Created
June 14, 2021 11:23
Fix for PHP bug #81122
From 724da851c72007aaafe29f9afaa7ce8dcbce5c8e Mon Sep 17 00:00:00 2001 | |
From: "Christoph M. Becker" <cmbecker69@gmx.de> | |
Date: Mon, 14 Jun 2021 13:22:27 +0200 | |
Subject: [PATCH] Fix #81122: SSRF bypass in FILTER_VALIDATE_URL | |
We need to ensure that the password detected by parse_url() is actually | |
a valid password; we can re-use is_userinfo_valid() for that. | |
--- | |
ext/filter/logical_filters.c | 4 +++- | |
ext/filter/tests/bug81122.phpt | 21 +++++++++++++++++++++ | |
2 files changed, 24 insertions(+), 1 deletion(-) | |
create mode 100644 ext/filter/tests/bug81122.phpt | |
diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c | |
index 1cf345dbb5..3f314fefa0 100644 | |
--- a/ext/filter/logical_filters.c | |
+++ b/ext/filter/logical_filters.c | |
@@ -609,7 +609,9 @@ bad_url: | |
RETURN_VALIDATION_FAILED | |
} | |
- if (url->user != NULL && !is_userinfo_valid(url->user)) { | |
+ if (url->user != NULL && !is_userinfo_valid(url->user) | |
+ || url->pass != NULL && !is_userinfo_valid(url->pass) | |
+ ) { | |
php_url_free(url); | |
RETURN_VALIDATION_FAILED | |
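Review bot: The rewritten condition mixes `&&` and `||` without grouping. Precedence makes it correct, but a validation check that guards against SSRF is easier to audit, and quieter under `-Wparentheses`, when written as `if ((url->user != NULL && !is_userinfo_valid(url->user)) || (url->pass != NULL && !is_userinfo_valid(url->pass))) {`. A one-line comment above it would record why the password is checked, e.g. `/* the password reported by parse_url() must be valid userinfo too (bug #81122) */`. is_userinfo_valid() is defined outside this hunk, so confirm that the character set it accepts is appropriate for the password component and not only for the user name. The body of the `if` continues past the end of the hunk.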
diff --git a/ext/filter/tests/bug81122.phpt b/ext/filter/tests/bug81122.phpt | |
new file mode 100644 | |
index 0000000000..d89d4114a5 | |
--- /dev/null | |
+++ b/ext/filter/tests/bug81122.phpt | |
@@ -0,0 +1,21 @@ | |
+--TEST-- | |
+Bug #81122 (SSRF bypass in FILTER_VALIDATE_URL) | |
+--SKIPIF-- | |
+<?php | |
+if (!extension_loaded('filter')) die("skip filter extension not available"); | |
+?> | |
+--FILE-- | |
+<?php | |
+$urls = [ | |
+ "https://example.com:\\@test.com/", | |
+ "https://user:\\epass@test.com", | |
+ "https://user:\\@test.com", | |
+]; | |
+foreach ($urls as $url) { | |
+ var_dump(filter_var($url, FILTER_VALIDATE_URL)); | |
+} | |
+?> | |
+--EXPECT-- | |
+bool(false) | |
+bool(false) | |
+bool(false) | |
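Review bot: The test lists only URLs that must be rejected, so it would still pass if the new password check rejected every URL that carries a password. Adding a positive control guards against that over-rejection: append `"https://user:pass@test.com",` to `$urls` and `string(26) "https://user:pass@test.com"` to the `--EXPECT--` section. A short comment above `$urls` noting that each rejected entry places a backslash in the password position would also help later readers see what the three cases have in common.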
-- | |
2.32.0.windows.1 | |