MCPcopy Index your code
hub / github.com/php/frankenphp / TestSplitPosSecurityRegressionUnicodeBypass

Function TestSplitPosSecurityRegressionUnicodeBypass

cgi_test.go:278–298  ·  view source on GitHub ↗

TestSplitPosSecurityRegressionUnicodeBypass guards against GHSA-3g8v-8r37-cgjm (uninitialized match flag on inner non-ASCII byte) and GHSA-v4h7-cj44-8fc8 (Unicode equivalence via search.IgnoreCase letting non-PHP files be picked up as the script). Every payload below produced a false positive in the

(t *testing.T)

Source from the content-addressed store, hash-verified

276// non-PHP files be picked up as the script). Every payload below produced a
277// false positive in the vulnerable implementation; none must match here.
278func TestSplitPosSecurityRegressionUnicodeBypass(t *testing.T) {
279 t.Parallel()
280
281 split := []string{".php"}
282 payloads := []string{
283 "/PoC-match-unset.¡.txt", // GHSA-3g8v: match left set after IndexString fallback returned -1
284 "/shell﹒php", // U+FE52 small full stop
285 "/shell.php", // U+FF0E fullwidth full stop
286 "/shell.php", // U+FF50 fullwidth p
287 "/shell.php", // U+FF48 fullwidth h
288 "/shell.php", // U+FF50 fullwidth p (trailing)
289 "/shell.\U0001D5C1\U0001D5B5\U0001D5C1", // mathematical sans-serif p/h
290 "/shell.\U0001D5FD\U0001D5F5\U0001D5FD", // mathematical sans-serif bold p/h
291 "/shell.\U0001D4C5\U0001D4BD\U0001D4C5", // mathematical script p/h
292 "/shell.ⓟⓗⓟ", // circled latin small
293 }
294
295 for _, p := range payloads {
296 assert.Equalf(t, -1, splitPos(p, split), "payload %q must not be detected as .php", p)
297 }
298}

Callers

nothing calls this directly

Calls 1

splitPosFunction · 0.85

Tested by

no test coverage detected