
Commit dcb89ed

bukkaremicollet
authored andcommitted
Fix GHSA-c5f2-jwm7-mmq2: stream HTTP fulluri CRLF injection
(cherry picked from commit 426a6d4539ebee34879ac5de857036bb6ff0e732) (cherry picked from commit bc1f192) (cherry picked from commit 8d130e1) (cherry picked from commit 494de65)
1 parent 37056ad commit dcb89ed


2 files changed

+40
-6
lines changed


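--- a/ext/standard/http_fopen_wrapper.c
+++ b/ext/standard/http_fopen_wrapper.c
@@ -187,6 +187,11 @@ static php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
 return NULL;
 }
 
+/* Should we send the entire path in the request line, default to no. */
+if (context && (tmpzval = php_stream_context_get_option(context, "http", "request_fulluri")) != NULL) {
+request_fulluri = zend_is_true(tmpzval);
+}
+
 use_ssl = resource->scheme && (ZSTR_LEN(resource->scheme) > 4) && ZSTR_VAL(resource->scheme)[4] == 's';
 /* choose default ports */
 if (use_ssl && resource->port == 0)
@@ -206,6 +211,13 @@ static php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
 }
 }
 
+if (request_fulluri && (strchr(path, '\n') != NULL || strchr(path, '\r') != NULL)) {
+php_stream_wrapper_log_error(wrapper, options, "HTTP wrapper full URI path does not allow CR or LF characters");
+php_url_free(resource);
+efree(transport_string);
+return NULL;
+}
+
 if (context && (tmpzval = php_stream_context_get_option(context, wrapper->wops->label, "timeout")) != NULL) {
 double d = zval_get_double(tmpzval);
 #ifndef PHP_WIN32
@@ -386,12 +398,6 @@ static php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
 smart_str_appends(&req_buf, "GET ");
 }
 
-/* Should we send the entire path in the request line, default to no. */
-if (!request_fulluri && context &&
-(tmpzval = php_stream_context_get_option(context, "http", "request_fulluri")) != NULL) {
-request_fulluri = zend_is_true(tmpzval);
-}
-
 if (request_fulluri) {
 /* Ask for everything */
 smart_str_appends(&req_buf, path);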
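Review bot: The CR/LF guard added at new line 214 carries no comment naming the sink it protects, which sits almost two hundred lines later at `smart_str_appends(&req_buf, path);` (new line 403), so a later edit could move or loosen one without noticing the other. I would add above the check: `/* path is copied verbatim into the request line when request_fulluri is set; reject CR/LF so it cannot end the line early */`. The two `strchr` calls can also be a single scan, `strpbrk(path, "\r\n") != NULL`. The check covers CR and LF only; a space or other control byte in `path` still reaches the request line unchanged, which looks malformed rather than injectable, but is worth confirming against how strictly the receiving proxy parses it. php_stream_url_wrap_http_ex starts and ends outside these hunks, so the cleanup on the new early return (`php_url_free(resource)`, `efree(transport_string)`) could not be checked against everything allocated by that point.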
Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,28 @@
1+
--TEST--
2+
GHSA-c5f2-jwm7-mmq2 (Configuring a proxy in a stream context might allow for CRLF injection in URIs)
3+
--INI--
4+
allow_url_fopen=1
5+
--CONFLICTS--
6+
server
7+
--FILE--
8+
<?php
9+
$serverCode = <<<'CODE'
10+
echo $_SERVER['REQUEST_URI'];
11+
CODE;
12+
13+
include __DIR__."/../../../../sapi/cli/tests/php_cli_server.inc";
14+
php_cli_server_start($serverCode, null);
15+
16+
$host = PHP_CLI_SERVER_ADDRESS;
17+
$userinput = "index.php HTTP/1.1\r\nHost: $host\r\n\r\nGET /index2.php HTTP/1.1\r\nHost: $host\r\n\r\nGET /index.php";
18+
$context = stream_context_create(['http' => ['proxy' => 'tcp://' . $host, 'request_fulluri' => true]]);
19+
echo file_get_contents("http://$host/$userinput", false, $context);
20+
?>
21+
--EXPECTF--
22+
Warning: file_get_contents(http://localhost:%d/index.php HTTP/1.1
23+
Host: localhost:%d
24+
25+
GET /index2.php HTTP/1.1
26+
Host: localhost:%d
27+
28+
GET /index.php): failed to open stream: HTTP wrapper full URI path does not allow CR or LF characters in %s on line %d
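Review bot: The test drives only the combined CR LF sequence through `$userinput`, so the `strchr(path, '\r')` half of the new check is never evaluated: the `'\n'` test matches first and short-circuits. Two further cases, one with a lone `\n` and one with a lone `\r` in the URL, each expecting the same warning, would pin both halves. A control case with a clean path and `'request_fulluri' => true` would also show that a valid request through the proxy still succeeds after the change.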
