File php7-CVE-2020-7071.patch of Package php7.20329
X-Git-Url: http://208.43.231.11:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fstandard%2Furl.c;h=113e0100243a4391a15e8fe1727867239201af7a;hp=a33091a86b75191c469a0c1dd076f0bf911af376;hb=b7f837381ef642d7fb369bfd0069e7525d4c22ea;hpb=b4b4a75afccde07724c39f8e8eb6217bab1db8bd
Index: php-7.4.6/ext/standard/url.c
===================================================================
--- php-7.4.6.orig/ext/standard/url.c 2020-05-12 10:09:27.000000000 +0200
+++ php-7.4.6/ext/standard/url.c 2021-01-11 12:10:00.876716443 +0100
@@ -87,6 +87,22 @@ PHPAPI php_url *php_url_parse(char const
return php_url_parse_ex(str, strlen(str));
}
+static int is_userinfo_valid(const char *str, size_t len)
+{
+ const char *valid = "-._~!$&'()*+,;=:";
+ const char *p = str;
+ while (p - str < len) {
+ if (isalpha(*p) || isdigit(*p) || strchr(valid, *p)) {
+ p++;
+ } else if (*p == '%' && p - str <= len - 3 && isdigit(*(p+1)) && isxdigit(*(p+2))) {
+ p += 3;
+ } else {
+ return 0;
+ }
+ }
+ return 1;
+}
+
/* {{{ php_url_parse
*/
PHPAPI php_url *php_url_parse_ex(char const *str, size_t length)
@@ -228,13 +244,17 @@ PHPAPI php_url *php_url_parse_ex(char co
ret->pass = zend_string_init(pp, (p-pp), 0);
php_replace_controlchars_ex(ZSTR_VAL(ret->pass), ZSTR_LEN(ret->pass));
} else {
- ret->user = zend_string_init(s, (p-s), 0);
- php_replace_controlchars_ex(ZSTR_VAL(ret->user), ZSTR_LEN(ret->user));
+ if (!is_userinfo_valid(s, p-s)) {
+ goto check_port;
+ }
+ ret->user = zend_string_init(s, (p-s), 0);
+ php_replace_controlchars_ex(ZSTR_VAL(ret->user), ZSTR_LEN(ret->user));
}
s = p + 1;
}
+check_port:
/* check for port */
if (s < ue && *s == '[' && *(e-1) == ']') {
/* Short circuit portscan,