php://temp bug fixed in 8.1.6 is not backported to 8.1.2 release
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
php-defaults (Ubuntu) | Invalid | Undecided | Unassigned | |
php8.1 (Ubuntu) | Invalid | Undecided | Unassigned | |
Jammy | Fix Released | Undecided | Athos Ribeiro | |
Bug Description
[ Impact ]
PHP gives users access to the temporary data stream php://temp (see https:/
In jammy, when this move from memory to disk happens, the file position is not preserved. Instead, PHP will set the file position to the end of the file.
This will result in corrupted/unwanted data being generated when users are manipulating the files at a lower level.
The proposed patch fixes the issue by preserving the file position when the data stream is moved from memory to a file.
[ Test Plan ]
The following PHP snippet reproduces the bug. Run it after applying the fix and verify the output is as expected (listed after the script).
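<?php
// Keep at most 1024 bytes in memory before php://temp moves to a temporary file.
$f = fopen('php://temp/maxmemory:1024', 'r+');
fwrite($f, str_repeat("1", 738));
fseek($f, 0, SEEK_SET);
// This write triggers the move from memory to a temporary file.
fwrite($f, str_repeat("2", 512));
fseek($f, 0, SEEK_SET);
var_dump(fread($f, 16));
fseek($f, 0, SEEK_END);
// Total stream size: 738 when the position was preserved, 1250 when it was not.
var_dump(ftell($f));
?>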
Buggy PHP output:
$ php reproduce.php
string(16) "1111111111111111"
int(1250)
Fixed PHP output:
$ php reproduce.php
string(16) "2222222222222222"
int(738)
[ Where problems could occur ]
If the proposed patch (originating from and already released by the upstream project) contains any flaws, they would likely be manifested through a different bug when manipulating file positions for the PHP temporary data streams (instead of having a full regression). We would then need to work with upstream to find the best solution for the new issue.
[ Other Info ]
The proposed patch was released in PHP 8.1.6. Therefore, it only affects jammy.
[ Original message ]
Ubuntu 22.04 default PHP package (2:8.1+92ubuntu1) contains the pre-8.1.6 bug:
https:/
Streams:
Fixed php://temp does not preserve file-position when switched to temporary file.
Fixed in:
https:/
Current workaround:
When opening php://temp, prevent its conversion to a file by increasing maxmemory to whatever number your application needs:
$fp = fopen("
Related branches
- git-ubuntu bot: Approve
- Bryce Harrington (community): Approve
- Canonical Server Reporter: Pending requested
Diff: 101 lines (+76/-0), 3 files modified
debian/changelog (+11/-0)
debian/patches/0049-Preserve-file-position-when-php-temp-switches.patch (+64/-0)
debian/patches/series (+1/-0)
Changed in php-defaults (Ubuntu):
status: New → Invalid
no longer affects: php-defaults (Ubuntu Jammy)
Changed in php8.1 (Ubuntu):
status: New → Invalid
description: updated
Changed in php8.1 (Ubuntu Jammy):
status: Triaged → In Progress
Thanks for taking the time to report this bug.
This is a minimal reproducer, available in the linked upstream patch:
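<?php
// Keep at most 1024 bytes in memory before php://temp moves to a temporary file.
$f = fopen('php://temp/maxmemory:1024', 'r+');
fwrite($f, str_repeat("1", 738));
fseek($f, 0, SEEK_SET);
// This write triggers the move from memory to a temporary file.
fwrite($f, str_repeat("2", 512));
fseek($f, 0, SEEK_SET);
var_dump(fread($f, 16));
fseek($f, 0, SEEK_END);
// Total stream size: 738 when the position was preserved, 1250 when it was not.
var_dump(ftell($f));
?>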
Buggy (jammy):
$ php reproduce.php
string(16) "1111111111111111"
int(1250)
Fixed (kinetic):
$ php reproduce.php
string(16) "2222222222222222"
int(738)
As one can see, the file position is indeed not being preserved in the affected run (jammy).
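A behavioural check for this bug, as an added example that is not part of the bug report or the upstream patch: it tests what the interpreter does rather than its version string, since a distribution backport keeps the upstream version number (8.1.2 on jammy). The function name, its parameters and the 1 MiB workaround value are assumptions of this example.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not from the report): returns true when php://temp
 * keeps the file position across the memory-to-file switch, false when the
 * second write lands at the end of the data as described in this report.
 */
function temp_stream_preserves_position(int $maxMemory, int $first = 738, int $second = 512): bool
{
    $f = fopen("php://temp/maxmemory:$maxMemory", 'r+');
    if ($f === false) {
        throw new RuntimeException('cannot open php://temp');
    }
    try {
        fwrite($f, str_repeat('1', $first));
        fseek($f, 0, SEEK_SET);
        fwrite($f, str_repeat('2', $second)); // overwrite starting at offset 0
        rewind($f);
        $data = stream_get_contents($f);
    } finally {
        fclose($f);
    }
    // Correct result: the second write replaces the head of the first one,
    // so the stream never grows beyond max($first, $second) bytes.
    $expected = str_repeat('2', $second) . str_repeat('1', max(0, $first - $second));
    return $data === $expected;
}

// Same sizes as the report's reproducer: the second write makes the stream
// move from memory to a temporary file with maxmemory set to 1024.
$affected = !temp_stream_preserves_position(1024);

// Workaround from the report: raise maxmemory so the data stays in memory.
// 1 MiB is a constructed value; size it for your application.
$workaroundOk = temp_stream_preserves_position(1024 * 1024);

printf("PHP %s: %s\n", PHP_VERSION, $affected ? 'AFFECTED (position lost on switch)' : 'not affected');
printf("maxmemory workaround: %s\n", $workaroundOk ? 'ok' : 'FAILED');

// Non-zero exit status lets a deployment or CI check fail on affected hosts.
exit($affected ? 1 : 0);
```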