Out-of-bounds read in php_strip_tags_ex
When fgetss() is used to read data while stripping HTML tags, PHP 7.2.x before 7.2.27, 7.3.x before 7.3.14, and 7.4.x before 7.4.2 can be given input that makes php_strip_tags_ex() read past the end of the allocated buffer. This may lead to information disclosure or a crash.
fgetss() combines fgets() with strip_tags(), which removes HTML and PHP tags as well as NUL bytes. fgetss() is deprecated (since PHP 7.3, and removed in PHP 8.0), so you should not be using it. Instead, call strip_tags() on each line that fgets() returns, checking for the false that fgets() returns at end of file or on error so you never pass false into strip_tags():

```php
while (($line = fgets($fh)) !== false) {
    $line = strip_tags($line);
    // do something with $line
}
```

One caveat: fgetss() kept its tag-stripping state on the stream between calls, so a tag that spanned a line break was still removed. strip_tags() on a single line has no such state. If the input can contain tags that span lines, read the whole stream and call strip_tags() once on the complete content.
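The following is an added example, not code from the Zend advisory or from PHP itself. It wraps the fgets() + strip_tags() replacement in a helper with the same false-at-EOF contract as fgets(), and it feeds a constructed php://memory stream through both a per-line pass and a whole-stream pass to show the one place the two differ: a tag whose attribute quoting continues onto the next line. The function name read_stripped_line and the sample text are assumptions made for this example.

```php
<?php
// Added example (not from the Zend advisory): a drop-in replacement for the
// deprecated fgetss(), built on fgets() + strip_tags().

/**
 * Read one line from $fh and strip HTML/PHP tags and NUL bytes from it.
 * Returns false at EOF or on error, exactly like fgets(), so callers can keep
 * the usual `while (($line = read_stripped_line($fh)) !== false)` idiom.
 * $allowed_tags is passed straight through to strip_tags().
 */
function read_stripped_line($fh, ?string $allowed_tags = null)
{
    $line = fgets($fh);
    if ($line === false) {
        return false;           // EOF or read error: never hand false to strip_tags()
    }
    return strip_tags($line, $allowed_tags);
}

/**
 * Strip tags from the remainder of a stream in one call. Use this when a tag
 * may span a line break: a single strip_tags() call sees the complete markup,
 * whereas per-line calls have no state carried over from the previous line.
 */
function strip_stream($fh, ?string $allowed_tags = null): string
{
    $contents = stream_get_contents($fh);
    if ($contents === false) {
        return '';
    }
    return strip_tags($contents, $allowed_tags);
}

// Constructed sample input (not real data): the <span> tag on line 2 has an
// attribute value that continues onto line 3, and line 4 carries a NUL byte.
$sample = "<p>plain text</p>\n"
        . "<span class=\"x\n"
        . "y\">wrapped</span>\n"
        . "null\0byte\n";

$fh = fopen('php://memory', 'r+');
fwrite($fh, $sample);
rewind($fh);

echo "--- per line: fgets() + strip_tags() ---\n";
while (($line = read_stripped_line($fh)) !== false) {
    echo json_encode($line), "\n";
}

rewind($fh);
echo "--- whole stream: one strip_tags() call ---\n";
echo json_encode(strip_stream($fh)), "\n";

fclose($fh);
```

In the per-line pass, line 2 is an unterminated tag, so strip_tags() drops it entirely, and line 3 is seen without any tag context, so the leftover fragment `y">wrapped` survives. In the whole-stream pass the quoted attribute is tracked across the newline and only "wrapped" remains. Pick the whole-stream form whenever the content is not line-oriented; the per-line form is only equivalent to fgetss() when no tag crosses a line boundary.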
When possible, upgrade to PHP 7.2.27 or higher, 7.3.14 or higher, or 7.4.2 or higher.
Reference: CVE-2020-7059