ID:               37045
Updated by:       [EMAIL PROTECTED]
Reported By:      mberg at synacor dot com
-Status:          Assigned
+Status:          Closed
Bug Type:         Filesystem function related
Operating System: Red Hat Linux 7.2 (ish)
PHP Version:      5.1.2, 4.4.2
Assigned To:      iliaa
New Comment:

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

Previous Comments:
------------------------------------------------------------------------

[2006-04-12 14:45:41] [EMAIL PROTECTED]

Ilia, your fix broke this?

------------------------------------------------------------------------

[2006-04-11 20:43:09] mberg at synacor dot com

Description:
------------
The original report was a vulnerability in redirects to FTP servers, since they don't perform URL escaping, but the fix affects HTTP and HTTPS as well. This broke one valid redirection for us that we know about.

My fix was to wrap the calls to CHECK_FOR_CNTRL_CHARS in a conditional:

diff -u2 -r php-4.4.2.orig/ext/standard/http_fopen_wrapper.c php-4.4.2/ext/standard/http_fopen_wrapper.c --- php-4.4.2.orig/ext/standard/http_fopen_wrapper.c Sun Jan 1 08:46:57 2006 +++ php-4.4.2/ext/standard/http_fopen_wrapper.c Fri Apr 7 18:07:28 2006 @@ -503,7 +503,9 @@ } \ /* check for control characters in login, password & path */ - CHECK_FOR_CNTRL_CHARS(resource->user) - CHECK_FOR_CNTRL_CHARS(resource->pass) - CHECK_FOR_CNTRL_CHARS(resource->path) + if (strncasecmp(resource->scheme, "http", sizeof("http")) && strncasecmp(resource->scheme, "https", sizeof("https"))) { + CHECK_FOR_CNTRL_CHARS(resource->user) + CHECK_FOR_CNTRL_CHARS(resource->pass) + CHECK_FOR_CNTRL_CHARS(resource->path) + } stream = php_stream_url_wrap_http_ex(NULL, new_path, mode, options, opened_path, context, --redirect_max, 0 STREAMS_CC TSRMLS_CC);

------------------------------------------------------------------------

-- Edit this bug report at http://bugs.php.net/?id=37045&edit=1
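
Review bot: the new `if` around the three CHECK_FOR_CNTRL_CHARS calls exempts http and https redirects from the check on user and pass as well as path, while the comment above it still reads "check for control characters in login, password & path" with no mention of the exemption. Please add a comment saying why HTTP(S) targets can skip the check, and consider keeping the check on resource->user and resource->pass if only the path caused the broken redirect. Two smaller points on the condition: sizeof("http") counts the terminating NUL, so these strncasecmp calls are exact matches and strcasecmp would say that directly; and resource->scheme is dereferenced with no NULL check in this hunk, so confirm it cannot be NULL at this point.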