authorbsiegert <bsiegert@pkgsrc.org>2018-08-17 17:37:21 +0000
committerbsiegert <bsiegert@pkgsrc.org>2018-08-17 17:37:21 +0000
commita6266ad012fc01c398ad4faf75bf9f2da1eb4dae (patch)
treea4ad023a85f0111b27fb17d6ba97e09c9e2f7106
parentbf09cce34aa18e0b07cccc9d5ae5168e30327cac (diff)
downloadpkgsrc-a6266ad012fc01c398ad4faf75bf9f2da1eb4dae.tar.gz
Pullup ticket #5799 - requested by taca
lang/php70: security fix Revisions pulled up: - lang/php/phpversion.mk 1.224 - lang/php70/Makefile 1.11-1.12 - lang/php70/Makefile.php 1.8-1.9 - lang/php70/distinfo 1.46-1.47 - lang/php70/patches/patch-disable-filter-url 1.1 --- Module Name: pkgsrc Committed By: maya Date: Mon Jul 16 10:58:50 UTC 2018 Modified Files: pkgsrc/lang/php70: Makefile Makefile.php pkgsrc/lang/php71: Makefile Makefile.php pkgsrc/lang/php72: Makefile Makefile.php Log Message: php*: disable global regs on i386. Fixes PR pkg/53222 that resurfaced Remove the previous workaround to add GCC_REQD, which isn't sufficient any more, possibly due to enabling ssp/fortify? XXX bumping PKGREVISION might not be sufficient, for the same reason the GCC_REQD had to be moved to Makefile.php, it affects modules too. --- Module Name: pkgsrc Committed By: manu Date: Wed Jul 18 07:33:12 UTC 2018 Modified Files: pkgsrc/lang/php56: Makefile.php distinfo pkgsrc/lang/php70: Makefile.php distinfo pkgsrc/lang/php71: Makefile.php distinfo pkgsrc/lang/php72: Makefile.php distinfo Added Files: pkgsrc/lang/php56/patches: patch-disable-filter-url pkgsrc/lang/php70/patches: patch-disable-filter-url pkgsrc/lang/php71/patches: patch-disable-filter-url pkgsrc/lang/php72/patches: patch-disable-filter-url Log Message: Add pkgsrc build option disable-filter-url to disable php://filter URL php://filter URL is a feature documented here: http://php.net/manual/en/wrappers.php.php Unfortunately, it allows remote control of include() behavior beyond what many developpers expected, enabling easy dump of PHP source files. The administrator may want to disable the feature for security sake, and this option makes that possible. --- Module Name: pkgsrc Committed By: taca Date: Fri Jul 20 13:27:28 UTC 2018 Modified Files: pkgsrc/lang/php: phpversion.mk pkgsrc/lang/php70: Makefile distinfo Log Message: lang/php70: update to 7.0.31 19 Jul 2018 PHP 7.0.31 - Exif: . 
Fixed bug #76423 (Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c). (Stas) . Fixed bug #76557 (heap-buffer-overflow (READ of size 48) while reading exif data). (Stas) - Win32: . Fixed bug #76459 (windows linkinfo lacks openbasedir check). (Anatol)
-rw-r--r--lang/php/phpversion.mk4
-rw-r--r--lang/php70/Makefile8
-rw-r--r--lang/php70/Makefile.php13
-rw-r--r--lang/php70/distinfo11
-rw-r--r--lang/php70/patches/patch-disable-filter-url34
5 files changed, 55 insertions, 15 deletions
diff --git a/lang/php/phpversion.mk b/lang/php/phpversion.mk
index 53c7d53e19f..79dd165b7bd 100644
--- a/lang/php/phpversion.mk
+++ b/lang/php/phpversion.mk
@@ -1,4 +1,4 @@
-# $NetBSD: phpversion.mk,v 1.221.2.2 2018/08/17 16:08:38 bsiegert Exp $
+# $NetBSD: phpversion.mk,v 1.221.2.3 2018/08/17 17:37:21 bsiegert Exp $
#
# This file selects a PHP version, based on the user's preferences and
# the installed packages. It does not add a dependency on the PHP
@@ -88,7 +88,7 @@ PHPVERSION_MK= defined
# Define each PHP's version.
PHP56_VERSION= 5.6.36
-PHP70_VERSION= 7.0.30
+PHP70_VERSION= 7.0.31
PHP71_VERSION= 7.1.20
PHP72_VERSION= 7.2.8
diff --git a/lang/php70/Makefile b/lang/php70/Makefile
index b6dd72d6311..6d29ff1fa6f 100644
--- a/lang/php70/Makefile
+++ b/lang/php70/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.10 2017/10/27 08:46:49 taca Exp $
+# $NetBSD: Makefile,v 1.10.6.1 2018/08/17 17:37:22 bsiegert Exp $
#
# We can't omit PKGNAME here to handle PKG_OPTIONS.
@@ -48,6 +48,12 @@ INSTALLATION_DIRS+= ${CGIDIR} ${PHP_EXTENSION_DIR} ${EGDIR} share/php
CONFIGURE_ARGS+= --without-pcre-jit
.endif
+.if ${MACHINE_ARCH} == "i386"
+# segfaults when buidling with many compilers
+# https://bugs.php.net/bug.php?id=74527
+CONFIGURE_ARGS+= --disable-gcc-global-regs
+.endif
+
# Make sure modules can link correctly
.if ${OPSYS} == "Darwin"
INSTALL_UNSTRIPPED= yes
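Review bot: The new `--disable-gcc-global-regs` block sits in lang/php70/Makefile, while the GCC_REQD workaround it replaces lived in Makefile.php, whose header says it is also used by www/ap-php and www/php-fpm; the commit log itself warns that the problem affects modules too. If those packages run their own configure step, they would presumably not receive the flag on i386, so the block looks like it belongs in Makefile.php beside the other shared CONFIGURE_ARGS. The comment also cites bug 74527 where the removed comment cited #74526, and "buidling" is misspelled; I would write `# segfaults when building with many compilers` and confirm which bug number is meant.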
diff --git a/lang/php70/Makefile.php b/lang/php70/Makefile.php
index c07f1eee32f..49c76c1bbe4 100644
--- a/lang/php70/Makefile.php
+++ b/lang/php70/Makefile.php
@@ -1,13 +1,8 @@
-# $NetBSD: Makefile.php,v 1.7 2017/08/04 23:07:28 taca Exp $
+# $NetBSD: Makefile.php,v 1.7.10.1 2018/08/17 17:37:22 bsiegert Exp $
# used by lang/php70/Makefile
# used by www/ap-php/Makefile
# used by www/php-fpm/Makefile
-# PHP bug #74526 - segfaults on build with GCC 4.8.5 i386
-.if ${MACHINE_ARCH} == "i386"
-GCC_REQD+= 4.9
-.endif
-
.include "../../lang/php70/Makefile.common"
DISTINFO_FILE= ${.CURDIR}/../../lang/php70/distinfo
@@ -45,7 +40,7 @@ CONFIGURE_ARGS+= --with-libxml-dir=${PREFIX}
.include "../../textproc/libxml2/buildlink3.mk"
PKG_OPTIONS_VAR= PKG_OPTIONS.${PHP_PKG_PREFIX}
-PKG_SUPPORTED_OPTIONS+= inet6 ssl maintainer-zts readline
+PKG_SUPPORTED_OPTIONS+= inet6 ssl maintainer-zts readline disable-filter-url
PKG_SUGGESTED_OPTIONS+= inet6 ssl readline
.if ${OPSYS} == "SunOS" || ${OPSYS} == "Darwin" || ${OPSYS} == "FreeBSD"
@@ -92,5 +87,9 @@ CONFIGURE_ARGS+= --enable-dtrace
INSTALL_MAKE_FLAGS+= -r
.endif
+.if !empty(PKG_OPTIONS:Mdisable-filter-url)
+CFLAGS+= -DDISABLE_FILTER_URL
+.endif
+
DL_AUTO_VARS= yes
.include "../../mk/dlopen.buildlink3.mk"
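Review bot: `-DDISABLE_FILTER_URL` is a preprocessor define and would conventionally go in `CPPFLAGS` rather than `CFLAGS`, i.e. `CPPFLAGS+= -DDISABLE_FILTER_URL`, so that it is applied wherever the preprocessor runs. The block has no comment saying what the define does; `# Compile out the php://filter wrapper, see patches/patch-disable-filter-url` above the `.if` would help the next maintainer. The option is added to PKG_SUPPORTED_OPTIONS only and not to PKG_SUGGESTED_OPTIONS (earlier hunk in this file), so default builds keep php://filter enabled and administrators have to opt in explicitly.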
diff --git a/lang/php70/distinfo b/lang/php70/distinfo
index 2456dab1fa2..b0aee1087a5 100644
--- a/lang/php70/distinfo
+++ b/lang/php70/distinfo
@@ -1,11 +1,12 @@
-$NetBSD: distinfo,v 1.45 2018/04/26 15:46:57 taca Exp $
+$NetBSD: distinfo,v 1.45.2.1 2018/08/17 17:37:22 bsiegert Exp $
-SHA1 (php-7.0.30.tar.bz2) = 774d76578f06e4acc035ed65692f7750f7d9c9b1
-RMD160 (php-7.0.30.tar.bz2) = f3bf11cfb9d02988d1458d9b30a223af3191e970
-SHA512 (php-7.0.30.tar.bz2) = 37b39b3163ad5c5f7d42e22bb5fe9d8708a0559add4f29624c4640c11ef0cbcdfe010cbf69032b741099c9d4f87c9878c19c1d2f3f98817271686aa177956002
-Size (php-7.0.30.tar.bz2) = 14641553 bytes
+SHA1 (php-7.0.31.tar.bz2) = 4da4e41b37445b0f5166df37583d23c78ca8e358
+RMD160 (php-7.0.31.tar.bz2) = f34a43e8809a25b0b8af78a62ab92d8f3012825e
+SHA512 (php-7.0.31.tar.bz2) = f496ca871245c0ddbbc848ad2c46d24e789c8cc3f1be489b87d25d353c5773ea9c54c2a54dfb2c4e9fc6b08cdf812305fa6bd0d80615f33f0db9d21edee3636b
+Size (php-7.0.31.tar.bz2) = 14641488 bytes
SHA1 (patch-acinclude.m4) = 81a8f33a536500978ea5a9aa2d2875c61c843e56
SHA1 (patch-configure) = 68ca63d7623feee2f12c9e1abacf4a5d7827d96c
+SHA1 (patch-disable-filter-url) = e9e92d686ddd1d1a1ece10fe4feee4e368fe510c
SHA1 (patch-ext_gd_config.m4) = bde93678626592cdcee619189bfc6532d0913a76
SHA1 (patch-ext_imap_config.m4) = f4e10ab81697b72019313f63bc630627a08efd92
SHA1 (patch-ext_intl_config.m4) = 222e35fc2c3e9e559696293fdf66171f8abfca7f
diff --git a/lang/php70/patches/patch-disable-filter-url b/lang/php70/patches/patch-disable-filter-url
new file mode 100644
index 00000000000..e6d9e83b2b0
--- /dev/null
+++ b/lang/php70/patches/patch-disable-filter-url
@@ -0,0 +1,34 @@
+$NetBSD: patch-disable-filter-url,v 1.1.2.2 2018/08/17 17:37:22 bsiegert Exp $
+
+Add build-time disable option for dangerous php://filter URL
+
+php://filter URL is a feature documented here:
+http://php.net/manual/en/wrappers.php.php
+
+Unfortunately, it allows remote control of include() behavior
+beyond what many developpers expected, enabling easy dump of
+PHP source files. The administrator may want to disable the
+feature for security sake, and this patch makes that possible.
+
+--- ./ext/standard/php_fopen_wrapper.c.orig
++++ ./ext/standard/php_fopen_wrapper.c
+@@ -345,8 +345,9 @@
+ "Error duping file descriptor " ZEND_LONG_FMT "; possibly it doesn't exist: "
+ "[%d]: %s", fildes_ori, errno, strerror(errno));
+ return NULL;
+ }
++#ifndef DISABLE_FILTER_URL
+ } else if (!strncasecmp(path, "filter/", 7)) {
+ /* Save time/memory when chain isn't specified */
+ if (strchr(mode, 'r') || strchr(mode, '+')) {
+ mode_rw |= PHP_STREAM_FILTER_READ;
+@@ -382,8 +383,9 @@
+ }
+ efree(pathdup);
+
+ return stream;
++#endif /* !DISABLE_FILTER_URL */
+ } else {
+ /* invalid php://thingy */
+ php_error_docref(NULL, E_WARNING, "Invalid php:// URL specified");
+ return NULL;
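Review bot: With DISABLE_FILTER_URL defined, a php://filter/ path falls through to the final `else` and reports only "Invalid php:// URL specified", so nobody reading the log can tell that the wrapper was compiled out rather than mistyped. An `#else` arm that keeps the `strncasecmp(path, "filter/", 7)` test and emits a distinct warning, e.g. `php_error_docref(NULL, E_WARNING, "php://filter is disabled in this build");` followed by `return NULL;`, would make the denial visible and auditable. The patch header should also state that this removes only one way of abusing an include() on a caller-controlled path, and that the include itself still has to be fixed in the application. The enclosing function begins and ends outside the patched hunks.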