From: Wouter de Jong <wouter@wouterj.nl>
Date: Tue, 15 Oct 2024 10:18:46 +0200
Subject: Do not read from argv on non-CLI SAPIs

Origin: upstream, https://github.com/symfony/symfony/commit/a77b308c3f179ed7c8a8bc295f82b2d6ee3493fa
Bug: https://github.com/symfony/symfony/security/advisories/GHSA-x8vp-gf4q-mw5j
Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-50340
---
 src/Symfony/Component/Runtime/SymfonyRuntime.php       |  6 +++++-
 src/Symfony/Component/Runtime/Tests/phpt/kernel.php    |  8 +++++---
 src/Symfony/Component/Runtime/Tests/phpt/kernel.phpt   |  2 +-
 .../Runtime/Tests/phpt/kernel_register_argc_argv.phpt  | 18 ++++++++++++++++++
 4 files changed, 29 insertions(+), 5 deletions(-)
 create mode 100644 src/Symfony/Component/Runtime/Tests/phpt/kernel_register_argc_argv.phpt

diff --git a/src/Symfony/Component/Runtime/SymfonyRuntime.php b/src/Symfony/Component/Runtime/SymfonyRuntime.php
index 0ca9713..5612b3e 100644
--- a/src/Symfony/Component/Runtime/SymfonyRuntime.php
+++ b/src/Symfony/Component/Runtime/SymfonyRuntime.php
@@ -95,7 +95,7 @@ class SymfonyRuntime extends GenericRuntime
 
         if (isset($options['env'])) {
             $_SERVER[$envKey] = $options['env'];
-        } elseif (isset($_SERVER['argv']) && class_exists(ArgvInput::class)) {
+        } elseif (empty($_GET) && isset($_SERVER['argv']) && class_exists(ArgvInput::class)) {
             $this->options = $options;
             $this->getInput();
         }
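Review bot: The new guard decides "CLI or not" from the contents of `$_GET`, which is a proxy for the query string rather than for the SAPI; a web request with an empty query string still passes it and reaches `getInput()`, and that method's own check (next hunk) keys off `$_GET` in the same way. Keying off the SAPI is the direct test of what the commit title states: `} elseif (\in_array(\PHP_SAPI, ['cli', 'phpdbg', 'embed'], true) && isset($_SERVER['argv']) && class_exists(ArgvInput::class)) {`. If the `$_GET` form is kept deliberately (e.g. to keep CLI-like SAPIs such as `cli-server` working), a one-line comment saying so would help the next reader, e.g. `// $_GET is only populated by web SAPIs; on those argv may mirror the query string when register_argc_argv=On`. The enclosing method starts and ends outside this hunk.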
@@ -216,6 +216,10 @@ class SymfonyRuntime extends GenericRuntime
 
     private function getInput(): ArgvInput
     {
+        if (!empty($_GET) && filter_var(ini_get('register_argc_argv'), \FILTER_VALIDATE_BOOL)) {
+            throw new \Exception('CLI applications cannot be run safely on non-CLI SAPIs with register_argc_argv=On.');
+        }
+
         if (null !== $this->input) {
             return $this->input;
         }
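Review bot: The added throw uses the base `\Exception`, which callers cannot distinguish from any other failure; a `\LogicException` (wrong environment/configuration, not a transient error) or `\RuntimeException` is the idiomatic choice, `throw new \LogicException('CLI applications cannot be run safely on non-CLI SAPIs with register_argc_argv=On.');`. The check also sits before the `null !== $this->input` memoisation, so it is re-evaluated on every call; that is harmless but worth a short comment such as `// fail fast: on web SAPIs with register_argc_argv=On, argv is derived from the query string` so the ordering is understood as deliberate. getInput()'s body continues outside the hunk.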
diff --git a/src/Symfony/Component/Runtime/Tests/phpt/kernel.php b/src/Symfony/Component/Runtime/Tests/phpt/kernel.php
index ba29d34..b7c43c5 100644
--- a/src/Symfony/Component/Runtime/Tests/phpt/kernel.php
+++ b/src/Symfony/Component/Runtime/Tests/phpt/kernel.php
@@ -17,19 +17,21 @@ require __DIR__.'/autoload.php';
 
 class TestKernel implements HttpKernelInterface
 {
+    private $env;
     private $var;
 
-    public function __construct(string $var)
+    public function __construct(string $env, string $var)
     {
+        $this->env = $env;
         $this->var = $var;
     }
 
     public function handle(Request $request, $type = self::MASTER_REQUEST, $catch = true): Response
     {
-        return new Response('OK Kernel '.$this->var);
+        return new Response('OK Kernel (env='.$this->env.') '.$this->var);
     }
 }
 
 return function (array $context) {
-    return new TestKernel($context['SOME_VAR']);
+    return new TestKernel($context['APP_ENV'], $context['SOME_VAR']);
 };
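Review bot: The new `$env` property (and the existing `$var`) is declared without a type while the constructor already enforces `string` for both; `private string $env;` and `private string $var;` keep the fixture consistent with its own signature. The closure at the bottom now reads `$context['APP_ENV']` unconditionally, so the fixture will emit an undefined-index warning and then a TypeError if a phpt does not provide it — fine for a test fixture, but a one-line comment `// APP_ENV and SOME_VAR are expected to be provided by the runtime / .env of each phpt` would document the contract the phpt files rely on.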
diff --git a/src/Symfony/Component/Runtime/Tests/phpt/kernel.phpt b/src/Symfony/Component/Runtime/Tests/phpt/kernel.phpt
index e739eb0..e7df91e 100644
--- a/src/Symfony/Component/Runtime/Tests/phpt/kernel.phpt
+++ b/src/Symfony/Component/Runtime/Tests/phpt/kernel.phpt
@@ -9,4 +9,4 @@ require $_SERVER['SCRIPT_FILENAME'] = __DIR__.'/kernel.php';
 
 ?>
 --EXPECTF--
-OK Kernel foo_bar
+OK Kernel (env=dev) foo_bar
diff --git a/src/Symfony/Component/Runtime/Tests/phpt/kernel_register_argc_argv.phpt b/src/Symfony/Component/Runtime/Tests/phpt/kernel_register_argc_argv.phpt
new file mode 100644
index 0000000..4da82d2
--- /dev/null
+++ b/src/Symfony/Component/Runtime/Tests/phpt/kernel_register_argc_argv.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Test HttpKernelInterface with register_argc_argv=1
+--INI--
+display_errors=1
+register_argc_argv=1
+--FILE--
+<?php
+
+// emulating PHP behavior with register_argc_argv=1
+$_GET['-e_test'] = '';
+$_SERVER['argc'] = 1;
+$_SERVER['argv'] = [' ', '-e', 'test'];
+
+require $_SERVER['SCRIPT_FILENAME'] = __DIR__.'/kernel.php';
+
+?>
+--EXPECTF--
+OK Kernel (env=dev) foo_bar
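Review bot: The emulated superglobals are internally inconsistent: `$_SERVER['argc'] = 1;` is paired with a three-element `$_SERVER['argv']`, so any code that trusts `argc` sees a different picture than code that reads `argv`; if the intent is to mirror what PHP produces, `$_SERVER['argc'] = 3;` (or drop the `argc` line) avoids a misleading fixture. The test also only exercises the path where the non-empty `$_GET` makes the runtime skip `getInput()` entirely (output is the default `env=dev`); the new exception in `getInput()` itself is not asserted anywhere in this patch, so if that method is reachable on a web SAPI through another path, a companion phpt with `--EXPECTF--` matching the exception message would cover it. The comment on the `$_GET` line could state the emulated request explicitly, e.g. `// emulating register_argc_argv=1 on a web SAPI for the query string "?-e+test"`.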
