
Commit 70b0330

committed
Merge branch 'PHP-7.4' into PHP-8.0
* PHP-7.4: Fix #73630: Built-in Weberver - overwrite $_SERVER['request_uri']
2 parents 65bd8d2 + d7db570 commit 70b0330


4 files changed

+97
-5
lines changed


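--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,8 @@ PHP NEWS
 offset). (girgias)
 . Fixed bug #80728 (PHP built-in web server resets timeout when it can kill
 the process). (Calvin Buckley)
+. Fixed bug #73630 (Built-in Weberver - overwrite $_SERVER['request_uri']).
+(cmb)
 
 - Intl:
 . Fixed bug #72809 (Locale::lookup() wrong result with canonicalize option).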

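--- a/sapi/cli/php_cli_server.c
+++ b/sapi/cli/php_cli_server.c
@@ -1569,6 +1569,9 @@ static int php_cli_server_client_read_request_on_path(php_http_parser *parser, c
 {
 char *vpath;
 size_t vpath_len;
+if (UNEXPECTED(client->request.vpath != NULL)) {
+return 1;
+}
 normalize_vpath(&vpath, &vpath_len, at, length, 1);
 client->request.vpath = vpath;
 client->request.vpath_len = vpath_len;
@@ -1579,17 +1582,34 @@ static int php_cli_server_client_read_request_on_path(php_http_parser *parser, c
 static int php_cli_server_client_read_request_on_query_string(php_http_parser *parser, const char *at, size_t length)
 {
 php_cli_server_client *client = parser->data;
-client->request.query_string = pestrndup(at, length, 1);
-client->request.query_string_len = length;
+if (EXPECTED(client->request.query_string == NULL)) {
+client->request.query_string = pestrndup(at, length, 1);
+client->request.query_string_len = length;
+} else {
+ZEND_ASSERT(length <= PHP_HTTP_MAX_HEADER_SIZE && PHP_HTTP_MAX_HEADER_SIZE - length >= client->request.query_string_len);
+client->request.query_string = perealloc(client->request.query_string, client->request.query_string_len + length + 1, 1);
+memcpy(client->request.query_string + client->request.query_string_len, at, length);
+client->request.query_string_len += length;
+client->request.query_string[client->request.query_string_len] = '\0';
+}
 return 0;
 }
 
 static int php_cli_server_client_read_request_on_url(php_http_parser *parser, const char *at, size_t length)
 {
 php_cli_server_client *client = parser->data;
-client->request.request_method = parser->method;
-client->request.request_uri = pestrndup(at, length, 1);
-client->request.request_uri_len = length;
+if (EXPECTED(client->request.request_uri == NULL)) {
+client->request.request_method = parser->method;
+client->request.request_uri = pestrndup(at, length, 1);
+client->request.request_uri_len = length;
+} else {
+ZEND_ASSERT(client->request.request_method == parser->method);
+ZEND_ASSERT(length <= PHP_HTTP_MAX_HEADER_SIZE && PHP_HTTP_MAX_HEADER_SIZE - length >= client->request.query_string_len);
+client->request.request_uri = perealloc(client->request.request_uri, client->request.request_uri_len + length + 1, 1);
+memcpy(client->request.request_uri + client->request.request_uri_len, at, length);
+client->request.request_uri_len += length;
+client->request.request_uri[client->request.request_uri_len] = '\0';
+}
 return 0;
 }
 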
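Review bot: The second assertion in the else branch of php_cli_server_client_read_request_on_url compares against `client->request.query_string_len`, but the buffer grown on the following line is `request_uri`, so the length invariant that the `perealloc`/`memcpy` pair depends on is not the one being asserted; it looks copied from the query-string callback. It should read `ZEND_ASSERT(length <= PHP_HTTP_MAX_HEADER_SIZE && PHP_HTTP_MAX_HEADER_SIZE - length >= client->request.request_uri_len);`. ZEND_ASSERT is not a runtime check in non-debug builds, so in both callbacks the bound on `..._len + length + 1` rests on the HTTP parser enforcing its header-size limit before it invokes them, which is not visible in this hunk. A short comment above each assertion naming that dependency, e.g. `/* parser rejects requests larger than PHP_HTTP_MAX_HEADER_SIZE before this callback runs — confirm */`, would make the assumption reviewable.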

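--- a/sapi/cli/tests/bug73630.phpt
+++ b/sapi/cli/tests/bug73630.phpt
@@ -0,0 +1,45 @@
+--TEST--
+Bug #73630 (Built-in Weberver - overwrite $_SERVER['request_uri'])
+--SKIPIF--
+<?php
+include "skipif.inc";
+?>
+--FILE--
+<?php
+
+$code = <<<'EOF'
+var_dump(strncmp($_SERVER['REQUEST_URI'], "/overflow.php", strlen("/overflow.php")));
+var_dump(strlen($_SERVER['QUERY_STRING']));
+EOF;
+
+include "php_cli_server.inc";
+php_cli_server_start($code);
+
+$host = PHP_CLI_SERVER_HOSTNAME;
+$fp = php_cli_server_connect();
+
+$path = "/overflow.php?" . str_repeat("x", 16400) . "//example.com";
+
+if (fwrite($fp, <<<HEADER
+GET $path HTTP/1.1
+Host: {$host}
+
+
+HEADER
+)) {
+while (!feof($fp)) {
+echo fgets($fp);
+}
+}
+
+?>
+--EXPECTF--
+HTTP/1.1 200 OK
+Host: %s
+Date: %s
+Connection: close
+X-Powered-By: PHP/%s
+Content-type: text/html; charset=UTF-8
+
+int(0)
+int(16413)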
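Review bot: The script in `$code` only checks that REQUEST_URI starts with "/overflow.php", so a request target reassembled with a truncated or dropped tail would still pass; the QUERY_STRING length check exercises the query-string callback but not the URL one. Adding `var_dump(strlen($_SERVER['REQUEST_URI']));` with a matching `int(...)` line in EXPECTF would pin the full reassembled length (16427 if REQUEST_URI carries the whole request target, which should be confirmed). The repeat count 16400 is presumably chosen to exceed one read of the server's buffer; a one-line comment naming that size would keep the test meaningful if the buffer changes.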

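--- a/sapi/cli/tests/bug73630a.phpt
+++ b/sapi/cli/tests/bug73630a.phpt
@@ -0,0 +1,25 @@
+--TEST--
+Bug #73630 (Built-in Weberver - overwrite $_SERVER['request_uri'])
+--DESCRIPTION--
+Check that too long paths result in invalid request
+--SKIPIF--
+<?php
+include "skipif.inc";
+?>
+--FILE--
+<?php
+$code = <<<'EOF'
+echo "won't happen\n";
+EOF;
+
+include "php_cli_server.inc";
+php_cli_server_start($code);
+
+$host = PHP_CLI_SERVER_HOSTNAME;
+$fp = php_cli_server_connect();
+$path = "/" . str_repeat("x", 16400) . "//example.com";
+var_dump(file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "$path"));
+?>
+--EXPECTF--
+Warning: file_get_contents(http://%s//example.com): failed to open stream: HTTP request failed! in %s on line %d
+bool(false)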
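Review bot: `$host` and `$fp` are assigned but never used, because the request is sent through `file_get_contents()`; the extra `php_cli_server_connect()` only holds a second idle connection open while the test runs. Dropping the two lines `$host = PHP_CLI_SERVER_HOSTNAME;` and `$fp = php_cli_server_connect();` keeps the test focused on the over-long path being rejected as an invalid request.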
