PHP :: Bug #37045 :: Fix for #32936 affects valid http redirects

Bug #37045	Fix for #32936 affects valid http redirects
Submitted:	2006-04-11 20:43 UTC	Modified:	2006-04-16 16:56 UTC
From:	mberg at synacor dot com	Assigned:	iliaa (profile)
Status:	Closed	Package:	Filesystem function related
PHP Version:	5.1.2, 4.4.2	OS:	Red Hat Linux 7.2 (ish)
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	mberg at synacor dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2006-04-11 20:43 UTC] mberg at synacor dot com

Description:
------------
The original report was a vulnerability in redirects to FTP servers, since they don't perform URL escaping, but the fix effects HTTP and HTTPS as well.

This broke one valid redirection for us that we know about.

My fix was to wrap the calls to CHECK_FOR_CNTRL_CHARS in a conditional:

diff -u2 -r php-4.4.2.orig/ext/standard/http_fopen_wrapper.c php-4.4.2/ext/standard/http_fopen_wrapper.c
--- php-4.4.2.orig/ext/standard/http_fopen_wrapper.c    Sun Jan  1 08:46:57 2006
+++ php-4.4.2/ext/standard/http_fopen_wrapper.c Fri Apr  7 18:07:28 2006
@@ -503,7 +503,9 @@
 }      \
                        /* check for control characters in login, password & path */
-                       CHECK_FOR_CNTRL_CHARS(resource->user)
-                       CHECK_FOR_CNTRL_CHARS(resource->pass)
-                       CHECK_FOR_CNTRL_CHARS(resource->path)
+                       if (strncasecmp(resource->scheme, "http", sizeof("http")) && strncasecmp(resource->scheme, "https", sizeof("https"))) {
+                               CHECK_FOR_CNTRL_CHARS(resource->user)

+                               CHECK_FOR_CNTRL_CHARS(resource->pass)
+                               CHECK_FOR_CNTRL_CHARS(resource->path)
+                       }

                        stream = php_stream_url_wrap_http_ex(NULL, new_path, mode, options, opened_path, context, --redirect_max, 0 STREAMS_CC TSRMLS_CC);

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-04-12 14:45 UTC] sniper@php.net

Ilia, your fix broke this?

[2006-04-16 16:56 UTC] iliaa@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu May 02 22:01:30 2024 UTC