Merge branch 'PHP-7.4' into PHP-8.0

cmb69 · cmb69 · commit bb4dbbc150d0 · 2021-07-15T19:13:58.000+02:00
* PHP-7.4:
  Fix #80849: HTTP Status header truncation
diff --git a/NEWS b/NEWS
@@ -5,6 +5,9 @@ PHP                                                                        NEWS
 - Core:
   . Fixed bug #72595 (php_output_handler_append illegal write access). (cmb)
 
+- CGI:
+  . Fixed bug #80849 (HTTP Status header truncation). (cmb)
+
 - Standard:
   . Fixed bug #72146 (Integer overflow on substr_replace). (cmb)
 
diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
@@ -383,7 +383,7 @@ static int sapi_cgi_send_headers(sapi_headers_struct *sapi_headers)
 
 		if (CGIG(rfc2616_headers) && SG(sapi_headers).http_status_line) {
 			char *s;
-			len = slprintf(buf, SAPI_CGI_MAX_HEADER_LENGTH, "%s\r\n", SG(sapi_headers).http_status_line);
+			len = slprintf(buf, SAPI_CGI_MAX_HEADER_LENGTH, "%s", SG(sapi_headers).http_status_line);
 			if ((s = strchr(SG(sapi_headers).http_status_line, ' '))) {
 				response_status = atoi((s + 1));
 			}
@@ -400,7 +400,7 @@ static int sapi_cgi_send_headers(sapi_headers_struct *sapi_headers)
 				(s - SG(sapi_headers).http_status_line) >= 5 &&
 				strncasecmp(SG(sapi_headers).http_status_line, "HTTP/", 5) == 0
 			) {
-				len = slprintf(buf, sizeof(buf), "Status:%s\r\n", s);
+				len = slprintf(buf, sizeof(buf), "Status:%s", s);
 				response_status = atoi((s + 1));
 			} else {
 				h = (sapi_header_struct*)zend_llist_get_first_ex(&sapi_headers->headers, &pos);
@@ -423,16 +423,17 @@ static int sapi_cgi_send_headers(sapi_headers_struct *sapi_headers)
 						err++;
 					}
 					if (err->str) {
-						len = slprintf(buf, sizeof(buf), "Status: %d %s\r\n", SG(sapi_headers).http_response_code, err->str);
+						len = slprintf(buf, sizeof(buf), "Status: %d %s", SG(sapi_headers).http_response_code, err->str);
 					} else {
-						len = slprintf(buf, sizeof(buf), "Status: %d\r\n", SG(sapi_headers).http_response_code);
+						len = slprintf(buf, sizeof(buf), "Status: %d", SG(sapi_headers).http_response_code);
 					}
 				}
 			}
 		}
 
 		if (!has_status) {
 			PHPWRITE_H(buf, len);
+			PHPWRITE_H("\r\n", 2);
 			ignore_status = 1;
 		}
 	}
diff --git a/sapi/cgi/tests/bug80849-cgi.phpt b/sapi/cgi/tests/bug80849-cgi.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #80849 (HTTP Status header truncation)
+--CGI--
+--FILE--
+<?php
+header('HTTP/1.1 201 ' . str_repeat('A', 1014), true);
+?>
+--EXPECTHEADERS--
+Status: 201 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+--EXPECT--
diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c
@@ -323,7 +323,7 @@ static int sapi_cgi_send_headers(sapi_headers_struct *sapi_headers) /* {{{ */
 
 		if (CGIG(rfc2616_headers) && SG(sapi_headers).http_status_line) {
 			char *s;
-			len = slprintf(buf, SAPI_CGI_MAX_HEADER_LENGTH, "%s\r\n", SG(sapi_headers).http_status_line);
+			len = slprintf(buf, SAPI_CGI_MAX_HEADER_LENGTH, "%s", SG(sapi_headers).http_status_line);
 			if ((s = strchr(SG(sapi_headers).http_status_line, ' '))) {
 				response_status = atoi((s + 1));
 			}
@@ -340,7 +340,7 @@ static int sapi_cgi_send_headers(sapi_headers_struct *sapi_headers) /* {{{ */
 				(s - SG(sapi_headers).http_status_line) >= 5 &&
 				strncasecmp(SG(sapi_headers).http_status_line, "HTTP/", 5) == 0
 			) {
-				len = slprintf(buf, sizeof(buf), "Status:%s\r\n", s);
+				len = slprintf(buf, sizeof(buf), "Status:%s", s);
 				response_status = atoi((s + 1));
 			} else {
 				h = (sapi_header_struct*)zend_llist_get_first_ex(&sapi_headers->headers, &pos);
@@ -363,16 +363,17 @@ static int sapi_cgi_send_headers(sapi_headers_struct *sapi_headers) /* {{{ */
 						err++;
 					}
 					if (err->str) {
-						len = slprintf(buf, sizeof(buf), "Status: %d %s\r\n", SG(sapi_headers).http_response_code, err->str);
+						len = slprintf(buf, sizeof(buf), "Status: %d %s", SG(sapi_headers).http_response_code, err->str);
 					} else {
-						len = slprintf(buf, sizeof(buf), "Status: %d\r\n", SG(sapi_headers).http_response_code);
+						len = slprintf(buf, sizeof(buf), "Status: %d", SG(sapi_headers).http_response_code);
 					}
 				}
 			}
 		}
 
 		if (!has_status) {
 			PHPWRITE_H(buf, len);
+			PHPWRITE_H("\r\n", 2);
 			ignore_status = 1;
 		}
 	}
diff --git a/sapi/fpm/tests/bug80849-fpm.phpt b/sapi/fpm/tests/bug80849-fpm.phpt
@@ -0,0 +1,40 @@
+--TEST--
+Bug #80849 (HTTP Status header truncation)
+--SKIPIF--
+<?php include "skipif.inc"; ?>
+--FILE--
+<?php
+require_once "tester.inc";
+
+$cfg = <<<EOT
+[global]
+error_log = {{FILE:LOG}}
+[unconfined]
+listen = {{ADDR}}
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 1
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+EOT;
+
+$code = <<<EOT
+<?php
+header('HTTP/1.1 201 ' . str_repeat('A', 1014), true);
+EOT;
+
+$tester = new FPM\Tester($cfg, $code);
+$tester->start();
+$tester->expectLogStartNotices();
+$tester
+    ->request()
+    ->expectHeader('Status', '201 ' . str_repeat('A', 1011));
+$tester->terminate();
+$tester->close();
+?>
+--CLEAN--
+<?php
+require_once "tester.inc";
+FPM\Tester::clean();
+?>
+--EXPECT--

Original file line number	Diff line number	Diff line change
`@@ -383,7 +383,7 @@ static int sapi_cgi_send_headers(sapi_headers_struct *sapi_headers)`
`383`	`383`
`384`	`384`	`if (CGIG(rfc2616_headers) && SG(sapi_headers).http_status_line) {`
`385`	`385`	`char *s;`
`386`		`- len = slprintf(buf, SAPI_CGI_MAX_HEADER_LENGTH, "%s\r\n", SG(sapi_headers).http_status_line);`
	`386`	`+ len = slprintf(buf, SAPI_CGI_MAX_HEADER_LENGTH, "%s", SG(sapi_headers).http_status_line);`
`387`	`387`	`if ((s = strchr(SG(sapi_headers).http_status_line, ' '))) {`
`388`	`388`	`response_status = atoi((s + 1));`
`389`	`389`	`}`
`@@ -400,7 +400,7 @@ static int sapi_cgi_send_headers(sapi_headers_struct *sapi_headers)`
`400`	`400`	`(s - SG(sapi_headers).http_status_line) >= 5 &&`
`401`	`401`	`strncasecmp(SG(sapi_headers).http_status_line, "HTTP/", 5) == 0`
`402`	`402`	`) {`
`403`		`- len = slprintf(buf, sizeof(buf), "Status:%s\r\n", s);`
	`403`	`+ len = slprintf(buf, sizeof(buf), "Status:%s", s);`
`404`	`404`	`response_status = atoi((s + 1));`
`405`	`405`	`} else {`
`406`	`406`	`h = (sapi_header_struct*)zend_llist_get_first_ex(&sapi_headers->headers, &pos);`
`@@ -423,16 +423,17 @@ static int sapi_cgi_send_headers(sapi_headers_struct *sapi_headers)`
`423`	`423`	`err++;`
`424`	`424`	`}`
`425`	`425`	`if (err->str) {`
`426`		`- len = slprintf(buf, sizeof(buf), "Status: %d %s\r\n", SG(sapi_headers).http_response_code, err->str);`
	`426`	`+ len = slprintf(buf, sizeof(buf), "Status: %d %s", SG(sapi_headers).http_response_code, err->str);`
`427`	`427`	`} else {`
`428`		`- len = slprintf(buf, sizeof(buf), "Status: %d\r\n", SG(sapi_headers).http_response_code);`
	`428`	`+ len = slprintf(buf, sizeof(buf), "Status: %d", SG(sapi_headers).http_response_code);`
`429`	`429`	`}`
`430`	`430`	`}`
`431`	`431`	`}`
`432`	`432`	`}`
`433`	`433`
`434`	`434`	`if (!has_status) {`
`435`	`435`	`PHPWRITE_H(buf, len);`
	`436`	`+ PHPWRITE_H("\r\n", 2);`
`436`	`437`	`ignore_status = 1;`
`437`	`438`	`}`
`438`	`439`	`}`
Original file line number	Diff line number	Diff line change
`@@ -323,7 +323,7 @@ static int sapi_cgi_send_headers(sapi_headers_struct sapi_headers) / {{{ */`
`323`	`323`
`324`	`324`	`if (CGIG(rfc2616_headers) && SG(sapi_headers).http_status_line) {`
`325`	`325`	`char *s;`
`326`		`- len = slprintf(buf, SAPI_CGI_MAX_HEADER_LENGTH, "%s\r\n", SG(sapi_headers).http_status_line);`
	`326`	`+ len = slprintf(buf, SAPI_CGI_MAX_HEADER_LENGTH, "%s", SG(sapi_headers).http_status_line);`
`327`	`327`	`if ((s = strchr(SG(sapi_headers).http_status_line, ' '))) {`
`328`	`328`	`response_status = atoi((s + 1));`
`329`	`329`	`}`
`@@ -340,7 +340,7 @@ static int sapi_cgi_send_headers(sapi_headers_struct sapi_headers) / {{{ */`
`340`	`340`	`(s - SG(sapi_headers).http_status_line) >= 5 &&`
`341`	`341`	`strncasecmp(SG(sapi_headers).http_status_line, "HTTP/", 5) == 0`
`342`	`342`	`) {`
`343`		`- len = slprintf(buf, sizeof(buf), "Status:%s\r\n", s);`
	`343`	`+ len = slprintf(buf, sizeof(buf), "Status:%s", s);`
`344`	`344`	`response_status = atoi((s + 1));`
`345`	`345`	`} else {`
`346`	`346`	`h = (sapi_header_struct*)zend_llist_get_first_ex(&sapi_headers->headers, &pos);`
`@@ -363,16 +363,17 @@ static int sapi_cgi_send_headers(sapi_headers_struct sapi_headers) / {{{ */`
`363`	`363`	`err++;`
`364`	`364`	`}`
`365`	`365`	`if (err->str) {`
`366`		`- len = slprintf(buf, sizeof(buf), "Status: %d %s\r\n", SG(sapi_headers).http_response_code, err->str);`
	`366`	`+ len = slprintf(buf, sizeof(buf), "Status: %d %s", SG(sapi_headers).http_response_code, err->str);`
`367`	`367`	`} else {`
`368`		`- len = slprintf(buf, sizeof(buf), "Status: %d\r\n", SG(sapi_headers).http_response_code);`
	`368`	`+ len = slprintf(buf, sizeof(buf), "Status: %d", SG(sapi_headers).http_response_code);`
`369`	`369`	`}`
`370`	`370`	`}`
`371`	`371`	`}`
`372`	`372`	`}`
`373`	`373`
`374`	`374`	`if (!has_status) {`
`375`	`375`	`PHPWRITE_H(buf, len);`
	`376`	`+ PHPWRITE_H("\r\n", 2);`
`376`	`377`	`ignore_status = 1;`
`377`	`378`	`}`
`378`	`379`	`}`