科技回声
© 2025 科技回声. All rights reserved.

PHP filter_var shenanigans

65 points, by mkeeter, about 3 years ago

8 comments

jamesfinlayson, about 3 years ago

> There are some limitations to this exploit, for example, the user input must be 4GB in size (which is a large amount of data and may not be possible due to the configuration of some webservers and load balancers).

I'm thinking PHP's built-in request size limit config items (e.g. post_max_size) will prevent this from being an issue too. Might not stop this bug if the URL is in a header though.
simonhamp, about 3 years ago

If you take away the call to `system`, what are you left with?

It's not so much a vulnerability, but certainly a bug, and I agree it needs fixing. But it doesn't feel particularly urgent.

It would likely be classed as a vulnerability if the out-of-bounds access _itself_ exposed some kind of internal issue beyond accessing the user input data in an unusual manner.

It only becomes a vulnerability in userland code where it's in the hands of a naive implementation, such as the one posited here.

The other factor is that, as noted by others, there are likely a number of other layers that a sysadmin can put into place using readily available PHP config options that would essentially prevent this from being possible, and by default they are pre-configured in such a way as to prevent this.

Would be interesting to see if there is code in the wild that is as naive as the example given, but my gut says 'probably not', so again the likelihood of this being an issue is very, very low.

From that perspective I can understand core PHP devs opting not to pursue this immediately.
nolok, about 3 years ago

Doesn't change the vulnerability in question, but still worth mentioning: that's not how you're supposed to sanitize commands and args you send to system() and the like.
wanderr, about 3 years ago
While this should be fixed, I think it&#x27;s always a bad idea to rely on implementation details for safety. By which I mean those filters exist for something other than protecting a system command from injection. Even if they did work properly today, there&#x27;s nothing saying that this couldn&#x27;t change in the future because what&#x27;s considered a valid domain changes. In this case it seems like escapeshellcmd would be more appropriate.
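The pattern the last three comments criticise, shown as an added example beside a hardened version. This is not code from the linked article or from the PHP project: the function names, the use of the `host` lookup utility, and the sample inputs are assumptions made for illustration. The hardened version keeps filter_var as one check but no longer relies on it for shell safety: it bounds the input length, applies its own allowlist to the raw string, and hands the argument to proc_open's array form (PHP 7.4 and later), which runs the program without a shell. Where a shell is unavoidable, escapeshellarg() is the function for a single argument.

```php
<?php
declare(strict_types=1);

// Added example for this thread; not code from the linked article or from PHP.
// It contrasts the naive "filter_var then system()" pattern criticised above
// with a version whose shell safety does not depend on filter_var.
// Function names and the use of the `host` utility are assumptions.

/**
 * Naive pattern: the only barrier between user input and /bin/sh is
 * FILTER_VALIDATE_DOMAIN. If that check is ever wrong (the 4GB case
 * discussed in the thread, or a future change to what counts as a valid
 * domain), the raw input reaches the shell unescaped.
 */
function lookupNaive(string $domain): string
{
    $checked = filter_var($domain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME);
    if ($checked === false) {
        return 'invalid domain';
    }
    // Any shell metacharacters that slipped through are interpreted here.
    return (string) shell_exec("host {$checked}");
}

/**
 * Hardened pattern: validation stays (it is still a useful business rule),
 * but it is no longer what keeps the shell safe.
 */
function lookupHardened(string $domain): string
{
    // 1. Bound the input before parsing it. A DNS name in presentation form
    //    is at most 253 characters, so anything longer is rejected outright.
    if (strlen($domain) > 253) {
        throw new InvalidArgumentException('hostname too long');
    }

    // 2. Positive allowlist on the raw string: labels of letters, digits and
    //    hyphens, not starting or ending with a hyphen, separated by dots.
    //    Because the first character must be alphanumeric, the value can
    //    never start with '-' and be mistaken for a command-line option.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (!preg_match('/\A' . $label . '(?:\.' . $label . ')*\z/', $domain)) {
        throw new InvalidArgumentException('hostname contains disallowed characters');
    }

    // 3. Keep filter_var as an independent second opinion.
    if (filter_var($domain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        throw new InvalidArgumentException('hostname rejected by filter_var');
    }

    // 4. Do not build a command string at all. Passing an array to proc_open
    //    (PHP >= 7.4) executes the program directly, with no shell, so there
    //    is nothing for metacharacters to act on.
    $descriptors = [
        1 => ['pipe', 'w'],   // stdout
        2 => ['pipe', 'w'],   // stderr
    ];
    $proc = proc_open(['host', $domain], $descriptors, $pipes);
    if ($proc === false) {
        throw new RuntimeException('could not start host');
    }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    if ($status !== 0) {
        throw new RuntimeException("host exited with {$status}: {$err}");
    }
    return $out;
}

/**
 * If a shell really is required (here, to pipe the output), escape the single
 * argument with escapeshellarg(), which wraps it in single quotes and escapes
 * any embedded single quote. escapeshellcmd() is for a whole command string.
 */
function lookupViaShell(string $domain): string
{
    if (filter_var($domain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        throw new InvalidArgumentException('invalid domain');
    }
    return (string) shell_exec('host ' . escapeshellarg($domain) . ' | head -n 5');
}

// Constructed inputs: a benign name and an injection attempt.
foreach (['example.com', 'example.com; id'] as $input) {
    try {
        echo lookupHardened($input), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "rejected '{$input}': {$e->getMessage()}", PHP_EOL;
    } catch (RuntimeException $e) {
        echo "lookup failed: {$e->getMessage()}", PHP_EOL;
    }
}
```

The length cap inside the application is deliberate: PHP's request limits such as post_max_size bound the request body, but a value taken from a URL or header is not covered by them, so the code should enforce its own bound before any parsing happens.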
dubcanada, about 3 years ago

This appears to be a rare + rare + exceptionally rare = vulnerability type thing. While I do agree that it should be fixed, and certainly because the patch is a single easy fix, unit tests would catch any regressions.

But the author kind of made it seem like a big deal, while realistically nobody would write code this way. Taking user input, running the domain with the host flag through filter_var and then making a system call with it?

Most libraries tend to implement validation themselves and not rely on filter_var.

But even if this was fixed, most people should know that taking user input and running it via system is a bad idea and needs more than a simple filter_var filter.
Jasper_, about 3 years ago

> We see that if t (end-1) is . then e is written with the character ., as if we were to pass a very large number to the function.

I don't believe this is what's happening at all... e and t are pointers, and they're not being written to, just reassigned.
chx, about 3 years ago

I wonder what system allows a 4GB string to be passed as a command. A brief look at https://www.in-ulm.de/~mascheck/various/argmax/ makes me think none, by far? It seems this limit is at most 2MB, which is nowhere near 4GB. Am I misunderstanding something?
bawolff, about 3 years ago

The example vulnerable code is super contrived. That's not how you should escape command line arguments. And even ignoring that, are you even allowed to give the system a 4GB-long command line?

Regardless, PHP should fix the issue.