security #cve-2019-11325 [VarExporter] fix exporting some strings (nicolas-grekas)

This PR was merged into the 4.2 branch.
2019-11-12 13:59:01 +01:00 · 2019-11-12 13:59:01 +01:00 · 9067fdc950
parent 81fce3ecca 0524868cbf
commit 9067fdc950
4 changed files with 24 additions and 19 deletions
--- a/src/Symfony/Component/VarExporter/Internal/Exporter.php
+++ b/src/Symfony/Component/VarExporter/Internal/Exporter.php
@ -212,27 +212,28 @@ class Exporter
        $subIndent = $indent.'    ';

        if (\is_string($value)) {
-            $code = var_export($value, true);
+            $code = sprintf("'%s'", addcslashes($value, "'\\"));

-            if (false !== strpos($value, "\n") || false !== strpos($value, "\r")) {
-                $code = strtr($code, [
-                    "\r\n" => "'.\"\\r\\n\"\n".$subIndent.".'",
-                    "\r" => "'.\"\\r\"\n".$subIndent.".'",
-                    "\n" => "'.\"\\n\"\n".$subIndent.".'",
-                ]);
-            }
+            $code = preg_replace_callback('/([\0\r\n]++)(.)/', function ($m) use ($subIndent) {
+                $m[1] = sprintf('\'."%s".\'', str_replace(
+                    ["\0", "\r", "\n", '\n\\'],
+                    ['\0', '\r', '\n', '\n"'."\n".$subIndent.'."\\'],
+                    $m[1]
+                ));

-            if (false !== strpos($value, "\0")) {
-                $code = str_replace('\' . "\0" . \'', '\'."\0".\'', $code);
-                $code = str_replace('".\'\'."', '', $code);
-            }
+                if ("'" === $m[2]) {
+                   return substr($m[1], 0, -2);
+                }

-            if (false !== strpos($code, "''.")) {
-                $code = str_replace("''.", '', $code);
-            }
+                if ('n".\'' === substr($m[1], -4)) {
+                   return substr_replace($m[1], "\n".$subIndent.".'".$m[2], -2);
+                }

-            if (".''" === substr($code, -3)) {
-                $code = rtrim(substr($code, 0, -3));
+               return $m[1].$m[2];
+            }, $code, -1, $count);
+
+            if ($count && 0 === strpos($code, "''.")) {
+                $code = substr($code, 3);
            }

            return $code;
--- a/src/Symfony/Component/VarExporter/Tests/Fixtures/lf-ending-string.php
+++ b/src/Symfony/Component/VarExporter/Tests/Fixtures/lf-ending-string.php
@ -0,0 +1,4 @@
+<?php
+
+return '\'BOOM\''."\n"
+    .'.var_dump(123)//\'';
--- a/src/Symfony/Component/VarExporter/Tests/Fixtures/multiline-string.php
+++ b/src/Symfony/Component/VarExporter/Tests/Fixtures/multiline-string.php
@ -2,7 +2,6 @@

 return [
    "\0\0\r\n"
-        .'A' => 'B'."\r"
-        .'C'."\n"
+        .'A' => 'B'."\r".'C'."\n"
        ."\n",
 ];
--- a/src/Symfony/Component/VarExporter/Tests/VarExporterTest.php
+++ b/src/Symfony/Component/VarExporter/Tests/VarExporterTest.php
@ -109,6 +109,7 @@ class VarExporterTest extends TestCase
    public function provideExport()
    {
        yield ['multiline-string', ["\0\0\r\nA" => "B\rC\n\n"], true];
+        yield ['lf-ending-string', "'BOOM'\n.var_dump(123)//'", true];

        yield ['bool', true, true];
        yield ['simple-array', [123, ['abc']], true];