Skip to content

Commit 81f2819

Browse files
nielsdosremicollet
nielsdos
authored and
remicollet
committed
(cherry picked from commit 7dd336ae838bbf2c62dc47e3c900d657d3534c02) (cherry picked from commit 462092a) (cherry picked from commit 56488a8) (cherry picked from commit 6b8357c) (cherry picked from commit b7c951d) (cherry picked from commit abd3bf9)
1 parent 0535796 commit 81f2819

File tree

2 files changed

+42
-5
lines changed

2 files changed

+42
-5
lines changed

sapi/cli/php_cli_server.c

Lines changed: 1 addition & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1815,18 +1815,14 @@ static size_t php_cli_server_client_send_through(php_cli_server_client *client,
18151815

18161816
static void php_cli_server_client_populate_request_info(const php_cli_server_client *client, sapi_request_info *request_info) /* {{{ */
18171817
{
1818-
char *val;
1819-
18201818
request_info->request_method = php_http_method_str(client->request.request_method);
18211819
request_info->proto_num = client->request.protocol_version;
18221820
request_info->request_uri = client->request.request_uri;
18231821
request_info->path_translated = client->request.path_translated;
18241822
request_info->query_string = client->request.query_string;
18251823
request_info->content_length = client->request.content_len;
18261824
request_info->auth_user = request_info->auth_password = request_info->auth_digest = NULL;
1827-
if (NULL != (val = zend_hash_str_find_ptr(&client->request.headers, "content-type", sizeof("content-type")-1))) {
1828-
request_info->content_type = val;
1829-
}
1825+
request_info->content_type = zend_hash_str_find_ptr(&client->request.headers, "content-type", sizeof("content-type")-1);
18301826
} /* }}} */
18311827

18321828
static void destroy_request_info(sapi_request_info *request_info) /* {{{ */

sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt

Lines changed: 41 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,41 @@
1+
--TEST--
2+
GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface)
3+
--INI--
4+
allow_url_fopen=1
5+
--SKIPIF--
6+
<?php
7+
include "skipif.inc";
8+
?>
9+
--FILE--
10+
<?php
11+
include "php_cli_server.inc";
12+
13+
$serverCode = <<<'CODE'
14+
var_dump(file_get_contents('php://input'));
15+
CODE;
16+
17+
php_cli_server_start($serverCode, null);
18+
19+
$options = [
20+
"http" => [
21+
"method" => "POST",
22+
"header" => "Content-Type: application/x-www-form-urlencoded",
23+
"content" => "AAAAA",
24+
],
25+
];
26+
$context = stream_context_create($options);
27+
28+
echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", false, $context);
29+
30+
$options = [
31+
"http" => [
32+
"method" => "POST",
33+
],
34+
];
35+
$context = stream_context_create($options);
36+
37+
echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", false, $context);
38+
?>
39+
--EXPECT--
40+
string(5) "AAAAA"
41+
string(0) ""

0 commit comments

Comments
 (0)