Skip to content

Commit

Permalink
Check for spaces in keys when using the non-binary protocol even if k…
Browse files Browse the repository at this point in the history
…ey verification is disabled to avoid injection issues
  • Loading branch information
rlerdorf committed Oct 20, 2023
1 parent 78ba261 commit 1527217
Showing 1 changed file with 13 additions and 6 deletions.
19 changes: 13 additions & 6 deletions php_memcached.c
Original file line number Diff line number Diff line change
Expand Up @@ -231,14 +231,21 @@ zend_bool s_memc_valid_key_binary(zend_string *key)
}

static
zend_bool s_memc_valid_key_ascii(zend_string *key)
zend_bool s_memc_valid_key_ascii(zend_string *key, uint64_t verify_key)
{
const char *str = ZSTR_VAL(key);
size_t i, len = ZSTR_LEN(key);

for (i = 0; i < len; i++) {
if (!isgraph(str[i]) || isspace(str[i]))
return 0;
if (verify_key) {
for (i = 0; i < len; i++) {
if (!isgraph(str[i]) || isspace(str[i]))
return 0;
}
} else { /* if key verification is disabled, only check for spaces to avoid injection issues */
for (i = 0; i < len; i++) {
if (isspace(str[i]))
return 0;
}
}
return 1;
}
Expand All @@ -248,7 +255,7 @@ zend_bool s_memc_valid_key_ascii(zend_string *key)
ZSTR_LEN(key) > MEMC_OBJECT_KEY_MAX_LENGTH || \
(memcached_behavior_get(intern->memc, MEMCACHED_BEHAVIOR_BINARY_PROTOCOL) \
? !s_memc_valid_key_binary(key) \
: (memcached_behavior_get(intern->memc, MEMCACHED_BEHAVIOR_VERIFY_KEY) && !s_memc_valid_key_ascii(key)) \
: !s_memc_valid_key_ascii(key, memcached_behavior_get(intern->memc, MEMCACHED_BEHAVIOR_VERIFY_KEY)) \
))) { \
intern->rescode = MEMCACHED_BAD_KEY_PROVIDED; \
RETURN_FALSE; \
Expand Down Expand Up @@ -342,7 +349,7 @@ PHP_INI_MH(OnUpdateSessionPrefixString)
php_error_docref(NULL, E_WARNING, "memcached.sess_prefix too long (max: %d)", MEMCACHED_MAX_KEY - 1);
return FAILURE;
}
if (!s_memc_valid_key_ascii(new_value)) {
if (!s_memc_valid_key_ascii(new_value, 1)) {
php_error_docref(NULL, E_WARNING, "memcached.sess_prefix cannot contain whitespace or control characters");
return FAILURE;
}
Expand Down

0 comments on commit 1527217

Please sign in to comment.