Fix #78814: strip_tags allows / in tag name => whitelist bypass

cmb69 · cmb69 · commit 600f1f898f97 · 2019-12-02T11:37:25.000+01:00
When normalizing tags to check whether they are contained in the set
of allowable tags, we must not strip slashes, unless they come
immediately after the opening `&lt;`, or immediately before the closing
`&gt;`.
diff --git a/NEWS b/NEWS
@@ -16,6 +16,8 @@ PHP                                                                        NEWS
   . Fixed bug #78759 (array_search in $GLOBALS). (Nikita)
   . Fixed bug #78833 (Integer overflow in pack causes out-of-bound access).
     (cmb)
+  . Fixed bug #78814 (strip_tags allows / in tag name => whitelist bypass).
+    (cmb)
 
 21 Nov 2019, PHP 7.2.25
 
diff --git a/ext/standard/string.c b/ext/standard/string.c
@@ -4663,7 +4663,7 @@ int php_tag_find(char *tag, size_t len, const char *set) {
 					if (state == 0) {
 						state=1;
 					}
-					if (c != '/') {
+					if (c != '/' || (*(t-1) != '<' && *(t+1) != '>')) {
 						*(n++) = c;
 					}
 				} else {
diff --git a/ext/standard/tests/strings/bug78814.phpt b/ext/standard/tests/strings/bug78814.phpt
@@ -0,0 +1,8 @@
+--TEST--
+Bug #78814 (strip_tags allows / in tag name => whitelist bypass)
+--FILE--
+<?php
+echo strip_tags("<s/trong>b</strong>", "<strong>");
+?>
+--EXPECT--
+b</strong>

Original file line number	Diff line number	Diff line change
`@@ -4663,7 +4663,7 @@ int php_tag_find(char tag, size_t len, const char set) {`
`4663`	`4663`	`if (state == 0) {`
`4664`	`4664`	`state=1;`
`4665`	`4665`	`}`
`4666`		`- if (c != '/') {`
	`4666`	`+ if (c != '/' \|\| ((t-1) != '<' && (t+1) != '>')) {`
`4667`	`4667`	`*(n++) = c;`
`4668`	`4668`	`}`
`4669`	`4669`	`} else {`