mirror of
https://github.com/caddyserver/caddy.git
synced 2026-05-21 06:16:31 -04:00
Merge commit from fork
Tests / test (s390x on IBM Z) (push) Has been skipped
Tests / goreleaser-check (push) Has been skipped
Tests / test (./cmd/caddy/caddy, ~1.26.0, ubuntu-latest, 0, 1.26, linux) (push) Failing after 1m15s
Cross-Build / build (~1.26.0, 1.26, aix) (push) Failing after 1m39s
Cross-Build / build (~1.26.0, 1.26, illumos) (push) Successful in 1m25s
Cross-Build / build (~1.26.0, 1.26, darwin) (push) Successful in 3m42s
Cross-Build / build (~1.26.0, 1.26, freebsd) (push) Successful in 3m42s
Cross-Build / build (~1.26.0, 1.26, dragonfly) (push) Successful in 3m45s
Cross-Build / build (~1.26.0, 1.26, linux) (push) Successful in 2m26s
Cross-Build / build (~1.26.0, 1.26, netbsd) (push) Successful in 1m25s
Lint / govulncheck (push) Successful in 1m14s
Lint / dependency-review (push) Failing after 24s
Cross-Build / build (~1.26.0, 1.26, openbsd) (push) Successful in 2m11s
Cross-Build / build (~1.26.0, 1.26, solaris) (push) Successful in 2m48s
Cross-Build / build (~1.26.0, 1.26, windows) (push) Successful in 2m48s
Lint / lint (ubuntu-latest, linux) (push) Failing after 2m36s
OpenSSF Scorecard supply-chain security / Scorecard analysis (push) Failing after 26s
Tests / test (./cmd/caddy/caddy, ~1.26.0, macos-14, 0, 1.26, mac) (push) Has been cancelled
Tests / test (./cmd/caddy/caddy.exe, ~1.26.0, windows-latest, True, 1.26, windows) (push) Has been cancelled
Lint / lint (macos-14, mac) (push) Has been cancelled
Lint / lint (windows-latest, windows) (push) Has been cancelled
Tests / test (s390x on IBM Z) (push) Has been skipped
Tests / goreleaser-check (push) Has been skipped
Tests / test (./cmd/caddy/caddy, ~1.26.0, ubuntu-latest, 0, 1.26, linux) (push) Failing after 1m15s
Cross-Build / build (~1.26.0, 1.26, aix) (push) Failing after 1m39s
Cross-Build / build (~1.26.0, 1.26, illumos) (push) Successful in 1m25s
Cross-Build / build (~1.26.0, 1.26, darwin) (push) Successful in 3m42s
Cross-Build / build (~1.26.0, 1.26, freebsd) (push) Successful in 3m42s
Cross-Build / build (~1.26.0, 1.26, dragonfly) (push) Successful in 3m45s
Cross-Build / build (~1.26.0, 1.26, linux) (push) Successful in 2m26s
Cross-Build / build (~1.26.0, 1.26, netbsd) (push) Successful in 1m25s
Lint / govulncheck (push) Successful in 1m14s
Lint / dependency-review (push) Failing after 24s
Cross-Build / build (~1.26.0, 1.26, openbsd) (push) Successful in 2m11s
Cross-Build / build (~1.26.0, 1.26, solaris) (push) Successful in 2m48s
Cross-Build / build (~1.26.0, 1.26, windows) (push) Successful in 2m48s
Lint / lint (ubuntu-latest, linux) (push) Failing after 2m36s
OpenSSF Scorecard supply-chain security / Scorecard analysis (push) Failing after 26s
Tests / test (./cmd/caddy/caddy, ~1.26.0, macos-14, 0, 1.26, mac) (push) Has been cancelled
Tests / test (./cmd/caddy/caddy.exe, ~1.26.0, windows-latest, True, 1.26, windows) (push) Has been cancelled
Lint / lint (macos-14, mac) (push) Has been cancelled
Lint / lint (windows-latest, windows) (push) Has been cancelled
Both fallbacks in splitPos relied on golang.org/x/text/search with search.IgnoreCase, which performs Unicode equivalence matching far beyond ASCII case folding. Combined with the validated-ASCII guarantee on every SplitPath entry, that fallback turned non-PHP filenames into PHP scripts: - when the inner loop hit a non-ASCII byte and the IndexString fallback returned -1, the loop broke without resetting match=false, so a stale match=true caused a non-existent .php to be reported (PoC: "/name.<U+00A1>.txt"). - search.IgnoreCase folded fullwidth, mathematical and circled letters onto ASCII, so "/shell.<math sans-serif php>", "/shell.<fullwidth p>hp", "/shell.<circled php>" were all detected as ".php" files. Replace the fallback with strict byte-level ASCII case-insensitive matching: any byte >= utf8.RuneSelf in the path can never be part of a match, since SplitPath entries are validated ASCII-only and lower-cased in Provision(). This keeps the hot path branch-light and removes the x/text/search dependency from the main module. Reported against FrankenPHP as GHSA-3g8v-8r37-cgjm and GHSA-v4h7-cj44-8fc8. The vulnerable function in this module was adapted from the same FrankenPHP code.
This commit is contained in:
Kévin Dunglas
GitHub
@@ -191,6 +191,65 @@ func TestSplitPos(t *testing.T) {
|
||||
splitPath: []string{".php"},
|
||||
wantPos: 9,
|
||||
},
|
||||
// Regression tests adapted from FrankenPHP advisories
|
||||
// GHSA-3g8v-8r37-cgjm and GHSA-v4h7-cj44-8fc8: search.IgnoreCase
|
||||
// matched Unicode equivalents of ASCII letters as ".php", and an
|
||||
// inner non-ASCII byte path could leave the match flag stale.
|
||||
{
|
||||
name: "non-ascii byte after dot must not match",
|
||||
path: "/PoC-match-unset.¡.txt",
|
||||
splitPath: []string{".php"},
|
||||
wantPos: -1,
|
||||
},
|
||||
{
|
||||
name: "non-ascii byte mid-extension must not match",
|
||||
path: "/script.p\xc2\xa1p",
|
||||
splitPath: []string{".php"},
|
||||
wantPos: -1,
|
||||
},
|
||||
{
|
||||
name: "small full stop ﹒ in extension must not match",
|
||||
path: "/shell﹒php",
|
||||
splitPath: []string{".php"},
|
||||
wantPos: -1,
|
||||
},
|
||||
{
|
||||
name: "fullwidth full stop . in extension must not match",
|
||||
path: "/shell.php",
|
||||
splitPath: []string{".php"},
|
||||
wantPos: -1,
|
||||
},
|
||||
{
|
||||
name: "fullwidth p in extension must not match",
|
||||
path: "/shell.php",
|
||||
splitPath: []string{".php"},
|
||||
wantPos: -1,
|
||||
},
|
||||
{
|
||||
name: "circled php must not match",
|
||||
path: "/shell.ⓟⓗⓟ",
|
||||
splitPath: []string{".php"},
|
||||
wantPos: -1,
|
||||
},
|
||||
{
|
||||
name: "mathematical sans-serif bold php must not match",
|
||||
path: "/shell.\U0001D5FD\U0001D5F5\U0001D5FD",
|
||||
splitPath: []string{".php"},
|
||||
wantPos: -1,
|
||||
},
|
||||
{
|
||||
name: "mathematical script php must not match",
|
||||
path: "/shell.\U0001D4C5\U0001D4BD\U0001D4C5",
|
||||
splitPath: []string{".php"},
|
||||
wantPos: -1,
|
||||
},
|
||||
{
|
||||
name: "circled php with later real php still picks the real one",
|
||||
path: "/shell.ⓟⓗⓟ.anything-after-payload.php",
|
||||
splitPath: []string{".php"},
|
||||
// "/shell." (7) + "ⓟⓗⓟ" (3*3 bytes) + ".anything-after-payload.php" (27) = 43
|
||||
wantPos: 43,
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
@@ -244,3 +303,31 @@ func TestSplitPosUnicodeSecurityRegression(t *testing.T) {
|
||||
assert.Equal(t, ".txt.php", pathInfo, "path info should be the remainder after first .php")
|
||||
}
|
||||
}
|
||||
|
||||
// TestSplitPosSecurityRegressionUnicodeBypass guards against the FrankenPHP
|
||||
// advisories GHSA-3g8v-8r37-cgjm (uninitialized match flag on inner non-ASCII
|
||||
// byte) and GHSA-v4h7-cj44-8fc8 (Unicode equivalence via search.IgnoreCase
|
||||
// folding fullwidth/mathematical/circled letters onto ASCII). Every payload
|
||||
// below produced a false positive in the vulnerable implementation; none
|
||||
// must match here.
|
||||
func TestSplitPosSecurityRegressionUnicodeBypass(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
tr := Transport{SplitPath: []string{".php"}}
|
||||
payloads := []string{
|
||||
"/PoC-match-unset.¡.txt", // GHSA-3g8v: stale match=true on IndexString fallback
|
||||
"/shell﹒php", // U+FE52 small full stop
|
||||
"/shell.php", // U+FF0E fullwidth full stop
|
||||
"/shell.php", // U+FF50 fullwidth p
|
||||
"/shell.php", // U+FF48 fullwidth h
|
||||
"/shell.php", // U+FF50 fullwidth p (trailing)
|
||||
"/shell.\U0001D5C1\U0001D5B5\U0001D5C1", // mathematical sans-serif p/h
|
||||
"/shell.\U0001D5FD\U0001D5F5\U0001D5FD", // mathematical sans-serif bold p/h
|
||||
"/shell.\U0001D4C5\U0001D4BD\U0001D4C5", // mathematical script p/h
|
||||
"/shell.ⓟⓗⓟ", // circled latin small
|
||||
}
|
||||
|
||||
for _, p := range payloads {
|
||||
assert.Equalf(t, -1, tr.splitPos(p), "payload %q must not be detected as .php", p)
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user