PHP  
 PHP_HEAD
 

Test Failure Report for ext/curl/tests/bug69316.phpt ('Bug #69316: Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER')

Script

1: <?php
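/**
 * CURLOPT_HEADERFUNCTION callback for the bug #69316 regression test.
 *
 * The first time it runs it closes the stream held in $GLOBALS['f_file'],
 * which the script has registered as CURLOPT_FILE, while the transfer is
 * still in progress. It then asks for a string of roughly the size of a
 * FILE structure. On a fixed build curl_exec() is expected to notice the
 * closed resource and emit the "CURLOPT_FILE resource has gone away,
 * resetting to default" warning instead of writing through the stale handle.
 *
 * @param mixed  $ch   cURL handle the callback was invoked for
 * @param string $data One raw response header line
 * @return int Length of $data, reported back to libcurl as the bytes handled
 */
function hdr_callback($ch, $data) {
    // close the stream, causing the FILE structure to be free()'d
    if ($GLOBALS['f_file']) {
        fclose($GLOBALS['f_file']); $GLOBALS['f_file'] = 0;

        // cause an allocation of approx the same size as a FILE structure, size varies a bit depending on platform/libc
        // NOTE(review): the page rendering dropped the `4 ?` and `:` tokens here and the
        // commas and `-` below; they are restored from context. Confirm against the .phpt
        // file in the source tree.
        $FILE_size = (PHP_INT_SIZE == 4 ? 0x160 : 0x238);
        curl_setopt($ch, CURLOPT_COOKIE, str_repeat("a", $FILE_size - 1));
    }
    return strlen($data);
}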
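
// Test driver for bug #69316. The operators and commas below were lost in the
// page rendering and are restored from context; confirm against the .phpt file.

// server.inc belongs to the curl test suite and is not shown in this report;
// curl_cli_server_start() is expected to return the address of a local test server.
include 'server.inc';
$host = curl_cli_server_start();
$temp_file = __DIR__ . '/body.tmp';
$url = "{$host}/get.inc?test=getpost";
$ch = curl_init();
$f_file = fopen($temp_file, "w") or die("failed to open file\n");
// NOTE(review): presumably a tiny buffer so the body is delivered in several
// writes after hdr_callback() has already closed $f_file. Confirm.
curl_setopt($ch, CURLOPT_BUFFERSIZE, 10);
curl_setopt($ch, CURLOPT_HEADERFUNCTION, "hdr_callback");
curl_setopt($ch, CURLOPT_FILE, $f_file);
curl_setopt($ch, CURLOPT_URL, $url);
// This is line 24 in the report's numbering, the line the expected warning is
// attributed to. A passing run prints the warning and then the response body
// on standard output, because the closed CURLOPT_FILE target is reset to the default.
curl_exec($ch);
curl_close($ch);
?>
===DONE===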

Expected

Warning: curl_exec(): CURLOPT_FILE resource has gone away, resetting to default in %s on line %d
array(1) {
  ["test"]=>
  string(7) "getpost"
}
array(0) {
}
===DONE===

Output

Warning: curl_exec(): CURLOPT_FILE resource has gone away, resetting to default in /var/php_gcov/PHP_HEAD/ext/curl/tests/bug69316.php on line 24
<?php
  $test = isset($_GET['test']) ? $_GET['test'] : null;
  switch($test) {
    case 'post':
      var_dump($_POST);
      break;
    case 'getpost':
      var_dump($_GET);
      var_dump($_POST);
      break;
    case 'referer':
      echo $_SERVER['HTTP_REFERER'];
      break;
    case 'useragent':
      echo $_SERVER['HTTP_USER_AGENT'];
      break;
    case 'httpversion':
      echo $_SERVER['SERVER_PROTOCOL'];
      break;
    case 'cookie':
      echo $_COOKIE['foo'];
      break;
    case 'encoding':
      echo $_SERVER['HTTP_ACCEPT_ENCODING'];
      break;
    case 'contenttype':
      header('Content-Type: text/plain;charset=utf-8');
      break;
    case 'file':
      if (isset($_FILES['file'])) {
          echo $_FILES['file']['name'] . '|' . $_FILES['file']['type'];
      }
      break;
    case 'method':
      echo $_SERVER['REQUEST_METHOD'];
      break;
    default:
      echo "Hello World!\n";
      echo "Hello World!";
      break;
  }
?>
===DONE===

Diff

002+ <?php
003+   $test = isset($_GET['test']) ? $_GET['test'] : null;
004+   switch($test) {
005+     case 'post':
006+       var_dump($_POST);
007+       break;
008+     case 'getpost':
002- array(1) {
003-   ["test"]=>
004-   string(7) "getpost"
005- }
006- array(0) {
007- }
008- ===DONE===
009+       var_dump($_GET);
010+       var_dump($_POST);
011+       break;
012+     case 'referer':
013+       echo $_SERVER['HTTP_REFERER'];
014+       break;
015+     case 'useragent':
016+       echo $_SERVER['HTTP_USER_AGENT'];
017+       break;
018+     case 'httpversion':
019+       echo $_SERVER['SERVER_PROTOCOL'];
020+       break;
021+     case 'cookie':
022+       echo $_COOKIE['foo'];
023+       break;
024+     case 'encoding':
025+       echo $_SERVER['HTTP_ACCEPT_ENCODING'];
026+       break;
027+     case 'contenttype':
028+       header('Content-Type: text/plain;charset=utf-8');
029+       break;
030+     case 'file':
031+       if (isset($_FILES['file'])) {
032+           echo $_FILES['file']['name'] . '|' . $_FILES['file']['type'];
033+       }
034+       break;
035+     case 'method':
036+       echo $_SERVER['REQUEST_METHOD'];
037+       break;
038+     default:
039+       echo "Hello World!\n";
040+       echo "Hello World!";
041+       break;
042+   }
043+ ?>
044+ ===DONE===
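Review bot: Every `+` line from 002 onward is the source text of a PHP script (a `switch` on `$_GET['test']`) rather than the `var_dump` output the test expects, which suggests the test HTTP server returned `get.inc` without executing it; this is an inference, since `server.inc` is not shown on the page. Line 001, the `CURLOPT_FILE resource has gone away, resetting to default` warning, does not appear in the diff and therefore matched, so the guard this regression test exists for did fire. On the visible evidence this looks like a harness failure and not a return of the use-after-free, so triage should start with how `curl_cli_server_start()` serves `.inc` files on this host. A comment in the script such as `// raw get.inc source in the output means the test server did not execute it` would save the next reader the same analysis.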

 

Generated at Mon, 06 May 2019 17:58:35 +0000 (50 days ago)
