Page MenuHomePhabricator
Differential D18388

Increase strictness of URI parsing, rejecting URIs in the form "ssh://-flag"
ClosedPublic
Actions

Authored by epriestley on Aug 10 2017, 10:23 PM.
Tags
None
Referenced Files
F13982069: D18388.id44197.diff
Sat, Oct 19, 9:04 PM
F13976649: D18388.diff
Fri, Oct 18, 3:10 PM
F13960658: D18388.id.diff
Tue, Oct 15, 12:36 AM
Unknown Object (File)
Sun, Oct 13, 10:43 PM
Unknown Object (File)
Oct 2 2024, 3:13 PM
Unknown Object (File)
Oct 2 2024, 9:13 AM
Unknown Object (File)
Sep 23 2024, 11:28 PM
Unknown Object (File)
Sep 15 2024, 6:49 PM
View All Files
Subscribers
None

Details

Reviewers
chad
Maniphest Tasks
T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`)
Commits
rPHUee5ebf668ad4: (stable) Promote 2017 Week 32
rPHU276f6d304b69: Increase strictness of URI parsing, rejecting URIs in the form "ssh://-flag"
Summary

Ref T12961. See that task for discussion of the major attack we're responding to here.

  • Reject hosts beginning with "-". These are not legitimate.
  • Reject hosts beginning with ".". These are also not legitimate.
  • Tighten $ to \z. $ can match either "newline, end of string" or "end of string". \z matches ONLY "end of string". We don't want to match a newline, only "end of string" strictly.
  • We already that hosts otherwise contain only "reasonable" characters (letters, numbers, hyphens, and periods).
Test Plan
  • Added unit tests, ran unit tests.
  • Tried to set a repository URI to ssh://-oxyz/path with these changes, which worked previously; it no longer works.

Diff Detail

Repository
rPHU libphutil
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Revision Contents
Changeset List

PathSize
src/
parser/
10 lines
__tests__/
14 lines

Diff 44199

View Options

src/parser/PhutilURI.php

Loading...
View Options

src/parser/__tests__/PhutilURITestCase.php

Loading...
Phabricator · Built by Phacility