A potential server-side request forgery flaw was found in the way PHP accepted an fsockopen hostname argument with an expectation that the port number was constrained. Because :port syntax is recognized, fsockopen would use the port number that was specified in the hostname argument, instead of the port number in the second argument of the function. This could potentially allow a remote attacker to generate requests from a vulnerable PHP application that would target an application on the attacker-supplied port.

Upstream bug:
https://bugs.php.net/bug.php?id=74216

Upstream patch:
https://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a
Created php tracking bugs for this issue: Affects: fedora-all [bug 1437838]
Fixed in 7.0.18RC1 and 7.1.4RC1.

Notice: the fix for this minor security issue creates a minor behavior change (regression), at least noticed for the "proxy" attribute of stream context.

See:
guzzle/guzzle report: https://github.com/guzzle/guzzle/issues/1790
guzzle/ringphp report: https://github.com/guzzle/RingPHP/issues/41
Possible fix (probably not accepted): https://github.com/php/php-src/pull/2443

While the patch was in 7.0.18/7.1.4, we discovered it breaks a lot of applications relying on undocumented behavior.

See:
https://externals.io/thread/831
https://bugs.php.net/74429
https://bugs.php.net/74432

So the change has been reverted (in 7.0.19RC1 / 7.1.5R1).
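
Added example, not part of the original report and not PHP's own code: an application-side check that keeps the port under the caller's control by refusing any hostname that carries :port syntax before it reaches fsockopen. The function names strict_host and fsockopen_fixed_port are hypothetical, and the sample hostnames are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a PHP built-in): accept only a bare host, so the
// port can come from nowhere but fsockopen()'s second argument.
function strict_host(string $host): string
{
    // Bracketed IPv6 literal; nothing may follow the closing bracket.
    if (preg_match('/^\[([0-9A-Fa-f:.]+)\]$/D', $host, $m) === 1) {
        if (filter_var($m[1], FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
            return $host;
        }
        throw new InvalidArgumentException("invalid IPv6 literal: $host");
    }
    // IPv4 literal or DNS name: dot-separated labels of letters, digits and
    // hyphens. ':', '/', '@' and whitespace can never match.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (strlen($host) <= 253 && preg_match("/^$label(?:\\.$label)*$/D", $host) === 1) {
        return $host;
    }
    throw new InvalidArgumentException("host must not carry a port or scheme: $host");
}

// Hypothetical wrapper: validates first, then connects to the fixed port.
function fsockopen_fixed_port(string $host, int $port, float $timeout = 5.0)
{
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException("port out of range: $port");
    }
    $errno = 0;
    $errstr = '';
    $fp = @fsockopen(strict_host($host), $port, $errno, $errstr, $timeout);
    if ($fp === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    return $fp;
}

// Constructed sample inputs; only validation runs, no connection is made.
foreach (['example.com', '192.0.2.10', '[2001:db8::1]', 'example.com:8080', '[2001:db8::1]:8080'] as $h) {
    try {
        strict_host($h);
        echo "accept  $h\n";
    } catch (InvalidArgumentException $e) {
        echo "reject  $h\n";
    }
}
```

The check also rejects scheme prefixes such as ssl://, so an application that needs a transport prefix would have to add it after validation from its own fixed list.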