Описание
Filter bypass in filter_var (FILTER_VALIDATE_URL)
Summary
An early-return in filter_var (FILTER_VALIDATE_URL) will result in invalid user information (username + password part of URLs) being treated as valid user information.
This causes the same problems as CVE-2020-7071, but with IPv6 host parts.
Details
The function php_filter_validate_url in php-src/ext/filter/logical_filters.c contains the logic for validating URLs.
For HTTP-IPv6 addresses the implementation contains an early return statement that results in further checks on the user_info being skipped. The offending return statement is at: https://github.com/php/php-src/blob/master/ext/filter/logical_filters.c#L618
This results in invalid user information being passed as valid for URLs with IPv6 Hosts.
Fix: Restructuring the code to include the user_info checks if the IPv6-host part is correct. This could be done by only return "SUCCESS" if the end of the function is reached.
PoC
To prove the user info check was skipped I looked for a character that is not allowed in usernames. (Based on the validation code in is_userinfo_valid)
I chose [.
The following statements show that the handling of the URLs is different if the "host" part of the URL is changed.
Output for 7.3.27 - 7.3.33, 7.4.15 - 7.4.33, 8.0.2 - 8.0.30, 8.1.0 - 8.1.28, 8.2.0 - 8.2.19, 8.3.0 - 8.3.7
Output for 7.3.26, 7.4.14, 8.0.1 (CVE-2020-7071 was patched here!)
Output for 5.2.0 - 5.2.12, 5.3.0 - 5.3.1, 7.0.0 - 7.0.33, 7.1.0 - 7.1.33, 7.2.0 - 7.2.34, 7.3.0 - 7.3.25, 7.4.0 - 7.4.13, 8.0.0
Output for 5.2.13 - 5.2.17, 5.3.2 - 5.3.29, 5.4.0 - 5.4.45, 5.5.0 - 5.5.38, 5.6.0 - 5.6.40
Impact
This bug impacts users that expect only completely valid URLs to be returned by filter_var (FILTER_VALIDATE_URL).
As this function is meant to validate user supplied strings this will be exposed to raw user input often.
As this is almost the same vulnerability as CVE-2020-7071 this should also have a MEDIUM impact.
Related info: Bugfix for invalid usernames: https://bugs.php.net/bug.php?id=77423 (contains another example POC)
Пакеты
7.3.27 - 7.3.33, 7.4.15 - 7.4.33, 8.0.2 - 8.0.30, 8.1.0 - 8.1.28, 8.2.0 - 8.2.19, 8.3.0 - 8.3.7
8.1.29, 8.2.20, 8.3.8.
Связанные уязвимости
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs (FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.
In PHP versions8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before ...