From 09696eee9d4374e79bd443bbbd5c5d38bfb9fb68 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Thu, 22 Apr 2021 13:22:18 +0200
Subject: [PATCH] Fix #80901: Info leak in ftp extension
We ensure that inbuf is NUL terminated on `ftp_readline()` failure. Closes GH-6894.
---
 NEWS | 3 +++
 ext/ftp/ftp.c | 2 ++
 ext/ftp/tests/bug80901.phpt | 22 ++++++++++++++++++++++
 ext/ftp/tests/server.inc | 3 +++
 4 files changed, 30 insertions(+)
 create mode 100644 ext/ftp/tests/bug80901.phpt
diff --git a/NEWS b/NEWS
index cb7179bd40c..d6698a9cebc 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,9 @@ PHP NEWS
 . Fixed bug #67792 (HTTP Authorization schemes are treated as case-sensitive). (cmb)
+- FTP:
+ . Fixed bug #80901 (Info leak in ftp extension). (cmb)
+
 - pgsql:
 . Fixed php_pgsql_fd_cast() wrt. php_stream_can_cast(). (cmb)
diff --git a/ext/ftp/ftp.c b/ext/ftp/ftp.c
index f2da6e5153f..9b04edcd099 100644
--- a/ext/ftp/ftp.c
+++ b/ext/ftp/ftp.c
@@ -1349,10 +1349,12 @@ ftp_readline(ftpbuf_t *ftp)
 data = eol;
 if ((rcvd = my_recv(ftp, ftp->fd, data, size)) < 1) {
+ *data = 0;
 return 0;
 }
 } while (size);
+ *data = 0;
 return 0;
 }
 /* }}} */
diff --git a/ext/ftp/tests/bug80901.phpt b/ext/ftp/tests/bug80901.phpt
new file mode 100644
index 00000000000..6196bdce963
--- /dev/null
+++ b/ext/ftp/tests/bug80901.phpt
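Review bot: The terminator added after the loop in ext/ftp/ftp.c, `*data = 0;` following `} while (size);`, is stored wherever `data` points once `size` has reached zero, and if `size` starts at the full capacity of `ftp->inbuf` that position is one byte past the end of the buffer. The store inside the `my_recv()` failure branch has the same exposure when the call is made with `size` equal to 0. The declaration of `inbuf` and the initial value of `size` are outside the hunk (the body of `ftp_readline()` starts above it), so this needs confirming there. If the buffer has no spare byte, either start `size` one below the buffer size or clamp before storing, e.g. `if (data >= ftp->inbuf + sizeof(ftp->inbuf)) data = ftp->inbuf + sizeof(ftp->inbuf) - 1;` (assuming `inbuf` is an array member).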
@@ -0,0 +1,22 @@ +--TEST-- +Bug #80901 (Info leak in ftp extension) +--SKIPIF-- + +--INI-- +log_errors_max_len=0 +--FILE-- + +--EXPECTF-- +bool(true) + +Warning: ftp_systype(): ***********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************
********************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************
********************************************************************************************************************************************************************************************************************************************************************************* in %s on line %d diff --git a/ext/ftp/tests/server.inc b/ext/ftp/tests/server.inc index ed21843f431..71f0881dea6 100644 --- a/ext/ftp/tests/server.inc +++ b/ext/ftp/tests/server.inc @@ -107,6 +107,7 @@ if ($pid) { fputs($s, "234 auth type accepted\r\n"); } else { fputs($s, "666 dummy\r\n"); + sleep(1); fputs($s, "666 bogus msg\r\n"); exit; } @@ -197,6 +198,8 @@ if ($pid) { } elseif ($buf === "SYST\r\n") { if (isset($bug27809)) { fputs($s, "215 OS/400 is the remote operating system. The TCP/IP version is \"V5R2M0\"\r\n"); + } elseif (isset($bug80901)) { + fputs($s, "\r\n" . str_repeat("*", 4096) . "\r\n"); } else { fputs($s, "215 UNIX Type: L8.\r\n"); }
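Review bot: The `sleep(1);` added between `fputs($s, "666 dummy\r\n");` and `fputs($s, "666 bogus msg\r\n");` in ext/ftp/tests/server.inc carries no comment, and neither the hunk nor the commit message says which read ordering the delay is meant to enforce. A fixed one-second delay also makes every test that takes this branch slower and timing-dependent. A one-line comment above the call stating the intent would help, for example `// let the client consume the first reply before the second is sent` if that is the reason. The enclosing `if ($pid) {` block starts and ends outside the hunk.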