HomePhabricator
Diffusion libphutil 276f6d304b69

Increase strictness of URI parsing, rejecting URIs in the form "ssh://-flag"
276f6d304b69
Actions

Description

Increase strictness of URI parsing, rejecting URIs in the form "ssh://-flag"

Summary:
Ref T12961. See that task for discussion of the major attack we're responding to here.

  • Reject hosts beginning with "-". These are not legitimate.
  • Reject hosts beginning with ".". These are also not legitimate.
  • Tighten $ to \z. $ can match either "newline, end of string" or "end of string". \z matches ONLY "end of string". We don't want to match a newline, only "end of string" strictly.
  • We already that hosts otherwise contain only "reasonable" characters (letters, numbers, hyphens, and periods).

Test Plan:

  • Added unit tests, ran unit tests.
  • Tried to set a repository URI to ssh://-oxyz/path with these changes, which worked previously; it no longer works.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T12961

Differential Revision: https://secure.phabricator.com/D18388

Details

Provenance
epriestleyAuthored on Aug 10 2017, 10:19 PM
epriestleyPushed on Aug 10 2017, 10:32 PM
Reviewer
chad
Differential Revision
D18388: Increase strictness of URI parsing, rejecting URIs in the form "ssh://-flag"
Parents
rPHU3b087892148d: Consolidate binary (hg, git, svn) analysis code into one place
Branches
Unknown
Tags
Unknown
Tasks
T12961: [CVE-2017-1000117, et al] Git, Mercurial and Subversion could all execute arbitrary commands when interacting with malicious SSH URIs (`ssh://-...`)
Build Status
Buildable 17993
Build 24164: Run Core Tests

Changes (2)

PathSize
src/
parser/
__tests__/

rPHU276f6d304b69

View Options

src/parser/PhutilURI.php

Loading...
View Options

src/parser/__tests__/PhutilURITestCase.php

Loading...
Phabricator ยท Built by Phacility