Fix Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI InterfaceHEAD master

GHSA-4w77-75f9-2c8w Fix OOB access in ldap_escape CVE-2024-8932 Fix Integer overflow in the dblib/firebird quoter causing OOB writes CVE-2024-11236 Fix Configuring a proxy in a stream context might allow for CRLF injection in URIs CVE-2024-11234 Fix Single byte overread with convert.quoted-printable-decode filter CVE-2024-11233
author: Remi Collet <remi@remirepo.net> 2024-11-22 10:18:23 +0100
committer: Remi Collet <remi@php.net> 2024-11-22 10:18:23 +0100
commit: 6d1bc7b714098577d61e6b16a451edc02d3e9c7c (patch)
tree: ff9b73e16754044369ed041fc06bf66ecf2c4098 /php-ghsa-4w77-75f9-2c8w.patch
parent: aa64914647126cbc436872eccf8aed6eda8c182e (diff)
1 files changed, 133 insertions, 0 deletions
diff --git a/php-ghsa-4w77-75f9-2c8w.patch b/php-ghsa-4w77-75f9-2c8w.patch
new file mode 100644
index 0000000..61e859f
--- /dev/null
+++ b/php-ghsa-4w77-75f9-2c8w.patch
@@ -0,0 +1,133 @@
+From 462092a48aa0dbad24d9fa8a4a9d418faa14d309 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Sat, 9 Nov 2024 15:29:52 +0100
+Subject: [PATCH 6/8] Fix GHSA-4w77-75f9-2c8w
+
+(cherry picked from commit 7dd336ae838bbf2c62dc47e3c900d657d3534c02)
+---
+ sapi/cli/php_cli_server.c               |  6 +---
+ sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt | 41 +++++++++++++++++++++++++
+ 2 files changed, 42 insertions(+), 5 deletions(-)
+ create mode 100644 sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt
+
+diff --git a/sapi/cli/php_cli_server.c b/sapi/cli/php_cli_server.c
+index 295448f1211..5104318a634 100644
+--- a/sapi/cli/php_cli_server.c
++++ b/sapi/cli/php_cli_server.c
+@@ -1863,8 +1863,6 @@ static size_t php_cli_server_client_send_through(php_cli_server_client *client,
+ 
+ static void php_cli_server_client_populate_request_info(const php_cli_server_client *client, sapi_request_info *request_info) /* {{{ */
+ {
+-	char *val;
+-
+ 	request_info->request_method = php_http_method_str(client->request.request_method);
+ 	request_info->proto_num = client->request.protocol_version;
+ 	request_info->request_uri = client->request.request_uri;
+@@ -1872,9 +1870,7 @@ static void php_cli_server_client_populate_request_info(const php_cli_server_cli
+ 	request_info->query_string = client->request.query_string;
+ 	request_info->content_length = client->request.content_len;
+ 	request_info->auth_user = request_info->auth_password = request_info->auth_digest = NULL;
+-	if (NULL != (val = zend_hash_str_find_ptr(&client->request.headers, "content-type", sizeof("content-type")-1))) {
+-		request_info->content_type = val;
+-	}
++	request_info->content_type = zend_hash_str_find_ptr(&client->request.headers, "content-type", sizeof("content-type")-1);
+ } /* }}} */
+ 
+ static void destroy_request_info(sapi_request_info *request_info) /* {{{ */
+diff --git a/sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt b/sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt
+new file mode 100644
+index 00000000000..2c8aeff12d5
+--- /dev/null
++++ b/sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt
+@@ -0,0 +1,41 @@
++--TEST--
++GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface)
++--INI--
++allow_url_fopen=1
++--SKIPIF--
++<?php
++include "skipif.inc";
++?>
++--FILE--
++<?php
++include "php_cli_server.inc";
++
++$serverCode = <<<'CODE'
++var_dump(file_get_contents('php://input'));
++CODE;
++
++php_cli_server_start($serverCode, null, []);
++
++$options = [
++    "http" => [
++        "method" => "POST",
++        "header" => "Content-Type: application/x-www-form-urlencoded",
++        "content" => "AAAAA",
++    ],
++];
++$context = stream_context_create($options);
++
++echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", context: $context);
++
++$options = [
++    "http" => [
++        "method" => "POST",
++    ],
++];
++$context = stream_context_create($options);
++
++echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", context: $context);
++?>
++--EXPECT--
++string(5) "AAAAA"
++string(0) ""
+-- 
+2.47.0
+
+From 22bdb43da0ecd6e72d63b63aa6c1f3a25d1bca3a Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Fri, 22 Nov 2024 08:58:10 +0100
+Subject: [PATCH 7/8] NEWS for 8.1.31 backports
+
+---
+ NEWS | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index bad0a719aae..0f82a65a44b 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,30 @@
+ PHP                                                                        NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ 
++Backported from 8.1.31
++
++- CLI:
++  . Fixed bug GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data
++    Processing in CLI SAPI Interface). (nielsdos)
++
++- LDAP:
++  . Fixed bug GHSA-g665-fm4p-vhff (OOB access in ldap_escape). (CVE-2024-8932)
++    (nielsdos)
++
++- PDO DBLIB:
++  . Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the dblib quoter causing
++    OOB writes). (CVE-2024-11236) (nielsdos)
++
++- PDO Firebird:
++  . Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the firebird quoter
++    causing OOB writes). (CVE-2024-11236) (nielsdos)
++
++- Streams:
++  . Fixed bug GHSA-c5f2-jwm7-mmq2 (Configuring a proxy in a stream context
++    might allow for CRLF injection in URIs). (CVE-2024-11234) (Jakub Zelenka)
++  . Fixed bug GHSA-r977-prxv-hc43 (Single byte overread with
++    convert.quoted-printable-decode filter). (CVE-2024-11233) (nielsdos)
++
+ Backported from 8.1.30
+ 
+ - CGI:
+-- 
+2.47.0
+
author	Remi Collet <remi@remirepo.net>	2024-11-22 10:18:23 +0100
committer	Remi Collet <remi@php.net>	2024-11-22 10:18:23 +0100
commit	6d1bc7b714098577d61e6b16a451edc02d3e9c7c (patch)
tree	ff9b73e16754044369ed041fc06bf66ecf2c4098 /php-ghsa-4w77-75f9-2c8w.patch
parent	aa64914647126cbc436872eccf8aed6eda8c182e (diff)