Fixes CVE-2014-8150

Thanks for reporting and patching this Andrey!
author: Marco Ceppi <marco@ceppi.net> 2015-07-30 11:14:08 -0400
committer: Marco Ceppi <marco@ceppi.net> 2015-07-30 11:14:08 -0400
commit: 4de8818e28c6ec0eb6111a8b735f2e703950e537 (patch)
tree: 8820d7294f123e19bb98b665d924a6abdf9c11c1 /Auth
parent: fb4cdfcaa578436c451f8e8687dfb61165074488 (diff)
download: php-openid-4de8818e28c6ec0eb6111a8b735f2e703950e537.zip
php-openid-4de8818e28c6ec0eb6111a8b735f2e703950e537.tar.gz
php-openid-4de8818e28c6ec0eb6111a8b735f2e703950e537.tar.bz2
1 files changed, 11 insertions, 1 deletions
diff --git a/Auth/OpenID/URINorm.php b/Auth/OpenID/URINorm.php
index c051b55..32e8458 100644
--- a/Auth/OpenID/URINorm.php
+++ b/Auth/OpenID/URINorm.php
@@ -93,7 +93,17 @@ function Auth_OpenID_pct_encoded_replace_unreserved($mo)
 
 function Auth_OpenID_pct_encoded_replace($mo)
 {
-    return chr(intval($mo[1], 16));
+    $code = intval($mo[1], 16);
+
+    // Prevent request splitting by ignoring newline and space characters
+    if($code === 0xA || $code === 0xD || $code === ord(' '))
+    {
+        return $mo[0];
+    }
+    else
+    {
+        return chr($code);
+    }
 }
 
 function Auth_OpenID_remove_dot_segments($path)
author	Marco Ceppi <marco@ceppi.net>	2015-07-30 11:14:08 -0400
committer	Marco Ceppi <marco@ceppi.net>	2015-07-30 11:14:08 -0400
commit	4de8818e28c6ec0eb6111a8b735f2e703950e537 (patch)
tree	8820d7294f123e19bb98b665d924a6abdf9c11c1 /Auth
parent	fb4cdfcaa578436c451f8e8687dfb61165074488 (diff)
download	php-openid-4de8818e28c6ec0eb6111a8b735f2e703950e537.zip php-openid-4de8818e28c6ec0eb6111a8b735f2e703950e537.tar.gz php-openid-4de8818e28c6ec0eb6111a8b735f2e703950e537.tar.bz2