[Runtime] Trust argv on CLI-like SAPIs to fix subprocess args #64346
Merged
nicolas-grekas merged 1 commit into symfony:5.4 from nicolas-grekas:runtime-trust-argv-on-cli-sapi on May 23, 2026
$_SERVER['QUERY_STRING'] can leak into CLI subprocesses (notably when spawned from PHP-FPM, where the SAPI exposes FastCGI request-context vars through getenv() and $_ENV that then propagate via Process). The QUERY_STRING gate added for CVE-2024-50340 was therefore tripped in CLI subprocesses, dropping argv processing and stripping command names and options. Trust argv when PHP_SAPI is cli/phpdbg/embed: in CLI SAPIs argv is the real OS argv, never derived from QUERY_STRING (that's a web-SAPI-only behavior of register_argc_argv), so the gate is unnecessary there. The gate still applies on actual web SAPIs. The two phpt tests that simulated the CVE attack from cli SAPI by mocking $_SERVER no longer represent a real attack vector under this model and are removed; the protection on real web SAPIs is unchanged.
nicolas-grekas added a commit that referenced this pull request May 23, 2026
… subprocesses (nicolas-grekas)

This PR was merged into the 6.4 branch.

Discussion
----------

[Process] Stop leaking CGI/FastCGI request-context vars to subprocesses

| Q             | A
| ------------- | ---
| Branch?       | 6.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Issues        | Fix #64327
| License       | MIT

Some SAPIs (notably PHP-FPM and CGI, via `cgi_php_import_environment_variables`) expose request-scoped CGI/FastCGI vars (`QUERY_STRING`, `HTTP_*`, `REQUEST_*`, etc.) through `$_SERVER`, `$_ENV` and `getenv()`, even though they aren't real OS env vars. `Process::getDefaultEnv()` then propagated them to subprocesses, where they would confuse runtimes: e.g. `$_SERVER['QUERY_STRING']` leaking into a `bin/console` subprocess made `SymfonyRuntime` treat it as a web request, drop argv processing and strip the command name and options.

This PR strips the standard CGI variable names (RFC 3875 + PHP/FPM additions) and the `HTTP_`/`ORIG_`/`REDIRECT_` prefixes from the default env. Custom `fastcgi_param` entries and user-set `$_ENV` vars are unaffected.

A companion PR for `Runtime` against 5.4 (#64346) makes `SymfonyRuntime` trust argv on CLI-like SAPIs as defense in depth.

Commits
-------

020da5f [Process] Stop leaking CGI/FastCGI request-context vars to subprocesses
This was referenced May 27, 2026
`$_SERVER['QUERY_STRING']` can leak into CLI subprocesses (notably when spawned from PHP-FPM, where the SAPI exposes FastCGI request-context vars through `getenv()` and `$_ENV` that then propagate via `Process`). The `QUERY_STRING` gate added for CVE-2024-50340 was therefore tripped in CLI subprocesses, dropping argv processing and stripping command names and options.

This PR trusts argv when `PHP_SAPI` is `cli`/`phpdbg`/`embed`: in CLI SAPIs argv is the real OS argv, never derived from `QUERY_STRING` (that's a web-SAPI-only behavior of `register_argc_argv`), so the gate is unnecessary there. The gate still applies on actual web SAPIs.

The two phpt tests that simulated the CVE attack from cli SAPI by mocking `$_SERVER` no longer represent a real attack vector under this model and are removed; the protection on real web SAPIs is unchanged.

A companion PR for `Process` against 6.4 (#64347) plugs the actual env leak as defense in depth.
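
The two behaviours described in this thread, as an added example that is not Symfony's code and not part of the pull request: a check for CGI/FastCGI request-context variables in a subprocess environment, and the argv trust decision per SAPI. The function names, the sample environment and the exact form of the web-SAPI gate (modelled here as "`QUERY_STRING` is set") are assumptions; the variable list contains only the RFC 3875 meta-variables, not the PHP/FPM additions the Process fix also covers.

```php
<?php
// Added illustration; not Symfony's code. Function names are hypothetical.

// RFC 3875 meta-variables only (the PHP/FPM additions are not listed here).
const CGI_META_VARS = [
    'AUTH_TYPE', 'CONTENT_LENGTH', 'CONTENT_TYPE', 'GATEWAY_INTERFACE',
    'PATH_INFO', 'PATH_TRANSLATED', 'QUERY_STRING', 'REMOTE_ADDR',
    'REMOTE_HOST', 'REMOTE_IDENT', 'REMOTE_USER', 'REQUEST_METHOD',
    'SCRIPT_NAME', 'SERVER_NAME', 'SERVER_PORT', 'SERVER_PROTOCOL',
    'SERVER_SOFTWARE',
];

/** Returns the names in $env that look like CGI/FastCGI request context. */
function findRequestContextVars(array $env): array
{
    $found = [];
    foreach (array_keys($env) as $name) {
        $name = (string) $name;
        if (in_array($name, CGI_META_VARS, true)
            || preg_match('/^(HTTP|ORIG|REDIRECT)_/', $name)) {
            $found[] = $name;
        }
    }
    return $found;
}

/** On CLI-like SAPIs argv is the real OS argv; elsewhere the gate applies. */
function shouldTrustArgv(string $sapi, array $server): bool
{
    if (in_array($sapi, ['cli', 'phpdbg', 'embed'], true)) {
        return true;
    }
    // Assumed form of the web-SAPI gate: QUERY_STRING present means "web request".
    return !isset($server['QUERY_STRING']);
}

// Constructed sample: environment seen by a bin/console child spawned from PHP-FPM.
$childEnv = [
    'PATH' => '/usr/bin', 'APP_ENV' => 'prod', 'QUERY_STRING' => 'page=2',
    'REQUEST_METHOD' => 'GET', 'HTTP_HOST' => 'example.test', 'REDIRECT_STATUS' => '200',
];

echo 'request-context vars in child env: ', implode(', ', findRequestContextVars($childEnv)), PHP_EOL;
var_dump(shouldTrustArgv('cli', $childEnv));      // CLI-like SAPI: leaked QUERY_STRING is ignored
var_dump(shouldTrustArgv('fpm-fcgi', $childEnv)); // web SAPI: the gate still decides
```

Running `findRequestContextVars(getenv())` at the top of a console command started from a web worker shows whether the deployed Process version still propagates these variables.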