From d4d61a2bcb9975c8aeddbc6603211064174087a9 Mon Sep 17 00:00:00 2001
From: Ondřej Surý <ondrej@sury.org>
Date: Wed, 9 May 2012 08:47:34 +0200
Subject: Imported Upstream version 5.4.3

---
 sapi/cgi/cgi_main.c                        | 21 ++++++++++---
 sapi/cgi/tests/apache_request_headers.phpt | 49 ++++++++++++++++++++++++++++++
 2 files changed, 65 insertions(+), 5 deletions(-)
 create mode 100644 sapi/cgi/tests/apache_request_headers.phpt

(limited to 'sapi')

diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
index 84e0d63ad..215a3d265 100644
--- a/sapi/cgi/cgi_main.c
+++ b/sapi/cgi/cgi_main.c
@@ -1614,15 +1614,21 @@ PHP_FUNCTION(apache_request_headers) /* {{{ */
 				p = var + 5;
 
 				var = q = t;
+				// First char keep uppercase
 				*q++ = *p++;
 				while (*p) {
-					if (*p == '_') {
+					if (*p == '=') {
+						// End of name
+						break;
+					} else if (*p == '_') {
 						*q++ = '-';
 						p++;
-						if (*p) {
+						// First char after - keep uppercase
+						if (*p && *p!='=') {
 							*q++ = *p++;
 						}
 					} else if (*p >= 'A' && *p <= 'Z') {
+						// lowercase
 						*q++ = (*p++ - 'A' + 'a');
 					} else {
 						*q++ = *p++;
@@ -1806,10 +1812,15 @@ int main(int argc, char *argv[])
 		}
 	}
 
-	if(query_string = getenv("QUERY_STRING")) {
+	if((query_string = getenv("QUERY_STRING")) != NULL && strchr(query_string, '=') == NULL) {
+		/* we've got query string that has no = - apache CGI will pass it to command line */
+		unsigned char *p;
 		decoded_query_string = strdup(query_string);
 		php_url_decode(decoded_query_string, strlen(decoded_query_string));
-		if(*decoded_query_string == '-' && strchr(decoded_query_string, '=') == NULL) {
+		for (p = decoded_query_string; *p &&  *p <= ' '; p++) {
+			/* skip all leading spaces */
+		}
+		if(*p == '-') {
 			skip_getopt = 1;
 		}
 		free(decoded_query_string);
@@ -2073,7 +2084,7 @@ consult the installation file that came with this distribution, or visit \n\
 	}
 
 	zend_first_try {
-		while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) {
+		while (!skip_getopt && (c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1, 2)) != -1) {
 			switch (c) {
 				case 'T':
 					benchmark = 1;
diff --git a/sapi/cgi/tests/apache_request_headers.phpt b/sapi/cgi/tests/apache_request_headers.phpt
new file mode 100644
index 000000000..2c82d57b2
--- /dev/null
+++ b/sapi/cgi/tests/apache_request_headers.phpt
@@ -0,0 +1,49 @@
+--TEST--
+apache_request_headers() stack overflow.
+--SKIPIF--
+<?php 
+include "skipif.inc"; 
+?>
+--FILE--
+<?php
+include "include.inc";
+
+$php = get_cgi_path();
+reset_env_vars();
+
+$file = dirname(__FILE__)."/012.test.php";
+
+file_put_contents($file, '<?php print_r(apache_request_headers()); ?>');
+
+passthru("$php $file");
+
+$names = array('HTTP_X_TEST', 'HTTP_X__TEST', 'HTTP_X_');
+foreach ($names as $name) {
+	putenv($name."=".str_repeat("A", 256));
+	passthru("$php -q $file");
+	putenv($name);
+}
+unlink($file);
+
+echo "Done\n";
+?>
+--EXPECTF--	
+X-Powered-By: PHP/%s
+Content-type: text/html
+
+Array
+(
+)
+Array
+(
+    [X-Test] => AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+)
+Array
+(
+    [X-_test] => AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+)
+Array
+(
+    [X-] => AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+)
+Done
-- 
cgit v1.2.3