mirror of https://github.com/php/php-src.git synced 2026-04-25 08:58:28 +02:00

Fix GHSA-c5f2-jwm7-mmq2: stream HTTP fulluri CRLF injection

Jakub Zelenka
2024-11-08 23:43:47 +01:00
parent 2518ec1118
commit ab16b79dfd
2 changed files with 40 additions and 6 deletions
+12 -6
@@ -184,6 +184,11 @@ static php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
return NULL;
}
/* Should we send the entire path in the request line, default to no. */
if (context && (tmpzval = php_stream_context_get_option(context, "http", "request_fulluri")) != NULL) {
request_fulluri = zend_is_true(tmpzval);
}
use_ssl = (ZSTR_LEN(resource->scheme) > 4) && ZSTR_VAL(resource->scheme)[4] == 's';
/* choose default ports */
if (use_ssl && resource->port == 0)
@@ -202,6 +207,13 @@ static php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
}
}
if (request_fulluri && (strchr(path, '\n') != NULL || strchr(path, '\r') != NULL)) {
php_stream_wrapper_log_error(wrapper, options, "HTTP wrapper full URI path does not allow CR or LF characters");
php_url_free(resource);
zend_string_release(transport_string);
return NULL;
}
if (context && (tmpzval = php_stream_context_get_option(context, wrapper->wops->label, "timeout")) != NULL) {
double d = zval_get_double(tmpzval);
#ifndef PHP_WIN32
@@ -382,12 +394,6 @@ finish:
smart_str_appends(&req_buf, "GET ");
}
/* Should we send the entire path in the request line, default to no. */
if (!request_fulluri && context &&
(tmpzval = php_stream_context_get_option(context, "http", "request_fulluri")) != NULL) {
request_fulluri = zend_is_true(tmpzval);
}
if (request_fulluri) {
/* Ask for everything */
smart_str_appends(&req_buf, path);
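Review bot: The guard added in the second hunk, `if (request_fulluri && (strchr(path, '\n') != NULL || strchr(path, '\r') != NULL))`, has no comment saying what it protects, and the sink it protects is `smart_str_appends(&req_buf, path)` under `if (request_fulluri)` in the third hunk, far enough away that a later edit could separate the two without anyone noticing. I would add above the guard `/* With request_fulluri the raw path is copied verbatim into the request line, so CR/LF must be rejected before the request is built. */`. The two scans can also be a single call, `if (request_fulluri && strpbrk(path, "\r\n") != NULL) {`. The check covers CR and LF only, so other bytes that are not valid in a request target (space, tab) still reach the request line unchanged; whether that matters depends on how strictly the receiving proxy parses the line, which these hunks do not show. The body of php_stream_url_wrap_http_ex starts and ends outside the hunks.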
@@ -0,0 +1,28 @@
--TEST--
GHSA-c5f2-jwm7-mmq2 (Configuring a proxy in a stream context might allow for CRLF injection in URIs)
--INI--
allow_url_fopen=1
--CONFLICTS--
server
--FILE--
<?php
$serverCode = <<<'CODE'
echo $_SERVER['REQUEST_URI'];
CODE;
include __DIR__."/../../../../sapi/cli/tests/php_cli_server.inc";
php_cli_server_start($serverCode, null, []);
$host = PHP_CLI_SERVER_ADDRESS;
$userinput = "index.php HTTP/1.1\r\nHost: $host\r\n\r\nGET /index2.php HTTP/1.1\r\nHost: $host\r\n\r\nGET /index.php";
$context = stream_context_create(['http' => ['proxy' => 'tcp://' . $host, 'request_fulluri' => true]]);
echo file_get_contents("http://$host/$userinput", false, $context);
?>
--EXPECTF--
Warning: file_get_contents(http://localhost:%d/index.php HTTP/1.1
Host: localhost:%d
GET /index2.php HTTP/1.1
Host: localhost:%d
GET /index.php): Failed to open stream: HTTP wrapper full URI path does not allow CR or LF characters in %s on line %d
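Review bot: The test sends only a payload in which CR and LF appear together, while the guard it covers checks the two characters independently, so a path containing a lone `\n` or a lone `\r` is never exercised. I would add a second `file_get_contents()` call whose path contains only `\n`, with its matching `Warning:` line in `--EXPECTF--`. A third call with a clean path and `'request_fulluri' => true` would show that the option still works after its lookup was moved earlier in the function.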