From 600f1f898f9771d13880255e74ea1c10590f5fd5 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Sun, 17 Nov 2019 14:14:59 +0100
Subject: [PATCH] Fix #78814: strip_tags allows / in tag name => whitelist bypass

When normalizing tags to check whether they are contained in the set of allowable tags, we must not strip slashes, unless they come immediately after the opening `<`, or immediately before the closing `>`.
---
 NEWS                                     | 2 ++
 ext/standard/string.c                    | 2 +-
 ext/standard/tests/strings/bug78814.phpt | 8 ++++++++
 3 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 ext/standard/tests/strings/bug78814.phpt

diff --git a/NEWS b/NEWS
index 8bb7aa5b1c..6ecf8ad34c 100644
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,8 @@ PHP NEWS
   . Fixed bug #78759 (array_search in $GLOBALS). (Nikita)
   . Fixed bug #78833 (Integer overflow in pack causes out-of-bound access).
     (cmb)
+  . Fixed bug #78814 (strip_tags allows / in tag name => whitelist bypass).
+    (cmb)
 
 21 Nov 2019, PHP 7.2.25
 
diff --git a/ext/standard/string.c b/ext/standard/string.c
index dcf9cb44c7..da51cd0966 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4663,7 +4663,7 @@ int php_tag_find(char *tag, size_t len, const char *set) {
 					if (state == 0) {
 						state=1;
 					}
-					if (c != '/') {
+					if (c != '/' || (*(t-1) != '<' && *(t+1) != '>')) {
 						*(n++) = c;
 					}
 				} else {
diff --git a/ext/standard/tests/strings/bug78814.phpt b/ext/standard/tests/strings/bug78814.phpt
new file mode 100644
index 0000000000..c8ad8373e0
--- /dev/null
+++ b/ext/standard/tests/strings/bug78814.phpt
@@ -0,0 +1,8 @@
+--TEST--
+Bug #78814 (strip_tags allows / in tag name => whitelist bypass)
+--FILE--
+b", "");
+?>
+--EXPECT--
+b
-- 
2.40.0
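Review bot: The new condition dereferences `*(t-1)` without checking that `t` has advanced past the start of `tag`, so a buffer whose first byte is `/` reads one byte before the buffer; if every caller hands over a buffer that begins with `<` and ends with `>` this is unreachable, but `php_tag_find` itself does not enforce that contract, and the loop that advances `t` is outside the hunk. Treating a slash at position 0 like a slash right after `<` keeps the read in bounds without changing the behaviour for well-formed input: `if (c != '/' || ((t > tag && *(t-1) != '<') && *(t+1) != '>')) {`. The `*(t+1)` read is likewise only safe because the buffer is NUL-terminated after the closing `>`, which is worth stating in the function's contract. A why-comment on the new line would also help, since the comment above the loop still describes the old normalisation: `/* keep interior slashes so "<a/b>" cannot normalise to an allowed "<a>" (bug #78814) */`.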
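Review bot: The test appears to pin only the stripping case — the visible call ends with an empty allow list and `--EXPECT--` is `b` — while the commit message carves out two exceptions (a slash immediately after `<` and one immediately before `>`) that are not exercised here. A second case showing that an allowed closing tag survives, e.g. (constructed) `echo strip_tags("</a>x", "<a>");` with expected output `</a>x`, would catch a regression that makes the new condition too strict. The `--FILE--` section is garbled in this rendering (the line between `--FILE--` and `b", "");` is missing, so the eight-line hunk shows seven lines), so this is inferred from the surrounding lines and should be checked against the file itself.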