summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2024-06-05 07:52:16 +0200
committerRemi Collet <remi@php.net>2024-06-05 07:52:16 +0200
commit13a3244124b870632454ec8452fdcca0ebfe37af (patch)
treeee4a93b62742364760dca1db46270561dd8b59a3
parent3b831d483c7757c23b0b25885c6aab6ba5c7ed35 (diff)
Fix filter bypass in filter_var FILTER_VALIDATE_URL
CVE-2024-5458
-rw-r--r--failed.txt4
-rw-r--r--php-cve-2024-5458.patch182
-rw-r--r--php.spec14
3 files changed, 195 insertions, 5 deletions
diff --git a/failed.txt b/failed.txt
index 26bdaa9..015e11f 100644
--- a/failed.txt
+++ b/failed.txt
@@ -3,12 +3,14 @@
$ grep -ar 'Tests failed' /var/lib/mock/*/build.log
/var/lib/mock/scl73el7x/build.log:Tests failed : 2
+/var/lib/mock/scl73el84/build.log:Tests failed : 14
/var/lib/mock/scl73el8x/build.log:Tests failed : 15
+x86_64:
+ 3 Zend/tests/bug74093.phpt
el7x:
5 ext/openssl/tests/openssl_x509_checkpurpose_basic.phpt
- 3 Zend/tests/bug74093.phpt
el8x:
2 buildroot issue with strict openssl policy (fixed in 7.4)
diff --git a/php-cve-2024-5458.patch b/php-cve-2024-5458.patch
new file mode 100644
index 0000000..65405ee
--- /dev/null
+++ b/php-cve-2024-5458.patch
@@ -0,0 +1,182 @@
+From 76362f9526afbd5565003d981f9507aaf62337f2 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Wed, 22 May 2024 22:25:02 +0200
+Subject: [PATCH 1/2] Fix GHSA-w8qr-v226-r27w
+
+We should not early-out with success status if we found an ipv6
+hostname, we should keep checking the rest of the conditions.
+Because integrating the if-check of the ipv6 hostname in the
+"Validate domain" if-check made the code hard to read, I extracted the
+condition out to a separate function. This also required to make
+a few pointers const in order to have some clean code.
+
+(cherry picked from commit 4066610b47e22c24cbee91be434a94357056a479)
+(cherry picked from commit 08be64e40197fc12dca5f802d16748d9c3cb4cb4)
+---
+ ext/filter/logical_filters.c | 35 ++++++++++---------
+ ext/filter/tests/ghsa-w8qr-v226-r27w.phpt | 41 +++++++++++++++++++++++
+ 2 files changed, 61 insertions(+), 15 deletions(-)
+ create mode 100644 ext/filter/tests/ghsa-w8qr-v226-r27w.phpt
+
+diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
+index 3f314fefa0..59b7cb8ff8 100644
+--- a/ext/filter/logical_filters.c
++++ b/ext/filter/logical_filters.c
+@@ -79,7 +79,7 @@
+ #define FORMAT_IPV4 4
+ #define FORMAT_IPV6 6
+
+-static int _php_filter_validate_ipv6(char *str, size_t str_len);
++static int _php_filter_validate_ipv6(const char *str, size_t str_len);
+
+ static int php_filter_parse_int(const char *str, size_t str_len, zend_long *ret) { /* {{{ */
+ zend_long ctx_value;
+@@ -548,6 +548,14 @@ static int is_userinfo_valid(zend_string *str)
+ return 1;
+ }
+
++static zend_bool php_filter_is_valid_ipv6_hostname(const char *s, size_t l)
++{
++ const char *e = s + l;
++ const char *t = e - 1;
++
++ return *s == '[' && *t == ']' && _php_filter_validate_ipv6(s + 1, l - 2);
++}
++
+ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
+ {
+ php_url *url;
+@@ -573,7 +581,7 @@ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
+
+ if (url->scheme != NULL &&
+ (zend_string_equals_literal_ci(url->scheme, "http") || zend_string_equals_literal_ci(url->scheme, "https"))) {
+- char *e, *s, *t;
++ const char *s;
+ size_t l;
+
+ if (url->host == NULL) {
+@@ -582,17 +590,14 @@ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
+
+ s = ZSTR_VAL(url->host);
+ l = ZSTR_LEN(url->host);
+- e = s + l;
+- t = e - 1;
+-
+- /* An IPv6 enclosed by square brackets is a valid hostname */
+- if (*s == '[' && *t == ']' && _php_filter_validate_ipv6((s + 1), l - 2)) {
+- php_url_free(url);
+- return;
+- }
+
+- // Validate domain
+- if (!_php_filter_validate_domain(ZSTR_VAL(url->host), l, FILTER_FLAG_HOSTNAME)) {
++ if (
++ /* An IPv6 enclosed by square brackets is a valid hostname.*/
++ !php_filter_is_valid_ipv6_hostname(s, l) &&
++ /* Validate domain.
++ * This includes a loose check for an IPv4 address. */
++ !_php_filter_validate_domain(ZSTR_VAL(url->host), l, FILTER_FLAG_HOSTNAME)
++ ) {
+ php_url_free(url);
+ RETURN_VALIDATION_FAILED
+ }
+@@ -726,15 +731,15 @@ static int _php_filter_validate_ipv4(char *str, size_t str_len, int *ip) /* {{{
+ }
+ /* }}} */
+
+-static int _php_filter_validate_ipv6(char *str, size_t str_len) /* {{{ */
++static int _php_filter_validate_ipv6(const char *str, size_t str_len) /* {{{ */
+ {
+ int compressed = 0;
+ int blocks = 0;
+ int n;
+ char *ipv4;
+- char *end;
++ const char *end;
+ int ip4elm[4];
+- char *s = str;
++ const char *s = str;
+
+ if (!memchr(str, ':', str_len)) {
+ return 0;
+diff --git a/ext/filter/tests/ghsa-w8qr-v226-r27w.phpt b/ext/filter/tests/ghsa-w8qr-v226-r27w.phpt
+new file mode 100644
+index 0000000000..0092408ee5
+--- /dev/null
++++ b/ext/filter/tests/ghsa-w8qr-v226-r27w.phpt
+@@ -0,0 +1,41 @@
++--TEST--
++GHSA-w8qr-v226-r27w
++--EXTENSIONS--
++filter
++--FILE--
++<?php
++
++function test(string $input) {
++ var_dump(filter_var($input, FILTER_VALIDATE_URL));
++}
++
++echo "--- These ones should fail ---\n";
++test("http://t[est@127.0.0.1");
++test("http://t[est@[::1]");
++test("http://t[est@[::1");
++test("http://t[est@::1]");
++test("http://php.net\\@aliyun.com/aaa.do");
++test("http://test[@2001:db8:3333:4444:5555:6666:1.2.3.4]");
++test("http://te[st@2001:db8:3333:4444:5555:6666:1.2.3.4]");
++test("http://te[st@2001:db8:3333:4444:5555:6666:1.2.3.4");
++
++echo "--- These ones should work ---\n";
++test("http://test@127.0.0.1");
++test("http://test@[2001:db8:3333:4444:5555:6666:1.2.3.4]");
++test("http://test@[::1]");
++
++?>
++--EXPECT--
++--- These ones should fail ---
++bool(false)
++bool(false)
++bool(false)
++bool(false)
++bool(false)
++bool(false)
++bool(false)
++bool(false)
++--- These ones should work ---
++string(21) "http://test@127.0.0.1"
++string(50) "http://test@[2001:db8:3333:4444:5555:6666:1.2.3.4]"
++string(17) "http://test@[::1]"
+--
+2.45.1
+
+From cfe1b1acead13b6af163f3ce947d3a1dbded82a0 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Tue, 4 Jun 2024 16:48:08 +0200
+Subject: [PATCH 2/2] NEWS
+
+(cherry picked from commit a1ff81b786bd519597e770795be114f5171f0648)
+(cherry picked from commit ec1d5e6468479e64acc7fb8cb955f053b64ea9a0)
+---
+ NEWS | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 6ad89d2e8e..1075db151f 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,12 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 8.1.29
++
++- Filter:
++ . Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL).
++ (CVE-2024-5458) (nielsdos)
++
+ Backported from 8.1.28
+
+ - Standard:
+--
+2.45.1
+
diff --git a/php.spec b/php.spec
index 7a1db7e..6b412b7 100644
--- a/php.spec
+++ b/php.spec
@@ -56,9 +56,9 @@
%global mysql_sock %(mysql_config --socket 2>/dev/null || echo /var/lib/mysql/mysql.sock)
%ifarch aarch64
-%global oraclever 19.19
+%global oraclever 19.22
%global oraclelib 19.1
-%global oracledir 19.19
+%global oracledir 19.22
%else
%global oraclever 21.13
%global oraclelib 21.1
@@ -133,7 +133,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: %{?scl_prefix}php
Version: %{upver}%{?rcver:~%{rcver}}
-Release: 13%{?dist}
+Release: 14%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -219,6 +219,7 @@ Patch210: php-cve-2023-3823.patch
Patch211: php-cve-2023-3824.patch
Patch212: php-cve-2024-2756.patch
Patch213: php-cve-2024-3096.patch
+Patch214: php-cve-2024-5458.patch
# Fixes for tests (300+)
# Factory is droped from system tzdata
@@ -1009,6 +1010,7 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in
%patch -P211 -p1 -b .cve3824
%patch -P212 -p1 -b .cve2756
%patch -P213 -p1 -b .cve3096
+%patch -P214 -p1 -b .cve5458
# Fixes for tests
%patch -P300 -p1 -b .datetests
@@ -1787,7 +1789,7 @@ cat << EOF
WARNING : PHP 7.3 have reached its "End of Life" in
December 2021. Even, if this package includes some of
- the important security fixes, backported from 8.0, the
+ the important security fixes, backported from 8.1, the
UPGRADE to a maintained version is very strongly RECOMMENDED.
=====================================================================
@@ -1968,6 +1970,10 @@ EOF
%changelog
+* Tue Jun 4 2024 Remi Collet <remi@remirepo.net> - 7.3.33-14
+- Fix filter bypass in filter_var FILTER_VALIDATE_URL
+ CVE-2024-5458
+
* Wed Apr 10 2024 Remi Collet <remi@remirepo.net> - 7.3.33-13
- use oracle client library version 21.13 on x86_64, 19.19 on aarch64
- Fix __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix