
Bug#779508: marked as done (unblock: php-monolog/1.11.0-2)



Your message dated Mon, 02 Mar 2015 19:08:51 +0100
with message-id <54F4A733.40709@thykier.net>
and subject line Re: Bug#779508: unblock: php-monolog/1.11.0-2
has caused the Debian Bug report #779508,
regarding unblock: php-monolog/1.11.0-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
779508: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779508
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package php-monolog

It fixes a potential security issue (mail header injection) by
cherry-picking an upstream commit that was already included in version
1.12.0-1 (as available in experimental). The patch also includes an
update to the test suite (showing how the issue may have been
exploited).

php-monolog (1.11.0-2) unstable; urgency=medium 

  * Add gbp.conf to track the Jessie branch
  * Fix a potential security issue (header injection)
    Prevent header injection through content type / encoding in
    NativeMailerHandler.

 -- David Prévot <taffit@debian.org>  Sun, 01 Mar 2015 01:56:16 -0400

Please find attached the full debdiff, as well as the new patch itself
to ease the review.

unblock php-monolog/1.11.0-2

Thanks in advance for considering.

Regards

David
diff --git a/debian/changelog b/debian/changelog
index 8a207aa..a8bf6bb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+php-monolog (1.11.0-2) unstable; urgency=medium
+
+  * Add gbp.conf to track the Jessie branch
+  * Fix a potential security issue (header injection)
+    Prevent header injection through content type / encoding in
+    NativeMailerHandler.
+
+ -- David Prévot <taffit@debian.org>  Sun, 01 Mar 2015 01:56:16 -0400
+
 php-monolog (1.11.0-1) unstable; urgency=medium
 
   [ gkedzierski ]
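Review bot: the changelog bullet "Fix a potential security issue (header injection)" does not name the patch file or the upstream reference, so a reader of the changelog alone cannot tell which change it is. Suggest adding the patch name (0004-Prevent-header-injection-through-content-type-encodi.patch) or the upstream commit URL given in that patch's Origin field.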
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..fae4302
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = jessie
diff --git a/debian/patches/0004-Prevent-header-injection-through-content-type-encodi.patch b/debian/patches/0004-Prevent-header-injection-through-content-type-encodi.patch
new file mode 100644
index 0000000..1c27746
--- /dev/null
+++ b/debian/patches/0004-Prevent-header-injection-through-content-type-encodi.patch
@@ -0,0 +1,65 @@
+From: Jordi Boggiano <j.boggiano@seld.be>
+Date: Sun, 28 Dec 2014 14:32:10 +0000
+Subject: Prevent header injection through content type / encoding in
+ NativeMailerHandler, fixes #458, closes #448
+
+Bug: https://github.com/Seldaek/monolog/pull/448 https://github.com/Seldaek/monolog/issues/458
+Origin: upstream, https://github.com/Seldaek/monolog/commit/515a096c864b00b3967f7f601680f85d4a2e4001
+---
+ src/Monolog/Handler/NativeMailerHandler.php       |  8 ++++++++
+ tests/Monolog/Handler/NativeMailerHandlerTest.php | 18 ++++++++++++++++++
+ 2 files changed, 26 insertions(+)
+
+diff --git a/src/Monolog/Handler/NativeMailerHandler.php b/src/Monolog/Handler/NativeMailerHandler.php
+index 7605a14..0fe6b64 100644
+--- a/src/Monolog/Handler/NativeMailerHandler.php
++++ b/src/Monolog/Handler/NativeMailerHandler.php
+@@ -129,6 +129,10 @@ class NativeMailerHandler extends MailHandler
+      */
+     public function setContentType($contentType)
+     {
++        if (strpos($contentType, "\n") !== false || strpos($contentType, "\r") !== false) {
++            throw new \InvalidArgumentException('The content type can not contain newline characters to prevent email header injection');
++        }
++
+         $this->contentType = $contentType;
+ 
+         return $this;
+@@ -140,6 +144,10 @@ class NativeMailerHandler extends MailHandler
+      */
+     public function setEncoding($encoding)
+     {
++        if (strpos($encoding, "\n") !== false || strpos($encoding, "\r") !== false) {
++            throw new \InvalidArgumentException('The content type can not contain newline characters to prevent email header injection');
++        }
++
+         $this->encoding = $encoding;
+ 
+         return $this;
+diff --git a/tests/Monolog/Handler/NativeMailerHandlerTest.php b/tests/Monolog/Handler/NativeMailerHandlerTest.php
+index 50ceace..c2553ee 100644
+--- a/tests/Monolog/Handler/NativeMailerHandlerTest.php
++++ b/tests/Monolog/Handler/NativeMailerHandlerTest.php
+@@ -40,4 +40,22 @@ class NativeMailerHandlerTest extends TestCase
+         $mailer = new NativeMailerHandler('spammer@example.org', 'dear victim', 'receiver@example.org');
+         $mailer->addHeader(array("Content-Type: text/html\r\nFrom: faked@attacker.org"));
+     }
++
++    /**
++     * @expectedException InvalidArgumentException
++     */
++    public function testSetterContentTypeInjection()
++    {
++        $mailer = new NativeMailerHandler('spammer@example.org', 'dear victim', 'receiver@example.org');
++        $mailer->setContentType("text/html\r\nFrom: faked@attacker.org");
++    }
++
++    /**
++     * @expectedException InvalidArgumentException
++     */
++    public function testSetterEncodingInjection()
++    {
++        $mailer = new NativeMailerHandler('spammer@example.org', 'dear victim', 'receiver@example.org');
++        $mailer->setEncoding("utf-8\r\nFrom: faked@attacker.org");
++    }
+ }
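Review bot: the Bug: line in the new patch's header puts two URLs in one field (pull/448 and issues/458). DEP-3 takes one URL per Bug field and allows the field to be repeated, so split it into two Bug: lines.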
diff --git a/debian/patches/series b/debian/patches/series
index 5286df5..9766944 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 0001-Use-ClassLoader-from-Symfony-instead-of-autoload.patch
 0002-Drop-Git-test.patch
 0003-Drop-failing-test-too-precise-time.patch
+0004-Prevent-header-injection-through-content-type-encodi.patch
From: Jordi Boggiano <j.boggiano@seld.be>
Date: Sun, 28 Dec 2014 14:32:10 +0000
Subject: Prevent header injection through content type / encoding in
 NativeMailerHandler, fixes #458, closes #448

Bug: https://github.com/Seldaek/monolog/pull/448 https://github.com/Seldaek/monolog/issues/458
Origin: upstream, https://github.com/Seldaek/monolog/commit/515a096c864b00b3967f7f601680f85d4a2e4001
---
 src/Monolog/Handler/NativeMailerHandler.php       |  8 ++++++++
 tests/Monolog/Handler/NativeMailerHandlerTest.php | 18 ++++++++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/src/Monolog/Handler/NativeMailerHandler.php b/src/Monolog/Handler/NativeMailerHandler.php
index 7605a14..0fe6b64 100644
--- a/src/Monolog/Handler/NativeMailerHandler.php
+++ b/src/Monolog/Handler/NativeMailerHandler.php
@@ -129,6 +129,10 @@ class NativeMailerHandler extends MailHandler
      */
     public function setContentType($contentType)
     {
+        if (strpos($contentType, "\n") !== false || strpos($contentType, "\r") !== false) {
+            throw new \InvalidArgumentException('The content type can not contain newline characters to prevent email header injection');
+        }
+
         $this->contentType = $contentType;
 
         return $this;
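Review bot: in setContentType the guard is written as two strpos() calls, and the same pair is repeated in setEncoding in the next hunk. A single strpbrk($contentType, "\r\n") !== false performs the same test, and moving it into one private helper that takes the field name would keep the two setters from drifting apart.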
@@ -140,6 +144,10 @@ class NativeMailerHandler extends MailHandler
      */
     public function setEncoding($encoding)
     {
+        if (strpos($encoding, "\n") !== false || strpos($encoding, "\r") !== false) {
+            throw new \InvalidArgumentException('The content type can not contain newline characters to prevent email header injection');
+        }
+
         $this->encoding = $encoding;
 
         return $this;
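Review bot: the exception text added to setEncoding still reads 'The content type can not contain newline characters to prevent email header injection', copied from setContentType. It should say 'The encoding can not contain ...' so the caller can tell which setter rejected the value.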
diff --git a/tests/Monolog/Handler/NativeMailerHandlerTest.php b/tests/Monolog/Handler/NativeMailerHandlerTest.php
index 50ceace..c2553ee 100644
--- a/tests/Monolog/Handler/NativeMailerHandlerTest.php
+++ b/tests/Monolog/Handler/NativeMailerHandlerTest.php
@@ -40,4 +40,22 @@ class NativeMailerHandlerTest extends TestCase
         $mailer = new NativeMailerHandler('spammer@example.org', 'dear victim', 'receiver@example.org');
         $mailer->addHeader(array("Content-Type: text/html\r\nFrom: faked@attacker.org"));
     }
+
+    /**
+     * @expectedException InvalidArgumentException
+     */
+    public function testSetterContentTypeInjection()
+    {
+        $mailer = new NativeMailerHandler('spammer@example.org', 'dear victim', 'receiver@example.org');
+        $mailer->setContentType("text/html\r\nFrom: faked@attacker.org");
+    }
+
+    /**
+     * @expectedException InvalidArgumentException
+     */
+    public function testSetterEncodingInjection()
+    {
+        $mailer = new NativeMailerHandler('spammer@example.org', 'dear victim', 'receiver@example.org');
+        $mailer->setEncoding("utf-8\r\nFrom: faked@attacker.org");
+    }
 }
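Review bot: both new tests pass "\r\n" together, so the separate "\n" and "\r" branches of the guard are never exercised on their own, and @expectedException checks only the exception class, so a wrong message such as the one in setEncoding still passes. Suggest a data provider with a lone "\n" and a lone "\r" for each setter, plus an assertion on the exception message.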



--- End Message ---
--- Begin Message ---
On 2015-03-01 18:16, David Prévot wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package php-monolog
> 
> It fixes a potential security issue (mail header injection) by
> cherry-picking an upstream commit that was already included in version
> 1.12.0-1 (as available in experimental). The patch also includes an
> update to the test suite (showing how the issue may have been
> exploited).
> 
> [...]
> 
> Please find attached the full debdiff, as well as the new patch itself
> to ease the review.
> 
> unblock php-monolog/1.11.0-2
> 
> Thanks in advance for considering.
> 
> Regards
> 
> David
> 

Unblocked, thanks.

Please note that the message for setEncoding is probably wrong and
should have gotten a s/content type/encoding/.  But I consider it a
minor / cosmetic issue.

~Niels

--- End Message ---
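
Added illustration, not part of the thread and not Monolog's own code: why a CR or LF in the content type or encoding matters once the value is placed on a header line, and a shared guard that names the rejected field. The helper names, the sender address and the header layout are assumptions made for this example.

```php
<?php
// Added illustration, not Monolog code: assertHeaderSafe(), buildHeaders() and
// headerNames() are hypothetical helpers and the header layout is an assumption.

/** Reject CR or LF in a value that will be placed on a header line. */
function assertHeaderSafe(string $value, string $field): string
{
    if (strpbrk($value, "\r\n") !== false) {
        throw new InvalidArgumentException(
            "The $field can not contain newline characters to prevent email header injection"
        );
    }
    return $value;
}

/** Assemble a header block as a mail()-based sender might (assumed layout). */
function buildHeaders(string $from, string $contentType, string $encoding, bool $validate): string
{
    if ($validate) {
        $contentType = assertHeaderSafe($contentType, 'content type');
        $encoding = assertHeaderSafe($encoding, 'encoding');
    }
    return "From: $from\r\n" . "Content-type: $contentType; charset=$encoding\r\n";
}

/** Header names a receiving parser would see, in order. */
function headerNames(string $block): array
{
    $names = [];
    foreach (preg_split('/\r\n|\r|\n/', rtrim($block, "\r\n")) as $line) {
        // A line starting with whitespace is a folded continuation, not a new header.
        if ($line !== '' && !ctype_space($line[0])) {
            $names[] = strtolower(strtok($line, ':'));
        }
    }
    return $names;
}

// Constructed input: the same string the patch's tests pass to the setters.
$tainted = "text/html\r\nFrom: faked@attacker.org";

// Unvalidated: the value's embedded line break starts a second From header.
print_r(headerNames(buildHeaders('logger@example.org', $tainted, 'utf-8', false)));

try {
    buildHeaders('logger@example.org', $tainted, 'utf-8', true);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n"; // validated: rejected before any header is built
}
```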
