clones/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2024-09-23 10:57:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

FPM: add test for CVE-2016-5385

Browse Source
This commit is contained in:
Remi Collet 2016-07-22 09:35:09 +02:00
parent f2c2a4be9e
commit fb4a6dc0f1
2 changed files with 84 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
sapi/fpm/tests/022-cve-2016-5385.phpt Normal file
View File

@ -0,0 +1,81 @@
--TEST--
FPM: HTTP_PROXY - CVE-2016-5385
--SKIPIF--
<?php include "skipif.inc"; ?>
--FILE--
<?php
include "include.inc";
$logfile = __DIR__.'/php-fpm.log.tmp';
$srcfile = __DIR__.'/php-fpm.tmp.php';
$port = 9000+PHP_INT_SIZE;
$cfg = <<<EOT
[global]
error_log = $logfile
[unconfined]
listen = 127.0.0.1:$port
pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 3
EOT;
$code = <<<EOT
<?php
echo "Test Start\n";
var_dump(
\$_SERVER["HTTP_PROXY"],
\$_SERVER["HTTP_FOO"],
getenv("HTTP_PROXY"),
getenv("HTTP_FOO")
);
echo "Test End\n";
EOT;
file_put_contents($srcfile, $code);
$fpm = run_fpm($cfg, $tail);
if (is_resource($fpm)) {
fpm_display_log($tail, 2);
try {
$headers = [
'HTTP_FOO' => 'BAR',
'HTTP_PROXY' => 'BADPROXY',
];
$req = run_request('127.0.0.1', $port, $srcfile, '', $headers);
echo strstr($req, "Test Start");
echo "Request ok\n";
} catch (Exception $e) {
echo "Request error\n";
}
proc_terminate($fpm);
echo stream_get_contents($tail);
fclose($tail);
proc_close($fpm);
}
?>
Done
--EXPECTF--
[%s] NOTICE: fpm is running, pid %d
[%s] NOTICE: ready to handle connections
Test Start
NULL
string(3) "BAR"
bool(false)
string(3) "BAR"
Test End
Request ok
[%s] NOTICE: Terminating ...
[%s] NOTICE: exiting, bye-bye!
Done
--CLEAN--
<?php
$logfile = __DIR__.'/php-fpm.log.tmp';
$srcfile = __DIR__.'/php-fpm.tmp.php';
@unlink($logfile);
@unlink($srcfile);
?>

6
sapi/fpm/tests/include.inc
View File

@ -86,10 +86,10 @@ function fpm_display_log($tail, $n=1, $ignore='systemd') {
}
}
function run_request($host, $port, $uri='/ping', $query='') {
function run_request($host, $port, $uri='/ping', $query='', $headers=array()) {
require_once 'fcgi.inc';
$client = new Adoy\FastCGI\Client($host, $port);
$params = array(
$params = array_merge(array(
'GATEWAY_INTERFACE' => 'FastCGI/1.0',
'REQUEST_METHOD' => 'GET',
'SCRIPT_FILENAME' => $uri,
@ -106,6 +106,6 @@ function run_request($host, $port, $uri='/ping', $query='') {
'SERVER_PROTOCOL' => 'HTTP/1.1',
'CONTENT_TYPE' => '',
'CONTENT_LENGTH' => 0
);
), $headers);
return $client->request($params, false)."\n";
}