ext/standard: check the from address for control characters before PASS#22770
Open
iliaal wants to merge 1 commit into
Open
ext/standard: check the from address for control characters before PASS#22770iliaal wants to merge 1 commit into
iliaal wants to merge 1 commit into
Conversation
phpGH-17976 sanitized from and user_agent where the HTTP wrapper emits headers, and left the FTP wrapper for a follow-up. php_ftp_fopen_connect() sends FG(from_address) as the anonymous password without a check, so an ini_set() value carrying CRLF puts extra commands on the control channel. Apply PHP_FTP_CNTRL_CHK, as the branch that sends a URL-supplied password already does. Closes phpGH-22770
b967f41 to
2796857
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
GH-17976 sanitized
fromanduser_agentat the HTTP wrapper's header-emit point and deferred the FTP wrapper.php_ftp_fopen_connect()still sendsFG(from_address)as the anonymous password unchecked, so withini_set('from', "evil\r\nSITE INJECT")the server receives a literal SITE INJECT on the control channel. The URL-supplied-password branch a few lines above already calls PHP_FTP_CNTRL_CHK; this uses the same macro over ZSTR_LEN, so the two branches now read identically.