Merge branch '2.8'

Author: colinodell

CHANGELOG.md

@@ -6,6 +6,13 @@ Updates should follow the [Keep a CHANGELOG](https://keepachangelog.com/) princi
 
 ## [Unreleased][unreleased]
 
+## [2.8.2] - 2026-03-19
+
+This is a **security release** to address an issue where the `allowed_domains` setting for the `Embed` extension can be bypassed, resulting in a possible SSRF and XSS vulnerabilities.
+
+### Fixed
+- Fixed `DomainFilteringAdapter` hostname boundary bypass where domains like `youtube.com.evil` could match an allowlist entry for `youtube.com` (GHSA-hh8v-hgvp-g3f5)
+
 ## [2.8.1] - 2026-03-05
 
 This is a **security release** to address an issue where `DisallowedRawHtml` can be bypassed, resulting in a possible cross-site scripting (XSS) vulnerability.
@@ -725,7 +732,8 @@ No changes were introduced since the previous release.
     - Alternative 1: Use `CommonMarkConverter` or `GithubFlavoredMarkdownConverter` if you don't need to customize the environment
     - Alternative 2: Instantiate a new `Environment` and add the necessary extensions yourself
 
-[unreleased]: https://github.com/thephpleague/commonmark/compare/2.8.1...HEAD
+[unreleased]: https://github.com/thephpleague/commonmark/compare/2.8.2...HEAD
+[2.8.2]: https://github.com/thephpleague/commonmark/compare/2.8.1...2.8.2
 [2.8.1]: https://github.com/thephpleague/commonmark/compare/2.8.0...2.8.1
 [2.8.0]: https://github.com/thephpleague/commonmark/compare/2.7.1...2.8.0
 [2.7.1]: https://github.com/thephpleague/commonmark/compare/2.7.0...2.7.1

docs/2.x/extensions/front-matter.md

@@ -28,13 +28,15 @@ composer require league/commonmark
 
 See the [installation](/2.x/installation/) section for more details.
 
-You will also need to install `symfony/yaml` or the [YAML extension for PHP](https://www.php.net/manual/book.yaml.php) to use this extension. For `symfony/yaml`:
+You will also need to install `symfony/yaml` (2.6 or higher) or the [YAML extension for PHP](https://www.php.net/manual/book.yaml.php) to use this extension. For `symfony/yaml`:
 
 ```bash
 composer require symfony/yaml
 ```
 
-(You can use any version of `symfony/yaml` 2.6 or higher, though we recommend using 4.0 or higher.)
+If both are installed, the PHP YAML extension will be used by default.
+
+**Warning:** When using the PHP YAML extension, avoid setting `yaml.decode_php=1` in your `php.ini` file as this enables deserialization of arbitrary classes, which can lead to security vulnerabilities!
 
 ## Front Matter Syntax
 

src/Extension/Embed/DomainFilteringAdapter.php

@@ -17,37 +17,46 @@ class DomainFilteringAdapter implements EmbedAdapterInterface
 {
     private EmbedAdapterInterface $decorated;
 
-    /** @psalm-var non-empty-string */
-    private string $regex;
+    /** @var string[] */
+    private array $allowedDomains;
 
     /**
      * @param string[] $allowedDomains
      */
     public function __construct(EmbedAdapterInterface $decorated, array $allowedDomains)
     {
-        $this->decorated = $decorated;
-        $this->regex     = self::createRegex($allowedDomains);
+        $this->decorated      = $decorated;
+        $this->allowedDomains = \array_map('strtolower', $allowedDomains);
     }
 
     /**
      * {@inheritDoc}
      */
     public function updateEmbeds(array $embeds): void
     {
-        $this->decorated->updateEmbeds(\array_values(\array_filter($embeds, function (Embed $embed): bool {
-            return \preg_match($this->regex, $embed->getUrl()) === 1;
-        })));
+        $this->decorated->updateEmbeds(\array_values(\array_filter($embeds, [$this, 'isAllowed'])));
     }
 
-    /**
-     * @param string[] $allowedDomains
-     *
-     * @psalm-return non-empty-string
-     */
-    private static function createRegex(array $allowedDomains): string
+    private function isAllowed(Embed $embed): bool
     {
-        $allowedDomains = \array_map('preg_quote', $allowedDomains);
-
-        return '/^(?:https?:\/\/)?(?:[^.]+\.)*(' . \implode('|', $allowedDomains) . ')/';
+        $url    = $embed->getUrl();
+        $scheme = \parse_url($url, \PHP_URL_SCHEME);
+        if ($scheme === null || $scheme === false) {
+            // Bare domain (no scheme) - assume https:// so parse_url can extract the host
+            $url = 'https://' . $url;
+        } elseif (\strtolower($scheme) !== 'http' && \strtolower($scheme) !== 'https') {
+            return false;
+        }
+
+        $host = \parse_url($url, \PHP_URL_HOST);
+        $host = \strtolower(\rtrim((string) $host, '.'));
+
+        foreach ($this->allowedDomains as $domain) {
+            if ($host === $domain || \str_ends_with($host, '.' . $domain)) {
+                return true;
+            }
+        }
+
+        return false;
     }
 }

tests/unit/Extension/Embed/DomainFilteringAdapterTest.php

@@ -28,9 +28,23 @@ public function testUpdateEmbeds(): void
             $embed2 = new Embed('foo.example.com'),
             new Embed('www.bar.com'),
             new Embed('badexample.com'),
-            $embed3 = new Embed('http://foo.bar.com'),
-            $embed4 = new Embed('https://foo.bar.com/baz'),
+            $embed3 = new Embed('HTTP://foo.bar.com'),
+            $embed4 = new Embed('hTtPs://foo.bar.com/baz'),
             new Embed('https://bar.com'),
+            new Embed('https://example.com.evil'),
+            new Embed('https://example.com.evil/path'),
+            new Embed('https://foo.bar.com.evil'),
+            new Embed('example.com.evil'),
+            new Embed('example.com.evil/path'),
+            new Embed('foo.bar.com.evil'),
+            new Embed('https://example.com@evil.com'),
+            new Embed('https://user:pass@evil.com'),
+            new Embed('https://example.com:pass@evil.com/path'),
+            new Embed('javascript:alert(1)'),
+            new Embed('ftp://example.com'),
+            new Embed('file:///etc/passwd'),
+            new Embed('data:text/html,<script>alert(1)</script>'),
+            new Embed('//example.com/path'),
         ];
 
         $inner = $this->createMock(EmbedAdapterInterface::class);