ext/ldap: Improve validation of inputs for parallel search

Girgias · Girgias · commit fa100e1ab333 · 2024-09-29T15:35:55.000+01:00
diff --git a/ext/ldap/ldap.c b/ext/ldap/ldap.c
@@ -1485,12 +1485,12 @@ static void php_ldap_do_search(INTERNAL_FUNCTION_PARAMETERS, int scope)
 
 	/* parallel search? */
 	if (Z_TYPE_P(link) == IS_ARRAY) {
-		int i, nlinks, nbases, nfilters, *rcs;
+		int i, *rcs;
 		ldap_linkdata **lds;
 		zval *entry, object;
 
-		nlinks = zend_hash_num_elements(Z_ARRVAL_P(link));
-		if (nlinks == 0) {
+		uint32_t num_links = zend_hash_num_elements(Z_ARRVAL_P(link));
+		if (num_links == 0) {
 			zend_argument_must_not_be_empty_error(1);
 			ret = 0;
 			goto cleanup;
@@ -1501,43 +1501,57 @@ static void php_ldap_do_search(INTERNAL_FUNCTION_PARAMETERS, int scope)
 			goto cleanup;
 		}
 
+		uint32_t num_base_dns = 0; /* If 0 this means we are working with a unique base dn */
 		if (base_dn_ht) {
-			nbases = zend_hash_num_elements(base_dn_ht);
-			if (nbases != nlinks) {
-				zend_argument_value_error(2, "must have the same number of elements as the links array");
+			if (!zend_array_is_list(base_dn_ht)) {
+				zend_argument_value_error(2, "must be a list");
+				ret = 0;
+				goto cleanup;
+			}
+			num_base_dns = zend_hash_num_elements(base_dn_ht);
+			if (num_base_dns != num_links) {
+				zend_argument_value_error(2, "must be the same size as argument #1");
 				ret = 0;
 				goto cleanup;
 			}
 			zend_hash_internal_pointer_reset(base_dn_ht);
 		} else {
-			nbases = 0; /* this means string, not array */
-			ldap_base_dn = zend_string_copy(base_dn_str);
-			if (EG(exception)) {
+			if (zend_str_has_nul_byte(base_dn_str)) {
+				zend_argument_value_error(2, "must not contain null bytes");
 				ret = 0;
 				goto cleanup;
 			}
-			// TODO check filter does not have any nul bytes
+			ldap_base_dn = zend_string_copy(base_dn_str);
 		}
 
+		uint32_t num_filters = 0; /* If 0 this means we are working with a unique base dn */
 		if (filter_ht) {
-			nfilters = zend_hash_num_elements(filter_ht);
-			if (nfilters != nlinks) {
-				zend_argument_value_error(3, "must have the same number of elements as the links array");
+			if (!zend_array_is_list(filter_ht)) {
+				zend_argument_value_error(3, "must be a list");
+				ret = 0;
+				goto cleanup;
+			}
+			num_filters = zend_hash_num_elements(filter_ht);
+			if (num_filters != num_links) {
+				zend_argument_value_error(3, "must be the same size as argument #1");
 				ret = 0;
 				goto cleanup;
 			}
 			zend_hash_internal_pointer_reset(filter_ht);
 		} else {
-			nfilters = 0; /* this means string, not array */
+			if (zend_str_has_nul_byte(filter_str)) {
+				zend_argument_value_error(3, "must not contain null bytes");
+				ret = 0;
+				goto cleanup;
+			}
 			ldap_filter = zend_string_copy(filter_str);
-			// TODO check filter does not have any nul bytes
 		}
 
-		lds = safe_emalloc(nlinks, sizeof(ldap_linkdata), 0);
-		rcs = safe_emalloc(nlinks, sizeof(*rcs), 0);
+		lds = safe_emalloc(num_links, sizeof(ldap_linkdata), 0);
+		rcs = safe_emalloc(num_links, sizeof(*rcs), 0);
 
 		zend_hash_internal_pointer_reset(Z_ARRVAL_P(link));
-		for (i=0; i<nlinks; i++) {
+		for (i=0; i<num_links; i++) {
 			entry = zend_hash_get_current_data(Z_ARRVAL_P(link));
 
 			if (Z_TYPE_P(entry) != IS_OBJECT || !instanceof_function(Z_OBJCE_P(entry), ldap_link_ce)) {
@@ -1553,7 +1567,7 @@ static void php_ldap_do_search(INTERNAL_FUNCTION_PARAMETERS, int scope)
 				goto cleanup_parallel;
 			}
 
-			if (nbases != 0) { /* base_dn an array? */
+			if (num_base_dns != 0) { /* base_dn an array? */
 				entry = zend_hash_get_current_data(base_dn_ht);
 				zend_hash_move_forward(base_dn_ht);
 				ldap_base_dn = zval_get_string(entry);
@@ -1563,7 +1577,7 @@ static void php_ldap_do_search(INTERNAL_FUNCTION_PARAMETERS, int scope)
 				}
 				// TODO check dn does not have any nul bytes
 			}
-			if (nfilters != 0) { /* filter an array? */
+			if (num_filters != 0) { /* filter an array? */
 				entry = zend_hash_get_current_data(filter_ht);
 				zend_hash_move_forward(filter_ht);
 				ldap_filter = zval_get_string(entry);
@@ -1595,7 +1609,7 @@ static void php_ldap_do_search(INTERNAL_FUNCTION_PARAMETERS, int scope)
 		array_init(return_value);
 
 		/* Collect results from the searches */
-		for (i=0; i<nlinks; i++) {
+		for (i=0; i<num_links; i++) {
 			if (rcs[i] != -1) {
 				rcs[i] = ldap_result(lds[i]->link, LDAP_RES_ANY, 1 /* LDAP_MSG_ALL */, NULL, &ldap_res);
 			}
diff --git a/ext/ldap/tests/ldap_list_read_search_parallel_programming_errors.phpt b/ext/ldap/tests/ldap_list_read_search_parallel_programming_errors.phpt
@@ -0,0 +1,68 @@
+--TEST--
+Programming errors (Value/Type errors) for parallel usage of ldap_list(), ldap_read(), and ldap_search()
+--EXTENSIONS--
+ldap
+--FILE--
+<?php
+
+/* ldap_list(), ldap_read(), and ldap_search() share an underlying C function */
+/* We are assuming 3333 is not connectable */
+$ldap = ldap_connect('ldap://127.0.0.1:3333');
+$valid_dn = "cn=userA,something";
+$valid_filter = "";
+
+$ldaps = [$ldap, $ldap];
+
+$dn = "dn_with\0nul_byte";
+try {
+    var_dump(ldap_list($ldaps, $dn, $valid_filter));
+} catch (Throwable $e) {
+    echo $e::class, ': ', $e->getMessage(), PHP_EOL;
+}
+
+$filter = "filter_with\0nul_byte";
+try {
+    var_dump(ldap_list($ldaps, $valid_dn, $filter));
+} catch (Throwable $e) {
+    echo $e::class, ': ', $e->getMessage(), PHP_EOL;
+}
+
+$not_list = [
+    "attrib1",
+    "wat" => "attrib2",
+];
+try {
+    var_dump(ldap_list($ldaps, $not_list, $valid_filter));
+} catch (Throwable $e) {
+    echo $e::class, ': ', $e->getMessage(), PHP_EOL;
+}
+try {
+    var_dump(ldap_list($ldaps, $valid_dn, $not_list));
+} catch (Throwable $e) {
+    echo $e::class, ': ', $e->getMessage(), PHP_EOL;
+}
+
+$list_not_same_length = [
+    "string1",
+    "string2",
+    "string3",
+];
+try {
+    var_dump(ldap_list($ldaps, $list_not_same_length, $valid_filter));
+} catch (Throwable $e) {
+    echo $e::class, ': ', $e->getMessage(), PHP_EOL;
+}
+try {
+    var_dump(ldap_list($ldaps, $valid_dn, $list_not_same_length));
+} catch (Throwable $e) {
+    echo $e::class, ': ', $e->getMessage(), PHP_EOL;
+}
+
+?>
+--EXPECT--
+ValueError: ldap_list(): Argument #2 ($base) must not contain null bytes
+ValueError: ldap_list(): Argument #3 ($filter) must not contain null bytes
+ValueError: ldap_list(): Argument #2 ($base) must be a list
+ValueError: ldap_list(): Argument #3 ($filter) must be a list
+ValueError: ldap_list(): Argument #2 ($base) must be the same size as argument #1
+ValueError: ldap_list(): Argument #3 ($filter) must be the same size as argument #1
diff --git a/ext/ldap/tests/ldap_search_error.phpt b/ext/ldap/tests/ldap_search_error.phpt
@@ -62,7 +62,7 @@ Warning: ldap_search(): Search: No such object in %s on line %d
 bool(false)
 ldap_search(): Argument #4 ($attributes) must be a list
 ldap_search(): Argument #1 ($ldap) must not be empty
-ldap_search(): Argument #2 ($base) must have the same number of elements as the links array
-ldap_search(): Argument #3 ($filter) must have the same number of elements as the links array
+ldap_search(): Argument #2 ($base) must be the same size as argument #1
+ldap_search(): Argument #3 ($filter) must be the same size as argument #1
 ldap_search(): Argument #2 ($base) must be of type string when argument #1 ($ldap) is an LDAP instance
 ldap_search(): Argument #3 ($filter) must be of type string when argument #1 ($ldap) is an LDAP instance
