Fix #81122: SSRF bypass in FILTER_VALIDATE_URL

cmb69 · derickr · commit 5cea97e08344 · 2021-06-29T16:10:58.000+01:00
We need to ensure that the password detected by parse_url() is actually
a valid password; we can re-use is_userinfo_valid() for that.
diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
@@ -632,7 +632,9 @@ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
 		RETURN_VALIDATION_FAILED
 	}
 
-	if (url->user != NULL && !is_userinfo_valid(url->user)) {
+	if (url->user != NULL && !is_userinfo_valid(url->user)
+		|| url->pass != NULL && !is_userinfo_valid(url->pass)
+	) {
 		php_url_free(url);
 		RETURN_VALIDATION_FAILED
 
diff --git a/ext/filter/tests/bug81122.phpt b/ext/filter/tests/bug81122.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #81122 (SSRF bypass in FILTER_VALIDATE_URL)
+--SKIPIF--
+<?php
+if (!extension_loaded('filter')) die("skip filter extension not available");
+?>
+--FILE--
+<?php
+$urls = [
+    "https://example.com:\\@test.com/",
+    "https://user:\\epass@test.com",
+    "https://user:\\@test.com",
+];
+foreach ($urls as $url) {
+    var_dump(filter_var($url, FILTER_VALIDATE_URL));
+}
+?>
+--EXPECT--
+bool(false)
+bool(false)
+bool(false)

Original file line number	Diff line number	Diff line change
`@@ -632,7 +632,9 @@ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */`
`632`	`632`	`RETURN_VALIDATION_FAILED`
`633`	`633`	`}`
`634`	`634`
`635`		`- if (url->user != NULL && !is_userinfo_valid(url->user)) {`
	`635`	`+ if (url->user != NULL && !is_userinfo_valid(url->user)`
	`636`	`+ \|\| url->pass != NULL && !is_userinfo_valid(url->pass)`
	`637`	`+ ) {`
`636`	`638`	`php_url_free(url);`
`637`	`639`	`RETURN_VALIDATION_FAILED`
`638`	`640`