Security tightening: verify a stream file name is a string before unlinking #48
Per CVE-2021-3007 (and as reported on Bleeping Computer), there is a possibility IF A USER HAS USED UNSERIALIZE() ON UNTRUSTED DATA of the stream response destructor potentially invoking a class __toString() implementation, and thus triggering a vulnerability. This patch ensures that, given that scenario, the stream response destructor does not use an object as a string for purposes of unlinking a potential stream filename.
Additional information
The Laminas security team was contacted on 2020-11-27 about a potential vulnerability in the MVC skeleton. After analysis, we responded on 2020-11-30 with the following:
The Open Web Application Security Project (OWASP) has a classification for this sort of vulnerability: PHP Object Injection. It is not specific to any given framework, and presents itself when an application blindly unserializes user input that includes classes with __destruct() methods and/or methods that might get called within the application context (including other magic methods such as __toString()). The same vulnerability could have been achieved even easier by providing a serialized class with a __destruct() method defined, as the method would be called as soon as the object was out of scope.

Regardless, we are providing this patch to help further protect our users from these scenarios. The patch provides type checking of the $streamName property before performing a cleanup operation (which results in an unlink() operation, which, previously, could have resulted in an implied call to an object's __toString() method) in the Laminas\Http\Response\Stream destructor.
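The check this PR describes, as an added illustration that is not laminas-http's own code: a simplified stream response destructor before and after the is_string() guard, plus a probe that reports whether PHP coerced an object-valued $streamName to a string during destruction. The class bodies and the probe are assumptions; only the $streamName property name comes from the PR.

```php
<?php
// Added illustration of the check in this PR, not laminas-http's own code; class bodies are assumptions.
// Records whether PHP coerced an object to a string, i.e. whether __toString() ran.
final class ToStringProbe
{
    public static bool $invoked = false;
    public function __toString(): string
    {
        self::$invoked = true;
        return sys_get_temp_dir() . '/probe-path-that-does-not-exist'; // harmless path
    }
}

// Before: file_exists()/unlink() expect a string, so an object-valued $streamName
// is coerced through its __toString() while the destructor runs.
class StreamResponseBefore
{
    public $streamName;
    public function __destruct()
    {
        if ($this->streamName && file_exists($this->streamName)) {
            unlink($this->streamName);
        }
    }
}

// After: only a string ever reaches the filesystem functions, so no method of a
// deserialized object can be invoked from the destructor.
class StreamResponseAfter
{
    public $streamName;
    public function __destruct()
    {
        if (is_string($this->streamName) && file_exists($this->streamName)) {
            unlink($this->streamName);
        }
    }
}

// True if destroying an instance of $class with an object-valued $streamName ran __toString().
function destructorCoercesObject(string $class): bool
{
    ToStringProbe::$invoked = false;
    $response = new $class();
    $response->streamName = new ToStringProbe();
    unset($response); // drops the last reference and triggers __destruct()
    return ToStringProbe::$invoked;
}

var_dump(destructorCoercesObject(StreamResponseBefore::class), destructorCoercesObject(StreamResponseAfter::class));
```

Note that file_exists() coerces an object just as unlink() does, so the guard has to sit in front of the first filesystem call, not only the unlink().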