author | Luca Longinotti <chtekk@gentoo.org> | 2005-11-02 22:13:28 +0000 |
---|---|---|
committer | Luca Longinotti <chtekk@gentoo.org> | 2005-11-02 22:13:28 +0000 |
commit | 908876c04bf9e783bfb350ac9eb5d6cb19f146d9 (patch) | |
tree | ce25e5b7a87f2066d75cef9b62cb93fcc7bfbab5 | |
parent | Remove depend on \!<app-text/ghostscript-7.07.1-r2 because we no longer have ... (diff) | |
PHP security-update.
Package-Manager: portage-2.0.53_rc6
38 files changed, 3679 insertions, 27 deletions
diff --git a/dev-php/mod_php/ChangeLog b/dev-php/mod_php/ChangeLog index 2afd96717a94..48835dd5f353 100644 --- a/dev-php/mod_php/ChangeLog +++ b/dev-php/mod_php/ChangeLog @@ -1,6 +1,21 @@ # ChangeLog for dev-php/mod_php # Copyright 2002-2005 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/dev-php/mod_php/ChangeLog,v 1.279 2005/10/29 22:16:12 chtekk Exp $ +# $Header: /var/cvsroot/gentoo-x86/dev-php/mod_php/ChangeLog,v 1.280 2005/11/02 22:13:28 chtekk Exp $ + +*mod_php-4.4.0-r7 (02 Nov 2005) +*mod_php-4.4.0-r6 (02 Nov 2005) +*mod_php-4.3.11-r3 (02 Nov 2005) + + 02 Nov 2005; Luca Longinotti <chtekk@gentoo.org> + +files/php4.3.11-curl_safemode.patch, + +files/php4.3.11-globals_overwrite.patch, + +files/php4.3.11-phpinfo_xss.patch, +files/php4.4.0-curl_safemode.patch, + +files/php4.4.0-globals_overwrite.patch, + +files/php4.4.0-phpinfo_xss.patch, -mod_php-4.3.11-r2.ebuild, + +mod_php-4.3.11-r3.ebuild, -mod_php-4.4.0-r4.ebuild, + -mod_php-4.4.0-r5.ebuild, +mod_php-4.4.0-r6.ebuild, + +mod_php-4.4.0-r7.ebuild: + Security-update: fix bugs #111032, #111015, #111011 and bug #111014. *mod_php-4.4.0-r5 (29 Oct 2005) *mod_php-4.4.0-r4 (29 Oct 2005) diff --git a/dev-php/mod_php/Manifest b/dev-php/mod_php/Manifest index 4b807539b4d3..36727ed638c0 100644 --- a/dev-php/mod_php/Manifest +++ b/dev-php/mod_php/Manifest @@ -1,4 +1,4 @@ -MD5 419b38aaecd3d763323952b1af301bc1 ChangeLog 49036 +MD5 024feb9b815939516a63961ebdee8aeb ChangeLog 49660 MD5 158cb07377a3e2a0028947b0aeb505cb files/4.3.10-r1/70_mod_php.conf 1017 MD5 2dfe55aa49dbca0c3316e859f8bebcb1 files/4.3.11-r2/70_mod_php.conf 1125 MD5 389638f1d46b6c41cd4d87b471572f4b files/4.4.0-a1/70_mod_php.conf 484 
@@ -6,37 +6,43 @@ MD5 ee36e31632adb08b7abf70f78b5b2125 files/4.4.0-a2/70_mod_php.conf 485 MD5 79ed63479c494aeb2ed0bc7f5c059fb9 files/70_mod_php.conf 1022 MD5 cc21a816357d93a1d31cd44f861183c7 files/digest-mod_php-4.3.11 287 MD5 05df4c881b1833626d9a75a08a0098fd files/digest-mod_php-4.3.11-r1 364 -MD5 05df4c881b1833626d9a75a08a0098fd files/digest-mod_php-4.3.11-r2 364 +MD5 05df4c881b1833626d9a75a08a0098fd files/digest-mod_php-4.3.11-r3 364 MD5 09d7dee078c684b0de0e4de6209ef634 files/digest-mod_php-4.4.0 285 MD5 09d7dee078c684b0de0e4de6209ef634 files/digest-mod_php-4.4.0-r1 285 MD5 472ce8342d69fdad9d2a642b03b31bac files/digest-mod_php-4.4.0-r2 362 MD5 472ce8342d69fdad9d2a642b03b31bac files/digest-mod_php-4.4.0-r3 362 -MD5 472ce8342d69fdad9d2a642b03b31bac files/digest-mod_php-4.4.0-r4 362 -MD5 472ce8342d69fdad9d2a642b03b31bac files/digest-mod_php-4.4.0-r5 362 +MD5 472ce8342d69fdad9d2a642b03b31bac files/digest-mod_php-4.4.0-r6 362 +MD5 472ce8342d69fdad9d2a642b03b31bac files/digest-mod_php-4.4.0-r7 362 MD5 7515e9b1dc298a0fb1c12d35a58c265d files/mod_php-4.3.4-amd64hack.diff 1028 MD5 3bf664b414787f8f3c1dcbda5750aef4 files/mod_php-4.3.5-apache1security.diff 425 MD5 cceddd5c262e0ffef31d45b7da269851 files/mod_php.conf 148 MD5 cdec3284251432935f950c2d15a405b7 files/php-4.3.11-flash.patch 694 MD5 b2aa5952d5c805b3e57a5a6bf0f0b8d0 files/php-4.3.11-gmp.patch 925 +MD5 09637e8f6f861b1f3698ec0390ec6b57 files/php4.3.11-curl_safemode.patch 5129 MD5 cb36a386184ed6a887f62d2205f57173 files/php4.3.11-fopen_wrappers.patch 1481 MD5 4db8e0b66cde22dd4e4d9f51e59f6098 files/php4.3.11-gd_safe_mode.patch 1573 +MD5 480060d9a5de72030e2fce541e2830f8 files/php4.3.11-globals_overwrite.patch 18395 MD5 47a031979331eeb527d0918d2c38cdbe files/php4.3.11-imap-symlink.diff 1238 MD5 a9b932952f12aa01a9f98a7fcbf32ed9 files/php4.3.11-pcre-security.patch 6031 +MD5 43b4113d1fb159955b0d5ed307cac143 files/php4.3.11-phpinfo_xss.patch 2518 MD5 48d9c939434e9b01d0696410d59c503c files/php4.3.11-pspell-ext-segf.patch 8482 
MD5 17b906361a7ab8a3008446871623eeae files/php4.3.11-session_save_path-segf.patch 4938 +MD5 0429f8334ba4bab659a2e41ce5debc80 files/php4.4.0-curl_safemode.patch 1937 MD5 cb36a386184ed6a887f62d2205f57173 files/php4.4.0-fopen_wrappers.patch 1481 MD5 a540c54ba22dc16b157edcf1ecb6258f files/php4.4.0-gd_safe_mode.patch 883 +MD5 ac3e0691fbecf920d030a35bc8e02109 files/php4.4.0-globals_overwrite.patch 10115 MD5 4c86d8ed96f2bb38b94e826c1f028c80 files/php4.4.0-imap-symlink.diff 1238 MD5 54a4ad0766f89185d7de2c6d07b07296 files/php4.4.0-pcre-security.patch 6177 +MD5 57644300fb52ad610fa52ae8ba6b522b files/php4.4.0-phpinfo_xss.patch 1284 MD5 48d9c939434e9b01d0696410d59c503c files/php4.4.0-pspell-ext-segf.patch 8482 MD5 83fb9efb602c178741ea2e40e13b014f files/php4.4.0-session_save_path-segf.patch 4132 MD5 38fe937e954ab7109395cefa86fcd2d4 metadata.xml 384 MD5 90610a0b9cdbcbec3cd33fcef432e00c mod_php-4.3.11-r1.ebuild 7127 -MD5 4d0ebe3699f952c088db37797aa0348e mod_php-4.3.11-r2.ebuild 7698 +MD5 d1c596d415ff3b0491499dc6d8171511 mod_php-4.3.11-r3.ebuild 8056 MD5 cd88a76d8ca70243cb58ed076582a857 mod_php-4.3.11.ebuild 6387 MD5 29d9e7ef90de139245d7c5e06dd9b67c mod_php-4.4.0-r1.ebuild 6561 MD5 68092beafbec1bd1b054a153b834bd13 mod_php-4.4.0-r2.ebuild 7074 MD5 47959bde0d770eddf3d212d43766332d mod_php-4.4.0-r3.ebuild 6145 -MD5 ef50cfbb47812f5d93a4619ec6a17d0b mod_php-4.4.0-r4.ebuild 7641 -MD5 fa007aafea862145346c99a03f1bb9dc mod_php-4.4.0-r5.ebuild 6714 +MD5 b57df48a882e6a150a3203bb01a936b7 mod_php-4.4.0-r6.ebuild 7996 +MD5 394f186272ba1f810907d07e3f2aa6f8 mod_php-4.4.0-r7.ebuild 7069 MD5 b7f57c4f896ce046f8a6b4472ddfcb2b mod_php-4.4.0.ebuild 6336 diff --git a/dev-php/mod_php/files/digest-mod_php-4.3.11-r2 b/dev-php/mod_php/files/digest-mod_php-4.3.11-r3 index 8a51d50e2303..8a51d50e2303 100644 --- a/dev-php/mod_php/files/digest-mod_php-4.3.11-r2 +++ b/dev-php/mod_php/files/digest-mod_php-4.3.11-r3 
diff --git a/dev-php/mod_php/files/digest-mod_php-4.4.0-r4 b/dev-php/mod_php/files/digest-mod_php-4.4.0-r6 index dfbd3919a8b5..dfbd3919a8b5 100644 --- a/dev-php/mod_php/files/digest-mod_php-4.4.0-r4 +++ b/dev-php/mod_php/files/digest-mod_php-4.4.0-r6 diff --git a/dev-php/mod_php/files/digest-mod_php-4.4.0-r5 b/dev-php/mod_php/files/digest-mod_php-4.4.0-r7 index dfbd3919a8b5..dfbd3919a8b5 100644 --- a/dev-php/mod_php/files/digest-mod_php-4.4.0-r5 +++ b/dev-php/mod_php/files/digest-mod_php-4.4.0-r7 diff --git a/dev-php/mod_php/files/php4.3.11-curl_safemode.patch b/dev-php/mod_php/files/php4.3.11-curl_safemode.patch new file mode 100644 index 000000000000..f308dea57dde --- /dev/null +++ b/dev-php/mod_php/files/php4.3.11-curl_safemode.patch 
@@ -0,0 +1,141 @@ +--- ext/curl/curl.c 2005-03-14 10:03:09.000000000 +0100 ++++ ext/curl/curl.c 2005-10-17 04:42:51.000000000 +0200 +@@ -16,7 +16,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: curl.c,v 1.124.2.29 2005/03/14 09:03:09 sniper Exp $ */ ++/* $Id: curl.c,v 1.124.2.30.2.3 2005/10/17 02:42:51 iliaa Exp $ */ + + #ifdef HAVE_CONFIG_H + #include "config.h" +@@ -66,7 +66,7 @@ + #define CAAZ(s, v) add_assoc_zval_ex(return_value, s, sizeof(s), (zval *) v); + + #define PHP_CURL_CHECK_OPEN_BASEDIR(str, len) \ +- if (PG(open_basedir) && *PG(open_basedir) && \ ++ if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \ + strncasecmp(str, "file://", sizeof("file://") - 1) == 0) \ + { \ + php_url *tmp_url; \ +@@ -76,7 +76,7 @@ + RETURN_FALSE; \ + } \ + \ +- if (php_check_open_basedir(tmp_url->path TSRMLS_CC) || \ ++ if (tmp_url->query || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \ + (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \ + ) { \ + php_url_free(tmp_url); \ +@@ -436,10 +436,12 @@ + zend_list_addref(ch->id); + ZVAL_STRINGL(argv[1], data, length, 1); + ++ ch->in_callback = 1; + error = call_user_function(EG(function_table), + NULL, + t->func, + retval, 2, argv TSRMLS_CC); ++ ch->in_callback = 0; + if (error == FAILURE) { + php_error(E_WARNING, "%s(): Couldn't call the CURLOPT_WRITEFUNCTION", + get_active_function_name(TSRMLS_C)); +@@ -495,10 +497,12 @@ + zend_list_addref(t->fd); + ZVAL_LONG(argv[2], (int) size * nmemb); + ++ ch->in_callback = 1; + error = call_user_function(EG(function_table), + NULL, + t->func, + retval, 3, argv TSRMLS_CC); ++ ch->in_callback = 0; + if (error == FAILURE) { + php_error(E_WARNING, "%s(): Cannot call the CURLOPT_READFUNCTION", + get_active_function_name(TSRMLS_C)); +@@ -553,10 +557,12 @@ + zend_list_addref(ch->id); + ZVAL_STRINGL(argv[1], data, length, 1); + ++ ch->in_callback = 1; + error = 
call_user_function(EG(function_table), + NULL, + t->func, + retval, 2, argv TSRMLS_CC); ++ ch->in_callback = 0; + if (error == FAILURE) { + php_error(E_WARNING, "%s(): Couldn't call the CURLOPT_HEADERFUNCTION", + get_active_function_name(TSRMLS_C)); +@@ -606,10 +612,12 @@ + ZVAL_STRING(argv[1], prompt, 1); + ZVAL_LONG(argv[2], buflen); + ++ ch->in_callback = 1; + error = call_user_function(EG(function_table), + NULL, + func, + retval, 2, argv TSRMLS_CC); ++ ch->in_callback = 0; + if (error == FAILURE) { + php_error(E_WARNING, "%s(): Couldn't call the CURLOPT_PASSWDFUNCTION", get_active_function_name(TSRMLS_C)); + } else if (Z_TYPE_P(retval) == IS_STRING) { +@@ -680,7 +688,9 @@ + (*ch)->handlers->write_header = ecalloc(1, sizeof(php_curl_write)); + (*ch)->handlers->read = ecalloc(1, sizeof(php_curl_read)); + memset(&(*ch)->err, 0, sizeof((*ch)->err)); +- ++ ++ (*ch)->in_callback = 0; ++ + zend_llist_init(&(*ch)->to_free.str, sizeof(char *), + (void(*)(void *)) curl_free_string, 0); + zend_llist_init(&(*ch)->to_free.slist, sizeof(struct curl_slist), +@@ -982,10 +992,15 @@ + + postval = Z_STRVAL_PP(current); + if (*postval == '@') { ++ ++postval; ++ /* safe_mode / open_basedir check */ ++ if (php_check_open_basedir(postval TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(postval, "rb+", CHECKUID_CHECK_MODE_PARAM))) { ++ RETURN_FALSE; ++ } + error = curl_formadd(&first, &last, + CURLFORM_COPYNAME, string_key, + CURLFORM_NAMELENGTH, (long)string_key_len - 1, +- CURLFORM_FILE, ++postval, ++ CURLFORM_FILE, postval, + CURLFORM_END); + } + else { +@@ -1337,7 +1352,11 @@ + WRONG_PARAM_COUNT; + } + ZEND_FETCH_RESOURCE(ch, php_curl *, zid, -1, le_curl_name, le_curl); +- ++ ++ if (ch->in_callback) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempt to close CURL handle from a callback"); ++ return; ++ } + zend_list_delete(Z_LVAL_PP(zid)); + } + /* }}} */ +--- ext/curl/php_curl.h 2002-12-31 17:34:15.000000000 +0100 ++++ ext/curl/php_curl.h 2005-06-02 23:05:06.000000000 +0200 
+@@ -17,7 +17,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: php_curl.h,v 1.29.2.1 2002/12/31 16:34:15 sebastian Exp $ */ ++/* $Id: php_curl.h,v 1.29.2.2 2005/06/02 21:05:06 tony2001 Exp $ */ + + #ifndef _PHP_CURL_H + #define _PHP_CURL_H +@@ -93,6 +93,7 @@ + struct _php_curl_free to_free; + long id; + unsigned int uses; ++ zend_bool in_callback; + } php_curl; + + /* streams support */ diff --git a/dev-php/mod_php/files/php4.3.11-globals_overwrite.patch b/dev-php/mod_php/files/php4.3.11-globals_overwrite.patch new file mode 100644 index 000000000000..d3eb55c5ee3e --- /dev/null +++ b/dev-php/mod_php/files/php4.3.11-globals_overwrite.patch 
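Review bot: The rewritten PHP_CURL_CHECK_OPEN_BASEDIR macro rejects a `file://` URL that carries a query but still accepts one that carries a fragment, so the path PHP's URL parser hands to `php_check_open_basedir()` may still differ from the one libcurl opens. Rejecting both in the same condition, `if (tmp_url->query || tmp_url->fragment || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \`, keeps the check conservative. Separately, the new `RETURN_FALSE` in the `'@'` upload branch exits after earlier `curl_formadd()` calls may already have allocated `first`. Whether that form is freed elsewhere is not visible here, so it is worth confirming whether a `curl_formfree(first);` is needed before the return. The rest of the macro and the enclosing functions lie outside the embedded hunks.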
@@ -0,0 +1,559 @@ +--- ext/standard/array.c 2004-12-23 17:40:03.000000000 +0100 ++++ ext/standard/array.c 2005-10-31 23:26:23.000000000 +0100 +@@ -22,7 +22,7 @@ + */ + + +-/* $Id: array.c,v 1.199.2.42 2004/12/23 16:40:03 tony2001 Exp $ */ ++/* $Id: array.c,v 1.199.2.44.2.9 2005/10/03 14:05:07 iliaa Exp $ */ + + #include "php.h" + #include "php_ini.h" +@@ -631,7 +640,7 @@ + s = *((Bucket **) b); + + if (f->nKeyLength) { +- Z_STRVAL(key1) = estrndup(f->arKey, f->nKeyLength); ++ Z_STRVAL(key1) = estrndup(f->arKey, f->nKeyLength-1); + Z_STRLEN(key1) = f->nKeyLength-1; + Z_TYPE(key1) = IS_STRING; + } else { +@@ -639,7 +648,7 @@ + Z_TYPE(key1) = IS_LONG; + } + if (s->nKeyLength) { +- Z_STRVAL(key2) = estrndup(s->arKey, s->nKeyLength); ++ Z_STRVAL(key2) = estrndup(s->arKey, s->nKeyLength-1); + Z_STRLEN(key2) = s->nKeyLength-1; + Z_TYPE(key2) = IS_STRING; + } else { +@@ -1243,6 +1252,10 @@ + /* break omitted intentionally */ + + case EXTR_OVERWRITE: ++ /* GLOBALS protection */ ++ if (var_exists && !strcmp(var_name, "GLOBALS")) { ++ break; ++ } + smart_str_appendl(&final_name, var_name, var_name_len); + break; + +@@ -1291,14 +1304,18 @@ + zval **orig_var; + + if (zend_hash_find(EG(active_symbol_table), final_name.c, final_name.len+1, (void **) &orig_var) == SUCCESS) { +- zval_ptr_dtor(orig_var); +- + SEPARATE_ZVAL_TO_MAKE_IS_REF(entry); + zval_add_ref(entry); + ++ zval_ptr_dtor(orig_var); ++ + *orig_var = *entry; + } else { +- (*entry)->is_ref = 1; ++ if ((*var_array)->refcount > 1) { ++ SEPARATE_ZVAL_TO_MAKE_IS_REF(entry); ++ } else { ++ (*entry)->is_ref = 1; ++ } + zval_add_ref(entry); + zend_hash_update(EG(active_symbol_table), final_name.c, final_name.len+1, (void **) entry, sizeof(zval *), NULL); + } +@@ -1818,8 +1835,8 @@ + hashtable and replace it with new one */ + new_hash = php_splice(Z_ARRVAL_P(stack), 0, 0, &args[1], argc-1, NULL); + zend_hash_destroy(Z_ARRVAL_P(stack)); +- efree(Z_ARRVAL_P(stack)); +- Z_ARRVAL_P(stack) = new_hash; ++ *Z_ARRVAL_P(stack) = 
*new_hash; ++ FREE_HASHTABLE(new_hash); + + /* Clean up and return the number of elements in the stack */ + efree(args); +@@ -1896,8 +1913,8 @@ + + /* Replace input array's hashtable with the new one */ + zend_hash_destroy(Z_ARRVAL_P(array)); +- efree(Z_ARRVAL_P(array)); +- Z_ARRVAL_P(array) = new_hash; ++ *Z_ARRVAL_P(array) = *new_hash; ++ FREE_HASHTABLE(new_hash); + + /* Clean up */ + if (argc == 4) +@@ -2384,8 +2401,8 @@ + + /* Copy the result hash into return value */ + zend_hash_destroy(Z_ARRVAL_P(return_value)); +- efree(Z_ARRVAL_P(return_value)); +- Z_ARRVAL_P(return_value) = new_hash; ++ *Z_ARRVAL_P(return_value) = *new_hash; ++ FREE_HASHTABLE(new_hash); + + /* Clean up */ + efree(pads); +@@ -2483,7 +2500,7 @@ + zend_hash_index_update(Z_ARRVAL_P(return_value), num_key, entry, sizeof(entry), NULL); + break; + case HASH_KEY_IS_STRING: +- new_key=estrndup(string_key,str_key_len); ++ new_key=estrndup(string_key,str_key_len - 1); + if (change_to_upper) + php_strtoupper(new_key, str_key_len - 1); + else +@@ -2609,6 +2626,15 @@ + /* copy the argument array */ + *return_value = **args[0]; + zval_copy_ctor(return_value); ++ if (return_value->value.ht == &EG(symbol_table)) { ++ HashTable *ht; ++ zval *tmp; ++ ++ ALLOC_HASHTABLE(ht); ++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0); ++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *)); ++ return_value->value.ht = ht; ++ } + + /* go through the lists and look for common values */ + while (*ptrs[0]) { +@@ -2759,6 +2785,15 @@ + /* copy the argument array */ + *return_value = **args[0]; + zval_copy_ctor(return_value); ++ if (return_value->value.ht == &EG(symbol_table)) { ++ HashTable *ht; ++ zval *tmp; ++ ++ ALLOC_HASHTABLE(ht); ++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0); ++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *)); ++ return_value->value.ht = ht; ++ } + + /* go through the lists and look for 
values of ptr[0] + that are not in the others */ +@@ -3229,8 +3264,11 @@ + efree(callback_name); + + if (ZEND_NUM_ARGS() > 2) { +- convert_to_long_ex(initial); +- result = *initial; ++ ALLOC_ZVAL(result); ++ *result = **initial; ++ zval_copy_ctor(result); ++ convert_to_long(result); ++ INIT_PZVAL(result); + } else { + MAKE_STD_ZVAL(result); + ZVAL_NULL(result); +@@ -3246,6 +3284,7 @@ + if (result) { + *return_value = *result; + zval_copy_ctor(return_value); ++ zval_ptr_dtor(&result); + } + return; + } +@@ -3282,6 +3321,7 @@ + PHP_FUNCTION(array_filter) + { + zval **input, **callback = NULL; ++ zval *array, *func = NULL; + zval **operand; + zval **args[1]; + zval *retval = NULL; +@@ -3300,9 +3340,13 @@ + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The first argument should be an array"); + return; + } ++ if (callback) { ++ func = *callback; ++ } ++ array = *input; + + if (ZEND_NUM_ARGS() > 1) { +- if (!zend_is_callable(*callback, 0, &callback_name)) { ++ if (!zend_is_callable(func, 0, &callback_name)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The second argument, '%s', should be a valid callback", callback_name); + efree(callback_name); + return; +@@ -3311,16 +3355,16 @@ + } + + array_init(return_value); +- if (zend_hash_num_elements(Z_ARRVAL_PP(input)) == 0) ++ if (zend_hash_num_elements(Z_ARRVAL_P(array)) == 0) + return; + +- for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(input), &pos); +- zend_hash_get_current_data_ex(Z_ARRVAL_PP(input), (void **)&operand, &pos) == SUCCESS; +- zend_hash_move_forward_ex(Z_ARRVAL_PP(input), &pos)) { ++ for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(array), &pos); ++ zend_hash_get_current_data_ex(Z_ARRVAL_P(array), (void **)&operand, &pos) == SUCCESS; ++ zend_hash_move_forward_ex(Z_ARRVAL_P(array), &pos)) { + +- if (callback) { ++ if (func) { + args[0] = operand; +- if (call_user_function_ex(EG(function_table), NULL, *callback, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) { ++ if 
(call_user_function_ex(EG(function_table), NULL, func, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) { + if (!zend_is_true(retval)) { + zval_ptr_dtor(&retval); + continue; +@@ -3334,7 +3378,7 @@ + continue; + + zval_add_ref(operand); +- switch (zend_hash_get_current_key_ex(Z_ARRVAL_PP(input), &string_key, &string_key_len, &num_key, 0, &pos)) { ++ switch (zend_hash_get_current_key_ex(Z_ARRVAL_P(array), &string_key, &string_key_len, &num_key, 0, &pos)) { + case HASH_KEY_IS_STRING: + zend_hash_update(Z_ARRVAL_P(return_value), string_key, + string_key_len, operand, sizeof(zval *), NULL); +@@ -3401,6 +3445,7 @@ + efree(array_pos); + return; + } ++ SEPARATE_ZVAL_IF_NOT_REF(pargs[i]); + args[i] = *pargs[i]; + array_len[i] = zend_hash_num_elements(Z_ARRVAL_PP(pargs[i])); + if (array_len[i] > maxlen) { +--- ext/standard/basic_functions.c 2005-01-18 12:01:20.000000000 +0100 ++++ ext/standard/basic_functions.c 2005-10-31 23:29:26.000000000 +0100 +@@ -17,7 +17,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: basic_functions.c,v 1.543.2.47 2005/01/18 11:01:20 sniper Exp $ */ ++/* $Id: basic_functions.c,v 1.543.2.51.2.3 2005/09/29 16:31:48 iliaa Exp $ */ + + #include "php.h" + #include "php_streams.h" +@@ -42,18 +42,7 @@ + #include <time.h> + #include <stdio.h> + +-#ifndef NETWARE + #include <netdb.h> +-#else +-/*#include "netware/env.h"*/ /* Temporary */ +-#ifdef NEW_LIBC /* Same headers hold good for Winsock and Berkeley sockets */ +-#include <netinet/in.h> +-/*#include <arpa/inet.h>*/ +-#include <netdb.h> +-#else +-#include <sys/socket.h> +-#endif +-#endif + + #if HAVE_ARPA_INET_H + # include <arpa/inet.h> +@@ -813,8 +802,8 @@ + PHP_FE(prev, first_arg_force_ref) + PHP_FE(next, first_arg_force_ref) + PHP_FE(reset, first_arg_force_ref) +- PHP_FE(current, first_arg_force_ref) +- PHP_FE(key, first_arg_force_ref) ++ PHP_FE(current, NULL) ++ PHP_FE(key, NULL) + PHP_FE(min, NULL) + PHP_FE(max, NULL) + PHP_FE(in_array, 
NULL) +@@ -944,6 +933,13 @@ + static void php_putenv_destructor(putenv_entry *pe) + { + if (pe->previous_value) { ++#if _MSC_VER ++ /* VS.Net has a bug in putenv() when setting a variable that ++ * is already set; if the SetEnvironmentVariable() API call ++ * fails, the Crt will double free() a string. ++ * We try to avoid this by setting our own value first */ ++ SetEnvironmentVariable(pe->key, "bugbug"); ++#endif + putenv(pe->previous_value); + } else { + # if HAVE_UNSETENV +@@ -1232,11 +1228,10 @@ + } + STR_FREE(BG(locale_string)); + +- if (FG(stream_wrappers)) { +- zend_hash_destroy(FG(stream_wrappers)); +- efree(FG(stream_wrappers)); +- FG(stream_wrappers) = NULL; +- } ++ /* ++ FG(stream_wrappers) are destroyed ++ during php_request_shutdown() ++ */ + + PHP_RSHUTDOWN(fsock) (SHUTDOWN_FUNC_ARGS_PASSTHRU); + PHP_RSHUTDOWN(filestat) (SHUTDOWN_FUNC_ARGS_PASSTHRU); +@@ -1430,6 +1425,14 @@ + } + } + ++#if _MSC_VER ++ /* VS.Net has a bug in putenv() when setting a variable that ++ * is already set; if the SetEnvironmentVariable() API call ++ * fails, the Crt will double free() a string. 
++ * We try to avoid this by setting our own value first */ ++ SetEnvironmentVariable(pe.key, "bugbug"); ++#endif ++ + if (putenv(pe.putenv_string) == 0) { /* success */ + zend_hash_add(&BG(putenv_ht), pe.key, pe.key_len+1, (void **) &pe, sizeof(putenv_entry), NULL); + #ifdef HAVE_TZSET +@@ -2089,17 +2092,21 @@ + static int user_shutdown_function_call(php_shutdown_function_entry *shutdown_function_entry TSRMLS_DC) + { + zval retval; ++ char *function_name = NULL; + +- if (call_user_function( EG(function_table), NULL, +- shutdown_function_entry->arguments[0], +- &retval, +- shutdown_function_entry->arg_count - 1, +- shutdown_function_entry->arguments + 1 +- TSRMLS_CC ) == SUCCESS ) { ++ if (!zend_is_callable(shutdown_function_entry->arguments[0], 0, &function_name)) { ++ php_error(E_WARNING, "(Registered shutdown functions) Unable to call %s() - function does not exist", function_name); ++ } else if (call_user_function(EG(function_table), NULL, ++ shutdown_function_entry->arguments[0], ++ &retval, ++ shutdown_function_entry->arg_count - 1, ++ shutdown_function_entry->arguments + 1 ++ TSRMLS_CC ) == SUCCESS) ++ { + zval_dtor(&retval); +- +- } else { +- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to call %s() - function does not exist", Z_STRVAL_P(shutdown_function_entry->arguments[0])); ++ } ++ if (function_name) { ++ efree(function_name); + } + return 0; + } +@@ -2192,6 +2199,7 @@ + PHP_FUNCTION(register_shutdown_function) + { + php_shutdown_function_entry shutdown_function_entry; ++ char *function_name = NULL; + int i; + + shutdown_function_entry.arg_count = ZEND_NUM_ARGS(); +@@ -2200,26 +2208,31 @@ + WRONG_PARAM_COUNT; + } + +- shutdown_function_entry.arguments = (pval **) safe_emalloc(sizeof(pval *), shutdown_function_entry.arg_count, 0); ++ shutdown_function_entry.arguments = (zval **) safe_emalloc(sizeof(zval *), shutdown_function_entry.arg_count, 0); + + if (zend_get_parameters_array(ht, shutdown_function_entry.arg_count, 
shutdown_function_entry.arguments) == FAILURE) { + RETURN_FALSE; + } + +- /* Prevent entering of anything but arrays/strings */ +- if (Z_TYPE_P(shutdown_function_entry.arguments[0]) != IS_ARRAY) { +- convert_to_string(shutdown_function_entry.arguments[0]); +- } +- +- if (!BG(user_shutdown_function_names)) { +- ALLOC_HASHTABLE(BG(user_shutdown_function_names)); +- zend_hash_init(BG(user_shutdown_function_names), 0, NULL, (void (*)(void *)) user_shutdown_function_dtor, 0); +- } ++ /* Prevent entering of anything but valid callback (syntax check only!) */ ++ if (!zend_is_callable(shutdown_function_entry.arguments[0], 1, &function_name)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid shutdown callback '%s' passed", function_name); ++ efree(shutdown_function_entry.arguments); ++ RETVAL_FALSE; ++ } else { ++ if (!BG(user_shutdown_function_names)) { ++ ALLOC_HASHTABLE(BG(user_shutdown_function_names)); ++ zend_hash_init(BG(user_shutdown_function_names), 0, NULL, (void (*)(void *)) user_shutdown_function_dtor, 0); ++ } + +- for (i = 0; i < shutdown_function_entry.arg_count; i++) { +- shutdown_function_entry.arguments[i]->refcount++; ++ for (i = 0; i < shutdown_function_entry.arg_count; i++) { ++ shutdown_function_entry.arguments[i]->refcount++; ++ } ++ zend_hash_next_index_insert(BG(user_shutdown_function_names), &shutdown_function_entry, sizeof(php_shutdown_function_entry), NULL); ++ } ++ if (function_name) { ++ efree(function_name); + } +- zend_hash_next_index_insert(BG(user_shutdown_function_names), &shutdown_function_entry, sizeof(php_shutdown_function_entry), NULL); + } + /* }}} */ + +@@ -3014,11 +3027,25 @@ + prefix = va_arg(args, char *); + prefix_len = va_arg(args, uint); + +- new_key_len = prefix_len + hash_key->nKeyLength; +- new_key = (char *) emalloc(new_key_len); ++ if (!prefix_len) { ++ if (!hash_key->nKeyLength) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard."); ++ return 0; ++ } else if 
(!strcmp(hash_key->arKey, "GLOBALS")) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite."); ++ return 0; ++ } ++ } ++ ++ if (hash_key->nKeyLength) { ++ new_key_len = prefix_len + hash_key->nKeyLength; ++ new_key = (char *) emalloc(new_key_len); + +- memcpy(new_key, prefix, prefix_len); +- memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength); ++ memcpy(new_key, prefix, prefix_len); ++ memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength); ++ } else { ++ new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h); ++ } + + zend_hash_del(&EG(symbol_table), new_key, new_key_len); + ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0); +--- ext/standard/string.c 2005-01-20 18:57:41.000000000 +0100 ++++ ext/standard/string.c 2005-10-31 23:34:37.000000000 +0100 +@@ -18,7 +18,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: string.c,v 1.333.2.48 2005/01/20 17:57:41 iliaa Exp $ */ ++/* $Id: string.c,v 1.333.2.52.2.1 2005/09/28 22:34:04 iliaa Exp $ */ + + /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */ + +@@ -1317,8 +1317,6 @@ + if (!Z_STRLEN_PP(needle)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Empty delimiter."); + efree(haystack_orig); +- zval_ptr_dtor(haystack); +- zval_ptr_dtor(needle); + RETURN_FALSE; + } + +@@ -1339,8 +1337,6 @@ + RETVAL_FALSE; + } + +- zval_ptr_dtor(haystack); +- zval_ptr_dtor(needle); + efree(haystack_orig); + } + /* }}} */ +@@ -1576,7 +1572,13 @@ + } + + if (chunklen > Z_STRLEN_PP(p_str)) { +- RETURN_STRINGL(Z_STRVAL_PP(p_str), Z_STRLEN_PP(p_str), 1); ++ /* to maintain BC, we must return original string + ending */ ++ result_len = endlen + Z_STRLEN_PP(p_str); ++ result = emalloc(result_len + 1); ++ memcpy(result, Z_STRVAL_PP(p_str), Z_STRLEN_PP(p_str)); ++ memcpy(result + Z_STRLEN_PP(p_str), end, endlen); ++ result[result_len] = '\0'; ++ RETURN_STRINGL(result, result_len, 
0); + } + + if (!Z_STRLEN_PP(p_str)) { +@@ -3169,7 +3179,6 @@ + zval *sarg; + char *res = NULL; + int argCount; +- int old_rg; + + argCount = ARG_COUNT(ht); + if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) { +@@ -3182,19 +3191,18 @@ + res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg)); + } + +- old_rg = PG(register_globals); + if (argCount == 1) { +- PG(register_globals) = 1; +- sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC); ++ zval tmp; ++ Z_ARRVAL(tmp) = EG(active_symbol_table); ++ ++ sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC); + } else { +- PG(register_globals) = 0; + /* Clear out the array that was passed in. */ + zval_dtor(*arrayArg); + array_init(*arrayArg); + + sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC); + } +- PG(register_globals) = old_rg; + } + /* }}} */ + +--- main/php_variables.c 2004-10-18 17:08:46.000000000 +0200 ++++ main/php_variables.c 2005-10-31 23:39:38.000000000 +0100 +@@ -16,7 +16,7 @@ + | Zeev Suraski <zeev@zend.com> | + +----------------------------------------------------------------------+ + */ +-/* $Id: php_variables.c,v 1.45.2.8 2004/10/18 15:08:46 tony2001 Exp $ */ ++/* $Id: php_variables.c,v 1.45.2.13.2.4 2005/10/02 11:33:27 rrichards Exp $ */ + + #include <stdio.h> + #include "php.h" +@@ -73,6 +73,10 @@ + symtable1 = Z_ARRVAL_P(track_vars_array); + } else if (PG(register_globals)) { + symtable1 = EG(active_symbol_table); ++ /* GLOBALS hijack attempt, reject parameter */ ++ if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)) { ++ return; ++ } + } + if (!symtable1) { + /* Nothing to do */ +@@ -99,6 +103,13 @@ + zval_dtor(val); + return; + } ++ ++ /* GLOBALS hijack attempt, reject parameter */ ++ if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) { ++ zval_dtor(val); ++ return; ++ } ++ + /* ensure that we don't have spaces or dots in the variable name (not binary safe) */ + for 
(p=var; *p; p++) { + switch(*p) { +@@ -182,11 +193,25 @@ + if (!index) { + zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); + } else { ++ zval **tmp; ++ + if (PG(magic_quotes_gpc) && (index!=var)) { + char *escaped_index = php_addslashes(index, index_len, &index_len, 0 TSRMLS_CC); ++ ++ if (PG(http_globals)[TRACK_VARS_COOKIE] && symtable1 == Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_COOKIE]) && ++ zend_hash_find(symtable1, escaped_index, index_len+1, (void **) &tmp) != FAILURE) { ++ efree(escaped_index); ++ break; ++ } ++ + zend_hash_update(symtable1, escaped_index, index_len+1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); + efree(escaped_index); + } else { ++ if (PG(http_globals)[TRACK_VARS_COOKIE] && symtable1 == Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_COOKIE]) && ++ zend_hash_find(symtable1, index, index_len+1, (void **) &tmp) != FAILURE) { ++ break; ++ } ++ + zend_hash_update(symtable1, index, index_len+1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); + } + } diff --git a/dev-php/mod_php/files/php4.3.11-phpinfo_xss.patch b/dev-php/mod_php/files/php4.3.11-phpinfo_xss.patch new file mode 100644 index 000000000000..2c7d9991794f --- /dev/null +++ b/dev-php/mod_php/files/php4.3.11-phpinfo_xss.patch 
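Review bot: The first GLOBALS guard added to main/php_variables.c returns without releasing `val`, while the second guard a few lines later calls `zval_dtor(val)` before returning, so a rejected parameter appears to leak its value on the register_globals path. The second `strncmp` in that guard is also dead: comparing the literal "GLOBALS" over `sizeof("GLOBALS[")-1` bytes includes the literal's terminator, so it can only match the exact name the first clause already matched, never a name that begins with `GLOBALS[`. A form that does what the comment says would be `if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS[", var, sizeof("GLOBALS[")-1)) { zval_dtor(val); return; }`. In ext/standard/basic_functions.c the numeric-key branch takes `new_key_len` from `spprintf()`, which excludes the terminator, while the string-key branch uses `nKeyLength`, which appears to include it (array.c in this same patch stores string lengths as `nKeyLength-1`); adding `new_key_len++;` after the `spprintf()` would make the two branches agree. The enclosing functions start and end outside the embedded hunks.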
@@ -0,0 +1,75 @@ +--- ext/standard/info.c 2004-06-09 17:10:19.000000000 +0200 ++++ ext/standard/info.c 2005-11-01 01:22:42.000000000 +0100 +@@ -18,7 +18,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: info.c,v 1.218.2.16 2004/06/09 15:10:19 iliaa Exp $ */ ++/* $Id: info.c,v 1.218.2.18.2.4 2005/08/16 00:26:02 iliaa Exp $ */ + + #include "php.h" + #include "php_ini.h" +@@ -133,10 +133,21 @@ + PUTS(" => "); + } + if (Z_TYPE_PP(tmp) == IS_ARRAY) { ++ zval *tmp3; ++ MAKE_STD_ZVAL(tmp3); + if (!sapi_module.phpinfo_as_text) { + PUTS("<pre>"); + } ++ php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC); + zend_print_zval_r(*tmp, 0); ++ php_ob_get_buffer(tmp3 TSRMLS_CC); ++ php_end_ob_buffer(0, 0 TSRMLS_CC); ++ ++ elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC); ++ PUTS(elem_esc); ++ efree(elem_esc); ++ zval_ptr_dtor(&tmp3); ++ + if (!sapi_module.phpinfo_as_text) { + PUTS("</pre>"); + } +@@ -196,7 +207,7 @@ + PHPAPI char *php_info_html_esc(char *string TSRMLS_DC) + { + int new_len; +- return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC); ++ return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC); + } + /* }}} */ + +@@ -408,7 +419,9 @@ + if (expose_php && !sapi_module.phpinfo_as_text) { + PUTS("<a href=\"http://www.php.net/\"><img border=\"0\" src=\""); + if (SG(request_info).request_uri) { +- PUTS(SG(request_info).request_uri); ++ char *elem_esc = php_info_html_esc(SG(request_info).request_uri TSRMLS_CC); ++ PUTS(elem_esc); ++ efree(elem_esc); + } + if ((ta->tm_mon==3) && (ta->tm_mday==1)) { + PUTS("?="PHP_EGG_LOGO_GUID"\" alt=\"Nadia!\" /></a>"); +@@ -510,7 +529,9 @@ + if (expose_php && !sapi_module.phpinfo_as_text) { + PUTS("<a href=\"http://www.zend.com/\"><img border=\"0\" src=\""); + if (SG(request_info).request_uri) { +- PUTS(SG(request_info).request_uri); ++ char *elem_esc = php_info_html_esc(SG(request_info).request_uri TSRMLS_CC); 
++ PUTS(elem_esc); ++ efree(elem_esc); + } + PUTS("?="ZEND_LOGO_GUID"\" alt=\"Zend logo\" /></a>\n"); + } +@@ -525,7 +546,9 @@ + php_info_print_hr(); + PUTS("<h1><a href=\""); + if (SG(request_info).request_uri) { +- PUTS(SG(request_info).request_uri); ++ char *elem_esc = php_info_html_esc(SG(request_info).request_uri TSRMLS_CC); ++ PUTS(elem_esc); ++ efree(elem_esc); + } + PUTS("?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000\">"); + PUTS("PHP Credits"); diff --git a/dev-php/mod_php/files/php4.4.0-curl_safemode.patch b/dev-php/mod_php/files/php4.4.0-curl_safemode.patch new file mode 100644 index 000000000000..32a82e072077 --- /dev/null +++ b/dev-php/mod_php/files/php4.4.0-curl_safemode.patch 
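Review bot: In the ext/standard/info.c hunk at `@@ -133,10 +133,21 @@` the capture buffer is opened with a chunk size of 4096 (`php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC)`), and the results of `php_start_ob_buffer` and `php_ob_get_buffer` are not checked before `Z_STRVAL_P(tmp3)` is handed to `php_info_html_esc`. If the output layer flushes a chunked buffer once it grows past that size (its implementation is not on this page, so this needs confirming), `zend_print_zval_r` output for a large array would reach the client without passing through the escaping this patch adds. I would open the buffer unchunked, `php_start_ob_buffer(NULL, 0, 1 TSRMLS_CC)`, and only read `tmp3` when `php_ob_get_buffer(tmp3 TSRMLS_CC) == SUCCESS`. The escaping also runs when `sapi_module.phpinfo_as_text` is set, so plain-text output gets HTML entities. The same code is added by php4.4.0-phpinfo_xss.patch later in this commit.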
@@ -0,0 +1,46 @@ +--- ext/curl/curl.c 2005-06-02 23:05:06.000000000 +0200 ++++ ext/curl/curl.c 2005-10-17 04:42:51.000000000 +0200 +@@ -16,7 +16,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: curl.c,v 1.124.2.30 2005/06/02 21:05:06 tony2001 Exp $ */ ++/* $Id: curl.c,v 1.124.2.30.2.3 2005/10/17 02:42:51 iliaa Exp $ */ + + #ifdef HAVE_CONFIG_H + #include "config.h" +@@ -66,7 +66,7 @@ + #define CAAZ(s, v) add_assoc_zval_ex(return_value, s, sizeof(s), (zval *) v); + + #define PHP_CURL_CHECK_OPEN_BASEDIR(str, len) \ +- if (PG(open_basedir) && *PG(open_basedir) && \ ++ if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \ + strncasecmp(str, "file://", sizeof("file://") - 1) == 0) \ + { \ + php_url *tmp_url; \ +@@ -76,7 +76,7 @@ + RETURN_FALSE; \ + } \ + \ +- if (php_check_open_basedir(tmp_url->path TSRMLS_CC) || \ ++ if (tmp_url->query || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \ + (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \ + ) { \ + php_url_free(tmp_url); \ +@@ -992,10 +992,15 @@ + + postval = Z_STRVAL_PP(current); + if (*postval == '@') { ++ ++postval; ++ /* safe_mode / open_basedir check */ ++ if (php_check_open_basedir(postval TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(postval, "rb+", CHECKUID_CHECK_MODE_PARAM))) { ++ RETURN_FALSE; ++ } + error = curl_formadd(&first, &last, + CURLFORM_COPYNAME, string_key, + CURLFORM_NAMELENGTH, (long)string_key_len - 1, +- CURLFORM_FILE, ++postval, ++ CURLFORM_FILE, postval, + CURLFORM_END); + } + else { diff --git a/dev-php/mod_php/files/php4.4.0-globals_overwrite.patch b/dev-php/mod_php/files/php4.4.0-globals_overwrite.patch new file mode 100644 index 000000000000..3aefaee16295 --- /dev/null +++ b/dev-php/mod_php/files/php4.4.0-globals_overwrite.patch 
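Review bot: The new safe_mode / open_basedir check at `@@ -992,10 +992,15 @@` in ext/curl/curl.c leaves through `RETURN_FALSE` while `first` may already hold parts added by earlier `curl_formadd(&first, &last, ...)` calls, and nothing on this path releases them. The enclosing loop and the normal hand-off of `first` are outside the hunk, so this is inferred; if it holds, `curl_formfree(first);` before `RETURN_FALSE;` closes the leak. A short comment that `postval` now points past the `@` would also help, since the `CURLFORM_FILE` argument no longer shows the increment. The php-cgi copy of php4.3.11-curl_safemode.patch in this commit adds the same lines.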
@@ -0,0 +1,314 @@ +--- ext/standard/array.c 2005-06-21 14:11:19.000000000 +0200 ++++ ext/standard/array.c 2005-11-01 00:40:11.000000000 +0100 +@@ -22,7 +22,7 @@ + */ + + +-/* $Id: array.c,v 1.199.2.44.2.2 2005/06/21 12:11:19 dmitry Exp $ */ ++/* $Id: array.c,v 1.199.2.44.2.9 2005/10/03 14:05:07 iliaa Exp $ */ + + #include "php.h" + #include "php_ini.h" +@@ -1252,6 +1252,10 @@ + /* break omitted intentionally */ + + case EXTR_OVERWRITE: ++ /* GLOBALS protection */ ++ if (var_exists && !strcmp(var_name, "GLOBALS")) { ++ break; ++ } + smart_str_appendl(&final_name, var_name, var_name_len); + break; + +@@ -1300,11 +1304,11 @@ + zval **orig_var; + + if (zend_hash_find(EG(active_symbol_table), final_name.c, final_name.len+1, (void **) &orig_var) == SUCCESS) { +- zval_ptr_dtor(orig_var); +- + SEPARATE_ZVAL_TO_MAKE_IS_REF(entry); + zval_add_ref(entry); + ++ zval_ptr_dtor(orig_var); ++ + *orig_var = *entry; + } else { + if ((*var_array)->refcount > 1) { +@@ -1831,8 +1835,8 @@ + hashtable and replace it with new one */ + new_hash = php_splice(Z_ARRVAL_P(stack), 0, 0, &args[1], argc-1, NULL); + zend_hash_destroy(Z_ARRVAL_P(stack)); +- efree(Z_ARRVAL_P(stack)); +- Z_ARRVAL_P(stack) = new_hash; ++ *Z_ARRVAL_P(stack) = *new_hash; ++ FREE_HASHTABLE(new_hash); + + /* Clean up and return the number of elements in the stack */ + efree(args); +@@ -1909,8 +1913,8 @@ + + /* Replace input array's hashtable with the new one */ + zend_hash_destroy(Z_ARRVAL_P(array)); +- efree(Z_ARRVAL_P(array)); +- Z_ARRVAL_P(array) = new_hash; ++ *Z_ARRVAL_P(array) = *new_hash; ++ FREE_HASHTABLE(new_hash); + + /* Clean up */ + if (argc == 4) +@@ -2397,8 +2401,8 @@ + + /* Copy the result hash into return value */ + zend_hash_destroy(Z_ARRVAL_P(return_value)); +- efree(Z_ARRVAL_P(return_value)); +- Z_ARRVAL_P(return_value) = new_hash; ++ *Z_ARRVAL_P(return_value) = *new_hash; ++ FREE_HASHTABLE(new_hash); + + /* Clean up */ + efree(pads); +@@ -2622,6 +2626,15 @@ + /* copy the argument array */ + 
*return_value = **args[0]; + zval_copy_ctor(return_value); ++ if (return_value->value.ht == &EG(symbol_table)) { ++ HashTable *ht; ++ zval *tmp; ++ ++ ALLOC_HASHTABLE(ht); ++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0); ++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *)); ++ return_value->value.ht = ht; ++ } + + /* go through the lists and look for common values */ + while (*ptrs[0]) { +@@ -2772,6 +2785,15 @@ + /* copy the argument array */ + *return_value = **args[0]; + zval_copy_ctor(return_value); ++ if (return_value->value.ht == &EG(symbol_table)) { ++ HashTable *ht; ++ zval *tmp; ++ ++ ALLOC_HASHTABLE(ht); ++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0); ++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *)); ++ return_value->value.ht = ht; ++ } + + /* go through the lists and look for values of ptr[0] + that are not in the others */ +@@ -3299,6 +3321,7 @@ + PHP_FUNCTION(array_filter) + { + zval **input, **callback = NULL; ++ zval *array, *func = NULL; + zval **operand; + zval **args[1]; + zval *retval = NULL; +@@ -3317,9 +3340,13 @@ + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The first argument should be an array"); + return; + } ++ if (callback) { ++ func = *callback; ++ } ++ array = *input; + + if (ZEND_NUM_ARGS() > 1) { +- if (!zend_is_callable(*callback, 0, &callback_name)) { ++ if (!zend_is_callable(func, 0, &callback_name)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The second argument, '%s', should be a valid callback", callback_name); + efree(callback_name); + return; +@@ -3328,16 +3355,16 @@ + } + + array_init(return_value); +- if (zend_hash_num_elements(Z_ARRVAL_PP(input)) == 0) ++ if (zend_hash_num_elements(Z_ARRVAL_P(array)) == 0) + return; + +- for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(input), &pos); +- zend_hash_get_current_data_ex(Z_ARRVAL_PP(input), (void **)&operand, &pos) == SUCCESS; +- 
zend_hash_move_forward_ex(Z_ARRVAL_PP(input), &pos)) { ++ for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(array), &pos); ++ zend_hash_get_current_data_ex(Z_ARRVAL_P(array), (void **)&operand, &pos) == SUCCESS; ++ zend_hash_move_forward_ex(Z_ARRVAL_P(array), &pos)) { + +- if (callback) { ++ if (func) { + args[0] = operand; +- if (call_user_function_ex(EG(function_table), NULL, *callback, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) { ++ if (call_user_function_ex(EG(function_table), NULL, func, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) { + if (!zend_is_true(retval)) { + zval_ptr_dtor(&retval); + continue; +@@ -3351,7 +3378,7 @@ + continue; + + zval_add_ref(operand); +- switch (zend_hash_get_current_key_ex(Z_ARRVAL_PP(input), &string_key, &string_key_len, &num_key, 0, &pos)) { ++ switch (zend_hash_get_current_key_ex(Z_ARRVAL_P(array), &string_key, &string_key_len, &num_key, 0, &pos)) { + case HASH_KEY_IS_STRING: + zend_hash_update(Z_ARRVAL_P(return_value), string_key, + string_key_len, operand, sizeof(zval *), NULL); +@@ -3418,6 +3445,7 @@ + efree(array_pos); + return; + } ++ SEPARATE_ZVAL_IF_NOT_REF(pargs[i]); + args[i] = *pargs[i]; + array_len[i] = zend_hash_num_elements(Z_ARRVAL_PP(pargs[i])); + if (array_len[i] > maxlen) { +--- ext/standard/basic_functions.c 2005-05-16 10:55:31.000000000 +0200 ++++ ext/standard/basic_functions.c 2005-11-01 00:40:30.000000000 +0100 +@@ -17,7 +17,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: basic_functions.c,v 1.543.2.51 2005/05/16 08:55:31 tony2001 Exp $ */ ++/* $Id: basic_functions.c,v 1.543.2.51.2.3 2005/09/29 16:31:48 iliaa Exp $ */ + + #include "php.h" + #include "php_streams.h" +@@ -42,18 +42,7 @@ + #include <time.h> + #include <stdio.h> + +-#ifndef NETWARE + #include <netdb.h> +-#else +-/*#include "netware/env.h"*/ /* Temporary */ +-#ifdef NEW_LIBC /* Same headers hold good for Winsock and Berkeley sockets */ +-#include <netinet/in.h> 
+-/*#include <arpa/inet.h>*/ +-#include <netdb.h> +-#else +-#include <sys/socket.h> +-#endif +-#endif + + #if HAVE_ARPA_INET_H + # include <arpa/inet.h> +@@ -813,8 +802,8 @@ + PHP_FE(prev, first_arg_force_ref) + PHP_FE(next, first_arg_force_ref) + PHP_FE(reset, first_arg_force_ref) +- PHP_FE(current, first_arg_force_ref) +- PHP_FE(key, first_arg_force_ref) ++ PHP_FE(current, NULL) ++ PHP_FE(key, NULL) + PHP_FE(min, NULL) + PHP_FE(max, NULL) + PHP_FE(in_array, NULL) +@@ -3038,11 +3027,25 @@ + prefix = va_arg(args, char *); + prefix_len = va_arg(args, uint); + +- new_key_len = prefix_len + hash_key->nKeyLength; +- new_key = (char *) emalloc(new_key_len); ++ if (!prefix_len) { ++ if (!hash_key->nKeyLength) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard."); ++ return 0; ++ } else if (!strcmp(hash_key->arKey, "GLOBALS")) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite."); ++ return 0; ++ } ++ } ++ ++ if (hash_key->nKeyLength) { ++ new_key_len = prefix_len + hash_key->nKeyLength; ++ new_key = (char *) emalloc(new_key_len); + +- memcpy(new_key, prefix, prefix_len); +- memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength); ++ memcpy(new_key, prefix, prefix_len); ++ memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength); ++ } else { ++ new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h); ++ } + + zend_hash_del(&EG(symbol_table), new_key, new_key_len); + ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0); +--- ext/standard/string.c 2005-06-02 10:50:52.000000000 +0200 ++++ ext/standard/string.c 2005-11-01 00:40:20.000000000 +0100 +@@ -18,7 +18,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: string.c,v 1.333.2.52 2005/06/02 08:50:52 derick Exp $ */ ++/* $Id: string.c,v 1.333.2.52.2.1 2005/09/28 22:34:04 iliaa Exp $ */ + + /* Synced with php 3.0 revision 
1.193 1999-06-16 [ssb] */ + +@@ -3179,7 +3179,6 @@ + zval *sarg; + char *res = NULL; + int argCount; +- int old_rg; + + argCount = ARG_COUNT(ht); + if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) { +@@ -3192,19 +3191,18 @@ + res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg)); + } + +- old_rg = PG(register_globals); + if (argCount == 1) { +- PG(register_globals) = 1; +- sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC); ++ zval tmp; ++ Z_ARRVAL(tmp) = EG(active_symbol_table); ++ ++ sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC); + } else { +- PG(register_globals) = 0; + /* Clear out the array that was passed in. */ + zval_dtor(*arrayArg); + array_init(*arrayArg); + + sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC); + } +- PG(register_globals) = old_rg; + } + /* }}} */ + +--- main/php_variables.c 2005-05-17 20:42:35.000000000 +0200 ++++ main/php_variables.c 2005-11-01 00:42:56.000000000 +0100 +@@ -16,7 +16,7 @@ + | Zeev Suraski <zeev@zend.com> | + +----------------------------------------------------------------------+ + */ +-/* $Id: php_variables.c,v 1.45.2.13 2005/05/17 18:42:35 iliaa Exp $ */ ++/* $Id: php_variables.c,v 1.45.2.13.2.4 2005/10/02 11:33:27 rrichards Exp $ */ + + #include <stdio.h> + #include "php.h" +@@ -73,6 +73,10 @@ + symtable1 = Z_ARRVAL_P(track_vars_array); + } else if (PG(register_globals)) { + symtable1 = EG(active_symbol_table); ++ /* GLOBALS hijack attempt, reject parameter */ ++ if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)) { ++ return; ++ } + } + if (!symtable1) { + /* Nothing to do */ +@@ -99,6 +103,13 @@ + zval_dtor(val); + return; + } ++ ++ /* GLOBALS hijack attempt, reject parameter */ ++ if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) { ++ zval_dtor(val); ++ return; ++ } ++ + /* ensure that we don't have spaces or dots in the variable name (not binary safe) */ + for (p=var; *p; 
p++) { + switch(*p) { diff --git a/dev-php/mod_php/files/php4.4.0-phpinfo_xss.patch b/dev-php/mod_php/files/php4.4.0-phpinfo_xss.patch new file mode 100644 index 000000000000..2f03ce4e273e --- /dev/null +++ b/dev-php/mod_php/files/php4.4.0-phpinfo_xss.patch @@ -0,0 +1,42 @@ +--- ext/standard/info.c 2005-06-07 15:37:33.000000000 +0200 ++++ ext/standard/info.c 2005-11-01 01:26:54.000000000 +0100 +@@ -18,7 +18,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: info.c,v 1.218.2.18.2.1 2005/06/07 13:37:33 derick Exp $ */ ++/* $Id: info.c,v 1.218.2.18.2.4 2005/08/16 00:26:02 iliaa Exp $ */ + + #include "php.h" + #include "php_ini.h" +@@ -133,10 +133,21 @@ + PUTS(" => "); + } + if (Z_TYPE_PP(tmp) == IS_ARRAY) { ++ zval *tmp3; ++ MAKE_STD_ZVAL(tmp3); + if (!sapi_module.phpinfo_as_text) { + PUTS("<pre>"); + } ++ php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC); + zend_print_zval_r(*tmp, 0); ++ php_ob_get_buffer(tmp3 TSRMLS_CC); ++ php_end_ob_buffer(0, 0 TSRMLS_CC); ++ ++ elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC); ++ PUTS(elem_esc); ++ efree(elem_esc); ++ zval_ptr_dtor(&tmp3); ++ + if (!sapi_module.phpinfo_as_text) { + PUTS("</pre>"); + } +@@ -196,7 +207,7 @@ + PHPAPI char *php_info_html_esc(char *string TSRMLS_DC) + { + int new_len; +- return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC); ++ return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC); + } + /* }}} */ + diff --git a/dev-php/mod_php/mod_php-4.3.11-r2.ebuild b/dev-php/mod_php/mod_php-4.3.11-r3.ebuild index fa5d55b0b0ff..dfa2a7bb9ca9 100644 --- a/dev-php/mod_php/mod_php-4.3.11-r2.ebuild +++ b/dev-php/mod_php/mod_php-4.3.11-r3.ebuild 
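Review bot: In the main/php_variables.c hunk at `@@ -73,6 +73,10 @@` of php4.4.0-globals_overwrite.patch, the second test `!strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)` compares eight bytes of a seven-character literal, so it stops at the literal's terminator and matches exactly the same input as the first test; a name of the form `GLOBALS[...` is not rejected here. That early `return;` also skips the `zval_dtor(val);` that the function's other early returns in this patch perform. I would write `if (!strcmp("GLOBALS", var) || !strncmp("GLOBALS[", var, sizeof("GLOBALS[")-1)) {` followed by `zval_dtor(val);` and `return;`. The `strcmp("GLOBALS", var)` check added at `@@ -99,6 +103,13 @@` appears to be what actually covers the bracketed form, presumably after the index is split off in code outside the hunk. The mod_php php4.3.11-globals_overwrite.patch earlier in this commit carries the same two lines.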
@@ -1,6 +1,6 @@ # Copyright 1999-2005 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/dev-php/mod_php/mod_php-4.3.11-r2.ebuild,v 1.10 2005/10/29 22:16:12 chtekk Exp $ +# $Header: /var/cvsroot/gentoo-x86/dev-php/mod_php/mod_php-4.3.11-r3.ebuild,v 1.1 2005/11/02 22:13:28 chtekk Exp $ IUSE="apache2" @@ -113,6 +113,15 @@ src_unpack() { epatch "${FILESDIR}/php4.3.11-gd_safe_mode.patch" fi + # patch fo fix safe_mode bypass in CURL extension, bug #111032 + use curl && epatch "${FILESDIR}/php4.3.11-curl_safemode.patch" + + # patch $GLOBALS overwrite vulnerability, bug #111011 and bug #111014 + epatch "${FILESDIR}/php4.3.11-globals_overwrite.patch" + + # patch phpinfo() XSS vulnerability, bug #111015 + epatch "${FILESDIR}/php4.3.11-phpinfo_xss.patch" + # patch open_basedir directory bypass, bug #102943 epatch "${FILESDIR}/php4.3.11-fopen_wrappers.patch" diff --git a/dev-php/mod_php/mod_php-4.4.0-r4.ebuild b/dev-php/mod_php/mod_php-4.4.0-r6.ebuild index 90417295bea9..d47f97cf8178 100644 --- a/dev-php/mod_php/mod_php-4.4.0-r4.ebuild +++ b/dev-php/mod_php/mod_php-4.4.0-r6.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2005 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/dev-php/mod_php/mod_php-4.4.0-r4.ebuild,v 1.1 2005/10/29 22:16:12 chtekk Exp $ +# $Header: /var/cvsroot/gentoo-x86/dev-php/mod_php/mod_php-4.4.0-r6.ebuild,v 1.1 2005/11/02 22:13:28 chtekk Exp $ IUSE="apache2" 
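Review bot: The comment added in the `src_unpack()` hunk of mod_php-4.3.11-r3.ebuild reads `# patch fo fix safe_mode bypass in CURL extension, bug #111032`; `fo` should be `to`. The same typo is in the matching hunks of mod_php-4.4.0-r6.ebuild and mod_php-4.4.0-r7.ebuild. src_unpack's body starts and ends outside the hunk.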
@@ -107,6 +107,15 @@ src_unpack() { epatch "${FILESDIR}/php4.4.0-gd_safe_mode.patch" fi + # patch fo fix safe_mode bypass in CURL extension, bug #111032 + use curl && epatch "${FILESDIR}/php4.4.0-curl_safemode.patch" + + # patch $GLOBALS overwrite vulnerability, bug #111011 and bug #111014 + epatch "${FILESDIR}/php4.4.0-globals_overwrite.patch" + + # patch phpinfo() XSS vulnerability, bug #111015 + epatch "${FILESDIR}/php4.4.0-phpinfo_xss.patch" + # patch open_basedir directory bypass, bug #102943 epatch "${FILESDIR}/php4.4.0-fopen_wrappers.patch" diff --git a/dev-php/mod_php/mod_php-4.4.0-r5.ebuild b/dev-php/mod_php/mod_php-4.4.0-r7.ebuild index f4875b578a06..c93b5d79e74f 100644 --- a/dev-php/mod_php/mod_php-4.4.0-r5.ebuild +++ b/dev-php/mod_php/mod_php-4.4.0-r7.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2005 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/dev-php/mod_php/mod_php-4.4.0-r5.ebuild,v 1.1 2005/10/29 22:16:12 chtekk Exp $ +# $Header: /var/cvsroot/gentoo-x86/dev-php/mod_php/mod_php-4.4.0-r7.ebuild,v 1.1 2005/11/02 22:13:28 chtekk Exp $ IUSE="apache2" @@ -115,6 +115,15 @@ src_unpack() { epatch "${FILESDIR}/php4.4.0-gd_safe_mode.patch" fi + # patch fo fix safe_mode bypass in CURL extension, bug #111032 + use curl && epatch "${FILESDIR}/php4.4.0-curl_safemode.patch" + + # patch $GLOBALS overwrite vulnerability, bug #111011 and bug #111014 + epatch "${FILESDIR}/php4.4.0-globals_overwrite.patch" + + # patch phpinfo() XSS vulnerability, bug #111015 + epatch "${FILESDIR}/php4.4.0-phpinfo_xss.patch" + # patch open_basedir directory bypass, bug #102943 epatch "${FILESDIR}/php4.4.0-fopen_wrappers.patch" diff --git a/dev-php/php-cgi/ChangeLog b/dev-php/php-cgi/ChangeLog index e809f1e031b0..4c29535facd9 100644 --- a/dev-php/php-cgi/ChangeLog +++ b/dev-php/php-cgi/ChangeLog 
@@ -1,6 +1,19 @@ # ChangeLog for dev-php/php-cgi # Copyright 2000-2005 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/dev-php/php-cgi/ChangeLog,v 1.102 2005/10/29 22:16:13 chtekk Exp $ +# $Header: /var/cvsroot/gentoo-x86/dev-php/php-cgi/ChangeLog,v 1.103 2005/11/02 22:11:28 chtekk Exp $ + +*php-cgi-4.4.0-r4 (02 Nov 2005) +*php-cgi-4.3.11-r4 (02 Nov 2005) + + 02 Nov 2005; Luca Longinotti <chtekk@gentoo.org> + +files/php4.3.11-curl_safemode.patch, +files/php4.3.11-phpinfo_xss.patch, + +files/php4.3.11-globals_overwrite.patch, + +files/php4.4.0-curl_safemode.patch, + +files/php4.4.0-globals_overwrite.patch, + +files/php4.4.0-phpinfo_xss.patch, -php-cgi-4.3.11-r3.ebuild, + +php-cgi-4.3.11-r4.ebuild, -php-cgi-4.4.0-r3.ebuild, + +php-cgi-4.4.0-r4.ebuild: + Security-update: fix bugs #111032, #111015, #111011 and bug #111014. *php-cgi-4.4.0-r3 (29 Oct 2005) *php-cgi-4.3.11-r3 (29 Oct 2005) diff --git a/dev-php/php-cgi/Manifest b/dev-php/php-cgi/Manifest index 74ddccbf79d4..1eb158e5135f 100644 --- a/dev-php/php-cgi/Manifest +++ b/dev-php/php-cgi/Manifest 
@@ -1,30 +1,36 @@ -MD5 cf0ea805b8d4c87b9a7595c95f4de856 ChangeLog 14791 +MD5 3e134cc7b91aa025b2b7abd694c2806d ChangeLog 15329 MD5 cc21a816357d93a1d31cd44f861183c7 files/digest-php-cgi-4.3.11-r1 287 MD5 05df4c881b1833626d9a75a08a0098fd files/digest-php-cgi-4.3.11-r2 364 -MD5 05df4c881b1833626d9a75a08a0098fd files/digest-php-cgi-4.3.11-r3 364 +MD5 05df4c881b1833626d9a75a08a0098fd files/digest-php-cgi-4.3.11-r4 364 MD5 09d7dee078c684b0de0e4de6209ef634 files/digest-php-cgi-4.4.0 285 MD5 09d7dee078c684b0de0e4de6209ef634 files/digest-php-cgi-4.4.0-r1 285 MD5 472ce8342d69fdad9d2a642b03b31bac files/digest-php-cgi-4.4.0-r2 362 -MD5 472ce8342d69fdad9d2a642b03b31bac files/digest-php-cgi-4.4.0-r3 362 +MD5 472ce8342d69fdad9d2a642b03b31bac files/digest-php-cgi-4.4.0-r4 362 MD5 cdec3284251432935f950c2d15a405b7 files/php-4.3.11-flash.patch 694 MD5 b2aa5952d5c805b3e57a5a6bf0f0b8d0 files/php-4.3.11-gmp.patch 925 +MD5 09637e8f6f861b1f3698ec0390ec6b57 files/php4.3.11-curl_safemode.patch 5129 MD5 cb36a386184ed6a887f62d2205f57173 files/php4.3.11-fopen_wrappers.patch 1481 MD5 4db8e0b66cde22dd4e4d9f51e59f6098 files/php4.3.11-gd_safe_mode.patch 1573 +MD5 480060d9a5de72030e2fce541e2830f8 files/php4.3.11-globals_overwrite.patch 18395 MD5 47a031979331eeb527d0918d2c38cdbe files/php4.3.11-imap-symlink.diff 1238 MD5 a9b932952f12aa01a9f98a7fcbf32ed9 files/php4.3.11-pcre-security.patch 6031 +MD5 43b4113d1fb159955b0d5ed307cac143 files/php4.3.11-phpinfo_xss.patch 2518 MD5 48d9c939434e9b01d0696410d59c503c files/php4.3.11-pspell-ext-segf.patch 8482 MD5 17b906361a7ab8a3008446871623eeae files/php4.3.11-session_save_path-segf.patch 4938 +MD5 0429f8334ba4bab659a2e41ce5debc80 files/php4.4.0-curl_safemode.patch 1937 MD5 cb36a386184ed6a887f62d2205f57173 files/php4.4.0-fopen_wrappers.patch 1481 MD5 a540c54ba22dc16b157edcf1ecb6258f files/php4.4.0-gd_safe_mode.patch 883 +MD5 ac3e0691fbecf920d030a35bc8e02109 files/php4.4.0-globals_overwrite.patch 10115 MD5 4c86d8ed96f2bb38b94e826c1f028c80 
files/php4.4.0-imap-symlink.diff 1238 MD5 54a4ad0766f89185d7de2c6d07b07296 files/php4.4.0-pcre-security.patch 6177 +MD5 57644300fb52ad610fa52ae8ba6b522b files/php4.4.0-phpinfo_xss.patch 1284 MD5 48d9c939434e9b01d0696410d59c503c files/php4.4.0-pspell-ext-segf.patch 8482 MD5 83fb9efb602c178741ea2e40e13b014f files/php4.4.0-session_save_path-segf.patch 4132 MD5 38fe937e954ab7109395cefa86fcd2d4 metadata.xml 384 MD5 ff97ecdd5c6b9744c3770bf335bb1157 php-cgi-4.3.11-r1.ebuild 1116 MD5 f03786f41f7eb2be4bf8854c52d09f97 php-cgi-4.3.11-r2.ebuild 1866 -MD5 fe5e55c8edc33fb56da83cf767b3cb25 php-cgi-4.3.11-r3.ebuild 2436 +MD5 09490da529c8203551a9d325294bc744 php-cgi-4.3.11-r4.ebuild 2794 MD5 56118eb0c5d90c47c6f73c9db6eccb69 php-cgi-4.4.0-r1.ebuild 972 MD5 d9deaac08b78b996c648e1cbc9640ffa php-cgi-4.4.0-r2.ebuild 1711 -MD5 66062f07ef6eda420c58d8183afd86b7 php-cgi-4.4.0-r3.ebuild 2278 +MD5 fd58309f2a3593a4fe7833fcbed57769 php-cgi-4.4.0-r4.ebuild 2633 MD5 daa51bac42996b36311b5c6049f95b4e php-cgi-4.4.0.ebuild 972 diff --git a/dev-php/php-cgi/files/digest-php-cgi-4.3.11-r3 b/dev-php/php-cgi/files/digest-php-cgi-4.3.11-r4 index 8a51d50e2303..8a51d50e2303 100644 --- a/dev-php/php-cgi/files/digest-php-cgi-4.3.11-r3 +++ b/dev-php/php-cgi/files/digest-php-cgi-4.3.11-r4 diff --git a/dev-php/php-cgi/files/digest-php-cgi-4.4.0-r3 b/dev-php/php-cgi/files/digest-php-cgi-4.4.0-r4 index dfbd3919a8b5..dfbd3919a8b5 100644 --- a/dev-php/php-cgi/files/digest-php-cgi-4.4.0-r3 +++ b/dev-php/php-cgi/files/digest-php-cgi-4.4.0-r4 diff --git a/dev-php/php-cgi/files/php4.3.11-curl_safemode.patch b/dev-php/php-cgi/files/php4.3.11-curl_safemode.patch new file mode 100644 index 000000000000..f308dea57dde --- /dev/null +++ b/dev-php/php-cgi/files/php4.3.11-curl_safemode.patch 
@@ -0,0 +1,141 @@ +--- ext/curl/curl.c 2005-03-14 10:03:09.000000000 +0100 ++++ ext/curl/curl.c 2005-10-17 04:42:51.000000000 +0200 +@@ -16,7 +16,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: curl.c,v 1.124.2.29 2005/03/14 09:03:09 sniper Exp $ */ ++/* $Id: curl.c,v 1.124.2.30.2.3 2005/10/17 02:42:51 iliaa Exp $ */ + + #ifdef HAVE_CONFIG_H + #include "config.h" +@@ -66,7 +66,7 @@ + #define CAAZ(s, v) add_assoc_zval_ex(return_value, s, sizeof(s), (zval *) v); + + #define PHP_CURL_CHECK_OPEN_BASEDIR(str, len) \ +- if (PG(open_basedir) && *PG(open_basedir) && \ ++ if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \ + strncasecmp(str, "file://", sizeof("file://") - 1) == 0) \ + { \ + php_url *tmp_url; \ +@@ -76,7 +76,7 @@ + RETURN_FALSE; \ + } \ + \ +- if (php_check_open_basedir(tmp_url->path TSRMLS_CC) || \ ++ if (tmp_url->query || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \ + (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \ + ) { \ + php_url_free(tmp_url); \ +@@ -436,10 +436,12 @@ + zend_list_addref(ch->id); + ZVAL_STRINGL(argv[1], data, length, 1); + ++ ch->in_callback = 1; + error = call_user_function(EG(function_table), + NULL, + t->func, + retval, 2, argv TSRMLS_CC); ++ ch->in_callback = 0; + if (error == FAILURE) { + php_error(E_WARNING, "%s(): Couldn't call the CURLOPT_WRITEFUNCTION", + get_active_function_name(TSRMLS_C)); +@@ -495,10 +497,12 @@ + zend_list_addref(t->fd); + ZVAL_LONG(argv[2], (int) size * nmemb); + ++ ch->in_callback = 1; + error = call_user_function(EG(function_table), + NULL, + t->func, + retval, 3, argv TSRMLS_CC); ++ ch->in_callback = 0; + if (error == FAILURE) { + php_error(E_WARNING, "%s(): Cannot call the CURLOPT_READFUNCTION", + get_active_function_name(TSRMLS_C)); +@@ -553,10 +557,12 @@ + zend_list_addref(ch->id); + ZVAL_STRINGL(argv[1], data, length, 1); + ++ ch->in_callback = 1; + error = 
call_user_function(EG(function_table), + NULL, + t->func, + retval, 2, argv TSRMLS_CC); ++ ch->in_callback = 0; + if (error == FAILURE) { + php_error(E_WARNING, "%s(): Couldn't call the CURLOPT_HEADERFUNCTION", + get_active_function_name(TSRMLS_C)); +@@ -606,10 +612,12 @@ + ZVAL_STRING(argv[1], prompt, 1); + ZVAL_LONG(argv[2], buflen); + ++ ch->in_callback = 1; + error = call_user_function(EG(function_table), + NULL, + func, + retval, 2, argv TSRMLS_CC); ++ ch->in_callback = 0; + if (error == FAILURE) { + php_error(E_WARNING, "%s(): Couldn't call the CURLOPT_PASSWDFUNCTION", get_active_function_name(TSRMLS_C)); + } else if (Z_TYPE_P(retval) == IS_STRING) { +@@ -680,7 +688,9 @@ + (*ch)->handlers->write_header = ecalloc(1, sizeof(php_curl_write)); + (*ch)->handlers->read = ecalloc(1, sizeof(php_curl_read)); + memset(&(*ch)->err, 0, sizeof((*ch)->err)); +- ++ ++ (*ch)->in_callback = 0; ++ + zend_llist_init(&(*ch)->to_free.str, sizeof(char *), + (void(*)(void *)) curl_free_string, 0); + zend_llist_init(&(*ch)->to_free.slist, sizeof(struct curl_slist), +@@ -982,10 +992,15 @@ + + postval = Z_STRVAL_PP(current); + if (*postval == '@') { ++ ++postval; ++ /* safe_mode / open_basedir check */ ++ if (php_check_open_basedir(postval TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(postval, "rb+", CHECKUID_CHECK_MODE_PARAM))) { ++ RETURN_FALSE; ++ } + error = curl_formadd(&first, &last, + CURLFORM_COPYNAME, string_key, + CURLFORM_NAMELENGTH, (long)string_key_len - 1, +- CURLFORM_FILE, ++postval, ++ CURLFORM_FILE, postval, + CURLFORM_END); + } + else { +@@ -1337,7 +1352,11 @@ + WRONG_PARAM_COUNT; + } + ZEND_FETCH_RESOURCE(ch, php_curl *, zid, -1, le_curl_name, le_curl); +- ++ ++ if (ch->in_callback) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempt to close CURL handle from a callback"); ++ return; ++ } + zend_list_delete(Z_LVAL_PP(zid)); + } + /* }}} */ +--- ext/curl/php_curl.h 2002-12-31 17:34:15.000000000 +0100 ++++ ext/curl/php_curl.h 2005-06-02 23:05:06.000000000 +0200 
+@@ -17,7 +17,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: php_curl.h,v 1.29.2.1 2002/12/31 16:34:15 sebastian Exp $ */ ++/* $Id: php_curl.h,v 1.29.2.2 2005/06/02 21:05:06 tony2001 Exp $ */ + + #ifndef _PHP_CURL_H + #define _PHP_CURL_H +@@ -93,6 +93,7 @@ + struct _php_curl_free to_free; + long id; + unsigned int uses; ++ zend_bool in_callback; + } php_curl; + + /* streams support */ diff --git a/dev-php/php-cgi/files/php4.3.11-globals_overwrite.patch b/dev-php/php-cgi/files/php4.3.11-globals_overwrite.patch new file mode 100644 index 000000000000..d3eb55c5ee3e --- /dev/null +++ b/dev-php/php-cgi/files/php4.3.11-globals_overwrite.patch 
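Review bot: `ch->in_callback` is written as a plain flag (`= 1` before each `call_user_function`, `= 0` after) in the four callback hunks of ext/curl/curl.c, so a callback that ends up running another callback on the same handle would clear the guard while the outer one is still executing, and the `curl_close` check at `@@ -1337,7 +1352,11 @@` would pass again. Whether such nesting can happen is not visible in these hunks; if it can, `ch->in_callback++;` and `ch->in_callback--;` keep the guard in place. The new `zend_bool in_callback;` field in ext/curl/php_curl.h has no comment; something like `/* non-zero while a user callback for this handle is running */` would document why `curl_close` refuses.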
@@ -0,0 +1,559 @@ +--- ext/standard/array.c 2004-12-23 17:40:03.000000000 +0100 ++++ ext/standard/array.c 2005-10-31 23:26:23.000000000 +0100 +@@ -22,7 +22,7 @@ + */ + + +-/* $Id: array.c,v 1.199.2.42 2004/12/23 16:40:03 tony2001 Exp $ */ ++/* $Id: array.c,v 1.199.2.44.2.9 2005/10/03 14:05:07 iliaa Exp $ */ + + #include "php.h" + #include "php_ini.h" +@@ -631,7 +640,7 @@ + s = *((Bucket **) b); + + if (f->nKeyLength) { +- Z_STRVAL(key1) = estrndup(f->arKey, f->nKeyLength); ++ Z_STRVAL(key1) = estrndup(f->arKey, f->nKeyLength-1); + Z_STRLEN(key1) = f->nKeyLength-1; + Z_TYPE(key1) = IS_STRING; + } else { +@@ -639,7 +648,7 @@ + Z_TYPE(key1) = IS_LONG; + } + if (s->nKeyLength) { +- Z_STRVAL(key2) = estrndup(s->arKey, s->nKeyLength); ++ Z_STRVAL(key2) = estrndup(s->arKey, s->nKeyLength-1); + Z_STRLEN(key2) = s->nKeyLength-1; + Z_TYPE(key2) = IS_STRING; + } else { +@@ -1243,6 +1252,10 @@ + /* break omitted intentionally */ + + case EXTR_OVERWRITE: ++ /* GLOBALS protection */ ++ if (var_exists && !strcmp(var_name, "GLOBALS")) { ++ break; ++ } + smart_str_appendl(&final_name, var_name, var_name_len); + break; + +@@ -1291,14 +1304,18 @@ + zval **orig_var; + + if (zend_hash_find(EG(active_symbol_table), final_name.c, final_name.len+1, (void **) &orig_var) == SUCCESS) { +- zval_ptr_dtor(orig_var); +- + SEPARATE_ZVAL_TO_MAKE_IS_REF(entry); + zval_add_ref(entry); + ++ zval_ptr_dtor(orig_var); ++ + *orig_var = *entry; + } else { +- (*entry)->is_ref = 1; ++ if ((*var_array)->refcount > 1) { ++ SEPARATE_ZVAL_TO_MAKE_IS_REF(entry); ++ } else { ++ (*entry)->is_ref = 1; ++ } + zval_add_ref(entry); + zend_hash_update(EG(active_symbol_table), final_name.c, final_name.len+1, (void **) entry, sizeof(zval *), NULL); + } +@@ -1818,8 +1835,8 @@ + hashtable and replace it with new one */ + new_hash = php_splice(Z_ARRVAL_P(stack), 0, 0, &args[1], argc-1, NULL); + zend_hash_destroy(Z_ARRVAL_P(stack)); +- efree(Z_ARRVAL_P(stack)); +- Z_ARRVAL_P(stack) = new_hash; ++ *Z_ARRVAL_P(stack) = 
*new_hash; ++ FREE_HASHTABLE(new_hash); + + /* Clean up and return the number of elements in the stack */ + efree(args); +@@ -1896,8 +1913,8 @@ + + /* Replace input array's hashtable with the new one */ + zend_hash_destroy(Z_ARRVAL_P(array)); +- efree(Z_ARRVAL_P(array)); +- Z_ARRVAL_P(array) = new_hash; ++ *Z_ARRVAL_P(array) = *new_hash; ++ FREE_HASHTABLE(new_hash); + + /* Clean up */ + if (argc == 4) +@@ -2384,8 +2401,8 @@ + + /* Copy the result hash into return value */ + zend_hash_destroy(Z_ARRVAL_P(return_value)); +- efree(Z_ARRVAL_P(return_value)); +- Z_ARRVAL_P(return_value) = new_hash; ++ *Z_ARRVAL_P(return_value) = *new_hash; ++ FREE_HASHTABLE(new_hash); + + /* Clean up */ + efree(pads); +@@ -2483,7 +2500,7 @@ + zend_hash_index_update(Z_ARRVAL_P(return_value), num_key, entry, sizeof(entry), NULL); + break; + case HASH_KEY_IS_STRING: +- new_key=estrndup(string_key,str_key_len); ++ new_key=estrndup(string_key,str_key_len - 1); + if (change_to_upper) + php_strtoupper(new_key, str_key_len - 1); + else +@@ -2609,6 +2626,15 @@ + /* copy the argument array */ + *return_value = **args[0]; + zval_copy_ctor(return_value); ++ if (return_value->value.ht == &EG(symbol_table)) { ++ HashTable *ht; ++ zval *tmp; ++ ++ ALLOC_HASHTABLE(ht); ++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0); ++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *)); ++ return_value->value.ht = ht; ++ } + + /* go through the lists and look for common values */ + while (*ptrs[0]) { +@@ -2759,6 +2785,15 @@ + /* copy the argument array */ + *return_value = **args[0]; + zval_copy_ctor(return_value); ++ if (return_value->value.ht == &EG(symbol_table)) { ++ HashTable *ht; ++ zval *tmp; ++ ++ ALLOC_HASHTABLE(ht); ++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0); ++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *)); ++ return_value->value.ht = ht; ++ } + + /* go through the lists and look for 
values of ptr[0] + that are not in the others */ +@@ -3229,8 +3264,11 @@ + efree(callback_name); + + if (ZEND_NUM_ARGS() > 2) { +- convert_to_long_ex(initial); +- result = *initial; ++ ALLOC_ZVAL(result); ++ *result = **initial; ++ zval_copy_ctor(result); ++ convert_to_long(result); ++ INIT_PZVAL(result); + } else { + MAKE_STD_ZVAL(result); + ZVAL_NULL(result); +@@ -3246,6 +3284,7 @@ + if (result) { + *return_value = *result; + zval_copy_ctor(return_value); ++ zval_ptr_dtor(&result); + } + return; + } +@@ -3282,6 +3321,7 @@ + PHP_FUNCTION(array_filter) + { + zval **input, **callback = NULL; ++ zval *array, *func = NULL; + zval **operand; + zval **args[1]; + zval *retval = NULL; +@@ -3300,9 +3340,13 @@ + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The first argument should be an array"); + return; + } ++ if (callback) { ++ func = *callback; ++ } ++ array = *input; + + if (ZEND_NUM_ARGS() > 1) { +- if (!zend_is_callable(*callback, 0, &callback_name)) { ++ if (!zend_is_callable(func, 0, &callback_name)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The second argument, '%s', should be a valid callback", callback_name); + efree(callback_name); + return; +@@ -3311,16 +3355,16 @@ + } + + array_init(return_value); +- if (zend_hash_num_elements(Z_ARRVAL_PP(input)) == 0) ++ if (zend_hash_num_elements(Z_ARRVAL_P(array)) == 0) + return; + +- for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(input), &pos); +- zend_hash_get_current_data_ex(Z_ARRVAL_PP(input), (void **)&operand, &pos) == SUCCESS; +- zend_hash_move_forward_ex(Z_ARRVAL_PP(input), &pos)) { ++ for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(array), &pos); ++ zend_hash_get_current_data_ex(Z_ARRVAL_P(array), (void **)&operand, &pos) == SUCCESS; ++ zend_hash_move_forward_ex(Z_ARRVAL_P(array), &pos)) { + +- if (callback) { ++ if (func) { + args[0] = operand; +- if (call_user_function_ex(EG(function_table), NULL, *callback, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) { ++ if 
(call_user_function_ex(EG(function_table), NULL, func, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) { + if (!zend_is_true(retval)) { + zval_ptr_dtor(&retval); + continue; +@@ -3334,7 +3378,7 @@ + continue; + + zval_add_ref(operand); +- switch (zend_hash_get_current_key_ex(Z_ARRVAL_PP(input), &string_key, &string_key_len, &num_key, 0, &pos)) { ++ switch (zend_hash_get_current_key_ex(Z_ARRVAL_P(array), &string_key, &string_key_len, &num_key, 0, &pos)) { + case HASH_KEY_IS_STRING: + zend_hash_update(Z_ARRVAL_P(return_value), string_key, + string_key_len, operand, sizeof(zval *), NULL); +@@ -3401,6 +3445,7 @@ + efree(array_pos); + return; + } ++ SEPARATE_ZVAL_IF_NOT_REF(pargs[i]); + args[i] = *pargs[i]; + array_len[i] = zend_hash_num_elements(Z_ARRVAL_PP(pargs[i])); + if (array_len[i] > maxlen) { +--- ext/standard/basic_functions.c 2005-01-18 12:01:20.000000000 +0100 ++++ ext/standard/basic_functions.c 2005-10-31 23:29:26.000000000 +0100 +@@ -17,7 +17,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: basic_functions.c,v 1.543.2.47 2005/01/18 11:01:20 sniper Exp $ */ ++/* $Id: basic_functions.c,v 1.543.2.51.2.3 2005/09/29 16:31:48 iliaa Exp $ */ + + #include "php.h" + #include "php_streams.h" +@@ -42,18 +42,7 @@ + #include <time.h> + #include <stdio.h> + +-#ifndef NETWARE + #include <netdb.h> +-#else +-/*#include "netware/env.h"*/ /* Temporary */ +-#ifdef NEW_LIBC /* Same headers hold good for Winsock and Berkeley sockets */ +-#include <netinet/in.h> +-/*#include <arpa/inet.h>*/ +-#include <netdb.h> +-#else +-#include <sys/socket.h> +-#endif +-#endif + + #if HAVE_ARPA_INET_H + # include <arpa/inet.h> +@@ -813,8 +802,8 @@ + PHP_FE(prev, first_arg_force_ref) + PHP_FE(next, first_arg_force_ref) + PHP_FE(reset, first_arg_force_ref) +- PHP_FE(current, first_arg_force_ref) +- PHP_FE(key, first_arg_force_ref) ++ PHP_FE(current, NULL) ++ PHP_FE(key, NULL) + PHP_FE(min, NULL) + PHP_FE(max, NULL) + PHP_FE(in_array, 
NULL) +@@ -944,6 +933,13 @@ + static void php_putenv_destructor(putenv_entry *pe) + { + if (pe->previous_value) { ++#if _MSC_VER ++ /* VS.Net has a bug in putenv() when setting a variable that ++ * is already set; if the SetEnvironmentVariable() API call ++ * fails, the Crt will double free() a string. ++ * We try to avoid this by setting our own value first */ ++ SetEnvironmentVariable(pe->key, "bugbug"); ++#endif + putenv(pe->previous_value); + } else { + # if HAVE_UNSETENV +@@ -1232,11 +1228,10 @@ + } + STR_FREE(BG(locale_string)); + +- if (FG(stream_wrappers)) { +- zend_hash_destroy(FG(stream_wrappers)); +- efree(FG(stream_wrappers)); +- FG(stream_wrappers) = NULL; +- } ++ /* ++ FG(stream_wrappers) are destroyed ++ during php_request_shutdown() ++ */ + + PHP_RSHUTDOWN(fsock) (SHUTDOWN_FUNC_ARGS_PASSTHRU); + PHP_RSHUTDOWN(filestat) (SHUTDOWN_FUNC_ARGS_PASSTHRU); +@@ -1430,6 +1425,14 @@ + } + } + ++#if _MSC_VER ++ /* VS.Net has a bug in putenv() when setting a variable that ++ * is already set; if the SetEnvironmentVariable() API call ++ * fails, the Crt will double free() a string. 
++ * We try to avoid this by setting our own value first */ ++ SetEnvironmentVariable(pe.key, "bugbug"); ++#endif ++ + if (putenv(pe.putenv_string) == 0) { /* success */ + zend_hash_add(&BG(putenv_ht), pe.key, pe.key_len+1, (void **) &pe, sizeof(putenv_entry), NULL); + #ifdef HAVE_TZSET +@@ -2089,17 +2092,21 @@ + static int user_shutdown_function_call(php_shutdown_function_entry *shutdown_function_entry TSRMLS_DC) + { + zval retval; ++ char *function_name = NULL; + +- if (call_user_function( EG(function_table), NULL, +- shutdown_function_entry->arguments[0], +- &retval, +- shutdown_function_entry->arg_count - 1, +- shutdown_function_entry->arguments + 1 +- TSRMLS_CC ) == SUCCESS ) { ++ if (!zend_is_callable(shutdown_function_entry->arguments[0], 0, &function_name)) { ++ php_error(E_WARNING, "(Registered shutdown functions) Unable to call %s() - function does not exist", function_name); ++ } else if (call_user_function(EG(function_table), NULL, ++ shutdown_function_entry->arguments[0], ++ &retval, ++ shutdown_function_entry->arg_count - 1, ++ shutdown_function_entry->arguments + 1 ++ TSRMLS_CC ) == SUCCESS) ++ { + zval_dtor(&retval); +- +- } else { +- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to call %s() - function does not exist", Z_STRVAL_P(shutdown_function_entry->arguments[0])); ++ } ++ if (function_name) { ++ efree(function_name); + } + return 0; + } +@@ -2192,6 +2199,7 @@ + PHP_FUNCTION(register_shutdown_function) + { + php_shutdown_function_entry shutdown_function_entry; ++ char *function_name = NULL; + int i; + + shutdown_function_entry.arg_count = ZEND_NUM_ARGS(); +@@ -2200,26 +2208,31 @@ + WRONG_PARAM_COUNT; + } + +- shutdown_function_entry.arguments = (pval **) safe_emalloc(sizeof(pval *), shutdown_function_entry.arg_count, 0); ++ shutdown_function_entry.arguments = (zval **) safe_emalloc(sizeof(zval *), shutdown_function_entry.arg_count, 0); + + if (zend_get_parameters_array(ht, shutdown_function_entry.arg_count, 
shutdown_function_entry.arguments) == FAILURE) { + RETURN_FALSE; + } + +- /* Prevent entering of anything but arrays/strings */ +- if (Z_TYPE_P(shutdown_function_entry.arguments[0]) != IS_ARRAY) { +- convert_to_string(shutdown_function_entry.arguments[0]); +- } +- +- if (!BG(user_shutdown_function_names)) { +- ALLOC_HASHTABLE(BG(user_shutdown_function_names)); +- zend_hash_init(BG(user_shutdown_function_names), 0, NULL, (void (*)(void *)) user_shutdown_function_dtor, 0); +- } ++ /* Prevent entering of anything but valid callback (syntax check only!) */ ++ if (!zend_is_callable(shutdown_function_entry.arguments[0], 1, &function_name)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid shutdown callback '%s' passed", function_name); ++ efree(shutdown_function_entry.arguments); ++ RETVAL_FALSE; ++ } else { ++ if (!BG(user_shutdown_function_names)) { ++ ALLOC_HASHTABLE(BG(user_shutdown_function_names)); ++ zend_hash_init(BG(user_shutdown_function_names), 0, NULL, (void (*)(void *)) user_shutdown_function_dtor, 0); ++ } + +- for (i = 0; i < shutdown_function_entry.arg_count; i++) { +- shutdown_function_entry.arguments[i]->refcount++; ++ for (i = 0; i < shutdown_function_entry.arg_count; i++) { ++ shutdown_function_entry.arguments[i]->refcount++; ++ } ++ zend_hash_next_index_insert(BG(user_shutdown_function_names), &shutdown_function_entry, sizeof(php_shutdown_function_entry), NULL); ++ } ++ if (function_name) { ++ efree(function_name); + } +- zend_hash_next_index_insert(BG(user_shutdown_function_names), &shutdown_function_entry, sizeof(php_shutdown_function_entry), NULL); + } + /* }}} */ + +@@ -3014,11 +3027,25 @@ + prefix = va_arg(args, char *); + prefix_len = va_arg(args, uint); + +- new_key_len = prefix_len + hash_key->nKeyLength; +- new_key = (char *) emalloc(new_key_len); ++ if (!prefix_len) { ++ if (!hash_key->nKeyLength) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard."); ++ return 0; ++ } else if 
(!strcmp(hash_key->arKey, "GLOBALS")) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite."); ++ return 0; ++ } ++ } ++ ++ if (hash_key->nKeyLength) { ++ new_key_len = prefix_len + hash_key->nKeyLength; ++ new_key = (char *) emalloc(new_key_len); + +- memcpy(new_key, prefix, prefix_len); +- memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength); ++ memcpy(new_key, prefix, prefix_len); ++ memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength); ++ } else { ++ new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h); ++ } + + zend_hash_del(&EG(symbol_table), new_key, new_key_len); + ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0); +--- ext/standard/string.c 2005-01-20 18:57:41.000000000 +0100 ++++ ext/standard/string.c 2005-10-31 23:34:37.000000000 +0100 +@@ -18,7 +18,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: string.c,v 1.333.2.48 2005/01/20 17:57:41 iliaa Exp $ */ ++/* $Id: string.c,v 1.333.2.52.2.1 2005/09/28 22:34:04 iliaa Exp $ */ + + /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */ + +@@ -1317,8 +1317,6 @@ + if (!Z_STRLEN_PP(needle)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Empty delimiter."); + efree(haystack_orig); +- zval_ptr_dtor(haystack); +- zval_ptr_dtor(needle); + RETURN_FALSE; + } + +@@ -1339,8 +1337,6 @@ + RETVAL_FALSE; + } + +- zval_ptr_dtor(haystack); +- zval_ptr_dtor(needle); + efree(haystack_orig); + } + /* }}} */ +@@ -1576,7 +1572,13 @@ + } + + if (chunklen > Z_STRLEN_PP(p_str)) { +- RETURN_STRINGL(Z_STRVAL_PP(p_str), Z_STRLEN_PP(p_str), 1); ++ /* to maintain BC, we must return original string + ending */ ++ result_len = endlen + Z_STRLEN_PP(p_str); ++ result = emalloc(result_len + 1); ++ memcpy(result, Z_STRVAL_PP(p_str), Z_STRLEN_PP(p_str)); ++ memcpy(result + Z_STRLEN_PP(p_str), end, endlen); ++ result[result_len] = '\0'; ++ RETURN_STRINGL(result, result_len, 
0); + } + + if (!Z_STRLEN_PP(p_str)) { +@@ -3169,7 +3179,6 @@ + zval *sarg; + char *res = NULL; + int argCount; +- int old_rg; + + argCount = ARG_COUNT(ht); + if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) { +@@ -3182,19 +3191,18 @@ + res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg)); + } + +- old_rg = PG(register_globals); + if (argCount == 1) { +- PG(register_globals) = 1; +- sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC); ++ zval tmp; ++ Z_ARRVAL(tmp) = EG(active_symbol_table); ++ ++ sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC); + } else { +- PG(register_globals) = 0; + /* Clear out the array that was passed in. */ + zval_dtor(*arrayArg); + array_init(*arrayArg); + + sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC); + } +- PG(register_globals) = old_rg; + } + /* }}} */ + +--- main/php_variables.c 2004-10-18 17:08:46.000000000 +0200 ++++ main/php_variables.c 2005-10-31 23:39:38.000000000 +0100 +@@ -16,7 +16,7 @@ + | Zeev Suraski <zeev@zend.com> | + +----------------------------------------------------------------------+ + */ +-/* $Id: php_variables.c,v 1.45.2.8 2004/10/18 15:08:46 tony2001 Exp $ */ ++/* $Id: php_variables.c,v 1.45.2.13.2.4 2005/10/02 11:33:27 rrichards Exp $ */ + + #include <stdio.h> + #include "php.h" +@@ -73,6 +73,10 @@ + symtable1 = Z_ARRVAL_P(track_vars_array); + } else if (PG(register_globals)) { + symtable1 = EG(active_symbol_table); ++ /* GLOBALS hijack attempt, reject parameter */ ++ if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)) { ++ return; ++ } + } + if (!symtable1) { + /* Nothing to do */ +@@ -99,6 +103,13 @@ + zval_dtor(val); + return; + } ++ ++ /* GLOBALS hijack attempt, reject parameter */ ++ if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) { ++ zval_dtor(val); ++ return; ++ } ++ + /* ensure that we don't have spaces or dots in the variable name (not binary safe) */ + for 
(p=var; *p; p++) { + switch(*p) { +@@ -182,11 +193,25 @@ + if (!index) { + zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); + } else { ++ zval **tmp; ++ + if (PG(magic_quotes_gpc) && (index!=var)) { + char *escaped_index = php_addslashes(index, index_len, &index_len, 0 TSRMLS_CC); ++ ++ if (PG(http_globals)[TRACK_VARS_COOKIE] && symtable1 == Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_COOKIE]) && ++ zend_hash_find(symtable1, escaped_index, index_len+1, (void **) &tmp) != FAILURE) { ++ efree(escaped_index); ++ break; ++ } ++ + zend_hash_update(symtable1, escaped_index, index_len+1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); + efree(escaped_index); + } else { ++ if (PG(http_globals)[TRACK_VARS_COOKIE] && symtable1 == Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_COOKIE]) && ++ zend_hash_find(symtable1, index, index_len+1, (void **) &tmp) != FAILURE) { ++ break; ++ } ++ + zend_hash_update(symtable1, index, index_len+1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); + } + } diff --git a/dev-php/php-cgi/files/php4.3.11-phpinfo_xss.patch b/dev-php/php-cgi/files/php4.3.11-phpinfo_xss.patch new file mode 100644 index 000000000000..2c7d9991794f --- /dev/null +++ b/dev-php/php-cgi/files/php4.3.11-phpinfo_xss.patch 
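Review bot: In the `main/php_variables.c` hunk at `@@ -73,6 +73,10 @@`, the second test `!strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)` can never match a bracketed name. Both calls compare 8 bytes against the 7-character literal, so each stops at the literal's terminating NUL and only an exact `GLOBALS` passes. If the bracket form is meant to be rejected at this point, the literal has to carry the bracket, `!strncmp("GLOBALS[", var, sizeof("GLOBALS[")-1)`; otherwise the clause can be dropped, since the `strcmp` check added at `@@ -99,6 +103,13 @@` appears to handle the name once it has been split (the splitting code is outside the hunk). The early `return;` also skips the `zval_dtor(val)` that the later rejection path performs, which looks like a leak of the rejected value. The same lines are in `php4.4.0-globals_overwrite.patch` further down the page.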
@@ -0,0 +1,75 @@ +--- ext/standard/info.c 2004-06-09 17:10:19.000000000 +0200 ++++ ext/standard/info.c 2005-11-01 01:22:42.000000000 +0100 +@@ -18,7 +18,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: info.c,v 1.218.2.16 2004/06/09 15:10:19 iliaa Exp $ */ ++/* $Id: info.c,v 1.218.2.18.2.4 2005/08/16 00:26:02 iliaa Exp $ */ + + #include "php.h" + #include "php_ini.h" +@@ -133,10 +133,21 @@ + PUTS(" => "); + } + if (Z_TYPE_PP(tmp) == IS_ARRAY) { ++ zval *tmp3; ++ MAKE_STD_ZVAL(tmp3); + if (!sapi_module.phpinfo_as_text) { + PUTS("<pre>"); + } ++ php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC); + zend_print_zval_r(*tmp, 0); ++ php_ob_get_buffer(tmp3 TSRMLS_CC); ++ php_end_ob_buffer(0, 0 TSRMLS_CC); ++ ++ elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC); ++ PUTS(elem_esc); ++ efree(elem_esc); ++ zval_ptr_dtor(&tmp3); ++ + if (!sapi_module.phpinfo_as_text) { + PUTS("</pre>"); + } +@@ -196,7 +207,7 @@ + PHPAPI char *php_info_html_esc(char *string TSRMLS_DC) + { + int new_len; +- return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC); ++ return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC); + } + /* }}} */ + +@@ -408,7 +419,9 @@ + if (expose_php && !sapi_module.phpinfo_as_text) { + PUTS("<a href=\"http://www.php.net/\"><img border=\"0\" src=\""); + if (SG(request_info).request_uri) { +- PUTS(SG(request_info).request_uri); ++ char *elem_esc = php_info_html_esc(SG(request_info).request_uri TSRMLS_CC); ++ PUTS(elem_esc); ++ efree(elem_esc); + } + if ((ta->tm_mon==3) && (ta->tm_mday==1)) { + PUTS("?="PHP_EGG_LOGO_GUID"\" alt=\"Nadia!\" /></a>"); +@@ -510,7 +529,9 @@ + if (expose_php && !sapi_module.phpinfo_as_text) { + PUTS("<a href=\"http://www.zend.com/\"><img border=\"0\" src=\""); + if (SG(request_info).request_uri) { +- PUTS(SG(request_info).request_uri); ++ char *elem_esc = php_info_html_esc(SG(request_info).request_uri TSRMLS_CC); 
++ PUTS(elem_esc); ++ efree(elem_esc); + } + PUTS("?="ZEND_LOGO_GUID"\" alt=\"Zend logo\" /></a>\n"); + } +@@ -525,7 +546,9 @@ + php_info_print_hr(); + PUTS("<h1><a href=\""); + if (SG(request_info).request_uri) { +- PUTS(SG(request_info).request_uri); ++ char *elem_esc = php_info_html_esc(SG(request_info).request_uri TSRMLS_CC); ++ PUTS(elem_esc); ++ efree(elem_esc); + } + PUTS("?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000\">"); + PUTS("PHP Credits"); diff --git a/dev-php/php-cgi/files/php4.4.0-curl_safemode.patch b/dev-php/php-cgi/files/php4.4.0-curl_safemode.patch new file mode 100644 index 000000000000..32a82e072077 --- /dev/null +++ b/dev-php/php-cgi/files/php4.4.0-curl_safemode.patch 
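Review bot: In the `@@ -133,10 +133,21 @@` hunk of `ext/standard/info.c`, the buffered `zend_print_zval_r` output goes through `php_info_html_esc` unconditionally, although the surrounding `<pre>` tags are emitted only when `!sapi_module.phpinfo_as_text`. In text mode the array dump would therefore carry HTML entities. The escaping should follow the same condition, for example `elem_esc = sapi_module.phpinfo_as_text ? estrdup(Z_STRVAL_P(tmp3)) : php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);`. The declaration of `elem_esc` and the rest of the function are outside the hunk, so its scope there is assumed. `php4.4.0-phpinfo_xss.patch` further down adds the same lines.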
@@ -0,0 +1,46 @@ +--- ext/curl/curl.c 2005-06-02 23:05:06.000000000 +0200 ++++ ext/curl/curl.c 2005-10-17 04:42:51.000000000 +0200 +@@ -16,7 +16,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: curl.c,v 1.124.2.30 2005/06/02 21:05:06 tony2001 Exp $ */ ++/* $Id: curl.c,v 1.124.2.30.2.3 2005/10/17 02:42:51 iliaa Exp $ */ + + #ifdef HAVE_CONFIG_H + #include "config.h" +@@ -66,7 +66,7 @@ + #define CAAZ(s, v) add_assoc_zval_ex(return_value, s, sizeof(s), (zval *) v); + + #define PHP_CURL_CHECK_OPEN_BASEDIR(str, len) \ +- if (PG(open_basedir) && *PG(open_basedir) && \ ++ if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \ + strncasecmp(str, "file://", sizeof("file://") - 1) == 0) \ + { \ + php_url *tmp_url; \ +@@ -76,7 +76,7 @@ + RETURN_FALSE; \ + } \ + \ +- if (php_check_open_basedir(tmp_url->path TSRMLS_CC) || \ ++ if (tmp_url->query || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \ + (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \ + ) { \ + php_url_free(tmp_url); \ +@@ -992,10 +992,15 @@ + + postval = Z_STRVAL_PP(current); + if (*postval == '@') { ++ ++postval; ++ /* safe_mode / open_basedir check */ ++ if (php_check_open_basedir(postval TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(postval, "rb+", CHECKUID_CHECK_MODE_PARAM))) { ++ RETURN_FALSE; ++ } + error = curl_formadd(&first, &last, + CURLFORM_COPYNAME, string_key, + CURLFORM_NAMELENGTH, (long)string_key_len - 1, +- CURLFORM_FILE, ++postval, ++ CURLFORM_FILE, postval, + CURLFORM_END); + } + else { diff --git a/dev-php/php-cgi/files/php4.4.0-globals_overwrite.patch b/dev-php/php-cgi/files/php4.4.0-globals_overwrite.patch new file mode 100644 index 000000000000..3aefaee16295 --- /dev/null +++ b/dev-php/php-cgi/files/php4.4.0-globals_overwrite.patch 
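Review bot: The `RETURN_FALSE` added in the `@@ -992,10 +992,15 @@` hunk of `ext/curl/curl.c` leaves the function while a multipart form may already be partly built: as far as the hunk shows, parts added through `curl_formadd(&first, &last, ...)` for earlier array entries are not released on this path. The enclosing loop and whatever hands `first` over for later freeing lie outside the hunk, so this needs confirming there; if nothing else frees it, the rejection branch should do so before returning, `curl_formfree(first); RETURN_FALSE;`. The 4.3.11 curl patch earlier on the page carries the same hunk.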
@@ -0,0 +1,314 @@ +--- ext/standard/array.c 2005-06-21 14:11:19.000000000 +0200 ++++ ext/standard/array.c 2005-11-01 00:40:11.000000000 +0100 +@@ -22,7 +22,7 @@ + */ + + +-/* $Id: array.c,v 1.199.2.44.2.2 2005/06/21 12:11:19 dmitry Exp $ */ ++/* $Id: array.c,v 1.199.2.44.2.9 2005/10/03 14:05:07 iliaa Exp $ */ + + #include "php.h" + #include "php_ini.h" +@@ -1252,6 +1252,10 @@ + /* break omitted intentionally */ + + case EXTR_OVERWRITE: ++ /* GLOBALS protection */ ++ if (var_exists && !strcmp(var_name, "GLOBALS")) { ++ break; ++ } + smart_str_appendl(&final_name, var_name, var_name_len); + break; + +@@ -1300,11 +1304,11 @@ + zval **orig_var; + + if (zend_hash_find(EG(active_symbol_table), final_name.c, final_name.len+1, (void **) &orig_var) == SUCCESS) { +- zval_ptr_dtor(orig_var); +- + SEPARATE_ZVAL_TO_MAKE_IS_REF(entry); + zval_add_ref(entry); + ++ zval_ptr_dtor(orig_var); ++ + *orig_var = *entry; + } else { + if ((*var_array)->refcount > 1) { +@@ -1831,8 +1835,8 @@ + hashtable and replace it with new one */ + new_hash = php_splice(Z_ARRVAL_P(stack), 0, 0, &args[1], argc-1, NULL); + zend_hash_destroy(Z_ARRVAL_P(stack)); +- efree(Z_ARRVAL_P(stack)); +- Z_ARRVAL_P(stack) = new_hash; ++ *Z_ARRVAL_P(stack) = *new_hash; ++ FREE_HASHTABLE(new_hash); + + /* Clean up and return the number of elements in the stack */ + efree(args); +@@ -1909,8 +1913,8 @@ + + /* Replace input array's hashtable with the new one */ + zend_hash_destroy(Z_ARRVAL_P(array)); +- efree(Z_ARRVAL_P(array)); +- Z_ARRVAL_P(array) = new_hash; ++ *Z_ARRVAL_P(array) = *new_hash; ++ FREE_HASHTABLE(new_hash); + + /* Clean up */ + if (argc == 4) +@@ -2397,8 +2401,8 @@ + + /* Copy the result hash into return value */ + zend_hash_destroy(Z_ARRVAL_P(return_value)); +- efree(Z_ARRVAL_P(return_value)); +- Z_ARRVAL_P(return_value) = new_hash; ++ *Z_ARRVAL_P(return_value) = *new_hash; ++ FREE_HASHTABLE(new_hash); + + /* Clean up */ + efree(pads); +@@ -2622,6 +2626,15 @@ + /* copy the argument array */ + 
*return_value = **args[0]; + zval_copy_ctor(return_value); ++ if (return_value->value.ht == &EG(symbol_table)) { ++ HashTable *ht; ++ zval *tmp; ++ ++ ALLOC_HASHTABLE(ht); ++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0); ++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *)); ++ return_value->value.ht = ht; ++ } + + /* go through the lists and look for common values */ + while (*ptrs[0]) { +@@ -2772,6 +2785,15 @@ + /* copy the argument array */ + *return_value = **args[0]; + zval_copy_ctor(return_value); ++ if (return_value->value.ht == &EG(symbol_table)) { ++ HashTable *ht; ++ zval *tmp; ++ ++ ALLOC_HASHTABLE(ht); ++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0); ++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *)); ++ return_value->value.ht = ht; ++ } + + /* go through the lists and look for values of ptr[0] + that are not in the others */ +@@ -3299,6 +3321,7 @@ + PHP_FUNCTION(array_filter) + { + zval **input, **callback = NULL; ++ zval *array, *func = NULL; + zval **operand; + zval **args[1]; + zval *retval = NULL; +@@ -3317,9 +3340,13 @@ + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The first argument should be an array"); + return; + } ++ if (callback) { ++ func = *callback; ++ } ++ array = *input; + + if (ZEND_NUM_ARGS() > 1) { +- if (!zend_is_callable(*callback, 0, &callback_name)) { ++ if (!zend_is_callable(func, 0, &callback_name)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The second argument, '%s', should be a valid callback", callback_name); + efree(callback_name); + return; +@@ -3328,16 +3355,16 @@ + } + + array_init(return_value); +- if (zend_hash_num_elements(Z_ARRVAL_PP(input)) == 0) ++ if (zend_hash_num_elements(Z_ARRVAL_P(array)) == 0) + return; + +- for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(input), &pos); +- zend_hash_get_current_data_ex(Z_ARRVAL_PP(input), (void **)&operand, &pos) == SUCCESS; +- 
zend_hash_move_forward_ex(Z_ARRVAL_PP(input), &pos)) { ++ for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(array), &pos); ++ zend_hash_get_current_data_ex(Z_ARRVAL_P(array), (void **)&operand, &pos) == SUCCESS; ++ zend_hash_move_forward_ex(Z_ARRVAL_P(array), &pos)) { + +- if (callback) { ++ if (func) { + args[0] = operand; +- if (call_user_function_ex(EG(function_table), NULL, *callback, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) { ++ if (call_user_function_ex(EG(function_table), NULL, func, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) { + if (!zend_is_true(retval)) { + zval_ptr_dtor(&retval); + continue; +@@ -3351,7 +3378,7 @@ + continue; + + zval_add_ref(operand); +- switch (zend_hash_get_current_key_ex(Z_ARRVAL_PP(input), &string_key, &string_key_len, &num_key, 0, &pos)) { ++ switch (zend_hash_get_current_key_ex(Z_ARRVAL_P(array), &string_key, &string_key_len, &num_key, 0, &pos)) { + case HASH_KEY_IS_STRING: + zend_hash_update(Z_ARRVAL_P(return_value), string_key, + string_key_len, operand, sizeof(zval *), NULL); +@@ -3418,6 +3445,7 @@ + efree(array_pos); + return; + } ++ SEPARATE_ZVAL_IF_NOT_REF(pargs[i]); + args[i] = *pargs[i]; + array_len[i] = zend_hash_num_elements(Z_ARRVAL_PP(pargs[i])); + if (array_len[i] > maxlen) { +--- ext/standard/basic_functions.c 2005-05-16 10:55:31.000000000 +0200 ++++ ext/standard/basic_functions.c 2005-11-01 00:40:30.000000000 +0100 +@@ -17,7 +17,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: basic_functions.c,v 1.543.2.51 2005/05/16 08:55:31 tony2001 Exp $ */ ++/* $Id: basic_functions.c,v 1.543.2.51.2.3 2005/09/29 16:31:48 iliaa Exp $ */ + + #include "php.h" + #include "php_streams.h" +@@ -42,18 +42,7 @@ + #include <time.h> + #include <stdio.h> + +-#ifndef NETWARE + #include <netdb.h> +-#else +-/*#include "netware/env.h"*/ /* Temporary */ +-#ifdef NEW_LIBC /* Same headers hold good for Winsock and Berkeley sockets */ +-#include <netinet/in.h> 
+-/*#include <arpa/inet.h>*/ +-#include <netdb.h> +-#else +-#include <sys/socket.h> +-#endif +-#endif + + #if HAVE_ARPA_INET_H + # include <arpa/inet.h> +@@ -813,8 +802,8 @@ + PHP_FE(prev, first_arg_force_ref) + PHP_FE(next, first_arg_force_ref) + PHP_FE(reset, first_arg_force_ref) +- PHP_FE(current, first_arg_force_ref) +- PHP_FE(key, first_arg_force_ref) ++ PHP_FE(current, NULL) ++ PHP_FE(key, NULL) + PHP_FE(min, NULL) + PHP_FE(max, NULL) + PHP_FE(in_array, NULL) +@@ -3038,11 +3027,25 @@ + prefix = va_arg(args, char *); + prefix_len = va_arg(args, uint); + +- new_key_len = prefix_len + hash_key->nKeyLength; +- new_key = (char *) emalloc(new_key_len); ++ if (!prefix_len) { ++ if (!hash_key->nKeyLength) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard."); ++ return 0; ++ } else if (!strcmp(hash_key->arKey, "GLOBALS")) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite."); ++ return 0; ++ } ++ } ++ ++ if (hash_key->nKeyLength) { ++ new_key_len = prefix_len + hash_key->nKeyLength; ++ new_key = (char *) emalloc(new_key_len); + +- memcpy(new_key, prefix, prefix_len); +- memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength); ++ memcpy(new_key, prefix, prefix_len); ++ memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength); ++ } else { ++ new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h); ++ } + + zend_hash_del(&EG(symbol_table), new_key, new_key_len); + ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0); +--- ext/standard/string.c 2005-06-02 10:50:52.000000000 +0200 ++++ ext/standard/string.c 2005-11-01 00:40:20.000000000 +0100 +@@ -18,7 +18,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: string.c,v 1.333.2.52 2005/06/02 08:50:52 derick Exp $ */ ++/* $Id: string.c,v 1.333.2.52.2.1 2005/09/28 22:34:04 iliaa Exp $ */ + + /* Synced with php 3.0 revision 
1.193 1999-06-16 [ssb] */ + +@@ -3179,7 +3179,6 @@ + zval *sarg; + char *res = NULL; + int argCount; +- int old_rg; + + argCount = ARG_COUNT(ht); + if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) { +@@ -3192,19 +3191,18 @@ + res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg)); + } + +- old_rg = PG(register_globals); + if (argCount == 1) { +- PG(register_globals) = 1; +- sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC); ++ zval tmp; ++ Z_ARRVAL(tmp) = EG(active_symbol_table); ++ ++ sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC); + } else { +- PG(register_globals) = 0; + /* Clear out the array that was passed in. */ + zval_dtor(*arrayArg); + array_init(*arrayArg); + + sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC); + } +- PG(register_globals) = old_rg; + } + /* }}} */ + +--- main/php_variables.c 2005-05-17 20:42:35.000000000 +0200 ++++ main/php_variables.c 2005-11-01 00:42:56.000000000 +0100 +@@ -16,7 +16,7 @@ + | Zeev Suraski <zeev@zend.com> | + +----------------------------------------------------------------------+ + */ +-/* $Id: php_variables.c,v 1.45.2.13 2005/05/17 18:42:35 iliaa Exp $ */ ++/* $Id: php_variables.c,v 1.45.2.13.2.4 2005/10/02 11:33:27 rrichards Exp $ */ + + #include <stdio.h> + #include "php.h" +@@ -73,6 +73,10 @@ + symtable1 = Z_ARRVAL_P(track_vars_array); + } else if (PG(register_globals)) { + symtable1 = EG(active_symbol_table); ++ /* GLOBALS hijack attempt, reject parameter */ ++ if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)) { ++ return; ++ } + } + if (!symtable1) { + /* Nothing to do */ +@@ -99,6 +103,13 @@ + zval_dtor(val); + return; + } ++ ++ /* GLOBALS hijack attempt, reject parameter */ ++ if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) { ++ zval_dtor(val); ++ return; ++ } ++ + /* ensure that we don't have spaces or dots in the variable name (not binary safe) */ + for (p=var; *p; 
p++) { + switch(*p) { diff --git a/dev-php/php-cgi/files/php4.4.0-phpinfo_xss.patch b/dev-php/php-cgi/files/php4.4.0-phpinfo_xss.patch new file mode 100644 index 000000000000..2f03ce4e273e --- /dev/null +++ b/dev-php/php-cgi/files/php4.4.0-phpinfo_xss.patch @@ -0,0 +1,42 @@ +--- ext/standard/info.c 2005-06-07 15:37:33.000000000 +0200 ++++ ext/standard/info.c 2005-11-01 01:26:54.000000000 +0100 +@@ -18,7 +18,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: info.c,v 1.218.2.18.2.1 2005/06/07 13:37:33 derick Exp $ */ ++/* $Id: info.c,v 1.218.2.18.2.4 2005/08/16 00:26:02 iliaa Exp $ */ + + #include "php.h" + #include "php_ini.h" +@@ -133,10 +133,21 @@ + PUTS(" => "); + } + if (Z_TYPE_PP(tmp) == IS_ARRAY) { ++ zval *tmp3; ++ MAKE_STD_ZVAL(tmp3); + if (!sapi_module.phpinfo_as_text) { + PUTS("<pre>"); + } ++ php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC); + zend_print_zval_r(*tmp, 0); ++ php_ob_get_buffer(tmp3 TSRMLS_CC); ++ php_end_ob_buffer(0, 0 TSRMLS_CC); ++ ++ elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC); ++ PUTS(elem_esc); ++ efree(elem_esc); ++ zval_ptr_dtor(&tmp3); ++ + if (!sapi_module.phpinfo_as_text) { + PUTS("</pre>"); + } +@@ -196,7 +207,7 @@ + PHPAPI char *php_info_html_esc(char *string TSRMLS_DC) + { + int new_len; +- return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC); ++ return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC); + } + /* }}} */ + diff --git a/dev-php/php-cgi/php-cgi-4.3.11-r3.ebuild b/dev-php/php-cgi/php-cgi-4.3.11-r4.ebuild index da81c96245a2..f2b937064d64 100644 --- a/dev-php/php-cgi/php-cgi-4.3.11-r3.ebuild +++ b/dev-php/php-cgi/php-cgi-4.3.11-r4.ebuild 
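Review bot: In the `@@ -3038,11 +3027,25 @@` hunk of `ext/standard/basic_functions.c` (in `php4.4.0-globals_overwrite.patch`), the two branches that build `new_key` pass different kinds of length to `zend_hash_del` and `ZEND_SET_SYMBOL_WITH_LENGTH`. The string-key branch uses `prefix_len + hash_key->nKeyLength`, which appears to count the terminating NUL (the `array.c` hunk at `@@ -1300,11 +1304,11 @@` passes `final_name.len+1` as the key length), while the numeric branch uses the return value of `spprintf`, which does not. The numeric branch likely needs `new_key_len++;` after the `spprintf` call so that both agree. The start of the function and the code that frees `new_key` are outside the hunk. The same hunk is in `php4.3.11-globals_overwrite.patch` at `@@ -3014,11 +3027,25 @@`.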
@@ -1,6 +1,6 @@ # Copyright 1999-2005 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/dev-php/php-cgi/php-cgi-4.3.11-r3.ebuild,v 1.1 2005/10/29 22:16:13 chtekk Exp $ +# $Header: /var/cvsroot/gentoo-x86/dev-php/php-cgi/php-cgi-4.3.11-r4.ebuild,v 1.1 2005/11/02 22:11:28 chtekk Exp $ PHPSAPI="cgi" inherit php-sapi eutils @@ -37,6 +37,15 @@ src_unpack() { epatch "${FILESDIR}/php4.3.11-gd_safe_mode.patch" fi + # patch fo fix safe_mode bypass in CURL extension, bug #111032 + use curl && epatch "${FILESDIR}/php4.3.11-curl_safemode.patch" + + # patch $GLOBALS overwrite vulnerability, bug #111011 and bug #111014 + epatch "${FILESDIR}/php4.3.11-globals_overwrite.patch" + + # patch phpinfo() XSS vulnerability, bug #111015 + epatch "${FILESDIR}/php4.3.11-phpinfo_xss.patch" + # patch open_basedir directory bypass, bug #102943 epatch "${FILESDIR}/php4.3.11-fopen_wrappers.patch" diff --git a/dev-php/php-cgi/php-cgi-4.4.0-r3.ebuild b/dev-php/php-cgi/php-cgi-4.4.0-r4.ebuild index baf1865e49d7..4664d63c983a 100644 --- a/dev-php/php-cgi/php-cgi-4.4.0-r3.ebuild +++ b/dev-php/php-cgi/php-cgi-4.4.0-r4.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2005 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/dev-php/php-cgi/php-cgi-4.4.0-r3.ebuild,v 1.1 2005/10/29 22:16:13 chtekk Exp $ +# $Header: /var/cvsroot/gentoo-x86/dev-php/php-cgi/php-cgi-4.4.0-r4.ebuild,v 1.1 2005/11/02 22:11:28 chtekk Exp $ PHPSAPI="cgi" inherit php-sapi eutils 
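Review bot: The comment added in `src_unpack()` at -37,6 has a typo, `# patch fo fix safe_mode bypass in CURL extension, bug #111032`; it should read `# patch to fix safe_mode bypass in CURL extension, bug #111032`. The matching hunk in php-cgi-4.4.0-r4.ebuild carries the same typo. `src_unpack()` starts and ends outside the hunk.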
@@ -31,6 +31,15 @@ src_unpack() { epatch "${FILESDIR}/php4.4.0-gd_safe_mode.patch" fi + # patch fo fix safe_mode bypass in CURL extension, bug #111032 + use curl && epatch "${FILESDIR}/php4.4.0-curl_safemode.patch" + + # patch $GLOBALS overwrite vulnerability, bug #111011 and bug #111014 + epatch "${FILESDIR}/php4.4.0-globals_overwrite.patch" + + # patch phpinfo() XSS vulnerability, bug #111015 + epatch "${FILESDIR}/php4.4.0-phpinfo_xss.patch" + # patch open_basedir directory bypass, bug #102943 epatch "${FILESDIR}/php4.4.0-fopen_wrappers.patch" diff --git a/dev-php/php/ChangeLog b/dev-php/php/ChangeLog index 3bf7ef81a868..b4ec9f588b37 100644 --- a/dev-php/php/ChangeLog +++ b/dev-php/php/ChangeLog @@ -1,6 +1,18 @@ # ChangeLog for dev-php/php # Copyright 2002-2005 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/dev-php/php/ChangeLog,v 1.196 2005/10/29 22:16:13 chtekk Exp $ +# $Header: /var/cvsroot/gentoo-x86/dev-php/php/ChangeLog,v 1.197 2005/11/02 22:10:15 chtekk Exp $ + +*php-4.4.0-r3 (02 Nov 2005) +*php-4.3.11-r3 (02 Nov 2005) + + 02 Nov 2005; Luca Longinotti <chtekk@gentoo.org> + +files/php4.3.11-curl_safemode.patch, +files/php4.3.11-phpinfo_xss.patch, + +files/php4.3.11-globals_overwrite.patch, + +files/php4.4.0-curl_safemode.patch, + +files/php4.4.0-globals_overwrite.patch, + +files/php4.4.0-phpinfo_xss.patch, -php-4.3.11-r2.ebuild, + +php-4.3.11-r3.ebuild, -php-4.4.0-r2.ebuild, +php-4.4.0-r3.ebuild: + Security-update: fix bugs #111032, #111015, #111011 and bug #111014. *php-4.4.0-r2 (29 Oct 2005) *php-4.3.11-r2 (29 Oct 2005) diff --git a/dev-php/php/Manifest b/dev-php/php/Manifest index 98cfe0d7f0b9..03ed3f68b37b 100644 --- a/dev-php/php/Manifest +++ b/dev-php/php/Manifest 
@@ -1,29 +1,35 @@ -MD5 0e7ae5c94a581934de8321f4179340c2 ChangeLog 27393 +MD5 ac7ffd887fa7a1e038a43a8b0ec9a50e ChangeLog 27905 MD5 289778209b2df87dbc5052351e604b1a files/digest-php-4.3.11 213 MD5 a7b81d42cc56fdd6c72fbe2549dbe898 files/digest-php-4.3.11-r1 290 -MD5 a7b81d42cc56fdd6c72fbe2549dbe898 files/digest-php-4.3.11-r2 290 +MD5 a7b81d42cc56fdd6c72fbe2549dbe898 files/digest-php-4.3.11-r3 290 MD5 f25bbe20f37a0eb83f7a57ca2c3a25e3 files/digest-php-4.4.0 211 MD5 43c5b30a9e9bde68a44cf414341e32e8 files/digest-php-4.4.0-r1 288 -MD5 43c5b30a9e9bde68a44cf414341e32e8 files/digest-php-4.4.0-r2 288 +MD5 43c5b30a9e9bde68a44cf414341e32e8 files/digest-php-4.4.0-r3 288 MD5 cdec3284251432935f950c2d15a405b7 files/php-4.3.11-flash.patch 694 MD5 b2aa5952d5c805b3e57a5a6bf0f0b8d0 files/php-4.3.11-gmp.patch 925 MD5 7515e9b1dc298a0fb1c12d35a58c265d files/php-4.3.4-amd64hack.diff 1028 +MD5 09637e8f6f861b1f3698ec0390ec6b57 files/php4.3.11-curl_safemode.patch 5129 MD5 cb36a386184ed6a887f62d2205f57173 files/php4.3.11-fopen_wrappers.patch 1481 MD5 4db8e0b66cde22dd4e4d9f51e59f6098 files/php4.3.11-gd_safe_mode.patch 1573 +MD5 480060d9a5de72030e2fce541e2830f8 files/php4.3.11-globals_overwrite.patch 18395 MD5 47a031979331eeb527d0918d2c38cdbe files/php4.3.11-imap-symlink.diff 1238 MD5 a9b932952f12aa01a9f98a7fcbf32ed9 files/php4.3.11-pcre-security.patch 6031 +MD5 43b4113d1fb159955b0d5ed307cac143 files/php4.3.11-phpinfo_xss.patch 2518 MD5 48d9c939434e9b01d0696410d59c503c files/php4.3.11-pspell-ext-segf.patch 8482 MD5 17b906361a7ab8a3008446871623eeae files/php4.3.11-session_save_path-segf.patch 4938 +MD5 0429f8334ba4bab659a2e41ce5debc80 files/php4.4.0-curl_safemode.patch 1937 MD5 cb36a386184ed6a887f62d2205f57173 files/php4.4.0-fopen_wrappers.patch 1481 MD5 a540c54ba22dc16b157edcf1ecb6258f files/php4.4.0-gd_safe_mode.patch 883 +MD5 ac3e0691fbecf920d030a35bc8e02109 files/php4.4.0-globals_overwrite.patch 10115 MD5 4c86d8ed96f2bb38b94e826c1f028c80 files/php4.4.0-imap-symlink.diff 1238 MD5 
54a4ad0766f89185d7de2c6d07b07296 files/php4.4.0-pcre-security.patch 6177 +MD5 57644300fb52ad610fa52ae8ba6b522b files/php4.4.0-phpinfo_xss.patch 1284 MD5 48d9c939434e9b01d0696410d59c503c files/php4.4.0-pspell-ext-segf.patch 8482 MD5 83fb9efb602c178741ea2e40e13b014f files/php4.4.0-session_save_path-segf.patch 4132 MD5 38fe937e954ab7109395cefa86fcd2d4 metadata.xml 384 MD5 5c877d02b146b5885cecc89b9f445c73 php-4.3.11-r1.ebuild 1972 -MD5 993a56d986729657e17be455f21d42e0 php-4.3.11-r2.ebuild 2543 +MD5 f819c0ccba33f6eb08037f5c02e7d5ba php-4.3.11-r3.ebuild 2901 MD5 7b0585a1b1826288946cd49c26d85d61 php-4.3.11.ebuild 1219 MD5 1bbf33997259477ea2ff61296875184e php-4.4.0-r1.ebuild 1831 -MD5 1543fa29d256cba7fc330a62ab00eecb php-4.4.0-r2.ebuild 2401 +MD5 750cdbe958d9343beb3817a9277ff623 php-4.4.0-r3.ebuild 2756 MD5 3457e095190ae0497eff026b2351bb14 php-4.4.0.ebuild 1082 diff --git a/dev-php/php/files/digest-php-4.3.11-r2 b/dev-php/php/files/digest-php-4.3.11-r3 index 252c3a932b24..252c3a932b24 100644 --- a/dev-php/php/files/digest-php-4.3.11-r2 +++ b/dev-php/php/files/digest-php-4.3.11-r3 diff --git a/dev-php/php/files/digest-php-4.4.0-r2 b/dev-php/php/files/digest-php-4.4.0-r3 index 077ffb8eedda..077ffb8eedda 100644 --- a/dev-php/php/files/digest-php-4.4.0-r2 +++ b/dev-php/php/files/digest-php-4.4.0-r3 diff --git a/dev-php/php/files/php4.3.11-curl_safemode.patch b/dev-php/php/files/php4.3.11-curl_safemode.patch new file mode 100644 index 000000000000..f308dea57dde --- /dev/null +++ b/dev-php/php/files/php4.3.11-curl_safemode.patch 
@@ -0,0 +1,141 @@ +--- ext/curl/curl.c 2005-03-14 10:03:09.000000000 +0100 ++++ ext/curl/curl.c 2005-10-17 04:42:51.000000000 +0200 +@@ -16,7 +16,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: curl.c,v 1.124.2.29 2005/03/14 09:03:09 sniper Exp $ */ ++/* $Id: curl.c,v 1.124.2.30.2.3 2005/10/17 02:42:51 iliaa Exp $ */ + + #ifdef HAVE_CONFIG_H + #include "config.h" +@@ -66,7 +66,7 @@ + #define CAAZ(s, v) add_assoc_zval_ex(return_value, s, sizeof(s), (zval *) v); + + #define PHP_CURL_CHECK_OPEN_BASEDIR(str, len) \ +- if (PG(open_basedir) && *PG(open_basedir) && \ ++ if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \ + strncasecmp(str, "file://", sizeof("file://") - 1) == 0) \ + { \ + php_url *tmp_url; \ +@@ -76,7 +76,7 @@ + RETURN_FALSE; \ + } \ + \ +- if (php_check_open_basedir(tmp_url->path TSRMLS_CC) || \ ++ if (tmp_url->query || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \ + (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \ + ) { \ + php_url_free(tmp_url); \ +@@ -436,10 +436,12 @@ + zend_list_addref(ch->id); + ZVAL_STRINGL(argv[1], data, length, 1); + ++ ch->in_callback = 1; + error = call_user_function(EG(function_table), + NULL, + t->func, + retval, 2, argv TSRMLS_CC); ++ ch->in_callback = 0; + if (error == FAILURE) { + php_error(E_WARNING, "%s(): Couldn't call the CURLOPT_WRITEFUNCTION", + get_active_function_name(TSRMLS_C)); +@@ -495,10 +497,12 @@ + zend_list_addref(t->fd); + ZVAL_LONG(argv[2], (int) size * nmemb); + ++ ch->in_callback = 1; + error = call_user_function(EG(function_table), + NULL, + t->func, + retval, 3, argv TSRMLS_CC); ++ ch->in_callback = 0; + if (error == FAILURE) { + php_error(E_WARNING, "%s(): Cannot call the CURLOPT_READFUNCTION", + get_active_function_name(TSRMLS_C)); +@@ -553,10 +557,12 @@ + zend_list_addref(ch->id); + ZVAL_STRINGL(argv[1], data, length, 1); + ++ ch->in_callback = 1; + error = 
call_user_function(EG(function_table), + NULL, + t->func, + retval, 2, argv TSRMLS_CC); ++ ch->in_callback = 0; + if (error == FAILURE) { + php_error(E_WARNING, "%s(): Couldn't call the CURLOPT_HEADERFUNCTION", + get_active_function_name(TSRMLS_C)); +@@ -606,10 +612,12 @@ + ZVAL_STRING(argv[1], prompt, 1); + ZVAL_LONG(argv[2], buflen); + ++ ch->in_callback = 1; + error = call_user_function(EG(function_table), + NULL, + func, + retval, 2, argv TSRMLS_CC); ++ ch->in_callback = 0; + if (error == FAILURE) { + php_error(E_WARNING, "%s(): Couldn't call the CURLOPT_PASSWDFUNCTION", get_active_function_name(TSRMLS_C)); + } else if (Z_TYPE_P(retval) == IS_STRING) { +@@ -680,7 +688,9 @@ + (*ch)->handlers->write_header = ecalloc(1, sizeof(php_curl_write)); + (*ch)->handlers->read = ecalloc(1, sizeof(php_curl_read)); + memset(&(*ch)->err, 0, sizeof((*ch)->err)); +- ++ ++ (*ch)->in_callback = 0; ++ + zend_llist_init(&(*ch)->to_free.str, sizeof(char *), + (void(*)(void *)) curl_free_string, 0); + zend_llist_init(&(*ch)->to_free.slist, sizeof(struct curl_slist), +@@ -982,10 +992,15 @@ + + postval = Z_STRVAL_PP(current); + if (*postval == '@') { ++ ++postval; ++ /* safe_mode / open_basedir check */ ++ if (php_check_open_basedir(postval TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(postval, "rb+", CHECKUID_CHECK_MODE_PARAM))) { ++ RETURN_FALSE; ++ } + error = curl_formadd(&first, &last, + CURLFORM_COPYNAME, string_key, + CURLFORM_NAMELENGTH, (long)string_key_len - 1, +- CURLFORM_FILE, ++postval, ++ CURLFORM_FILE, postval, + CURLFORM_END); + } + else { +@@ -1337,7 +1352,11 @@ + WRONG_PARAM_COUNT; + } + ZEND_FETCH_RESOURCE(ch, php_curl *, zid, -1, le_curl_name, le_curl); +- ++ ++ if (ch->in_callback) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempt to close CURL handle from a callback"); ++ return; ++ } + zend_list_delete(Z_LVAL_PP(zid)); + } + /* }}} */ +--- ext/curl/php_curl.h 2002-12-31 17:34:15.000000000 +0100 ++++ ext/curl/php_curl.h 2005-06-02 23:05:06.000000000 +0200 
+@@ -17,7 +17,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: php_curl.h,v 1.29.2.1 2002/12/31 16:34:15 sebastian Exp $ */ ++/* $Id: php_curl.h,v 1.29.2.2 2005/06/02 21:05:06 tony2001 Exp $ */ + + #ifndef _PHP_CURL_H + #define _PHP_CURL_H +@@ -93,6 +93,7 @@ + struct _php_curl_free to_free; + long id; + unsigned int uses; ++ zend_bool in_callback; + } php_curl; + + /* streams support */ diff --git a/dev-php/php/files/php4.3.11-globals_overwrite.patch b/dev-php/php/files/php4.3.11-globals_overwrite.patch new file mode 100644 index 000000000000..d3eb55c5ee3e --- /dev/null +++ b/dev-php/php/files/php4.3.11-globals_overwrite.patch 
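Review bot: In the curl.c hunk at -982,10 (the `*postval == '@'` branch) the new safe_mode / open_basedir check leaves through `RETURN_FALSE` without releasing the form that `curl_formadd(&first, &last, ...)` builds. If this branch runs once per posted field, as `current` and `string_key` suggest, the parts added for earlier fields are leaked on rejection; `curl_formfree(first);` before `RETURN_FALSE;` would release them. The same lines are in php4.4.0-curl_safemode.patch, and the enclosing function starts and ends outside the hunk.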
@@ -0,0 +1,559 @@ +--- ext/standard/array.c 2004-12-23 17:40:03.000000000 +0100 ++++ ext/standard/array.c 2005-10-31 23:26:23.000000000 +0100 +@@ -22,7 +22,7 @@ + */ + + +-/* $Id: array.c,v 1.199.2.42 2004/12/23 16:40:03 tony2001 Exp $ */ ++/* $Id: array.c,v 1.199.2.44.2.9 2005/10/03 14:05:07 iliaa Exp $ */ + + #include "php.h" + #include "php_ini.h" +@@ -631,7 +640,7 @@ + s = *((Bucket **) b); + + if (f->nKeyLength) { +- Z_STRVAL(key1) = estrndup(f->arKey, f->nKeyLength); ++ Z_STRVAL(key1) = estrndup(f->arKey, f->nKeyLength-1); + Z_STRLEN(key1) = f->nKeyLength-1; + Z_TYPE(key1) = IS_STRING; + } else { +@@ -639,7 +648,7 @@ + Z_TYPE(key1) = IS_LONG; + } + if (s->nKeyLength) { +- Z_STRVAL(key2) = estrndup(s->arKey, s->nKeyLength); ++ Z_STRVAL(key2) = estrndup(s->arKey, s->nKeyLength-1); + Z_STRLEN(key2) = s->nKeyLength-1; + Z_TYPE(key2) = IS_STRING; + } else { +@@ -1243,6 +1252,10 @@ + /* break omitted intentionally */ + + case EXTR_OVERWRITE: ++ /* GLOBALS protection */ ++ if (var_exists && !strcmp(var_name, "GLOBALS")) { ++ break; ++ } + smart_str_appendl(&final_name, var_name, var_name_len); + break; + +@@ -1291,14 +1304,18 @@ + zval **orig_var; + + if (zend_hash_find(EG(active_symbol_table), final_name.c, final_name.len+1, (void **) &orig_var) == SUCCESS) { +- zval_ptr_dtor(orig_var); +- + SEPARATE_ZVAL_TO_MAKE_IS_REF(entry); + zval_add_ref(entry); + ++ zval_ptr_dtor(orig_var); ++ + *orig_var = *entry; + } else { +- (*entry)->is_ref = 1; ++ if ((*var_array)->refcount > 1) { ++ SEPARATE_ZVAL_TO_MAKE_IS_REF(entry); ++ } else { ++ (*entry)->is_ref = 1; ++ } + zval_add_ref(entry); + zend_hash_update(EG(active_symbol_table), final_name.c, final_name.len+1, (void **) entry, sizeof(zval *), NULL); + } +@@ -1818,8 +1835,8 @@ + hashtable and replace it with new one */ + new_hash = php_splice(Z_ARRVAL_P(stack), 0, 0, &args[1], argc-1, NULL); + zend_hash_destroy(Z_ARRVAL_P(stack)); +- efree(Z_ARRVAL_P(stack)); +- Z_ARRVAL_P(stack) = new_hash; ++ *Z_ARRVAL_P(stack) = 
*new_hash; ++ FREE_HASHTABLE(new_hash); + + /* Clean up and return the number of elements in the stack */ + efree(args); +@@ -1896,8 +1913,8 @@ + + /* Replace input array's hashtable with the new one */ + zend_hash_destroy(Z_ARRVAL_P(array)); +- efree(Z_ARRVAL_P(array)); +- Z_ARRVAL_P(array) = new_hash; ++ *Z_ARRVAL_P(array) = *new_hash; ++ FREE_HASHTABLE(new_hash); + + /* Clean up */ + if (argc == 4) +@@ -2384,8 +2401,8 @@ + + /* Copy the result hash into return value */ + zend_hash_destroy(Z_ARRVAL_P(return_value)); +- efree(Z_ARRVAL_P(return_value)); +- Z_ARRVAL_P(return_value) = new_hash; ++ *Z_ARRVAL_P(return_value) = *new_hash; ++ FREE_HASHTABLE(new_hash); + + /* Clean up */ + efree(pads); +@@ -2483,7 +2500,7 @@ + zend_hash_index_update(Z_ARRVAL_P(return_value), num_key, entry, sizeof(entry), NULL); + break; + case HASH_KEY_IS_STRING: +- new_key=estrndup(string_key,str_key_len); ++ new_key=estrndup(string_key,str_key_len - 1); + if (change_to_upper) + php_strtoupper(new_key, str_key_len - 1); + else +@@ -2609,6 +2626,15 @@ + /* copy the argument array */ + *return_value = **args[0]; + zval_copy_ctor(return_value); ++ if (return_value->value.ht == &EG(symbol_table)) { ++ HashTable *ht; ++ zval *tmp; ++ ++ ALLOC_HASHTABLE(ht); ++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0); ++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *)); ++ return_value->value.ht = ht; ++ } + + /* go through the lists and look for common values */ + while (*ptrs[0]) { +@@ -2759,6 +2785,15 @@ + /* copy the argument array */ + *return_value = **args[0]; + zval_copy_ctor(return_value); ++ if (return_value->value.ht == &EG(symbol_table)) { ++ HashTable *ht; ++ zval *tmp; ++ ++ ALLOC_HASHTABLE(ht); ++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0); ++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *)); ++ return_value->value.ht = ht; ++ } + + /* go through the lists and look for 
values of ptr[0] + that are not in the others */ +@@ -3229,8 +3264,11 @@ + efree(callback_name); + + if (ZEND_NUM_ARGS() > 2) { +- convert_to_long_ex(initial); +- result = *initial; ++ ALLOC_ZVAL(result); ++ *result = **initial; ++ zval_copy_ctor(result); ++ convert_to_long(result); ++ INIT_PZVAL(result); + } else { + MAKE_STD_ZVAL(result); + ZVAL_NULL(result); +@@ -3246,6 +3284,7 @@ + if (result) { + *return_value = *result; + zval_copy_ctor(return_value); ++ zval_ptr_dtor(&result); + } + return; + } +@@ -3282,6 +3321,7 @@ + PHP_FUNCTION(array_filter) + { + zval **input, **callback = NULL; ++ zval *array, *func = NULL; + zval **operand; + zval **args[1]; + zval *retval = NULL; +@@ -3300,9 +3340,13 @@ + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The first argument should be an array"); + return; + } ++ if (callback) { ++ func = *callback; ++ } ++ array = *input; + + if (ZEND_NUM_ARGS() > 1) { +- if (!zend_is_callable(*callback, 0, &callback_name)) { ++ if (!zend_is_callable(func, 0, &callback_name)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The second argument, '%s', should be a valid callback", callback_name); + efree(callback_name); + return; +@@ -3311,16 +3355,16 @@ + } + + array_init(return_value); +- if (zend_hash_num_elements(Z_ARRVAL_PP(input)) == 0) ++ if (zend_hash_num_elements(Z_ARRVAL_P(array)) == 0) + return; + +- for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(input), &pos); +- zend_hash_get_current_data_ex(Z_ARRVAL_PP(input), (void **)&operand, &pos) == SUCCESS; +- zend_hash_move_forward_ex(Z_ARRVAL_PP(input), &pos)) { ++ for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(array), &pos); ++ zend_hash_get_current_data_ex(Z_ARRVAL_P(array), (void **)&operand, &pos) == SUCCESS; ++ zend_hash_move_forward_ex(Z_ARRVAL_P(array), &pos)) { + +- if (callback) { ++ if (func) { + args[0] = operand; +- if (call_user_function_ex(EG(function_table), NULL, *callback, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) { ++ if 
(call_user_function_ex(EG(function_table), NULL, func, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) { + if (!zend_is_true(retval)) { + zval_ptr_dtor(&retval); + continue; +@@ -3334,7 +3378,7 @@ + continue; + + zval_add_ref(operand); +- switch (zend_hash_get_current_key_ex(Z_ARRVAL_PP(input), &string_key, &string_key_len, &num_key, 0, &pos)) { ++ switch (zend_hash_get_current_key_ex(Z_ARRVAL_P(array), &string_key, &string_key_len, &num_key, 0, &pos)) { + case HASH_KEY_IS_STRING: + zend_hash_update(Z_ARRVAL_P(return_value), string_key, + string_key_len, operand, sizeof(zval *), NULL); +@@ -3401,6 +3445,7 @@ + efree(array_pos); + return; + } ++ SEPARATE_ZVAL_IF_NOT_REF(pargs[i]); + args[i] = *pargs[i]; + array_len[i] = zend_hash_num_elements(Z_ARRVAL_PP(pargs[i])); + if (array_len[i] > maxlen) { +--- ext/standard/basic_functions.c 2005-01-18 12:01:20.000000000 +0100 ++++ ext/standard/basic_functions.c 2005-10-31 23:29:26.000000000 +0100 +@@ -17,7 +17,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: basic_functions.c,v 1.543.2.47 2005/01/18 11:01:20 sniper Exp $ */ ++/* $Id: basic_functions.c,v 1.543.2.51.2.3 2005/09/29 16:31:48 iliaa Exp $ */ + + #include "php.h" + #include "php_streams.h" +@@ -42,18 +42,7 @@ + #include <time.h> + #include <stdio.h> + +-#ifndef NETWARE + #include <netdb.h> +-#else +-/*#include "netware/env.h"*/ /* Temporary */ +-#ifdef NEW_LIBC /* Same headers hold good for Winsock and Berkeley sockets */ +-#include <netinet/in.h> +-/*#include <arpa/inet.h>*/ +-#include <netdb.h> +-#else +-#include <sys/socket.h> +-#endif +-#endif + + #if HAVE_ARPA_INET_H + # include <arpa/inet.h> +@@ -813,8 +802,8 @@ + PHP_FE(prev, first_arg_force_ref) + PHP_FE(next, first_arg_force_ref) + PHP_FE(reset, first_arg_force_ref) +- PHP_FE(current, first_arg_force_ref) +- PHP_FE(key, first_arg_force_ref) ++ PHP_FE(current, NULL) ++ PHP_FE(key, NULL) + PHP_FE(min, NULL) + PHP_FE(max, NULL) + PHP_FE(in_array, 
NULL) +@@ -944,6 +933,13 @@ + static void php_putenv_destructor(putenv_entry *pe) + { + if (pe->previous_value) { ++#if _MSC_VER ++ /* VS.Net has a bug in putenv() when setting a variable that ++ * is already set; if the SetEnvironmentVariable() API call ++ * fails, the Crt will double free() a string. ++ * We try to avoid this by setting our own value first */ ++ SetEnvironmentVariable(pe->key, "bugbug"); ++#endif + putenv(pe->previous_value); + } else { + # if HAVE_UNSETENV +@@ -1232,11 +1228,10 @@ + } + STR_FREE(BG(locale_string)); + +- if (FG(stream_wrappers)) { +- zend_hash_destroy(FG(stream_wrappers)); +- efree(FG(stream_wrappers)); +- FG(stream_wrappers) = NULL; +- } ++ /* ++ FG(stream_wrappers) are destroyed ++ during php_request_shutdown() ++ */ + + PHP_RSHUTDOWN(fsock) (SHUTDOWN_FUNC_ARGS_PASSTHRU); + PHP_RSHUTDOWN(filestat) (SHUTDOWN_FUNC_ARGS_PASSTHRU); +@@ -1430,6 +1425,14 @@ + } + } + ++#if _MSC_VER ++ /* VS.Net has a bug in putenv() when setting a variable that ++ * is already set; if the SetEnvironmentVariable() API call ++ * fails, the Crt will double free() a string. 
++ * We try to avoid this by setting our own value first */ ++ SetEnvironmentVariable(pe.key, "bugbug"); ++#endif ++ + if (putenv(pe.putenv_string) == 0) { /* success */ + zend_hash_add(&BG(putenv_ht), pe.key, pe.key_len+1, (void **) &pe, sizeof(putenv_entry), NULL); + #ifdef HAVE_TZSET +@@ -2089,17 +2092,21 @@ + static int user_shutdown_function_call(php_shutdown_function_entry *shutdown_function_entry TSRMLS_DC) + { + zval retval; ++ char *function_name = NULL; + +- if (call_user_function( EG(function_table), NULL, +- shutdown_function_entry->arguments[0], +- &retval, +- shutdown_function_entry->arg_count - 1, +- shutdown_function_entry->arguments + 1 +- TSRMLS_CC ) == SUCCESS ) { ++ if (!zend_is_callable(shutdown_function_entry->arguments[0], 0, &function_name)) { ++ php_error(E_WARNING, "(Registered shutdown functions) Unable to call %s() - function does not exist", function_name); ++ } else if (call_user_function(EG(function_table), NULL, ++ shutdown_function_entry->arguments[0], ++ &retval, ++ shutdown_function_entry->arg_count - 1, ++ shutdown_function_entry->arguments + 1 ++ TSRMLS_CC ) == SUCCESS) ++ { + zval_dtor(&retval); +- +- } else { +- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to call %s() - function does not exist", Z_STRVAL_P(shutdown_function_entry->arguments[0])); ++ } ++ if (function_name) { ++ efree(function_name); + } + return 0; + } +@@ -2192,6 +2199,7 @@ + PHP_FUNCTION(register_shutdown_function) + { + php_shutdown_function_entry shutdown_function_entry; ++ char *function_name = NULL; + int i; + + shutdown_function_entry.arg_count = ZEND_NUM_ARGS(); +@@ -2200,26 +2208,31 @@ + WRONG_PARAM_COUNT; + } + +- shutdown_function_entry.arguments = (pval **) safe_emalloc(sizeof(pval *), shutdown_function_entry.arg_count, 0); ++ shutdown_function_entry.arguments = (zval **) safe_emalloc(sizeof(zval *), shutdown_function_entry.arg_count, 0); + + if (zend_get_parameters_array(ht, shutdown_function_entry.arg_count, 
shutdown_function_entry.arguments) == FAILURE) { + RETURN_FALSE; + } + +- /* Prevent entering of anything but arrays/strings */ +- if (Z_TYPE_P(shutdown_function_entry.arguments[0]) != IS_ARRAY) { +- convert_to_string(shutdown_function_entry.arguments[0]); +- } +- +- if (!BG(user_shutdown_function_names)) { +- ALLOC_HASHTABLE(BG(user_shutdown_function_names)); +- zend_hash_init(BG(user_shutdown_function_names), 0, NULL, (void (*)(void *)) user_shutdown_function_dtor, 0); +- } ++ /* Prevent entering of anything but valid callback (syntax check only!) */ ++ if (!zend_is_callable(shutdown_function_entry.arguments[0], 1, &function_name)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid shutdown callback '%s' passed", function_name); ++ efree(shutdown_function_entry.arguments); ++ RETVAL_FALSE; ++ } else { ++ if (!BG(user_shutdown_function_names)) { ++ ALLOC_HASHTABLE(BG(user_shutdown_function_names)); ++ zend_hash_init(BG(user_shutdown_function_names), 0, NULL, (void (*)(void *)) user_shutdown_function_dtor, 0); ++ } + +- for (i = 0; i < shutdown_function_entry.arg_count; i++) { +- shutdown_function_entry.arguments[i]->refcount++; ++ for (i = 0; i < shutdown_function_entry.arg_count; i++) { ++ shutdown_function_entry.arguments[i]->refcount++; ++ } ++ zend_hash_next_index_insert(BG(user_shutdown_function_names), &shutdown_function_entry, sizeof(php_shutdown_function_entry), NULL); ++ } ++ if (function_name) { ++ efree(function_name); + } +- zend_hash_next_index_insert(BG(user_shutdown_function_names), &shutdown_function_entry, sizeof(php_shutdown_function_entry), NULL); + } + /* }}} */ + +@@ -3014,11 +3027,25 @@ + prefix = va_arg(args, char *); + prefix_len = va_arg(args, uint); + +- new_key_len = prefix_len + hash_key->nKeyLength; +- new_key = (char *) emalloc(new_key_len); ++ if (!prefix_len) { ++ if (!hash_key->nKeyLength) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard."); ++ return 0; ++ } else if 
(!strcmp(hash_key->arKey, "GLOBALS")) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite."); ++ return 0; ++ } ++ } ++ ++ if (hash_key->nKeyLength) { ++ new_key_len = prefix_len + hash_key->nKeyLength; ++ new_key = (char *) emalloc(new_key_len); + +- memcpy(new_key, prefix, prefix_len); +- memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength); ++ memcpy(new_key, prefix, prefix_len); ++ memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength); ++ } else { ++ new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h); ++ } + + zend_hash_del(&EG(symbol_table), new_key, new_key_len); + ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0); +--- ext/standard/string.c 2005-01-20 18:57:41.000000000 +0100 ++++ ext/standard/string.c 2005-10-31 23:34:37.000000000 +0100 +@@ -18,7 +18,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: string.c,v 1.333.2.48 2005/01/20 17:57:41 iliaa Exp $ */ ++/* $Id: string.c,v 1.333.2.52.2.1 2005/09/28 22:34:04 iliaa Exp $ */ + + /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */ + +@@ -1317,8 +1317,6 @@ + if (!Z_STRLEN_PP(needle)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Empty delimiter."); + efree(haystack_orig); +- zval_ptr_dtor(haystack); +- zval_ptr_dtor(needle); + RETURN_FALSE; + } + +@@ -1339,8 +1337,6 @@ + RETVAL_FALSE; + } + +- zval_ptr_dtor(haystack); +- zval_ptr_dtor(needle); + efree(haystack_orig); + } + /* }}} */ +@@ -1576,7 +1572,13 @@ + } + + if (chunklen > Z_STRLEN_PP(p_str)) { +- RETURN_STRINGL(Z_STRVAL_PP(p_str), Z_STRLEN_PP(p_str), 1); ++ /* to maintain BC, we must return original string + ending */ ++ result_len = endlen + Z_STRLEN_PP(p_str); ++ result = emalloc(result_len + 1); ++ memcpy(result, Z_STRVAL_PP(p_str), Z_STRLEN_PP(p_str)); ++ memcpy(result + Z_STRLEN_PP(p_str), end, endlen); ++ result[result_len] = '\0'; ++ RETURN_STRINGL(result, result_len, 
0); + } + + if (!Z_STRLEN_PP(p_str)) { +@@ -3169,7 +3179,6 @@ + zval *sarg; + char *res = NULL; + int argCount; +- int old_rg; + + argCount = ARG_COUNT(ht); + if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) { +@@ -3182,19 +3191,18 @@ + res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg)); + } + +- old_rg = PG(register_globals); + if (argCount == 1) { +- PG(register_globals) = 1; +- sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC); ++ zval tmp; ++ Z_ARRVAL(tmp) = EG(active_symbol_table); ++ ++ sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC); + } else { +- PG(register_globals) = 0; + /* Clear out the array that was passed in. */ + zval_dtor(*arrayArg); + array_init(*arrayArg); + + sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC); + } +- PG(register_globals) = old_rg; + } + /* }}} */ + +--- main/php_variables.c 2004-10-18 17:08:46.000000000 +0200 ++++ main/php_variables.c 2005-10-31 23:39:38.000000000 +0100 +@@ -16,7 +16,7 @@ + | Zeev Suraski <zeev@zend.com> | + +----------------------------------------------------------------------+ + */ +-/* $Id: php_variables.c,v 1.45.2.8 2004/10/18 15:08:46 tony2001 Exp $ */ ++/* $Id: php_variables.c,v 1.45.2.13.2.4 2005/10/02 11:33:27 rrichards Exp $ */ + + #include <stdio.h> + #include "php.h" +@@ -73,6 +73,10 @@ + symtable1 = Z_ARRVAL_P(track_vars_array); + } else if (PG(register_globals)) { + symtable1 = EG(active_symbol_table); ++ /* GLOBALS hijack attempt, reject parameter */ ++ if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)) { ++ return; ++ } + } + if (!symtable1) { + /* Nothing to do */ +@@ -99,6 +103,13 @@ + zval_dtor(val); + return; + } ++ ++ /* GLOBALS hijack attempt, reject parameter */ ++ if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) { ++ zval_dtor(val); ++ return; ++ } ++ + /* ensure that we don't have spaces or dots in the variable name (not binary safe) */ + for 
(p=var; *p; p++) { + switch(*p) { +@@ -182,11 +193,25 @@ + if (!index) { + zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); + } else { ++ zval **tmp; ++ + if (PG(magic_quotes_gpc) && (index!=var)) { + char *escaped_index = php_addslashes(index, index_len, &index_len, 0 TSRMLS_CC); ++ ++ if (PG(http_globals)[TRACK_VARS_COOKIE] && symtable1 == Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_COOKIE]) && ++ zend_hash_find(symtable1, escaped_index, index_len+1, (void **) &tmp) != FAILURE) { ++ efree(escaped_index); ++ break; ++ } ++ + zend_hash_update(symtable1, escaped_index, index_len+1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); + efree(escaped_index); + } else { ++ if (PG(http_globals)[TRACK_VARS_COOKIE] && symtable1 == Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_COOKIE]) && ++ zend_hash_find(symtable1, index, index_len+1, (void **) &tmp) != FAILURE) { ++ break; ++ } ++ + zend_hash_update(symtable1, index, index_len+1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); + } + } diff --git a/dev-php/php/files/php4.3.11-phpinfo_xss.patch b/dev-php/php/files/php4.3.11-phpinfo_xss.patch new file mode 100644 index 000000000000..2c7d9991794f --- /dev/null +++ b/dev-php/php/files/php4.3.11-phpinfo_xss.patch 
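Review bot: In the php_variables.c hunk at -73,6 the two `strncmp` calls are the same test: `sizeof("GLOBALS")` and `sizeof("GLOBALS[")-1` are both 8 and both compare against the literal `"GLOBALS"`, so only an exact `GLOBALS` name is rejected there and the bracketed form depends on the later `strcmp` check at -99,6. If the second call was meant to catch that form it should read `!strncmp("GLOBALS[", var, sizeof("GLOBALS[")-1)`. This early `return` also skips the `zval_dtor(val)` that the check added at -99,6 performs, so `val` is probably leaked on this path; `zval_dtor(val); return;` would match. The php-cgi copy of php4.4.0-globals_overwrite.patch carries the same lines, and the function body continues outside both hunks.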
@@ -0,0 +1,75 @@ +--- ext/standard/info.c 2004-06-09 17:10:19.000000000 +0200 ++++ ext/standard/info.c 2005-11-01 01:22:42.000000000 +0100 +@@ -18,7 +18,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: info.c,v 1.218.2.16 2004/06/09 15:10:19 iliaa Exp $ */ ++/* $Id: info.c,v 1.218.2.18.2.4 2005/08/16 00:26:02 iliaa Exp $ */ + + #include "php.h" + #include "php_ini.h" +@@ -133,10 +133,21 @@ + PUTS(" => "); + } + if (Z_TYPE_PP(tmp) == IS_ARRAY) { ++ zval *tmp3; ++ MAKE_STD_ZVAL(tmp3); + if (!sapi_module.phpinfo_as_text) { + PUTS("<pre>"); + } ++ php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC); + zend_print_zval_r(*tmp, 0); ++ php_ob_get_buffer(tmp3 TSRMLS_CC); ++ php_end_ob_buffer(0, 0 TSRMLS_CC); ++ ++ elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC); ++ PUTS(elem_esc); ++ efree(elem_esc); ++ zval_ptr_dtor(&tmp3); ++ + if (!sapi_module.phpinfo_as_text) { + PUTS("</pre>"); + } +@@ -196,7 +207,7 @@ + PHPAPI char *php_info_html_esc(char *string TSRMLS_DC) + { + int new_len; +- return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC); ++ return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC); + } + /* }}} */ + +@@ -408,7 +419,9 @@ + if (expose_php && !sapi_module.phpinfo_as_text) { + PUTS("<a href=\"http://www.php.net/\"><img border=\"0\" src=\""); + if (SG(request_info).request_uri) { +- PUTS(SG(request_info).request_uri); ++ char *elem_esc = php_info_html_esc(SG(request_info).request_uri TSRMLS_CC); ++ PUTS(elem_esc); ++ efree(elem_esc); + } + if ((ta->tm_mon==3) && (ta->tm_mday==1)) { + PUTS("?="PHP_EGG_LOGO_GUID"\" alt=\"Nadia!\" /></a>"); +@@ -510,7 +529,9 @@ + if (expose_php && !sapi_module.phpinfo_as_text) { + PUTS("<a href=\"http://www.zend.com/\"><img border=\"0\" src=\""); + if (SG(request_info).request_uri) { +- PUTS(SG(request_info).request_uri); ++ char *elem_esc = php_info_html_esc(SG(request_info).request_uri TSRMLS_CC); 
++ PUTS(elem_esc); ++ efree(elem_esc); + } + PUTS("?="ZEND_LOGO_GUID"\" alt=\"Zend logo\" /></a>\n"); + } +@@ -525,7 +546,9 @@ + php_info_print_hr(); + PUTS("<h1><a href=\""); + if (SG(request_info).request_uri) { +- PUTS(SG(request_info).request_uri); ++ char *elem_esc = php_info_html_esc(SG(request_info).request_uri TSRMLS_CC); ++ PUTS(elem_esc); ++ efree(elem_esc); + } + PUTS("?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000\">"); + PUTS("PHP Credits"); diff --git a/dev-php/php/files/php4.4.0-curl_safemode.patch b/dev-php/php/files/php4.4.0-curl_safemode.patch new file mode 100644 index 000000000000..32a82e072077 --- /dev/null +++ b/dev-php/php/files/php4.4.0-curl_safemode.patch 
@@ -0,0 +1,46 @@ +--- ext/curl/curl.c 2005-06-02 23:05:06.000000000 +0200 ++++ ext/curl/curl.c 2005-10-17 04:42:51.000000000 +0200 +@@ -16,7 +16,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: curl.c,v 1.124.2.30 2005/06/02 21:05:06 tony2001 Exp $ */ ++/* $Id: curl.c,v 1.124.2.30.2.3 2005/10/17 02:42:51 iliaa Exp $ */ + + #ifdef HAVE_CONFIG_H + #include "config.h" +@@ -66,7 +66,7 @@ + #define CAAZ(s, v) add_assoc_zval_ex(return_value, s, sizeof(s), (zval *) v); + + #define PHP_CURL_CHECK_OPEN_BASEDIR(str, len) \ +- if (PG(open_basedir) && *PG(open_basedir) && \ ++ if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \ + strncasecmp(str, "file://", sizeof("file://") - 1) == 0) \ + { \ + php_url *tmp_url; \ +@@ -76,7 +76,7 @@ + RETURN_FALSE; \ + } \ + \ +- if (php_check_open_basedir(tmp_url->path TSRMLS_CC) || \ ++ if (tmp_url->query || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \ + (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \ + ) { \ + php_url_free(tmp_url); \ +@@ -992,10 +992,15 @@ + + postval = Z_STRVAL_PP(current); + if (*postval == '@') { ++ ++postval; ++ /* safe_mode / open_basedir check */ ++ if (php_check_open_basedir(postval TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(postval, "rb+", CHECKUID_CHECK_MODE_PARAM))) { ++ RETURN_FALSE; ++ } + error = curl_formadd(&first, &last, + CURLFORM_COPYNAME, string_key, + CURLFORM_NAMELENGTH, (long)string_key_len - 1, +- CURLFORM_FILE, ++postval, ++ CURLFORM_FILE, postval, + CURLFORM_END); + } + else { diff --git a/dev-php/php/files/php4.4.0-globals_overwrite.patch b/dev-php/php/files/php4.4.0-globals_overwrite.patch new file mode 100644 index 000000000000..3aefaee16295 --- /dev/null +++ b/dev-php/php/files/php4.4.0-globals_overwrite.patch 
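Review bot: The new `RETURN_FALSE;` in the `*postval == '@'` branch leaves the function without releasing the form parts already handed to `curl_formadd(&first, &last, ...)`. The enclosing loop and the declarations of `first` and `last` are outside the hunk, so this is inferred, but any fields added before a rejected one would stay allocated. Freeing the list first closes that: `curl_formfree(first);` immediately before `RETURN_FALSE;`. A one-line comment on the added `tmp_url->query ||` test in `PHP_CURL_CHECK_OPEN_BASEDIR`, saying why `file://` URLs with a query part are refused, would also help the next maintainer.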
@@ -0,0 +1,314 @@ +--- ext/standard/array.c 2005-06-21 14:11:19.000000000 +0200 ++++ ext/standard/array.c 2005-11-01 00:40:11.000000000 +0100 +@@ -22,7 +22,7 @@ + */ + + +-/* $Id: array.c,v 1.199.2.44.2.2 2005/06/21 12:11:19 dmitry Exp $ */ ++/* $Id: array.c,v 1.199.2.44.2.9 2005/10/03 14:05:07 iliaa Exp $ */ + + #include "php.h" + #include "php_ini.h" +@@ -1252,6 +1252,10 @@ + /* break omitted intentionally */ + + case EXTR_OVERWRITE: ++ /* GLOBALS protection */ ++ if (var_exists && !strcmp(var_name, "GLOBALS")) { ++ break; ++ } + smart_str_appendl(&final_name, var_name, var_name_len); + break; + +@@ -1300,11 +1304,11 @@ + zval **orig_var; + + if (zend_hash_find(EG(active_symbol_table), final_name.c, final_name.len+1, (void **) &orig_var) == SUCCESS) { +- zval_ptr_dtor(orig_var); +- + SEPARATE_ZVAL_TO_MAKE_IS_REF(entry); + zval_add_ref(entry); + ++ zval_ptr_dtor(orig_var); ++ + *orig_var = *entry; + } else { + if ((*var_array)->refcount > 1) { +@@ -1831,8 +1835,8 @@ + hashtable and replace it with new one */ + new_hash = php_splice(Z_ARRVAL_P(stack), 0, 0, &args[1], argc-1, NULL); + zend_hash_destroy(Z_ARRVAL_P(stack)); +- efree(Z_ARRVAL_P(stack)); +- Z_ARRVAL_P(stack) = new_hash; ++ *Z_ARRVAL_P(stack) = *new_hash; ++ FREE_HASHTABLE(new_hash); + + /* Clean up and return the number of elements in the stack */ + efree(args); +@@ -1909,8 +1913,8 @@ + + /* Replace input array's hashtable with the new one */ + zend_hash_destroy(Z_ARRVAL_P(array)); +- efree(Z_ARRVAL_P(array)); +- Z_ARRVAL_P(array) = new_hash; ++ *Z_ARRVAL_P(array) = *new_hash; ++ FREE_HASHTABLE(new_hash); + + /* Clean up */ + if (argc == 4) +@@ -2397,8 +2401,8 @@ + + /* Copy the result hash into return value */ + zend_hash_destroy(Z_ARRVAL_P(return_value)); +- efree(Z_ARRVAL_P(return_value)); +- Z_ARRVAL_P(return_value) = new_hash; ++ *Z_ARRVAL_P(return_value) = *new_hash; ++ FREE_HASHTABLE(new_hash); + + /* Clean up */ + efree(pads); +@@ -2622,6 +2626,15 @@ + /* copy the argument array */ + 
*return_value = **args[0]; + zval_copy_ctor(return_value); ++ if (return_value->value.ht == &EG(symbol_table)) { ++ HashTable *ht; ++ zval *tmp; ++ ++ ALLOC_HASHTABLE(ht); ++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0); ++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *)); ++ return_value->value.ht = ht; ++ } + + /* go through the lists and look for common values */ + while (*ptrs[0]) { +@@ -2772,6 +2785,15 @@ + /* copy the argument array */ + *return_value = **args[0]; + zval_copy_ctor(return_value); ++ if (return_value->value.ht == &EG(symbol_table)) { ++ HashTable *ht; ++ zval *tmp; ++ ++ ALLOC_HASHTABLE(ht); ++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0); ++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *)); ++ return_value->value.ht = ht; ++ } + + /* go through the lists and look for values of ptr[0] + that are not in the others */ +@@ -3299,6 +3321,7 @@ + PHP_FUNCTION(array_filter) + { + zval **input, **callback = NULL; ++ zval *array, *func = NULL; + zval **operand; + zval **args[1]; + zval *retval = NULL; +@@ -3317,9 +3340,13 @@ + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The first argument should be an array"); + return; + } ++ if (callback) { ++ func = *callback; ++ } ++ array = *input; + + if (ZEND_NUM_ARGS() > 1) { +- if (!zend_is_callable(*callback, 0, &callback_name)) { ++ if (!zend_is_callable(func, 0, &callback_name)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The second argument, '%s', should be a valid callback", callback_name); + efree(callback_name); + return; +@@ -3328,16 +3355,16 @@ + } + + array_init(return_value); +- if (zend_hash_num_elements(Z_ARRVAL_PP(input)) == 0) ++ if (zend_hash_num_elements(Z_ARRVAL_P(array)) == 0) + return; + +- for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(input), &pos); +- zend_hash_get_current_data_ex(Z_ARRVAL_PP(input), (void **)&operand, &pos) == SUCCESS; +- 
zend_hash_move_forward_ex(Z_ARRVAL_PP(input), &pos)) { ++ for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(array), &pos); ++ zend_hash_get_current_data_ex(Z_ARRVAL_P(array), (void **)&operand, &pos) == SUCCESS; ++ zend_hash_move_forward_ex(Z_ARRVAL_P(array), &pos)) { + +- if (callback) { ++ if (func) { + args[0] = operand; +- if (call_user_function_ex(EG(function_table), NULL, *callback, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) { ++ if (call_user_function_ex(EG(function_table), NULL, func, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) { + if (!zend_is_true(retval)) { + zval_ptr_dtor(&retval); + continue; +@@ -3351,7 +3378,7 @@ + continue; + + zval_add_ref(operand); +- switch (zend_hash_get_current_key_ex(Z_ARRVAL_PP(input), &string_key, &string_key_len, &num_key, 0, &pos)) { ++ switch (zend_hash_get_current_key_ex(Z_ARRVAL_P(array), &string_key, &string_key_len, &num_key, 0, &pos)) { + case HASH_KEY_IS_STRING: + zend_hash_update(Z_ARRVAL_P(return_value), string_key, + string_key_len, operand, sizeof(zval *), NULL); +@@ -3418,6 +3445,7 @@ + efree(array_pos); + return; + } ++ SEPARATE_ZVAL_IF_NOT_REF(pargs[i]); + args[i] = *pargs[i]; + array_len[i] = zend_hash_num_elements(Z_ARRVAL_PP(pargs[i])); + if (array_len[i] > maxlen) { +--- ext/standard/basic_functions.c 2005-05-16 10:55:31.000000000 +0200 ++++ ext/standard/basic_functions.c 2005-11-01 00:40:30.000000000 +0100 +@@ -17,7 +17,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: basic_functions.c,v 1.543.2.51 2005/05/16 08:55:31 tony2001 Exp $ */ ++/* $Id: basic_functions.c,v 1.543.2.51.2.3 2005/09/29 16:31:48 iliaa Exp $ */ + + #include "php.h" + #include "php_streams.h" +@@ -42,18 +42,7 @@ + #include <time.h> + #include <stdio.h> + +-#ifndef NETWARE + #include <netdb.h> +-#else +-/*#include "netware/env.h"*/ /* Temporary */ +-#ifdef NEW_LIBC /* Same headers hold good for Winsock and Berkeley sockets */ +-#include <netinet/in.h> 
+-/*#include <arpa/inet.h>*/ +-#include <netdb.h> +-#else +-#include <sys/socket.h> +-#endif +-#endif + + #if HAVE_ARPA_INET_H + # include <arpa/inet.h> +@@ -813,8 +802,8 @@ + PHP_FE(prev, first_arg_force_ref) + PHP_FE(next, first_arg_force_ref) + PHP_FE(reset, first_arg_force_ref) +- PHP_FE(current, first_arg_force_ref) +- PHP_FE(key, first_arg_force_ref) ++ PHP_FE(current, NULL) ++ PHP_FE(key, NULL) + PHP_FE(min, NULL) + PHP_FE(max, NULL) + PHP_FE(in_array, NULL) +@@ -3038,11 +3027,25 @@ + prefix = va_arg(args, char *); + prefix_len = va_arg(args, uint); + +- new_key_len = prefix_len + hash_key->nKeyLength; +- new_key = (char *) emalloc(new_key_len); ++ if (!prefix_len) { ++ if (!hash_key->nKeyLength) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard."); ++ return 0; ++ } else if (!strcmp(hash_key->arKey, "GLOBALS")) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite."); ++ return 0; ++ } ++ } ++ ++ if (hash_key->nKeyLength) { ++ new_key_len = prefix_len + hash_key->nKeyLength; ++ new_key = (char *) emalloc(new_key_len); + +- memcpy(new_key, prefix, prefix_len); +- memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength); ++ memcpy(new_key, prefix, prefix_len); ++ memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength); ++ } else { ++ new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h); ++ } + + zend_hash_del(&EG(symbol_table), new_key, new_key_len); + ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0); +--- ext/standard/string.c 2005-06-02 10:50:52.000000000 +0200 ++++ ext/standard/string.c 2005-11-01 00:40:20.000000000 +0100 +@@ -18,7 +18,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: string.c,v 1.333.2.52 2005/06/02 08:50:52 derick Exp $ */ ++/* $Id: string.c,v 1.333.2.52.2.1 2005/09/28 22:34:04 iliaa Exp $ */ + + /* Synced with php 3.0 revision 
1.193 1999-06-16 [ssb] */ + +@@ -3179,7 +3179,6 @@ + zval *sarg; + char *res = NULL; + int argCount; +- int old_rg; + + argCount = ARG_COUNT(ht); + if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) { +@@ -3192,19 +3191,18 @@ + res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg)); + } + +- old_rg = PG(register_globals); + if (argCount == 1) { +- PG(register_globals) = 1; +- sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC); ++ zval tmp; ++ Z_ARRVAL(tmp) = EG(active_symbol_table); ++ ++ sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC); + } else { +- PG(register_globals) = 0; + /* Clear out the array that was passed in. */ + zval_dtor(*arrayArg); + array_init(*arrayArg); + + sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC); + } +- PG(register_globals) = old_rg; + } + /* }}} */ + +--- main/php_variables.c 2005-05-17 20:42:35.000000000 +0200 ++++ main/php_variables.c 2005-11-01 00:42:56.000000000 +0100 +@@ -16,7 +16,7 @@ + | Zeev Suraski <zeev@zend.com> | + +----------------------------------------------------------------------+ + */ +-/* $Id: php_variables.c,v 1.45.2.13 2005/05/17 18:42:35 iliaa Exp $ */ ++/* $Id: php_variables.c,v 1.45.2.13.2.4 2005/10/02 11:33:27 rrichards Exp $ */ + + #include <stdio.h> + #include "php.h" +@@ -73,6 +73,10 @@ + symtable1 = Z_ARRVAL_P(track_vars_array); + } else if (PG(register_globals)) { + symtable1 = EG(active_symbol_table); ++ /* GLOBALS hijack attempt, reject parameter */ ++ if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)) { ++ return; ++ } + } + if (!symtable1) { + /* Nothing to do */ +@@ -99,6 +103,13 @@ + zval_dtor(val); + return; + } ++ ++ /* GLOBALS hijack attempt, reject parameter */ ++ if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) { ++ zval_dtor(val); ++ return; ++ } ++ + /* ensure that we don't have spaces or dots in the variable name (not binary safe) */ + for (p=var; *p; 
p++) { + switch(*p) { diff --git a/dev-php/php/files/php4.4.0-phpinfo_xss.patch b/dev-php/php/files/php4.4.0-phpinfo_xss.patch new file mode 100644 index 000000000000..2f03ce4e273e --- /dev/null +++ b/dev-php/php/files/php4.4.0-phpinfo_xss.patch @@ -0,0 +1,42 @@ +--- ext/standard/info.c 2005-06-07 15:37:33.000000000 +0200 ++++ ext/standard/info.c 2005-11-01 01:26:54.000000000 +0100 +@@ -18,7 +18,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: info.c,v 1.218.2.18.2.1 2005/06/07 13:37:33 derick Exp $ */ ++/* $Id: info.c,v 1.218.2.18.2.4 2005/08/16 00:26:02 iliaa Exp $ */ + + #include "php.h" + #include "php_ini.h" +@@ -133,10 +133,21 @@ + PUTS(" => "); + } + if (Z_TYPE_PP(tmp) == IS_ARRAY) { ++ zval *tmp3; ++ MAKE_STD_ZVAL(tmp3); + if (!sapi_module.phpinfo_as_text) { + PUTS("<pre>"); + } ++ php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC); + zend_print_zval_r(*tmp, 0); ++ php_ob_get_buffer(tmp3 TSRMLS_CC); ++ php_end_ob_buffer(0, 0 TSRMLS_CC); ++ ++ elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC); ++ PUTS(elem_esc); ++ efree(elem_esc); ++ zval_ptr_dtor(&tmp3); ++ + if (!sapi_module.phpinfo_as_text) { + PUTS("</pre>"); + } +@@ -196,7 +207,7 @@ + PHPAPI char *php_info_html_esc(char *string TSRMLS_DC) + { + int new_len; +- return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC); ++ return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC); + } + /* }}} */ + diff --git a/dev-php/php/php-4.3.11-r2.ebuild b/dev-php/php/php-4.3.11-r3.ebuild index 450cd3ea9a62..2eca9ef61b13 100644 --- a/dev-php/php/php-4.3.11-r2.ebuild +++ b/dev-php/php/php-4.3.11-r3.ebuild 
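Review bot: In the main/php_variables.c section, both halves of the added `register_globals` test compare the same eight bytes. `sizeof("GLOBALS")` and `sizeof("GLOBALS[")-1` are both 8 and the literal is `"GLOBALS"` each time, so the second `strncmp` can never match a `GLOBALS[` prefix and only the exact name is caught here. Rejection of the array form therefore rests on the later `!strcmp("GLOBALS", var)` block, which sits after code outside this patch's context. This early path also returns without the `zval_dtor(val);` that the later rejection performs, so the value appears to be leaked. Suggested: `if (!strncmp(var, "GLOBALS", sizeof("GLOBALS")-1) && (var[sizeof("GLOBALS")-1] == '\0' || var[sizeof("GLOBALS")-1] == '[')) {` followed by `zval_dtor(val); return;`.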
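Review bot: This 42-line 4.4.0 variant has no sections for the three `PUTS(SG(request_info).request_uri)` sites that the 75-line info.c patch earlier in this commit wraps in `php_info_html_esc()`, and nothing records why. Presumably the 4.4.0 base already escapes them, since its starting `$Id` revision is newer, but that cannot be confirmed from the patch itself. Once verified, a short remark next to the `epatch` line in the ebuild, for example `# request_uri escaping is already present in 4.4.0`, would document the difference between the two variants.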
@@ -1,6 +1,6 @@ # Copyright 1999-2005 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/dev-php/php/php-4.3.11-r2.ebuild,v 1.1 2005/10/29 22:16:13 chtekk Exp $ +# $Header: /var/cvsroot/gentoo-x86/dev-php/php/php-4.3.11-r3.ebuild,v 1.1 2005/11/02 22:10:15 chtekk Exp $ PHPSAPI="cli" inherit php-sapi eutils @@ -34,6 +34,15 @@ src_unpack() { epatch "${FILESDIR}/php4.3.11-gd_safe_mode.patch" fi + # patch fo fix safe_mode bypass in CURL extension, bug #111032 + use curl && epatch "${FILESDIR}/php4.3.11-curl_safemode.patch" + + # patch $GLOBALS overwrite vulnerability, bug #111011 and bug #111014 + epatch "${FILESDIR}/php4.3.11-globals_overwrite.patch" + + # patch phpinfo() XSS vulnerability, bug #111015 + epatch "${FILESDIR}/php4.3.11-phpinfo_xss.patch" + # patch open_basedir directory bypass, bug #102943 epatch "${FILESDIR}/php4.3.11-fopen_wrappers.patch" diff --git a/dev-php/php/php-4.4.0-r2.ebuild b/dev-php/php/php-4.4.0-r3.ebuild index 27681fe9d6e5..a2f79f5f4dc1 100644 --- a/dev-php/php/php-4.4.0-r2.ebuild +++ b/dev-php/php/php-4.4.0-r3.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2005 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/dev-php/php/php-4.4.0-r2.ebuild,v 1.3 2005/10/29 22:33:54 chtekk Exp $ +# $Header: /var/cvsroot/gentoo-x86/dev-php/php/php-4.4.0-r3.ebuild,v 1.1 2005/11/02 22:10:15 chtekk Exp $ PHPSAPI="cli" inherit php-sapi eutils 
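Review bot: The added comment above the curl patch reads `# patch fo fix safe_mode bypass in CURL extension, bug #111032`; `fo` should be `to`. The same typo is in the matching `src_unpack()` hunk of php-4.4.0-r3.ebuild. Suggested line: `# patch to fix safe_mode bypass in CURL extension, bug #111032`. `src_unpack()` starts and ends outside the hunk.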
@@ -28,6 +28,15 @@ src_unpack() { epatch "${FILESDIR}/php4.4.0-gd_safe_mode.patch" fi + # patch fo fix safe_mode bypass in CURL extension, bug #111032 + use curl && epatch "${FILESDIR}/php4.4.0-curl_safemode.patch" + + # patch $GLOBALS overwrite vulnerability, bug #111011 and bug #111014 + epatch "${FILESDIR}/php4.4.0-globals_overwrite.patch" + + # patch phpinfo() XSS vulnerability, bug #111015 + epatch "${FILESDIR}/php4.4.0-phpinfo_xss.patch" + # patch open_basedir directory bypass, bug #102943 epatch "${FILESDIR}/php4.4.0-fopen_wrappers.patch" |