Fix CVE-2021-21707

Signed-off-by: herengui <herengui@uniontech.com>
2022-01-28 15:10:20 +08:00 · 2022-01-28 15:10:20 +08:00 · 0576a21bdf
commit 0576a21bdf
parent cecd50e7fc
2 changed files with 136 additions and 1 deletions
--- a/backport-CVE-2021-21707.patch
+++ b/backport-CVE-2021-21707.patch
@ -0,0 +1,131 @@
 From f15f8fc573eb38c3c73e23e0930063a6f6409ed4 Mon Sep 17 00:00:00 2001
 From: "Christoph M. Becker" <cmbecker69@gmx.de>
 Date: Tue, 1 Sep 2020 10:04:28 +0200
 Subject: [PATCH] Fix #79971: special character is breaking the path in xml
 function
 The libxml based XML functions accepting a filename actually accept
 URIs with possibly percent-encoded characters.  Percent-encoded NUL
 bytes lead to truncation, like non-encoded NUL bytes would.  We catch
 those, and let the functions fail with a respective warning.
 ---
 ext/dom/domimplementation.c         |  5 +++++
 ext/dom/tests/bug79971_2.phpt       | 20 ++++++++++++++++++++
 ext/libxml/libxml.c                 |  9 +++++++++
 ext/simplexml/tests/bug79971_1.phpt | 27 +++++++++++++++++++++++++++
 ext/simplexml/tests/bug79971_1.xml  |  2 ++
 5 files changed, 63 insertions(+)
 create mode 100644 ext/dom/tests/bug79971_2.phpt
 create mode 100644 ext/simplexml/tests/bug79971_1.phpt
 create mode 100644 ext/simplexml/tests/bug79971_1.xml
 diff --git a/ext/dom/domimplementation.c b/ext/dom/domimplementation.c
 index c6629c85e965..6f59f9c7c89f 100644
 --- a/ext/dom/domimplementation.c
 +++ b/ext/dom/domimplementation.c
@@ -112,6 +112,11 @@ PHP_METHOD(domimplementation, createDocumentType)
 		pch2 = (xmlChar *) systemid;
 	}
 +	if (strstr(name, "%00")) {
 +		php_error_docref(NULL, E_WARNING, "URI must not contain percent-encoded NUL bytes");
 +		RETURN_FALSE;
 +	}
 +
 	uri = xmlParseURI(name);
 	if (uri != NULL && uri->opaque != NULL) {
 		localname = xmlStrdup((xmlChar *) uri->opaque);
 diff --git a/ext/dom/tests/bug79971_2.phpt b/ext/dom/tests/bug79971_2.phpt
 new file mode 100644
 index 000000000000..c4e6b1e4e093
 --- /dev/null
 +++ b/ext/dom/tests/bug79971_2.phpt
@@ -0,0 +1,20 @@
 +--TEST--
 +Bug #79971 (special character is breaking the path in xml function)
 +--SKIPIF--
 +<?php
 +if (!extension_loaded('dom')) die('skip dom extension not available');
 +?>
 +--FILE--
 +<?php
 +$imp = new DOMImplementation;
 +if (PHP_OS_FAMILY === 'Windows') {
 +    $path = '/' . str_replace('\\', '/', __DIR__);
 +} else {
 +    $path = __DIR__;
 +}
 +$uri = "file://$path/bug79971_2.xml";
 +var_dump($imp->createDocumentType("$uri%00foo"));
 +?>
 +--EXPECTF--
 +Warning: DOMImplementation::createDocumentType(): URI must not contain percent-encoded NUL bytes in %s on line %d
 +bool(false)
 diff --git a/ext/libxml/libxml.c b/ext/libxml/libxml.c
 index 2be6a5b47a06..72ceea63274c 100644
 --- a/ext/libxml/libxml.c
 +++ b/ext/libxml/libxml.c
@@ -306,6 +306,10 @@ static void *php_libxml_streams_IO_open_wrapper(const char *filename, const char
 	int isescaped=0;
 	xmlURI *uri;
 +	if (strstr(filename, "%00")) {
 +		php_error_docref(NULL, E_WARNING, "URI must not contain percent-encoded NUL bytes");
 +		return NULL;
 +	}
 	uri = xmlParseURI(filename);
 	if (uri && (uri->scheme == NULL ||
@@ -437,6 +441,11 @@ php_libxml_output_buffer_create_filename(const char *URI,
 	if (URI == NULL)
 		return(NULL);
 +	if (strstr(URI, "%00")) {
 +		php_error_docref(NULL, E_WARNING, "URI must not contain percent-encoded NUL bytes");
 +		return NULL;
 +	}
 +
 	puri = xmlParseURI(URI);
 	if (puri != NULL) {
 		if (puri->scheme != NULL)
 diff --git a/ext/simplexml/tests/bug79971_1.phpt b/ext/simplexml/tests/bug79971_1.phpt
 new file mode 100644
 index 000000000000..197776d82d38
 --- /dev/null
 +++ b/ext/simplexml/tests/bug79971_1.phpt
@@ -0,0 +1,27 @@
 +--TEST--
 +Bug #79971 (special character is breaking the path in xml function)
 +--SKIPIF--
 +<?php
 +if (!extension_loaded('simplexml')) die('skip simplexml extension not available');
 +?>
 +--FILE--
 +<?php
 +if (PHP_OS_FAMILY === 'Windows') {
 +    $path = '/' . str_replace('\\', '/', __DIR__);
 +} else {
 +    $path = __DIR__;
 +}
 +$uri = "file://$path/bug79971_1.xml";
 +var_dump(simplexml_load_file("$uri%00foo"));
 +
 +$sxe = simplexml_load_file($uri);
 +var_dump($sxe->asXML("$uri.out%00foo"));
 +?>
 +--EXPECTF--
 +Warning: simplexml_load_file(): URI must not contain percent-encoded NUL bytes in %s on line %d
 +
 +Warning: simplexml_load_file(): I/O warning : failed to load external entity "%s/bug79971_1.xml%00foo" in %s on line %d
 +bool(false)
 +
 +Warning: SimpleXMLElement::asXML(): URI must not contain percent-encoded NUL bytes in %s on line %d
 +bool(false)
 diff --git a/ext/simplexml/tests/bug79971_1.xml b/ext/simplexml/tests/bug79971_1.xml
 new file mode 100644
 index 000000000000..912bb76d9d7e
 --- /dev/null
 +++ b/ext/simplexml/tests/bug79971_1.xml
@@ -0,0 +1,2 @@
 +<?xml version="1.0"?>
 +<root></root>
--- a/php.spec
+++ b/php.spec
@ -26,7 +26,7 @@
 Name:          php
 Version:       %{upver}%{?rcver:~%{rcver}}
-Release:       5
+Release:       6
 Summary:       PHP scripting language for creating dynamic web sites
 License:       PHP and Zend-2.0 and BSD and MIT and ASL 1.0 and NCSA
 URL:           http://www.php.net/
@ -62,6 +62,7 @@ Patch11:       backport-0001-CVE-2021-21705.patch
 Patch12:       backport-0002-CVE-2021-21705.patch
 Patch13:       backport-CVE-2021-21704.patch
 Patch14:       backport-CVE-2021-21703.patch
 Patch15:       backport-CVE-2021-21707.patch
 BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem
 BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel
@ -1090,6 +1091,9 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
 %{_mandir}/*
 %changelog
 * Fri Jan 28 2022 herengui <herengui@uniontech.com> - 8.0.0-6
 - Fix CVE-2021-21707
 * Thu Nov 4 2021 panxiaohe <panxiaohe@huawei.com> - 8.0.0-5
 - Fix CVE-2021-21703