From 600f1f898f9771d13880255e74ea1c10590f5fd5 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Sun, 17 Nov 2019 14:14:59 +0100
Subject: Fix #78814: strip_tags allows / in tag name => whitelist bypass

When normalizing tags to check whether they are contained in the set
of allowable tags, we must not strip slashes, unless they come
immediately after the opening `<`, or immediately before the closing
`>`.
---
 ext/standard/string.c                    | 2 +-
 ext/standard/tests/strings/bug78814.phpt | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 ext/standard/tests/strings/bug78814.phpt

(limited to 'ext')

diff --git a/ext/standard/string.c b/ext/standard/string.c
index dcf9cb44c7..da51cd0966 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4663,7 +4663,7 @@ int php_tag_find(char *tag, size_t len, const char *set) {
 					if (state == 0) {
 						state=1;
 					}
-					if (c != '/') {
+					if (c != '/' || (*(t-1) != '<' && *(t+1) != '>')) {
 						*(n++) = c;
 					}
 				} else {
diff --git a/ext/standard/tests/strings/bug78814.phpt b/ext/standard/tests/strings/bug78814.phpt
new file mode 100644
index 0000000000..c8ad8373e0
--- /dev/null
+++ b/ext/standard/tests/strings/bug78814.phpt
@@ -0,0 +1,8 @@
+--TEST--
+Bug #78814 (strip_tags allows / in tag name => whitelist bypass)
+--FILE--
+<?php
+echo strip_tags("<s/trong>b</strong>", "<strong>");
+?>
+--EXPECT--
+b</strong>
-- 
cgit v1.2.1