PHP :: Bug #75760 :: The php development server crashes on GET/POST request with huge Content-Length

Bug #75760	The php development server crashes on GET/POST request with huge Content-Length
Submitted:	2018-01-04 16:30 UTC	Modified:	2018-01-05 07:31 UTC
From:	speirofr at gmail dot com	Assigned:
Status:	Open	Package:	Built-in web server
PHP Version:	7.0.27	OS:	Ubuntu 16
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	speirofr at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2018-01-04 16:30 UTC] speirofr at gmail dot com

Description:
------------
The PHP development server crashes when a GET/POST request is performed with a huge Content-Length header, as the PHP server attempts to allocate the memory requested by the client (same as https://bugs.php.net/bug.php?id=61461).

The steps to reproduce the bug are provided in the Test Script,
on the PHP debian package php7.0 (7.0.22-0ubuntu0.16.04.1),
as well as on previous PHP versions starting with PHP5 (php 5.6.30).

Test script:
---------------
# start php development server
! pgrep '^php$' && php -S 127.0.0.1:8080 &
sleep 1
# send GET/POST request with huge content-length
nc 127.0.0.1 8080 <<EOF
GET / HTTP/1.1
User-Agent: PHP-Test-Env/1.2
Accept: */*
Host: 127.0.0.1:8080
Connection: Keep-Alive
Content-Length: 555555555555555

test
EOF
# the php development server crashes
! pgrep '^php$' && echo 'Test FAIL: The PHP server crashed'


Expected result:
----------------
The PHP server should not crash when a client issues a HTTP request with an invalid Content-Length.

Actual result:
--------------
The output observed when executing the Test Script is:

php -S 127.0.0.1:8080
PHP 7.0.22-0ubuntu0.16.04.1 Development Server
Listening on http://127.0.0.1:8080
Document root is /tmp
Press Ctrl-C to quit.
Out of memory

Debugging the PHP server shows that the malloc that runs out of memory is performed at php_cli_server_client_read_request_on_body:

(gdb) bt
 59 #0  __GI___libc_malloc (bytes=34359738368) at malloc.c:2902
 60 #1  0x00000000008350e9 in __zend_malloc (len=34359738368) at php-src/Zend/zend_alloc.c:2884
 61 #2  0x0000000000911d69 in php_cli_server_client_read_request_on_body (parser=<optimized out>, at=0x7fffffff8767 
 63

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2018-01-05 07:31 UTC] laruence@php.net

PHP built-in webserver is used for debugging purpose... and in this case it should bailout because out of memory, so I think there is nothing need to be fixed.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 17:01:32 2024 UTC