Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerability: Domain whitelist/blacklist checking is done via regex, can be bypassed #24

Open
justinsteven opened this issue Oct 4, 2019 · 1 comment
Open

Vulnerability: Domain whitelist/blacklist checking is done via regex, can be bypassed #24

justinsteven opened this issue Oct 4, 2019 · 1 comment

Comments

@justinsteven
Copy link

safecurl/src/fin1te/SafeCurl/Options.php

Lines 210 to 216 in a7c3d70

//For domains, a regex match is needed
if ($type == 'domain') {
foreach ($this->{$list}[$type] as $domain) {
if (preg_match('/^' . $domain . '$/i', $value)) {
return true;
}
}

This is presumably to make the matching case-insensitive.

It introduces a bypass, in that each blacklisted/whitelisted domain name is treated as a regex. Domains almost always include the . character which is a regex metacharacter.

For example, a domain whitelist of ['accounts.google.com'] would allow requests to https://accountszgoogle.com
justinsteven added a commit to justinsteven/safecurl that referenced this issue Oct 4, 2019
@justinsteven
Make domain checking not via regex
701ce83 
Use a case-insensitive comparison instead of vulnerable regex comparison

Fixes vulnerability wkcaj#24
@justinsteven justinsteven mentioned this issue Oct 4, 2019
Open
@justinsteven
Copy link
Author

Ahh this is a duplicate of #7 :(

I see in #7 you wanted the ability for a developer to whitelist "company.com" and have it match "subdomain.company.com". My fix in #25 does not do this - but nor does the original code, so no harm done.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@justinsteven