Merge branch 'PHP-8.0'

smalyshev · smalyshev · commit d0850aba94aa · 2021-06-20T22:20:16.000-07:00
* PHP-8.0:
  Fix #76448: Stack buffer overflow in firebird_info_cb
  Fix #76449: SIGSEGV in firebird_handle_doer
  Fix #76450: SIGSEGV in firebird_stmt_execute
  Fix #76452: Crash while parsing blob data in firebird_fetch_blob
  Fix #81122: SSRF bypass in FILTER_VALIDATE_URL
diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
@@ -636,7 +636,9 @@ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
 		RETURN_VALIDATION_FAILED
 	}
 
-	if (url->user != NULL && !is_userinfo_valid(url->user)) {
+	if (url->user != NULL && !is_userinfo_valid(url->user)
+		|| url->pass != NULL && !is_userinfo_valid(url->pass)
+	) {
 		php_url_free(url);
 		RETURN_VALIDATION_FAILED
 
diff --git a/ext/filter/tests/bug81122.phpt b/ext/filter/tests/bug81122.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #81122 (SSRF bypass in FILTER_VALIDATE_URL)
+--SKIPIF--
+<?php
+if (!extension_loaded('filter')) die("skip filter extension not available");
+?>
+--FILE--
+<?php
+$urls = [
+    "https://example.com:\\@test.com/",
+    "https://user:\\epass@test.com",
+    "https://user:\\@test.com",
+];
+foreach ($urls as $url) {
+    var_dump(filter_var($url, FILTER_VALIDATE_URL));
+}
+?>
+--EXPECT--
+bool(false)
+bool(false)
+bool(false)
diff --git a/ext/pdo_firebird/firebird_driver.c b/ext/pdo_firebird/firebird_driver.c
@@ -626,8 +626,17 @@ static zend_long firebird_handle_doer(pdo_dbh_t *dbh, const zend_string *sql) /*
 	if (result[0] == isc_info_sql_records) {
 		unsigned i = 3, result_size = isc_vax_integer(&result[1],2);
 
+		if (result_size > sizeof(result)) {
+			ret = -1;
+			goto free_statement;
+		}
 		while (result[i] != isc_info_end && i < result_size) {
 			short len = (short)isc_vax_integer(&result[i+1],2);
+			/* bail out on bad len */
+			if (len != 1 && len != 2 && len != 4) {
+				ret = -1;
+				goto free_statement;
+			}
 			if (result[i] != isc_info_req_select_count) {
 				ret += isc_vax_integer(&result[i+3],len);
 			}
@@ -905,14 +914,16 @@ static bool firebird_handle_set_attribute(pdo_dbh_t *dbh, zend_long attr, zval *
 }
 /* }}} */
 
+#define INFO_BUF_LEN 512
+
 /* callback to used to report database server info */
 static void firebird_info_cb(void *arg, char const *s) /* {{{ */
 {
 	if (arg) {
 		if (*(char*)arg) { /* second call */
-			strcat(arg, " ");
+			strlcat(arg, " ", INFO_BUF_LEN);
 		}
-		strcat(arg, s);
+		strlcat(arg, s, INFO_BUF_LEN);
 	}
 }
 /* }}} */
@@ -923,7 +934,7 @@ static int firebird_handle_get_attribute(pdo_dbh_t *dbh, zend_long attr, zval *v
 	pdo_firebird_db_handle *H = (pdo_firebird_db_handle *)dbh->driver_data;
 
 	switch (attr) {
-		char tmp[512];
+		char tmp[INFO_BUF_LEN];
 
 		case PDO_ATTR_AUTOCOMMIT:
 			ZVAL_LONG(val,dbh->auto_commit);
diff --git a/ext/pdo_firebird/firebird_statement.c b/ext/pdo_firebird/firebird_statement.c
@@ -126,8 +126,14 @@ static int firebird_stmt_execute(pdo_stmt_t *stmt) /* {{{ */
 				}
 				if (result[0] == isc_info_sql_records) {
 					unsigned i = 3, result_size = isc_vax_integer(&result[1], 2);
+					if (result_size > sizeof(result)) {
+						goto error;
+					}
 					while (result[i] != isc_info_end && i < result_size) {
 						short len = (short) isc_vax_integer(&result[i + 1], 2);
+						if (len != 1 && len != 2 && len != 4) {
+							goto error;
+						}
 						if (result[i] != isc_info_req_select_count) {
 							affected_rows += isc_vax_integer(&result[i + 3], len);
 						}
@@ -152,6 +158,7 @@ static int firebird_stmt_execute(pdo_stmt_t *stmt) /* {{{ */
 		return 1;
 	} while (0);
 
+error:
 	RECORD_ERROR(stmt);
 
 	return 0;
diff --git a/ext/pdo_firebird/tests/bug_76448.data b/ext/pdo_firebird/tests/bug_76448.data
diff --git a/ext/pdo_firebird/tests/bug_76448.phpt b/ext/pdo_firebird/tests/bug_76448.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #76448 (Stack buffer overflow in firebird_info_cb)
+--SKIPIF--
+<?php
+if (!extension_loaded('pdo_firebird')) die("skip podo_firebird extension not available");
+if (!extension_loaded('sockets')) die("skip sockets extension not available");
+?>
+--FILE--
+<?php
+require_once "payload_server.inc";
+
+$address = run_server(__DIR__ . "/bug_76448.data");
+
+// no need to change the credentials; we're running against a falke server
+$dsn = "firebird:dbname=inet://$address/test";
+$username = 'SYSDBA';
+$password = 'masterkey';
+
+$dbh = new PDO($dsn, $username, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+var_dump($dbh->getAttribute(PDO::ATTR_SERVER_INFO));
+?>
+--EXPECT--
+bool(false)
diff --git a/ext/pdo_firebird/tests/bug_76449.data b/ext/pdo_firebird/tests/bug_76449.data
diff --git a/ext/pdo_firebird/tests/bug_76449.phpt b/ext/pdo_firebird/tests/bug_76449.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #76449 (SIGSEGV in firebird_handle_doer)
+--SKIPIF--
+<?php
+if (!extension_loaded('pdo_firebird')) die("skip pdo_firebird extension not available");
+if (!extension_loaded('sockets')) die("skip sockets extension not available");
+?>
+--FILE--
+<?php
+require_once "payload_server.inc";
+
+$address = run_server(__DIR__ . "/bug_76449.data");
+
+// no need to change the credentials; we're running against a fake server
+$dsn = "firebird:dbname=inet://$address/test";
+$username = 'SYSDBA';
+$password = 'masterkey';
+
+$dbh = new PDO($dsn, $username, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+var_dump($dbh->exec("INSERT INTO test VALUES ('hihi2', 'xxxxx')"));
+?>
+--EXPECT--
+bool(false)
diff --git a/ext/pdo_firebird/tests/bug_76450.data b/ext/pdo_firebird/tests/bug_76450.data
diff --git a/ext/pdo_firebird/tests/bug_76450.phpt b/ext/pdo_firebird/tests/bug_76450.phpt
@@ -0,0 +1,29 @@
+--TEST--
+Bug #76450 (SIGSEGV in firebird_stmt_execute)
+--SKIPIF--
+<?php
+if (!extension_loaded('pdo_firebird')) die("skip pdo_firebird extension not available");
+if (!extension_loaded('sockets')) die("skip sockets extension not available");
+?>
+--FILE--
+<?php
+require_once "payload_server.inc";
+
+$address = run_server(__DIR__ . "/bug_76450.data");
+
+// no need to change the credentials; we're running against a fake server
+$dsn = "firebird:dbname=inet://$address/test";
+$username = 'SYSDBA';
+$password = 'masterkey';
+
+$dbh = new PDO($dsn, $username, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+$sql = "EXECUTE PROCEDURE test_proc 123";
+$query = $dbh->prepare($sql);
+try {
+    $query->execute();
+} catch (Exception $ex) {
+    echo "{$ex->getMessage()}\n";
+}
+?>
+--EXPECT--
+SQLSTATE[HY000]: General error
diff --git a/ext/pdo_firebird/tests/bug_76452.data b/ext/pdo_firebird/tests/bug_76452.data
diff --git a/ext/pdo_firebird/tests/bug_76452.phpt b/ext/pdo_firebird/tests/bug_76452.phpt
@@ -0,0 +1,31 @@
+--TEST--
+Bug ##76452 (Crash while parsing blob data in firebird_fetch_blob)
+--SKIPIF--
+<?php require('skipif.inc'); ?>
+--FILE--
+<?php
+require_once "payload_server.inc";
+
+$address = run_server(__DIR__ . "/bug_76452.data");
+
+// no need to change the credentials; we're running against a falke server
+$dsn = "firebird:dbname=inet://$address/test";
+$username = 'SYSDBA';
+$password = 'masterkey';
+
+$dbh = new PDO($dsn, $username, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+$query = $dbh->prepare("select * from test");
+$query->execute();
+var_dump($query->fetch());
+?>
+--EXPECT--
+array(4) {
+  ["AAA"]=>
+  string(4) "hihi"
+  [0]=>
+  string(4) "hihi"
+  ["BBBB"]=>
+  NULL
+  [1]=>
+  NULL
+}

Original file line number	Diff line number	Diff line change
`@@ -636,7 +636,9 @@ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */`
`636`	`636`	`RETURN_VALIDATION_FAILED`
`637`	`637`	`}`
`638`	`638`
`639`		`- if (url->user != NULL && !is_userinfo_valid(url->user)) {`
	`639`	`+ if (url->user != NULL && !is_userinfo_valid(url->user)`
	`640`	`+ \|\| url->pass != NULL && !is_userinfo_valid(url->pass)`
	`641`	`+ ) {`
`640`	`642`	`php_url_free(url);`
`641`	`643`	`RETURN_VALIDATION_FAILED`
`642`	`644`