Оффлайн
- Регистрация
- 1 Мар 2015
- Сообщения
- 1,481
- Баллы
- 155
There are several HTTP status codes related to content-length:
if (!$request->hasHeader('Content-Length')) {
return response()->json(['error' => 'Content-Length header required'], 411);
}
$maxSize = 5 * 1024 * 1024; // 5MB
if ($request->header('Content-Length') > $maxSize) {
return response()->json(['error' => 'Payload too large'], 413);
}
$actualSize = strlen($request->getContent());
$declaredSize = $request->header('Content-Length');
if ($actualSize != $declaredSize) {
return response()->json(['error' => 'Content-Length mismatch'], 400);
}
CVE-2019-11043 - PHP-FPM Buffer Overflow
CVE-2018-7583 vulnerability
// Simplified PHP internal C code
void parse_multipart_data(request_t *request) {
// Step 1: Allocate based on Content-Length header
size_t declared_size = get_header_value("Content-Length"); // 100
char *buffer = malloc(declared_size); // 100 bytes allocated
// Step 2: Read actual data until boundary
size_t bytes_read = 0;
while (!found_boundary()) {
// This reads MORE than Content-Length declared!
bytes_read += read(input, buffer + bytes_read, CHUNK_SIZE);
// If bytes_read > 100, we overflow the buffer!
}
}
Memory Layout:
[Buffer: 100 bytes][Other Data][Return Address]
What happens:
1. Buffer allocated: [100 empty bytes]
2. Reads 500 bytes: [100 bytes][400 OVERFLOW→][Corrupted][Corrupted]
↑ Overwrites other memory!
Affected Versions:
Fixed in:
- 411 Length Required: Server requires Content-Length header but it's missing
if (!$request->hasHeader('Content-Length')) {
return response()->json(['error' => 'Content-Length header required'], 411);
}
- 413 Request Entity Too Large: Body exceeds server's size limit
$maxSize = 5 * 1024 * 1024; // 5MB
if ($request->header('Content-Length') > $maxSize) {
return response()->json(['error' => 'Payload too large'], 413);
}
- 400 Bad Request: Content-Length doesn't match actual body size
$actualSize = strlen($request->getContent());
$declaredSize = $request->header('Content-Length');
if ($actualSize != $declaredSize) {
return response()->json(['error' => 'Content-Length mismatch'], 400);
}
CVE-2019-11043 - PHP-FPM Buffer Overflow
CVE-2018-7583 vulnerability
// Simplified PHP internal C code
void parse_multipart_data(request_t *request) {
// Step 1: Allocate based on Content-Length header
size_t declared_size = get_header_value("Content-Length"); // 100
char *buffer = malloc(declared_size); // 100 bytes allocated
// Step 2: Read actual data until boundary
size_t bytes_read = 0;
while (!found_boundary()) {
// This reads MORE than Content-Length declared!
bytes_read += read(input, buffer + bytes_read, CHUNK_SIZE);
// If bytes_read > 100, we overflow the buffer!
}
}
Memory Layout:
[Buffer: 100 bytes][Other Data][Return Address]
What happens:
1. Buffer allocated: [100 empty bytes]
2. Reads 500 bytes: [100 bytes][400 OVERFLOW→][Corrupted][Corrupted]
↑ Overwrites other memory!
Affected Versions:
- PHP 7.0.x before 7.0.28
- PHP 7.1.x before 7.1.15
- PHP 7.2.x before 7.2.3
Fixed in:
- PHP 7.0.28
- PHP 7.1.15
- PHP 7.2.3
- PHP 7.3.0 and later