1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
|
From 72f993acb5de39ca5f01146ff33ff63dc110b8b4 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 20 Sep 2020 18:08:55 -0700
Subject: [PATCH] Do not decode cookie names anymore
(cherry picked from commit 6559fe912661ca5ce5f0eeeb591d928451428ed0)
---
main/php_variables.c | 8 ++++++--
tests/basic/022.phpt | 10 +++++++---
tests/basic/023.phpt | 4 +++-
tests/basic/bug79699.phpt | 22 ++++++++++++++++++++++
4 files changed, 38 insertions(+), 6 deletions(-)
create mode 100644 tests/basic/bug79699.phpt
diff --git a/main/php_variables.c b/main/php_variables.c
index c56d23003c..d0223df44a 100644
--- a/main/php_variables.c
+++ b/main/php_variables.c
@@ -484,7 +484,9 @@ SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data)
size_t new_val_len;
*val++ = '\0';
- php_url_decode(var, strlen(var));
+ if (arg != PARSE_COOKIE) {
+ php_url_decode(var, strlen(var));
+ }
val_len = php_url_decode(val, strlen(val));
val = estrndup(val, val_len);
if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len)) {
@@ -495,7 +497,9 @@ SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data)
size_t val_len;
size_t new_val_len;
- php_url_decode(var, strlen(var));
+ if (arg != PARSE_COOKIE) {
+ php_url_decode(var, strlen(var));
+ }
val_len = 0;
val = estrndup("", val_len);
if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len)) {
diff --git a/tests/basic/022.phpt b/tests/basic/022.phpt
index 0ab70d4be7..bd1db13701 100644
--- a/tests/basic/022.phpt
+++ b/tests/basic/022.phpt
@@ -10,7 +10,7 @@ cookie1=val1 ; cookie2=val2%20; cookie3=val 3.; cookie 4= value 4 %3B; cookie1=
var_dump($_COOKIE);
?>
--EXPECT--
-array(10) {
+array(12) {
["cookie1"]=>
string(6) "val1 "
["cookie2"]=>
@@ -19,11 +19,15 @@ array(10) {
string(6) "val 3."
["cookie_4"]=>
string(10) " value 4 ;"
+ ["%20cookie1"]=>
+ string(6) "ignore"
+ ["+cookie1"]=>
+ string(6) "ignore"
["cookie__5"]=>
string(7) " value"
- ["cookie_6"]=>
+ ["cookie%206"]=>
string(3) "þæö"
- ["cookie_7"]=>
+ ["cookie+7"]=>
string(0) ""
["$cookie_8"]=>
string(0) ""
diff --git a/tests/basic/023.phpt b/tests/basic/023.phpt
index ca5f1dcfbb..0e2e0ac669 100644
--- a/tests/basic/023.phpt
+++ b/tests/basic/023.phpt
@@ -10,9 +10,11 @@ c o o k i e=value; c o o k i e= v a l u e ;;c%20o+o k+i%20e=v;name="value","valu
var_dump($_COOKIE);
?>
--EXPECT--
-array(3) {
+array(4) {
["c_o_o_k_i_e"]=>
string(5) "value"
+ ["c%20o+o_k+i%20e"]=>
+ string(1) "v"
["name"]=>
string(24) ""value","value",UEhQIQ=="
["UEhQIQ"]=>
diff --git a/tests/basic/bug79699.phpt b/tests/basic/bug79699.phpt
new file mode 100644
index 0000000000..fc3d3fedb0
--- /dev/null
+++ b/tests/basic/bug79699.phpt
@@ -0,0 +1,22 @@
+--TEST--
+Cookies Security Bug
+--INI--
+max_input_vars=1000
+filter.default=unsafe_raw
+--COOKIE--
+__%48ost-evil=evil; __Host-evil=good; %66oo=baz;foo=bar
+--FILE--
+<?php
+var_dump($_COOKIE);
+?>
+--EXPECT--
+array(4) {
+ ["__%48ost-evil"]=>
+ string(4) "evil"
+ ["__Host-evil"]=>
+ string(4) "good"
+ ["%66oo"]=>
+ string(3) "baz"
+ ["foo"]=>
+ string(3) "bar"
+}
From ff5acd41c3498c1bf78f2803bbef89f006cbffb8 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 29 Sep 2020 08:53:26 +0200
Subject: [PATCH] NEWS
---
NEWS | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/NEWS b/NEWS
index 2c340eb648..bc49257774 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,18 @@
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+Backported from 7.2.34
+
+- Core:
+ . Fixed bug #79699 (PHP parses encoded cookie names so malicious `__Host-`
+ cookies can be sent). (CVE-2020-7070) (Stas)
+
+- OpenSSL:
+ . Fixed bug #79601 (Wrong ciphertext/tag in AES-CCM encryption for a 12
+ bytes IV). (CVE-2020-7069) (Jakub Zelenka)
+ . Fixed bug #78079 (openssl_encrypt_ccm.phpt fails with OpenSSL 1.1.1c).
+ (Jakub Zelenka)
+
Backported from 7.2.33
- Core:
|
