PHPC-724: Do not allow null bytes in Regex pattern or flags

jmikola · jmikola · commit 66822bfb5e97 · 2016-07-14T11:27:18.000-04:00
These fields are cstrings in the BSON spec, so any null bytes would result in unexpected truncation.
diff --git a/src/BSON/Regex.c b/src/BSON/Regex.c
@@ -46,9 +46,20 @@ PHONGO_API zend_class_entry *php_phongo_regex_ce;
 
 zend_object_handlers php_phongo_handler_regex;
 
-/* Initialize the object and return whether it was successful. */
-static bool php_phongo_regex_init(php_phongo_regex_t *intern, const char *pattern, phongo_zpp_char_len pattern_len, const char *flags, phongo_zpp_char_len flags_len)
+/* Initialize the object and return whether it was successful. An exception will
+ * be thrown on error. */
+static bool php_phongo_regex_init(php_phongo_regex_t *intern, const char *pattern, phongo_zpp_char_len pattern_len, const char *flags, phongo_zpp_char_len flags_len TSRMLS_DC)
 {
+	if (strlen(pattern) != pattern_len) {
+		phongo_throw_exception(PHONGO_ERROR_INVALID_ARGUMENT TSRMLS_CC, "Pattern cannot contain null bytes");
+		return false;
+	}
+
+	if (strlen(flags) != flags_len) {
+		phongo_throw_exception(PHONGO_ERROR_INVALID_ARGUMENT TSRMLS_CC, "Flags cannot contain null bytes");
+		return false;
+	}
+
 	intern->pattern = estrndup(pattern, pattern_len);
 	intern->pattern_len = pattern_len;
 	intern->flags = estrndup(flags, flags_len);
@@ -66,14 +77,14 @@ static bool php_phongo_regex_init_from_hash(php_phongo_regex_t *intern, HashTabl
 
 	if ((pattern = zend_hash_str_find(props, "pattern", sizeof("pattern")-1)) && Z_TYPE_P(pattern) == IS_STRING &&
 	    (flags = zend_hash_str_find(props, "flags", sizeof("flags")-1)) && Z_TYPE_P(flags) == IS_STRING) {
-		return php_phongo_regex_init(intern, Z_STRVAL_P(pattern), Z_STRLEN_P(pattern), Z_STRVAL_P(flags), Z_STRLEN_P(flags));
+		return php_phongo_regex_init(intern, Z_STRVAL_P(pattern), Z_STRLEN_P(pattern), Z_STRVAL_P(flags), Z_STRLEN_P(flags) TSRMLS_CC);
 	}
 #else
 	zval **pattern, **flags;
 
 	if (zend_hash_find(props, "pattern", sizeof("pattern"), (void**) &pattern) == SUCCESS && Z_TYPE_PP(pattern) == IS_STRING &&
 	    zend_hash_find(props, "flags", sizeof("flags"), (void**) &flags) == SUCCESS && Z_TYPE_PP(flags) == IS_STRING) {
-		return php_phongo_regex_init(intern, Z_STRVAL_PP(pattern), Z_STRLEN_PP(pattern), Z_STRVAL_PP(flags), Z_STRLEN_PP(flags));
+		return php_phongo_regex_init(intern, Z_STRVAL_PP(pattern), Z_STRLEN_PP(pattern), Z_STRVAL_PP(flags), Z_STRLEN_PP(flags) TSRMLS_CC);
 	}
 #endif
 
@@ -102,7 +113,7 @@ PHP_METHOD(Regex, __construct)
 	}
 	zend_restore_error_handling(&error_handling TSRMLS_CC);
 
-	php_phongo_regex_init(intern, pattern, pattern_len, flags, flags_len);
+	php_phongo_regex_init(intern, pattern, pattern_len, flags, flags_len TSRMLS_CC);
 }
 /* }}} */
 /* {{{ proto void Regex::getPattern()
diff --git a/tests/bson/bson-regex-serialization_error-002.phpt b/tests/bson/bson-regex-serialization_error-002.phpt
@@ -0,0 +1,25 @@
+--TEST--
+MongoDB\BSON\Regex unserialization does not allow pattern or flags to contain null bytes
+--SKIPIF--
+<?php require __DIR__ . "/../utils/basic-skipif.inc"?>
+--FILE--
+<?php
+require_once __DIR__ . "/../utils/basic.inc";
+
+echo throws(function() {
+    unserialize('O:18:"MongoDB\BSON\Regex":2:{s:7:"pattern";s:7:"regexp' . "\0" . '";s:5:"flags";s:1:"i";}');
+}, 'MongoDB\Driver\Exception\InvalidArgumentException'), "\n";
+
+echo throws(function() {
+    unserialize('O:18:"MongoDB\BSON\Regex":2:{s:7:"pattern";s:6:"regexp";s:5:"flags";s:2:"i' . "\0" . '";}');
+}, 'MongoDB\Driver\Exception\InvalidArgumentException'), "\n";
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECT--
+OK: Got MongoDB\Driver\Exception\InvalidArgumentException
+Pattern cannot contain null bytes
+OK: Got MongoDB\Driver\Exception\InvalidArgumentException
+Flags cannot contain null bytes
+===DONE===
diff --git a/tests/bson/bson-regex-set_state_error-002.phpt b/tests/bson/bson-regex-set_state_error-002.phpt
@@ -0,0 +1,25 @@
+--TEST--
+MongoDB\BSON\Regex::__set_state() does not allow pattern or flags to contain null bytes
+--SKIPIF--
+<?php require __DIR__ . "/../utils/basic-skipif.inc"?>
+--FILE--
+<?php
+require_once __DIR__ . "/../utils/basic.inc";
+
+echo throws(function() {
+    MongoDB\BSON\Regex::__set_state(['pattern' => "regexp\0", 'flags' => 'i']);
+}, 'MongoDB\Driver\Exception\InvalidArgumentException'), "\n";
+
+echo throws(function() {
+    MongoDB\BSON\Regex::__set_state(['pattern' => 'regexp', 'flags' => "i\0"]);
+}, 'MongoDB\Driver\Exception\InvalidArgumentException'), "\n";
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECT--
+OK: Got MongoDB\Driver\Exception\InvalidArgumentException
+Pattern cannot contain null bytes
+OK: Got MongoDB\Driver\Exception\InvalidArgumentException
+Flags cannot contain null bytes
+===DONE===
diff --git a/tests/bson/bson-regex_error-003.phpt b/tests/bson/bson-regex_error-003.phpt
@@ -0,0 +1,25 @@
+--TEST--
+MongoDB\BSON\Regex::__construct() does not allow pattern or flags to contain null bytes
+--SKIPIF--
+<?php require __DIR__ . "/../utils/basic-skipif.inc"?>
+--FILE--
+<?php
+require_once __DIR__ . "/../utils/basic.inc";
+
+echo throws(function() {
+    new MongoDB\BSON\Regex("regexp\0", 'i');
+}, 'MongoDB\Driver\Exception\InvalidArgumentException'), "\n";
+
+echo throws(function() {
+    new MongoDB\BSON\Regex('regexp', "i\0");
+}, 'MongoDB\Driver\Exception\InvalidArgumentException'), "\n";
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECT--
+OK: Got MongoDB\Driver\Exception\InvalidArgumentException
+Pattern cannot contain null bytes
+OK: Got MongoDB\Driver\Exception\InvalidArgumentException
+Flags cannot contain null bytes
+===DONE===
