Page MenuHomePhabricator
Files F27615271

0001-SECURITY-Work-around-PHP-bug-in-parse_url-php5.patch
Anomie
Actions

Authored By
Anomie
Dec 17 2018, 6:32 PM
Size
2 KB
Referenced Files
None
Subscribers
None

0001-SECURITY-Work-around-PHP-bug-in-parse_url-php5.patch
View Options

From 112cf202e76c1602cb0da0054ed39986770877c9 Mon Sep 17 00:00:00 2001
From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Mon, 17 Dec 2018 13:20:12 -0500
Subject: [PATCH] SECURITY: Work around PHP bug in parse_url
It gets confused by URLs with a query portion but no path.
Bug: T212067
Change-Id: I15c15161a668115d68eb2e2f8004826b47148fc1
---
includes/GlobalFunctions.php | 12 ++++++
.../GlobalFunctions/wfParseUrlTest.php | 40 +++++++++++++++++++
2 files changed, 52 insertions(+)
diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index a5f4def18f..dacceec253 100644
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -824,6 +824,18 @@ function wfParseUrl( $url ) {
Wikimedia\suppressWarnings();
$bits = parse_url( $url );
Wikimedia\restoreWarnings();
+
+ // T212067: PHP < 5.6.28, 7.0.0–7.0.12, and HHVM (all relevant versions) screw up parsing
+ // the query part of pathless URLs
+ if ( isset( $bits['host'] ) && strpos( $bits['host'], '?' ) !== false ) {
+ list( $host, $query ) = explode( '?', $bits['host'], 2 );
+ $bits['host'] = $host;
+ $bits['query'] = $query
+ . ( isset( $bits['path'] ) ? $bits['path'] : '' )
+ . ( isset( $bits['query'] ) ? '?' . $bits['query'] : '' );
+ unset( $bits['path'] );
+ }
+
// parse_url() returns an array without scheme for some invalid URLs, e.g.
// parse_url("%0Ahttp://example.com") == [ 'host' => '%0Ahttp', 'path' => 'example.com' ]
if ( !$bits || !isset( $bits['scheme'] ) ) {
diff --git a/tests/phpunit/includes/GlobalFunctions/wfParseUrlTest.php b/tests/phpunit/includes/GlobalFunctions/wfParseUrlTest.php
index b20cfb5c22..25a2342953 100644
--- a/tests/phpunit/includes/GlobalFunctions/wfParseUrlTest.php
+++ b/tests/phpunit/includes/GlobalFunctions/wfParseUrlTest.php
@@ -152,6 +152,46 @@ class WfParseUrlTest extends MediaWikiTestCase {
'invalid://test/',
false
],
+ // T212067
+ [
+ '//evil.com?example.org/foo/bar',
+ [
+ 'scheme' => '',
+ 'delimiter' => '//',
+ 'host' => 'evil.com',
+ 'query' => 'example.org/foo/bar',
+ ]
+ ],
+ [
+ '//evil.com?example.org/foo/bar?baz#quux',
+ [
+ 'scheme' => '',
+ 'delimiter' => '//',
+ 'host' => 'evil.com',
+ 'query' => 'example.org/foo/bar?baz',
+ 'fragment' => 'quux',
+ ]
+ ],
+ [
+ '//evil.com?example.org?baz#quux',
+ [
+ 'scheme' => '',
+ 'delimiter' => '//',
+ 'host' => 'evil.com',
+ 'query' => 'example.org?baz',
+ 'fragment' => 'quux',
+ ]
+ ],
+ [
+ '//evil.com?example.org#quux',
+ [
+ 'scheme' => '',
+ 'delimiter' => '//',
+ 'host' => 'evil.com',
+ 'query' => 'example.org',
+ 'fragment' => 'quux',
+ ]
+ ],
];
}
}
--
2.20.0

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
6851344
Default Alt Text
0001-SECURITY-Work-around-PHP-bug-in-parse_url-php5.patch (2 KB)

Event Timeline

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL