author | Jakub Zelenka <bukka@php.net> | 2019-10-12 15:56:16 +0100 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2019-10-20 22:50:04 -0700 |
commit | ab061f95ca966731b1c84cf5b7b20155c0a1c06a (patch) | |
tree | 66e75b8a006dbd3a14a8f1793330be8914cf311e | |
parent | fadd7f0f1e7a44d6209b5c5cf30870e4b73efa7d (diff) | |
download | php-git-ab061f95ca966731b1c84cf5b7b20155c0a1c06a.tar.gz |
Fix bug #78599 (env_path_info underflow can lead to RCE) (CVE-2019-11043)
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | sapi/fpm/fpm/fpm_main.c | 4 | ||||
-rw-r--r-- | sapi/fpm/tests/bug78599-path-info-underflow.phpt | 61 | ||||
-rw-r--r-- | sapi/fpm/tests/tester.inc | 11 |
4 files changed, 75 insertions, 5 deletions
@@ -2,7 +2,9 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? ????, PHP 7.1.33
-
+- FPM:
+ . Fixed bug #78599 (env_path_info underflow in fpm_main.c can lead to RCE).
+ (CVE-2019-11043) (Jakub Zelenka)
 29 Aug 2019, PHP 7.1.32
diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c
index 24a7e5d56a..50f92981f1 100644
--- a/sapi/fpm/fpm/fpm_main.c
+++ b/sapi/fpm/fpm/fpm_main.c
@@ -1209,8 +1209,8 @@ static void init_request_info(void)
 path_info = script_path_translated + ptlen;
 tflag = (slen != 0 && (!orig_path_info || strcmp(orig_path_info, path_info) != 0));
 } else {
- path_info = env_path_info ? env_path_info + pilen - slen : NULL;
- tflag = (orig_path_info != path_info);
+ path_info = (env_path_info && pilen > slen) ? env_path_info + pilen - slen : NULL;
+ tflag = path_info && (orig_path_info != path_info);
 }
 if (tflag) {
diff --git a/sapi/fpm/tests/bug78599-path-info-underflow.phpt b/sapi/fpm/tests/bug78599-path-info-underflow.phpt
new file mode 100644
index 0000000000..edd4e0d496
--- /dev/null
+++ b/sapi/fpm/tests/bug78599-path-info-underflow.phpt
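Review bot: The added bound `pilen > slen` is the entire fix yet carries no comment, so nothing in the code says that `env_path_info + pilen - slen` could previously step backwards out of the PATH_INFO string when PATH_INFO was shorter than the script suffix (the underflow named in the commit title). Suggest a comment above the assignment: `/* bug #78599 / CVE-2019-11043: pilen - slen must not underflow, or path_info would point before env_path_info */`. The equal-length case `pilen == slen` now also yields NULL and, through the new `tflag`, skips the PATH_INFO rewrite where it previously used env_path_info itself; if that is intended, the comment should say so. `pilen`, `slen` and the rest of init_request_info are outside the hunk, so their signedness and how a NULL path_info is handled further down cannot be checked here.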
@@ -0,0 +1,61 @@
+--TEST--
+FPM: bug78599 - env_path_info underflow - CVE-2019-11043
+--SKIPIF--
+<?php include "skipif.inc"; ?>
+--FILE--
+<?php
+
+require_once "tester.inc";
+
+$cfg = <<<EOT
+[global]
+error_log = {{FILE:LOG}}
+[unconfined]
+listen = {{ADDR}}
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 1
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+EOT;
+
+$code = <<<EOT
+<?php
+echo "Test Start\n";
+var_dump(\$_SERVER["PATH_INFO"]);
+echo "Test End\n";
+EOT;
+
+$tester = new FPM\Tester($cfg, $code);
+$tester->start();
+$tester->expectLogStartNotices();
+$uri = $tester->makeSourceFile();
+$tester
+ ->request(
+ '',
+ [
+ 'SCRIPT_FILENAME' => $uri . "/" . str_repeat('A', 35),
+ 'PATH_INFO' => '',
+ 'HTTP_HUI' => str_repeat('PTEST', 1000),
+ ],
+ $uri
+ )
+ ->expectBody(
+ [
+ 'Test Start',
+ 'string(0) ""',
+ 'Test End'
+ ]
+ );
+$tester->terminate();
+$tester->close();
+
+?>
+Done
+--EXPECT--
+Done
+--CLEAN--
+<?php
+require_once "tester.inc";
+FPM\Tester::clean();
+?>
diff --git a/sapi/fpm/tests/tester.inc b/sapi/fpm/tests/tester.inc
index 70c03ad70f..3b6702866c 100644
--- a/sapi/fpm/tests/tester.inc
+++ b/sapi/fpm/tests/tester.inc
@@ -513,7 +513,7 @@ class Tester
 return new Response(null, true);
 }
 if (is_null($uri)) {
- $uri = $this->makeFile('src.php', $this->code);
+ $uri = $this->makeSourceFile();
 }
 $params = array_merge(
@@ -538,7 +538,6 @@ class Tester
 ],
 $headers
 );
- try {
 $this->response = new Response(
 $this->getClient($address, $connKeepAlive)->request_data($params, false)
@@ -945,6 +944,14 @@ class Tester
 }
 /**
+ * @return string
+ */
+ public function makeSourceFile()
+ {
+ return $this->makeFile('src.php', $this->code);
+ }
+
+ /**
 * @param string|null $msg
 */
 private function message($msg) |
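Review bot: The request that reproduces the bug is built from three specific values — `SCRIPT_FILENAME` with 35 trailing `A`s, an empty `PATH_INFO`, and a 5000-byte `HTTP_HUI` header — with no comment saying which of them matters, so a later edit to tester.inc or to these values could silently turn the test into a no-op. A comment above `->request(` such as `// empty PATH_INFO with a 35-byte script suffix is the pilen < slen case of bug #78599; HTTP_HUI is oversized on purpose (see the bug report)` would pin that down; the exact role of the large header is not evident from the test itself and should be stated by whoever has the reproducer. As a style point, the `expectBody` array ends in `'Test End'` without the trailing comma that the sibling params array in `->request(` uses.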
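Review bot: `makeSourceFile()` gets a `@return string` tag but no description, and nothing says it writes `$this->code` to `src.php` and returns the value that `request()` uses as `$uri` — which is exactly the inline call it replaces in the `-513` hunk — so the docblock should spell it out: `Write the test's PHP code to src.php and return the URI that request() expects.`. The `-538` hunk removes a line rendered here as `try {`; if that is really the `try` keyword rather than a blank line lost in rendering, the matching `catch` below the hunk would be left without its `try`, so that hunk deserves a second look against the raw patch.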