elasticsearch-php
PHP 7.3.29 introduced breaking change to FILTER_VALIDATE_URL
Summary of problem or feature request
This is more informative than a bugfix in case other people encounter the same issue. We're using elasticsearch-php version 6.5 and PHP 7.3.29, which was released on July 1st, 2021. That version changed how FILTER_VALIDATE_URL works, breaking the code for prependMissingScheme() for a URL that uses basic authentication.
I also checked with the devs assigned to that bug whether a URL with basic authentication is valid, but it might be that the password is causing the validation error.
Sec Bug #81122 | SSRF bypass in FILTER_VALIDATE_URL
Code snippet of problem
```php
# vendor/elasticsearch/elasticsearch/src/Elasticsearch/ClientBuilder.php
// pseudo code
$host = "https://[username]:[password]@fake83value4879dc445d84entered990here771358.us-west-2.aws.found.io:9243";
$fixHost = $this->prependMissingScheme($host);
// returns: "http://https://[username]:[password]@fake83value4879dc445d84entered990here771358.us-west-2.aws.found.io:9243"

/**
 * @param string $host
 *
 * @return string
 */
private function prependMissingScheme($host)
{
    // PHP 7.3.29 FILTER_VALIDATE_URL breaks, returns false
    // PHP 7.3.27 returned true
    if (!filter_var($host, FILTER_VALIDATE_URL)) {
        $host = 'http://' . $host;
    }
    return $host;
}
```
Code Snippet Solution
The easiest solution is to not use a URL with ->setHosts() but use the array option instead.
```php
$hosts = ["https://[username]:[password]@fake83value4879dc445d84entered990here771358.us-west-2.aws.found.io:9243"];

// change to
$hosts = [
    [
        "host" => $host,
        "port" => $port,
        "scheme" => $scheme,
        "path" => $path,
        "user" => $username,
        "pass" => $password
    ]
];

$this->elasticsearch = ClientBuilder::create()
    ->setHosts($hosts)
    ->build();
```
System details
- linux
- PHP 7.3.29
- ES-PHP client version 6.5
- Elasticsearch version 6.3
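
An added example, not code from this issue or from elasticsearch-php: one way to apply the array-based workaround to hosts that are still configured as URLs, splitting them with parse_url() so the credentials never pass through FILTER_VALIDATE_URL. The helper name `hostUrlToArray` and the sample URL are hypothetical, and credentials in the URL are assumed to be percent-encoded.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of elasticsearch-php: turns a host URL into the
// extended host array without passing the credentials through FILTER_VALIDATE_URL.
function hostUrlToArray(string $url): array
{
    // Detect an explicit scheme syntactically (RFC 3986 scheme grammar).
    if (!preg_match('#^[a-z][a-z0-9+.-]*://#i', $url)) {
        $url = 'http://' . $url;
    }

    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        // Keep the URL out of the message: it may contain the password.
        throw new InvalidArgumentException('Elasticsearch host could not be parsed');
    }

    // Validate the host name only, never the userinfo part.
    $name = $parts['host'];
    $isHostname = filter_var($name, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
    $isIp = filter_var(trim($name, '[]'), FILTER_VALIDATE_IP) !== false;
    if (!$isHostname && !$isIp) {
        throw new InvalidArgumentException('Elasticsearch host name is not valid');
    }

    $host = [
        'host'   => $name,
        'port'   => $parts['port'] ?? 9200, // Elasticsearch's default HTTP port
        'scheme' => $parts['scheme'],
    ];
    if (isset($parts['path'])) {
        $host['path'] = $parts['path'];
    }
    if (isset($parts['user'])) {
        // Assumption: credentials in the URL are percent-encoded.
        $host['user'] = rawurldecode($parts['user']);
        $host['pass'] = rawurldecode($parts['pass'] ?? '');
    }
    return $host;
}

// Constructed sample value, not a real cluster or credential.
$host = hostUrlToArray('https://elastic:s3cr%40t@es.example.test:9243');
$host['pass'] = '***'; // mask before printing
print_r($host);
```

The returned array uses the same keys as the workaround above, so it can be placed directly in the list given to `setHosts()`.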