Merge branch 'PHP-5.6'

* PHP-5.6:
  NEWS
  adapt test for error message introduce in fix for #68463
  Fix bug #68463 listen.allowed_clients can silently result in no allowed access

Author: remicollet

sapi/fpm/fpm/fastcgi.c

@@ -280,6 +280,10 @@ void fcgi_set_allowed_clients(char *ip)
 		}
 		allowed_clients[n].sa.sa_family = 0;
 		free(ip);
+		if (!n) {
+			zlog(ZLOG_ERROR, "There are no allowed addresses for this pool");
+			/* don't clear allowed_clients as it will create an "open for all" security issue */
+		}
 	}
 }
 

sapi/fpm/tests/015.phpt

@@ -8,19 +8,28 @@ FPM: Test various messages on start, from master and childs
 include "include.inc";
 
 $logfile = dirname(__FILE__).'/php-fpm.log.tmp';
-$port = 9000+PHP_INT_SIZE;
+$port1 = 9000+PHP_INT_SIZE;
+$port2 = 9001+PHP_INT_SIZE;
 
 $cfg = <<<EOT
 [global]
 error_log = $logfile
 log_level = notice
-[unconfined]
-listen = 127.0.0.1:$port
-listen.allowed_clients=127.0.0.1,xxx
+[pool1]
+listen = 127.0.0.1:$port1
+listen.allowed_clients=127.0.0.1
 user = foo
 pm = dynamic
 pm.max_children = 5
-;pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+catch_workers_output = yes
+[pool2]
+listen = 127.0.0.1:$port2
+listen.allowed_clients=xxx
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 1
 pm.min_spare_servers = 1
 pm.max_spare_servers = 3
 catch_workers_output = yes
@@ -29,7 +38,7 @@ EOT;
 $fpm = run_fpm($cfg, $tail);
 if (is_resource($fpm)) {
     $i = 0;
-	while (($i++ < 30) && !($fp = @fsockopen('127.0.0.1', $port))) {
+	while (($i++ < 30) && !($fp = @fsockopen('127.0.0.1', $port1))) {
 		usleep(10000);
 	}
 	if ($fp) {
@@ -38,11 +47,16 @@ if (is_resource($fpm)) {
 	}
 	for ($i=0 ; $i<10 ; $i++) {
 		try {
-			run_request('127.0.0.1', $port);
+			run_request('127.0.0.1', $port1);
 		} catch (Exception $e) {
-			echo "Error\n";
+			echo "Error 1\n";
 		}
 	}
+	try {
+		run_request('127.0.0.1', $port2);
+	} catch (Exception $e) {
+		echo "Error 2\n";
+	}
 	proc_terminate($fpm);
 	if (!feof($tail)) {
 		echo stream_get_contents($tail);
@@ -55,12 +69,14 @@ if (is_resource($fpm)) {
 Done
 --EXPECTF--
 Started
-[%s] NOTICE: [pool unconfined] pm.start_servers is not set. It's been set to 2.
-[%s] NOTICE: [pool unconfined] 'user' directive is ignored when FPM is not running as root
+Error 2
+[%s] NOTICE: [pool pool1] pm.start_servers is not set. It's been set to 2.
+[%s] NOTICE: [pool pool1] 'user' directive is ignored when FPM is not running as root
 [%s] NOTICE: fpm is running, pid %d
 [%s] NOTICE: ready to handle connections
-[%s] WARNING: [pool unconfined] child %d said into stderr: "ERROR: Wrong IP address 'xxx' in listen.allowed_clients"
-[%s] WARNING: [pool unconfined] child %d said into stderr: "ERROR: Wrong IP address 'xxx' in listen.allowed_clients"
+[%s] WARNING: [pool pool2] child %d said into stderr: "ERROR: Wrong IP address 'xxx' in listen.allowed_clients"
+[%s] WARNING: [pool pool2] child %d said into stderr: "ERROR: There are no allowed addresses for this pool"
+[%s] WARNING: [pool pool2] child %d said into stderr: "ERROR: Connection disallowed: IP address '127.0.0.1' has been dropped."
 [%s] NOTICE: Terminating ...
 [%s] NOTICE: exiting, bye-bye!
 Done