FPM: add test for CVE-2016-5385

diff --git a/sapi/fpm/tests/022-cve-2016-5385.phpt b/sapi/fpm/tests/022-cve-2016-5385.phpt
new file mode 100644 (file)
index 0000000..7f3e818
--- /dev/null
+++ b/sapi/fpm/tests/022-cve-2016-5385.phpt
@@ -0,0 +1,81 @@
+--TEST--
+FPM: HTTP_PROXY - CVE-2016-5385
+--SKIPIF--
+<?php include "skipif.inc"; ?>
+--FILE--
+<?php
+
+include "include.inc";
+
+$logfile = __DIR__.'/php-fpm.log.tmp';
+$srcfile = __DIR__.'/php-fpm.tmp.php';
+$port = 9000+PHP_INT_SIZE;
+
+$cfg = <<<EOT
+[global]
+error_log = $logfile
+[unconfined]
+listen = 127.0.0.1:$port
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 1
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+EOT;
+
+$code = <<<EOT
+<?php
+echo "Test Start\n";
+var_dump(
+       \$_SERVER["HTTP_PROXY"],
+       \$_SERVER["HTTP_FOO"],
+       getenv("HTTP_PROXY"),
+       getenv("HTTP_FOO")
+);
+echo "Test End\n";
+EOT;
+file_put_contents($srcfile, $code);
+
+$fpm = run_fpm($cfg, $tail);
+if (is_resource($fpm)) {
+    fpm_display_log($tail, 2);
+    try {
+               $headers = [
+                       'HTTP_FOO' => 'BAR',
+                       'HTTP_PROXY' => 'BADPROXY',
+               ];
+               $req = run_request('127.0.0.1', $port, $srcfile, '', $headers);
+               echo strstr($req, "Test Start");
+               echo "Request ok\n";
+       } catch (Exception $e) {
+               echo "Request error\n";
+       }
+    proc_terminate($fpm);
+    echo stream_get_contents($tail);
+    fclose($tail);
+    proc_close($fpm);
+}
+
+?>
+Done
+--EXPECTF--
+[%s] NOTICE: fpm is running, pid %d
+[%s] NOTICE: ready to handle connections
+Test Start
+NULL
+string(3) "BAR"
+bool(false)
+string(3) "BAR"
+Test End
+
+Request ok
+[%s] NOTICE: Terminating ...
+[%s] NOTICE: exiting, bye-bye!
+Done
+--CLEAN--
+<?php
+       $logfile = __DIR__.'/php-fpm.log.tmp';
+       $srcfile = __DIR__.'/php-fpm.tmp.php';
+    @unlink($logfile);
+    @unlink($srcfile);
+?>

diff --git a/sapi/fpm/tests/include.inc b/sapi/fpm/tests/include.inc
index b195fad507325709d389218733da07a55ef38179..a8b64f48b7eac0643e1ee83b1c8770bcd0e1a573 100644 (file)
--- a/sapi/fpm/tests/include.inc
+++ b/sapi/fpm/tests/include.inc
@@ -86,10 +86,10 @@ function fpm_display_log($tail, $n=1, $ignore='systemd') {
        }
 }
 
-function run_request($host, $port, $uri='/ping', $query='') {
+function run_request($host, $port, $uri='/ping', $query='', $headers=array()) {
        require_once 'fcgi.inc';
        $client = new Adoy\FastCGI\Client($host, $port);
-       $params = array(
+       $params = array_merge(array(
                'GATEWAY_INTERFACE' => 'FastCGI/1.0',
                'REQUEST_METHOD'    => 'GET',
                'SCRIPT_FILENAME'   => $uri,
@@ -106,6 +106,6 @@ function run_request($host, $port, $uri='/ping', $query='') {
                'SERVER_PROTOCOL'   => 'HTTP/1.1',
                'CONTENT_TYPE'      => '',
                'CONTENT_LENGTH'    => 0
-       );
+       ), $headers);
        return $client->request($params, false)."\n";
 }