Fix GH-16137: "Deduplicate" *Forwarded* http headers values.

devnexen · devnexen · commit 4ab96630f78f · 2024-10-01T18:28:24.000+01:00
Those are meant to have 1 or plus values separated by a comma even
 if the client set them separately.
diff --git a/sapi/cli/php_cli_server.c b/sapi/cli/php_cli_server.c
@@ -1678,16 +1678,38 @@ static int php_cli_server_client_read_request_on_fragment(php_http_parser *parse
 
 static void php_cli_server_client_save_header(php_cli_server_client *client)
 {
+	zval *entry;
 	/* Wrap header value in a zval to add is to the HashTable which acts as an array */
 	zval tmp;
-	ZVAL_STR(&tmp, client->current_header_value);
 	/* strip off the colon */
 	zend_string *lc_header_name = zend_string_tolower_ex(client->current_header_name, /* persistent */ true);
 	GC_MAKE_PERSISTENT_LOCAL(lc_header_name);
 
-	/* Add the wrapped zend_string to the HashTable */
-	zend_hash_add(&client->request.headers, lc_header_name, &tmp);
-	zend_hash_add(&client->request.headers_original_case, client->current_header_name, &tmp);
+	/**
+	 * **Forwarded** HTTP family headers can have 1 or more values separated by a comma while still
+	 * possibly be set separately by the client.
+	 **/
+	if (!strstr(ZSTR_VAL(lc_header_name), "forwarded") ||
+             (entry = zend_hash_find(&client->request.headers, lc_header_name)) == NULL) {
+		ZVAL_STR(&tmp, client->current_header_value);
+
+		/* Add the wrapped zend_string to the HashTable */
+		zend_hash_add(&client->request.headers, lc_header_name, &tmp);
+		zend_hash_add(&client->request.headers_original_case, client->current_header_name, &tmp);
+	} else {
+		zend_string *curval = Z_STR_P(entry);
+		zend_string *newval = zend_string_alloc(ZSTR_LEN(curval) + ZSTR_LEN(client->current_header_value) + 2, /* persistent */true);
+
+		memcpy(ZSTR_VAL(newval), ZSTR_VAL(curval), ZSTR_LEN(curval));
+		memcpy(ZSTR_VAL(newval) + ZSTR_LEN(curval), ",", 1);
+		memcpy(ZSTR_VAL(newval) + ZSTR_LEN(curval) + 1, ZSTR_VAL(client->current_header_value), ZSTR_LEN(client->current_header_value) + 1);
+
+		ZVAL_STR(&tmp, newval);
+
+		/* Update the wrapped zend_string to the HashTable */
+		zend_hash_update(&client->request.headers, lc_header_name, &tmp);
+		zend_hash_update(&client->request.headers_original_case, client->current_header_name, &tmp);
+	}
 
 	zend_string_release_ex(lc_header_name, /* persistent */ true);
 	zend_string_release_ex(client->current_header_name, /* persistent */ true);
