authorLuca Longinotti <chtekk@gentoo.org>2005-11-02 22:13:28 +0000
committerLuca Longinotti <chtekk@gentoo.org>2005-11-02 22:13:28 +0000
commit908876c04bf9e783bfb350ac9eb5d6cb19f146d9 (patch)
treece25e5b7a87f2066d75cef9b62cb93fcc7bfbab5
parentRemove depend on \!<app-text/ghostscript-7.07.1-r2 because we no longer have ... (diff)
PHP security-update.
Package-Manager: portage-2.0.53_rc6
-rw-r--r--dev-php/mod_php/ChangeLog17
-rw-r--r--dev-php/mod_php/Manifest20
-rw-r--r--dev-php/mod_php/files/digest-mod_php-4.3.11-r3 (renamed from dev-php/mod_php/files/digest-mod_php-4.3.11-r2)0
-rw-r--r--dev-php/mod_php/files/digest-mod_php-4.4.0-r6 (renamed from dev-php/mod_php/files/digest-mod_php-4.4.0-r4)0
-rw-r--r--dev-php/mod_php/files/digest-mod_php-4.4.0-r7 (renamed from dev-php/mod_php/files/digest-mod_php-4.4.0-r5)0
-rw-r--r--dev-php/mod_php/files/php4.3.11-curl_safemode.patch141
-rw-r--r--dev-php/mod_php/files/php4.3.11-globals_overwrite.patch559
-rw-r--r--dev-php/mod_php/files/php4.3.11-phpinfo_xss.patch75
-rw-r--r--dev-php/mod_php/files/php4.4.0-curl_safemode.patch46
-rw-r--r--dev-php/mod_php/files/php4.4.0-globals_overwrite.patch314
-rw-r--r--dev-php/mod_php/files/php4.4.0-phpinfo_xss.patch42
-rw-r--r--dev-php/mod_php/mod_php-4.3.11-r3.ebuild (renamed from dev-php/mod_php/mod_php-4.3.11-r2.ebuild)11
-rw-r--r--dev-php/mod_php/mod_php-4.4.0-r6.ebuild (renamed from dev-php/mod_php/mod_php-4.4.0-r4.ebuild)11
-rw-r--r--dev-php/mod_php/mod_php-4.4.0-r7.ebuild (renamed from dev-php/mod_php/mod_php-4.4.0-r5.ebuild)11
-rw-r--r--dev-php/php-cgi/ChangeLog15
-rw-r--r--dev-php/php-cgi/Manifest16
-rw-r--r--dev-php/php-cgi/files/digest-php-cgi-4.3.11-r4 (renamed from dev-php/php-cgi/files/digest-php-cgi-4.3.11-r3)0
-rw-r--r--dev-php/php-cgi/files/digest-php-cgi-4.4.0-r4 (renamed from dev-php/php-cgi/files/digest-php-cgi-4.4.0-r3)0
-rw-r--r--dev-php/php-cgi/files/php4.3.11-curl_safemode.patch141
-rw-r--r--dev-php/php-cgi/files/php4.3.11-globals_overwrite.patch559
-rw-r--r--dev-php/php-cgi/files/php4.3.11-phpinfo_xss.patch75
-rw-r--r--dev-php/php-cgi/files/php4.4.0-curl_safemode.patch46
-rw-r--r--dev-php/php-cgi/files/php4.4.0-globals_overwrite.patch314
-rw-r--r--dev-php/php-cgi/files/php4.4.0-phpinfo_xss.patch42
-rw-r--r--dev-php/php-cgi/php-cgi-4.3.11-r4.ebuild (renamed from dev-php/php-cgi/php-cgi-4.3.11-r3.ebuild)11
-rw-r--r--dev-php/php-cgi/php-cgi-4.4.0-r4.ebuild (renamed from dev-php/php-cgi/php-cgi-4.4.0-r3.ebuild)11
-rw-r--r--dev-php/php/ChangeLog14
-rw-r--r--dev-php/php/Manifest16
-rw-r--r--dev-php/php/files/digest-php-4.3.11-r3 (renamed from dev-php/php/files/digest-php-4.3.11-r2)0
-rw-r--r--dev-php/php/files/digest-php-4.4.0-r3 (renamed from dev-php/php/files/digest-php-4.4.0-r2)0
-rw-r--r--dev-php/php/files/php4.3.11-curl_safemode.patch141
-rw-r--r--dev-php/php/files/php4.3.11-globals_overwrite.patch559
-rw-r--r--dev-php/php/files/php4.3.11-phpinfo_xss.patch75
-rw-r--r--dev-php/php/files/php4.4.0-curl_safemode.patch46
-rw-r--r--dev-php/php/files/php4.4.0-globals_overwrite.patch314
-rw-r--r--dev-php/php/files/php4.4.0-phpinfo_xss.patch42
-rw-r--r--dev-php/php/php-4.3.11-r3.ebuild (renamed from dev-php/php/php-4.3.11-r2.ebuild)11
-rw-r--r--dev-php/php/php-4.4.0-r3.ebuild (renamed from dev-php/php/php-4.4.0-r2.ebuild)11
38 files changed, 3679 insertions, 27 deletions
diff --git a/dev-php/mod_php/ChangeLog b/dev-php/mod_php/ChangeLog
index 2afd96717a94..48835dd5f353 100644
--- a/dev-php/mod_php/ChangeLog
+++ b/dev-php/mod_php/ChangeLog
@@ -1,6 +1,21 @@
# ChangeLog for dev-php/mod_php
# Copyright 2002-2005 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-php/mod_php/ChangeLog,v 1.279 2005/10/29 22:16:12 chtekk Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-php/mod_php/ChangeLog,v 1.280 2005/11/02 22:13:28 chtekk Exp $
+
+*mod_php-4.4.0-r7 (02 Nov 2005)
+*mod_php-4.4.0-r6 (02 Nov 2005)
+*mod_php-4.3.11-r3 (02 Nov 2005)
+
+ 02 Nov 2005; Luca Longinotti <chtekk@gentoo.org>
+ +files/php4.3.11-curl_safemode.patch,
+ +files/php4.3.11-globals_overwrite.patch,
+ +files/php4.3.11-phpinfo_xss.patch, +files/php4.4.0-curl_safemode.patch,
+ +files/php4.4.0-globals_overwrite.patch,
+ +files/php4.4.0-phpinfo_xss.patch, -mod_php-4.3.11-r2.ebuild,
+ +mod_php-4.3.11-r3.ebuild, -mod_php-4.4.0-r4.ebuild,
+ -mod_php-4.4.0-r5.ebuild, +mod_php-4.4.0-r6.ebuild,
+ +mod_php-4.4.0-r7.ebuild:
+ Security-update: fix bugs #111032, #111015, #111011 and bug #111014.
*mod_php-4.4.0-r5 (29 Oct 2005)
*mod_php-4.4.0-r4 (29 Oct 2005)
diff --git a/dev-php/mod_php/Manifest b/dev-php/mod_php/Manifest
index 4b807539b4d3..36727ed638c0 100644
--- a/dev-php/mod_php/Manifest
+++ b/dev-php/mod_php/Manifest
@@ -1,4 +1,4 @@
-MD5 419b38aaecd3d763323952b1af301bc1 ChangeLog 49036
+MD5 024feb9b815939516a63961ebdee8aeb ChangeLog 49660
MD5 158cb07377a3e2a0028947b0aeb505cb files/4.3.10-r1/70_mod_php.conf 1017
MD5 2dfe55aa49dbca0c3316e859f8bebcb1 files/4.3.11-r2/70_mod_php.conf 1125
MD5 389638f1d46b6c41cd4d87b471572f4b files/4.4.0-a1/70_mod_php.conf 484
@@ -6,37 +6,43 @@ MD5 ee36e31632adb08b7abf70f78b5b2125 files/4.4.0-a2/70_mod_php.conf 485
MD5 79ed63479c494aeb2ed0bc7f5c059fb9 files/70_mod_php.conf 1022
MD5 cc21a816357d93a1d31cd44f861183c7 files/digest-mod_php-4.3.11 287
MD5 05df4c881b1833626d9a75a08a0098fd files/digest-mod_php-4.3.11-r1 364
-MD5 05df4c881b1833626d9a75a08a0098fd files/digest-mod_php-4.3.11-r2 364
+MD5 05df4c881b1833626d9a75a08a0098fd files/digest-mod_php-4.3.11-r3 364
MD5 09d7dee078c684b0de0e4de6209ef634 files/digest-mod_php-4.4.0 285
MD5 09d7dee078c684b0de0e4de6209ef634 files/digest-mod_php-4.4.0-r1 285
MD5 472ce8342d69fdad9d2a642b03b31bac files/digest-mod_php-4.4.0-r2 362
MD5 472ce8342d69fdad9d2a642b03b31bac files/digest-mod_php-4.4.0-r3 362
-MD5 472ce8342d69fdad9d2a642b03b31bac files/digest-mod_php-4.4.0-r4 362
-MD5 472ce8342d69fdad9d2a642b03b31bac files/digest-mod_php-4.4.0-r5 362
+MD5 472ce8342d69fdad9d2a642b03b31bac files/digest-mod_php-4.4.0-r6 362
+MD5 472ce8342d69fdad9d2a642b03b31bac files/digest-mod_php-4.4.0-r7 362
MD5 7515e9b1dc298a0fb1c12d35a58c265d files/mod_php-4.3.4-amd64hack.diff 1028
MD5 3bf664b414787f8f3c1dcbda5750aef4 files/mod_php-4.3.5-apache1security.diff 425
MD5 cceddd5c262e0ffef31d45b7da269851 files/mod_php.conf 148
MD5 cdec3284251432935f950c2d15a405b7 files/php-4.3.11-flash.patch 694
MD5 b2aa5952d5c805b3e57a5a6bf0f0b8d0 files/php-4.3.11-gmp.patch 925
+MD5 09637e8f6f861b1f3698ec0390ec6b57 files/php4.3.11-curl_safemode.patch 5129
MD5 cb36a386184ed6a887f62d2205f57173 files/php4.3.11-fopen_wrappers.patch 1481
MD5 4db8e0b66cde22dd4e4d9f51e59f6098 files/php4.3.11-gd_safe_mode.patch 1573
+MD5 480060d9a5de72030e2fce541e2830f8 files/php4.3.11-globals_overwrite.patch 18395
MD5 47a031979331eeb527d0918d2c38cdbe files/php4.3.11-imap-symlink.diff 1238
MD5 a9b932952f12aa01a9f98a7fcbf32ed9 files/php4.3.11-pcre-security.patch 6031
+MD5 43b4113d1fb159955b0d5ed307cac143 files/php4.3.11-phpinfo_xss.patch 2518
MD5 48d9c939434e9b01d0696410d59c503c files/php4.3.11-pspell-ext-segf.patch 8482
MD5 17b906361a7ab8a3008446871623eeae files/php4.3.11-session_save_path-segf.patch 4938
+MD5 0429f8334ba4bab659a2e41ce5debc80 files/php4.4.0-curl_safemode.patch 1937
MD5 cb36a386184ed6a887f62d2205f57173 files/php4.4.0-fopen_wrappers.patch 1481
MD5 a540c54ba22dc16b157edcf1ecb6258f files/php4.4.0-gd_safe_mode.patch 883
+MD5 ac3e0691fbecf920d030a35bc8e02109 files/php4.4.0-globals_overwrite.patch 10115
MD5 4c86d8ed96f2bb38b94e826c1f028c80 files/php4.4.0-imap-symlink.diff 1238
MD5 54a4ad0766f89185d7de2c6d07b07296 files/php4.4.0-pcre-security.patch 6177
+MD5 57644300fb52ad610fa52ae8ba6b522b files/php4.4.0-phpinfo_xss.patch 1284
MD5 48d9c939434e9b01d0696410d59c503c files/php4.4.0-pspell-ext-segf.patch 8482
MD5 83fb9efb602c178741ea2e40e13b014f files/php4.4.0-session_save_path-segf.patch 4132
MD5 38fe937e954ab7109395cefa86fcd2d4 metadata.xml 384
MD5 90610a0b9cdbcbec3cd33fcef432e00c mod_php-4.3.11-r1.ebuild 7127
-MD5 4d0ebe3699f952c088db37797aa0348e mod_php-4.3.11-r2.ebuild 7698
+MD5 d1c596d415ff3b0491499dc6d8171511 mod_php-4.3.11-r3.ebuild 8056
MD5 cd88a76d8ca70243cb58ed076582a857 mod_php-4.3.11.ebuild 6387
MD5 29d9e7ef90de139245d7c5e06dd9b67c mod_php-4.4.0-r1.ebuild 6561
MD5 68092beafbec1bd1b054a153b834bd13 mod_php-4.4.0-r2.ebuild 7074
MD5 47959bde0d770eddf3d212d43766332d mod_php-4.4.0-r3.ebuild 6145
-MD5 ef50cfbb47812f5d93a4619ec6a17d0b mod_php-4.4.0-r4.ebuild 7641
-MD5 fa007aafea862145346c99a03f1bb9dc mod_php-4.4.0-r5.ebuild 6714
+MD5 b57df48a882e6a150a3203bb01a936b7 mod_php-4.4.0-r6.ebuild 7996
+MD5 394f186272ba1f810907d07e3f2aa6f8 mod_php-4.4.0-r7.ebuild 7069
MD5 b7f57c4f896ce046f8a6b4472ddfcb2b mod_php-4.4.0.ebuild 6336
diff --git a/dev-php/mod_php/files/digest-mod_php-4.3.11-r2 b/dev-php/mod_php/files/digest-mod_php-4.3.11-r3
index 8a51d50e2303..8a51d50e2303 100644
--- a/dev-php/mod_php/files/digest-mod_php-4.3.11-r2
+++ b/dev-php/mod_php/files/digest-mod_php-4.3.11-r3
diff --git a/dev-php/mod_php/files/digest-mod_php-4.4.0-r4 b/dev-php/mod_php/files/digest-mod_php-4.4.0-r6
index dfbd3919a8b5..dfbd3919a8b5 100644
--- a/dev-php/mod_php/files/digest-mod_php-4.4.0-r4
+++ b/dev-php/mod_php/files/digest-mod_php-4.4.0-r6
diff --git a/dev-php/mod_php/files/digest-mod_php-4.4.0-r5 b/dev-php/mod_php/files/digest-mod_php-4.4.0-r7
index dfbd3919a8b5..dfbd3919a8b5 100644
--- a/dev-php/mod_php/files/digest-mod_php-4.4.0-r5
+++ b/dev-php/mod_php/files/digest-mod_php-4.4.0-r7
diff --git a/dev-php/mod_php/files/php4.3.11-curl_safemode.patch b/dev-php/mod_php/files/php4.3.11-curl_safemode.patch
new file mode 100644
index 000000000000..f308dea57dde
--- /dev/null
+++ b/dev-php/mod_php/files/php4.3.11-curl_safemode.patch
@@ -0,0 +1,141 @@
+--- ext/curl/curl.c 2005-03-14 10:03:09.000000000 +0100
++++ ext/curl/curl.c 2005-10-17 04:42:51.000000000 +0200
+@@ -16,7 +16,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: curl.c,v 1.124.2.29 2005/03/14 09:03:09 sniper Exp $ */
++/* $Id: curl.c,v 1.124.2.30.2.3 2005/10/17 02:42:51 iliaa Exp $ */
+
+ #ifdef HAVE_CONFIG_H
+ #include "config.h"
+@@ -66,7 +66,7 @@
+ #define CAAZ(s, v) add_assoc_zval_ex(return_value, s, sizeof(s), (zval *) v);
+
+ #define PHP_CURL_CHECK_OPEN_BASEDIR(str, len) \
+- if (PG(open_basedir) && *PG(open_basedir) && \
++ if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \
+ strncasecmp(str, "file://", sizeof("file://") - 1) == 0) \
+ { \
+ php_url *tmp_url; \
+@@ -76,7 +76,7 @@
+ RETURN_FALSE; \
+ } \
+ \
+- if (php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
++ if (tmp_url->query || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
+ (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \
+ ) { \
+ php_url_free(tmp_url); \
+@@ -436,10 +436,12 @@
+ zend_list_addref(ch->id);
+ ZVAL_STRINGL(argv[1], data, length, 1);
+
++ ch->in_callback = 1;
+ error = call_user_function(EG(function_table),
+ NULL,
+ t->func,
+ retval, 2, argv TSRMLS_CC);
++ ch->in_callback = 0;
+ if (error == FAILURE) {
+ php_error(E_WARNING, "%s(): Couldn't call the CURLOPT_WRITEFUNCTION",
+ get_active_function_name(TSRMLS_C));
+@@ -495,10 +497,12 @@
+ zend_list_addref(t->fd);
+ ZVAL_LONG(argv[2], (int) size * nmemb);
+
++ ch->in_callback = 1;
+ error = call_user_function(EG(function_table),
+ NULL,
+ t->func,
+ retval, 3, argv TSRMLS_CC);
++ ch->in_callback = 0;
+ if (error == FAILURE) {
+ php_error(E_WARNING, "%s(): Cannot call the CURLOPT_READFUNCTION",
+ get_active_function_name(TSRMLS_C));
+@@ -553,10 +557,12 @@
+ zend_list_addref(ch->id);
+ ZVAL_STRINGL(argv[1], data, length, 1);
+
++ ch->in_callback = 1;
+ error = call_user_function(EG(function_table),
+ NULL,
+ t->func,
+ retval, 2, argv TSRMLS_CC);
++ ch->in_callback = 0;
+ if (error == FAILURE) {
+ php_error(E_WARNING, "%s(): Couldn't call the CURLOPT_HEADERFUNCTION",
+ get_active_function_name(TSRMLS_C));
+@@ -606,10 +612,12 @@
+ ZVAL_STRING(argv[1], prompt, 1);
+ ZVAL_LONG(argv[2], buflen);
+
++ ch->in_callback = 1;
+ error = call_user_function(EG(function_table),
+ NULL,
+ func,
+ retval, 2, argv TSRMLS_CC);
++ ch->in_callback = 0;
+ if (error == FAILURE) {
+ php_error(E_WARNING, "%s(): Couldn't call the CURLOPT_PASSWDFUNCTION", get_active_function_name(TSRMLS_C));
+ } else if (Z_TYPE_P(retval) == IS_STRING) {
+@@ -680,7 +688,9 @@
+ (*ch)->handlers->write_header = ecalloc(1, sizeof(php_curl_write));
+ (*ch)->handlers->read = ecalloc(1, sizeof(php_curl_read));
+ memset(&(*ch)->err, 0, sizeof((*ch)->err));
+-
++
++ (*ch)->in_callback = 0;
++
+ zend_llist_init(&(*ch)->to_free.str, sizeof(char *),
+ (void(*)(void *)) curl_free_string, 0);
+ zend_llist_init(&(*ch)->to_free.slist, sizeof(struct curl_slist),
+@@ -982,10 +992,15 @@
+
+ postval = Z_STRVAL_PP(current);
+ if (*postval == '@') {
++ ++postval;
++ /* safe_mode / open_basedir check */
++ if (php_check_open_basedir(postval TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(postval, "rb+", CHECKUID_CHECK_MODE_PARAM))) {
++ RETURN_FALSE;
++ }
+ error = curl_formadd(&first, &last,
+ CURLFORM_COPYNAME, string_key,
+ CURLFORM_NAMELENGTH, (long)string_key_len - 1,
+- CURLFORM_FILE, ++postval,
++ CURLFORM_FILE, postval,
+ CURLFORM_END);
+ }
+ else {
+@@ -1337,7 +1352,11 @@
+ WRONG_PARAM_COUNT;
+ }
+ ZEND_FETCH_RESOURCE(ch, php_curl *, zid, -1, le_curl_name, le_curl);
+-
++
++ if (ch->in_callback) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempt to close CURL handle from a callback");
++ return;
++ }
+ zend_list_delete(Z_LVAL_PP(zid));
+ }
+ /* }}} */
+--- ext/curl/php_curl.h 2002-12-31 17:34:15.000000000 +0100
++++ ext/curl/php_curl.h 2005-06-02 23:05:06.000000000 +0200
+@@ -17,7 +17,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: php_curl.h,v 1.29.2.1 2002/12/31 16:34:15 sebastian Exp $ */
++/* $Id: php_curl.h,v 1.29.2.2 2005/06/02 21:05:06 tony2001 Exp $ */
+
+ #ifndef _PHP_CURL_H
+ #define _PHP_CURL_H
+@@ -93,6 +93,7 @@
+ struct _php_curl_free to_free;
+ long id;
+ unsigned int uses;
++ zend_bool in_callback;
+ } php_curl;
+
+ /* streams support */
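Review bot: The `RETURN_FALSE;` added in the `*postval == '@'` branch of ext/curl/curl.c leaves the function while `first`/`last` may already hold form parts appended by earlier `curl_formadd()` calls, and nothing visible in the hunk releases them. Unless that list is freed elsewhere on this path, I would call `curl_formfree(first);` before `RETURN_FALSE;`. Separately, `in_callback` is a plain flag that each of the four callback sites sets to 1 and then unconditionally back to 0, so if callbacks on one handle can ever nest, the inner return clears the guard that the new `curl_close()` check relies on; a depth counter (`ch->in_callback++;` / `ch->in_callback--;`) would be safer. The enclosing functions start and end outside the quoted hunks, so this is based only on the visible lines.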
diff --git a/dev-php/mod_php/files/php4.3.11-globals_overwrite.patch b/dev-php/mod_php/files/php4.3.11-globals_overwrite.patch
new file mode 100644
index 000000000000..d3eb55c5ee3e
--- /dev/null
+++ b/dev-php/mod_php/files/php4.3.11-globals_overwrite.patch
@@ -0,0 +1,559 @@
+--- ext/standard/array.c 2004-12-23 17:40:03.000000000 +0100
++++ ext/standard/array.c 2005-10-31 23:26:23.000000000 +0100
+@@ -22,7 +22,7 @@
+ */
+
+
+-/* $Id: array.c,v 1.199.2.42 2004/12/23 16:40:03 tony2001 Exp $ */
++/* $Id: array.c,v 1.199.2.44.2.9 2005/10/03 14:05:07 iliaa Exp $ */
+
+ #include "php.h"
+ #include "php_ini.h"
+@@ -631,7 +640,7 @@
+ s = *((Bucket **) b);
+
+ if (f->nKeyLength) {
+- Z_STRVAL(key1) = estrndup(f->arKey, f->nKeyLength);
++ Z_STRVAL(key1) = estrndup(f->arKey, f->nKeyLength-1);
+ Z_STRLEN(key1) = f->nKeyLength-1;
+ Z_TYPE(key1) = IS_STRING;
+ } else {
+@@ -639,7 +648,7 @@
+ Z_TYPE(key1) = IS_LONG;
+ }
+ if (s->nKeyLength) {
+- Z_STRVAL(key2) = estrndup(s->arKey, s->nKeyLength);
++ Z_STRVAL(key2) = estrndup(s->arKey, s->nKeyLength-1);
+ Z_STRLEN(key2) = s->nKeyLength-1;
+ Z_TYPE(key2) = IS_STRING;
+ } else {
+@@ -1243,6 +1252,10 @@
+ /* break omitted intentionally */
+
+ case EXTR_OVERWRITE:
++ /* GLOBALS protection */
++ if (var_exists && !strcmp(var_name, "GLOBALS")) {
++ break;
++ }
+ smart_str_appendl(&final_name, var_name, var_name_len);
+ break;
+
+@@ -1291,14 +1304,18 @@
+ zval **orig_var;
+
+ if (zend_hash_find(EG(active_symbol_table), final_name.c, final_name.len+1, (void **) &orig_var) == SUCCESS) {
+- zval_ptr_dtor(orig_var);
+-
+ SEPARATE_ZVAL_TO_MAKE_IS_REF(entry);
+ zval_add_ref(entry);
+
++ zval_ptr_dtor(orig_var);
++
+ *orig_var = *entry;
+ } else {
+- (*entry)->is_ref = 1;
++ if ((*var_array)->refcount > 1) {
++ SEPARATE_ZVAL_TO_MAKE_IS_REF(entry);
++ } else {
++ (*entry)->is_ref = 1;
++ }
+ zval_add_ref(entry);
+ zend_hash_update(EG(active_symbol_table), final_name.c, final_name.len+1, (void **) entry, sizeof(zval *), NULL);
+ }
+@@ -1818,8 +1835,8 @@
+ hashtable and replace it with new one */
+ new_hash = php_splice(Z_ARRVAL_P(stack), 0, 0, &args[1], argc-1, NULL);
+ zend_hash_destroy(Z_ARRVAL_P(stack));
+- efree(Z_ARRVAL_P(stack));
+- Z_ARRVAL_P(stack) = new_hash;
++ *Z_ARRVAL_P(stack) = *new_hash;
++ FREE_HASHTABLE(new_hash);
+
+ /* Clean up and return the number of elements in the stack */
+ efree(args);
+@@ -1896,8 +1913,8 @@
+
+ /* Replace input array's hashtable with the new one */
+ zend_hash_destroy(Z_ARRVAL_P(array));
+- efree(Z_ARRVAL_P(array));
+- Z_ARRVAL_P(array) = new_hash;
++ *Z_ARRVAL_P(array) = *new_hash;
++ FREE_HASHTABLE(new_hash);
+
+ /* Clean up */
+ if (argc == 4)
+@@ -2384,8 +2401,8 @@
+
+ /* Copy the result hash into return value */
+ zend_hash_destroy(Z_ARRVAL_P(return_value));
+- efree(Z_ARRVAL_P(return_value));
+- Z_ARRVAL_P(return_value) = new_hash;
++ *Z_ARRVAL_P(return_value) = *new_hash;
++ FREE_HASHTABLE(new_hash);
+
+ /* Clean up */
+ efree(pads);
+@@ -2483,7 +2500,7 @@
+ zend_hash_index_update(Z_ARRVAL_P(return_value), num_key, entry, sizeof(entry), NULL);
+ break;
+ case HASH_KEY_IS_STRING:
+- new_key=estrndup(string_key,str_key_len);
++ new_key=estrndup(string_key,str_key_len - 1);
+ if (change_to_upper)
+ php_strtoupper(new_key, str_key_len - 1);
+ else
+@@ -2609,6 +2626,15 @@
+ /* copy the argument array */
+ *return_value = **args[0];
+ zval_copy_ctor(return_value);
++ if (return_value->value.ht == &EG(symbol_table)) {
++ HashTable *ht;
++ zval *tmp;
++
++ ALLOC_HASHTABLE(ht);
++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0);
++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
++ return_value->value.ht = ht;
++ }
+
+ /* go through the lists and look for common values */
+ while (*ptrs[0]) {
+@@ -2759,6 +2785,15 @@
+ /* copy the argument array */
+ *return_value = **args[0];
+ zval_copy_ctor(return_value);
++ if (return_value->value.ht == &EG(symbol_table)) {
++ HashTable *ht;
++ zval *tmp;
++
++ ALLOC_HASHTABLE(ht);
++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0);
++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
++ return_value->value.ht = ht;
++ }
+
+ /* go through the lists and look for values of ptr[0]
+ that are not in the others */
+@@ -3229,8 +3264,11 @@
+ efree(callback_name);
+
+ if (ZEND_NUM_ARGS() > 2) {
+- convert_to_long_ex(initial);
+- result = *initial;
++ ALLOC_ZVAL(result);
++ *result = **initial;
++ zval_copy_ctor(result);
++ convert_to_long(result);
++ INIT_PZVAL(result);
+ } else {
+ MAKE_STD_ZVAL(result);
+ ZVAL_NULL(result);
+@@ -3246,6 +3284,7 @@
+ if (result) {
+ *return_value = *result;
+ zval_copy_ctor(return_value);
++ zval_ptr_dtor(&result);
+ }
+ return;
+ }
+@@ -3282,6 +3321,7 @@
+ PHP_FUNCTION(array_filter)
+ {
+ zval **input, **callback = NULL;
++ zval *array, *func = NULL;
+ zval **operand;
+ zval **args[1];
+ zval *retval = NULL;
+@@ -3300,9 +3340,13 @@
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The first argument should be an array");
+ return;
+ }
++ if (callback) {
++ func = *callback;
++ }
++ array = *input;
+
+ if (ZEND_NUM_ARGS() > 1) {
+- if (!zend_is_callable(*callback, 0, &callback_name)) {
++ if (!zend_is_callable(func, 0, &callback_name)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The second argument, '%s', should be a valid callback", callback_name);
+ efree(callback_name);
+ return;
+@@ -3311,16 +3355,16 @@
+ }
+
+ array_init(return_value);
+- if (zend_hash_num_elements(Z_ARRVAL_PP(input)) == 0)
++ if (zend_hash_num_elements(Z_ARRVAL_P(array)) == 0)
+ return;
+
+- for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(input), &pos);
+- zend_hash_get_current_data_ex(Z_ARRVAL_PP(input), (void **)&operand, &pos) == SUCCESS;
+- zend_hash_move_forward_ex(Z_ARRVAL_PP(input), &pos)) {
++ for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(array), &pos);
++ zend_hash_get_current_data_ex(Z_ARRVAL_P(array), (void **)&operand, &pos) == SUCCESS;
++ zend_hash_move_forward_ex(Z_ARRVAL_P(array), &pos)) {
+
+- if (callback) {
++ if (func) {
+ args[0] = operand;
+- if (call_user_function_ex(EG(function_table), NULL, *callback, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) {
++ if (call_user_function_ex(EG(function_table), NULL, func, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) {
+ if (!zend_is_true(retval)) {
+ zval_ptr_dtor(&retval);
+ continue;
+@@ -3334,7 +3378,7 @@
+ continue;
+
+ zval_add_ref(operand);
+- switch (zend_hash_get_current_key_ex(Z_ARRVAL_PP(input), &string_key, &string_key_len, &num_key, 0, &pos)) {
++ switch (zend_hash_get_current_key_ex(Z_ARRVAL_P(array), &string_key, &string_key_len, &num_key, 0, &pos)) {
+ case HASH_KEY_IS_STRING:
+ zend_hash_update(Z_ARRVAL_P(return_value), string_key,
+ string_key_len, operand, sizeof(zval *), NULL);
+@@ -3401,6 +3445,7 @@
+ efree(array_pos);
+ return;
+ }
++ SEPARATE_ZVAL_IF_NOT_REF(pargs[i]);
+ args[i] = *pargs[i];
+ array_len[i] = zend_hash_num_elements(Z_ARRVAL_PP(pargs[i]));
+ if (array_len[i] > maxlen) {
+--- ext/standard/basic_functions.c 2005-01-18 12:01:20.000000000 +0100
++++ ext/standard/basic_functions.c 2005-10-31 23:29:26.000000000 +0100
+@@ -17,7 +17,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: basic_functions.c,v 1.543.2.47 2005/01/18 11:01:20 sniper Exp $ */
++/* $Id: basic_functions.c,v 1.543.2.51.2.3 2005/09/29 16:31:48 iliaa Exp $ */
+
+ #include "php.h"
+ #include "php_streams.h"
+@@ -42,18 +42,7 @@
+ #include <time.h>
+ #include <stdio.h>
+
+-#ifndef NETWARE
+ #include <netdb.h>
+-#else
+-/*#include "netware/env.h"*/ /* Temporary */
+-#ifdef NEW_LIBC /* Same headers hold good for Winsock and Berkeley sockets */
+-#include <netinet/in.h>
+-/*#include <arpa/inet.h>*/
+-#include <netdb.h>
+-#else
+-#include <sys/socket.h>
+-#endif
+-#endif
+
+ #if HAVE_ARPA_INET_H
+ # include <arpa/inet.h>
+@@ -813,8 +802,8 @@
+ PHP_FE(prev, first_arg_force_ref)
+ PHP_FE(next, first_arg_force_ref)
+ PHP_FE(reset, first_arg_force_ref)
+- PHP_FE(current, first_arg_force_ref)
+- PHP_FE(key, first_arg_force_ref)
++ PHP_FE(current, NULL)
++ PHP_FE(key, NULL)
+ PHP_FE(min, NULL)
+ PHP_FE(max, NULL)
+ PHP_FE(in_array, NULL)
+@@ -944,6 +933,13 @@
+ static void php_putenv_destructor(putenv_entry *pe)
+ {
+ if (pe->previous_value) {
++#if _MSC_VER
++ /* VS.Net has a bug in putenv() when setting a variable that
++ * is already set; if the SetEnvironmentVariable() API call
++ * fails, the Crt will double free() a string.
++ * We try to avoid this by setting our own value first */
++ SetEnvironmentVariable(pe->key, "bugbug");
++#endif
+ putenv(pe->previous_value);
+ } else {
+ # if HAVE_UNSETENV
+@@ -1232,11 +1228,10 @@
+ }
+ STR_FREE(BG(locale_string));
+
+- if (FG(stream_wrappers)) {
+- zend_hash_destroy(FG(stream_wrappers));
+- efree(FG(stream_wrappers));
+- FG(stream_wrappers) = NULL;
+- }
++ /*
++ FG(stream_wrappers) are destroyed
++ during php_request_shutdown()
++ */
+
+ PHP_RSHUTDOWN(fsock) (SHUTDOWN_FUNC_ARGS_PASSTHRU);
+ PHP_RSHUTDOWN(filestat) (SHUTDOWN_FUNC_ARGS_PASSTHRU);
+@@ -1430,6 +1425,14 @@
+ }
+ }
+
++#if _MSC_VER
++ /* VS.Net has a bug in putenv() when setting a variable that
++ * is already set; if the SetEnvironmentVariable() API call
++ * fails, the Crt will double free() a string.
++ * We try to avoid this by setting our own value first */
++ SetEnvironmentVariable(pe.key, "bugbug");
++#endif
++
+ if (putenv(pe.putenv_string) == 0) { /* success */
+ zend_hash_add(&BG(putenv_ht), pe.key, pe.key_len+1, (void **) &pe, sizeof(putenv_entry), NULL);
+ #ifdef HAVE_TZSET
+@@ -2089,17 +2092,21 @@
+ static int user_shutdown_function_call(php_shutdown_function_entry *shutdown_function_entry TSRMLS_DC)
+ {
+ zval retval;
++ char *function_name = NULL;
+
+- if (call_user_function( EG(function_table), NULL,
+- shutdown_function_entry->arguments[0],
+- &retval,
+- shutdown_function_entry->arg_count - 1,
+- shutdown_function_entry->arguments + 1
+- TSRMLS_CC ) == SUCCESS ) {
++ if (!zend_is_callable(shutdown_function_entry->arguments[0], 0, &function_name)) {
++ php_error(E_WARNING, "(Registered shutdown functions) Unable to call %s() - function does not exist", function_name);
++ } else if (call_user_function(EG(function_table), NULL,
++ shutdown_function_entry->arguments[0],
++ &retval,
++ shutdown_function_entry->arg_count - 1,
++ shutdown_function_entry->arguments + 1
++ TSRMLS_CC ) == SUCCESS)
++ {
+ zval_dtor(&retval);
+-
+- } else {
+- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to call %s() - function does not exist", Z_STRVAL_P(shutdown_function_entry->arguments[0]));
++ }
++ if (function_name) {
++ efree(function_name);
+ }
+ return 0;
+ }
+@@ -2192,6 +2199,7 @@
+ PHP_FUNCTION(register_shutdown_function)
+ {
+ php_shutdown_function_entry shutdown_function_entry;
++ char *function_name = NULL;
+ int i;
+
+ shutdown_function_entry.arg_count = ZEND_NUM_ARGS();
+@@ -2200,26 +2208,31 @@
+ WRONG_PARAM_COUNT;
+ }
+
+- shutdown_function_entry.arguments = (pval **) safe_emalloc(sizeof(pval *), shutdown_function_entry.arg_count, 0);
++ shutdown_function_entry.arguments = (zval **) safe_emalloc(sizeof(zval *), shutdown_function_entry.arg_count, 0);
+
+ if (zend_get_parameters_array(ht, shutdown_function_entry.arg_count, shutdown_function_entry.arguments) == FAILURE) {
+ RETURN_FALSE;
+ }
+
+- /* Prevent entering of anything but arrays/strings */
+- if (Z_TYPE_P(shutdown_function_entry.arguments[0]) != IS_ARRAY) {
+- convert_to_string(shutdown_function_entry.arguments[0]);
+- }
+-
+- if (!BG(user_shutdown_function_names)) {
+- ALLOC_HASHTABLE(BG(user_shutdown_function_names));
+- zend_hash_init(BG(user_shutdown_function_names), 0, NULL, (void (*)(void *)) user_shutdown_function_dtor, 0);
+- }
++ /* Prevent entering of anything but valid callback (syntax check only!) */
++ if (!zend_is_callable(shutdown_function_entry.arguments[0], 1, &function_name)) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid shutdown callback '%s' passed", function_name);
++ efree(shutdown_function_entry.arguments);
++ RETVAL_FALSE;
++ } else {
++ if (!BG(user_shutdown_function_names)) {
++ ALLOC_HASHTABLE(BG(user_shutdown_function_names));
++ zend_hash_init(BG(user_shutdown_function_names), 0, NULL, (void (*)(void *)) user_shutdown_function_dtor, 0);
++ }
+
+- for (i = 0; i < shutdown_function_entry.arg_count; i++) {
+- shutdown_function_entry.arguments[i]->refcount++;
++ for (i = 0; i < shutdown_function_entry.arg_count; i++) {
++ shutdown_function_entry.arguments[i]->refcount++;
++ }
++ zend_hash_next_index_insert(BG(user_shutdown_function_names), &shutdown_function_entry, sizeof(php_shutdown_function_entry), NULL);
++ }
++ if (function_name) {
++ efree(function_name);
+ }
+- zend_hash_next_index_insert(BG(user_shutdown_function_names), &shutdown_function_entry, sizeof(php_shutdown_function_entry), NULL);
+ }
+ /* }}} */
+
+@@ -3014,11 +3027,25 @@
+ prefix = va_arg(args, char *);
+ prefix_len = va_arg(args, uint);
+
+- new_key_len = prefix_len + hash_key->nKeyLength;
+- new_key = (char *) emalloc(new_key_len);
++ if (!prefix_len) {
++ if (!hash_key->nKeyLength) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard.");
++ return 0;
++ } else if (!strcmp(hash_key->arKey, "GLOBALS")) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite.");
++ return 0;
++ }
++ }
++
++ if (hash_key->nKeyLength) {
++ new_key_len = prefix_len + hash_key->nKeyLength;
++ new_key = (char *) emalloc(new_key_len);
+
+- memcpy(new_key, prefix, prefix_len);
+- memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
++ memcpy(new_key, prefix, prefix_len);
++ memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
++ } else {
++ new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h);
++ }
+
+ zend_hash_del(&EG(symbol_table), new_key, new_key_len);
+ ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0);
+--- ext/standard/string.c 2005-01-20 18:57:41.000000000 +0100
++++ ext/standard/string.c 2005-10-31 23:34:37.000000000 +0100
+@@ -18,7 +18,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: string.c,v 1.333.2.48 2005/01/20 17:57:41 iliaa Exp $ */
++/* $Id: string.c,v 1.333.2.52.2.1 2005/09/28 22:34:04 iliaa Exp $ */
+
+ /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
+
+@@ -1317,8 +1317,6 @@
+ if (!Z_STRLEN_PP(needle)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Empty delimiter.");
+ efree(haystack_orig);
+- zval_ptr_dtor(haystack);
+- zval_ptr_dtor(needle);
+ RETURN_FALSE;
+ }
+
+@@ -1339,8 +1337,6 @@
+ RETVAL_FALSE;
+ }
+
+- zval_ptr_dtor(haystack);
+- zval_ptr_dtor(needle);
+ efree(haystack_orig);
+ }
+ /* }}} */
+@@ -1576,7 +1572,13 @@
+ }
+
+ if (chunklen > Z_STRLEN_PP(p_str)) {
+- RETURN_STRINGL(Z_STRVAL_PP(p_str), Z_STRLEN_PP(p_str), 1);
++ /* to maintain BC, we must return original string + ending */
++ result_len = endlen + Z_STRLEN_PP(p_str);
++ result = emalloc(result_len + 1);
++ memcpy(result, Z_STRVAL_PP(p_str), Z_STRLEN_PP(p_str));
++ memcpy(result + Z_STRLEN_PP(p_str), end, endlen);
++ result[result_len] = '\0';
++ RETURN_STRINGL(result, result_len, 0);
+ }
+
+ if (!Z_STRLEN_PP(p_str)) {
+@@ -3169,7 +3179,6 @@
+ zval *sarg;
+ char *res = NULL;
+ int argCount;
+- int old_rg;
+
+ argCount = ARG_COUNT(ht);
+ if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) {
+@@ -3182,19 +3191,18 @@
+ res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg));
+ }
+
+- old_rg = PG(register_globals);
+ if (argCount == 1) {
+- PG(register_globals) = 1;
+- sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC);
++ zval tmp;
++ Z_ARRVAL(tmp) = EG(active_symbol_table);
++
++ sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);
+ } else {
+- PG(register_globals) = 0;
+ /* Clear out the array that was passed in. */
+ zval_dtor(*arrayArg);
+ array_init(*arrayArg);
+
+ sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC);
+ }
+- PG(register_globals) = old_rg;
+ }
+ /* }}} */
+
+--- main/php_variables.c 2004-10-18 17:08:46.000000000 +0200
++++ main/php_variables.c 2005-10-31 23:39:38.000000000 +0100
+@@ -16,7 +16,7 @@
+ | Zeev Suraski <zeev@zend.com> |
+ +----------------------------------------------------------------------+
+ */
+-/* $Id: php_variables.c,v 1.45.2.8 2004/10/18 15:08:46 tony2001 Exp $ */
++/* $Id: php_variables.c,v 1.45.2.13.2.4 2005/10/02 11:33:27 rrichards Exp $ */
+
+ #include <stdio.h>
+ #include "php.h"
+@@ -73,6 +73,10 @@
+ symtable1 = Z_ARRVAL_P(track_vars_array);
+ } else if (PG(register_globals)) {
+ symtable1 = EG(active_symbol_table);
++ /* GLOBALS hijack attempt, reject parameter */
++ if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)) {
++ return;
++ }
+ }
+ if (!symtable1) {
+ /* Nothing to do */
+@@ -99,6 +103,13 @@
+ zval_dtor(val);
+ return;
+ }
++
++ /* GLOBALS hijack attempt, reject parameter */
++ if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) {
++ zval_dtor(val);
++ return;
++ }
++
+ /* ensure that we don't have spaces or dots in the variable name (not binary safe) */
+ for (p=var; *p; p++) {
+ switch(*p) {
+@@ -182,11 +193,25 @@
+ if (!index) {
+ zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+ } else {
++ zval **tmp;
++
+ if (PG(magic_quotes_gpc) && (index!=var)) {
+ char *escaped_index = php_addslashes(index, index_len, &index_len, 0 TSRMLS_CC);
++
++ if (PG(http_globals)[TRACK_VARS_COOKIE] && symtable1 == Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_COOKIE]) &&
++ zend_hash_find(symtable1, escaped_index, index_len+1, (void **) &tmp) != FAILURE) {
++ efree(escaped_index);
++ break;
++ }
++
+ zend_hash_update(symtable1, escaped_index, index_len+1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+ efree(escaped_index);
+ } else {
++ if (PG(http_globals)[TRACK_VARS_COOKIE] && symtable1 == Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_COOKIE]) &&
++ zend_hash_find(symtable1, index, index_len+1, (void **) &tmp) != FAILURE) {
++ break;
++ }
++
+ zend_hash_update(symtable1, index, index_len+1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+ }
+ }
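Review bot: In the main/php_variables.c part, the second test in `!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)` compares the same eight bytes as the first, so both match only a name that is exactly `GLOBALS`, and the `GLOBALS[` prefix case the second test looks meant for is not caught here. That case appears to be caught only by the later `!strcmp("GLOBALS", var)` check, which presumably runs after the name has been cut at `[` (not visible in the hunk). I would write the early test as `if (!strcmp("GLOBALS", var) || !strncmp("GLOBALS[", var, sizeof("GLOBALS[")-1)) {` and add `zval_dtor(val);` before its `return;`, as the other early returns shown in this function do. In ext/standard/basic_functions.c, `new_key_len` includes the terminating NUL on the string-key path (`prefix_len + hash_key->nKeyLength`) but not on the new `spprintf()` path, so numeric keys are likely registered with a length one short of what the symbol table expects; `new_key_len++;` after the `spprintf()` call would make the two paths agree. The enclosing functions start and end outside the hunks.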
diff --git a/dev-php/mod_php/files/php4.3.11-phpinfo_xss.patch b/dev-php/mod_php/files/php4.3.11-phpinfo_xss.patch
new file mode 100644
index 000000000000..2c7d9991794f
--- /dev/null
+++ b/dev-php/mod_php/files/php4.3.11-phpinfo_xss.patch
@@ -0,0 +1,75 @@
+--- ext/standard/info.c 2004-06-09 17:10:19.000000000 +0200
++++ ext/standard/info.c 2005-11-01 01:22:42.000000000 +0100
+@@ -18,7 +18,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: info.c,v 1.218.2.16 2004/06/09 15:10:19 iliaa Exp $ */
++/* $Id: info.c,v 1.218.2.18.2.4 2005/08/16 00:26:02 iliaa Exp $ */
+
+ #include "php.h"
+ #include "php_ini.h"
+@@ -133,10 +133,21 @@
+ PUTS(" => ");
+ }
+ if (Z_TYPE_PP(tmp) == IS_ARRAY) {
++ zval *tmp3;
++ MAKE_STD_ZVAL(tmp3);
+ if (!sapi_module.phpinfo_as_text) {
+ PUTS("<pre>");
+ }
++ php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
+ zend_print_zval_r(*tmp, 0);
++ php_ob_get_buffer(tmp3 TSRMLS_CC);
++ php_end_ob_buffer(0, 0 TSRMLS_CC);
++
++ elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
++ PUTS(elem_esc);
++ efree(elem_esc);
++ zval_ptr_dtor(&tmp3);
++
+ if (!sapi_module.phpinfo_as_text) {
+ PUTS("</pre>");
+ }
+@@ -196,7 +207,7 @@
+ PHPAPI char *php_info_html_esc(char *string TSRMLS_DC)
+ {
+ int new_len;
+- return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC);
++ return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
+ }
+ /* }}} */
+
+@@ -408,7 +419,9 @@
+ if (expose_php && !sapi_module.phpinfo_as_text) {
+ PUTS("<a href=\"http://www.php.net/\"><img border=\"0\" src=\"");
+ if (SG(request_info).request_uri) {
+- PUTS(SG(request_info).request_uri);
++ char *elem_esc = php_info_html_esc(SG(request_info).request_uri TSRMLS_CC);
++ PUTS(elem_esc);
++ efree(elem_esc);
+ }
+ if ((ta->tm_mon==3) && (ta->tm_mday==1)) {
+ PUTS("?="PHP_EGG_LOGO_GUID"\" alt=\"Nadia!\" /></a>");
+@@ -510,7 +529,9 @@
+ if (expose_php && !sapi_module.phpinfo_as_text) {
+ PUTS("<a href=\"http://www.zend.com/\"><img border=\"0\" src=\"");
+ if (SG(request_info).request_uri) {
+- PUTS(SG(request_info).request_uri);
++ char *elem_esc = php_info_html_esc(SG(request_info).request_uri TSRMLS_CC);
++ PUTS(elem_esc);
++ efree(elem_esc);
+ }
+ PUTS("?="ZEND_LOGO_GUID"\" alt=\"Zend logo\" /></a>\n");
+ }
+@@ -525,7 +546,9 @@
+ php_info_print_hr();
+ PUTS("<h1><a href=\"");
+ if (SG(request_info).request_uri) {
+- PUTS(SG(request_info).request_uri);
++ char *elem_esc = php_info_html_esc(SG(request_info).request_uri TSRMLS_CC);
++ PUTS(elem_esc);
++ efree(elem_esc);
+ }
+ PUTS("?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000\">");
+ PUTS("PHP Credits");
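Review bot: In the array branch (inner hunk at -133), `Z_STRVAL_P(tmp3)` is handed to `php_info_html_esc()` without checking the results of `php_start_ob_buffer()` or `php_ob_get_buffer()`. `MAKE_STD_ZVAL` only allocates `tmp3` and sets its refcount, so if the buffer call fails the helper's `strlen(string)` would read an unset pointer, and `zval_ptr_dtor(&tmp3)` would destroy a zval with no type. Guarding the escape block with `if (php_ob_get_buffer(tmp3 TSRMLS_CC) == SUCCESS) {` and otherwise releasing `tmp3` with `FREE_ZVAL(tmp3);` would close that path. The same block is added by php4.4.0-phpinfo_xss.patch. The enclosing function starts and ends outside the hunk, so where `elem_esc` is declared cannot be confirmed from here.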
diff --git a/dev-php/mod_php/files/php4.4.0-curl_safemode.patch b/dev-php/mod_php/files/php4.4.0-curl_safemode.patch
new file mode 100644
index 000000000000..32a82e072077
--- /dev/null
+++ b/dev-php/mod_php/files/php4.4.0-curl_safemode.patch
@@ -0,0 +1,46 @@
+--- ext/curl/curl.c 2005-06-02 23:05:06.000000000 +0200
++++ ext/curl/curl.c 2005-10-17 04:42:51.000000000 +0200
+@@ -16,7 +16,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: curl.c,v 1.124.2.30 2005/06/02 21:05:06 tony2001 Exp $ */
++/* $Id: curl.c,v 1.124.2.30.2.3 2005/10/17 02:42:51 iliaa Exp $ */
+
+ #ifdef HAVE_CONFIG_H
+ #include "config.h"
+@@ -66,7 +66,7 @@
+ #define CAAZ(s, v) add_assoc_zval_ex(return_value, s, sizeof(s), (zval *) v);
+
+ #define PHP_CURL_CHECK_OPEN_BASEDIR(str, len) \
+- if (PG(open_basedir) && *PG(open_basedir) && \
++ if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \
+ strncasecmp(str, "file://", sizeof("file://") - 1) == 0) \
+ { \
+ php_url *tmp_url; \
+@@ -76,7 +76,7 @@
+ RETURN_FALSE; \
+ } \
+ \
+- if (php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
++ if (tmp_url->query || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
+ (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \
+ ) { \
+ php_url_free(tmp_url); \
+@@ -992,10 +992,15 @@
+
+ postval = Z_STRVAL_PP(current);
+ if (*postval == '@') {
++ ++postval;
++ /* safe_mode / open_basedir check */
++ if (php_check_open_basedir(postval TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(postval, "rb+", CHECKUID_CHECK_MODE_PARAM))) {
++ RETURN_FALSE;
++ }
+ error = curl_formadd(&first, &last,
+ CURLFORM_COPYNAME, string_key,
+ CURLFORM_NAMELENGTH, (long)string_key_len - 1,
+- CURLFORM_FILE, ++postval,
++ CURLFORM_FILE, postval,
+ CURLFORM_END);
+ }
+ else {
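Review bot: The `RETURN_FALSE` added in the POST-field hunk (inner @@ -992) returns from inside what appears to be the per-field loop that builds the form through `curl_formadd(&first, &last, ...)`. Any parts added for earlier fields would then never be released. The loop itself starts outside the hunk, so this is inferred; if it holds, `curl_formfree(first);` before the `RETURN_FALSE` would avoid the leak on a rejected `@file` value. The same lines appear in dev-php/php-cgi/files/php4.3.11-curl_safemode.patch.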
diff --git a/dev-php/mod_php/files/php4.4.0-globals_overwrite.patch b/dev-php/mod_php/files/php4.4.0-globals_overwrite.patch
new file mode 100644
index 000000000000..3aefaee16295
--- /dev/null
+++ b/dev-php/mod_php/files/php4.4.0-globals_overwrite.patch
@@ -0,0 +1,314 @@
+--- ext/standard/array.c 2005-06-21 14:11:19.000000000 +0200
++++ ext/standard/array.c 2005-11-01 00:40:11.000000000 +0100
+@@ -22,7 +22,7 @@
+ */
+
+
+-/* $Id: array.c,v 1.199.2.44.2.2 2005/06/21 12:11:19 dmitry Exp $ */
++/* $Id: array.c,v 1.199.2.44.2.9 2005/10/03 14:05:07 iliaa Exp $ */
+
+ #include "php.h"
+ #include "php_ini.h"
+@@ -1252,6 +1252,10 @@
+ /* break omitted intentionally */
+
+ case EXTR_OVERWRITE:
++ /* GLOBALS protection */
++ if (var_exists && !strcmp(var_name, "GLOBALS")) {
++ break;
++ }
+ smart_str_appendl(&final_name, var_name, var_name_len);
+ break;
+
+@@ -1300,11 +1304,11 @@
+ zval **orig_var;
+
+ if (zend_hash_find(EG(active_symbol_table), final_name.c, final_name.len+1, (void **) &orig_var) == SUCCESS) {
+- zval_ptr_dtor(orig_var);
+-
+ SEPARATE_ZVAL_TO_MAKE_IS_REF(entry);
+ zval_add_ref(entry);
+
++ zval_ptr_dtor(orig_var);
++
+ *orig_var = *entry;
+ } else {
+ if ((*var_array)->refcount > 1) {
+@@ -1831,8 +1835,8 @@
+ hashtable and replace it with new one */
+ new_hash = php_splice(Z_ARRVAL_P(stack), 0, 0, &args[1], argc-1, NULL);
+ zend_hash_destroy(Z_ARRVAL_P(stack));
+- efree(Z_ARRVAL_P(stack));
+- Z_ARRVAL_P(stack) = new_hash;
++ *Z_ARRVAL_P(stack) = *new_hash;
++ FREE_HASHTABLE(new_hash);
+
+ /* Clean up and return the number of elements in the stack */
+ efree(args);
+@@ -1909,8 +1913,8 @@
+
+ /* Replace input array's hashtable with the new one */
+ zend_hash_destroy(Z_ARRVAL_P(array));
+- efree(Z_ARRVAL_P(array));
+- Z_ARRVAL_P(array) = new_hash;
++ *Z_ARRVAL_P(array) = *new_hash;
++ FREE_HASHTABLE(new_hash);
+
+ /* Clean up */
+ if (argc == 4)
+@@ -2397,8 +2401,8 @@
+
+ /* Copy the result hash into return value */
+ zend_hash_destroy(Z_ARRVAL_P(return_value));
+- efree(Z_ARRVAL_P(return_value));
+- Z_ARRVAL_P(return_value) = new_hash;
++ *Z_ARRVAL_P(return_value) = *new_hash;
++ FREE_HASHTABLE(new_hash);
+
+ /* Clean up */
+ efree(pads);
+@@ -2622,6 +2626,15 @@
+ /* copy the argument array */
+ *return_value = **args[0];
+ zval_copy_ctor(return_value);
++ if (return_value->value.ht == &EG(symbol_table)) {
++ HashTable *ht;
++ zval *tmp;
++
++ ALLOC_HASHTABLE(ht);
++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0);
++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
++ return_value->value.ht = ht;
++ }
+
+ /* go through the lists and look for common values */
+ while (*ptrs[0]) {
+@@ -2772,6 +2785,15 @@
+ /* copy the argument array */
+ *return_value = **args[0];
+ zval_copy_ctor(return_value);
++ if (return_value->value.ht == &EG(symbol_table)) {
++ HashTable *ht;
++ zval *tmp;
++
++ ALLOC_HASHTABLE(ht);
++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0);
++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
++ return_value->value.ht = ht;
++ }
+
+ /* go through the lists and look for values of ptr[0]
+ that are not in the others */
+@@ -3299,6 +3321,7 @@
+ PHP_FUNCTION(array_filter)
+ {
+ zval **input, **callback = NULL;
++ zval *array, *func = NULL;
+ zval **operand;
+ zval **args[1];
+ zval *retval = NULL;
+@@ -3317,9 +3340,13 @@
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The first argument should be an array");
+ return;
+ }
++ if (callback) {
++ func = *callback;
++ }
++ array = *input;
+
+ if (ZEND_NUM_ARGS() > 1) {
+- if (!zend_is_callable(*callback, 0, &callback_name)) {
++ if (!zend_is_callable(func, 0, &callback_name)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The second argument, '%s', should be a valid callback", callback_name);
+ efree(callback_name);
+ return;
+@@ -3328,16 +3355,16 @@
+ }
+
+ array_init(return_value);
+- if (zend_hash_num_elements(Z_ARRVAL_PP(input)) == 0)
++ if (zend_hash_num_elements(Z_ARRVAL_P(array)) == 0)
+ return;
+
+- for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(input), &pos);
+- zend_hash_get_current_data_ex(Z_ARRVAL_PP(input), (void **)&operand, &pos) == SUCCESS;
+- zend_hash_move_forward_ex(Z_ARRVAL_PP(input), &pos)) {
++ for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(array), &pos);
++ zend_hash_get_current_data_ex(Z_ARRVAL_P(array), (void **)&operand, &pos) == SUCCESS;
++ zend_hash_move_forward_ex(Z_ARRVAL_P(array), &pos)) {
+
+- if (callback) {
++ if (func) {
+ args[0] = operand;
+- if (call_user_function_ex(EG(function_table), NULL, *callback, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) {
++ if (call_user_function_ex(EG(function_table), NULL, func, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) {
+ if (!zend_is_true(retval)) {
+ zval_ptr_dtor(&retval);
+ continue;
+@@ -3351,7 +3378,7 @@
+ continue;
+
+ zval_add_ref(operand);
+- switch (zend_hash_get_current_key_ex(Z_ARRVAL_PP(input), &string_key, &string_key_len, &num_key, 0, &pos)) {
++ switch (zend_hash_get_current_key_ex(Z_ARRVAL_P(array), &string_key, &string_key_len, &num_key, 0, &pos)) {
+ case HASH_KEY_IS_STRING:
+ zend_hash_update(Z_ARRVAL_P(return_value), string_key,
+ string_key_len, operand, sizeof(zval *), NULL);
+@@ -3418,6 +3445,7 @@
+ efree(array_pos);
+ return;
+ }
++ SEPARATE_ZVAL_IF_NOT_REF(pargs[i]);
+ args[i] = *pargs[i];
+ array_len[i] = zend_hash_num_elements(Z_ARRVAL_PP(pargs[i]));
+ if (array_len[i] > maxlen) {
+--- ext/standard/basic_functions.c 2005-05-16 10:55:31.000000000 +0200
++++ ext/standard/basic_functions.c 2005-11-01 00:40:30.000000000 +0100
+@@ -17,7 +17,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: basic_functions.c,v 1.543.2.51 2005/05/16 08:55:31 tony2001 Exp $ */
++/* $Id: basic_functions.c,v 1.543.2.51.2.3 2005/09/29 16:31:48 iliaa Exp $ */
+
+ #include "php.h"
+ #include "php_streams.h"
+@@ -42,18 +42,7 @@
+ #include <time.h>
+ #include <stdio.h>
+
+-#ifndef NETWARE
+ #include <netdb.h>
+-#else
+-/*#include "netware/env.h"*/ /* Temporary */
+-#ifdef NEW_LIBC /* Same headers hold good for Winsock and Berkeley sockets */
+-#include <netinet/in.h>
+-/*#include <arpa/inet.h>*/
+-#include <netdb.h>
+-#else
+-#include <sys/socket.h>
+-#endif
+-#endif
+
+ #if HAVE_ARPA_INET_H
+ # include <arpa/inet.h>
+@@ -813,8 +802,8 @@
+ PHP_FE(prev, first_arg_force_ref)
+ PHP_FE(next, first_arg_force_ref)
+ PHP_FE(reset, first_arg_force_ref)
+- PHP_FE(current, first_arg_force_ref)
+- PHP_FE(key, first_arg_force_ref)
++ PHP_FE(current, NULL)
++ PHP_FE(key, NULL)
+ PHP_FE(min, NULL)
+ PHP_FE(max, NULL)
+ PHP_FE(in_array, NULL)
+@@ -3038,11 +3027,25 @@
+ prefix = va_arg(args, char *);
+ prefix_len = va_arg(args, uint);
+
+- new_key_len = prefix_len + hash_key->nKeyLength;
+- new_key = (char *) emalloc(new_key_len);
++ if (!prefix_len) {
++ if (!hash_key->nKeyLength) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard.");
++ return 0;
++ } else if (!strcmp(hash_key->arKey, "GLOBALS")) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite.");
++ return 0;
++ }
++ }
++
++ if (hash_key->nKeyLength) {
++ new_key_len = prefix_len + hash_key->nKeyLength;
++ new_key = (char *) emalloc(new_key_len);
+
+- memcpy(new_key, prefix, prefix_len);
+- memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
++ memcpy(new_key, prefix, prefix_len);
++ memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
++ } else {
++ new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h);
++ }
+
+ zend_hash_del(&EG(symbol_table), new_key, new_key_len);
+ ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0);
+--- ext/standard/string.c 2005-06-02 10:50:52.000000000 +0200
++++ ext/standard/string.c 2005-11-01 00:40:20.000000000 +0100
+@@ -18,7 +18,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: string.c,v 1.333.2.52 2005/06/02 08:50:52 derick Exp $ */
++/* $Id: string.c,v 1.333.2.52.2.1 2005/09/28 22:34:04 iliaa Exp $ */
+
+ /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
+
+@@ -3179,7 +3179,6 @@
+ zval *sarg;
+ char *res = NULL;
+ int argCount;
+- int old_rg;
+
+ argCount = ARG_COUNT(ht);
+ if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) {
+@@ -3192,19 +3191,18 @@
+ res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg));
+ }
+
+- old_rg = PG(register_globals);
+ if (argCount == 1) {
+- PG(register_globals) = 1;
+- sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC);
++ zval tmp;
++ Z_ARRVAL(tmp) = EG(active_symbol_table);
++
++ sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);
+ } else {
+- PG(register_globals) = 0;
+ /* Clear out the array that was passed in. */
+ zval_dtor(*arrayArg);
+ array_init(*arrayArg);
+
+ sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC);
+ }
+- PG(register_globals) = old_rg;
+ }
+ /* }}} */
+
+--- main/php_variables.c 2005-05-17 20:42:35.000000000 +0200
++++ main/php_variables.c 2005-11-01 00:42:56.000000000 +0100
+@@ -16,7 +16,7 @@
+ | Zeev Suraski <zeev@zend.com> |
+ +----------------------------------------------------------------------+
+ */
+-/* $Id: php_variables.c,v 1.45.2.13 2005/05/17 18:42:35 iliaa Exp $ */
++/* $Id: php_variables.c,v 1.45.2.13.2.4 2005/10/02 11:33:27 rrichards Exp $ */
+
+ #include <stdio.h>
+ #include "php.h"
+@@ -73,6 +73,10 @@
+ symtable1 = Z_ARRVAL_P(track_vars_array);
+ } else if (PG(register_globals)) {
+ symtable1 = EG(active_symbol_table);
++ /* GLOBALS hijack attempt, reject parameter */
++ if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)) {
++ return;
++ }
+ }
+ if (!symtable1) {
+ /* Nothing to do */
+@@ -99,6 +103,13 @@
+ zval_dtor(val);
+ return;
+ }
++
++ /* GLOBALS hijack attempt, reject parameter */
++ if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) {
++ zval_dtor(val);
++ return;
++ }
++
+ /* ensure that we don't have spaces or dots in the variable name (not binary safe) */
+ for (p=var; *p; p++) {
+ switch(*p) {
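Review bot: In the main/php_variables.c hunk at -73, the second test `!strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)` compares eight bytes of the literal `"GLOBALS"`, terminator included, so it is the same exact-match test as the first clause and never matches a name beginning `GLOBALS[`. The condition presumably meant `if (!strcmp("GLOBALS", var) || !strncmp("GLOBALS[", var, sizeof("GLOBALS[")-1)) {`. This early path also returns without `zval_dtor(val);`, unlike the check added in the hunk at -99, so `val` looks leaked when a parameter is rejected here. The same lines are in php4.3.11-globals_overwrite.patch. The function body continues outside both hunks, so whether the later `strcmp` check already covers the bracketed form cannot be confirmed from this page.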
diff --git a/dev-php/mod_php/files/php4.4.0-phpinfo_xss.patch b/dev-php/mod_php/files/php4.4.0-phpinfo_xss.patch
new file mode 100644
index 000000000000..2f03ce4e273e
--- /dev/null
+++ b/dev-php/mod_php/files/php4.4.0-phpinfo_xss.patch
@@ -0,0 +1,42 @@
+--- ext/standard/info.c 2005-06-07 15:37:33.000000000 +0200
++++ ext/standard/info.c 2005-11-01 01:26:54.000000000 +0100
+@@ -18,7 +18,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: info.c,v 1.218.2.18.2.1 2005/06/07 13:37:33 derick Exp $ */
++/* $Id: info.c,v 1.218.2.18.2.4 2005/08/16 00:26:02 iliaa Exp $ */
+
+ #include "php.h"
+ #include "php_ini.h"
+@@ -133,10 +133,21 @@
+ PUTS(" => ");
+ }
+ if (Z_TYPE_PP(tmp) == IS_ARRAY) {
++ zval *tmp3;
++ MAKE_STD_ZVAL(tmp3);
+ if (!sapi_module.phpinfo_as_text) {
+ PUTS("<pre>");
+ }
++ php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
+ zend_print_zval_r(*tmp, 0);
++ php_ob_get_buffer(tmp3 TSRMLS_CC);
++ php_end_ob_buffer(0, 0 TSRMLS_CC);
++
++ elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
++ PUTS(elem_esc);
++ efree(elem_esc);
++ zval_ptr_dtor(&tmp3);
++
+ if (!sapi_module.phpinfo_as_text) {
+ PUTS("</pre>");
+ }
+@@ -196,7 +207,7 @@
+ PHPAPI char *php_info_html_esc(char *string TSRMLS_DC)
+ {
+ int new_len;
+- return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC);
++ return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
+ }
+ /* }}} */
+
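Review bot: This patch carries only the array-dump and `ENT_QUOTES` hunks; the three hunks that escape `SG(request_info).request_uri` in php4.3.11-phpinfo_xss.patch (inner @@ -408, -510 and -525) have no counterpart here. That may be because 4.4.0's info.c already escapes those values, but nothing on the page confirms it. A short header line at the top of the patch file would record why the 4.4.0 patch is shorter, for example `request_uri output is already escaped in 4.4.0; only the array dump and quote handling need patching`, added only once that has been checked against the 4.4.0 source.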
diff --git a/dev-php/mod_php/mod_php-4.3.11-r2.ebuild b/dev-php/mod_php/mod_php-4.3.11-r3.ebuild
index fa5d55b0b0ff..dfa2a7bb9ca9 100644
--- a/dev-php/mod_php/mod_php-4.3.11-r2.ebuild
+++ b/dev-php/mod_php/mod_php-4.3.11-r3.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/dev-php/mod_php/mod_php-4.3.11-r2.ebuild,v 1.10 2005/10/29 22:16:12 chtekk Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-php/mod_php/mod_php-4.3.11-r3.ebuild,v 1.1 2005/11/02 22:13:28 chtekk Exp $
IUSE="apache2"
@@ -113,6 +113,15 @@ src_unpack() {
epatch "${FILESDIR}/php4.3.11-gd_safe_mode.patch"
fi
+ # patch fo fix safe_mode bypass in CURL extension, bug #111032
+ use curl && epatch "${FILESDIR}/php4.3.11-curl_safemode.patch"
+
+ # patch $GLOBALS overwrite vulnerability, bug #111011 and bug #111014
+ epatch "${FILESDIR}/php4.3.11-globals_overwrite.patch"
+
+ # patch phpinfo() XSS vulnerability, bug #111015
+ epatch "${FILESDIR}/php4.3.11-phpinfo_xss.patch"
+
# patch open_basedir directory bypass, bug #102943
epatch "${FILESDIR}/php4.3.11-fopen_wrappers.patch"
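Review bot: The comment added above the curl patch line has a typo, `# patch fo fix safe_mode bypass in CURL extension, bug #111032`; it should read `# patch to fix safe_mode bypass in CURL extension, bug #111032`. The same comment is added to mod_php-4.4.0-r6.ebuild and mod_php-4.4.0-r7.ebuild. The hunks under the file name "curl_safemode" also change the open_basedir checks, so the comment could say `safe_mode/open_basedir bypass` to match what the patch covers. `src_unpack()` begins and ends outside the hunk.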
diff --git a/dev-php/mod_php/mod_php-4.4.0-r4.ebuild b/dev-php/mod_php/mod_php-4.4.0-r6.ebuild
index 90417295bea9..d47f97cf8178 100644
--- a/dev-php/mod_php/mod_php-4.4.0-r4.ebuild
+++ b/dev-php/mod_php/mod_php-4.4.0-r6.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/dev-php/mod_php/mod_php-4.4.0-r4.ebuild,v 1.1 2005/10/29 22:16:12 chtekk Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-php/mod_php/mod_php-4.4.0-r6.ebuild,v 1.1 2005/11/02 22:13:28 chtekk Exp $
IUSE="apache2"
@@ -107,6 +107,15 @@ src_unpack() {
epatch "${FILESDIR}/php4.4.0-gd_safe_mode.patch"
fi
+ # patch fo fix safe_mode bypass in CURL extension, bug #111032
+ use curl && epatch "${FILESDIR}/php4.4.0-curl_safemode.patch"
+
+ # patch $GLOBALS overwrite vulnerability, bug #111011 and bug #111014
+ epatch "${FILESDIR}/php4.4.0-globals_overwrite.patch"
+
+ # patch phpinfo() XSS vulnerability, bug #111015
+ epatch "${FILESDIR}/php4.4.0-phpinfo_xss.patch"
+
# patch open_basedir directory bypass, bug #102943
epatch "${FILESDIR}/php4.4.0-fopen_wrappers.patch"
diff --git a/dev-php/mod_php/mod_php-4.4.0-r5.ebuild b/dev-php/mod_php/mod_php-4.4.0-r7.ebuild
index f4875b578a06..c93b5d79e74f 100644
--- a/dev-php/mod_php/mod_php-4.4.0-r5.ebuild
+++ b/dev-php/mod_php/mod_php-4.4.0-r7.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/dev-php/mod_php/mod_php-4.4.0-r5.ebuild,v 1.1 2005/10/29 22:16:12 chtekk Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-php/mod_php/mod_php-4.4.0-r7.ebuild,v 1.1 2005/11/02 22:13:28 chtekk Exp $
IUSE="apache2"
@@ -115,6 +115,15 @@ src_unpack() {
epatch "${FILESDIR}/php4.4.0-gd_safe_mode.patch"
fi
+ # patch fo fix safe_mode bypass in CURL extension, bug #111032
+ use curl && epatch "${FILESDIR}/php4.4.0-curl_safemode.patch"
+
+ # patch $GLOBALS overwrite vulnerability, bug #111011 and bug #111014
+ epatch "${FILESDIR}/php4.4.0-globals_overwrite.patch"
+
+ # patch phpinfo() XSS vulnerability, bug #111015
+ epatch "${FILESDIR}/php4.4.0-phpinfo_xss.patch"
+
# patch open_basedir directory bypass, bug #102943
epatch "${FILESDIR}/php4.4.0-fopen_wrappers.patch"
diff --git a/dev-php/php-cgi/ChangeLog b/dev-php/php-cgi/ChangeLog
index e809f1e031b0..4c29535facd9 100644
--- a/dev-php/php-cgi/ChangeLog
+++ b/dev-php/php-cgi/ChangeLog
@@ -1,6 +1,19 @@
# ChangeLog for dev-php/php-cgi
# Copyright 2000-2005 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-php/php-cgi/ChangeLog,v 1.102 2005/10/29 22:16:13 chtekk Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-php/php-cgi/ChangeLog,v 1.103 2005/11/02 22:11:28 chtekk Exp $
+
+*php-cgi-4.4.0-r4 (02 Nov 2005)
+*php-cgi-4.3.11-r4 (02 Nov 2005)
+
+ 02 Nov 2005; Luca Longinotti <chtekk@gentoo.org>
+ +files/php4.3.11-curl_safemode.patch, +files/php4.3.11-phpinfo_xss.patch,
+ +files/php4.3.11-globals_overwrite.patch,
+ +files/php4.4.0-curl_safemode.patch,
+ +files/php4.4.0-globals_overwrite.patch,
+ +files/php4.4.0-phpinfo_xss.patch, -php-cgi-4.3.11-r3.ebuild,
+ +php-cgi-4.3.11-r4.ebuild, -php-cgi-4.4.0-r3.ebuild,
+ +php-cgi-4.4.0-r4.ebuild:
+ Security-update: fix bugs #111032, #111015, #111011 and bug #111014.
*php-cgi-4.4.0-r3 (29 Oct 2005)
*php-cgi-4.3.11-r3 (29 Oct 2005)
diff --git a/dev-php/php-cgi/Manifest b/dev-php/php-cgi/Manifest
index 74ddccbf79d4..1eb158e5135f 100644
--- a/dev-php/php-cgi/Manifest
+++ b/dev-php/php-cgi/Manifest
@@ -1,30 +1,36 @@
-MD5 cf0ea805b8d4c87b9a7595c95f4de856 ChangeLog 14791
+MD5 3e134cc7b91aa025b2b7abd694c2806d ChangeLog 15329
MD5 cc21a816357d93a1d31cd44f861183c7 files/digest-php-cgi-4.3.11-r1 287
MD5 05df4c881b1833626d9a75a08a0098fd files/digest-php-cgi-4.3.11-r2 364
-MD5 05df4c881b1833626d9a75a08a0098fd files/digest-php-cgi-4.3.11-r3 364
+MD5 05df4c881b1833626d9a75a08a0098fd files/digest-php-cgi-4.3.11-r4 364
MD5 09d7dee078c684b0de0e4de6209ef634 files/digest-php-cgi-4.4.0 285
MD5 09d7dee078c684b0de0e4de6209ef634 files/digest-php-cgi-4.4.0-r1 285
MD5 472ce8342d69fdad9d2a642b03b31bac files/digest-php-cgi-4.4.0-r2 362
-MD5 472ce8342d69fdad9d2a642b03b31bac files/digest-php-cgi-4.4.0-r3 362
+MD5 472ce8342d69fdad9d2a642b03b31bac files/digest-php-cgi-4.4.0-r4 362
MD5 cdec3284251432935f950c2d15a405b7 files/php-4.3.11-flash.patch 694
MD5 b2aa5952d5c805b3e57a5a6bf0f0b8d0 files/php-4.3.11-gmp.patch 925
+MD5 09637e8f6f861b1f3698ec0390ec6b57 files/php4.3.11-curl_safemode.patch 5129
MD5 cb36a386184ed6a887f62d2205f57173 files/php4.3.11-fopen_wrappers.patch 1481
MD5 4db8e0b66cde22dd4e4d9f51e59f6098 files/php4.3.11-gd_safe_mode.patch 1573
+MD5 480060d9a5de72030e2fce541e2830f8 files/php4.3.11-globals_overwrite.patch 18395
MD5 47a031979331eeb527d0918d2c38cdbe files/php4.3.11-imap-symlink.diff 1238
MD5 a9b932952f12aa01a9f98a7fcbf32ed9 files/php4.3.11-pcre-security.patch 6031
+MD5 43b4113d1fb159955b0d5ed307cac143 files/php4.3.11-phpinfo_xss.patch 2518
MD5 48d9c939434e9b01d0696410d59c503c files/php4.3.11-pspell-ext-segf.patch 8482
MD5 17b906361a7ab8a3008446871623eeae files/php4.3.11-session_save_path-segf.patch 4938
+MD5 0429f8334ba4bab659a2e41ce5debc80 files/php4.4.0-curl_safemode.patch 1937
MD5 cb36a386184ed6a887f62d2205f57173 files/php4.4.0-fopen_wrappers.patch 1481
MD5 a540c54ba22dc16b157edcf1ecb6258f files/php4.4.0-gd_safe_mode.patch 883
+MD5 ac3e0691fbecf920d030a35bc8e02109 files/php4.4.0-globals_overwrite.patch 10115
MD5 4c86d8ed96f2bb38b94e826c1f028c80 files/php4.4.0-imap-symlink.diff 1238
MD5 54a4ad0766f89185d7de2c6d07b07296 files/php4.4.0-pcre-security.patch 6177
+MD5 57644300fb52ad610fa52ae8ba6b522b files/php4.4.0-phpinfo_xss.patch 1284
MD5 48d9c939434e9b01d0696410d59c503c files/php4.4.0-pspell-ext-segf.patch 8482
MD5 83fb9efb602c178741ea2e40e13b014f files/php4.4.0-session_save_path-segf.patch 4132
MD5 38fe937e954ab7109395cefa86fcd2d4 metadata.xml 384
MD5 ff97ecdd5c6b9744c3770bf335bb1157 php-cgi-4.3.11-r1.ebuild 1116
MD5 f03786f41f7eb2be4bf8854c52d09f97 php-cgi-4.3.11-r2.ebuild 1866
-MD5 fe5e55c8edc33fb56da83cf767b3cb25 php-cgi-4.3.11-r3.ebuild 2436
+MD5 09490da529c8203551a9d325294bc744 php-cgi-4.3.11-r4.ebuild 2794
MD5 56118eb0c5d90c47c6f73c9db6eccb69 php-cgi-4.4.0-r1.ebuild 972
MD5 d9deaac08b78b996c648e1cbc9640ffa php-cgi-4.4.0-r2.ebuild 1711
-MD5 66062f07ef6eda420c58d8183afd86b7 php-cgi-4.4.0-r3.ebuild 2278
+MD5 fd58309f2a3593a4fe7833fcbed57769 php-cgi-4.4.0-r4.ebuild 2633
MD5 daa51bac42996b36311b5c6049f95b4e php-cgi-4.4.0.ebuild 972
diff --git a/dev-php/php-cgi/files/digest-php-cgi-4.3.11-r3 b/dev-php/php-cgi/files/digest-php-cgi-4.3.11-r4
index 8a51d50e2303..8a51d50e2303 100644
--- a/dev-php/php-cgi/files/digest-php-cgi-4.3.11-r3
+++ b/dev-php/php-cgi/files/digest-php-cgi-4.3.11-r4
diff --git a/dev-php/php-cgi/files/digest-php-cgi-4.4.0-r3 b/dev-php/php-cgi/files/digest-php-cgi-4.4.0-r4
index dfbd3919a8b5..dfbd3919a8b5 100644
--- a/dev-php/php-cgi/files/digest-php-cgi-4.4.0-r3
+++ b/dev-php/php-cgi/files/digest-php-cgi-4.4.0-r4
diff --git a/dev-php/php-cgi/files/php4.3.11-curl_safemode.patch b/dev-php/php-cgi/files/php4.3.11-curl_safemode.patch
new file mode 100644
index 000000000000..f308dea57dde
--- /dev/null
+++ b/dev-php/php-cgi/files/php4.3.11-curl_safemode.patch
@@ -0,0 +1,141 @@
+--- ext/curl/curl.c 2005-03-14 10:03:09.000000000 +0100
++++ ext/curl/curl.c 2005-10-17 04:42:51.000000000 +0200
+@@ -16,7 +16,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: curl.c,v 1.124.2.29 2005/03/14 09:03:09 sniper Exp $ */
++/* $Id: curl.c,v 1.124.2.30.2.3 2005/10/17 02:42:51 iliaa Exp $ */
+
+ #ifdef HAVE_CONFIG_H
+ #include "config.h"
+@@ -66,7 +66,7 @@
+ #define CAAZ(s, v) add_assoc_zval_ex(return_value, s, sizeof(s), (zval *) v);
+
+ #define PHP_CURL_CHECK_OPEN_BASEDIR(str, len) \
+- if (PG(open_basedir) && *PG(open_basedir) && \
++ if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \
+ strncasecmp(str, "file://", sizeof("file://") - 1) == 0) \
+ { \
+ php_url *tmp_url; \
+@@ -76,7 +76,7 @@
+ RETURN_FALSE; \
+ } \
+ \
+- if (php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
++ if (tmp_url->query || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
+ (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \
+ ) { \
+ php_url_free(tmp_url); \
+@@ -436,10 +436,12 @@
+ zend_list_addref(ch->id);
+ ZVAL_STRINGL(argv[1], data, length, 1);
+
++ ch->in_callback = 1;
+ error = call_user_function(EG(function_table),
+ NULL,
+ t->func,
+ retval, 2, argv TSRMLS_CC);
++ ch->in_callback = 0;
+ if (error == FAILURE) {
+ php_error(E_WARNING, "%s(): Couldn't call the CURLOPT_WRITEFUNCTION",
+ get_active_function_name(TSRMLS_C));
+@@ -495,10 +497,12 @@
+ zend_list_addref(t->fd);
+ ZVAL_LONG(argv[2], (int) size * nmemb);
+
++ ch->in_callback = 1;
+ error = call_user_function(EG(function_table),
+ NULL,
+ t->func,
+ retval, 3, argv TSRMLS_CC);
++ ch->in_callback = 0;
+ if (error == FAILURE) {
+ php_error(E_WARNING, "%s(): Cannot call the CURLOPT_READFUNCTION",
+ get_active_function_name(TSRMLS_C));
+@@ -553,10 +557,12 @@
+ zend_list_addref(ch->id);
+ ZVAL_STRINGL(argv[1], data, length, 1);
+
++ ch->in_callback = 1;
+ error = call_user_function(EG(function_table),
+ NULL,
+ t->func,
+ retval, 2, argv TSRMLS_CC);
++ ch->in_callback = 0;
+ if (error == FAILURE) {
+ php_error(E_WARNING, "%s(): Couldn't call the CURLOPT_HEADERFUNCTION",
+ get_active_function_name(TSRMLS_C));
+@@ -606,10 +612,12 @@
+ ZVAL_STRING(argv[1], prompt, 1);
+ ZVAL_LONG(argv[2], buflen);
+
++ ch->in_callback = 1;
+ error = call_user_function(EG(function_table),
+ NULL,
+ func,
+ retval, 2, argv TSRMLS_CC);
++ ch->in_callback = 0;
+ if (error == FAILURE) {
+ php_error(E_WARNING, "%s(): Couldn't call the CURLOPT_PASSWDFUNCTION", get_active_function_name(TSRMLS_C));
+ } else if (Z_TYPE_P(retval) == IS_STRING) {
+@@ -680,7 +688,9 @@
+ (*ch)->handlers->write_header = ecalloc(1, sizeof(php_curl_write));
+ (*ch)->handlers->read = ecalloc(1, sizeof(php_curl_read));
+ memset(&(*ch)->err, 0, sizeof((*ch)->err));
+-
++
++ (*ch)->in_callback = 0;
++
+ zend_llist_init(&(*ch)->to_free.str, sizeof(char *),
+ (void(*)(void *)) curl_free_string, 0);
+ zend_llist_init(&(*ch)->to_free.slist, sizeof(struct curl_slist),
+@@ -982,10 +992,15 @@
+
+ postval = Z_STRVAL_PP(current);
+ if (*postval == '@') {
++ ++postval;
++ /* safe_mode / open_basedir check */
++ if (php_check_open_basedir(postval TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(postval, "rb+", CHECKUID_CHECK_MODE_PARAM))) {
++ RETURN_FALSE;
++ }
+ error = curl_formadd(&first, &last,
+ CURLFORM_COPYNAME, string_key,
+ CURLFORM_NAMELENGTH, (long)string_key_len - 1,
+- CURLFORM_FILE, ++postval,
++ CURLFORM_FILE, postval,
+ CURLFORM_END);
+ }
+ else {
+@@ -1337,7 +1352,11 @@
+ WRONG_PARAM_COUNT;
+ }
+ ZEND_FETCH_RESOURCE(ch, php_curl *, zid, -1, le_curl_name, le_curl);
+-
++
++ if (ch->in_callback) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempt to close CURL handle from a callback");
++ return;
++ }
+ zend_list_delete(Z_LVAL_PP(zid));
+ }
+ /* }}} */
+--- ext/curl/php_curl.h 2002-12-31 17:34:15.000000000 +0100
++++ ext/curl/php_curl.h 2005-06-02 23:05:06.000000000 +0200
+@@ -17,7 +17,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: php_curl.h,v 1.29.2.1 2002/12/31 16:34:15 sebastian Exp $ */
++/* $Id: php_curl.h,v 1.29.2.2 2005/06/02 21:05:06 tony2001 Exp $ */
+
+ #ifndef _PHP_CURL_H
+ #define _PHP_CURL_H
+@@ -93,6 +93,7 @@
+ struct _php_curl_free to_free;
+ long id;
+ unsigned int uses;
++ zend_bool in_callback;
+ } php_curl;
+
+ /* streams support */
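Review bot: The `in_callback` field added to `php_curl` in ext/curl/php_curl.h has no comment, and nothing in the patch says why a safe_mode fix also changes the four callback call sites and the close path. From the hunks, the flag is set to 1 before each `call_user_function()` and cleared afterwards, and the handle-closing function refuses to `zend_list_delete()` while it is set. A comment on the field would record that, for example `zend_bool in_callback; /* non-zero while a user callback runs; closing the handle is refused then */`. The flag is cleared with a plain `ch->in_callback = 0;` rather than restored to its previous value, which is worth stating in the comment if callbacks can never nest.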
diff --git a/dev-php/php-cgi/files/php4.3.11-globals_overwrite.patch b/dev-php/php-cgi/files/php4.3.11-globals_overwrite.patch
new file mode 100644
index 000000000000..d3eb55c5ee3e
--- /dev/null
+++ b/dev-php/php-cgi/files/php4.3.11-globals_overwrite.patch
@@ -0,0 +1,559 @@
+--- ext/standard/array.c 2004-12-23 17:40:03.000000000 +0100
++++ ext/standard/array.c 2005-10-31 23:26:23.000000000 +0100
+@@ -22,7 +22,7 @@
+ */
+
+
+-/* $Id: array.c,v 1.199.2.42 2004/12/23 16:40:03 tony2001 Exp $ */
++/* $Id: array.c,v 1.199.2.44.2.9 2005/10/03 14:05:07 iliaa Exp $ */
+
+ #include "php.h"
+ #include "php_ini.h"
+@@ -631,7 +640,7 @@
+ s = *((Bucket **) b);
+
+ if (f->nKeyLength) {
+- Z_STRVAL(key1) = estrndup(f->arKey, f->nKeyLength);
++ Z_STRVAL(key1) = estrndup(f->arKey, f->nKeyLength-1);
+ Z_STRLEN(key1) = f->nKeyLength-1;
+ Z_TYPE(key1) = IS_STRING;
+ } else {
+@@ -639,7 +648,7 @@
+ Z_TYPE(key1) = IS_LONG;
+ }
+ if (s->nKeyLength) {
+- Z_STRVAL(key2) = estrndup(s->arKey, s->nKeyLength);
++ Z_STRVAL(key2) = estrndup(s->arKey, s->nKeyLength-1);
+ Z_STRLEN(key2) = s->nKeyLength-1;
+ Z_TYPE(key2) = IS_STRING;
+ } else {
+@@ -1243,6 +1252,10 @@
+ /* break omitted intentionally */
+
+ case EXTR_OVERWRITE:
++ /* GLOBALS protection */
++ if (var_exists && !strcmp(var_name, "GLOBALS")) {
++ break;
++ }
+ smart_str_appendl(&final_name, var_name, var_name_len);
+ break;
+
+@@ -1291,14 +1304,18 @@
+ zval **orig_var;
+
+ if (zend_hash_find(EG(active_symbol_table), final_name.c, final_name.len+1, (void **) &orig_var) == SUCCESS) {
+- zval_ptr_dtor(orig_var);
+-
+ SEPARATE_ZVAL_TO_MAKE_IS_REF(entry);
+ zval_add_ref(entry);
+
++ zval_ptr_dtor(orig_var);
++
+ *orig_var = *entry;
+ } else {
+- (*entry)->is_ref = 1;
++ if ((*var_array)->refcount > 1) {
++ SEPARATE_ZVAL_TO_MAKE_IS_REF(entry);
++ } else {
++ (*entry)->is_ref = 1;
++ }
+ zval_add_ref(entry);
+ zend_hash_update(EG(active_symbol_table), final_name.c, final_name.len+1, (void **) entry, sizeof(zval *), NULL);
+ }
+@@ -1818,8 +1835,8 @@
+ hashtable and replace it with new one */
+ new_hash = php_splice(Z_ARRVAL_P(stack), 0, 0, &args[1], argc-1, NULL);
+ zend_hash_destroy(Z_ARRVAL_P(stack));
+- efree(Z_ARRVAL_P(stack));
+- Z_ARRVAL_P(stack) = new_hash;
++ *Z_ARRVAL_P(stack) = *new_hash;
++ FREE_HASHTABLE(new_hash);
+
+ /* Clean up and return the number of elements in the stack */
+ efree(args);
+@@ -1896,8 +1913,8 @@
+
+ /* Replace input array's hashtable with the new one */
+ zend_hash_destroy(Z_ARRVAL_P(array));
+- efree(Z_ARRVAL_P(array));
+- Z_ARRVAL_P(array) = new_hash;
++ *Z_ARRVAL_P(array) = *new_hash;
++ FREE_HASHTABLE(new_hash);
+
+ /* Clean up */
+ if (argc == 4)
+@@ -2384,8 +2401,8 @@
+
+ /* Copy the result hash into return value */
+ zend_hash_destroy(Z_ARRVAL_P(return_value));
+- efree(Z_ARRVAL_P(return_value));
+- Z_ARRVAL_P(return_value) = new_hash;
++ *Z_ARRVAL_P(return_value) = *new_hash;
++ FREE_HASHTABLE(new_hash);
+
+ /* Clean up */
+ efree(pads);
+@@ -2483,7 +2500,7 @@
+ zend_hash_index_update(Z_ARRVAL_P(return_value), num_key, entry, sizeof(entry), NULL);
+ break;
+ case HASH_KEY_IS_STRING:
+- new_key=estrndup(string_key,str_key_len);
++ new_key=estrndup(string_key,str_key_len - 1);
+ if (change_to_upper)
+ php_strtoupper(new_key, str_key_len - 1);
+ else
+@@ -2609,6 +2626,15 @@
+ /* copy the argument array */
+ *return_value = **args[0];
+ zval_copy_ctor(return_value);
++ if (return_value->value.ht == &EG(symbol_table)) {
++ HashTable *ht;
++ zval *tmp;
++
++ ALLOC_HASHTABLE(ht);
++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0);
++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
++ return_value->value.ht = ht;
++ }
+
+ /* go through the lists and look for common values */
+ while (*ptrs[0]) {
+@@ -2759,6 +2785,15 @@
+ /* copy the argument array */
+ *return_value = **args[0];
+ zval_copy_ctor(return_value);
++ if (return_value->value.ht == &EG(symbol_table)) {
++ HashTable *ht;
++ zval *tmp;
++
++ ALLOC_HASHTABLE(ht);
++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0);
++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
++ return_value->value.ht = ht;
++ }
+
+ /* go through the lists and look for values of ptr[0]
+ that are not in the others */
+@@ -3229,8 +3264,11 @@
+ efree(callback_name);
+
+ if (ZEND_NUM_ARGS() > 2) {
+- convert_to_long_ex(initial);
+- result = *initial;
++ ALLOC_ZVAL(result);
++ *result = **initial;
++ zval_copy_ctor(result);
++ convert_to_long(result);
++ INIT_PZVAL(result);
+ } else {
+ MAKE_STD_ZVAL(result);
+ ZVAL_NULL(result);
+@@ -3246,6 +3284,7 @@
+ if (result) {
+ *return_value = *result;
+ zval_copy_ctor(return_value);
++ zval_ptr_dtor(&result);
+ }
+ return;
+ }
+@@ -3282,6 +3321,7 @@
+ PHP_FUNCTION(array_filter)
+ {
+ zval **input, **callback = NULL;
++ zval *array, *func = NULL;
+ zval **operand;
+ zval **args[1];
+ zval *retval = NULL;
+@@ -3300,9 +3340,13 @@
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The first argument should be an array");
+ return;
+ }
++ if (callback) {
++ func = *callback;
++ }
++ array = *input;
+
+ if (ZEND_NUM_ARGS() > 1) {
+- if (!zend_is_callable(*callback, 0, &callback_name)) {
++ if (!zend_is_callable(func, 0, &callback_name)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The second argument, '%s', should be a valid callback", callback_name);
+ efree(callback_name);
+ return;
+@@ -3311,16 +3355,16 @@
+ }
+
+ array_init(return_value);
+- if (zend_hash_num_elements(Z_ARRVAL_PP(input)) == 0)
++ if (zend_hash_num_elements(Z_ARRVAL_P(array)) == 0)
+ return;
+
+- for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(input), &pos);
+- zend_hash_get_current_data_ex(Z_ARRVAL_PP(input), (void **)&operand, &pos) == SUCCESS;
+- zend_hash_move_forward_ex(Z_ARRVAL_PP(input), &pos)) {
++ for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(array), &pos);
++ zend_hash_get_current_data_ex(Z_ARRVAL_P(array), (void **)&operand, &pos) == SUCCESS;
++ zend_hash_move_forward_ex(Z_ARRVAL_P(array), &pos)) {
+
+- if (callback) {
++ if (func) {
+ args[0] = operand;
+- if (call_user_function_ex(EG(function_table), NULL, *callback, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) {
++ if (call_user_function_ex(EG(function_table), NULL, func, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) {
+ if (!zend_is_true(retval)) {
+ zval_ptr_dtor(&retval);
+ continue;
+@@ -3334,7 +3378,7 @@
+ continue;
+
+ zval_add_ref(operand);
+- switch (zend_hash_get_current_key_ex(Z_ARRVAL_PP(input), &string_key, &string_key_len, &num_key, 0, &pos)) {
++ switch (zend_hash_get_current_key_ex(Z_ARRVAL_P(array), &string_key, &string_key_len, &num_key, 0, &pos)) {
+ case HASH_KEY_IS_STRING:
+ zend_hash_update(Z_ARRVAL_P(return_value), string_key,
+ string_key_len, operand, sizeof(zval *), NULL);
+@@ -3401,6 +3445,7 @@
+ efree(array_pos);
+ return;
+ }
++ SEPARATE_ZVAL_IF_NOT_REF(pargs[i]);
+ args[i] = *pargs[i];
+ array_len[i] = zend_hash_num_elements(Z_ARRVAL_PP(pargs[i]));
+ if (array_len[i] > maxlen) {
+--- ext/standard/basic_functions.c 2005-01-18 12:01:20.000000000 +0100
++++ ext/standard/basic_functions.c 2005-10-31 23:29:26.000000000 +0100
+@@ -17,7 +17,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: basic_functions.c,v 1.543.2.47 2005/01/18 11:01:20 sniper Exp $ */
++/* $Id: basic_functions.c,v 1.543.2.51.2.3 2005/09/29 16:31:48 iliaa Exp $ */
+
+ #include "php.h"
+ #include "php_streams.h"
+@@ -42,18 +42,7 @@
+ #include <time.h>
+ #include <stdio.h>
+
+-#ifndef NETWARE
+ #include <netdb.h>
+-#else
+-/*#include "netware/env.h"*/ /* Temporary */
+-#ifdef NEW_LIBC /* Same headers hold good for Winsock and Berkeley sockets */
+-#include <netinet/in.h>
+-/*#include <arpa/inet.h>*/
+-#include <netdb.h>
+-#else
+-#include <sys/socket.h>
+-#endif
+-#endif
+
+ #if HAVE_ARPA_INET_H
+ # include <arpa/inet.h>
+@@ -813,8 +802,8 @@
+ PHP_FE(prev, first_arg_force_ref)
+ PHP_FE(next, first_arg_force_ref)
+ PHP_FE(reset, first_arg_force_ref)
+- PHP_FE(current, first_arg_force_ref)
+- PHP_FE(key, first_arg_force_ref)
++ PHP_FE(current, NULL)
++ PHP_FE(key, NULL)
+ PHP_FE(min, NULL)
+ PHP_FE(max, NULL)
+ PHP_FE(in_array, NULL)
+@@ -944,6 +933,13 @@
+ static void php_putenv_destructor(putenv_entry *pe)
+ {
+ if (pe->previous_value) {
++#if _MSC_VER
++ /* VS.Net has a bug in putenv() when setting a variable that
++ * is already set; if the SetEnvironmentVariable() API call
++ * fails, the Crt will double free() a string.
++ * We try to avoid this by setting our own value first */
++ SetEnvironmentVariable(pe->key, "bugbug");
++#endif
+ putenv(pe->previous_value);
+ } else {
+ # if HAVE_UNSETENV
+@@ -1232,11 +1228,10 @@
+ }
+ STR_FREE(BG(locale_string));
+
+- if (FG(stream_wrappers)) {
+- zend_hash_destroy(FG(stream_wrappers));
+- efree(FG(stream_wrappers));
+- FG(stream_wrappers) = NULL;
+- }
++ /*
++ FG(stream_wrappers) are destroyed
++ during php_request_shutdown()
++ */
+
+ PHP_RSHUTDOWN(fsock) (SHUTDOWN_FUNC_ARGS_PASSTHRU);
+ PHP_RSHUTDOWN(filestat) (SHUTDOWN_FUNC_ARGS_PASSTHRU);
+@@ -1430,6 +1425,14 @@
+ }
+ }
+
++#if _MSC_VER
++ /* VS.Net has a bug in putenv() when setting a variable that
++ * is already set; if the SetEnvironmentVariable() API call
++ * fails, the Crt will double free() a string.
++ * We try to avoid this by setting our own value first */
++ SetEnvironmentVariable(pe.key, "bugbug");
++#endif
++
+ if (putenv(pe.putenv_string) == 0) { /* success */
+ zend_hash_add(&BG(putenv_ht), pe.key, pe.key_len+1, (void **) &pe, sizeof(putenv_entry), NULL);
+ #ifdef HAVE_TZSET
+@@ -2089,17 +2092,21 @@
+ static int user_shutdown_function_call(php_shutdown_function_entry *shutdown_function_entry TSRMLS_DC)
+ {
+ zval retval;
++ char *function_name = NULL;
+
+- if (call_user_function( EG(function_table), NULL,
+- shutdown_function_entry->arguments[0],
+- &retval,
+- shutdown_function_entry->arg_count - 1,
+- shutdown_function_entry->arguments + 1
+- TSRMLS_CC ) == SUCCESS ) {
++ if (!zend_is_callable(shutdown_function_entry->arguments[0], 0, &function_name)) {
++ php_error(E_WARNING, "(Registered shutdown functions) Unable to call %s() - function does not exist", function_name);
++ } else if (call_user_function(EG(function_table), NULL,
++ shutdown_function_entry->arguments[0],
++ &retval,
++ shutdown_function_entry->arg_count - 1,
++ shutdown_function_entry->arguments + 1
++ TSRMLS_CC ) == SUCCESS)
++ {
+ zval_dtor(&retval);
+-
+- } else {
+- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to call %s() - function does not exist", Z_STRVAL_P(shutdown_function_entry->arguments[0]));
++ }
++ if (function_name) {
++ efree(function_name);
+ }
+ return 0;
+ }
+@@ -2192,6 +2199,7 @@
+ PHP_FUNCTION(register_shutdown_function)
+ {
+ php_shutdown_function_entry shutdown_function_entry;
++ char *function_name = NULL;
+ int i;
+
+ shutdown_function_entry.arg_count = ZEND_NUM_ARGS();
+@@ -2200,26 +2208,31 @@
+ WRONG_PARAM_COUNT;
+ }
+
+- shutdown_function_entry.arguments = (pval **) safe_emalloc(sizeof(pval *), shutdown_function_entry.arg_count, 0);
++ shutdown_function_entry.arguments = (zval **) safe_emalloc(sizeof(zval *), shutdown_function_entry.arg_count, 0);
+
+ if (zend_get_parameters_array(ht, shutdown_function_entry.arg_count, shutdown_function_entry.arguments) == FAILURE) {
+ RETURN_FALSE;
+ }
+
+- /* Prevent entering of anything but arrays/strings */
+- if (Z_TYPE_P(shutdown_function_entry.arguments[0]) != IS_ARRAY) {
+- convert_to_string(shutdown_function_entry.arguments[0]);
+- }
+-
+- if (!BG(user_shutdown_function_names)) {
+- ALLOC_HASHTABLE(BG(user_shutdown_function_names));
+- zend_hash_init(BG(user_shutdown_function_names), 0, NULL, (void (*)(void *)) user_shutdown_function_dtor, 0);
+- }
++ /* Prevent entering of anything but valid callback (syntax check only!) */
++ if (!zend_is_callable(shutdown_function_entry.arguments[0], 1, &function_name)) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid shutdown callback '%s' passed", function_name);
++ efree(shutdown_function_entry.arguments);
++ RETVAL_FALSE;
++ } else {
++ if (!BG(user_shutdown_function_names)) {
++ ALLOC_HASHTABLE(BG(user_shutdown_function_names));
++ zend_hash_init(BG(user_shutdown_function_names), 0, NULL, (void (*)(void *)) user_shutdown_function_dtor, 0);
++ }
+
+- for (i = 0; i < shutdown_function_entry.arg_count; i++) {
+- shutdown_function_entry.arguments[i]->refcount++;
++ for (i = 0; i < shutdown_function_entry.arg_count; i++) {
++ shutdown_function_entry.arguments[i]->refcount++;
++ }
++ zend_hash_next_index_insert(BG(user_shutdown_function_names), &shutdown_function_entry, sizeof(php_shutdown_function_entry), NULL);
++ }
++ if (function_name) {
++ efree(function_name);
+ }
+- zend_hash_next_index_insert(BG(user_shutdown_function_names), &shutdown_function_entry, sizeof(php_shutdown_function_entry), NULL);
+ }
+ /* }}} */
+
+@@ -3014,11 +3027,25 @@
+ prefix = va_arg(args, char *);
+ prefix_len = va_arg(args, uint);
+
+- new_key_len = prefix_len + hash_key->nKeyLength;
+- new_key = (char *) emalloc(new_key_len);
++ if (!prefix_len) {
++ if (!hash_key->nKeyLength) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard.");
++ return 0;
++ } else if (!strcmp(hash_key->arKey, "GLOBALS")) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite.");
++ return 0;
++ }
++ }
++
++ if (hash_key->nKeyLength) {
++ new_key_len = prefix_len + hash_key->nKeyLength;
++ new_key = (char *) emalloc(new_key_len);
+
+- memcpy(new_key, prefix, prefix_len);
+- memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
++ memcpy(new_key, prefix, prefix_len);
++ memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
++ } else {
++ new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h);
++ }
+
+ zend_hash_del(&EG(symbol_table), new_key, new_key_len);
+ ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0);
+--- ext/standard/string.c 2005-01-20 18:57:41.000000000 +0100
++++ ext/standard/string.c 2005-10-31 23:34:37.000000000 +0100
+@@ -18,7 +18,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: string.c,v 1.333.2.48 2005/01/20 17:57:41 iliaa Exp $ */
++/* $Id: string.c,v 1.333.2.52.2.1 2005/09/28 22:34:04 iliaa Exp $ */
+
+ /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
+
+@@ -1317,8 +1317,6 @@
+ if (!Z_STRLEN_PP(needle)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Empty delimiter.");
+ efree(haystack_orig);
+- zval_ptr_dtor(haystack);
+- zval_ptr_dtor(needle);
+ RETURN_FALSE;
+ }
+
+@@ -1339,8 +1337,6 @@
+ RETVAL_FALSE;
+ }
+
+- zval_ptr_dtor(haystack);
+- zval_ptr_dtor(needle);
+ efree(haystack_orig);
+ }
+ /* }}} */
+@@ -1576,7 +1572,13 @@
+ }
+
+ if (chunklen > Z_STRLEN_PP(p_str)) {
+- RETURN_STRINGL(Z_STRVAL_PP(p_str), Z_STRLEN_PP(p_str), 1);
++ /* to maintain BC, we must return original string + ending */
++ result_len = endlen + Z_STRLEN_PP(p_str);
++ result = emalloc(result_len + 1);
++ memcpy(result, Z_STRVAL_PP(p_str), Z_STRLEN_PP(p_str));
++ memcpy(result + Z_STRLEN_PP(p_str), end, endlen);
++ result[result_len] = '\0';
++ RETURN_STRINGL(result, result_len, 0);
+ }
+
+ if (!Z_STRLEN_PP(p_str)) {
+@@ -3169,7 +3179,6 @@
+ zval *sarg;
+ char *res = NULL;
+ int argCount;
+- int old_rg;
+
+ argCount = ARG_COUNT(ht);
+ if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) {
+@@ -3182,19 +3191,18 @@
+ res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg));
+ }
+
+- old_rg = PG(register_globals);
+ if (argCount == 1) {
+- PG(register_globals) = 1;
+- sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC);
++ zval tmp;
++ Z_ARRVAL(tmp) = EG(active_symbol_table);
++
++ sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);
+ } else {
+- PG(register_globals) = 0;
+ /* Clear out the array that was passed in. */
+ zval_dtor(*arrayArg);
+ array_init(*arrayArg);
+
+ sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC);
+ }
+- PG(register_globals) = old_rg;
+ }
+ /* }}} */
+
+--- main/php_variables.c 2004-10-18 17:08:46.000000000 +0200
++++ main/php_variables.c 2005-10-31 23:39:38.000000000 +0100
+@@ -16,7 +16,7 @@
+ | Zeev Suraski <zeev@zend.com> |
+ +----------------------------------------------------------------------+
+ */
+-/* $Id: php_variables.c,v 1.45.2.8 2004/10/18 15:08:46 tony2001 Exp $ */
++/* $Id: php_variables.c,v 1.45.2.13.2.4 2005/10/02 11:33:27 rrichards Exp $ */
+
+ #include <stdio.h>
+ #include "php.h"
+@@ -73,6 +73,10 @@
+ symtable1 = Z_ARRVAL_P(track_vars_array);
+ } else if (PG(register_globals)) {
+ symtable1 = EG(active_symbol_table);
++ /* GLOBALS hijack attempt, reject parameter */
++ if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)) {
++ return;
++ }
+ }
+ if (!symtable1) {
+ /* Nothing to do */
+@@ -99,6 +103,13 @@
+ zval_dtor(val);
+ return;
+ }
++
++ /* GLOBALS hijack attempt, reject parameter */
++ if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) {
++ zval_dtor(val);
++ return;
++ }
++
+ /* ensure that we don't have spaces or dots in the variable name (not binary safe) */
+ for (p=var; *p; p++) {
+ switch(*p) {
+@@ -182,11 +193,25 @@
+ if (!index) {
+ zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+ } else {
++ zval **tmp;
++
+ if (PG(magic_quotes_gpc) && (index!=var)) {
+ char *escaped_index = php_addslashes(index, index_len, &index_len, 0 TSRMLS_CC);
++
++ if (PG(http_globals)[TRACK_VARS_COOKIE] && symtable1 == Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_COOKIE]) &&
++ zend_hash_find(symtable1, escaped_index, index_len+1, (void **) &tmp) != FAILURE) {
++ efree(escaped_index);
++ break;
++ }
++
+ zend_hash_update(symtable1, escaped_index, index_len+1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+ efree(escaped_index);
+ } else {
++ if (PG(http_globals)[TRACK_VARS_COOKIE] && symtable1 == Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_COOKIE]) &&
++ zend_hash_find(symtable1, index, index_len+1, (void **) &tmp) != FAILURE) {
++ break;
++ }
++
+ zend_hash_update(symtable1, index, index_len+1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+ }
+ }
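Review bot: In the `main/php_variables.c` part of this patch, the two `strncmp` calls in the new `register_globals` guard test the same thing. `sizeof("GLOBALS")` and `sizeof("GLOBALS[")-1` are both 8, and comparing the literal `"GLOBALS"` over 8 bytes includes its terminator, so each side matches only a name that is exactly `GLOBALS`. If the second test was meant to cover the bracketed form, the literal needs the bracket: `!strncmp("GLOBALS[", var, sizeof("GLOBALS[")-1)`. The later `!strcmp("GLOBALS", var)` check presumably handles that case after the name is split, but that code is outside the visible lines. This early `return` also skips the `zval_dtor(val)` that the other rejection paths in the function perform, which looks like a leak; the same guard is repeated in `php4.4.0-globals_overwrite.patch`.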
diff --git a/dev-php/php-cgi/files/php4.3.11-phpinfo_xss.patch b/dev-php/php-cgi/files/php4.3.11-phpinfo_xss.patch
new file mode 100644
index 000000000000..2c7d9991794f
--- /dev/null
+++ b/dev-php/php-cgi/files/php4.3.11-phpinfo_xss.patch
@@ -0,0 +1,75 @@
+--- ext/standard/info.c 2004-06-09 17:10:19.000000000 +0200
++++ ext/standard/info.c 2005-11-01 01:22:42.000000000 +0100
+@@ -18,7 +18,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: info.c,v 1.218.2.16 2004/06/09 15:10:19 iliaa Exp $ */
++/* $Id: info.c,v 1.218.2.18.2.4 2005/08/16 00:26:02 iliaa Exp $ */
+
+ #include "php.h"
+ #include "php_ini.h"
+@@ -133,10 +133,21 @@
+ PUTS(" => ");
+ }
+ if (Z_TYPE_PP(tmp) == IS_ARRAY) {
++ zval *tmp3;
++ MAKE_STD_ZVAL(tmp3);
+ if (!sapi_module.phpinfo_as_text) {
+ PUTS("<pre>");
+ }
++ php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
+ zend_print_zval_r(*tmp, 0);
++ php_ob_get_buffer(tmp3 TSRMLS_CC);
++ php_end_ob_buffer(0, 0 TSRMLS_CC);
++
++ elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
++ PUTS(elem_esc);
++ efree(elem_esc);
++ zval_ptr_dtor(&tmp3);
++
+ if (!sapi_module.phpinfo_as_text) {
+ PUTS("</pre>");
+ }
+@@ -196,7 +207,7 @@
+ PHPAPI char *php_info_html_esc(char *string TSRMLS_DC)
+ {
+ int new_len;
+- return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC);
++ return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
+ }
+ /* }}} */
+
+@@ -408,7 +419,9 @@
+ if (expose_php && !sapi_module.phpinfo_as_text) {
+ PUTS("<a href=\"http://www.php.net/\"><img border=\"0\" src=\"");
+ if (SG(request_info).request_uri) {
+- PUTS(SG(request_info).request_uri);
++ char *elem_esc = php_info_html_esc(SG(request_info).request_uri TSRMLS_CC);
++ PUTS(elem_esc);
++ efree(elem_esc);
+ }
+ if ((ta->tm_mon==3) && (ta->tm_mday==1)) {
+ PUTS("?="PHP_EGG_LOGO_GUID"\" alt=\"Nadia!\" /></a>");
+@@ -510,7 +529,9 @@
+ if (expose_php && !sapi_module.phpinfo_as_text) {
+ PUTS("<a href=\"http://www.zend.com/\"><img border=\"0\" src=\"");
+ if (SG(request_info).request_uri) {
+- PUTS(SG(request_info).request_uri);
++ char *elem_esc = php_info_html_esc(SG(request_info).request_uri TSRMLS_CC);
++ PUTS(elem_esc);
++ efree(elem_esc);
+ }
+ PUTS("?="ZEND_LOGO_GUID"\" alt=\"Zend logo\" /></a>\n");
+ }
+@@ -525,7 +546,9 @@
+ php_info_print_hr();
+ PUTS("<h1><a href=\"");
+ if (SG(request_info).request_uri) {
+- PUTS(SG(request_info).request_uri);
++ char *elem_esc = php_info_html_esc(SG(request_info).request_uri TSRMLS_CC);
++ PUTS(elem_esc);
++ efree(elem_esc);
+ }
+ PUTS("?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000\">");
+ PUTS("PHP Credits");
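Review bot: The array branch added to `ext/standard/info.c` ignores the results of `php_start_ob_buffer()` and `php_ob_get_buffer()`, so the escaping fails open. If buffering cannot be started, `zend_print_zval_r()` writes the raw value straight to the page, and `Z_STRVAL_P(tmp3)` is then read from a zval that `MAKE_STD_ZVAL` allocated but nothing filled in. Guarding the buffered print with `if (php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC) == SUCCESS) {` and printing nothing on failure would keep the unescaped path closed. The function starts outside this hunk, and the same block is in `php4.4.0-phpinfo_xss.patch`.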
diff --git a/dev-php/php-cgi/files/php4.4.0-curl_safemode.patch b/dev-php/php-cgi/files/php4.4.0-curl_safemode.patch
new file mode 100644
index 000000000000..32a82e072077
--- /dev/null
+++ b/dev-php/php-cgi/files/php4.4.0-curl_safemode.patch
@@ -0,0 +1,46 @@
+--- ext/curl/curl.c 2005-06-02 23:05:06.000000000 +0200
++++ ext/curl/curl.c 2005-10-17 04:42:51.000000000 +0200
+@@ -16,7 +16,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: curl.c,v 1.124.2.30 2005/06/02 21:05:06 tony2001 Exp $ */
++/* $Id: curl.c,v 1.124.2.30.2.3 2005/10/17 02:42:51 iliaa Exp $ */
+
+ #ifdef HAVE_CONFIG_H
+ #include "config.h"
+@@ -66,7 +66,7 @@
+ #define CAAZ(s, v) add_assoc_zval_ex(return_value, s, sizeof(s), (zval *) v);
+
+ #define PHP_CURL_CHECK_OPEN_BASEDIR(str, len) \
+- if (PG(open_basedir) && *PG(open_basedir) && \
++ if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \
+ strncasecmp(str, "file://", sizeof("file://") - 1) == 0) \
+ { \
+ php_url *tmp_url; \
+@@ -76,7 +76,7 @@
+ RETURN_FALSE; \
+ } \
+ \
+- if (php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
++ if (tmp_url->query || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
+ (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \
+ ) { \
+ php_url_free(tmp_url); \
+@@ -992,10 +992,15 @@
+
+ postval = Z_STRVAL_PP(current);
+ if (*postval == '@') {
++ ++postval;
++ /* safe_mode / open_basedir check */
++ if (php_check_open_basedir(postval TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(postval, "rb+", CHECKUID_CHECK_MODE_PARAM))) {
++ RETURN_FALSE;
++ }
+ error = curl_formadd(&first, &last,
+ CURLFORM_COPYNAME, string_key,
+ CURLFORM_NAMELENGTH, (long)string_key_len - 1,
+- CURLFORM_FILE, ++postval,
++ CURLFORM_FILE, postval,
+ CURLFORM_END);
+ }
+ else {
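Review bot: The new `RETURN_FALSE` after the `php_check_open_basedir()` / `php_checkuid()` test leaves the function while `first` may already hold form parts added by earlier `curl_formadd()` calls, and nothing on this path releases them. The surrounding loop is outside the hunk, so this is inferred from the `&first, &last` arguments. If it holds, `curl_formfree(first);` before `RETURN_FALSE;` would avoid leaking the partial form whenever an upload path is rejected. The same lines appear in the 4.3.11 curl_safemode patch earlier on this page.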
diff --git a/dev-php/php-cgi/files/php4.4.0-globals_overwrite.patch b/dev-php/php-cgi/files/php4.4.0-globals_overwrite.patch
new file mode 100644
index 000000000000..3aefaee16295
--- /dev/null
+++ b/dev-php/php-cgi/files/php4.4.0-globals_overwrite.patch
@@ -0,0 +1,314 @@
+--- ext/standard/array.c 2005-06-21 14:11:19.000000000 +0200
++++ ext/standard/array.c 2005-11-01 00:40:11.000000000 +0100
+@@ -22,7 +22,7 @@
+ */
+
+
+-/* $Id: array.c,v 1.199.2.44.2.2 2005/06/21 12:11:19 dmitry Exp $ */
++/* $Id: array.c,v 1.199.2.44.2.9 2005/10/03 14:05:07 iliaa Exp $ */
+
+ #include "php.h"
+ #include "php_ini.h"
+@@ -1252,6 +1252,10 @@
+ /* break omitted intentionally */
+
+ case EXTR_OVERWRITE:
++ /* GLOBALS protection */
++ if (var_exists && !strcmp(var_name, "GLOBALS")) {
++ break;
++ }
+ smart_str_appendl(&final_name, var_name, var_name_len);
+ break;
+
+@@ -1300,11 +1304,11 @@
+ zval **orig_var;
+
+ if (zend_hash_find(EG(active_symbol_table), final_name.c, final_name.len+1, (void **) &orig_var) == SUCCESS) {
+- zval_ptr_dtor(orig_var);
+-
+ SEPARATE_ZVAL_TO_MAKE_IS_REF(entry);
+ zval_add_ref(entry);
+
++ zval_ptr_dtor(orig_var);
++
+ *orig_var = *entry;
+ } else {
+ if ((*var_array)->refcount > 1) {
+@@ -1831,8 +1835,8 @@
+ hashtable and replace it with new one */
+ new_hash = php_splice(Z_ARRVAL_P(stack), 0, 0, &args[1], argc-1, NULL);
+ zend_hash_destroy(Z_ARRVAL_P(stack));
+- efree(Z_ARRVAL_P(stack));
+- Z_ARRVAL_P(stack) = new_hash;
++ *Z_ARRVAL_P(stack) = *new_hash;
++ FREE_HASHTABLE(new_hash);
+
+ /* Clean up and return the number of elements in the stack */
+ efree(args);
+@@ -1909,8 +1913,8 @@
+
+ /* Replace input array's hashtable with the new one */
+ zend_hash_destroy(Z_ARRVAL_P(array));
+- efree(Z_ARRVAL_P(array));
+- Z_ARRVAL_P(array) = new_hash;
++ *Z_ARRVAL_P(array) = *new_hash;
++ FREE_HASHTABLE(new_hash);
+
+ /* Clean up */
+ if (argc == 4)
+@@ -2397,8 +2401,8 @@
+
+ /* Copy the result hash into return value */
+ zend_hash_destroy(Z_ARRVAL_P(return_value));
+- efree(Z_ARRVAL_P(return_value));
+- Z_ARRVAL_P(return_value) = new_hash;
++ *Z_ARRVAL_P(return_value) = *new_hash;
++ FREE_HASHTABLE(new_hash);
+
+ /* Clean up */
+ efree(pads);
+@@ -2622,6 +2626,15 @@
+ /* copy the argument array */
+ *return_value = **args[0];
+ zval_copy_ctor(return_value);
++ if (return_value->value.ht == &EG(symbol_table)) {
++ HashTable *ht;
++ zval *tmp;
++
++ ALLOC_HASHTABLE(ht);
++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0);
++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
++ return_value->value.ht = ht;
++ }
+
+ /* go through the lists and look for common values */
+ while (*ptrs[0]) {
+@@ -2772,6 +2785,15 @@
+ /* copy the argument array */
+ *return_value = **args[0];
+ zval_copy_ctor(return_value);
++ if (return_value->value.ht == &EG(symbol_table)) {
++ HashTable *ht;
++ zval *tmp;
++
++ ALLOC_HASHTABLE(ht);
++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0);
++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
++ return_value->value.ht = ht;
++ }
+
+ /* go through the lists and look for values of ptr[0]
+ that are not in the others */
+@@ -3299,6 +3321,7 @@
+ PHP_FUNCTION(array_filter)
+ {
+ zval **input, **callback = NULL;
++ zval *array, *func = NULL;
+ zval **operand;
+ zval **args[1];
+ zval *retval = NULL;
+@@ -3317,9 +3340,13 @@
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The first argument should be an array");
+ return;
+ }
++ if (callback) {
++ func = *callback;
++ }
++ array = *input;
+
+ if (ZEND_NUM_ARGS() > 1) {
+- if (!zend_is_callable(*callback, 0, &callback_name)) {
++ if (!zend_is_callable(func, 0, &callback_name)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The second argument, '%s', should be a valid callback", callback_name);
+ efree(callback_name);
+ return;
+@@ -3328,16 +3355,16 @@
+ }
+
+ array_init(return_value);
+- if (zend_hash_num_elements(Z_ARRVAL_PP(input)) == 0)
++ if (zend_hash_num_elements(Z_ARRVAL_P(array)) == 0)
+ return;
+
+- for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(input), &pos);
+- zend_hash_get_current_data_ex(Z_ARRVAL_PP(input), (void **)&operand, &pos) == SUCCESS;
+- zend_hash_move_forward_ex(Z_ARRVAL_PP(input), &pos)) {
++ for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(array), &pos);
++ zend_hash_get_current_data_ex(Z_ARRVAL_P(array), (void **)&operand, &pos) == SUCCESS;
++ zend_hash_move_forward_ex(Z_ARRVAL_P(array), &pos)) {
+
+- if (callback) {
++ if (func) {
+ args[0] = operand;
+- if (call_user_function_ex(EG(function_table), NULL, *callback, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) {
++ if (call_user_function_ex(EG(function_table), NULL, func, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) {
+ if (!zend_is_true(retval)) {
+ zval_ptr_dtor(&retval);
+ continue;
+@@ -3351,7 +3378,7 @@
+ continue;
+
+ zval_add_ref(operand);
+- switch (zend_hash_get_current_key_ex(Z_ARRVAL_PP(input), &string_key, &string_key_len, &num_key, 0, &pos)) {
++ switch (zend_hash_get_current_key_ex(Z_ARRVAL_P(array), &string_key, &string_key_len, &num_key, 0, &pos)) {
+ case HASH_KEY_IS_STRING:
+ zend_hash_update(Z_ARRVAL_P(return_value), string_key,
+ string_key_len, operand, sizeof(zval *), NULL);
+@@ -3418,6 +3445,7 @@
+ efree(array_pos);
+ return;
+ }
++ SEPARATE_ZVAL_IF_NOT_REF(pargs[i]);
+ args[i] = *pargs[i];
+ array_len[i] = zend_hash_num_elements(Z_ARRVAL_PP(pargs[i]));
+ if (array_len[i] > maxlen) {
+--- ext/standard/basic_functions.c 2005-05-16 10:55:31.000000000 +0200
++++ ext/standard/basic_functions.c 2005-11-01 00:40:30.000000000 +0100
+@@ -17,7 +17,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: basic_functions.c,v 1.543.2.51 2005/05/16 08:55:31 tony2001 Exp $ */
++/* $Id: basic_functions.c,v 1.543.2.51.2.3 2005/09/29 16:31:48 iliaa Exp $ */
+
+ #include "php.h"
+ #include "php_streams.h"
+@@ -42,18 +42,7 @@
+ #include <time.h>
+ #include <stdio.h>
+
+-#ifndef NETWARE
+ #include <netdb.h>
+-#else
+-/*#include "netware/env.h"*/ /* Temporary */
+-#ifdef NEW_LIBC /* Same headers hold good for Winsock and Berkeley sockets */
+-#include <netinet/in.h>
+-/*#include <arpa/inet.h>*/
+-#include <netdb.h>
+-#else
+-#include <sys/socket.h>
+-#endif
+-#endif
+
+ #if HAVE_ARPA_INET_H
+ # include <arpa/inet.h>
+@@ -813,8 +802,8 @@
+ PHP_FE(prev, first_arg_force_ref)
+ PHP_FE(next, first_arg_force_ref)
+ PHP_FE(reset, first_arg_force_ref)
+- PHP_FE(current, first_arg_force_ref)
+- PHP_FE(key, first_arg_force_ref)
++ PHP_FE(current, NULL)
++ PHP_FE(key, NULL)
+ PHP_FE(min, NULL)
+ PHP_FE(max, NULL)
+ PHP_FE(in_array, NULL)
+@@ -3038,11 +3027,25 @@
+ prefix = va_arg(args, char *);
+ prefix_len = va_arg(args, uint);
+
+- new_key_len = prefix_len + hash_key->nKeyLength;
+- new_key = (char *) emalloc(new_key_len);
++ if (!prefix_len) {
++ if (!hash_key->nKeyLength) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard.");
++ return 0;
++ } else if (!strcmp(hash_key->arKey, "GLOBALS")) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite.");
++ return 0;
++ }
++ }
++
++ if (hash_key->nKeyLength) {
++ new_key_len = prefix_len + hash_key->nKeyLength;
++ new_key = (char *) emalloc(new_key_len);
+
+- memcpy(new_key, prefix, prefix_len);
+- memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
++ memcpy(new_key, prefix, prefix_len);
++ memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
++ } else {
++ new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h);
++ }
+
+ zend_hash_del(&EG(symbol_table), new_key, new_key_len);
+ ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0);
+--- ext/standard/string.c 2005-06-02 10:50:52.000000000 +0200
++++ ext/standard/string.c 2005-11-01 00:40:20.000000000 +0100
+@@ -18,7 +18,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: string.c,v 1.333.2.52 2005/06/02 08:50:52 derick Exp $ */
++/* $Id: string.c,v 1.333.2.52.2.1 2005/09/28 22:34:04 iliaa Exp $ */
+
+ /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
+
+@@ -3179,7 +3179,6 @@
+ zval *sarg;
+ char *res = NULL;
+ int argCount;
+- int old_rg;
+
+ argCount = ARG_COUNT(ht);
+ if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) {
+@@ -3192,19 +3191,18 @@
+ res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg));
+ }
+
+- old_rg = PG(register_globals);
+ if (argCount == 1) {
+- PG(register_globals) = 1;
+- sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC);
++ zval tmp;
++ Z_ARRVAL(tmp) = EG(active_symbol_table);
++
++ sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);
+ } else {
+- PG(register_globals) = 0;
+ /* Clear out the array that was passed in. */
+ zval_dtor(*arrayArg);
+ array_init(*arrayArg);
+
+ sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC);
+ }
+- PG(register_globals) = old_rg;
+ }
+ /* }}} */
+
+--- main/php_variables.c 2005-05-17 20:42:35.000000000 +0200
++++ main/php_variables.c 2005-11-01 00:42:56.000000000 +0100
+@@ -16,7 +16,7 @@
+ | Zeev Suraski <zeev@zend.com> |
+ +----------------------------------------------------------------------+
+ */
+-/* $Id: php_variables.c,v 1.45.2.13 2005/05/17 18:42:35 iliaa Exp $ */
++/* $Id: php_variables.c,v 1.45.2.13.2.4 2005/10/02 11:33:27 rrichards Exp $ */
+
+ #include <stdio.h>
+ #include "php.h"
+@@ -73,6 +73,10 @@
+ symtable1 = Z_ARRVAL_P(track_vars_array);
+ } else if (PG(register_globals)) {
+ symtable1 = EG(active_symbol_table);
++ /* GLOBALS hijack attempt, reject parameter */
++ if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)) {
++ return;
++ }
+ }
+ if (!symtable1) {
+ /* Nothing to do */
+@@ -99,6 +103,13 @@
+ zval_dtor(val);
+ return;
+ }
++
++ /* GLOBALS hijack attempt, reject parameter */
++ if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) {
++ zval_dtor(val);
++ return;
++ }
++
+ /* ensure that we don't have spaces or dots in the variable name (not binary safe) */
+ for (p=var; *p; p++) {
+ switch(*p) {
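Review bot: In the `ext/standard/basic_functions.c` part, the numeric-key branch takes `new_key_len` from `spprintf()`, which returns the string length without the terminator. The string-key branch uses `prefix_len + hash_key->nKeyLength`, and the symbol-table lookups in this patch pass lengths that count the terminator (`final_name.len+1`). `zend_hash_del()` and `ZEND_SET_SYMBOL_WITH_LENGTH()` therefore appear to receive a length one byte short for prefixed numeric keys, so the entry would not match the variable name a script later looks up. Adding `new_key_len++;` after the `spprintf()` call would align the two branches. The enclosing function starts and ends outside the visible lines, and the 4.3.11 copy of this patch has the same branch.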
diff --git a/dev-php/php-cgi/files/php4.4.0-phpinfo_xss.patch b/dev-php/php-cgi/files/php4.4.0-phpinfo_xss.patch
new file mode 100644
index 000000000000..2f03ce4e273e
--- /dev/null
+++ b/dev-php/php-cgi/files/php4.4.0-phpinfo_xss.patch
@@ -0,0 +1,42 @@
+--- ext/standard/info.c 2005-06-07 15:37:33.000000000 +0200
++++ ext/standard/info.c 2005-11-01 01:26:54.000000000 +0100
+@@ -18,7 +18,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: info.c,v 1.218.2.18.2.1 2005/06/07 13:37:33 derick Exp $ */
++/* $Id: info.c,v 1.218.2.18.2.4 2005/08/16 00:26:02 iliaa Exp $ */
+
+ #include "php.h"
+ #include "php_ini.h"
+@@ -133,10 +133,21 @@
+ PUTS(" => ");
+ }
+ if (Z_TYPE_PP(tmp) == IS_ARRAY) {
++ zval *tmp3;
++ MAKE_STD_ZVAL(tmp3);
+ if (!sapi_module.phpinfo_as_text) {
+ PUTS("<pre>");
+ }
++ php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
+ zend_print_zval_r(*tmp, 0);
++ php_ob_get_buffer(tmp3 TSRMLS_CC);
++ php_end_ob_buffer(0, 0 TSRMLS_CC);
++
++ elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
++ PUTS(elem_esc);
++ efree(elem_esc);
++ zval_ptr_dtor(&tmp3);
++
+ if (!sapi_module.phpinfo_as_text) {
+ PUTS("</pre>");
+ }
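Review bot: The escaping added here only works if the temporary buffer holds the complete `zend_print_zval_r()` dump, yet `php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC)` requests a 4096-byte chunk size and the results of it and of `php_ob_get_buffer()` are not checked. If a chunked buffer is flushed to the next output layer once it passes the chunk size (worth confirming in main/output.c), a long dump would be written without going through `php_info_html_esc()`. If the buffer could not be started, `Z_STRVAL_P(tmp3)` reads a zval that was never given a string value. I would pass `0` as the chunk size and escape only when both calls return `SUCCESS`. The escaping also runs when `sapi_module.phpinfo_as_text` is set, so text output gets HTML entities. The same lines are in the php4.3.11 variant of this patch further down the page, and the enclosing function starts outside the hunk.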
+@@ -196,7 +207,7 @@
+ PHPAPI char *php_info_html_esc(char *string TSRMLS_DC)
+ {
+ int new_len;
+- return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC);
++ return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
+ }
+ /* }}} */
+
diff --git a/dev-php/php-cgi/php-cgi-4.3.11-r3.ebuild b/dev-php/php-cgi/php-cgi-4.3.11-r4.ebuild
index da81c96245a2..f2b937064d64 100644
--- a/dev-php/php-cgi/php-cgi-4.3.11-r3.ebuild
+++ b/dev-php/php-cgi/php-cgi-4.3.11-r4.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/dev-php/php-cgi/php-cgi-4.3.11-r3.ebuild,v 1.1 2005/10/29 22:16:13 chtekk Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-php/php-cgi/php-cgi-4.3.11-r4.ebuild,v 1.1 2005/11/02 22:11:28 chtekk Exp $
PHPSAPI="cgi"
inherit php-sapi eutils
@@ -37,6 +37,15 @@ src_unpack() {
epatch "${FILESDIR}/php4.3.11-gd_safe_mode.patch"
fi
+ # patch fo fix safe_mode bypass in CURL extension, bug #111032
+ use curl && epatch "${FILESDIR}/php4.3.11-curl_safemode.patch"
+
+ # patch $GLOBALS overwrite vulnerability, bug #111011 and bug #111014
+ epatch "${FILESDIR}/php4.3.11-globals_overwrite.patch"
+
+ # patch phpinfo() XSS vulnerability, bug #111015
+ epatch "${FILESDIR}/php4.3.11-phpinfo_xss.patch"
+
# patch open_basedir directory bypass, bug #102943
epatch "${FILESDIR}/php4.3.11-fopen_wrappers.patch"
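Review bot: The added comment reads `# patch fo fix safe_mode bypass in CURL extension, bug #111032`; it should be `# patch to fix safe_mode bypass in CURL extension, bug #111032`. The same typo is in the php-cgi-4.4.0-r4.ebuild hunk that follows. `src_unpack()` starts and ends outside the hunk.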
diff --git a/dev-php/php-cgi/php-cgi-4.4.0-r3.ebuild b/dev-php/php-cgi/php-cgi-4.4.0-r4.ebuild
index baf1865e49d7..4664d63c983a 100644
--- a/dev-php/php-cgi/php-cgi-4.4.0-r3.ebuild
+++ b/dev-php/php-cgi/php-cgi-4.4.0-r4.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/dev-php/php-cgi/php-cgi-4.4.0-r3.ebuild,v 1.1 2005/10/29 22:16:13 chtekk Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-php/php-cgi/php-cgi-4.4.0-r4.ebuild,v 1.1 2005/11/02 22:11:28 chtekk Exp $
PHPSAPI="cgi"
inherit php-sapi eutils
@@ -31,6 +31,15 @@ src_unpack() {
epatch "${FILESDIR}/php4.4.0-gd_safe_mode.patch"
fi
+ # patch fo fix safe_mode bypass in CURL extension, bug #111032
+ use curl && epatch "${FILESDIR}/php4.4.0-curl_safemode.patch"
+
+ # patch $GLOBALS overwrite vulnerability, bug #111011 and bug #111014
+ epatch "${FILESDIR}/php4.4.0-globals_overwrite.patch"
+
+ # patch phpinfo() XSS vulnerability, bug #111015
+ epatch "${FILESDIR}/php4.4.0-phpinfo_xss.patch"
+
# patch open_basedir directory bypass, bug #102943
epatch "${FILESDIR}/php4.4.0-fopen_wrappers.patch"
diff --git a/dev-php/php/ChangeLog b/dev-php/php/ChangeLog
index 3bf7ef81a868..b4ec9f588b37 100644
--- a/dev-php/php/ChangeLog
+++ b/dev-php/php/ChangeLog
@@ -1,6 +1,18 @@
# ChangeLog for dev-php/php
# Copyright 2002-2005 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-php/php/ChangeLog,v 1.196 2005/10/29 22:16:13 chtekk Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-php/php/ChangeLog,v 1.197 2005/11/02 22:10:15 chtekk Exp $
+
+*php-4.4.0-r3 (02 Nov 2005)
+*php-4.3.11-r3 (02 Nov 2005)
+
+ 02 Nov 2005; Luca Longinotti <chtekk@gentoo.org>
+ +files/php4.3.11-curl_safemode.patch, +files/php4.3.11-phpinfo_xss.patch,
+ +files/php4.3.11-globals_overwrite.patch,
+ +files/php4.4.0-curl_safemode.patch,
+ +files/php4.4.0-globals_overwrite.patch,
+ +files/php4.4.0-phpinfo_xss.patch, -php-4.3.11-r2.ebuild,
+ +php-4.3.11-r3.ebuild, -php-4.4.0-r2.ebuild, +php-4.4.0-r3.ebuild:
+ Security-update: fix bugs #111032, #111015, #111011 and bug #111014.
*php-4.4.0-r2 (29 Oct 2005)
*php-4.3.11-r2 (29 Oct 2005)
diff --git a/dev-php/php/Manifest b/dev-php/php/Manifest
index 98cfe0d7f0b9..03ed3f68b37b 100644
--- a/dev-php/php/Manifest
+++ b/dev-php/php/Manifest
@@ -1,29 +1,35 @@
-MD5 0e7ae5c94a581934de8321f4179340c2 ChangeLog 27393
+MD5 ac7ffd887fa7a1e038a43a8b0ec9a50e ChangeLog 27905
MD5 289778209b2df87dbc5052351e604b1a files/digest-php-4.3.11 213
MD5 a7b81d42cc56fdd6c72fbe2549dbe898 files/digest-php-4.3.11-r1 290
-MD5 a7b81d42cc56fdd6c72fbe2549dbe898 files/digest-php-4.3.11-r2 290
+MD5 a7b81d42cc56fdd6c72fbe2549dbe898 files/digest-php-4.3.11-r3 290
MD5 f25bbe20f37a0eb83f7a57ca2c3a25e3 files/digest-php-4.4.0 211
MD5 43c5b30a9e9bde68a44cf414341e32e8 files/digest-php-4.4.0-r1 288
-MD5 43c5b30a9e9bde68a44cf414341e32e8 files/digest-php-4.4.0-r2 288
+MD5 43c5b30a9e9bde68a44cf414341e32e8 files/digest-php-4.4.0-r3 288
MD5 cdec3284251432935f950c2d15a405b7 files/php-4.3.11-flash.patch 694
MD5 b2aa5952d5c805b3e57a5a6bf0f0b8d0 files/php-4.3.11-gmp.patch 925
MD5 7515e9b1dc298a0fb1c12d35a58c265d files/php-4.3.4-amd64hack.diff 1028
+MD5 09637e8f6f861b1f3698ec0390ec6b57 files/php4.3.11-curl_safemode.patch 5129
MD5 cb36a386184ed6a887f62d2205f57173 files/php4.3.11-fopen_wrappers.patch 1481
MD5 4db8e0b66cde22dd4e4d9f51e59f6098 files/php4.3.11-gd_safe_mode.patch 1573
+MD5 480060d9a5de72030e2fce541e2830f8 files/php4.3.11-globals_overwrite.patch 18395
MD5 47a031979331eeb527d0918d2c38cdbe files/php4.3.11-imap-symlink.diff 1238
MD5 a9b932952f12aa01a9f98a7fcbf32ed9 files/php4.3.11-pcre-security.patch 6031
+MD5 43b4113d1fb159955b0d5ed307cac143 files/php4.3.11-phpinfo_xss.patch 2518
MD5 48d9c939434e9b01d0696410d59c503c files/php4.3.11-pspell-ext-segf.patch 8482
MD5 17b906361a7ab8a3008446871623eeae files/php4.3.11-session_save_path-segf.patch 4938
+MD5 0429f8334ba4bab659a2e41ce5debc80 files/php4.4.0-curl_safemode.patch 1937
MD5 cb36a386184ed6a887f62d2205f57173 files/php4.4.0-fopen_wrappers.patch 1481
MD5 a540c54ba22dc16b157edcf1ecb6258f files/php4.4.0-gd_safe_mode.patch 883
+MD5 ac3e0691fbecf920d030a35bc8e02109 files/php4.4.0-globals_overwrite.patch 10115
MD5 4c86d8ed96f2bb38b94e826c1f028c80 files/php4.4.0-imap-symlink.diff 1238
MD5 54a4ad0766f89185d7de2c6d07b07296 files/php4.4.0-pcre-security.patch 6177
+MD5 57644300fb52ad610fa52ae8ba6b522b files/php4.4.0-phpinfo_xss.patch 1284
MD5 48d9c939434e9b01d0696410d59c503c files/php4.4.0-pspell-ext-segf.patch 8482
MD5 83fb9efb602c178741ea2e40e13b014f files/php4.4.0-session_save_path-segf.patch 4132
MD5 38fe937e954ab7109395cefa86fcd2d4 metadata.xml 384
MD5 5c877d02b146b5885cecc89b9f445c73 php-4.3.11-r1.ebuild 1972
-MD5 993a56d986729657e17be455f21d42e0 php-4.3.11-r2.ebuild 2543
+MD5 f819c0ccba33f6eb08037f5c02e7d5ba php-4.3.11-r3.ebuild 2901
MD5 7b0585a1b1826288946cd49c26d85d61 php-4.3.11.ebuild 1219
MD5 1bbf33997259477ea2ff61296875184e php-4.4.0-r1.ebuild 1831
-MD5 1543fa29d256cba7fc330a62ab00eecb php-4.4.0-r2.ebuild 2401
+MD5 750cdbe958d9343beb3817a9277ff623 php-4.4.0-r3.ebuild 2756
MD5 3457e095190ae0497eff026b2351bb14 php-4.4.0.ebuild 1082
diff --git a/dev-php/php/files/digest-php-4.3.11-r2 b/dev-php/php/files/digest-php-4.3.11-r3
index 252c3a932b24..252c3a932b24 100644
--- a/dev-php/php/files/digest-php-4.3.11-r2
+++ b/dev-php/php/files/digest-php-4.3.11-r3
diff --git a/dev-php/php/files/digest-php-4.4.0-r2 b/dev-php/php/files/digest-php-4.4.0-r3
index 077ffb8eedda..077ffb8eedda 100644
--- a/dev-php/php/files/digest-php-4.4.0-r2
+++ b/dev-php/php/files/digest-php-4.4.0-r3
diff --git a/dev-php/php/files/php4.3.11-curl_safemode.patch b/dev-php/php/files/php4.3.11-curl_safemode.patch
new file mode 100644
index 000000000000..f308dea57dde
--- /dev/null
+++ b/dev-php/php/files/php4.3.11-curl_safemode.patch
@@ -0,0 +1,141 @@
+--- ext/curl/curl.c 2005-03-14 10:03:09.000000000 +0100
++++ ext/curl/curl.c 2005-10-17 04:42:51.000000000 +0200
+@@ -16,7 +16,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: curl.c,v 1.124.2.29 2005/03/14 09:03:09 sniper Exp $ */
++/* $Id: curl.c,v 1.124.2.30.2.3 2005/10/17 02:42:51 iliaa Exp $ */
+
+ #ifdef HAVE_CONFIG_H
+ #include "config.h"
+@@ -66,7 +66,7 @@
+ #define CAAZ(s, v) add_assoc_zval_ex(return_value, s, sizeof(s), (zval *) v);
+
+ #define PHP_CURL_CHECK_OPEN_BASEDIR(str, len) \
+- if (PG(open_basedir) && *PG(open_basedir) && \
++ if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \
+ strncasecmp(str, "file://", sizeof("file://") - 1) == 0) \
+ { \
+ php_url *tmp_url; \
+@@ -76,7 +76,7 @@
+ RETURN_FALSE; \
+ } \
+ \
+- if (php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
++ if (tmp_url->query || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
+ (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \
+ ) { \
+ php_url_free(tmp_url); \
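Review bot: `tmp_url->path` goes into `php_check_open_basedir()` and `php_checkuid()` without a NULL test, and the new `tmp_url->query ||` rejection has no comment explaining it. Whether `php_url_parse()` can return a URL with no path component is not visible here, but widening the macro to `PG(safe_mode)` in the previous hunk sends more input through that dereference; `if (!tmp_url->path || tmp_url->query || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \` would fail closed. A comment such as `/* reject a query part: the path checked here must be the path libcurl opens */` would record the reason for the query test. The macro starts in the previous hunk and continues past this one.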
+@@ -436,10 +436,12 @@
+ zend_list_addref(ch->id);
+ ZVAL_STRINGL(argv[1], data, length, 1);
+
++ ch->in_callback = 1;
+ error = call_user_function(EG(function_table),
+ NULL,
+ t->func,
+ retval, 2, argv TSRMLS_CC);
++ ch->in_callback = 0;
+ if (error == FAILURE) {
+ php_error(E_WARNING, "%s(): Couldn't call the CURLOPT_WRITEFUNCTION",
+ get_active_function_name(TSRMLS_C));
+@@ -495,10 +497,12 @@
+ zend_list_addref(t->fd);
+ ZVAL_LONG(argv[2], (int) size * nmemb);
+
++ ch->in_callback = 1;
+ error = call_user_function(EG(function_table),
+ NULL,
+ t->func,
+ retval, 3, argv TSRMLS_CC);
++ ch->in_callback = 0;
+ if (error == FAILURE) {
+ php_error(E_WARNING, "%s(): Cannot call the CURLOPT_READFUNCTION",
+ get_active_function_name(TSRMLS_C));
+@@ -553,10 +557,12 @@
+ zend_list_addref(ch->id);
+ ZVAL_STRINGL(argv[1], data, length, 1);
+
++ ch->in_callback = 1;
+ error = call_user_function(EG(function_table),
+ NULL,
+ t->func,
+ retval, 2, argv TSRMLS_CC);
++ ch->in_callback = 0;
+ if (error == FAILURE) {
+ php_error(E_WARNING, "%s(): Couldn't call the CURLOPT_HEADERFUNCTION",
+ get_active_function_name(TSRMLS_C));
+@@ -606,10 +612,12 @@
+ ZVAL_STRING(argv[1], prompt, 1);
+ ZVAL_LONG(argv[2], buflen);
+
++ ch->in_callback = 1;
+ error = call_user_function(EG(function_table),
+ NULL,
+ func,
+ retval, 2, argv TSRMLS_CC);
++ ch->in_callback = 0;
+ if (error == FAILURE) {
+ php_error(E_WARNING, "%s(): Couldn't call the CURLOPT_PASSWDFUNCTION", get_active_function_name(TSRMLS_C));
+ } else if (Z_TYPE_P(retval) == IS_STRING) {
+@@ -680,7 +688,9 @@
+ (*ch)->handlers->write_header = ecalloc(1, sizeof(php_curl_write));
+ (*ch)->handlers->read = ecalloc(1, sizeof(php_curl_read));
+ memset(&(*ch)->err, 0, sizeof((*ch)->err));
+-
++
++ (*ch)->in_callback = 0;
++
+ zend_llist_init(&(*ch)->to_free.str, sizeof(char *),
+ (void(*)(void *)) curl_free_string, 0);
+ zend_llist_init(&(*ch)->to_free.slist, sizeof(struct curl_slist),
+@@ -982,10 +992,15 @@
+
+ postval = Z_STRVAL_PP(current);
+ if (*postval == '@') {
++ ++postval;
++ /* safe_mode / open_basedir check */
++ if (php_check_open_basedir(postval TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(postval, "rb+", CHECKUID_CHECK_MODE_PARAM))) {
++ RETURN_FALSE;
++ }
+ error = curl_formadd(&first, &last,
+ CURLFORM_COPYNAME, string_key,
+ CURLFORM_NAMELENGTH, (long)string_key_len - 1,
+- CURLFORM_FILE, ++postval,
++ CURLFORM_FILE, postval,
+ CURLFORM_END);
+ }
+ else {
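Review bot: The new `RETURN_FALSE` leaves the function while `first` may already hold parts added by earlier `curl_formadd()` calls, and nothing on this path releases them. Assuming this code sits inside the loop over the post fields (the loop header is outside the hunk) and ownership of `first` has not been handed to the handle yet, add `curl_formfree(first);` before `RETURN_FALSE;`.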
+@@ -1337,7 +1352,11 @@
+ WRONG_PARAM_COUNT;
+ }
+ ZEND_FETCH_RESOURCE(ch, php_curl *, zid, -1, le_curl_name, le_curl);
+-
++
++ if (ch->in_callback) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempt to close CURL handle from a callback");
++ return;
++ }
+ zend_list_delete(Z_LVAL_PP(zid));
+ }
+ /* }}} */
+--- ext/curl/php_curl.h 2002-12-31 17:34:15.000000000 +0100
++++ ext/curl/php_curl.h 2005-06-02 23:05:06.000000000 +0200
+@@ -17,7 +17,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: php_curl.h,v 1.29.2.1 2002/12/31 16:34:15 sebastian Exp $ */
++/* $Id: php_curl.h,v 1.29.2.2 2005/06/02 21:05:06 tony2001 Exp $ */
+
+ #ifndef _PHP_CURL_H
+ #define _PHP_CURL_H
+@@ -93,6 +93,7 @@
+ struct _php_curl_free to_free;
+ long id;
+ unsigned int uses;
++ zend_bool in_callback;
+ } php_curl;
+
+ /* streams support */
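Review bot: The new `in_callback` member has no comment, so its meaning is only recoverable from ext/curl/curl.c. Suggest `zend_bool in_callback; /* non-zero while a user callback runs; curl_close() refuses the handle then */`. The struct definition starts outside the hunk.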
diff --git a/dev-php/php/files/php4.3.11-globals_overwrite.patch b/dev-php/php/files/php4.3.11-globals_overwrite.patch
new file mode 100644
index 000000000000..d3eb55c5ee3e
--- /dev/null
+++ b/dev-php/php/files/php4.3.11-globals_overwrite.patch
@@ -0,0 +1,559 @@
+--- ext/standard/array.c 2004-12-23 17:40:03.000000000 +0100
++++ ext/standard/array.c 2005-10-31 23:26:23.000000000 +0100
+@@ -22,7 +22,7 @@
+ */
+
+
+-/* $Id: array.c,v 1.199.2.42 2004/12/23 16:40:03 tony2001 Exp $ */
++/* $Id: array.c,v 1.199.2.44.2.9 2005/10/03 14:05:07 iliaa Exp $ */
+
+ #include "php.h"
+ #include "php_ini.h"
+@@ -631,7 +640,7 @@
+ s = *((Bucket **) b);
+
+ if (f->nKeyLength) {
+- Z_STRVAL(key1) = estrndup(f->arKey, f->nKeyLength);
++ Z_STRVAL(key1) = estrndup(f->arKey, f->nKeyLength-1);
+ Z_STRLEN(key1) = f->nKeyLength-1;
+ Z_TYPE(key1) = IS_STRING;
+ } else {
+@@ -639,7 +648,7 @@
+ Z_TYPE(key1) = IS_LONG;
+ }
+ if (s->nKeyLength) {
+- Z_STRVAL(key2) = estrndup(s->arKey, s->nKeyLength);
++ Z_STRVAL(key2) = estrndup(s->arKey, s->nKeyLength-1);
+ Z_STRLEN(key2) = s->nKeyLength-1;
+ Z_TYPE(key2) = IS_STRING;
+ } else {
+@@ -1243,6 +1252,10 @@
+ /* break omitted intentionally */
+
+ case EXTR_OVERWRITE:
++ /* GLOBALS protection */
++ if (var_exists && !strcmp(var_name, "GLOBALS")) {
++ break;
++ }
+ smart_str_appendl(&final_name, var_name, var_name_len);
+ break;
+
+@@ -1291,14 +1304,18 @@
+ zval **orig_var;
+
+ if (zend_hash_find(EG(active_symbol_table), final_name.c, final_name.len+1, (void **) &orig_var) == SUCCESS) {
+- zval_ptr_dtor(orig_var);
+-
+ SEPARATE_ZVAL_TO_MAKE_IS_REF(entry);
+ zval_add_ref(entry);
+
++ zval_ptr_dtor(orig_var);
++
+ *orig_var = *entry;
+ } else {
+- (*entry)->is_ref = 1;
++ if ((*var_array)->refcount > 1) {
++ SEPARATE_ZVAL_TO_MAKE_IS_REF(entry);
++ } else {
++ (*entry)->is_ref = 1;
++ }
+ zval_add_ref(entry);
+ zend_hash_update(EG(active_symbol_table), final_name.c, final_name.len+1, (void **) entry, sizeof(zval *), NULL);
+ }
+@@ -1818,8 +1835,8 @@
+ hashtable and replace it with new one */
+ new_hash = php_splice(Z_ARRVAL_P(stack), 0, 0, &args[1], argc-1, NULL);
+ zend_hash_destroy(Z_ARRVAL_P(stack));
+- efree(Z_ARRVAL_P(stack));
+- Z_ARRVAL_P(stack) = new_hash;
++ *Z_ARRVAL_P(stack) = *new_hash;
++ FREE_HASHTABLE(new_hash);
+
+ /* Clean up and return the number of elements in the stack */
+ efree(args);
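Review bot: The struct copy `*Z_ARRVAL_P(stack) = *new_hash;` replaces a pointer swap without a comment saying why the HashTable has to keep its address. Presumably the array can be a table that other code refers to by address, such as `&EG(symbol_table)`, which the array_intersect hunk later in this patch tests for. A line like `/* copy in place: this HashTable may be referenced by address, e.g. the symbol table */` above the assignment would record that. The same unexplained pattern is in the hunks at -1896 and -2384.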
+@@ -1896,8 +1913,8 @@
+
+ /* Replace input array's hashtable with the new one */
+ zend_hash_destroy(Z_ARRVAL_P(array));
+- efree(Z_ARRVAL_P(array));
+- Z_ARRVAL_P(array) = new_hash;
++ *Z_ARRVAL_P(array) = *new_hash;
++ FREE_HASHTABLE(new_hash);
+
+ /* Clean up */
+ if (argc == 4)
+@@ -2384,8 +2401,8 @@
+
+ /* Copy the result hash into return value */
+ zend_hash_destroy(Z_ARRVAL_P(return_value));
+- efree(Z_ARRVAL_P(return_value));
+- Z_ARRVAL_P(return_value) = new_hash;
++ *Z_ARRVAL_P(return_value) = *new_hash;
++ FREE_HASHTABLE(new_hash);
+
+ /* Clean up */
+ efree(pads);
+@@ -2483,7 +2500,7 @@
+ zend_hash_index_update(Z_ARRVAL_P(return_value), num_key, entry, sizeof(entry), NULL);
+ break;
+ case HASH_KEY_IS_STRING:
+- new_key=estrndup(string_key,str_key_len);
++ new_key=estrndup(string_key,str_key_len - 1);
+ if (change_to_upper)
+ php_strtoupper(new_key, str_key_len - 1);
+ else
+@@ -2609,6 +2626,15 @@
+ /* copy the argument array */
+ *return_value = **args[0];
+ zval_copy_ctor(return_value);
++ if (return_value->value.ht == &EG(symbol_table)) {
++ HashTable *ht;
++ zval *tmp;
++
++ ALLOC_HASHTABLE(ht);
++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0);
++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
++ return_value->value.ht = ht;
++ }
+
+ /* go through the lists and look for common values */
+ while (*ptrs[0]) {
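Review bot: The added block that gives `return_value` its own HashTable when `return_value->value.ht == &EG(symbol_table)` has no comment explaining why the preceding `zval_copy_ctor()` is not enough. Presumably the copy constructor leaves the symbol table shared, so the element removal that follows would otherwise act on the live globals; a comment such as `/* $GLOBALS passed in: take a private copy so the removals below do not touch the symbol table */` would say so. The identical block is added again in the hunk at -2759, which deserves the same comment. The enclosing function starts and ends outside the hunk.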
+@@ -2759,6 +2785,15 @@
+ /* copy the argument array */
+ *return_value = **args[0];
+ zval_copy_ctor(return_value);
++ if (return_value->value.ht == &EG(symbol_table)) {
++ HashTable *ht;
++ zval *tmp;
++
++ ALLOC_HASHTABLE(ht);
++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0);
++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
++ return_value->value.ht = ht;
++ }
+
+ /* go through the lists and look for values of ptr[0]
+ that are not in the others */
+@@ -3229,8 +3264,11 @@
+ efree(callback_name);
+
+ if (ZEND_NUM_ARGS() > 2) {
+- convert_to_long_ex(initial);
+- result = *initial;
++ ALLOC_ZVAL(result);
++ *result = **initial;
++ zval_copy_ctor(result);
++ convert_to_long(result);
++ INIT_PZVAL(result);
+ } else {
+ MAKE_STD_ZVAL(result);
+ ZVAL_NULL(result);
+@@ -3246,6 +3284,7 @@
+ if (result) {
+ *return_value = *result;
+ zval_copy_ctor(return_value);
++ zval_ptr_dtor(&result);
+ }
+ return;
+ }
+@@ -3282,6 +3321,7 @@
+ PHP_FUNCTION(array_filter)
+ {
+ zval **input, **callback = NULL;
++ zval *array, *func = NULL;
+ zval **operand;
+ zval **args[1];
+ zval *retval = NULL;
+@@ -3300,9 +3340,13 @@
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The first argument should be an array");
+ return;
+ }
++ if (callback) {
++ func = *callback;
++ }
++ array = *input;
+
+ if (ZEND_NUM_ARGS() > 1) {
+- if (!zend_is_callable(*callback, 0, &callback_name)) {
++ if (!zend_is_callable(func, 0, &callback_name)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The second argument, '%s', should be a valid callback", callback_name);
+ efree(callback_name);
+ return;
+@@ -3311,16 +3355,16 @@
+ }
+
+ array_init(return_value);
+- if (zend_hash_num_elements(Z_ARRVAL_PP(input)) == 0)
++ if (zend_hash_num_elements(Z_ARRVAL_P(array)) == 0)
+ return;
+
+- for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(input), &pos);
+- zend_hash_get_current_data_ex(Z_ARRVAL_PP(input), (void **)&operand, &pos) == SUCCESS;
+- zend_hash_move_forward_ex(Z_ARRVAL_PP(input), &pos)) {
++ for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(array), &pos);
++ zend_hash_get_current_data_ex(Z_ARRVAL_P(array), (void **)&operand, &pos) == SUCCESS;
++ zend_hash_move_forward_ex(Z_ARRVAL_P(array), &pos)) {
+
+- if (callback) {
++ if (func) {
+ args[0] = operand;
+- if (call_user_function_ex(EG(function_table), NULL, *callback, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) {
++ if (call_user_function_ex(EG(function_table), NULL, func, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) {
+ if (!zend_is_true(retval)) {
+ zval_ptr_dtor(&retval);
+ continue;
+@@ -3334,7 +3378,7 @@
+ continue;
+
+ zval_add_ref(operand);
+- switch (zend_hash_get_current_key_ex(Z_ARRVAL_PP(input), &string_key, &string_key_len, &num_key, 0, &pos)) {
++ switch (zend_hash_get_current_key_ex(Z_ARRVAL_P(array), &string_key, &string_key_len, &num_key, 0, &pos)) {
+ case HASH_KEY_IS_STRING:
+ zend_hash_update(Z_ARRVAL_P(return_value), string_key,
+ string_key_len, operand, sizeof(zval *), NULL);
+@@ -3401,6 +3445,7 @@
+ efree(array_pos);
+ return;
+ }
++ SEPARATE_ZVAL_IF_NOT_REF(pargs[i]);
+ args[i] = *pargs[i];
+ array_len[i] = zend_hash_num_elements(Z_ARRVAL_PP(pargs[i]));
+ if (array_len[i] > maxlen) {
+--- ext/standard/basic_functions.c 2005-01-18 12:01:20.000000000 +0100
++++ ext/standard/basic_functions.c 2005-10-31 23:29:26.000000000 +0100
+@@ -17,7 +17,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: basic_functions.c,v 1.543.2.47 2005/01/18 11:01:20 sniper Exp $ */
++/* $Id: basic_functions.c,v 1.543.2.51.2.3 2005/09/29 16:31:48 iliaa Exp $ */
+
+ #include "php.h"
+ #include "php_streams.h"
+@@ -42,18 +42,7 @@
+ #include <time.h>
+ #include <stdio.h>
+
+-#ifndef NETWARE
+ #include <netdb.h>
+-#else
+-/*#include "netware/env.h"*/ /* Temporary */
+-#ifdef NEW_LIBC /* Same headers hold good for Winsock and Berkeley sockets */
+-#include <netinet/in.h>
+-/*#include <arpa/inet.h>*/
+-#include <netdb.h>
+-#else
+-#include <sys/socket.h>
+-#endif
+-#endif
+
+ #if HAVE_ARPA_INET_H
+ # include <arpa/inet.h>
+@@ -813,8 +802,8 @@
+ PHP_FE(prev, first_arg_force_ref)
+ PHP_FE(next, first_arg_force_ref)
+ PHP_FE(reset, first_arg_force_ref)
+- PHP_FE(current, first_arg_force_ref)
+- PHP_FE(key, first_arg_force_ref)
++ PHP_FE(current, NULL)
++ PHP_FE(key, NULL)
+ PHP_FE(min, NULL)
+ PHP_FE(max, NULL)
+ PHP_FE(in_array, NULL)
+@@ -944,6 +933,13 @@
+ static void php_putenv_destructor(putenv_entry *pe)
+ {
+ if (pe->previous_value) {
++#if _MSC_VER
++ /* VS.Net has a bug in putenv() when setting a variable that
++ * is already set; if the SetEnvironmentVariable() API call
++ * fails, the Crt will double free() a string.
++ * We try to avoid this by setting our own value first */
++ SetEnvironmentVariable(pe->key, "bugbug");
++#endif
+ putenv(pe->previous_value);
+ } else {
+ # if HAVE_UNSETENV
+@@ -1232,11 +1228,10 @@
+ }
+ STR_FREE(BG(locale_string));
+
+- if (FG(stream_wrappers)) {
+- zend_hash_destroy(FG(stream_wrappers));
+- efree(FG(stream_wrappers));
+- FG(stream_wrappers) = NULL;
+- }
++ /*
++ FG(stream_wrappers) are destroyed
++ during php_request_shutdown()
++ */
+
+ PHP_RSHUTDOWN(fsock) (SHUTDOWN_FUNC_ARGS_PASSTHRU);
+ PHP_RSHUTDOWN(filestat) (SHUTDOWN_FUNC_ARGS_PASSTHRU);
+@@ -1430,6 +1425,14 @@
+ }
+ }
+
++#if _MSC_VER
++ /* VS.Net has a bug in putenv() when setting a variable that
++ * is already set; if the SetEnvironmentVariable() API call
++ * fails, the Crt will double free() a string.
++ * We try to avoid this by setting our own value first */
++ SetEnvironmentVariable(pe.key, "bugbug");
++#endif
++
+ if (putenv(pe.putenv_string) == 0) { /* success */
+ zend_hash_add(&BG(putenv_ht), pe.key, pe.key_len+1, (void **) &pe, sizeof(putenv_entry), NULL);
+ #ifdef HAVE_TZSET
+@@ -2089,17 +2092,21 @@
+ static int user_shutdown_function_call(php_shutdown_function_entry *shutdown_function_entry TSRMLS_DC)
+ {
+ zval retval;
++ char *function_name = NULL;
+
+- if (call_user_function( EG(function_table), NULL,
+- shutdown_function_entry->arguments[0],
+- &retval,
+- shutdown_function_entry->arg_count - 1,
+- shutdown_function_entry->arguments + 1
+- TSRMLS_CC ) == SUCCESS ) {
++ if (!zend_is_callable(shutdown_function_entry->arguments[0], 0, &function_name)) {
++ php_error(E_WARNING, "(Registered shutdown functions) Unable to call %s() - function does not exist", function_name);
++ } else if (call_user_function(EG(function_table), NULL,
++ shutdown_function_entry->arguments[0],
++ &retval,
++ shutdown_function_entry->arg_count - 1,
++ shutdown_function_entry->arguments + 1
++ TSRMLS_CC ) == SUCCESS)
++ {
+ zval_dtor(&retval);
+-
+- } else {
+- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to call %s() - function does not exist", Z_STRVAL_P(shutdown_function_entry->arguments[0]));
++ }
++ if (function_name) {
++ efree(function_name);
+ }
+ return 0;
+ }
+@@ -2192,6 +2199,7 @@
+ PHP_FUNCTION(register_shutdown_function)
+ {
+ php_shutdown_function_entry shutdown_function_entry;
++ char *function_name = NULL;
+ int i;
+
+ shutdown_function_entry.arg_count = ZEND_NUM_ARGS();
+@@ -2200,26 +2208,31 @@
+ WRONG_PARAM_COUNT;
+ }
+
+- shutdown_function_entry.arguments = (pval **) safe_emalloc(sizeof(pval *), shutdown_function_entry.arg_count, 0);
++ shutdown_function_entry.arguments = (zval **) safe_emalloc(sizeof(zval *), shutdown_function_entry.arg_count, 0);
+
+ if (zend_get_parameters_array(ht, shutdown_function_entry.arg_count, shutdown_function_entry.arguments) == FAILURE) {
+ RETURN_FALSE;
+ }
+
+- /* Prevent entering of anything but arrays/strings */
+- if (Z_TYPE_P(shutdown_function_entry.arguments[0]) != IS_ARRAY) {
+- convert_to_string(shutdown_function_entry.arguments[0]);
+- }
+-
+- if (!BG(user_shutdown_function_names)) {
+- ALLOC_HASHTABLE(BG(user_shutdown_function_names));
+- zend_hash_init(BG(user_shutdown_function_names), 0, NULL, (void (*)(void *)) user_shutdown_function_dtor, 0);
+- }
++ /* Prevent entering of anything but valid callback (syntax check only!) */
++ if (!zend_is_callable(shutdown_function_entry.arguments[0], 1, &function_name)) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid shutdown callback '%s' passed", function_name);
++ efree(shutdown_function_entry.arguments);
++ RETVAL_FALSE;
++ } else {
++ if (!BG(user_shutdown_function_names)) {
++ ALLOC_HASHTABLE(BG(user_shutdown_function_names));
++ zend_hash_init(BG(user_shutdown_function_names), 0, NULL, (void (*)(void *)) user_shutdown_function_dtor, 0);
++ }
+
+- for (i = 0; i < shutdown_function_entry.arg_count; i++) {
+- shutdown_function_entry.arguments[i]->refcount++;
++ for (i = 0; i < shutdown_function_entry.arg_count; i++) {
++ shutdown_function_entry.arguments[i]->refcount++;
++ }
++ zend_hash_next_index_insert(BG(user_shutdown_function_names), &shutdown_function_entry, sizeof(php_shutdown_function_entry), NULL);
++ }
++ if (function_name) {
++ efree(function_name);
+ }
+- zend_hash_next_index_insert(BG(user_shutdown_function_names), &shutdown_function_entry, sizeof(php_shutdown_function_entry), NULL);
+ }
+ /* }}} */
+
+@@ -3014,11 +3027,25 @@
+ prefix = va_arg(args, char *);
+ prefix_len = va_arg(args, uint);
+
+- new_key_len = prefix_len + hash_key->nKeyLength;
+- new_key = (char *) emalloc(new_key_len);
++ if (!prefix_len) {
++ if (!hash_key->nKeyLength) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard.");
++ return 0;
++ } else if (!strcmp(hash_key->arKey, "GLOBALS")) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite.");
++ return 0;
++ }
++ }
++
++ if (hash_key->nKeyLength) {
++ new_key_len = prefix_len + hash_key->nKeyLength;
++ new_key = (char *) emalloc(new_key_len);
+
+- memcpy(new_key, prefix, prefix_len);
+- memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
++ memcpy(new_key, prefix, prefix_len);
++ memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
++ } else {
++ new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h);
++ }
+
+ zend_hash_del(&EG(symbol_table), new_key, new_key_len);
+ ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0);
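Review bot: In the new numeric-key branch `new_key_len` is the return value of `spprintf()`, which does not count the terminating NUL, while the string-key branch uses `prefix_len + hash_key->nKeyLength`, and `nKeyLength` does count it (the array.c hunks in this patch subtract 1 to get the string length). `zend_hash_del()` and `ZEND_SET_SYMBOL_WITH_LENGTH()` below therefore receive a length one short for numeric keys, so the imported variable is probably stored under a key that ordinary lookups will not match. Suggest `new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h) + 1;`. The enclosing function starts and ends outside the hunk.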
+--- ext/standard/string.c 2005-01-20 18:57:41.000000000 +0100
++++ ext/standard/string.c 2005-10-31 23:34:37.000000000 +0100
+@@ -18,7 +18,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: string.c,v 1.333.2.48 2005/01/20 17:57:41 iliaa Exp $ */
++/* $Id: string.c,v 1.333.2.52.2.1 2005/09/28 22:34:04 iliaa Exp $ */
+
+ /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
+
+@@ -1317,8 +1317,6 @@
+ if (!Z_STRLEN_PP(needle)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Empty delimiter.");
+ efree(haystack_orig);
+- zval_ptr_dtor(haystack);
+- zval_ptr_dtor(needle);
+ RETURN_FALSE;
+ }
+
+@@ -1339,8 +1337,6 @@
+ RETVAL_FALSE;
+ }
+
+- zval_ptr_dtor(haystack);
+- zval_ptr_dtor(needle);
+ efree(haystack_orig);
+ }
+ /* }}} */
+@@ -1576,7 +1572,13 @@
+ }
+
+ if (chunklen > Z_STRLEN_PP(p_str)) {
+- RETURN_STRINGL(Z_STRVAL_PP(p_str), Z_STRLEN_PP(p_str), 1);
++ /* to maintain BC, we must return original string + ending */
++ result_len = endlen + Z_STRLEN_PP(p_str);
++ result = emalloc(result_len + 1);
++ memcpy(result, Z_STRVAL_PP(p_str), Z_STRLEN_PP(p_str));
++ memcpy(result + Z_STRLEN_PP(p_str), end, endlen);
++ result[result_len] = '\0';
++ RETURN_STRINGL(result, result_len, 0);
+ }
+
+ if (!Z_STRLEN_PP(p_str)) {
+@@ -3169,7 +3179,6 @@
+ zval *sarg;
+ char *res = NULL;
+ int argCount;
+- int old_rg;
+
+ argCount = ARG_COUNT(ht);
+ if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) {
+@@ -3182,19 +3191,18 @@
+ res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg));
+ }
+
+- old_rg = PG(register_globals);
+ if (argCount == 1) {
+- PG(register_globals) = 1;
+- sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC);
++ zval tmp;
++ Z_ARRVAL(tmp) = EG(active_symbol_table);
++
++ sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);
+ } else {
+- PG(register_globals) = 0;
+ /* Clear out the array that was passed in. */
+ zval_dtor(*arrayArg);
+ array_init(*arrayArg);
+
+ sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC);
+ }
+- PG(register_globals) = old_rg;
+ }
+ /* }}} */
+
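Review bot: `tmp` in the one-argument branch is handed to `treat_data()` with only its hash-table pointer set; its type and reference count stay uninitialised and no comment says that this is intended. Either add `Z_TYPE(tmp) = IS_ARRAY;` so the zval is well formed, or a comment such as `/* tmp only carries the active symbol table; the callee may use nothing but Z_ARRVAL */`. With the `register_globals` toggle removed, GLOBALS rejection on this path appears to rest on the `symtable1 == EG(active_symbol_table)` check added in main/php_variables.c, which is worth naming in the same comment. The php4.4.0 variant of this patch at the top of the page has the same lines, and the function starts in the preceding hunk.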
+--- main/php_variables.c 2004-10-18 17:08:46.000000000 +0200
++++ main/php_variables.c 2005-10-31 23:39:38.000000000 +0100
+@@ -16,7 +16,7 @@
+ | Zeev Suraski <zeev@zend.com> |
+ +----------------------------------------------------------------------+
+ */
+-/* $Id: php_variables.c,v 1.45.2.8 2004/10/18 15:08:46 tony2001 Exp $ */
++/* $Id: php_variables.c,v 1.45.2.13.2.4 2005/10/02 11:33:27 rrichards Exp $ */
+
+ #include <stdio.h>
+ #include "php.h"
+@@ -73,6 +73,10 @@
+ symtable1 = Z_ARRVAL_P(track_vars_array);
+ } else if (PG(register_globals)) {
+ symtable1 = EG(active_symbol_table);
++ /* GLOBALS hijack attempt, reject parameter */
++ if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)) {
++ return;
++ }
+ }
+ if (!symtable1) {
+ /* Nothing to do */
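Review bot: The second `strncmp()` in the added check is equivalent to the first: both compare the literal `"GLOBALS"`, terminator included, over 8 bytes, so a name that begins with `GLOBALS[` is not matched here. The added `return` also skips the `zval_dtor(val)` that the rejection in the next hunk performs. Suggest `if (!strcmp("GLOBALS", var) || !strncmp("GLOBALS[", var, sizeof("GLOBALS[")-1)) {` followed by `zval_dtor(val);` and `return;`. The later `strcmp` check may still catch the array form if `var` has been cut at the bracket by then, but that code is outside the hunk. The php4.4.0 variant of this patch at the top of the page carries the same lines.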
+@@ -99,6 +103,13 @@
+ zval_dtor(val);
+ return;
+ }
++
++ /* GLOBALS hijack attempt, reject parameter */
++ if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) {
++ zval_dtor(val);
++ return;
++ }
++
+ /* ensure that we don't have spaces or dots in the variable name (not binary safe) */
+ for (p=var; *p; p++) {
+ switch(*p) {
+@@ -182,11 +193,25 @@
+ if (!index) {
+ zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+ } else {
++ zval **tmp;
++
+ if (PG(magic_quotes_gpc) && (index!=var)) {
+ char *escaped_index = php_addslashes(index, index_len, &index_len, 0 TSRMLS_CC);
++
++ if (PG(http_globals)[TRACK_VARS_COOKIE] && symtable1 == Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_COOKIE]) &&
++ zend_hash_find(symtable1, escaped_index, index_len+1, (void **) &tmp) != FAILURE) {
++ efree(escaped_index);
++ break;
++ }
++
+ zend_hash_update(symtable1, escaped_index, index_len+1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+ efree(escaped_index);
+ } else {
++ if (PG(http_globals)[TRACK_VARS_COOKIE] && symtable1 == Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_COOKIE]) &&
++ zend_hash_find(symtable1, index, index_len+1, (void **) &tmp) != FAILURE) {
++ break;
++ }
++
+ zend_hash_update(symtable1, index, index_len+1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+ }
+ }
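Review bot: Both added `break` statements leave without releasing `gpc_element`, and no comment says why an existing cookie entry must win over a later one. If `gpc_element` was allocated before the hunk, as its use in the `zend_hash_update()` calls suggests, add `zval_ptr_dtor(&gpc_element);` before each `break;` (the first branch already frees `escaped_index`). A comment such as `/* cookies: the first value seen for a name is kept, later duplicates are dropped */` would document the intent. The construct that `break` leaves is outside the hunk.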
diff --git a/dev-php/php/files/php4.3.11-phpinfo_xss.patch b/dev-php/php/files/php4.3.11-phpinfo_xss.patch
new file mode 100644
index 000000000000..2c7d9991794f
--- /dev/null
+++ b/dev-php/php/files/php4.3.11-phpinfo_xss.patch
@@ -0,0 +1,75 @@
+--- ext/standard/info.c 2004-06-09 17:10:19.000000000 +0200
++++ ext/standard/info.c 2005-11-01 01:22:42.000000000 +0100
+@@ -18,7 +18,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: info.c,v 1.218.2.16 2004/06/09 15:10:19 iliaa Exp $ */
++/* $Id: info.c,v 1.218.2.18.2.4 2005/08/16 00:26:02 iliaa Exp $ */
+
+ #include "php.h"
+ #include "php_ini.h"
+@@ -133,10 +133,21 @@
+ PUTS(" => ");
+ }
+ if (Z_TYPE_PP(tmp) == IS_ARRAY) {
++ zval *tmp3;
++ MAKE_STD_ZVAL(tmp3);
+ if (!sapi_module.phpinfo_as_text) {
+ PUTS("<pre>");
+ }
++ php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
+ zend_print_zval_r(*tmp, 0);
++ php_ob_get_buffer(tmp3 TSRMLS_CC);
++ php_end_ob_buffer(0, 0 TSRMLS_CC);
++
++ elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
++ PUTS(elem_esc);
++ efree(elem_esc);
++ zval_ptr_dtor(&tmp3);
++
+ if (!sapi_module.phpinfo_as_text) {
+ PUTS("</pre>");
+ }
+@@ -196,7 +207,7 @@
+ PHPAPI char *php_info_html_esc(char *string TSRMLS_DC)
+ {
+ int new_len;
+- return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC);
++ return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
+ }
+ /* }}} */
+
+@@ -408,7 +419,9 @@
+ if (expose_php && !sapi_module.phpinfo_as_text) {
+ PUTS("<a href=\"http://www.php.net/\"><img border=\"0\" src=\"");
+ if (SG(request_info).request_uri) {
+- PUTS(SG(request_info).request_uri);
++ char *elem_esc = php_info_html_esc(SG(request_info).request_uri TSRMLS_CC);
++ PUTS(elem_esc);
++ efree(elem_esc);
+ }
+ if ((ta->tm_mon==3) && (ta->tm_mday==1)) {
+ PUTS("?="PHP_EGG_LOGO_GUID"\" alt=\"Nadia!\" /></a>");
+@@ -510,7 +529,9 @@
+ if (expose_php && !sapi_module.phpinfo_as_text) {
+ PUTS("<a href=\"http://www.zend.com/\"><img border=\"0\" src=\"");
+ if (SG(request_info).request_uri) {
+- PUTS(SG(request_info).request_uri);
++ char *elem_esc = php_info_html_esc(SG(request_info).request_uri TSRMLS_CC);
++ PUTS(elem_esc);
++ efree(elem_esc);
+ }
+ PUTS("?="ZEND_LOGO_GUID"\" alt=\"Zend logo\" /></a>\n");
+ }
+@@ -525,7 +546,9 @@
+ php_info_print_hr();
+ PUTS("<h1><a href=\"");
+ if (SG(request_info).request_uri) {
+- PUTS(SG(request_info).request_uri);
++ char *elem_esc = php_info_html_esc(SG(request_info).request_uri TSRMLS_CC);
++ PUTS(elem_esc);
++ efree(elem_esc);
+ }
+ PUTS("?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000\">");
+ PUTS("PHP Credits");
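Review bot: In the `@@ -133,10 +133,21 @@` part, the buffered `zend_print_zval_r()` output is passed through `php_info_html_esc()` unconditionally, although the surrounding `<pre>` tags are emitted only when `!sapi_module.phpinfo_as_text`. Text-mode output would therefore presumably show arrays with HTML entities such as `&lt;` and `&#039;` in place of the original characters. Keeping the escape for the HTML case and writing the buffer unchanged otherwise, `if (!sapi_module.phpinfo_as_text) { elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC); PUTS(elem_esc); efree(elem_esc); } else { PUTS(Z_STRVAL_P(tmp3)); }`, would preserve the fix without changing plain-text output. The same lines appear in php4.4.0-phpinfo_xss.patch, and the enclosing function, including the declaration of `elem_esc`, is outside the hunk.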
diff --git a/dev-php/php/files/php4.4.0-curl_safemode.patch b/dev-php/php/files/php4.4.0-curl_safemode.patch
new file mode 100644
index 000000000000..32a82e072077
--- /dev/null
+++ b/dev-php/php/files/php4.4.0-curl_safemode.patch
@@ -0,0 +1,46 @@
+--- ext/curl/curl.c 2005-06-02 23:05:06.000000000 +0200
++++ ext/curl/curl.c 2005-10-17 04:42:51.000000000 +0200
+@@ -16,7 +16,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: curl.c,v 1.124.2.30 2005/06/02 21:05:06 tony2001 Exp $ */
++/* $Id: curl.c,v 1.124.2.30.2.3 2005/10/17 02:42:51 iliaa Exp $ */
+
+ #ifdef HAVE_CONFIG_H
+ #include "config.h"
+@@ -66,7 +66,7 @@
+ #define CAAZ(s, v) add_assoc_zval_ex(return_value, s, sizeof(s), (zval *) v);
+
+ #define PHP_CURL_CHECK_OPEN_BASEDIR(str, len) \
+- if (PG(open_basedir) && *PG(open_basedir) && \
++ if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \
+ strncasecmp(str, "file://", sizeof("file://") - 1) == 0) \
+ { \
+ php_url *tmp_url; \
+@@ -76,7 +76,7 @@
+ RETURN_FALSE; \
+ } \
+ \
+- if (php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
++ if (tmp_url->query || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
+ (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \
+ ) { \
+ php_url_free(tmp_url); \
+@@ -992,10 +992,15 @@
+
+ postval = Z_STRVAL_PP(current);
+ if (*postval == '@') {
++ ++postval;
++ /* safe_mode / open_basedir check */
++ if (php_check_open_basedir(postval TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(postval, "rb+", CHECKUID_CHECK_MODE_PARAM))) {
++ RETURN_FALSE;
++ }
+ error = curl_formadd(&first, &last,
+ CURLFORM_COPYNAME, string_key,
+ CURLFORM_NAMELENGTH, (long)string_key_len - 1,
+- CURLFORM_FILE, ++postval,
++ CURLFORM_FILE, postval,
+ CURLFORM_END);
+ }
+ else {
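Review bot: The new `RETURN_FALSE;` in the `@`-file branch leaves the function while `first`/`last` may already hold parts added by earlier `curl_formadd()` calls, and nothing visible here frees them. Unless cleanup outside this hunk covers that path, add `curl_formfree(first);` before the return. The added comment could also say why the check runs after the increment, for example `/* check the path that follows the leading '@', which is the file libcurl will read */`. The loop and the declarations of `first` and `last` are outside the hunk.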
diff --git a/dev-php/php/files/php4.4.0-globals_overwrite.patch b/dev-php/php/files/php4.4.0-globals_overwrite.patch
new file mode 100644
index 000000000000..3aefaee16295
--- /dev/null
+++ b/dev-php/php/files/php4.4.0-globals_overwrite.patch
@@ -0,0 +1,314 @@
+--- ext/standard/array.c 2005-06-21 14:11:19.000000000 +0200
++++ ext/standard/array.c 2005-11-01 00:40:11.000000000 +0100
+@@ -22,7 +22,7 @@
+ */
+
+
+-/* $Id: array.c,v 1.199.2.44.2.2 2005/06/21 12:11:19 dmitry Exp $ */
++/* $Id: array.c,v 1.199.2.44.2.9 2005/10/03 14:05:07 iliaa Exp $ */
+
+ #include "php.h"
+ #include "php_ini.h"
+@@ -1252,6 +1252,10 @@
+ /* break omitted intentionally */
+
+ case EXTR_OVERWRITE:
++ /* GLOBALS protection */
++ if (var_exists && !strcmp(var_name, "GLOBALS")) {
++ break;
++ }
+ smart_str_appendl(&final_name, var_name, var_name_len);
+ break;
+
+@@ -1300,11 +1304,11 @@
+ zval **orig_var;
+
+ if (zend_hash_find(EG(active_symbol_table), final_name.c, final_name.len+1, (void **) &orig_var) == SUCCESS) {
+- zval_ptr_dtor(orig_var);
+-
+ SEPARATE_ZVAL_TO_MAKE_IS_REF(entry);
+ zval_add_ref(entry);
+
++ zval_ptr_dtor(orig_var);
++
+ *orig_var = *entry;
+ } else {
+ if ((*var_array)->refcount > 1) {
+@@ -1831,8 +1835,8 @@
+ hashtable and replace it with new one */
+ new_hash = php_splice(Z_ARRVAL_P(stack), 0, 0, &args[1], argc-1, NULL);
+ zend_hash_destroy(Z_ARRVAL_P(stack));
+- efree(Z_ARRVAL_P(stack));
+- Z_ARRVAL_P(stack) = new_hash;
++ *Z_ARRVAL_P(stack) = *new_hash;
++ FREE_HASHTABLE(new_hash);
+
+ /* Clean up and return the number of elements in the stack */
+ efree(args);
+@@ -1909,8 +1913,8 @@
+
+ /* Replace input array's hashtable with the new one */
+ zend_hash_destroy(Z_ARRVAL_P(array));
+- efree(Z_ARRVAL_P(array));
+- Z_ARRVAL_P(array) = new_hash;
++ *Z_ARRVAL_P(array) = *new_hash;
++ FREE_HASHTABLE(new_hash);
+
+ /* Clean up */
+ if (argc == 4)
+@@ -2397,8 +2401,8 @@
+
+ /* Copy the result hash into return value */
+ zend_hash_destroy(Z_ARRVAL_P(return_value));
+- efree(Z_ARRVAL_P(return_value));
+- Z_ARRVAL_P(return_value) = new_hash;
++ *Z_ARRVAL_P(return_value) = *new_hash;
++ FREE_HASHTABLE(new_hash);
+
+ /* Clean up */
+ efree(pads);
+@@ -2622,6 +2626,15 @@
+ /* copy the argument array */
+ *return_value = **args[0];
+ zval_copy_ctor(return_value);
++ if (return_value->value.ht == &EG(symbol_table)) {
++ HashTable *ht;
++ zval *tmp;
++
++ ALLOC_HASHTABLE(ht);
++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0);
++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
++ return_value->value.ht = ht;
++ }
+
+ /* go through the lists and look for common values */
+ while (*ptrs[0]) {
+@@ -2772,6 +2785,15 @@
+ /* copy the argument array */
+ *return_value = **args[0];
+ zval_copy_ctor(return_value);
++ if (return_value->value.ht == &EG(symbol_table)) {
++ HashTable *ht;
++ zval *tmp;
++
++ ALLOC_HASHTABLE(ht);
++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0);
++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
++ return_value->value.ht = ht;
++ }
+
+ /* go through the lists and look for values of ptr[0]
+ that are not in the others */
+@@ -3299,6 +3321,7 @@
+ PHP_FUNCTION(array_filter)
+ {
+ zval **input, **callback = NULL;
++ zval *array, *func = NULL;
+ zval **operand;
+ zval **args[1];
+ zval *retval = NULL;
+@@ -3317,9 +3340,13 @@
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The first argument should be an array");
+ return;
+ }
++ if (callback) {
++ func = *callback;
++ }
++ array = *input;
+
+ if (ZEND_NUM_ARGS() > 1) {
+- if (!zend_is_callable(*callback, 0, &callback_name)) {
++ if (!zend_is_callable(func, 0, &callback_name)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The second argument, '%s', should be a valid callback", callback_name);
+ efree(callback_name);
+ return;
+@@ -3328,16 +3355,16 @@
+ }
+
+ array_init(return_value);
+- if (zend_hash_num_elements(Z_ARRVAL_PP(input)) == 0)
++ if (zend_hash_num_elements(Z_ARRVAL_P(array)) == 0)
+ return;
+
+- for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(input), &pos);
+- zend_hash_get_current_data_ex(Z_ARRVAL_PP(input), (void **)&operand, &pos) == SUCCESS;
+- zend_hash_move_forward_ex(Z_ARRVAL_PP(input), &pos)) {
++ for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(array), &pos);
++ zend_hash_get_current_data_ex(Z_ARRVAL_P(array), (void **)&operand, &pos) == SUCCESS;
++ zend_hash_move_forward_ex(Z_ARRVAL_P(array), &pos)) {
+
+- if (callback) {
++ if (func) {
+ args[0] = operand;
+- if (call_user_function_ex(EG(function_table), NULL, *callback, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) {
++ if (call_user_function_ex(EG(function_table), NULL, func, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) {
+ if (!zend_is_true(retval)) {
+ zval_ptr_dtor(&retval);
+ continue;
+@@ -3351,7 +3378,7 @@
+ continue;
+
+ zval_add_ref(operand);
+- switch (zend_hash_get_current_key_ex(Z_ARRVAL_PP(input), &string_key, &string_key_len, &num_key, 0, &pos)) {
++ switch (zend_hash_get_current_key_ex(Z_ARRVAL_P(array), &string_key, &string_key_len, &num_key, 0, &pos)) {
+ case HASH_KEY_IS_STRING:
+ zend_hash_update(Z_ARRVAL_P(return_value), string_key,
+ string_key_len, operand, sizeof(zval *), NULL);
+@@ -3418,6 +3445,7 @@
+ efree(array_pos);
+ return;
+ }
++ SEPARATE_ZVAL_IF_NOT_REF(pargs[i]);
+ args[i] = *pargs[i];
+ array_len[i] = zend_hash_num_elements(Z_ARRVAL_PP(pargs[i]));
+ if (array_len[i] > maxlen) {
+--- ext/standard/basic_functions.c 2005-05-16 10:55:31.000000000 +0200
++++ ext/standard/basic_functions.c 2005-11-01 00:40:30.000000000 +0100
+@@ -17,7 +17,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: basic_functions.c,v 1.543.2.51 2005/05/16 08:55:31 tony2001 Exp $ */
++/* $Id: basic_functions.c,v 1.543.2.51.2.3 2005/09/29 16:31:48 iliaa Exp $ */
+
+ #include "php.h"
+ #include "php_streams.h"
+@@ -42,18 +42,7 @@
+ #include <time.h>
+ #include <stdio.h>
+
+-#ifndef NETWARE
+ #include <netdb.h>
+-#else
+-/*#include "netware/env.h"*/ /* Temporary */
+-#ifdef NEW_LIBC /* Same headers hold good for Winsock and Berkeley sockets */
+-#include <netinet/in.h>
+-/*#include <arpa/inet.h>*/
+-#include <netdb.h>
+-#else
+-#include <sys/socket.h>
+-#endif
+-#endif
+
+ #if HAVE_ARPA_INET_H
+ # include <arpa/inet.h>
+@@ -813,8 +802,8 @@
+ PHP_FE(prev, first_arg_force_ref)
+ PHP_FE(next, first_arg_force_ref)
+ PHP_FE(reset, first_arg_force_ref)
+- PHP_FE(current, first_arg_force_ref)
+- PHP_FE(key, first_arg_force_ref)
++ PHP_FE(current, NULL)
++ PHP_FE(key, NULL)
+ PHP_FE(min, NULL)
+ PHP_FE(max, NULL)
+ PHP_FE(in_array, NULL)
+@@ -3038,11 +3027,25 @@
+ prefix = va_arg(args, char *);
+ prefix_len = va_arg(args, uint);
+
+- new_key_len = prefix_len + hash_key->nKeyLength;
+- new_key = (char *) emalloc(new_key_len);
++ if (!prefix_len) {
++ if (!hash_key->nKeyLength) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard.");
++ return 0;
++ } else if (!strcmp(hash_key->arKey, "GLOBALS")) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite.");
++ return 0;
++ }
++ }
++
++ if (hash_key->nKeyLength) {
++ new_key_len = prefix_len + hash_key->nKeyLength;
++ new_key = (char *) emalloc(new_key_len);
+
+- memcpy(new_key, prefix, prefix_len);
+- memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
++ memcpy(new_key, prefix, prefix_len);
++ memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
++ } else {
++ new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h);
++ }
+
+ zend_hash_del(&EG(symbol_table), new_key, new_key_len);
+ ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0);
+--- ext/standard/string.c 2005-06-02 10:50:52.000000000 +0200
++++ ext/standard/string.c 2005-11-01 00:40:20.000000000 +0100
+@@ -18,7 +18,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: string.c,v 1.333.2.52 2005/06/02 08:50:52 derick Exp $ */
++/* $Id: string.c,v 1.333.2.52.2.1 2005/09/28 22:34:04 iliaa Exp $ */
+
+ /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
+
+@@ -3179,7 +3179,6 @@
+ zval *sarg;
+ char *res = NULL;
+ int argCount;
+- int old_rg;
+
+ argCount = ARG_COUNT(ht);
+ if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) {
+@@ -3192,19 +3191,18 @@
+ res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg));
+ }
+
+- old_rg = PG(register_globals);
+ if (argCount == 1) {
+- PG(register_globals) = 1;
+- sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC);
++ zval tmp;
++ Z_ARRVAL(tmp) = EG(active_symbol_table);
++
++ sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);
+ } else {
+- PG(register_globals) = 0;
+ /* Clear out the array that was passed in. */
+ zval_dtor(*arrayArg);
+ array_init(*arrayArg);
+
+ sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC);
+ }
+- PG(register_globals) = old_rg;
+ }
+ /* }}} */
+
+--- main/php_variables.c 2005-05-17 20:42:35.000000000 +0200
++++ main/php_variables.c 2005-11-01 00:42:56.000000000 +0100
+@@ -16,7 +16,7 @@
+ | Zeev Suraski <zeev@zend.com> |
+ +----------------------------------------------------------------------+
+ */
+-/* $Id: php_variables.c,v 1.45.2.13 2005/05/17 18:42:35 iliaa Exp $ */
++/* $Id: php_variables.c,v 1.45.2.13.2.4 2005/10/02 11:33:27 rrichards Exp $ */
+
+ #include <stdio.h>
+ #include "php.h"
+@@ -73,6 +73,10 @@
+ symtable1 = Z_ARRVAL_P(track_vars_array);
+ } else if (PG(register_globals)) {
+ symtable1 = EG(active_symbol_table);
++ /* GLOBALS hijack attempt, reject parameter */
++ if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)) {
++ return;
++ }
+ }
+ if (!symtable1) {
+ /* Nothing to do */
+@@ -99,6 +103,13 @@
+ zval_dtor(val);
+ return;
+ }
++
++ /* GLOBALS hijack attempt, reject parameter */
++ if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) {
++ zval_dtor(val);
++ return;
++ }
++
+ /* ensure that we don't have spaces or dots in the variable name (not binary safe) */
+ for (p=var; *p; p++) {
+ switch(*p) {
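Review bot: In the main/php_variables.c part, the second clause of the new register_globals check, `!strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)`, compares against the literal `"GLOBALS"` over 8 bytes and is therefore the same test as the first clause; if the bracketed form was meant, the literal should be `"GLOBALS["`. That early `return;` also skips the `zval_dtor(val);` that the second rejection a few lines later performs, so the rejected value is presumably leaked; `zval_dtor(val); return;` would match the other exit paths shown. The same two lines appear in php4.3.11-globals_overwrite.patch. The enclosing function starts and ends outside the hunk, so it cannot be confirmed from here whether `var` has already been cut at `[` by the time the later `strcmp` check runs.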
diff --git a/dev-php/php/files/php4.4.0-phpinfo_xss.patch b/dev-php/php/files/php4.4.0-phpinfo_xss.patch
new file mode 100644
index 000000000000..2f03ce4e273e
--- /dev/null
+++ b/dev-php/php/files/php4.4.0-phpinfo_xss.patch
@@ -0,0 +1,42 @@
+--- ext/standard/info.c 2005-06-07 15:37:33.000000000 +0200
++++ ext/standard/info.c 2005-11-01 01:26:54.000000000 +0100
+@@ -18,7 +18,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: info.c,v 1.218.2.18.2.1 2005/06/07 13:37:33 derick Exp $ */
++/* $Id: info.c,v 1.218.2.18.2.4 2005/08/16 00:26:02 iliaa Exp $ */
+
+ #include "php.h"
+ #include "php_ini.h"
+@@ -133,10 +133,21 @@
+ PUTS(" => ");
+ }
+ if (Z_TYPE_PP(tmp) == IS_ARRAY) {
++ zval *tmp3;
++ MAKE_STD_ZVAL(tmp3);
+ if (!sapi_module.phpinfo_as_text) {
+ PUTS("<pre>");
+ }
++ php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
+ zend_print_zval_r(*tmp, 0);
++ php_ob_get_buffer(tmp3 TSRMLS_CC);
++ php_end_ob_buffer(0, 0 TSRMLS_CC);
++
++ elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
++ PUTS(elem_esc);
++ efree(elem_esc);
++ zval_ptr_dtor(&tmp3);
++
+ if (!sapi_module.phpinfo_as_text) {
+ PUTS("</pre>");
+ }
+@@ -196,7 +207,7 @@
+ PHPAPI char *php_info_html_esc(char *string TSRMLS_DC)
+ {
+ int new_len;
+- return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC);
++ return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
+ }
+ /* }}} */
+
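Review bot: The results of `php_start_ob_buffer()` and `php_ob_get_buffer()` are not checked before `Z_STRVAL_P(tmp3)` is handed to `php_info_html_esc()`. `tmp3` comes straight from `MAKE_STD_ZVAL`, so if buffering could not be started or read back it would presumably still be uninitialised when it is read and later passed to `zval_ptr_dtor()`. Initialising it with `ZVAL_NULL(tmp3);` and guarding the escape with `if (php_ob_get_buffer(tmp3 TSRMLS_CC) == SUCCESS)` would make the failure path defined. The same lines are in php4.3.11-phpinfo_xss.patch, and the enclosing function lies outside the hunk.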
diff --git a/dev-php/php/php-4.3.11-r2.ebuild b/dev-php/php/php-4.3.11-r3.ebuild
index 450cd3ea9a62..2eca9ef61b13 100644
--- a/dev-php/php/php-4.3.11-r2.ebuild
+++ b/dev-php/php/php-4.3.11-r3.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/dev-php/php/php-4.3.11-r2.ebuild,v 1.1 2005/10/29 22:16:13 chtekk Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-php/php/php-4.3.11-r3.ebuild,v 1.1 2005/11/02 22:10:15 chtekk Exp $
PHPSAPI="cli"
inherit php-sapi eutils
@@ -34,6 +34,15 @@ src_unpack() {
epatch "${FILESDIR}/php4.3.11-gd_safe_mode.patch"
fi
+ # patch fo fix safe_mode bypass in CURL extension, bug #111032
+ use curl && epatch "${FILESDIR}/php4.3.11-curl_safemode.patch"
+
+ # patch $GLOBALS overwrite vulnerability, bug #111011 and bug #111014
+ epatch "${FILESDIR}/php4.3.11-globals_overwrite.patch"
+
+ # patch phpinfo() XSS vulnerability, bug #111015
+ epatch "${FILESDIR}/php4.3.11-phpinfo_xss.patch"
+
# patch open_basedir directory bypass, bug #102943
epatch "${FILESDIR}/php4.3.11-fopen_wrappers.patch"
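Review bot: The added comment `# patch fo fix safe_mode bypass in CURL extension, bug #111032` has a typo; it should read `# patch to fix safe_mode bypass in CURL extension, bug #111032`. The same comment line is added in php-4.4.0-r3.ebuild. Since the curl patch is applied only under `use curl` while the other two are unconditional, a short remark such as `# only touches ext/curl, so skip it when the extension is not built` would make that difference explicit.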
diff --git a/dev-php/php/php-4.4.0-r2.ebuild b/dev-php/php/php-4.4.0-r3.ebuild
index 27681fe9d6e5..a2f79f5f4dc1 100644
--- a/dev-php/php/php-4.4.0-r2.ebuild
+++ b/dev-php/php/php-4.4.0-r3.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/dev-php/php/php-4.4.0-r2.ebuild,v 1.3 2005/10/29 22:33:54 chtekk Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-php/php/php-4.4.0-r3.ebuild,v 1.1 2005/11/02 22:10:15 chtekk Exp $
PHPSAPI="cli"
inherit php-sapi eutils
@@ -28,6 +28,15 @@ src_unpack() {
epatch "${FILESDIR}/php4.4.0-gd_safe_mode.patch"
fi
+ # patch fo fix safe_mode bypass in CURL extension, bug #111032
+ use curl && epatch "${FILESDIR}/php4.4.0-curl_safemode.patch"
+
+ # patch $GLOBALS overwrite vulnerability, bug #111011 and bug #111014
+ epatch "${FILESDIR}/php4.4.0-globals_overwrite.patch"
+
+ # patch phpinfo() XSS vulnerability, bug #111015
+ epatch "${FILESDIR}/php4.4.0-phpinfo_xss.patch"
+
# patch open_basedir directory bypass, bug #102943
epatch "${FILESDIR}/php4.4.0-fopen_wrappers.patch"