fix bug #61807 - Buffer Overflow in apache_request_headers
authorStanislav Malyshev <stas@php.net>
Mon, 7 May 2012 19:24:22 +0000 (12:24 -0700)
committerStanislav Malyshev <stas@php.net>
Tue, 8 May 2012 17:19:23 +0000 (10:19 -0700)
sapi/cgi/cgi_main.c
sapi/cgi/tests/apache_request_headers.phpt [new file with mode: 0644]

index d25cad41645fea0bbe7ac6231b80fc859a0b00d6..a0a1adadc9c95051011a5918a602d88c6c54ca15 100644 (file)
@@ -1615,15 +1615,21 @@ PHP_FUNCTION(apache_request_headers) /* {{{ */
                                p = var + 5;
 
                                var = q = t;
+                                // First char keep uppercase
                                *q++ = *p++;
                                while (*p) {
-                                       if (*p == '_') {
+                                       if (*p == '=') {
+                                               // End of name
+                                               break;
+                                        } else if (*p == '_') {
                                                *q++ = '-';
                                                p++;
-                                               if (*p) {
+                                                // First char after - keep uppercase
+                                               if (*p && *p!='=' && *p!='_') {
                                                        *q++ = *p++;
                                                }
                                        } else if (*p >= 'A' && *p <= 'Z') {
+                                                // lowercase
                                                *q++ = (*p++ - 'A' + 'a');
                                        } else {
                                                *q++ = *p++;
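Review bot: The copy loop still writes through `q` with no check against the size of the destination `t`. After this change it stays in range only because it stops at `=`, and because the buffer is presumably sized from the name length in code before the hunk. An explicit bound would keep the write safe even if that sizing logic changes later, e.g. `while (*p && *p != '=' && q < t + DEST_SIZE - 1) {`, where DEST_SIZE is a placeholder for the allocation size tracked outside the hunk. The added `//` comments are C99-style; if this file must build with C89 compilers, `/* End of name */` is the safer form. The body of apache_request_headers starts and ends outside the hunk.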
diff --git a/sapi/cgi/tests/apache_request_headers.phpt b/sapi/cgi/tests/apache_request_headers.phpt
new file mode 100644 (file)
index 0000000..37e077e
--- /dev/null
@@ -0,0 +1,49 @@
+--TEST--
+apache_request_headers() stack overflow.
+--SKIPIF--
+<?php 
+include "skipif.inc"; 
+?>
+--FILE--
+<?php
+include "include.inc";
+
+$php = get_cgi_path();
+reset_env_vars();
+
+$file = dirname(__FILE__)."/012.test.php";
+
+file_put_contents($file, '<?php print_r(apache_request_headers()); ?>');
+
+passthru("$php $file");
+
+$names = array('HTTP_X_TEST', 'HTTP_X__TEST', 'HTTP_X_');
+foreach ($names as $name) {
+       putenv($name."=".str_repeat("A", 256));
+       passthru("$php -q $file");
+       putenv($name);
+}
+unlink($file);
+
+echo "Done\n";
+?>
+--EXPECTF--    
+X-Powered-By: PHP/%s
+Content-type: text/html
+
+Array
+(
+)
+Array
+(
+    [X-Test] => AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+)
+Array
+(
+    [X--Test] => AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+)
+Array
+(
+    [X-] => AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+)
+Done
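Review bot: The helper script is written to a fixed name, `012.test.php`, which looks borrowed from another test in this directory and could collide with it if the suite runs tests concurrently. A name tied to this test avoids that, e.g. `$file = dirname(__FILE__)."/apache_request_headers.test.php";`. The `unlink($file)` sits at the end of `--FILE--`, so a crash in the child or an aborted run leaves the script behind; moving it into a `--CLEAN--` section would remove it either way. All three cases use short header names with a 256-byte value, so a name long enough to force the allocation path (if the function has one outside this diff) is not covered. One more `putenv` case with a long `HTTP_` name would pin that down.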