[Process] Stop leaking CGI/FastCGI request-context vars to subprocesses #64347

Merged: nicolas-grekas merged 1 commit into symfony:6.4 from nicolas-grekas:process-strip-cgi-env-vars on May 23, 2026
Some SAPIs (notably PHP-FPM and CGI, via cgi_php_import_environment_variables) expose request-scoped CGI/FastCGI vars (QUERY_STRING, HTTP_*, REQUEST_*, etc.) through $_SERVER, $_ENV and getenv(), even though they aren't real OS env vars. Process::getDefaultEnv() then propagated them to subprocesses, where they would confuse runtimes: e.g. $_SERVER['QUERY_STRING'] leaking into a bin/console subprocess made SymfonyRuntime treat it as a web request, drop argv processing and strip the command name and options. Strip the standard CGI variable names (RFC 3875 + PHP/FPM additions) and the HTTP_/ORIG_/REDIRECT_ prefixes from the default env. Custom fastcgi_param entries and user-set $_ENV vars are unaffected.
nicolas-grekas added a commit that referenced this pull request on May 23, 2026:

…rgs (nicolas-grekas)

This PR was merged into the 5.4 branch.

Discussion
----------

[Runtime] Trust argv on CLI-like SAPIs to fix subprocess args

| Q             | A
| ------------- | ---
| Branch?       | 5.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Issues        | Fix #64327
| License       | MIT

`$_SERVER['QUERY_STRING']` can leak into CLI subprocesses (notably when spawned from PHP-FPM, where the SAPI exposes FastCGI request-context vars through `getenv()` and `$_ENV` that then propagate via `Process`). The `QUERY_STRING` gate added for CVE-2024-50340 was therefore tripped in CLI subprocesses, dropping argv processing and stripping command names and options.

This PR trusts argv when `PHP_SAPI` is `cli`/`phpdbg`/`embed`: in CLI SAPIs argv is the real OS argv, never derived from `QUERY_STRING` (that's a web-SAPI-only behavior of `register_argc_argv`), so the gate is unnecessary there. The gate still applies on actual web SAPIs.

The two phpt tests that simulated the CVE attack from cli SAPI by mocking `$_SERVER` no longer represent a real attack vector under this model and are removed; the protection on real web SAPIs is unchanged.

A companion PR for `Process` against 6.4 (#64347) plugs the actual env leak as defense in depth.

Commits
-------

b2a338e [Runtime] Trust argv on CLI-like SAPIs to fix subprocess args
This was referenced May 27, 2026
Some SAPIs (notably PHP-FPM and CGI, via `cgi_php_import_environment_variables`) expose request-scoped CGI/FastCGI vars (`QUERY_STRING`, `HTTP_*`, `REQUEST_*`, etc.) through `$_SERVER`, `$_ENV` and `getenv()`, even though they aren't real OS env vars. `Process::getDefaultEnv()` then propagated them to subprocesses, where they would confuse runtimes: e.g. `$_SERVER['QUERY_STRING']` leaking into a `bin/console` subprocess made `SymfonyRuntime` treat it as a web request, drop argv processing and strip the command name and options.

This PR strips the standard CGI variable names (RFC 3875 + PHP/FPM additions) and the `HTTP_`/`ORIG_`/`REDIRECT_` prefixes from the default env. Custom `fastcgi_param` entries and user-set `$_ENV` vars are unaffected.

A companion PR for `Runtime` against 5.4 (#64346) makes `SymfonyRuntime` trust argv on CLI-like SAPIs as defense in depth.
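
The filtering rule described above, as an added PHP example that is not code from this pull request or from Symfony. The function names are hypothetical, and the name list is an assumption (the RFC 3875 meta-variables plus a subset of common PHP-FPM additions), not the list in the merged patch.

```php
<?php
// Added illustration. The name list is an assumption: RFC 3875 meta-variables
// plus a subset of common PHP-FPM/nginx additions, not the merged patch's list.
const CGI_NAMES = [
    'AUTH_TYPE', 'CONTENT_LENGTH', 'CONTENT_TYPE', 'GATEWAY_INTERFACE',
    'PATH_INFO', 'PATH_TRANSLATED', 'QUERY_STRING', 'REMOTE_ADDR',
    'REMOTE_HOST', 'REMOTE_IDENT', 'REMOTE_USER', 'REQUEST_METHOD',
    'SCRIPT_NAME', 'SERVER_NAME', 'SERVER_PORT', 'SERVER_PROTOCOL',
    'SERVER_SOFTWARE',
    'DOCUMENT_ROOT', 'DOCUMENT_URI', 'REQUEST_URI', 'REQUEST_SCHEME',
    'SCRIPT_FILENAME', 'SERVER_ADDR', 'REMOTE_PORT', 'HTTPS', 'FCGI_ROLE',
];
const CGI_PREFIXES = ['HTTP_', 'ORIG_', 'REDIRECT_'];

/** True when $name is a request-context variable rather than a real env var. */
function isCgiRequestVar(string $name): bool
{
    if (in_array($name, CGI_NAMES, true)) {
        return true;
    }
    foreach (CGI_PREFIXES as $prefix) {
        if (str_starts_with($name, $prefix)) {
            return true;
        }
    }
    return false;
}

/** Environment that is safe to hand to a child process. */
function stripCgiRequestVars(array $env): array
{
    return array_filter($env, static fn ($k) => !isCgiRequestVar((string) $k), ARRAY_FILTER_USE_KEY);
}

/** Map of name => false for every request-context variable found in $env. */
function processEnvOverrides(array $env): array
{
    $leaky = array_filter(array_keys($env), static fn ($k) => isCgiRequestVar((string) $k));
    return array_fill_keys($leaky, false);
}

// Constructed sample of what getenv() may return under PHP-FPM.
// TENANT_ID stands in for a custom fastcgi_param entry and must survive.
$fpmEnv = [
    'PATH' => '/usr/bin', 'APP_ENV' => 'prod', 'TENANT_ID' => 'acme',
    'QUERY_STRING' => 'a=b', 'REQUEST_METHOD' => 'GET',
    'HTTP_HOST' => 'example.test', 'REDIRECT_STATUS' => '200',
];
print_r(stripCgiRequestVars($fpmEnv));
print_r(processEnvOverrides($fpmEnv));
```

On a Symfony version without this fix, the map returned by `processEnvOverrides(getenv())` can be passed as the `$env` argument of `Process`, which drops any variable whose value is `false` from the child environment.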