security #cve-2019-11325 [VarExporter] fix exporting some strings (ni…

…colas-grekas) This PR was merged into the 4.3 branch.
symfony · Nov 12, 2019 · 227e73d · 227e73d
2 parents 2baf53a + d446d77
commit 227e73d
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 20 deletions.
diff --git a/src/Symfony/Component/VarExporter/Internal/Exporter.php b/src/Symfony/Component/VarExporter/Internal/Exporter.php
@@ -212,27 +212,28 @@ public static function export($value, $indent = '')
         $subIndent = $indent.'    ';
 
         if (\is_string($value)) {
-            $code = var_export($value, true);
-
-            if (false !== strpos($value, "\n") || false !== strpos($value, "\r")) {
-                $code = strtr($code, [
-                    "\r\n" => "'.\"\\r\\n\"\n".$subIndent.".'",
-                    "\r" => "'.\"\\r\"\n".$subIndent.".'",
-                    "\n" => "'.\"\\n\"\n".$subIndent.".'",
-                ]);
-            }
+            $code = sprintf("'%s'", addcslashes($value, "'\\"));
 
-            if (false !== strpos($value, "\0")) {
-                $code = str_replace('\' . "\0" . \'', '\'."\0".\'', $code);
-                $code = str_replace('".\'\'."', '', $code);
-            }
+            $code = preg_replace_callback('/([\0\r\n]++)(.)/', function ($m) use ($subIndent) {
+                $m[1] = sprintf('\'."%s".\'', str_replace(
+                    ["\0", "\r", "\n", '\n\\'],
+                    ['\0', '\r', '\n', '\n"'."\n".$subIndent.'."\\'],
+                    $m[1]
+                ));
 
-            if (false !== strpos($code, "''.")) {
-                $code = str_replace("''.", '', $code);
-            }
+                if ("'" === $m[2]) {
+                   return substr($m[1], 0, -2);
+                }
+
+                if ('n".\'' === substr($m[1], -4)) {
+                   return substr_replace($m[1], "\n".$subIndent.".'".$m[2], -2);
+                }
+
+               return $m[1].$m[2];
+            }, $code, -1, $count);
 
-            if (".''" === substr($code, -3)) {
-                $code = rtrim(substr($code, 0, -3));
+            if ($count && 0 === strpos($code, "''.")) {
+                $code = substr($code, 3);
             }
 
             return $code;

diff --git a/src/Symfony/Component/VarExporter/Tests/Fixtures/lf-ending-string.php b/src/Symfony/Component/VarExporter/Tests/Fixtures/lf-ending-string.php
@@ -0,0 +1,4 @@
+<?php
+
+return '\'BOOM\''."\n"
+    .'.var_dump(123)//\'';
diff --git a/src/Symfony/Component/VarExporter/Tests/Fixtures/multiline-string.php b/src/Symfony/Component/VarExporter/Tests/Fixtures/multiline-string.php
@@ -2,7 +2,6 @@
 
 return [
     "\0\0\r\n"
-        .'A' => 'B'."\r"
-        .'C'."\n"
+        .'A' => 'B'."\r".'C'."\n"
         ."\n",
 ];
diff --git a/src/Symfony/Component/VarExporter/Tests/VarExporterTest.php b/src/Symfony/Component/VarExporter/Tests/VarExporterTest.php
@@ -112,6 +112,7 @@ public function testExport(string $testName, $value, bool $staticValueExpected =
     public function provideExport()
     {
         yield ['multiline-string', ["\0\0\r\nA" => "B\rC\n\n"], true];
+        yield ['lf-ending-string', "'BOOM'\n.var_dump(123)//'", true];
 
         yield ['bool', true, true];
         yield ['simple-array', [123, ['abc']], true];