Fix GHSA-4w77-75f9-2c8w

2024-11-26 19:33:55 +08:00 · 2024-11-09 15:29:52 +01:00 · 2024-11-09 15:29:52 +01:00 · f18d429b20
commit f18d429b20
parent f3ade203d7
2 changed files with 43 additions and 0 deletions
--- a/sapi/cli/php_cli_server.c
+++ b/sapi/cli/php_cli_server.c
@ -1944,6 +1944,8 @@ static void php_cli_server_client_populate_request_info(const php_cli_server_cli
 	request_info->auth_user = request_info->auth_password = request_info->auth_digest = NULL;
 	if (NULL != (val = zend_hash_str_find(&client->request.headers, "content-type", sizeof("content-type")-1))) {
 		request_info->content_type = Z_STRVAL_P(val);
+	} else {
+		request_info->content_type = NULL;
 	}
 } /* }}} */

--- a/sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt
+++ b/sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt
@ -0,0 +1,41 @@
+--TEST--
+GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface)
+--INI--
+allow_url_fopen=1
+--SKIPIF--
+<?php
+include "skipif.inc";
+?>
+--FILE--
+<?php
+include "php_cli_server.inc";
+
+$serverCode = <<<'CODE'
+var_dump(file_get_contents('php://input'));
+CODE;
+
+php_cli_server_start($serverCode, null, []);
+
+$options = [
+    "http" => [
+        "method" => "POST",
+        "header" => "Content-Type: application/x-www-form-urlencoded",
+        "content" => "AAAAA",
+    ],
+];
+$context = stream_context_create($options);
+
+echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", context: $context);
+
+$options = [
+    "http" => [
+        "method" => "POST",
+    ],
+];
+$context = stream_context_create($options);
+
+echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", context: $context);
+?>
+--EXPECT--
+string(5) "AAAAA"
+string(0) ""