Fixed bug #73342

nikic · nikic · commit 69dee5c732fe · 2018-06-20T12:28:15.000+02:00
Directly listen on socket, instead of duping it to STDIN and
listening on that.
diff --git a/NEWS b/NEWS
@@ -5,6 +5,10 @@ PHP                                                                        NEWS
 - Date:
   . Fixed bug #76462 (Undefined property: DateInterval::$f). (Anatol)
 
+- FPM:
+  . Fixed bug #73342 (Vulnerability in php-fpm by changing stdin to
+    non-blocking). (Nikita)
+
 22 Jun 2019, PHP 7.1.19
 
 - CLI Server:
diff --git a/sapi/fpm/fpm/fpm_children.c b/sapi/fpm/fpm/fpm_children.c
@@ -146,6 +146,7 @@ static struct fpm_child_s *fpm_child_find(pid_t pid) /* {{{ */
 static void fpm_child_init(struct fpm_worker_pool_s *wp) /* {{{ */
 {
 	fpm_globals.max_requests = wp->config->pm_max_requests;
+	fpm_globals.listening_socket = dup(wp->listening_socket);
 
 	if (0 > fpm_stdio_init_child(wp)  ||
 	    0 > fpm_log_init_child(wp)    ||
diff --git a/sapi/fpm/fpm/fpm_stdio.c b/sapi/fpm/fpm/fpm_stdio.c
@@ -103,12 +103,6 @@ int fpm_stdio_init_child(struct fpm_worker_pool_s *wp) /* {{{ */
 	fpm_globals.error_log_fd = -1;
 	zlog_set_fd(-1);
 
-	if (wp->listening_socket != STDIN_FILENO) {
-		if (0 > dup2(wp->listening_socket, STDIN_FILENO)) {
-			zlog(ZLOG_SYSERROR, "failed to init child stdio: dup2()");
-			return -1;
-		}
-	}
 	return 0;
 }
 /* }}} */
diff --git a/sapi/fpm/tests/bug73342-nonblocking-stdio.phpt b/sapi/fpm/tests/bug73342-nonblocking-stdio.phpt
@@ -0,0 +1,46 @@
+--TEST--
+FPM: bug73342 - Non-blocking stdin
+--SKIPIF--
+<?php include "skipif.inc"; ?>
+--FILE--
+<?php
+
+require_once "tester.inc";
+
+$cfg = <<<EOT
+[global]
+error_log = {{FILE:LOG}}
+[unconfined]
+listen = {{ADDR}}
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 1
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+EOT;
+
+$code = <<<EOT
+<?php
+echo "Before\n";
+stream_set_blocking(fopen('php://stdin', 'r'), false);
+echo "After\n";
+EOT;
+
+$tester = new FPM\Tester($cfg, $code);
+$tester->start();
+$tester->expectLogStartNotices();
+$tester->request()->expectBody("Before\nAfter");
+$tester->request()->expectBody("Before\nAfter");
+$tester->terminate();
+$tester->expectLogTerminatingNotices();
+$tester->close();
+
+?>
+Done
+--EXPECT--
+Done
+--CLEAN--
+<?php
+require_once "tester.inc";
+FPM\Tester::clean();
+?>

Original file line number	Diff line number	Diff line change
`@@ -146,6 +146,7 @@ static struct fpm_child_s fpm_child_find(pid_t pid) / {{{ */`
`146`	`146`	`static void fpm_child_init(struct fpm_worker_pool_s wp) / {{{ */`
`147`	`147`	`{`
`148`	`148`	`fpm_globals.max_requests = wp->config->pm_max_requests;`
	`149`	`+ fpm_globals.listening_socket = dup(wp->listening_socket);`
`149`	`150`
`150`	`151`	`if (0 > fpm_stdio_init_child(wp) \|\|`
`151`	`152`	`0 > fpm_log_init_child(wp) \|\|`