File php7-CVE-2024-11234.patch of Package php7.36545

From 426a6d4539ebee34879ac5de857036bb6ff0e732 Mon Sep 17 00:00:00 2001
From: Jakub Zelenka <bukka@php.net>
Date: Fri, 8 Nov 2024 23:43:47 +0100
Subject: [PATCH] Fix GHSA-c5f2-jwm7-mmq2: stream HTTP fulluri CRLF injection

---
 ext/standard/http_fopen_wrapper.c             | 18 ++++++++----
 .../tests/http/ghsa-c5f2-jwm7-mmq2.phpt       | 28 +++++++++++++++++++
 2 files changed, 40 insertions(+), 6 deletions(-)
 create mode 100644 ext/standard/tests/http/ghsa-c5f2-jwm7-mmq2.phpt

Index: php-7.4.33/ext/standard/http_fopen_wrapper.c
===================================================================
--- php-7.4.33.orig/ext/standard/http_fopen_wrapper.c
+++ php-7.4.33/ext/standard/http_fopen_wrapper.c
@@ -186,6 +186,11 @@ static php_stream *php_stream_url_wrap_h
 			return NULL;
 		}
 
+		/* Should we send the entire path in the request line, default to no. */
+		if (context && (tmpzval = php_stream_context_get_option(context, "http", "request_fulluri")) != NULL) {
+			request_fulluri = zend_is_true(tmpzval);
+		}
+
 		use_ssl = resource->scheme && (ZSTR_LEN(resource->scheme) > 4) && ZSTR_VAL(resource->scheme)[4] == 's';
 		/* choose default ports */
 		if (use_ssl && resource->port == 0)
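Review bot: The relocated option read at `request_fulluri = zend_is_true(tmpzval);` no longer has the `!request_fulluri &&` guard that the removed code in the last hunk carried, so if the flag can already be set when this block is entered, a false context option would now clear it. The enclosing block begins outside the hunk, so that cannot be confirmed from here; if the flag is always unset at this point, the comment should say so. I would also extend the comment to record the ordering dependency, e.g. `/* Read request_fulluri before connecting: the CR/LF check on path below relies on it. */`. The lookup passes the literal `"http"` while the timeout lookup in the next hunk uses `wrapper->wops->label`; using one form in both would keep them consistent.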
@@ -205,6 +210,13 @@ static php_stream *php_stream_url_wrap_h
 		}
 	}
 
+	if (request_fulluri && (strchr(path, '\n') != NULL || strchr(path, '\r') != NULL)) {
+		php_stream_wrapper_log_error(wrapper, options, "HTTP wrapper full URI path does not allow CR or LF characters");
+		php_url_free(resource);
+		zend_string_release(transport_string);
+		return NULL;
+	}
+
 	if (context && (tmpzval = php_stream_context_get_option(context, wrapper->wops->label, "timeout")) != NULL) {
 		double d = zval_get_double(tmpzval);
 #ifndef PHP_WIN32
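Review bot: The new guard `if (request_fulluri && (strchr(path, '\n') != NULL || strchr(path, '\r') != NULL))` rejects only CR and LF, while the full-URI branch later copies `path` verbatim into a space-delimited request line with `smart_str_appends(&req_buf, path)`. It is worth deciding whether spaces and other control bytes should be refused here too, or documenting where they are handled. The two `strchr` calls can be collapsed to `strpbrk(path, "\r\n") != NULL`, which makes the reject set easy to extend. A short comment such as `/* path is emitted unescaped when request_fulluri is set, so it must not contain line breaks */` would record why the check is conditional on `request_fulluri`. The function starts and ends outside the hunk, so I am assuming `transport_string` is always assigned before this early return releases it.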
@@ -385,12 +397,6 @@ finish:
 		smart_str_appends(&req_buf, "GET ");
 	}
 
-	/* Should we send the entire path in the request line, default to no. */
-	if (!request_fulluri && context &&
-		(tmpzval = php_stream_context_get_option(context, "http", "request_fulluri")) != NULL) {
-		request_fulluri = zend_is_true(tmpzval);
-	}
-
 	if (request_fulluri) {
 		/* Ask for everything */
 		smart_str_appends(&req_buf, path);