Edit report at https://bugs.php.net/bug.php?id=54114&edit=1
ID: 54114
User updated by: danhstevens at gmail dot com
Reported by: danhstevens at gmail dot com
Summary: Output Buffer Dumps Data On Error
Status: Not a bug
Type: Bug
Package: Output Control
Operating System: all
PHP Version: 5.3.5
Block user comment: N
Private report: N
New Comment:
Mike, this is a security issue because users of frameworks like Symfony are
highly
exposed to this bug. Symfony uses OB for parsing configuration files which
often
contain sensitive information. One syntax error in your config file and all
your
config params are on display to the www. It's unexpected behavior, and it can
(and
in my case, has) caused the release of sensitive information.
Previous Comments:
------------------------------------------------------------------------
[2013-09-30 12:11:25] m...@php.net
I'm not sure why this should be security related?
Why even output security sensitive information at all?
------------------------------------------------------------------------
[2011-08-17 13:44:19] nicolas dot grekas+php at gmail dot com
Here is an other example that can't be workaround using danhstevens' technique:
<?php
function my_shutdown()
{
echo "secret\n";
throw new Exception;
}
function ob_custom_filter($b)
{
return str_replace('secret', '******', $b);
}
register_shutdown_function('my_shutdown');
ob_start('ob_custom_filter');
?>
------------------------------------------------------------------------
[2011-03-10 19:41:28] danhstevens at gmail dot com
I've found a viable work-around for this bug (although a patch of the core
would still be ideal so people don't discover this potential security issue the
hard-way).
By registering the following shutdown handler before any output buffering the
dump of data can be prevented:
<?php
function shutdown_fn()
{
//If ob_start has been called at least once
if(ob_get_level() > 1)
{
//Prevent data in buffer from dumping
ob_end_clean();
}
}
register_shutdown_function('shutdown_fn');
Now when using the examples above that normally cause the buffer to dump to the
client the buffer data is disposed of. Of course, this can be extended to use
ob_get_contents and redirect the data to file or other means if necessary. This
approach is working for me (on PHP 5.3.5).
~Dan
------------------------------------------------------------------------
[2011-03-06 16:51:52] neweracracker at gmail dot com
I've managed to reproduce this in Windows 7 running php 5.2.17 (with
php.ini-dist) and php 5.3.5 (with php.ini-development).
Here is my test script:
<?php
set_time_limit(1);
ob_start();
echo "You shouldn't see this!";
sleep(2); //comment this and you won't see the line above in output ;)
ob_end_clean();
?>
I've reported this as bug #54174 which got closed due being a dupe of this one
so I am leaving this comment here for reference purposes.
Regards,
NewEraCracker.
------------------------------------------------------------------------
[2011-02-28 21:40:36] danhstevens at gmail dot com
Hi Rasmus,
I was still able to create the problem by calling on a non-existing class to
create a fatal error. Here is a variation of your code:
function eh($errno, $errstr, $errfile, $errline) {
$contents = ob_get_contents();
ob_end_clean();
echo "Error: $errno, $errstr, $errfile, $errline\n";
}
set_error_handler('eh');
ob_start();
echo 123;
nonExistantClass::nonExistantMethod();
echo "After error\n";
Output is:
123
Fatal error: Class 'nonExistantClass' not found in ...
Hopefully the above should more accurately illustrate the issue.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=54114
--
Edit this bug report at https://bugs.php.net/bug.php?id=54114&edit=1
