
Bug#779508: marked as done (unblock: php-monolog/1.11.0-2)



Your message dated Mon, 02 Mar 2015 19:08:51 +0100
with message-id <[email protected]>
and subject line Re: Bug#779508: unblock: php-monolog/1.11.0-2
has caused the Debian Bug report #779508,
regarding unblock: php-monolog/1.11.0-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
779508: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779508
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Please unblock package php-monolog

It fixes a potential security issue (mail header injection) by
cherry-picking an upstream commit that was already included in version
1.12.0-1 (as available in experimental). The patch also includes an
update to the test suite (showing how the issue may have been
exploited).

php-monolog (1.11.0-2) unstable; urgency=medium 

  * Add gbp.conf to track the Jessie branch
  * Fix a potential security issue (header injection)
    Prevent header injection through content type / encoding in
    NativeMailerHandler.

 -- David Prévot <[email protected]>  Sun, 01 Mar 2015 01:56:16 -0400

Please find attached the full debdiff, as well as the new patch itself
to ease the review.

unblock php-monolog/1.11.0-2

Thanks in advance for considering.

Regards

David
diff --git a/debian/changelog b/debian/changelog
index 8a207aa..a8bf6bb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+php-monolog (1.11.0-2) unstable; urgency=medium
+
+  * Add gbp.conf to track the Jessie branch
+  * Fix a potential security issue (header injection)
+    Prevent header injection through content type / encoding in
+    NativeMailerHandler.
+
+ -- David Prévot <[email protected]>  Sun, 01 Mar 2015 01:56:16 -0400
+
 php-monolog (1.11.0-1) unstable; urgency=medium
 
   [ gkedzierski ]
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..fae4302
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = jessie
diff --git a/debian/patches/0004-Prevent-header-injection-through-content-type-encodi.patch b/debian/patches/0004-Prevent-header-injection-through-content-type-encodi.patch
new file mode 100644
index 0000000..1c27746
--- /dev/null
+++ b/debian/patches/0004-Prevent-header-injection-through-content-type-encodi.patch
@@ -0,0 +1,65 @@
+From: Jordi Boggiano <[email protected]>
+Date: Sun, 28 Dec 2014 14:32:10 +0000
+Subject: Prevent header injection through content type / encoding in
+ NativeMailerHandler, fixes #458, closes #448
+
+Bug: https://github.com/Seldaek/monolog/pull/448 https://github.com/Seldaek/monolog/issues/458
+Origin: upstream, https://github.com/Seldaek/monolog/commit/515a096c864b00b3967f7f601680f85d4a2e4001
+---
+ src/Monolog/Handler/NativeMailerHandler.php       |  8 ++++++++
+ tests/Monolog/Handler/NativeMailerHandlerTest.php | 18 ++++++++++++++++++
+ 2 files changed, 26 insertions(+)
+
+diff --git a/src/Monolog/Handler/NativeMailerHandler.php b/src/Monolog/Handler/NativeMailerHandler.php
+index 7605a14..0fe6b64 100644
+--- a/src/Monolog/Handler/NativeMailerHandler.php
++++ b/src/Monolog/Handler/NativeMailerHandler.php
+@@ -129,6 +129,10 @@ class NativeMailerHandler extends MailHandler
+      */
+     public function setContentType($contentType)
+     {
++        if (strpos($contentType, "\n") !== false || strpos($contentType, "\r") !== false) {
++            throw new \InvalidArgumentException('The content type can not contain newline characters to prevent email header injection');
++        }
++
+         $this->contentType = $contentType;
+ 
+         return $this;
+@@ -140,6 +144,10 @@ class NativeMailerHandler extends MailHandler
+      */
+     public function setEncoding($encoding)
+     {
++        if (strpos($encoding, "\n") !== false || strpos($encoding, "\r") !== false) {
++            throw new \InvalidArgumentException('The content type can not contain newline characters to prevent email header injection');
++        }
++
+         $this->encoding = $encoding;
+ 
+         return $this;
+diff --git a/tests/Monolog/Handler/NativeMailerHandlerTest.php b/tests/Monolog/Handler/NativeMailerHandlerTest.php
+index 50ceace..c2553ee 100644
+--- a/tests/Monolog/Handler/NativeMailerHandlerTest.php
++++ b/tests/Monolog/Handler/NativeMailerHandlerTest.php
+@@ -40,4 +40,22 @@ class NativeMailerHandlerTest extends TestCase
+         $mailer = new NativeMailerHandler('[email protected]', 'dear victim', '[email protected]');
+         $mailer->addHeader(array("Content-Type: text/html\r\nFrom: [email protected]"));
+     }
++
++    /**
++     * @expectedException InvalidArgumentException
++     */
++    public function testSetterContentTypeInjection()
++    {
++        $mailer = new NativeMailerHandler('[email protected]', 'dear victim', '[email protected]');
++        $mailer->setContentType("text/html\r\nFrom: [email protected]");
++    }
++
++    /**
++     * @expectedException InvalidArgumentException
++     */
++    public function testSetterEncodingInjection()
++    {
++        $mailer = new NativeMailerHandler('[email protected]', 'dear victim', '[email protected]');
++        $mailer->setEncoding("utf-8\r\nFrom: [email protected]");
++    }
+ }
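Review bot: the Bug: field in the header of the new 0004 patch file carries two URLs on one line (pull/448 and issues/458). DEP-3 expects one URL per Bug field and allows the field to be repeated, so split this into two Bug: lines so that tools reading the patch metadata pick up both references. The Origin: line with the upstream commit is fine as it is.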
diff --git a/debian/patches/series b/debian/patches/series
index 5286df5..9766944 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 0001-Use-ClassLoader-from-Symfony-instead-of-autoload.patch
 0002-Drop-Git-test.patch
 0003-Drop-failing-test-too-precise-time.patch
+0004-Prevent-header-injection-through-content-type-encodi.patch
From: Jordi Boggiano <[email protected]>
Date: Sun, 28 Dec 2014 14:32:10 +0000
Subject: Prevent header injection through content type / encoding in
 NativeMailerHandler, fixes #458, closes #448

Bug: https://github.com/Seldaek/monolog/pull/448 https://github.com/Seldaek/monolog/issues/458
Origin: upstream, https://github.com/Seldaek/monolog/commit/515a096c864b00b3967f7f601680f85d4a2e4001
---
 src/Monolog/Handler/NativeMailerHandler.php       |  8 ++++++++
 tests/Monolog/Handler/NativeMailerHandlerTest.php | 18 ++++++++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/src/Monolog/Handler/NativeMailerHandler.php b/src/Monolog/Handler/NativeMailerHandler.php
index 7605a14..0fe6b64 100644
--- a/src/Monolog/Handler/NativeMailerHandler.php
+++ b/src/Monolog/Handler/NativeMailerHandler.php
@@ -129,6 +129,10 @@ class NativeMailerHandler extends MailHandler
      */
     public function setContentType($contentType)
     {
+        if (strpos($contentType, "\n") !== false || strpos($contentType, "\r") !== false) {
+            throw new \InvalidArgumentException('The content type can not contain newline characters to prevent email header injection');
+        }
+
         $this->contentType = $contentType;
 
         return $this;
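Review bot: the newline guard added at the top of setContentType() is written as two strpos() calls and is repeated, character for character, in setEncoding() in the next hunk. A single strpbrk($contentType, "\r\n") !== false expresses the same test, and moving it into one private helper that takes the value and the field name would keep the two setters from drifting apart.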
@@ -140,6 +144,10 @@ class NativeMailerHandler extends MailHandler
      */
     public function setEncoding($encoding)
     {
+        if (strpos($encoding, "\n") !== false || strpos($encoding, "\r") !== false) {
+            throw new \InvalidArgumentException('The content type can not contain newline characters to prevent email header injection');
+        }
+
         $this->encoding = $encoding;
 
         return $this;
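Review bot: the exception thrown from setEncoding() still says 'The content type can not contain newline characters', copied from setContentType(). Change it to name the encoding, so that whoever reads the exception in a log knows which setter rejected the value.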
diff --git a/tests/Monolog/Handler/NativeMailerHandlerTest.php b/tests/Monolog/Handler/NativeMailerHandlerTest.php
index 50ceace..c2553ee 100644
--- a/tests/Monolog/Handler/NativeMailerHandlerTest.php
+++ b/tests/Monolog/Handler/NativeMailerHandlerTest.php
@@ -40,4 +40,22 @@ class NativeMailerHandlerTest extends TestCase
         $mailer = new NativeMailerHandler('[email protected]', 'dear victim', '[email protected]');
         $mailer->addHeader(array("Content-Type: text/html\r\nFrom: [email protected]"));
     }
+
+    /**
+     * @expectedException InvalidArgumentException
+     */
+    public function testSetterContentTypeInjection()
+    {
+        $mailer = new NativeMailerHandler('[email protected]', 'dear victim', '[email protected]');
+        $mailer->setContentType("text/html\r\nFrom: [email protected]");
+    }
+
+    /**
+     * @expectedException InvalidArgumentException
+     */
+    public function testSetterEncodingInjection()
+    {
+        $mailer = new NativeMailerHandler('[email protected]', 'dear victim', '[email protected]');
+        $mailer->setEncoding("utf-8\r\nFrom: [email protected]");
+    }
 }
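Review bot: both new tests pass only the "\r\n" form, while the guards reject a lone "\n" and a lone "\r" as well, so neither single-character branch of the condition is exercised on its own. Add cases such as "text/html\nFrom: ..." and "utf-8\rFrom: ..." for each setter. The @expectedException annotation also checks only the exception class, so asserting on the message as well would have caught the 'content type' wording in the setEncoding() message.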



--- End Message ---
--- Begin Message ---
On 2015-03-01 18:16, David Prévot wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
> 
> Please unblock package php-monolog
> 
> It fixes a potential security issue (mail header injection) by
> cherry-picking an upstream commit that was already included in version
> 1.12.0-1 (as available in experimental). The patch also includes an
> update to the test suite (showing how the issue may have been
> exploited).
> 
> [...]
> 
> Please find attached the full debdiff, as well as the new patch itself
> to ease the review.
> 
> unblock php-monolog/1.11.0-2
> 
> Thanks in advance for considering.
> 
> Regards
> 
> David
> 

Unblocked, thanks.

Please note that the message for setEncoding is probably wrong and
should have gotten a s/content type/encoding/.  But I consider it a
minor / cosmetic issue.

~Niels

--- End Message ---
