From: mberg at synacor dot com
Operating system: Red Hat Linux 7.2 (ish)
PHP version: 4.4.2
PHP Bug Type: Filesystem function related
Bug description: Fix for #32936 affects valid http redirects

Description:
------------
The original report was a vulnerability in redirects to FTP servers, since they don't perform URL escaping, but the fix affects HTTP and HTTPS as well. This broke one valid redirection for us that we know about. My fix was to wrap the calls to CHECK_FOR_CNTRL_CHARS in a conditional:

diff -u2 -r php-4.4.2.orig/ext/standard/http_fopen_wrapper.c php-4.4.2/ext/standard/http_fopen_wrapper.c --- php-4.4.2.orig/ext/standard/http_fopen_wrapper.c Sun Jan 1 08:46:57 2006 +++ php-4.4.2/ext/standard/http_fopen_wrapper.c Fri Apr 7 18:07:28 2006 
@@ -503,7 +503,9 @@ } \ /* check for control characters in login, password & path */ - CHECK_FOR_CNTRL_CHARS(resource->user) - CHECK_FOR_CNTRL_CHARS(resource->pass) - CHECK_FOR_CNTRL_CHARS(resource->path) + if (strncasecmp(resource->scheme, "http", sizeof("http")) && strncasecmp(resource->scheme, "https", sizeof("https"))) { + CHECK_FOR_CNTRL_CHARS(resource->user) + CHECK_FOR_CNTRL_CHARS(resource->pass) + CHECK_FOR_CNTRL_CHARS(resource->path) + } stream = php_stream_url_wrap_http_ex(NULL, new_path, mode, options, opened_path, context, --redirect_max, 0 STREAMS_CC TSRMLS_CC);

-- 
Edit bug report at http://bugs.php.net/?id=37045&edit=1
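
Review bot: The new if around the three CHECK_FOR_CNTRL_CHARS calls switches the check off completely whenever the redirect target's scheme is http or https, so resource->user, resource->pass and resource->path all reach php_stream_url_wrap_http_ex unchecked for those schemes, CR and LF included. The description says one valid redirect broke but not which field or which character tripped the check; I would keep the check for every scheme and relax only what that redirect needs, rather than exempt two schemes wholesale. Style: sizeof("http") and sizeof("https") count the terminating NUL, so both strncasecmp calls are really whole-string comparisons; strcasecmp would say that directly, and the condition needs a comment explaining why http and https are treated differently.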