From 66054bd65585277dbe5453e336f875f8f126d589 Mon Sep 17 00:00:00 2001 From: Niels Dossche <7771979+nielsdos@users.noreply.github.com> Date: Sat, 9 Nov 2024 15:29:52 +0100 Subject: [PATCH 5/6] Fix GHSA-4w77-75f9-2c8w (cherry picked from commit 7dd336ae838bbf2c62dc47e3c900d657d3534c02) (cherry picked from commit 462092a48aa0dbad24d9fa8a4a9d418faa14d309) (cherry picked from commit 56488a8a4ec68e58eecc9e78dd75e41adf56984c) (cherry picked from commit 6b8357c22f83a93104c2682d5cba9104c8de636d) (cherry picked from commit b7c951d47acae54aab5ce896b8ec151d661c8fd0) (cherry picked from commit abd3bf9eb5a1c42fc24b7a0296b09d93ed7d6730) (cherry picked from commit 81f2819ec08c6c7ff1f4e2caccb51719ace6a27d) (cherry picked from commit f7ea64028c884c1c41a25b31d5839ff2d34ced86) --- sapi/cli/php_cli_server.c | 2 ++ sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt | 41 +++++++++++++++++++++++++ 2 files changed, 43 insertions(+) create mode 100644 sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt diff --git a/sapi/cli/php_cli_server.c b/sapi/cli/php_cli_server.c index 82bd573b56..68c123e9e8 100644 --- a/sapi/cli/php_cli_server.c +++ b/sapi/cli/php_cli_server.c @@ -1873,6 +1873,8 @@ static void php_cli_server_client_populate_request_info(const php_cli_server_cli request_info->auth_user = request_info->auth_password = request_info->auth_digest = NULL; if (SUCCESS == zend_hash_find(&client->request.headers, "content-type", sizeof("content-type"), (void**)&val)) { request_info->content_type = *val; + } else { + request_info->content_type = NULL; } } /* }}} */ diff --git a/sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt b/sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt new file mode 100644 index 0000000000..44667e8389 --- /dev/null +++ b/sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt @@ -0,0 +1,41 @@ +--TEST-- +GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface) +--INI-- +allow_url_fopen=1 +--SKIPIF-- + +--FILE-- + [ + "method" => "POST", + "header" => "Content-Type: application/x-www-form-urlencoded", + "content" => "AAAAA", + ], +]; +$context = stream_context_create($options); + +echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", false, $context); + +$options = [ + "http" => [ + "method" => "POST", + ], +]; +$context = stream_context_create($options); + +echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", false, $context); +?> +--EXPECT-- +string(5) "AAAAA" +string(0) "" -- 2.47.0 From dcb480001bf83a82a745a160d243e7213df10d83 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Fri, 22 Nov 2024 08:58:10 +0100 Subject: [PATCH 6/6] NEWS for 8.1.31 backports (cherry picked from commit 22bdb43da0ecd6e72d63b63aa6c1f3a25d1bca3a) (cherry picked from commit d8d682d3d6a4d027771806c8fc77128cae078d29) (cherry picked from commit b97a41a47f77df92771b3c01fbf7cf445c0e7a1b) (cherry picked from commit 46f3d442aae8d8caca33a4d4ff9c9470568aee80) (cherry picked from commit 49783ab65131f0af188ea41a74db4af56a41c323) (cherry picked from commit 861b62921190c2c29205d6029d33a606b7a47831) (cherry picked from commit d4b0872ce2a907b2a69db720abb5ab939fc13985) --- NEWS | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/NEWS b/NEWS index 957508cd64..24fa47ec2b 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,22 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| +Backported from 8.1.31 + +- CLI: + . Fixed bug GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data + Processing in CLI SAPI Interface). (nielsdos) + +- LDAP: + . Fixed bug GHSA-g665-fm4p-vhff (OOB access in ldap_escape). (CVE-2024-8932) + (nielsdos) + +- Streams: + . Fixed bug GHSA-c5f2-jwm7-mmq2 (Configuring a proxy in a stream context + might allow for CRLF injection in URIs). (CVE-2024-11234) (Jakub Zelenka) + . Fixed bug GHSA-r977-prxv-hc43 (Single byte overread with + convert.quoted-printable-decode filter). (CVE-2024-11233) (nielsdos) + Backported from 8.1.30 - CGI: -- 2.47.0