diff options
author | Remi Collet <remi@remirepo.net> | 2021-06-28 11:30:15 +0200 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2021-06-28 11:30:15 +0200 |
commit | 535f16040de32c9cb02a79ea91c74501dba2d382 (patch) | |
tree | bfb634a0a45052916a08aa1fffcc34304f6e9f4f /php-bug81122.patch | |
parent | e7088ca64f9ebe2f0904a38978805b4671bb896f (diff) |
Fix #81122 SSRF bypass in FILTER_VALIDATE_URL
CVE-2021-21705
Fix #76448 Stack buffer overflow in firebird_info_cb
Fix #76449 SIGSEGV in firebird_handle_doer
Fix #76450 SIGSEGV in firebird_stmt_execute
Fix #76452 Crash while parsing blob data in firebird_fetch_blob
CVE-2021-21704
Diffstat (limited to 'php-bug81122.patch')
-rw-r--r-- | php-bug81122.patch | 88 |
1 files changed, 88 insertions, 0 deletions
diff --git a/php-bug81122.patch b/php-bug81122.patch new file mode 100644 index 0000000..a534139 --- /dev/null +++ b/php-bug81122.patch @@ -0,0 +1,88 @@ +From 34e7f97cf67a8e2e0dd6675e4d82c0f8be7ad77f Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecker69@gmx.de> +Date: Mon, 14 Jun 2021 13:22:27 +0200 +Subject: [PATCH 1/7] Fix #81122: SSRF bypass in FILTER_VALIDATE_URL + +We need to ensure that the password detected by parse_url() is actually +a valid password; we can re-use is_userinfo_valid() for that. + +(cherry picked from commit a5538c62293fa782fcc382d0635cfc0c8b9190e3) +--- + ext/filter/logical_filters.c | 4 +++- + ext/filter/tests/bug81122.phpt | 21 +++++++++++++++++++++ + 2 files changed, 24 insertions(+), 1 deletion(-) + create mode 100644 ext/filter/tests/bug81122.phpt + +diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c +index ad0956a505..7ddf44cff0 100644 +--- a/ext/filter/logical_filters.c ++++ b/ext/filter/logical_filters.c +@@ -587,7 +587,9 @@ bad_url: + RETURN_VALIDATION_FAILED + } + +- if (url->user != NULL && !is_userinfo_valid(url->user)) { ++ if (url->user != NULL && !is_userinfo_valid(url->user) ++ || url->pass != NULL && !is_userinfo_valid(url->pass) ++ ) { + php_url_free(url); + RETURN_VALIDATION_FAILED + +diff --git a/ext/filter/tests/bug81122.phpt b/ext/filter/tests/bug81122.phpt +new file mode 100644 +index 0000000000..d89d4114a5 +--- /dev/null ++++ b/ext/filter/tests/bug81122.phpt +@@ -0,0 +1,21 @@ ++--TEST-- ++Bug #81122 (SSRF bypass in FILTER_VALIDATE_URL) ++--SKIPIF-- ++<?php ++if (!extension_loaded('filter')) die("skip filter extension not available"); ++?> ++--FILE-- ++<?php ++$urls = [ ++ "https://example.com:\\@test.com/", ++ "https://user:\\epass@test.com", ++ "https://user:\\@test.com", ++]; ++foreach ($urls as $url) { ++ var_dump(filter_var($url, FILTER_VALIDATE_URL)); ++} ++?> ++--EXPECT-- ++bool(false) ++bool(false) ++bool(false) +-- +2.31.1 + +From 84d1d39e26520ae131a6ac14891c836adc969ad5 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 27 Jun 2021 21:57:58 -0700 +Subject: [PATCH 2/7] Fix warning + +(cherry picked from commit 190013787bbc424c240413d914e3a038f974ccef) +--- + ext/filter/logical_filters.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c +index 7ddf44cff0..6894fa2551 100644 +--- a/ext/filter/logical_filters.c ++++ b/ext/filter/logical_filters.c +@@ -587,8 +587,8 @@ bad_url: + RETURN_VALIDATION_FAILED + } + +- if (url->user != NULL && !is_userinfo_valid(url->user) +- || url->pass != NULL && !is_userinfo_valid(url->pass) ++ if ((url->user != NULL && !is_userinfo_valid(url->user)) ++ || (url->pass != NULL && !is_userinfo_valid(url->pass)) + ) { + php_url_free(url); + RETURN_VALIDATION_FAILED +-- +2.31.1 + |