
Commit 301b8e2

committed
Fix GH-16809: fopen HTTP wrapper timeout stream context option overflow.
close GH-16810
1 parent 5cbdd5f commit 301b8e2


3 files changed

+40
-0
lines changed


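--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,8 @@ PHP NEWS
 - Streams:
 . Fixed bug GH-17037 (UAF in user filter when adding existing filter name due
 to incorrect error handling). (nielsdos)
+. Fixed bug GH-16810 (overflow on fopen HTTP wrapper timeout value).
+(David Carlier)
 
 - Windows:
 . Hardened proc_open() against cmd.exe hijacking. (cmb)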

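--- a/ext/standard/http_fopen_wrapper.c
+++ b/ext/standard/http_fopen_wrapper.c
@@ -216,6 +216,18 @@ static php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
 
 if (context && (tmpzval = php_stream_context_get_option(context, wrapper->wops->label, "timeout")) != NULL) {
 double d = zval_get_double(tmpzval);
+#ifndef PHP_WIN32
+const double timeoutmax = (double) PHP_TIMEOUT_ULL_MAX / 1000000.0;
+#else
+const double timeoutmax = (double) LONG_MAX / 1000000.0;
+#endif
+
+if (d > timeoutmax) {
+php_stream_wrapper_log_error(wrapper, options, "timeout must be lower than " ZEND_ULONG_FMT, (zend_ulong)timeoutmax);
+zend_string_release(transport_string);
+php_url_free(resource);
+return NULL;
+}
 #ifndef PHP_WIN32
 timeout.tv_sec = (time_t) d;
 timeout.tv_usec = (size_t) ((d - timeout.tv_sec) * 1000000);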
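Review bot: The new guard `if (d > timeoutmax)` bounds the timeout only from above, so a NaN or a very large negative double taken from the stream context still reaches the `(time_t) d` cast in the context lines that follow, and converting a non-finite or out-of-range double to an integer type is undefined behaviour in C. I would reject non-finite values in the same branch, `if (!zend_finite(d) || d > timeoutmax) {`, and add a lower bound once it is decided how negative timeouts are meant to behave (the accompanying test expects `PHP_INT_MIN` to open a stream). The message says "must be lower than" while the check accepts `d == timeoutmax`; "must not be greater than" would match the condition. php_stream_url_wrap_http_ex starts and ends outside this hunk, so the Windows side of the conversion is not visible here.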

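--- a/ext/standard/tests/http/gh16810.phpt
+++ b/ext/standard/tests/http/gh16810.phpt
@@ -0,0 +1,26 @@
+--TEST--
+Bug #79265 variation: "host:" not at start of header
+--INI--
+allow_url_fopen=1
+--SKIPIF--
+<?php if (PHP_INT_SIZE != 8) die("skip this test is for 64bit platform only"); ?>
+--FILE--
+<?php
+$uri = "http://www.example.com";
+$config = [
+'http' => [
+'timeout' => PHP_INT_MIN,
+],
+];
+$ctx = stream_context_create($config);
+var_dump(fopen($uri, "r", false, $ctx));
+
+$config['http']['timeout'] = PHP_INT_MAX;
+$ctx = stream_context_create($config);
+var_dump(fopen($uri, "r", false, $ctx));
+?>
+--EXPECTF--
+resource(%d) of type (stream)
+
+Warning: fopen(http://www.example.com): Failed to open stream: timeout must be lower than %d in %s on line %d
+bool(false)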
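Review bot: Both `fopen()` calls target `http://www.example.com`, and the first expectation, `resource(%d) of type (stream)`, only holds when the machine running the test can reach that host, so the test fails offline or behind a filtering proxy even when the timeout check itself is correct. Pointing `$uri` at a server the test starts itself, or skipping when the network is unavailable, would keep the result tied to the code under test. The `--TEST--` title `Bug #79265 variation: "host:" not at start of header` looks copied from another test; something like `GH-16810 (overflow on fopen HTTP wrapper timeout value)` would describe this one.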
