Fix #78814: strip_tags allows / in tag name => whitelist bypass

When normalizing tags to check whether they are contained in the set
of allowable tags, we must not strip slashes, unless they come
immediately after the opening `<`, or immediately before the closing
`>`.

diff --git a/NEWS b/NEWS
index 8bb7aa5b1c16d1729e07ea455fa2ac769515a537..6ecf8ad34c4a9077e62c94caaf9fbdca57d44059 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,8 @@ PHP                                                                        NEWS
   . Fixed bug #78759 (array_search in $GLOBALS). (Nikita)
   . Fixed bug #78833 (Integer overflow in pack causes out-of-bound access).
     (cmb)
+  . Fixed bug #78814 (strip_tags allows / in tag name => whitelist bypass).
+    (cmb)
 
 21 Nov 2019, PHP 7.2.25
 

diff --git a/ext/standard/string.c b/ext/standard/string.c
index dcf9cb44c76b6546de6734278e76b59e8aa747eb..da51cd0966fc86db5cdccc8992faf0c86e232360 100644 (file)
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4663,7 +4663,7 @@ int php_tag_find(char *tag, size_t len, const char *set) {
                                        if (state == 0) {
                                                state=1;
                                        }
-                                       if (c != '/') {
+                                       if (c != '/' || (*(t-1) != '<' && *(t+1) != '>')) {
                                                *(n++) = c;
                                        }
                                } else {

diff --git a/ext/standard/tests/strings/bug78814.phpt b/ext/standard/tests/strings/bug78814.phpt
new file mode 100644 (file)
index 0000000..c8ad837
--- /dev/null
+++ b/ext/standard/tests/strings/bug78814.phpt
@@ -0,0 +1,8 @@
+--TEST--
+Bug #78814 (strip_tags allows / in tag name => whitelist bypass)
+--FILE--
+<?php
+echo strip_tags("<s/trong>b</strong>", "<strong>");
+?>
+--EXPECT--
+b</strong>