Hi all.
Several yii validators use regular expressions, such as CEmailValidator, CUrlValidator, CNumberValidator.
The email and URL validators contain regular expressions that can be easily exploited for DoS attacks.
The regular expressions in those validators can easily reach a stack overflow, and the process will crash with a segmentation fault.
PCRE is a tool with documented limitations; it is not intended to be used for validation of arbitrary data.
http://bugs.exim.org/show_bug.cgi?id=1018
Here is some code:
CUrlValidator contains this regexp:
$pattern='/^(http|https):\/\/(([A-Z0-9][A-Z0-9_-]*)(\.[A-Z0-9][A-Z0-9_-]*)+)/i';
Sending the following string of 4 KB length to any script that runs URL validation leads to a segfault:
$str = 'http://w'.str_repeat('.a',4000).'.ru';
One can compose a similar string that will crash the email validator, which is used everywhere (I don't want to write exact code here).
I assume that sending 30 simultaneous requests of this kind will bring down a server until the processes are restarted.
Solution:
use the filter_var() function, the one intentionally written for this purpose.
class CUrlValidator extends CValidator
{
    //…
    public function validateValue($value)
    {
        // a URL validator must use FILTER_VALIDATE_URL, not FILTER_VALIDATE_EMAIL
        return filter_var($value,FILTER_VALIDATE_URL);
    }
}
class CEmailValidator extends CValidator
{
    //…
    public function validateValue($value)
    {
        $valid=filter_var($value,FILTER_VALIDATE_EMAIL);
        //…
        return $valid!==false;
    }
}
CNumberValidator does not seem to have an easily reachable security issue, but using filter_var() would definitely be faster and more reliable:
if($this->integerOnly){
    // compare with ===false: filter_var('0',FILTER_VALIDATE_INT) returns int 0, which is falsy
    if(filter_var($value,FILTER_VALIDATE_INT)===false){$this->addError($object,$attribute,$message);}
}else{
    if(filter_var($value,FILTER_VALIDATE_FLOAT)===false){$this->addError($object,$attribute,$message);}
}
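The following is an added example, not code from the post above or from the Yii framework. It collects the defensive points made in the post into one stand-alone helper: a length cap applied before any parsing, filter_var() checks compared with === false (so that a valid "0" is not rejected), and a guarded preg_match() wrapper for patterns that cannot be replaced, which bounds PCRE via its ini limits and treats a PCRE error as "invalid" rather than as "no match". The class name SafeValidator, the MAX_LEN constant and the sample inputs are the example's own assumptions.

```php
<?php
// Added example (not Yii's code): validation helpers built on filter_var(),
// plus a preg_match() wrapper that fails closed when PCRE hits its limits.
// SafeValidator and MAX_LEN are names chosen for this example.

final class SafeValidator
{
    // Reject oversize input before any parsing; a cheap first line of defence
    // that removes the "4 KB of '.a'" class of input before a regex ever runs.
    const MAX_LEN = 2048;

    private static function withinLength($value): bool
    {
        return is_string($value) && strlen($value) <= self::MAX_LEN;
    }

    public static function url($value): bool
    {
        return self::withinLength($value)
            && filter_var($value, FILTER_VALIDATE_URL) !== false
            && in_array(strtolower((string) parse_url($value, PHP_URL_SCHEME)), ['http', 'https'], true);
    }

    public static function email($value): bool
    {
        return self::withinLength($value)
            && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
    }

    // filter_var('0', FILTER_VALIDATE_INT) returns int 0, which is falsy, so a
    // plain "if (!filter_var(...))" would wrongly reject it; compare with === false.
    public static function integer($value): bool
    {
        return self::withinLength($value)
            && filter_var($value, FILTER_VALIDATE_INT) !== false;
    }

    public static function number($value): bool
    {
        return self::withinLength($value)
            && filter_var($value, FILTER_VALIDATE_FLOAT) !== false;
    }

    // For patterns that must stay: bound PCRE and fail closed. preg_match()
    // returns false (not 0) when PCRE aborts, e.g. PREG_BACKTRACK_LIMIT_ERROR
    // or PREG_RECURSION_LIMIT_ERROR; that must count as "invalid", not "no match".
    public static function matches(string $pattern, $value): bool
    {
        if (!self::withinLength($value)) {
            return false;
        }
        ini_set('pcre.backtrack_limit', '100000');
        ini_set('pcre.recursion_limit', '100000');
        $result = @preg_match($pattern, $value);
        if ($result === false) {
            error_log('preg_match aborted, preg_last_error=' . preg_last_error());
            return false;
        }
        return $result === 1;
    }
}

// Constructed sample inputs with the expected verdict for each.
$cases = [
    ['url',     'http://example.com/path', true],
    ['url',     'ftp://example.com',       false],
    ['email',   'user@example.com',        true],
    ['email',   'not an address',          false],
    ['integer', '0',                       true],   // the falsy-zero pitfall
    ['integer', '12abc',                   false],
    ['number',  '3.14',                    true],
    // the post's oversize input: rejected by the length cap, never reaches a parser
    ['url',     'http://w' . str_repeat('.a', 4000) . '.ru', false],
];

foreach ($cases as [$kind, $input, $expected]) {
    $got   = SafeValidator::$kind($input);
    $shown = strlen($input) > 30 ? substr($input, 0, 27) . '...' : $input;
    printf("%-7s %-30s %s\n", $kind, $shown, $got === $expected ? 'ok' : 'MISMATCH');
}
```

Run it with `php safe_validator.php`; every line should print `ok`. The length cap is deliberately applied in matches() as well, because pcre.backtrack_limit and pcre.recursion_limit only bound the work PCRE does per call; they do not make a pathological pattern cheap, they just turn a crash into a clean, loggable validation failure.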