Fix GHSA-52jp-hrpf-2jff: http redirect location truncation

It converts the allocation of location to be on heap instead of stack
and errors if the location length is greater than 8086 bytes.

Author: bukka

ext/standard/http_fopen_wrapper.c

@@ -67,15 +67,16 @@
 
 #include "php_fopen_wrappers.h"
 
-#define HTTP_HEADER_BLOCK_SIZE		1024
-#define PHP_URL_REDIRECT_MAX		20
-#define HTTP_HEADER_USER_AGENT		1
-#define HTTP_HEADER_HOST			2
-#define HTTP_HEADER_AUTH			4
-#define HTTP_HEADER_FROM			8
-#define HTTP_HEADER_CONTENT_LENGTH	16
-#define HTTP_HEADER_TYPE			32
-#define HTTP_HEADER_CONNECTION		64
+#define HTTP_HEADER_BLOCK_SIZE			1024
+#define HTTP_HEADER_MAX_LOCATION_SIZE	8182 /* 8192 - 10 (size of "Location: ") */
+#define PHP_URL_REDIRECT_MAX			20
+#define HTTP_HEADER_USER_AGENT			1
+#define HTTP_HEADER_HOST				2
+#define HTTP_HEADER_AUTH				4
+#define HTTP_HEADER_FROM				8
+#define HTTP_HEADER_CONTENT_LENGTH		16
+#define HTTP_HEADER_TYPE				32
+#define HTTP_HEADER_CONNECTION			64
 
 #define HTTP_WRAPPER_HEADER_INIT    1
 #define HTTP_WRAPPER_REDIRECTED     2
@@ -120,17 +121,15 @@ typedef struct _php_stream_http_response_header_info {
 	size_t file_size;
 	bool error;
 	bool follow_location;
-	char location[HTTP_HEADER_BLOCK_SIZE];
+	char *location;
+	size_t location_len;
 } php_stream_http_response_header_info;
 
 static void php_stream_http_response_header_info_init(
 		php_stream_http_response_header_info *header_info)
 {
-	header_info->transfer_encoding = NULL;
-	header_info->file_size = 0;
-	header_info->error = false;
+	memset(header_info, 0, sizeof(php_stream_http_response_header_info));
 	header_info->follow_location = 1;
-	header_info->location[0] = '\0';
 }
 
 /* Trim white spaces from response header line and update its length */
@@ -256,7 +255,22 @@ static zend_string *php_stream_http_response_headers_parse(php_stream_wrapper *w
 			 * RFC 7238 defines 308: http://tools.ietf.org/html/rfc7238 */
 			header_info->follow_location = 0;
 		}
-		strlcpy(header_info->location, last_header_value, sizeof(header_info->location));
+		size_t last_header_value_len = strlen(last_header_value);
+		if (last_header_value_len > HTTP_HEADER_MAX_LOCATION_SIZE) {
+			header_info->error = true;
+			php_stream_wrapper_log_error(wrapper, options,
+					"HTTP Location header size is over the limit of %d bytes",
+					HTTP_HEADER_MAX_LOCATION_SIZE);
+			zend_string_efree(last_header_line_str);
+			return NULL;
+		}
+		if (header_info->location_len == 0) {
+			header_info->location = emalloc(last_header_value_len + 1);
+		} else if (header_info->location_len <= last_header_value_len) {
+			header_info->location = erealloc(header_info->location, last_header_value_len + 1);
+		}
+		header_info->location_len = last_header_value_len;
+		memcpy(header_info->location, last_header_value, last_header_value_len + 1);
 	} else if (!strncasecmp(last_header_line, "Content-Type:", sizeof("Content-Type:")-1)) {
 		php_stream_notify_info(context, PHP_STREAM_NOTIFY_MIME_TYPE_IS, last_header_value, 0);
 	} else if (!strncasecmp(last_header_line, "Content-Length:", sizeof("Content-Length:")-1)) {
@@ -536,6 +550,8 @@ static php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
 		}
 	}
 
+	php_stream_http_response_header_info_init(&header_info);
+
 	if (stream == NULL)
 		goto out;
 
@@ -917,8 +933,6 @@ static php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
 		}
 	}
 
-	php_stream_http_response_header_info_init(&header_info);
-
 	/* read past HTTP headers */
 	while (!php_stream_eof(stream)) {
 		size_t http_header_line_length;
@@ -988,12 +1002,12 @@ static php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
 				last_header_line_str, NULL, NULL, response_code, response_header, &header_info);
 	}
 
-	if (!reqok || (header_info.location[0] != '\0' && header_info.follow_location)) {
+	if (!reqok || (header_info.location != NULL && header_info.follow_location)) {
 		if (!header_info.follow_location || (((options & STREAM_ONLY_GET_HEADERS) || ignore_errors) && redirect_max <= 1)) {
 			goto out;
 		}
 
-		if (header_info.location[0] != '\0')
+		if (header_info.location != NULL)
 			php_stream_notify_info(context, PHP_STREAM_NOTIFY_REDIRECTED, header_info.location, 0);
 
 		php_stream_close(stream);
@@ -1004,18 +1018,17 @@ static php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
 			header_info.transfer_encoding = NULL;
 		}
 
-		if (header_info.location[0] != '\0') {
+		if (header_info.location != NULL) {
 
-			char new_path[HTTP_HEADER_BLOCK_SIZE];
-			char loc_path[HTTP_HEADER_BLOCK_SIZE];
+			char *new_path = NULL;
 
-			*new_path='\0';
 			if (strlen(header_info.location) < 8 ||
 					(strncasecmp(header_info.location, "http://", sizeof("http://")-1) &&
 							strncasecmp(header_info.location, "https://", sizeof("https://")-1) &&
 							strncasecmp(header_info.location, "ftp://", sizeof("ftp://")-1) &&
 							strncasecmp(header_info.location, "ftps://", sizeof("ftps://")-1)))
 			{
+				char *loc_path = NULL;
 				if (*header_info.location != '/') {
 					if (*(header_info.location+1) != '\0' && resource->path) {
 						char *s = strrchr(ZSTR_VAL(resource->path), '/');
@@ -1033,31 +1046,35 @@ static php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
 						if (resource->path &&
 							ZSTR_VAL(resource->path)[0] == '/' &&
 							ZSTR_VAL(resource->path)[1] == '\0') {
-							snprintf(loc_path, sizeof(loc_path) - 1, "%s%s",
-									ZSTR_VAL(resource->path), header_info.location);
+							spprintf(&loc_path, 0, "%s%s", ZSTR_VAL(resource->path), header_info.location);
 						} else {
-							snprintf(loc_path, sizeof(loc_path) - 1, "%s/%s",
-									ZSTR_VAL(resource->path), header_info.location);
+							spprintf(&loc_path, 0, "%s/%s", ZSTR_VAL(resource->path), header_info.location);
 						}
 					} else {
-						snprintf(loc_path, sizeof(loc_path) - 1, "/%s", header_info.location);
+						spprintf(&loc_path, 0, "/%s", header_info.location);
 					}
 				} else {
-					strlcpy(loc_path, header_info.location, sizeof(loc_path));
+					loc_path = header_info.location;
+					header_info.location = NULL;
 				}
 				if ((use_ssl && resource->port != 443) || (!use_ssl && resource->port != 80)) {
-					snprintf(new_path, sizeof(new_path) - 1, "%s://%s:%d%s", ZSTR_VAL(resource->scheme), ZSTR_VAL(resource->host), resource->port, loc_path);
+					spprintf(&new_path, 0, "%s://%s:%d%s", ZSTR_VAL(resource->scheme),
+							ZSTR_VAL(resource->host), resource->port, loc_path);
 				} else {
-					snprintf(new_path, sizeof(new_path) - 1, "%s://%s%s", ZSTR_VAL(resource->scheme), ZSTR_VAL(resource->host), loc_path);
+					spprintf(&new_path, 0, "%s://%s%s", ZSTR_VAL(resource->scheme),
+							ZSTR_VAL(resource->host), loc_path);
 				}
+				efree(loc_path);
 			} else {
-				strlcpy(new_path, header_info.location, sizeof(new_path));
+				new_path = header_info.location;
+				header_info.location = NULL;
 			}
 
 			php_url_free(resource);
 			/* check for invalid redirection URLs */
 			if ((resource = php_url_parse(new_path)) == NULL) {
 				php_stream_wrapper_log_error(wrapper, options, "Invalid redirect URL! %s", new_path);
+				efree(new_path);
 				goto out;
 			}
 
@@ -1069,6 +1086,7 @@ static php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
 		while (s < e) { \
 			if (iscntrl(*s)) { \
 				php_stream_wrapper_log_error(wrapper, options, "Invalid redirect URL! %s", new_path); \
+				efree(new_path); \
 				goto out; \
 			} \
 			s++; \
@@ -1091,6 +1109,7 @@ static php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
 			stream = php_stream_url_wrap_http_ex(
 				wrapper, new_path, mode, options, opened_path, context,
 				--redirect_max, new_flags, response_header STREAMS_CC);
+			efree(new_path);
 		} else {
 			php_stream_wrapper_log_error(wrapper, options, "HTTP request failed! %s", tmp_line);
 		}
@@ -1103,6 +1122,10 @@ static php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
 		efree(http_header_line);
 	}
 
+	if (header_info.location != NULL) {
+		efree(header_info.location);
+	}
+
 	if (resource) {
 		php_url_free(resource);
 	}

ext/standard/tests/http/ghsa-52jp-hrpf-2jff-001.phpt

@@ -0,0 +1,58 @@
+--TEST--
+GHSA-52jp-hrpf-2jff: HTTP stream wrapper truncate redirect location to 1024 bytes (success)
+--FILE--
+<?php
+$serverCode = <<<'CODE'
+$ctxt = stream_context_create([
+     "socket" => [
+         "tcp_nodelay" => true
+     ]
+ ]);
+
+ $server = stream_socket_server(
+     "tcp://127.0.0.1:0", $errno, $errstr, STREAM_SERVER_BIND | STREAM_SERVER_LISTEN, $ctxt);
+ phpt_notify_server_start($server);
+
+ $conn = stream_socket_accept($server);
+
+ phpt_notify(message:"server-accepted");
+
+ $loc = str_repeat("y", 8000);
+ fwrite($conn, "HTTP/1.0 301 Ok\r\nContent-Type: text/html;\r\nLocation: $loc\r\n\r\nbody\r\n");
+CODE;
+
+$clientCode = <<<'CODE'
+ function stream_notification_callback($notification_code, $severity, $message, $message_code, $bytes_transferred, $bytes_max) {
+ switch($notification_code) {
+     case STREAM_NOTIFY_MIME_TYPE_IS:
+         echo "Found the mime-type: ", $message, PHP_EOL;
+         break;
+     case STREAM_NOTIFY_REDIRECTED:
+         echo "Redirected: ";
+         var_dump($message);
+     }
+ }
+
+ $ctx = stream_context_create();
+ stream_context_set_params($ctx, array("notification" => "stream_notification_callback"));
+ var_dump(trim(file_get_contents("http://{{ ADDR }}", false, $ctx)));
+ var_dump($http_response_header);
+CODE;
+
+include sprintf("%s/../../../openssl/tests/ServerClientTestCase.inc", __DIR__);
+ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
+?>
+--EXPECTF--
+Found the mime-type: text/html;
+Redirected: string(8000) "%s"
+
+Warning: file_get_contents(http://127.0.0.1:%d): Failed to open stream: %s
+string(0) ""
+array(3) {
+  [0]=>
+  string(15) "HTTP/1.0 301 Ok"
+  [1]=>
+  string(24) "Content-Type: text/html;"
+  [2]=>
+  string(8010) "Location: %s"
+}

ext/standard/tests/http/ghsa-52jp-hrpf-2jff-002.phpt

@@ -0,0 +1,55 @@
+--TEST--
+GHSA-52jp-hrpf-2jff: HTTP stream wrapper truncate redirect location to 1024 bytes (over limit)
+--FILE--
+<?php
+$serverCode = <<<'CODE'
+$ctxt = stream_context_create([
+     "socket" => [
+         "tcp_nodelay" => true
+     ]
+ ]);
+
+ $server = stream_socket_server(
+     "tcp://127.0.0.1:0", $errno, $errstr, STREAM_SERVER_BIND | STREAM_SERVER_LISTEN, $ctxt);
+ phpt_notify_server_start($server);
+
+ $conn = stream_socket_accept($server);
+
+ phpt_notify(message:"server-accepted");
+
+ $loc = str_repeat("y", 9000);
+ fwrite($conn, "HTTP/1.0 301 Ok\r\nContent-Type: text/html;\r\nLocation: $loc\r\n\r\nbody\r\n");
+CODE;
+
+$clientCode = <<<'CODE'
+ function stream_notification_callback($notification_code, $severity, $message, $message_code, $bytes_transferred, $bytes_max) {
+ switch($notification_code) {
+     case STREAM_NOTIFY_MIME_TYPE_IS:
+         echo "Found the mime-type: ", $message, PHP_EOL;
+         break;
+     case STREAM_NOTIFY_REDIRECTED:
+         echo "Redirected: ";
+         var_dump($message);
+     }
+ }
+
+ $ctx = stream_context_create();
+ stream_context_set_params($ctx, array("notification" => "stream_notification_callback"));
+ var_dump(trim(file_get_contents("http://{{ ADDR }}", false, $ctx)));
+ var_dump($http_response_header);
+CODE;
+
+include sprintf("%s/../../../openssl/tests/ServerClientTestCase.inc", __DIR__);
+ServerClientTestCase::getInstance()->run($clientCode, $serverCode);
+?>
+--EXPECTF--
+Found the mime-type: text/html;
+
+Warning: file_get_contents(http://127.0.0.1:%d): Failed to open stream: HTTP Location header size is over the limit of 8182 bytes in %s
+string(0) ""
+array(2) {
+  [0]=>
+  string(15) "HTTP/1.0 301 Ok"
+  [1]=>
+  string(24) "Content-Type: text/html;"
+}