archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 21:48:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Fix #79971: special character is breaking the path in xml function

Browse source 
The libxml based XML functions accepting a filename actually accept
URIs with possibly percent-encoded characters.  Percent-encoded NUL
bytes lead to truncation, like non-encoded NUL bytes would.  We catch
those, and let the functions fail with a respective warning.
This commit is contained in:
Christoph M. Becker 2020-09-01 10:04:28 +02:00 committed by Stanislav Malyshev
parent 88f99c9c1d
commit f15f8fc573
No known key found for this signature in database
GPG key ID: 94B3CB48C3ECA219
5 changed files with 63 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
ext/dom/domimplementation.c
View file

@ -112,6 +112,11 @@ PHP_METHOD(domimplementation, createDocumentType)
pch2 = (xmlChar *) systemid; pch2 = (xmlChar *) systemid;
} }
if (strstr(name, "%00")) {
php_error_docref(NULL, E_WARNING, "URI must not contain percent-encoded NUL bytes");
RETURN_FALSE;
}
uri = xmlParseURI(name); uri = xmlParseURI(name);
if (uri != NULL && uri->opaque != NULL) { if (uri != NULL && uri->opaque != NULL) {
localname = xmlStrdup((xmlChar *) uri->opaque); localname = xmlStrdup((xmlChar *) uri->opaque);

20
ext/dom/tests/bug79971_2.phpt Normal file
View file

@ -0,0 +1,20 @@
--TEST--
Bug #79971 (special character is breaking the path in xml function)
--SKIPIF--
<?php
if (!extension_loaded('dom')) die('skip dom extension not available');
?>
--FILE--
<?php
$imp = new DOMImplementation;
if (PHP_OS_FAMILY === 'Windows') {
$path = '/' . str_replace('\\', '/', __DIR__);
} else {
$path = __DIR__;
}
$uri = "file://$path/bug79971_2.xml";
var_dump($imp->createDocumentType("$uri%00foo"));
?>
--EXPECTF--
Warning: DOMImplementation::createDocumentType(): URI must not contain percent-encoded NUL bytes in %s on line %d
bool(false)

9
ext/libxml/libxml.c
View file

@ -306,6 +306,10 @@ static void *php_libxml_streams_IO_open_wrapper(const char *filename, const char
int isescaped=0; int isescaped=0;
xmlURI *uri; xmlURI *uri;
if (strstr(filename, "%00")) {
php_error_docref(NULL, E_WARNING, "URI must not contain percent-encoded NUL bytes");
return NULL;
}
uri = xmlParseURI(filename); uri = xmlParseURI(filename);
if (uri && (uri->scheme == NULL || if (uri && (uri->scheme == NULL ||
@ -437,6 +441,11 @@ php_libxml_output_buffer_create_filename(const char *URI,
if (URI == NULL) if (URI == NULL)
return(NULL); return(NULL);
if (strstr(URI, "%00")) {
php_error_docref(NULL, E_WARNING, "URI must not contain percent-encoded NUL bytes");
return NULL;
}
puri = xmlParseURI(URI); puri = xmlParseURI(URI);
if (puri != NULL) { if (puri != NULL) {
if (puri->scheme != NULL) if (puri->scheme != NULL)

27
ext/simplexml/tests/bug79971_1.phpt Normal file
View file

@ -0,0 +1,27 @@
--TEST--
Bug #79971 (special character is breaking the path in xml function)
--SKIPIF--
<?php
if (!extension_loaded('simplexml')) die('skip simplexml extension not available');
?>
--FILE--
<?php
if (PHP_OS_FAMILY === 'Windows') {
$path = '/' . str_replace('\\', '/', __DIR__);
} else {
$path = __DIR__;
}
$uri = "file://$path/bug79971_1.xml";
var_dump(simplexml_load_file("$uri%00foo"));
$sxe = simplexml_load_file($uri);
var_dump($sxe->asXML("$uri.out%00foo"));
?>
--EXPECTF--
Warning: simplexml_load_file(): URI must not contain percent-encoded NUL bytes in %s on line %d
Warning: simplexml_load_file(): I/O warning : failed to load external entity "%s/bug79971_1.xml%00foo" in %s on line %d
bool(false)
Warning: SimpleXMLElement::asXML(): URI must not contain percent-encoded NUL bytes in %s on line %d
bool(false)

2
ext/simplexml/tests/bug79971_1.xml Normal file
View file

@ -0,0 +1,2 @@
<?xml version="1.0"?>
<root></root>