From 0cc2810498a56e263f2e1dd77f1f42e6c53dc99e Mon Sep 17 00:00:00 2001
From: Adam Harvey <aharvey@php.net>
Date: Tue, 6 Jan 2015 01:22:59 +0000
Subject: [PATCH 1/2] Allow CLI server test scripts to specify the name of the
 router file.

This is required to write tests that behave differently when an index.php isn't
present in the document root. (Such as the one I'm about to commit.)
---
 sapi/cli/tests/bug61977.phpt           | 2 +-
 sapi/cli/tests/php_cli_server.inc      | 9 ++++-----
 sapi/cli/tests/php_cli_server_009.phpt | 2 +-
 sapi/cli/tests/php_cli_server_010.phpt | 2 +-
 sapi/cli/tests/php_cli_server_013.phpt | 2 +-
 sapi/cli/tests/php_cli_server_014.phpt | 2 +-
 6 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/sapi/cli/tests/bug61977.phpt b/sapi/cli/tests/bug61977.phpt
index 09a6ba6d230..d897737c3c6 100644
--- a/sapi/cli/tests/bug61977.phpt
+++ b/sapi/cli/tests/bug61977.phpt
@@ -7,7 +7,7 @@ include "skipif.inc";
 --FILE--
 <?php
 include "php_cli_server.inc";
-php_cli_server_start('<?php ?>', true);
+php_cli_server_start('<?php ?>', null);
 
 /*
  * If a Mime Type is added in php_cli_server.c, add it to this array and update
diff --git a/sapi/cli/tests/php_cli_server.inc b/sapi/cli/tests/php_cli_server.inc
index 40c53619957..c7222b4f254 100644
--- a/sapi/cli/tests/php_cli_server.inc
+++ b/sapi/cli/tests/php_cli_server.inc
@@ -3,13 +3,12 @@ define ("PHP_CLI_SERVER_HOSTNAME", "localhost");
 define ("PHP_CLI_SERVER_PORT", 8964);
 define ("PHP_CLI_SERVER_ADDRESS", PHP_CLI_SERVER_HOSTNAME.":".PHP_CLI_SERVER_PORT);
 
-function php_cli_server_start($code = 'echo "Hello world";', $no_router = FALSE) {
+function php_cli_server_start($code = 'echo "Hello world";', $router = 'index.php') {
 	$php_executable = getenv('TEST_PHP_EXECUTABLE');
 	$doc_root = __DIR__;
-	$router = "index.php";
 
 	if ($code) {
-		file_put_contents($doc_root . '/' . $router, '<?php ' . $code . ' ?>');
+		file_put_contents($doc_root . '/' . ($router ?: 'index.php'), '<?php ' . $code . ' ?>');
 	}
 
 	$descriptorspec = array(
@@ -20,14 +19,14 @@ function php_cli_server_start($code = 'echo "Hello world";', $no_router = FALSE)
 
 	if (substr(PHP_OS, 0, 3) == 'WIN') {
 		$cmd = "{$php_executable} -t {$doc_root} -n -S " . PHP_CLI_SERVER_ADDRESS;
-		if (!$no_router) {
+		if (!is_null($router)) {
 			$cmd .= " {$router}";
 		}
 
 		$handle = proc_open(addslashes($cmd), $descriptorspec, $pipes, $doc_root, NULL, array("bypass_shell" => true,  "suppress_errors" => true));
 	} else {
 		$cmd = "exec {$php_executable} -t {$doc_root} -n -S " . PHP_CLI_SERVER_ADDRESS;
-		if (!$no_router) {
+		if (!is_null($router)) {
 			$cmd .= " {$router}";
 		}
 		$cmd .= " 2>/dev/null";
diff --git a/sapi/cli/tests/php_cli_server_009.phpt b/sapi/cli/tests/php_cli_server_009.phpt
index 2beaeedab6b..5706af1c497 100644
--- a/sapi/cli/tests/php_cli_server_009.phpt
+++ b/sapi/cli/tests/php_cli_server_009.phpt
@@ -10,7 +10,7 @@ include "skipif.inc";
 --FILE--
 <?php
 include "php_cli_server.inc";
-php_cli_server_start('var_dump($_SERVER["PATH_INFO"]);', TRUE);
+php_cli_server_start('var_dump($_SERVER["PATH_INFO"]);', null);
 
 list($host, $port) = explode(':', PHP_CLI_SERVER_ADDRESS);
 $port = intval($port)?:80;
diff --git a/sapi/cli/tests/php_cli_server_010.phpt b/sapi/cli/tests/php_cli_server_010.phpt
index 2ef018b8579..20f4e5ad912 100644
--- a/sapi/cli/tests/php_cli_server_010.phpt
+++ b/sapi/cli/tests/php_cli_server_010.phpt
@@ -7,7 +7,7 @@ include "skipif.inc";
 --FILE--
 <?php
 include "php_cli_server.inc";
-php_cli_server_start('var_dump($_SERVER["PHP_SELF"], $_SERVER["SCRIPT_NAME"], $_SERVER["PATH_INFO"], $_SERVER["QUERY_STRING"]);', TRUE);
+php_cli_server_start('var_dump($_SERVER["PHP_SELF"], $_SERVER["SCRIPT_NAME"], $_SERVER["PATH_INFO"], $_SERVER["QUERY_STRING"]);', null);
 
 list($host, $port) = explode(':', PHP_CLI_SERVER_ADDRESS);
 $port = intval($port)?:80;
diff --git a/sapi/cli/tests/php_cli_server_013.phpt b/sapi/cli/tests/php_cli_server_013.phpt
index 0e3f4ff74f5..3ea3ea9cadb 100644
--- a/sapi/cli/tests/php_cli_server_013.phpt
+++ b/sapi/cli/tests/php_cli_server_013.phpt
@@ -7,7 +7,7 @@ include "skipif.inc";
 --FILE--
 <?php
 include "php_cli_server.inc";
-php_cli_server_start(NULL, TRUE);
+php_cli_server_start(NULL, NULL);
 
 list($host, $port) = explode(':', PHP_CLI_SERVER_ADDRESS);
 $port = intval($port)?:80;
diff --git a/sapi/cli/tests/php_cli_server_014.phpt b/sapi/cli/tests/php_cli_server_014.phpt
index e8bb5fa8a2f..4f812e2f635 100644
--- a/sapi/cli/tests/php_cli_server_014.phpt
+++ b/sapi/cli/tests/php_cli_server_014.phpt
@@ -7,7 +7,7 @@ include "skipif.inc";
 --FILE--
 <?php
 include "php_cli_server.inc";
-php_cli_server_start('echo done, "\n";', TRUE);
+php_cli_server_start('echo done, "\n";', null);
 
 list($host, $port) = explode(':', PHP_CLI_SERVER_ADDRESS);
 $port = intval($port)?:80;

From 448ef30f75988384b84cdb88bbb3a1a56b9534da Mon Sep 17 00:00:00 2001
From: Adam Harvey <aharvey@php.net>
Date: Tue, 6 Jan 2015 01:23:27 +0000
Subject: [PATCH 2/2] Handle NULL strings in
 sapi_cli_server_register_variable().

Fixes bug #68745 (Invalid HTTP requests make web server segfault).
---
 NEWS                         |  3 +++
 sapi/cli/php_cli_server.c    |  5 +++++
 sapi/cli/tests/bug68745.phpt | 34 ++++++++++++++++++++++++++++++++++
 3 files changed, 42 insertions(+)
 create mode 100644 sapi/cli/tests/bug68745.phpt

diff --git a/NEWS b/NEWS
index 9cef67b41c7..a103eadbfac 100644
--- a/NEWS
+++ b/NEWS
@@ -23,6 +23,9 @@ PHP                                                                        NEWS
 - CGI:
   . Fix bug #68618 (out of bounds read crashes php-cgi). (Stas)
 
+- CLI server:
+  . Fix bug #68745 (Invalid HTTP requests make web server segfault). (Adam)
+
 - cURL:
   . Fixed bug #67643 (curl_multi_getcontent returns '' when
     CURLOPT_RETURNTRANSFER isn't set). (Jille Timmermans)
diff --git a/sapi/cli/php_cli_server.c b/sapi/cli/php_cli_server.c
index 5e38fa53d34..5bfadf16c4c 100644
--- a/sapi/cli/php_cli_server.c
+++ b/sapi/cli/php_cli_server.c
@@ -708,6 +708,11 @@ static void sapi_cli_server_register_variable(zval *track_vars_array, const char
 {
 	char *new_val = (char *)val;
 	uint new_val_len;
+
+	if (NULL == val) {
+		return;
+	}
+
 	if (sapi_module.input_filter(PARSE_SERVER, (char*)key, &new_val, strlen(val), &new_val_len TSRMLS_CC)) {
 		php_register_variable_safe((char *)key, new_val, new_val_len, track_vars_array TSRMLS_CC);
 	}
diff --git a/sapi/cli/tests/bug68745.phpt b/sapi/cli/tests/bug68745.phpt
new file mode 100644
index 00000000000..f52e6bcc746
--- /dev/null
+++ b/sapi/cli/tests/bug68745.phpt
@@ -0,0 +1,34 @@
+--TEST--
+Bug #68745 (Invalid HTTP requests make web server segfault)
+--SKIPIF--
+<?php
+include "skipif.inc";
+?>
+--FILE--
+<?php
+include "php_cli_server.inc";
+php_cli_server_start('var_dump(count($_SERVER));', 'not-index.php');
+
+list($host, $port) = explode(':', PHP_CLI_SERVER_ADDRESS);
+$port = intval($port)?:80;
+
+$fp = fsockopen($host, $port, $errno, $errstr, 0.5);
+if (!$fp) {
+  die("connect failed");
+}
+
+if(fwrite($fp, "GET www.example.com:80 HTTP/1.1\r\n\r\n")) {
+    while (!feof($fp)) {
+        echo fgets($fp);
+    }
+}
+
+fclose($fp);
+?>
+--EXPECTF--
+HTTP/1.1 200 OK
+Connection: close
+X-Powered-By: %s
+Content-type: text/html
+
+int(%d)