author | Luca Longinotti <chtekk@gentoo.org> | 2005-11-03 14:09:24 +0000 |
---|---|---|
committer | Luca Longinotti <chtekk@gentoo.org> | 2005-11-03 14:09:24 +0000 |
commit | 614ecb494a09bd259c2319c759ea4b6af83db6e9 (patch) | |
tree | 9fddd904118296b1b81bd324a1368a81576cd630 /dev-lang/php/files | |
parent | Stable on sparc wrt #111116 (diff) | |
PHP security-update.
(Portage version: 2.0.53_rc6)
Diffstat (limited to 'dev-lang/php/files')
16 files changed, 2680 insertions, 0 deletions
diff --git a/dev-lang/php/files/4.3.11/php4.3.11-curl_safemode.patch b/dev-lang/php/files/4.3.11/php4.3.11-curl_safemode.patch
new file mode 100644
index 000000000000..f308dea57dde
--- /dev/null
+++ b/dev-lang/php/files/4.3.11/php4.3.11-curl_safemode.patch
@@ -0,0 +1,141 @@ +--- ext/curl/curl.c 2005-03-14 10:03:09.000000000 +0100 ++++ ext/curl/curl.c 2005-10-17 04:42:51.000000000 +0200 +@@ -16,7 +16,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: curl.c,v 1.124.2.29 2005/03/14 09:03:09 sniper Exp $ */ ++/* $Id: curl.c,v 1.124.2.30.2.3 2005/10/17 02:42:51 iliaa Exp $ */ + + #ifdef HAVE_CONFIG_H + #include "config.h" +@@ -66,7 +66,7 @@ + #define CAAZ(s, v) add_assoc_zval_ex(return_value, s, sizeof(s), (zval *) v); + + #define PHP_CURL_CHECK_OPEN_BASEDIR(str, len) \ +- if (PG(open_basedir) && *PG(open_basedir) && \ ++ if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \ + strncasecmp(str, "file://", sizeof("file://") - 1) == 0) \ + { \ + php_url *tmp_url; \ +@@ -76,7 +76,7 @@ + RETURN_FALSE; \ + } \ + \ +- if (php_check_open_basedir(tmp_url->path TSRMLS_CC) || \ ++ if (tmp_url->query || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \ + (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \ + ) { \ + php_url_free(tmp_url); \ +@@ -436,10 +436,12 @@ + zend_list_addref(ch->id); + ZVAL_STRINGL(argv[1], data, length, 1); + ++ ch->in_callback = 1; + error = call_user_function(EG(function_table), + NULL, + t->func, + retval, 2, argv TSRMLS_CC); ++ ch->in_callback = 0; + if (error == FAILURE) { + php_error(E_WARNING, "%s(): Couldn't call the CURLOPT_WRITEFUNCTION", + get_active_function_name(TSRMLS_C)); +@@ -495,10 +497,12 @@ + zend_list_addref(t->fd); + ZVAL_LONG(argv[2], (int) size * nmemb); + ++ ch->in_callback = 1; + error = call_user_function(EG(function_table), + NULL, + t->func, + retval, 3, argv TSRMLS_CC); ++ ch->in_callback = 0; + if (error == FAILURE) { + php_error(E_WARNING, "%s(): Cannot call the CURLOPT_READFUNCTION", + get_active_function_name(TSRMLS_C)); +@@ -553,10 +557,12 @@ + zend_list_addref(ch->id); + ZVAL_STRINGL(argv[1], data, length, 1); + ++ ch->in_callback = 1; + error = 
call_user_function(EG(function_table), + NULL, + t->func, + retval, 2, argv TSRMLS_CC); ++ ch->in_callback = 0; + if (error == FAILURE) { + php_error(E_WARNING, "%s(): Couldn't call the CURLOPT_HEADERFUNCTION", + get_active_function_name(TSRMLS_C)); +@@ -606,10 +612,12 @@ + ZVAL_STRING(argv[1], prompt, 1); + ZVAL_LONG(argv[2], buflen); + ++ ch->in_callback = 1; + error = call_user_function(EG(function_table), + NULL, + func, + retval, 2, argv TSRMLS_CC); ++ ch->in_callback = 0; + if (error == FAILURE) { + php_error(E_WARNING, "%s(): Couldn't call the CURLOPT_PASSWDFUNCTION", get_active_function_name(TSRMLS_C)); + } else if (Z_TYPE_P(retval) == IS_STRING) { +@@ -680,7 +688,9 @@ + (*ch)->handlers->write_header = ecalloc(1, sizeof(php_curl_write)); + (*ch)->handlers->read = ecalloc(1, sizeof(php_curl_read)); + memset(&(*ch)->err, 0, sizeof((*ch)->err)); +- ++ ++ (*ch)->in_callback = 0; ++ + zend_llist_init(&(*ch)->to_free.str, sizeof(char *), + (void(*)(void *)) curl_free_string, 0); + zend_llist_init(&(*ch)->to_free.slist, sizeof(struct curl_slist), +@@ -982,10 +992,15 @@ + + postval = Z_STRVAL_PP(current); + if (*postval == '@') { ++ ++postval; ++ /* safe_mode / open_basedir check */ ++ if (php_check_open_basedir(postval TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(postval, "rb+", CHECKUID_CHECK_MODE_PARAM))) { ++ RETURN_FALSE; ++ } + error = curl_formadd(&first, &last, + CURLFORM_COPYNAME, string_key, + CURLFORM_NAMELENGTH, (long)string_key_len - 1, +- CURLFORM_FILE, ++postval, ++ CURLFORM_FILE, postval, + CURLFORM_END); + } + else { +@@ -1337,7 +1352,11 @@ + WRONG_PARAM_COUNT; + } + ZEND_FETCH_RESOURCE(ch, php_curl *, zid, -1, le_curl_name, le_curl); +- ++ ++ if (ch->in_callback) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempt to close CURL handle from a callback"); ++ return; ++ } + zend_list_delete(Z_LVAL_PP(zid)); + } + /* }}} */ +--- ext/curl/php_curl.h 2002-12-31 17:34:15.000000000 +0100 ++++ ext/curl/php_curl.h 2005-06-02 23:05:06.000000000 +0200 
+@@ -17,7 +17,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: php_curl.h,v 1.29.2.1 2002/12/31 16:34:15 sebastian Exp $ */ ++/* $Id: php_curl.h,v 1.29.2.2 2005/06/02 21:05:06 tony2001 Exp $ */ + + #ifndef _PHP_CURL_H + #define _PHP_CURL_H +@@ -93,6 +93,7 @@ + struct _php_curl_free to_free; + long id; + unsigned int uses; ++ zend_bool in_callback; + } php_curl; + + /* streams support */ diff --git a/dev-lang/php/files/4.3.11/php4.3.11-globals_overwrite.patch b/dev-lang/php/files/4.3.11/php4.3.11-globals_overwrite.patch new file mode 100644 index 000000000000..d3eb55c5ee3e --- /dev/null +++ b/dev-lang/php/files/4.3.11/php4.3.11-globals_overwrite.patch 
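Review bot: The new safe_mode / open_basedir check on `CURLFORM_FILE` uploads (inner hunk `@@ -982,10 +992,15 @@` of ext/curl/curl.c) returns with `RETURN_FALSE` while the multipart form is still being built, and nothing in the hunk releases what earlier `curl_formadd(&first, &last, ...)` calls have already attached to `first`. The enclosing loop is outside the hunk, but if other fields were processed before the denied one, those parts would presumably leak every time a script hits a rejected path; releasing the list first, `curl_formfree(first); RETURN_FALSE;`, would close that. The same lines appear in the 4.4.0 copy of this patch (`@@ -992,10 +992,15 @@`), so the remark applies there too. A one-line comment that `postval` has already been advanced past the `@` by the time it reaches `curl_formadd()` would also help, since the increment moved out of the argument list.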
@@ -0,0 +1,559 @@ +--- ext/standard/array.c 2004-12-23 17:40:03.000000000 +0100 ++++ ext/standard/array.c 2005-10-31 23:26:23.000000000 +0100 +@@ -22,7 +22,7 @@ + */ + + +-/* $Id: array.c,v 1.199.2.42 2004/12/23 16:40:03 tony2001 Exp $ */ ++/* $Id: array.c,v 1.199.2.44.2.9 2005/10/03 14:05:07 iliaa Exp $ */ + + #include "php.h" + #include "php_ini.h" +@@ -631,7 +640,7 @@ + s = *((Bucket **) b); + + if (f->nKeyLength) { +- Z_STRVAL(key1) = estrndup(f->arKey, f->nKeyLength); ++ Z_STRVAL(key1) = estrndup(f->arKey, f->nKeyLength-1); + Z_STRLEN(key1) = f->nKeyLength-1; + Z_TYPE(key1) = IS_STRING; + } else { +@@ -639,7 +648,7 @@ + Z_TYPE(key1) = IS_LONG; + } + if (s->nKeyLength) { +- Z_STRVAL(key2) = estrndup(s->arKey, s->nKeyLength); ++ Z_STRVAL(key2) = estrndup(s->arKey, s->nKeyLength-1); + Z_STRLEN(key2) = s->nKeyLength-1; + Z_TYPE(key2) = IS_STRING; + } else { +@@ -1243,6 +1252,10 @@ + /* break omitted intentionally */ + + case EXTR_OVERWRITE: ++ /* GLOBALS protection */ ++ if (var_exists && !strcmp(var_name, "GLOBALS")) { ++ break; ++ } + smart_str_appendl(&final_name, var_name, var_name_len); + break; + +@@ -1291,14 +1304,18 @@ + zval **orig_var; + + if (zend_hash_find(EG(active_symbol_table), final_name.c, final_name.len+1, (void **) &orig_var) == SUCCESS) { +- zval_ptr_dtor(orig_var); +- + SEPARATE_ZVAL_TO_MAKE_IS_REF(entry); + zval_add_ref(entry); + ++ zval_ptr_dtor(orig_var); ++ + *orig_var = *entry; + } else { +- (*entry)->is_ref = 1; ++ if ((*var_array)->refcount > 1) { ++ SEPARATE_ZVAL_TO_MAKE_IS_REF(entry); ++ } else { ++ (*entry)->is_ref = 1; ++ } + zval_add_ref(entry); + zend_hash_update(EG(active_symbol_table), final_name.c, final_name.len+1, (void **) entry, sizeof(zval *), NULL); + } +@@ -1818,8 +1835,8 @@ + hashtable and replace it with new one */ + new_hash = php_splice(Z_ARRVAL_P(stack), 0, 0, &args[1], argc-1, NULL); + zend_hash_destroy(Z_ARRVAL_P(stack)); +- efree(Z_ARRVAL_P(stack)); +- Z_ARRVAL_P(stack) = new_hash; ++ *Z_ARRVAL_P(stack) = 
*new_hash; ++ FREE_HASHTABLE(new_hash); + + /* Clean up and return the number of elements in the stack */ + efree(args); +@@ -1896,8 +1913,8 @@ + + /* Replace input array's hashtable with the new one */ + zend_hash_destroy(Z_ARRVAL_P(array)); +- efree(Z_ARRVAL_P(array)); +- Z_ARRVAL_P(array) = new_hash; ++ *Z_ARRVAL_P(array) = *new_hash; ++ FREE_HASHTABLE(new_hash); + + /* Clean up */ + if (argc == 4) +@@ -2384,8 +2401,8 @@ + + /* Copy the result hash into return value */ + zend_hash_destroy(Z_ARRVAL_P(return_value)); +- efree(Z_ARRVAL_P(return_value)); +- Z_ARRVAL_P(return_value) = new_hash; ++ *Z_ARRVAL_P(return_value) = *new_hash; ++ FREE_HASHTABLE(new_hash); + + /* Clean up */ + efree(pads); +@@ -2483,7 +2500,7 @@ + zend_hash_index_update(Z_ARRVAL_P(return_value), num_key, entry, sizeof(entry), NULL); + break; + case HASH_KEY_IS_STRING: +- new_key=estrndup(string_key,str_key_len); ++ new_key=estrndup(string_key,str_key_len - 1); + if (change_to_upper) + php_strtoupper(new_key, str_key_len - 1); + else +@@ -2609,6 +2626,15 @@ + /* copy the argument array */ + *return_value = **args[0]; + zval_copy_ctor(return_value); ++ if (return_value->value.ht == &EG(symbol_table)) { ++ HashTable *ht; ++ zval *tmp; ++ ++ ALLOC_HASHTABLE(ht); ++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0); ++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *)); ++ return_value->value.ht = ht; ++ } + + /* go through the lists and look for common values */ + while (*ptrs[0]) { +@@ -2759,6 +2785,15 @@ + /* copy the argument array */ + *return_value = **args[0]; + zval_copy_ctor(return_value); ++ if (return_value->value.ht == &EG(symbol_table)) { ++ HashTable *ht; ++ zval *tmp; ++ ++ ALLOC_HASHTABLE(ht); ++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0); ++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *)); ++ return_value->value.ht = ht; ++ } + + /* go through the lists and look for 
values of ptr[0] + that are not in the others */ +@@ -3229,8 +3264,11 @@ + efree(callback_name); + + if (ZEND_NUM_ARGS() > 2) { +- convert_to_long_ex(initial); +- result = *initial; ++ ALLOC_ZVAL(result); ++ *result = **initial; ++ zval_copy_ctor(result); ++ convert_to_long(result); ++ INIT_PZVAL(result); + } else { + MAKE_STD_ZVAL(result); + ZVAL_NULL(result); +@@ -3246,6 +3284,7 @@ + if (result) { + *return_value = *result; + zval_copy_ctor(return_value); ++ zval_ptr_dtor(&result); + } + return; + } +@@ -3282,6 +3321,7 @@ + PHP_FUNCTION(array_filter) + { + zval **input, **callback = NULL; ++ zval *array, *func = NULL; + zval **operand; + zval **args[1]; + zval *retval = NULL; +@@ -3300,9 +3340,13 @@ + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The first argument should be an array"); + return; + } ++ if (callback) { ++ func = *callback; ++ } ++ array = *input; + + if (ZEND_NUM_ARGS() > 1) { +- if (!zend_is_callable(*callback, 0, &callback_name)) { ++ if (!zend_is_callable(func, 0, &callback_name)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The second argument, '%s', should be a valid callback", callback_name); + efree(callback_name); + return; +@@ -3311,16 +3355,16 @@ + } + + array_init(return_value); +- if (zend_hash_num_elements(Z_ARRVAL_PP(input)) == 0) ++ if (zend_hash_num_elements(Z_ARRVAL_P(array)) == 0) + return; + +- for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(input), &pos); +- zend_hash_get_current_data_ex(Z_ARRVAL_PP(input), (void **)&operand, &pos) == SUCCESS; +- zend_hash_move_forward_ex(Z_ARRVAL_PP(input), &pos)) { ++ for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(array), &pos); ++ zend_hash_get_current_data_ex(Z_ARRVAL_P(array), (void **)&operand, &pos) == SUCCESS; ++ zend_hash_move_forward_ex(Z_ARRVAL_P(array), &pos)) { + +- if (callback) { ++ if (func) { + args[0] = operand; +- if (call_user_function_ex(EG(function_table), NULL, *callback, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) { ++ if 
(call_user_function_ex(EG(function_table), NULL, func, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) { + if (!zend_is_true(retval)) { + zval_ptr_dtor(&retval); + continue; +@@ -3334,7 +3378,7 @@ + continue; + + zval_add_ref(operand); +- switch (zend_hash_get_current_key_ex(Z_ARRVAL_PP(input), &string_key, &string_key_len, &num_key, 0, &pos)) { ++ switch (zend_hash_get_current_key_ex(Z_ARRVAL_P(array), &string_key, &string_key_len, &num_key, 0, &pos)) { + case HASH_KEY_IS_STRING: + zend_hash_update(Z_ARRVAL_P(return_value), string_key, + string_key_len, operand, sizeof(zval *), NULL); +@@ -3401,6 +3445,7 @@ + efree(array_pos); + return; + } ++ SEPARATE_ZVAL_IF_NOT_REF(pargs[i]); + args[i] = *pargs[i]; + array_len[i] = zend_hash_num_elements(Z_ARRVAL_PP(pargs[i])); + if (array_len[i] > maxlen) { +--- ext/standard/basic_functions.c 2005-01-18 12:01:20.000000000 +0100 ++++ ext/standard/basic_functions.c 2005-10-31 23:29:26.000000000 +0100 +@@ -17,7 +17,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: basic_functions.c,v 1.543.2.47 2005/01/18 11:01:20 sniper Exp $ */ ++/* $Id: basic_functions.c,v 1.543.2.51.2.3 2005/09/29 16:31:48 iliaa Exp $ */ + + #include "php.h" + #include "php_streams.h" +@@ -42,18 +42,7 @@ + #include <time.h> + #include <stdio.h> + +-#ifndef NETWARE + #include <netdb.h> +-#else +-/*#include "netware/env.h"*/ /* Temporary */ +-#ifdef NEW_LIBC /* Same headers hold good for Winsock and Berkeley sockets */ +-#include <netinet/in.h> +-/*#include <arpa/inet.h>*/ +-#include <netdb.h> +-#else +-#include <sys/socket.h> +-#endif +-#endif + + #if HAVE_ARPA_INET_H + # include <arpa/inet.h> +@@ -813,8 +802,8 @@ + PHP_FE(prev, first_arg_force_ref) + PHP_FE(next, first_arg_force_ref) + PHP_FE(reset, first_arg_force_ref) +- PHP_FE(current, first_arg_force_ref) +- PHP_FE(key, first_arg_force_ref) ++ PHP_FE(current, NULL) ++ PHP_FE(key, NULL) + PHP_FE(min, NULL) + PHP_FE(max, NULL) + PHP_FE(in_array, 
NULL) +@@ -944,6 +933,13 @@ + static void php_putenv_destructor(putenv_entry *pe) + { + if (pe->previous_value) { ++#if _MSC_VER ++ /* VS.Net has a bug in putenv() when setting a variable that ++ * is already set; if the SetEnvironmentVariable() API call ++ * fails, the Crt will double free() a string. ++ * We try to avoid this by setting our own value first */ ++ SetEnvironmentVariable(pe->key, "bugbug"); ++#endif + putenv(pe->previous_value); + } else { + # if HAVE_UNSETENV +@@ -1232,11 +1228,10 @@ + } + STR_FREE(BG(locale_string)); + +- if (FG(stream_wrappers)) { +- zend_hash_destroy(FG(stream_wrappers)); +- efree(FG(stream_wrappers)); +- FG(stream_wrappers) = NULL; +- } ++ /* ++ FG(stream_wrappers) are destroyed ++ during php_request_shutdown() ++ */ + + PHP_RSHUTDOWN(fsock) (SHUTDOWN_FUNC_ARGS_PASSTHRU); + PHP_RSHUTDOWN(filestat) (SHUTDOWN_FUNC_ARGS_PASSTHRU); +@@ -1430,6 +1425,14 @@ + } + } + ++#if _MSC_VER ++ /* VS.Net has a bug in putenv() when setting a variable that ++ * is already set; if the SetEnvironmentVariable() API call ++ * fails, the Crt will double free() a string. 
++ * We try to avoid this by setting our own value first */ ++ SetEnvironmentVariable(pe.key, "bugbug"); ++#endif ++ + if (putenv(pe.putenv_string) == 0) { /* success */ + zend_hash_add(&BG(putenv_ht), pe.key, pe.key_len+1, (void **) &pe, sizeof(putenv_entry), NULL); + #ifdef HAVE_TZSET +@@ -2089,17 +2092,21 @@ + static int user_shutdown_function_call(php_shutdown_function_entry *shutdown_function_entry TSRMLS_DC) + { + zval retval; ++ char *function_name = NULL; + +- if (call_user_function( EG(function_table), NULL, +- shutdown_function_entry->arguments[0], +- &retval, +- shutdown_function_entry->arg_count - 1, +- shutdown_function_entry->arguments + 1 +- TSRMLS_CC ) == SUCCESS ) { ++ if (!zend_is_callable(shutdown_function_entry->arguments[0], 0, &function_name)) { ++ php_error(E_WARNING, "(Registered shutdown functions) Unable to call %s() - function does not exist", function_name); ++ } else if (call_user_function(EG(function_table), NULL, ++ shutdown_function_entry->arguments[0], ++ &retval, ++ shutdown_function_entry->arg_count - 1, ++ shutdown_function_entry->arguments + 1 ++ TSRMLS_CC ) == SUCCESS) ++ { + zval_dtor(&retval); +- +- } else { +- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to call %s() - function does not exist", Z_STRVAL_P(shutdown_function_entry->arguments[0])); ++ } ++ if (function_name) { ++ efree(function_name); + } + return 0; + } +@@ -2192,6 +2199,7 @@ + PHP_FUNCTION(register_shutdown_function) + { + php_shutdown_function_entry shutdown_function_entry; ++ char *function_name = NULL; + int i; + + shutdown_function_entry.arg_count = ZEND_NUM_ARGS(); +@@ -2200,26 +2208,31 @@ + WRONG_PARAM_COUNT; + } + +- shutdown_function_entry.arguments = (pval **) safe_emalloc(sizeof(pval *), shutdown_function_entry.arg_count, 0); ++ shutdown_function_entry.arguments = (zval **) safe_emalloc(sizeof(zval *), shutdown_function_entry.arg_count, 0); + + if (zend_get_parameters_array(ht, shutdown_function_entry.arg_count, 
shutdown_function_entry.arguments) == FAILURE) { + RETURN_FALSE; + } + +- /* Prevent entering of anything but arrays/strings */ +- if (Z_TYPE_P(shutdown_function_entry.arguments[0]) != IS_ARRAY) { +- convert_to_string(shutdown_function_entry.arguments[0]); +- } +- +- if (!BG(user_shutdown_function_names)) { +- ALLOC_HASHTABLE(BG(user_shutdown_function_names)); +- zend_hash_init(BG(user_shutdown_function_names), 0, NULL, (void (*)(void *)) user_shutdown_function_dtor, 0); +- } ++ /* Prevent entering of anything but valid callback (syntax check only!) */ ++ if (!zend_is_callable(shutdown_function_entry.arguments[0], 1, &function_name)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid shutdown callback '%s' passed", function_name); ++ efree(shutdown_function_entry.arguments); ++ RETVAL_FALSE; ++ } else { ++ if (!BG(user_shutdown_function_names)) { ++ ALLOC_HASHTABLE(BG(user_shutdown_function_names)); ++ zend_hash_init(BG(user_shutdown_function_names), 0, NULL, (void (*)(void *)) user_shutdown_function_dtor, 0); ++ } + +- for (i = 0; i < shutdown_function_entry.arg_count; i++) { +- shutdown_function_entry.arguments[i]->refcount++; ++ for (i = 0; i < shutdown_function_entry.arg_count; i++) { ++ shutdown_function_entry.arguments[i]->refcount++; ++ } ++ zend_hash_next_index_insert(BG(user_shutdown_function_names), &shutdown_function_entry, sizeof(php_shutdown_function_entry), NULL); ++ } ++ if (function_name) { ++ efree(function_name); + } +- zend_hash_next_index_insert(BG(user_shutdown_function_names), &shutdown_function_entry, sizeof(php_shutdown_function_entry), NULL); + } + /* }}} */ + +@@ -3014,11 +3027,25 @@ + prefix = va_arg(args, char *); + prefix_len = va_arg(args, uint); + +- new_key_len = prefix_len + hash_key->nKeyLength; +- new_key = (char *) emalloc(new_key_len); ++ if (!prefix_len) { ++ if (!hash_key->nKeyLength) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard."); ++ return 0; ++ } else if 
(!strcmp(hash_key->arKey, "GLOBALS")) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite."); ++ return 0; ++ } ++ } ++ ++ if (hash_key->nKeyLength) { ++ new_key_len = prefix_len + hash_key->nKeyLength; ++ new_key = (char *) emalloc(new_key_len); + +- memcpy(new_key, prefix, prefix_len); +- memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength); ++ memcpy(new_key, prefix, prefix_len); ++ memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength); ++ } else { ++ new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h); ++ } + + zend_hash_del(&EG(symbol_table), new_key, new_key_len); + ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0); +--- ext/standard/string.c 2005-01-20 18:57:41.000000000 +0100 ++++ ext/standard/string.c 2005-10-31 23:34:37.000000000 +0100 +@@ -18,7 +18,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: string.c,v 1.333.2.48 2005/01/20 17:57:41 iliaa Exp $ */ ++/* $Id: string.c,v 1.333.2.52.2.1 2005/09/28 22:34:04 iliaa Exp $ */ + + /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */ + +@@ -1317,8 +1317,6 @@ + if (!Z_STRLEN_PP(needle)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Empty delimiter."); + efree(haystack_orig); +- zval_ptr_dtor(haystack); +- zval_ptr_dtor(needle); + RETURN_FALSE; + } + +@@ -1339,8 +1337,6 @@ + RETVAL_FALSE; + } + +- zval_ptr_dtor(haystack); +- zval_ptr_dtor(needle); + efree(haystack_orig); + } + /* }}} */ +@@ -1576,7 +1572,13 @@ + } + + if (chunklen > Z_STRLEN_PP(p_str)) { +- RETURN_STRINGL(Z_STRVAL_PP(p_str), Z_STRLEN_PP(p_str), 1); ++ /* to maintain BC, we must return original string + ending */ ++ result_len = endlen + Z_STRLEN_PP(p_str); ++ result = emalloc(result_len + 1); ++ memcpy(result, Z_STRVAL_PP(p_str), Z_STRLEN_PP(p_str)); ++ memcpy(result + Z_STRLEN_PP(p_str), end, endlen); ++ result[result_len] = '\0'; ++ RETURN_STRINGL(result, result_len, 
0); + } + + if (!Z_STRLEN_PP(p_str)) { +@@ -3169,7 +3179,6 @@ + zval *sarg; + char *res = NULL; + int argCount; +- int old_rg; + + argCount = ARG_COUNT(ht); + if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) { +@@ -3182,19 +3191,18 @@ + res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg)); + } + +- old_rg = PG(register_globals); + if (argCount == 1) { +- PG(register_globals) = 1; +- sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC); ++ zval tmp; ++ Z_ARRVAL(tmp) = EG(active_symbol_table); ++ ++ sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC); + } else { +- PG(register_globals) = 0; + /* Clear out the array that was passed in. */ + zval_dtor(*arrayArg); + array_init(*arrayArg); + + sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC); + } +- PG(register_globals) = old_rg; + } + /* }}} */ + +--- main/php_variables.c 2004-10-18 17:08:46.000000000 +0200 ++++ main/php_variables.c 2005-10-31 23:39:38.000000000 +0100 +@@ -16,7 +16,7 @@ + | Zeev Suraski <zeev@zend.com> | + +----------------------------------------------------------------------+ + */ +-/* $Id: php_variables.c,v 1.45.2.8 2004/10/18 15:08:46 tony2001 Exp $ */ ++/* $Id: php_variables.c,v 1.45.2.13.2.4 2005/10/02 11:33:27 rrichards Exp $ */ + + #include <stdio.h> + #include "php.h" +@@ -73,6 +73,10 @@ + symtable1 = Z_ARRVAL_P(track_vars_array); + } else if (PG(register_globals)) { + symtable1 = EG(active_symbol_table); ++ /* GLOBALS hijack attempt, reject parameter */ ++ if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)) { ++ return; ++ } + } + if (!symtable1) { + /* Nothing to do */ +@@ -99,6 +103,13 @@ + zval_dtor(val); + return; + } ++ ++ /* GLOBALS hijack attempt, reject parameter */ ++ if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) { ++ zval_dtor(val); ++ return; ++ } ++ + /* ensure that we don't have spaces or dots in the variable name (not binary safe) */ + for 
(p=var; *p; p++) { + switch(*p) { +@@ -182,11 +193,25 @@ + if (!index) { + zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); + } else { ++ zval **tmp; ++ + if (PG(magic_quotes_gpc) && (index!=var)) { + char *escaped_index = php_addslashes(index, index_len, &index_len, 0 TSRMLS_CC); ++ ++ if (PG(http_globals)[TRACK_VARS_COOKIE] && symtable1 == Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_COOKIE]) && ++ zend_hash_find(symtable1, escaped_index, index_len+1, (void **) &tmp) != FAILURE) { ++ efree(escaped_index); ++ break; ++ } ++ + zend_hash_update(symtable1, escaped_index, index_len+1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); + efree(escaped_index); + } else { ++ if (PG(http_globals)[TRACK_VARS_COOKIE] && symtable1 == Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_COOKIE]) && ++ zend_hash_find(symtable1, index, index_len+1, (void **) &tmp) != FAILURE) { ++ break; ++ } ++ + zend_hash_update(symtable1, index, index_len+1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); + } + } diff --git a/dev-lang/php/files/4.3.11/php4.3.11-phpinfo_xss.patch b/dev-lang/php/files/4.3.11/php4.3.11-phpinfo_xss.patch new file mode 100644 index 000000000000..2c7d9991794f --- /dev/null +++ b/dev-lang/php/files/4.3.11/php4.3.11-phpinfo_xss.patch 
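Review bot: In the main/php_variables.c hunk `@@ -73,6 +73,10 @@`, the second half of the new GLOBALS test cannot match anything the first half does not. `strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)` compares eight bytes against the seven-character literal plus its terminator, which is exactly what `strncmp("GLOBALS", var, sizeof("GLOBALS"))` already does, so a name whose eighth byte is `[` rather than NUL passes this early check. If the intent was to reject the array form at this point, the literal needs the bracket: `!strncmp("GLOBALS[", var, sizeof("GLOBALS[")-1)`. The `strcmp("GLOBALS", var)` test added by the following hunk may still catch that case once the name has been split at the bracket, but the splitting code is outside the hunk, so the early check should not depend on it.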
@@ -0,0 +1,75 @@ +--- ext/standard/info.c 2004-06-09 17:10:19.000000000 +0200 ++++ ext/standard/info.c 2005-11-01 01:22:42.000000000 +0100 +@@ -18,7 +18,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: info.c,v 1.218.2.16 2004/06/09 15:10:19 iliaa Exp $ */ ++/* $Id: info.c,v 1.218.2.18.2.4 2005/08/16 00:26:02 iliaa Exp $ */ + + #include "php.h" + #include "php_ini.h" +@@ -133,10 +133,21 @@ + PUTS(" => "); + } + if (Z_TYPE_PP(tmp) == IS_ARRAY) { ++ zval *tmp3; ++ MAKE_STD_ZVAL(tmp3); + if (!sapi_module.phpinfo_as_text) { + PUTS("<pre>"); + } ++ php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC); + zend_print_zval_r(*tmp, 0); ++ php_ob_get_buffer(tmp3 TSRMLS_CC); ++ php_end_ob_buffer(0, 0 TSRMLS_CC); ++ ++ elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC); ++ PUTS(elem_esc); ++ efree(elem_esc); ++ zval_ptr_dtor(&tmp3); ++ + if (!sapi_module.phpinfo_as_text) { + PUTS("</pre>"); + } +@@ -196,7 +207,7 @@ + PHPAPI char *php_info_html_esc(char *string TSRMLS_DC) + { + int new_len; +- return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC); ++ return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC); + } + /* }}} */ + +@@ -408,7 +419,9 @@ + if (expose_php && !sapi_module.phpinfo_as_text) { + PUTS("<a href=\"http://www.php.net/\"><img border=\"0\" src=\""); + if (SG(request_info).request_uri) { +- PUTS(SG(request_info).request_uri); ++ char *elem_esc = php_info_html_esc(SG(request_info).request_uri TSRMLS_CC); ++ PUTS(elem_esc); ++ efree(elem_esc); + } + if ((ta->tm_mon==3) && (ta->tm_mday==1)) { + PUTS("?="PHP_EGG_LOGO_GUID"\" alt=\"Nadia!\" /></a>"); +@@ -510,7 +529,9 @@ + if (expose_php && !sapi_module.phpinfo_as_text) { + PUTS("<a href=\"http://www.zend.com/\"><img border=\"0\" src=\""); + if (SG(request_info).request_uri) { +- PUTS(SG(request_info).request_uri); ++ char *elem_esc = php_info_html_esc(SG(request_info).request_uri TSRMLS_CC); 
++ PUTS(elem_esc); ++ efree(elem_esc); + } + PUTS("?="ZEND_LOGO_GUID"\" alt=\"Zend logo\" /></a>\n"); + } +@@ -525,7 +546,9 @@ + php_info_print_hr(); + PUTS("<h1><a href=\""); + if (SG(request_info).request_uri) { +- PUTS(SG(request_info).request_uri); ++ char *elem_esc = php_info_html_esc(SG(request_info).request_uri TSRMLS_CC); ++ PUTS(elem_esc); ++ efree(elem_esc); + } + PUTS("?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000\">"); + PUTS("PHP Credits"); diff --git a/dev-lang/php/files/4.4.0/php4.4.0-curl_safemode.patch b/dev-lang/php/files/4.4.0/php4.4.0-curl_safemode.patch new file mode 100644 index 000000000000..32a82e072077 --- /dev/null +++ b/dev-lang/php/files/4.4.0/php4.4.0-curl_safemode.patch 
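Review bot: The array branch in ext/standard/info.c (`@@ -133,10 +133,21 @@`) ignores the return values of `php_start_ob_buffer()` and `php_ob_get_buffer()`. If the buffer cannot be started, `zend_print_zval_r()` writes straight to the page unescaped, and `tmp3`, which `MAKE_STD_ZVAL` allocates without (as far as I can tell) assigning a type or value, is then read through `Z_STRVAL_P(tmp3)` and handed to `zval_ptr_dtor()`. Guarding the sequence with `if (php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC) == SUCCESS)` and testing `php_ob_get_buffer(tmp3 TSRMLS_CC) == SUCCESS` before calling `php_info_html_esc()` would keep a failure from producing raw or uninitialised output. The function containing this branch starts and ends outside the hunk.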
@@ -0,0 +1,46 @@ +--- ext/curl/curl.c 2005-06-02 23:05:06.000000000 +0200 ++++ ext/curl/curl.c 2005-10-17 04:42:51.000000000 +0200 +@@ -16,7 +16,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: curl.c,v 1.124.2.30 2005/06/02 21:05:06 tony2001 Exp $ */ ++/* $Id: curl.c,v 1.124.2.30.2.3 2005/10/17 02:42:51 iliaa Exp $ */ + + #ifdef HAVE_CONFIG_H + #include "config.h" +@@ -66,7 +66,7 @@ + #define CAAZ(s, v) add_assoc_zval_ex(return_value, s, sizeof(s), (zval *) v); + + #define PHP_CURL_CHECK_OPEN_BASEDIR(str, len) \ +- if (PG(open_basedir) && *PG(open_basedir) && \ ++ if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \ + strncasecmp(str, "file://", sizeof("file://") - 1) == 0) \ + { \ + php_url *tmp_url; \ +@@ -76,7 +76,7 @@ + RETURN_FALSE; \ + } \ + \ +- if (php_check_open_basedir(tmp_url->path TSRMLS_CC) || \ ++ if (tmp_url->query || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \ + (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \ + ) { \ + php_url_free(tmp_url); \ +@@ -992,10 +992,15 @@ + + postval = Z_STRVAL_PP(current); + if (*postval == '@') { ++ ++postval; ++ /* safe_mode / open_basedir check */ ++ if (php_check_open_basedir(postval TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(postval, "rb+", CHECKUID_CHECK_MODE_PARAM))) { ++ RETURN_FALSE; ++ } + error = curl_formadd(&first, &last, + CURLFORM_COPYNAME, string_key, + CURLFORM_NAMELENGTH, (long)string_key_len - 1, +- CURLFORM_FILE, ++postval, ++ CURLFORM_FILE, postval, + CURLFORM_END); + } + else { diff --git a/dev-lang/php/files/4.4.0/php4.4.0-globals_overwrite.patch b/dev-lang/php/files/4.4.0/php4.4.0-globals_overwrite.patch new file mode 100644 index 000000000000..3aefaee16295 --- /dev/null +++ b/dev-lang/php/files/4.4.0/php4.4.0-globals_overwrite.patch 
@@ -0,0 +1,314 @@ +--- ext/standard/array.c 2005-06-21 14:11:19.000000000 +0200 ++++ ext/standard/array.c 2005-11-01 00:40:11.000000000 +0100 +@@ -22,7 +22,7 @@ + */ + + +-/* $Id: array.c,v 1.199.2.44.2.2 2005/06/21 12:11:19 dmitry Exp $ */ ++/* $Id: array.c,v 1.199.2.44.2.9 2005/10/03 14:05:07 iliaa Exp $ */ + + #include "php.h" + #include "php_ini.h" +@@ -1252,6 +1252,10 @@ + /* break omitted intentionally */ + + case EXTR_OVERWRITE: ++ /* GLOBALS protection */ ++ if (var_exists && !strcmp(var_name, "GLOBALS")) { ++ break; ++ } + smart_str_appendl(&final_name, var_name, var_name_len); + break; + +@@ -1300,11 +1304,11 @@ + zval **orig_var; + + if (zend_hash_find(EG(active_symbol_table), final_name.c, final_name.len+1, (void **) &orig_var) == SUCCESS) { +- zval_ptr_dtor(orig_var); +- + SEPARATE_ZVAL_TO_MAKE_IS_REF(entry); + zval_add_ref(entry); + ++ zval_ptr_dtor(orig_var); ++ + *orig_var = *entry; + } else { + if ((*var_array)->refcount > 1) { +@@ -1831,8 +1835,8 @@ + hashtable and replace it with new one */ + new_hash = php_splice(Z_ARRVAL_P(stack), 0, 0, &args[1], argc-1, NULL); + zend_hash_destroy(Z_ARRVAL_P(stack)); +- efree(Z_ARRVAL_P(stack)); +- Z_ARRVAL_P(stack) = new_hash; ++ *Z_ARRVAL_P(stack) = *new_hash; ++ FREE_HASHTABLE(new_hash); + + /* Clean up and return the number of elements in the stack */ + efree(args); +@@ -1909,8 +1913,8 @@ + + /* Replace input array's hashtable with the new one */ + zend_hash_destroy(Z_ARRVAL_P(array)); +- efree(Z_ARRVAL_P(array)); +- Z_ARRVAL_P(array) = new_hash; ++ *Z_ARRVAL_P(array) = *new_hash; ++ FREE_HASHTABLE(new_hash); + + /* Clean up */ + if (argc == 4) +@@ -2397,8 +2401,8 @@ + + /* Copy the result hash into return value */ + zend_hash_destroy(Z_ARRVAL_P(return_value)); +- efree(Z_ARRVAL_P(return_value)); +- Z_ARRVAL_P(return_value) = new_hash; ++ *Z_ARRVAL_P(return_value) = *new_hash; ++ FREE_HASHTABLE(new_hash); + + /* Clean up */ + efree(pads); +@@ -2622,6 +2626,15 @@ + /* copy the argument array */ + 
*return_value = **args[0]; + zval_copy_ctor(return_value); ++ if (return_value->value.ht == &EG(symbol_table)) { ++ HashTable *ht; ++ zval *tmp; ++ ++ ALLOC_HASHTABLE(ht); ++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0); ++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *)); ++ return_value->value.ht = ht; ++ } + + /* go through the lists and look for common values */ + while (*ptrs[0]) { +@@ -2772,6 +2785,15 @@ + /* copy the argument array */ + *return_value = **args[0]; + zval_copy_ctor(return_value); ++ if (return_value->value.ht == &EG(symbol_table)) { ++ HashTable *ht; ++ zval *tmp; ++ ++ ALLOC_HASHTABLE(ht); ++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0); ++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *)); ++ return_value->value.ht = ht; ++ } + + /* go through the lists and look for values of ptr[0] + that are not in the others */ +@@ -3299,6 +3321,7 @@ + PHP_FUNCTION(array_filter) + { + zval **input, **callback = NULL; ++ zval *array, *func = NULL; + zval **operand; + zval **args[1]; + zval *retval = NULL; +@@ -3317,9 +3340,13 @@ + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The first argument should be an array"); + return; + } ++ if (callback) { ++ func = *callback; ++ } ++ array = *input; + + if (ZEND_NUM_ARGS() > 1) { +- if (!zend_is_callable(*callback, 0, &callback_name)) { ++ if (!zend_is_callable(func, 0, &callback_name)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The second argument, '%s', should be a valid callback", callback_name); + efree(callback_name); + return; +@@ -3328,16 +3355,16 @@ + } + + array_init(return_value); +- if (zend_hash_num_elements(Z_ARRVAL_PP(input)) == 0) ++ if (zend_hash_num_elements(Z_ARRVAL_P(array)) == 0) + return; + +- for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(input), &pos); +- zend_hash_get_current_data_ex(Z_ARRVAL_PP(input), (void **)&operand, &pos) == SUCCESS; +- 
zend_hash_move_forward_ex(Z_ARRVAL_PP(input), &pos)) { ++ for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(array), &pos); ++ zend_hash_get_current_data_ex(Z_ARRVAL_P(array), (void **)&operand, &pos) == SUCCESS; ++ zend_hash_move_forward_ex(Z_ARRVAL_P(array), &pos)) { + +- if (callback) { ++ if (func) { + args[0] = operand; +- if (call_user_function_ex(EG(function_table), NULL, *callback, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) { ++ if (call_user_function_ex(EG(function_table), NULL, func, &retval, 1, args, 0, NULL TSRMLS_CC) == SUCCESS && retval) { + if (!zend_is_true(retval)) { + zval_ptr_dtor(&retval); + continue; +@@ -3351,7 +3378,7 @@ + continue; + + zval_add_ref(operand); +- switch (zend_hash_get_current_key_ex(Z_ARRVAL_PP(input), &string_key, &string_key_len, &num_key, 0, &pos)) { ++ switch (zend_hash_get_current_key_ex(Z_ARRVAL_P(array), &string_key, &string_key_len, &num_key, 0, &pos)) { + case HASH_KEY_IS_STRING: + zend_hash_update(Z_ARRVAL_P(return_value), string_key, + string_key_len, operand, sizeof(zval *), NULL); +@@ -3418,6 +3445,7 @@ + efree(array_pos); + return; + } ++ SEPARATE_ZVAL_IF_NOT_REF(pargs[i]); + args[i] = *pargs[i]; + array_len[i] = zend_hash_num_elements(Z_ARRVAL_PP(pargs[i])); + if (array_len[i] > maxlen) { +--- ext/standard/basic_functions.c 2005-05-16 10:55:31.000000000 +0200 ++++ ext/standard/basic_functions.c 2005-11-01 00:40:30.000000000 +0100 +@@ -17,7 +17,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: basic_functions.c,v 1.543.2.51 2005/05/16 08:55:31 tony2001 Exp $ */ ++/* $Id: basic_functions.c,v 1.543.2.51.2.3 2005/09/29 16:31:48 iliaa Exp $ */ + + #include "php.h" + #include "php_streams.h" +@@ -42,18 +42,7 @@ + #include <time.h> + #include <stdio.h> + +-#ifndef NETWARE + #include <netdb.h> +-#else +-/*#include "netware/env.h"*/ /* Temporary */ +-#ifdef NEW_LIBC /* Same headers hold good for Winsock and Berkeley sockets */ +-#include <netinet/in.h> 
+-/*#include <arpa/inet.h>*/ +-#include <netdb.h> +-#else +-#include <sys/socket.h> +-#endif +-#endif + + #if HAVE_ARPA_INET_H + # include <arpa/inet.h> +@@ -813,8 +802,8 @@ + PHP_FE(prev, first_arg_force_ref) + PHP_FE(next, first_arg_force_ref) + PHP_FE(reset, first_arg_force_ref) +- PHP_FE(current, first_arg_force_ref) +- PHP_FE(key, first_arg_force_ref) ++ PHP_FE(current, NULL) ++ PHP_FE(key, NULL) + PHP_FE(min, NULL) + PHP_FE(max, NULL) + PHP_FE(in_array, NULL) +@@ -3038,11 +3027,25 @@ + prefix = va_arg(args, char *); + prefix_len = va_arg(args, uint); + +- new_key_len = prefix_len + hash_key->nKeyLength; +- new_key = (char *) emalloc(new_key_len); ++ if (!prefix_len) { ++ if (!hash_key->nKeyLength) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard."); ++ return 0; ++ } else if (!strcmp(hash_key->arKey, "GLOBALS")) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite."); ++ return 0; ++ } ++ } ++ ++ if (hash_key->nKeyLength) { ++ new_key_len = prefix_len + hash_key->nKeyLength; ++ new_key = (char *) emalloc(new_key_len); + +- memcpy(new_key, prefix, prefix_len); +- memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength); ++ memcpy(new_key, prefix, prefix_len); ++ memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength); ++ } else { ++ new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h); ++ } + + zend_hash_del(&EG(symbol_table), new_key, new_key_len); + ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0); +--- ext/standard/string.c 2005-06-02 10:50:52.000000000 +0200 ++++ ext/standard/string.c 2005-11-01 00:40:20.000000000 +0100 +@@ -18,7 +18,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: string.c,v 1.333.2.52 2005/06/02 08:50:52 derick Exp $ */ ++/* $Id: string.c,v 1.333.2.52.2.1 2005/09/28 22:34:04 iliaa Exp $ */ + + /* Synced with php 3.0 revision 
1.193 1999-06-16 [ssb] */ + +@@ -3179,7 +3179,6 @@ + zval *sarg; + char *res = NULL; + int argCount; +- int old_rg; + + argCount = ARG_COUNT(ht); + if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) { +@@ -3192,19 +3191,18 @@ + res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg)); + } + +- old_rg = PG(register_globals); + if (argCount == 1) { +- PG(register_globals) = 1; +- sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC); ++ zval tmp; ++ Z_ARRVAL(tmp) = EG(active_symbol_table); ++ ++ sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC); + } else { +- PG(register_globals) = 0; + /* Clear out the array that was passed in. */ + zval_dtor(*arrayArg); + array_init(*arrayArg); + + sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC); + } +- PG(register_globals) = old_rg; + } + /* }}} */ + +--- main/php_variables.c 2005-05-17 20:42:35.000000000 +0200 ++++ main/php_variables.c 2005-11-01 00:42:56.000000000 +0100 +@@ -16,7 +16,7 @@ + | Zeev Suraski <zeev@zend.com> | + +----------------------------------------------------------------------+ + */ +-/* $Id: php_variables.c,v 1.45.2.13 2005/05/17 18:42:35 iliaa Exp $ */ ++/* $Id: php_variables.c,v 1.45.2.13.2.4 2005/10/02 11:33:27 rrichards Exp $ */ + + #include <stdio.h> + #include "php.h" +@@ -73,6 +73,10 @@ + symtable1 = Z_ARRVAL_P(track_vars_array); + } else if (PG(register_globals)) { + symtable1 = EG(active_symbol_table); ++ /* GLOBALS hijack attempt, reject parameter */ ++ if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)) { ++ return; ++ } + } + if (!symtable1) { + /* Nothing to do */ +@@ -99,6 +103,13 @@ + zval_dtor(val); + return; + } ++ ++ /* GLOBALS hijack attempt, reject parameter */ ++ if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) { ++ zval_dtor(val); ++ return; ++ } ++ + /* ensure that we don't have spaces or dots in the variable name (not binary safe) */ + for (p=var; *p; 
p++) { + switch(*p) { diff --git a/dev-lang/php/files/4.4.0/php4.4.0-phpinfo_xss.patch b/dev-lang/php/files/4.4.0/php4.4.0-phpinfo_xss.patch new file mode 100644 index 000000000000..2f03ce4e273e --- /dev/null +++ b/dev-lang/php/files/4.4.0/php4.4.0-phpinfo_xss.patch @@ -0,0 +1,42 @@ +--- ext/standard/info.c 2005-06-07 15:37:33.000000000 +0200 ++++ ext/standard/info.c 2005-11-01 01:26:54.000000000 +0100 +@@ -18,7 +18,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: info.c,v 1.218.2.18.2.1 2005/06/07 13:37:33 derick Exp $ */ ++/* $Id: info.c,v 1.218.2.18.2.4 2005/08/16 00:26:02 iliaa Exp $ */ + + #include "php.h" + #include "php_ini.h" +@@ -133,10 +133,21 @@ + PUTS(" => "); + } + if (Z_TYPE_PP(tmp) == IS_ARRAY) { ++ zval *tmp3; ++ MAKE_STD_ZVAL(tmp3); + if (!sapi_module.phpinfo_as_text) { + PUTS("<pre>"); + } ++ php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC); + zend_print_zval_r(*tmp, 0); ++ php_ob_get_buffer(tmp3 TSRMLS_CC); ++ php_end_ob_buffer(0, 0 TSRMLS_CC); ++ ++ elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC); ++ PUTS(elem_esc); ++ efree(elem_esc); ++ zval_ptr_dtor(&tmp3); ++ + if (!sapi_module.phpinfo_as_text) { + PUTS("</pre>"); + } +@@ -196,7 +207,7 @@ + PHPAPI char *php_info_html_esc(char *string TSRMLS_DC) + { + int new_len; +- return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC); ++ return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC); + } + /* }}} */ + diff --git a/dev-lang/php/files/5.0.4/php5.0.4-curl_safemode.patch b/dev-lang/php/files/5.0.4/php5.0.4-curl_safemode.patch new file mode 100644 index 000000000000..6c498a75206b --- /dev/null +++ b/dev-lang/php/files/5.0.4/php5.0.4-curl_safemode.patch 
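Review bot: In the main/php_variables.c part of php4.4.0-globals_overwrite.patch (`@@ -73,6 +73,10 @@`), the second test `!strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)` cannot match anything the first test does not. The literal is still `"GLOBALS"`, and with a length of 8 the comparison includes its terminating NUL, so both calls succeed only when `var` is exactly `GLOBALS`. The `sizeof("GLOBALS[")-1` length suggests a prefix match on the bracketed form was intended, which needs the bracket in the literal as well: `!strncmp("GLOBALS[", var, sizeof("GLOBALS[")-1)`. The later check at `@@ -99,6 +103,13 @@` is also an exact `strcmp` and sits before the loop that rewrites characters in `var`; the rest of that loop is outside the hunk, so whether it covers the bracketed case cannot be confirmed from here.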
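Review bot: In php4.4.0-phpinfo_xss.patch, inner hunk `@@ -133,10 +133,21 @@`, the results of `php_start_ob_buffer()` and `php_ob_get_buffer()` are ignored, yet `Z_STRVAL_P(tmp3)` is read straight afterwards from a zval that, as far as the hunk shows, `MAKE_STD_ZVAL(tmp3)` has only allocated. If either call can fail at this point, `php_info_html_esc()` would run `strlen()` on whatever that value holds. I would wrap the escape-and-print lines in `if (php_ob_get_buffer(tmp3 TSRMLS_CC) == SUCCESS) {` and skip them otherwise. Separately, only the `<pre>` tags are conditional on `sapi_module.phpinfo_as_text`, so the escaping also runs in text mode and plain-text output would carry HTML entities.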
@@ -0,0 +1,161 @@ +--- ext/curl/interface.c 2005-03-14 10:02:42.000000000 +0100 ++++ ext/curl/interface.c 2005-10-31 23:09:15.000000000 +0100 +@@ -16,7 +16,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: interface.c,v 1.46.2.7 2005/03/14 09:02:42 sniper Exp $ */ ++/* $Id: interface.c,v 1.46.2.11 2005/10/17 02:42:32 iliaa Exp $ */ + + #define ZEND_INCLUDE_FULL_WINDOWS_HEADERS + +@@ -62,7 +62,7 @@ + #define CAAZ(s, v) add_assoc_zval_ex(return_value, s, sizeof(s), (zval *) v); + + #define PHP_CURL_CHECK_OPEN_BASEDIR(str, len) \ +- if (PG(open_basedir) && *PG(open_basedir) && \ ++ if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \ + strncasecmp(str, "file://", sizeof("file://") - 1) == 0) \ + { \ + php_url *tmp_url; \ +@@ -72,7 +72,7 @@ + RETURN_FALSE; \ + } \ + \ +- if (php_check_open_basedir(tmp_url->path TSRMLS_CC) || \ ++ if (tmp_url->query || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \ + (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \ + ) { \ + php_url_free(tmp_url); \ +@@ -484,20 +484,22 @@ + fci.no_separation = 0; + fci.symbol_table = NULL; + ++ ch->in_callback = 1; + error = zend_call_function(&fci, &t->fci_cache TSRMLS_CC); ++ ch->in_callback = 0; + if (error == FAILURE) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not call the CURLOPT_WRITEFUNCTION"); + length = -1; +- } else { ++ } else if (retval_ptr) { + if (Z_TYPE_P(retval_ptr) != IS_LONG) { + convert_to_long_ex(&retval_ptr); + } + length = Z_LVAL_P(retval_ptr); ++ zval_ptr_dtor(&retval_ptr); + } + + zval_ptr_dtor(argv[0]); + zval_ptr_dtor(argv[1]); +- zval_ptr_dtor(&retval_ptr); + break; + } + } +@@ -554,20 +556,22 @@ + fci.no_separation = 0; + fci.symbol_table = NULL; + ++ ch->in_callback = 1; + error = zend_call_function(&fci, &t->fci_cache TSRMLS_CC); ++ ch->in_callback = 0; + if (error == FAILURE) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot call the 
CURLOPT_READFUNCTION"); +- } else { ++ } else if (retval_ptr) { + if (Z_TYPE_P(retval_ptr) == IS_STRING) { + length = MIN(size * nmemb, Z_STRLEN_P(retval_ptr)); + memcpy(data, Z_STRVAL_P(retval_ptr), length); + } ++ zval_ptr_dtor(&retval_ptr); + } + + zval_ptr_dtor(argv[0]); + zval_ptr_dtor(argv[1]); + zval_ptr_dtor(argv[2]); +- zval_ptr_dtor(&retval_ptr); + break; + } + } +@@ -625,19 +629,21 @@ + fci.params = argv; + fci.no_separation = 0; + ++ ch->in_callback = 1; + error = zend_call_function(&fci, &t->fci_cache TSRMLS_CC); ++ ch->in_callback = 0; + if (error == FAILURE) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not call the CURLOPT_HEADERFUNCTION"); + length = -1; +- } else { ++ } else if (retval_ptr) { + if (Z_TYPE_P(retval_ptr) != IS_LONG) { + convert_to_long_ex(&retval_ptr); + } + length = Z_LVAL_P(retval_ptr); ++ zval_ptr_dtor(&retval_ptr); + } + zval_ptr_dtor(argv[0]); + zval_ptr_dtor(argv[1]); +- zval_ptr_dtor(&retval_ptr); + break; + } + +@@ -773,6 +779,8 @@ + (*ch)->handlers->write_header = ecalloc(1, sizeof(php_curl_write)); + (*ch)->handlers->read = ecalloc(1, sizeof(php_curl_read)); + ++ (*ch)->in_callback = 0; ++ + memset(&(*ch)->err, 0, sizeof((*ch)->err)); + + zend_llist_init(&(*ch)->to_free.str, sizeof(char *), (void(*)(void *)) curl_free_string, 0); +@@ -1120,10 +1128,15 @@ + * must be explicitly cast to long in curl_formadd + * use since curl needs a long not an int. 
*/ + if (*postval == '@') { ++ ++postval; ++ /* safe_mode / open_basedir check */ ++ if (php_check_open_basedir(postval TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(postval, "rb+", CHECKUID_CHECK_MODE_PARAM))) { ++ RETURN_FALSE; ++ } + error = curl_formadd(&first, &last, + CURLFORM_COPYNAME, string_key, + CURLFORM_NAMELENGTH, (long)string_key_len - 1, +- CURLFORM_FILE, ++postval, ++ CURLFORM_FILE, postval, + CURLFORM_END); + } else { + error = curl_formadd(&first, &last, +@@ -1468,6 +1481,12 @@ + } + + ZEND_FETCH_RESOURCE(ch, php_curl *, zid, -1, le_curl_name, le_curl); ++ ++ if (ch->in_callback) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempt to close CURL handle from a callback"); ++ return; ++ } ++ + if (ch->uses) { + ch->uses--; + } else { +--- ext/curl/php_curl.h 2004/03/12 18:37:55 1.41 ++++ ext/curl/php_curl.h 2005/06/02 21:04:43 1.41.2.1 +@@ -17,7 +17,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: php_curl.h,v 1.41 2004/03/12 18:37:55 sterling Exp $ */ ++/* $Id: php_curl.h,v 1.41.2.1 2005/06/02 21:04:43 tony2001 Exp $ */ + + #ifndef _PHP_CURL_H + #define _PHP_CURL_H +@@ -121,6 +121,7 @@ typedef struct { + php_curl_handlers *handlers; + long id; + unsigned int uses; ++ zend_bool in_callback; + } php_curl; + + typedef struct { diff --git a/dev-lang/php/files/5.0.4/php5.0.4-globals_overwrite.patch b/dev-lang/php/files/5.0.4/php5.0.4-globals_overwrite.patch new file mode 100644 index 000000000000..02a9a83eff0c --- /dev/null +++ b/dev-lang/php/files/5.0.4/php5.0.4-globals_overwrite.patch 
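Review bot: The new `zend_bool in_callback;` field added to `php_curl` in ext/curl/php_curl.h (last inner hunk of php5.0.4-curl_safemode.patch) has no comment, and its contract can only be pieced together from the separate interface.c hunks that set, clear and test it. I would document it at the declaration: `/* non-zero while a user callback for this handle is running; curl_close() refuses to free the handle then */`. The flag is a plain boolean that each callback site resets to 0 unconditionally after `zend_call_function()`, so it assumes callbacks on one handle never nest. If that is not guaranteed, saving the previous value and restoring it would keep the `curl_close()` guard effective.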
@@ -0,0 +1,1013 @@ +--- ext/standard/array.c 2005-03-12 11:12:49.000000000 +0100 ++++ ext/standard/array.c 2005-11-01 01:03:21.000000000 +0100 +@@ -21,7 +21,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: array.c,v 1.266.2.15 2005/03/12 10:12:49 andrey Exp $ */ ++/* $Id: array.c,v 1.266.2.29 2005/10/28 09:57:15 dmitry Exp $ */ + + #include "php.h" + #include "php_ini.h" +@@ -578,43 +578,66 @@ + } + } + +-/* check is comparison function is valid */ ++/* check if comparison function is valid */ + #define PHP_ARRAY_CMP_FUNC_CHECK(func_name) \ + if (!zend_is_callable(*func_name, 0, NULL)) { \ + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid comparison function."); \ ++ BG(user_compare_fci_cache) = old_user_compare_fci_cache; \ + BG(user_compare_func_name) = old_compare_func; \ + RETURN_FALSE; \ + } \ + ++ /* clear FCI cache otherwise : for example the same or other array with ++ (partly) the same key values has been sorted with uasort() or ++ other sorting function the comparison is cached, however the the name ++ of the function for comparison is not respected. see bug #28739 AND #33295 ++ ++ following defines will assist in backup / restore values. 
++ */ ++ ++#define PHP_ARRAY_CMP_FUNC_VARS \ ++ zval **old_compare_func; \ ++ zend_fcall_info_cache old_user_compare_fci_cache ++ ++#define PHP_ARRAY_CMP_FUNC_BACKUP() \ ++ old_compare_func = BG(user_compare_func_name); \ ++ old_user_compare_fci_cache = BG(user_compare_fci_cache); \ ++ BG(user_compare_fci_cache) = empty_fcall_info_cache ++ ++#define PHP_ARRAY_CMP_FUNC_RESTORE() \ ++ BG(user_compare_fci_cache) = old_user_compare_fci_cache; \ ++ BG(user_compare_func_name) = old_compare_func ++ ++ + /* {{{ proto bool usort(array array_arg, string cmp_function) + Sort an array by values using a user-defined comparison function */ + PHP_FUNCTION(usort) + { + zval **array; +- zval **old_compare_func; + HashTable *target_hash; ++ PHP_ARRAY_CMP_FUNC_VARS; ++ ++ PHP_ARRAY_CMP_FUNC_BACKUP(); + +- old_compare_func = BG(user_compare_func_name); +- BG(user_compare_fci_cache) = empty_fcall_info_cache; + + if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &array, &BG(user_compare_func_name)) == FAILURE) { +- BG(user_compare_func_name) = old_compare_func; ++ PHP_ARRAY_CMP_FUNC_RESTORE(); + WRONG_PARAM_COUNT; + } + target_hash = HASH_OF(*array); + if (!target_hash) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The argument should be an array"); +- BG(user_compare_func_name) = old_compare_func; ++ PHP_ARRAY_CMP_FUNC_RESTORE(); + RETURN_FALSE; + } + + PHP_ARRAY_CMP_FUNC_CHECK(BG(user_compare_func_name)) + + if (zend_hash_sort(target_hash, zend_qsort, array_user_compare, 1 TSRMLS_CC) == FAILURE) { +- BG(user_compare_func_name) = old_compare_func; ++ PHP_ARRAY_CMP_FUNC_RESTORE(); + RETURN_FALSE; + } +- BG(user_compare_func_name) = old_compare_func; ++ PHP_ARRAY_CMP_FUNC_RESTORE(); + RETURN_TRUE; + } + /* }}} */ +@@ -624,29 +647,30 @@ + PHP_FUNCTION(uasort) + { + zval **array; +- zval **old_compare_func; + HashTable *target_hash; ++ PHP_ARRAY_CMP_FUNC_VARS; ++ ++ PHP_ARRAY_CMP_FUNC_BACKUP(); + +- old_compare_func = BG(user_compare_func_name); +- BG(user_compare_fci_cache) = 
empty_fcall_info_cache; + if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &array, &BG(user_compare_func_name)) == FAILURE) { +- BG(user_compare_func_name) = old_compare_func; ++ PHP_ARRAY_CMP_FUNC_RESTORE(); + WRONG_PARAM_COUNT; + } + target_hash = HASH_OF(*array); + if (!target_hash) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The argument should be an array"); +- BG(user_compare_func_name) = old_compare_func; ++ PHP_ARRAY_CMP_FUNC_RESTORE(); + RETURN_FALSE; + } + + PHP_ARRAY_CMP_FUNC_CHECK(BG(user_compare_func_name)) + + if (zend_hash_sort(target_hash, zend_qsort, array_user_compare, 0 TSRMLS_CC) == FAILURE) { +- BG(user_compare_func_name) = old_compare_func; ++ PHP_ARRAY_CMP_FUNC_RESTORE(); + RETURN_FALSE; + } +- BG(user_compare_func_name) = old_compare_func; ++ PHP_ARRAY_CMP_FUNC_RESTORE(); ++ + RETURN_TRUE; + } + /* }}} */ +@@ -669,7 +693,7 @@ + s = *((Bucket **) b); + + if (f->nKeyLength) { +- Z_STRVAL(key1) = estrndup(f->arKey, f->nKeyLength); ++ Z_STRVAL(key1) = estrndup(f->arKey, f->nKeyLength-1); + Z_STRLEN(key1) = f->nKeyLength-1; + Z_TYPE(key1) = IS_STRING; + } else { +@@ -677,7 +701,7 @@ + Z_TYPE(key1) = IS_LONG; + } + if (s->nKeyLength) { +- Z_STRVAL(key2) = estrndup(s->arKey, s->nKeyLength); ++ Z_STRVAL(key2) = estrndup(s->arKey, s->nKeyLength-1); + Z_STRLEN(key2) = s->nKeyLength-1; + Z_TYPE(key2) = IS_STRING; + } else { +@@ -703,28 +727,33 @@ + PHP_FUNCTION(uksort) + { + zval **array; +- zval **old_compare_func; + HashTable *target_hash; ++ PHP_ARRAY_CMP_FUNC_VARS; ++ ++ ++ PHP_ARRAY_CMP_FUNC_BACKUP(); + +- old_compare_func = BG(user_compare_func_name); + if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &array, &BG(user_compare_func_name)) == FAILURE) { +- BG(user_compare_func_name) = old_compare_func; ++ PHP_ARRAY_CMP_FUNC_RESTORE(); + WRONG_PARAM_COUNT; + } + target_hash = HASH_OF(*array); + if (!target_hash) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The argument should be an array"); +- BG(user_compare_func_name) = 
old_compare_func; ++ PHP_ARRAY_CMP_FUNC_RESTORE(); ++ + RETURN_FALSE; + } + + PHP_ARRAY_CMP_FUNC_CHECK(BG(user_compare_func_name)) + + if (zend_hash_sort(target_hash, zend_qsort, array_user_key_compare, 0 TSRMLS_CC) == FAILURE) { +- BG(user_compare_func_name) = old_compare_func; ++ PHP_ARRAY_CMP_FUNC_RESTORE(); ++ + RETURN_FALSE; + } +- BG(user_compare_func_name) = old_compare_func; ++ ++ PHP_ARRAY_CMP_FUNC_RESTORE(); + RETURN_TRUE; + } + /* }}} */ +@@ -1008,6 +1037,7 @@ + uint string_key_len; + ulong num_key; + HashPosition pos; ++ zend_fcall_info_cache array_walk_fci_cache = empty_fcall_info_cache; + + /* Set up known arguments */ + args[1] = &key; +@@ -1020,6 +1050,7 @@ + if (recursive && Z_TYPE_PP(args[0]) == IS_ARRAY) { + HashTable *thash; + ++ SEPARATE_ZVAL_TO_MAKE_IS_REF(args[0]); + thash = HASH_OF(*(args[0])); + if (thash == target_hash) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "recursion detected"); +@@ -1051,7 +1082,7 @@ + fci.no_separation = 0; + + /* Call the userland function */ +- if (zend_call_function(&fci, &BG(array_walk_fci_cache) TSRMLS_CC) == SUCCESS) { ++ if (zend_call_function(&fci, &array_walk_fci_cache TSRMLS_CC) == SUCCESS) { + if (retval_ptr) { + zval_ptr_dtor(&retval_ptr); + } +@@ -1094,7 +1125,6 @@ + HashTable *target_hash; + + argc = ZEND_NUM_ARGS(); +- BG(array_walk_fci_cache) = empty_fcall_info_cache; + old_walk_func_name = BG(array_walk_func_name); + if (argc < 2 || argc > 3 || + zend_get_parameters_ex(argc, &array, &BG(array_walk_func_name), &userdata) == FAILURE) { +@@ -1131,7 +1161,6 @@ + + argc = ZEND_NUM_ARGS(); + old_walk_func_name = BG(array_walk_func_name); +- BG(array_walk_fci_cache) = empty_fcall_info_cache; + + if (argc < 2 || argc > 3 || + zend_get_parameters_ex(argc, &array, &BG(array_walk_func_name), &userdata) == FAILURE) { +@@ -1345,6 +1374,10 @@ + /* break omitted intentionally */ + + case EXTR_OVERWRITE: ++ /* GLOBALS protection */ ++ if (var_exists && !strcmp(var_name, "GLOBALS")) { ++ break; ++ } + 
smart_str_appendl(&final_name, var_name, var_name_len); + break; + +@@ -1393,14 +1426,18 @@ + zval **orig_var; + + if (zend_hash_find(EG(active_symbol_table), final_name.c, final_name.len+1, (void **) &orig_var) == SUCCESS) { +- zval_ptr_dtor(orig_var); +- + SEPARATE_ZVAL_TO_MAKE_IS_REF(entry); + zval_add_ref(entry); + ++ zval_ptr_dtor(orig_var); ++ + *orig_var = *entry; + } else { +- (*entry)->is_ref = 1; ++ if ((*var_array)->refcount > 1) { ++ SEPARATE_ZVAL_TO_MAKE_IS_REF(entry); ++ } else { ++ (*entry)->is_ref = 1; ++ } + zval_add_ref(entry); + zend_hash_update(EG(active_symbol_table), final_name.c, final_name.len+1, (void **) entry, sizeof(zval *), NULL); + } +@@ -2005,8 +2042,8 @@ + hashtable and replace it with new one */ + new_hash = php_splice(Z_ARRVAL_P(stack), 0, 0, &args[1], argc-1, NULL); + zend_hash_destroy(Z_ARRVAL_P(stack)); +- efree(Z_ARRVAL_P(stack)); +- Z_ARRVAL_P(stack) = new_hash; ++ *Z_ARRVAL_P(stack) = *new_hash; ++ FREE_HASHTABLE(new_hash); + + /* Clean up and return the number of elements in the stack */ + efree(args); +@@ -2082,8 +2119,8 @@ + + /* Replace input array's hashtable with the new one */ + zend_hash_destroy(Z_ARRVAL_P(array)); +- efree(Z_ARRVAL_P(array)); +- Z_ARRVAL_P(array) = new_hash; ++ *Z_ARRVAL_P(array) = *new_hash; ++ FREE_HASHTABLE(new_hash); + + /* Clean up */ + if (argc == 4) +@@ -2443,7 +2480,6 @@ + zend_hash_internal_pointer_reset_ex(myht, &pos); + while (zend_hash_get_current_data_ex(myht, (void **)&entry, &pos) == SUCCESS) { + if (Z_TYPE_PP(entry) == IS_LONG) { +-int_key: + if (zend_hash_index_find(Z_ARRVAL_P(return_value), + Z_LVAL_PP(entry), + (void**)&tmp) == FAILURE) { +@@ -2456,11 +2492,31 @@ + Z_LVAL_PP(tmp)++; + } + } else if (Z_TYPE_PP(entry) == IS_STRING) { +- /* make sure our array does not end up with numeric string keys */ +- if (is_numeric_string(Z_STRVAL_PP(entry), Z_STRLEN_PP(entry), NULL, NULL, 0) == IS_LONG) { +- SEPARATE_ZVAL(entry); +- convert_to_long_ex(entry); +- goto int_key; ++ /* make sure 
our array does not end up with numeric string keys ++ * but don't touch those strings that start with 0 */ ++ if (!(Z_STRLEN_PP(entry) > 1 && Z_STRVAL_PP(entry)[0] == '0') && is_numeric_string(Z_STRVAL_PP(entry), Z_STRLEN_PP(entry), NULL, NULL, 0) == IS_LONG) { ++ zval tmp_entry; ++ ++ tmp_entry = **entry; ++ zval_copy_ctor(&tmp_entry); ++ ++ convert_to_long(&tmp_entry); ++ ++ if (zend_hash_index_find(Z_ARRVAL_P(return_value), ++ Z_LVAL(tmp_entry), ++ (void**)&tmp) == FAILURE) { ++ zval *data; ++ MAKE_STD_ZVAL(data); ++ Z_TYPE_P(data) = IS_LONG; ++ Z_LVAL_P(data) = 1; ++ zend_hash_index_update(Z_ARRVAL_P(return_value), Z_LVAL(tmp_entry), &data, sizeof(data), NULL); ++ } else { ++ Z_LVAL_PP(tmp)++; ++ } ++ ++ zval_dtor(&tmp_entry); ++ zend_hash_move_forward_ex(myht, &pos); ++ continue; + } + + if (zend_hash_find(Z_ARRVAL_P(return_value), Z_STRVAL_PP(entry), Z_STRLEN_PP(entry)+1, (void**)&tmp) == FAILURE) { +@@ -2598,8 +2654,8 @@ + + /* Copy the result hash into return value */ + zend_hash_destroy(Z_ARRVAL_P(return_value)); +- efree(Z_ARRVAL_P(return_value)); +- Z_ARRVAL_P(return_value) = new_hash; ++ *Z_ARRVAL_P(return_value) = *new_hash; ++ FREE_HASHTABLE(new_hash); + + /* Clean up */ + efree(pads); +@@ -2697,7 +2753,7 @@ + zend_hash_index_update(Z_ARRVAL_P(return_value), num_key, entry, sizeof(entry), NULL); + break; + case HASH_KEY_IS_STRING: +- new_key=estrndup(string_key,str_key_len); ++ new_key=estrndup(string_key,str_key_len - 1); + if (change_to_upper) + php_strtoupper(new_key, str_key_len - 1); + else +@@ -2787,7 +2843,8 @@ + Bucket ***lists, **list, ***ptrs, *p; + + char *callback_name; +- zval **old_compare_func; ++ PHP_ARRAY_CMP_FUNC_VARS; ++ + + int (*intersect_key_compare_func)(const void *, const void * TSRMLS_DC); + int (*intersect_data_compare_func)(const void *, const void * TSRMLS_DC); +@@ -2801,13 +2858,7 @@ + WRONG_PARAM_COUNT; + } + +- old_compare_func = BG(user_compare_func_name); +- /* clear FCI cache otherwise : for example the same or other 
array with +- (partly) the same key values has been sorted with uasort() or +- other sorting function the comparison is cached, however the the name +- of the function for comparison is not respected. see bug #28739 +- */ +- BG(user_compare_fci_cache) = empty_fcall_info_cache; ++ PHP_ARRAY_CMP_FUNC_BACKUP(); + + if (behavior == INTERSECT_NORMAL) { + intersect_key_compare_func = array_key_compare; +@@ -2962,6 +3013,15 @@ + /* copy the argument array */ + *return_value = **args[0]; + zval_copy_ctor(return_value); ++ if (return_value->value.ht == &EG(symbol_table)) { ++ HashTable *ht; ++ zval *tmp; ++ ++ ALLOC_HASHTABLE(ht); ++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0); ++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *)); ++ return_value->value.ht = ht; ++ } + + if (behavior == INTERSECT_NORMAL && data_compare_type == INTERSECT_COMP_DATA_USER) { + /* array_uintersect() */ +@@ -3069,7 +3129,8 @@ + pefree(lists[i], hash->persistent); + } + +- BG(user_compare_func_name) = old_compare_func; ++ PHP_ARRAY_CMP_FUNC_RESTORE(); ++ + + efree(ptrs); + efree(lists); +@@ -3141,7 +3202,8 @@ + Bucket ***lists, **list, ***ptrs, *p; + char *callback_name; + +- zval **old_compare_func; ++ PHP_ARRAY_CMP_FUNC_VARS; ++ + int (*diff_key_compare_func)(const void *, const void * TSRMLS_DC); + int (*diff_data_compare_func)(const void *, const void * TSRMLS_DC); + +@@ -3155,13 +3217,7 @@ + WRONG_PARAM_COUNT; + } + +- old_compare_func = BG(user_compare_func_name); +- /* clear FCI cache otherwise : for example the same or other array with +- (partly) the same key values has been sorted with uasort() or +- other sorting function the comparison is cached, however the the name +- of the function for comparison is not respected. 
see bug #28739 +- */ +- BG(user_compare_fci_cache) = empty_fcall_info_cache; ++ PHP_ARRAY_CMP_FUNC_BACKUP(); + + if (behavior == DIFF_NORMAL) { + diff_key_compare_func = array_key_compare; +@@ -3316,6 +3372,15 @@ + /* copy the argument array */ + *return_value = **args[0]; + zval_copy_ctor(return_value); ++ if (return_value->value.ht == &EG(symbol_table)) { ++ HashTable *ht; ++ zval *tmp; ++ ++ ALLOC_HASHTABLE(ht); ++ zend_hash_init(ht, 0, NULL, ZVAL_PTR_DTOR, 0); ++ zend_hash_copy(ht, return_value->value.ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *)); ++ return_value->value.ht = ht; ++ } + + if (behavior == DIFF_NORMAL && data_compare_type == DIFF_COMP_DATA_USER) { + /* array_udiff() */ +@@ -3410,7 +3475,8 @@ + pefree(lists[i], hash->persistent); + } + +- BG(user_compare_func_name) = old_compare_func; ++ PHP_ARRAY_CMP_FUNC_RESTORE(); ++ + + efree(ptrs); + efree(lists); +@@ -3845,8 +3911,11 @@ + efree(callback_name); + + if (ZEND_NUM_ARGS() > 2) { +- convert_to_long_ex(initial); +- result = *initial; ++ ALLOC_ZVAL(result); ++ *result = **initial; ++ zval_copy_ctor(result); ++ convert_to_long(result); ++ INIT_PZVAL(result); + } else { + MAKE_STD_ZVAL(result); + ZVAL_NULL(result); +@@ -3862,6 +3931,7 @@ + if (result) { + *return_value = *result; + zval_copy_ctor(return_value); ++ zval_ptr_dtor(&result); + } + return; + } +@@ -3911,6 +3981,7 @@ + PHP_FUNCTION(array_filter) + { + zval **input, **callback = NULL; ++ zval *array, *func = NULL; + zval **operand; + zval **args[1]; + zval *retval = NULL; +@@ -3930,9 +4001,13 @@ + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The first argument should be an array"); + return; + } ++ if (callback) { ++ func = *callback; ++ } ++ array = *input; + + if (ZEND_NUM_ARGS() > 1) { +- if (!zend_is_callable(*callback, 0, &callback_name)) { ++ if (!zend_is_callable(func, 0, &callback_name)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The second argument, '%s', should be a valid callback", callback_name); + 
efree(callback_name); + return; +@@ -3941,22 +4016,22 @@ + } + + array_init(return_value); +- if (zend_hash_num_elements(Z_ARRVAL_PP(input)) == 0) { ++ if (zend_hash_num_elements(Z_ARRVAL_P(array)) == 0) { + return; + } + +- for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(input), &pos); +- zend_hash_get_current_data_ex(Z_ARRVAL_PP(input), (void **)&operand, &pos) == SUCCESS; +- zend_hash_move_forward_ex(Z_ARRVAL_PP(input), &pos)) { ++ for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(array), &pos); ++ zend_hash_get_current_data_ex(Z_ARRVAL_P(array), (void **)&operand, &pos) == SUCCESS; ++ zend_hash_move_forward_ex(Z_ARRVAL_P(array), &pos)) { + +- if (callback) { ++ if (func) { + zend_fcall_info fci; + + args[0] = operand; + + fci.size = sizeof(fci); + fci.function_table = EG(function_table); +- fci.function_name = *callback; ++ fci.function_name = func; + fci.symbol_table = NULL; + fci.object_pp = NULL; + fci.retval_ptr_ptr = &retval; +@@ -3980,7 +4055,7 @@ + } + + zval_add_ref(operand); +- switch (zend_hash_get_current_key_ex(Z_ARRVAL_PP(input), &string_key, &string_key_len, &num_key, 0, &pos)) { ++ switch (zend_hash_get_current_key_ex(Z_ARRVAL_P(array), &string_key, &string_key_len, &num_key, 0, &pos)) { + case HASH_KEY_IS_STRING: + zend_hash_update(Z_ARRVAL_P(return_value), string_key, string_key_len, operand, sizeof(zval *), NULL); + break; +@@ -4046,6 +4121,7 @@ + efree(array_pos); + return; + } ++ SEPARATE_ZVAL_IF_NOT_REF(pargs[i]); + args[i] = *pargs[i]; + array_len[i] = zend_hash_num_elements(Z_ARRVAL_PP(pargs[i])); + if (array_len[i] > maxlen) { +--- ext/standard/basic_functions.c 2005-03-10 13:10:57.000000000 +0100 ++++ ext/standard/basic_functions.c 2005-11-01 01:03:31.000000000 +0100 +@@ -17,7 +17,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: basic_functions.c,v 1.673.2.13 2005/03/10 12:10:57 hyanantha Exp $ */ ++/* $Id: basic_functions.c,v 1.673.2.21 2005/09/29 16:31:20 iliaa Exp $ */ + + 
#include "php.h" + #include "php_streams.h" +@@ -469,7 +469,6 @@ + PHP_FALIAS(show_source, highlight_file, NULL) + PHP_FE(highlight_string, NULL) + PHP_FE(php_strip_whitespace, NULL) +- PHP_FE(php_check_syntax, second_arg_force_ref) + + PHP_FE(ini_get, NULL) + PHP_FE(ini_get_all, NULL) +@@ -743,8 +743,8 @@ + PHP_FE(prev, first_arg_force_ref) + PHP_FE(next, first_arg_force_ref) + PHP_FE(reset, first_arg_force_ref) +- PHP_FE(current, first_arg_force_ref) +- PHP_FE(key, first_arg_force_ref) ++ PHP_FE(current, NULL) ++ PHP_FE(key, NULL) + PHP_FE(min, NULL) + PHP_FE(max, NULL) + PHP_FE(in_array, NULL) +@@ -930,7 +930,6 @@ + BG(user_tick_functions) = NULL; + BG(user_filter_map) = NULL; + BG(user_compare_fci_cache) = empty_fcall_info_cache; +- /*BG(array_walk_fci_cache) = empty_fcall_info_cache;*/ + zend_hash_init(&BG(sm_protected_env_vars), 5, NULL, NULL, 1); + BG(sm_allowed_env_vars) = NULL; + +@@ -1192,17 +1191,10 @@ + } + STR_FREE(BG(locale_string)); + +- if (FG(stream_wrappers)) { +- zend_hash_destroy(FG(stream_wrappers)); +- efree(FG(stream_wrappers)); +- FG(stream_wrappers) = NULL; +- } +- +- if (FG(stream_filters)) { +- zend_hash_destroy(FG(stream_filters)); +- efree(FG(stream_filters)); +- FG(stream_filters) = NULL; +- } ++ /* ++ FG(stream_wrappers) and FG(stream_filters) are destroyed ++ during php_request_shutdown() ++ */ + + PHP_RSHUTDOWN(filestat)(SHUTDOWN_FUNC_ARGS_PASSTHRU); + #ifdef HAVE_SYSLOG_H +@@ -2103,17 +2095,21 @@ + static int user_shutdown_function_call(php_shutdown_function_entry *shutdown_function_entry TSRMLS_DC) + { + zval retval; ++ char *function_name = NULL; + +- if (call_user_function( EG(function_table), NULL, +- shutdown_function_entry->arguments[0], +- &retval, +- shutdown_function_entry->arg_count - 1, +- shutdown_function_entry->arguments + 1 +- TSRMLS_CC ) == SUCCESS ) { ++ if (!zend_is_callable(shutdown_function_entry->arguments[0], 0, &function_name)) { ++ php_error(E_WARNING, "(Registered shutdown functions) Unable to call %s() - 
function does not exist", function_name); ++ } else if (call_user_function(EG(function_table), NULL, ++ shutdown_function_entry->arguments[0], ++ &retval, ++ shutdown_function_entry->arg_count - 1, ++ shutdown_function_entry->arguments + 1 ++ TSRMLS_CC ) == SUCCESS) ++ { + zval_dtor(&retval); +- +- } else { +- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to call %s() - function does not exist", Z_STRVAL_P(shutdown_function_entry->arguments[0])); ++ } ++ if (function_name) { ++ efree(function_name); + } + return 0; + } +@@ -2206,6 +2202,7 @@ + PHP_FUNCTION(register_shutdown_function) + { + php_shutdown_function_entry shutdown_function_entry; ++ char *function_name = NULL; + int i; + + shutdown_function_entry.arg_count = ZEND_NUM_ARGS(); +@@ -2214,26 +2211,31 @@ + WRONG_PARAM_COUNT; + } + +- shutdown_function_entry.arguments = (pval **) safe_emalloc(sizeof(pval *), shutdown_function_entry.arg_count, 0); ++ shutdown_function_entry.arguments = (zval **) safe_emalloc(sizeof(zval *), shutdown_function_entry.arg_count, 0); + + if (zend_get_parameters_array(ht, shutdown_function_entry.arg_count, shutdown_function_entry.arguments) == FAILURE) { + RETURN_FALSE; + } + +- /* Prevent entering of anything but arrays/strings */ +- if (Z_TYPE_P(shutdown_function_entry.arguments[0]) != IS_ARRAY) { +- convert_to_string(shutdown_function_entry.arguments[0]); +- } +- +- if (!BG(user_shutdown_function_names)) { +- ALLOC_HASHTABLE(BG(user_shutdown_function_names)); +- zend_hash_init(BG(user_shutdown_function_names), 0, NULL, (void (*)(void *)) user_shutdown_function_dtor, 0); +- } ++ /* Prevent entering of anything but valid callback (syntax check only!) 
*/ ++ if (!zend_is_callable(shutdown_function_entry.arguments[0], 1, &function_name)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid shutdown callback '%s' passed", function_name); ++ efree(shutdown_function_entry.arguments); ++ RETVAL_FALSE; ++ } else { ++ if (!BG(user_shutdown_function_names)) { ++ ALLOC_HASHTABLE(BG(user_shutdown_function_names)); ++ zend_hash_init(BG(user_shutdown_function_names), 0, NULL, (void (*)(void *)) user_shutdown_function_dtor, 0); ++ } + +- for (i = 0; i < shutdown_function_entry.arg_count; i++) { +- shutdown_function_entry.arguments[i]->refcount++; ++ for (i = 0; i < shutdown_function_entry.arg_count; i++) { ++ shutdown_function_entry.arguments[i]->refcount++; ++ } ++ zend_hash_next_index_insert(BG(user_shutdown_function_names), &shutdown_function_entry, sizeof(php_shutdown_function_entry), NULL); ++ } ++ if (function_name) { ++ efree(function_name); + } +- zend_hash_next_index_insert(BG(user_shutdown_function_names), &shutdown_function_entry, sizeof(php_shutdown_function_entry), NULL); + } + /* }}} */ + +@@ -2323,49 +2325,6 @@ + } + /* }}} */ + +-/* {{{ proto bool php_check_syntax(string file_name [, &$error_message]) +- Check the syntax of the specified file. 
*/ +-PHP_FUNCTION(php_check_syntax) +-{ +- char *filename; +- int filename_len; +- zval *errm=NULL; +- zend_file_handle file_handle = {0}; +- +- int old_errors = PG(display_errors); +- int log_errors = PG(log_errors); +- +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|z", &filename, &filename_len, &errm) == FAILURE) { +- RETURN_FALSE; +- } +- +- file_handle.type = ZEND_HANDLE_FILENAME; +- file_handle.filename = filename; +- file_handle.free_filename = 0; +- file_handle.opened_path = NULL; +- +- PG(log_errors) = PG(display_errors) = 0; +- +- if (php_lint_script(&file_handle TSRMLS_CC) != SUCCESS) { +- if (errm) { +- char *error_str; +- +- zval_dtor(errm); +- spprintf(&error_str, 0, "%s in %s on line %d", PG(last_error_message), PG(last_error_file), PG(last_error_lineno)); +- ZVAL_STRING(errm, error_str, 0); +- } +- RETVAL_FALSE; +- } else { +- RETVAL_TRUE; +- } +- +- PG(display_errors) = old_errors; +- PG(log_errors) = log_errors; +- +- return; +-} +-/* }}} */ +- + /* {{{ proto bool highlight_string(string string [, bool return] ) + Syntax highlight a string or optionally return it */ + PHP_FUNCTION(highlight_string) +@@ -3118,11 +3077,25 @@ + prefix = va_arg(args, char *); + prefix_len = va_arg(args, uint); + +- new_key_len = prefix_len + hash_key->nKeyLength; +- new_key = (char *) emalloc(new_key_len); ++ if (!prefix_len) { ++ if (!hash_key->nKeyLength) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard."); ++ return 0; ++ } else if (!strcmp(hash_key->arKey, "GLOBALS")) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite."); ++ return 0; ++ } ++ } ++ ++ if (hash_key->nKeyLength) { ++ new_key_len = prefix_len + hash_key->nKeyLength; ++ new_key = (char *) emalloc(new_key_len); + +- memcpy(new_key, prefix, prefix_len); +- memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength); ++ memcpy(new_key, prefix, prefix_len); ++ memcpy(new_key+prefix_len, hash_key->arKey, 
hash_key->nKeyLength); ++ } else { ++ new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h); ++ } + + zend_hash_del(&EG(symbol_table), new_key, new_key_len); + ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0); +--- ext/standard/string.c 2005-03-01 16:01:08.000000000 +0100 ++++ ext/standard/string.c 2005-11-01 01:03:40.000000000 +0100 +@@ -18,7 +18,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: string.c,v 1.420.2.6 2005/03/01 15:01:08 hyanantha Exp $ */ ++/* $Id: string.c,v 1.420.2.13 2005/09/28 22:35:43 iliaa Exp $ */ + + /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */ + +@@ -1175,6 +1175,22 @@ + return len; + } + } ++#elif defined(NETWARE) ++ /* ++ * Find the first occurence of : from the left ++ * move the path pointer to the position just after : ++ * increment the len_adjust to the length of path till colon character(inclusive) ++ * If there is no character beyond : simple return len ++ */ ++ char *colonpos = NULL; ++ colonpos = strchr(path, ':'); ++ if(colonpos != NULL) { ++ len_adjust = ((colonpos - path) + 1); ++ path += len_adjust; ++ if(len_adjust == len) { ++ return len; ++ } ++ } + #endif + + if (len == 0) { +@@ -1199,9 +1215,21 @@ + } + if (end < path) { + /* No slash found, therefore return '.' 
*/ ++#ifdef NETWARE ++ if(len_adjust == 0) { ++ path[0] = '.'; ++ path[1] = '\0'; ++ return 1; //only one character ++ } ++ else { ++ path[0] = '\0'; ++ return len_adjust; ++ } ++#else + path[0] = '.'; + path[1] = '\0'; + return 1 + len_adjust; ++#endif + } + + /* Strip slashes which came before the file name */ +@@ -1382,8 +1410,6 @@ + if (!Z_STRLEN_PP(needle)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Empty delimiter."); + efree(haystack_orig); +- zval_ptr_dtor(haystack); +- zval_ptr_dtor(needle); + RETURN_FALSE; + } + +@@ -1409,8 +1435,6 @@ + RETVAL_FALSE; + } + +- zval_ptr_dtor(haystack); +- zval_ptr_dtor(needle); + efree(haystack_orig); + } + /* }}} */ +@@ -1839,7 +1863,13 @@ + } + + if (chunklen > Z_STRLEN_PP(p_str)) { +- RETURN_STRINGL(Z_STRVAL_PP(p_str), Z_STRLEN_PP(p_str), 1); ++ /* to maintain BC, we must return original string + ending */ ++ result_len = endlen + Z_STRLEN_PP(p_str); ++ result = emalloc(result_len + 1); ++ memcpy(result, Z_STRVAL_PP(p_str), Z_STRLEN_PP(p_str)); ++ memcpy(result + Z_STRLEN_PP(p_str), end, endlen); ++ result[result_len] = '\0'; ++ RETURN_STRINGL(result, result_len, 0); + } + + if (!Z_STRLEN_PP(p_str)) { +@@ -2937,7 +2975,7 @@ + char *source, *target, *tmp, *source_end=str+len, *tmp_end = NULL; + + for (source = str; source < source_end; source++) { +- if (*source == from) { ++ if ((case_sensitivity && *source == from) || (!case_sensitivity && tolower(*source) == tolower(from))) { + char_count++; + } + } +@@ -3771,7 +3809,6 @@ + zval *sarg; + char *res = NULL; + int argCount; +- int old_rg; + + argCount = ZEND_NUM_ARGS(); + if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) { +@@ -3784,19 +3821,18 @@ + res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg)); + } + +- old_rg = PG(register_globals); + if (argCount == 1) { +- PG(register_globals) = 1; +- sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC); ++ zval tmp; ++ Z_ARRVAL(tmp) = EG(active_symbol_table); ++ ++ 
sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC); + } else { +- PG(register_globals) = 0; + /* Clear out the array that was passed in. */ + zval_dtor(*arrayArg); + array_init(*arrayArg); + + sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC); + } +- PG(register_globals) = old_rg; + } + /* }}} */ + +--- main/php_variables.c 2005-02-17 05:46:10.000000000 +0100 ++++ main/php_variables.c 2005-11-01 01:07:38.000000000 +0100 +@@ -17,7 +17,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: php_variables.c,v 1.81.2.3 2005/02/17 04:46:10 iliaa Exp $ */ ++/* $Id: php_variables.c,v 1.81.2.13 2005/09/28 22:35:42 iliaa Exp $ */ + + #include <stdio.h> + #include "php.h" +@@ -103,6 +103,13 @@ + zval_dtor(val); + return; + } ++ ++ /* GLOBALS hijack attempt, reject parameter */ ++ if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) { ++ zval_dtor(val); ++ return; ++ } ++ + /* ensure that we don't have spaces or dots in the variable name (not binary safe) */ + for (p=var; *p; p++) { + switch(*p) { +@@ -186,7 +193,19 @@ + if (!index) { + zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); + } else { ++ zval **tmp; + char *escaped_index = php_addslashes(index, index_len, &index_len, 0 TSRMLS_CC); ++ /* ++ * According to rfc2965, more specific paths are listed above the less specific ones. ++ * If we encounter a duplicate cookie name, we should skip it, since it is not possible ++ * to have the same (plain text) cookie name for the same path and we should not overwrite ++ * more specific cookies with the less specific ones. 
++ */ ++ if (PG(http_globals)[TRACK_VARS_COOKIE] && symtable1 == Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_COOKIE]) && ++ zend_symtable_find(symtable1, escaped_index, index_len+1, (void **) &tmp) != FAILURE) { ++ efree(escaped_index); ++ break; ++ } + zend_symtable_update(symtable1, escaped_index, index_len+1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p); + efree(escaped_index); + } +@@ -250,12 +269,21 @@ + INIT_PZVAL(array_ptr); + switch (arg) { + case PARSE_POST: ++ if (PG(http_globals)[TRACK_VARS_POST]) { ++ zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_POST]); ++ } + PG(http_globals)[TRACK_VARS_POST] = array_ptr; + break; + case PARSE_GET: ++ if (PG(http_globals)[TRACK_VARS_GET]) { ++ zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_GET]); ++ } + PG(http_globals)[TRACK_VARS_GET] = array_ptr; + break; + case PARSE_COOKIE: ++ if (PG(http_globals)[TRACK_VARS_COOKIE]) { ++ zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_COOKIE]); ++ } + PG(http_globals)[TRACK_VARS_COOKIE] = array_ptr; + break; + } +@@ -500,6 +528,9 @@ + ALLOC_ZVAL(array_ptr); + array_init(array_ptr); + INIT_PZVAL(array_ptr); ++ if (PG(http_globals)[TRACK_VARS_SERVER]) { ++ zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_SERVER]); ++ } + PG(http_globals)[TRACK_VARS_SERVER] = array_ptr; + PG(magic_quotes_gpc) = 0; + +@@ -675,8 +706,8 @@ + PG(http_globals)[i] = dummy_track_vars_array; + } + +- zend_hash_update(&EG(symbol_table), auto_global_records[i].name, auto_global_records[i].name_len, &PG(http_globals)[i], sizeof(zval *), NULL); + PG(http_globals)[i]->refcount++; ++ zend_hash_update(&EG(symbol_table), auto_global_records[i].name, auto_global_records[i].name_len, &PG(http_globals)[i], sizeof(zval *), NULL); + if (PG(register_long_arrays)) { + zend_hash_update(&EG(symbol_table), auto_global_records[i].long_name, auto_global_records[i].long_name_len, &PG(http_globals)[i], sizeof(zval *), NULL); + PG(http_globals)[i]->refcount++; +@@ -696,7 +727,18 @@ + + static zend_bool php_auto_globals_create_server(char 
*name, uint name_len TSRMLS_DC) + { +- php_register_server_variables(TSRMLS_C); ++ if (PG(variables_order) && (strchr(PG(variables_order),'S') || strchr(PG(variables_order),'s'))) { ++ php_register_server_variables(TSRMLS_C); ++ } else { ++ zval *server_vars=NULL; ++ ALLOC_ZVAL(server_vars); ++ array_init(server_vars); ++ INIT_PZVAL(server_vars); ++ if (PG(http_globals)[TRACK_VARS_SERVER]) { ++ zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_SERVER]); ++ } ++ PG(http_globals)[TRACK_VARS_SERVER] = server_vars; ++ } + + zend_hash_update(&EG(symbol_table), name, name_len+1, &PG(http_globals)[TRACK_VARS_SERVER], sizeof(zval *), NULL); + PG(http_globals)[TRACK_VARS_SERVER]->refcount++; +@@ -716,9 +758,14 @@ + ALLOC_ZVAL(env_vars); + array_init(env_vars); + INIT_PZVAL(env_vars); ++ if (PG(http_globals)[TRACK_VARS_ENV]) { ++ zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_ENV]); ++ } + PG(http_globals)[TRACK_VARS_ENV] = env_vars; + +- php_import_environment_variables(PG(http_globals)[TRACK_VARS_ENV] TSRMLS_CC); ++ if (PG(variables_order) && (strchr(PG(variables_order),'E') || strchr(PG(variables_order),'e'))) { ++ php_import_environment_variables(PG(http_globals)[TRACK_VARS_ENV] TSRMLS_CC); ++ } + + zend_hash_update(&EG(symbol_table), name, name_len+1, &PG(http_globals)[TRACK_VARS_ENV], sizeof(zval *), NULL); + PG(http_globals)[TRACK_VARS_ENV]->refcount++; diff --git a/dev-lang/php/files/5.0.4/php5.0.4-phpinfo_xss.patch b/dev-lang/php/files/5.0.4/php5.0.4-phpinfo_xss.patch new file mode 100644 index 000000000000..e19c9fe11a53 --- /dev/null +++ b/dev-lang/php/files/5.0.4/php5.0.4-phpinfo_xss.patch 
@@ -0,0 +1,79 @@ +--- ext/standard/info.c 2004-05-02 15:23:30.000000000 +0200 ++++ ext/standard/info.c 2005-11-01 01:30:58.000000000 +0100 +@@ -18,7 +18,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: info.c,v 1.245 2004/05/02 13:23:30 helly Exp $ */ ++/* $Id: info.c,v 1.245.2.5 2005/08/16 00:25:46 iliaa Exp $ */ + + #include "php.h" + #include "php_ini.h" +@@ -135,10 +135,25 @@ + PUTS(" => "); + } + if (Z_TYPE_PP(tmp) == IS_ARRAY) { ++ zval *tmp3; ++ ++ MAKE_STD_ZVAL(tmp3); ++ + if (!sapi_module.phpinfo_as_text) { + PUTS("<pre>"); + } ++ php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC); ++ + zend_print_zval_r(*tmp, 0 TSRMLS_CC); ++ ++ php_ob_get_buffer(tmp3 TSRMLS_CC); ++ php_end_ob_buffer(0, 0 TSRMLS_CC); ++ ++ elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC); ++ PUTS(elem_esc); ++ efree(elem_esc); ++ zval_ptr_dtor(&tmp3); ++ + if (!sapi_module.phpinfo_as_text) { + PUTS("</pre>"); + } +@@ -198,7 +213,7 @@ + PHPAPI char *php_info_html_esc(char *string TSRMLS_DC) + { + int new_len; +- return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC); ++ return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC); + } + /* }}} */ + +@@ -406,7 +421,9 @@ + if (expose_php && !sapi_module.phpinfo_as_text) { + PUTS("<a href=\"http://www.php.net/\"><img border=\"0\" src=\""); + if (SG(request_info).request_uri) { +- PUTS(SG(request_info).request_uri); ++ char *elem_esc = php_info_html_esc(SG(request_info).request_uri TSRMLS_CC); ++ PUTS(elem_esc); ++ efree(elem_esc); + } + PUTS("?="); + logo_guid = php_logo_guid(); +@@ -551,7 +574,9 @@ + if (expose_php && !sapi_module.phpinfo_as_text) { + PUTS("<a href=\"http://www.zend.com/\"><img border=\"0\" src=\""); + if (SG(request_info).request_uri) { +- PUTS(SG(request_info).request_uri); ++ char *elem_esc = php_info_html_esc(SG(request_info).request_uri TSRMLS_CC); ++ PUTS(elem_esc); ++ efree(elem_esc); + } + 
PUTS("?="ZEND_LOGO_GUID"\" alt=\"Zend logo\" /></a>\n"); + } +@@ -570,7 +595,9 @@ + php_info_print_hr(); + PUTS("<h1><a href=\""); + if (SG(request_info).request_uri) { +- PUTS(SG(request_info).request_uri); ++ char *elem_esc = php_info_html_esc(SG(request_info).request_uri TSRMLS_CC); ++ PUTS(elem_esc); ++ efree(elem_esc); + } + PUTS("?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000\">"); + PUTS("PHP Credits"); diff --git a/dev-lang/php/files/5.0.5/php5.0.5-curl_safemode.patch b/dev-lang/php/files/5.0.5/php5.0.5-curl_safemode.patch new file mode 100644 index 000000000000..91424e451974 --- /dev/null +++ b/dev-lang/php/files/5.0.5/php5.0.5-curl_safemode.patch 
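Review bot: In the `IS_ARRAY` branch of the ext/standard/info.c hunk at -135, the buffered `zend_print_zval_r()` output is passed through `php_info_html_esc()` unconditionally, while the surrounding `<pre>` tags are written only when `!sapi_module.phpinfo_as_text`. Plain-text output would therefore carry HTML entities. The buffer/escape sequence should sit under the same `!sapi_module.phpinfo_as_text` condition, with the text path keeping the direct `zend_print_zval_r(*tmp, 0 TSRMLS_CC);` call. The results of `php_start_ob_buffer()` and `php_ob_get_buffer()` are also ignored, so on failure `Z_STRVAL_P(tmp3)` would read a zval that `MAKE_STD_ZVAL` appears to leave without a string value; checking both before escaping closes that. The enclosing function starts and ends outside the hunk, and `elem_esc` is presumably declared there.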
@@ -0,0 +1,46 @@ +--- ext/curl/interface.c 2005-06-02 23:04:43.000000000 +0200 ++++ ext/curl/interface.c.new 2005-10-31 23:18:13.000000000 +0100 +@@ -16,7 +16,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: interface.c,v 1.46.2.8 2005/06/02 21:04:43 tony2001 Exp $ */ ++/* $Id: interface.c,v 1.46.2.11 2005/10/17 02:42:32 iliaa Exp $ */ + + #define ZEND_INCLUDE_FULL_WINDOWS_HEADERS + +@@ -62,7 +62,7 @@ + #define CAAZ(s, v) add_assoc_zval_ex(return_value, s, sizeof(s), (zval *) v); + + #define PHP_CURL_CHECK_OPEN_BASEDIR(str, len) \ +- if (PG(open_basedir) && *PG(open_basedir) && \ ++ if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \ + strncasecmp(str, "file://", sizeof("file://") - 1) == 0) \ + { \ + php_url *tmp_url; \ +@@ -72,7 +72,7 @@ + RETURN_FALSE; \ + } \ + \ +- if (php_check_open_basedir(tmp_url->path TSRMLS_CC) || \ ++ if (tmp_url->query || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \ + (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \ + ) { \ + php_url_free(tmp_url); \ +@@ -1128,10 +1128,15 @@ + * must be explicitly cast to long in curl_formadd + * use since curl needs a long not an int. */ + if (*postval == '@') { ++ ++postval; ++ /* safe_mode / open_basedir check */ ++ if (php_check_open_basedir(postval TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(postval, "rb+", CHECKUID_CHECK_MODE_PARAM))) { ++ RETURN_FALSE; ++ } + error = curl_formadd(&first, &last, + CURLFORM_COPYNAME, string_key, + CURLFORM_NAMELENGTH, (long)string_key_len - 1, +- CURLFORM_FILE, ++postval, ++ CURLFORM_FILE, postval, + CURLFORM_END); + } else { + error = curl_formadd(&first, &last, diff --git a/dev-lang/php/files/5.0.5/php5.0.5-globals_overwrite.patch b/dev-lang/php/files/5.0.5/php5.0.5-globals_overwrite.patch new file mode 100644 index 000000000000..cdae541d5eef --- /dev/null +++ b/dev-lang/php/files/5.0.5/php5.0.5-globals_overwrite.patch 
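Review bot: In the ext/curl/interface.c hunk at -1128, the new `RETURN_FALSE` in the `'@'` branch leaves the function without releasing the form list that `curl_formadd(&first, &last, ...)` builds. If this branch runs after earlier fields were added (the surrounding loop is outside the hunk, so this is inferred), every rejected upload path leaks those parts; `curl_formfree(first); RETURN_FALSE;` would avoid that. In the `PHP_CURL_CHECK_OPEN_BASEDIR` hunk at -72, the added `tmp_url->query ||` term refuses any `file://` URL that has a query component, and nothing says why. A one-line comment above the macro, such as `/* file:// URLs with a query component are refused outright; only the path is checked against open_basedir/safe_mode */`, would record the intent.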
@@ -0,0 +1,203 @@ +--- ext/standard/array.c 2005-09-01 14:01:01.000000000 +0200 ++++ ext/standard/array.c 2005-11-01 01:15:13.000000000 +0100 +@@ -21,7 +21,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: array.c,v 1.266.2.25 2005/09/01 12:01:01 dmitry Exp $ */ ++/* $Id: array.c,v 1.266.2.29 2005/10/28 09:57:15 dmitry Exp $ */ + + #include "php.h" + #include "php_ini.h" +@@ -1050,6 +1050,7 @@ + if (recursive && Z_TYPE_PP(args[0]) == IS_ARRAY) { + HashTable *thash; + ++ SEPARATE_ZVAL_TO_MAKE_IS_REF(args[0]); + thash = HASH_OF(*(args[0])); + if (thash == target_hash) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "recursion detected"); +@@ -1373,6 +1374,10 @@ + /* break omitted intentionally */ + + case EXTR_OVERWRITE: ++ /* GLOBALS protection */ ++ if (var_exists && !strcmp(var_name, "GLOBALS")) { ++ break; ++ } + smart_str_appendl(&final_name, var_name, var_name_len); + break; + +@@ -2487,8 +2492,9 @@ + Z_LVAL_PP(tmp)++; + } + } else if (Z_TYPE_PP(entry) == IS_STRING) { +- /* make sure our array does not end up with numeric string keys */ +- if (is_numeric_string(Z_STRVAL_PP(entry), Z_STRLEN_PP(entry), NULL, NULL, 0) == IS_LONG) { ++ /* make sure our array does not end up with numeric string keys ++ * but don't touch those strings that start with 0 */ ++ if (!(Z_STRLEN_PP(entry) > 1 && Z_STRVAL_PP(entry)[0] == '0') && is_numeric_string(Z_STRVAL_PP(entry), Z_STRLEN_PP(entry), NULL, NULL, 0) == IS_LONG) { + zval tmp_entry; + + tmp_entry = **entry; +@@ -3975,7 +3981,7 @@ + PHP_FUNCTION(array_filter) + { + zval **input, **callback = NULL; +- zval *array; ++ zval *array, *func = NULL; + zval **operand; + zval **args[1]; + zval *retval = NULL; +@@ -3995,10 +4001,13 @@ + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The first argument should be an array"); + return; + } ++ if (callback) { ++ func = *callback; ++ } + array = *input; + + if (ZEND_NUM_ARGS() > 1) { +- if (!zend_is_callable(*callback, 0, &callback_name)) { ++ if 
(!zend_is_callable(func, 0, &callback_name)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The second argument, '%s', should be a valid callback", callback_name); + efree(callback_name); + return; +@@ -4015,14 +4024,14 @@ + zend_hash_get_current_data_ex(Z_ARRVAL_P(array), (void **)&operand, &pos) == SUCCESS; + zend_hash_move_forward_ex(Z_ARRVAL_P(array), &pos)) { + +- if (callback) { ++ if (func) { + zend_fcall_info fci; + + args[0] = operand; + + fci.size = sizeof(fci); + fci.function_table = EG(function_table); +- fci.function_name = *callback; ++ fci.function_name = func; + fci.symbol_table = NULL; + fci.object_pp = NULL; + fci.retval_ptr_ptr = &retval; +--- ext/standard/basic_functions.c 2005-08-21 20:36:33.000000000 +0200 ++++ ext/standard/basic_functions.c 2005-11-01 01:15:20.000000000 +0100 +@@ -17,7 +17,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: basic_functions.c,v 1.673.2.18 2005/08/21 18:36:33 zeev Exp $ */ ++/* $Id: basic_functions.c,v 1.673.2.21 2005/09/29 16:31:20 iliaa Exp $ */ + + #include "php.h" + #include "php_streams.h" +@@ -742,8 +743,8 @@ + PHP_FE(prev, first_arg_force_ref) + PHP_FE(next, first_arg_force_ref) + PHP_FE(reset, first_arg_force_ref) +- PHP_FE(current, first_arg_force_ref) +- PHP_FE(key, first_arg_force_ref) ++ PHP_FE(current, NULL) ++ PHP_FE(key, NULL) + PHP_FE(min, NULL) + PHP_FE(max, NULL) + PHP_FE(in_array, NULL) +@@ -3076,11 +3077,25 @@ + prefix = va_arg(args, char *); + prefix_len = va_arg(args, uint); + +- new_key_len = prefix_len + hash_key->nKeyLength; +- new_key = (char *) emalloc(new_key_len); ++ if (!prefix_len) { ++ if (!hash_key->nKeyLength) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard."); ++ return 0; ++ } else if (!strcmp(hash_key->arKey, "GLOBALS")) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite."); ++ return 0; ++ } ++ } ++ ++ if (hash_key->nKeyLength) { ++ 
new_key_len = prefix_len + hash_key->nKeyLength; ++ new_key = (char *) emalloc(new_key_len); + +- memcpy(new_key, prefix, prefix_len); +- memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength); ++ memcpy(new_key, prefix, prefix_len); ++ memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength); ++ } else { ++ new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h); ++ } + + zend_hash_del(&EG(symbol_table), new_key, new_key_len); + ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0); +--- ext/standard/string.c 2005-07-16 13:18:35.000000000 +0200 ++++ ext/standard/string.c 2005-11-01 01:15:27.000000000 +0100 +@@ -18,7 +18,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: string.c,v 1.420.2.12 2005/07/16 11:18:35 hyanantha Exp $ */ ++/* $Id: string.c,v 1.420.2.13 2005/09/28 22:35:43 iliaa Exp $ */ + + /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */ + +@@ -3809,7 +3809,6 @@ + zval *sarg; + char *res = NULL; + int argCount; +- int old_rg; + + argCount = ZEND_NUM_ARGS(); + if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) { +@@ -3822,19 +3821,18 @@ + res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg)); + } + +- old_rg = PG(register_globals); + if (argCount == 1) { +- PG(register_globals) = 1; +- sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC); ++ zval tmp; ++ Z_ARRVAL(tmp) = EG(active_symbol_table); ++ ++ sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC); + } else { +- PG(register_globals) = 0; + /* Clear out the array that was passed in. 
*/ + zval_dtor(*arrayArg); + array_init(*arrayArg); + + sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC); + } +- PG(register_globals) = old_rg; + } + /* }}} */ + +--- main/php_variables.c 2005-09-01 21:15:51.000000000 +0200 ++++ main/php_variables.c 2005-11-01 01:16:22.000000000 +0100 +@@ -17,7 +17,7 @@ + +----------------------------------------------------------------------+ + */ + +-/* $Id: php_variables.c,v 1.81.2.12 2005/09/01 19:15:51 iliaa Exp $ */ ++/* $Id: php_variables.c,v 1.81.2.13 2005/09/28 22:35:42 iliaa Exp $ */ + + #include <stdio.h> + #include "php.h" +@@ -103,6 +103,13 @@ + zval_dtor(val); + return; + } ++ ++ /* GLOBALS hijack attempt, reject parameter */ ++ if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) { ++ zval_dtor(val); ++ return; ++ } ++ + /* ensure that we don't have spaces or dots in the variable name (not binary safe) */ + for (p=var; *p; p++) { + switch(*p) { diff --git a/dev-lang/php/files/digest-php-4.3.11-r2 b/dev-lang/php/files/digest-php-4.3.11-r3 index 65531066fd6b..65531066fd6b 100644 --- a/dev-lang/php/files/digest-php-4.3.11-r2 +++ b/dev-lang/php/files/digest-php-4.3.11-r3 diff --git a/dev-lang/php/files/digest-php-4.4.0-r2 b/dev-lang/php/files/digest-php-4.4.0-r3 index 5cf0a8b3bd28..5cf0a8b3bd28 100644 --- a/dev-lang/php/files/digest-php-4.4.0-r2 +++ b/dev-lang/php/files/digest-php-4.4.0-r3 diff --git a/dev-lang/php/files/digest-php-4.4.1 b/dev-lang/php/files/digest-php-4.4.1 new file mode 100644 index 000000000000..f88fc54cea9e --- /dev/null +++ b/dev-lang/php/files/digest-php-4.4.1 @@ -0,0 +1 @@ +MD5 6b5726471189f8a1f26dd7cc5e19b442 php-4.4.1.tar.bz2 4157749 diff --git a/dev-lang/php/files/digest-php-5.0.4-r2 b/dev-lang/php/files/digest-php-5.0.4-r3 index 6b6d1ce71bb5..6b6d1ce71bb5 100644 --- a/dev-lang/php/files/digest-php-5.0.4-r2 +++ b/dev-lang/php/files/digest-php-5.0.4-r3 
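Review bot: In the ext/standard/basic_functions.c hunk at -3076, the two branches that build `new_key` disagree on what `new_key_len` counts. The string-key branch uses `prefix_len + hash_key->nKeyLength`, and `nKeyLength` in the Zend hash API includes the terminating NUL, while the numeric-key branch takes the return value of `spprintf()`, which does not. That length goes unchanged to `zend_hash_del()` and `ZEND_SET_SYMBOL_WITH_LENGTH()`, so a prefixed numeric key would be registered one byte short, under a name that ordinary variable lookup is unlikely to match. Adding `new_key_len++;` right after the `spprintf()` call makes both branches consistent. The same lines appear in the basic_functions.c hunk at -3118 of the preceding patch file on this page; the function body starts and ends outside both hunks, so whether `new_key` is freed afterwards cannot be checked from here.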
diff --git a/dev-lang/php/files/digest-php-5.0.5-r2 b/dev-lang/php/files/digest-php-5.0.5-r3
index 9a62d89ecd07..9a62d89ecd07 100644
--- a/dev-lang/php/files/digest-php-5.0.5-r2
+++ b/dev-lang/php/files/digest-php-5.0.5-r3 |