From f1e91ce7ba0eb5df6b73823e9fb9130c489d9b0c Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Mon, 28 Jun 2021 13:51:57 +0200
Subject: Fix #81122 SSRF bypass in FILTER_VALIDATE_URL   CVE-2021-21705 Fix
 #76448 Stack buffer overflow in firebird_info_cb Fix #76449 SIGSEGV in
 firebird_handle_doer Fix #76450 SIGSEGV in firebird_stmt_execute Fix #76452
 Crash while parsing blob data in firebird_fetch_blob   CVE-2021-21704

---
 php-bug81122.patch | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)
 create mode 100644 php-bug81122.patch

(limited to 'php-bug81122.patch')

diff --git a/php-bug81122.patch b/php-bug81122.patch
new file mode 100644
index 0000000..3d200d6
--- /dev/null
+++ b/php-bug81122.patch
@@ -0,0 +1,88 @@
+From bb524cfbd498cebedd9f866c51cef97b69f59644 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Mon, 14 Jun 2021 13:22:27 +0200
+Subject: [PATCH 1/8] Fix #81122: SSRF bypass in FILTER_VALIDATE_URL
+
+We need to ensure that the password detected by parse_url() is actually
+a valid password; we can re-use is_userinfo_valid() for that.
+
+(cherry picked from commit a5538c62293fa782fcc382d0635cfc0c8b9190e3)
+---
+ ext/filter/logical_filters.c   |  4 +++-
+ ext/filter/tests/bug81122.phpt | 21 +++++++++++++++++++++
+ 2 files changed, 24 insertions(+), 1 deletion(-)
+ create mode 100644 ext/filter/tests/bug81122.phpt
+
+diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
+index 22868fd8c1..357f7f2f43 100644
+--- a/ext/filter/logical_filters.c
++++ b/ext/filter/logical_filters.c
+@@ -587,7 +587,9 @@ bad_url:
+ 		RETURN_VALIDATION_FAILED
+ 	}
+ 
+-	if (url->user != NULL && !is_userinfo_valid(url->user)) {
++	if (url->user != NULL && !is_userinfo_valid(url->user)
++		|| url->pass != NULL && !is_userinfo_valid(url->pass)
++	) {
+ 		php_url_free(url);
+ 		RETURN_VALIDATION_FAILED
+ 
+diff --git a/ext/filter/tests/bug81122.phpt b/ext/filter/tests/bug81122.phpt
+new file mode 100644
+index 0000000000..d89d4114a5
+--- /dev/null
++++ b/ext/filter/tests/bug81122.phpt
+@@ -0,0 +1,21 @@
++--TEST--
++Bug #81122 (SSRF bypass in FILTER_VALIDATE_URL)
++--SKIPIF--
++<?php
++if (!extension_loaded('filter')) die("skip filter extension not available");
++?>
++--FILE--
++<?php
++$urls = [
++    "https://example.com:\\@test.com/",
++    "https://user:\\epass@test.com",
++    "https://user:\\@test.com",
++];
++foreach ($urls as $url) {
++    var_dump(filter_var($url, FILTER_VALIDATE_URL));
++}
++?>
++--EXPECT--
++bool(false)
++bool(false)
++bool(false)
+-- 
+2.31.1
+
+From db917b17e82344db82a67c4c68f627246b484ac4 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 27 Jun 2021 21:57:58 -0700
+Subject: [PATCH 2/8] Fix warning
+
+(cherry picked from commit 190013787bbc424c240413d914e3a038f974ccef)
+---
+ ext/filter/logical_filters.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
+index 357f7f2f43..7a37f80e46 100644
+--- a/ext/filter/logical_filters.c
++++ b/ext/filter/logical_filters.c
+@@ -587,8 +587,8 @@ bad_url:
+ 		RETURN_VALIDATION_FAILED
+ 	}
+ 
+-	if (url->user != NULL && !is_userinfo_valid(url->user)
+-		|| url->pass != NULL && !is_userinfo_valid(url->pass)
++	if ((url->user != NULL && !is_userinfo_valid(url->user))
++		|| (url->pass != NULL && !is_userinfo_valid(url->pass))
+ 	) {
+ 		php_url_free(url);
+ 		RETURN_VALIDATION_FAILED
+-- 
+2.31.1
+
-- 
cgit