Merge pull request #43 from glensc/CVE-2021-3007

Backport of fix for CVE-2021-3007 in Zend_Http_Response_Stream
zf1s · Jan 7, 2021 · d04c889 · d04c889
2 parents a476428 + 5ed35fb
commit d04c889
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 1 deletion.
diff --git a/packages/zend-http/library/Zend/Http/Response/Stream.php b/packages/zend-http/library/Zend/Http/Response/Stream.php
@@ -227,7 +227,7 @@ public function __destruct()
             fclose($this->stream);
             $this->stream = null;
         }
-        if($this->_cleanup) {
+        if($this->_cleanup && is_string($this->stream_name) && file_exists($this->stream_name)) {
             @unlink($this->stream_name);
         }
     }

diff --git a/tests/Zend/Http/ResponseTest.php b/tests/Zend/Http/ResponseTest.php
@@ -20,11 +20,15 @@
  * @version    $Id$
  */
 
+use Zend\Http\StreamObject;
+
 /**
  * Zend_Http_Response
  */
 // require_once 'Zend/Http/Response.php';
 
+require_once __DIR__ . '/StreamObject.php';
+
 /**
  * Zend_Http_Response unit tests
  *
@@ -38,9 +42,19 @@
  */
 class Zend_Http_ResponseTest extends PHPUnit_Framework_TestCase
 {
+    /** @var null|string */
+    private $tempFile;
+
     public function setUp()
     { }
 
+    public function tearDown()
+    {
+        if ($this->tempFile !== null && file_exists($this->tempFile)) {
+            unlink($this->tempFile);
+        }
+    }
+
     public function testGzipResponse ()
     {
         $response_text = file_get_contents(dirname(__FILE__) . '/_files/response_gzip');
@@ -173,6 +187,23 @@ public function test300isRedirect()
         $this->assertFalse($response->isSuccessful(), 'Response is a redirection, but isSuccessful() returned true');
     }
 
+    /**
+     * @see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3007
+     */
+    public function testDestructionDoesNothingIfStreamIsNotAResourceAndStreamNameIsNotAString()
+    {
+        $this->tempFile = tempnam(sys_get_temp_dir(), 'lhrs');
+        $streamObject = new StreamObject($this->tempFile);
+
+        $response = new Zend_Http_Response_Stream(200, array());
+        $response->setCleanup(true);
+        $response->setStreamName($streamObject);
+
+        unset($response);
+
+        $this->assertFileExists($this->tempFile);
+    }
+
     public function test200Ok()
     {
         $response = Zend_Http_Response::fromString($this->readResponse('response_deflate'));

diff --git a/tests/Zend/Http/StreamObject.php b/tests/Zend/Http/StreamObject.php
@@ -0,0 +1,18 @@
+<?php
+
+namespace Zend\Http;
+
+class StreamObject
+{
+    private $tempFile;
+
+    public function __construct($tempFile)
+    {
+        $this->tempFile = $tempFile;
+    }
+
+    public function __toString()
+    {
+        return $this->tempFile;
+    }
+}