php/php-ghsa-4w77-75f9-2c8w.patch

From 462092a48aa0dbad24d9fa8a4a9d418faa14d309 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sat, 9 Nov 2024 15:29:52 +0100
Subject: [PATCH 6/8] Fix GHSA-4w77-75f9-2c8w

(cherry picked from commit 7dd336ae838bbf2c62dc47e3c900d657d3534c02)
---
 sapi/cli/php_cli_server.c               |  6 +---
 sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt | 41 +++++++++++++++++++++++++
 2 files changed, 42 insertions(+), 5 deletions(-)
 create mode 100644 sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt

diff --git a/sapi/cli/php_cli_server.c b/sapi/cli/php_cli_server.c
index 295448f1211..5104318a634 100644
--- a/sapi/cli/php_cli_server.c
+++ b/sapi/cli/php_cli_server.c
@@ -1863,8 +1863,6 @@ static size_t php_cli_server_client_send_through(php_cli_server_client *client,
 
 static void php_cli_server_client_populate_request_info(const php_cli_server_client *client, sapi_request_info *request_info) /* {{{ */
 {
-	char *val;
-
 	request_info->request_method = php_http_method_str(client->request.request_method);
 	request_info->proto_num = client->request.protocol_version;
 	request_info->request_uri = client->request.request_uri;
@@ -1872,9 +1870,7 @@ static void php_cli_server_client_populate_request_info(const php_cli_server_cli
 	request_info->query_string = client->request.query_string;
 	request_info->content_length = client->request.content_len;
 	request_info->auth_user = request_info->auth_password = request_info->auth_digest = NULL;
-	if (NULL != (val = zend_hash_str_find_ptr(&client->request.headers, "content-type", sizeof("content-type")-1))) {
-		request_info->content_type = val;
-	}
+	request_info->content_type = zend_hash_str_find_ptr(&client->request.headers, "content-type", sizeof("content-type")-1);
 } /* }}} */
 
 static void destroy_request_info(sapi_request_info *request_info) /* {{{ */
diff --git a/sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt b/sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt
new file mode 100644
index 00000000000..2c8aeff12d5
--- /dev/null
+++ b/sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt
@@ -0,0 +1,41 @@
+--TEST--
+GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface)
+--INI--
+allow_url_fopen=1
+--SKIPIF--
+<?php
+include "skipif.inc";
+?>
+--FILE--
+<?php
+include "php_cli_server.inc";
+
+$serverCode = <<<'CODE'
+var_dump(file_get_contents('php://input'));
+CODE;
+
+php_cli_server_start($serverCode, null, []);
+
+$options = [
+    "http" => [
+        "method" => "POST",
+        "header" => "Content-Type: application/x-www-form-urlencoded",
+        "content" => "AAAAA",
+    ],
+];
+$context = stream_context_create($options);
+
+echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", context: $context);
+
+$options = [
+    "http" => [
+        "method" => "POST",
+    ],
+];
+$context = stream_context_create($options);
+
+echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", context: $context);
+?>
+--EXPECT--
+string(5) "AAAAA"
+string(0) ""
-- 
2.47.0

From 22bdb43da0ecd6e72d63b63aa6c1f3a25d1bca3a Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Fri, 22 Nov 2024 08:58:10 +0100
Subject: [PATCH 7/8] NEWS for 8.1.31 backports

---
 NEWS | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/NEWS b/NEWS
index bad0a719aae..0f82a65a44b 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,30 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 
+Backported from 8.1.31
+
+- CLI:
+  . Fixed bug GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data
+    Processing in CLI SAPI Interface). (nielsdos)
+
+- LDAP:
+  . Fixed bug GHSA-g665-fm4p-vhff (OOB access in ldap_escape). (CVE-2024-8932)
+    (nielsdos)
+
+- PDO DBLIB:
+  . Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the dblib quoter causing
+    OOB writes). (CVE-2024-11236) (nielsdos)
+
+- PDO Firebird:
+  . Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the firebird quoter
+    causing OOB writes). (CVE-2024-11236) (nielsdos)
+
+- Streams:
+  . Fixed bug GHSA-c5f2-jwm7-mmq2 (Configuring a proxy in a stream context
+    might allow for CRLF injection in URIs). (CVE-2024-11234) (Jakub Zelenka)
+  . Fixed bug GHSA-r977-prxv-hc43 (Single byte overread with
+    convert.quoted-printable-decode filter). (CVE-2024-11233) (nielsdos)
+
 Backported from 8.1.30
 
 - CGI:
-- 
2.47.0
Fix Leak partial content of the heap through heap buffer over-read CVE-2024-8929 Fix Configuring a proxy in a stream context might allow for CRLF injection in URIs CVE-2024-11234 Fix Single byte overread with convert.quoted-printable-decode filter CVE-2024-11233 Fix cgi.force_redirect configuration is bypassable due to the environment variable collision CVE-2024-8927 Fix Logs from childrens may be altered CVE-2024-9026 Fix Erroneous parsing of multipart form data CVE-2024-8925 Fix filter bypass in filter_var FILTER_VALIDATE_URL CVE-2024-5458 Fix __Host-/__Secure- cookie bypass due to partial CVE-2022-31629 fix CVE-2024-2756 Fix password_verify can erroneously return true opening ATO risk CVE-2024-3096 Resolves: RHEL-71275 2025-01-21 14:36:05 +00:00			`From 462092a48aa0dbad24d9fa8a4a9d418faa14d309 Mon Sep 17 00:00:00 2001`
			`From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>`
			`Date: Sat, 9 Nov 2024 15:29:52 +0100`
			`Subject: [PATCH 6/8] Fix GHSA-4w77-75f9-2c8w`

			`(cherry picked from commit 7dd336ae838bbf2c62dc47e3c900d657d3534c02)`
			`---`
			`sapi/cli/php_cli_server.c \| 6 +---`
			`sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt \| 41 +++++++++++++++++++++++++`
			`2 files changed, 42 insertions(+), 5 deletions(-)`
			`create mode 100644 sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt`

			`diff --git a/sapi/cli/php_cli_server.c b/sapi/cli/php_cli_server.c`
			`index 295448f1211..5104318a634 100644`
			`--- a/sapi/cli/php_cli_server.c`
			`+++ b/sapi/cli/php_cli_server.c`
			`@@ -1863,8 +1863,6 @@ static size_t php_cli_server_client_send_through(php_cli_server_client *client,`

			`static void php_cli_server_client_populate_request_info(const php_cli_server_client client, sapi_request_info request_info) /* {{{ */`
			`{`
			`- char *val;`
			`-`
			`request_info->request_method = php_http_method_str(client->request.request_method);`
			`request_info->proto_num = client->request.protocol_version;`
			`request_info->request_uri = client->request.request_uri;`
			`@@ -1872,9 +1870,7 @@ static void php_cli_server_client_populate_request_info(const php_cli_server_cli`
			`request_info->query_string = client->request.query_string;`
			`request_info->content_length = client->request.content_len;`
			`request_info->auth_user = request_info->auth_password = request_info->auth_digest = NULL;`
			`- if (NULL != (val = zend_hash_str_find_ptr(&client->request.headers, "content-type", sizeof("content-type")-1))) {`
			`- request_info->content_type = val;`
			`- }`
			`+ request_info->content_type = zend_hash_str_find_ptr(&client->request.headers, "content-type", sizeof("content-type")-1);`
			`} /* }}} */`

			`static void destroy_request_info(sapi_request_info request_info) / {{{ */`
			`diff --git a/sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt b/sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt`
			`new file mode 100644`
			`index 00000000000..2c8aeff12d5`
			`--- /dev/null`
			`+++ b/sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt`
			`@@ -0,0 +1,41 @@`
			`+--TEST--`
			`+GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface)`
			`+--INI--`
			`+allow_url_fopen=1`
			`+--SKIPIF--`
			`+<?php`
			`+include "skipif.inc";`
			`+?>`
			`+--FILE--`
			`+<?php`
			`+include "php_cli_server.inc";`
			`+`
			`+$serverCode = <<<'CODE'`
			`+var_dump(file_get_contents('php://input'));`
			`+CODE;`
			`+`
			`+php_cli_server_start($serverCode, null, []);`
			`+`
			`+$options = [`
			`+ "http" => [`
			`+ "method" => "POST",`
			`+ "header" => "Content-Type: application/x-www-form-urlencoded",`
			`+ "content" => "AAAAA",`
			`+ ],`
			`+];`
			`+$context = stream_context_create($options);`
			`+`
			`+echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", context: $context);`
			`+`
			`+$options = [`
			`+ "http" => [`
			`+ "method" => "POST",`
			`+ ],`
			`+];`
			`+$context = stream_context_create($options);`
			`+`
			`+echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", context: $context);`
			`+?>`
			`+--EXPECT--`
			`+string(5) "AAAAA"`
			`+string(0) ""`
			`--`
			`2.47.0`

			`From 22bdb43da0ecd6e72d63b63aa6c1f3a25d1bca3a Mon Sep 17 00:00:00 2001`
			`From: Remi Collet <remi@remirepo.net>`
			`Date: Fri, 22 Nov 2024 08:58:10 +0100`
			`Subject: [PATCH 7/8] NEWS for 8.1.31 backports`

			`---`
			`NEWS \| 24 ++++++++++++++++++++++++`
			`1 file changed, 24 insertions(+)`

			`diff --git a/NEWS b/NEWS`
			`index bad0a719aae..0f82a65a44b 100644`
			`--- a/NEWS`
			`+++ b/NEWS`
			`@@ -1,6 +1,30 @@`
			`PHP NEWS`
			`\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|`

			`+Backported from 8.1.31`
			`+`
			`+- CLI:`
			`+ . Fixed bug GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data`
			`+ Processing in CLI SAPI Interface). (nielsdos)`
			`+`
			`+- LDAP:`
			`+ . Fixed bug GHSA-g665-fm4p-vhff (OOB access in ldap_escape). (CVE-2024-8932)`
			`+ (nielsdos)`
			`+`
			`+- PDO DBLIB:`
			`+ . Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the dblib quoter causing`
			`+ OOB writes). (CVE-2024-11236) (nielsdos)`
			`+`
			`+- PDO Firebird:`
			`+ . Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the firebird quoter`
			`+ causing OOB writes). (CVE-2024-11236) (nielsdos)`
			`+`
			`+- Streams:`
			`+ . Fixed bug GHSA-c5f2-jwm7-mmq2 (Configuring a proxy in a stream context`
			`+ might allow for CRLF injection in URIs). (CVE-2024-11234) (Jakub Zelenka)`
			`+ . Fixed bug GHSA-r977-prxv-hc43 (Single byte overread with`
			`+ convert.quoted-printable-decode filter). (CVE-2024-11233) (nielsdos)`
			`+`
			`Backported from 8.1.30`

			`- CGI:`
			`--`
			`2.47.0`