Skip to content

Commit 093c08a

Browse files
ndosscheramsey
ndossche
authored and
ramsey
committed
Fix GHSA-wpj3-hf5j-x4v4: __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix
The check happened too early as later code paths may perform more mangling rules. Move the check downwards right before adding the actual variable.
1 parent e3c784f commit 093c08a

File tree

2 files changed

+90
-14
lines changed

2 files changed

+90
-14
lines changed

ext/standard/tests/ghsa-wpj3-hf5j-x4v4.phpt

Lines changed: 63 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,63 @@
1+
--TEST--
2+
ghsa-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix)
3+
--COOKIE--
4+
..Host-test=ignore_1;
5+
._Host-test=ignore_2;
6+
.[Host-test=ignore_3;
7+
_.Host-test=ignore_4;
8+
__Host-test=ignore_5;
9+
_[Host-test=ignore_6;
10+
[.Host-test=ignore_7;
11+
[_Host-test=ignore_8;
12+
[[Host-test=ignore_9;
13+
..Host-test[]=ignore_10;
14+
._Host-test[]=ignore_11;
15+
.[Host-test[]=ignore_12;
16+
_.Host-test[]=ignore_13;
17+
__Host-test[]=legitimate_14;
18+
_[Host-test[]=legitimate_15;
19+
[.Host-test[]=ignore_16;
20+
[_Host-test[]=ignore_17;
21+
[[Host-test[]=ignore_18;
22+
..Secure-test=ignore_1;
23+
._Secure-test=ignore_2;
24+
.[Secure-test=ignore_3;
25+
_.Secure-test=ignore_4;
26+
__Secure-test=ignore_5;
27+
_[Secure-test=ignore_6;
28+
[.Secure-test=ignore_7;
29+
[_Secure-test=ignore_8;
30+
[[Secure-test=ignore_9;
31+
..Secure-test[]=ignore_10;
32+
._Secure-test[]=ignore_11;
33+
.[Secure-test[]=ignore_12;
34+
_.Secure-test[]=ignore_13;
35+
__Secure-test[]=legitimate_14;
36+
_[Secure-test[]=legitimate_15;
37+
[.Secure-test[]=ignore_16;
38+
[_Secure-test[]=ignore_17;
39+
[[Secure-test[]=ignore_18;
40+
--FILE--
41+
<?php
42+
var_dump($_COOKIE);
43+
?>
44+
--EXPECT--
45+
array(3) {
46+
["__Host-test"]=>
47+
array(1) {
48+
[0]=>
49+
string(13) "legitimate_14"
50+
}
51+
["_"]=>
52+
array(2) {
53+
["Host-test["]=>
54+
string(13) "legitimate_15"
55+
["Secure-test["]=>
56+
string(13) "legitimate_15"
57+
}
58+
["__Secure-test"]=>
59+
array(1) {
60+
[0]=>
61+
string(13) "legitimate_14"
62+
}
63+
}

main/php_variables.c

Lines changed: 27 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -54,6 +54,21 @@ static zend_always_inline void php_register_variable_quick(const char *name, siz
5454
zend_string_release_ex(key, 0);
5555
}
5656

57+
/* Discard variable if mangling made it start with __Host-, where pre-mangling it did not start with __Host-
58+
* Discard variable if mangling made it start with __Secure-, where pre-mangling it did not start with __Secure- */
59+
static bool php_is_forbidden_variable_name(const char *mangled_name, size_t mangled_name_len, const char *pre_mangled_name)
60+
{
61+
if (mangled_name_len >= sizeof("__Host-")-1 && strncmp(mangled_name, "__Host-", sizeof("__Host-")-1) == 0 && strncmp(pre_mangled_name, "__Host-", sizeof("__Host-")-1) != 0) {
62+
return true;
63+
}
64+
65+
if (mangled_name_len >= sizeof("__Secure-")-1 && strncmp(mangled_name, "__Secure-", sizeof("__Secure-")-1) == 0 && strncmp(pre_mangled_name, "__Secure-", sizeof("__Secure-")-1) != 0) {
66+
return true;
67+
}
68+
69+
return false;
70+
}
71+
5772
PHPAPI void php_register_variable_ex(const char *var_name, zval *val, zval *track_vars_array)
5873
{
5974
char *p = NULL;
@@ -104,20 +119,6 @@ PHPAPI void php_register_variable_ex(const char *var_name, zval *val, zval *trac
104119
}
105120
var_len = p - var;
106121

107-
/* Discard variable if mangling made it start with __Host-, where pre-mangling it did not start with __Host- */
108-
if (strncmp(var, "__Host-", sizeof("__Host-")-1) == 0 && strncmp(var_name, "__Host-", sizeof("__Host-")-1) != 0) {
109-
zval_ptr_dtor_nogc(val);
110-
free_alloca(var_orig, use_heap);
111-
return;
112-
}
113-
114-
/* Discard variable if mangling made it start with __Secure-, where pre-mangling it did not start with __Secure- */
115-
if (strncmp(var, "__Secure-", sizeof("__Secure-")-1) == 0 && strncmp(var_name, "__Secure-", sizeof("__Secure-")-1) != 0) {
116-
zval_ptr_dtor_nogc(val);
117-
free_alloca(var_orig, use_heap);
118-
return;
119-
}
120-
121122
if (var_len==0) { /* empty variable name, or variable name with a space in it */
122123
zval_ptr_dtor_nogc(val);
123124
free_alloca(var_orig, use_heap);
@@ -221,6 +222,12 @@ PHPAPI void php_register_variable_ex(const char *var_name, zval *val, zval *trac
221222
return;
222223
}
223224
} else {
225+
if (php_is_forbidden_variable_name(index, index_len, var_name)) {
226+
zval_ptr_dtor_nogc(val);
227+
free_alloca(var_orig, use_heap);
228+
return;
229+
}
230+
224231
gpc_element_p = zend_symtable_str_find(symtable1, index, index_len);
225232
if (!gpc_element_p) {
226233
zval tmp;
@@ -258,6 +265,12 @@ PHPAPI void php_register_variable_ex(const char *var_name, zval *val, zval *trac
258265
zval_ptr_dtor_nogc(val);
259266
}
260267
} else {
268+
if (php_is_forbidden_variable_name(index, index_len, var_name)) {
269+
zval_ptr_dtor_nogc(val);
270+
free_alloca(var_orig, use_heap);
271+
return;
272+
}
273+
261274
zend_ulong idx;
262275

263276
/*

0 commit comments

Comments
 (0)