archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 21:48:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'PHP-8.3' into PHP-8.4

Browse source
This commit is contained in:
Jakub Zelenka 2024-10-06 19:43:19 +01:00
commit 10d2d862a6
No known key found for this signature in database
GPG key ID: 1C0779DC5C0A9DE4
4 changed files with 69 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

3
main/SAPI.c
View file

@ -509,12 +509,15 @@ SAPI_API void sapi_deactivate_module(void)
} }
if (SG(request_info).auth_user) { if (SG(request_info).auth_user) {
efree(SG(request_info).auth_user); efree(SG(request_info).auth_user);
SG(request_info).auth_user = NULL;
} }
if (SG(request_info).auth_password) { if (SG(request_info).auth_password) {
efree(SG(request_info).auth_password); efree(SG(request_info).auth_password);
SG(request_info).auth_password = NULL;
} }
if (SG(request_info).auth_digest) { if (SG(request_info).auth_digest) {
efree(SG(request_info).auth_digest); efree(SG(request_info).auth_digest);
SG(request_info).auth_digest = NULL;
} }
if (SG(request_info).content_type_dup) { if (SG(request_info).content_type_dup) {
efree(SG(request_info).content_type_dup); efree(SG(request_info).content_type_dup);

2
main/main.c
View file

@ -2680,7 +2680,9 @@ PHPAPI int php_handle_auth_data(const char *auth)
if (pass) { if (pass) {
*pass++ = '\0'; *pass++ = '\0';
SG(request_info).auth_user = estrndup(ZSTR_VAL(user), ZSTR_LEN(user)); SG(request_info).auth_user = estrndup(ZSTR_VAL(user), ZSTR_LEN(user));
if (strlen(pass) > 0) {
SG(request_info).auth_password = estrdup(pass); SG(request_info).auth_password = estrdup(pass);
}
ret = 0; ret = 0;
} }
zend_string_free(user); zend_string_free(user);

61
sapi/fpm/tests/gh15395-php-auth-shutdown.phpt Normal file
View file

@ -0,0 +1,61 @@
--TEST--
FPM: GH-15335 - PHP_AUTH shutdown use after free
--SKIPIF--
<?php include "skipif.inc"; ?>
--FILE--
<?php
require_once "tester.inc";
$cfg = <<<EOT
[global]
error_log = {{FILE:LOG}}
log_level = notice
[unconfined]
listen = {{ADDR}}
pm = static
pm.max_children = 1
catch_workers_output = yes
php_admin_value[cgi.fix_pathinfo] = no
EOT;
$code = <<<EOT
<?php
echo \$_SERVER["SCRIPT_NAME"] . "\n";
echo \$_SERVER["SCRIPT_FILENAME"] . "\n";
echo \$_SERVER["PHP_SELF"];
EOT;
$tester = new FPM\Tester($cfg, $code);
[$sourceFilePath, $scriptName] = $tester->createSourceFileAndScriptName();
$tester->start();
$tester->expectLogStartNotices();
$tester
->request(
headers: [ "HTTP_AUTHORIZATION" => "Basic Zm9vOg==", "REQUEST_METHOD" => "GET"],
uri: $scriptName,
address: '{{ADDR}}',
scriptFilename: __DIR__ . "/__unknown.php",
scriptName: "/",
)
->expectStatus('404 Not Found');
$tester
->request(
uri: $scriptName,
address: '{{ADDR}}',
params: [],
);
$tester->expectNoLogPattern("/zend_mm_heap corrupted/");
$tester->terminate();
$tester->expectLogTerminatingNotices();
$tester->close();
?>
Done
--EXPECT--
Done
--CLEAN--
<?php
require_once "tester.inc";
FPM\Tester::clean();
?>

3
sapi/fpm/tests/tester.inc
View file

@ -838,6 +838,7 @@ class Tester
int $readLimit = -1, int $readLimit = -1,
int $writeDelay = 0, int $writeDelay = 0,
?string $method = null, ?string $method = null,
array $params = null,
): Response { ): Response {
if ($this->hasError()) { if ($this->hasError()) {
return $this->createResponse(expectInvalid: true); return $this->createResponse(expectInvalid: true);
@ -847,7 +848,7 @@ class Tester
$stdin = $this->parseStdin($stdin, $headers); $stdin = $this->parseStdin($stdin, $headers);
} }
$params = $this->getRequestParams($query, $headers, $uri, $scriptFilename, $scriptName, $stdin, $method); $params = $params ?? $this->getRequestParams($query, $headers, $uri, $scriptFilename, $scriptName, $stdin, $method);
$this->trace('Request params', $params); $this->trace('Request params', $params);
try { try {