[SECURITY] Circumvent parser deviation in PSR-7 URI object

bnf · ohader · commit a4abf48d2546 · 2025-01-14T10:47:32.000+01:00
Adapt the URI object to refuse construction based on invalid URL inputs. As `parse_url()` is defined to not validate the resulting parts of the parsed URL, a parser deviation between PHP and browser URL implementations is possible when URL parts contain invalid characters. The missing validation is now performed via PHP upstream rules built into `filter_var()`. Note that `filter_var` has two limitations: It requires a fully qualified URL and it can not validate IDN domain names that have not been converted to ascii before. In order to circumvent these limitations we'll imply a intermediate fake default-scheme and perform IDN-to-ascii conversion for the purpose of the validation. Resolves: #105170 Releases: main, 13.4, 12.4 Change-Id: I63d02de49de53513a8f3b4442a35dccb01b92eff Security-Bulletin: TYPO3-CORE-SA-2025-002 Security-References: CVE-2024-55892 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/87743 Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>
diff --git a/typo3/sysext/core/Classes/Http/Uri.php b/typo3/sysext/core/Classes/Http/Uri.php
@@ -117,7 +117,7 @@ public static function fromAnyScheme(string $uri = ''): self
 
     /**
      * @param string $uri The full URI including query string and fragment
-     * @throws \InvalidArgumentException when the URI is not a string
+     * @throws \InvalidArgumentException if the URI is malformed.
      */
     public function __construct(string $uri = '')
     {
@@ -154,7 +154,14 @@ protected function parseUri(string $uri): void
             }
         }
         if (isset($uriParts['port'])) {
-            $this->port = (int)$uriParts['port'];
+            $port = (int)$uriParts['port'];
+            if (!$this->validatePort($port)) {
+                throw new \InvalidArgumentException(
+                    'The uri "' . $uri . '" appears to be malformed, invalid port "' . $port . '" specified, must be a valid TCP/UDP port',
+                    1728057215
+                );
+            }
+            $this->port = $port;
         }
         if (isset($uriParts['path'])) {
             $this->path = $this->sanitizePath($uriParts['path']);
@@ -165,6 +172,30 @@ protected function parseUri(string $uri): void
         if (isset($uriParts['fragment'])) {
             $this->fragment = $this->sanitizeFragment($uriParts['fragment']);
         }
+
+        if (!$this->validate()) {
+            throw new \InvalidArgumentException('The uri "' . $uri . '" appears to be malformed', 1728057216);
+        }
+    }
+
+    protected function validate(): bool
+    {
+        $url = clone $this;
+
+        if ($url->scheme === '') {
+            // filter_var will mark //example.com/ as invalid, let's pretend it's https in this case
+            $url->scheme = 'https';
+        }
+
+        if ($url->host === '') {
+            // filter_var will mark /mypath/ as invalid, let's pretend it's localhost in this case
+            $url->host = 'localhost';
+        } else {
+            // filter_var can not validate UTF8 encoded hosts
+            $url->host = idn_to_ascii($url->host);
+        }
+
+        return filter_var($url->__toString(), FILTER_VALIDATE_URL) !== false;
     }
 
     /**
@@ -445,17 +476,23 @@ public function withHost(string $host): UriInterface
      */
     public function withPort(?int $port): UriInterface
     {
-        if ($port !== null) {
-            if ($port < 1 || $port > 65535) {
-                throw new \InvalidArgumentException('Invalid port "' . $port . '" specified, must be a valid TCP/UDP port.', 1436717326);
-            }
+        if ($port !== null && !$this->validatePort($port)) {
+            throw new \InvalidArgumentException('Invalid port "' . $port . '" specified, must be a valid TCP/UDP port.', 1436717326);
         }
 
         $clonedObject = clone $this;
         $clonedObject->port = $port;
         return $clonedObject;
     }
 
+    protected function validatePort(int $port): bool
+    {
+        if ($port < 1 || $port > 65535) {
+            return false;
+        }
+        return true;
+    }
+
     /**
      * Return an instance with the specified path.
      *
diff --git a/typo3/sysext/core/Classes/Security/ContentSecurityPolicy/UriValue.php b/typo3/sysext/core/Classes/Security/ContentSecurityPolicy/UriValue.php
@@ -36,6 +36,20 @@ public static function fromUri(UriInterface $other): self
         return new self((string)$other);
     }
 
+    protected function validate(): bool
+    {
+        $backupHost = null;
+        if ($this->host) {
+            $backupHost = $this->host;
+            $this->host = str_replace('*', 'wildcard', $this->host);
+        }
+        $ret = parent::validate();
+        if ($backupHost !== null) {
+            $this->host = $backupHost;
+        }
+        return $ret;
+    }
+
     public function __toString(): string
     {
         if ($this->entireWildcard) {
diff --git a/typo3/sysext/core/Tests/Unit/Http/UriTest.php b/typo3/sysext/core/Tests/Unit/Http/UriTest.php
@@ -110,14 +110,33 @@ public function withPortAndNullValueReturnsInstanceWithProvidedPort(): void
     public function noSchemeWithDomainAlikeIsInterpretedAsPath(): void
     {
         $subject = new Uri('www.example.com');
+        // This is counter intuitive, but interpreted as path.
+        // Although we'd like to see protocol independent `//` here,
+        // we must not change this, as…
         self::assertEquals('/www.example.com', (string)$subject);
+
+        // …this behaviour is security relevant.
+        // This invalid domain name – given without a scheme – is
+        // only "save" because they are considered to be paths
+        // (invalid hostname alike is not parsed as a hostname):
+        $subject = new Uri('evil.tld\\@host.tld');
+        self::assertEquals('/evil.tld%5C@host.tld', (string)$subject);
+
+        $subject = new Uri('evil.tld\\\\\\@host.tld');
+        self::assertEquals('/evil.tld%5C%5C%5C@host.tld', (string)$subject);
     }
 
     #[Test]
     public function noSchemeWithDomainAlikeAndTrailingSlashIsInterpretedAsPath(): void
     {
         $subject = new Uri('www.example.com/');
         self::assertEquals('/www.example.com/', (string)$subject);
+
+        $subject = new Uri('evil.tld\\@host.tld/');
+        self::assertEquals('/evil.tld%5C@host.tld/', (string)$subject);
+
+        $subject = new Uri('evil.tld\\\\\\@host.tld/');
+        self::assertEquals('/evil.tld%5C%5C%5C@host.tld/', (string)$subject);
     }
 
     public static function validPortsDataProvider(): array
@@ -497,6 +516,69 @@ public function canParseInternationalizedDomainName(): void
         self::assertEquals('https://ουτοπία.δπθ.gr/', (string)$uri);
     }
 
+    public static function invalidHostDataProvider(): \Generator
+    {
+        yield [
+            'url' => 'https://evil.tld\\@host.tld/',
+            'parseUrl' => 'host.tld',
+            'chrome' => 'evil.tld',
+        ];
+
+        yield [
+            'url' => 'https://evil.tld\\\\@host.tld/',
+            'parseUrl' => 'host.tld',
+            'chrome' => 'evil.tld',
+        ];
+
+        yield [
+            'url' => 'https://evil.tld\\\\\\@host.tld/',
+            'parseUrl' => 'host.tld',
+            'chrome' => 'evil.tld',
+        ];
+
+        yield [
+            'url' => '//evil.tld\\@host.tld/',
+            'parseUrl' => 'host.tld',
+            'chrome' => 'evil.tld',
+        ];
+
+        yield [
+            'url' => '//evil.tld\\\\\\@host.tld',
+            'parseUrl' => 'host.tld',
+            'chrome' => 'evil.tld',
+        ];
+
+        yield [
+            'url' => 'http://normal.com[@evil.tld]/',
+            'parseUrl' => 'evil.tld]',
+            'chrome' => 'evil.tld',
+        ];
+
+        yield [
+            'url' => 'http://evil.tld\\',
+            'parseUrl' => 'evil.tld\\',
+            'chrome' => 'evil.tld',
+        ];
+    }
+
+    #[DataProvider('invalidHostDataProvider')]
+    #[Test]
+    public function uriParsingThrowsExceptionForParserDeviatingHostValues($url, $parseUrl, $chrome): void
+    {
+        $this->expectException(\InvalidArgumentException::class);
+        $this->expectExceptionCode(1728057216);
+        new Uri($url);
+    }
+
+    #[DataProvider('invalidHostDataProvider')]
+    #[Test]
+    public function parseUrlReturnsExpectedInvalidHostForInvalidHostURLs($url, $parseUrl, $chrome): void
+    {
+        $result = parse_url($url, PHP_URL_HOST);
+        self::assertSame($parseUrl, $result);
+        self::assertNotSame($chrome, $result);
+    }
+
     #[Test]
     public function canParseAllPropertiesWithIPv6(): void
     {
@@ -563,4 +645,36 @@ public function canStringifyMalformedBracketlessIPv6toValidIPv6(): void
         $uri = new Uri($input);
         self::assertSame($expected, (string)$uri);
     }
+
+    /**
+     * @return iterable<non-empty-string, array{non-empty-string}>
+     */
+    public static function invalidUriProvider(): iterable
+    {
+        yield 'Unsupported scheme ftp' => ['ftp://user:pass@local.example.com:3001/foo?bar=baz#quz'];
+        yield 'Unsupported scheme ssh' => ['ssh://user:pass@local.example.com:3001/foo?bar=baz#quz'];
+        yield 'Unsupported scheme git' => ['git://user:pass@local.example.com:3001/foo?bar=baz#quz'];
+
+        yield 'Invalid port -1 (too small)' => ['https://user:pass@local.example.com:-1/foo?bar=baz#quz'];
+        yield 'Invalid port 0 (zero)' => ['https://user:pass@local.example.com:0/foo?bar=baz#quz'];
+        yield 'Invalid port 65536 (too big)' => ['https://user:pass@local.example.com:65536/foo?bar=baz#quz'];
+
+        yield from [
+            'Malformed URI'             => ['http://invalid:%20https://example.com'],
+            'Colon in non-IPv6 host'    => ['https://user:pass@local:example.com:3001/foo?bar=baz#quz'],
+            'Wrong bracket in the IPv6' => ['https://user:pass@fe80[::200:5aee:feaa:20a2]:3001/foo?bar=baz#quz'],
+            // percent encoding is allowed in URI but not in web urls particularly with idn encoding for dns.
+            // no validation for correct percent encoding either
+            // 'Percent in the host' => ["https://user:pass@local%example.com:3001/foo?bar=baz#quz"],
+            'Bracket in the host' => ['https://user:pass@[local.example.com]:3001/foo?bar=baz#quz'],
+        ];
+    }
+
+    #[DataProvider('invalidUriProvider')]
+    #[Test]
+    public function invalidUriRaisesAnException(string $invalidUri): void
+    {
+        $this->expectException(\InvalidArgumentException::class);
+        new Uri($invalidUri);
+    }
 }
