mirror of
https://github.com/php/php-src.git
synced 2025-08-15 21:48:51 +02:00
Merge branch 'PHP-7.3' into PHP-7.4
* PHP-7.3:
  Fix bug #78599 (env_path_info underflow can lead to RCE) (CVE-2019-11043)
  bump versions after release
  set versions for release
commit
59953efc09
3 changed files with 72 additions and 4 deletions
|
@ -1140,8 +1140,8 @@ static void init_request_info(void)
|
|||
path_info = script_path_translated + ptlen;
|
||||
tflag = (slen != 0 && (!orig_path_info || strcmp(orig_path_info, path_info) != 0));
|
||||
} else {
|
||||
path_info = env_path_info ? env_path_info + pilen - slen : NULL;
|
||||
tflag = (orig_path_info != path_info);
|
||||
path_info = (env_path_info && pilen > slen) ? env_path_info + pilen - slen : NULL;
|
||||
tflag = path_info && (orig_path_info != path_info);
|
||||
}
|
||||
|
||||
if (tflag) {
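Review bot: The new `pilen > slen` guard in the `else` branch has no comment stating the invariant it protects, and the reason is not obvious from the two changed lines alone. Without the guard, `env_path_info + pilen - slen` can point before the start of the buffer whenever `slen` exceeds `pilen`; a comment above the assignment such as `/* never step back past the start of env_path_info: slen can exceed pilen */` would keep a later refactor from dropping the check. The comparison is strict, so `pilen == slen` now yields NULL where the old code produced a pointer to the terminating NUL. That looks intended, since the accompanying test expects an empty PATH_INFO, but it should be confirmed against the `if (tflag)` body, which continues outside this hunk.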
|
||||
|
|
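--- /dev/null
+++ b/sapi/fpm/tests/bug78599-path-info-underflow.phpt
@@ -0,0 +1,61 @@
+--TEST--
+FPM: bug78599 - env_path_info underflow - CVE-2019-11043
+--SKIPIF--
+<?php include "skipif.inc"; ?>
+--FILE--
+<?php
+
+require_once "tester.inc";
+
+$cfg = <<<EOT
+[global]
+error_log = {{FILE:LOG}}
+[unconfined]
+listen = {{ADDR}}
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 1
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+EOT;
+
+$code = <<<EOT
+<?php
+echo "Test Start\n";
+var_dump(\$_SERVER["PATH_INFO"]);
+echo "Test End\n";
+EOT;
+
+$tester = new FPM\Tester($cfg, $code);
+$tester->start();
+$tester->expectLogStartNotices();
+$uri = $tester->makeSourceFile();
+$tester
+->request(
+'',
+[
+'SCRIPT_FILENAME' => $uri . "/" . str_repeat('A', 35),
+'PATH_INFO' => '',
+'HTTP_HUI' => str_repeat('PTEST', 1000),
+],
+$uri
+)
+->expectBody(
+[
+'Test Start',
+'string(0) ""',
+'Test End'
+]
+);
+$tester->terminate();
+$tester->close();
+
+?>
+Done
+--EXPECT--
+Done
+--CLEAN--
+<?php
+require_once "tester.inc";
+FPM\Tester::clean();
+?>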
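Review bot: The parameter array passed to `->request()` is undocumented, so a reader cannot tell which values reproduce bug #78599 and which are incidental. A short comment above the array would make the regression test self-explanatory, e.g. `// PATH_INFO is empty while SCRIPT_FILENAME carries an extra 35-byte segment: init_request_info must not move path_info before its buffer`. The purpose of the 5000-byte `HTTP_HUI` header deserves a line of its own as well. The test asserts only the response body, so a worker fault that still produced this body would presumably pass; also checking the FPM log for unexpected entries would tighten it, if the tester offers a way to do that.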
|
@ -509,7 +509,7 @@ class Tester
|
|||
return new Response(null, true);
|
||||
}
|
||||
if (is_null($uri)) {
|
||||
$uri = $this->makeFile('src.php', $this->code);
|
||||
$uri = $this->makeSourceFile();
|
||||
}
|
||||
|
||||
$params = array_merge(
|
||||
|
@ -534,7 +534,6 @@ class Tester
|
|||
],
|
||||
$headers
|
||||
);
|
||||
|
||||
try {
|
||||
$this->response = new Response(
|
||||
$this->getClient($address, $connKeepAlive)->request_data($params, false)
|
||||
|
@ -940,6 +939,14 @@ class Tester
|
|||
return $filePath;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return string
|
||||
*/
|
||||
public function makeSourceFile()
|
||||
{
|
||||
return $this->makeFile('src.php', $this->code);
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string|null $msg
|
||||
*/
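Review bot: The docblock on the new `makeSourceFile()` says only `@return string`, without stating what the string is or that the call writes a file. From the body, it passes `$this->code` to `makeFile('src.php', ...)` and returns that call's result, so a summary line such as `* Write the test script to src.php and return the value makeFile() gives for it.` would cover it. The first hunk shows `request()` calling it whenever `$uri` is null, while the new test calls it beforehand and passes the result in. A note that repeated calls rewrite the same file would help, assuming `makeFile()` overwrites.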
|
||||
|
|