
Increase strictness of URI parsing, rejecting URIs in the form "ssh://-flag"
Closed, Public

Authored by epriestley on Aug 10 2017, 10:23 PM.

Details

Summary

Ref T12961. See that task for discussion of the major attack we're responding to here.

  • Reject hosts beginning with "-". These are not legitimate.
  • Reject hosts beginning with ".". These are also not legitimate.
  • Tighten $ to \z. $ can match either "newline, end of string" or "end of string". \z matches ONLY "end of string". We don't want to match a newline, only "end of string" strictly.
  • We already require that hosts otherwise contain only "reasonable" characters (letters, numbers, hyphens, and periods).
Test Plan
  • Added unit tests, ran unit tests.
  • Tried to set a repository URI to ssh://-oxyz/path with these changes, which worked previously; it no longer works.
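The following is an added illustration of the checks described in the summary, written in Python rather than taken from libphutil's PHP code: a loose host pattern anchored with `$` beside a tightened one that forbids a leading `-` or `.` and anchors with `\Z` (Python's spelling of PCRE `\z`). The `host_of` helper and the sample URIs are constructed for this example.

```python
import re

# Loose check: "$" also matches just before a trailing "\n", and nothing stops
# the host from starting with "-" (an ssh option) or ".".
LOOSE_HOST = re.compile(r'^[A-Za-z0-9.-]+$')

# Tightened check, following the revision summary: the first character must be
# a letter or digit (rejects "-oxyz" and ".hidden"), and \Z matches only at the
# true end of the string, so a host with a trailing newline is rejected too.
STRICT_HOST = re.compile(r'^[A-Za-z0-9][A-Za-z0-9.-]*\Z')


def host_of(uri: str) -> str:
    """Return the authority part of a scheme://host/path URI (constructed helper).

    [^/]* deliberately swallows newlines so that a host like "example\n" reaches
    the validator, which is exactly the case "$" versus "\Z" is about.
    """
    m = re.match(r'^[a-z][a-z0-9+.-]*://([^/]*)', uri)
    if m is None:
        raise ValueError("not a scheme://host URI: %r" % uri)
    return m.group(1)


def check_uri(uri: str, strict: bool = True) -> bool:
    """True when the URI's host passes the chosen validator, False otherwise."""
    pattern = STRICT_HOST if strict else LOOSE_HOST
    return pattern.match(host_of(uri)) is not None


if __name__ == "__main__":
    samples = [
        "ssh://git.example.com/repo.git",   # legitimate host
        "ssh://-oxyz/path",                 # host is really an ssh option
        "ssh://.hidden/path",               # leading "." is never a real host
        "ssh://git.example.com\n/path",     # trailing newline sneaks past "$"
    ]
    for uri in samples:
        print("%-35r loose=%-5s strict=%s" % (
            uri, check_uri(uri, strict=False), check_uri(uri, strict=True)))
```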

Diff Detail

Repository
rPHU libphutil