This repository has been archived by the owner on Jun 17, 2022. It is now read-only.

Clamp JSON object depth to PHP limit #22

Merged (1 commit) on Dec 16, 2019


laanwj (Member) commented Dec 15, 2019

Cherry-picks jgarzik#64 to fix CVE-2019-18936.

Based on fe2227d

laanwj (Member, Author) commented Dec 15, 2019

travis error: Looks like this doesn't work as a clean cherry-pick because the return_fail label is missing in our branch.

laanwj force-pushed the 2019_12_cap_obj_depth branch from 3b6854d to 54c4015 on December 15, 2019 11:51

laanwj (Member, Author) commented Dec 15, 2019

I replaced the goto return_fail with direct return false. This effectively reverts jgarzik#58 (which was controversial in bitcoin/bitcoin#17324) over this change.

maflcko commented Dec 15, 2019

Concept ACK

maflcko commented Dec 16, 2019

ACK 54c4015 📣


maflcko pushed a commit that referenced this pull request Dec 16, 2019
54c4015 Clamp JSON object depth to PHP limit (Jeff Garzik)

Pull request description:

  Cherry-picks jgarzik#64 to fix CVE-2019-18936.

  Based on fe2227d

ACKs for top commit:
  MarcoFalke:
    ACK 54c4015 📣

Tree-SHA512: d21458bcfdd37abd84daad46cead0635098d3b1ecd86720c48e724f5e3fcbea39692e1b1fbb2e0d9401a5121df44f280dc6eba8e3ace474c8f4cdb81004a6189

maflcko merged commit 54c4015 into master Dec 16, 2019
maflcko deleted the 2019_12_cap_obj_depth branch December 16, 2019 19:00
DeckerSU added a commit to DeckerSU/KomodoOcean that referenced this pull request Dec 23, 2019