[
https://issues.apache.org/jira/browse/THRIFT-6029?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Volodymyr Panivko reassigned THRIFT-6029:
-----------------------------------------
Assignee: Volodymyr Panivko
> Harden PHP protocol negative sizes
> ----------------------------------
>
> Key: THRIFT-6029
> URL: https://issues.apache.org/jira/browse/THRIFT-6029
> Project: Thrift
> Issue Type: Bug
> Components: PHP - Library
> Reporter: Jens Geyer
> Assignee: Volodymyr Panivko
> Priority: Major
>
> The PHP library does not validate negative sizes when reading Thrift payloads.
> Size values appear in binary/string fields and in map/list/set headers. Those
> values must be non-negative. In the current PHP implementation:
> - {{readListBegin}}, {{readMapBegin}}, {{readSetBegin}} pass the raw signed
> integer to callers without checking.
> - {{readString}}: PHP treats negative integers as truthy, so the guard {{if
> ($len)}} does NOT protect against negative sizes —
> {{$this->trans->readAll($len)}} is called with a negative value.
> This is a protocol hardening gap compared with other runtimes such as C++,
> Java, Python, Go, and Node.js.
> The fix should add explicit {{< 0}} checks with a TProtocolException in:
> - {{TBinaryProtocol::readListBegin}}
> - {{TBinaryProtocol::readMapBegin}}
> - {{TBinaryProtocol::readSetBegin}}
> - {{TBinaryProtocol::readString}}
> See THRIFT-6025 for the equivalent Ruby fix.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
