+ "details": "### Description\n\n`symfony/polyfill-intl-idn` provides a userland implementation of `idn_to_utf8()` and `idn_to_ascii()` for runtimes that lack the `intl` extension. Its `Idn::process()` method decodes labels prefixed with `xn--` using Punycode but never enforces the validity criterion added in UTS #46 revision 33 Section 4 step 4.1.2: after a successful Punycode decode, the result must contain at least one non-ASCII code point.\n\nAs a consequence, `xn--` labels whose Punycode payload is empty (`xn--`) or decodes to a string made of only ASCII code points (e.g. `xn--kc1zs4-`) are accepted by the polyfill while PHP's native `ext-intl` rejects them with `IDNA_ERROR_INVALID_ACE_LABEL`. Originally unequal domain names are therefore regarded as equal, which can lead to blacklist bypassing, inconsistent URL parsing and server-side request forgery (similar to CVE-2024-12224).\n\nExample with `IDNA_USE_STD3_RULES | IDNA_CHECK_BIDI | IDNA_CHECK_CONTEXTJ | IDNA_NONTRANSITIONAL_TO_ASCII`:\n\n| Input | Polyfill output | Native `ext-intl` output |\n| --- | --- | --- |\n| `poc.xn--kc1zs4-.com` | `poc.kc1zs4.com` | `false` (`errors=1024`) |\n| `poc.kc1zs4.xn--` | `poc.kc1zs4.` | `false` (`errors=1024`) |\n\nApplications using the polyfill to canonicalise or compare hostnames inherit the inconsistency.\n\n### Resolution\n\n`Idn::process()` now records `IDNA_ERROR_INVALID_ACE_LABEL` when a Punycode payload decodes to an empty string or to a string containing only ASCII code points, matching the native `ext-intl` behaviour and UTS #46 revision 33.\n\nThe patch for this issue is available [here](https://github.com/symfony/polyfill/commit/1be936e2491ccebe152bd736dfc91eb1422c8bec) for branch 1.x.\n\n### Credits\n\nSymfony would like to thank Nazy Mad for reporting the issue and Nicolas Grekas for providing the fix.",
0 commit comments