Skip to content

Commit

Permalink
Fix #81122: SSRF bypass in FILTER_VALIDATE_URL
Browse files Browse the repository at this point in the history 
We need to ensure that the password detected by parse_url() is actually
a valid password; we can re-use is_userinfo_valid() for that.
  • Loading branch information
@cmb69 @carusogabriel
cmb69 authored and carusogabriel committed Jun 29, 2021
1 parent e6063db commit 5a1fe88
Show file tree
Hide file tree
Showing 2 changed files with 24 additions and 1 deletion.
4 changes: 3 additions & 1 deletion ext/filter/logical_filters.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -628,7 +628,9 @@ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
RETURN_VALIDATION_FAILED
}

if (url->user != NULL && !is_userinfo_valid(url->user)) {
if (url->user != NULL && !is_userinfo_valid(url->user)
|| url->pass != NULL && !is_userinfo_valid(url->pass)
) {
php_url_free(url);
RETURN_VALIDATION_FAILED

Expand Down
21 changes: 21 additions & 0 deletions ext/filter/tests/bug81122.phpt
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
--TEST--
Bug #81122 (SSRF bypass in FILTER_VALIDATE_URL)
--SKIPIF--
<?php
if (!extension_loaded('filter')) die("skip filter extension not available");
?>
--FILE--
<?php
$urls = [
"https://example.com:\\@test.com/",
"https://user:\\epass@test.com",
"https://user:\\@test.com",
];
foreach ($urls as $url) {
var_dump(filter_var($url, FILTER_VALIDATE_URL));
}
?>
--EXPECT--
bool(false)
bool(false)
bool(false)

0 comments on commit 5a1fe88

Please sign in to comment.