archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 13:38:49 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Fix GHSA-4w77-75f9-2c8w

Browse source
This commit is contained in:
Niels Dossche 2024-11-09 15:29:52 +01:00 committed by Jakub Zelenka
parent 81030c9bbb
commit 7dd336ae83
No known key found for this signature in database
GPG key ID: 1C0779DC5C0A9DE4
2 changed files with 42 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

6
sapi/cli/php_cli_server.c
View file

@ -1876,8 +1876,6 @@ static size_t php_cli_server_client_send_through(php_cli_server_client *client,
static void php_cli_server_client_populate_request_info(const php_cli_server_client *client, sapi_request_info *request_info) /* {{{ */ static void php_cli_server_client_populate_request_info(const php_cli_server_client *client, sapi_request_info *request_info) /* {{{ */
{ {
char *val;
request_info->request_method = php_http_method_str(client->request.request_method); request_info->request_method = php_http_method_str(client->request.request_method);
request_info->proto_num = client->request.protocol_version; request_info->proto_num = client->request.protocol_version;
request_info->request_uri = client->request.request_uri; request_info->request_uri = client->request.request_uri;
@ -1885,9 +1883,7 @@ static void php_cli_server_client_populate_request_info(const php_cli_server_cli
request_info->query_string = client->request.query_string; request_info->query_string = client->request.query_string;
request_info->content_length = client->request.content_len; request_info->content_length = client->request.content_len;
request_info->auth_user = request_info->auth_password = request_info->auth_digest = NULL; request_info->auth_user = request_info->auth_password = request_info->auth_digest = NULL;
if (NULL != (val = zend_hash_str_find_ptr(&client->request.headers, "content-type", sizeof("content-type")-1))) { request_info->content_type = zend_hash_str_find_ptr(&client->request.headers, "content-type", sizeof("content-type")-1);
request_info->content_type = val;
}
} /* }}} */ } /* }}} */
static void destroy_request_info(sapi_request_info *request_info) /* {{{ */ static void destroy_request_info(sapi_request_info *request_info) /* {{{ */

41
sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt Normal file
View file

@ -0,0 +1,41 @@
--TEST--
GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface)
--INI--
allow_url_fopen=1
--SKIPIF--
<?php
include "skipif.inc";
?>
--FILE--
<?php
include "php_cli_server.inc";
$serverCode = <<<'CODE'
var_dump(file_get_contents('php://input'));
CODE;
php_cli_server_start($serverCode, null, []);
$options = [
"http" => [
"method" => "POST",
"header" => "Content-Type: application/x-www-form-urlencoded",
"content" => "AAAAA",
],
];
$context = stream_context_create($options);
echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", context: $context);
$options = [
"http" => [
"method" => "POST",
],
];
$context = stream_context_create($options);
echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", context: $context);
?>
--EXPECT--
string(5) "AAAAA"
string(0) ""