Merge branch 'v2.6.x'

diff --git a/src/php_http_info.c b/src/php_http_info.c
index 6eef822707c1bfa6082672be7a91762e31ee094e..9045cd40997d4b23fa5ba97aadd1d6ab5947be4e 100644 (file)
--- a/src/php_http_info.c
+++ b/src/php_http_info.c
@@ -30,11 +30,11 @@ void php_http_info_dtor(php_http_info_t *i)
                        PTR_SET(PHP_HTTP_INFO(i).request.method, NULL);
                        PTR_SET(PHP_HTTP_INFO(i).request.url, NULL);
                        break;
-               
+
                case PHP_HTTP_RESPONSE:
                        PTR_SET(PHP_HTTP_INFO(i).response.status, NULL);
                        break;
-               
+
                default:
                        break;
        }
@@ -51,29 +51,41 @@ void php_http_info_free(php_http_info_t **i)
 
 php_http_info_t *php_http_info_parse(php_http_info_t *info, const char *pre_header)
 {
-       const char *end, *http;
+       const char *end, *http, *off;
        zend_bool free_info = !info;
-       
+
        /* sane parameter */
        if ((!pre_header) || (!*pre_header)) {
                return NULL;
        }
-       
+
        /* where's the end of the line */
        if (!(end = php_http_locate_eol(pre_header, NULL))) {
                end = pre_header + strlen(pre_header);
        }
-       
+
        /* there must be HTTP/1.x in the line */
        if (!(http = php_http_locate_str(pre_header, end - pre_header, "HTTP/", lenof("HTTP/")))) {
                return NULL;
        }
-       
+
        info = php_http_info_init(info);
 
-       /* and nothing than SPACE or NUL after HTTP/X.x */
-       if (!php_http_version_parse(&info->http.version, http)
-       ||      (http[lenof("HTTP/X.x")] && (!PHP_HTTP_IS_CTYPE(space, http[lenof("HTTP/X.x")])))) {
+       if (!php_http_version_parse(&info->http.version, http)) {
+               if (free_info) {
+                       php_http_info_free(&info);
+               }
+               return NULL;
+       }
+
+       /* clumsy fix for changed libcurl behaviour in 7.49.1, see https://github.com/curl/curl/issues/888 */
+       off = &http[lenof("HTTP/X")];
+       if (info->http.version.major < 2) {
+               off += 2;
+       }
+
+       /* and nothing than SPACE or NUL after HTTP/X(.x) */
+       if (*off && (!PHP_HTTP_IS_CTYPE(space, *off))) {
                if (free_info) {
                        php_http_info_free(&info);
                }
@@ -90,11 +102,11 @@ php_http_info_t *php_http_info_parse(php_http_info_t *info, const char *pre_head
 
        /* is response */
        if (pre_header == http) {
-               const char *status = NULL, *code = http + sizeof("HTTP/X.x");
-               
+               const char *status = NULL, *code = off;
+
                info->type = PHP_HTTP_RESPONSE;
                while (code < end && ' ' == *code) ++code;
-               if (code && end > code) {
+               if (end > code) {
                        /* rfc7230#3.1.2 The status-code element is a 3-digit integer code */
                        PHP_HTTP_INFO(info).response.code = 100*(*code++ - '0');
                        PHP_HTTP_INFO(info).response.code += 10*(*code++ - '0');
@@ -115,14 +127,14 @@ php_http_info_t *php_http_info_parse(php_http_info_t *info, const char *pre_head
                } else {
                        PHP_HTTP_INFO(info).response.status = NULL;
                }
-               
+
                return info;
        }
-       
+
        /* is request */
-       else if (*(http - 1) == ' ' && (!http[lenof("HTTP/X.x")] || http[lenof("HTTP/X.x")] == '\r' || http[lenof("HTTP/X.x")] == '\n')) {
+       else if (*(http - 1) == ' ' && (!*off || *off == '\r' || *off == '\n')) {
                const char *url = strchr(pre_header, ' ');
-               
+
                info->type = PHP_HTTP_REQUEST;
                if (url && http > url) {
                        size_t url_len = url - pre_header;
@@ -151,11 +163,11 @@ php_http_info_t *php_http_info_parse(php_http_info_t *info, const char *pre_head
                        PHP_HTTP_INFO(info).request.method = NULL;
                        PHP_HTTP_INFO(info).request.url = NULL;
                }
-               
+
                return info;
        }
 
-       /* some darn header containing HTTP/X.x */
+       /* some darn header containing HTTP/X(.x) */
        else {
                if (free_info) {
                        php_http_info_free(&info);

diff --git a/src/php_http_params.c b/src/php_http_params.c
index c9feccb6c56705e63088ded27a3a0f716acb7969..8988f43c65c0cd33dcd9ff7220304c0c4065d7bd 100644 (file)
--- a/src/php_http_params.c
+++ b/src/php_http_params.c
@@ -248,7 +248,7 @@ static inline void sanitize_key(unsigned flags, const char *str, size_t len, zva
        if (flags & PHP_HTTP_PARAMS_ESCAPED) {
                sanitize_escaped(zv);
        }
-       
+
        if (!Z_STRLEN_P(zv)) {
                return;
        }
@@ -554,7 +554,9 @@ static void merge_param(HashTable *params, zval *zdata, zval **current_param, zv
 static void push_param(HashTable *params, php_http_params_state_t *state, const php_http_params_opts_t *opts)
 {
        if (state->val.str) {
-               if (0 < (state->val.len = state->input.str - state->val.str)) {
+               if (!state->current.val) {
+                       return;
+               } else if (0 < (state->val.len = state->input.str - state->val.str)) {
                        sanitize_value(opts->flags, state->val.str, state->val.len, state->current.val, state->rfc5987);
                } else {
                        ZVAL_EMPTY_STRING(state->current.val);
@@ -639,7 +641,7 @@ static size_t check_sep(php_http_params_state_t *state, php_http_params_token_t
        if (state->quotes || state->escape) {
                return 0;
        }
-       
+
        if (sep) while (*sep) {
                if (check_str(state->input.str, state->input.len, (*sep)->str, (*sep)->len)) {
                        return (*sep)->len;
@@ -689,7 +691,7 @@ HashTable *php_http_params_parse(HashTable *params, const php_http_params_opts_t
                } else {
                        state.escape = (*state.input.str == '\\');
                }
-               
+
                if (!state.param.str) {
                        /* initialize */
                        skip_sep(0, &state, opts->param, opts->arg, opts->val);
@@ -743,7 +745,7 @@ HashTable *php_http_params_parse(HashTable *params, const php_http_params_opts_t
                                }
                        }
                }
-               
+
                if (state.input.len) {
                        ++state.input.str;
                        --state.input.len;

diff --git a/src/php_http_version.c b/src/php_http_version.c
index e763a855a12169a6df342e49b2316c5e41793b21..7f7d34245384f000376d2ba6f1725dac3131c466 100644 (file)
--- a/src/php_http_version.c
+++ b/src/php_http_version.c
@@ -44,18 +44,29 @@ php_http_version_t *php_http_version_parse(php_http_version_t *v, const char *st
                major = *ptr++ - '0';
                if (major >= 0 && major <= 9) {
                        separator = *ptr++;
-                       if (separator) {
-                               if (separator != '.' && separator != ',') {
-                                       php_error_docref(NULL, E_NOTICE, "Non-standard version separator '%c' in HTTP protocol version '%s'", separator, ptr - 2);
-                               }
+                       switch (separator) {
+                       default:
+                               php_error_docref(NULL, E_NOTICE, "Non-standard version separator '%c' in HTTP protocol version '%s'", separator, ptr - 2);
+                               /* no break */
+                       case '.':
+                       case ',':
                                minor = *ptr - '0';
-                               if (minor >= 0 && minor <= 9) {
-                                       return php_http_version_init(v, major, minor);
+                               break;
+
+                       case ' ':
+                               if (major > 1) {
+                                       minor = 0;
+                               } else {
+                                       goto error;
                                }
                        }
+                       if (minor >= 0 && minor <= 9) {
+                               return php_http_version_init(v, major, minor);
+                       }
                }
        }
 
+       error:
        php_error_docref(NULL, E_WARNING, "Could not parse HTTP protocol version '%s'", str);
        return NULL;
 }

diff --git a/tests/client022.phpt b/tests/client022.phpt
index e3f7f118812a86cc1faf11a4fd02615fbbfbc553..a59971ccbcaccb7b99bdac8e83ece4c51ede3cbd 100644 (file)
--- a/tests/client022.phpt
+++ b/tests/client022.phpt
@@ -18,10 +18,12 @@ nghttpd(function($port) {
        $client->setOptions([
                "protocol" => http\Client\Curl\HTTP_VERSION_2_0,
                "ssl" => [
-                       "cafile" => __DIR__."/helper/http2.crt",
+                       "cainfo" => __DIR__."/helper/http2.crt",
                ]
        ]);
-       $client->enqueue(new http\Client\Request("GET", "https://localhost:$port"));
+       
+       $request = new http\Client\Request("GET", "https://localhost:$port");
+       $client->enqueue($request);
        echo $client->send()->getResponse();
 });
 

diff --git a/tests/gh-issue47.phpt b/tests/gh-issue47.phpt
new file mode 100644 (file)
index 0000000..1a09b8d
--- /dev/null
+++ b/tests/gh-issue47.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Null pointer deref in sanitize_value
+--SKIPIF--
+<?php
+include "skipif.inc";
+?>
+--FILE--
+<?php
+echo "Test\n";
+
+$urls = [
+    "",
+    "? = ="
+];
+
+$url0=new http\Url($urls[0], null, http\Url::FROM_ENV);
+$url1=$url0->mod($urls[1]);
+
+echo $url1;
+
+?>
+
+===DONE===
+--EXPECTF--
+Test
+http://%s/
+===DONE===