Ubuntu
php5 package

php: throw and catch within a destructor causes exception on-the-fly to be lost

Bug #1042711 reported by Mikko Rantalainen
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
php
Unknown
Unknown
php5 (Ubuntu)
Fix Released
Undecided
Unassigned
Lucid
Won't Fix
Medium
Unassigned

Bug Description

See the attached test case. The Outer::runInner() throws a test exception that is supposed to be catched in Outer::run(). However, before this the destructor of Inner will run as a result of stack unwinding while returning from Outer::runInner(). This, in turn, causes the original exception to be lost because Inner::tearDown() throws an exception which it later catches.

The test case is expected to output (tested official win32 builds 5.3.16 and 5.4.6):

$ php throw-test.php
Catched exception in Inner::tearDown(): test throw inside Inner::tearDown()
#0 /path/to/test.php(6): Inner->tearDown()
#1 /path/to/test.php(29): Inner->__destruct()
#2 /path/to/test.php(29): Outer->runInner()
#3 /path/to/test.php(45): Outer->run()
#4 {main}
OK: Catched exception in Outer::run(): test throw from Outer::runInner()
#0 /path/to/test.php(29): Outer->runInner()
#1 /path/to/test.php(45): Outer->run()
#2 {main}

The version distributed by ubuntu (PHP 5.3.2-1ubuntu4.17) outputs:

$ php throw-test.php
Catched exception in Inner::tearDown(): test throw inside Inner::tearDown()
#0 /home/mira/tmp/throw-test.php(6): Inner->tearDown()
#1 /home/mira/tmp/throw-test.php(29): Inner->__destruct()
#2 /home/mira/tmp/throw-test.php(29): Outer->runInner()
#3 /home/mira/tmp/throw-test.php(45): Outer->run()
#4 {main}

Notice the missing exception in Outer::run(). [Lines have been manually wrapped for this bug report.]

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: php5-cli 5.3.2-1ubuntu4.17
ProcVersionSignature: Ubuntu 3.0.0-24.40~lucid1-generic 3.0.38
Uname: Linux 3.0.0-24-generic x86_64
Architecture: amd64
CheckboxSubmission: f0bf0101e3df07a87acfbc156f0db03d
CheckboxSystem: b5acb6c9ca4017b1d44043910f45329d
Date: Tue Aug 28 15:01:35 2012
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release Candidate amd64 (20091020.3)
SourcePackage: php5

Revision history for this message
Mikko Rantalainen (mira) wrote :
Revision history for this message
Mikko Rantalainen (mira) wrote :

It just occurred to me that the test case written a bit differently could be program logic guarding authenticated session.

As a result, I'm marking this bug as "security" but keeping it still public because I'm not aware of real world PHP program suffering from a security issue because of this issue.

security vulnerability: no → yes
Revision history for this message
Clint Byrum (clint-fewbar) wrote :

Hi Mikko, thanks for filing this report.

I can confirm that the wrong behavior happens on Lucid's php5-cli package.

I can also confirm that this was resolved upstream in version 5.3.3:

https://bugs.php.net/bug.php?id=52361

These two commits *could* be backported to Lucid's PHP:

http://svn.php.net/viewvc/?view=revision&revision=302323
http://svn.php.net/viewvc/?view=revision&revision=302311

However, I'm not convinced this is a High or Critical importance bug fix. Users can (and should!) upgrade to Ubuntu 12.04.1 and have this resolved. I do acknowledge though that this might be raised in importance if it is seen as a security problem.

Changed in php5 (Ubuntu):
status: New → Fix Released
Changed in php5 (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in php5 (Ubuntu Lucid):
status: Triaged → Won't Fix
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.