yohgaki
Contributor

@yohgaki yohgaki commented Sep 1, 2016

@smalyshev
Contributor

looks ok to me

@yohgaki
Contributor Author

yohgaki commented Sep 6, 2016

@smalyshev Which branch should I apply? Even if it's not a perfect mitigation for ReDoS, it does work for some types of ReDoS attacks and no additional globals. If nobody objects, I would like to apply it from the PHP-5.6 branch.

@smalyshev
Contributor

If RMs do not object, I think 5.6 is good.

@@ -1473,6 +1473,25 @@ static PHP_INI_MH(OnUpdate_mbstring_http_output_conv_mimetypes)
return SUCCESS;
}
/* }}} */

Member

If the PHP_INI_ENTRY() is commented out by preprocessor macros, then shouldn't the PHP_INI_MH() function be too?

Contributor Author

Thank you. I should!

@cmb69
Member

cmb69 commented Oct 18, 2016

> If RMs do not object, I think 5.6 is good.

ACK.

@Tyrael, @weltling what do you think?

@weltling
Contributor

@cmb69 onig_set_match_stack_limit_size() is not thread safe, that was the last point as it was discussed on the security lists. Either the ini setting has to be PHP_INI_SYSTEM, or the underlying lib needs to be patched. That was the last status, AFAIR.

Thanks.

@cmb69
Member

cmb69 commented Oct 18, 2016

Thanks for the update, Anatol! :-)

@krakjoe
Member

krakjoe commented Jan 3, 2017

@yohgaki can you apply the change requested by @weltling? Alternatively, if you consider this work abandoned (because the fix belongs upstream), please close this PR.

@krakjoe
Member

krakjoe commented Mar 1, 2017

Having waited more than a month (2) for feedback and activity on this PR, it would seem abandoned, so I'm closing it.

@krakjoe krakjoe closed this Mar 1, 2017
@smalyshev smalyshev reopened this Mar 18, 2019
@smalyshev
Contributor

smalyshev commented Mar 18, 2019

I think we should revive this; having regex functionality with no limits (while the underlying library supports limits) is not great. If @yohgaki doesn't update it, I plan to try and bring it into 7.1 with the necessary fixes.


stack_limit = atol(ZSTR_VAL(new_value));
if (stack_limit > 0 && stack_limit <= UINT_MAX) {
onig_set_match_stack_limit_size(stack_limit);
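
Review bot: atol() on the stack_limit line accepts trailing garbage (a constructed value such as "100x" parses as 100) and has undefined behaviour on overflow, so the range check that follows cannot be trusted for malformed input; parse with strtol(), checking errno and the end pointer, before comparing. If stack_limit is a long, the `stack_limit <= UINT_MAX` bound is always true on platforms where long is 32 bits. The accepted value is passed to onig_set_match_stack_limit_size(), so the thread-safety concern raised earlier in this conversation applies to this call.
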
Contributor

We should probably use onig_set_match_stack_limit_size_of_match_param() and onig_match_with_param()
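
The difference between a process-wide limit and a limit passed with each match call, as an added example that is not code from this PR, PHP or Oniguruma: a toy backtracking matcher in which a step budget stands in for the match stack limit. The names `match_param` and `match_with_limit` and the sample pattern are assumptions made for the illustration.

```c
#include <stdio.h>
/* match_param and match_with_limit are hypothetical names, not Oniguruma API. */
typedef struct {
    unsigned long max_steps;   /* budget owned by this call only */
    unsigned long steps;       /* work done so far */
} match_param;
enum { MATCH_LIMIT = -1, MATCH_NO = 0, MATCH_YES = 1 };
static int match_here(const char *re, const char *s, match_param *mp);

/* "c*" followed by re: try every repetition count (backtracking). */
static int match_star(int c, const char *re, const char *s, match_param *mp)
{
    do {
        int r = match_here(re, s, mp);
        if (r != MATCH_NO)
            return r;                      /* matched, or budget exhausted */
    } while (*s != '\0' && (*s++ == c || c == '.'));
    return MATCH_NO;
}

static int match_here(const char *re, const char *s, match_param *mp)
{
    if (++mp->steps > mp->max_steps)
        return MATCH_LIMIT;                /* abort instead of running on */
    if (re[0] == '\0')
        return *s == '\0' ? MATCH_YES : MATCH_NO;   /* whole-string match */
    if (re[1] == '*')
        return match_star(re[0], re + 2, s, mp);
    if (*s != '\0' && (re[0] == '.' || re[0] == *s))
        return match_here(re + 1, s + 1, mp);
    return MATCH_NO;
}

/* The limit travels with the call: no process-wide state is written. */
int match_with_limit(const char *re, const char *s, unsigned long max_steps, unsigned long *used)
{
    match_param mp = { max_steps, 0 };     /* fresh budget per call */
    int r = match_here(re, s, &mp);
    if (used) *used = mp.steps;
    return r;
}

int main(void)
{
    unsigned long used = 0;
    /* Constructed input: six nested "a*" and a subject that can never match. */
    int r = match_with_limit("a*a*a*a*a*a*b", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", 10000, &used);
    printf("result=%d steps=%lu\n", r, used);
    return 0;
}
```

Because each call carries its own `match_param`, two threads matching with different limits cannot overwrite each other's setting, which is the property a global setter lacks.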

@nikic
Member

nikic commented Mar 18, 2019

@smalyshev As a side note, if you're looking into making mbstring more defensive, you might want to consider backporting f5d2a30 and 2e59426.

@smalyshev
Contributor

@nikic yes, I think it makes sense to backport these; we've had overflow issues that happen because of invalid encoding.

@yohgaki
Contributor Author

yohgaki commented Apr 22, 2019

@smalyshev Thank you for taking care of this.

@nikic
Member

nikic commented Jun 14, 2019

This has been implemented in #3997, so closing this one :)

@nikic nikic closed this Jun 14, 2019