Fix GHSA-c5f2-jwm7-mmq2: stream HTTP fulluri CRLF injection

bukka · remicollet · commit 8dab7d0bb9c4 · 2024-11-26T11:43:27.000+01:00
(cherry picked from commit 426a6d4539ebee34879ac5de857036bb6ff0e732) (cherry picked from commit bc1f192) (cherry picked from commit 8d130e1) (cherry picked from commit 494de65) (cherry picked from commit dcb89ed) (cherry picked from commit 1178705) (cherry picked from commit 59bfc16)
diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
@@ -182,6 +182,11 @@ php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
 			return NULL;
 		}
 
+		/* Should we send the entire path in the request line, default to no. */
+		if (context && (tmpzval = php_stream_context_get_option(context, "http", "request_fulluri")) != NULL) {
+			request_fulluri = zend_is_true(tmpzval);
+		}
+
 		use_ssl = resource->scheme && (strlen(resource->scheme) > 4) && resource->scheme[4] == 's';
 		/* choose default ports */
 		if (use_ssl && resource->port == 0)
@@ -201,6 +206,13 @@ php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
 		}
 	}
 
+	if (request_fulluri && (strchr(path, '\n') != NULL || strchr(path, '\r') != NULL)) {
+		php_stream_wrapper_log_error(wrapper, options, "HTTP wrapper full URI path does not allow CR or LF characters");
+		php_url_free(resource);
+		efree(transport_string);
+		return NULL;
+	}
+
 	if (context && (tmpzval = php_stream_context_get_option(context, wrapper->wops->label, "timeout")) != NULL) {
 		double d = zval_get_double(tmpzval);
 #ifndef PHP_WIN32
@@ -387,12 +399,6 @@ php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
 		strncpy(scratch, "GET ", scratch_len);
 	}
 
-	/* Should we send the entire path in the request line, default to no. */
-	if (!request_fulluri && context &&
-		(tmpzval = php_stream_context_get_option(context, "http", "request_fulluri")) != NULL) {
-		request_fulluri = zend_is_true(tmpzval);
-	}
-
 	if (request_fulluri) {
 		/* Ask for everything */
 		strcat(scratch, path);
diff --git a/ext/standard/tests/http/ghsa-c5f2-jwm7-mmq2.phpt b/ext/standard/tests/http/ghsa-c5f2-jwm7-mmq2.phpt
@@ -0,0 +1,28 @@
+--TEST--
+GHSA-c5f2-jwm7-mmq2 (Configuring a proxy in a stream context might allow for CRLF injection in URIs)
+--INI--
+allow_url_fopen=1
+--CONFLICTS--
+server
+--FILE--
+<?php
+$serverCode = <<<'CODE'
+echo $_SERVER['REQUEST_URI'];
+CODE;
+
+include __DIR__."/../../../../sapi/cli/tests/php_cli_server.inc";
+php_cli_server_start($serverCode, null);
+
+$host = PHP_CLI_SERVER_ADDRESS;
+$userinput = "index.php HTTP/1.1\r\nHost: $host\r\n\r\nGET /index2.php HTTP/1.1\r\nHost: $host\r\n\r\nGET /index.php";
+$context = stream_context_create(['http' => ['proxy' => 'tcp://' . $host, 'request_fulluri' => true]]);
+echo file_get_contents("http://$host/$userinput", false, $context);
+?>
+--EXPECTF--
+Warning: file_get_contents(http://localhost:%d/index.php HTTP/1.1
+Host: localhost:%d
+
+GET /index2.php HTTP/1.1
+Host: localhost:%d
+
+GET /index.php): failed to open stream: HTTP wrapper full URI path does not allow CR or LF characters in %s on line %d
