diff options
author | Remi Collet <remi@remirepo.net> | 2021-06-28 13:51:45 +0200 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2021-06-28 13:51:45 +0200 |
commit | 79f4911cb38af7817d0dc64fc7f2ef91bd144e16 (patch) | |
tree | 47c505b2abd70cb742a8fa34f600b9322186276e /php-bug81122.patch | |
parent | 25de6dc172808e2f5d11d32e03b5885f5a862ae4 (diff) |
Fix #81122 SSRF bypass in FILTER_VALIDATE_URL
CVE-2021-21705
Fix #76448 Stack buffer overflow in firebird_info_cb
Fix #76449 SIGSEGV in firebird_handle_doer
Fix #76450 SIGSEGV in firebird_stmt_execute
Fix #76452 Crash while parsing blob data in firebird_fetch_blob
CVE-2021-21704
Diffstat (limited to 'php-bug81122.patch')
-rw-r--r-- | php-bug81122.patch | 88 |
1 files changed, 88 insertions, 0 deletions
diff --git a/php-bug81122.patch b/php-bug81122.patch new file mode 100644 index 0000000..3d200d6 --- /dev/null +++ b/php-bug81122.patch @@ -0,0 +1,88 @@ +From bb524cfbd498cebedd9f866c51cef97b69f59644 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecker69@gmx.de> +Date: Mon, 14 Jun 2021 13:22:27 +0200 +Subject: [PATCH 1/8] Fix #81122: SSRF bypass in FILTER_VALIDATE_URL + +We need to ensure that the password detected by parse_url() is actually +a valid password; we can re-use is_userinfo_valid() for that. + +(cherry picked from commit a5538c62293fa782fcc382d0635cfc0c8b9190e3) +--- + ext/filter/logical_filters.c | 4 +++- + ext/filter/tests/bug81122.phpt | 21 +++++++++++++++++++++ + 2 files changed, 24 insertions(+), 1 deletion(-) + create mode 100644 ext/filter/tests/bug81122.phpt + +diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c +index 22868fd8c1..357f7f2f43 100644 +--- a/ext/filter/logical_filters.c ++++ b/ext/filter/logical_filters.c +@@ -587,7 +587,9 @@ bad_url: + RETURN_VALIDATION_FAILED + } + +- if (url->user != NULL && !is_userinfo_valid(url->user)) { ++ if (url->user != NULL && !is_userinfo_valid(url->user) ++ || url->pass != NULL && !is_userinfo_valid(url->pass) ++ ) { + php_url_free(url); + RETURN_VALIDATION_FAILED + +diff --git a/ext/filter/tests/bug81122.phpt b/ext/filter/tests/bug81122.phpt +new file mode 100644 +index 0000000000..d89d4114a5 +--- /dev/null ++++ b/ext/filter/tests/bug81122.phpt +@@ -0,0 +1,21 @@ ++--TEST-- ++Bug #81122 (SSRF bypass in FILTER_VALIDATE_URL) ++--SKIPIF-- ++<?php ++if (!extension_loaded('filter')) die("skip filter extension not available"); ++?> ++--FILE-- ++<?php ++$urls = [ ++ "https://example.com:\\@test.com/", ++ "https://user:\\epass@test.com", ++ "https://user:\\@test.com", ++]; ++foreach ($urls as $url) { ++ var_dump(filter_var($url, FILTER_VALIDATE_URL)); ++} ++?> ++--EXPECT-- ++bool(false) ++bool(false) ++bool(false) +-- +2.31.1 + +From db917b17e82344db82a67c4c68f627246b484ac4 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 27 Jun 2021 21:57:58 -0700 +Subject: [PATCH 2/8] Fix warning + +(cherry picked from commit 190013787bbc424c240413d914e3a038f974ccef) +--- + ext/filter/logical_filters.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c +index 357f7f2f43..7a37f80e46 100644 +--- a/ext/filter/logical_filters.c ++++ b/ext/filter/logical_filters.c +@@ -587,8 +587,8 @@ bad_url: + RETURN_VALIDATION_FAILED + } + +- if (url->user != NULL && !is_userinfo_valid(url->user) +- || url->pass != NULL && !is_userinfo_valid(url->pass) ++ if ((url->user != NULL && !is_userinfo_valid(url->user)) ++ || (url->pass != NULL && !is_userinfo_valid(url->pass)) + ) { + php_url_free(url); + RETURN_VALIDATION_FAILED +-- +2.31.1 + |