Merge branch 'PHP-7.3' into PHP-7.4
* PHP-7.3: Update NEWS Fix #76448: Stack buffer overflow in firebird_info_cb Fix #76449: SIGSEGV in firebird_handle_doer Fix #76450: SIGSEGV in firebird_stmt_execute Fix #76452: Crash while parsing blob data in firebird_fetch_blob Fix #81122: SSRF bypass in FILTER_VALIDATE_URL
commit
2327e3d36a
@ -632,7 +632,9 @@ bad_url:
|
||||
RETURN_VALIDATION_FAILED
|
||||
}
|
||||
|
||||
if (url->user != NULL && !is_userinfo_valid(url->user)) {
|
||||
if (url->user != NULL && !is_userinfo_valid(url->user)
|
||||
|| url->pass != NULL && !is_userinfo_valid(url->pass)
|
||||
) {
|
||||
php_url_free(url);
|
||||
RETURN_VALIDATION_FAILED
|
||||
|
||||
|
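Review bot: The new condition mixes `&&` and `||` without grouping, so a reader has to rely on operator precedence to see that each NULL check guards its own is_userinfo_valid() call, and compilers run with -Wparentheses warn about it. Parenthesise the two halves: `if ((url->user != NULL && !is_userinfo_valid(url->user)) || (url->pass != NULL && !is_userinfo_valid(url->pass))) {`. A one-line comment such as `/* the password is userinfo too; validate it like the user name (bug #81122) */` would record why the second test exists. The enclosing function starts and ends outside the hunk.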
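--- a/ext/filter/tests/bug81122.phpt
+++ b/ext/filter/tests/bug81122.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #81122 (SSRF bypass in FILTER_VALIDATE_URL)
+--SKIPIF--
+<?php
+if (!extension_loaded('filter')) die("skip filter extension not available");
+?>
+--FILE--
+<?php
+$urls = [
+"https://example.com:\\@test.com/",
+"https://user:\\epass@test.com",
+"https://user:\\@test.com",
+];
+foreach ($urls as $url) {
+var_dump(filter_var($url, FILTER_VALIDATE_URL));
+}
+?>
+--EXPECT--
+bool(false)
+bool(false)
+bool(false)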
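Review bot: All three inputs in `$urls` are expected to be rejected, so the test would still pass if the new password check rejected every URL that carries a password. Adding one well-formed control, for example `"https://user:pass@test.com",` with the URL itself as the expected output, would pin that valid userinfo keeps validating after the fix.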
@ -206,8 +206,17 @@ static zend_long firebird_handle_doer(pdo_dbh_t *dbh, const char *sql, size_t sq
|
||||
if (result[0] == isc_info_sql_records) {
|
||||
unsigned i = 3, result_size = isc_vax_integer(&result[1],2);
|
||||
|
||||
if (result_size > sizeof(result)) {
|
||||
ret = -1;
|
||||
goto free_statement;
|
||||
}
|
||||
while (result[i] != isc_info_end && i < result_size) {
|
||||
short len = (short)isc_vax_integer(&result[i+1],2);
|
||||
/* bail out on bad len */
|
||||
if (len != 1 && len != 2 && len != 4) {
|
||||
ret = -1;
|
||||
goto free_statement;
|
||||
}
|
||||
if (result[i] != isc_info_req_select_count) {
|
||||
ret += isc_vax_integer(&result[i+3],len);
|
||||
}
|
||||
@ -509,14 +518,16 @@ static int firebird_handle_set_attribute(pdo_dbh_t *dbh, zend_long attr, zval *v
|
||||
}
|
||||
/* }}} */
|
||||
|
||||
#define INFO_BUF_LEN 512
|
||||
|
||||
/* callback to used to report database server info */
|
||||
static void firebird_info_cb(void *arg, char const *s) /* {{{ */
|
||||
{
|
||||
if (arg) {
|
||||
if (*(char*)arg) { /* second call */
|
||||
strcat(arg, " ");
|
||||
strlcat(arg, " ", INFO_BUF_LEN);
|
||||
}
|
||||
strcat(arg, s);
|
||||
strlcat(arg, s, INFO_BUF_LEN);
|
||||
}
|
||||
}
|
||||
/* }}} */
|
||||
@ -527,7 +538,7 @@ static int firebird_handle_get_attribute(pdo_dbh_t *dbh, zend_long attr, zval *v
|
||||
pdo_firebird_db_handle *H = (pdo_firebird_db_handle *)dbh->driver_data;
|
||||
|
||||
switch (attr) {
|
||||
char tmp[512];
|
||||
char tmp[INFO_BUF_LEN];
|
||||
|
||||
case PDO_ATTR_AUTOCOMMIT:
|
||||
ZVAL_LONG(val,dbh->auto_commit);
|
||||
|
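Review bot: The added `result_size > sizeof(result)` check in firebird_handle_doer bounds only the loop index, not the bytes read per item: the loop still reads `result[i]` before testing `i < result_size`, and each pass reads `result[i+1]`, `result[i+2]` and up to four bytes from `result[i+3]`, so an item that starts near the end of the buffer can still be read a few bytes past it when the server sends a malformed response. Bounding each item against the array closes that: `while (i < result_size && i + 3 <= sizeof(result) && result[i] != isc_info_end) {` and `if ((len != 1 && len != 2 && len != 4) || i + 3 + len > sizeof(result)) {`. The same loop is added to firebird_stmt_execute in this commit and needs the same treatment. The declaration of `result` and the statement that advances `i` are outside the hunk, so this assumes `result` is a fixed-size array, as the `sizeof` use suggests.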
@ -136,8 +136,14 @@ static int firebird_stmt_execute(pdo_stmt_t *stmt) /* {{{ */
|
||||
}
|
||||
if (result[0] == isc_info_sql_records) {
|
||||
unsigned i = 3, result_size = isc_vax_integer(&result[1], 2);
|
||||
if (result_size > sizeof(result)) {
|
||||
goto error;
|
||||
}
|
||||
while (result[i] != isc_info_end && i < result_size) {
|
||||
short len = (short) isc_vax_integer(&result[i + 1], 2);
|
||||
if (len != 1 && len != 2 && len != 4) {
|
||||
goto error;
|
||||
}
|
||||
if (result[i] != isc_info_req_select_count) {
|
||||
affected_rows += isc_vax_integer(&result[i + 3], len);
|
||||
}
|
||||
@ -161,6 +167,7 @@ static int firebird_stmt_execute(pdo_stmt_t *stmt) /* {{{ */
|
||||
return 1;
|
||||
} while (0);
|
||||
|
||||
error:
|
||||
RECORD_ERROR(stmt);
|
||||
|
||||
return 0;
|
||||
@ -302,6 +309,11 @@ static int firebird_fetch_blob(pdo_stmt_t *stmt, int colno, char **ptr, /* {{{ *
|
||||
unsigned short seg_len;
|
||||
ISC_STATUS stat;
|
||||
|
||||
/* prevent overflow */
|
||||
if (*len == ZEND_ULONG_MAX) {
|
||||
result = 0;
|
||||
goto fetch_blob_end;
|
||||
}
|
||||
*ptr = S->fetch_buf[colno] = erealloc(S->fetch_buf[colno], *len+1);
|
||||
|
||||
for (cur_len = stat = 0; (!stat || stat == isc_segment) && cur_len < *len; cur_len += seg_len) {
|
||||
|
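Review bot: The `/* prevent overflow */` comment in firebird_fetch_blob does not say what overflows; the guard is there because `*len+1` in the erealloc() call two lines below wraps to 0 when `*len` is ZEND_ULONG_MAX. A comment such as `/* *len + 1 below would wrap to 0 for ZEND_ULONG_MAX */` makes that visible to the next reader. Every smaller value still reaches erealloc() unchecked, so if `*len` is taken from server-supplied blob info (its origin is outside this hunk) the allocation size remains peer-controlled and is limited only by the allocator. The function's signature and its `fetch_blob_end` label are outside the hunk.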
BIN
ext/pdo_firebird/tests/bug_76448.data
Normal file
BIN
ext/pdo_firebird/tests/bug_76448.data
Normal file
Binary file not shown.
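--- a/ext/pdo_firebird/tests/bug_76448.phpt
+++ b/ext/pdo_firebird/tests/bug_76448.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #76448 (Stack buffer overflow in firebird_info_cb)
+--SKIPIF--
+<?php
+if (!extension_loaded('pdo_firebird')) die("skip podo_firebird extension not available");
+if (!extension_loaded('sockets')) die("skip sockets extension not available");
+?>
+--FILE--
+<?php
+require_once "payload_server.inc";
+
+$address = run_server(__DIR__ . "/bug_76448.data");
+
+// no need to change the credentials; we're running against a falke server
+$dsn = "firebird:dbname=inet://$address/test";
+$username = 'SYSDBA';
+$password = 'masterkey';
+
+$dbh = new PDO($dsn, $username, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+var_dump($dbh->getAttribute(PDO::ATTR_SERVER_INFO));
+?>
+--EXPECT--
+bool(false)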
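Review bot: The skip message in SKIPIF misspells the extension as `podo_firebird`, and the comment above `$dsn` says `falke server`; both should read as they do in bug_76449.phpt (`pdo_firebird`, `fake server`). The `falke` typo is repeated in bug_76452.phpt, whose title line also has a doubled `##`.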
BIN
ext/pdo_firebird/tests/bug_76449.data
Normal file
BIN
ext/pdo_firebird/tests/bug_76449.data
Normal file
Binary file not shown.
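--- a/ext/pdo_firebird/tests/bug_76449.phpt
+++ b/ext/pdo_firebird/tests/bug_76449.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #76449 (SIGSEGV in firebird_handle_doer)
+--SKIPIF--
+<?php
+if (!extension_loaded('pdo_firebird')) die("skip pdo_firebird extension not available");
+if (!extension_loaded('sockets')) die("skip sockets extension not available");
+?>
+--FILE--
+<?php
+require_once "payload_server.inc";
+
+$address = run_server(__DIR__ . "/bug_76449.data");
+
+// no need to change the credentials; we're running against a fake server
+$dsn = "firebird:dbname=inet://$address/test";
+$username = 'SYSDBA';
+$password = 'masterkey';
+
+$dbh = new PDO($dsn, $username, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+var_dump($dbh->exec("INSERT INTO test VALUES ('hihi2', 'xxxxx')"));
+?>
+--EXPECT--
+bool(false)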
BIN
ext/pdo_firebird/tests/bug_76450.data
Normal file
BIN
ext/pdo_firebird/tests/bug_76450.data
Normal file
Binary file not shown.
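--- a/ext/pdo_firebird/tests/bug_76450.phpt
+++ b/ext/pdo_firebird/tests/bug_76450.phpt
@@ -0,0 +1,29 @@
+--TEST--
+Bug #76450 (SIGSEGV in firebird_stmt_execute)
+--SKIPIF--
+<?php
+if (!extension_loaded('pdo_firebird')) die("skip pdo_firebird extension not available");
+if (!extension_loaded('sockets')) die("skip sockets extension not available");
+?>
+--FILE--
+<?php
+require_once "payload_server.inc";
+
+$address = run_server(__DIR__ . "/bug_76450.data");
+
+// no need to change the credentials; we're running against a fake server
+$dsn = "firebird:dbname=inet://$address/test";
+$username = 'SYSDBA';
+$password = 'masterkey';
+
+$dbh = new PDO($dsn, $username, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+$sql = "EXECUTE PROCEDURE test_proc 123";
+$query = $dbh->prepare($sql);
+try {
+$query->execute();
+} catch (Exception $ex) {
+echo "{$ex->getMessage()}\n";
+}
+?>
+--EXPECT--
+SQLSTATE[HY000]: General error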
BIN
ext/pdo_firebird/tests/bug_76452.data
Normal file
BIN
ext/pdo_firebird/tests/bug_76452.data
Normal file
Binary file not shown.
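--- a/ext/pdo_firebird/tests/bug_76452.phpt
+++ b/ext/pdo_firebird/tests/bug_76452.phpt
@@ -0,0 +1,31 @@
+--TEST--
+Bug ##76452 (Crash while parsing blob data in firebird_fetch_blob)
+--SKIPIF--
+<?php require('skipif.inc'); ?>
+--FILE--
+<?php
+require_once "payload_server.inc";
+
+$address = run_server(__DIR__ . "/bug_76452.data");
+
+// no need to change the credentials; we're running against a falke server
+$dsn = "firebird:dbname=inet://$address/test";
+$username = 'SYSDBA';
+$password = 'masterkey';
+
+$dbh = new PDO($dsn, $username, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+$query = $dbh->prepare("select * from test");
+$query->execute();
+var_dump($query->fetch());
+?>
+--EXPECT--
+array(4) {
+["AAA"]=>
+string(4) "hihi"
+[0]=>
+string(4) "hihi"
+["BBBB"]=>
+NULL
+[1]=>
+NULL
+}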
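Review bot: This test's SKIPIF pulls in `skipif.inc`, while the three sibling tests added in the same commit check `extension_loaded('pdo_firebird')` and `extension_loaded('sockets')` directly. skipif.inc is not shown here; if it requires a reachable Firebird server, this test will be skipped on exactly the machines where the fake payload server would make it runnable, and it does not guard the sockets dependency that payload_server.inc presumably has. Using the same two `extension_loaded` checks as bug_76449.phpt would keep the four regression tests consistent and make sure this one actually runs in CI.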