Jens Geyer created THRIFT-6029:
----------------------------------
Summary: Harden PHP protocol negative sizes
Key: THRIFT-6029
URL: https://issues.apache.org/jira/browse/THRIFT-6029
Project: Thrift
Issue Type: Bug
Components: PHP - Library
Reporter: Jens Geyer
The PHP library does not validate negative sizes when reading Thrift payloads.
Size values appear in binary/string fields and in map/list/set headers. Those
values must be non-negative. In the current PHP implementation:
- {{readListBegin}}, {{readMapBegin}}, {{readSetBegin}} pass the raw signed
integer to callers without checking.
- {{readString}}: PHP treats negative integers as truthy, so the guard {{if
($len)}} does NOT protect against negative sizes —
{{$this->trans->readAll($len)}} is called with a negative value.
This is a protocol hardening gap compared with other runtimes such as C++,
Java, Python, Go, and Node.js.
The fix should add explicit {{< 0}} checks with a TProtocolException in:
- {{TBinaryProtocol::readListBegin}}
- {{TBinaryProtocol::readMapBegin}}
- {{TBinaryProtocol::readSetBegin}}
- {{TBinaryProtocol::readString}}
See THRIFT-6025 for the equivalent Ruby fix.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
