Fixed bug #71323 - Output of stream_get_meta_data can be falsified by its input

Author: smalyshev

ext/standard/streamsfuncs.c

@@ -496,6 +496,12 @@ PHP_FUNCTION(stream_get_meta_data)
 
 	array_init(return_value);
 
+	if (!php_stream_populate_meta_data(stream, return_value)) {
+		add_assoc_bool(return_value, "timed_out", 0);
+		add_assoc_bool(return_value, "blocked", 1);
+		add_assoc_bool(return_value, "eof", php_stream_eof(stream));
+	}
+
 	if (stream->wrapperdata) {
 		MAKE_STD_ZVAL(newval);
 		MAKE_COPY_ZVAL(&stream->wrapperdata, newval);
@@ -531,12 +537,6 @@ PHP_FUNCTION(stream_get_meta_data)
 		add_assoc_string(return_value, "uri", stream->orig_path, 1);
 	}
 
-	if (!php_stream_populate_meta_data(stream, return_value)) {
-		add_assoc_bool(return_value, "timed_out", 0);
-		add_assoc_bool(return_value, "blocked", 1);
-		add_assoc_bool(return_value, "eof", php_stream_eof(stream));
-	}
-
 }
 /* }}} */
 
@@ -696,7 +696,7 @@ static int stream_array_from_fd_set(zval *stream_array, fd_set *fds TSRMLS_DC)
 				} else { /* HASH_KEY_IS_STRING */
 					zend_hash_update(new_hash, key, key_len, (void *)elem, sizeof(zval *), (void **)&dest_elem);
 				}
-				
+
 				if (dest_elem) {
 					zval_add_ref(dest_elem);
 				}
@@ -1453,19 +1453,19 @@ PHP_FUNCTION(stream_set_chunk_size)
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "The chunk size must be a positive integer, given %ld", csize);
 		RETURN_FALSE;
 	}
-	/* stream.chunk_size is actually a size_t, but php_stream_set_option 
+	/* stream.chunk_size is actually a size_t, but php_stream_set_option
 	 * can only use an int to accept the new value and return the old one.
 	 * In any case, values larger than INT_MAX for a chunk size make no sense.
 	 */
 	if (csize > INT_MAX) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "The chunk size cannot be larger than %d", INT_MAX);
 		RETURN_FALSE;
 	}
-	
+
 	php_stream_from_zval(stream, &zstream);
 
 	ret = php_stream_set_option(stream, PHP_STREAM_OPTION_SET_CHUNK_SIZE, (int)csize, NULL);
-	
+
 	RETURN_LONG(ret > 0 ? (long)ret : (long)EOF);
 }
 /* }}} */

ext/standard/tests/streams/bug71323.phpt

@@ -0,0 +1,31 @@
+--TEST--
+Bug #71323: Output of stream_get_meta_data can be falsified by its input
+--FILE--
+<?php
+$file = 'data:text/plain;z=y;uri=eviluri;mediatype=wut?;mediatype2=hello,somedata';
+$meta = stream_get_meta_data(fopen($file, "r"));
+var_dump($meta);
+?>
+--EXPECTF--
+array(10) {
+  ["mediatype"]=>
+  string(10) "text/plain"
+  ["z"]=>
+  string(1) "y"
+  ["uri"]=>
+  string(72) "data:text/plain;z=y;uri=eviluri;mediatype=wut?;mediatype2=hello,somedata"
+  ["mediatype2"]=>
+  string(5) "hello"
+  ["base64"]=>
+  bool(false)
+  ["wrapper_type"]=>
+  string(7) "RFC2397"
+  ["stream_type"]=>
+  string(7) "RFC2397"
+  ["mode"]=>
+  string(1) "r"
+  ["unread_bytes"]=>
+  int(0)
+  ["seekable"]=>
+  bool(true)
+}

ext/standard/tests/streams/stream_get_meta_data_dir_basic.phpt

@@ -13,6 +13,12 @@ var_dump(stream_get_meta_data($dirObject->handle));
 ?>
 --EXPECT--
 array(8) {
+  ["timed_out"]=>
+  bool(false)
+  ["blocked"]=>
+  bool(true)
+  ["eof"]=>
+  bool(false)
   ["wrapper_type"]=>
   string(9) "plainfile"
   ["stream_type"]=>
@@ -23,14 +29,14 @@ array(8) {
   int(0)
   ["seekable"]=>
   bool(true)
+}
+array(8) {
   ["timed_out"]=>
   bool(false)
   ["blocked"]=>
   bool(true)
   ["eof"]=>
   bool(false)
-}
-array(8) {
   ["wrapper_type"]=>
   string(9) "plainfile"
   ["stream_type"]=>
@@ -41,10 +47,4 @@ array(8) {
   int(0)
   ["seekable"]=>
   bool(true)
-  ["timed_out"]=>
-  bool(false)
-  ["blocked"]=>
-  bool(true)
-  ["eof"]=>
-  bool(false)
 }

ext/standard/tests/streams/stream_get_meta_data_file_basic.phpt

@@ -12,6 +12,12 @@ fclose($fp);
 ?>
 --EXPECTF--
 array(9) {
+  ["timed_out"]=>
+  bool(false)
+  ["blocked"]=>
+  bool(true)
+  ["eof"]=>
+  bool(false)
   ["wrapper_type"]=>
   string(9) "plainfile"
   ["stream_type"]=>
@@ -24,10 +30,4 @@ array(9) {
   bool(true)
   ["uri"]=>
   string(%i) "%sstream_get_meta_data_file_basic.php"
-  ["timed_out"]=>
-  bool(false)
-  ["blocked"]=>
-  bool(true)
-  ["eof"]=>
-  bool(false)
 }