Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package php-monolog
It fixes a potential security issue (mail header injection) by
cherry-picking an upstream commit that was already included in version
1.12.0-1 (as available in experimental). The patch also includes an
update to the test suite (showing how the issue may have been
exploited).
php-monolog (1.11.0-2) unstable; urgency=medium
* Add gbp.conf to track the Jessie branch
* Fix a potential security issue (header injection)
Prevent header injection through content type / encoding in
NativeMailerHandler.
-- David Prévot <taffit@debian.org> Sun, 01 Mar 2015 01:56:16 -0400
Please find attached the full debdiff, as well as the new patch itself
to ease the review.
unblock php-monolog/1.11.0-2
Thanks in advance for considering.
Regards
David
diff --git a/debian/changelog b/debian/changelog
index 8a207aa..a8bf6bb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+php-monolog (1.11.0-2) unstable; urgency=medium
+
+ * Add gbp.conf to track the Jessie branch
+ * Fix a potential security issue (header injection)
+ Prevent header injection through content type / encoding in
+ NativeMailerHandler.
+
+ -- David Prévot <taffit@debian.org> Sun, 01 Mar 2015 01:56:16 -0400
+
php-monolog (1.11.0-1) unstable; urgency=medium
[ gkedzierski ]
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..fae4302
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = jessie
diff --git a/debian/patches/0004-Prevent-header-injection-through-content-type-encodi.patch b/debian/patches/0004-Prevent-header-injection-through-content-type-encodi.patch
new file mode 100644
index 0000000..1c27746
--- /dev/null
+++ b/debian/patches/0004-Prevent-header-injection-through-content-type-encodi.patch
@@ -0,0 +1,65 @@
+From: Jordi Boggiano <j.boggiano@seld.be>
+Date: Sun, 28 Dec 2014 14:32:10 +0000
+Subject: Prevent header injection through content type / encoding in
+ NativeMailerHandler, fixes #458, closes #448
+
+Bug: https://github.com/Seldaek/monolog/pull/448 https://github.com/Seldaek/monolog/issues/458
+Origin: upstream, https://github.com/Seldaek/monolog/commit/515a096c864b00b3967f7f601680f85d4a2e4001
+---
+ src/Monolog/Handler/NativeMailerHandler.php | 8 ++++++++
+ tests/Monolog/Handler/NativeMailerHandlerTest.php | 18 ++++++++++++++++++
+ 2 files changed, 26 insertions(+)
+
+diff --git a/src/Monolog/Handler/NativeMailerHandler.php b/src/Monolog/Handler/NativeMailerHandler.php
+index 7605a14..0fe6b64 100644
+--- a/src/Monolog/Handler/NativeMailerHandler.php
++++ b/src/Monolog/Handler/NativeMailerHandler.php
+@@ -129,6 +129,10 @@ class NativeMailerHandler extends MailHandler
+ */
+ public function setContentType($contentType)
+ {
++ if (strpos($contentType, "\n") !== false || strpos($contentType, "\r") !== false) {
++ throw new \InvalidArgumentException('The content type can not contain newline characters to prevent email header injection');
++ }
++
+ $this->contentType = $contentType;
+
+ return $this;
+@@ -140,6 +144,10 @@ class NativeMailerHandler extends MailHandler
+ */
+ public function setEncoding($encoding)
+ {
++ if (strpos($encoding, "\n") !== false || strpos($encoding, "\r") !== false) {
++ throw new \InvalidArgumentException('The content type can not contain newline characters to prevent email header injection');
++ }
++
+ $this->encoding = $encoding;
+
+ return $this;
+diff --git a/tests/Monolog/Handler/NativeMailerHandlerTest.php b/tests/Monolog/Handler/NativeMailerHandlerTest.php
+index 50ceace..c2553ee 100644
+--- a/tests/Monolog/Handler/NativeMailerHandlerTest.php
++++ b/tests/Monolog/Handler/NativeMailerHandlerTest.php
+@@ -40,4 +40,22 @@ class NativeMailerHandlerTest extends TestCase
+ $mailer = new NativeMailerHandler('spammer@example.org', 'dear victim', 'receiver@example.org');
+ $mailer->addHeader(array("Content-Type: text/html\r\nFrom: faked@attacker.org"));
+ }
++
++ /**
++ * @expectedException InvalidArgumentException
++ */
++ public function testSetterContentTypeInjection()
++ {
++ $mailer = new NativeMailerHandler('spammer@example.org', 'dear victim', 'receiver@example.org');
++ $mailer->setContentType("text/html\r\nFrom: faked@attacker.org");
++ }
++
++ /**
++ * @expectedException InvalidArgumentException
++ */
++ public function testSetterEncodingInjection()
++ {
++ $mailer = new NativeMailerHandler('spammer@example.org', 'dear victim', 'receiver@example.org');
++ $mailer->setEncoding("utf-8\r\nFrom: faked@attacker.org");
++ }
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 5286df5..9766944 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
0001-Use-ClassLoader-from-Symfony-instead-of-autoload.patch
0002-Drop-Git-test.patch
0003-Drop-failing-test-too-precise-time.patch
+0004-Prevent-header-injection-through-content-type-encodi.patch
From: Jordi Boggiano <j.boggiano@seld.be>
Date: Sun, 28 Dec 2014 14:32:10 +0000
Subject: Prevent header injection through content type / encoding in
NativeMailerHandler, fixes #458, closes #448
Bug: https://github.com/Seldaek/monolog/pull/448 https://github.com/Seldaek/monolog/issues/458
Origin: upstream, https://github.com/Seldaek/monolog/commit/515a096c864b00b3967f7f601680f85d4a2e4001
---
src/Monolog/Handler/NativeMailerHandler.php | 8 ++++++++
tests/Monolog/Handler/NativeMailerHandlerTest.php | 18 ++++++++++++++++++
2 files changed, 26 insertions(+)
diff --git a/src/Monolog/Handler/NativeMailerHandler.php b/src/Monolog/Handler/NativeMailerHandler.php
index 7605a14..0fe6b64 100644
--- a/src/Monolog/Handler/NativeMailerHandler.php
+++ b/src/Monolog/Handler/NativeMailerHandler.php
@@ -129,6 +129,10 @@ class NativeMailerHandler extends MailHandler
*/
public function setContentType($contentType)
{
+ if (strpos($contentType, "\n") !== false || strpos($contentType, "\r") !== false) {
+ throw new \InvalidArgumentException('The content type can not contain newline characters to prevent email header injection');
+ }
+
$this->contentType = $contentType;
return $this;
@@ -140,6 +144,10 @@ class NativeMailerHandler extends MailHandler
*/
public function setEncoding($encoding)
{
+ if (strpos($encoding, "\n") !== false || strpos($encoding, "\r") !== false) {
+ throw new \InvalidArgumentException('The content type can not contain newline characters to prevent email header injection');
+ }
+
$this->encoding = $encoding;
return $this;
diff --git a/tests/Monolog/Handler/NativeMailerHandlerTest.php b/tests/Monolog/Handler/NativeMailerHandlerTest.php
index 50ceace..c2553ee 100644
--- a/tests/Monolog/Handler/NativeMailerHandlerTest.php
+++ b/tests/Monolog/Handler/NativeMailerHandlerTest.php
@@ -40,4 +40,22 @@ class NativeMailerHandlerTest extends TestCase
$mailer = new NativeMailerHandler('spammer@example.org', 'dear victim', 'receiver@example.org');
$mailer->addHeader(array("Content-Type: text/html\r\nFrom: faked@attacker.org"));
}
+
+ /**
+ * @expectedException InvalidArgumentException
+ */
+ public function testSetterContentTypeInjection()
+ {
+ $mailer = new NativeMailerHandler('spammer@example.org', 'dear victim', 'receiver@example.org');
+ $mailer->setContentType("text/html\r\nFrom: faked@attacker.org");
+ }
+
+ /**
+ * @expectedException InvalidArgumentException
+ */
+ public function testSetterEncodingInjection()
+ {
+ $mailer = new NativeMailerHandler('spammer@example.org', 'dear victim', 'receiver@example.org');
+ $mailer->setEncoding("utf-8\r\nFrom: faked@attacker.org");
+ }
}
Attachment:
signature.asc
Description: Digital signature