php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76829 Incorrect validation of domain on idn_to_utf8() function
Submitted: 2018-08-31 14:45 UTC Modified: 2018-08-31 17:46 UTC
From: dsromashov at yandex dot ru Assigned:
Status: Closed Package: intl (PECL)
PHP Version: 7.0.31 OS:
Private report: No CVE-ID: None
 [2018-08-31 14:45 UTC] dsromashov at yandex dot ru
Description:
------------
In source code https://github.com/php/php-src/blob/master/ext/intl/idn/idn.c#L159 I see that comparison with 255 bytes is after covertation to Unicode by uidna_nameToUnicodeUTF8() function and it is wrong.
So domain 'абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаеж.рф' has 264 bytes, so idn_to_utf8() function returns false.



RFC 589: https://tools.ietf.org/rfc/rfc5890#page-16. U-label Lengths section:
"Because A-labels (the form actually used in the DNS) are potentially much more compressed than UTF-8 (and UTF-8 is, in general, more compressed that UTF-16 or UTF-32), U-labels that obey all of the relevant symmetry (and other) constraints of these documents may be quite a bit longer, potentially up to 252 characters (Unicode code points).  A fully-qualified domain name containing several such labels can obviously also exceed the nominal 255 octet limit for such names.  Application authors using U-labels must exert due caution to avoid buffer overflow and truncation errors and attacks in contexts where shorter strings are expected."

So, it is need compare with 255 bytes punycode form of domain, not Unicode.


Test script:
---------------
$punycode = idn_to_ascii('абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаеж.рф', IDNA_DEFAULT, INTL_IDNA_VARIANT_UTS46);

$unicode = idn_to_utf8($punycode, IDNA_DEFAULT, INTL_IDNA_VARIANT_UTS46);

var_dump($unicode);



Expected result:
----------------
string(294) "абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаежзи.абвгдаеж.рф"

Actual result:
--------------
bool(false)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-08-31 17:46 UTC] cmb@php.net
-Package: idn +Package: intl
 [2018-08-31 22:21 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b9ca573a1bf62e7fb55e863e2073e29ae94d59eb
Log: Fixed bug #76829 Incorrect validation of domain on idn_to_utf8() function
 [2018-08-31 22:21 UTC] ab@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Thu Dec 13 22:01:26 2018 UTC