ID:               49650
Comment by:       michkol at gmail dot com
Reported By:      michkol at gmail dot com
Status:           Feedback
Bug Type:         Apache2 related
Operating System: Linux
PHP Version:      5.2.11
New Comment:

PHP 5.2.11, Apache 2.2.11.


Previous Comments:
------------------------------------------------------------------------

[2009-09-24 08:43:03] j...@php.net

Sometimes? What PHP version are you really using?

------------------------------------------------------------------------

[2009-09-24 08:30:35] michkol at gmail dot com

Description:
------------
PHP responds to some invalid POST requests with an error message that
includes the source code.

Reproduce code:
---------------
<?php
$dblogin = 'admin';
$dbpass = 'secret';
mysql_connect('localhost', $dblogin, $dbpass);
echo 'some output';
?>

$ telnet localhost 80
POST /test.php HTTP/1.0
Content-Length: -75000000

Expected result:
----------------
The code of a script should never be sent to clients. This is a severe
security flaw. Apache/PHP should just send a 413 error, without the
code, for example:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/test.php<br />
does not allow request data with POST requests, or the amount of data
provided in the request exceeds the capacity limit.
</body></html>

Actual result:
--------------
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>413 Request Entity Too Large</title>
</head><body>
<h1>Request Entity Too Large</h1>
The requested resource<br />/test.php<br />
does not allow request data with POST requests, or the amount of data
provided in the request exceeds the capacity limit.
</body></html>
<?php
$dblogin = 'admin';
$dbpass = 'secret';
mysql_connect('localhost', $dblogin, $dbpass);
echo 'some output';
?>

------------------------------------------------------------------------
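
Added example, not part of the original report and not PHP or Apache code: a front-end check that rejects a malformed Content-Length before the request reaches the handler, plus a regression check that flags a response body carrying raw PHP source. The function names, the 8 MiB limit and the choice to answer a malformed value with 400 are assumptions of this example; the sample bodies are shortened copies of the ones in the report.

```python
import re

# Content-Length is defined as 1*DIGIT (RFC 1945, RFC 7230): no sign, no letters.
_DIGITS = re.compile(r"[0-9]+")
# An unexecuted PHP open tag in a response body means source was sent as-is.
_PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)

# The request from the report, and shortened copies of its two response bodies.
REPORTED_REQUEST = "POST /test.php HTTP/1.0\r\nContent-Length: -75000000\r\n\r\n"
EXPECTED_BODY = "<html><head>\n<title>413 Request Entity Too Large</title>\n</head></html>\n"
ACTUAL_BODY = EXPECTED_BODY + "<?php\n$dblogin = 'admin';\necho 'some output';\n?>\n"

def content_length_values(raw_request):
    """Return every Content-Length value found in the header block."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    values = []
    for line in head.split("\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-length":
            values.append(value.strip())
    return values

def check_content_length(raw_request, max_body=8 * 1024 * 1024):
    """Return (status, reason); 200 means the request may go to the handler."""
    values = content_length_values(raw_request)
    if not values:
        return 200, "no Content-Length"
    if len(set(values)) > 1:
        return 400, "conflicting Content-Length headers"
    if not _DIGITS.fullmatch(values[0]):
        return 400, "Content-Length is not 1*DIGIT"
    if int(values[0]) > max_body:
        return 413, "body exceeds limit"
    return 200, "ok"

def leaks_php_source(response_body):
    """True if the body contains a raw PHP open tag (<?php or <?=)."""
    return bool(_PHP_TAG.search(response_body))

if __name__ == "__main__":
    print(check_content_length(REPORTED_REQUEST))
    print("expected body leaks source:", leaks_php_source(EXPECTED_BODY))
    print("actual body leaks source:  ", leaks_php_source(ACTUAL_BODY))
```

Running leaks_php_source over error responses in an integration test catches this class of regression even when the status code itself is correct.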