Page MenuHomePhabricator
Create Task
Maniphest T212067

wfParseUrl() incorrectly parses hostnames in older PHP versions and HHVM due to bug in parse_url() (CVE-2016-10397 [PHP])
Closed, ResolvedPublic
Actions

Description

As reported on pentest:

The following js:

$.post( 'https://en.wikipedia.beta.wmflabs.org/w/api.php?action=shortenurl&format=json&url=https%3A%2F%2Fgoogle.com/?en%2Ewikipedia%2Ebeta%2Ewmflabs%2Eorg%2Fwiki%2Ffoo' );

Creates a short url, despite the fact the domain is incorrect.

Details

SubjectRepoBranchLines +/-
SECURITY: Work around PHP bug in parse_urlmediawiki/coreREL1_32+53 -0
SECURITY: Work around PHP bug in parse_urlmediawiki/coreREL1_33+53 -0
SECURITY: Work around PHP bug in parse_urlmediawiki/coreREL1_31+53 -0
Tests for an old PHP bug in parse_urlmediawiki/coreREL1_34+40 -0
Tests for an old PHP bug in parse_urlmediawiki/coremaster+40 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Bawolff created this task.Dec 16 2018, 2:55 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 16 2018, 2:55 AM
Bawolff added a project: MediaWiki-extensions-UrlShortener.Dec 16 2018, 2:56 AM
Bawolff added a comment.Dec 16 2018, 8:07 AM

Debugging this, it appears the cause is related to how hosts are split by wfParseUrl().

on php7.0

> var_dump( wfParseUrl( 'https://google.com?en.wikipedia.beta.wmflabs.org/wiki/foo' ) );
array(4) {
  ["scheme"]=>
  string(5) "https"
  ["host"]=>
  string(10) "google.com"
  ["query"]=>
  string(38) "en.wikipedia.beta.wmflabs.org/wiki/foo"
  ["delimiter"]=>
  string(3) "://"
}

But on hhvm wmf servers:

> var_dump( wfParseUrl( 'https://google.com?en.wikipedia.beta.wmflabs.org/wiki/foo' ) );
array(4) {
  ["scheme"]=>
  string(5) "https"
  ["host"]=>
  string(40) "google.com?en.wikipedia.beta.wmflabs.org"
  ["path"]=>
  string(9) "/wiki/foo"
  ["delimiter"]=>
  string(3) "://"
}
Bawolff added a comment.Dec 16 2018, 8:09 AM

Easiest fix (esp. since hhvm is going away) would be to change the domain whitelist entries from (.*\.)?wikipedia\.beta\.wmflabs\.org to something like ([a-zA-Z0-9.-]*\.)?wikipedia\.beta\.wmflabs\.org

Legoktm subscribed.Dec 16 2018, 10:58 PM

According to https://3v4l.org/ko84p PHP only has the correct behavior in 5.6.28+. It was backported in https://bugs.php.net/bug.php?id=73192 as a security fix. Do we need to look at a core workaround for pre-1.31 branches that required PHP 5.5.9+?

I thought HHVM had moved back to the PHP 7 implementation of parse_url (c.f. https://github.com/facebook/hhvm/issues/8104#issuecomment-360226070) but I guess not.

sbassett subscribed.EditedDec 17 2018, 4:43 PM

For the easy fix, I imagine that'd be much simpler and safer to do within:

gerrit.wikimedia.org/g/mediawiki/extensions/UrlShortener/+/c79e331691aa00b137bb55a34090aeb60edaeb51/includes/UrlShortenerUtils.php#231

Er, rather: https://gerrit.wikimedia.org/g/operations/mediawiki-config/+/f8a92cd6dccaed15ee927df7d420adc65c66a43f/wmf-config/CommonSettings-labs.php#116

as opposed to wfParseUrl, which sees heavy use by a lot of things, according to codesearch.

Anomie subscribed.Dec 17 2018, 6:22 PM
In T212067#4826771, @Legoktm wrote:

According to https://3v4l.org/ko84p PHP only has the correct behavior in 5.6.28+. It was backported in https://bugs.php.net/bug.php?id=73192 as a security fix. Do we need to look at a core workaround for pre-1.31 branches that required PHP 5.5.9+?

PHP 7.0.0–7.0.12, which we currently support in master, also show the incorrect behavior.

Anomie added a comment.Dec 17 2018, 6:33 PM

Patches for wfParseUrl():

  • Versions without PHP5 support:
    0001-SECURITY-Work-around-PHP-bug-in-parse_url.patch2 KBDownload
  • Versions with PHP5 support:
    0001-SECURITY-Work-around-PHP-bug-in-parse_url-php5.patch2 KBDownload

Test: https://3v4l.org/9SFUa

Anomie added a project: Patch-For-Review.Dec 17 2018, 6:33 PM
Legoktm added a comment.Dec 17 2018, 10:19 PM
In T212067#4828217, @sbassett wrote:

For the easy fix, I imagine that'd be much simpler and safer to do within:

gerrit.wikimedia.org/g/mediawiki/extensions/UrlShortener/+/c79e331691aa00b137bb55a34090aeb60edaeb51/includes/UrlShortenerUtils.php#231

Er, rather: https://gerrit.wikimedia.org/g/operations/mediawiki-config/+/f8a92cd6dccaed15ee927df7d420adc65c66a43f/wmf-config/CommonSettings-labs.php#116

I think we have to fix this in core, given the usage of wfParseUrl in other security related contexts, including ContentSecurityPolicy, $wgNoFollowDomainExceptions, bypassing Special:LinkSearch, E:SecureLinkFixer, ...

as opposed to wfParseUrl, which sees heavy use by a lot of things, according to codesearch.

Given that we'd just be applying an upstream PHP fix, I think it should be relatively safe.

sbassett added a comment.Dec 17 2018, 10:25 PM

@Legoktm Yep, makes sense and @Anomie's patches above look good in that respect.

Legoktm renamed this task from UrlShortener doesn't correctly validate url whitelists to wfParseUrl() incorrectly parses hostnames in older PHP versions and HHVM due to bug in parse_url().Dec 17 2018, 11:50 PM
Legoktm edited projects, added MediaWiki-General; removed MediaWiki-extensions-UrlShortener.
Legoktm added a subscriber: Smalyshev.
Legoktm added a comment.Dec 18 2018, 9:22 AM
In T212067#4828683, @Anomie wrote:

Patches for wfParseUrl():

  • Versions without PHP5 support:
    0001-SECURITY-Work-around-PHP-bug-in-parse_url.patch2 KBDownload
  • Versions with PHP5 support:
    0001-SECURITY-Work-around-PHP-bug-in-parse_url-php5.patch2 KBDownload

Test: https://3v4l.org/9SFUa

Tested both, +2. I think the commit message should mention that this was already fixed in https://bugs.php.net/bug.php?id=73192 and this is just for specific older versions.

Legoktm added a comment.Dec 18 2018, 9:25 AM

I also discussed this issue with @Smalyshev on IRC earlier, and he noted that there are other issues with parse_url - he's sent an email to @Anomie and I with some more details. Once this security issue is dealt with, we should look at what other bug fixes have been made to parse_url upstream and whether they're important enough for us to work around for older versions.

chasemp triaged this task as Medium priority.Dec 9 2019, 4:40 PM
chasemp added a project: Security-Team.
sbassett added a comment.Dec 9 2019, 6:34 PM

@Legoktm @Anomie - looks like this task fell off the radar. Given where production is at with PHP7, I'm guessing the non-php5 patch from T212067#4828683 is no longer relevant for a security deploy. Does it still make sense to backport these to supported release branches?

sbassett moved this task from Backlog / Other to Other WMF team on the acl*security board.Dec 9 2019, 6:34 PM
sbassett moved this task from Incoming to Watching on the Security-Team board.
Anomie added a comment.Dec 9 2019, 9:50 PM

Yeah, we no longer support any versions of PHP affected by this issue. But including the added unit tests in master would still be a good idea. I have a patch for that prepared, once I have the all-clear to put it in Gerrit.

As for supported releases:

  • 1.34 only supports unaffected versions of PHP.
  • 1.31–1.33 support PHP 7.0.13+, which is not affected, and HHVM 3.18.5, which is. They also state "Although HHVM 3.18.5 or later is supported, it is generally advised to use PHP 7.0.13 or later for long term support".
Smalyshev unsubscribed.Dec 9 2019, 10:02 PM
sbassett added a comment.EditedDec 9 2019, 10:02 PM
In T212067#5726015, @Anomie wrote:

Yeah, we no longer support any versions of PHP affected by this issue. But including the added unit tests in master would still be a good idea. I have a patch for that prepared, once I have the all-clear to put it in Gerrit.

If you're waiting on a thumbs up from the Security-Team, this is fine by me. I can +2 if needed.

As for supported releases:

  • 1.31–1.33 support PHP 7.0.13+, which is not affected, and HHVM 3.18.5, which is. They also state "Although HHVM 3.18.5 or later is supported, it is generally advised to use PHP 7.0.13 or later for long term support".

I'd guess we don't really have a good idea of how many people are actually running MW 1.31-1.33 with HHVM 3.18.5. Still, if the patch picks cleanly to those branches, we should probably expend the effort - I'm happy to try. And to confirm - the conditional in the patch (if ( isset( $bits['host'] ) && strpos( $bits['host'], '?' ) !== false )) works so that anything PHP 7.0.13+ would be unaffected.

Anomie added a comment.Dec 10 2019, 8:51 PM
In T212067#5726058, @sbassett wrote:
In T212067#5726015, @Anomie wrote:

Yeah, we no longer support any versions of PHP affected by this issue. But including the added unit tests in master would still be a good idea. I have a patch for that prepared, once I have the all-clear to put it in Gerrit.

If you're waiting on a thumbs up from the Security-Team, this is fine by me. I can +1/+2 if needed.

Ok, I'll push it to gerrit probably sometime this week.

And to confirm - the conditional in the patch (if ( isset( $bits['host'] ) && strpos( $bits['host'], '?' ) !== false )) works so that anything PHP 7.0.13+ would be unaffected.

Correct.

sbassett added a project: user-sbassett.Dec 10 2019, 9:31 PM
Reedy added a parent task: T233495: Tracking bug for MediaWiki 1.31.6/1.32.6/1.33.2/1.34.0 security release.Dec 10 2019, 10:47 PM
Reedy subscribed.

0001-SECURITY-Work-around-PHP-bug-in-parse_url.patch applies cleanly to 1.31, 1.32 and 1.33

sbassett removed a project: user-sbassett.Dec 10 2019, 10:48 PM
Anomie added a comment.Dec 13 2019, 4:26 PM
In T212067#5729479, @Anomie wrote:
In T212067#5726058, @sbassett wrote:
In T212067#5726015, @Anomie wrote:

Yeah, we no longer support any versions of PHP affected by this issue. But including the added unit tests in master would still be a good idea. I have a patch for that prepared, once I have the all-clear to put it in Gerrit.

If you're waiting on a thumbs up from the Security-Team, this is fine by me. I can +1/+2 if needed.

Ok, I'll push it to gerrit probably sometime this week.

Now up as https://gerrit.wikimedia.org/r/#/c/mediawiki/core/+/557062

sbassett added a comment.Dec 13 2019, 6:19 PM
In T212067#5729995, @Reedy wrote:

0001-SECURITY-Work-around-PHP-bug-in-parse_url.patch applies cleanly to 1.31, 1.32 and 1.33

Ok, so I see the tests for master were merged. I assume the rest (the original patch with tests) will be backported to the other supported release branches with the security release next week. I'm trying to decide if this warrants a CVE on our end since it was technically a workaround for something broken within PHP/HHVM.

Reedy mentioned this in T233495: Tracking bug for MediaWiki 1.31.6/1.32.6/1.33.2/1.34.0 security release.Dec 17 2019, 9:45 PM
Reedy added a comment.Dec 17 2019, 9:54 PM
In T212067#5739969, @sbassett wrote:
In T212067#5729995, @Reedy wrote:

0001-SECURITY-Work-around-PHP-bug-in-parse_url.patch applies cleanly to 1.31, 1.32 and 1.33

Ok, so I see the tests for master were merged. I assume the rest (the original patch with tests) will be backported to the other supported release branches with the security release next week. I'm trying to decide if this warrants a CVE on our end since it was technically a workaround for something broken within PHP/HHVM.

Yeah, I've backported the tests to REL1_34 for completeness, will do the other patches this week as part of the release

In T212067#4826772, @Legoktm wrote:

According to https://3v4l.org/ko84p PHP only has the correct behavior in 5.6.28+. It was backported in https://bugs.php.net/bug.php?id=73192 as a security fix. Do we need to look at a core workaround for pre-1.31 branches that required PHP 5.5.9+?

I thought HHVM had moved back to the PHP 7 implementation of parse_url (c.f. https://github.com/facebook/hhvm/issues/8104#issuecomment-360226070) but I guess not.

^ CVE's were discussed/mentioned upstream, but never assigned. I don't think it's necessarily worth assigning one ourselves, but certainly at least point upstream

Reedy closed this task as Resolved.Dec 19 2019, 2:16 PM
Reedy assigned this task to Anomie.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".
gerritbot added a comment.Dec 19 2019, 2:19 PM

Change 559480 merged by jenkins-bot:
[mediawiki/core@REL1_31] SECURITY: Work around PHP bug in parse_url

https://gerrit.wikimedia.org/r/559480

gerritbot added a comment.Dec 19 2019, 2:21 PM

Change 559483 merged by jenkins-bot:
[mediawiki/core@REL1_32] SECURITY: Work around PHP bug in parse_url

https://gerrit.wikimedia.org/r/559483

gerritbot added a comment.Dec 19 2019, 2:23 PM

Change 559485 merged by jenkins-bot:
[mediawiki/core@REL1_33] SECURITY: Work around PHP bug in parse_url

https://gerrit.wikimedia.org/r/559485

ReleaseTaggerBot added projects: MW-1.31-release-notes, MW-1.33-notes, MW-1.32-notes.Dec 19 2019, 3:00 PM
Lewassec subscribed.Dec 30 2019, 12:34 PM

fyi, the issue in PHP (Sec Bug #73192) was assigned CVE-2016-10397. Seems like the Bug was never updated accordingly.

https://nvd.nist.gov/vuln/detail/CVE-2016-10397

sbassett renamed this task from wfParseUrl() incorrectly parses hostnames in older PHP versions and HHVM due to bug in parse_url() to wfParseUrl() incorrectly parses hostnames in older PHP versions and HHVM due to bug in parse_url() (CVE-2016-10397 [PHP]).Dec 30 2019, 11:40 PM
chasemp added a project: Security.Feb 10 2020, 10:57 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:16 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:41 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL