From 11787051a17d2fcea427cd66c3fcc5e99ab94a03 Mon Sep 17 00:00:00 2001 From: Jakub Zelenka Date: Fri, 8 Nov 2024 23:43:47 +0100 Subject: [PATCH 4/9] Fix GHSA-c5f2-jwm7-mmq2: stream HTTP fulluri CRLF injection (cherry picked from commit 426a6d4539ebee34879ac5de857036bb6ff0e732) (cherry picked from commit bc1f192102dd8cbda028e40aa31604c4885d387c) (cherry picked from commit 8d130e16fbfda7d154fedfa0f1ff1d5ad5e26815) (cherry picked from commit 494de65139592da0e5e5b6fdf198c2f9c762f4d6) (cherry picked from commit dcb89ed9d0217510f3906ce0c517f704e6bd80dc) --- ext/standard/http_fopen_wrapper.c | 18 ++++++++---- .../tests/http/ghsa-c5f2-jwm7-mmq2.phpt | 28 +++++++++++++++++++ 2 files changed, 40 insertions(+), 6 deletions(-) create mode 100644 ext/standard/tests/http/ghsa-c5f2-jwm7-mmq2.phpt diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c index be23679d2d..e125364923 100644 --- a/ext/standard/http_fopen_wrapper.c +++ b/ext/standard/http_fopen_wrapper.c @@ -176,6 +176,11 @@ static php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper, return NULL; } + /* Should we send the entire path in the request line, default to no. */ + if (context && (tmpzval = php_stream_context_get_option(context, "http", "request_fulluri")) != NULL) { + request_fulluri = zend_is_true(tmpzval); + } + use_ssl = resource->scheme && (strlen(resource->scheme) > 4) && resource->scheme[4] == 's'; /* choose default ports */ if (use_ssl && resource->port == 0) @@ -195,6 +200,13 @@ static php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper, } } + if (request_fulluri && (strchr(path, '\n') != NULL || strchr(path, '\r') != NULL)) { + php_stream_wrapper_log_error(wrapper, options, "HTTP wrapper full URI path does not allow CR or LF characters"); + php_url_free(resource); + efree(transport_string); + return NULL; + } + if (context && (tmpzval = php_stream_context_get_option(context, wrapper->wops->label, "timeout")) != NULL) { double d = zval_get_double(tmpzval); #ifndef PHP_WIN32 @@ -375,12 +387,6 @@ finish: smart_str_appends(&req_buf, "GET "); } - /* Should we send the entire path in the request line, default to no. */ - if (!request_fulluri && context && - (tmpzval = php_stream_context_get_option(context, "http", "request_fulluri")) != NULL) { - request_fulluri = zend_is_true(tmpzval); - } - if (request_fulluri) { /* Ask for everything */ smart_str_appends(&req_buf, path); diff --git a/ext/standard/tests/http/ghsa-c5f2-jwm7-mmq2.phpt b/ext/standard/tests/http/ghsa-c5f2-jwm7-mmq2.phpt new file mode 100644 index 0000000000..6e68f67654 --- /dev/null +++ b/ext/standard/tests/http/ghsa-c5f2-jwm7-mmq2.phpt @@ -0,0 +1,28 @@ +--TEST-- +GHSA-c5f2-jwm7-mmq2 (Configuring a proxy in a stream context might allow for CRLF injection in URIs) +--INI-- +allow_url_fopen=1 +--CONFLICTS-- +server +--FILE-- + ['proxy' => 'tcp://' . $host, 'request_fulluri' => true]]); +echo file_get_contents("http://$host/$userinput", false, $context); +?> +--EXPECTF-- +Warning: file_get_contents(http://localhost:%d/index.php HTTP/1.1 +Host: localhost:%d + +GET /index2.php HTTP/1.1 +Host: localhost:%d + +GET /index.php): failed to open stream: HTTP wrapper full URI path does not allow CR or LF characters in %s on line %d -- 2.47.0