Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package php-monolog It fixes a potential security issue (mail header injection) by cherry-picking an upstream commit that was already included in version 1.12.0-1 (as available in experimental). The patch also includes an update to the test suite (showing how the issue may have been exploited). php-monolog (1.11.0-2) unstable; urgency=medium * Add gbp.conf to track the Jessie branch * Fix a potential security issue (header injection) Prevent header injection through content type / encoding in NativeMailerHandler. -- David Prévot <taf...@debian.org> Sun, 01 Mar 2015 01:56:16 -0400 Please find attached the full debdiff, as well as the new patch itself to ease the review. unblock php-monolog/1.11.0-2 Thanks in advance for considering. Regards David
diff --git a/debian/changelog b/debian/changelog index 8a207aa..a8bf6bb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +php-monolog (1.11.0-2) unstable; urgency=medium + + * Add gbp.conf to track the Jessie branch + * Fix a potential security issue (header injection) + Prevent header injection through content type / encoding in + NativeMailerHandler. + + -- David Prévot <taf...@debian.org> Sun, 01 Mar 2015 01:56:16 -0400 + php-monolog (1.11.0-1) unstable; urgency=medium [ gkedzierski ] diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 0000000..fae4302 --- /dev/null +++ b/debian/gbp.conf @@ -0,0 +1,2 @@ +[DEFAULT] +debian-branch = jessie diff --git a/debian/patches/0004-Prevent-header-injection-through-content-type-encodi.patch b/debian/patches/0004-Prevent-header-injection-through-content-type-encodi.patch new file mode 100644 index 0000000..1c27746 --- /dev/null +++ b/debian/patches/0004-Prevent-header-injection-through-content-type-encodi.patch @@ -0,0 +1,65 @@ +From: Jordi Boggiano <j.boggi...@seld.be> +Date: Sun, 28 Dec 2014 14:32:10 +0000 +Subject: Prevent header injection through content type / encoding in + NativeMailerHandler, fixes #458, closes #448 + +Bug: https://github.com/Seldaek/monolog/pull/448 https://github.com/Seldaek/monolog/issues/458 +Origin: upstream, https://github.com/Seldaek/monolog/commit/515a096c864b00b3967f7f601680f85d4a2e4001 +--- + src/Monolog/Handler/NativeMailerHandler.php | 8 ++++++++ + tests/Monolog/Handler/NativeMailerHandlerTest.php | 18 ++++++++++++++++++ + 2 files changed, 26 insertions(+) + +diff --git a/src/Monolog/Handler/NativeMailerHandler.php b/src/Monolog/Handler/NativeMailerHandler.php +index 7605a14..0fe6b64 100644 +--- a/src/Monolog/Handler/NativeMailerHandler.php ++++ b/src/Monolog/Handler/NativeMailerHandler.php +@@ -129,6 +129,10 @@ class NativeMailerHandler extends MailHandler + */ + public function setContentType($contentType) + { ++ if (strpos($contentType, "\n") !== false || strpos($contentType, "\r") !== false) { ++ throw new \InvalidArgumentException('The content type can not contain newline characters to prevent email header injection'); ++ } ++ + $this->contentType = $contentType; + + return $this; +@@ -140,6 +144,10 @@ class NativeMailerHandler extends MailHandler + */ + public function setEncoding($encoding) + { ++ if (strpos($encoding, "\n") !== false || strpos($encoding, "\r") !== false) { ++ throw new \InvalidArgumentException('The content type can not contain newline characters to prevent email header injection'); ++ } ++ + $this->encoding = $encoding; + + return $this; +diff --git a/tests/Monolog/Handler/NativeMailerHandlerTest.php b/tests/Monolog/Handler/NativeMailerHandlerTest.php +index 50ceace..c2553ee 100644 +--- a/tests/Monolog/Handler/NativeMailerHandlerTest.php ++++ b/tests/Monolog/Handler/NativeMailerHandlerTest.php +@@ -40,4 +40,22 @@ class NativeMailerHandlerTest extends TestCase + $mailer = new NativeMailerHandler('spam...@example.org', 'dear victim', 'recei...@example.org'); + $mailer->addHeader(array("Content-Type: text/html\r\nFrom: fa...@attacker.org")); + } ++ ++ /** ++ * @expectedException InvalidArgumentException ++ */ ++ public function testSetterContentTypeInjection() ++ { ++ $mailer = new NativeMailerHandler('spam...@example.org', 'dear victim', 'recei...@example.org'); ++ $mailer->setContentType("text/html\r\nFrom: fa...@attacker.org"); ++ } ++ ++ /** ++ * @expectedException InvalidArgumentException ++ */ ++ public function testSetterEncodingInjection() ++ { ++ $mailer = new NativeMailerHandler('spam...@example.org', 'dear victim', 'recei...@example.org'); ++ $mailer->setEncoding("utf-8\r\nFrom: fa...@attacker.org"); ++ } + } diff --git a/debian/patches/series b/debian/patches/series index 5286df5..9766944 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ 0001-Use-ClassLoader-from-Symfony-instead-of-autoload.patch 0002-Drop-Git-test.patch 0003-Drop-failing-test-too-precise-time.patch +0004-Prevent-header-injection-through-content-type-encodi.patch
From: Jordi Boggiano <j.boggi...@seld.be> Date: Sun, 28 Dec 2014 14:32:10 +0000 Subject: Prevent header injection through content type / encoding in NativeMailerHandler, fixes #458, closes #448 Bug: https://github.com/Seldaek/monolog/pull/448 https://github.com/Seldaek/monolog/issues/458 Origin: upstream, https://github.com/Seldaek/monolog/commit/515a096c864b00b3967f7f601680f85d4a2e4001 --- src/Monolog/Handler/NativeMailerHandler.php | 8 ++++++++ tests/Monolog/Handler/NativeMailerHandlerTest.php | 18 ++++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/src/Monolog/Handler/NativeMailerHandler.php b/src/Monolog/Handler/NativeMailerHandler.php index 7605a14..0fe6b64 100644 --- a/src/Monolog/Handler/NativeMailerHandler.php +++ b/src/Monolog/Handler/NativeMailerHandler.php @@ -129,6 +129,10 @@ class NativeMailerHandler extends MailHandler */ public function setContentType($contentType) { + if (strpos($contentType, "\n") !== false || strpos($contentType, "\r") !== false) { + throw new \InvalidArgumentException('The content type can not contain newline characters to prevent email header injection'); + } + $this->contentType = $contentType; return $this; @@ -140,6 +144,10 @@ class NativeMailerHandler extends MailHandler */ public function setEncoding($encoding) { + if (strpos($encoding, "\n") !== false || strpos($encoding, "\r") !== false) { + throw new \InvalidArgumentException('The content type can not contain newline characters to prevent email header injection'); + } + $this->encoding = $encoding; return $this; diff --git a/tests/Monolog/Handler/NativeMailerHandlerTest.php b/tests/Monolog/Handler/NativeMailerHandlerTest.php index 50ceace..c2553ee 100644 --- a/tests/Monolog/Handler/NativeMailerHandlerTest.php +++ b/tests/Monolog/Handler/NativeMailerHandlerTest.php @@ -40,4 +40,22 @@ class NativeMailerHandlerTest extends TestCase $mailer = new NativeMailerHandler('spam...@example.org', 'dear victim', 'recei...@example.org'); $mailer->addHeader(array("Content-Type: text/html\r\nFrom: fa...@attacker.org")); } + + /** + * @expectedException InvalidArgumentException + */ + public function testSetterContentTypeInjection() + { + $mailer = new NativeMailerHandler('spam...@example.org', 'dear victim', 'recei...@example.org'); + $mailer->setContentType("text/html\r\nFrom: fa...@attacker.org"); + } + + /** + * @expectedException InvalidArgumentException + */ + public function testSetterEncodingInjection() + { + $mailer = new NativeMailerHandler('spam...@example.org', 'dear victim', 'recei...@example.org'); + $mailer->setEncoding("utf-8\r\nFrom: fa...@attacker.org"); + } }
signature.asc
Description: Digital signature