author | Ilia Alshanetsky <iliaa@php.net> | 2006-08-10 17:16:35 +0000 |
---|---|---|
committer | Ilia Alshanetsky <iliaa@php.net> | 2006-08-10 17:16:35 +0000 |
commit | 4ab6f610814337fc344bef7d29d21c180dc8fe3f (patch) | |
tree | 1e6b723e84aa6f28cae43ee830a1a5de26ac36d2 | |
parent | 1016df1c1a766c6b55d400f8789cda221b40d5fc (diff) | |
Various security fixes backported from 5.2
# part 2
-rw-r--r-- | NEWS | 6 | ||||
-rw-r--r-- | ext/curl/interface.c | 11 | ||||
-rw-r--r-- | ext/curl/streams.c | 6 | ||||
-rw-r--r-- | ext/standard/string.c | 21 |
4 files changed, 34 insertions, 10 deletions
@@ -1,6 +1,10 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2006, PHP 5.1.5
+- Fixed memory_limit on 64bit systems. (Stefan E.)
+- Fixed overflow on 64bit systems in str_repeat() and wordwrap(). (Stefan E.)
+- Disabled CURLOPT_FOLLOWLOCATION in curl when open_basedir or safe_mode are
+ enabled. (Stefan E., Ilia)
 - Fixed bug #38322 (reading past array in sscanf() leads to arbitary code execution). (Tony) - Fixed bug #38125 (undefined reference to spl_dual_it_free_storage). (Marcus)
@@ -21,6 +25,8 @@ PHP NEWS - Fixed bug #37360 (invalid gif size) (Pierre) - Fixed bug #37306 (max_execution_time = max_input_time). (Dmitry) - Fixed Bug #37278 (SOAP not respecting uri in __soapCall). (Dmitry)
+- Fixed bug #37265 (Added missing safe_mode & open_basedir checks to
+ imap_body()). (Ilia)
 - Fixed bug #37256 (php-fastcgi dosen't handle connection abort). (Dmitry) 04 May 2006, PHP 5.1.4
diff --git a/ext/curl/interface.c b/ext/curl/interface.c
index bf8b804f5c..4815492dbc 100644
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@@ -1070,7 +1070,6 @@ static int _php_curl_setopt(php_curl *ch, long option, zval **zvalue, zval *retu case CURLOPT_FTPLISTONLY: case CURLOPT_FTPAPPEND: case CURLOPT_NETRC:
- case CURLOPT_FOLLOWLOCATION:
 case CURLOPT_PUT: #if CURLOPT_MUTE != 0 case CURLOPT_MUTE:
@@ -1121,6 +1120,16 @@ static int _php_curl_setopt(php_curl *ch, long option, zval **zvalue, zval *retu convert_to_long_ex(zvalue); error = curl_easy_setopt(ch->cp, option, Z_LVAL_PP(zvalue)); break;
+ case CURLOPT_FOLLOWLOCATION:
+ convert_to_long_ex(zvalue);
+ if ((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) {
+ if (Z_LVAL_PP(zvalue) != 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "CURLOPT_FOLLOWLOCATION cannot be activated when in safe_mode or an open_basedir is set");
+ RETURN_FALSE;
+ }
+ }
+ error = curl_easy_setopt(ch->cp, option, Z_LVAL_PP(zvalue));
+ break;
 case CURLOPT_URL: case CURLOPT_PROXY: case CURLOPT_USERPWD:
diff --git a/ext/curl/streams.c b/ext/curl/streams.c
index 829fe3eb71..ab5c4c99fd 100644
--- a/ext/curl/streams.c
+++ b/ext/curl/streams.c
@@ -289,7 +289,11 @@ php_stream *php_curl_stream_opener(php_stream_wrapper *wrapper, char *filename, curl_easy_setopt(curlstream->curl, CURLOPT_WRITEHEADER, stream); /* currently buggy (bug is in curl) */
- curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1);
+ if ((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) {
+ curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 0);
+ } else {
+ curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1);
+ }
 curl_easy_setopt(curlstream->curl, CURLOPT_ERRORBUFFER, curlstream->errstr); curl_easy_setopt(curlstream->curl, CURLOPT_VERBOSE, 0);
diff --git a/ext/standard/string.c b/ext/standard/string.c
index c923e84ab0..bb4de137ef 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -632,7 +632,8 @@ PHP_FUNCTION(wordwrap) { const char *text, *breakchar = "\n"; char *newtext;
- int textlen, breakcharlen = 1, newtextlen, alloced, chk;
+ int textlen, breakcharlen = 1, newtextlen, chk;
+ size_t alloced;
 long current = 0, laststart = 0, lastspace = 0; long linelength = 75; zend_bool docut = 0;
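Review bot: `RETURN_FALSE;` in the new `CURLOPT_FOLLOWLOCATION` case sits inside `_php_curl_setopt`, which the hunk header shows is declared `static int`. The macro sets the return zval and then executes a bare `return;`, so the refusal path leaves the function without a return value and the caller acts on an indeterminate result. Set the zval and return the function's failure code explicitly, for example `RETVAL_FALSE; return 1;`. The value used to signal failure is an assumption here, because the end of the function is outside the hunk.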
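Review bot: Both new `curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, ...)` calls in `php_curl_stream_opener` pass the `int` literals `0` and `1`, but libcurl reads this option from the variadic list as a `long`. On the 64-bit targets this commit is concerned with, that is a type mismatch; write `0L` and `1L`. The restricted branch also turns redirects off silently, whereas the `curl_setopt()` path emits a warning. A comment such as `/* a redirect could leave the open_basedir/safe_mode sandbox, so never follow one while either is active */` would record why the stream wrapper behaves differently.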
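Review bot: Widening `alloced` to `size_t` in the `wordwrap` declarations only prevents the overflow if the expression that fills it is also evaluated in `size_t`. `textlen`, `breakcharlen` and `chk` stay `int` here, so a product or sum of them would still wrap before it is assigned. The assignment is outside the hunk and needs checking; if it combines the `int` operands directly, cast the first operand to `size_t` or allocate through `safe_emalloc`, as the str_repeat hunk of this commit does.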
@@ -1612,10 +1613,18 @@ PHP_FUNCTION(stripos) RETURN_FALSE; }
+ if (haystack_len == 0) {
+ RETURN_FALSE;
+ }
+
 haystack_dup = estrndup(haystack, haystack_len); php_strtolower(haystack_dup, haystack_len); if (Z_TYPE_P(needle) == IS_STRING) {
+ if ((Z_STRLEN_P(needle) == 0 || Z_STRLEN_P(needle) > haystack_len) {
+ efree(haystack_dup);
+ RETURN_FALSE;
+ }
 needle_dup = estrndup(Z_STRVAL_P(needle), Z_STRLEN_P(needle)); php_strtolower(needle_dup, Z_STRLEN_P(needle)); found = php_memnstr(haystack_dup + offset, needle_dup, Z_STRLEN_P(needle), haystack_dup + haystack_len);
@@ -4194,7 +4203,7 @@ PHP_FUNCTION(str_repeat) zval **input_str; /* Input string */ zval **mult; /* Multiplier */ char *result; /* Resulting string */
- int result_len; /* Length of the resulting string */
+ size_t result_len; /* Length of the resulting string */
 if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &input_str, &mult) == FAILURE) { WRONG_PARAM_COUNT;
@@ -4219,11 +4228,7 @@ PHP_FUNCTION(str_repeat) /* Initialize the result string */ result_len = Z_STRLEN_PP(input_str) * Z_LVAL_PP(mult);
- if (result_len < 1 || result_len > 2147483647) {
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "You may not create strings longer than 2147483647 bytes");
- RETURN_FALSE;
- }
- result = (char *)emalloc(result_len + 1);
+ result = (char *)safe_emalloc(Z_STRLEN_PP(input_str), Z_LVAL_PP(mult), 1);
 /* Heavy optimization for situations where input string is 1 byte long */ if (Z_STRLEN_PP(input_str) == 1) {
@@ -4894,7 +4899,7 @@ PHP_FUNCTION(substr_compare) offset = (offset < 0) ? 0 : offset; }
- if ((offset + len) >= s1_len) {
+ if ((offset + len) > s1_len) {
 php_error_docref(NULL TSRMLS_CC, E_WARNING, "The start position cannot exceed initial string length"); RETURN_FALSE; } |
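Review bot: The added needle check in `stripos`, `if ((Z_STRLEN_P(needle) == 0 || Z_STRLEN_P(needle) > haystack_len) {`, opens one more parenthesis than it closes, so string.c does not compile as committed. Drop the extra one: `if (Z_STRLEN_P(needle) == 0 || Z_STRLEN_P(needle) > haystack_len) {`. The check compares the needle with the full haystack length, although the search below starts at `haystack_dup + offset`. The offset validation is above the hunk, so whether the remaining length needs the same comparison cannot be told from here.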
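Review bot: The guard removed from `str_repeat` also rejected `result_len < 1`, and nothing in this hunk replaces that half of it. `safe_emalloc` covers overflow of the multiplication, but a zero or negative `mult` is only safe if it is rejected above the hunk, which should be confirmed. `result_len` is still computed one line earlier with the unchecked `Z_STRLEN_PP(input_str) * Z_LVAL_PP(mult)`. Moving that assignment below the allocation, with a comment such as `/* safe_emalloc() bails out if len * mult + 1 overflows, so result_len cannot have wrapped */`, would make clear that the later copies rely on that check.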
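Review bot: `(offset + len) > s1_len` in `substr_compare` adds two caller-supplied values before comparing them. If they are signed integers (their declarations are outside the hunk), a very large `len` can wrap the sum and pass the check. Comparing without the addition avoids that: `if (offset > s1_len || len > s1_len - offset) {`. The warning text mentions only the start position although the condition also depends on `len`, so the message or the condition should be brought into agreement.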