The following is the test code (test.php):
<?php
$a = "hello";
$id = &$a;            // $id and $a now share one zval (is_ref, refcount 2)
$id = $_GET['id'];    // assignment through the reference must also update $a
$c = $id;             // plain copy of the current value
$id = "hello123";     // again written through the reference, so $a changes too
echo $a;              // expected: hello123
echo $id;             // expected: hello123
?>
If you open "http://*****/test.php?id=ab" in your browser with the taint extension loaded, the page outputs "abhello123". But it should output "hello123hello123"; this changes PHP's internal execution.
I think that the problem is caused by php_taint_assign_handler: when you separate the variable, the reference count of op2 is decremented. php_taint_assign_ref_handler handles it the same way.
Your code:
/*the problem code*/
else if (PZVAL_IS_REF(*op2) && Z_REFCOUNT_PP(op2) > 1) {
    SEPARATE_ZVAL(op2);
    Z_STRVAL_PP(op2) = erealloc(Z_STRVAL_PP(op2), Z_STRLEN_PP(op2) + 1 + PHP_TAINT_MAGIC_LENGTH);
    PHP_TAINT_MARK(*op2, PHP_TAINT_MAGIC_POSSIBLE);
}
@laruence