!78 Fix CVE-2021-21707

Merge pull request !78 from 莫得感情的打包机器人/openEuler-20.03-LTS-SP3

backport-CVE-2021-21707.patch

@@ -0,0 +1,131 @@
+From f15f8fc573eb38c3c73e23e0930063a6f6409ed4 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 1 Sep 2020 10:04:28 +0200
+Subject: [PATCH] Fix #79971: special character is breaking the path in xml
+ function
+
+The libxml based XML functions accepting a filename actually accept
+URIs with possibly percent-encoded characters.  Percent-encoded NUL
+bytes lead to truncation, like non-encoded NUL bytes would.  We catch
+those, and let the functions fail with a respective warning.
+---
+ ext/dom/domimplementation.c         |  5 +++++
+ ext/dom/tests/bug79971_2.phpt       | 20 ++++++++++++++++++++
+ ext/libxml/libxml.c                 |  9 +++++++++
+ ext/simplexml/tests/bug79971_1.phpt | 27 +++++++++++++++++++++++++++
+ ext/simplexml/tests/bug79971_1.xml  |  2 ++
+ 5 files changed, 63 insertions(+)
+ create mode 100644 ext/dom/tests/bug79971_2.phpt
+ create mode 100644 ext/simplexml/tests/bug79971_1.phpt
+ create mode 100644 ext/simplexml/tests/bug79971_1.xml
+
+diff --git a/ext/dom/domimplementation.c b/ext/dom/domimplementation.c
+index c6629c85e965..6f59f9c7c89f 100644
+--- a/ext/dom/domimplementation.c
++++ b/ext/dom/domimplementation.c
+@@ -112,6 +112,11 @@ PHP_METHOD(domimplementation, createDocumentType)
+ 		pch2 = (xmlChar *) systemid;
+ 	}
+ 
++	if (strstr(name, "%00")) {
++		php_error_docref(NULL, E_WARNING, "URI must not contain percent-encoded NUL bytes");
++		RETURN_FALSE;
++	}
++
+ 	uri = xmlParseURI(name);
+ 	if (uri != NULL && uri->opaque != NULL) {
+ 		localname = xmlStrdup((xmlChar *) uri->opaque);
+diff --git a/ext/dom/tests/bug79971_2.phpt b/ext/dom/tests/bug79971_2.phpt
+new file mode 100644
+index 000000000000..c4e6b1e4e093
+--- /dev/null
++++ b/ext/dom/tests/bug79971_2.phpt
+@@ -0,0 +1,20 @@
++--TEST--
++Bug #79971 (special character is breaking the path in xml function)
++--SKIPIF--
++<?php
++if (!extension_loaded('dom')) die('skip dom extension not available');
++?>
++--FILE--
++<?php
++$imp = new DOMImplementation;
++if (PHP_OS_FAMILY === 'Windows') {
++    $path = '/' . str_replace('\\', '/', __DIR__);
++} else {
++    $path = __DIR__;
++}
++$uri = "file://$path/bug79971_2.xml";
++var_dump($imp->createDocumentType("$uri%00foo"));
++?>
++--EXPECTF--
++Warning: DOMImplementation::createDocumentType(): URI must not contain percent-encoded NUL bytes in %s on line %d
++bool(false)
+diff --git a/ext/libxml/libxml.c b/ext/libxml/libxml.c
+index 2be6a5b47a06..72ceea63274c 100644
+--- a/ext/libxml/libxml.c
++++ b/ext/libxml/libxml.c
+@@ -306,6 +306,10 @@ static void *php_libxml_streams_IO_open_wrapper(const char *filename, const char
+ 	int isescaped=0;
+ 	xmlURI *uri;
+ 
++	if (strstr(filename, "%00")) {
++		php_error_docref(NULL, E_WARNING, "URI must not contain percent-encoded NUL bytes");
++		return NULL;
++	}
+ 
+ 	uri = xmlParseURI(filename);
+ 	if (uri && (uri->scheme == NULL ||
+@@ -437,6 +441,11 @@ php_libxml_output_buffer_create_filename(const char *URI,
+ 	if (URI == NULL)
+ 		return(NULL);
+ 
++	if (strstr(URI, "%00")) {
++		php_error_docref(NULL, E_WARNING, "URI must not contain percent-encoded NUL bytes");
++		return NULL;
++	}
++
+ 	puri = xmlParseURI(URI);
+ 	if (puri != NULL) {
+ 		if (puri->scheme != NULL)
+diff --git a/ext/simplexml/tests/bug79971_1.phpt b/ext/simplexml/tests/bug79971_1.phpt
+new file mode 100644
+index 000000000000..197776d82d38
+--- /dev/null
++++ b/ext/simplexml/tests/bug79971_1.phpt
+@@ -0,0 +1,27 @@
++--TEST--
++Bug #79971 (special character is breaking the path in xml function)
++--SKIPIF--
++<?php
++if (!extension_loaded('simplexml')) die('skip simplexml extension not available');
++?>
++--FILE--
++<?php
++if (PHP_OS_FAMILY === 'Windows') {
++    $path = '/' . str_replace('\\', '/', __DIR__);
++} else {
++    $path = __DIR__;
++}
++$uri = "file://$path/bug79971_1.xml";
++var_dump(simplexml_load_file("$uri%00foo"));
++
++$sxe = simplexml_load_file($uri);
++var_dump($sxe->asXML("$uri.out%00foo"));
++?>
++--EXPECTF--
++Warning: simplexml_load_file(): URI must not contain percent-encoded NUL bytes in %s on line %d
++
++Warning: simplexml_load_file(): I/O warning : failed to load external entity "%s/bug79971_1.xml%00foo" in %s on line %d
++bool(false)
++
++Warning: SimpleXMLElement::asXML(): URI must not contain percent-encoded NUL bytes in %s on line %d
++bool(false)
+diff --git a/ext/simplexml/tests/bug79971_1.xml b/ext/simplexml/tests/bug79971_1.xml
+new file mode 100644
+index 000000000000..912bb76d9d7e
+--- /dev/null
++++ b/ext/simplexml/tests/bug79971_1.xml
+@@ -0,0 +1,2 @@
++<?xml version="1.0"?>
++<root></root>

php.spec

@@ -26,7 +26,7 @@
 
 Name:          php
 Version:       %{upver}%{?rcver:~%{rcver}}
-Release:       5
+Release:       6
 Summary:       PHP scripting language for creating dynamic web sites
 License:       PHP and Zend-2.0 and BSD and MIT and ASL 1.0 and NCSA
 URL:           http://www.php.net/
@@ -62,6 +62,7 @@ Patch11:       backport-0001-CVE-2021-21705.patch
 Patch12:       backport-0002-CVE-2021-21705.patch
 Patch13:       backport-CVE-2021-21704.patch
 Patch14:       backport-CVE-2021-21703.patch
+Patch15:       backport-CVE-2021-21707.patch
 
 BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem
 BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel
@@ -1090,6 +1091,9 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
 %{_mandir}/*
 
 %changelog
+* Fri Jan 28 2022 herengui <herengui@uniontech.com> - 8.0.0-6
+- Fix CVE-2021-21707
+
 * Thu Nov 4 2021 panxiaohe <panxiaohe@huawei.com> - 8.0.0-5
 - Fix CVE-2021-21703