PHP Server Side Request Forgery Security Bypass Vulnerability（CVE-2017-7272）

For historical reasons, fsockopen() accepts the port and hostname
separately: fsockopen(‘127.0.0.1’, 80)

However, with the introdcution of stream transports in PHP 4.3,
it became possible to include the port in the hostname specifier:

fsockopen(‘127.0.0.1:80’)
Or more formally: fsockopen(‘tcp://127.0.0.1:80’)

Confusing results when these two forms are combined, however.
fsockopen(‘127.0.0.1:80’, 443) results in fsockopen() attempting
to connect to ‘127.0.0.1:80:443’ which any reasonable stack would
consider invalid.

Unfortunately, PHP parses the address looking for the first colon
(with special handling for IPv6, don’t worry) and calls atoi()
from there. atoi() in turn, simply stops parsing at the first
non-numeric character and returns the value so far.

The end result is that the explicitly supplied port is treated
as ignored garbage, rather than producing an error.

This diff replaces atoi() with strtol() and inspects the
stop character. If additional “garbage” of any kind is found,
it fails and returns an error.