mirror of
https://github.com/php/php-src.git
synced 2025-08-16 14:08:47 +02:00
Merge branch 'PHP-7.3' into PHP-7.4
* PHP-7.3: Fix bug #78599 (env_path_info underflow can lead to RCE) (CVE-2019-11043) bump versions after release set versions for release
This commit is contained in:
Stanislav Malyshev
commit
59953efc09
3 changed files with 72 additions and 4 deletions
|
|
@ -1140,8 +1140,8 @@ static void init_request_info(void)
|
||||||
path_info = script_path_translated + ptlen;
|
path_info = script_path_translated + ptlen;
|
||||||
tflag = (slen != 0 && (!orig_path_info || strcmp(orig_path_info, path_info) != 0));
|
tflag = (slen != 0 && (!orig_path_info || strcmp(orig_path_info, path_info) != 0));
|
||||||
} else {
|
} else {
|
||||||
path_info = env_path_info ? env_path_info + pilen - slen : NULL;
|
path_info = (env_path_info && pilen > slen) ? env_path_info + pilen - slen : NULL;
|
||||||
tflag = (orig_path_info != path_info);
|
tflag = path_info && (orig_path_info != path_info);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (tflag) {
|
if (tflag) {
|
||||||
|
|
|
||||||
61
sapi/fpm/tests/bug78599-path-info-underflow.phpt
Normal file
61
sapi/fpm/tests/bug78599-path-info-underflow.phpt
Normal file
|
|
@ -0,0 +1,61 @@
|
||||||
|
--TEST--
|
||||||
|
FPM: bug78599 - env_path_info underflow - CVE-2019-11043
|
||||||
|
--SKIPIF--
|
||||||
|
<?php include "skipif.inc"; ?>
|
||||||
|
--FILE--
|
||||||
|
<?php
|
||||||
|
|
||||||
|
require_once "tester.inc";
|
||||||
|
|
||||||
|
$cfg = <<<EOT
|
||||||
|
[global]
|
||||||
|
error_log = {{FILE:LOG}}
|
||||||
|
[unconfined]
|
||||||
|
listen = {{ADDR}}
|
||||||
|
pm = dynamic
|
||||||
|
pm.max_children = 5
|
||||||
|
pm.start_servers = 1
|
||||||
|
pm.min_spare_servers = 1
|
||||||
|
pm.max_spare_servers = 3
|
||||||
|
EOT;
|
||||||
|
|
||||||
|
$code = <<<EOT
|
||||||
|
<?php
|
||||||
|
echo "Test Start\n";
|
||||||
|
var_dump(\$_SERVER["PATH_INFO"]);
|
||||||
|
echo "Test End\n";
|
||||||
|
EOT;
|
||||||
|
|
||||||
|
$tester = new FPM\Tester($cfg, $code);
|
||||||
|
$tester->start();
|
||||||
|
$tester->expectLogStartNotices();
|
||||||
|
$uri = $tester->makeSourceFile();
|
||||||
|
$tester
|
||||||
|
->request(
|
||||||
|
'',
|
||||||
|
[
|
||||||
|
'SCRIPT_FILENAME' => $uri . "/" . str_repeat('A', 35),
|
||||||
|
'PATH_INFO' => '',
|
||||||
|
'HTTP_HUI' => str_repeat('PTEST', 1000),
|
||||||
|
],
|
||||||
|
$uri
|
||||||
|
)
|
||||||
|
->expectBody(
|
||||||
|
[
|
||||||
|
'Test Start',
|
||||||
|
'string(0) ""',
|
||||||
|
'Test End'
|
||||||
|
]
|
||||||
|
);
|
||||||
|
$tester->terminate();
|
||||||
|
$tester->close();
|
||||||
|
|
||||||
|
?>
|
||||||
|
Done
|
||||||
|
--EXPECT--
|
||||||
|
Done
|
||||||
|
--CLEAN--
|
||||||
|
<?php
|
||||||
|
require_once "tester.inc";
|
||||||
|
FPM\Tester::clean();
|
||||||
|
?>
|
||||||
|
|
@ -509,7 +509,7 @@ class Tester
|
||||||
return new Response(null, true);
|
return new Response(null, true);
|
||||||
}
|
}
|
||||||
if (is_null($uri)) {
|
if (is_null($uri)) {
|
||||||
$uri = $this->makeFile('src.php', $this->code);
|
$uri = $this->makeSourceFile();
|
||||||
}
|
}
|
||||||
|
|
||||||
$params = array_merge(
|
$params = array_merge(
|
||||||
|
|
@ -534,7 +534,6 @@ class Tester
|
||||||
],
|
],
|
||||||
$headers
|
$headers
|
||||||
);
|
);
|
||||||
|
|
||||||
try {
|
try {
|
||||||
$this->response = new Response(
|
$this->response = new Response(
|
||||||
$this->getClient($address, $connKeepAlive)->request_data($params, false)
|
$this->getClient($address, $connKeepAlive)->request_data($params, false)
|
||||||
|
|
@ -940,6 +939,14 @@ class Tester
|
||||||
return $filePath;
|
return $filePath;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function makeSourceFile()
|
||||||
|
{
|
||||||
|
return $this->makeFile('src.php', $this->code);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param string|null $msg
|
* @param string|null $msg
|
||||||
*/
|
*/
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue