From 69dee5c732fe982c82edb17d0dbc3e79a47748d8 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Tue, 12 Jun 2018 20:34:01 +0200
Subject: [PATCH] Fixed bug #73342

Directly listen on socket, instead of duping it to STDIN and
listening on that.
---
 NEWS                                          |  4 ++
 sapi/fpm/fpm/fpm_children.c                   |  1 +
 sapi/fpm/fpm/fpm_stdio.c                      |  6 ---
 .../fpm/tests/bug73342-nonblocking-stdio.phpt | 46 +++++++++++++++++++
 4 files changed, 51 insertions(+), 6 deletions(-)
 create mode 100644 sapi/fpm/tests/bug73342-nonblocking-stdio.phpt

diff --git a/NEWS b/NEWS
index 435df031c8..c0e391cb6e 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,10 @@ PHP                                                                        NEWS
 - Date:
   . Fixed bug #76462 (Undefined property: DateInterval::$f). (Anatol)
 
+- FPM:
+  . Fixed bug #73342 (Vulnerability in php-fpm by changing stdin to
+    non-blocking). (Nikita)
+
 22 Jun 2019, PHP 7.1.19
 
 - CLI Server:
diff --git a/sapi/fpm/fpm/fpm_children.c b/sapi/fpm/fpm/fpm_children.c
index b48fa54f53..4ee316ba1b 100644
--- a/sapi/fpm/fpm/fpm_children.c
+++ b/sapi/fpm/fpm/fpm_children.c
@@ -146,6 +146,7 @@ static struct fpm_child_s *fpm_child_find(pid_t pid) /* {{{ */
 static void fpm_child_init(struct fpm_worker_pool_s *wp) /* {{{ */
 {
 	fpm_globals.max_requests = wp->config->pm_max_requests;
+	fpm_globals.listening_socket = dup(wp->listening_socket);
 
 	if (0 > fpm_stdio_init_child(wp)  ||
 	    0 > fpm_log_init_child(wp)    ||
diff --git a/sapi/fpm/fpm/fpm_stdio.c b/sapi/fpm/fpm/fpm_stdio.c
index 40720176e1..76e8b324df 100644
--- a/sapi/fpm/fpm/fpm_stdio.c
+++ b/sapi/fpm/fpm/fpm_stdio.c
@@ -103,12 +103,6 @@ int fpm_stdio_init_child(struct fpm_worker_pool_s *wp) /* {{{ */
 	fpm_globals.error_log_fd = -1;
 	zlog_set_fd(-1);
 
-	if (wp->listening_socket != STDIN_FILENO) {
-		if (0 > dup2(wp->listening_socket, STDIN_FILENO)) {
-			zlog(ZLOG_SYSERROR, "failed to init child stdio: dup2()");
-			return -1;
-		}
-	}
 	return 0;
 }
 /* }}} */
diff --git a/sapi/fpm/tests/bug73342-nonblocking-stdio.phpt b/sapi/fpm/tests/bug73342-nonblocking-stdio.phpt
new file mode 100644
index 0000000000..3cf44d11ff
--- /dev/null
+++ b/sapi/fpm/tests/bug73342-nonblocking-stdio.phpt
@@ -0,0 +1,46 @@
+--TEST--
+FPM: bug73342 - Non-blocking stdin
+--SKIPIF--
+<?php include "skipif.inc"; ?>
+--FILE--
+<?php
+
+require_once "tester.inc";
+
+$cfg = <<<EOT
+[global]
+error_log = {{FILE:LOG}}
+[unconfined]
+listen = {{ADDR}}
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 1
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+EOT;
+
+$code = <<<EOT
+<?php
+echo "Before\n";
+stream_set_blocking(fopen('php://stdin', 'r'), false);
+echo "After\n";
+EOT;
+
+$tester = new FPM\Tester($cfg, $code);
+$tester->start();
+$tester->expectLogStartNotices();
+$tester->request()->expectBody("Before\nAfter");
+$tester->request()->expectBody("Before\nAfter");
+$tester->terminate();
+$tester->expectLogTerminatingNotices();
+$tester->close();
+
+?>
+Done
+--EXPECT--
+Done
+--CLEAN--
+<?php
+require_once "tester.inc";
+FPM\Tester::clean();
+?>
-- 
2.40.0