php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75760 The php development server crashes on GET/POST request with huge Content-Length
Submitted: 2018-01-04 16:30 UTC Modified: 2018-01-05 07:31 UTC
From: speirofr at gmail dot com Assigned:
Status: Open Package: Built-in web server
PHP Version: 7.0.27 OS: Ubuntu 16
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: speirofr at gmail dot com
New email:
PHP Version: OS:

 

 [2018-01-04 16:30 UTC] speirofr at gmail dot com
Description:
------------
The PHP development server crashes when a GET/POST request is performed with a huge Content-Length header, as the PHP server attempts to allocate the memory requested by the client (same as https://bugs.php.net/bug.php?id=61461).

The steps to reproduce the bug are provided in the Test Script,
on the PHP debian package php7.0 (7.0.22-0ubuntu0.16.04.1),
as well as on previous PHP versions starting with PHP5 (php 5.6.30).

Test script:
---------------
# start php development server
! pgrep '^php$' && php -S 127.0.0.1:8080 &
sleep 1
# send GET/POST request with huge content-length
nc 127.0.0.1 8080 <<EOF
GET / HTTP/1.1
User-Agent: PHP-Test-Env/1.2
Accept: */*
Host: 127.0.0.1:8080
Connection: Keep-Alive
Content-Length: 555555555555555

test
EOF
# the php development server crashes
! pgrep '^php$' && echo 'Test FAIL: The PHP server crashed'


Expected result:
----------------
The PHP server should not crash when a client issues a HTTP request with an invalid Content-Length.

Actual result:
--------------
The output observed when executing the Test Script is:

php -S 127.0.0.1:8080
PHP 7.0.22-0ubuntu0.16.04.1 Development Server
Listening on http://127.0.0.1:8080
Document root is /tmp
Press Ctrl-C to quit.
Out of memory

Debugging the PHP server shows that the malloc that runs out of memory is performed at php_cli_server_client_read_request_on_body:

(gdb) bt
 59 #0  __GI___libc_malloc (bytes=34359738368) at malloc.c:2902
 60 #1  0x00000000008350e9 in __zend_malloc (len=34359738368) at php-src/Zend/zend_alloc.c:2884
 61 #2  0x0000000000911d69 in php_cli_server_client_read_request_on_body (parser=<optimized out>, at=0x7fffffff8767 
 63 

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-01-05 07:31 UTC] laruence@php.net
PHP built-in webserver is used for debugging purpose... and in this case it should bailout because out of memory, so I think there is nothing need to be fixed.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 13:01:29 2024 UTC