summaryrefslogtreecommitdiffstats
path: root/php-bug81122.patch
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2021-06-28 13:51:45 +0200
committerRemi Collet <remi@remirepo.net>2021-06-28 13:51:45 +0200
commit79f4911cb38af7817d0dc64fc7f2ef91bd144e16 (patch)
tree47c505b2abd70cb742a8fa34f600b9322186276e /php-bug81122.patch
parent25de6dc172808e2f5d11d32e03b5885f5a862ae4 (diff)
Fix #81122 SSRF bypass in FILTER_VALIDATE_URL
CVE-2021-21705 Fix #76448 Stack buffer overflow in firebird_info_cb Fix #76449 SIGSEGV in firebird_handle_doer Fix #76450 SIGSEGV in firebird_stmt_execute Fix #76452 Crash while parsing blob data in firebird_fetch_blob CVE-2021-21704
Diffstat (limited to 'php-bug81122.patch')
-rw-r--r--php-bug81122.patch88
1 files changed, 88 insertions, 0 deletions
diff --git a/php-bug81122.patch b/php-bug81122.patch
new file mode 100644
index 0000000..3d200d6
--- /dev/null
+++ b/php-bug81122.patch
@@ -0,0 +1,88 @@
+From bb524cfbd498cebedd9f866c51cef97b69f59644 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Mon, 14 Jun 2021 13:22:27 +0200
+Subject: [PATCH 1/8] Fix #81122: SSRF bypass in FILTER_VALIDATE_URL
+
+We need to ensure that the password detected by parse_url() is actually
+a valid password; we can re-use is_userinfo_valid() for that.
+
+(cherry picked from commit a5538c62293fa782fcc382d0635cfc0c8b9190e3)
+---
+ ext/filter/logical_filters.c | 4 +++-
+ ext/filter/tests/bug81122.phpt | 21 +++++++++++++++++++++
+ 2 files changed, 24 insertions(+), 1 deletion(-)
+ create mode 100644 ext/filter/tests/bug81122.phpt
+
+diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
+index 22868fd8c1..357f7f2f43 100644
+--- a/ext/filter/logical_filters.c
++++ b/ext/filter/logical_filters.c
+@@ -587,7 +587,9 @@ bad_url:
+ RETURN_VALIDATION_FAILED
+ }
+
+- if (url->user != NULL && !is_userinfo_valid(url->user)) {
++ if (url->user != NULL && !is_userinfo_valid(url->user)
++ || url->pass != NULL && !is_userinfo_valid(url->pass)
++ ) {
+ php_url_free(url);
+ RETURN_VALIDATION_FAILED
+
+diff --git a/ext/filter/tests/bug81122.phpt b/ext/filter/tests/bug81122.phpt
+new file mode 100644
+index 0000000000..d89d4114a5
+--- /dev/null
++++ b/ext/filter/tests/bug81122.phpt
+@@ -0,0 +1,21 @@
++--TEST--
++Bug #81122 (SSRF bypass in FILTER_VALIDATE_URL)
++--SKIPIF--
++<?php
++if (!extension_loaded('filter')) die("skip filter extension not available");
++?>
++--FILE--
++<?php
++$urls = [
++ "https://example.com:\\@test.com/",
++ "https://user:\\epass@test.com",
++ "https://user:\\@test.com",
++];
++foreach ($urls as $url) {
++ var_dump(filter_var($url, FILTER_VALIDATE_URL));
++}
++?>
++--EXPECT--
++bool(false)
++bool(false)
++bool(false)
+--
+2.31.1
+
+From db917b17e82344db82a67c4c68f627246b484ac4 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 27 Jun 2021 21:57:58 -0700
+Subject: [PATCH 2/8] Fix warning
+
+(cherry picked from commit 190013787bbc424c240413d914e3a038f974ccef)
+---
+ ext/filter/logical_filters.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
+index 357f7f2f43..7a37f80e46 100644
+--- a/ext/filter/logical_filters.c
++++ b/ext/filter/logical_filters.c
+@@ -587,8 +587,8 @@ bad_url:
+ RETURN_VALIDATION_FAILED
+ }
+
+- if (url->user != NULL && !is_userinfo_valid(url->user)
+- || url->pass != NULL && !is_userinfo_valid(url->pass)
++ if ((url->user != NULL && !is_userinfo_valid(url->user))
++ || (url->pass != NULL && !is_userinfo_valid(url->pass))
+ ) {
+ php_url_free(url);
+ RETURN_VALIDATION_FAILED
+--
+2.31.1
+