Merge branch 'PHP-8.3' into PHP-8.4

2024-11-23 01:44:06 +08:00 · 2024-10-06 19:43:19 +01:00 · 2024-10-06 19:43:19 +01:00 · 10d2d862a6
commit 10d2d862a6
parent 062b3ca2f2 59816b9a73
4 changed files with 69 additions and 2 deletions
--- a/main/SAPI.c
+++ b/main/SAPI.c
@ -509,12 +509,15 @@ SAPI_API void sapi_deactivate_module(void)
 	}
 	if (SG(request_info).auth_user) {
 		efree(SG(request_info).auth_user);
+		SG(request_info).auth_user = NULL;
 	}
 	if (SG(request_info).auth_password) {
 		efree(SG(request_info).auth_password);
+		SG(request_info).auth_password = NULL;
 	}
 	if (SG(request_info).auth_digest) {
 		efree(SG(request_info).auth_digest);
+		SG(request_info).auth_digest = NULL;
 	}
 	if (SG(request_info).content_type_dup) {
 		efree(SG(request_info).content_type_dup);
--- a/main/main.c
+++ b/main/main.c
@ -2680,7 +2680,9 @@ PHPAPI int php_handle_auth_data(const char *auth)
 			if (pass) {
 				*pass++ = '\0';
 				SG(request_info).auth_user = estrndup(ZSTR_VAL(user), ZSTR_LEN(user));
-				SG(request_info).auth_password = estrdup(pass);
+				if (strlen(pass) > 0) {
+					SG(request_info).auth_password = estrdup(pass);
+				}
 				ret = 0;
 			}
 			zend_string_free(user);
--- a/sapi/fpm/tests/gh15395-php-auth-shutdown.phpt
+++ b/sapi/fpm/tests/gh15395-php-auth-shutdown.phpt
@ -0,0 +1,61 @@
+--TEST--
+FPM: GH-15335 - PHP_AUTH shutdown  use after free
+--SKIPIF--
+<?php include "skipif.inc"; ?>
+--FILE--
+<?php
+
+require_once "tester.inc";
+
+$cfg = <<<EOT
+[global]
+error_log = {{FILE:LOG}}
+log_level = notice
+[unconfined]
+listen = {{ADDR}}
+pm = static
+pm.max_children = 1
+catch_workers_output = yes
+php_admin_value[cgi.fix_pathinfo] = no
+EOT;
+
+$code = <<<EOT
+<?php
+echo \$_SERVER["SCRIPT_NAME"] . "\n";
+echo \$_SERVER["SCRIPT_FILENAME"] . "\n";
+echo \$_SERVER["PHP_SELF"];
+EOT;
+
+$tester = new FPM\Tester($cfg, $code);
+[$sourceFilePath, $scriptName] = $tester->createSourceFileAndScriptName();
+$tester->start();
+$tester->expectLogStartNotices();
+$tester
+    ->request(
+        headers: [ "HTTP_AUTHORIZATION" => "Basic Zm9vOg==", "REQUEST_METHOD" => "GET"],
+        uri: $scriptName,
+        address: '{{ADDR}}',
+        scriptFilename: __DIR__ . "/__unknown.php",
+        scriptName: "/",
+    )
+    ->expectStatus('404 Not Found');
+$tester
+    ->request(
+        uri: $scriptName,
+        address: '{{ADDR}}',
+        params: [],
+    );
+$tester->expectNoLogPattern("/zend_mm_heap corrupted/");
+$tester->terminate();
+$tester->expectLogTerminatingNotices();
+$tester->close();
+
+?>
+Done
+--EXPECT--
+Done
+--CLEAN--
+<?php
+require_once "tester.inc";
+FPM\Tester::clean();
+?>
--- a/sapi/fpm/tests/tester.inc
+++ b/sapi/fpm/tests/tester.inc
@ -838,6 +838,7 @@ class Tester
        int $readLimit = -1,
        int $writeDelay = 0,
        ?string $method = null,
+        array $params = null,
    ): Response {
        if ($this->hasError()) {
            return $this->createResponse(expectInvalid: true);
@ -847,7 +848,7 @@ class Tester
            $stdin = $this->parseStdin($stdin, $headers);
        }

-        $params = $this->getRequestParams($query, $headers, $uri, $scriptFilename, $scriptName, $stdin, $method);
+        $params = $params ?? $this->getRequestParams($query, $headers, $uri, $scriptFilename, $scriptName, $stdin, $method);
        $this->trace('Request params', $params);

        try {