--TEST--
FPM: HTTP_PROXY - CVE-2016-5385
--SKIPIF--
<?php include "skipif.inc"; ?>
--FILE--
<?php
// Regression test for CVE-2016-5385 ("httpoxy"): a request-supplied HTTP_PROXY
// value must not become visible to the script, because code that trusts
// HTTP_PROXY as proxy configuration would then send its outbound traffic
// through a proxy chosen by the client. HTTP_FOO is the control value that
// must still pass through unchanged.
include "include.inc";

$logfile = __DIR__.'/php-fpm.log.tmp';
$srcfile = __DIR__.'/php-fpm.tmp.php';
// PHP_INT_SIZE is 4 or 8, so the listener ends up on 9004 or 9008.
$port = 9000+PHP_INT_SIZE;

// Minimal FPM setup: one pool bound to loopback only, logging to $logfile.
$fpmConfig = <<<EOT
[global]
error_log = $logfile
[unconfined]
listen = 127.0.0.1:$port
pm = dynamic
pm.max_children = 5
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 3
EOT;

// Probe script served by FPM. It dumps both views of each value ($_SERVER and
// getenv()) so the expectation covers both lookup paths. The @ silences the
// notice for the HTTP_PROXY index, which is expected to be absent.
$probeScript = <<<EOT
<?php
echo "Test Start\n";
var_dump(
@\$_SERVER["HTTP_PROXY"],
\$_SERVER["HTTP_FOO"],
getenv("HTTP_PROXY"),
getenv("HTTP_FOO")
);
echo "Test End\n";
EOT;
file_put_contents($srcfile, $probeScript);

// run_fpm() comes from include.inc; $tail is presumably filled in by reference
// with a stream on the FPM log (it is read and closed below) - confirm there.
$fpm = run_fpm($fpmConfig, $tail);
if (is_resource($fpm)) {
    // Presumably echoes the first two log lines (the startup notices in --EXPECTF--).
    fpm_display_log($tail, 2);
    try {
        // The last argument carries the request parameters under test: a benign
        // control entry and the HTTP_PROXY entry that has to be filtered out.
        $response = run_request('127.0.0.1', $port, $srcfile, '', [
            'HTTP_FOO' => 'BAR',
            'HTTP_PROXY' => 'BADPROXY',
        ]);
        // Skip everything before the probe script's own output.
        echo strstr($response, "Test Start");
        echo "Request ok\n";
    } catch (Exception $e) {
        echo "Request error\n";
    }
    // Stop FPM first so the shutdown notices are in the log before it is drained.
    proc_terminate($fpm);
    echo stream_get_contents($tail);
    fclose($tail);
    proc_close($fpm);
}
?>
Done
--EXPECTF--
[%s] NOTICE: fpm is running, pid %d
[%s] NOTICE: ready to handle connections
Test Start
NULL
string(3) "BAR"
bool(false)
string(3) "BAR"
Test End
Request ok
[%s] NOTICE: Terminating ...
[%s] NOTICE: exiting, bye-bye!
Done
--CLEAN--
<?php
// Remove the FPM log and the generated probe script written by --FILE--.
// @ keeps the cleanup silent when a file was never created.
foreach (['/php-fpm.log.tmp', '/php-fpm.tmp.php'] as $leftover) {
    @unlink(__DIR__.$leftover);
}
?>