diff options
Diffstat (limited to 'php-cve-2026-6735.patch')
| -rw-r--r-- | php-cve-2026-6735.patch | 338 |
1 files changed, 338 insertions, 0 deletions
diff --git a/php-cve-2026-6735.patch b/php-cve-2026-6735.patch new file mode 100644 index 0000000..769c0e8 --- /dev/null +++ b/php-cve-2026-6735.patch @@ -0,0 +1,338 @@ +From 8e0efa0f20484c8bbfdb8671d61b232b70e2bd0a Mon Sep 17 00:00:00 2001 +From: Jakub Zelenka <bukka@php.net> +Date: Sun, 3 May 2026 20:01:41 +0200 +Subject: [PATCH 5/6] GHSA-7qg2-v9fj-4mwv: [fpm] XSS within status endpoint + +Fixes GHSA-7qg2-v9fj-4mwv +Fixes CVE-2026-6735 + +(cherry picked from commit 99a5ad7441de9914246c7863adb6997396008b9d) +(cherry picked from commit cc2960e782eb5cc262d7bd572a7d18979a811954) +(cherry picked from commit 62daef7b73108ceda2545862cde0673f252ba2d2) +(cherry picked from commit aeaf48ca0bceba42b9595dff30d9e96029c54613) + +backport some new FPM tester features + +(cherry picked from commit 8b1746466f9fcf248f9879fabfa356106d365da0) +--- + sapi/fpm/fpm/fpm_status.c | 28 ++++- + .../tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt | 48 ++++++++ + sapi/fpm/tests/tester.inc | 111 ++++++++++++++++-- + 3 files changed, 172 insertions(+), 15 deletions(-) + create mode 100644 sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt + +diff --git a/sapi/fpm/fpm/fpm_status.c b/sapi/fpm/fpm/fpm_status.c +index 45852a5b39..2c0d770329 100644 +--- a/sapi/fpm/fpm/fpm_status.c ++++ b/sapi/fpm/fpm/fpm_status.c +@@ -387,8 +387,8 @@ int fpm_status_handle_request(void) /* {{{ */ + if (full_syntax) { + unsigned int i; + int first; +- zend_string *tmp_query_string; +- char *query_string; ++ zend_string *tmp_query_string, *tmp_request_uri_string; ++ char *query_string, *request_uri_string; + struct timeval duration, now; + #ifdef HAVE_FPM_LQ + float cpu; +@@ -415,13 +415,30 @@ int fpm_status_handle_request(void) /* {{{ */ + } + } + ++ request_uri_string = NULL; ++ tmp_request_uri_string = NULL; ++ if (proc.request_uri[0] != '\0') { ++ if (encode) { ++ tmp_request_uri_string = php_escape_html_entities_ex( ++ (unsigned char*)proc.request_uri, ++ strlen(proc.request_uri), 1, ENT_DISALLOWED | ENT_HTML_DOC_XML1 | ENT_COMPAT, ++ NULL, /* double_encode */ 1); ++ request_uri_string = ZSTR_VAL(tmp_request_uri_string); ++ } else { ++ request_uri_string = proc.request_uri; ++ } ++ } ++ + query_string = NULL; + tmp_query_string = NULL; + if (proc.query_string[0] != '\0') { + if (!encode) { + query_string = proc.query_string; + } else { +- tmp_query_string = php_escape_html_entities_ex((unsigned char *)proc.query_string, strlen(proc.query_string), 1, ENT_HTML_IGNORE_ERRORS & ENT_COMPAT, NULL, 1); ++ tmp_query_string = php_escape_html_entities_ex( ++ (unsigned char*)proc.query_string, ++ strlen(proc.query_string), 1, ENT_DISALLOWED | ENT_HTML_DOC_XML1 | ENT_COMPAT, ++ NULL, /* double_encode */ 1); + query_string = ZSTR_VAL(tmp_query_string); + } + } +@@ -449,7 +466,7 @@ int fpm_status_handle_request(void) /* {{{ */ + proc.requests, + duration.tv_sec * 1000000UL + duration.tv_usec, + proc.request_method[0] != '\0' ? proc.request_method : "-", +- proc.request_uri[0] != '\0' ? proc.request_uri : "-", ++ request_uri_string ? request_uri_string : "-", + query_string ? "?" : "", + query_string ? query_string : "", + proc.content_length, +@@ -462,6 +479,9 @@ int fpm_status_handle_request(void) /* {{{ */ + PUTS(buffer); + efree(buffer); + ++ if (tmp_request_uri_string) { ++ zend_string_free(tmp_request_uri_string); ++ } + if (tmp_query_string) { + zend_string_free(tmp_query_string); + } +diff --git a/sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt b/sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt +new file mode 100644 +index 0000000000..475bc130a4 +--- /dev/null ++++ b/sapi/fpm/tests/ghsa-7qg2-v9fj-4mwv-status-xss.phpt +@@ -0,0 +1,48 @@ ++--TEST-- ++FPM: GHSA-7qg2-v9fj-4mwv - status xss ++--SKIPIF-- ++<?php include "skipif.inc"; ?> ++--FILE-- ++<?php ++ ++require_once "tester.inc"; ++ ++$cfg = <<<EOT ++[global] ++error_log = {{FILE:LOG}} ++[unconfined] ++listen = {{ADDR}} ++pm = static ++pm.max_children = 2 ++pm.status_path = /status ++catch_workers_output = yes ++EOT; ++ ++$code = <<<EOT ++<?php ++usleep(200000); ++EOT; ++ ++$tester = new FPM\Tester($cfg, $code); ++$tester->start(); ++$tester->expectLogStartNotices(); ++$responses = $tester ++ ->multiRequest([ ++ ['uri' => '/<script>alert(1)</script>', 'query' => '<script>alert(2)</script>'], ++ ['uri' => '/status', 'query' => 'full&html', 'delay' => 100000], ++ ]); ++var_dump(strpos($responses[1]->getBody(), '<script>')); ++$tester->terminate(); ++$tester->expectLogTerminatingNotices(); ++$tester->close(); ++ ++?> ++Done ++--EXPECT-- ++bool(false) ++Done ++--CLEAN-- ++<?php ++require_once "tester.inc"; ++FPM\Tester::clean(); ++?> +diff --git a/sapi/fpm/tests/tester.inc b/sapi/fpm/tests/tester.inc +index 3b6702866c..c1384133f4 100644 +--- a/sapi/fpm/tests/tester.inc ++++ b/sapi/fpm/tests/tester.inc +@@ -489,7 +489,7 @@ class Tester + } + + /** +- * Execute request. ++ * Get request params array. + * + * @param string $query + * @param array $headers +@@ -498,20 +498,13 @@ class Tester + * @param string|null $successMessage + * @param string|null $errorMessage + * @param bool $connKeepAlive +- * @return Response ++ * @return array + */ +- public function request( ++ private function getRequestParams( + string $query = '', + array $headers = [], +- string $uri = null, +- string $address = null, +- string $successMessage = null, +- string $errorMessage = null, +- bool $connKeepAlive = false ++ string $uri = null + ) { +- if ($this->hasError()) { +- return new Response(null, true); +- } + if (is_null($uri)) { + $uri = $this->makeSourceFile(); + } +@@ -538,6 +531,42 @@ class Tester + ], + $headers + ); ++ ++ return array_filter($params, function($value) { ++ return !is_null($value); ++ }); ++ } ++ ++ /** ++ * Execute request. ++ * ++ * @param string $query ++ * @param array $headers ++ * @param string|null $uri ++ * @param string|null $address ++ * @param string|null $successMessage ++ * @param string|null $errorMessage ++ * @param bool $connKeepAlive ++ * @return Response ++ */ ++ public function request( ++ string $query = '', ++ array $headers = [], ++ string $uri = null, ++ string $address = null, ++ string $successMessage = null, ++ string $errorMessage = null, ++ bool $connKeepAlive = false ++ ) { ++ if ($this->hasError()) { ++ return new Response(null, true); ++ } ++ if (is_null($uri)) { ++ $uri = $this->makeSourceFile(); ++ } ++ ++ $params = $this->getRequestParams($query, $headers, $uri); ++ + try { + $this->response = new Response( + $this->getClient($address, $connKeepAlive)->request_data($params, false) +@@ -557,6 +586,66 @@ class Tester + return $this->response; + } + ++ /** ++ * Execute multiple requests in parallel. ++ * ++ * @param array|int $requests ++ * @param string|null $address ++ * @param string|null $successMessage ++ * @param string|null $errorMessage ++ * @param bool $connKeepAlive ++ * @return Response[] ++ * @throws \Exception ++ */ ++ public function multiRequest( ++ $requests, ++ string $address = null, ++ string $successMessage = null, ++ string $errorMessage = null, ++ bool $connKeepAlive = false ++ ) { ++ if ($this->hasError()) { ++ return new Response(null, true); ++ } ++ ++ if (is_numeric($requests)) { ++ $requests = array_fill(0, $requests, []); ++ } elseif (!is_array($requests)) { ++ throw new \Exception('Requests can be either numeric or array'); ++ } ++ ++ try { ++ $connections = array_map(function ($requestData) use ($address, $connKeepAlive) { ++ $client = $this->getClient($address, $connKeepAlive); ++ $params = $this->getRequestParams( ++ $requestData['query'] ?? '', ++ $requestData['headers'] ?? [], ++ $requestData['uri'] ?? null ++ ); ++ return [ ++ 'client' => $client, ++ 'requestId' => $client->async_request($params, false), ++ ]; ++ }, $requests); ++ ++ $responses = array_map(function ($conn) { ++ $response = new Response($conn['client']->wait_for_response_data($conn['requestId'])); ++ if ($this->debug) { ++ $response->debugOutput(); ++ } ++ return $response; ++ }, $connections); ++ $this->message($successMessage); ++ return $responses; ++ } catch (\Exception $exception) { ++ if ($errorMessage === null) { ++ $this->error("Request failed", $exception); ++ } else { ++ $this->message($errorMessage); ++ } ++ } ++ } ++ + /** + * Get client. + * +-- +2.54.0 + +From 8884e113e8351693eb4b5f1c58485ad0e4508d3a Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Thu, 7 May 2026 09:01:35 +0200 +Subject: [PATCH 6/6] NEWS from 8.2.31 + +(cherry picked from commit 7dff10e9a31d469fcd436e10b06f8b2bf2758a68) +(cherry picked from commit 1cbf0c27044bd54fb77de8a6bf993a7ab53892a4) +(cherry picked from commit 6b9f5d1673522bb3cf5d77889919084024565c7f) +(cherry picked from commit 5be222339cd6d299aa9170e6fa9edd51a5c42f39) +--- + NEWS | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/NEWS b/NEWS +index 18217680a1..0278901554 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,24 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 8.2.31 ++ ++- FPM: ++ . Fixed GHSA-7qg2-v9fj-4mwv (XSS within status endpoint). (CVE-2026-6735) ++ (Jakub Zelenka) ++ ++- SOAP: ++ . Fixed GHSA-85c2-q967-79q5 (Stale SOAP_GLOBAL(ref_map) pointer with Apache ++ Map). (CVE-2026-6722) (ilutov) ++ . Fixed GHSA-m33r-qmcv-p97q (Use-after-free after header parsing failure with ++ SOAP_PERSISTENCE_SESSION). (CVE-2026-7261) (ilutov) ++ . Fixed GHSA-hmxp-6pc4-f3vv (Broken Apache map value NULL check). ++ (CVE-2026-7262) (ilutov) ++ ++- Standard: ++ . Fixed GHSA-96wq-48vp-hh57 (Signed integer overflow of char array offset). ++ (CVE-2026-7568) (TimWolla) ++ + Backported from 8.1.34 + + . Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). +-- +2.54.0 + |