| View Issue Details |
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0000305 | Xdebug | Usage problems | public | 2007-08-28 14:41 | 2011-10-01 14:06 |
|
| Reporter | hoffie | |
| Assigned To | derick | |
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | resolved | Resolution | fixed | |
| Platform | | OS | | OS Version | |
| Product Version | | |
| Target Version | | Fixed in Version | | |
|
| Summary | 0000305: xdebug exception handler doesn't properly handle special chars |
| Description | While PHP's default exception handler escapes special chars like <, > and " correctly, xdebug's exception handler doesn't.
Basically this might be classified as XSS, but as xdebug is intended for debugging only I don't think it is that critical (it should still be fixed, of course). |
| Additional Information | $ echo '<?php throw new Exception("<MARK>"); ?>' | php-cgi -n | grep MARK
Fatal error: Uncaught exception 'Exception' with message '<MARK>' in /tmp/-:1
$ echo '<?php throw new Exception("<MARK>"); ?>' | php-cgi | grep MARK
<tr><th align='left' bgcolor='#f57900' colspan="5"><span style='background-color: #cc0000; color: #fce94f; font-size: x-large;'>( ! )</span> Exception: <MARK> in /tmp/- on line 1</th></tr> |
| Tags | No tags attached. |
|
| Operating System | Linux 2.6 |
| PHP Version | 5.2-dev |
|
| Attached Files | |
|
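The fix the report asks for, sketched in C as an added example; this is not Xdebug's own code. The names `html_escape` and `render_exception_row` are hypothetical, and the table row is simplified from the output quoted above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: malloc'd copy of `in` with the HTML-significant
 * characters replaced by entities. Caller frees; NULL on failure. */
char *html_escape(const char *in)
{
    size_t len = strlen(in);
    char *out, *p;
    if (len > (SIZE_MAX - 1) / 6) return NULL;   /* worst case: 6 bytes per input byte */
    out = p = malloc(len * 6 + 1);
    if (!out) return NULL;
    for (; *in; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) { strcpy(p, rep); p += strlen(rep); } else *p++ = *in;
    }
    *p = '\0';
    return out;
}

/* Hypothetical renderer for the header cell of an HTML error table.
 * `type` is assumed to be a class name; message and file are escaped.
 * Returns the length written, or -1 on allocation failure or truncation. */
int render_exception_row(char *buf, size_t size, const char *type,
                         const char *msg, const char *file, int line)
{
    char *m = html_escape(msg), *f = html_escape(file);
    int n = -1;
    if (m && f)
        n = snprintf(buf, size, "<tr><th align='left'>%s: %s in %s on line %d</th></tr>",
                     type, m, f, line);
    free(m); free(f);
    return (n >= 0 && (size_t)n < size) ? n : -1;
}

int main(void)
{
    char row[512]; /* constructed input below matches the report's test case */
    if (render_exception_row(row, sizeof row, "Exception", "<MARK>", "/tmp/-", 1) > 0)
        puts(row);
    return 0;
}
```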