Fix GH-19944: validate Uri\WhatWg\Url::withPort() boundaries #19946
Conversation
alexandre-daubois
force-pushed
the
uri-port-boundaries
branch
2 times, most recently
from
95a024c to
62bbdfe
Compare
alexandre-daubois
force-pushed
the
uri-port-boundaries
branch
from
62bbdfe to
242597c
Compare
|
I did not yet read the spec to see if the reported bug is even a bug. But I can say for certain that this this patch is incorrect: Lexbor would be responsible to perform the validation and report the issue. Not PHP. PS: The NEWS entry is in the wrong location. |
|
Should we really do no validation on PHP side about invalid values? Isn't it better to catch errors as early as possible? Also I'm not sure why this is the wrong location for the news entry? |
|
The spec says the following:
Apparently, the wither call somehow misses the validation. I'll have to debug it why, but the fix must go into the lexbor library indeed. PHP is just a dump wrapper, the logic is better suited in the original upstream library. |
|
Alright, I wasn't sure how much it should be "just a wrapper". It's clear now 🙂 |
|
As far as I see, the error is only present for negative values around this line: https://github.com/lexbor/lexbor/blob/master/source/lexbor/url/url.c#L1908 I think a negative value check was left out. |
In the best case, we are just replicating the validation of the upstream library. In the worst case, we are using differing validation, which will lead to security issues. The point of using a library is that it does the heavy lifting for you.
Because RC 1 is already tagged.
There is some validation happening: The port is not actually changed. So the invalid value is not accepted. This might actually be the expected behavior with regard to the specification. See JavaScript: |
|
I filed an issue upstream with a possible patch: lexbor/lexbor#306 Too large values trigger validation errors, while negative values don't. I think it is only due to an omission, but let's hear Alexander's opinion. |
3 participants
No description provided.