ID:               37045
 Updated by:       [EMAIL PROTECTED]
 Reported By:      mberg at synacor dot com
-Status:           Open
+Status:           Assigned
 Bug Type:         Filesystem function related
 Operating System: Red Hat Linux 7.2 (ish)
 PHP Version:      5.1.2, 4.4.2
-Assigned To:      
+Assigned To:      iliaa
 New Comment:

Ilia, your fix broke this?


Previous Comments:
------------------------------------------------------------------------

[2006-04-11 20:43:09] mberg at synacor dot com

Description:
------------
The original report was a vulnerability in redirects to FTP servers,
since they don't perform URL escaping, but the fix affects HTTP and
HTTPS as well.

This broke one valid redirection for us that we know about.

My fix was to wrap the calls to CHECK_FOR_CNTRL_CHARS in a
conditional:

diff -u2 -r php-4.4.2.orig/ext/standard/http_fopen_wrapper.c
php-4.4.2/ext/standard/http_fopen_wrapper.c
--- php-4.4.2.orig/ext/standard/http_fopen_wrapper.c    Sun Jan  1
08:46:57 2006
+++ php-4.4.2/ext/standard/http_fopen_wrapper.c Fri Apr  7 18:07:28
2006
@@ -503,7 +503,9 @@
 }      \
                        /* check for control characters in login,
password & path */
-                       CHECK_FOR_CNTRL_CHARS(resource->user)
-                       CHECK_FOR_CNTRL_CHARS(resource->pass)
-                       CHECK_FOR_CNTRL_CHARS(resource->path)
+                       if (strncasecmp(resource->scheme, "http",
sizeof("http")) && strncasecmp(resource->scheme, "https",
sizeof("https"))) {
+                               CHECK_FOR_CNTRL_CHARS(resource->user)

+                               CHECK_FOR_CNTRL_CHARS(resource->pass)
+                               CHECK_FOR_CNTRL_CHARS(resource->path)
+                       }

                        stream = php_stream_url_wrap_http_ex(NULL,
new_path, mode, options, opened_path, context, --redirect_max, 0
STREAMS_CC TSRMLS_CC);
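
Review bot: The new `if (strncasecmp(resource->scheme, "http", ...` condition drops all three CHECK_FOR_CNTRL_CHARS calls for http and https, not only the one that rejected the valid redirect, so new_path reaches php_stream_url_wrap_http_ex with user, pass and path unchecked for those schemes. Since the redirect target comes from the remote server, consider keeping the user and pass checks unconditional and relaxing only the check that trips on the legitimate redirect, or percent-encoding the offending bytes in the path instead of skipping validation. The comment above the block ("check for control characters in login, password & path") should also be updated to say the checks now apply only to non-HTTP schemes, and if resource->scheme can be NULL at this point the strncasecmp calls need a guard.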




------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=37045&edit=1
