Bugzilla – Bug 1180706
VUL-0: CVE-2020-7071: php5,php74,php72,php53,php7: FILTER_VALIDATE_URL accepts URLs with invalid userinfo
Last modified: 2021-02-11 11:35:26 UTC

CVE-2020-7071

A flaw was found in PHP in the way the function parse_url() returns an erroneous host, which would be valid for `FILTER_VALIDATE_URL`.

Reference:
https://bugs.php.net/bug.php?id=77423

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1913846
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7071


Created attachment 844947 [details]
POC

run php $POC

vulnerable:
string(33) "http://php.net\@aliyun.com/aaa.do"
array(4) {
  ["scheme"]=>
  string(4) "http"
  ["host"]=>
  string(10) "aliyun.com"
  ["user"]=>
  string(8) "php.net\"
  ["path"]=>
  string(7) "/aaa.do"
}
string(34) "https://example.com\uFF03@bing.com"
array(3) {
  ["scheme"]=>
  string(5) "https"
  ["host"]=>
  string(8) "bing.com"
  ["user"]=>
  string(17) "example.com\uFF03"

Fixed:
bool(false)
array(3) {
  ["scheme"]=>
  string(4) "http"
  ["host"]=>
  string(19) "php.net\@aliyun.com"
  ["path"]=>
  string(7) "/aaa.do"
}
bool(false)
array(2) {
  ["scheme"]=>
  string(5) "https"
  ["host"]=>
  string(26) "example.com\uFF03@bing.com"
}

Tracked as affected all supported php versions
Upstream issue https://bugs.php.net/bug.php?id=77423

BEFORE

As said in comment 1: 7.4,7.2,5.3,5.2

$ php phptest.php
string(33) "http://php.net\@aliyun.com/aaa.do"
array(4) {
  ["scheme"]=>
  string(4) "http"
  ["host"]=>
  string(10) "aliyun.com"
  ["user"]=>
  string(8) "php.net\"
  ["path"]=>
  string(7) "/aaa.do"
}
string(34) "https://example.com\uFF03@bing.com"
array(3) {
  ["scheme"]=>
  string(5) "https"
  ["host"]=>
  string(8) "bing.com"
  ["user"]=>
  string(17) "example.com\uFF03"
}
$

PATCH

http://git.php.net/?p=php-src.git;a=commit;h=b132da7f9df39c1774997f21016c522b676a6ab0
http://git.php.net/?p=php-src.git;a=commit;h=2d3d72412a6734e19a38ed10f385227a6238e4a6

QA: note the change of the testsuite

AFTER

As said in comment 1: 7.4,7.2,5.3,5.2

$ php phptest.php
bool(false)
array(3) {
  ["scheme"]=>
  string(4) "http"
  ["host"]=>
  string(19) "php.net\@aliyun.com"
  ["path"]=>
  string(7) "/aaa.do"
}
bool(false)
array(2) {
  ["scheme"]=>
  string(5) "https"
  ["host"]=>
  string(26) "example.com\uFF03@bing.com"
}
$

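The before/after check from the comment above as a self-contained script, added here as an example and not the bug's attachment or the upstream test: it feeds the two URLs from the output to filter_var() and exits non-zero if either is still accepted. The function names and the safe_host() guard are assumptions of this example; it needs PHP 7.1 or later.

```php
<?php
// Added example (not the bug's attachment): regression check using the two
// URLs from the BEFORE/AFTER output in this bug. Assumes PHP 7.1 or later.

// Single quotes keep the backslashes literal, as in the reported strings.
const CVE_2020_7071_SAMPLES = [
    'http://php.net\@aliyun.com/aaa.do',
    'https://example.com\uFF03@bing.com',
];

/** True when this PHP build still accepts $url via FILTER_VALIDATE_URL (pre-fix behaviour). */
function accepts_invalid_userinfo(string $url): bool
{
    return filter_var($url, FILTER_VALIDATE_URL) !== false;
}

/**
 * Hypothetical application-side guard for code that derives a host from a
 * user-supplied URL: accept only http(s) URLs that pass FILTER_VALIDATE_URL
 * and contain neither a backslash nor any userinfo. Returns the host or null.
 */
function safe_host(string $url): ?string
{
    if (strpos($url, '\\') !== false || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    if (!isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return strtolower($parts['host']);
}

$vulnerable = false;
foreach (CVE_2020_7071_SAMPLES as $url) {
    $hit = accepts_invalid_userinfo($url);
    $vulnerable = $vulnerable || $hit;
    printf("%-38s filter_var: %-8s safe_host: %s\n",
        $url, $hit ? 'ACCEPTED' : 'rejected', var_export(safe_host($url), true));
}
exit($vulnerable ? 1 : 0);
```

The guard returns null for both sample URLs on patched and unpatched builds alike, because it rejects any backslash before consulting filter_var().
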
Submitted for 15sp2/php7,15/php7,12/php74,12/php72,11sp3/php53,11/php5 and devel:languages:php:php56/php5.
I believe all fixed.

SUSE-SU-2021:0124-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1180706
CVE References: CVE-2020-7071
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src): php7-7.4.6-3.14.2
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src): php7-7.4.6-3.14.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.


SUSE-SU-2021:0125-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1180706
CVE References: CVE-2020-7071
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): php72-7.2.5-1.57.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php72-7.2.5-1.57.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.


SUSE-SU-2021:0126-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1180706
CVE References: CVE-2020-7071
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): php74-7.4.6-1.16.1
SUSE Linux Enterprise Module for Web Scripting 12 (src): php74-7.4.6-1.16.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.


openSUSE-SU-2021:0101-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1180706
CVE References: CVE-2020-7071
JIRA References:
Sources used:
openSUSE Leap 15.1 (src): php7-7.2.5-lp151.6.39.1, php7-test-7.2.5-lp151.6.39.1


openSUSE-SU-2021:0106-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1180706
CVE References: CVE-2020-7071
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): php7-7.4.6-lp152.2.12.1, php7-test-7.4.6-lp152.2.12.1