
PHP 7.3.29 introduced breaking change to FILTER_VALIDATE_URL

Open kfoubert opened this issue 4 years ago • 0 comments

Summary of problem or feature request

This is more informative than a bugfix in case other people encounter the same issue. We're using elasticsearch-PHP version 6.5 and PHP 7.3.29, which was released on July 1st, 2021. That version changed how FILTER_VALIDATE_URL works, breaking the code for prependMissing() for a URL that is using basic authentication.

Version 7.3.29 Changelog

I also checked with the devs assigned to that bug if basic authentication is a valid URL, but it might be that the password is causing the validation error.

Sec Bug #81122 | SSRF bypass in FILTER_VALIDATE_URL

Code snippet of problem

# vendor/elasticsearch/elasticsearch/src/Elasticsearch/ClientBuilder.php

// pseudo code
$host = "https://[username]:[password]@fake83value4879dc445d84entered990here771358.us-west-2.aws.found.io:9243";

$fixHost = $this->prependMissingScheme($host);
// returns: "http://https://[username]:[password]@fake83value4879dc445d84entered990here771358.us-west-2.aws.found.io:9243"

/**
 * @param string $host
 *
 * @return string
 */
private function prependMissingScheme($host)
{
    // PHP 7.3.29 FILTER_VALIDATE_URL breaks, returns false
    // PHP 7.3.27 returned true
    if (!filter_var($host, FILTER_VALIDATE_URL)) {
        $host = 'http://' . $host;
    }

    return $host;
}

Code Snippet Solution

The easiest solution is to not use a URL with ->setHosts() but use the array option instead.


$hosts = ["https://[username]:[password]@fake83value4879dc445d84entered990here771358.us-west-2.aws.found.io:9243"];

# change to

$hosts = [
      [
        "host" => $host,
        "port" => $port,
        "scheme" => $scheme,
        "path" => $path,
        "user" => $username,
        "pass" => $password
      ]
    ];

$this->elasticsearch = ClientBuilder::create()
    ->setHosts($this->elastic_search_hosts)
    ->build();

System details

  • linux
  • PHP 7.3.29
  • ES-PHP client version 6.5
  • Elasticsearch version 6.3

kfoubert, Jul 16 '21 22:07
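An added example, not part of the original issue or of elasticsearch-php: one way to turn an existing credentialed host URL into the array form shown above, so the result of FILTER_VALIDATE_URL no longer decides whether a scheme gets prepended. The helper names hasScheme() and hostFromUrl() and the sample URL are assumptions made for illustration.

```php
<?php
// Added example; hasScheme() and hostFromUrl() are hypothetical helper names.

/** True when the string already starts with "<scheme>://". */
function hasScheme(string $host): bool
{
    // Scheme syntax per RFC 3986: a letter, then letters, digits, "+", "." or "-".
    return preg_match('~^[a-z][a-z0-9+.\-]*://~i', $host) === 1;
}

/**
 * Split a host URL into the array form used with setHosts() in the issue,
 * so the user and password never pass through FILTER_VALIDATE_URL.
 */
function hostFromUrl(string $url): array
{
    if (!hasScheme($url)) {
        // Only prepend when no scheme is present, avoiding "http://https://...".
        $url = 'http://' . $url;
    }

    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        throw new InvalidArgumentException('Cannot parse host URL');
    }

    // Keep only the keys that appear in the array form; absent ones are dropped.
    // parse_url() does not percent-decode, so decode user/pass yourself if the
    // URL carried them percent-encoded.
    $keys = ['host', 'port', 'scheme', 'path', 'user', 'pass'];
    return array_intersect_key($parts, array_flip($keys));
}

// Constructed sample value, not a real endpoint or credential.
$url   = 'https://elastic:s3cret@es.example.test:9243';
$hosts = [hostFromUrl($url)];

// Mask the password before printing or logging the configuration.
$printable = $hosts[0];
$printable['pass'] = '***';
print_r($printable);
```

The resulting $hosts array can be passed to setHosts() in place of the URL string.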