laruence / taint

Taint is a PHP extension, used for detecting XSS codes

copy of tainted variable makes original variable forget it was a reference

Mrten opened this issue · comments

Copying a function variable makes it forget that it was a reference. This is with PHP 5.3.10 (latest in Ubuntu precise).

Demo-code:

<?php

header('Content-Type: text/plain');

$string = 'foo@bar.com';

echo "input: ".$string."\n";
echo "expected result: @bar.com\n-----\n\n";

taint($string);
checkEmailAddress($string);

untaint($string);
checkEmailAddress($string);

function checkEmailAddress($address) {

        if ( is_tainted($address) ) {
                echo "with tainted variable:\n";
        } else {
                echo "with normal variable:\n";
        }

        $ret = getAddressSpec($address);

        echo "RESULT: ";
        var_dump($address);
        echo "\n\n";
}

function getAddressSpec(&$at) {

        echo "BEFORE CHANGE: ";
        var_dump($at);

        // This line is the problem. It works for tainted variables if we remove it.
        $oldat = $at;

        // Change contents of reference
        $at = '@bar.com';

        echo "AFTER CHANGE IN SAME FUNCTION: ";
        var_dump($at);
}
?>

You'll see that the result of checkEmailAddress changes if we change the 'taintedness' of the variable given to the function.

Output for 5.3.10:

input: foo@bar.com
expected result: @bar.com
-----

with tainted variable:
BEFORE CHANGE: &string(11) "foo@bar.com"
AFTER CHANGE IN SAME FUNCTION: string(8) "@bar.com"
RESULT: string(11) "foo@bar.com"


with normal variable:
BEFORE CHANGE: string(11) "foo@bar.com"
AFTER CHANGE IN SAME FUNCTION: string(8) "@bar.com"
RESULT: string(8) "@bar.com"
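The following script is an added example, not code from the issue above or from the taint project. It turns the reporter's observation into a small regression check that goes beyond the single case in the report: for each of three ways PHP creates a reference (a by-reference parameter, an explicit `=&` alias, and `foreach` by reference), it copies the referenced variable, writes through the reference, and verifies the write reached the original, once with an untainted string and once with a tainted one. It assumes the taint extension is loaded and exposes `taint()` as used in the report; the input string and the expected result are constructed to match the demo. On 5.3.10 the report above shows the tainted by-reference-parameter case failing; what the other cases do is for the run to tell.

```php
<?php
// Added example (not from the issue or the taint project): a regression check for
// "copying a tainted variable makes the original forget it was a reference".
// Assumes the taint extension is loaded. Each case receives the input string by
// value, creates a reference to it, copies the referenced variable, writes a new
// value through the reference, and returns what the original now holds.

if (!extension_loaded('taint')) {
    fwrite(STDERR, "taint extension not loaded\n");
    exit(1);
}

// Case 1: by-reference parameter, copied inside the callee (the issue's scenario).
function viaParameter(&$ref) {
    $copy = $ref;            // the copy the issue identifies as the trigger
    $ref = '@bar.com';       // write through the reference
}

// Case 2: explicit alias made with =&, then copied and written through.
function viaAlias($value) {
    $alias = &$value;
    $copy = $alias;
    $alias = '@bar.com';
    return $value;           // should be '@bar.com' if the alias survived the copy
}

// Case 3: foreach by reference over an array element.
function viaForeach($value) {
    $items = array($value);
    foreach ($items as &$item) {
        $copy = $item;
        $item = '@bar.com';
    }
    unset($item);            // drop the dangling reference, as PHP docs advise
    return $items[0];
}

$cases = array(
    'by-ref parameter' => function ($s) { viaParameter($s); return $s; },
    '=& alias'         => function ($s) { return viaAlias($s); },
    'foreach by ref'   => function ($s) { return viaForeach($s); },
);

$failures = 0;
foreach (array(false, true) as $tainted) {
    foreach ($cases as $label => $case) {
        $input = 'foo@bar.com';              // constructed sample input
        if ($tainted) {
            taint($input);                   // mark it as untrusted, as in the report
        }
        $result = $case($input);
        // Compare only; the tainted value is never echoed, so no taint warnings fire.
        $ok = ($result === '@bar.com');
        printf("%-9s %-18s %s\n", $tainted ? 'tainted' : 'untainted', $label, $ok ? 'PASS' : 'FAIL');
        if (!$ok) {
            $failures++;
        }
    }
}

exit($failures === 0 ? 0 : 1);
```

Run it under the same PHP and extension build as the report (`php check_taint_refs.php`); a non-zero exit status means at least one reference was lost, and the untainted rows serve as the control showing what plain PHP does for the same construct.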