@bukka bukka commented May 31, 2022

It introduces a single function to check file paths passed to OpenSSL functions. It expands paths, checks null bytes and finally does an open basedir check.

@nikic nikic left a comment

It looks like tests for all the elaborate error messages are missing? Like option / array combinations etc.

@bukka bukka force-pushed the openssl_path_check branch 3 times, most recently from fc39eef to 682859a Compare June 2, 2022 19:45
bukka commented Jun 2, 2022

There's still a bit more work (testing) needed as I noticed a few mistakes in params when extending the bug81713.phpt. I will need to cover all functions to be sure that there aren't more mistakes. So far I have got cms and pkcs7 covered as well as a few others. Will extend it further to cover the rest.

@bukka bukka force-pushed the openssl_path_check branch 3 times, most recently from e400a8f to 6dcf71a Compare June 9, 2022 17:20
It introduces a single function to check file paths passed to OpenSSL
functions. It expands the path, checks null bytes and finally does
an open basedir check.
@bukka bukka force-pushed the openssl_path_check branch from 6dcf71a to b765d4c Compare June 9, 2022 18:50
@bukka bukka merged commit b765d4c into php:PHP-8.0 Jun 9, 2022
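
The three steps the commit message lists (expand the path, reject embedded null bytes, check against the base directory), written as a stand-alone C example. This is added here and is not code from the pull request or from PHP; `check_path`, `expand_path`, `inside_basedir` and the sample paths are assumptions, and it handles absolute paths lexically only, without resolving symlinks or relative paths.

```c
#include <stdio.h>
#include <string.h>

enum path_status { PATH_OK, PATH_BAD_INPUT, PATH_NUL_BYTE, PATH_OUTSIDE_BASEDIR };

/* Step 1: lexically expand an absolute path (collapse "//", "." and ".."). */
static int expand_path(const char *in, char *out, size_t outsz) {
    size_t n = 0;
    if (in[0] != '/' || outsz < 2) return -1;
    while (*in) {
        while (*in == '/') in++;
        size_t seg = strcspn(in, "/");
        if (seg == 2 && in[0] == '.' && in[1] == '.') {
            while (n > 0 && out[--n] != '/') { }      /* drop last component */
        } else if (seg > 0 && !(seg == 1 && in[0] == '.')) {
            if (n + seg + 2 > outsz) return -1;       /* would not fit */
            out[n++] = '/';
            memcpy(out + n, in, seg);
            n += seg;
        }
        in += seg;
    }
    if (n == 0) out[n++] = '/';
    out[n] = '\0';
    return 0;
}

/* Step 3: match whole components, so "/srv/app" does not cover "/srv/app-old". */
static int inside_basedir(const char *path, const char *base) {
    size_t blen = strlen(base);
    while (blen > 1 && base[blen - 1] == '/') blen--;  /* ignore trailing '/' */
    if (strncmp(path, base, blen) != 0) return 0;
    return blen == 1 || path[blen] == '/' || path[blen] == '\0';
}

/* path/len model a length-counted string from the caller (hypothetical API). */
enum path_status check_path(const char *path, size_t len, const char *base,
                            char *out, size_t outsz) {
    if (expand_path(path, out, outsz) != 0) return PATH_BAD_INPUT;
    if (strlen(path) != len) return PATH_NUL_BYTE;     /* Step 2: embedded NUL */
    if (!inside_basedir(out, base)) return PATH_OUTSIDE_BASEDIR;
    return PATH_OK;
}

int main(void) {
    char out[256];
    const char p[] = "/srv/app/certs/../keys/./server.pem";  /* constructed */
    printf("%d %s\n", check_path(p, sizeof p - 1, "/srv/app", out, sizeof out), out);
    return 0;
}
```

The null-byte step matters because the caller's string carries its own length while the C file APIs stop at the first NUL, so without it the path that gets validated and the path that gets opened can differ.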