From 7a990257a05c725d53ca91bc9d080c99102f4e5e Mon Sep 17 00:00:00 2001

From: Stanislav Malyshev <stas@php.net>

Date: Mon, 21 Oct 2019 13:17:09 -0700

Subject: [PATCH] Merge branch 'PHP-7.1' into PHP-7.2

* PHP-7.1:

  Fix bug #78599 (env_path_info underflow can lead to RCE) (CVE-2019-11043)

  bump versions after release

  set versions for release

---

 sapi/fpm/fpm/fpm_main.c                       |  4 +-

 .../tests/bug78599-path-info-underflow.phpt   | 61 +++++++++++++++++++

 sapi/fpm/tests/tester.inc                     | 11 +++-

 3 files changed, 72 insertions(+), 4 deletions(-)

 create mode 100644 sapi/fpm/tests/bug78599-path-info-underflow.phpt

diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c

index f0cc3a07a485..b0e6226d9ad8 100644

--- a/sapi/fpm/fpm/fpm_main.c

+++ b/sapi/fpm/fpm/fpm_main.c

@@ -1209,8 +1209,8 @@ static void init_request_info(void)

 								path_info = script_path_translated + ptlen;

 								tflag = (slen != 0 && (!orig_path_info || strcmp(orig_path_info, path_info) != 0));

 							} else {

-								path_info = env_path_info ? env_path_info + pilen - slen : NULL;

-								tflag = (orig_path_info != path_info);

+								path_info = (env_path_info && pilen > slen) ? env_path_info + pilen - slen : NULL;

+								tflag = path_info && (orig_path_info != path_info);

 							}

 							if (tflag) {

diff --git a/sapi/fpm/tests/bug78599-path-info-underflow.phpt b/sapi/fpm/tests/bug78599-path-info-underflow.phpt

new file mode 100644

index 000000000000..edd4e0d49699

--- /dev/null

+++ b/sapi/fpm/tests/bug78599-path-info-underflow.phpt

@@ -0,0 +1,61 @@

+--TEST--

+FPM: bug78599 - env_path_info underflow - CVE-2019-11043

+--SKIPIF--

+

+--FILE--

+

+

+require_once "tester.inc";

+

+$cfg = <<

+[global]

+error_log = {{FILE:LOG}}

+[unconfined]

+listen = {{ADDR}}

+pm = dynamic

+pm.max_children = 5

+pm.start_servers = 1

+pm.min_spare_servers = 1

+pm.max_spare_servers = 3

+EOT;

+

+$code = <<

+

+echo "Test Start\n";

+var_dump(\$_SERVER["PATH_INFO"]);

+echo "Test End\n";

+EOT;

+

+$tester = new FPM\Tester($cfg, $code);

+$tester->start();

+$tester->expectLogStartNotices();

+$uri = $tester->makeSourceFile();

+$tester

+    ->request(

+        '',

+        [

+            'SCRIPT_FILENAME' => $uri . "/" . str_repeat('A', 35),

+            'PATH_INFO'       => '',

+            'HTTP_HUI'        => str_repeat('PTEST', 1000),

+        ],

+        $uri

+    )

+    ->expectBody(

+        [

+            'Test Start',

+            'string(0) ""',

+            'Test End'

+        ]

+    );

+$tester->terminate();

+$tester->close();

+

+?>

+Done

+--EXPECT--

+Done

+--CLEAN--

+

+require_once "tester.inc";

+FPM\Tester::clean();

+?>

diff --git a/sapi/fpm/tests/tester.inc b/sapi/fpm/tests/tester.inc

index 70c03ad70f1c..3b6702866cc1 100644

--- a/sapi/fpm/tests/tester.inc

+++ b/sapi/fpm/tests/tester.inc

@@ -513,7 +513,7 @@ class Tester

             return new Response(null, true);

         }

         if (is_null($uri)) {

-            $uri = $this->makeFile('src.php', $this->code);

+            $uri = $this->makeSourceFile();

         }

         $params = array_merge(

@@ -538,7 +538,6 @@ class Tester

             ],

             $headers

         );

-

         try {

             $this->response = new Response(

                 $this->getClient($address, $connKeepAlive)->request_data($params, false)

@@ -944,6 +943,14 @@ class Tester

         return $filePath;

     }

+    /**

+     * @return string

+     */

+    public function makeSourceFile()

+    {

+        return $this->makeFile('src.php', $this->code);

+    }

+

     /**

      * @param string|null $msg

      */