Skip to content

Commit 7dd336a

Browse files
nielsdosbukka
nielsdos
authored and
bukka
committed
1 parent 81030c9 commit 7dd336a

File tree

2 files changed

+42
-5
lines changed

2 files changed

+42
-5
lines changed

sapi/cli/php_cli_server.c

Lines changed: 1 addition & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1876,18 +1876,14 @@ static size_t php_cli_server_client_send_through(php_cli_server_client *client,
18761876

18771877
static void php_cli_server_client_populate_request_info(const php_cli_server_client *client, sapi_request_info *request_info) /* {{{ */
18781878
{
1879-
char *val;
1880-
18811879
request_info->request_method = php_http_method_str(client->request.request_method);
18821880
request_info->proto_num = client->request.protocol_version;
18831881
request_info->request_uri = client->request.request_uri;
18841882
request_info->path_translated = client->request.path_translated;
18851883
request_info->query_string = client->request.query_string;
18861884
request_info->content_length = client->request.content_len;
18871885
request_info->auth_user = request_info->auth_password = request_info->auth_digest = NULL;
1888-
if (NULL != (val = zend_hash_str_find_ptr(&client->request.headers, "content-type", sizeof("content-type")-1))) {
1889-
request_info->content_type = val;
1890-
}
1886+
request_info->content_type = zend_hash_str_find_ptr(&client->request.headers, "content-type", sizeof("content-type")-1);
18911887
} /* }}} */
18921888

18931889
static void destroy_request_info(sapi_request_info *request_info) /* {{{ */

sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt

Lines changed: 41 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,41 @@
1+
--TEST--
2+
GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface)
3+
--INI--
4+
allow_url_fopen=1
5+
--SKIPIF--
6+
<?php
7+
include "skipif.inc";
8+
?>
9+
--FILE--
10+
<?php
11+
include "php_cli_server.inc";
12+
13+
$serverCode = <<<'CODE'
14+
var_dump(file_get_contents('php://input'));
15+
CODE;
16+
17+
php_cli_server_start($serverCode, null, []);
18+
19+
$options = [
20+
"http" => [
21+
"method" => "POST",
22+
"header" => "Content-Type: application/x-www-form-urlencoded",
23+
"content" => "AAAAA",
24+
],
25+
];
26+
$context = stream_context_create($options);
27+
28+
echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", context: $context);
29+
30+
$options = [
31+
"http" => [
32+
"method" => "POST",
33+
],
34+
];
35+
$context = stream_context_create($options);
36+
37+
echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", context: $context);
38+
?>
39+
--EXPECT--
40+
string(5) "AAAAA"
41+
string(0) ""

0 commit comments

Comments
 (0)