Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PHP 7.3.29 introduced breaking change to FILTER_VALIDATE_URL #1153

Open
kfoubert opened this issue Jul 16, 2021 · 0 comments
Open

PHP 7.3.29 introduced breaking change to FILTER_VALIDATE_URL #1153

kfoubert opened this issue Jul 16, 2021 · 0 comments

Comments

@kfoubert
Copy link

kfoubert commented Jul 16, 2021

Summary of problem or feature request

This is more informative than a bugfix in case other people encounter the same issue. We're using elasticsearch-PHP version 6.5 and PHP 7.3.29 which was released on July 1st, 2021. That version changed how FILTER_VALIDATE_URL works, breaking the code for prependMissing() for a URL that is using basic authentication.

Version 7.3.29 Changelog

I also checked with the devs assigned to that bug if basic authentication is a valid URL, but it might be the password is causing the validation error.

Sec Bug #81122 | SSRF bypass in FILTER_VALIDATE_URL

Code snippet of problem

# vendor/elasticsearch/elasticsearch/src/Elasticsearch/ClientBuilder.php

// pseudo code
$host = "https://[username]:[password]@fake83value4879dc445d84entered990here771358.us-west-2.aws.found.io:9243";

$fixHost = $this->prependMissingScheme($host);
// returns: "http://https://[username]:[password]@fake83value4879dc445d84entered990here771358.us-west-2.aws.found.io:9243"

/**
 * @param string $host
 *
 * @return string
 */
private function prependMissingScheme($host)
{
    // PHP 7.3.29 FILTER_VALIDATE_URL breaks, returns false
    // PHP 7.3.27 returned true
    if (!filter_var($host, FILTER_VALIDATE_URL)) {
        $host = 'http://' . $host;
    }

    return $host;
}

Code Snippet Solution

The easiest solution is to not use a URL with ->setHosts() but use the array option instead.

$hosts = ["https://[username]:[password]@fake83value4879dc445d84entered990here771358.us-west-2.aws.found.io:9243"];

# changeto 

$hosts = [
      [
        "host" => $host,
        "port" => $port,
        "scheme" => $scheme,
        "path" => $path,
        "user" => $username,
        "pass" => $password
      ]
    ];

$this->elasticsearch = ClientBuilder::create()
                                                      ->setHosts($this->elastic_search_hosts)
                                                      ->build();

System details

  • linux
  • PHP 7.3.29
  • ES-PHP client version 6.5
  • Elasticsearch version 6.3
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant