head 1.19;
access;
symbols
OPENPKG_E1_MP_HEAD:1.16
OPENPKG_E1_MP:1.16
OPENPKG_E1_MP_2_STABLE:1.13.2.1
OPENPKG_E1_FP:1.13.2.1
OPENPKG_2_STABLE_MP:1.18
OPENPKG_2_STABLE_20061018:1.13.2.1
OPENPKG_2_STABLE:1.13.0.2
OPENPKG_2_STABLE_BP:1.13
OPENPKG_2_5_RELEASE:1.11
OPENPKG_2_5_SOLID:1.11.0.2
OPENPKG_2_5_SOLID_BP:1.11
OPENPKG_2_4_RELEASE:1.10
OPENPKG_2_4_SOLID:1.10.0.2
OPENPKG_2_4_SOLID_BP:1.10
OPENPKG_CW_FP:1.9
OPENPKG_2_3_RELEASE:1.9
OPENPKG_2_3_SOLID:1.9.0.2
OPENPKG_2_3_SOLID_BP:1.9
OPENPKG_2_2_RELEASE:1.8
OPENPKG_2_2_SOLID:1.8.0.2
OPENPKG_2_2_SOLID_BP:1.8
OPENPKG_2_1_RELEASE:1.7
OPENPKG_2_1_SOLID:1.7.0.2
OPENPKG_2_1_SOLID_BP:1.7
OPENPKG_2_0_RELEASE:1.5
OPENPKG_2_0_SOLID:1.5.0.2
OPENPKG_2_0_SOLID_BP:1.5
OPENPKG_1_3_RELEASE:1.3.2.2
OPENPKG_1_3_SOLID:1.3.2.2.0.2
OPENPKG_1_3_SOLID_BP:1.3.2.2
OPENPKG_1_STABLE:1.3.0.2
OPENPKG_1_STABLE_MP:1.4
OPENPKG_1_1_SOLID:1.1.0.2;
locks; strict;
comment @# @;
1.19
date 2009.07.01.08.13.01; author rse; state Exp;
branches;
next 1.18;
commitid 3T4zMjjPTKny1ZTt;
1.18
date 2007.02.08.20.51.43; author rse; state dead;
branches;
next 1.17;
commitid YoqRDrGuTtuDjJ5s;
1.17
date 2007.02.08.19.54.32; author rse; state Exp;
branches;
next 1.16;
commitid 9a7mYqCJg7U00J5s;
1.16
date 2006.11.08.08.36.30; author rse; state Exp;
branches;
next 1.15;
commitid bDmaezuLfStLcQTr;
1.15
date 2006.11.03.07.51.16; author rse; state Exp;
branches;
next 1.14;
commitid Z2PAWWBu4uNc7cTr;
1.14
date 2006.10.17.07.02.47; author rse; state Exp;
branches;
next 1.13;
commitid EAiEzTWw8huro0Rr;
1.13
date 2006.05.28.09.45.56; author rse; state dead;
branches
1.13.2.1;
next 1.12;
commitid ljlf8BNPzK5qRLyr;
1.12
date 2005.10.31.18.58.08; author rse; state Exp;
branches;
next 1.11;
commitid odJTd7VnVdgnDX7r;
1.11
date 2005.10.04.19.54.54; author rse; state Exp;
branches
1.11.2.1;
next 1.10;
1.10
date 2005.04.01.06.19.31; author rse; state Exp;
branches
1.10.2.1;
next 1.9;
1.9
date 2005.02.06.13.41.53; author rse; state Exp;
branches
1.9.2.1;
next 1.8;
1.8
date 2004.07.25.09.39.57; author rse; state Exp;
branches
1.8.2.1;
next 1.7;
1.7
date 2004.06.11.09.57.45; author rse; state Exp;
branches
1.7.2.1;
next 1.6;
1.6
date 2004.06.11.08.40.05; author cs; state Exp;
branches;
next 1.5;
1.5
date 2003.08.28.09.22.44; author mlelstv; state dead;
branches
1.5.2.1;
next 1.4;
1.4
date 2003.07.28.13.10.00; author mlelstv; state Exp;
branches;
next 1.3;
1.3
date 2003.07.01.11.56.12; author mlelstv; state Exp;
branches
1.3.2.1;
next 1.2;
1.2
date 2003.07.01.10.13.04; author mlelstv; state Exp;
branches;
next 1.1;
1.1
date 2003.01.22.12.22.07; author thl; state dead;
branches
1.1.2.1;
next ;
1.13.2.1
date 2006.10.17.07.04.18; author rse; state Exp;
branches;
next 1.13.2.2;
commitid wWOE0nqGAemYo0Rr;
1.13.2.2
date 2006.11.03.22.31.15; author rse; state Exp;
branches;
next 1.13.2.3;
commitid z5yZRq1fj6T4ZgTr;
1.13.2.3
date 2006.12.22.19.13.31; author thl; state Exp;
branches;
next 1.13.2.4;
commitid 2LefOfqsS8nsjyZr;
1.13.2.4
date 2007.02.11.14.56.46; author rse; state dead;
branches;
next ;
commitid g1kA0REfT80Tf56s;
1.11.2.1
date 2005.12.03.17.04.16; author rse; state Exp;
branches;
next ;
commitid M1OSb36LjPqwWbcr;
1.10.2.1
date 2005.10.04.19.57.35; author rse; state Exp;
branches;
next 1.10.2.2;
1.10.2.2
date 2005.12.03.17.09.53; author rse; state Exp;
branches;
next ;
commitid pVU3KYkrklMsYbcr;
1.9.2.1
date 2005.10.04.20.00.38; author rse; state Exp;
branches;
next 1.9.2.2;
1.9.2.2
date 2005.12.03.17.16.50; author rse; state Exp;
branches;
next ;
commitid HTS7TZFvBWYP0ccr;
1.8.2.1
date 2004.12.16.16.50.20; author rse; state Exp;
branches;
next 1.8.2.2;
1.8.2.2
date 2004.12.16.20.19.51; author rse; state Exp;
branches;
next 1.8.2.3;
1.8.2.3
date 2004.12.16.20.21.07; author rse; state Exp;
branches;
next ;
1.7.2.1
date 2004.08.11.17.12.28; author rse; state Exp;
branches;
next 1.7.2.2;
1.7.2.2
date 2004.12.16.16.54.25; author rse; state Exp;
branches;
next 1.7.2.3;
1.7.2.3
date 2004.12.16.20.24.42; author rse; state Exp;
branches;
next ;
1.5.2.1
date 2004.07.22.14.29.19; author thl; state Exp;
branches;
next ;
1.3.2.1
date 2003.07.24.20.44.58; author rse; state Exp;
branches;
next 1.3.2.2;
1.3.2.2
date 2003.07.28.13.23.43; author rse; state Exp;
branches;
next ;
1.1.2.1
date 2003.01.22.12.22.07; author thl; state Exp;
branches;
next 1.1.2.2;
1.1.2.2
date 2003.07.07.13.48.26; author thl; state Exp;
branches;
next ;
desc
@@
1.19
log
@adjust packaging for PHP 5.3.0
@
text
@Index: ext/gd/libgd/gd_arc.c
--- ext/gd/libgd/gd_arc.c.orig 2009-05-26 22:14:31 +0200
+++ ext/gd/libgd/gd_arc.c 2009-07-01 08:56:12 +0200
@@@@ -53,6 +53,7 @@@@
}
}
+#if 0
void gdImageFilledEllipse (gdImagePtr im, int mx, int my, int w, int h, int c)
{
int x=0,mx1=0,mx2=0,my1=0,my2=0;
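Review bot: The `#if 0` placed in front of `gdImageFilledEllipse` carries no comment, so nothing in the patched file records why the function is compiled out or where a replacement definition comes from; the matching `#endif` in the next hunk is equally bare. Put the reason on the directive itself, for example `#if 0 /* OpenPKG: disabled, <reason> */` and `#endif /* 0 */`. If anything in the bundled libgd still calls this function, the build would presumably fail at link time unless another definition is supplied, which is worth confirming. The function body continues outside this hunk.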
@@@@ -106,5 +107,6 @@@@
old_y1 = my1;
}
}
+#endif
@
1.18
log
@get rid of obsolete patch
@
text
@d1 6
a6 2
Allow building against cURL 7.16.0 and higher
(http://cvs.php.net/viewcvs.cgi/php-src/ext/curl/interface.c?r1=1.62.2.14.2.12&r2=1.62.2.14.2.13&view=patch)
d8 6
a13 33
Index: ext/curl/interface.c
--- ext/curl/interface.c.orig 2006-10-11 01:12:59 +0200
+++ ext/curl/interface.c 2006-11-08 09:26:28 +0100
@@@@ -369,7 +369,9 @@@@
REGISTER_CURL_CONSTANT(CURLOPT_FTPAPPEND);
REGISTER_CURL_CONSTANT(CURLOPT_NETRC);
REGISTER_CURL_CONSTANT(CURLOPT_FOLLOWLOCATION);
+#if CURLOPT_FTPASCII != 0
REGISTER_CURL_CONSTANT(CURLOPT_FTPASCII);
+#endif
REGISTER_CURL_CONSTANT(CURLOPT_PUT);
#if CURLOPT_MUTE != 0
REGISTER_CURL_CONSTANT(CURLOPT_MUTE);
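Review bot: `#if CURLOPT_FTPASCII != 0` only works as a feature test when the cURL headers define that name as a macro with a numeric value. An enum constant, or a macro that expands to one, is replaced by 0 inside `#if`, so the registration could be compiled out on every cURL version and not only on 7.16.0 and higher. How the installed headers define the name is not visible here and should be checked; the same applies to `CURLOPT_PASSWDFUNCTION` and `CURLOPT_PASSWDDATA` in the following hunks and to the copy of this patch in revision 1.13.2.3. A version test such as `#if LIBCURL_VERSION_NUM < 0x071000` states the intent directly and does not depend on how the option names are declared.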
@@@@ -409,7 +411,9 @@@@
REGISTER_CURL_CONSTANT(CURLOPT_FILETIME);
REGISTER_CURL_CONSTANT(CURLOPT_WRITEFUNCTION);
REGISTER_CURL_CONSTANT(CURLOPT_READFUNCTION);
+#if CURLOPT_PASSWDFUNCTION != 0
REGISTER_CURL_CONSTANT(CURLOPT_PASSWDFUNCTION);
+#endif
REGISTER_CURL_CONSTANT(CURLOPT_HEADERFUNCTION);
REGISTER_CURL_CONSTANT(CURLOPT_MAXREDIRS);
REGISTER_CURL_CONSTANT(CURLOPT_MAXCONNECTS);
@@@@ -1157,12 +1161,13 @@@@
dupch->handlers->write_header->fp = ch->handlers->write_header->fp;
dupch->handlers->read->fp = ch->handlers->read->fp;
dupch->handlers->read->fd = ch->handlers->read->fd;
-
+#if CURLOPT_PASSWDDATA != 0
if (ch->handlers->passwd) {
zval_add_ref(&ch->handlers->passwd);
dupch->handlers->passwd = ch->handlers->passwd;
curl_easy_setopt(ch->cp, CURLOPT_PASSWDDATA, (void *) dupch);
d15 1
d17 2
a18 3
if (ch->handlers->write->func_name) {
zval_add_ref(&ch->handlers->write->func_name);
dupch->handlers->write->func_name = ch->handlers->write->func_name;
@
1.17
log
@remove already applied patch
@
text
@@
1.16
log
@fix building against our latest cURL 7.16
@
text
@a0 17
Security Fix (CVE-2006-4625)
Index: Zend/zend_ini.c
--- Zend/zend_ini.c.orig 2006-09-06 10:54:44 +0200
+++ Zend/zend_ini.c 2006-11-03 08:46:12 +0100
@@@@ -235,7 +235,8 @@@@
char *duplicate;
TSRMLS_FETCH();
- if (zend_hash_find(EG(ini_directives), name, name_length, (void **) &ini_entry)==FAILURE) {
+ if (zend_hash_find(EG(ini_directives), name, name_length, (void **) &ini_entry)==FAILURE ||
+ (stage == ZEND_INI_STAGE_RUNTIME && (ini_entry->modifiable & ZEND_INI_USER)==0)) {
return FAILURE;
}
-----------------------------------------------------------------------------
@
1.15
log
@upgrading package: php 5.1.6 -> 5.2.0
@
text
@d15 5
d21 38
@
1.14
log
@Security Fixes (CVE-2006-4625, CVE-2006-4812, CVE-2006-5178)
@
text
@d4 4
a7 4
--- Zend/zend_ini.c.orig 2006-01-05 00:53:04 +0100
+++ Zend/zend_ini.c 2006-10-17 08:24:12 +0200
@@@@ -256,8 +256,8 @@@@
zend_ini_entry *ini_entry;
a10 1
- return FAILURE;
d12 2
a13 1
+ (stage == ZEND_INI_STAGE_RUNTIME && (ini_entry->modifiable & ZEND_INI_USER) == 0)) { return FAILURE;
a15 67
zend_restore_ini_entry_cb(ini_entry, stage TSRMLS_CC);
-----------------------------------------------------------------------------
Security Fix (CVE-2006-4812)
Index: Zend/zend_alloc.c
--- Zend/zend_alloc.c.orig 2006-08-10 19:16:24 +0200
+++ Zend/zend_alloc.c 2006-10-17 08:25:42 +0200
@@@@ -328,15 +328,14 @@@@
ZEND_API void *_ecalloc(size_t nmemb, size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
{
void *p;
- int final_size = size*nmemb;
HANDLE_BLOCK_INTERRUPTIONS();
- p = _emalloc(final_size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
+ p = _safe_emalloc(nmemb, size, 0 ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
if (!p) {
HANDLE_UNBLOCK_INTERRUPTIONS();
return (void *) p;
}
- memset(p, 0, final_size);
+ memset(p, 0, size * nmemb);
HANDLE_UNBLOCK_INTERRUPTIONS();
return p;
}
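Review bot: `memset(p, 0, size * nmemb)` recomputes the product with no check of its own, so it is safe only because `_safe_emalloc(nmemb, size, 0 ...)` has already validated the same multiplication, and nothing at this line says so. `_safe_emalloc` is not part of this patch, so that guarantee is presumed rather than shown. A one-line comment above the memset would keep a later edit from reordering or replacing the allocation call: `/* size * nmemb cannot wrap here: _safe_emalloc() has already checked the product */`.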
-----------------------------------------------------------------------------
Security Fix (CVE-2006-5178)
Index: main/php_open_temporary_file.c
--- main/php_open_temporary_file.c.orig 2006-05-24 01:22:26 +0200
+++ main/php_open_temporary_file.c 2006-10-17 08:26:02 +0200
@@@@ -206,6 +206,7 @@@@
PHPAPI int php_open_temporary_fd(const char *dir, const char *pfx, char **opened_path_p TSRMLS_DC)
{
int fd;
+ const char *temp_dir;
if (!pfx) {
pfx = "tmp.";
@@@@ -214,11 +215,22 @@@@
*opened_path_p = NULL;
}
+ if (!dir || *dir == '\0') {
+def_tmp:
+ temp_dir = php_get_temporary_directory();
+
+ if (temp_dir && *temp_dir != '\0' && !php_check_open_basedir(temp_dir TSRMLS_CC)) {
+ return php_do_open_temporary_file(temp_dir, pfx, opened_path_p TSRMLS_CC);
+ } else {
+ return -1;
+ }
+ }
+
/* Try the directory given as parameter. */
fd = php_do_open_temporary_file(dir, pfx, opened_path_p TSRMLS_CC);
if (fd == -1) {
/* Use default temporary directory. */
- fd = php_do_open_temporary_file(php_get_temporary_directory(), pfx, opened_path_p TSRMLS_CC);
+ goto def_tmp;
}
return fd;
}
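Review bot: `goto def_tmp` jumps backwards into the body of the `if (!dir || *dir == '\0')` block, which makes the open_basedir check on the default directory easy to lose in a later edit. Moving the default-directory path into a small static helper keeps the check in one place and removes the label. In the lines shown, only the default directory is tested with `php_check_open_basedir`; whether the caller-supplied `dir` is checked inside `php_do_open_temporary_file` cannot be seen from this hunk and should be confirmed.

```c
/* Open a temporary file in the default temporary directory, honouring open_basedir. */
static int php_open_default_temporary_fd(const char *pfx, char **opened_path_p TSRMLS_DC)
{
	const char *temp_dir = php_get_temporary_directory();

	if (temp_dir && *temp_dir != '\0' && !php_check_open_basedir(temp_dir TSRMLS_CC)) {
		return php_do_open_temporary_file(temp_dir, pfx, opened_path_p TSRMLS_CC);
	}
	return -1;
}

/* … unchanged: pfx default and opened_path_p reset … */
	if (!dir || *dir == '\0') {
		return php_open_default_temporary_fd(pfx, opened_path_p TSRMLS_CC);
	}

	/* Try the directory given as parameter. */
	fd = php_do_open_temporary_file(dir, pfx, opened_path_p TSRMLS_CC);
	if (fd == -1) {
		fd = php_open_default_temporary_fd(pfx, opened_path_p TSRMLS_CC);
	}
	return fd;
```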
@
1.13
log
@upgrade stand-alone PHP from 4.4.2 to 5.1.4
@
text
@d1 14
a14 6
Index: ext/pdf/pdf.c
--- ext/pdf/pdf.c.orig 2004-09-13 19:12:13 +0200
+++ ext/pdf/pdf.c 2005-04-01 07:52:31 +0200
@@@@ -240,6 +240,16 @@@@
ZEND_GET_MODULE(pdf)
#endif
d16 26
a41 14
+ZEND_BEGIN_MODULE_GLOBALS(pdf)
+FILE *fp;
+ZEND_END_MODULE_GLOBALS(pdf)
+ZEND_DECLARE_MODULE_GLOBALS(pdf)
+#ifdef ZTS
+#define PDF_G(v) TSRMG(pdf_globals_id, zend_pdf_globals *, v)
+#else
+#define PDF_G(v) (pdf_globals.v)
+#endif
+
/* {{{ _free_pdf_doc
*/
static void _free_pdf_doc(zend_rsrc_list_entry *rsrc TSRMLS_DC)
@@@@ -305,6 +315,15 @@@@
d43 10
a52 23
/* }}} */
+/* {{{ pdf_flushwrite_fp
+ */
+static size_t pdf_flushwrite_fp(PDF *p, void *data, size_t size)
+{
+ FILE *fp = PDF_G(fp);
+ return fwrite(data, size, 1, fp);
+}
+/* }}} */
+
/* {{{ pdf_flushwrite
*/
static size_t pdf_flushwrite(PDF *p, void *data, size_t size)
@@@@ -339,8 +358,13 @@@@
/* {{{ PHP_MINIT_FUNCTION
*/
+static void php_pdf_init_globals (zend_pdf_globals *g)
+{
+ g->fp = NULL;
+}
PHP_MINIT_FUNCTION(pdf)
d54 2
a55 6
+ ZEND_INIT_MODULE_GLOBALS(pdf, php_pdf_init_globals, NULL);
if ((PDF_get_majorversion() != PDFLIB_MAJORVERSION) ||
(PDF_get_minorversion() != PDFLIB_MINORVERSION)) {
php_error(E_ERROR,"PDFlib error: Version mismatch in wrapper code");
@@@@ -469,9 +493,8 @@@@
pdf = PDF_new2(custom_errorhandler, pdf_emalloc, pdf_realloc, pdf_efree, NULL);
d57 4
a60 8
if(fp) {
- if (PDF_open_fp(pdf, fp) < 0) {
- RETURN_FALSE;
- }
+ PDF_G(fp) = fp;
+ PDF_begin_document_callback(pdf, pdf_flushwrite_fp, "");
} else {
PDF_open_mem(pdf, pdf_flushwrite);
a61 5
Index: scripts/phpize.in
--- scripts/phpize.in.orig 2005-01-25 13:55:55 +0100
+++ scripts/phpize.in 2005-04-01 07:52:55 +0200
@@@@ -1,5 +1,25 @@@@
#!/bin/sh
d63 3
a65 2
+PATH="@@l_prefix@@/bin:@@l_prefix@@/sbin:$PATH"
+export PATH
d67 6
a72 16
+prereq_fail=""
+for prereq in autoconf automake libtool; do
+ @@l_rpm@@ --quiet -q $prereq
+ if [ $? -ne 0 ]; then
+ prereq_fail="$prereq_fail $prereq"
+ fi
+done
+if [ ".$prereq_fail" != . ]; then
+ ( echo "OpenPKG: ERROR: please install following OpenPKG packages first"
+ echo "before running $0:"
+ for prereq in $prereq_fail; do
+ echo "o $prereq"
+ done
+ ) | @@l_rpmtool@@ msg -b -t error
+ exit 1
+fi
d74 9
a82 4
# Variable declaration
prefix='@@prefix@@'
phpdir="$prefix/lib/php/build"
@
1.13.2.1
log
@Security Fixes (CVE-2006-4625, CVE-2006-4812, CVE-2006-5178)
@
text
@d1 23
a23 8
Security Fix (CVE-2006-4625)
Index: Zend/zend_ini.c
--- Zend/zend_ini.c.orig 2006-01-05 00:53:04 +0100
+++ Zend/zend_ini.c 2006-10-17 08:24:12 +0200
@@@@ -256,8 +256,8 @@@@
zend_ini_entry *ini_entry;
TSRMLS_FETCH();
d25 13
a37 5
- if (zend_hash_find(EG(ini_directives), name, name_length, (void **) &ini_entry)==FAILURE) {
- return FAILURE;
+ if (zend_hash_find(EG(ini_directives), name, name_length, (void **) &ini_entry)==FAILURE ||
+ (stage == ZEND_INI_STAGE_RUNTIME && (ini_entry->modifiable & ZEND_INI_USER) == 0)) { return FAILURE;
}
d39 7
a45 11
zend_restore_ini_entry_cb(ini_entry, stage TSRMLS_CC);
-----------------------------------------------------------------------------
Security Fix (CVE-2006-4812)
Index: Zend/zend_alloc.c
--- Zend/zend_alloc.c.orig 2006-08-10 19:16:24 +0200
+++ Zend/zend_alloc.c 2006-10-17 08:25:42 +0200
@@@@ -328,15 +328,14 @@@@
ZEND_API void *_ecalloc(size_t nmemb, size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
d47 6
a52 28
void *p;
- int final_size = size*nmemb;
HANDLE_BLOCK_INTERRUPTIONS();
- p = _emalloc(final_size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
+ p = _safe_emalloc(nmemb, size, 0 ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
if (!p) {
HANDLE_UNBLOCK_INTERRUPTIONS();
return (void *) p;
}
- memset(p, 0, final_size);
+ memset(p, 0, size * nmemb);
HANDLE_UNBLOCK_INTERRUPTIONS();
return p;
}
-----------------------------------------------------------------------------
Security Fix (CVE-2006-5178)
Index: main/php_open_temporary_file.c
--- main/php_open_temporary_file.c.orig 2006-05-24 01:22:26 +0200
+++ main/php_open_temporary_file.c 2006-10-17 08:26:02 +0200
@@@@ -206,6 +206,7 @@@@
PHPAPI int php_open_temporary_fd(const char *dir, const char *pfx, char **opened_path_p TSRMLS_DC)
{
int fd;
+ const char *temp_dir;
d54 8
a61 4
if (!pfx) {
pfx = "tmp.";
@@@@ -214,11 +215,22 @@@@
*opened_path_p = NULL;
d63 5
d69 2
a70 3
+ if (!dir || *dir == '\0') {
+def_tmp:
+ temp_dir = php_get_temporary_directory();
d72 16
a87 6
+ if (temp_dir && *temp_dir != '\0' && !php_check_open_basedir(temp_dir TSRMLS_CC)) {
+ return php_do_open_temporary_file(temp_dir, pfx, opened_path_p TSRMLS_CC);
+ } else {
+ return -1;
+ }
+ }
d89 4
a92 9
/* Try the directory given as parameter. */
fd = php_do_open_temporary_file(dir, pfx, opened_path_p TSRMLS_CC);
if (fd == -1) {
/* Use default temporary directory. */
- fd = php_do_open_temporary_file(php_get_temporary_directory(), pfx, opened_path_p TSRMLS_CC);
+ goto def_tmp;
}
return fd;
}
@
1.13.2.2
log
@MFC: security fixed upstream version
@
text
@d4 4
a7 4
--- Zend/zend_ini.c.orig 2006-09-06 10:54:44 +0200
+++ Zend/zend_ini.c 2006-11-03 08:46:12 +0100
@@@@ -235,7 +235,8 @@@@
char *duplicate;
d11 1
d13 1
a13 2
+ (stage == ZEND_INI_STAGE_RUNTIME && (ini_entry->modifiable & ZEND_INI_USER)==0)) {
return FAILURE;
d16 67
@
1.13.2.3
log
@MFC: make up leeway for 2_STABLE by virtue of build-time results
@
text
@a14 5
-----------------------------------------------------------------------------
Allow building against cURL 7.16.0 and higher
(http://cvs.php.net/viewcvs.cgi/php-src/ext/curl/interface.c?r1=1.62.2.14.2.12&r2=1.62.2.14.2.13&view=patch)
a15 38
Index: ext/curl/interface.c
--- ext/curl/interface.c.orig 2006-10-11 01:12:59 +0200
+++ ext/curl/interface.c 2006-11-08 09:26:28 +0100
@@@@ -369,7 +369,9 @@@@
REGISTER_CURL_CONSTANT(CURLOPT_FTPAPPEND);
REGISTER_CURL_CONSTANT(CURLOPT_NETRC);
REGISTER_CURL_CONSTANT(CURLOPT_FOLLOWLOCATION);
+#if CURLOPT_FTPASCII != 0
REGISTER_CURL_CONSTANT(CURLOPT_FTPASCII);
+#endif
REGISTER_CURL_CONSTANT(CURLOPT_PUT);
#if CURLOPT_MUTE != 0
REGISTER_CURL_CONSTANT(CURLOPT_MUTE);
@@@@ -409,7 +411,9 @@@@
REGISTER_CURL_CONSTANT(CURLOPT_FILETIME);
REGISTER_CURL_CONSTANT(CURLOPT_WRITEFUNCTION);
REGISTER_CURL_CONSTANT(CURLOPT_READFUNCTION);
+#if CURLOPT_PASSWDFUNCTION != 0
REGISTER_CURL_CONSTANT(CURLOPT_PASSWDFUNCTION);
+#endif
REGISTER_CURL_CONSTANT(CURLOPT_HEADERFUNCTION);
REGISTER_CURL_CONSTANT(CURLOPT_MAXREDIRS);
REGISTER_CURL_CONSTANT(CURLOPT_MAXCONNECTS);
@@@@ -1157,12 +1161,13 @@@@
dupch->handlers->write_header->fp = ch->handlers->write_header->fp;
dupch->handlers->read->fp = ch->handlers->read->fp;
dupch->handlers->read->fd = ch->handlers->read->fd;
-
+#if CURLOPT_PASSWDDATA != 0
if (ch->handlers->passwd) {
zval_add_ref(&ch->handlers->passwd);
dupch->handlers->passwd = ch->handlers->passwd;
curl_easy_setopt(ch->cp, CURLOPT_PASSWDDATA, (void *) dupch);
}
+#endif
if (ch->handlers->write->func_name) {
zval_add_ref(&ch->handlers->write->func_name);
dupch->handlers->write->func_name = ch->handlers->write->func_name;
@
1.13.2.4
log
@MFC: security fixed version
@
text
@@
1.12
log
@upgrading package: php 4.4.0 -> 4.4.1
@
text
@@
1.11
log
@Security Fix (CAN-2005-3054)
@
text
@a92 18
-----------------------------------------------------------------------------
Security Fix (CAN-2005-3054)
Index: main/fopen_wrappers.c
--- main/fopen_wrappers.c.orig 2005-02-03 00:44:07 +0100
+++ main/fopen_wrappers.c 2005-10-04 21:52:15 +0200
@@@@ -120,8 +120,8 @@@@
/* Handler for basedirs that end with a / */
resolved_basedir_len = strlen(resolved_basedir);
if (basedir[strlen(basedir) - 1] == PHP_DIR_SEPARATOR) {
- if (resolved_basedir[resolved_basedir_len - 1] == '/') {
- resolved_basedir[resolved_basedir_len - 1] = PHP_DIR_SEPARATOR;
+ if (resolved_basedir[resolved_basedir_len - 1] != PHP_DIR_SEPARATOR) {
+ resolved_basedir[resolved_basedir_len] = PHP_DIR_SEPARATOR;
resolved_basedir[++resolved_basedir_len] = '\0';
}
}
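Review bot: The rewritten branch stores `PHP_DIR_SEPARATOR` at index `resolved_basedir_len` and the terminator one byte beyond it, so the string grows by one character with no check that the buffer has room for it. The declaration of `resolved_basedir` is outside the hunk, so its capacity cannot be confirmed here; a path that already fills the buffer would presumably be overrun by one byte. The new condition also reads `resolved_basedir[resolved_basedir_len - 1]`, which indexes before the buffer when the resolved path is empty. Guard both by requiring `resolved_basedir_len > 0` and `resolved_basedir_len + 1` smaller than the buffer's capacity before appending. The same hunk appears again in the 1.10.2.1 revision of this patch.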
@
1.11.2.1
log
@Security Fixes (CVE-2005-3353, CVE-2005-3388, CVE-2005-3389, CVE-2005-3390, CVE-2005-3391)
@
text
@a110 247
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3353)
Index: ext/exif/exif.c
--- ext/exif/exif.c.orig 2005-03-22 23:07:03 +0100
+++ ext/exif/exif.c 2005-12-03 17:41:40 +0100
@@@@ -3014,6 +3014,12 @@@@
}
}
/*
+ * Ignore IFD2 if it purportedly exists
+ */
+ if (section_index == SECTION_THUMBNAIL) {
+ return TRUE;
+ }
+ /*
* Hack to make it process IDF1 I hope
* There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail
*/
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3388)
Index: ext/standard/info.c
--- ext/standard/info.c.orig 2005-06-07 15:37:33 +0200
+++ ext/standard/info.c 2005-12-03 17:42:11 +0100
@@@@ -133,10 +133,21 @@@@
PUTS(" => ");
}
if (Z_TYPE_PP(tmp) == IS_ARRAY) {
+ zval *tmp3;
+ MAKE_STD_ZVAL(tmp3);
if (!sapi_module.phpinfo_as_text) {
PUTS("
");
}
+ php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
zend_print_zval_r(*tmp, 0);
+ php_ob_get_buffer(tmp3 TSRMLS_CC);
+ php_end_ob_buffer(0, 0 TSRMLS_CC);
+
+ elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
+ PUTS(elem_esc);
+ efree(elem_esc);
+ zval_ptr_dtor(&tmp3);
+
if (!sapi_module.phpinfo_as_text) {
PUTS("");
}
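Review bot: The result of `php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC)` is discarded, so the escaping added here depends on buffering having actually started. If it did not, `zend_print_zval_r` would presumably write the unescaped value straight to the output, and `Z_STRVAL_P(tmp3)` would be read from a zval that `php_ob_get_buffer` may not have filled with a string. Test the call, for example `if (php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC) == SUCCESS) {`, and skip the print on failure instead of falling back to raw output. `elem_esc` is declared outside the hunk. The same hunk is repeated in the 1.10.2.2 revision.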
@@@@ -196,7 +207,7 @@@@
PHPAPI char *php_info_html_esc(char *string TSRMLS_DC)
{
int new_len;
- return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC);
+ return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
}
/* }}} */
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3389)
Index: ext/standard/string.c
--- ext/standard/string.c.orig 2005-06-02 10:50:52 +0200
+++ ext/standard/string.c 2005-12-03 17:43:25 +0100
@@@@ -3179,7 +3179,6 @@@@
zval *sarg;
char *res = NULL;
int argCount;
- int old_rg;
argCount = ARG_COUNT(ht);
if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) {
@@@@ -3192,19 +3191,18 @@@@
res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg));
}
- old_rg = PG(register_globals);
if (argCount == 1) {
- PG(register_globals) = 1;
- sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC);
+ zval tmp;
+ Z_ARRVAL(tmp) = EG(active_symbol_table);
+
+ sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);
} else {
- PG(register_globals) = 0;
/* Clear out the array that was passed in. */
zval_dtor(*arrayArg);
array_init(*arrayArg);
sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC);
}
- PG(register_globals) = old_rg;
}
/* }}} */
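Review bot: `zval tmp;` is passed to `sapi_module.treat_data` with only its array pointer assigned through `Z_ARRVAL(tmp) = EG(active_symbol_table);`, so its type and reference-count fields are indeterminate. That is harmless only if `treat_data` never inspects anything but the hash table, which cannot be verified from this hunk. Initialising the temporary fully would remove the dependency, for example `INIT_ZVAL(tmp);` and `Z_TYPE(tmp) = IS_ARRAY;` before the assignment, together with a comment that `tmp` borrows the active symbol table and must not be destroyed. The same hunk is repeated in the 1.10.2.2 revision.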
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3390)
Index: ext/standard/array.c
--- ext/standard/array.c.orig 2005-06-21 14:11:19 +0200
+++ ext/standard/array.c 2005-12-03 17:54:00 +0100
@@@@ -1252,6 +1252,10 @@@@
/* break omitted intentionally */
case EXTR_OVERWRITE:
+ /* GLOBALS protection */
+ if (var_exists && !strcmp(var_name, "GLOBALS")) {
+ break;
+ }
smart_str_appendl(&final_name, var_name, var_name_len);
break;
Index: ext/standard/basic_functions.c
--- ext/standard/basic_functions.c.orig 2005-05-16 10:55:31 +0200
+++ ext/standard/basic_functions.c 2005-12-03 17:54:00 +0100
@@@@ -3038,11 +3038,25 @@@@
prefix = va_arg(args, char *);
prefix_len = va_arg(args, uint);
- new_key_len = prefix_len + hash_key->nKeyLength;
- new_key = (char *) emalloc(new_key_len);
+ if (!prefix_len) {
+ if (!hash_key->nKeyLength) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard.");
+ return 0;
+ } else if (!strcmp(hash_key->arKey, "GLOBALS")) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite.");
+ return 0;
+ }
+ }
- memcpy(new_key, prefix, prefix_len);
- memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
+ if (hash_key->nKeyLength) {
+ new_key_len = prefix_len + hash_key->nKeyLength;
+ new_key = (char *) emalloc(new_key_len);
+
+ memcpy(new_key, prefix, prefix_len);
+ memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
+ } else {
+ new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h);
+ }
zend_hash_del(&EG(symbol_table), new_key, new_key_len);
ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0);
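Review bot: The two branches that build `new_key` appear to use different length conventions. The string-key branch copies `hash_key->nKeyLength` bytes and writes no terminator of its own, which suggests `nKeyLength` already counts the trailing NUL. The numeric branch takes `new_key_len` from the return value of `spprintf`, which presumably excludes it. If that reading is right, the `zend_hash_del` and `ZEND_SET_SYMBOL_WITH_LENGTH` calls that follow get a length one short for numeric keys, and `new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h) + 1;` would align them; confirm this against the hash API before changing it. The same hunk is repeated in the 1.10.2.2 revision.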
Index: main/php_variables.c
--- main/php_variables.c.orig 2005-05-17 20:42:35 +0200
+++ main/php_variables.c 2005-12-03 17:54:00 +0100
@@@@ -73,6 +73,10 @@@@
symtable1 = Z_ARRVAL_P(track_vars_array);
} else if (PG(register_globals)) {
symtable1 = EG(active_symbol_table);
+ /* GLOBALS hijack attempt, reject parameter */
+ if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)) {
+ return;
+ }
}
if (!symtable1) {
/* Nothing to do */
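Review bot: The second clause of the added condition, `!strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)`, compares the same seven-character literal over the same eight bytes as the first clause, so it also matches only the exact name `GLOBALS` and never a name that begins with `GLOBALS[`. If the intent is to reject the bracketed form at this point, the literal has to include the bracket: `!strncmp("GLOBALS[", var, sizeof("GLOBALS[")-1)`. The `!strcmp("GLOBALS", var)` check added in the next hunk may still catch that form later if `var` has been cut at the bracket by then, but that code is outside this hunk. This early `return` also skips the `zval_dtor(val)` that the other rejection paths perform, which looks like a leak of `val` and should be confirmed. The same hunk is repeated in the 1.10.2.2 revision.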
@@@@ -99,6 +103,13 @@@@
zval_dtor(val);
return;
}
+
+ /* GLOBALS hijack attempt, reject parameter */
+ if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) {
+ zval_dtor(val);
+ return;
+ }
+
/* ensure that we don't have spaces or dots in the variable name (not binary safe) */
for (p=var; *p; p++) {
switch(*p) {
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3391)
Index: ext/curl/curl.c
--- ext/curl/curl.c.orig 2005-06-02 23:05:06 +0200
+++ ext/curl/curl.c 2005-12-03 17:57:09 +0100
@@@@ -66,7 +66,7 @@@@
#define CAAZ(s, v) add_assoc_zval_ex(return_value, s, sizeof(s), (zval *) v);
#define PHP_CURL_CHECK_OPEN_BASEDIR(str, len) \
- if (PG(open_basedir) && *PG(open_basedir) && \
+ if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \
strncasecmp(str, "file://", sizeof("file://") - 1) == 0) \
{ \
php_url *tmp_url; \
@@@@ -76,7 +76,7 @@@@
RETURN_FALSE; \
} \
\
- if (php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
+ if (tmp_url->query || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
(PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \
) { \
php_url_free(tmp_url); \
@@@@ -992,10 +992,15 @@@@
postval = Z_STRVAL_PP(current);
if (*postval == '@@') {
+ ++postval;
+ /* safe_mode / open_basedir check */
+ if (php_check_open_basedir(postval TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(postval, "rb+", CHECKUID_CHECK_MODE_PARAM))) {
+ RETURN_FALSE;
+ }
error = curl_formadd(&first, &last,
CURLFORM_COPYNAME, string_key,
CURLFORM_NAMELENGTH, (long)string_key_len - 1,
- CURLFORM_FILE, ++postval,
+ CURLFORM_FILE, postval,
CURLFORM_END);
}
else {
Index: ext/gd/gd.c
--- ext/gd/gd.c.orig 2005-05-06 18:51:54 +0200
+++ ext/gd/gd.c 2005-12-03 17:57:09 +0100
@@@@ -1644,7 +1644,7 @@@@
}
if ((argc == 2) || (argc > 2 && Z_STRLEN_PP(file))) {
- if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC)) {
+ if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(fn, "rb+", CHECKUID_CHECK_FILE_AND_DIR))) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid filename '%s'", fn);
RETURN_FALSE;
}
Index: ext/gd/gd_ctx.c
--- ext/gd/gd_ctx.c.orig 2004-01-28 17:27:42 +0100
+++ ext/gd/gd_ctx.c 2005-12-03 17:57:09 +0100
@@@@ -73,7 +73,7 @@@@
}
if ((argc == 2) || (argc > 2 && Z_STRLEN_PP(file))) {
- if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC)) {
+ if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(fn, "rb+", CHECKUID_CHECK_FILE_AND_DIR))) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid filename '%s'", fn);
RETURN_FALSE;
}
@
1.10
log
@upgrading package: php 4.3.10 -> 4.3.11
@
text
@d92 19
@
1.10.2.1
log
@Security Fix (CAN-2005-3054)
@
text
@a91 19
-----------------------------------------------------------------------------
Security Fix (CAN-2005-3054)
Index: main/fopen_wrappers.c
--- main/fopen_wrappers.c.orig 2005-02-03 00:44:07 +0100
+++ main/fopen_wrappers.c 2005-10-04 21:52:15 +0200
@@@@ -120,8 +120,8 @@@@
/* Handler for basedirs that end with a / */
resolved_basedir_len = strlen(resolved_basedir);
if (basedir[strlen(basedir) - 1] == PHP_DIR_SEPARATOR) {
- if (resolved_basedir[resolved_basedir_len - 1] == '/') {
- resolved_basedir[resolved_basedir_len - 1] = PHP_DIR_SEPARATOR;
+ if (resolved_basedir[resolved_basedir_len - 1] != PHP_DIR_SEPARATOR) {
+ resolved_basedir[resolved_basedir_len] = PHP_DIR_SEPARATOR;
resolved_basedir[++resolved_basedir_len] = '\0';
}
}
@
1.10.2.2
log
@Security Fixes (CVE-2005-3353, CVE-2005-3388, CVE-2005-3389, CVE-2005-3390, CVE-2005-3391)
@
text
@a110 247
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3353)
Index: ext/exif/exif.c
--- ext/exif/exif.c.orig 2005-03-22 23:07:03 +0100
+++ ext/exif/exif.c 2005-12-03 17:41:40 +0100
@@@@ -3014,6 +3014,12 @@@@
}
}
/*
+ * Ignore IFD2 if it purportedly exists
+ */
+ if (section_index == SECTION_THUMBNAIL) {
+ return TRUE;
+ }
+ /*
* Hack to make it process IDF1 I hope
* There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail
*/
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3388)
Index: ext/standard/info.c
--- ext/standard/info.c.orig 2005-06-07 15:37:33 +0200
+++ ext/standard/info.c 2005-12-03 17:42:11 +0100
@@@@ -133,10 +133,21 @@@@
PUTS(" => ");
}
if (Z_TYPE_PP(tmp) == IS_ARRAY) {
+ zval *tmp3;
+ MAKE_STD_ZVAL(tmp3);
if (!sapi_module.phpinfo_as_text) {
PUTS("");
}
+ php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
zend_print_zval_r(*tmp, 0);
+ php_ob_get_buffer(tmp3 TSRMLS_CC);
+ php_end_ob_buffer(0, 0 TSRMLS_CC);
+
+ elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
+ PUTS(elem_esc);
+ efree(elem_esc);
+ zval_ptr_dtor(&tmp3);
+
if (!sapi_module.phpinfo_as_text) {
PUTS("");
}
@@@@ -196,7 +207,7 @@@@
PHPAPI char *php_info_html_esc(char *string TSRMLS_DC)
{
int new_len;
- return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC);
+ return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
}
/* }}} */
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3389)
Index: ext/standard/string.c
--- ext/standard/string.c.orig 2005-06-02 10:50:52 +0200
+++ ext/standard/string.c 2005-12-03 17:43:25 +0100
@@@@ -3179,7 +3179,6 @@@@
zval *sarg;
char *res = NULL;
int argCount;
- int old_rg;
argCount = ARG_COUNT(ht);
if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) {
@@@@ -3192,19 +3191,18 @@@@
res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg));
}
- old_rg = PG(register_globals);
if (argCount == 1) {
- PG(register_globals) = 1;
- sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC);
+ zval tmp;
+ Z_ARRVAL(tmp) = EG(active_symbol_table);
+
+ sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);
} else {
- PG(register_globals) = 0;
/* Clear out the array that was passed in. */
zval_dtor(*arrayArg);
array_init(*arrayArg);
sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC);
}
- PG(register_globals) = old_rg;
}
/* }}} */
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3390)
Index: ext/standard/array.c
--- ext/standard/array.c.orig 2005-06-21 14:11:19 +0200
+++ ext/standard/array.c 2005-12-03 17:54:00 +0100
@@@@ -1252,6 +1252,10 @@@@
/* break omitted intentionally */
case EXTR_OVERWRITE:
+ /* GLOBALS protection */
+ if (var_exists && !strcmp(var_name, "GLOBALS")) {
+ break;
+ }
smart_str_appendl(&final_name, var_name, var_name_len);
break;
Index: ext/standard/basic_functions.c
--- ext/standard/basic_functions.c.orig 2005-05-16 10:55:31 +0200
+++ ext/standard/basic_functions.c 2005-12-03 17:54:00 +0100
@@@@ -3038,11 +3038,25 @@@@
prefix = va_arg(args, char *);
prefix_len = va_arg(args, uint);
- new_key_len = prefix_len + hash_key->nKeyLength;
- new_key = (char *) emalloc(new_key_len);
+ if (!prefix_len) {
+ if (!hash_key->nKeyLength) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard.");
+ return 0;
+ } else if (!strcmp(hash_key->arKey, "GLOBALS")) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite.");
+ return 0;
+ }
+ }
- memcpy(new_key, prefix, prefix_len);
- memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
+ if (hash_key->nKeyLength) {
+ new_key_len = prefix_len + hash_key->nKeyLength;
+ new_key = (char *) emalloc(new_key_len);
+
+ memcpy(new_key, prefix, prefix_len);
+ memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
+ } else {
+ new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h);
+ }
zend_hash_del(&EG(symbol_table), new_key, new_key_len);
ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0);
Index: main/php_variables.c
--- main/php_variables.c.orig 2005-05-17 20:42:35 +0200
+++ main/php_variables.c 2005-12-03 17:54:00 +0100
@@@@ -73,6 +73,10 @@@@
symtable1 = Z_ARRVAL_P(track_vars_array);
} else if (PG(register_globals)) {
symtable1 = EG(active_symbol_table);
+ /* GLOBALS hijack attempt, reject parameter */
+ if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)) {
+ return;
+ }
}
if (!symtable1) {
/* Nothing to do */
@@@@ -99,6 +103,13 @@@@
zval_dtor(val);
return;
}
+
+ /* GLOBALS hijack attempt, reject parameter */
+ if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) {
+ zval_dtor(val);
+ return;
+ }
+
/* ensure that we don't have spaces or dots in the variable name (not binary safe) */
for (p=var; *p; p++) {
switch(*p) {
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3391)
Index: ext/curl/curl.c
--- ext/curl/curl.c.orig 2005-06-02 23:05:06 +0200
+++ ext/curl/curl.c 2005-12-03 17:57:09 +0100
@@@@ -66,7 +66,7 @@@@
#define CAAZ(s, v) add_assoc_zval_ex(return_value, s, sizeof(s), (zval *) v);
#define PHP_CURL_CHECK_OPEN_BASEDIR(str, len) \
- if (PG(open_basedir) && *PG(open_basedir) && \
+ if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \
strncasecmp(str, "file://", sizeof("file://") - 1) == 0) \
{ \
php_url *tmp_url; \
@@@@ -76,7 +76,7 @@@@
RETURN_FALSE; \
} \
\
- if (php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
+ if (tmp_url->query || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
(PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \
) { \
php_url_free(tmp_url); \
@@@@ -992,10 +992,15 @@@@
postval = Z_STRVAL_PP(current);
if (*postval == '@@') {
+ ++postval;
+ /* safe_mode / open_basedir check */
+ if (php_check_open_basedir(postval TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(postval, "rb+", CHECKUID_CHECK_MODE_PARAM))) {
+ RETURN_FALSE;
+ }
error = curl_formadd(&first, &last,
CURLFORM_COPYNAME, string_key,
CURLFORM_NAMELENGTH, (long)string_key_len - 1,
- CURLFORM_FILE, ++postval,
+ CURLFORM_FILE, postval,
CURLFORM_END);
}
else {
Index: ext/gd/gd.c
--- ext/gd/gd.c.orig 2005-05-06 18:51:54 +0200
+++ ext/gd/gd.c 2005-12-03 17:57:09 +0100
@@@@ -1644,7 +1644,7 @@@@
}
if ((argc == 2) || (argc > 2 && Z_STRLEN_PP(file))) {
- if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC)) {
+ if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(fn, "rb+", CHECKUID_CHECK_FILE_AND_DIR))) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid filename '%s'", fn);
RETURN_FALSE;
}
Index: ext/gd/gd_ctx.c
--- ext/gd/gd_ctx.c.orig 2004-01-28 17:27:42 +0100
+++ ext/gd/gd_ctx.c 2005-12-03 17:57:09 +0100
@@@@ -73,7 +73,7 @@@@
}
if ((argc == 2) || (argc > 2 && Z_STRLEN_PP(file))) {
- if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC)) {
+ if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(fn, "rb+", CHECKUID_CHECK_FILE_AND_DIR))) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid filename '%s'", fn);
RETURN_FALSE;
}
@
1.9
log
@port to ia64-freebsd5.3 and ix86-solaris10
@
text
@a0 29
Index: scripts/phpize.in
--- scripts/phpize.in.orig 2003-11-14 04:21:15.000000000 +0100
+++ scripts/phpize.in 2004-06-11 09:27:51.866609632 +0200
@@@@ -1,5 +1,25 @@@@
#! /bin/sh
+PATH="@@l_prefix@@/bin:@@l_prefix@@/sbin:$PATH"
+export PATH
+
+prereq_fail=""
+for prereq in autoconf automake libtool; do
+ @@l_rpm@@ --quiet -q $prereq
+ if [ $? -ne 0 ]; then
+ prereq_fail="$prereq_fail $prereq"
+ fi
+done
+if [ ".$prereq_fail" != . ]; then
+ ( echo "OpenPKG: ERROR: please install following OpenPKG packages first"
+ echo "before running $0:"
+ for prereq in $prereq_fail; do
+ echo "o $prereq"
+ done
+ ) | @@l_rpmtool@@ msg -b -t error
+ exit 1
+fi
+
prefix='@@prefix@@'
phpdir="$prefix/lib/php/build"
includedir="$prefix/include/php"
d2 2
a3 2
--- ext/pdf/pdf.c.orig 2004-02-28 23:58:56 +0100
+++ ext/pdf/pdf.c 2004-07-25 11:35:57 +0200
d63 5
a67 20
Index: Zend/zend_strtod.c
--- Zend/zend_strtod.c.orig 2004-12-14 09:35:26 +0100
+++ Zend/zend_strtod.c 2005-02-06 14:15:09 +0100
@@@@ -95,7 +95,7 @@@@
static char *rcsid = "$OpenBSD: strtod.c,v 1.19 2004/02/03 16:52:11 drahn Exp $";
#endif /* LIBC_SCCS and not lint */
-#if defined(__m68k__) || defined(__sparc__) || defined(__i386__) || \
+#if defined(__m68k__) || defined(__sparc__) || defined(__i386__) || defined(__ia64__) || \
defined(__mips__) || defined(__ns32k__) || defined(__alpha__) || \
defined(__powerpc__) || defined(__ppc__) || defined(__m88k__) || \
defined(__hppa__) || defined(__x86_64__) || (defined(__arm__) && \
@@@@ -127,7 +127,7 @@@@
#define IEEE_LITTLE_ENDIAN
#endif
-#if defined(__sparc__) || defined(__ppc__)
+#if defined(__sparc__) || defined(__ppc__) || defined(__sun__)
#define u_int32_t uint32_t
#endif
d69 23
@
1.9.2.1
log
@Security Fix (CAN-2005-3054)
@
text
@a112 18
-----------------------------------------------------------------------------
Security Fix (CAN-2005-3054)
Index: main/fopen_wrappers.c
--- main/fopen_wrappers.c.orig 2005-02-03 00:44:07 +0100
+++ main/fopen_wrappers.c 2005-10-04 21:52:15 +0200
@@@@ -120,8 +120,8 @@@@
/* Handler for basedirs that end with a / */
resolved_basedir_len = strlen(resolved_basedir);
if (basedir[strlen(basedir) - 1] == PHP_DIR_SEPARATOR) {
- if (resolved_basedir[resolved_basedir_len - 1] == '/') {
- resolved_basedir[resolved_basedir_len - 1] = PHP_DIR_SEPARATOR;
+ if (resolved_basedir[resolved_basedir_len - 1] != PHP_DIR_SEPARATOR) {
+ resolved_basedir[resolved_basedir_len] = PHP_DIR_SEPARATOR;
resolved_basedir[++resolved_basedir_len] = '\0';
}
}
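Review bot: The rewritten branch appends a separator instead of overwriting the last byte, so `resolved_basedir` grows by one character, and nothing in the hunk checks that the buffer has room for that byte plus the terminator. The declaration of `resolved_basedir` is outside the hunk; if it is a fixed MAXPATHLEN-sized array, guard the append, for example `if (resolved_basedir_len < MAXPATHLEN - 1 && resolved_basedir[resolved_basedir_len - 1] != PHP_DIR_SEPARATOR) {`. Both `- 1` index expressions also assume that `basedir` and `resolved_basedir` are non-empty, which deserves a comment or an explicit length test.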
@
1.9.2.2
log
@Security Fixes (CVE-2005-3353, CVE-2005-3388, CVE-2005-3389, CVE-2005-3390, CVE-2005-3391)
@
text
@a130 229
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3353)
Index: ext/exif/exif.c
--- ext/exif/exif.c.orig 2005-03-22 23:07:03 +0100
+++ ext/exif/exif.c 2005-12-03 17:41:40 +0100
@@@@ -3014,6 +3014,12 @@@@
}
}
/*
+ * Ignore IFD2 if it purportedly exists
+ */
+ if (section_index == SECTION_THUMBNAIL) {
+ return TRUE;
+ }
+ /*
* Hack to make it process IDF1 I hope
* There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail
*/
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3388)
Index: ext/standard/info.c
--- ext/standard/info.c.orig 2005-06-07 15:37:33 +0200
+++ ext/standard/info.c 2005-12-03 17:42:11 +0100
@@@@ -133,10 +133,21 @@@@
PUTS(" => ");
}
if (Z_TYPE_PP(tmp) == IS_ARRAY) {
+ zval *tmp3;
+ MAKE_STD_ZVAL(tmp3);
if (!sapi_module.phpinfo_as_text) {
PUTS("");
}
+ php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
zend_print_zval_r(*tmp, 0);
+ php_ob_get_buffer(tmp3 TSRMLS_CC);
+ php_end_ob_buffer(0, 0 TSRMLS_CC);
+
+ elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
+ PUTS(elem_esc);
+ efree(elem_esc);
+ zval_ptr_dtor(&tmp3);
+
if (!sapi_module.phpinfo_as_text) {
PUTS("");
}
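Review bot: The added escaping runs whether or not `sapi_module.phpinfo_as_text` is set, so text-mode output of array values is now HTML-escaped too, while the surrounding markup is still emitted only in HTML mode. If that is not intended, the text case should print `Z_STRVAL_P(tmp3)` unescaped. The results of `php_start_ob_buffer()` and `php_ob_get_buffer()` are also ignored, so `Z_STRVAL_P(tmp3)` is read even if no buffer was captured; `tmp3` comes straight from `MAKE_STD_ZVAL` and the hunk does not show it being given a string value on that path.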
@@@@ -196,7 +207,7 @@@@
PHPAPI char *php_info_html_esc(char *string TSRMLS_DC)
{
int new_len;
- return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC);
+ return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
}
/* }}} */
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3389)
Index: ext/standard/string.c
--- ext/standard/string.c.orig 2005-06-02 10:50:52 +0200
+++ ext/standard/string.c 2005-12-03 17:43:25 +0100
@@@@ -3179,7 +3179,6 @@@@
zval *sarg;
char *res = NULL;
int argCount;
- int old_rg;
argCount = ARG_COUNT(ht);
if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) {
@@@@ -3192,19 +3191,18 @@@@
res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg));
}
- old_rg = PG(register_globals);
if (argCount == 1) {
- PG(register_globals) = 1;
- sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC);
+ zval tmp;
+ Z_ARRVAL(tmp) = EG(active_symbol_table);
+
+ sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);
} else {
- PG(register_globals) = 0;
/* Clear out the array that was passed in. */
zval_dtor(*arrayArg);
array_init(*arrayArg);
sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC);
}
- PG(register_globals) = old_rg;
}
/* }}} */
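Review bot: `zval tmp` is a stack variable and only its hash-table pointer is assigned before it is handed to `sapi_module.treat_data`, so its type and reference count are indeterminate. Whether the callee reads them is not visible here, but setting the type costs one line after the `Z_ARRVAL(tmp)` assignment: `Z_TYPE(tmp) = IS_ARRAY;`. A short comment that `tmp` only wraps `EG(active_symbol_table)` and must never be passed to a destructor would also help the next reader.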
Index: ext/standard/array.c
--- ext/standard/array.c.orig 2004-12-02 17:36:41 +0100
+++ ext/standard/array.c 2005-12-03 18:12:00 +0100
@@@@ -1243,6 +1243,10 @@@@
/* break omitted intentionally */
case EXTR_OVERWRITE:
+ /* GLOBALS protection */
+ if (var_exists && !strcmp(var_name, "GLOBALS")) {
+ break;
+ }
smart_str_appendl(&final_name, var_name, var_name_len);
break;
Index: ext/standard/basic_functions.c
--- ext/standard/basic_functions.c.orig 2004-11-16 00:26:40 +0100
+++ ext/standard/basic_functions.c 2005-12-03 18:12:00 +0100
@@@@ -3002,11 +3002,25 @@@@
prefix = va_arg(args, char *);
prefix_len = va_arg(args, uint);
- new_key_len = prefix_len + hash_key->nKeyLength;
- new_key = (char *) emalloc(new_key_len);
+ if (!prefix_len) {
+ if (!hash_key->nKeyLength) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard.");
+ return 0;
+ } else if (!strcmp(hash_key->arKey, "GLOBALS")) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite.");
+ return 0;
+ }
+ }
- memcpy(new_key, prefix, prefix_len);
- memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
+ if (hash_key->nKeyLength) {
+ new_key_len = prefix_len + hash_key->nKeyLength;
+ new_key = (char *) emalloc(new_key_len);
+
+ memcpy(new_key, prefix, prefix_len);
+ memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
+ } else {
+ new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h);
+ }
zend_hash_del(&EG(symbol_table), new_key, new_key_len);
ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0);
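Review bot: In the added numeric-key branch `new_key_len` is the return value of `spprintf`, which does not count the terminator, whereas the string-key branch appears to carry the terminator inside `hash_key->nKeyLength` (it copies exactly that many bytes into a buffer with no spare byte). If key lengths in `EG(symbol_table)` include the trailing NUL, the numeric branch registers a key one byte short; `new_key_len++;` after the `spprintf` call would align the two branches. `hash_key->h` is printed with `%ld`; if it is an unsigned long (its declaration is outside the hunk), `%lu` is the matching conversion. The `"%s"` also relies on `prefix` being NUL-terminated, while the other branch uses `prefix_len`.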
Index: main/main.c
--- main/main.c.orig 2004-10-01 16:27:13 +0200
+++ main/main.c 2005-12-03 18:12:01 +0100
@@@@ -1339,6 +1339,7 @@@@
ulong num_key;
HashPosition pos;
int key_type;
+ int globals_check = (PG(register_globals) && (dest == (&EG(symbol_table))));
zend_hash_internal_pointer_reset_ex(src, &pos);
while (zend_hash_get_current_data_ex(src, (void **)&src_entry, &pos) == SUCCESS) {
@@@@ -1349,7 +1350,12 @@@@
|| Z_TYPE_PP(dest_entry) != IS_ARRAY) {
(*src_entry)->refcount++;
if (key_type == HASH_KEY_IS_STRING) {
- zend_hash_update(dest, string_key, strlen(string_key)+1, src_entry, sizeof(zval *), NULL);
+ /* if register_globals is on and working with main symbol table, prevent overwriting of GLOBALS */
+ if (!globals_check || string_key_len != sizeof("GLOBALS") || memcmp(string_key, "GLOBALS", sizeof("GLOBALS") - 1)) {
+ zend_hash_update(dest, string_key, string_key_len, src_entry, sizeof(zval *), NULL);
+ } else {
+ (*src_entry)->refcount--;
+ }
} else {
zend_hash_index_update(dest, num_key, src_entry, sizeof(zval *), NULL);
}
Index: main/php_variables.c
--- main/php_variables.c.orig 2004-10-18 17:08:46 +0200
+++ main/php_variables.c 2005-12-03 18:12:00 +0100
@@@@ -73,6 +73,10 @@@@
symtable1 = Z_ARRVAL_P(track_vars_array);
} else if (PG(register_globals)) {
symtable1 = EG(active_symbol_table);
+ /* GLOBALS hijack attempt, reject parameter */
+ if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)) {
+ return;
+ }
}
if (!symtable1) {
/* Nothing to do */
@@@@ -99,6 +103,13 @@@@
zval_dtor(val);
return;
}
+
+ /* GLOBALS hijack attempt, reject parameter */
+ if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) {
+ zval_dtor(val);
+ return;
+ }
+
/* ensure that we don't have spaces or dots in the variable name (not binary safe) */
for (p=var; *p; p++) {
switch(*p) {
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3391)
Index: ext/gd/gd.c
--- ext/gd/gd.c.orig 2005-05-06 18:51:54 +0200
+++ ext/gd/gd.c 2005-12-03 17:57:09 +0100
@@@@ -1644,7 +1644,7 @@@@
}
if ((argc == 2) || (argc > 2 && Z_STRLEN_PP(file))) {
- if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC)) {
+ if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(fn, "rb+", CHECKUID_CHECK_FILE_AND_DIR))) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid filename '%s'", fn);
RETURN_FALSE;
}
Index: ext/gd/gd_ctx.c
--- ext/gd/gd_ctx.c.orig 2004-01-28 17:27:42 +0100
+++ ext/gd/gd_ctx.c 2005-12-03 17:57:09 +0100
@@@@ -73,7 +73,7 @@@@
}
if ((argc == 2) || (argc > 2 && Z_STRLEN_PP(file))) {
- if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC)) {
+ if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(fn, "rb+", CHECKUID_CHECK_FILE_AND_DIR))) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid filename '%s'", fn);
RETURN_FALSE;
}
@
1.8
log
@fix building against PDFLib 6.0.0p1 which no longer has a PDF_open_fp() function
@
text
@d92 21
@
1.8.2.1
log
@Security Fixes (OpenPKG-2004.053-php; CAN-2004-1018, CAN-2004-1018, CAN-2004-1019, CAN-2004-1020, CAN-2004-1063, CAN-2004-1064, CAN-2004-1065)
@
text
@a91 417
-----------------------------------------------------------------------------
Security Fixes (OpenPKG-2004.053-php):
o CAN-2004-1018:
shmop_write() out of bounds memory write access.
(ext/shmop/shmop.c)
o CAN-2004-1018:
integer overflow/underflow in pack() and unpack() functions.
(main/php.h, ext/standard/pack.c)
o CAN-2004-1019:
possible information disclosure, double free and negative reference
index array underflow in deserialization code.
(ext/standard/var_unserializer.re, ext/standard/var_unserializer.c)
o CAN-2004-1020:
addslashes() not escaping \0 correctly.
(ext/standard/string.c)
o CAN-2004-1063:
safe_mode execution directory bypass.
(ext/standard/link.c)
o CAN-2004-1064:
arbitrary file access through path truncation.
(main/safe_mode.c)
o CAN-2004-1065:
exif_read_data() overflow on long sectionname.
(ext/exif/exif.c)
o XXX-XXXX-XXXX:
magic_quotes_gpc could lead to one level directory traversal with
file uploads.
(main/rfc1867.c)
Index: ext/exif/exif.c
--- ext/exif/exif.c.orig 2003-12-17 10:08:37 +0100
+++ ext/exif/exif.c 2004-12-16 17:36:48 +0100
@@@@ -2712,7 +2712,7 @@@@
// JPEG does not use absolute pointers instead its pointers are relative to the start
// of the TIFF header in APP1 section.
*/
- if (offset_val+byte_count>ImageInfo->FileSize || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM)) {
+ if (offset_val+byte_count>ImageInfo->FileSize || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {
if (value_ptr < dir_entry) {
/* we can read this if offset_val > 0 */
/* some files have their values in other parts of the file */
@@@@ -3750,7 +3750,7 @@@@
}
}
for (i=0; i shmop->size) {
+ if (offset < 0 || offset > shmop->size) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "offset out of range");
RETURN_FALSE;
}
Index: ext/standard/string.c
--- ext/standard/string.c.orig 2004-07-11 23:24:47 +0200
+++ ext/standard/string.c 2004-12-16 17:36:48 +0100
@@@@ -2443,7 +2443,13 @@@@
p = str;
if (!type) {
while (p < e) {
- if (php_esc_list[(int)(unsigned char)*p]) {
+ int c = php_esc_list[(int)(unsigned char)*p];
+ if (c == 2) {
+ *ps++ = '\\';
+ *ps++ = '0';
+ p++;
+ continue;
+ } else if (c) {
*ps++ = '\\';
}
*ps++ = *p++;
Index: ext/standard/pack.c
--- ext/standard/pack.c.orig 2004-02-25 13:36:24 +0100
+++ ext/standard/pack.c 2004-12-16 17:36:48 +0100
@@@@ -63,6 +63,13 @@@@
#include
#endif
+#define INC_OUTPUTPOS(a,b) \
+ if ((a) < 0 || ((INT_MAX - outputpos)/(b)) < (a)) { \
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Type %c: integer overflow in format string", code); \
+ RETURN_FALSE; \
+ } \
+ outputpos += (a)*(b);
+
/* Whether machine is little endian */
char machine_little_endian;
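Review bot: `INC_OUTPUTPOS` expands to a bare `if` block followed by a separate statement, so it is only safe where it stands as a full statement inside braces, and it evaluates `a` and `b` more than once. Wrapping the body as `do { ... } while (0)` and ending each use with a semicolon keeps it safe under an unbraced `if`/`else`. The macro also depends silently on `outputpos` and `code` being in scope and on `RETURN_FALSE` being valid at the call site, which deserves a one-line comment above the definition. The same definition appears in the pack.c hunk of the 1.7.2.2 delta.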
@@@@ -246,7 +253,7 @@@@
switch ((int) code) {
case 'h':
case 'H':
- outputpos += (arg + 1) / 2; /* 4 bit per arg */
+ INC_OUTPUTPOS((arg + 1) / 2,1) /* 4 bit per arg */
break;
case 'a':
@@@@ -254,34 +261,34 @@@@
case 'c':
case 'C':
case 'x':
- outputpos += arg; /* 8 bit per arg */
+ INC_OUTPUTPOS(arg,1) /* 8 bit per arg */
break;
case 's':
case 'S':
case 'n':
case 'v':
- outputpos += arg * 2; /* 16 bit per arg */
+ INC_OUTPUTPOS(arg,2) /* 16 bit per arg */
break;
case 'i':
case 'I':
- outputpos += arg * sizeof(int);
+ INC_OUTPUTPOS(arg,sizeof(int))
break;
case 'l':
case 'L':
case 'N':
case 'V':
- outputpos += arg * 4; /* 32 bit per arg */
+ INC_OUTPUTPOS(arg,4) /* 32 bit per arg */
break;
case 'f':
- outputpos += arg * sizeof(float);
+ INC_OUTPUTPOS(arg,sizeof(float))
break;
case 'd':
- outputpos += arg * sizeof(double);
+ INC_OUTPUTPOS(arg,sizeof(double))
break;
case 'X':
@@@@ -650,6 +657,11 @@@@
sprintf(n, "%.*s", namelen, name);
}
+ if (size != 0 && size != -1 && INT_MAX - size + 1 < inputpos) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Type %c: integer overflow", type);
+ inputpos = 0;
+ }
+
if ((inputpos + size) <= inputlen) {
switch ((int) type) {
case 'a':
@@@@ -820,6 +832,10 @@@@
}
inputpos += size;
+ if (inputpos < 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Type %c: outside of string", type);
+ inputpos = 0;
+ }
} else if (arg < 0) {
/* Reached end of input for '*' repeater */
break;
Index: ext/standard/var_unserializer.re
--- ext/standard/var_unserializer.re.orig 2004-03-27 02:17:06 +0100
+++ ext/standard/var_unserializer.re 2004-12-16 17:36:48 +0100
@@@@ -62,7 +62,7 @@@@
if (!var_hash) return !SUCCESS;
- if (id >= var_hash->used_slots) return !SUCCESS;
+ if (id < 0 || id >= var_hash->used_slots) return !SUCCESS;
*store = &var_hash->data[id];
@@@@ -139,7 +139,7 @@@@
static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, int elements)
{
while (elements-- > 0) {
- zval *key, *data;
+ zval *key, *data, *old_data;
ALLOC_INIT_ZVAL(key);
@@@@ -161,9 +161,15 @@@@
switch (Z_TYPE_P(key)) {
case IS_LONG:
+ if (zend_hash_index_find(ht, Z_LVAL_P(key), (void **)&old_data)) {
+ var_replace(var_hash, old_data, rval);
+ }
zend_hash_index_update(ht, Z_LVAL_P(key), &data, sizeof(data), NULL);
break;
case IS_STRING:
+ if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)) {
+ var_replace(var_hash, old_data, rval);
+ }
zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof(data), NULL);
break;
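Review bot: The added lookups treat a non-zero return from `zend_hash_index_find` / `zend_hash_find` as "found", but this file's own context lines return `!SUCCESS` for failure, which suggests success is zero; if these lookups follow that convention, `var_replace` runs only when the lookup failed and `old_data` is uninitialised. An explicit comparison removes the doubt: `if (zend_hash_index_find(ht, Z_LVAL_P(key), (void **)&old_data) == SUCCESS) {`. `old_data` is declared `zval *` in the previous hunk yet is filled through a `void **`, while the table stores `zval *` elements (`sizeof(data)`), so the value handed back may really be a `zval **`; confirm against `var_replace`'s signature, which is outside the hunk. The same pattern is in the var_unserializer.c hunks and in the 1.7.2.2 copy of both files.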
@@@@ -311,6 +317,8 @@@@
} else {
str = estrndup(YYCURSOR, len);
}
+
+ if (*rval == *rval_ref) return 0;
YYCURSOR += len + 2;
*p = YYCURSOR;
Index: ext/standard/var_unserializer.c
--- ext/standard/var_unserializer.c.orig 2004-09-21 00:32:00 +0200
+++ ext/standard/var_unserializer.c 2004-12-16 17:36:48 +0100
@@@@ -63,7 +63,7 @@@@
if (!var_hash) return !SUCCESS;
- if (id >= var_hash->used_slots) return !SUCCESS;
+ if (id < 0 || id >= var_hash->used_slots) return !SUCCESS;
*store = &var_hash->data[id];
@@@@ -134,7 +134,7 @@@@
static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, int elements)
{
while (elements-- > 0) {
- zval *key, *data;
+ zval *key, *data, *old_data;
ALLOC_INIT_ZVAL(key);
@@@@ -156,9 +156,15 @@@@
switch (Z_TYPE_P(key)) {
case IS_LONG:
+ if (zend_hash_index_find(ht, Z_LVAL_P(key), (void **)&old_data)) {
+ var_replace(var_hash, old_data, rval);
+ }
zend_hash_index_update(ht, Z_LVAL_P(key), &data, sizeof(data), NULL);
break;
case IS_STRING:
+ if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)) {
+ var_replace(var_hash, old_data, rval);
+ }
zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof(data), NULL);
break;
@@@@ -566,6 +572,8 @@@@
str = estrndup(YYCURSOR, len);
}
+ if (*rval == *rval_ref) return 0;
+
YYCURSOR += len + 2;
*p = YYCURSOR;
Index: ext/standard/link.c
--- ext/standard/link.c.orig 2002-12-31 17:35:31 +0100
+++ ext/standard/link.c 2004-12-16 17:36:48 +0100
@@@@ -65,6 +65,14 @@@@
}
convert_to_string_ex(filename);
+ if (PG(safe_mode) && !php_checkuid(Z_STRVAL_PP(filename), NULL, CHECKUID_CHECK_FILE_AND_DIR)) {
+ RETURN_FALSE;
+ }
+
+ if (php_check_open_basedir(Z_STRVAL_PP(filename) TSRMLS_CC)) {
+ RETURN_FALSE;
+ }
+
ret = readlink(Z_STRVAL_PP(filename), buff, MAXPATHLEN-1);
if (ret == -1) {
Index: main/php.h
--- main/php.h.orig 2003-09-25 01:22:32 +0200
+++ main/php.h 2004-12-16 17:36:48 +0100
@@@@ -226,6 +226,14 @@@@
#define LONG_MIN (- LONG_MAX - 1)
#endif
+#ifndef INT_MAX
+#define INT_MAX 2147483647
+#endif
+
+#ifndef INT_MIN
+#define INT_MIN (- INT_MAX - 1)
+#endif
+
#define PHP_GCC_VERSION ZEND_GCC_VERSION
#define PHP_ATTRIBUTE_MALLOC ZEND_ATTRIBUTE_MALLOC
#define PHP_ATTRIBUTE_FORMAT ZEND_ATTRIBUTE_FORMAT
Index: main/safe_mode.c
--- main/safe_mode.c.orig 2003-03-17 14:50:23 +0100
+++ main/safe_mode.c 2004-12-16 17:36:48 +0100
@@@@ -54,13 +54,16 @@@@
php_stream_wrapper *wrapper = NULL;
TSRMLS_FETCH();
- strlcpy(filenamecopy, filename, MAXPATHLEN);
- filename=(char *)&filenamecopy;
-
if (!filename) {
return 0; /* path must be provided */
}
+ if (strlcpy(filenamecopy, filename, MAXPATHLEN)>=MAXPATHLEN) {
+ return 0;
+ }
+ filename=(char *)&filenamecopy;
+
+
if (fopen_mode) {
if (fopen_mode[0] == 'r') {
mode = CHECKUID_DISALLOW_FILE_NOT_EXISTS;
Index: main/rfc1867.c
--- main/rfc1867.c.orig 2004-09-13 18:00:50 +0200
+++ main/rfc1867.c 2004-12-16 17:36:48 +0100
@@@@ -126,6 +126,7 @@@@
#define UPLOAD_ERROR_B 2 /* Uploaded file exceeded MAX_FILE_SIZE */
#define UPLOAD_ERROR_C 3 /* Partially uploaded */
#define UPLOAD_ERROR_D 4 /* No file uploaded */
+#define UPLOAD_ERROR_E 6 /* Missing /tmp or similar directory */
void php_rfc1867_register_constants(TSRMLS_D)
{
@@@@ -134,6 +135,7 @@@@
REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_FORM_SIZE", UPLOAD_ERROR_B, CONST_CS | CONST_PERSISTENT);
REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_PARTIAL", UPLOAD_ERROR_C, CONST_CS | CONST_PERSISTENT);
REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_FILE", UPLOAD_ERROR_D, CONST_CS | CONST_PERSISTENT);
+ REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_TMP_DIR", UPLOAD_ERROR_E, CONST_CS | CONST_PERSISTENT);
}
static void normalize_protected_variable(char *varname TSRMLS_DC)
@@@@ -956,12 +958,14 @@@@
}
}
+ total_bytes = cancel_upload = 0;
+
if (!skip_upload) {
/* Handle file */
fp = php_open_temporary_file(PG(upload_tmp_dir), "php", &temp_filename TSRMLS_CC);
if (!fp) {
sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
- skip_upload = 1;
+ cancel_upload = UPLOAD_ERROR_E;
}
}
if (skip_upload) {
@@@@ -970,9 +974,6 @@@@
continue;
}
- total_bytes = 0;
- cancel_upload = 0;
-
if(strlen(filename) == 0) {
#ifdef DEBUG_FILE_UPLOAD
sapi_module.sapi_error(E_NOTICE, "No file uploaded");
@@@@ -999,10 +1000,12 @@@@
}
}
}
- fclose(fp);
+ if (fp) {
+ fclose(fp);
+ }
#ifdef DEBUG_FILE_UPLOAD
- if(strlen(filename) > 0 && total_bytes == 0) {
+ if(strlen(filename) > 0 && total_bytes == 0 && !cancel_upload) {
sapi_module.sapi_error(E_WARNING, "Uploaded file size 0 - file [%s=%s] not saved", param, filename);
cancel_upload = 5;
}
@@@@ -1010,7 +1013,9 @@@@
if (cancel_upload) {
if (temp_filename) {
- unlink(temp_filename);
+ if (cancel_upload != UPLOAD_ERROR_E) { /* file creation failed */
+ unlink(temp_filename);
+ }
efree(temp_filename);
}
temp_filename="";
@@@@ -1076,6 +1081,14 @@@@
s = tmp;
}
#endif
+ if (PG(magic_quotes_gpc)) {
+ s = s ? s : filename;
+ tmp = strrchr(s, '\'');
+ s = tmp > s ? tmp : s;
+ tmp = strrchr(s, '"');
+ s = tmp > s ? tmp : s;
+ }
+
if (s && s > filename) {
safe_php_register_variable(lbuf, s+1, NULL, 0 TSRMLS_CC);
} else {
@
1.8.2.2
log
@Shit happens: one hunk too much, others missing plus a whole file not patched
@
text
@d274 1
a274 1
+++ ext/standard/var_unserializer.re 2004-12-16 21:06:33 +0100
d309 3
a311 13
@@@@ -398,7 +404,6 @@@@
#ifdef ZEND_ENGINE_2
ce = *(zend_class_entry **)ce; /* Bad hack, TBF! */
#endif
- efree(class_name);
}
}
}
@@@@ -406,7 +411,6 @@@@
#ifdef ZEND_ENGINE_2
ce = *(zend_class_entry **)ce; /* Bad hack, TBF! */
#endif
- efree(class_name);
d313 2
d316 1
a317 10
@@@@ -414,8 +418,8 @@@@
if (incomplete_class) {
php_store_class_name(*rval, class_name, len2 TSRMLS_CC);
- efree(class_name);
}
+ efree(class_name);
return object_common2(UNSERIALIZE_PASSTHRU, elements);
}
d320 1
a320 1
+++ ext/standard/var_unserializer.c 2004-12-16 21:07:00 +0100
d355 2
a356 13
@@@@ -435,7 +441,6 @@@@
#ifdef ZEND_ENGINE_2
ce = *(zend_class_entry **)ce; /* Bad hack, TBF! */
#endif
- efree(class_name);
}
}
}
@@@@ -443,7 +448,6 @@@@
#ifdef ZEND_ENGINE_2
ce = *(zend_class_entry **)ce; /* Bad hack, TBF! */
#endif
- efree(class_name);
d359 3
a362 7
@@@@ -451,8 +455,8 @@@@
if (incomplete_class) {
php_store_class_name(*rval, class_name, len2 TSRMLS_CC);
- efree(class_name);
}
+ efree(class_name);
a363 2
return object_common2(UNSERIALIZE_PASSTHRU, elements);
}
a508 103
Index: TSRM/tsrm_virtual_cwd.c
--- TSRM/tsrm_virtual_cwd.c.orig 2003-07-28 20:35:34 +0200
+++ TSRM/tsrm_virtual_cwd.c 2004-12-16 21:13:42 +0100
@@@@ -301,15 +301,22 @@@@
if (path_length == 0)
return (0);
+ if (path_length >= MAXPATHLEN)
+ return (1);
#if !defined(TSRM_WIN32) && !defined(NETWARE)
/* cwd_length can be 0 when getcwd() fails.
* This can happen under solaris when a dir does not have read permissions
* but *does* have execute permissions */
if (IS_ABSOLUTE_PATH(path, path_length) || (state->cwd_length < 1)) {
- if (use_realpath && realpath(path, resolved_path)) {
- path = resolved_path;
- path_length = strlen(path);
+ if (use_realpath) {
+ if (realpath(path, resolved_path)) {
+ path = resolved_path;
+ path_length = strlen(path);
+ } else {
+ /* disable for now
+ return 1; */
+ }
}
} else { /* Concat current directory with relative path and then run realpath() on it */
char *tmp;
@@@@ -325,9 +332,19 @@@@
memcpy(ptr, path, path_length);
ptr += path_length;
*ptr = '\0';
- if (use_realpath && realpath(tmp, resolved_path)) {
- path = resolved_path;
- path_length = strlen(path);
+ if (strlen(tmp) >= MAXPATHLEN) {
+ free(tmp);
+ return 1;
+ }
+ if (use_realpath) {
+ if (realpath(tmp, resolved_path)) {
+ path = resolved_path;
+ path_length = strlen(path);
+ } else {
+ /* disable for now
+ free(tmp);
+ return 1; */
+ }
}
free(tmp);
}
@@@@ -818,13 +835,24 @@@@
CWD_API FILE *virtual_popen(const char *command, const char *type TSRMLS_DC)
{
int command_length;
+ int dir_length, extra = 0;
char *command_line;
- char *ptr;
+ char *ptr, *dir;
FILE *retval;
command_length = strlen(command);
- ptr = command_line = (char *) malloc(command_length + sizeof("cd ; ") + CWDG(cwd).cwd_length+1);
+ dir_length = CWDG(cwd).cwd_length;
+ dir = CWDG(cwd).cwd;
+ while (dir_length > 0) {
+ if (*dir == '\'') extra+=3;
+ dir++;
+ dir_length--;
+ }
+ dir_length = CWDG(cwd).cwd_length;
+ dir = CWDG(cwd).cwd;
+
+ ptr = command_line = (char *) malloc(command_length + sizeof("cd '' ; ") + dir_length +1+1);
if (!command_line) {
return NULL;
}
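Review bot: `extra` is counted (three bytes per single quote in the working directory) but never added to the `malloc` size, so the buffer is sized for the unescaped directory while the next hunk writes four bytes for every quote. A working directory that contains `'` therefore overruns `command_line`. Add the count to the allocation: `malloc(command_length + sizeof("cd '' ; ") + dir_length + extra + 1 + 1)`. The sum is computed in `int` with no overflow check, and the function continues outside the hunk.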
@@@@ -834,8 +862,21 @@@@
if (CWDG(cwd).cwd_length == 0) {
*ptr++ = DEFAULT_SLASH;
} else {
- memcpy(ptr, CWDG(cwd).cwd, CWDG(cwd).cwd_length);
- ptr += CWDG(cwd).cwd_length;
+ *ptr++ = '\'';
+ while (dir_length > 0) {
+ switch (*dir) {
+ case '\'':
+ *ptr++ = '\'';
+ *ptr++ = '\\';
+ *ptr++ = '\'';
+ /* fall-through */
+ default:
+ *ptr++ = *dir;
+ }
+ dir++;
+ dir_length--;
+ }
+ *ptr++ = '\'';
}
*ptr++ = ' ';
@
1.8.2.3
log
@mention newly patched file, too
@
text
@d116 1
a116 1
(ext/standard/link.c, TSRM/tsrm_virtual_cwd.c)
@
1.7
log
@fix typo (semicolon instead of colon) and use more portable sub-shell construct
@
text
@d1 3
a3 2
--- php-4.3.7/scripts/phpize.in.orig 2003-11-14 04:21:15.000000000 +0100
+++ php-4.3.7/scripts/phpize.in 2004-06-11 09:27:51.866609632 +0200
d30 62
@
1.7.2.1
log
@MFC: fix building against PDFLib 6.0.0p1 which no longer has a PDF_open_fp() function
@
text
@d1 2
a2 3
Index: scripts/phpize.in
--- scripts/phpize.in.orig 2003-11-14 04:21:15.000000000 +0100
+++ scripts/phpize.in 2004-06-11 09:27:51.866609632 +0200
a28 62
Index: ext/pdf/pdf.c
--- ext/pdf/pdf.c.orig 2004-02-28 23:58:56 +0100
+++ ext/pdf/pdf.c 2004-07-25 11:35:57 +0200
@@@@ -240,6 +240,16 @@@@
ZEND_GET_MODULE(pdf)
#endif
+ZEND_BEGIN_MODULE_GLOBALS(pdf)
+FILE *fp;
+ZEND_END_MODULE_GLOBALS(pdf)
+ZEND_DECLARE_MODULE_GLOBALS(pdf)
+#ifdef ZTS
+#define PDF_G(v) TSRMG(pdf_globals_id, zend_pdf_globals *, v)
+#else
+#define PDF_G(v) (pdf_globals.v)
+#endif
+
/* {{{ _free_pdf_doc
*/
static void _free_pdf_doc(zend_rsrc_list_entry *rsrc TSRMLS_DC)
@@@@ -305,6 +315,15 @@@@
}
/* }}} */
+/* {{{ pdf_flushwrite_fp
+ */
+static size_t pdf_flushwrite_fp(PDF *p, void *data, size_t size)
+{
+ FILE *fp = PDF_G(fp);
+ return fwrite(data, size, 1, fp);
+}
+/* }}} */
+
/* {{{ pdf_flushwrite
*/
static size_t pdf_flushwrite(PDF *p, void *data, size_t size)
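Review bot: `pdf_flushwrite_fp` returns `fwrite(data, size, 1, fp)`, which is the number of items written (0 or 1), not a byte count. If the PDFlib write callback is expected to report bytes written (its contract is outside this patch), use `return fwrite(data, 1, size, fp);`. The callback also takes its stream from the single module-global `PDF_G(fp)` assigned in the last hunk, so two documents opened on different files would share the most recently stored stream; that limitation should be stated in the function's comment.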
@@@@ -339,8 +358,13 @@@@
/* {{{ PHP_MINIT_FUNCTION
*/
+static void php_pdf_init_globals (zend_pdf_globals *g)
+{
+ g->fp = NULL;
+}
PHP_MINIT_FUNCTION(pdf)
{
+ ZEND_INIT_MODULE_GLOBALS(pdf, php_pdf_init_globals, NULL);
if ((PDF_get_majorversion() != PDFLIB_MAJORVERSION) ||
(PDF_get_minorversion() != PDFLIB_MINORVERSION)) {
php_error(E_ERROR,"PDFlib error: Version mismatch in wrapper code");
@@@@ -469,9 +493,8 @@@@
pdf = PDF_new2(custom_errorhandler, pdf_emalloc, pdf_realloc, pdf_efree, NULL);
if(fp) {
- if (PDF_open_fp(pdf, fp) < 0) {
- RETURN_FALSE;
- }
+ PDF_G(fp) = fp;
+ PDF_begin_document_callback(pdf, pdf_flushwrite_fp, "");
} else {
PDF_open_mem(pdf, pdf_flushwrite);
}
@
1.7.2.2
log
@Security Fixes (OpenPKG-2004.053-php; CAN-2004-1018, CAN-2004-1018, CAN-2004-1019, CAN-2004-1020, CAN-2004-1063, CAN-2004-1064, CAN-2004-1065)
@
text
@a91 400
-----------------------------------------------------------------------------
Security Fixes (OpenPKG-2004.053-php):
o CAN-2004-1018:
shmop_write() out of bounds memory write access.
(ext/shmop/shmop.c)
o CAN-2004-1018:
integer overflow/underflow in pack() and unpack() functions.
(main/php.h, ext/standard/pack.c)
o CAN-2004-1019:
possible information disclosure, double free and negative reference
index array underflow in deserialization code.
(ext/standard/var_unserializer.re, ext/standard/var_unserializer.c)
o CAN-2004-1020:
addslashes() not escaping \0 correctly.
(ext/standard/string.c)
**** NOT NECCESSARY IN PHP 4.3.8!! ****
o CAN-2004-1063:
safe_mode execution directory bypass.
(ext/standard/link.c)
o CAN-2004-1064:
arbitrary file access through path truncation.
(main/safe_mode.c)
o CAN-2004-1065:
exif_read_data() overflow on long sectionname.
(ext/exif/exif.c)
o XXX-XXXX-XXXX:
magic_quotes_gpc could lead to one level directory traversal with
file uploads.
(main/rfc1867.c)
Index: ext/exif/exif.c
--- ext/exif/exif.c.orig 2003-12-17 10:08:37 +0100
+++ ext/exif/exif.c 2004-12-16 17:20:05 +0100
@@@@ -2712,7 +2712,7 @@@@
// JPEG does not use absolute pointers instead its pointers are relative to the start
// of the TIFF header in APP1 section.
*/
- if (offset_val+byte_count>ImageInfo->FileSize || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM)) {
+ if (offset_val+byte_count>ImageInfo->FileSize || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {
if (value_ptr < dir_entry) {
/* we can read this if offset_val > 0 */
/* some files have their values in other parts of the file */
@@@@ -3750,7 +3750,7 @@@@
}
}
for (i=0; i shmop->size) {
+ if (offset < 0 || offset > shmop->size) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "offset out of range");
RETURN_FALSE;
}
Index: ext/standard/link.c
--- ext/standard/link.c.orig 2002-12-31 17:35:31 +0100
+++ ext/standard/link.c 2004-12-16 17:20:05 +0100
@@@@ -65,6 +65,14 @@@@
}
convert_to_string_ex(filename);
+ if (PG(safe_mode) && !php_checkuid(Z_STRVAL_PP(filename), NULL, CHECKUID_CHECK_FILE_AND_DIR)) {
+ RETURN_FALSE;
+ }
+
+ if (php_check_open_basedir(Z_STRVAL_PP(filename) TSRMLS_CC)) {
+ RETURN_FALSE;
+ }
+
ret = readlink(Z_STRVAL_PP(filename), buff, MAXPATHLEN-1);
if (ret == -1) {
Index: ext/standard/pack.c
--- ext/standard/pack.c.orig 2004-02-25 13:36:24 +0100
+++ ext/standard/pack.c 2004-12-16 17:20:05 +0100
@@@@ -63,6 +63,13 @@@@
#include
#endif
+#define INC_OUTPUTPOS(a,b) \
+ if ((a) < 0 || ((INT_MAX - outputpos)/(b)) < (a)) { \
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Type %c: integer overflow in format string", code); \
+ RETURN_FALSE; \
+ } \
+ outputpos += (a)*(b);
+
/* Whether machine is little endian */
char machine_little_endian;
@@@@ -246,7 +253,7 @@@@
switch ((int) code) {
case 'h':
case 'H':
- outputpos += (arg + 1) / 2; /* 4 bit per arg */
+ INC_OUTPUTPOS((arg + 1) / 2,1) /* 4 bit per arg */
break;
case 'a':
@@@@ -254,34 +261,34 @@@@
case 'c':
case 'C':
case 'x':
- outputpos += arg; /* 8 bit per arg */
+ INC_OUTPUTPOS(arg,1) /* 8 bit per arg */
break;
case 's':
case 'S':
case 'n':
case 'v':
- outputpos += arg * 2; /* 16 bit per arg */
+ INC_OUTPUTPOS(arg,2) /* 16 bit per arg */
break;
case 'i':
case 'I':
- outputpos += arg * sizeof(int);
+ INC_OUTPUTPOS(arg,sizeof(int))
break;
case 'l':
case 'L':
case 'N':
case 'V':
- outputpos += arg * 4; /* 32 bit per arg */
+ INC_OUTPUTPOS(arg,4) /* 32 bit per arg */
break;
case 'f':
- outputpos += arg * sizeof(float);
+ INC_OUTPUTPOS(arg,sizeof(float))
break;
case 'd':
- outputpos += arg * sizeof(double);
+ INC_OUTPUTPOS(arg,sizeof(double))
break;
case 'X':
@@@@ -650,6 +657,11 @@@@
sprintf(n, "%.*s", namelen, name);
}
+ if (size != 0 && size != -1 && INT_MAX - size + 1 < inputpos) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Type %c: integer overflow", type);
+ inputpos = 0;
+ }
+
if ((inputpos + size) <= inputlen) {
switch ((int) type) {
case 'a':
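Review bot: After the overflow warning the added block sets `inputpos = 0` and falls through to the `(inputpos + size) <= inputlen` test, so a format that trips the check keeps decoding from the start of the input instead of stopping. Failing the call at that point (after cleaning up whatever the function has built so far, which is outside this hunk) would be easier to reason about than restarting the cursor. The expression `INT_MAX - size + 1` is itself signed arithmetic and overflows if `size` can be negative other than -1; the hunk does not show whether that is excluded, so a comment stating the valid range of `size` would help.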
@@@@ -820,6 +832,10 @@@@
}
inputpos += size;
+ if (inputpos < 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Type %c: outside of string", type);
+ inputpos = 0;
+ }
} else if (arg < 0) {
/* Reached end of input for '*' repeater */
break;
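Review bot: The `inputpos < 0` test runs after `inputpos += size` has already been evaluated; if both are signed `int` (the `INT_MAX` comparison in the previous hunk suggests so), the overflow it tries to detect is undefined behaviour and an optimising compiler may drop the test. Checking before the addition avoids that, for example `if (size > INT_MAX - inputpos) { /* warn, reset */ } else { inputpos += size; }`. The enclosing loop starts and ends outside this hunk.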
Index: ext/standard/var_unserializer.re
--- ext/standard/var_unserializer.re.orig 2004-03-27 02:17:06 +0100
+++ ext/standard/var_unserializer.re 2004-12-16 17:20:05 +0100
@@@@ -62,7 +62,7 @@@@
if (!var_hash) return !SUCCESS;
- if (id >= var_hash->used_slots) return !SUCCESS;
+ if (id < 0 || id >= var_hash->used_slots) return !SUCCESS;
*store = &var_hash->data[id];
@@@@ -139,7 +139,7 @@@@
static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, int elements)
{
while (elements-- > 0) {
- zval *key, *data;
+ zval *key, *data, *old_data;
ALLOC_INIT_ZVAL(key);
@@@@ -161,9 +161,15 @@@@
switch (Z_TYPE_P(key)) {
case IS_LONG:
+ if (zend_hash_index_find(ht, Z_LVAL_P(key), (void **)&old_data)) {
+ var_replace(var_hash, old_data, rval);
+ }
zend_hash_index_update(ht, Z_LVAL_P(key), &data, sizeof(data), NULL);
break;
case IS_STRING:
+ if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)) {
+ var_replace(var_hash, old_data, rval);
+ }
zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof(data), NULL);
break;
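Review bot: The two added lookups test the return value for truthiness, but the hash API is compared against `SUCCESS`/`FAILURE` elsewhere on this page, and `return !SUCCESS` in the first hunk of this file implies `SUCCESS` is 0, so `var_replace()` would run when the key was not found and `old_data` is still uninitialised. The conditions should read `if (zend_hash_index_find(ht, Z_LVAL_P(key), (void **)&old_data) == SUCCESS) {` and likewise for `zend_hash_find`. Because the table is filled with `&data, sizeof(data)`, the lookup presumably hands back a pointer to the stored `zval *`, so `old_data` probably wants to be `zval **` and be dereferenced before use; confirm against the hash API. The same lines appear in the ext/standard/var_unserializer.c hunk at -156,9.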
@@@@ -311,6 +317,8 @@@@
} else {
str = estrndup(YYCURSOR, len);
}
+
+ if (*rval == *rval_ref) return 0;
YYCURSOR += len + 2;
*p = YYCURSOR;
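Review bot: The added `if (*rval == *rval_ref) return 0;` sits directly after `str = estrndup(YYCURSOR, len);`, so on that early return the freshly duplicated string is not released in the visible lines. Either move the comparison ahead of the copy or `efree(str)` before returning, on the branch that allocated it. `rval_ref` is not declared anywhere in this hunk, so it is worth confirming that this is the rule the check was meant for. The ext/standard/var_unserializer.c hunk at -566,6 has the same placement.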
Index: ext/standard/var_unserializer.c
--- ext/standard/var_unserializer.c.orig 2004-07-13 16:53:12 +0200
+++ ext/standard/var_unserializer.c 2004-12-16 17:20:05 +0100
@@@@ -63,7 +63,7 @@@@
if (!var_hash) return !SUCCESS;
- if (id >= var_hash->used_slots) return !SUCCESS;
+ if (id < 0 || id >= var_hash->used_slots) return !SUCCESS;
*store = &var_hash->data[id];
@@@@ -134,7 +134,7 @@@@
static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, int elements)
{
while (elements-- > 0) {
- zval *key, *data;
+ zval *key, *data, *old_data;
ALLOC_INIT_ZVAL(key);
@@@@ -156,9 +156,15 @@@@
switch (Z_TYPE_P(key)) {
case IS_LONG:
+ if (zend_hash_index_find(ht, Z_LVAL_P(key), (void **)&old_data)) {
+ var_replace(var_hash, old_data, rval);
+ }
zend_hash_index_update(ht, Z_LVAL_P(key), &data, sizeof(data), NULL);
break;
case IS_STRING:
+ if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)) {
+ var_replace(var_hash, old_data, rval);
+ }
zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof(data), NULL);
break;
@@@@ -566,6 +572,8 @@@@
str = estrndup(YYCURSOR, len);
}
+ if (*rval == *rval_ref) return 0;
+
YYCURSOR += len + 2;
*p = YYCURSOR;
Index: main/php.h
--- main/php.h.orig 2003-09-25 01:22:32 +0200
+++ main/php.h 2004-12-16 17:20:05 +0100
@@@@ -226,6 +226,14 @@@@
#define LONG_MIN (- LONG_MAX - 1)
#endif
+#ifndef INT_MAX
+#define INT_MAX 2147483647
+#endif
+
+#ifndef INT_MIN
+#define INT_MIN (- INT_MAX - 1)
+#endif
+
#define PHP_GCC_VERSION ZEND_GCC_VERSION
#define PHP_ATTRIBUTE_MALLOC ZEND_ATTRIBUTE_MALLOC
#define PHP_ATTRIBUTE_FORMAT ZEND_ATTRIBUTE_FORMAT
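Review bot: The fallback `#define INT_MAX 2147483647` hard-codes a 32-bit `int`, and the new overflow checks in ext/standard/pack.c depend on this value being right. Including `<limits.h>` before the `#ifndef` would make the fallback unnecessary on any hosted compiler; if the fallback has to stay, a comment such as `/* fallback only: assumes 32-bit int */` should say so.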
Index: main/safe_mode.c
--- main/safe_mode.c.orig 2003-03-17 14:50:23 +0100
+++ main/safe_mode.c 2004-12-16 17:20:05 +0100
@@@@ -54,13 +54,16 @@@@
php_stream_wrapper *wrapper = NULL;
TSRMLS_FETCH();
- strlcpy(filenamecopy, filename, MAXPATHLEN);
- filename=(char *)&filenamecopy;
-
if (!filename) {
return 0; /* path must be provided */
}
+ if (strlcpy(filenamecopy, filename, MAXPATHLEN)>=MAXPATHLEN) {
+ return 0;
+ }
+ filename=(char *)&filenamecopy;
+
+
if (fopen_mode) {
if (fopen_mode[0] == 'r') {
mode = CHECKUID_DISALLOW_FILE_NOT_EXISTS;
Index: main/rfc1867.c
--- main/rfc1867.c.orig 2004-07-13 15:15:31 +0200
+++ main/rfc1867.c 2004-12-16 17:20:05 +0100
@@@@ -126,6 +126,7 @@@@
#define UPLOAD_ERROR_B 2 /* Uploaded file exceeded MAX_FILE_SIZE */
#define UPLOAD_ERROR_C 3 /* Partially uploaded */
#define UPLOAD_ERROR_D 4 /* No file uploaded */
+#define UPLOAD_ERROR_E 6 /* Missing /tmp or similar directory */
void php_rfc1867_register_constants(TSRMLS_D)
{
@@@@ -134,6 +135,7 @@@@
REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_FORM_SIZE", UPLOAD_ERROR_B, CONST_CS | CONST_PERSISTENT);
REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_PARTIAL", UPLOAD_ERROR_C, CONST_CS | CONST_PERSISTENT);
REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_FILE", UPLOAD_ERROR_D, CONST_CS | CONST_PERSISTENT);
+ REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_TMP_DIR", UPLOAD_ERROR_E, CONST_CS | CONST_PERSISTENT);
}
static void normalize_protected_variable(char *varname TSRMLS_DC)
@@@@ -924,12 +926,14 @@@@
SAFE_RETURN;
}
+ total_bytes = cancel_upload = 0;
+
if (!skip_upload) {
/* Handle file */
fp = php_open_temporary_file(PG(upload_tmp_dir), "php", &temp_filename TSRMLS_CC);
if (!fp) {
sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
- skip_upload = 1;
+ cancel_upload = UPLOAD_ERROR_E;
}
}
if (skip_upload) {
@@@@ -938,9 +942,6 @@@@
continue;
}
- total_bytes = 0;
- cancel_upload = 0;
-
if(strlen(filename) == 0) {
#ifdef DEBUG_FILE_UPLOAD
sapi_module.sapi_error(E_NOTICE, "No file uploaded");
@@@@ -967,10 +968,12 @@@@
}
}
}
- fclose(fp);
+ if (fp) {
+ fclose(fp);
+ }
#ifdef DEBUG_FILE_UPLOAD
- if(strlen(filename) > 0 && total_bytes == 0) {
+ if(strlen(filename) > 0 && total_bytes == 0 && !cancel_upload) {
sapi_module.sapi_error(E_WARNING, "Uploaded file size 0 - file [%s=%s] not saved", param, filename);
cancel_upload = 5;
}
@@@@ -978,7 +981,9 @@@@
if (cancel_upload) {
if (temp_filename) {
- unlink(temp_filename);
+ if (cancel_upload != UPLOAD_ERROR_E) { /* file creation failed */
+ unlink(temp_filename);
+ }
efree(temp_filename);
}
temp_filename="";
@@@@ -1048,6 +1053,14 @@@@
s = tmp;
}
#endif
+ if (PG(magic_quotes_gpc)) {
+ s = s ? s : filename;
+ tmp = strrchr(s, '\'');
+ s = tmp > s ? tmp : s;
+ tmp = strrchr(s, '"');
+ s = tmp > s ? tmp : s;
+ }
+
if (s && s > filename) {
safe_php_register_variable(lbuf, s+1, NULL, 0 TSRMLS_CC);
} else {
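Review bot: `s = tmp > s ? tmp : s;` applies a relational comparison to the result of `strrchr()`, which is NULL when the quote character is absent; ordering a null pointer against a valid one is not defined by the C standard. Testing for NULL says what is meant and gives the same result when a quote is found: `if (tmp) s = tmp;` for both the `'\''` and the `'"'` lookup. The enclosing block continues outside this hunk.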
@
1.7.2.3
log
@Shit happens: one hunk too much, others missing plus a whole file not patched
@
text
@d117 1
a117 1
(ext/standard/link.c, TSRM/tsrm_virtual_cwd.c)
d275 1
a275 1
+++ ext/standard/var_unserializer.re 2004-12-16 21:09:57 +0100
d310 3
a312 13
@@@@ -398,7 +404,6 @@@@
#ifdef ZEND_ENGINE_2
ce = *(zend_class_entry **)ce; /* Bad hack, TBF! */
#endif
- efree(class_name);
}
}
}
@@@@ -406,7 +411,6 @@@@
#ifdef ZEND_ENGINE_2
ce = *(zend_class_entry **)ce; /* Bad hack, TBF! */
#endif
- efree(class_name);
d314 2
d317 1
a318 10
@@@@ -414,8 +418,8 @@@@
if (incomplete_class) {
php_store_class_name(*rval, class_name, len2 TSRMLS_CC);
- efree(class_name);
}
+ efree(class_name);
return object_common2(UNSERIALIZE_PASSTHRU, elements);
}
d321 1
a321 1
+++ ext/standard/var_unserializer.c 2004-12-16 21:10:16 +0100
d356 2
a357 13
@@@@ -435,7 +441,6 @@@@
#ifdef ZEND_ENGINE_2
ce = *(zend_class_entry **)ce; /* Bad hack, TBF! */
#endif
- efree(class_name);
}
}
}
@@@@ -443,7 +448,6 @@@@
#ifdef ZEND_ENGINE_2
ce = *(zend_class_entry **)ce; /* Bad hack, TBF! */
#endif
- efree(class_name);
d360 3
a363 7
@@@@ -451,8 +455,8 @@@@
if (incomplete_class) {
php_store_class_name(*rval, class_name, len2 TSRMLS_CC);
- efree(class_name);
}
+ efree(class_name);
a364 2
return object_common2(UNSERIALIZE_PASSTHRU, elements);
}
a491 103
Index: TSRM/tsrm_virtual_cwd.c
--- TSRM/tsrm_virtual_cwd.c.orig 2003-07-28 20:35:34 +0200
+++ TSRM/tsrm_virtual_cwd.c 2004-12-16 21:15:08 +0100
@@@@ -301,15 +301,22 @@@@
if (path_length == 0)
return (0);
+ if (path_length >= MAXPATHLEN)
+ return (1);
#if !defined(TSRM_WIN32) && !defined(NETWARE)
/* cwd_length can be 0 when getcwd() fails.
* This can happen under solaris when a dir does not have read permissions
* but *does* have execute permissions */
if (IS_ABSOLUTE_PATH(path, path_length) || (state->cwd_length < 1)) {
- if (use_realpath && realpath(path, resolved_path)) {
- path = resolved_path;
- path_length = strlen(path);
+ if (use_realpath) {
+ if (realpath(path, resolved_path)) {
+ path = resolved_path;
+ path_length = strlen(path);
+ } else {
+ /* disable for now
+ return 1; */
+ }
}
} else { /* Concat current directory with relative path and then run realpath() on it */
char *tmp;
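Review bot: The new `else` branch for a failed `realpath()` contains only commented-out code (`/* disable for now return 1; */`), so a path that cannot be resolved is still processed unresolved, exactly as before the change. If that is intentional, replace the dead code with a comment that explains why failure is tolerated, e.g. `/* realpath() failure is ignored: callers still expect non-existent paths to work */`, and track re-enabling the check somewhere visible. The same construct, with a commented-out `free(tmp)`, is in the following hunk at -325,9.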
@@@@ -325,9 +332,19 @@@@
memcpy(ptr, path, path_length);
ptr += path_length;
*ptr = '\0';
- if (use_realpath && realpath(tmp, resolved_path)) {
- path = resolved_path;
- path_length = strlen(path);
+ if (strlen(tmp) >= MAXPATHLEN) {
+ free(tmp);
+ return 1;
+ }
+ if (use_realpath) {
+ if (realpath(tmp, resolved_path)) {
+ path = resolved_path;
+ path_length = strlen(path);
+ } else {
+ /* disable for now
+ free(tmp);
+ return 1; */
+ }
}
free(tmp);
}
@@@@ -818,13 +835,24 @@@@
CWD_API FILE *virtual_popen(const char *command, const char *type TSRMLS_DC)
{
int command_length;
+ int dir_length, extra = 0;
char *command_line;
- char *ptr;
+ char *ptr, *dir;
FILE *retval;
command_length = strlen(command);
- ptr = command_line = (char *) malloc(command_length + sizeof("cd ; ") + CWDG(cwd).cwd_length+1);
+ dir_length = CWDG(cwd).cwd_length;
+ dir = CWDG(cwd).cwd;
+ while (dir_length > 0) {
+ if (*dir == '\'') extra+=3;
+ dir++;
+ dir_length--;
+ }
+ dir_length = CWDG(cwd).cwd_length;
+ dir = CWDG(cwd).cwd;
+
+ ptr = command_line = (char *) malloc(command_length + sizeof("cd '' ; ") + dir_length +1+1);
if (!command_line) {
return NULL;
}
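Review bot: The first loop counts `extra += 3` for every single quote in the working directory, but `extra` never reaches the allocation: `malloc(command_length + sizeof("cd '' ; ") + dir_length +1+1)`. The next hunk writes four bytes (`'\''`) for each such quote, so a directory name containing quotes would write past the end of `command_line`. The size should include the count, `malloc(command_length + sizeof("cd '' ; ") + dir_length + extra + 1 + 1)`, and the length variables would be safer as `size_t` than `int`. virtual_popen's body continues beyond this hunk.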
@@@@ -834,8 +862,21 @@@@
if (CWDG(cwd).cwd_length == 0) {
*ptr++ = DEFAULT_SLASH;
} else {
- memcpy(ptr, CWDG(cwd).cwd, CWDG(cwd).cwd_length);
- ptr += CWDG(cwd).cwd_length;
+ *ptr++ = '\'';
+ while (dir_length > 0) {
+ switch (*dir) {
+ case '\'':
+ *ptr++ = '\'';
+ *ptr++ = '\\';
+ *ptr++ = '\'';
+ /* fall-through */
+ default:
+ *ptr++ = *dir;
+ }
+ dir++;
+ dir_length--;
+ }
+ *ptr++ = '\'';
}
*ptr++ = ' ';
@
1.6
log
@made phpize operable introducing a soft dependency to autoconf, automake, libtool
@
text
@d6 1
a6 1
+PATH="@@l_prefix@@/bin;@@l_prefix@@/sbin:$PATH"
d17 1
a17 1
+ { echo "OpenPKG: ERROR: please install following OpenPKG packages first"
d22 1
a22 1
+ } | @@l_rpmtool@@ msg -b -t error
@
1.5
log
@upgrade 4.3.2 -> 4.3.3 ; vendor rolled in equivalent patches
@
text
@d1 4
a4 7
--- php-4.3.2/ext/oci8/config.m4.dist 2003-07-01 09:55:33.000000000 +0200
+++ php-4.3.2/ext/oci8/config.m4 2003-07-01 0:56:01.000000000 +0200
@@@@ -100,7 +100,6 @@@@
PHP_ADD_LIBRARY(clntsh, 1, OCI8_SHARED_LIBADD)
PHP_ADD_LIBPATH($OCI8_DIR/lib, OCI8_SHARED_LIBADD)
AC_DEFINE(HAVE_OCI8_ATTR_STATEMENT,1,[ ])
- AC_DEFINE(HAVE_OCI8_SHARED_MODE,1,[ ])
d6 23
a28 45
dnl These functions are only available in version >= 9.2
PHP_CHECK_LIBRARY(clntsh, OCIEnvNlsCreate,
--- php-4.3.2/configure.dist 2003-07-01 13:52:41.000000000 +0200
+++ php-4.3.2/configure 2003-07-01 13:53:15.000000000 +0200
@@@@ -51349,10 +51349,6 @@@@
#define HAVE_OCI8_ATTR_STATEMENT 1
EOF
- cat >> confdefs.h <<\EOF
-#define HAVE_OCI8_SHARED_MODE 1
-EOF
-
save_old_LDFLAGS=$LDFLAGS
--- php-4.3.2/pear/PEAR/Installer.php.dist 2003-07-28 13:57:01.000000000 +0200
+++ php-4.3.2/pear/PEAR/Installer.php 2003-07-28 14:00:12.000000000 +0200
@@@@ -115,7 +115,6 @@@@
parent::PEAR_Common();
$this->setFrontendObject($ui);
$this->debug = $this->config->get('verbose');
- $this->registry = &new PEAR_Registry($this->config->get('php_dir'));
}
// }}}
@@@@ -786,6 +785,19 @@@@
function checkDeps(&$pkginfo)
{
+ if ($this->registry == null) {
+ $php_dir = $this->config->get('php_dir');
+ if (isset($options['installroot'])) {
+ if (substr($options['installroot'], -1) == DIRECTORY_SEPARATOR) {
+ $options['installroot'] = substr($options['installroot'], 0, -1);
+ }
+ $this->installroot = $options['installroot'];
+ $php_dir = $this->_prependPath($php_dir, $this->installroot);
+ } else {
+ $this->installroot = '';
+ }
+ $this->registry = &new PEAR_Registry($php_dir);
+ }
$depchecker = &new PEAR_Dependency($this->registry);
$error = $errors = '';
$failed_deps = array();
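Review bot: `$options` is never defined inside `checkDeps(&$pkginfo)` as shown, so `isset($options['installroot'])` is always false and the method always takes the `else` branch, setting `$this->installroot = ''` and building the registry from the unprefixed `php_dir`. If an install root is meant to be honoured here, it has to come from a parameter or from state stored on `$this` earlier; otherwise the dead branch can be dropped. The same hunk is repeated in revision 1.3.2.2 further down the page.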
@
1.5.2.1
log
@SA-2004.034-php; CAN-2004-0594, CAN-2004-0595
@
text
@d1 30
a30 547
OpenPKG-SA-2004.034-php; CAN-2004-0594, CAN-2004-0595
Index: php-4.3.4/Zend/zend_alloc.c
===================================================================
--- php-4.3.4.orig/Zend/zend_alloc.c 2004-07-14 12:48:39.063013753 +0200
+++ php-4.3.4/Zend/zend_alloc.c 2004-07-14 12:48:53.975006655 +0200
@@@@ -67,7 +67,7 @@@@
#define _CHECK_MEMORY_LIMIT(s, rs, file, lineno) { AG(allocated_memory) += rs;\
if (AG(memory_limit) AG(allocated_memory) - rs) { \
+ if (EG(in_execution) && AG(memory_limit)+1048576 > AG(allocated_memory) - rs) { \
AG(memory_limit) = AG(allocated_memory) + 1048576; \
if (file) { \
zend_error(E_ERROR,"Allowed memory size of %d bytes exhausted at %s:%d (tried to allocate %d bytes)", php_mem_limit, file, lineno, s); \
Index: php-4.3.4/Zend/zend_hash.c
===================================================================
--- php-4.3.4.orig/Zend/zend_hash.c 2004-07-14 13:14:45.475609161 +0200
+++ php-4.3.4/Zend/zend_hash.c 2004-07-14 13:14:55.865900116 +0200
@@@@ -174,6 +174,7 @@@@
ZEND_API int zend_hash_init(HashTable *ht, uint nSize, hash_func_t pHashFunction, dtor_func_t pDestructor, int persistent)
{
uint i = 3;
+ Bucket **tmp;
SET_INCONSISTENT(HT_OK);
@@@@ -183,14 +184,6 @@@@
ht->nTableSize = 1 << i;
ht->nTableMask = ht->nTableSize - 1;
-
- /* Uses ecalloc() so that Bucket* == NULL */
- ht->arBuckets = (Bucket **) pecalloc(ht->nTableSize, sizeof(Bucket *), persistent);
-
- if (!ht->arBuckets) {
- return FAILURE;
- }
-
ht->pDestructor = pDestructor;
ht->pListHead = NULL;
ht->pListTail = NULL;
@@@@ -200,6 +193,16 @@@@
ht->persistent = persistent;
ht->nApplyCount = 0;
ht->bApplyProtection = 1;
+ ht->arBuckets = NULL;
+
+ /* Uses ecalloc() so that Bucket* == NULL */
+ tmp = (Bucket **) pecalloc(ht->nTableSize, sizeof(Bucket *), persistent);
+
+ if (!tmp) {
+ return FAILURE;
+ }
+ ht->arBuckets = tmp;
+
return SUCCESS;
}
Index: php-4.3.4/Zend/zend_variables.c
===================================================================
--- php-4.3.4.orig/Zend/zend_variables.c 2004-07-14 13:14:45.481608752 +0200
+++ php-4.3.4/Zend/zend_variables.c 2004-07-14 13:14:55.865900116 +0200
@@@@ -114,27 +114,31 @@@@
case IS_CONSTANT_ARRAY: {
zval *tmp;
HashTable *original_ht = zvalue->value.ht;
+ HashTable *tmp_ht = NULL;
TSRMLS_FETCH();
if (zvalue->value.ht == &EG(symbol_table)) {
return SUCCESS; /* do nothing */
}
- ALLOC_HASHTABLE_REL(zvalue->value.ht);
- zend_hash_init(zvalue->value.ht, 0, NULL, ZVAL_PTR_DTOR, 0);
- zend_hash_copy(zvalue->value.ht, original_ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+ ALLOC_HASHTABLE_REL(tmp_ht);
+ zend_hash_init(tmp_ht, 0, NULL, ZVAL_PTR_DTOR, 0);
+ zend_hash_copy(tmp_ht, original_ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+ zvalue->value.ht = tmp_ht;
}
break;
case IS_OBJECT: {
zval *tmp;
HashTable *original_ht = zvalue->value.obj.properties;
+ HashTable *tmp_ht = NULL;
TSRMLS_FETCH();
if (zvalue->value.obj.properties == &EG(symbol_table)) {
return SUCCESS; /* do nothing */
}
- ALLOC_HASHTABLE_REL(zvalue->value.obj.properties);
- zend_hash_init(zvalue->value.obj.properties, 0, NULL, ZVAL_PTR_DTOR, 0);
- zend_hash_copy(zvalue->value.obj.properties, original_ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+ ALLOC_HASHTABLE_REL(tmp_ht);
+ zend_hash_init(tmp_ht, 0, NULL, ZVAL_PTR_DTOR, 0);
+ zend_hash_copy(tmp_ht, original_ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+ zvalue->value.obj.properties = tmp_ht;
}
break;
}
Index: php-4.3.4/ext/mssql/php_mssql.c
===================================================================
--- php-4.3.4.orig/ext/mssql/php_mssql.c 2004-07-14 13:14:45.428612368 +0200
+++ php-4.3.4/ext/mssql/php_mssql.c 2004-07-14 13:14:55.868899911 +0200
@@@@ -343,6 +343,7 @@@@
PHP_RSHUTDOWN_FUNCTION(mssql)
{
STR_FREE(MS_SQL_G(appname));
+ MS_SQL_G(appname) = NULL;
if (MS_SQL_G(server_message)) {
STR_FREE(MS_SQL_G(server_message));
}
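Review bot: `MS_SQL_G(appname)` is now reset after `STR_FREE`, but `MS_SQL_G(server_message)` two lines below is still freed and left pointing at released memory, unlike the sybase hunks in this same patch, which reset both fields. Adding `MS_SQL_G(server_message) = NULL;` inside the `if` keeps the shutdown handlers consistent. The function continues outside this hunk.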
Index: php-4.3.4/ext/session/session.c
===================================================================
--- php-4.3.4.orig/ext/session/session.c 2004-07-14 13:14:45.433612027 +0200
+++ php-4.3.4/ext/session/session.c 2004-07-14 13:14:55.869899843 +0200
@@@@ -499,13 +499,16 @@@@
static void php_session_track_init(TSRMLS_D)
{
+ zval *session_vars = NULL;
+
/* Unconditionally destroy existing arrays -- possible dirty data */
zend_hash_del(&EG(symbol_table), "HTTP_SESSION_VARS",
sizeof("HTTP_SESSION_VARS"));
zend_hash_del(&EG(symbol_table), "_SESSION", sizeof("_SESSION"));
- MAKE_STD_ZVAL(PS(http_session_vars));
- array_init(PS(http_session_vars));
+ MAKE_STD_ZVAL(session_vars);
+ array_init(session_vars);
+ PS(http_session_vars) = session_vars;
ZEND_SET_GLOBAL_VAR_WITH_LENGTH("HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS"), PS(http_session_vars), 2, 1);
ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"), PS(http_session_vars), 2, 1);
Index: php-4.3.4/ext/sybase/php_sybase_db.c
===================================================================
--- php-4.3.4.orig/ext/sybase/php_sybase_db.c 2004-07-14 13:14:45.456610458 +0200
+++ php-4.3.4/ext/sybase/php_sybase_db.c 2004-07-14 13:14:55.871899707 +0200
@@@@ -297,7 +297,9 @@@@
PHP_RSHUTDOWN_FUNCTION(sybase)
{
efree(php_sybase_module.appname);
+ php_sybase_module.appname = NULL;
STR_FREE(php_sybase_module.server_message);
+ php_sybase_module.server_message = NULL;
return SUCCESS;
}
Index: php-4.3.4/ext/sybase_ct/php_sybase_ct.c
===================================================================
--- php-4.3.4.orig/ext/sybase_ct/php_sybase_ct.c 2004-07-14 13:14:45.470609502 +0200
+++ php-4.3.4/ext/sybase_ct/php_sybase_ct.c 2004-07-14 13:14:55.874899502 +0200
@@@@ -407,11 +407,13 @@@@
PHP_RSHUTDOWN_FUNCTION(sybase)
{
efree(SybCtG(appname));
+ SybCtG(appname) = NULL;
if (SybCtG(callback_name)) {
zval_ptr_dtor(&SybCtG(callback_name));
SybCtG(callback_name)= NULL;
}
STR_FREE(SybCtG(server_message));
+ SybCtG(server_message) = NULL;
return SUCCESS;
}
Index: php-4.3.4/ext/w32api/w32api.c
===================================================================
--- php-4.3.4.orig/ext/w32api/w32api.c 2004-07-14 13:14:45.450610867 +0200
+++ php-4.3.4/ext/w32api/w32api.c 2004-07-14 13:14:55.876899366 +0200
@@@@ -290,20 +290,26 @@@@
*/
PHP_RINIT_FUNCTION(w32api)
{
+ HashTable *tmp;
+ WG(funcs) = WG(libraries) = WG(callbacks) = WG(types) = NULL;
+
/* Allocate Request Specific HT's here
*/
- ALLOC_HASHTABLE(WG(funcs));
- zend_hash_init(WG(funcs), 1, NULL, php_w32api_hash_func_dtor, 1);
-
- ALLOC_HASHTABLE(WG(libraries));
- zend_hash_init(WG(libraries), 1, NULL, php_w32api_hash_lib_dtor, 1);
-
- ALLOC_HASHTABLE(WG(callbacks));
- zend_hash_init(WG(callbacks), 1, NULL, php_w32api_hash_callback_dtor, 1);
-
- ALLOC_HASHTABLE(WG(types));
- zend_hash_init(WG(types), 1, NULL, php_w32api_hash_type_dtor, 1);
-
+ ALLOC_HASHTABLE(tmp);
+ zend_hash_init(tmp, 1, NULL, php_w32api_hash_func_dtor, 1);
+ WG(funcs) = tmp;
+
+ ALLOC_HASHTABLE(tmp);
+ zend_hash_init(tmp, 1, NULL, php_w32api_hash_lib_dtor, 1);
+ WG(libraries) = tmp;
+
+ ALLOC_HASHTABLE(tmp);
+ zend_hash_init(tmp, 1, NULL, php_w32api_hash_callback_dtor, 1);
+ WG(callbacks) = tmp;
+
+ ALLOC_HASHTABLE(tmp);
+ zend_hash_init(tmp, 1, NULL, php_w32api_hash_type_dtor, 1);
+ WG(types) = tmp;
return SUCCESS;
@@@@ -330,6 +336,7 @@@@
zend_hash_destroy(WG(types));
FREE_HASHTABLE(WG(types));
+ WG(funcs) = WG(libraries) = WG(callbacks) = WG(types) = NULL;
return SUCCESS;
}
Index: php-4.3.4/main/main.c
===================================================================
--- php-4.3.4.orig/main/main.c 2004-07-14 13:14:45.491608069 +0200
+++ php-4.3.4/main/main.c 2004-07-14 13:14:55.878899229 +0200
@@@@ -1367,6 +1367,7 @@@@
int _gpc_flags[5] = {0, 0, 0, 0, 0};
zend_bool have_variables_order;
zval *dummy_track_vars_array = NULL;
+ zval *env_vars = NULL;
zend_bool initialized_dummy_track_vars_array=0;
int i;
char *variables_order;
@@@@ -1399,9 +1400,10 @@@@
} else {
variables_order = PG(gpc_order);
have_variables_order=0;
- ALLOC_ZVAL(PG(http_globals)[TRACK_VARS_ENV]);
- array_init(PG(http_globals)[TRACK_VARS_ENV]);
- INIT_PZVAL(PG(http_globals)[TRACK_VARS_ENV]);
+ ALLOC_ZVAL(env_vars);
+ array_init(env_vars);
+ INIT_PZVAL(env_vars);
+ PG(http_globals)[TRACK_VARS_ENV] = env_vars;
php_import_environment_variables(PG(http_globals)[TRACK_VARS_ENV] TSRMLS_CC);
if (PG(register_globals)) {
php_autoglobal_merge(&EG(symbol_table), Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_ENV]) TSRMLS_CC);
@@@@ -1444,9 +1446,10 @@@@
case 'E':
if (!_gpc_flags[3]) {
if (have_variables_order) {
- ALLOC_ZVAL(PG(http_globals)[TRACK_VARS_ENV]);
- array_init(PG(http_globals)[TRACK_VARS_ENV]);
- INIT_PZVAL(PG(http_globals)[TRACK_VARS_ENV]);
+ ALLOC_ZVAL(env_vars);
+ array_init(env_vars);
+ INIT_PZVAL(env_vars);
+ PG(http_globals)[TRACK_VARS_ENV] = env_vars;
php_import_environment_variables(PG(http_globals)[TRACK_VARS_ENV] TSRMLS_CC);
if (PG(register_globals)) {
php_autoglobal_merge(&EG(symbol_table), Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_ENV]) TSRMLS_CC);
Index: php-4.3.4/main/rfc1867.c
===================================================================
--- php-4.3.4.orig/main/rfc1867.c 2004-07-14 13:14:45.485608479 +0200
+++ php-4.3.4/main/rfc1867.c 2004-07-14 13:16:53.079904285 +0200
@@@@ -693,7 +693,7 @@@@
char *boundary, *s=NULL, *boundary_end = NULL, *start_arr=NULL, *array_index=NULL;
char *temp_filename=NULL, *lbuf=NULL, *abuf=NULL;
int boundary_len=0, total_bytes=0, cancel_upload=0, is_arr_upload=0, array_len=0, max_file_size=0, skip_upload=0;
- zval *http_post_files=NULL;
+ zval *http_post_files=NULL; HashTable *uploaded_files=NULL;
zend_bool magic_quotes_gpc;
multipart_buffer *mbuff;
zval *array_ptr = (zval *) arg;
@@@@ -743,8 +743,9 @@@@
/* Initialize $_FILES[] */
zend_hash_init(&PG(rfc1867_protected_variables), 5, NULL, NULL, 0);
- ALLOC_HASHTABLE(SG(rfc1867_uploaded_files));
- zend_hash_init(SG(rfc1867_uploaded_files), 5, NULL, (dtor_func_t) free_estring, 0);
+ ALLOC_HASHTABLE(uploaded_files);
+ zend_hash_init(uploaded_files, 5, NULL, (dtor_func_t) free_estring, 0);
+ SG(rfc1867_uploaded_files) = uploaded_files;
ALLOC_ZVAL(http_post_files);
array_init(http_post_files);
Patches within this file... More or less security related
---------------------------------------------------------
Fixed: Alloca replaced by emalloc() where the size is user supplied
Zend/zend_constants.c
ext/msession/msession.c
ext/pcntl/pcntl.c
ext/session/mod_mm.c
ext/wddx/wddx.c
Fixed: Off-By-One in memory allocation for IMAP addresses
ext/imap/php_imap.c
Fixed: Correctly disable CLIENT_LOCAL_FILE option when open_basedir set
ext/mysql/php_mysql.c
Fixed: Added missing safe_mode check
ext/standard/ftok.c
ext/standard/iptc.c
Fixed: Made strip_slashes binary safe to work around an IE bug (feature?)
ext/standard/string.c
before strip_slashes($input, ""); would believe <\0whatever>
is a valid tag (because it would search in "" for "<\0"
and of course our friend internet explorer accepts <\0whatever>
as
Index: php-4.3.4/Zend/zend_constants.c
===================================================================
--- php-4.3.4.orig/Zend/zend_constants.c 2004-07-14 13:16:57.582597240 +0200
+++ php-4.3.4/Zend/zend_constants.c 2004-07-14 13:20:37.300623859 +0200
@@@@ -220,8 +220,7 @@@@
int retval = 1;
if (zend_hash_find(EG(zend_constants), name, name_len+1, (void **) &c) == FAILURE) {
- lookup_name = do_alloca(name_len+1);
- memcpy(lookup_name, name, name_len+1);
+ lookup_name = estrndup(name, name_len);
zend_str_tolower(lookup_name, name_len);
if (zend_hash_find(EG(zend_constants), lookup_name, name_len+1, (void **) &c)==SUCCESS) {
@@@@ -231,7 +230,7 @@@@
} else {
retval=0;
}
- free_alloca(lookup_name);
+ efree(lookup_name);
}
if (retval) {
@@@@ -252,9 +251,7 @@@@
printf("Registering constant for module %d\n", c->module_number);
#endif
- lowercase_name = do_alloca(c->name_len);
-
- memcpy(lowercase_name, c->name, c->name_len);
+ lowercase_name = estrndup(c->name, c->name_len);
if (!(c->flags & CONST_CS)) {
zend_str_tolower(lowercase_name, c->name_len);
@@@@ -268,7 +265,7 @@@@
zend_error(E_NOTICE,"Constant %s already defined", lowercase_name);
ret = FAILURE;
}
- free_alloca(lowercase_name);
+ efree(lowercase_name);
return ret;
}
Index: php-4.3.4/ext/imap/php_imap.c
===================================================================
--- php-4.3.4.orig/ext/imap/php_imap.c 2004-07-14 13:16:57.532600650 +0200
+++ php-4.3.4/ext/imap/php_imap.c 2004-07-14 13:16:59.114492780 +0200
@@@@ -3674,7 +3674,7 @@@@
addresstmp = addresslist;
if ((len = _php_imap_address_size(addresstmp))) {
- tmpstr = (char *) malloc (len);
+ tmpstr = (char *) malloc(len + 1);
tmpstr[0] = '\0';
rfc822_write_address(tmpstr, addresstmp);
*fulladdress = tmpstr;
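Review bot: `malloc(len + 1)` is followed immediately by `tmpstr[0] = '\0'` with no NULL check, so an allocation failure turns into a write through a null pointer. A guard such as `if (!tmpstr) { ... }` is needed before the first store; what the failure path should return depends on code outside this hunk. A short comment on why one extra byte is required would also help, since the size comes from `_php_imap_address_size()`.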
Index: php-4.3.4/ext/msession/msession.c
===================================================================
--- php-4.3.4.orig/ext/msession/msession.c 2004-07-14 13:16:57.577597581 +0200
+++ php-4.3.4/ext/msession/msession.c 2004-07-14 13:16:59.116492644 +0200
@@@@ -1266,7 +1266,7 @@@@
{
int port;
int len = strlen(save_path)+1;
- char * path = alloca(len);
+ char * path = emalloc(len);
char * szport;
strcpy(path, save_path);
@@@@ -1285,7 +1285,13 @@@@
ELOG( "ps_open_msession");
PS_SET_MOD_DATA((void *)1); /* session.c needs a non-zero here! */
- return PHPMsessionConnect(path, port) ? SUCCESS : FAILURE;
+ if (PHPMsessionConnect(path, port)) {
+ efree(path);
+ return SUCCESS;
+ } else {
+ efree(path);
+ return FAILURE;
+ }
}
PS_CLOSE_FUNC(msession)
Index: php-4.3.4/ext/mysql/php_mysql.c
===================================================================
--- php-4.3.4.orig/ext/mysql/php_mysql.c 2004-07-14 13:16:57.544599832 +0200
+++ php-4.3.4/ext/mysql/php_mysql.c 2004-07-14 13:16:59.118492507 +0200
@@@@ -259,6 +259,9 @@@@
*/
static void php_mysql_set_default_link(int id TSRMLS_DC)
{
+ if (MySG(default_link) != -1) {
+ zend_list_delete(MySG(default_link));
+ }
MySG(default_link) = id;
zend_list_addref(id);
}
@@@@ -591,7 +594,7 @@@@
break;
}
/* disable local infile option for open_basedir */
- if (PG(open_basedir) && strlen(PG(open_basedir))) {
+ if (PG(open_basedir) && strlen(PG(open_basedir)) && (client_flags & CLIENT_LOCAL_FILES)) {
client_flags ^= CLIENT_LOCAL_FILES;
}
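Review bot: The added `(client_flags & CLIENT_LOCAL_FILES)` guard is only needed because the flag is removed with `^=`, which toggles the bit rather than clearing it. `client_flags &= ~CLIENT_LOCAL_FILES;` states the intent directly, is idempotent, and makes the extra condition unnecessary.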
Index: php-4.3.4/ext/pcntl/pcntl.c
===================================================================
--- php-4.3.4.orig/ext/pcntl/pcntl.c 2004-07-14 13:16:57.550599422 +0200
+++ php-4.3.4/ext/pcntl/pcntl.c 2004-07-14 13:16:59.119492439 +0200
@@@@ -386,7 +386,7 @@@@
args_hash = HASH_OF(args);
argc = zend_hash_num_elements(args_hash);
- argv = alloca((argc+2) * sizeof(char *));
+ argv = safe_emalloc((argc + 2), sizeof(char *), 0);
*argv = path;
for ( zend_hash_internal_pointer_reset(args_hash), current_arg = argv+1;
(argi < argc && (zend_hash_get_current_data(args_hash, (void **) &element) == SUCCESS));
@@@@ -397,7 +397,7 @@@@
}
*(current_arg) = NULL;
} else {
- argv = alloca(2 * sizeof(char *));
+ argv = emalloc(2 * sizeof(char *));
*argv = path;
*(argv+1) = NULL;
}
@@@@ -407,13 +407,13 @@@@
envs_hash = HASH_OF(envs);
envc = zend_hash_num_elements(envs_hash);
- envp = alloca((envc+1) * sizeof(char *));
+ envp = safe_emalloc((envc + 1), sizeof(char *), 0);
for ( zend_hash_internal_pointer_reset(envs_hash), pair = envp;
(envi < envc && (zend_hash_get_current_data(envs_hash, (void **) &element) == SUCCESS));
(envi++, pair++, zend_hash_move_forward(envs_hash)) ) {
switch (return_val = zend_hash_get_current_key_ex(envs_hash, &key, &key_length, &key_num, 0, NULL)) {
case HASH_KEY_IS_LONG:
- key = alloca(101);
+ key = emalloc(101);
snprintf(key, 100, "%ld", key_num);
key_length = strlen(key);
break;
@@@@ -432,7 +432,7 @@@@
strlcat(*pair, Z_STRVAL_PP(element), pair_length);
/* Cleanup */
- if (return_val == HASH_KEY_IS_LONG) free_alloca(key);
+ if (return_val == HASH_KEY_IS_LONG) efree(key);
}
*(pair) = NULL;
}
@@@@ -445,10 +445,10 @@@@
/* Cleanup */
if (envp != NULL) {
for (pair = envp; *pair != NULL; pair++) efree(*pair);
- free_alloca(envp);
+ efree(envp);
}
- free_alloca(argv);
+ efree(argv);
RETURN_FALSE;
}
Index: php-4.3.4/ext/session/mod_mm.c
===================================================================
--- php-4.3.4.orig/ext/session/mod_mm.c 2004-07-14 13:16:57.555599082 +0200
+++ php-4.3.4/ext/session/mod_mm.c 2004-07-14 13:16:59.120492371 +0200
@@@@ -16,7 +16,7 @@@@
+----------------------------------------------------------------------+
*/
-/* $Id: mod_mm.c,v 1.39.4.3 2002/12/31 16:35:20 sebastian Exp $ */
+/* $Id: mod_mm.c,v 1.39.4.4 2004/06/30 01:12:09 iliaa Exp $ */
#include "php.h"
@@@@ -264,7 +264,7 @@@@
return FAILURE;
/* Directory + '/' + File + Module Name + Effective UID + \0 */
- ps_mm_path = do_alloca(save_path_len+1+sizeof(PS_MM_FILE)+mod_name_len+strlen(euid)+1);
+ ps_mm_path = emalloc(save_path_len+1+sizeof(PS_MM_FILE)+mod_name_len+strlen(euid)+1);
memcpy(ps_mm_path, PS(save_path), save_path_len + 1);
if (save_path_len > 0 && ps_mm_path[save_path_len - 1] != DEFAULT_SLASH) {
@@@@ -277,7 +277,7 @@@@
ret = ps_mm_initialize(ps_mm_instance, ps_mm_path);
- free_alloca(ps_mm_path);
+ efree(ps_mm_path);
if (ret != SUCCESS) {
free(ps_mm_instance);
Index: php-4.3.4/ext/standard/ftok.c
===================================================================
--- php-4.3.4.orig/ext/standard/ftok.c 2004-07-14 13:16:57.560598741 +0200
+++ php-4.3.4/ext/standard/ftok.c 2004-07-14 13:16:59.120492371 +0200
@@@@ -16,7 +16,7 @@@@
+----------------------------------------------------------------------+
*/
-/* $Id: ftok.c,v 1.9.2.1 2002/12/31 16:35:28 sebastian Exp $ */
+/* $Id: ftok.c,v 1.9.2.2 2004/06/24 00:48:56 iliaa Exp $ */
#include "php.h"
@@@@ -52,6 +52,10 @@@@
RETURN_LONG(-1);
}
+ if ((PG(safe_mode) && (!php_checkuid(Z_STRVAL_PP(pathname), NULL, CHECKUID_CHECK_FILE_AND_DIR))) || php_check_open_basedir(Z_STRVAL_PP(pathname) TSRMLS_CC)) {
+ RETURN_LONG(-1);
+ }
+
k = ftok(Z_STRVAL_PP(pathname),Z_STRVAL_PP(proj)[0]);
RETURN_LONG(k);
Index: php-4.3.4/ext/standard/iptc.c
===================================================================
--- php-4.3.4.orig/ext/standard/iptc.c 2004-07-14 13:16:57.565598400 +0200
+++ php-4.3.4/ext/standard/iptc.c 2004-07-14 13:16:59.121492303 +0200
@@@@ -208,6 +208,10 @@@@
break;
d33 2
a34 50
+ if (PG(safe_mode) && (!php_checkuid(Z_STRVAL_PP(jpeg_file), NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
+ RETURN_FALSE;
+ }
+
if (php_check_open_basedir(Z_STRVAL_PP(jpeg_file) TSRMLS_CC)) {
RETURN_FALSE;
}
@@@@ -347,7 +351,7 @@@@
inx += 2;
}
- sprintf(key, "%d#%03d", (unsigned int) dataset, (unsigned int) recnum);
+ snprintf(key, sizeof(key), "%d#%03d", (unsigned int) dataset, (unsigned int) recnum);
if ((len > length) || (inx + len) > length)
break;
Index: php-4.3.4/ext/standard/string.c
===================================================================
--- php-4.3.4.orig/ext/standard/string.c 2004-07-14 13:16:57.572597922 +0200
+++ php-4.3.4/ext/standard/string.c 2004-07-14 13:16:59.125492030 +0200
@@@@ -3349,6 +3349,8 @@@@
while (i < len) {
switch (c) {
+ case '\0':
+ break;
case '<':
if (isspace(*(p + 1))) {
goto reg_char;
Index: php-4.3.4/ext/wddx/wddx.c
===================================================================
--- php-4.3.4.orig/ext/wddx/wddx.c 2004-07-14 13:16:57.538600241 +0200
+++ php-4.3.4/ext/wddx/wddx.c 2004-07-14 13:16:59.126491962 +0200
@@@@ -16,7 +16,7 @@@@
+----------------------------------------------------------------------+
*/
-/* $Id: wddx.c,v 1.96.2.5 2003/10/20 15:42:10 moriyoshi Exp $ */
+/* $Id: wddx.c,v 1.96.2.6 2004/06/30 01:12:09 iliaa Exp $ */
#include "php.h"
#include "php_wddx.h"
@@@@ -1069,7 +1069,7 @@@@
case ST_DATETIME: {
char *tmp;
- tmp = do_alloca(len + 1);
+ tmp = emalloc(len + 1);
memcpy(tmp, s, len);
tmp[len] = '\0';
d36 18
a53 10
@@@@ -1080,7 +1080,7 @@@@
Z_STRLEN_P(ent->data) = len;
Z_STRVAL_P(ent->data) = estrndup(s, len);
}
- free_alloca(tmp);
+ efree(tmp);
}
default:
break;
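Review bot: After `efree(tmp);` the closing brace appears to end the `case ST_DATETIME: {` block with no `break;`, so control falls through into `default:`. That is harmless today because `default` only breaks, but a case added between the two later would run for datetime values as well. Adding `break;` after `efree(tmp);`, or a `/* fallthrough */` marker, makes the intent explicit. The start of the case is in the earlier hunk at -1069, where `emalloc(len + 1)` replaces `do_alloca`; every exit path between that allocation and this `efree` has to stay paired, and that code is only partly visible here.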
@
1.4
log
@prevent PEAR installer from touching target directory during installation
@
text
@@
1.3
log
@also patch vendor configure script, we don't run autoconf
@
text
@d24 30
@
1.3.2.1
log
@mass Merge-From-CURRENT (MFC) in preparation for OpenPKG 1.3 [class BASE only]
@
text
@@
1.3.2.2
log
@MFC: changes to PHP since last merge
@
text
@a23 30
--- php-4.3.2/pear/PEAR/Installer.php.dist 2003-07-28 13:57:01.000000000 +0200
+++ php-4.3.2/pear/PEAR/Installer.php 2003-07-28 14:00:12.000000000 +0200
@@@@ -115,7 +115,6 @@@@
parent::PEAR_Common();
$this->setFrontendObject($ui);
$this->debug = $this->config->get('verbose');
- $this->registry = &new PEAR_Registry($this->config->get('php_dir'));
}
// }}}
@@@@ -786,6 +785,19 @@@@
function checkDeps(&$pkginfo)
{
+ if ($this->registry == null) {
+ $php_dir = $this->config->get('php_dir');
+ if (isset($options['installroot'])) {
+ if (substr($options['installroot'], -1) == DIRECTORY_SEPARATOR) {
+ $options['installroot'] = substr($options['installroot'], 0, -1);
+ }
+ $this->installroot = $options['installroot'];
+ $php_dir = $this->_prependPath($php_dir, $this->installroot);
+ } else {
+ $this->installroot = '';
+ }
+ $this->registry = &new PEAR_Registry($php_dir);
+ }
$depchecker = &new PEAR_Dependency($this->registry);
$error = $errors = '';
$failed_deps = array();
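Review bot: `$options` is not defined inside `checkDeps(&$pkginfo)`: the only parameter is `$pkginfo`, so `isset($options['installroot'])` is always false here. The `installroot` branch is therefore dead code, and the `else` branch resets `$this->installroot` to `''` on the first call, which would overwrite a value set elsewhere if any caller sets it before `checkDeps()` runs. Either take the install root from state the object already holds, or have the caller pass the options in; the rest of the class is outside the hunk, so which fits cannot be told from here. Because the constructor hunk at -115 removes the eager `PEAR_Registry` construction, any other method that reads `$this->registry` before `checkDeps()` would now see null, which is worth checking across the class.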
@
1.2
log
@php oci8 driver: don't use OCI_SHARED_MODE by default
@
text
@d11 13
@
1.1
log
@file php.patch was initially added on branch OPENPKG_1_1_SOLID.
@
text
@d1 10
@
1.1.2.1
log
@SA-2003.005-php; CAN-2002-1396
@
text
@a0 105
--- ext/standard/string.c.orig Wed Jan 22 10:10:45 2003
+++ ext/standard/string.c Wed Jan 22 11:40:13 2003
@@@@ -616,7 +616,7 @@@@
{
const char *text, *breakchar = "\n";
char *newtext;
- int textlen, breakcharlen = 1, newtextlen;
+ int textlen, breakcharlen = 1, newtextlen, alloced, chk;
long current = 0, laststart = 0, lastspace = 0;
long linelength = 75;
zend_bool docut = 0;
@@@@ -642,38 +642,40 @@@@
for (current = 0; current < textlen; current++) {
if (text[current] == breakchar[0]) {
laststart = lastspace = current;
- }
- else if (text[current] == ' ') {
+ } else if (text[current] == ' ') {
if (current - laststart >= linelength) {
newtext[current] = breakchar[0];
laststart = current;
}
lastspace = current;
- }
- else if (current - laststart >= linelength
- && laststart != lastspace) {
+ } else if (current - laststart >= linelength && laststart != lastspace) {
newtext[lastspace] = breakchar[0];
laststart = lastspace;
}
}
RETURN_STRINGL(newtext, textlen, 0);
- }
- else {
+ } else {
/* Multiple character line break or forced cut */
if (linelength > 0) {
- newtextlen = textlen + (textlen/linelength + 1) * breakcharlen + 1;
- }
- else {
- newtextlen = textlen * (breakcharlen + 1) + 1;
+ chk = (int)(textlen/linelength + 1);
+ alloced = textlen + chk * breakcharlen + 1;
+ } else {
+ chk = textlen;
+ alloced = textlen * (breakcharlen + 1) + 1;
}
- newtext = emalloc(newtextlen);
+ newtext = emalloc(alloced);
/* now keep track of the actual new text length */
newtextlen = 0;
laststart = lastspace = 0;
for (current = 0; current < textlen; current++) {
+ if (chk <= 0) {
+ alloced += (int) (((textlen - current + 1)/linelength + 1) * breakcharlen) + 1;
+ newtext = erealloc(newtext, alloced);
+ chk = (int) ((textlen - current)/linelength) + 1;
+ }
/* when we hit an existing break, copy to new buffer, and
* fix up laststart and lastspace */
if (text[current] == breakchar[0]
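Review bot: The new size calculations are still done in `int` and can overflow before they reach `emalloc`/`erealloc`. `alloced = textlen * (breakcharlen + 1) + 1`, `textlen + chk * breakcharlen + 1` and the `alloced += ...` regrow step all wrap for a long text combined with a long break string, leaving the buffer smaller than the loop assumes. A guard before the first allocation would close this, for example `if (breakcharlen > 0 && textlen > (INT_MAX - 1) / (breakcharlen + 1)) { RETURN_FALSE; }`, with the same bound applied to the regrow step. It would also help to document `chk` at its declaration as the number of break insertions the current allocation still has room for, since the regrow branch and every `chk--` in the later hunks depend on that invariant. The `if` statement on the last line continues outside the hunk.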
@@@@ -683,6 +685,7 @@@@
newtextlen += current-laststart+breakcharlen;
current += breakcharlen - 1;
laststart = lastspace = current + 1;
+ chk--;
}
/* if it is a space, check if it is at the line boundary,
* copy and insert a break, or just keep track of it */
@@@@ -693,6 +696,7 @@@@
memcpy(newtext+newtextlen, breakchar, breakcharlen);
newtextlen += breakcharlen;
laststart = current + 1;
+ chk--;
}
lastspace = current;
}
@@@@ -706,6 +710,7 @@@@
memcpy(newtext+newtextlen, breakchar, breakcharlen);
newtextlen += breakcharlen;
laststart = lastspace = current;
+ chk--;
}
/* if the current word puts us over the linelength, copy
* back up until the last space, insert a break, and move
@@@@ -717,6 +722,7 @@@@
memcpy(newtext+newtextlen, breakchar, breakcharlen);
newtextlen += breakcharlen;
laststart = lastspace = lastspace + 1;
+ chk--;
}
}
@@@@ -727,6 +733,8 @@@@
}
newtext[newtextlen] = '\0';
+ /* free unused memory */
+ newtext = erealloc(newtext, newtextlen+1);
RETURN_STRINGL(newtext, newtextlen, 0);
}
@
1.1.2.2
log
@SA-2003.032-php; CAN-2002-0985, CAN-2002-0986, CAN-2003-0442
@
text
@a105 85
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0985
The mail function in PHP 4.x to 4.2.2 may allow remote attackers to
bypass safe mode restrictions and modify command line arguments to
the MTA (e.g. sendmail) in the 5th argument to mail(), altering MTA
behavior and possibly executing commands.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0986
The mail function in PHP 4.x to 4.2.2 does not filter ASCII control
characters from its arguments, which could allow remote attackers to
modify mail message content, including mail headers, and possibly
use PHP as a "spam proxy."
diff -u -r1.48 -r1.48.2.3
--- ext/standard/mail.c 28 Feb 2002 08:26:46 -0000 1.48
+++ ext/standard/mail.c 24 Aug 2002 11:38:13 -0000 1.48.2.3
@@@@ -70,8 +70,12 @@@@
PHP_FUNCTION(mail)
{
char *to=NULL, *message=NULL, *headers=NULL, *subject=NULL, *extra_cmd=NULL;
- int to_len,message_len,headers_len,subject_len,extra_cmd_len;
+ int to_len,message_len,headers_len,subject_len,extra_cmd_len,i;
+ if (PG(safe_mode) && (ZEND_NUM_ARGS() == 5)) {
+ php_error(E_WARNING, "%s(): SAFE MODE Restriction in effect. The fifth parameter is disabled in SAFE MODE.", get_active_function_name(TSRMLS_C));
+ RETURN_FALSE;
+ }
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sss|ss",
&to, &to_len,
@@@@ -83,14 +87,28 @@@@
return;
}
- for(to_len--;to_len;to_len--) {
- if(!isspace(to[to_len]))break;
- to[to_len]='\0';
+ if (to_len > 0) {
+ for(;to_len;to_len--) {
+ if(!isspace((unsigned char)to[to_len-1]))break;
+ to[to_len-1]='\0';
+ }
+ for(i=0;to[i];i++) {
+ if (iscntrl((unsigned char)to[i])) {
+ to[i]=' ';
+ }
+ }
}
- for(subject_len--;subject_len;subject_len--) {
- if(!isspace(subject[subject_len]))break;
- subject[subject_len]='\0';
+ if (subject_len > 0) {
+ for(;subject_len;subject_len--) {
+ if(!isspace((unsigned char)subject[subject_len-1]))break;
+ subject[subject_len-1]='\0';
+ }
+ for(i=0;subject[i];i++) {
+ if (iscntrl((unsigned char)subject[i])) {
+ subject[i]=' ';
+ }
+ }
}
if(extra_cmd)
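Review bot: Both control-character loops stop at the first NUL byte (`for(i=0;to[i];i++)`, `for(i=0;subject[i];i++)`), not at the counted length, so bytes after an embedded NUL in a binary-safe `"s"` argument are never examined. Bounding the scan by the already-trimmed length covers the whole buffer: `for(i=0;i<to_len;i++) {` and `for(i=0;i<subject_len;i++) {`. Whether later code treats these as C strings or as counted buffers is outside the hunk, so this is a hardening step, not a confirmed bypass. The trim-then-sanitize sequence is duplicated verbatim for `to` and `subject`; a small static helper would keep the two copies from drifting apart. The `if(extra_cmd)` statement continues past the end of the hunk.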
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0442
Cross-site scripting (XSS) vulnerability in the transparent SID
support capability for PHP before 4.3.2 (session.use_trans_sid)
allows remote attackers to insert arbitrary script via the PHPSESSID
parameter.
--- ext/session/session.c.orig
+++ ext/session/session.c
@@@@ -84,7 +84,9 @@@@
static void php_session_output_handler(char *output, uint output_len, char **handled_output, uint *handled_output_len, int mode TSRMLS_DC)
{
if ((PS(session_status) == php_session_active)) {
- *handled_output = url_adapt_ext_ex(output, output_len, PS(session_name), PS(id), handled_output_len, (zend_bool) (mode&PHP_OUTPUT_HANDLER_END ? 1 : 0) TSRMLS_CC);
+ char *encoded = php_url_encode(PS(id), strlen(PS(id)), NULL);
+ *handled_output = url_adapt_ext_ex(output, output_len, PS(session_name), encoded, handled_output_len, (zend_bool) (mode&PHP_OUTPUT_HANDLER_END ? 1 : 0) TSRMLS_CC);
+ efree(encoded);
} else {
*handled_output = NULL;
}
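Review bot: The new `php_url_encode` call has no comment saying why `PS(id)` must be encoded, and the reason is the whole point of the change. Something like `/* PS(id) can originate from the request; encode it before it is written into rewritten URLs */` above the call would stop it being removed as redundant. The call also passes `PS(id)` to `strlen` with no NULL check; that is safe only if an active session always has an id, which is decided outside this hunk. Encoding here protects this output handler only, so any other place that emits the session id into markup needs the same treatment, or the id needs validating where it is accepted.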
@