Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:rkwasny
php
php-5.1.4-security-fix-3.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File php-5.1.4-security-fix-3.patch of Package php
--- php-5.1.2/ext/curl/interface.c +++ php-5.1.2/ext/curl/interface.c @@ -119,6 +119,11 @@ RETURN_FALSE; \ } \ \ + if (php_memnstr(str, tmp_url->path, strlen(tmp_url->path), str + len)) { \ + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Url '%s' contains unencoded control characters.", str); \ + RETURN_FALSE; \ + } \ + \ if (tmp_url->query || tmp_url->fragment || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \ (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \ ) { \ @@ -979,7 +984,6 @@ case CURLOPT_FTPLISTONLY: case CURLOPT_FTPAPPEND: case CURLOPT_NETRC: - case CURLOPT_FOLLOWLOCATION: case CURLOPT_PUT: #if CURLOPT_MUTE != 0 case CURLOPT_MUTE: @@ -1030,6 +1034,16 @@ convert_to_long_ex(zvalue); error = curl_easy_setopt(ch->cp, option, Z_LVAL_PP(zvalue)); break; + case CURLOPT_FOLLOWLOCATION: + convert_to_long_ex(zvalue); + if ((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) { + if (Z_LVAL_PP(zvalue) != 0) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "CURLOPT_FOLLOWLOCATION cannot be activated when in safe_mode or an open_basedir is set"); + RETURN_FALSE; + } + } + error = curl_easy_setopt(ch->cp, option, Z_LVAL_PP(zvalue)); + break; case CURLOPT_URL: case CURLOPT_PROXY: case CURLOPT_USERPWD: --- php-5.1.2/ext/curl/streams.c +++ php-5.1.2/ext/curl/streams.c @@ -289,7 +289,11 @@ curl_easy_setopt(curlstream->curl, CURLOPT_WRITEHEADER, stream); /* currently buggy (bug is in curl) */ - curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1); + if ((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) { + curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 0); + } else { + curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1); + } curl_easy_setopt(curlstream->curl, CURLOPT_ERRORBUFFER, curlstream->errstr); curl_easy_setopt(curlstream->curl, CURLOPT_VERBOSE, 0); --- php-5.1.2/ext/standard/basic_functions.c +++ php-5.1.2/ext/standard/basic_functions.c @@ -2024,7 +2024,7 @@ break; case 3: /*save to a file */ - stream = php_stream_open_wrapper(opt, "a", IGNORE_URL | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL); + stream = php_stream_open_wrapper(opt, "a", IGNORE_URL_WIN | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL); if (!stream) return FAILURE; php_stream_write(stream, message, strlen(message)); --- php-5.1.2/ext/standard/string.c +++ php-5.1.2/ext/standard/string.c @@ -632,7 +632,8 @@ { const char *text, *breakchar = "\n"; char *newtext; - int textlen, breakcharlen = 1, newtextlen, alloced, chk; + int textlen, breakcharlen = 1, newtextlen, chk; + size_t alloced; long current = 0, laststart = 0, lastspace = 0; long linelength = 75; zend_bool docut = 0; @@ -4194,7 +4195,7 @@ zval **input_str; /* Input string */ zval **mult; /* Multiplier */ char *result; /* Resulting string */ - int result_len; /* Length of the resulting string */ + size_t result_len; /* Length of the resulting string */ if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &input_str, &mult) == FAILURE) { WRONG_PARAM_COUNT; @@ -4219,11 +4220,7 @@ /* Initialize the result string */ result_len = Z_STRLEN_PP(input_str) * Z_LVAL_PP(mult); - if (result_len < 1 || result_len > 2147483647) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "You may not create strings longer than 2147483647 bytes"); - RETURN_FALSE; - } - result = (char *)emalloc(result_len + 1); + result = (char *)safe_emalloc(Z_STRLEN_PP(input_str), Z_LVAL_PP(mult), 1); /* Heavy optimization for situations where input string is 1 byte long */ if (Z_STRLEN_PP(input_str) == 1) { --- php-5.1.2/main/main.c +++ php-5.1.2/main/main.c @@ -1091,6 +1091,11 @@ sapi_add_header(SAPI_PHP_VERSION_HEADER, sizeof(SAPI_PHP_VERSION_HEADER)-1, 1); } + /* Disable realpath cache if safe_mode or open_basedir are set */ + if (PG(safe_mode) || (PG(open_basedir) && *PG(open_basedir))) { + CWDG(realpath_cache_size_limit) = 0; + } + if (PG(output_handler) && PG(output_handler)[0]) { php_start_ob_buffer_named(PG(output_handler), 0, 1 TSRMLS_CC); } else if (PG(output_buffering)) { --- php-5.1.2/Zend/zend_alloc.c +++ php-5.1.2/Zend/zend_alloc.c @@ -72,7 +72,15 @@ #define CHECK_MEMORY_LIMIT(s, rs) _CHECK_MEMORY_LIMIT(s, rs, NULL, 0) # endif -#define _CHECK_MEMORY_LIMIT(s, rs, file, lineno) { AG(allocated_memory) += rs;\ +#define _CHECK_MEMORY_LIMIT(s, rs, file, lineno) { if ((ssize_t)(rs) > (ssize_t)(INT_MAX - AG(allocated_memory))) { \ + if (file) { \ + fprintf(stderr, "Integer overflow in memory_limit check detected at %s:%d\n", file, lineno); \ + } else { \ + fprintf(stderr, "Integer overflow in memory_limit check detected\n"); \ + } \ + exit(1); \ + } \ + AG(allocated_memory) += rs;\ if (AG(memory_limit)<AG(allocated_memory)) {\ int php_mem_limit = AG(memory_limit); \ AG(allocated_memory) -= rs; \ @@ -142,11 +150,15 @@ ZEND_API void *_emalloc(size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC) { - zend_mem_header *p; + zend_mem_header *p = NULL; DECLARE_CACHE_VARS(); TSRMLS_FETCH(); CALCULATE_REAL_SIZE_AND_CACHE_INDEX(size); + + if (size > INT_MAX || SIZE < size) { + goto emalloc_error; + } #if !ZEND_DISABLE_MEMORY_CACHE if ((CACHE_INDEX < MAX_CACHED_MEMORY) && (AG(cache_count)[CACHE_INDEX] > 0)) { @@ -184,6 +196,8 @@ } #endif +emalloc_error: + HANDLE_BLOCK_INTERRUPTIONS(); if (!p) { @@ -357,6 +371,13 @@ CALCULATE_REAL_SIZE_AND_CACHE_INDEX(size); HANDLE_BLOCK_INTERRUPTIONS(); + + if (size > INT_MAX || SIZE < size) { + REMOVE_POINTER_FROM_LIST(p); + p = NULL; + goto erealloc_error; + } + #if MEMORY_LIMIT CHECK_MEMORY_LIMIT(size - p->size, SIZE - REAL_SIZE(p->size)); if (AG(allocated_memory) > AG(allocated_memory_peak)) { @@ -365,6 +386,7 @@ #endif REMOVE_POINTER_FROM_LIST(p); p = (zend_mem_header *) ZEND_DO_REALLOC(p, sizeof(zend_mem_header)+MEM_HEADER_PADDING+SIZE+END_MAGIC_SIZE); +erealloc_error: if (!p) { if (!allow_failure) { fprintf(stderr,"FATAL: erealloc(): Unable to allocate %ld bytes\n", (long) size); --- php-5.1.2/ext/wddx/wddx.c 2006/04/23 16:02:05 1.119.2.10 +++ php-5.1.2/ext/wddx/wddx.c 2006/08/02 22:03:47 1.119.2.10.2.6 @@ -366,53 +366,22 @@ /* {{{ php_wddx_serialize_string */ -static void php_wddx_serialize_string(wddx_packet *packet, zval *var) +static void php_wddx_serialize_string(wddx_packet *packet, zval *var TSRMLS_DC) { - char *buf, - *p, - *vend, - control_buf[WDDX_BUF_LEN]; - int l; - php_wddx_add_chunk_static(packet, WDDX_STRING_S); if (Z_STRLEN_P(var) > 0) { - l = 0; - vend = Z_STRVAL_P(var) + Z_STRLEN_P(var); - buf = (char *)emalloc(Z_STRLEN_P(var) + 1); - - for(p = Z_STRVAL_P(var); p != vend; p++) { - switch (*p) { - case '<': - FLUSH_BUF(); - php_wddx_add_chunk_static(packet, "<"); - break; - - case '&': - FLUSH_BUF(); - php_wddx_add_chunk_static(packet, "&"); - break; - - case '>': - FLUSH_BUF(); - php_wddx_add_chunk_static(packet, ">"); - break; - - default: - if (iscntrl((int)*(unsigned char *)p)) { - FLUSH_BUF(); - sprintf(control_buf, WDDX_CHAR, *p); - php_wddx_add_chunk(packet, control_buf); - } else - buf[l++] = *p; - break; - } - } + char *buf, *enc; + int buf_len, enc_len; + + buf = php_escape_html_entities(Z_STRVAL_P(var), Z_STRLEN_P(var), &buf_len, 0, ENT_QUOTES, NULL TSRMLS_CC); + enc = xml_utf8_encode(buf, buf_len, &enc_len, "ISO-8859-1"); + + php_wddx_add_chunk_ex(packet, enc, enc_len); - FLUSH_BUF(); efree(buf); + efree(enc); } - php_wddx_add_chunk_static(packet, WDDX_STRING_E); } /* }}} */ @@ -638,7 +607,7 @@ switch(Z_TYPE_P(var)) { case IS_STRING: - php_wddx_serialize_string(packet, var); + php_wddx_serialize_string(packet, var TSRMLS_CC); break; case IS_LONG: @@ -723,7 +692,7 @@ if (!strcmp(name, EL_PACKET)) { int i; - for (i=0; atts[i]; i++) { + if (atts) for (i=0; atts[i]; i++) { if (!strcmp(atts[i], EL_VERSION)) { /* nothing for now */ } @@ -751,7 +720,7 @@ } else if (!strcmp(name, EL_CHAR)) { int i; - for (i = 0; atts[i]; i++) { + if (atts) for (i = 0; atts[i]; i++) { if (!strcmp(atts[i], EL_CHAR_CODE) && atts[++i] && atts[i][0]) { char tmp_buf[2]; @@ -771,7 +740,7 @@ } else if (!strcmp(name, EL_BOOLEAN)) { int i; - for (i = 0; atts[i]; i++) { + if (atts) for (i = 0; atts[i]; i++) { if (!strcmp(atts[i], EL_VALUE) && atts[++i] && atts[i][0]) { ent.type = ST_BOOLEAN; SET_STACK_VARNAME; @@ -812,7 +781,7 @@ } else if (!strcmp(name, EL_VAR)) { int i; - for (i = 0; atts[i]; i++) { + if (atts) for (i = 0; atts[i]; i++) { if (!strcmp(atts[i], EL_NAME) && atts[++i] && atts[i][0]) { char *decoded; int decoded_len; @@ -829,7 +798,7 @@ MAKE_STD_ZVAL(ent.data); array_init(ent.data); - for (i = 0; atts[i]; i++) { + if (atts) for (i = 0; atts[i]; i++) { if (!strcmp(atts[i], "fieldNames") && atts[++i] && atts[i][0]) { zval *tmp; char *key; @@ -869,7 +838,7 @@ ent.varname = NULL; ent.data = NULL; - for (i = 0; atts[i]; i++) { + if (atts) for (i = 0; atts[i]; i++) { if (!strcmp(atts[i], EL_NAME) && atts[++i] && atts[i][0]) { char *decoded; int decoded_len; --- php-5.1.2/ext/xml/xml.c 2006/06/15 18:33:09 1.157.2.4.2.1 +++ php-5.1.2/ext/xml/xml.c 2006/08/02 15:21:54 1.157.2.4.2.2 @@ -79,7 +79,6 @@ inline static char xml_decode_iso_8859_1(unsigned short); inline static unsigned short xml_encode_us_ascii(unsigned char); inline static char xml_decode_us_ascii(unsigned short); -static XML_Char *xml_utf8_encode(const char *, int, int *, const XML_Char *); static zval *xml_call_handler(xml_parser *, zval *, zend_function *, int, zval **); static zval *_xml_xmlchar_zval(const XML_Char *, int, const XML_Char *); static int _xml_xmlcharlen(const XML_Char *); @@ -497,7 +496,7 @@ /* }}} */ /* {{{ xml_utf8_encode */ -static XML_Char *xml_utf8_encode(const char *s, int len, int *newlen, const XML_Char *encoding) +PHPAPI char *xml_utf8_encode(const char *s, int len, int *newlen, const XML_Char *encoding) { int pos = len; char *newbuf; --- php-5.1.2/ext/xml/php_xml.h 2006/06/15 18:33:09 1.28.2.2.2.1 +++ php-5.1.2/ext/xml/php_xml.h 2006/08/02 15:21:54 1.28.2.2.2.2 @@ -141,6 +141,7 @@ PHPAPI char *_xml_zval_strdup(zval *val); PHPAPI char *xml_utf8_decode(const XML_Char *, int, int *, const XML_Char *); +PHPAPI char *xml_utf8_encode(const char *s, int len, int *newlen, const XML_Char *encoding); #endif /* HAVE_LIBEXPAT */
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
