Not doing so exposes PHP servers
> that use this function to serious denial of service attacks....
>
> Let me illustrate this issue using Magpierss
> (http://magpierss.sourceforge.net) which uses gzinflate to support
> gzipped RSS feeds. Because Magpierss gets the compressed content from a
> foreign server, it does not control its validity. The only way to see if
> it is valid is to try to decompress it... Since this will crash the
> script when the content is not valid, using gzinflate in this way will
> expose any RSS aggregator that uses Magpierss to denial of service
> attacks. Since no other means are provided to validate the gzip content,
> I am at a loss to suggest a workaround to the Magpierss authors...
>
> This is just one example. Any server which decompresses content that it
> gets from a foreign source will have this same issue. IMO, crashing a
> script is never the right way to indicate that an error has occurred.
> Without a fix, gzinflate should only be used when the content comes from
> a trusted source.
>
> If I am missing something here or if there is a workaround to this
> problem, please let me know.

I agree it is a problem, but the fix isn't easy since the zlib library
doesn't provide any help here. We'd welcome an intelligent patch for
this.

-Rasmus
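The defensive pattern the thread is asking for, as an added example that is not code from the thread, from PHP, or from Magpierss: an aggregator that must inflate a gzip body fetched from a foreign server checks the gzip magic and header layout itself, refuses bodies whose declared size is over budget, caps the output of gzinflate() with its length argument, and verifies the trailer CRC, so that malformed or oversized input is reported as an ordinary false return rather than trusted blindly. The function name `inflate_untrusted_gzip`, the 4 MiB budget and the sample feed body are constructed for this example; it assumes a current PHP build with the zlib extension, and the length cap is this example's assumption about how to bound memory, not a statement about how the 2005 crash behaved.

```php
<?php
// Added example (not part of the thread): bounded, validated inflation of a
// gzip body received from an untrusted server, as an RSS aggregator would do.
// Assumes the zlib extension. gzinflate()'s second argument caps the
// decompressed size; on overrun it returns false instead of growing unbounded.

const MAX_FEED_BYTES = 4 * 1024 * 1024; // constructed budget: 4 MiB

function inflate_untrusted_gzip(string $body, int $maxBytes = MAX_FEED_BYTES)
{
    // Minimum gzip member: 10-byte header + 8-byte trailer; magic 1f 8b, method 08.
    if (strlen($body) < 18 || substr($body, 0, 3) !== "\x1f\x8b\x08") {
        return false;
    }
    $flags  = ord($body[3]);
    $offset = 10;
    if ($flags & 0x04) {                      // FEXTRA: 2-byte length + payload
        if (strlen($body) < $offset + 2) return false;
        $xlen    = unpack('v', substr($body, $offset, 2))[1];
        $offset += 2 + $xlen;
    }
    if ($flags & 0x08) {                      // FNAME: zero-terminated string
        $end = strpos($body, "\0", $offset);
        if ($end === false) return false;
        $offset = $end + 1;
    }
    if ($flags & 0x10) {                      // FCOMMENT: zero-terminated string
        $end = strpos($body, "\0", $offset);
        if ($end === false) return false;
        $offset = $end + 1;
    }
    if ($flags & 0x02) {                      // FHCRC: 16-bit header CRC
        $offset += 2;
    }
    // Trailer: CRC32 and ISIZE (uncompressed length mod 2^32), little-endian.
    if (strlen($body) < $offset + 8) return false;
    $trailer = unpack('Vcrc/Vsize', substr($body, -8));
    if ($trailer['size'] > $maxBytes) {
        return false;                         // declared size already over budget
    }
    $deflate = substr($body, $offset, -8);
    // Cap the output; a stream that tries to exceed $maxBytes yields false.
    $out = @gzinflate($deflate, $maxBytes);
    if ($out === false) return false;
    if ((crc32($out) & 0xFFFFFFFF) !== ($trailer['crc'] & 0xFFFFFFFF)) {
        return false;                         // corrupted or truncated payload
    }
    return $out;
}

// Constructed sample input: a valid gzip body, then the same body with one
// byte flipped, then random bytes. Only the first inflates.
$good      = gzencode('<rss><channel><title>example feed</title></channel></rss>');
$corrupted = $good;
$corrupted[strlen($corrupted) - 12] = chr(ord($corrupted[strlen($corrupted) - 12]) ^ 0x55);
$garbage   = random_bytes(64);

var_dump(inflate_untrusted_gzip($good) !== false);      // true
var_dump(inflate_untrusted_gzip($corrupted) !== false); // false
var_dump(inflate_untrusted_gzip($garbage) !== false);   // false
```

On a current PHP the built-in gzdecode() performs the same header parsing and also accepts a length cap, so the hand-rolled header walk above is mainly there to show what "validating the content" means for a gzip member; the two properties a defender cares about are the same either way: an output ceiling chosen by the caller, and a false return rather than an unhandled failure when the foreign server sends something that is not a well-formed stream.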