diff options
author | Christoph M. Becker <cmbecker69@gmx.de> | 2019-12-02 11:38:11 +0100 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2019-12-02 11:38:45 +0100 |
commit | 861fa60814d9eb2173538c36c8c14d4de956b179 (patch) | |
tree | ffc886fe3320776502b5d461f7c055f4638532b7 | |
parent | bb735c9e9e4a2ca2686a141ffe867f60ee0053c3 (diff) | |
parent | 600f1f898f9771d13880255e74ea1c10590f5fd5 (diff) | |
download | php-git-861fa60814d9eb2173538c36c8c14d4de956b179.tar.gz |
Merge branch 'PHP-7.2' into PHP-7.3
* PHP-7.2:
Fix #78814: strip_tags allows / in tag name => whitelist bypass
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | ext/standard/string.c | 2 | ||||
-rw-r--r-- | ext/standard/tests/strings/bug78814.phpt | 8 |
3 files changed, 11 insertions, 1 deletions
@@ -29,6 +29,8 @@ PHP NEWS . Fixed bug #78840 (imploding $GLOBALS crashes). (cmb) . Fixed bug #78833 (Integer overflow in pack causes out-of-bound access). (cmb) + . Fixed bug #78814 (strip_tags allows / in tag name => whitelist bypass). + (cmb) 21 Nov 2019, PHP 7.3.12 diff --git a/ext/standard/string.c b/ext/standard/string.c index 55c3f395d3..39063484df 100644 --- a/ext/standard/string.c +++ b/ext/standard/string.c @@ -5003,7 +5003,7 @@ int php_tag_find(char *tag, size_t len, const char *set) { if (state == 0) { state=1; } - if (c != '/') { + if (c != '/' || (*(t-1) != '<' && *(t+1) != '>')) { *(n++) = c; } } else { diff --git a/ext/standard/tests/strings/bug78814.phpt b/ext/standard/tests/strings/bug78814.phpt new file mode 100644 index 0000000000..c8ad8373e0 --- /dev/null +++ b/ext/standard/tests/strings/bug78814.phpt @@ -0,0 +1,8 @@ +--TEST-- +Bug #78814 (strip_tags allows / in tag name => whitelist bypass) +--FILE-- +<?php +echo strip_tags("<s/trong>b</strong>", "<strong>"); +?> +--EXPECT-- +b</strong> |