iliaa           Thu Aug 10 17:16:35 2006 UTC

  Modified files:              (Branch: PHP_5_1)
    /php-src    NEWS 
    /php-src/ext/standard       string.c 
    /php-src/ext/curl   interface.c streams.c 
  Log:
  Various security fixes backported from 5.2
  
  # part 2
  
  
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.562&r2=1.2027.2.563&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.2027.2.562 php-src/NEWS:1.2027.2.563
--- php-src/NEWS:1.2027.2.562   Fri Aug  4 20:34:31 2006
+++ php-src/NEWS        Thu Aug 10 17:16:35 2006
@@ -1,6 +1,10 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2006, PHP 5.1.5
+- Fixed memory_limit on 64bit systems. (Stefan E.)
+- Fixed overflow on 64bit systems in str_repeat() and wordwrap(). (Stefan E.)
+- Disabled CURLOPT_FOLLOWLOCATION in curl when open_basedir or safe_mode are
+  enabled. (Stefan E., Ilia)
 - Fixed bug #38322 (reading past array in sscanf() leads to arbitary code
   execution). (Tony)
 - Fixed bug #38125 (undefined reference to spl_dual_it_free_storage). (Marcus)
@@ -21,6 +25,8 @@
 - Fixed bug #37360 (invalid gif size) (Pierre)
 - Fixed bug #37306 (max_execution_time = max_input_time). (Dmitry)
 - Fixed Bug #37278 (SOAP not respecting uri in __soapCall). (Dmitry)
+- Fixed bug #37265 (Added missing safe_mode & open_basedir checks to
+  imap_body()). (Ilia)
 - Fixed bug #37256 (php-fastcgi dosen't handle connection abort). (Dmitry)
 
 04 May 2006, PHP 5.1.4
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.445.2.14&r2=1.445.2.15&diff_format=u
Index: php-src/ext/standard/string.c
diff -u php-src/ext/standard/string.c:1.445.2.14 
php-src/ext/standard/string.c:1.445.2.15
--- php-src/ext/standard/string.c:1.445.2.14    Tue Apr 25 12:48:41 2006
+++ php-src/ext/standard/string.c       Thu Aug 10 17:16:35 2006
@@ -18,7 +18,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: string.c,v 1.445.2.14 2006/04/25 12:48:41 tony2001 Exp $ */
+/* $Id: string.c,v 1.445.2.15 2006/08/10 17:16:35 iliaa Exp $ */
 
 /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
 
@@ -632,7 +632,8 @@
 {
        const char *text, *breakchar = "\n";
        char *newtext;
-       int textlen, breakcharlen = 1, newtextlen, alloced, chk;
+       int textlen, breakcharlen = 1, newtextlen, chk;
+       size_t alloced;
        long current = 0, laststart = 0, lastspace = 0;
        long linelength = 75;
        zend_bool docut = 0;
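Review bot: Widening only `alloced` to `size_t` leaves `textlen`, `breakcharlen`, `newtextlen` and `chk` declared as `int` on the line above it. The expression that computes `alloced` is outside this hunk; if it is built from those int operands, it is still evaluated in int and can overflow before the result is converted to `size_t`. Either cast the first operand (`(size_t)textlen`) in that expression, or allocate through `safe_emalloc()` as the str_repeat hunk in this commit does. The function body starts and ends outside the hunk.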
@@ -1612,10 +1613,18 @@
                RETURN_FALSE;
        }
 
+       if (haystack_len == 0) { 
+               RETURN_FALSE; 
+       }
+
        haystack_dup = estrndup(haystack, haystack_len);
        php_strtolower(haystack_dup, haystack_len);
 
        if (Z_TYPE_P(needle) == IS_STRING) {
+               if ((Z_STRLEN_P(needle) == 0 || Z_STRLEN_P(needle) > 
haystack_len) { 
+                       efree(haystack_dup); 
+                       RETURN_FALSE; 
+               } 
                needle_dup = estrndup(Z_STRVAL_P(needle), Z_STRLEN_P(needle));
                php_strtolower(needle_dup, Z_STRLEN_P(needle));
                found = php_memnstr(haystack_dup + offset, needle_dup, 
Z_STRLEN_P(needle), haystack_dup + haystack_len);
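Review bot: The added needle check `if ((Z_STRLEN_P(needle) == 0 || Z_STRLEN_P(needle) > haystack_len) {` opens two parentheses after `if` and closes only one, so the file will not compile as committed. It should read `if (Z_STRLEN_P(needle) == 0 || Z_STRLEN_P(needle) > haystack_len) {`. The comparison also ignores `offset`, which is added to `haystack_dup` in the `php_memnstr()` call just below; whether `offset` is range-checked against `haystack_len` is decided above the hunk and should be confirmed. The enclosing function starts and ends outside the hunk.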
@@ -4194,7 +4203,7 @@
        zval            **input_str;            /* Input string */
        zval            **mult;                 /* Multiplier */
        char            *result;                /* Resulting string */
-       int             result_len;             /* Length of the resulting 
string */
+       size_t          result_len;             /* Length of the resulting 
string */
        
        if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &input_str, 
&mult) == FAILURE) {
                WRONG_PARAM_COUNT;
@@ -4219,11 +4228,7 @@
        
        /* Initialize the result string */      
        result_len = Z_STRLEN_PP(input_str) * Z_LVAL_PP(mult);
-       if (result_len < 1 || result_len > 2147483647) {
-               php_error_docref(NULL TSRMLS_CC, E_WARNING, "You may not create 
strings longer than 2147483647 bytes");
-               RETURN_FALSE;
-       }
-       result = (char *)emalloc(result_len + 1);
+       result = (char *)safe_emalloc(Z_STRLEN_PP(input_str), Z_LVAL_PP(mult), 
1);
        
        /* Heavy optimization for situations where input string is 1 byte long 
*/
        if (Z_STRLEN_PP(input_str) == 1) {
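Review bot: Removing the `result_len > 2147483647` test leaves no upper bound on the result. `safe_emalloc()` only rejects an allocation size that overflows, so on a 64-bit build a product above INT_MAX can still be allocated and filled. `result_len` is `size_t` after the previous hunk, but if the length is later stored in an int when the string is returned (that code is outside the hunk), it would be truncated. I would keep an explicit bound before allocating, e.g. `if (result_len > INT_MAX) {` followed by the original warning and `RETURN_FALSE;`. The product `Z_STRLEN_PP(input_str) * Z_LVAL_PP(mult)` is also still formed in signed arithmetic before it is assigned, so the overflow the commit targets can occur on that line before `safe_emalloc()` is reached.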
@@ -4894,7 +4899,7 @@
                offset = (offset < 0) ? 0 : offset;
        }
 
-       if ((offset + len) >= s1_len) {
+       if ((offset + len) > s1_len) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "The start position 
cannot exceed initial string length");
                RETURN_FALSE;
        }
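Review bot: The guard tests `offset + len`, but its warning speaks only of the start position, so a caller whose length runs past the end of the string gets a misleading message. The condition and the text should describe the same thing. The sum is also formed before the comparison; if `len` comes straight from the caller (its declaration is outside the hunk), a large value could overflow. `if (len > s1_len - offset) {` expresses the same test without the addition, assuming `offset` is non-negative here, as the clamp in the branch above suggests.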
http://cvs.php.net/viewvc.cgi/php-src/ext/curl/interface.c?r1=1.62.2.15&r2=1.62.2.16&diff_format=u
Index: php-src/ext/curl/interface.c
diff -u php-src/ext/curl/interface.c:1.62.2.15 
php-src/ext/curl/interface.c:1.62.2.16
--- php-src/ext/curl/interface.c:1.62.2.15      Sun May 21 16:33:39 2006
+++ php-src/ext/curl/interface.c        Thu Aug 10 17:16:35 2006
@@ -16,7 +16,7 @@
    +----------------------------------------------------------------------+
 */
 
-/* $Id: interface.c,v 1.62.2.15 2006/05/21 16:33:39 iliaa Exp $ */
+/* $Id: interface.c,v 1.62.2.16 2006/08/10 17:16:35 iliaa Exp $ */
 
 #define ZEND_INCLUDE_FULL_WINDOWS_HEADERS
 
@@ -1070,7 +1070,6 @@
                case CURLOPT_FTPLISTONLY:
                case CURLOPT_FTPAPPEND:
                case CURLOPT_NETRC:
-               case CURLOPT_FOLLOWLOCATION:
                case CURLOPT_PUT:
 #if CURLOPT_MUTE != 0
                 case CURLOPT_MUTE:
@@ -1121,6 +1120,16 @@
                        convert_to_long_ex(zvalue);
                        error = curl_easy_setopt(ch->cp, option, 
Z_LVAL_PP(zvalue));
                        break;
+               case CURLOPT_FOLLOWLOCATION:
+                       convert_to_long_ex(zvalue);
+                       if ((PG(open_basedir) && *PG(open_basedir)) || 
PG(safe_mode)) {
+                               if (Z_LVAL_PP(zvalue) != 0) {
+                                       php_error_docref(NULL TSRMLS_CC, 
E_WARNING, "CURLOPT_FOLLOWLOCATION cannot be activated when in safe_mode or an 
open_basedir is set");
+                                       RETURN_FALSE;
+                               }
+                       }
+                       error = curl_easy_setopt(ch->cp, option, 
Z_LVAL_PP(zvalue));
+                       break;
                case CURLOPT_URL:
                case CURLOPT_PROXY:
                case CURLOPT_USERPWD:
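Review bot: The new `CURLOPT_FOLLOWLOCATION` case has no comment saying why the option is refused, and its condition `(PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)` is repeated verbatim in ext/curl/streams.c in this commit. A one-line comment such as `/* redirect targets are chosen by the remote server and are not re-checked against open_basedir/safe_mode */` (presumably the reason; confirm) and a shared macro for the test would keep the two sites from drifting apart. The check also runs only when the option is set, so it relies on the restriction already being in force at that moment. `RETURN_FALSE` leaves the switch directly; whether anything after the switch still needs to run is outside the hunk.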
http://cvs.php.net/viewvc.cgi/php-src/ext/curl/streams.c?r1=1.14.2.2&r2=1.14.2.3&diff_format=u
Index: php-src/ext/curl/streams.c
diff -u php-src/ext/curl/streams.c:1.14.2.2 php-src/ext/curl/streams.c:1.14.2.3
--- php-src/ext/curl/streams.c:1.14.2.2 Sun Jan  1 12:50:01 2006
+++ php-src/ext/curl/streams.c  Thu Aug 10 17:16:35 2006
@@ -16,7 +16,7 @@
    +----------------------------------------------------------------------+
 */
 
-/* $Id: streams.c,v 1.14.2.2 2006/01/01 12:50:01 sniper Exp $ */
+/* $Id: streams.c,v 1.14.2.3 2006/08/10 17:16:35 iliaa Exp $ */
 
 /* This file implements cURL based wrappers.
  * NOTE: If you are implementing your own streams that are intended to
@@ -289,7 +289,11 @@
        curl_easy_setopt(curlstream->curl, CURLOPT_WRITEHEADER, stream);
 
        /* currently buggy (bug is in curl) */
-       curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1);
+       if ((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) {
+               curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 0);
+       } else {
+               curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1);
+       }
        
        curl_easy_setopt(curlstream->curl, CURLOPT_ERRORBUFFER, 
curlstream->errstr);
        curl_easy_setopt(curlstream->curl, CURLOPT_VERBOSE, 0);
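Review bot: `curl_easy_setopt()` is variadic and reads `CURLOPT_FOLLOWLOCATION` as a `long`, but both new calls pass the int literals `0` and `1`. On LP64 targets that is an argument type mismatch, which matters in a commit aimed at 64-bit fixes. Passing `0L`/`1L` fixes it, and the branch can collapse to one call: `curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, restricted ? 0L : 1L);`, with `restricted` holding the open_basedir/safe_mode test. The retained comment `/* currently buggy (bug is in curl) */` now sits directly above the restriction and reads as if it explained it; a separate comment stating that redirects are disabled under open_basedir/safe_mode would help. Redirects are also turned off silently here, whereas interface.c emits a warning.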
