diff options
| author | Christopher Jones <sixd@php.net> | 2010-11-16 19:33:31 +0000 |
|---|---|---|
| committer | Christopher Jones <sixd@php.net> | 2010-11-16 19:33:31 +0000 |
| commit | 314c9b92338c2cffe4e9ce4299d5d39c35751a3a (patch) | |
| tree | 00563494a3344e0110721e578b4461699d07f7ad | |
| parent | 87fd3737b4a6e64fcdcfa4c8d352a1b99f925302 (diff) | |
| download | php-git-314c9b92338c2cffe4e9ce4299d5d39c35751a3a.tar.gz | |
Protect against null bytes in LOB filenames (rasmus)
| -rw-r--r-- | ext/oci8/oci8_interface.c | 18 | ||||
| -rw-r--r-- | ext/oci8/package.xml | 29 | ||||
| -rw-r--r-- | ext/oci8/php_oci8.h | 2 | ||||
| -rw-r--r-- | ext/oci8/tests/null_byte_1.phpt | 38 | ||||
| -rw-r--r-- | ext/oci8/tests/null_byte_2.phpt | 69 |
5 files changed, 145 insertions, 11 deletions
diff --git a/ext/oci8/oci8_interface.c b/ext/oci8/oci8_interface.c index b9e79f9fe9..3143d492ba 100644 --- a/ext/oci8/oci8_interface.c +++ b/ext/oci8/oci8_interface.c @@ -242,7 +242,12 @@ PHP_FUNCTION(oci_lob_import) return; } } - + + if (strlen(filename) != filename_len) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Filename cannot contain null bytes"); + RETURN_FALSE; + } + if (zend_hash_find(Z_OBJPROP_P(z_descriptor), "descriptor", sizeof("descriptor"), (void **)&tmp) == FAILURE) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to find descriptor property"); RETURN_FALSE; @@ -894,7 +899,12 @@ PHP_FUNCTION(oci_lob_export) RETURN_FALSE; } } - + + if (strlen(filename) != filename_len) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Filename cannot contain null bytes"); + RETURN_FALSE; + } + if (zend_hash_find(Z_OBJPROP_P(z_descriptor), "descriptor", sizeof("descriptor"), (void **)&tmp) == FAILURE) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to find descriptor property"); RETURN_FALSE; @@ -1662,8 +1672,8 @@ PHP_FUNCTION(oci_num_fields) } /* }}} */ -/* {{{ proto resource oci_parse(resource connection, string query) - Parse a query and return a statement */ +/* {{{ proto resource oci_parse(resource connection, string statement) + Parse a SQL or PL/SQL statement and return a statement resource */ PHP_FUNCTION(oci_parse) { zval *z_connection; diff --git a/ext/oci8/package.xml b/ext/oci8/package.xml index ed4349ea04..a56c010129 100644 --- a/ext/oci8/package.xml +++ b/ext/oci8/package.xml @@ -33,21 +33,20 @@ http://pear.php.net/dtd/package-2.0.xsd"> <active>no</active> </lead> - <date>2010-11-10</date> + <date>2010-11-16</date> <time>15:00:00</time> <version> - <release>1.4.4</release> - <api>1.4.4</api> + <release>1.4.5</release> + <api>1.4.5</api> </version> <stability> - <release>stable</release> + <release>devel</release> <api>stable</api> </stability> <license uri="http://www.php.net/license">PHP</license> <notes> - Fixed bug #53284 (Valgrind warnings in oci_set_* functions) - Enhancement - improve startup failure error messages + Protect against null bytes in LOB filenames (http://news.php.net/php.internals/50202) </notes> <contents> <dir name="/"> @@ -306,6 +305,8 @@ http://pear.php.net/dtd/package-2.0.xsd"> <file name="lob_temp1.phpt" role="test" /> <file name="lob_temp.phpt" role="test" /> <file name="minfo.phpt" role="test" /> + <file name="null_byte_1.phpt" role="test" /> + <file name="null_byte_2.phpt" role="test" /> <file name="num.phpt" role="test" /> <file name="oci8safemode.phpt" role="test" /> <file name="oci_execute_segfault.phpt" role="test" /> @@ -379,6 +380,22 @@ http://pear.php.net/dtd/package-2.0.xsd"> <release> <version> + <release>1.4.4</release> + <api>1.4.4</api> + </version> + <stability> + <release>stable</release> + <api>stable</api> + </stability> + <license uri="http://www.php.net/license">PHP</license> + <notes> + Fixed bug #53284 (Valgrind warnings in oci_set_* functions) + Enhancement - improve startup failure error messages + </notes> +</release> + +<release> + <version> <release>1.4.3</release> <api>1.4.3</api> </version> diff --git a/ext/oci8/php_oci8.h b/ext/oci8/php_oci8.h index 3f7a514a74..02dee73d27 100644 --- a/ext/oci8/php_oci8.h +++ b/ext/oci8/php_oci8.h @@ -46,7 +46,7 @@ */ #undef PHP_OCI8_VERSION #endif -#define PHP_OCI8_VERSION "1.4.4" +#define PHP_OCI8_VERSION "1.4.5-devel" extern zend_module_entry oci8_module_entry; #define phpext_oci8_ptr &oci8_module_entry diff --git a/ext/oci8/tests/null_byte_1.phpt b/ext/oci8/tests/null_byte_1.phpt new file mode 100644 index 0000000000..1439bd5d66 --- /dev/null +++ b/ext/oci8/tests/null_byte_1.phpt @@ -0,0 +1,38 @@ +--TEST-- +Protect against null bytes in LOB filenames (http://news.php.net/php.internals/50202) +--SKIPIF-- +<?php if (!extension_loaded('oci8')) die ("skip no oci8 extension"); ?> +--INI-- +display_errors = On +error_reporting = E_WARNING +--FILE-- +<?php + +require(dirname(__FILE__).'/connect.inc'); + +// Run Test + +echo "Test 1: Import\n"; + +$lob = oci_new_descriptor($c, OCI_D_LOB); +$r = $lob->savefile("/tmp/abc\0def"); +var_dump($r); + +echo "Test 2: Export\n"; + +$r = $lob->export("/tmp/abc\0def"); +var_dump($r); + +?> +===DONE=== +<?php exit(0); ?> +--EXPECTF-- +Test 1: Import + +Warning: OCI-Lob::savefile(): Filename cannot contain null bytes in %snull_byte_1.php on line %d +bool(false) +Test 2: Export + +Warning: OCI-Lob::export(): Filename cannot contain null bytes in %snull_byte_1.php on line %d +bool(false) +===DONE=== diff --git a/ext/oci8/tests/null_byte_2.phpt b/ext/oci8/tests/null_byte_2.phpt new file mode 100644 index 0000000000..b4c9b61ad4 --- /dev/null +++ b/ext/oci8/tests/null_byte_2.phpt @@ -0,0 +1,69 @@ +--TEST-- +Null bytes in SQL statements +--SKIPIF-- +<?php if (!extension_loaded('oci8')) die ("skip no oci8 extension"); ?> +--INI-- +display_errors = On +error_reporting = E_WARNING +--FILE-- +<?php + +require(dirname(__FILE__).'/connect.inc'); + +// Run Test + +echo "Test 1: Valid use of a null byte\n"; + +$s = oci_parse($c, "select * \0from dual"); +oci_execute($s); +oci_fetch_all($s, $res); +var_dump($res); + +echo "Test 2: Invalid use of a null byte\n"; + +$s = oci_parse($c, "select * from du\0al"); +oci_execute($s); + +echo "Test 3: Using a null byte in a bind variable name\n"; + +$s = oci_parse($c, "select * from dual where :bv = 1"); +$bv = 1; +oci_bind_by_name($s, ":bv\0:bv", $bv); +oci_execute($s); + +echo "Test 4: Using a null byte in a bind variable value causing WHERE clause to fail\n"; + +$s = oci_parse($c, "select * from dual where :bv = 'abc'"); +$bv = 'abc\0abc'; +oci_bind_by_name($s, ":bv", $bv); +oci_execute($s); +oci_fetch_all($s, $res); +var_dump($res); + +?> +===DONE=== +<?php exit(0); ?> +--EXPECTF-- +Test 1: Valid use of a null byte +array(1) { + ["DUMMY"]=> + array(1) { + [0]=> + string(1) "X" + } +} +Test 2: Invalid use of a null byte + +Warning: oci_execute(): ORA-00942: %s in %snull_byte_2.php on line %d +Test 3: Using a null byte in a bind variable name + +Warning: oci_bind_by_name(): ORA-01036: %s in %snull_byte_2.php on line %d + +Warning: oci_execute(): ORA-01008: %s in %snull_byte_2.php on line %d +Test 4: Using a null byte in a bind variable value causing WHERE clause to fail +array(1) { + ["DUMMY"]=> + array(0) { + } +} +===DONE=== |