Skip to content

Commit a5538c6

Browse files
cmb69smalyshev
cmb69
authored and
smalyshev
committed
Fix #81122: SSRF bypass in FILTER_VALIDATE_URL
We need to ensure that the password detected by parse_url() is actually a valid password; we can re-use is_userinfo_valid() for that.
1 parent 98c8ad9 commit a5538c6

2 files changed

Lines changed: 24 additions & 1 deletion

File tree

ext/filter/logical_filters.c

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -609,7 +609,9 @@ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
609609
RETURN_VALIDATION_FAILED
610610
}
611611

612-
if (url->user != NULL && !is_userinfo_valid(url->user)) {
612+
if (url->user != NULL && !is_userinfo_valid(url->user)
613+
|| url->pass != NULL && !is_userinfo_valid(url->pass)
614+
) {
613615
php_url_free(url);
614616
RETURN_VALIDATION_FAILED
615617

ext/filter/tests/bug81122.phpt

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,21 @@
1+
--TEST--
2+
Bug #81122 (SSRF bypass in FILTER_VALIDATE_URL)
3+
--SKIPIF--
4+
<?php
5+
if (!extension_loaded('filter')) die("skip filter extension not available");
6+
?>
7+
--FILE--
8+
<?php
9+
$urls = [
10+
"https://example.com:\\@test.com/",
11+
"https://user:\\epass@test.com",
12+
"https://user:\\@test.com",
13+
];
14+
foreach ($urls as $url) {
15+
var_dump(filter_var($url, FILTER_VALIDATE_URL));
16+
}
17+
?>
18+
--EXPECT--
19+
bool(false)
20+
bool(false)
21+
bool(false)

0 commit comments

Comments
 (0)