Merge branch 'PHP-5.6' into PHP-7.0
authorAnatol Belski <ab@php.net>
Sun, 14 Feb 2016 19:49:03 +0000 (20:49 +0100)
committerAnatol Belski <ab@php.net>
Sun, 14 Feb 2016 19:49:03 +0000 (20:49 +0100)
* PHP-5.6:
  Fixed bug #71559 Built-in HTTP server, we can download file in web by bug

sapi/cli/php_cli_server.c

index 4ee85bf538fa693edd41fe1302c46541604cd919,169c05b88e8a4100e8648d05f7b9ec54542a9ca4..ac41c44defdaf163ab9676b0a5c9faf1f330ebd6
@@@ -1952,12 -2055,25 +1952,25 @@@ static int php_cli_server_begin_send_st
  
        if (client->request.path_translated && strlen(client->request.path_translated) != client->request.path_translated_len) {
                /* can't handle paths that contain nul bytes */
 -              return php_cli_server_send_error_page(server, client, 400 TSRMLS_CC);
 +              return php_cli_server_send_error_page(server, client, 400);
        }
  
+ #ifdef PHP_WIN32
+       /* The win32 namespace will cut off trailing dots and spaces. Since the
+          VCWD functionality isn't used here, a sophisticated functionality
+          would have to be reimplemented to know ahead there are no files
+          with invalid names there. The simplest is just to forbid invalid
+          filenames, which is done here. */
+       if (client->request.path_translated &&
+               ('.' == client->request.path_translated[client->request.path_translated_len-1] ||
+                ' ' == client->request.path_translated[client->request.path_translated_len-1])) {
+               return php_cli_server_send_error_page(server, client, 500);
+       }
+ #endif
        fd = client->request.path_translated ? open(client->request.path_translated, O_RDONLY): -1;
        if (fd < 0) {
 -              return php_cli_server_send_error_page(server, client, 404 TSRMLS_CC);
 +              return php_cli_server_send_error_page(server, client, 404);
        }
  
        php_cli_server_content_sender_ctor(&client->content_sender);
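Review bot: The PHP_WIN32 check indexes `client->request.path_translated[client->request.path_translated_len-1]` without first confirming the length is non-zero, so if an empty translated path can reach this point (not visible in this hunk) the index falls before the start of the buffer and the read is out of bounds. Adding `client->request.path_translated_len > 0 &&` right after the NULL test closes that. The rejection also answers 500, while the NUL-byte rejection just above answers 400 for the same kind of malformed request path; 400 or 404 would keep a client-caused condition from being reported as a server fault. The body of php_cli_server_begin_send_static starts and continues outside the hunk.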