fix CVE-2024-5458
(cherry picked from commit dbbea5b9ee97d9afe8cbaea63cf94a18017d8fe7)
This commit is contained in:
Funda Wang
openeuler-sync-bot
parent
dcdc496aa5
commit
c52c3289a3
177
php-cve-2024-5458.patch
Normal file
177
php-cve-2024-5458.patch
Normal file
@ -0,0 +1,177 @@
|
||||
From 4066610b47e22c24cbee91be434a94357056a479 Mon Sep 17 00:00:00 2001
|
||||
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
|
||||
Date: Wed, 22 May 2024 22:25:02 +0200
|
||||
Subject: [PATCH 1/2] Fix GHSA-w8qr-v226-r27w
|
||||
|
||||
We should not early-out with success status if we found an ipv6
|
||||
hostname, we should keep checking the rest of the conditions.
|
||||
Because integrating the if-check of the ipv6 hostname in the
|
||||
"Validate domain" if-check made the code hard to read, I extracted the
|
||||
condition out to a separate function. This also required to make
|
||||
a few pointers const in order to have some clean code.
|
||||
---
|
||||
ext/filter/logical_filters.c | 35 ++++++++++---------
|
||||
ext/filter/tests/ghsa-w8qr-v226-r27w.phpt | 41 +++++++++++++++++++++++
|
||||
2 files changed, 61 insertions(+), 15 deletions(-)
|
||||
create mode 100644 ext/filter/tests/ghsa-w8qr-v226-r27w.phpt
|
||||
|
||||
diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
|
||||
index ad011568aac..300c6e2809c 100644
|
||||
--- a/ext/filter/logical_filters.c
|
||||
+++ b/ext/filter/logical_filters.c
|
||||
@@ -89,7 +89,7 @@
|
||||
#define FORMAT_IPV4 4
|
||||
#define FORMAT_IPV6 6
|
||||
|
||||
-static int _php_filter_validate_ipv6(char *str, size_t str_len, int ip[8]);
|
||||
+static int _php_filter_validate_ipv6(const char *str, size_t str_len, int ip[8]);
|
||||
|
||||
static int php_filter_parse_int(const char *str, size_t str_len, zend_long *ret) { /* {{{ */
|
||||
zend_long ctx_value;
|
||||
@@ -572,6 +572,14 @@ static int is_userinfo_valid(zend_string *str)
|
||||
return 1;
|
||||
}
|
||||
|
||||
+static bool php_filter_is_valid_ipv6_hostname(const char *s, size_t l)
|
||||
+{
|
||||
+ const char *e = s + l;
|
||||
+ const char *t = e - 1;
|
||||
+
|
||||
+ return *s == '[' && *t == ']' && _php_filter_validate_ipv6(s + 1, l - 2, NULL);
|
||||
+}
|
||||
+
|
||||
void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
|
||||
{
|
||||
php_url *url;
|
||||
@@ -592,7 +600,7 @@ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
|
||||
|
||||
if (url->scheme != NULL &&
|
||||
(zend_string_equals_literal_ci(url->scheme, "http") || zend_string_equals_literal_ci(url->scheme, "https"))) {
|
||||
- char *e, *s, *t;
|
||||
+ const char *s;
|
||||
size_t l;
|
||||
|
||||
if (url->host == NULL) {
|
||||
@@ -601,17 +609,14 @@ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
|
||||
|
||||
s = ZSTR_VAL(url->host);
|
||||
l = ZSTR_LEN(url->host);
|
||||
- e = s + l;
|
||||
- t = e - 1;
|
||||
-
|
||||
- /* An IPv6 enclosed by square brackets is a valid hostname */
|
||||
- if (*s == '[' && *t == ']' && _php_filter_validate_ipv6((s + 1), l - 2, NULL)) {
|
||||
- php_url_free(url);
|
||||
- return;
|
||||
- }
|
||||
|
||||
- // Validate domain
|
||||
- if (!_php_filter_validate_domain(ZSTR_VAL(url->host), l, FILTER_FLAG_HOSTNAME)) {
|
||||
+ if (
|
||||
+ /* An IPv6 enclosed by square brackets is a valid hostname.*/
|
||||
+ !php_filter_is_valid_ipv6_hostname(s, l) &&
|
||||
+ /* Validate domain.
|
||||
+ * This includes a loose check for an IPv4 address. */
|
||||
+ !_php_filter_validate_domain(ZSTR_VAL(url->host), l, FILTER_FLAG_HOSTNAME)
|
||||
+ ) {
|
||||
php_url_free(url);
|
||||
RETURN_VALIDATION_FAILED
|
||||
}
|
||||
@@ -745,15 +750,15 @@ static int _php_filter_validate_ipv4(char *str, size_t str_len, int *ip) /* {{{
|
||||
}
|
||||
/* }}} */
|
||||
|
||||
-static int _php_filter_validate_ipv6(char *str, size_t str_len, int ip[8]) /* {{{ */
|
||||
+static int _php_filter_validate_ipv6(const char *str, size_t str_len, int ip[8]) /* {{{ */
|
||||
{
|
||||
int compressed_pos = -1;
|
||||
int blocks = 0;
|
||||
int num, n, i;
|
||||
char *ipv4;
|
||||
- char *end;
|
||||
+ const char *end;
|
||||
int ip4elm[4];
|
||||
- char *s = str;
|
||||
+ const char *s = str;
|
||||
|
||||
if (!memchr(str, ':', str_len)) {
|
||||
return 0;
|
||||
diff --git a/ext/filter/tests/ghsa-w8qr-v226-r27w.phpt b/ext/filter/tests/ghsa-w8qr-v226-r27w.phpt
|
||||
new file mode 100644
|
||||
index 00000000000..0092408ee5a
|
||||
--- /dev/null
|
||||
+++ b/ext/filter/tests/ghsa-w8qr-v226-r27w.phpt
|
||||
@@ -0,0 +1,41 @@
|
||||
+--TEST--
|
||||
+GHSA-w8qr-v226-r27w
|
||||
+--EXTENSIONS--
|
||||
+filter
|
||||
+--FILE--
|
||||
+<?php
|
||||
+
|
||||
+function test(string $input) {
|
||||
+ var_dump(filter_var($input, FILTER_VALIDATE_URL));
|
||||
+}
|
||||
+
|
||||
+echo "--- These ones should fail ---\n";
|
||||
+test("http://t[est@127.0.0.1");
|
||||
+test("http://t[est@[::1]");
|
||||
+test("http://t[est@[::1");
|
||||
+test("http://t[est@::1]");
|
||||
+test("http://php.net\\@aliyun.com/aaa.do");
|
||||
+test("http://test[@2001:db8:3333:4444:5555:6666:1.2.3.4]");
|
||||
+test("http://te[st@2001:db8:3333:4444:5555:6666:1.2.3.4]");
|
||||
+test("http://te[st@2001:db8:3333:4444:5555:6666:1.2.3.4");
|
||||
+
|
||||
+echo "--- These ones should work ---\n";
|
||||
+test("http://test@127.0.0.1");
|
||||
+test("http://test@[2001:db8:3333:4444:5555:6666:1.2.3.4]");
|
||||
+test("http://test@[::1]");
|
||||
+
|
||||
+?>
|
||||
+--EXPECT--
|
||||
+--- These ones should fail ---
|
||||
+bool(false)
|
||||
+bool(false)
|
||||
+bool(false)
|
||||
+bool(false)
|
||||
+bool(false)
|
||||
+bool(false)
|
||||
+bool(false)
|
||||
+bool(false)
|
||||
+--- These ones should work ---
|
||||
+string(21) "http://test@127.0.0.1"
|
||||
+string(50) "http://test@[2001:db8:3333:4444:5555:6666:1.2.3.4]"
|
||||
+string(17) "http://test@[::1]"
|
||||
--
|
||||
2.45.1
|
||||
|
||||
From a1ff81b786bd519597e770795be114f5171f0648 Mon Sep 17 00:00:00 2001
|
||||
From: Remi Collet <remi@remirepo.net>
|
||||
Date: Tue, 4 Jun 2024 16:48:08 +0200
|
||||
Subject: [PATCH 2/2] NEWS
|
||||
|
||||
---
|
||||
NEWS | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/NEWS b/NEWS
|
||||
index 1300609f189..7a9b6bdae18 100644
|
||||
--- a/NEWS
|
||||
+++ b/NEWS
|
||||
@@ -1,6 +1,12 @@
|
||||
PHP NEWS
|
||||
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||
|
||||
+Backported from 8.1.29
|
||||
+
|
||||
+- Filter:
|
||||
+ . Fixed bug GHSA-w8qr-v226-r27w (Filter bypass in filter_var FILTER_VALIDATE_URL).
|
||||
+ (CVE-2024-5458) (nielsdos)
|
||||
+
|
||||
Backported from 8.1.28
|
||||
|
||||
- Standard:
|
||||
--
|
||||
2.45.1
|
||||
|
||||
6
php.spec
6
php.spec
@ -26,7 +26,7 @@
|
||||
|
||||
Name: php
|
||||
Version: %{upver}
|
||||
Release: 3
|
||||
Release: 4
|
||||
Summary: PHP scripting language for creating dynamic web sites
|
||||
License: PHP-3.01 and Zend-2.0 and BSD and MIT and ASL 1.0 and NCSA
|
||||
URL: http://www.php.net/
|
||||
@ -58,6 +58,7 @@ Patch7: php-7.4.0-datetests.patch
|
||||
Patch8: php-Add-sw64-architecture.patch
|
||||
Patch9: php-cve-2024-2756.patch
|
||||
Patch10: php-cve-2024-3096.patch
|
||||
Patch11: php-cve-2024-5458.patch
|
||||
|
||||
BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem
|
||||
BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel
|
||||
@ -1085,6 +1086,9 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
|
||||
|
||||
|
||||
%changelog
|
||||
* Fri Jun 07 2024 Funda Wang <fundawang@yeah.net> - 8.0.30-4
|
||||
- fix CVE-2024-5458
|
||||
|
||||
* Fri Apr 12 2024 Funda Wang <fundawang@yeah.net> - 8.0.30-3
|
||||
- fix CVE-2024-2756, CVE-2024-3096
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user