<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Wed Feb 07 21:15:07 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[CDRIVER-2401] Handle UTF-8 multibyte NIL in bson_utf8_validate, and UTF-8 validate URI strings before parsing</title>
                <link>https://jira.mongodb.org/browse/CDRIVER-2401</link>
                <project id="10030" key="CDRIVER">C Driver</project>
                    <description>&lt;h2&gt;&lt;a name=&quot;Bugs&quot;&gt;&lt;/a&gt;Bugs&lt;/h2&gt;

&lt;p&gt;Three minor issues occur if you feed the following PoCs (proof-of-concept inputs) into the &quot;mongoc_uri_new&quot; function. &lt;/p&gt;

&lt;p&gt;This was against:&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/releases/download/1.8.2/mongo-c-driver-1.8.2.tar.gz&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/releases/download/1.8.2/mongo-c-driver-1.8.2.tar.gz&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;With ASAN on.&lt;/p&gt;

&lt;p&gt;This is the script I used for testing:&lt;br/&gt;
&lt;a href=&quot;https://gist.github.com/c0nrad/760fd1d34e39b7ed8f4442c622c90160&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://gist.github.com/c0nrad/760fd1d34e39b7ed8f4442c622c90160&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;&lt;a name=&quot;scantounichar&quot;&gt;&lt;/a&gt;scan_to_unichar&lt;/h3&gt;
&lt;blockquote&gt;
&lt;p&gt;READ of size 1&lt;br/&gt;
#7  0x000000000041c2ec in scan_to_unichar (terminators=&amp;lt;optimized out&amp;gt;, end=&amp;lt;synthetic pointer&amp;gt;, match=64, str=0x60200000ec50 &quot;\350\003&quot;) at src/mongoc/mongoc-uri.c:159&lt;br/&gt;
PoC&lt;br/&gt;
0000000 6f6d 676e 646f 3a62 2f2f 03e8 0000 686c&lt;br/&gt;
0000010 736f 3a74 3732 3130 2f37 6574 7473 723f&lt;br/&gt;
0000020 7065 696c 6163 6573 3d74 6f66 006f&lt;br/&gt;
000002d&lt;/p&gt;&lt;/blockquote&gt;

&lt;h3&gt;&lt;a name=&quot;bsonutf8getchar&quot;&gt;&lt;/a&gt;bson_utf8_get_char&lt;/h3&gt;
&lt;blockquote&gt;
&lt;p&gt;READ of size 1&lt;br/&gt;
#7  0x00000000004763db in bson_utf8_get_char (utf8=utf8@entry=0x60200000ec30 &quot;\372&quot;) at src/bson/bson-utf8.c:367&lt;br/&gt;
PoC:&lt;br/&gt;
0000000 6f6d 676e 646f 3a62 2f2f 00fa fa00 686c&lt;br/&gt;
0000010 736f 3a74 3732 3130 2f37 6574 7473 723f&lt;br/&gt;
0000020 7065 696c 6163 6573 3d74 6f66 006f&lt;br/&gt;
000002d&lt;/p&gt;&lt;/blockquote&gt;

&lt;h3&gt;&lt;a name=&quot;bsonstringappendunichar&quot;&gt;&lt;/a&gt;bson_string_append_unichar&lt;/h3&gt;
&lt;blockquote&gt;
&lt;p&gt;precondition failed: unichar&lt;br/&gt;
#2  0x0000000000471ed2 in bson_string_append_unichar (string=string@entry=0x60200000ebf0, unichar=&amp;lt;optimized out&amp;gt;) at src/bson/bson-string.c:232&lt;br/&gt;
#3  0x0000000000412529 in mongoc_uri_unescape (escaped_string=escaped_string@entry=0x60200000ec10 &quot;loca01te\332\213\300\200&quot;) at src/mongoc/mongoc-uri.c:1683&lt;br/&gt;
#4  0x0000000000412eff in mongoc_uri_do_unescape (str=&amp;lt;synthetic pointer&amp;gt;) at src/mongoc/mongoc-uri.c:76&lt;br/&gt;
#5  mongoc_uri_parse_host (uri=&amp;lt;optimized out&amp;gt;, str=&amp;lt;optimized out&amp;gt;, downcase=&amp;lt;optimized out&amp;gt;) at src/mongoc/mongoc-uri.c:367&lt;br/&gt;
PoC:&lt;br/&gt;
0000000 6f6d 676e 646f 3a62 2f2f 6f6c 6163 3130&lt;br/&gt;
0000010 6574 8bda 80c0 ff00 31ff 6574 8bda 8dc0&lt;br/&gt;
0000020 4063 6573 3d74 6f66 7361 0073&lt;br/&gt;
000002b&lt;/p&gt;&lt;/blockquote&gt;</description>
                <environment></environment>
        <key id="462507">CDRIVER-2401</key>
            <summary>Handle UTF-8 multibyte NIL in bson_utf8_validate, and UTF-8 validate URI strings before parsing</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="4" iconUrl="https://jira.mongodb.org/images/icons/priorities/minor.svg">Minor - P4</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13201">Fixed</resolution>
                                        <assignee username="jesse@mongodb.com">A. Jesse Jiryu Davis</assignee>
                                    <reporter username="stuart.larsen@mongodb.com">Stuart Larsen</reporter>
                        <labels>
                            <label>asp</label>
                            <label>asp-sdl-fuzzing</label>
                            <label>asp-vuln-dos</label>
                    </labels>
                <created>Tue, 21 Nov 2017 20:37:29 +0000</created>
                <updated>Sat, 28 Oct 2023 11:30:17 +0000</updated>
                            <resolved>Thu, 23 Nov 2017 00:13:45 +0000</resolved>
                                                    <fixVersion>1.9.0</fixVersion>
                                    <component>uri</component>
                                        <votes>0</votes>
                                    <watches>3</watches>
                                                                                                                <comments>
                            <comment id="1733360" author="xgen-internal-githook" created="Wed, 22 Nov 2017 22:27:41 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;A. Jesse Jiryu Davis&apos;, &apos;username&apos;: &apos;ajdavis&apos;, &apos;email&apos;: &apos;jesse@mongodb.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-2401&quot; title=&quot;Handle UTF-8 multibyte NIL in bson_utf8_validate, and UTF-8 validate URI strings before parsing&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-2401&quot;&gt;&lt;del&gt;CDRIVER-2401&lt;/del&gt;&lt;/a&gt; delete temporary comment&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/libbson/commit/155ad7c7a676f531ec10bdaec33c7f8e04a59fc1&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/libbson/commit/155ad7c7a676f531ec10bdaec33c7f8e04a59fc1&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="1733290" author="xgen-internal-githook" created="Wed, 22 Nov 2017 20:52:14 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;A. Jesse Jiryu Davis&apos;, &apos;username&apos;: &apos;ajdavis&apos;, &apos;email&apos;: &apos;jesse@mongodb.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-2401&quot; title=&quot;Handle UTF-8 multibyte NIL in bson_utf8_validate, and UTF-8 validate URI strings before parsing&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-2401&quot;&gt;&lt;del&gt;CDRIVER-2401&lt;/del&gt;&lt;/a&gt; test ASAN with GCC, as well as Clang&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/commit/176b6643a6e801a24668e00f884700db0dbad581&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/commit/176b6643a6e801a24668e00f884700db0dbad581&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="1733289" author="xgen-internal-githook" created="Wed, 22 Nov 2017 20:52:12 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;A. Jesse Jiryu Davis&apos;, &apos;username&apos;: &apos;ajdavis&apos;, &apos;email&apos;: &apos;jesse@mongodb.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-2401&quot; title=&quot;Handle UTF-8 multibyte NIL in bson_utf8_validate, and UTF-8 validate URI strings before parsing&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-2401&quot;&gt;&lt;del&gt;CDRIVER-2401&lt;/del&gt;&lt;/a&gt; validate whole URI as UTF-8&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/commit/f4e8af4f80d2b20912a6c96407e1c20fe798c5f7&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/commit/f4e8af4f80d2b20912a6c96407e1c20fe798c5f7&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="1732933" author="jesse" created="Wed, 22 Nov 2017 16:01:32 +0000"  >&lt;p&gt;The first string begins with &quot;mongodb://\xe8\x03\x00&quot;. The &quot;\xe8&quot; should be the first byte of a three-byte character, but there aren&apos;t enough characters left in the string. &quot;\x00&quot; terminates the string - no UTF-8 multibyte character includes the zero byte. Unfortunately, mongoc_uri_parse tries to iterate over each UTF-8 character after &quot;mongodb://&quot;, searching for a &quot;/&quot; character, and it steps past the end of the string. I fixed it by simply UTF-8 validating the whole string in mongoc_uri_parse before splitting the string into URI segments.&lt;/p&gt;

&lt;p&gt;The second string begins with &quot;mongodb://\xfa&quot;. In libbson we interpret that as the first byte of a *&lt;b&gt;five&lt;/b&gt;*-byte character! I think this means libbson doesn&apos;t implement strict UTF-8, which only allows up to 4 bytes per character. Perhaps it implements CESU-8, but I haven&apos;t investigated. Anyway, the &quot;\xfa&quot; is at the end of the string, so this is the same bug with the same fix as the previous entry.&lt;/p&gt;

&lt;p&gt;The third contains &quot;\xc0\x80&quot; in the hostname. That&apos;s an overlong multibyte encoding of NIL. We try to unescape the hostname in case it contains &quot;%20&quot; or something like that. This involves stepping over each unicode character, checking if it is &quot;%&quot;, and if not, then appending it to the actual hostname, using bson_string_append_unichar(). That function asserts the appended character is non-NIL, but &quot;\xc0\x80&quot; &lt;b&gt;is&lt;/b&gt; NIL.&lt;/p&gt;

&lt;p&gt;The solution here is to update the behavior of this function:&lt;/p&gt;
&lt;p/&gt;
&lt;div id=&quot;syntaxplugin&quot; class=&quot;syntaxplugin&quot; style=&quot;border: 1px dashed #bbb; border-radius: 5px !important; overflow: auto; max-height: 30em;&quot;&gt;
&lt;table cellspacing=&quot;0&quot; cellpadding=&quot;0&quot; border=&quot;0&quot; width=&quot;100%&quot; style=&quot;font-size: 1em; line-height: 1.4em !important; font-weight: normal; font-style: normal; color: black;&quot;&gt;
		&lt;tbody &gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;  margin-top: 10px;   margin-bottom: 10px;  width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;bson_utf8_validate (str, strlen (str), false /* allow_null */)&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
			&lt;/tbody&gt;
&lt;/table&gt;
&lt;/div&gt;
&lt;p/&gt;
&lt;p&gt;The validate function should prohibit a multibyte NIL just as it prohibits a single-byte NIL when &quot;allow_null&quot; is false. (Yes, I&apos;m confusing NULL and NIL, sorry.)&lt;/p&gt;</comment>
                            <comment id="1732856" author="xgen-internal-githook" created="Wed, 22 Nov 2017 14:59:45 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;A. Jesse Jiryu Davis&apos;, &apos;username&apos;: &apos;ajdavis&apos;, &apos;email&apos;: &apos;jesse@mongodb.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-2401&quot; title=&quot;Handle UTF-8 multibyte NIL in bson_utf8_validate, and UTF-8 validate URI strings before parsing&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-2401&quot;&gt;&lt;del&gt;CDRIVER-2401&lt;/del&gt;&lt;/a&gt; check for UTF-8 two-byte NULL&lt;/p&gt;

&lt;p&gt;bson_utf8_validate() with allow_null=false should prohibit the UTF-8&lt;br/&gt;
two-byte code for NULL, as well as the single-byte NULL.&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/libbson/commit/b4bcd00967706502e53c948e740a2c503e2c6f79&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/libbson/commit/b4bcd00967706502e53c948e740a2c503e2c6f79&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="1732383" author="jesse" created="Tue, 21 Nov 2017 23:16:02 +0000"  >&lt;p&gt;This is terrific, Stuart. What&apos;s a PoC? Is it a proof of concept?&lt;/p&gt;

&lt;p&gt;Is this required before we release 1.9.0, the first release that supports mongodb+srv URIs?&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="462901">CDRIVER-2403</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|htca1j:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            </customfields>
    </item>
</channel>
</rss>