Fix GHSA-w8qr-v226-r27w

We should not early-out with success status if we found an ipv6
hostname, we should keep checking the rest of the conditions.
Because integrating the if-check of the ipv6 hostname in the
"Validate domain" if-check made the code hard to read, I extracted the
condition out to a separate function. This also required to make
a few pointers const in order to have some clean code.

(cherry picked from commit 4066610)
(cherry picked from commit 08be64e)
(cherry picked from commit 76362f9)
(cherry picked from commit 87a7b8d)
(cherry picked from commit b919ad0)

Author: nielsdos

ext/filter/logical_filters.c

@@ -81,7 +81,7 @@
 #define FORMAT_IPV4    4
 #define FORMAT_IPV6    6
 
-static int _php_filter_validate_ipv6(char *str, size_t str_len);
+static int _php_filter_validate_ipv6(const char *str, size_t str_len);
 
 static int php_filter_parse_int(const char *str, size_t str_len, zend_long *ret) { /* {{{ */
 	zend_long ctx_value;
@@ -532,6 +532,14 @@ static int is_userinfo_valid(char *str)
 	return 1;
 }
 
+static zend_bool php_filter_is_valid_ipv6_hostname(const char *s, size_t l)
+{
+	const char *e = s + l;
+	const char *t = e - 1;
+
+	return *s == '[' && *t == ']' && _php_filter_validate_ipv6(s + 1, l - 2);
+}
+
 void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
 {
 	php_url *url;
@@ -551,7 +559,7 @@ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
 	}
 
 	if (url->scheme != NULL && (!strcasecmp(url->scheme, "http") || !strcasecmp(url->scheme, "https"))) {
-		char *e, *s, *t;
+		const char *s;
 		size_t l;
 
 		if (url->host == NULL) {
@@ -560,17 +568,14 @@ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
 
 		s = url->host;
 		l = strlen(s);
-		e = url->host + l;
-		t = e - 1;
-
-		/* An IPv6 enclosed by square brackets is a valid hostname */
-		if (*s == '[' && *t == ']' && _php_filter_validate_ipv6((s + 1), l - 2)) {
-			php_url_free(url);
-			return;
-		}
 
-		// Validate domain
-		if (!_php_filter_validate_domain(url->host, l, FILTER_FLAG_HOSTNAME)) {
+		if (
+			/* An IPv6 enclosed by square brackets is a valid hostname.*/
+			!php_filter_is_valid_ipv6_hostname(s, l) &&
+			/* Validate domain.
+			 * This includes a loose check for an IPv4 address. */
+			!_php_filter_validate_domain(url->host, l, FILTER_FLAG_HOSTNAME)
+		) {
 			php_url_free(url);
 			RETURN_VALIDATION_FAILED
 		}
@@ -691,15 +696,15 @@ static int _php_filter_validate_ipv4(char *str, size_t str_len, int *ip) /* {{{
 }
 /* }}} */
 
-static int _php_filter_validate_ipv6(char *str, size_t str_len) /* {{{ */
+static int _php_filter_validate_ipv6(const char *str, size_t str_len) /* {{{ */
 {
 	int compressed = 0;
 	int blocks = 0;
 	int n;
 	char *ipv4;
-	char *end;
+	const char *end;
 	int ip4elm[4];
-	char *s = str;
+	const char *s = str;
 
 	if (!memchr(str, ':', str_len)) {
 		return 0;

ext/filter/tests/ghsa-w8qr-v226-r27w.phpt

@@ -0,0 +1,41 @@
+--TEST--
+GHSA-w8qr-v226-r27w
+--EXTENSIONS--
+filter
+--FILE--
+<?php
+
+function test(string $input) {
+    var_dump(filter_var($input, FILTER_VALIDATE_URL));
+}
+
+echo "--- These ones should fail ---\n";
+test("http://t[[email protected]");
+test("http://t[est@[::1]");
+test("http://t[est@[::1");
+test("http://t[est@::1]");
+test("http://php.net\\@aliyun.com/aaa.do");
+test("http://test[@2001:db8:3333:4444:5555:6666:1.2.3.4]");
+test("http://te[st@2001:db8:3333:4444:5555:6666:1.2.3.4]");
+test("http://te[st@2001:db8:3333:4444:5555:6666:1.2.3.4");
+
+echo "--- These ones should work ---\n";
+test("http://[email protected]");
+test("http://test@[2001:db8:3333:4444:5555:6666:1.2.3.4]");
+test("http://test@[::1]");
+
+?>
+--EXPECT--
+--- These ones should fail ---
+bool(false)
+bool(false)
+bool(false)
+bool(false)
+bool(false)
+bool(false)
+bool(false)
+bool(false)
+--- These ones should work ---
+string(21) "http://[email protected]"
+string(50) "http://test@[2001:db8:3333:4444:5555:6666:1.2.3.4]"
+string(17) "http://test@[::1]"