pajoye Thu, 18 Nov 2010 15:22:22 +0000
Revision: http://svn.php.net/viewvc?view=revision&revision=305507
Log:
- fix #39863, do not accept paths with NULL in them. See
http://news.php.net/php.internals/50191, trunk will have the patch later
(adding a macro and/or changing (some) APIs. Patch by Rasmus
Bug: http://bugs.php.net/39863 (Open) file_exists() silently truncates after a
null byte
Changed paths:
U php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h
U php/php-src/branches/PHP_5_3/ext/bz2/bz2.c
U php/php-src/branches/PHP_5_3/ext/com_dotnet/com_persist.c
U php/php-src/branches/PHP_5_3/ext/enchant/enchant.c
U php/php-src/branches/PHP_5_3/ext/fileinfo/fileinfo.c
U php/php-src/branches/PHP_5_3/ext/gd/gd.c
U php/php-src/branches/PHP_5_3/ext/gd/gd_ctx.c
U php/php-src/branches/PHP_5_3/ext/imap/php_imap.c
U php/php-src/branches/PHP_5_3/ext/oci8/oci8_interface.c
U php/php-src/branches/PHP_5_3/ext/odbc/php_odbc.c
U php/php-src/branches/PHP_5_3/ext/openssl/openssl.c
U php/php-src/branches/PHP_5_3/ext/pgsql/pgsql.c
U php/php-src/branches/PHP_5_3/ext/posix/posix.c
U php/php-src/branches/PHP_5_3/ext/pspell/pspell.c
U php/php-src/branches/PHP_5_3/ext/sqlite/sqlite.c
U php/php-src/branches/PHP_5_3/ext/sqlite3/sqlite3.c
U php/php-src/branches/PHP_5_3/ext/standard/basic_functions.c
U php/php-src/branches/PHP_5_3/ext/standard/dir.c
U php/php-src/branches/PHP_5_3/ext/standard/file.c
U php/php-src/branches/PHP_5_3/ext/standard/filestat.c
U php/php-src/branches/PHP_5_3/ext/standard/ftok.c
U php/php-src/branches/PHP_5_3/ext/standard/iptc.c
U php/php-src/branches/PHP_5_3/ext/standard/link.c
U php/php-src/branches/PHP_5_3/ext/tidy/tidy.c
U php/php-src/branches/PHP_5_3/ext/xsl/xsltprocessor.c
U php/php-src/branches/PHP_5_3/ext/zip/php_zip.c
U php/php-src/branches/PHP_5_3/main/fopen_wrappers.c
Modified: php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h
===================================================================
--- php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h 2010-11-18 14:59:28 UTC (rev 305506)
+++ php/php-src/branches/PHP_5_3/Zend/zend_vm_execute.h 2010-11-18 15:22:22 UTC (rev 305507)
@@ -1880,6 +1880,16 @@
return_value_used = RETURN_VALUE_USED(opline);
+ if (Z_LVAL(opline->op2.u.constant) != ZEND_EVAL && strlen(Z_STRVAL_P(inc_filename)) != Z_STRLEN_P(inc_filename)) {
+ if (Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE_ONCE ||
+ Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE) {
+ zend_message_dispatcher(ZMSG_FAILED_INCLUDE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
+ } else {
+ zend_message_dispatcher(ZMSG_FAILED_REQUIRE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
+ }
+ goto done;
+ }
+
switch (Z_LVAL(opline->op2.u.constant)) {
case ZEND_INCLUDE_ONCE:
case ZEND_REQUIRE_ONCE: {
@@ -1933,6 +1943,7 @@
break;
EMPTY_SWITCH_DEFAULT_CASE()
}
+done:
if (inc_filename==&tmp_inc_filename) {
zval_dtor(&tmp_inc_filename);
}
@@ -5154,6 +5165,16 @@
return_value_used = RETURN_VALUE_USED(opline);
+ if (Z_LVAL(opline->op2.u.constant) != ZEND_EVAL && strlen(Z_STRVAL_P(inc_filename)) != Z_STRLEN_P(inc_filename)) {
+ if (Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE_ONCE ||
+ Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE) {
+ zend_message_dispatcher(ZMSG_FAILED_INCLUDE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
+ } else {
+ zend_message_dispatcher(ZMSG_FAILED_REQUIRE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
+ }
+ goto done;
+ }
+
switch (Z_LVAL(opline->op2.u.constant)) {
case ZEND_INCLUDE_ONCE:
case ZEND_REQUIRE_ONCE: {
@@ -5207,6 +5228,7 @@
break;
EMPTY_SWITCH_DEFAULT_CASE()
}
+done:
if (inc_filename==&tmp_inc_filename) {
zval_dtor(&tmp_inc_filename);
}
@@ -8524,6 +8546,16 @@
return_value_used = RETURN_VALUE_USED(opline);
+ if (Z_LVAL(opline->op2.u.constant) != ZEND_EVAL && strlen(Z_STRVAL_P(inc_filename)) != Z_STRLEN_P(inc_filename)) {
+ if (Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE_ONCE ||
+ Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE) {
+ zend_message_dispatcher(ZMSG_FAILED_INCLUDE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
+ } else {
+ zend_message_dispatcher(ZMSG_FAILED_REQUIRE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
+ }
+ goto done;
+ }
+
switch (Z_LVAL(opline->op2.u.constant)) {
case ZEND_INCLUDE_ONCE:
case ZEND_REQUIRE_ONCE: {
@@ -8577,6 +8609,7 @@
break;
EMPTY_SWITCH_DEFAULT_CASE()
}
+done:
if (inc_filename==&tmp_inc_filename) {
zval_dtor(&tmp_inc_filename);
}
@@ -22387,6 +22420,16 @@
return_value_used = RETURN_VALUE_USED(opline);
+ if (Z_LVAL(opline->op2.u.constant) != ZEND_EVAL && strlen(Z_STRVAL_P(inc_filename)) != Z_STRLEN_P(inc_filename)) {
+ if (Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE_ONCE ||
+ Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE) {
+ zend_message_dispatcher(ZMSG_FAILED_INCLUDE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
+ } else {
+ zend_message_dispatcher(ZMSG_FAILED_REQUIRE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
+ }
+ goto done;
+ }
+
switch (Z_LVAL(opline->op2.u.constant)) {
case ZEND_INCLUDE_ONCE:
case ZEND_REQUIRE_ONCE: {
@@ -22440,6 +22483,7 @@
break;
EMPTY_SWITCH_DEFAULT_CASE()
}
+done:
if (inc_filename==&tmp_inc_filename) {
zval_dtor(&tmp_inc_filename);
}
Modified: php/php-src/branches/PHP_5_3/ext/bz2/bz2.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/bz2/bz2.c 2010-11-18 14:59:28 UTC (rev 305506)
+++ php/php-src/branches/PHP_5_3/ext/bz2/bz2.c 2010-11-18 15:22:22 UTC (rev 305507)
@@ -387,6 +387,9 @@
if (Z_TYPE_PP(file) == IS_STRING) {
convert_to_string_ex(file);
+ if (strlen(Z_STRVAL_PP(file)) != Z_STRLEN_PP(file)) {
+ RETURN_FALSE;
+ }
if (Z_STRLEN_PP(file) == 0) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "filename cannot be empty");
RETURN_FALSE;
Modified: php/php-src/branches/PHP_5_3/ext/com_dotnet/com_persist.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/com_dotnet/com_persist.c 2010-11-18 14:59:28 UTC (rev 305506)
+++ php/php-src/branches/PHP_5_3/ext/com_dotnet/com_persist.c 2010-11-18 15:22:22 UTC (rev 305507)
@@ -389,6 +389,9 @@
}
if (filename) {
+ if (strlen(filename) != filename_len) {
+ RETURN_FALSE;
+ }
fullpath = expand_filepath(filename, NULL TSRMLS_CC);
if (!fullpath) {
RETURN_FALSE;
@@ -453,6 +456,10 @@
return;
}
+ if (strlen(filename) != filename_len) {
+ RETURN_FALSE;
+ }
+
if (!(fullpath = expand_filepath(filename, NULL TSRMLS_CC))) {
RETURN_FALSE;
}
Modified: php/php-src/branches/PHP_5_3/ext/enchant/enchant.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/enchant/enchant.c 2010-11-18 14:59:28 UTC (rev 305506)
+++ php/php-src/branches/PHP_5_3/ext/enchant/enchant.c 2010-11-18 15:22:22 UTC (rev 305507)
@@ -591,6 +591,10 @@
RETURN_FALSE;
}
+ if (strlen(pwl) != pwllen) {
+ RETURN_FALSE;
+ }
+
#if PHP_API_VERSION < 20100412
if ((PG(safe_mode) && (!php_checkuid(pwl, NULL, CHECKUID_CHECK_FILE_AND_DIR))) || php_check_open_basedir(pwl TSRMLS_CC)) {
#else
Modified: php/php-src/branches/PHP_5_3/ext/fileinfo/fileinfo.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/fileinfo/fileinfo.c 2010-11-18 14:59:28 UTC (rev 305506)
+++ php/php-src/branches/PHP_5_3/ext/fileinfo/fileinfo.c 2010-11-18 15:22:22 UTC (rev 305507)
@@ -294,6 +294,9 @@
if (file_len == 0) {
file = NULL;
} else if (file && *file) { /* user specified file, perform open_basedir checks */
+ if (strlen(file) != file_len) {
+ RETURN_FALSE;
+ }
if (!VCWD_REALPATH(file, resolved_path)) {
RETURN_FALSE;
}
Modified: php/php-src/branches/PHP_5_3/ext/gd/gd.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/gd/gd.c 2010-11-18 14:59:28 UTC (rev 305506)
+++ php/php-src/branches/PHP_5_3/ext/gd/gd.c 2010-11-18 15:22:22 UTC (rev 305507)
@@ -2642,6 +2642,9 @@
}
if (argc >= 2 && file_len) {
+ if (strlen(file) != file_len) {
+ RETURN_FALSE;
+ }
PHP_GD_CHECK_OPEN_BASEDIR(fn, "Invalid filename");
fp = VCWD_FOPEN(fn, "wb");
@@ -4552,6 +4555,14 @@
dest_width = width;
int_threshold = threshold;
+ if (strlen(f_org) != f_org_len) {
+ RETURN_FALSE;
+ }
+
+ if (strlen(f_dest) != f_dest_len) {
+ RETURN_FALSE;
+ }
+
/* Check threshold value */
if (int_threshold < 0 || int_threshold > 8) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid threshold value '%d'", int_threshold);
Modified: php/php-src/branches/PHP_5_3/ext/gd/gd_ctx.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/gd/gd_ctx.c 2010-11-18 14:59:28 UTC (rev 305506)
+++ php/php-src/branches/PHP_5_3/ext/gd/gd_ctx.c 2010-11-18 15:22:22 UTC (rev 305507)
@@ -91,6 +91,9 @@
}
if (argc > 1 && file_len) {
+ if (strlen(file) != file_len) {
+ RETURN_FALSE;
+ }
PHP_GD_CHECK_OPEN_BASEDIR(file, "Invalid filename");
fp = VCWD_FOPEN(file, "wb");
Modified: php/php-src/branches/PHP_5_3/ext/imap/php_imap.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/imap/php_imap.c 2010-11-18 14:59:28 UTC (rev 305506)
+++ php/php-src/branches/PHP_5_3/ext/imap/php_imap.c 2010-11-18 15:22:22 UTC (rev 305507)
@@ -1218,10 +1218,14 @@
}
/* local filename, need to perform open_basedir and safe_mode checks */
- if (mailbox[0] != '{' &&
- (php_check_open_basedir(mailbox TSRMLS_CC) ||
- (PG(safe_mode) && !php_checkuid(mailbox, NULL, CHECKUID_CHECK_FILE_AND_DIR)))) {
- RETURN_FALSE;
+ if (mailbox[0] != '{') {
+ if (strlen(mailbox) != mailbox_len) {
+ RETURN_FALSE;
+ }
+ if (php_check_open_basedir(mailbox TSRMLS_CC) ||
+ (PG(safe_mode) && !php_checkuid(mailbox, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
+ RETURN_FALSE;
+ }
}
IMAPG(imap_user) = estrndup(user, user_len);
Modified: php/php-src/branches/PHP_5_3/ext/oci8/oci8_interface.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/oci8/oci8_interface.c 2010-11-18 14:59:28 UTC (rev 305506)
+++ php/php-src/branches/PHP_5_3/ext/oci8/oci8_interface.c 2010-11-18 15:22:22 UTC (rev 305507)
@@ -276,6 +276,10 @@
return;
}
}
+
+ if (strlen(filename) != filename_len) {
+ RETURN_FALSE;
+ }
if (zend_hash_find(Z_OBJPROP_P(z_descriptor), "descriptor", sizeof("descriptor"), (void **)&tmp) == FAILURE) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to find descriptor property");
@@ -667,7 +671,7 @@
RETURN_FALSE;
}
}
-
+
if (zend_hash_find(Z_OBJPROP_P(z_descriptor), "descriptor", sizeof("descriptor"), (void **)&tmp) == FAILURE) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to find descriptor property");
RETURN_FALSE;
@@ -928,6 +932,10 @@
/* nothing to write, fail silently */
RETURN_FALSE;
}
+
+ if (strlen(filename) != filename_len) {
+ RETURN_FALSE;
+ }
if (PG(safe_mode) && (!php_checkuid(filename, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
RETURN_FALSE;
Modified: php/php-src/branches/PHP_5_3/ext/odbc/php_odbc.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/odbc/php_odbc.c 2010-11-18 14:59:28 UTC (rev 305506)
+++ php/php-src/branches/PHP_5_3/ext/odbc/php_odbc.c 2010-11-18 15:22:22 UTC (rev 305507)
@@ -1317,8 +1317,11 @@
if (Z_STRLEN_PP(tmp) > 2 &&
Z_STRVAL_PP(tmp)[0] == '\'' &&
Z_STRVAL_PP(tmp)[Z_STRLEN_PP(tmp) - 1] == '\'') {
+ if (strlen(tmp) != Z_STRLEN_PP(tmp)) {
+ RETURN_FALSE;
+ }
+
filename = estrndup(&Z_STRVAL_PP(tmp)[1], Z_STRLEN_PP(tmp) - 2);
- filename[strlen(filename)] = '\0';
/* Check for safe mode. */
if (PG(safe_mode) && (!php_checkuid(filename, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
Modified: php/php-src/branches/PHP_5_3/ext/openssl/openssl.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/openssl/openssl.c 2010-11-18 14:59:28 UTC (rev 305506)
+++ php/php-src/branches/PHP_5_3/ext/openssl/openssl.c 2010-11-18 15:22:22 UTC (rev 305507)
@@ -1771,6 +1771,10 @@
return;
RETVAL_FALSE;
+
+ if (strlen(filename) != filename_len) {
+ return;
+ }
cert = php_openssl_x509_from_zval(zcert, 0, &certresource TSRMLS_CC);
if (cert == NULL) {
@@ -2219,6 +2223,10 @@
}
RETVAL_FALSE;
+ if (strlen(filename) != filename_len) {
+ return;
+ }
+
csr = php_openssl_csr_from_zval(&zcsr, 0, &csr_resource TSRMLS_CC);
if (csr == NULL) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "cannot get CSR from parameter 1");
@@ -3003,6 +3011,10 @@
}
RETVAL_FALSE;
+ if (strlen(filename) != filename_len) {
+ return;
+ }
+
key = php_openssl_evp_from_zval(zpkey, 0, passphrase, 0, &key_resource TSRMLS_CC);
if (key == NULL) {
@@ -3395,7 +3407,14 @@
&outfilename, &outfilename_len, &zrecipcerts, &zheaders, &flags, &cipherid) == FAILURE)
return;
-
+ if (strlen(infilename) != infilename_len) {
+ return;
+ }
+
+ if (strlen(outfilename) != outfilename_len) {
+ return;
+ }
+
if (php_openssl_safe_mode_chk(infilename TSRMLS_CC) || php_openssl_safe_mode_chk(outfilename TSRMLS_CC)) {
return;
}
@@ -3527,15 +3546,23 @@
char * outfilename; int outfilename_len;
char * extracertsfilename = NULL; int extracertsfilename_len;
+ RETVAL_FALSE;
+
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ssZZa!|ls",
&infilename, &infilename_len, &outfilename, &outfilename_len,
&zcert, &zprivkey, &zheaders, &flags, &extracertsfilename,
&extracertsfilename_len) == FAILURE) {
return;
}
-
- RETVAL_FALSE;
+ if (strlen(infilename) != infilename_len) {
+ return;
+ }
+
+ if (strlen(outfilename) != outfilename_len) {
+ return;
+ }
+
if (extracertsfilename) {
others = load_all_certs_from_file(extracertsfilename);
if (others == NULL) {
@@ -3631,13 +3658,21 @@
char * infilename; int infilename_len;
char * outfilename; int outfilename_len;
+ RETVAL_FALSE;
+
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ssZ|Z", &infilename, &infilename_len,
&outfilename, &outfilename_len, &recipcert, &recipkey) == FAILURE) {
return;
}
- RETVAL_FALSE;
+ if (strlen(infilename) != infilename_len) {
+ return;
+ }
+ if (strlen(outfilename) != outfilename_len) {
+ return;
+ }
+
cert = php_openssl_x509_from_zval(recipcert, 0, &certresval TSRMLS_CC);
if (cert == NULL) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to coerce parameter 3 to x509 cert");
Modified: php/php-src/branches/PHP_5_3/ext/pgsql/pgsql.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/pgsql/pgsql.c 2010-11-18 14:59:28 UTC (rev 305506)
+++ php/php-src/branches/PHP_5_3/ext/pgsql/pgsql.c 2010-11-18 15:22:22 UTC (rev 305507)
@@ -3339,6 +3339,10 @@
WRONG_PARAM_COUNT;
}
+ if (strlen(file_in) != name_len) {
+ RETURN_FALSE;
+ }
+
if (PG(safe_mode) &&(!php_checkuid(file_in, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
RETURN_FALSE;
}
@@ -3476,6 +3480,10 @@
RETURN_FALSE;
}
+ if (strlen(file_out) != name_len) {
+ RETURN_FALSE;
+ }
+
if (PG(safe_mode) &&(!php_checkuid(file_out, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
RETURN_FALSE;
}
Modified: php/php-src/branches/PHP_5_3/ext/posix/posix.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/posix/posix.c 2010-11-18 14:59:28 UTC (rev 305506)
+++ php/php-src/branches/PHP_5_3/ext/posix/posix.c 2010-11-18 15:22:22 UTC (rev 305507)
@@ -842,6 +842,10 @@
RETURN_FALSE;
}
+ if (strlen(path) != path_len) {
+ RETURN_FALSE;
+ }
+
if (php_check_open_basedir_ex(path, 0 TSRMLS_CC) ||
(PG(safe_mode) && (!php_checkuid(path, NULL, CHECKUID_ALLOW_ONLY_DIR)))) {
RETURN_FALSE;
@@ -877,6 +881,10 @@
RETURN_FALSE;
}
+ if (strlen(path) != path_len) {
+ RETURN_FALSE;
+ }
+
if (php_check_open_basedir_ex(path, 0 TSRMLS_CC) ||
(PG(safe_mode) && (!php_checkuid(path, NULL, CHECKUID_ALLOW_ONLY_DIR)))) {
RETURN_FALSE;
@@ -957,6 +965,10 @@
RETURN_FALSE;
}
+ if (strlen(filename) != filename_len) {
+ RETURN_FALSE;
+ }
+
path = expand_filepath(filename, NULL TSRMLS_CC);
if (!path) {
POSIX_G(last_error) = EIO;
Modified: php/php-src/branches/PHP_5_3/ext/pspell/pspell.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/pspell/pspell.c 2010-11-18 14:59:28 UTC (rev 305506)
+++ php/php-src/branches/PHP_5_3/ext/pspell/pspell.c 2010-11-18 15:22:22 UTC (rev 305507)
@@ -402,6 +402,10 @@
}
#endif
+ if (strlen(personal) != personal_len) {
+ RETURN_FALSE;
+ }
+
if (PG(safe_mode) && (!php_checkuid(personal, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
delete_pspell_config(config);
RETURN_FALSE;
@@ -834,6 +838,10 @@
return;
}
+ if (strlen(value) != value_len) {
+ RETURN_FALSE;
+ }
+
PSPELL_FETCH_CONFIG;
if (PG(safe_mode) && (!php_checkuid(value, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
@@ -891,6 +899,10 @@
pspell_config_replace(config, "save-repl", "true");
+ if (strlen(repl) != repl_len) {
+ RETURN_FALSE;
+ }
+
if (PG(safe_mode) && (!php_checkuid(repl, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
RETURN_FALSE;
}
Modified: php/php-src/branches/PHP_5_3/ext/sqlite/sqlite.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/sqlite/sqlite.c 2010-11-18 14:59:28 UTC (rev 305506)
+++ php/php-src/branches/PHP_5_3/ext/sqlite/sqlite.c 2010-11-18 15:22:22 UTC (rev 305507)
@@ -1560,6 +1560,9 @@
ZVAL_NULL(errmsg);
}
+ if (strlen(filename) != filename_len) {
+ RETURN_FALSE;
+ }
if (strncmp(filename, ":memory:", sizeof(":memory:") - 1)) {
/* resolve the fully-qualified path name to use as the hash key */
if (!(fullpath = expand_filepath(filename, NULL TSRMLS_CC))) {
@@ -1637,6 +1640,9 @@
ZVAL_NULL(errmsg);
}
+ if (strlen(filename) != filename_len) {
+ RETURN_FALSE;
+ }
if (strncmp(filename, ":memory:", sizeof(":memory:") - 1)) {
/* resolve the fully-qualified path name to use as the hash key */
if (!(fullpath = expand_filepath(filename, NULL TSRMLS_CC))) {
@@ -1690,6 +1696,10 @@
ZVAL_NULL(errmsg);
}
+ if (strlen(filename) != filename_len) {
+ RETURN_FALSE;
+ }
+
if (strncmp(filename, ":memory:", sizeof(":memory:") - 1)) {
/* resolve the fully-qualified path name to use as the hash key */
if (!(fullpath = expand_filepath(filename, NULL TSRMLS_CC))) {
Modified: php/php-src/branches/PHP_5_3/ext/sqlite3/sqlite3.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/sqlite3/sqlite3.c 2010-11-18 14:59:28 UTC (rev 305506)
+++ php/php-src/branches/PHP_5_3/ext/sqlite3/sqlite3.c 2010-11-18 15:22:22 UTC (rev 305507)
@@ -114,6 +114,9 @@
zend_throw_exception(zend_exception_get_default(TSRMLS_C), "Already initialised DB Object", 0 TSRMLS_CC);
}
+ if (strlen(filename) != filename_len) {
+ return;
+ }
if (strncmp(filename, ":memory:", 8) != 0) {
if (!(fullpath = expand_filepath(filename, NULL TSRMLS_CC))) {
zend_throw_exception(zend_exception_get_default(TSRMLS_C), "Unable to expand filepath", 0 TSRMLS_CC);
Modified: php/php-src/branches/PHP_5_3/ext/standard/basic_functions.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/standard/basic_functions.c 2010-11-18 14:59:28 UTC (rev 305506)
+++ php/php-src/branches/PHP_5_3/ext/standard/basic_functions.c 2010-11-18 15:22:22 UTC (rev 305507)
@@ -4673,6 +4673,12 @@
opt_err = erropt;
}
+ if (opt_err == 3) {
+ if (strlen(opt) != opt_len) {
+ RETURN_FALSE;
+ }
+ }
+
if (_php_error_log_ex(opt_err, message, message_len, opt, headers TSRMLS_CC) == FAILURE) {
RETURN_FALSE;
}
@@ -5161,6 +5167,10 @@
RETURN_FALSE;
}
+ if (strlen(filename) != filename_len) {
+ RETURN_FALSE;
+ }
+
if (i) {
php_start_ob_buffer (NULL, 0, 1 TSRMLS_CC);
}
@@ -5207,6 +5217,10 @@
RETURN_FALSE;
}
+ if (strlen(filename) != filename_len) {
+ RETURN_FALSE;
+ }
+
file_handle.type = ZEND_HANDLE_FILENAME;
file_handle.filename = filename;
file_handle.free_filename = 0;
@@ -5467,6 +5481,11 @@
return;
}
+ /* No nulls allowed in paths */
+ if (strlen(new_value) != new_value_len) {
+ RETURN_FALSE;
+ }
+
old_value = zend_ini_string("include_path", sizeof("include_path"), 0);
/* copy to return here, because alter might free it! */
if (old_value) {
@@ -5777,6 +5796,10 @@
return;
}
+ if (strlen(path) != path_len) {
+ RETURN_FALSE;
+ }
+
if (zend_hash_exists(SG(rfc1867_uploaded_files), path, path_len + 1)) {
RETURN_TRUE;
} else {
@@ -5817,6 +5840,14 @@
RETURN_FALSE;
}
+ if (strlen(path) != path_len) {
+ RETURN_FALSE;
+ }
+
+ if (strlen(new_path) != new_path_len) {
+ RETURN_FALSE;
+ }
+
VCWD_UNLINK(new_path);
if (VCWD_RENAME(path, new_path) == 0) {
successful = 1;
@@ -5960,6 +5991,10 @@
RETURN_FALSE;
}
+ if (strlen(filename) != filename_len) {
+ RETURN_FALSE;
+ }
+
/* Set callback function */
if (process_sections) {
BG(active_ini_file_section) = NULL;
Modified: php/php-src/branches/PHP_5_3/ext/standard/dir.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/standard/dir.c 2010-11-18 14:59:28 UTC (rev 305506)
+++ php/php-src/branches/PHP_5_3/ext/standard/dir.c 2010-11-18 15:22:22 UTC (rev 305507)
@@ -325,6 +325,10 @@
RETURN_FALSE;
}
+ if (strlen(str) != str_len) {
+ RETURN_FALSE;
+ }
+
if ((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC)) {
RETURN_FALSE;
}
@@ -436,6 +440,10 @@
return;
}
+ if (strlen(pattern) != pattern_len) {
+ RETURN_FALSE;
+ }
+
if (pattern_len >= MAXPATHLEN) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Pattern exceeds the maximum allowed length of %d characters", MAXPATHLEN);
RETURN_FALSE;
@@ -557,6 +565,10 @@
return;
}
+ if (strlen(dirn) != dirn_len) {
+ RETURN_FALSE;
+ }
+
if (dirn_len < 1) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Directory name cannot be empty");
RETURN_FALSE;
Modified: php/php-src/branches/PHP_5_3/ext/standard/file.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/standard/file.c 2010-11-18 14:59:28 UTC (rev 305506)
+++ php/php-src/branches/PHP_5_3/ext/standard/file.c 2010-11-18 15:22:22 UTC (rev 305507)
@@ -386,6 +386,10 @@
return;
}
+ if (strlen(filename) != filename_len) {
+ RETURN_FALSE;
+ }
+
md.stream = php_stream_open_wrapper(filename, "rb",
(use_include_path ? USE_PATH : 0) | ENFORCE_SAFE_MODE | REPORT_ERRORS,
NULL);
@@ -539,6 +543,10 @@
return;
}
+ if (strlen(filename) != filename_len) {
+ RETURN_FALSE;
+ }
+
if (ZEND_NUM_ARGS() == 5 && maxlen < 0) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "length must be greater than or equal to zero");
RETURN_FALSE;
@@ -595,6 +603,10 @@
return;
}
+ if (strlen(filename) != filename_len) {
+ RETURN_FALSE;
+ }
+
if (Z_TYPE_P(data) == IS_RESOURCE) {
php_stream_from_zval(srcstream, &data);
}
@@ -739,6 +751,11 @@
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|lr!", &filename, &filename_len, &flags, &zcontext) == FAILURE) {
return;
}
+
+ if (strlen(filename) != filename_len) {
+ RETURN_FALSE;
+ }
+
if (flags < 0 || flags > (PHP_FILE_USE_INCLUDE_PATH | PHP_FILE_IGNORE_NEW_LINES | PHP_FILE_SKIP_EMPTY_LINES | PHP_FILE_NO_DEFAULT_CONTEXT)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "'%ld' flag is not supported", flags);
RETURN_FALSE;
@@ -836,6 +853,14 @@
return;
}
+ if (strlen(dir) != dir_len) {
+ RETURN_FALSE;
+ }
+
+ if (strlen(prefix) != prefix_len) {
+ RETURN_FALSE;
+ }
+
if (PG(safe_mode) &&(!php_checkuid(dir, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
RETURN_FALSE;
}
@@ -894,6 +919,10 @@
RETURN_FALSE;
}
+ if (strlen(filename) != filename_len) {
+ RETURN_FALSE;
+ }
+
context = php_stream_context_from_zval(zcontext, 0);
stream = php_stream_open_wrapper_ex(filename, mode, (use_include_path ? USE_PATH : 0) | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL, context);
@@ -1397,6 +1426,10 @@
RETURN_FALSE;
}
+ if (strlen(dir) != dir_len) {
+ RETURN_FALSE;
+ }
+
context = php_stream_context_from_zval(zcontext, 0);
RETURN_BOOL(php_stream_mkdir(dir, mode, (recursive ? PHP_STREAM_MKDIR_RECURSIVE : 0) | REPORT_ERRORS, context));
@@ -1416,6 +1449,10 @@
RETURN_FALSE;
}
+ if (strlen(dir) != dir_len) {
+ RETURN_FALSE;
+ }
+
context = php_stream_context_from_zval(zcontext, 0);
RETURN_BOOL(php_stream_rmdir(dir, REPORT_ERRORS, context));
@@ -1438,6 +1475,10 @@
RETURN_FALSE;
}
+ if (strlen(filename) != filename_len) {
+ RETURN_FALSE;
+ }
+
context = php_stream_context_from_zval(zcontext, 0);
stream = php_stream_open_wrapper_ex(filename, "rb", (use_include_path ? USE_PATH : 0) | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL, context);
@@ -1511,6 +1552,14 @@
RETURN_FALSE;
}
+ if (strlen(old_name) != old_name_len) {
+ RETURN_FALSE;
+ }
+
+ if (strlen(new_name) != new_name_len) {
+ RETURN_FALSE;
+ }
+
wrapper = php_stream_locate_url_wrapper(old_name, NULL, 0 TSRMLS_CC);
if (!wrapper || !wrapper->wops) {
@@ -1548,6 +1597,10 @@
RETURN_FALSE;
}
+ if (strlen(filename) != filename_len) {
+ RETURN_FALSE;
+ }
+
context = php_stream_context_from_zval(zcontext, 0);
wrapper = php_stream_locate_url_wrapper(filename, NULL, 0 TSRMLS_CC);
@@ -1684,6 +1737,14 @@
return;
}
+ if (strlen(source) != source_len) {
+ RETURN_FALSE;
+ }
+
+ if (strlen(target) != target_len) {
+ RETURN_FALSE;
+ }
+
if (PG(safe_mode) &&(!php_checkuid(source, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
RETURN_FALSE;
}
@@ -2385,6 +2446,10 @@
return;
}
+ if (strlen(filename) != filename_len) {
+ RETURN_FALSE;
+ }
+
if (VCWD_REALPATH(filename, resolved_path_buff)) {
if (PG(safe_mode) && (!php_checkuid(resolved_path_buff, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
RETURN_FALSE;
@@ -2527,6 +2592,14 @@
return;
}
+ if (strlen(pattern) != pattern_len) {
+ RETURN_FALSE;
+ }
+
+ if (strlen(filename) != filename_len) {
+ RETURN_FALSE;
+ }
+
if (filename_len >= MAXPATHLEN) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Filename exceeds the maximum allowed length of %d characters", MAXPATHLEN);
RETURN_FALSE;
Modified: php/php-src/branches/PHP_5_3/ext/standard/filestat.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/standard/filestat.c 2010-11-18 14:59:28 UTC (rev 305506)
+++ php/php-src/branches/PHP_5_3/ext/standard/filestat.c 2010-11-18 15:22:22 UTC (rev 305507)
@@ -379,6 +379,10 @@
RETURN_FALSE;
}
+ if (strlen(path) != path_len) {
+ RETURN_FALSE;
+ }
+
if (php_disk_free_space(path, &bytesfree TSRMLS_CC) == SUCCESS) {
RETURN_DOUBLE(bytesfree);
}
@@ -399,6 +403,10 @@
RETURN_FALSE;
}
+ if (strlen(filename) != filename_len) {
+ RETURN_FALSE;
+ }
+
if (Z_TYPE_P(group) == IS_LONG) {
gid = (gid_t)Z_LVAL_P(group);
} else if (Z_TYPE_P(group) == IS_STRING) {
@@ -500,6 +508,10 @@
return;
}
+ if (strlen(filename) != filename_len) {
+ RETURN_FALSE;
+ }
+
if (Z_TYPE_P(user) == IS_LONG) {
uid = (uid_t)Z_LVAL_P(user);
} else if (Z_TYPE_P(user) == IS_STRING) {
@@ -607,6 +619,10 @@
RETURN_FALSE;
}
+ if (strlen(filename) != filename_len) {
+ RETURN_FALSE;
+ }
+
/* Check the basedir */
if (php_check_open_basedir(filename TSRMLS_CC)) {
RETURN_FALSE;
@@ -660,6 +676,10 @@
return;
}
+ if (strlen(filename) != filename_len) {
+ RETURN_FALSE;
+ }
+
switch (argc) {
case 1:
#ifdef HAVE_UTIME_NULL
@@ -715,8 +735,9 @@
PHPAPI void php_clear_stat_cache(zend_bool clear_realpath_cache, const char *filename, int filename_len TSRMLS_DC)
{
/* always clear CurrentStatFile and CurrentLStatFile even if filename is not NULL
- * as it may contains outdated data (e.g. "nlink" for a directory when deleting a file
+ * as it may contain outdated data (e.g. "nlink" for a directory when deleting a file
* in this directory, as shown by lstat_stat_variation9.phpt) */
+
if (BG(CurrentStatFile)) {
efree(BG(CurrentStatFile));
BG(CurrentStatFile) = NULL;
@@ -777,6 +798,10 @@
RETURN_FALSE;
}
+ if (strlen(filename) != filename_length) {
+ RETURN_FALSE;
+ }
+
if ((wrapper = php_stream_locate_url_wrapper(filename, &local, 0 TSRMLS_CC)) == &php_plain_files_wrapper) {
if (php_check_open_basedir(local TSRMLS_CC)) {
RETURN_FALSE;
Modified: php/php-src/branches/PHP_5_3/ext/standard/ftok.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/standard/ftok.c 2010-11-18 14:59:28 UTC (rev 305506)
+++ php/php-src/branches/PHP_5_3/ext/standard/ftok.c 2010-11-18 15:22:22 UTC (rev 305507)
@@ -39,6 +39,10 @@
return;
}
+ if (strlen(pathname) != pathname_len) {
+ RETURN_FALSE;
+ }
+
if (pathname_len == 0){
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Pathname is invalid");
RETURN_LONG(-1);
Modified: php/php-src/branches/PHP_5_3/ext/standard/iptc.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/standard/iptc.c 2010-11-18 14:59:28 UTC (rev 305506)
+++ php/php-src/branches/PHP_5_3/ext/standard/iptc.c 2010-11-18 15:22:22 UTC (rev 305507)
@@ -190,6 +190,10 @@
return;
}
+ if (strlen(jpeg_file) != jpeg_file_len) {
+ RETURN_FALSE;
+ }
+
if (PG(safe_mode) && (!php_checkuid(jpeg_file, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
RETURN_FALSE;
}
Modified: php/php-src/branches/PHP_5_3/ext/standard/link.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/standard/link.c 2010-11-18 14:59:28 UTC (rev 305506)
+++ php/php-src/branches/PHP_5_3/ext/standard/link.c 2010-11-18 15:22:22 UTC (rev 305507)
@@ -64,6 +64,10 @@
return;
}
+ if (strlen(link) != link_len) {
+ RETURN_FALSE;
+ }
+
if (PG(safe_mode) && !php_checkuid(link, NULL, CHECKUID_CHECK_FILE_AND_DIR)) {
RETURN_FALSE;
}
@@ -123,6 +127,14 @@
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &topath, &topath_len, &frompath, &frompath_len) == FAILURE) {
return;
}
+
+ if (strlen(topath) != topath_len) {
+ RETURN_FALSE;
+ }
+
+ if (strlen(frompath) != frompath_len) {
+ RETURN_FALSE;
+ }
if (!expand_filepath(frompath, source_p TSRMLS_CC)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "No such file or directory");
@@ -188,6 +200,14 @@
return;
}
+ if (strlen(topath) != topath_len) {
+ RETURN_FALSE;
+ }
+
+ if (strlen(frompath) != frompath_len) {
+ RETURN_FALSE;
+ }
+
if (!expand_filepath(frompath, source_p TSRMLS_CC) || !expand_filepath(topath, dest_p TSRMLS_CC)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "No such file or directory");
RETURN_FALSE;
Modified: php/php-src/branches/PHP_5_3/ext/tidy/tidy.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/tidy/tidy.c 2010-11-18 14:59:28 UTC (rev 305506)
+++ php/php-src/branches/PHP_5_3/ext/tidy/tidy.c 2010-11-18 15:22:22 UTC (rev 305507)
@@ -567,6 +567,9 @@
}
if (is_file) {
+ if (strlen(arg1) != arg1_len) {
+ RETURN_FALSE;
+ }
if (!(data = php_tidy_file_to_mem(arg1, use_include_path, &data_len TSRMLS_CC))) {
RETURN_FALSE;
}
@@ -1221,6 +1224,9 @@
RETURN_FALSE;
}
+ if (strlen(inputfile) != input_len) {
+ RETURN_FALSE;
+ }
tidy_instanciate(tidy_ce_doc, return_value TSRMLS_CC);
obj = (PHPTidyObj *) zend_object_store_get_object(return_value TSRMLS_CC);
@@ -1534,10 +1540,13 @@
&options, &enc, &enc_len, &use_include_path) == FAILURE) {
RETURN_FALSE;
}
-
+
obj = (PHPTidyObj *)zend_object_store_get_object(object TSRMLS_CC);
if (inputfile) {
+ if (strlen(inputfile) != input_len) {
+ RETURN_FALSE;
+ }
if (!(contents = php_tidy_file_to_mem(inputfile, use_include_path, &contents_len TSRMLS_CC))) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot Load '%s' into memory %s", inputfile, (use_include_path) ? "(Using include path)" : "");
return;
@@ -1568,7 +1577,10 @@
&options, &enc, &enc_len, &use_include_path) == FAILURE) {
RETURN_FALSE;
}
-
+
+ if (strlen(inputfile) != input_len) {
+ RETURN_FALSE;
+ }
if (!(contents = php_tidy_file_to_mem(inputfile, use_include_path, &contents_len TSRMLS_CC))) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot Load '%s' into memory %s", inputfile, (use_include_path) ? "(Using include path)" : "");
RETURN_FALSE;
Modified: php/php-src/branches/PHP_5_3/ext/xsl/xsltprocessor.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/xsl/xsltprocessor.c 2010-11-18 14:59:28 UTC (rev 305506)
+++ php/php-src/branches/PHP_5_3/ext/xsl/xsltprocessor.c 2010-11-18 15:22:22 UTC (rev 305507)
@@ -642,6 +642,9 @@
ret = -1;
if (newdocp) {
+ if (strlen(uri) != uri_len) {
+ RETURN_FALSE;
+ }
ret = xsltSaveResultToFilename(uri, newdocp, sheetp, 0);
xmlFreeDoc(newdocp);
}
@@ -845,7 +848,7 @@
if (intern->profiling) {
efree(intern->profiling);
}
- if (filename != NULL) {
+ if (filename != NULL && strlen(filename) == filename_len) {
intern->profiling = estrndup(filename,filename_len);
} else {
intern->profiling = NULL;
Modified: php/php-src/branches/PHP_5_3/ext/zip/php_zip.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/zip/php_zip.c 2010-11-18 14:59:28 UTC (rev 305506)
+++ php/php-src/branches/PHP_5_3/ext/zip/php_zip.c 2010-11-18 15:22:22 UTC (rev 305507)
@@ -1148,6 +1148,10 @@
RETURN_FALSE;
}
+ if (strlen(filename) != filename_len) {
+ RETURN_FALSE;
+ }
+
if (ZIP_OPENBASEDIR_CHECKPATH(filename)) {
RETURN_FALSE;
}
@@ -1437,6 +1441,10 @@
RETURN_FALSE;
}
+ if (strlen(filename) != filename_len) {
+ RETURN_FALSE;
+ }
+
if (ZIP_OPENBASEDIR_CHECKPATH(filename)) {
RETURN_FALSE;
}
@@ -2363,6 +2371,10 @@
RETURN_FALSE;
}
+ if (strlen(pathto) != pathto_len) {
+ RETURN_FALSE;
+ }
+
if (php_stream_stat_path(pathto, &ssb) < 0) {
ret = php_stream_mkdir(pathto, 0777, PHP_STREAM_MKDIR_RECURSIVE, NULL);
if (!ret) {
@@ -2449,6 +2461,9 @@
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|ll", &filename, &filename_len, &len, &flags) == FAILURE) {
return;
}
+ if (strlen(filename) != filename_len) {
+ return;
+ }
PHP_ZIP_STAT_PATH(intern, filename, filename_len, flags, sb);
} else {
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "l|ll", &index, &len, &flags) == FAILURE) {
Modified: php/php-src/branches/PHP_5_3/main/fopen_wrappers.c
===================================================================
--- php/php-src/branches/PHP_5_3/main/fopen_wrappers.c 2010-11-18 14:59:28 UTC (rev 305506)
+++ php/php-src/branches/PHP_5_3/main/fopen_wrappers.c 2010-11-18 15:22:22 UTC (rev 305507)
@@ -538,6 +538,10 @@
return NULL;
}
+ if (strlen(filename) != filename_length) {
+ return NULL;
+ }
+
/* Don't resolve paths which contain protocol (except of file://) */
for (p = filename; isalnum((int)*p) || *p == '+' || *p == '-' || *p == '.'; p++);
if ((*p == ':') && (p - filename > 1) && (p[1] == '/') && (p[2] == '/')) {
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
