authorbsiegert <bsiegert@pkgsrc.org>2018-08-17 16:08:38 +0000
committerbsiegert <bsiegert@pkgsrc.org>2018-08-17 16:08:38 +0000
commitbf09cce34aa18e0b07cccc9d5ae5168e30327cac (patch)
tree877f786329aa7df74b5b1c1fa105172eb38f5fda
parent39d4bb95159f19078a8da4a9ede150e4aa4a596d (diff)
downloadpkgsrc-bf09cce34aa18e0b07cccc9d5ae5168e30327cac.tar.gz
Pullup ticket #5798 - requested by taca
lang/php72: security fix Revisions pulled up: - lang/php/phpversion.mk 1.223 - lang/php72/Makefile 1.9-1.12 - lang/php72/Makefile.php 1.5-1.6 - lang/php72/distinfo 1.27-1.28 - lang/php72/patches/patch-disable-filter-url 1.1 --- Module Name: pkgsrc Committed By: maya Date: Mon Jul 16 10:58:50 UTC 2018 Modified Files: pkgsrc/lang/php70: Makefile Makefile.php pkgsrc/lang/php71: Makefile Makefile.php pkgsrc/lang/php72: Makefile Makefile.php Log Message: php*: disable global regs on i386. Fixes PR pkg/53222 that resurfaced Remove the previous workaround to add GCC_REQD, which isn't sufficient any more, possibly due to enabling ssp/fortify? XXX bumping PKGREVISION might not be sufficient, for the same reason the GCC_REQD had to be moved to Makefile.php, it affects modules too. --- Module Name: pkgsrc Committed By: manu Date: Wed Jul 18 07:33:12 UTC 2018 Modified Files: pkgsrc/lang/php56: Makefile.php distinfo pkgsrc/lang/php70: Makefile.php distinfo pkgsrc/lang/php71: Makefile.php distinfo pkgsrc/lang/php72: Makefile.php distinfo Added Files: pkgsrc/lang/php56/patches: patch-disable-filter-url pkgsrc/lang/php70/patches: patch-disable-filter-url pkgsrc/lang/php71/patches: patch-disable-filter-url pkgsrc/lang/php72/patches: patch-disable-filter-url Log Message: Add pkgsrc build option disable-filter-url to disable php://filter URL php://filter URL is a feature documented here: http://php.net/manual/en/wrappers.php.php Unfortunately, it allows remote control of include() behavior beyond what many developpers expected, enabling easy dump of PHP source files. The administrator may want to disable the feature for security sake, and this option makes that possible. 
--- Module Name: pkgsrc Committed By: ryoon Date: Fri Jul 20 03:34:33 UTC 2018 Modified Files: pkgsrc/lang/php72: Makefile Log Message: Recursive revbump from textproc/icu-62.1 --- Module Name: pkgsrc Committed By: taca Date: Fri Jul 20 13:25:26 UTC 2018 Modified Files: pkgsrc/lang/php: phpversion.mk pkgsrc/lang/php72: Makefile distinfo Log Message: lang/php72: update to 7.2.8 19 Jul 2018, PHP 7.2.8 - Core: . Fixed bug #76534 (PHP hangs on 'illegal string offset on string references with an error handler). (Laruence) . Fixed bug #76520 (Object creation leaks memory when executed over HTTP). (Nikita) . Fixed bug #76502 (Chain of mixed exceptions and errors does not serialize properly). (Nikita) - Date: . Fixed bug #76462 (Undefined property: DateInterval::$f). (Anatol) - EXIF: . Fixed bug #76409 (heap use after free in _php_stream_free). (cmb) . Fixed bug #76423 (Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c). (Stas) . Fixed bug #76557 (heap-buffer-overflow (READ of size 48) while reading exif data). (Stas) - FPM: . Fixed bug #73342 (Vulnerability in php-fpm by changing stdin to non-blocking). (Nikita) - GMP: . Fixed bug #74670 (Integer Underflow when unserializing GMP and possible other classes). (Nikita) - intl: . Fixed bug #76556 (get_debug_info handler for BreakIterator shows wrong type). (cmb) - mbstring: . Fixed bug #76532 (Integer overflow and excessive memory usage in mb_strimwidth). (MarcusSchwarz) - Opcache: . Fixed bug #76477 (Opcache causes empty return value). (Nikita, Laruence) - PGSQL: . Fixed bug #76548 (pg_fetch_result did not fetch the next row). (Anatol) - phpdbg: . Fix arginfo wrt. optional/required parameters. (cmb) - Reflection: . Fixed bug #76536 (PHP crashes with core dump when throwing exception in error handler). (Laruence) . Fixed bug #75231 (ReflectionProperty#getValue() incorrectly works with inherited classes). (Nikita) - Standard: . Fixed bug #76505 (array_merge_recursive() is duplicating sub-array keys). 
(Laruence) . Fixed bug #71848 (getimagesize with $imageinfo returns false). (cmb) - Win32: . Fixed bug #76459 (windows linkinfo lacks openbasedir check). (Anatol) - ZIP: . Fixed bug #76461 (OPSYS_Z_CPM defined instead of OPSYS_CPM). (Dennis Birkholz, Remi) --- Module Name: pkgsrc Committed By: taca Date: Fri Jul 20 13:29:51 UTC 2018 Modified Files: pkgsrc/lang/php72: Makefile Log Message: lang/php72: reset PKGREVISION Reset PKGREVISION along with update to 7.2.8.
-rw-r--r--lang/php/phpversion.mk4
-rw-r--r--lang/php72/Makefile9
-rw-r--r--lang/php72/Makefile.php12
-rw-r--r--lang/php72/distinfo11
-rw-r--r--lang/php72/patches/patch-disable-filter-url34
5 files changed, 55 insertions, 15 deletions
diff --git a/lang/php/phpversion.mk b/lang/php/phpversion.mk
index 2bf38f8914b..53c7d53e19f 100644
--- a/lang/php/phpversion.mk
+++ b/lang/php/phpversion.mk
@@ -1,4 +1,4 @@
-# $NetBSD: phpversion.mk,v 1.221.2.1 2018/08/17 16:04:00 bsiegert Exp $
+# $NetBSD: phpversion.mk,v 1.221.2.2 2018/08/17 16:08:38 bsiegert Exp $
#
# This file selects a PHP version, based on the user's preferences and
# the installed packages. It does not add a dependency on the PHP
@@ -90,7 +90,7 @@ PHPVERSION_MK= defined
PHP56_VERSION= 5.6.36
PHP70_VERSION= 7.0.30
PHP71_VERSION= 7.1.20
-PHP72_VERSION= 7.2.7
+PHP72_VERSION= 7.2.8
# Define initial release of major version.
PHP56_RELDATE= 20140828
diff --git a/lang/php72/Makefile b/lang/php72/Makefile
index e8a30063f95..6d825481f3e 100644
--- a/lang/php72/Makefile
+++ b/lang/php72/Makefile
@@ -1,10 +1,9 @@
-# $NetBSD: Makefile,v 1.8 2018/04/26 15:44:15 taca Exp $
+# $NetBSD: Makefile,v 1.8.2.1 2018/08/17 16:08:38 bsiegert Exp $
#
# We can't omit PKGNAME here to handle PKG_OPTIONS.
#
PKGNAME= php-${PHP_VERSION:S/RC/rc/}
-CATEGORIES= lang
HOMEPAGE= http://www.php.net/
COMMENT= PHP Hypertext Preprocessor version 7.2
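Review bot: The removal of `CATEGORIES= lang` near the top of this hunk is not explained by any of the pulled-up log messages; the last one for this file describes only a PKGREVISION reset. Unless CATEGORIES is supplied by an included file that is not visible in this diff, the line looks dropped by accident and should be restored as `CATEGORIES= lang`. If the removal is intentional, it deserves a sentence in the pullup description so the change can be audited later.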
@@ -41,6 +40,12 @@ SUBST_SED.path+= -e 's,@PREFIX@,${PREFIX},g'
INSTALLATION_DIRS+= ${CGIDIR} ${PHP_EXTENSION_DIR} ${EGDIR} share/php
+# segfaults when buidling with many compilers
+# https://bugs.php.net/bug.php?id=74527
+.if ${MACHINE_ARCH} == "i386"
+CONFIGURE_ARGS+= --disable-gcc-global-regs
+.endif
+
# Make sure modules can link correctly
.if ${OPSYS} == "Darwin"
INSTALL_UNSTRIPPED= yes
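Review bot: `--disable-gcc-global-regs` is added only to `lang/php72/Makefile`, whereas the i386 workaround it replaces lived in `Makefile.php`, whose header lists `www/ap-php` and `www/php-fpm` as users. If those packages run their own configure step, they may still be built with global register variables on i386, which is the concern the log message itself raises ("it affects modules too"). Consider placing the `.if ${MACHINE_ARCH} == "i386"` block in `Makefile.php`, or confirm that the other consumers are unaffected. The new comment also misspells `buidling` and cites bug 74527 where the removed comment cited #74526, so the intended id is worth checking. The Darwin `.if` block at the end of the hunk continues outside it.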
diff --git a/lang/php72/Makefile.php b/lang/php72/Makefile.php
index 94efbcc28a8..e1988591478 100644
--- a/lang/php72/Makefile.php
+++ b/lang/php72/Makefile.php
@@ -1,13 +1,8 @@
-# $NetBSD: Makefile.php,v 1.4 2018/02/05 08:51:25 jdolecek Exp $
+# $NetBSD: Makefile.php,v 1.4.4.1 2018/08/17 16:08:38 bsiegert Exp $
# used by lang/php72/Makefile
# used by www/ap-php/Makefile
# used by www/php-fpm/Makefile
-# PHP bug #74526 - segfaults on build with GCC 4.8.5 i386
-.if ${MACHINE_ARCH} == "i386"
-GCC_REQD+= 4.9
-.endif
-
# the binary actually needs full dep on PCRE
BUILDLINK_DEPMETHOD.pcre= full
@@ -51,6 +46,7 @@ CONFIGURE_ARGS+= --with-pcre-regex=${BUILDLINK_PREFIX.pcre}
PKG_OPTIONS_VAR= PKG_OPTIONS.${PHP_PKG_PREFIX}
PKG_SUPPORTED_OPTIONS+= inet6 ssl maintainer-zts readline argon2 sqlite3
+PKG_SUPPORTED_OPTIONS+= disable-filter-url
PKG_SUGGESTED_OPTIONS+= inet6 ssl readline sqlite3
.if ${OPSYS} == "SunOS" || ${OPSYS} == "Darwin" || ${OPSYS} == "FreeBSD"
@@ -109,5 +105,9 @@ CONFIGURE_ARGS+= --with-sqlite3=${BUILDLINK_PREFIX.sqlite3}
CONFIGURE_ARGS+= --without-sqlite3
.endif
+.if !empty(PKG_OPTIONS:Mdisable-filter-url)
+CFLAGS+= -DDISABLE_FILTER_URL
+.endif
+
DL_AUTO_VARS= yes
.include "../../mk/dlopen.buildlink3.mk"
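Review bot: Nothing next to `CFLAGS+= -DDISABLE_FILTER_URL` says where the macro is consumed or what a build with the option set actually loses, so the security effect of `disable-filter-url` can only be found by reading the patch file. A comment above the `.if` would tie the two together, for example `# disable-filter-url: compiles out the php://filter branch of the php:// wrapper; the macro is tested in patches/patch-disable-filter-url`. The option is declared in the earlier hunk of this file (`PKG_SUPPORTED_OPTIONS+= disable-filter-url`) but is not added to `PKG_SUGGESTED_OPTIONS`, so default builds keep the wrapper enabled; the same comment could state that the hardening is opt-in.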
diff --git a/lang/php72/distinfo b/lang/php72/distinfo
index 1cfe1d48c45..0701ff72289 100644
--- a/lang/php72/distinfo
+++ b/lang/php72/distinfo
@@ -1,10 +1,11 @@
-$NetBSD: distinfo,v 1.26 2018/06/24 10:34:47 taca Exp $
+$NetBSD: distinfo,v 1.26.2.1 2018/08/17 16:08:38 bsiegert Exp $
-SHA1 (php-7.2.7.tar.bz2) = e56adc671e9a19bcbe2b84e510cd2c2cec571970
-RMD160 (php-7.2.7.tar.bz2) = ba76b61f709eda603bf6c6b2d31baf6111210e13
-SHA512 (php-7.2.7.tar.bz2) = 7817e082963a4f185c5dd4a7bdd9358e25ae1dc83fa6b353313660c9907a2ead308676be86d5e1f7d586d394308e451dd8139a7879a68ab5d0c4a59fcbe73027
-Size (php-7.2.7.tar.bz2) = 15050410 bytes
+SHA1 (php-7.2.8.tar.bz2) = b0aa50ba30be0e93bf4b1087f6a6326ffe0dd06f
+RMD160 (php-7.2.8.tar.bz2) = b73b220a5ef91d3d17de726adbe9fc04abc6c0ba
+SHA512 (php-7.2.8.tar.bz2) = 4eaab35ff99c6829e4e67b99d0dbc1d25b83210c9d894fbb9e6810dd3de8b7d5bd62b2d8a9f2ecb3c1f2f5a9c28116a22b36f019a21b8770f02fe1e3149728d9
+Size (php-7.2.8.tar.bz2) = 15035638 bytes
SHA1 (patch-configure) = 47f2ede97390cc7e46d04c2769dd97459b19450a
+SHA1 (patch-disable-filter-url) = e9e92d686ddd1d1a1ece10fe4feee4e368fe510c
SHA1 (patch-ext_gd_config.m4) = 67730ccc13410adaf8829f77a6b044f16e412489
SHA1 (patch-ext_phar_Makefile.frag) = 558869b60f8ed6674a3ba1d595a65f010df4c426
SHA1 (patch-ext_phar_phar_phar.php) = f630e3946b21b76d4fe857a43e00e25c9445f2c8
diff --git a/lang/php72/patches/patch-disable-filter-url b/lang/php72/patches/patch-disable-filter-url
new file mode 100644
index 00000000000..b9b758aab4e
--- /dev/null
+++ b/lang/php72/patches/patch-disable-filter-url
@@ -0,0 +1,34 @@
+$NetBSD: patch-disable-filter-url,v 1.1.2.2 2018/08/17 16:08:38 bsiegert Exp $
+
+Add build-time disable option for dangerous php://filter URL
+
+php://filter URL is a feature documented here:
+http://php.net/manual/en/wrappers.php.php
+
+Unfortunately, it allows remote control of include() behavior
+beyond what many developpers expected, enabling easy dump of
+PHP source files. The administrator may want to disable the
+feature for security sake, and this patch makes that possible.
+
+--- ./ext/standard/php_fopen_wrapper.c.orig
++++ ./ext/standard/php_fopen_wrapper.c
+@@ -345,8 +345,9 @@
+ "Error duping file descriptor " ZEND_LONG_FMT "; possibly it doesn't exist: "
+ "[%d]: %s", fildes_ori, errno, strerror(errno));
+ return NULL;
+ }
++#ifndef DISABLE_FILTER_URL
+ } else if (!strncasecmp(path, "filter/", 7)) {
+ /* Save time/memory when chain isn't specified */
+ if (strchr(mode, 'r') || strchr(mode, '+')) {
+ mode_rw |= PHP_STREAM_FILTER_READ;
+@@ -382,8 +383,9 @@
+ }
+ efree(pathdup);
+
+ return stream;
++#endif /* !DISABLE_FILTER_URL */
+ } else {
+ /* invalid php://thingy */
+ php_error_docref(NULL, E_WARNING, "Invalid php:// URL specified");
+ return NULL;
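Review bot: The patch description does not state what a disabled build does or where its protection stops. With `DISABLE_FILTER_URL` defined the `filter/` branch is compiled out, so every `php://filter/...` open falls through to the `Invalid php:// URL specified` warning and returns NULL, which also breaks any legitimate application use of that URL form. The guard closes only this one wrapper path; an `include()` whose argument can be influenced by a request remains an application bug, and the header should say so to avoid the option being read as a complete fix. Suggested addition to the description: `With DISABLE_FILTER_URL defined, php://filter/ URLs are rejected as invalid php:// URLs; this does not make untrusted include() paths safe.` The function being patched begins and ends outside the two embedded hunks.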