Skip to content

Commit abd3bf9

Browse files
nielsdosremicollet
nielsdos
authored and
remicollet
committed
(cherry picked from commit 7dd336ae838bbf2c62dc47e3c900d657d3534c02) (cherry picked from commit 462092a) (cherry picked from commit 56488a8) (cherry picked from commit 6b8357c) (cherry picked from commit b7c951d)
1 parent c173da7 commit abd3bf9

File tree

2 files changed

+42
-5
lines changed

2 files changed

+42
-5
lines changed

sapi/cli/php_cli_server.c

Lines changed: 1 addition & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1833,18 +1833,14 @@ static size_t php_cli_server_client_send_through(php_cli_server_client *client,
18331833

18341834
static void php_cli_server_client_populate_request_info(const php_cli_server_client *client, sapi_request_info *request_info) /* {{{ */
18351835
{
1836-
char *val;
1837-
18381836
request_info->request_method = php_http_method_str(client->request.request_method);
18391837
request_info->proto_num = client->request.protocol_version;
18401838
request_info->request_uri = client->request.request_uri;
18411839
request_info->path_translated = client->request.path_translated;
18421840
request_info->query_string = client->request.query_string;
18431841
request_info->content_length = client->request.content_len;
18441842
request_info->auth_user = request_info->auth_password = request_info->auth_digest = NULL;
1845-
if (NULL != (val = zend_hash_str_find_ptr(&client->request.headers, "content-type", sizeof("content-type")-1))) {
1846-
request_info->content_type = val;
1847-
}
1843+
request_info->content_type = zend_hash_str_find_ptr(&client->request.headers, "content-type", sizeof("content-type")-1);
18481844
} /* }}} */
18491845

18501846
static void destroy_request_info(sapi_request_info *request_info) /* {{{ */

sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt

Lines changed: 41 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,41 @@
1+
--TEST--
2+
GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface)
3+
--INI--
4+
allow_url_fopen=1
5+
--SKIPIF--
6+
<?php
7+
include "skipif.inc";
8+
?>
9+
--FILE--
10+
<?php
11+
include "php_cli_server.inc";
12+
13+
$serverCode = <<<'CODE'
14+
var_dump(file_get_contents('php://input'));
15+
CODE;
16+
17+
php_cli_server_start($serverCode, null);
18+
19+
$options = [
20+
"http" => [
21+
"method" => "POST",
22+
"header" => "Content-Type: application/x-www-form-urlencoded",
23+
"content" => "AAAAA",
24+
],
25+
];
26+
$context = stream_context_create($options);
27+
28+
echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", false, $context);
29+
30+
$options = [
31+
"http" => [
32+
"method" => "POST",
33+
],
34+
];
35+
$context = stream_context_create($options);
36+
37+
echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", false, $context);
38+
?>
39+
--EXPECT--
40+
string(5) "AAAAA"
41+
string(0) ""

0 commit comments

Comments
 (0)