[PHP-CVS] svn: /SVNROOT/ header.ezt
philip Thu, 01 Apr 2010 03:35:38 +
Revision: http://svn.php.net/viewvc?view=revision&revision=297255
Log: Changed 'PHP 6' reference to 'PHP Trunk'
Changed paths:
U SVNROOT/header.ezt
Modified: SVNROOT/header.ezt
===
--- SVNROOT/header.ezt 2010-04-01 03:32:34 UTC (rev 297254)
+++ SVNROOT/header.ezt 2010-04-01 03:35:38 UTC (rev 297255)
@@ -30,7 +30,7 @@
 Main trees:
 PHP 5.2 |
 PHP 5.3 |
-PHP 6 |
+PHP Trunk |
 pecl |
 pear |
 pear-core
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] svn: /php/php-src/ branches/PHP_5_2/ext/filter/logical_filters.c branches/PHP_5_3/ext/filter/logical_filters.c trunk/ext/filter/logical_filters.c
rasmus Wed, 31 Mar 2010 23:56:30 +
Revision: http://svn.php.net/viewvc?view=revision&revision=297250
Log: Fix FILTER_VALIDATE_URL - Host names can't start with '.' or '-'
Changed paths:
U php/php-src/branches/PHP_5_2/ext/filter/logical_filters.c
U php/php-src/branches/PHP_5_3/ext/filter/logical_filters.c
U php/php-src/trunk/ext/filter/logical_filters.c
Modified: php/php-src/branches/PHP_5_2/ext/filter/logical_filters.c
===
--- php/php-src/branches/PHP_5_2/ext/filter/logical_filters.c 2010-03-31 23:11:35 UTC (rev 297249)
+++ php/php-src/branches/PHP_5_2/ext/filter/logical_filters.c 2010-03-31 23:56:30 UTC (rev 297250)
@@ -465,6 +465,11 @@
 e = url->host + strlen(url->host);
 s = url->host;
+ /* First char of hostname must be alphanumeric */
+ if(!isalnum((int)*(unsigned char *)s)) {
+ goto bad_url;
+ }
+
 while (s < e) {
 if (!isalnum((int)*(unsigned char *)s) && *s != '-' && *s != '.') {
 goto bad_url;
Modified: php/php-src/branches/PHP_5_3/ext/filter/logical_filters.c
===
--- php/php-src/branches/PHP_5_3/ext/filter/logical_filters.c 2010-03-31 23:11:35 UTC (rev 297249)
+++ php/php-src/branches/PHP_5_3/ext/filter/logical_filters.c 2010-03-31 23:56:30 UTC (rev 297250)
@@ -465,6 +465,11 @@
 e = url->host + strlen(url->host);
 s = url->host;
+ /* First char of hostname must be alphanumeric */
+ if(!isalnum((int)*(unsigned char *)s)) {
+ goto bad_url;
+ }
+
 while (s < e) {
 if (!isalnum((int)*(unsigned char *)s) && *s != '-' && *s != '.') {
 goto bad_url;
Modified: php/php-src/trunk/ext/filter/logical_filters.c
===
--- php/php-src/trunk/ext/filter/logical_filters.c 2010-03-31 23:11:35 UTC (rev 297249)
+++ php/php-src/trunk/ext/filter/logical_filters.c 2010-03-31 23:56:30 UTC (rev 297250)
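Review bot: The added guard checks only the first byte of the whole host, so as far as this hunk shows a label that starts with '-' after a dot (`a.-b`) or a host ending in '-' still passes the loop that follows, which accepts any sequence of alphanumerics, '-' and '.'; the intent stated in the log message (no host may start with '.' or '-') is therefore only enforced for the first label. Applying the same test to the byte after each '.' inside the loop closes that gap, e.g. `if (*s == '.' && s + 1 < e && !isalnum((int)*(unsigned char *)(s + 1))) goto bad_url;` placed before the existing `if`. If url->host can carry a bracketed IPv6 literal in this version, the new first-byte check now rejects it, which is worth confirming against the URL parser. The same hunk is applied to the PHP_5_3 file below and to trunk on the next line; the enclosing function continues outside the hunk.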
@@ -465,6 +465,11 @@
 e = url->host + strlen(url->host);
 s = url->host;
+ /* First char of hostname must be alphanumeric */
+ if(!isalnum((int)*(unsigned char *)s)) {
+ goto bad_url;
+ }
+
 while (s < e) {
 if (!isalnum((int)*(unsigned char *)s) && *s != '-' && *s != '.') {
 goto bad_url;
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] svn: /php/php-src/trunk/ NEWS
rasmus Wed, 31 Mar 2010 23:01:38 +
Revision: http://svn.php.net/viewvc?view=revision&revision=297246
Log: Moved to 5.3
Changed paths:
U php/php-src/trunk/NEWS
Modified: php/php-src/trunk/NEWS
===
--- php/php-src/trunk/NEWS 2010-03-31 22:59:09 UTC (rev 297245)
+++ php/php-src/trunk/NEWS 2010-03-31 23:01:38 UTC (rev 297246)
@@ -11,7 +11,6 @@ ReflectionExtension::isPersistent(). (Johannes) - Added ReflectionZendExtension class. (Johannes) - Added command line option --rz to CLI. (Johannes) -- Added full_special_chars filter to ext/filter (Rasmus) - default_charset if not specified is now UTF-8 instead of ISO-8859-1. (Rasmus) - default session.entropy_file is now /dev/urandom or /dev/arandom if either
@@ -22,6 +21,7 @@ - Added stream filter support to mcrypt extension (ported from mcrypt_filter). (Stas) +- Added full_special_chars filter to ext/filter (Rasmus) - Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] svn: /php/php-src/branches/PHP_5_3/ NEWS ext/filter/filter.c ext/filter/filter_private.h ext/filter/php_filter.h ext/filter/sanitizing_filters.c
rasmus Wed, 31 Mar 2010 22:59:09 +
Revision: http://svn.php.net/viewvc?view=revision&revision=297245
Log: full_special_chars filter from trunk - approved by johannes
Changed paths:
U php/php-src/branches/PHP_5_3/NEWS
U php/php-src/branches/PHP_5_3/ext/filter/filter.c
U php/php-src/branches/PHP_5_3/ext/filter/filter_private.h
U php/php-src/branches/PHP_5_3/ext/filter/php_filter.h
U php/php-src/branches/PHP_5_3/ext/filter/sanitizing_filters.c
Modified: php/php-src/branches/PHP_5_3/NEWS
===
--- php/php-src/branches/PHP_5_3/NEWS 2010-03-31 22:49:08 UTC (rev 297244)
+++ php/php-src/branches/PHP_5_3/NEWS 2010-03-31 22:59:09 UTC (rev 297245)
@@ -6,6 +6,7 @@ - Added stream filter support to mcrypt extension (ported from mcrypt_filter). (Stas) +- Added full_special_chars filter to ext/filter (Rasmus) - Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)
Modified: php/php-src/branches/PHP_5_3/ext/filter/filter.c
===
--- php/php-src/branches/PHP_5_3/ext/filter/filter.c2010-03-31 22:49:08 UTC (rev 297244)
+++ php/php-src/branches/PHP_5_3/ext/filter/filter.c2010-03-31 22:59:09 UTC (rev 297245)
@@ -52,6 +52,7 @@
 { "stripped",FILTER_SANITIZE_STRING,php_filter_string },
 { "encoded", FILTER_SANITIZE_ENCODED, php_filter_encoded },
 { "special_chars", FILTER_SANITIZE_SPECIAL_CHARS, php_filter_special_chars },
+ { "full_special_chars", FILTER_SANITIZE_FULL_SPECIAL_CHARS, php_filter_full_special_chars },
 { "unsafe_raw", FILTER_UNSAFE_RAW, php_filter_unsafe_raw },
 { "email", FILTER_SANITIZE_EMAIL, php_filter_email },
 { "url", FILTER_SANITIZE_URL, php_filter_url },
@@ -238,6 +239,7 @@
 REGISTER_LONG_CONSTANT("FILTER_SANITIZE_STRIPPED", FILTER_SANITIZE_STRING, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("FILTER_SANITIZE_ENCODED", FILTER_SANITIZE_ENCODED, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("FILTER_SANITIZE_SPECIAL_CHARS", FILTER_SANITIZE_SPECIAL_CHARS, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("FILTER_SANITIZE_FULL_SPECIAL_CHARS", FILTER_SANITIZE_SPECIAL_CHARS, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("FILTER_SANITIZE_EMAIL", FILTER_SANITIZE_EMAIL, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("FILTER_SANITIZE_URL", FILTER_SANITIZE_URL, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("FILTER_SANITIZE_NUMBER_INT", FILTER_SANITIZE_NUMBER_INT, CONST_CS | CONST_PERSISTENT);
Modified: php/php-src/branches/PHP_5_3/ext/filter/filter_private.h
===
--- php/php-src/branches/PHP_5_3/ext/filter/filter_private.h2010-03-31 22:49:08 UTC (rev 297244)
+++ php/php-src/branches/PHP_5_3/ext/filter/filter_private.h2010-03-31 22:59:09 UTC (rev 297245)
@@ -78,7 +78,8 @@
 #define FILTER_SANITIZE_NUMBER_INT0x0207
 #define FILTER_SANITIZE_NUMBER_FLOAT 0x0208
 #define FILTER_SANITIZE_MAGIC_QUOTES 0x0209
-#define FILTER_SANITIZE_LAST 0x0209
+#define FILTER_SANITIZE_FULL_SPECIAL_CHARS 0x020a
+#define FILTER_SANITIZE_LAST 0x020a
 #define FILTER_SANITIZE_ALL 0x0200
Modified: php/php-src/branches/PHP_5_3/ext/filter/php_filter.h
===
--- php/php-src/branches/PHP_5_3/ext/filter/php_filter.h2010-03-31 22:49:08 UTC (rev 297244)
+++ php/php-src/branches/PHP_5_3/ext/filter/php_filter.h2010-03-31 22:59:09 UTC (rev 297245)
@@ -28,6 +28,7 @@
 #include "php_ini.h"
 #include "ext/standard/info.h"
 #include "ext/standard/php_string.h"
+#include "ext/standard/html.h"
 #include "php_variables.h"
 extern zend_module_entry filter_module_entry;
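Review bot: In the `@@ -238,6 +239,7 @@` hunk of filter.c the new `REGISTER_LONG_CONSTANT("FILTER_SANITIZE_FULL_SPECIAL_CHARS", FILTER_SANITIZE_SPECIAL_CHARS, CONST_CS | CONST_PERSISTENT);` binds the PHP-level constant to the value of the old special_chars filter instead of FILTER_SANITIZE_FULL_SPECIAL_CHARS (0x020a in the filter_private.h hunk), so code that selects the filter by constant is dispatched to php_filter_special_chars and never reaches php_filter_full_special_chars; only the string name "full_special_chars" from the table at `@@ -52` does. Callers will pick the constant precisely because they want the stronger htmlspecialchars-style escaping, so the result is a silent downgrade of output sanitization rather than an error. The second argument should be `FILTER_SANITIZE_FULL_SPECIAL_CHARS`. The same line is added in the trunk commit r297239 further down (the `@@ -238,6 +239,7 @@` hunk of php/php-src/trunk/ext/filter/filter.c).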
@@ -81,6 +82,7 @@
 void php_filter_string(PHP_INPUT_FILTER_PARAM_DECL);
 void php_filter_encoded(PHP_INPUT_FILTER_PARAM_DECL);
 void php_filter_special_chars(PHP_INPUT_FILTER_PARAM_DECL);
+void php_filter_full_special_chars(PHP_INPUT_FILTER_PARAM_DECL);
 void php_filter_unsafe_raw(PHP_INPUT_FILTER_PARAM_DECL);
 void php_filter_email(PHP_INPUT_FILTER_PARAM_DECL);
 void php_filter_url(PHP_INPUT_FILTER_PARAM_DECL);
Modified: php/php-src/branches/PHP_5_3/ext/filter/sanitizing_filters.c
===
--- php/php-src/branches/PHP_5_3/ext/filter/sanitizing_filters.c 2010-03-31 22:49:08 UTC (rev 297244)
+++ php/php-src/branches/PHP_5_3/ext/filter/sanitizing_filters.c 2010-03-31 22:59:09 UTC (rev 297245)
@@ -242,6 +242,24 @@
 }
 /* }}} */
+/* {{{ php_filter_full_special_char
[PHP-CVS] svn: /php/php-src/trunk/ NEWS ext/filter/filter.c ext/filter/filter_private.h ext/filter/php_filter.h ext/filter/sanitizing_filters.c
rasmus Wed, 31 Mar 2010 21:50:36 +
Revision: http://svn.php.net/viewvc?view=revision&revision=297239
Log: Added the full htmlspecialchars() functionality which includes utf-8 validation as a default filter.
Changed paths:
U php/php-src/trunk/NEWS
U php/php-src/trunk/ext/filter/filter.c
U php/php-src/trunk/ext/filter/filter_private.h
U php/php-src/trunk/ext/filter/php_filter.h
U php/php-src/trunk/ext/filter/sanitizing_filters.c
Modified: php/php-src/trunk/NEWS
===
--- php/php-src/trunk/NEWS 2010-03-31 21:38:38 UTC (rev 297238)
+++ php/php-src/trunk/NEWS 2010-03-31 21:50:36 UTC (rev 297239)
@@ -11,6 +11,7 @@ ReflectionExtension::isPersistent(). (Johannes) - Added ReflectionZendExtension class. (Johannes) - Added command line option --rz to CLI. (Johannes) +- Added full_special_chars filter to ext/filter (Rasmus) - default_charset if not specified is now UTF-8 instead of ISO-8859-1. (Rasmus) - default session.entropy_file is now /dev/urandom or /dev/arandom if either
Modified: php/php-src/trunk/ext/filter/filter.c
===
--- php/php-src/trunk/ext/filter/filter.c 2010-03-31 21:38:38 UTC (rev 297238)
+++ php/php-src/trunk/ext/filter/filter.c 2010-03-31 21:50:36 UTC (rev 297239)
@@ -52,6 +52,7 @@
 { "stripped",FILTER_SANITIZE_STRING,php_filter_string },
 { "encoded", FILTER_SANITIZE_ENCODED, php_filter_encoded },
 { "special_chars", FILTER_SANITIZE_SPECIAL_CHARS, php_filter_special_chars },
+ { "full_special_chars", FILTER_SANITIZE_FULL_SPECIAL_CHARS, php_filter_full_special_chars },
 { "unsafe_raw", FILTER_UNSAFE_RAW, php_filter_unsafe_raw },
 { "email", FILTER_SANITIZE_EMAIL, php_filter_email },
 { "url", FILTER_SANITIZE_URL, php_filter_url },
@@ -238,6 +239,7 @@
 REGISTER_LONG_CONSTANT("FILTER_SANITIZE_STRIPPED", FILTER_SANITIZE_STRING, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("FILTER_SANITIZE_ENCODED", FILTER_SANITIZE_ENCODED, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("FILTER_SANITIZE_SPECIAL_CHARS", FILTER_SANITIZE_SPECIAL_CHARS, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("FILTER_SANITIZE_FULL_SPECIAL_CHARS", FILTER_SANITIZE_SPECIAL_CHARS, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("FILTER_SANITIZE_EMAIL", FILTER_SANITIZE_EMAIL, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("FILTER_SANITIZE_URL", FILTER_SANITIZE_URL, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("FILTER_SANITIZE_NUMBER_INT", FILTER_SANITIZE_NUMBER_INT, CONST_CS | CONST_PERSISTENT);
Modified: php/php-src/trunk/ext/filter/filter_private.h
===
--- php/php-src/trunk/ext/filter/filter_private.h 2010-03-31 21:38:38 UTC (rev 297238)
+++ php/php-src/trunk/ext/filter/filter_private.h 2010-03-31 21:50:36 UTC (rev 297239)
@@ -78,7 +78,8 @@
 #define FILTER_SANITIZE_NUMBER_INT0x0207
 #define FILTER_SANITIZE_NUMBER_FLOAT 0x0208
 #define FILTER_SANITIZE_MAGIC_QUOTES 0x0209
-#define FILTER_SANITIZE_LAST 0x0209
+#define FILTER_SANITIZE_FULL_SPECIAL_CHARS 0x020a
+#define FILTER_SANITIZE_LAST 0x020a
 #define FILTER_SANITIZE_ALL 0x0200
Modified: php/php-src/trunk/ext/filter/php_filter.h
===
--- php/php-src/trunk/ext/filter/php_filter.h 2010-03-31 21:38:38 UTC (rev 297238)
+++ php/php-src/trunk/ext/filter/php_filter.h 2010-03-31 21:50:36 UTC (rev 297239)
@@ -28,6 +28,7 @@
 #include "php_ini.h"
 #include "ext/standard/info.h"
 #include "ext/standard/php_string.h"
+#include "ext/standard/html.h"
 #include "php_variables.h"
 extern zend_module_entry filter_module_entry;
@@ -81,6 +82,7 @@
 void php_filter_string(PHP_INPUT_FILTER_PARAM_DECL);
 void php_filter_encoded(PHP_INPUT_FILTER_PARAM_DECL);
 void php_filter_special_chars(PHP_INPUT_FILTER_PARAM_DECL);
+void php_filter_full_special_chars(PHP_INPUT_FILTER_PARAM_DECL);
 void php_filter_unsafe_raw(PHP_INPUT_FILTER_PARAM_DECL);
 void php_filter_email(PHP_INPUT_FILTER_PARAM_DECL);
 void php_filter_url(PHP_INPUT_FILTER_PARAM_DECL);
Modified: php/php-src/trunk/ext/filter/sanitizing_filters.c
===
--- php/php-src/trunk/ext/filter/sanitizing_filters.c 2010-03-31 21:38:38 UTC (rev 297238)
+++ php/php-src/trunk/ext/filter/sanitizing_filters.c 2010-03-31 21:50:36 UTC (rev 297239)
@@ -242,6 +242,24 @@
 }
 /* }}} */
+/* {{{ php_filter_full_special_chars */
+void php_filter_full_special_chars(PHP_INPUT_FILTER_PARAM_DECL)
+{
+ char *buf
[PHP-CVS] svn: /php/php-src/trunk/ NEWS UPGRADING Zend/Zend.m4 ext/session/session.c php.ini-development php.ini-production
rasmus Wed, 31 Mar 2010 18:03:17 +
Revision: http://svn.php.net/viewvc?view=revision&revision=297232
Log: Set session.entropy_file to /dev/urandom or /dev/arandom by default if present at compile-time. Addresses part of bug #51436
Bug: http://bugs.php.net/51436 (Open) LCG entropy fix insufficient, uniqid leaks entropy, leads to weak session IDs
Changed paths:
U php/php-src/trunk/NEWS
U php/php-src/trunk/UPGRADING
U php/php-src/trunk/Zend/Zend.m4
U php/php-src/trunk/ext/session/session.c
U php/php-src/trunk/php.ini-development
U php/php-src/trunk/php.ini-production
Modified: php/php-src/trunk/NEWS
===
--- php/php-src/trunk/NEWS 2010-03-31 17:35:28 UTC (rev 297231)
+++ php/php-src/trunk/NEWS 2010-03-31 18:03:17 UTC (rev 297232)
@@ -13,7 +13,9 @@ - Added command line option --rz to CLI. (Johannes) - default_charset if not specified is now UTF-8 instead of ISO-8859-1. (Rasmus) - +- default session.entropy_file is now /dev/urandom or /dev/arandom if either + is present at compile time. (Rasmus) + ?? ??? 20??, PHP 5.3.3 - Upgraded bundled PCRE to version 8.01. (Ilia)
Modified: php/php-src/trunk/UPGRADING
===
--- php/php-src/trunk/UPGRADING 2010-03-31 17:35:28 UTC (rev 297231)
+++ php/php-src/trunk/UPGRADING 2010-03-31 18:03:17 UTC (rev 297232)
@@ -40,8 +40,20 @@ default_charset = iso-8859-1 - to your php.ini to preserve pre-PHPX.Y behavior + to your php.ini to preserve pre-PHPX.Y behavior. +- We now check at compile time if /dev/urandom or /dev/arandom + are present to provide non-blocking entropy to session id + generation. If either is present, session.entropy_file + now defaults to that file and session.entropy_length defaults + to 32. If you do not want extra entropy for your session ids + for some reason, add: + +session.entropy_file= +session.entropy_length=0 + + to your php.ini to preserve pre-PHPX.Y behavior. + = 2. Reserved words and classes =
Modified: php/php-src/trunk/Zend/Zend.m4
===
--- php/php-src/trunk/Zend/Zend.m4 2010-03-31 17:35:28 UTC (rev 297231)
+++ php/php-src/trunk/Zend/Zend.m4 2010-03-31 18:03:17 UTC (rev 297232)
@@ -419,4 +419,11 @@
 AC_MSG_RESULT(yes)
 else
 AC_MSG_RESULT(no)
+ AC_MSG_CHECKING(whether /dev/arandom exists)
+ if test -r "/dev/arandom" && test -c "/dev/arandom"; then
+AC_DEFINE([HAVE_DEV_ARANDOM], 1, [Define if the target system has /dev/arandom device])
+AC_MSG_RESULT(yes)
+ else
+AC_MSG_RESULT(no)
+ fi
 fi
Modified: php/php-src/trunk/ext/session/session.c
===
--- php/php-src/trunk/ext/session/session.c 2010-03-31 17:35:28 UTC (rev 297231)
+++ php/php-src/trunk/ext/session/session.c 2010-03-31 18:03:17 UTC (rev 297232)
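Review bot: The new `test -r "/dev/arandom" && test -c "/dev/arandom"` check in Zend.m4, like the /dev/urandom check it is nested under, probes the build host, so a binary built in a chroot, container or cross-compile environment bakes in an entropy_file default that may not exist on the host where it runs, and distribution packagers in particular build on systems whose device nodes differ from the target. What happens when the default device cannot be opened at session start is decided in ext/session/session.c outside this diff and is worth confirming given that the commit addresses bug #51436 about weak session IDs: a missing device should be reported, not quietly ignored. A comment above the new check, `dnl the default only reflects the build host; verify the device exists on the target`, would make that limitation visible to packagers. The `else` nesting means /dev/arandom is only probed when /dev/urandom is absent, which matches the #if/#elif order used in session.c.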
@@ -781,8 +781,16 @@
 STD_PHP_INI_BOOLEAN("session.use_cookies", "1", PHP_INI_ALL, OnUpdateBool, use_cookies,php_ps_globals,ps_globals)
 STD_PHP_INI_BOOLEAN("session.use_only_cookies", "1", PHP_INI_ALL, OnUpdateBool, use_only_cookies, php_ps_globals,ps_globals)
 STD_PHP_INI_ENTRY("session.referer_check", "", PHP_INI_ALL, OnUpdateString, extern_referer_chk, php_ps_globals,ps_globals)
+#if HAVE_DEV_URANDOM
+ STD_PHP_INI_ENTRY("session.entropy_file", "/dev/urandom", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals,ps_globals)
+ STD_PHP_INI_ENTRY("session.entropy_length", "32", PHP_INI_ALL, OnUpdateLong, entropy_length, php_ps_globals,ps_globals)
+#elif HAVE_DEV_ARANDOM
+ STD_PHP_INI_ENTRY("session.entropy_file", "/dev/arandom", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals,ps_globals)
+ STD_PHP_INI_ENTRY("session.entropy_length", "32", PHP_INI_ALL, OnUpdateLong, entropy_length, php_ps_globals,ps_globals)
+#else
 STD_PHP_INI_ENTRY("session.entropy_file", "", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals,ps_globals)
 STD_PHP_INI_ENTRY("session.entropy_length", "0", PHP_INI_ALL, OnUpdateLong, entropy_length, php_ps_globals,ps_globals)
+#endif
 STD_PHP_INI_ENTRY("session.cache_limiter", "nocache", PHP_INI_ALL, OnUpdateString, cache_limiter, php_ps_globals,ps_globals)
 STD_PHP_INI_ENTRY("session.cache_expire", "180", PHP_INI_ALL, OnUpdateLong, cache_expire, php_ps_globals,ps_globals)
 PHP_INI_ENTRY("session.use_trans_sid", "0", PHP_INI_ALL, OnUpdateTransSid)
Modified: php/php-src/trunk/php.ini-development
=
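Review bot: The new `#if HAVE_DEV_URANDOM` / `#elif HAVE_DEV_ARANDOM` block repeats the two STD_PHP_INI_ENTRY lines in all three branches, so the only values that differ, the device path and the length, are spread over six near-identical lines and the INI names and update handlers have to be kept in sync by hand. Defining the default path and length once and keeping a single pair of entries below the conditional reads better and keeps the "32" in one place. `#if` on a configure macro that is either 1 or undefined works but trips -Wundef; `#ifdef HAVE_DEV_URANDOM` states the intent directly (which form the rest of session.c uses is not visible here). The INI table continues outside the hunk on both sides.
```c
/* Session entropy defaults are chosen at configure time from the build
 * host's device nodes. The PS_DEFAULT_* names are new to this file. */
#ifdef HAVE_DEV_URANDOM
# define PS_DEFAULT_ENTROPY_FILE   "/dev/urandom"
# define PS_DEFAULT_ENTROPY_LENGTH "32"
#elif defined(HAVE_DEV_ARANDOM)
# define PS_DEFAULT_ENTROPY_FILE   "/dev/arandom"
# define PS_DEFAULT_ENTROPY_LENGTH "32"
#else
# define PS_DEFAULT_ENTROPY_FILE   ""
# define PS_DEFAULT_ENTROPY_LENGTH "0"
#endif
	STD_PHP_INI_ENTRY("session.entropy_file", PS_DEFAULT_ENTROPY_FILE, PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals, ps_globals)
	STD_PHP_INI_ENTRY("session.entropy_length", PS_DEFAULT_ENTROPY_LENGTH, PHP_INI_ALL, OnUpdateLong, entropy_length, php_ps_globals, ps_globals)
	/* … unchanged: remaining session.* INI entries … */
```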