meta-openembedded/meta-oe/recipes-benchmark/phoronix-test-suite/files/CVE-2022-40704.patch

From d3880d9d3ba795138444da83f1153c3c3ac27640 Mon Sep 17 00:00:00 2001
From: Michael Larabel <michael@phoronix.com>
Date: Sat, 23 Jul 2022 07:32:43 -0500
Subject: [PATCH] phoromatic: Explicitly check both $_GET abd $_POST in
 phoromatic_quit_if_invalid_input_found()

Fixes: https://github.com/phoronix-test-suite/phoronix-test-suite/issues/650#issuecomment-1193116678

Upstream-Status: Backport
CVE: CVE-2022-40704

Reference to upstream patch:
https://github.com/phoronix-test-suite/phoronix-test-suite/commit/d3880d9d3ba795138444da83f1153c3c3ac27640

Signed-off-by: Li Wang <li.wang@windriver.com>
---
 pts-core/phoromatic/phoromatic_functions.php | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/pts-core/phoromatic/phoromatic_functions.php b/pts-core/phoromatic/phoromatic_functions.php
index 74ccc5444c..c2313dcdea 100644
--- a/pts-core/phoromatic/phoromatic_functions.php
+++ b/pts-core/phoromatic/phoromatic_functions.php
@@ -37,9 +37,20 @@ function phoromatic_quit_if_invalid_input_found($input_keys = null)
 	{
 		foreach($input_keys as $key)
 		{
-			if(isset($_REQUEST[$key]) && !empty($_REQUEST[$key]))
+			if(isset($_GET[$key]) && !empty($_GET[$key]))
 			{
-				foreach(pts_arrays::to_array($_REQUEST[$key]) as $val_to_check)
+				foreach(pts_arrays::to_array($_GET[$key]) as $val_to_check)
+				{
+					if(stripos($val_to_check, $invalid_string) !== false)
+					{
+						echo '<strong>Exited due to invalid input ( ' . $invalid_string . ') attempted:</strong> ' . htmlspecialchars($val_to_check);
+						exit;
+					}
+				}
+			}
+			if(isset($_POST[$key]) && !empty($_POST[$key]))
+			{
+				foreach(pts_arrays::to_array($_POST[$key]) as $val_to_check)
 				{
 					if(stripos($val_to_check, $invalid_string) !== false)
 					{