From: Remi Collet Date: Fri, 22 Jul 2016 07:35:09 +0000 (+0200) Subject: FPM: add test for CVE-2016-5385 X-Git-Tag: php-7.0.10RC1~66^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=fb4a6dc0f1df106dae84c9d8f3ec53cc0da7231b;p=php FPM: add test for CVE-2016-5385
---
diff --git a/sapi/fpm/tests/022-cve-2016-5385.phpt b/sapi/fpm/tests/022-cve-2016-5385.phpt
new file mode 100644
index 0000000000..7f3e818f9b
--- /dev/null
+++ b/sapi/fpm/tests/022-cve-2016-5385.phpt
@@ -0,0 +1,81 @@
+--TEST--
+FPM: HTTP_PROXY - CVE-2016-5385
+--SKIPIF--
+
+--FILE--
+ 'BAR',
+ 'HTTP_PROXY' => 'BADPROXY',
+ ];
+ $req = run_request('127.0.0.1', $port, $srcfile, '', $headers);
+ echo strstr($req, "Test Start");
+ echo "Request ok\n";
+ } catch (Exception $e) {
+ echo "Request error\n";
+ }
+ proc_terminate($fpm);
+ echo stream_get_contents($tail);
+ fclose($tail);
+ proc_close($fpm);
+}
+
+?>
+Done
+--EXPECTF--
+[%s] NOTICE: fpm is running, pid %d
+[%s] NOTICE: ready to handle connections
+Test Start
+NULL
+string(3) "BAR"
+bool(false)
+string(3) "BAR"
+Test End
+
+Request ok
+[%s] NOTICE: Terminating ...
+[%s] NOTICE: exiting, bye-bye!
+Done
+--CLEAN--
+
diff --git a/sapi/fpm/tests/include.inc b/sapi/fpm/tests/include.inc
index b195fad507..a8b64f48b7 100644
--- a/sapi/fpm/tests/include.inc
+++ b/sapi/fpm/tests/include.inc
@@ -86,10 +86,10 @@ function fpm_display_log($tail, $n=1, $ignore='systemd') {
 }
 }
-function run_request($host, $port, $uri='/ping', $query='') {
+function run_request($host, $port, $uri='/ping', $query='', $headers=array()) {
 require_once 'fcgi.inc';
 $client = new Adoy\FastCGI\Client($host, $port);
- $params = array(
+ $params = array_merge(array(
 'GATEWAY_INTERFACE' => 'FastCGI/1.0',
 'REQUEST_METHOD' => 'GET',
 'SCRIPT_FILENAME' => $uri,
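Review bot: In `022-cve-2016-5385.phpt` the `catch (Exception $e)` branch prints only `Request error` and discards the exception, so when the FastCGI request fails the test output gives no hint of the cause; `echo "Request error: ", $e->getMessage(), "\n";` would keep the reason in the failure diff. The four expected dumps (`NULL`, `string(3) "BAR"`, `bool(false)`, `string(3) "BAR"`) are also unlabelled, so a regression would not show which lookup started exposing the `HTTP_PROXY` value; a one-line comment above each dump in the served script, naming the lookup it checks, would help. The script body between `--FILE--` and the `$headers` array is not visible on this page, so the second point is inferred from the expected output alone.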
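Review bot: `run_request()` in `include.inc` merges `$headers` after the built-in FastCGI params, so a caller-supplied key such as `SCRIPT_FILENAME` or `REQUEST_METHOD` silently replaces the default, and the name `$headers` hides that the entries are sent as raw params (the new test passes `HTTP_PROXY` already prefixed). A comment above the function such as `// $headers: extra raw FastCGI params (HTTP headers as 'HTTP_*'); merged last, so they override the defaults` would document that. Declaring the parameter as `array $headers=array()` would also make a non-array argument fail at the call rather than inside `array_merge()`. The closing `), $headers);` of this change sits in the next hunk (`@@ -106,6 +106,6 @@`), so the function body spans both hunks.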
@@ -106,6 +106,6 @@ function run_request($host, $port, $uri='/ping', $query='') {
 'SERVER_PROTOCOL' => 'HTTP/1.1',
 'CONTENT_TYPE' => '',
 'CONTENT_LENGTH' => 0
- );
+ ), $headers);
 return $client->request($params, false)."\n";
 }