Skip to content

Commit 6b8357c

Browse files
nielsdosremicollet
nielsdos
authored and
remicollet
committed
(cherry picked from commit 7dd336ae838bbf2c62dc47e3c900d657d3534c02) (cherry picked from commit 462092a) (cherry picked from commit 56488a8)
1 parent 7065fa3 commit 6b8357c

File tree

2 files changed

+42
-5
lines changed

2 files changed

+42
-5
lines changed

sapi/cli/php_cli_server.c

Lines changed: 1 addition & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1812,18 +1812,14 @@ static size_t php_cli_server_client_send_through(php_cli_server_client *client,
18121812

18131813
static void php_cli_server_client_populate_request_info(const php_cli_server_client *client, sapi_request_info *request_info) /* {{{ */
18141814
{
1815-
char *val;
1816-
18171815
request_info->request_method = php_http_method_str(client->request.request_method);
18181816
request_info->proto_num = client->request.protocol_version;
18191817
request_info->request_uri = client->request.request_uri;
18201818
request_info->path_translated = client->request.path_translated;
18211819
request_info->query_string = client->request.query_string;
18221820
request_info->content_length = client->request.content_len;
18231821
request_info->auth_user = request_info->auth_password = request_info->auth_digest = NULL;
1824-
if (NULL != (val = zend_hash_str_find_ptr(&client->request.headers, "content-type", sizeof("content-type")-1))) {
1825-
request_info->content_type = val;
1826-
}
1822+
request_info->content_type = zend_hash_str_find_ptr(&client->request.headers, "content-type", sizeof("content-type")-1);
18271823
} /* }}} */
18281824

18291825
static void destroy_request_info(sapi_request_info *request_info) /* {{{ */

sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt

Lines changed: 41 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,41 @@
1+
--TEST--
2+
GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface)
3+
--INI--
4+
allow_url_fopen=1
5+
--SKIPIF--
6+
<?php
7+
include "skipif.inc";
8+
?>
9+
--FILE--
10+
<?php
11+
include "php_cli_server.inc";
12+
13+
$serverCode = <<<'CODE'
14+
var_dump(file_get_contents('php://input'));
15+
CODE;
16+
17+
php_cli_server_start($serverCode, null);
18+
19+
$options = [
20+
"http" => [
21+
"method" => "POST",
22+
"header" => "Content-Type: application/x-www-form-urlencoded",
23+
"content" => "AAAAA",
24+
],
25+
];
26+
$context = stream_context_create($options);
27+
28+
echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", false, $context);
29+
30+
$options = [
31+
"http" => [
32+
"method" => "POST",
33+
],
34+
];
35+
$context = stream_context_create($options);
36+
37+
echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", false, $context);
38+
?>
39+
--EXPECT--
40+
string(5) "AAAAA"
41+
string(0) ""

0 commit comments

Comments
 (0)