Skip to content

sapi/cli: guard Content-Length overflow and enforce post_max_size #22017

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
iliaal wants to merge 1 commit into
base: master
Choose a base branch
from
+105 −9
Open

sapi/cli: guard Content-Length overflow and enforce post_max_size #22017

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 30 additions & 5 deletions sapi/cli/php_cli_server.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -174,6 +174,7 @@ typedef struct php_cli_server_client {
zend_string *addr_str;
php_http_parser parser;
bool request_read;
bool too_large_post;
zend_string *current_header_name;
zend_string *current_header_value;
enum { HEADER_NONE=0, HEADER_FIELD, HEADER_VALUE } last_header_element;
Expand Down Expand Up @@ -209,6 +210,7 @@ static const php_cli_server_http_response_status_code_pair template_map[] = {
{ 400, "<h1>%s</h1><p>Your browser sent a request that this server could not understand.</p>" },
{ 404, "<h1>%s</h1><p>The requested resource <code class=\"url\">%s</code> was not found on this server.</p>" },
{ 405, "<h1>%s</h1><p>Requested method not allowed.</p>" },
{ 413, "<h1>%s</h1><p>The request body exceeds the configured <code>post_max_size</code> of " ZEND_LONG_FMT " bytes.</p>" },
{ 500, "<h1>%s</h1><p>The server is temporarily unavailable.</p>" },
{ 501, "<h1>%s</h1><p>Request method not supported.</p>" }
};
Expand Down Expand Up @@ -1779,6 +1781,16 @@ static int php_cli_server_client_read_request_on_headers_complete(php_http_parse
break;
}
client->last_header_element = HEADER_NONE;

if (parser->content_length > 0
&& SG(post_max_size) > 0
&& (zend_long) parser->content_length > SG(post_max_size)) {
client->request.protocol_version = parser->http_major * 100 + parser->http_minor;
client->too_large_post = true;
client->request_read = true;
return 2;
}

return 0;
}

Expand Down Expand Up @@ -1866,7 +1878,7 @@ static int php_cli_server_client_read_request(php_cli_server_client *client, cha
}
client->parser.data = client;
nbytes_consumed = php_http_parser_execute(&client->parser, &settings, buf, nbytes_read);
if (nbytes_consumed != (size_t)nbytes_read) {
if (nbytes_consumed != (size_t)nbytes_read && !client->too_large_post) {
if (php_cli_server_log_level >= PHP_CLI_SERVER_LOG_ERROR) {
if ((buf[0] & 0x80) /* SSLv2 */ || buf[0] == 0x16 /* SSLv3/TLSv1 */) {
*errstr = estrdup("Unsupported SSL request");
Expand Down Expand Up @@ -1960,6 +1972,7 @@ static void php_cli_server_client_ctor(php_cli_server_client *client, php_cli_se

php_http_parser_init(&client->parser, PHP_HTTP_REQUEST);
client->request_read = false;
client->too_large_post = false;
Copy link
Copy Markdown
Member

@devnexen devnexen May 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

too_large_post is only cleared in client_ctor. Works now since each request rebuilds the client, but if keep-alive ever reuses the struct, the flag
lingers and every follow-up request gets a bogus 413. Worth resetting it with the other per-request state, or leaving a note at the declaration

Copy link
Copy Markdown
Contributor Author

@iliaal iliaal May 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

request_read, last_header_element, and current_header_* are all initialized only in client_ctor for the same reason: the client is torn down at request end. Keep-alive would need a shared per-request reset covering the lot, not just too_large_post.


client->last_header_element = HEADER_NONE;
client->current_header_name = NULL;
Expand Down Expand Up @@ -2038,11 +2051,20 @@ static zend_result php_cli_server_send_error_page(php_cli_server *server, php_cl
php_cli_server_buffer_append(&client->content_sender.buffer, chunk);
}
{
php_cli_server_chunk *chunk = php_cli_server_chunk_heap_new_self_contained(strlen(content_template) + ZSTR_LEN(escaped_request_uri) + 3 + strlen(status_string) + 1);
if (!chunk) {
goto fail;
php_cli_server_chunk *chunk;
if (status == 413) {
chunk = php_cli_server_chunk_heap_new_self_contained(strlen(content_template) + strlen(status_string) + MAX_LENGTH_OF_LONG + 1);
if (!chunk) {
goto fail;
}
snprintf(chunk->data.heap.p, chunk->data.heap.len, content_template, status_string, SG(post_max_size));
} else {
chunk = php_cli_server_chunk_heap_new_self_contained(strlen(content_template) + ZSTR_LEN(escaped_request_uri) + 3 + strlen(status_string) + 1);
if (!chunk) {
goto fail;
}
snprintf(chunk->data.heap.p, chunk->data.heap.len, content_template, status_string, ZSTR_VAL(escaped_request_uri));
}
snprintf(chunk->data.heap.p, chunk->data.heap.len, content_template, status_string, ZSTR_VAL(escaped_request_uri));
chunk->data.heap.len = strlen(chunk->data.heap.p);
php_cli_server_buffer_append(&client->content_sender.buffer, chunk);
}
Expand Down Expand Up @@ -2641,6 +2663,9 @@ static zend_result php_cli_server_recv_event_read_request(php_cli_server *server
if (client->request.request_method == PHP_HTTP_NOT_IMPLEMENTED) {
return php_cli_server_send_error_page(server, client, 501);
}
if (client->too_large_post) {
return php_cli_server_send_error_page(server, client, 413);
}
php_cli_server_poller_remove(&server->poller, POLLIN, client->sock);
return php_cli_server_dispatch(server, client);
case 0:
Expand Down
17 changes: 13 additions & 4 deletions sapi/cli/php_http_parser.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,13 +20,18 @@
*/
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include "php_http_parser.h"


#ifndef MIN
# define MIN(a,b) ((a) < (b) ? (a) : (b))
#endif

#ifndef SSIZE_MAX
# define SSIZE_MAX PTRDIFF_MAX
#endif


#define CALLBACK2(FOR) \
do { \
Expand Down Expand Up @@ -1228,8 +1233,10 @@ size_t php_http_parser_execute (php_http_parser *parser,
case h_content_length:
if (ch == ' ') break;
if (ch < '0' || ch > '9') goto error;
parser->content_length *= 10;
parser->content_length += ch - '0';
if (parser->content_length > (SSIZE_MAX - (ch - '0')) / 10) {
goto error;
}
parser->content_length = parser->content_length * 10 + (ch - '0');
break;

/* Transfer-Encoding: chunked */
Expand Down Expand Up @@ -1433,8 +1440,10 @@ size_t php_http_parser_execute (php_http_parser *parser,
goto error;
}

parser->content_length *= 16;
parser->content_length += c;
if (parser->content_length > (SSIZE_MAX - c) / 16) {
goto error;
}
parser->content_length = parser->content_length * 16 + c;
break;
}

Expand Down
62 changes: 62 additions & 0 deletions sapi/cli/tests/gh22003.phpt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
--TEST--
GH-22003 (CLI server: overflow in Content-Length parser + post_max_size enforcement)
--SKIPIF--
<?php
include "skipif.inc";
?>
--FILE--
<?php
include "php_cli_server.inc";
php_cli_server_start("echo 'OK';", null, ['-d', 'post_max_size=1024']);

$host = PHP_CLI_SERVER_HOSTNAME;

// 1. Content-Length above the configured post_max_size but within ssize_t:
// consumer must reject with a 413 page before allocating a body buffer.
$fp = php_cli_server_connect();
fwrite($fp, "POST / HTTP/1.1\r\nHost: $host\r\nContent-Length: 999999\r\nConnection: close\r\n\r\n");
$response = stream_get_contents($fp);
fclose($fp);
echo "over post_max_size: ", str_contains($response, "413 Request Entity Too Large") ? "413" : "FAIL", "\n";
echo "shows configured limit: ", str_contains($response, "1024 bytes") ? "yes" : "no", "\n";

// 2. Same case but with body bytes piggybacked in the same write. The parser sees
// the body bytes after on_headers_complete bails; without a guard in the
// read-request error path the response would be 400 instead of 413.
$fp = php_cli_server_connect();
fwrite($fp, "POST / HTTP/1.1\r\nHost: $host\r\nContent-Length: 999999\r\nConnection: close\r\n\r\n0123456789");
$response = stream_get_contents($fp);
fclose($fp);
echo "over limit with body bytes: ", str_contains($response, "413 Request Entity Too Large") ? "413" : "FAIL", "\n";

// 3. Content-Length wide enough to overflow ssize_t accumulation in the parser:
// parser-level guard rejects as a malformed request before headers-complete fires.
$fp = php_cli_server_connect();
fwrite($fp, "POST / HTTP/1.1\r\nHost: $host\r\nContent-Length: 999999999999999999999999999999\r\nConnection: close\r\n\r\n");
$response = stream_get_contents($fp);
fclose($fp);
echo "content-length overflow: ", str_contains($response, "200 OK") ? "FAIL" : "rejected", "\n";

// 4. Transfer-Encoding: chunked with an oversized hex chunk size: same parser guard
// on the chunked accumulator must reject without aborting the server.
$fp = php_cli_server_connect();
fwrite($fp, "POST / HTTP/1.1\r\nHost: $host\r\nTransfer-Encoding: chunked\r\nConnection: close\r\n\r\n"
. str_repeat("F", 32) . "\r\n");
$response = stream_get_contents($fp);
fclose($fp);
echo "chunked overflow: ", str_contains($response, "200 OK") ? "FAIL" : "rejected", "\n";

// 5. Server must still be alive and serving normal requests.
$fp = php_cli_server_connect();
fwrite($fp, "GET / HTTP/1.1\r\nHost: $host\r\nConnection: close\r\n\r\n");
$response = stream_get_contents($fp);
fclose($fp);
echo "follow-up: ", str_contains($response, "200 OK") ? "200 OK" : "FAILED", "\n";
?>
--EXPECT--
over post_max_size: 413
shows configured limit: yes
over limit with body bytes: 413
content-length overflow: rejected
chunked overflow: rejected
follow-up: 200 OK
Loading