From 5cea97e083448aaa2352320612541c895178b3b5 Mon Sep 17 00:00:00 2001

From: "Christoph M. Becker" <cmbecker69@gmx.de>

Date: Mon, 14 Jun 2021 13:22:27 +0200

Subject: [PATCH] Fix #81122: SSRF bypass in FILTER_VALIDATE_URL

We need to ensure that the password detected by parse_url() is actually

a valid password; we can re-use is_userinfo_valid() for that.

---

 ext/filter/logical_filters.c   |  4 +++-

 ext/filter/tests/bug81122.phpt | 21 +++++++++++++++++++++

 2 files changed, 24 insertions(+), 1 deletion(-)

 create mode 100644 ext/filter/tests/bug81122.phpt

diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c

index ba2e7e527e76..721da45d532d 100644

--- a/ext/filter/logical_filters.c

+++ b/ext/filter/logical_filters.c

@@ -632,7 +632,9 @@ void php_filter_validate_url(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */

 		RETURN_VALIDATION_FAILED

 	}

-	if (url->user != NULL && !is_userinfo_valid(url->user)) {

+	if (url->user != NULL && !is_userinfo_valid(url->user)

+		|| url->pass != NULL && !is_userinfo_valid(url->pass)

+	) {

 		php_url_free(url);

 		RETURN_VALIDATION_FAILED

diff --git a/ext/filter/tests/bug81122.phpt b/ext/filter/tests/bug81122.phpt

new file mode 100644

index 000000000000..d89d4114a547

--- /dev/null

+++ b/ext/filter/tests/bug81122.phpt

@@ -0,0 +1,21 @@

+--TEST--

+Bug #81122 (SSRF bypass in FILTER_VALIDATE_URL)

+--SKIPIF--

+

+if (!extension_loaded('filter')) die("skip filter extension not available");

+?>

+--FILE--

+

+$urls = [

+    "https://example.com:\\@test.com/",

+    "https://user:\\epass@test.com",

+    "https://user:\\@test.com",

+];

+foreach ($urls as $url) {

+    var_dump(filter_var($url, FILTER_VALIDATE_URL));

+}

+?>

+--EXPECT--

+bool(false)

+bool(false)

+bool(false)