Commit 462092a

nielsdosremicollet
authored andcommitted
(cherry picked from commit 7dd336ae838bbf2c62dc47e3c900d657d3534c02)
1 parent 2cee10a commit 462092a

2 files changed

+42
-5
lines changed

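--- a/sapi/cli/php_cli_server.c
+++ b/sapi/cli/php_cli_server.c
@@ -1863,18 +1863,14 @@ static size_t php_cli_server_client_send_through(php_cli_server_client *client,
 
 static void php_cli_server_client_populate_request_info(const php_cli_server_client *client, sapi_request_info *request_info) /* {{{ */
 {
-char *val;
-
 request_info->request_method = php_http_method_str(client->request.request_method);
 request_info->proto_num = client->request.protocol_version;
 request_info->request_uri = client->request.request_uri;
 request_info->path_translated = client->request.path_translated;
 request_info->query_string = client->request.query_string;
 request_info->content_length = client->request.content_len;
 request_info->auth_user = request_info->auth_password = request_info->auth_digest = NULL;
-if (NULL != (val = zend_hash_str_find_ptr(&client->request.headers, "content-type", sizeof("content-type")-1))) {
-request_info->content_type = val;
-}
+request_info->content_type = zend_hash_str_find_ptr(&client->request.headers, "content-type", sizeof("content-type")-1);
 } /* }}} */
 
 static void destroy_request_info(sapi_request_info *request_info) /* {{{ */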
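Review bot: The new unconditional assignment to `request_info->content_type` at the end of php_cli_server_client_populate_request_info has no comment saying that storing NULL when the header is absent is the point of the change, which makes it easy for a later cleanup to restore the conditional. I would add above it `/* Assign unconditionally: a NULL result must overwrite any content_type left from an earlier request (GHSA-4w77-75f9-2c8w). */`. The stored pointer is borrowed from `client->request.headers`, so presumably it is only valid while that table lives; a short note on that lifetime would help too. The body of destroy_request_info lies outside the hunk, so whether it also clears the field cannot be checked from here.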
Lines changed: 41 additions & 0 deletions
@@ -0,0 +1,41 @@
1+
--TEST--
2+
GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface)
3+
--INI--
4+
allow_url_fopen=1
5+
--SKIPIF--
6+
<?php
7+
include "skipif.inc";
8+
?>
9+
--FILE--
10+
<?php
11+
include "php_cli_server.inc";
12+
13+
$serverCode = <<<'CODE'
14+
var_dump(file_get_contents('php://input'));
15+
CODE;
16+
17+
php_cli_server_start($serverCode, null, []);
18+
19+
$options = [
20+
"http" => [
21+
"method" => "POST",
22+
"header" => "Content-Type: application/x-www-form-urlencoded",
23+
"content" => "AAAAA",
24+
],
25+
];
26+
$context = stream_context_create($options);
27+
28+
echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", context: $context);
29+
30+
$options = [
31+
"http" => [
32+
"method" => "POST",
33+
],
34+
];
35+
$context = stream_context_create($options);
36+
37+
echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", context: $context);
38+
?>
39+
--EXPECT--
40+
string(5) "AAAAA"
41+
string(0) ""
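Review bot: The second request in the --FILE-- section omits the Content-Type header without saying that this omission is the condition under test; a comment before the second `$options` such as `// No Content-Type on purpose: the server must not reuse the value from the previous request` would make that explicit. Since the advisory describes a heap use-after-free, the expected output may well be identical on an unfixed build unless the run is under ASAN or Valgrind, so the test should state that it is meaningful mainly under a memory checker.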
