Page MenuHomePhabricator
Differential D18388

Increase strictness of URI parsing, rejecting URIs in the form "ssh://-flag"
ClosedPublic
Actions

Authored by epriestley on Aug 10 2017, 10:23 PM.

Details

Reviewers
chad
Maniphest Tasks
T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`)
Commits
rPHUee5ebf668ad4: (stable) Promote 2017 Week 32
rPHU276f6d304b69: Increase strictness of URI parsing, rejecting URIs in the form "ssh://-flag"
Summary

Ref T12961. See that task for discussion of the major attack we're responding to here.

  • Reject hosts beginning with "-". These are not legitimate.
  • Reject hosts beginning with ".". These are also not legitimate.
  • Tighten $ to \z. $ can match either "newline, end of string" or "end of string". \z matches ONLY "end of string". We don't want to match a newline, only "end of string" strictly.
  • We already that hosts otherwise contain only "reasonable" characters (letters, numbers, hyphens, and periods).
Test Plan
  • Added unit tests, ran unit tests.
  • Tried to set a repository URI to ssh://-oxyz/path with these changes, which worked previously; it no longer works.

Diff Detail

Repository
rPHU libphutil
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Revision Contents
Changeset List

PathSize
src/
parser/
10 lines
__tests__/
14 lines

Diff 44199

View Options

src/parser/PhutilURI.php

Loading...
View Options

src/parser/__tests__/PhutilURITestCase.php

Loading...
Phabricator · Built by Phacility