Pullup ticket #2939 - requested by taca

php5: security patch Revisions pulled up: - lang/php5/Makefile 1.73-1.74 - lang/php5/distinfo 1.69-1.70 - lang/php5/patches/patch-ag 1.3 - lang/php5/patches/patch-ah 1.2 - lang/php5/patches/patch-ay 1.2 - lang/php5/patches/patch-az 1.1-1.2 - lang/php5/patches/patch-ba 1.1 - lang/php5/patches/patch-bb 1.1 - lang/php5/patches/patch-bc 1.1 - lang/php5/patches/patch-bd 1.1 --- Module Name: pkgsrc Committed By: taca Date: Thu Oct 22 14:49:06 UTC 2009 Modified Files: pkgsrc/lang/php5: Makefile distinfo Added Files: pkgsrc/lang/php5/patches: patch-az Log Message: Add patch to check byte sequence more strictly in htmlspecialchars(). http://bugs.php.net/bug.php?id=49785 These are patch refrects r289411, r289554, r289565, r289567 and r289605 in PHP svn repositry. Bump PKGREVISION. --- Module Name: pkgsrc Committed By: taca Date: Mon Nov 30 06:14:08 UTC 2009 Modified Files: pkgsrc/lang/php5: Makefile distinfo pkgsrc/lang/php5/patches: patch-ag patch-ah patch-ay patch-az Added Files: pkgsrc/lang/php5/patches: patch-ba patch-bb patch-bc patch-bd Log Message: Add fixes for http://secunia.com/advisories/37412/ from PHP's repositry. 1. CVE-2009-3292 is already fixed in 5.2.11. 2. CVE-2009-3558 http://svn.php.net/viewvc?view=revision&revision=288934 3. CVE-2009-3557 http://svn.php.net/viewvc?view=revision&revision=288945 http://svn.php.net/viewvc?view=revision&revision=288971 4. CVE-2009-4017 http://svn.php.net/viewvc?view=revision&revision=289990 http://svn.php.net/viewvc?view=revision&revision=290820 http://svn.php.net/viewvc?view=revision&revision=290885 Other pkgsrc changes: * Don't hardcord /usr/pkg in php.ini-dist and php.ini-recommended. * Add comments to some of patch files. Bump PKGREVISION.
author: tron <tron> 2009-11-30 23:10:19 +0000
committer: tron <tron> 2009-11-30 23:10:19 +0000
commit: 193ed1acdea13f08054c736b37e923b20f2dde16 (patch)
tree: 0d41e8eb1ddc6a0fc9ace6b8a2e25f13c4c128f1
parent: 5289e86b0512325fab54b3ec0c4350df06a14bb1 (diff)
download: pkgsrc-193ed1acdea13f08054c736b37e923b20f2dde16.tar.gz
10 files changed, 538 insertions, 24 deletions
diff --git a/lang/php5/Makefile b/lang/php5/Makefile
index 7cecb7ce1a2..3841ac04b04 100644
--- a/lang/php5/Makefile
+++ b/lang/php5/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.72 2009/06/09 15:15:07 sketch Exp $
+# $NetBSD: Makefile,v 1.72.4.1 2009/11/30 23:10:19 tron Exp $
 
 PKGNAME=		php-${PHP_BASE_VERS}
+PKGREVISION=		2
 CATEGORIES=		lang
 HOMEPAGE=		http://www.php.net/
 COMMENT=		PHP Hypertext Preprocessor version 5
@@ -36,20 +37,20 @@ MAKE_ENV+=		INSTALL_ROOT=${DESTDIR:Q}
 CONF_FILES=		${EGDIR}/php.ini-recommended ${PKG_SYSCONFDIR}/php.ini
 OWN_DIRS=		${PREFIX}/${PHP_EXTENSION_DIR}
 
-SUBST_CLASSES+=		cgi
-SUBST_MESSAGE.cgi=	Fixing CGI path.
-SUBST_STAGE.cgi=	pre-configure
-SUBST_FILES.cgi=	configure
-SUBST_SED.cgi=		-e 's,@CGIDIR@,${CGIDIR},g'
+SUBST_CLASSES+=		path
+SUBST_MESSAGE.path=	Fixing common paths.
+SUBST_STAGE.path=	pre-configure
+SUBST_FILES.path=	configure php.ini-dist php.ini-recommended
+SUBST_SED.path=		-e 's,@CGIDIR@,${CGIDIR},g'
+SUBST_SED.path+=	-e 's,@PREFIX@,${PREFIX},g'
+
+INSTALLATION_DIRS+=	${CGIDIR}
 
 # Make sure modules can link correctly
 .if ${OPSYS} == "Darwin"
 INSTALL_UNSTRIPPED=	yes
 .endif
 
-pre-install:
-	${INSTALL_DATA_DIR} ${DESTDIR:Q}${CGIDIR:Q}
-
 post-install:
 	${INSTALL_PROGRAM} ${WRKSRC}/sapi/cli/php \
 		${DESTDIR:Q}${PREFIX:Q}/bin/php
diff --git a/lang/php5/distinfo b/lang/php5/distinfo
index a76873e5c01..ef1b6e9fe46 100644
--- a/lang/php5/distinfo
+++ b/lang/php5/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.67.2.1 2009/10/22 21:25:08 tron Exp $
+$NetBSD: distinfo,v 1.67.2.2 2009/11/30 23:10:20 tron Exp $
 
 SHA1 (php-5.2.11/php-5.2.11.tar.bz2) = 819c853ce657ef260d4a73b5a21f961115b97eef
 RMD160 (php-5.2.11/php-5.2.11.tar.bz2) = 6aad53dee864ab89f794a9d3c2aa32d435ed5654
@@ -7,8 +7,8 @@ SHA1 (php-5.2.11/suhosin-patch-5.2.11-0.9.7.patch.gz) = 248419332131efc53f3306c2
 RMD160 (php-5.2.11/suhosin-patch-5.2.11-0.9.7.patch.gz) = 0f6d442aace34c221f9fbff42a63e7f3b4489f15
 Size (php-5.2.11/suhosin-patch-5.2.11-0.9.7.patch.gz) = 23050 bytes
 SHA1 (patch-aa) = 20bc3831e435182d014b11ae9f1f6c537a21af20
-SHA1 (patch-ag) = 4ccb67ba6f5370b1d16b087e3e714de3e5ae604e
-SHA1 (patch-ah) = c7cbd4b9ea0796ea3b7491c2cffb6ddddc518587
+SHA1 (patch-ag) = 901552355a3d57d9b8e23b31cd0edfd28db8b2bb
+SHA1 (patch-ah) = 7702da73f3a457ee381542b454d19b1f4b421e01
 SHA1 (patch-aj) = 54812097499c81e5cb0196ab949cc86a4f24a9cc
 SHA1 (patch-al) = 0ee37782cc0d3bf5ede1a583de0589c2c1316b50
 SHA1 (patch-an) = 8f4174627b8cb5f8bfbc59413c95f71e26b9e602
@@ -16,4 +16,9 @@ SHA1 (patch-ap) = 5eb0e0e4244a993da93e36f8fcb5553454207fce
 SHA1 (patch-aq) = 0c9d48547da2fa80aa8357d23ad8505d1c0330df
 SHA1 (patch-ar) = 2d74ec926cc00bfbb67d16210af78c33ad9ac38d
 SHA1 (patch-as) = f7ce5caffe2acdd1f8e9fc8ae6c7ba1d8c6a25c1
-SHA1 (patch-ay) = c2667dd398c1c58e55f459f2df02613dc028e9cc
+SHA1 (patch-ay) = 7ae502db6574a91fcbb487d37c14a5de644b01b6
+SHA1 (patch-az) = 04e69038e693cc72fb0f67ce04dd1778dacb1756
+SHA1 (patch-ba) = d9483f61b19c297eced12ae3d84d5163e33327b4
+SHA1 (patch-bb) = abbc8747e520d3665d3bcccf9c87741ecc6dc210
+SHA1 (patch-bc) = 9cb2e7fcd6f91d3382a69d68a80d72fdb8fbf2a7
+SHA1 (patch-bd) = 85c891ada42c062b365051b43a3b53c33fa39a92
diff --git a/lang/php5/patches/patch-ag b/lang/php5/patches/patch-ag
index a2304bc5e11..d24403b2091 100644
--- a/lang/php5/patches/patch-ag
+++ b/lang/php5/patches/patch-ag
@@ -1,8 +1,21 @@
-$NetBSD: patch-ag,v 1.2 2006/02/06 06:39:59 martti Exp $
+$NetBSD: patch-ag,v 1.2.34.1 2009/11/30 23:10:20 tron Exp $
 
---- php.ini-dist.orig	2005-12-30 19:15:55.000000000 +0200
-+++ php.ini-dist	2006-02-05 15:36:13.000000000 +0200
-@@ -457,8 +457,9 @@
+* Ajust for pkgsrc.
+* Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017:
+	http://svn.php.net/viewvc?view=revision&revision=289990
+
+--- php.ini-dist.orig	2009-02-14 01:55:18.000000000 +0900
++++ php.ini-dist
+@@ -471,7 +471,7 @@ default_mimetype = "text/html"
+ ;;;;;;;;;;;;;;;;;;;;;;;;;
+ 
+ ; UNIX: "/path1:/path2"
+-;include_path = ".:/php/includes"
++include_path = ".:@PREFIX@/lib/php"
+ ;
+ ; Windows: "\path1;\path2"
+ ;include_path = ".;c:\php\includes"
+@@ -487,8 +487,9 @@ doc_root =
  ; if nonempty.
  user_dir =
  
@@ -14,7 +27,7 @@ $NetBSD: patch-ag,v 1.2 2006/02/06 06:39:59 martti Exp $
  
  ; Whether or not to enable the dl() function.  The dl() function does NOT work
  ; properly in multithreaded servers, such as IIS or Zeus, and is automatically
-@@ -508,7 +509,7 @@
+@@ -546,11 +547,13 @@ file_uploads = On
  
  ; Temporary directory for HTTP uploaded files (will use system default if not
  ; specified).
@@ -23,3 +36,9 @@ $NetBSD: patch-ag,v 1.2 2006/02/06 06:39:59 martti Exp $
  
  ; Maximum allowed size for uploaded files.
  upload_max_filesize = 2M
+ 
++; Maximum number of files that can be uploaded via a single request
++max_file_uploads = 100
+ 
+ ;;;;;;;;;;;;;;;;;;
+ ; Fopen wrappers ;
diff --git a/lang/php5/patches/patch-ah b/lang/php5/patches/patch-ah
index 6d2b7dd9bb8..5d4f73c3cec 100644
--- a/lang/php5/patches/patch-ah
+++ b/lang/php5/patches/patch-ah
@@ -1,8 +1,21 @@
-$NetBSD: patch-ah,v 1.1 2005/12/06 08:32:22 jdolecek Exp $
+$NetBSD: patch-ah,v 1.1.36.1 2009/11/30 23:10:20 tron Exp $
 
---- php.ini-recommended.orig	2005-11-15 00:14:23.000000000 +0100
+* Ajust for pkgsrc.
+* Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017:
+	http://svn.php.net/viewvc?view=revision&revision=289990
+
+--- php.ini-recommended.orig	2009-03-02 13:44:35.000000000 +0900
 +++ php.ini-recommended
-@@ -515,8 +515,9 @@ doc_root =
+@@ -522,7 +522,7 @@ default_mimetype = "text/html"
+ ;;;;;;;;;;;;;;;;;;;;;;;;;
+ 
+ ; UNIX: "/path1:/path2"
+-;include_path = ".:/php/includes"
++include_path = ".:@PREFIX@/lib/php"
+ ;
+ ; Windows: "\path1;\path2"
+ ;include_path = ".;c:\php\includes"
+@@ -538,8 +538,9 @@ doc_root =
  ; if nonempty.
  user_dir =
  
@@ -14,7 +27,7 @@ $NetBSD: patch-ah,v 1.1 2005/12/06 08:32:22 jdolecek Exp $
  
  ; Whether or not to enable the dl() function.  The dl() function does NOT work
  ; properly in multithreaded servers, such as IIS or Zeus, and is automatically
-@@ -566,7 +567,7 @@ file_uploads = On
+@@ -597,11 +598,13 @@ file_uploads = On
  
  ; Temporary directory for HTTP uploaded files (will use system default if not
  ; specified).
@@ -23,3 +36,9 @@ $NetBSD: patch-ah,v 1.1 2005/12/06 08:32:22 jdolecek Exp $
  
  ; Maximum allowed size for uploaded files.
  upload_max_filesize = 2M
+ 
++; Maximum number of files that can be uploaded via a single request
++max_file_uploads = 100
+ 
+ ;;;;;;;;;;;;;;;;;;
+ ; Fopen wrappers ;
diff --git a/lang/php5/patches/patch-ay b/lang/php5/patches/patch-ay
index 8b841ef5fdc..2d6c27d875f 100644
--- a/lang/php5/patches/patch-ay
+++ b/lang/php5/patches/patch-ay
@@ -1,7 +1,7 @@
-$NetBSD: patch-ay,v 1.1.2.2 2009/10/22 21:25:08 tron Exp $
+$NetBSD: patch-ay,v 1.1.2.3 2009/11/30 23:10:20 tron Exp $
 
 * Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546
-  from PHP's SVN repositry r289557.
+	http://svn.php.net/viewvc?view=revision&revision=289557
 
 --- ext/gd/libgd/gd_gd.c.orig	2007-08-09 23:21:38.000000000 +0900
 +++ ext/gd/libgd/gd_gd.c
diff --git a/lang/php5/patches/patch-az b/lang/php5/patches/patch-az
new file mode 100644
index 00000000000..184f591054b
--- /dev/null
+++ b/lang/php5/patches/patch-az
@@ -0,0 +1,373 @@
+$NetBSD$
+
+* Fix for htmlspecialchars():
+	http://svn.php.net/viewvc?view=revision&revision=289411
+	http://svn.php.net/viewvc?view=revision&revision=289554
+	http://svn.php.net/viewvc?view=revision&revision=289565
+	http://svn.php.net/viewvc?view=revision&revision=289567
+	http://svn.php.net/viewvc?view=revision&revision=289605
+
+--- ext/standard/html.c.orig	2008-12-31 20:17:49.000000000 +0900
++++ ext/standard/html.c
+@@ -484,15 +484,31 @@ struct basic_entities_dec {
+ 			}                        \
+ 			mbseq[mbpos++] = (mbchar); }
+ 
+-#define CHECK_LEN(pos, chars_need)			\
+-	if((str_len - (pos)) < chars_need) {	\
+-		*status = FAILURE;					\
+-		return 0;							\
++/* skip one byte and return */
++#define MB_FAILURE(pos) do {	\
++		*newpos = pos + 1;		\
++		*status = FAILURE;		\
++		return 0;				\
++	} while (0)
++
++#define CHECK_LEN(pos, chars_need)				\
++	if (chars_need < 1) {						\
++		if((str_len - (pos)) < chars_need) {	\
++			*newpos = pos;						\
++			*status = FAILURE;					\
++			return 0;							\
++		}										\
++	} else {									\
++		if((str_len - (pos)) < chars_need) {	\
++			*newpos = pos + 1;					\
++			*status = FAILURE;					\
++			return 0;							\
++		}										\
+ 	}
+ 
+ /* {{{ get_next_char
+  */
+-inline static unsigned short get_next_char(enum entity_charset charset,
++inline static unsigned int get_next_char(enum entity_charset charset,
+ 		unsigned char * str,
+ 		int str_len,
+ 		int * newpos,
+@@ -503,205 +519,189 @@ inline static unsigned short get_next_ch
+ 	int pos = *newpos;
+ 	int mbpos = 0;
+ 	int mbspace = *mbseqlen;
+-	unsigned short this_char = str[pos++];
++	unsigned int this_char = 0;
+ 	unsigned char next_char;
+ 
+ 	*status = SUCCESS;
+-	
++
+ 	if (mbspace <= 0) {
+ 		*mbseqlen = 0;
+-		return this_char;
++		CHECK_LEN(pos, 1);
++		*newpos = pos + 1;
++		*newpos = pos + 1;
+ 	}
+-	
+-	MB_WRITE((unsigned char)this_char);
+-	
++
+ 	switch (charset) {
+ 		case cs_utf_8:
+ 			{
+-				unsigned long utf = 0;
+-				int stat = 0;
+-				int more = 1;
+-
+-				/* unpack utf-8 encoding into a wide char.
+-				 * Code stolen from the mbstring extension */
+-
+-				do {
+-					if (this_char < 0x80) {
+-						more = 0;
+-						if(stat) {
+-							/* we didn't finish the UTF sequence correctly */
+-							*status = FAILURE;
+-						}
+-						break;
+-					} else if (this_char < 0xc0) {
+-						switch (stat) {
+-							case 0x10:	/* 2, 2nd */
+-							case 0x21:	/* 3, 3rd */
+-							case 0x32:	/* 4, 4th */
+-							case 0x43:	/* 5, 5th */
+-							case 0x54:	/* 6, 6th */
+-								/* last byte in sequence */
+-								more = 0;
+-								utf |= (this_char & 0x3f);
+-								this_char = (unsigned short)utf;
+-								break;
+-							case 0x20:	/* 3, 2nd */
+-							case 0x31:	/* 4, 3rd */
+-							case 0x42:	/* 5, 4th */
+-							case 0x53:	/* 6, 5th */
+-								/* penultimate char */
+-								utf |= ((this_char & 0x3f) << 6);
+-								stat++;
+-								break;
+-							case 0x30:	/* 4, 2nd */
+-							case 0x41:	/* 5, 3rd */
+-							case 0x52:	/* 6, 4th */
+-								utf |= ((this_char & 0x3f) << 12);
+-								stat++;
+-								break;
+-							case 0x40:	/* 5, 2nd */
+-							case 0x51:
+-								utf |= ((this_char & 0x3f) << 18);
+-								stat++;
+-								break;
+-							case 0x50:	/* 6, 2nd */
+-								utf |= ((this_char & 0x3f) << 24);
+-								stat++;
+-								break;
+-							default:
+-								/* invalid */
+-								*status = FAILURE;
+-								more = 0;
+-						}
+-					}
+-					/* lead byte */
+-					else if (this_char < 0xe0) {
+-						stat = 0x10;	/* 2 byte */
+-						utf = (this_char & 0x1f) << 6;
+-						CHECK_LEN(pos, 1);
+-					} else if (this_char < 0xf0) {
+-						stat = 0x20;	/* 3 byte */
+-						utf = (this_char & 0xf) << 12;
+-						CHECK_LEN(pos, 2);
+-					} else if (this_char < 0xf8) {
+-						stat = 0x30;	/* 4 byte */
+-						utf = (this_char & 0x7) << 18;
+-						CHECK_LEN(pos, 3);
+-					} else if (this_char < 0xfc) {
+-						stat = 0x40;	/* 5 byte */
+-						utf = (this_char & 0x3) << 24;
+-						CHECK_LEN(pos, 4);
+-					} else if (this_char < 0xfe) {
+-						stat = 0x50;	/* 6 byte */
+-						utf = (this_char & 0x1) << 30;
+-						CHECK_LEN(pos, 5);
+-					} else {
+-						/* invalid; bail */
+-						more = 0;
+-						*status = FAILURE;
+-						break;
++				unsigned char c;
++				CHECK_LEN(pos, 1);
++				c = str[pos];
++				if (c < 0x80) {
++					MB_WRITE(c);
++					this_char = c;
++					pos++;
++				} else if (c < 0xc0) {
++					MB_FAILURE(pos);
++				} else if (c < 0xe0) {
++					CHECK_LEN(pos, 2);
++					if (str[pos + 1] < 0x80 || str[pos + 1] > 0xbf) {
++						MB_FAILURE(pos);
+ 					}
+-
+-					if (more) {
+-						this_char = str[pos++];
+-						MB_WRITE((unsigned char)this_char);
++					this_char = ((c & 0x1f) << 6) | (str[pos + 1] & 0x3f);
++					if (this_char < 0x80) {
++						MB_FAILURE(pos);
+ 					}
+-				} while (more);
++					MB_WRITE((unsigned char)c);
++					MB_WRITE((unsigned char)str[pos + 1]);
++					pos += 2;
++				} else if (c < 0xf0) {
++					CHECK_LEN(pos, 3);
++					if (str[pos + 1] < 0x80 || str[pos + 1] > 0xbf) {
++						MB_FAILURE(pos);
++					}
++					if (str[pos + 2] < 0x80 || str[pos + 2] > 0xbf) {
++						MB_FAILURE(pos);
++					}
++					this_char = ((c & 0x0f) << 12) | ((str[pos + 1] & 0x3f) << 6) | (str[pos + 2] & 0x3f);
++					if (this_char < 0x800) {
++						MB_FAILURE(pos);
++					}
++					MB_WRITE((unsigned char)c);
++					MB_WRITE((unsigned char)str[pos + 1]);
++					MB_WRITE((unsigned char)str[pos + 2]);
++					pos += 3;
++				} else if (c < 0xf8) {
++					CHECK_LEN(pos, 4);
++					if (str[pos + 1] < 0x80 || str[pos + 1] > 0xbf) {
++						MB_FAILURE(pos);
++					}
++					if (str[pos + 2] < 0x80 || str[pos + 2] > 0xbf) {
++						MB_FAILURE(pos);
++					}
++					if (str[pos + 3] < 0x80 || str[pos + 3] > 0xbf) {
++						MB_FAILURE(pos);
++					}
++					this_char = ((c & 0x07) << 18) | ((str[pos + 1] & 0x3f) << 12) | ((str[pos + 2] & 0x3f) << 6) | (str[pos + 3] & 0x3f);
++					if (this_char < 0x10000) {
++						MB_FAILURE(pos);
++					}
++					MB_WRITE((unsigned char)c);
++					MB_WRITE((unsigned char)str[pos + 1]);
++					MB_WRITE((unsigned char)str[pos + 2]);
++					MB_WRITE((unsigned char)str[pos + 3]);
++					pos += 4;
++				} else {
++					MB_FAILURE(pos);
++				}
+ 			}
+ 			break;
+ 		case cs_big5:
+ 		case cs_gb2312:
+ 		case cs_big5hkscs:
+ 			{
++				CHECK_LEN(pos, 1);
++				this_char = str[pos++];
+ 				/* check if this is the first of a 2-byte sequence */
+-				if (this_char >= 0xa1 && this_char <= 0xfe) {
++				if (this_char >= 0x81 && this_char <= 0xfe) {
+ 					/* peek at the next char */
+ 					CHECK_LEN(pos, 1);
+-					next_char = str[pos];
++					next_char = str[pos++];
+ 					if ((next_char >= 0x40 && next_char <= 0x7e) ||
+ 							(next_char >= 0xa1 && next_char <= 0xfe)) {
+ 						/* yes, this a wide char */
+-						this_char <<= 8;
++						MB_WRITE(this_char); 
+ 						MB_WRITE(next_char);
+-						this_char |= next_char;
+-						pos++;
++						this_char = (this_char << 8) | next_char;
++					} else {
++						MB_FAILURE(pos);
+ 					}
+-					
++				} else {
++					MB_WRITE(this_char);
+ 				}
+-				break;
+ 			}
++			break;
+ 		case cs_sjis:
+ 			{
++				CHECK_LEN(pos, 1);
++				this_char = str[pos++];
+ 				/* check if this is the first of a 2-byte sequence */
+-				if ( (this_char >= 0x81 && this_char <= 0x9f) ||
+-					 (this_char >= 0xe0 && this_char <= 0xef)
+-					) {
++				if ((this_char >= 0x81 && this_char <= 0x9f) ||
++					(this_char >= 0xe0 && this_char <= 0xfc)) {
+ 					/* peek at the next char */
+ 					CHECK_LEN(pos, 1);
+-					next_char = str[pos];
++					next_char = str[pos++];
+ 					if ((next_char >= 0x40 && next_char <= 0x7e) ||
+ 						(next_char >= 0x80 && next_char <= 0xfc))
+ 					{
+ 						/* yes, this a wide char */
+-						this_char <<= 8;
++						MB_WRITE(this_char);
+ 						MB_WRITE(next_char);
+-						this_char |= next_char;
+-						pos++;
++						this_char = (this_char << 8) | next_char;
++					} else {
++						MB_FAILURE(pos);
+ 					}
+-					
++				} else {
++					MB_WRITE(this_char);
+ 				}
+ 				break;
+ 			}
+ 		case cs_eucjp:
+ 			{
++				CHECK_LEN(pos, 1);
++				this_char = str[pos++];
+ 				/* check if this is the first of a multi-byte sequence */
+ 				if (this_char >= 0xa1 && this_char <= 0xfe) {
+ 					/* peek at the next char */
+ 					CHECK_LEN(pos, 1);
+-					next_char = str[pos];
++					next_char = str[pos++];
+ 					if (next_char >= 0xa1 && next_char <= 0xfe) {
+ 						/* yes, this a jis kanji char */
+-						this_char <<= 8;
++						MB_WRITE(this_char);
+ 						MB_WRITE(next_char);
+-						this_char |= next_char;
+-						pos++;
++						this_char = (this_char << 8) | next_char;
++					} else {
++						MB_FAILURE(pos);
+ 					}
+-					
+ 				} else if (this_char == 0x8e) {
+ 					/* peek at the next char */
+ 					CHECK_LEN(pos, 1);
+-					next_char = str[pos];
++					next_char = str[pos++];
+ 					if (next_char >= 0xa1 && next_char <= 0xdf) {
+ 						/* JIS X 0201 kana */
+-						this_char <<= 8;
++						MB_WRITE(this_char);
+ 						MB_WRITE(next_char);
+-						this_char |= next_char;
+-						pos++;
++						this_char = (this_char << 8) | next_char;
++					} else {
++						MB_FAILURE(pos);
+ 					}
+-					
+ 				} else if (this_char == 0x8f) {
+ 					/* peek at the next two char */
+ 					unsigned char next2_char;
+ 					CHECK_LEN(pos, 2);
+ 					next_char = str[pos];
+-					next2_char = str[pos+1];
++					next2_char = str[pos + 1];
++					pos += 2;
+ 					if ((next_char >= 0xa1 && next_char <= 0xfe) &&
+ 						(next2_char >= 0xa1 && next2_char <= 0xfe)) {
+ 						/* JIS X 0212 hojo-kanji */
+-						this_char <<= 8;
++						MB_WRITE(this_char);
+ 						MB_WRITE(next_char);
+-						this_char |= next_char;
+-						pos++;
+-						this_char <<= 8;
+ 						MB_WRITE(next2_char);
+-						this_char |= next2_char;
+-						pos++;
++						this_char = (this_char << 16) | (next_char << 8) | next2_char;
++					} else {
++						MB_FAILURE(pos);
+ 					}
+-					
++				} else {
++					MB_WRITE(this_char);
+ 				}
+ 				break;
+ 			}
+ 		default:
++			/* single-byte charsets */
++			CHECK_LEN(pos, 1);
++			this_char = str[pos++];
++			MB_WRITE(this_char);
+ 			break;
+ 	}
+ 	MB_RETURN;
+@@ -1132,7 +1132,7 @@ PHPAPI char *php_escape_html_entities_ex
+ 		unsigned char mbsequence[16];	/* allow up to 15 characters in a multibyte sequence */
+ 		int mbseqlen = sizeof(mbsequence);
+ 		int status = SUCCESS;
+-		unsigned short this_char = get_next_char(charset, old, oldlen, &i, mbsequence, &mbseqlen, &status);
++		unsigned int this_char = get_next_char(charset, old, oldlen, &i, mbsequence, &mbseqlen, &status);
+ 
+ 		if(status == FAILURE) {
+ 			/* invalid MB sequence */
diff --git a/lang/php5/patches/patch-ba b/lang/php5/patches/patch-ba
new file mode 100644
index 00000000000..36f0ac78796
--- /dev/null
+++ b/lang/php5/patches/patch-ba
@@ -0,0 +1,17 @@
+$NetBSD: patch-ba,v 1.1.2.2 2009/11/30 23:10:20 tron Exp $
+
+Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3558:
+	http://svn.php.net/viewvc?view=revision&revision=288934
+
+--- ext/posix/posix.c.orig	2009-08-06 20:11:15.000000000 +0900
++++ ext/posix/posix.c
+@@ -679,7 +679,8 @@ PHP_FUNCTION(posix_mkfifo)
+ 		RETURN_FALSE;
+ 	}
+ 
+-	if (PG(safe_mode) && (!php_checkuid(path, NULL, CHECKUID_ALLOW_ONLY_DIR))) {
++	if (php_check_open_basedir_ex(path, 0 TSRMLS_CC) ||
++		(PG(safe_mode) && (!php_checkuid(path, NULL, CHECKUID_ALLOW_ONLY_DIR))) {
+ 		RETURN_FALSE;
+ 	}
+ 
diff --git a/lang/php5/patches/patch-bb b/lang/php5/patches/patch-bb
new file mode 100644
index 00000000000..07c69816914
--- /dev/null
+++ b/lang/php5/patches/patch-bb
@@ -0,0 +1,19 @@
+$NetBSD: patch-bb,v 1.1.2.2 2009/11/30 23:10:20 tron Exp $
+
+Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3557:
+	http://svn.php.net/viewvc?view=revision&revision=288945
+	http://svn.php.net/viewvc?view=revision&revision=288971
+
+--- ext/standard/file.c.orig	2009-11-30 10:04:51.000000000 +0900
++++ ext/standard/file.c
+@@ -838,6 +838,10 @@ PHP_FUNCTION(tempnam)
+ 	convert_to_string_ex(arg1);
+ 	convert_to_string_ex(arg2);
+ 
++	if (PG(safe_mode) &&(!php_checkuid(Z_STRVAL_PP(arg1), NULL, CHECKUID_ALLOW_ONLY_DIR))) {
++		RETURN_FALSE;
++	}
++
+ 	if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
+ 		RETURN_FALSE;
+ 	}
diff --git a/lang/php5/patches/patch-bc b/lang/php5/patches/patch-bc
new file mode 100644
index 00000000000..6377089a28a
--- /dev/null
+++ b/lang/php5/patches/patch-bc
@@ -0,0 +1,15 @@
+$NetBSD: patch-bc,v 1.1.2.2 2009/11/30 23:10:20 tron Exp $
+
+Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017:
+	http://svn.php.net/viewvc?view=revision&revision=289990
+
+--- main/main.c.orig	2009-11-30 10:04:51.000000000 +0900
++++ main/main.c
+@@ -455,6 +455,7 @@ PHP_INI_BEGIN()
+ 	PHP_INI_ENTRY("mail.force_extra_parameters",NULL,		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnChangeMailForceExtra)
+ 	PHP_INI_ENTRY("disable_functions",			"",			PHP_INI_SYSTEM,		NULL)
+ 	PHP_INI_ENTRY("disable_classes",			"",			PHP_INI_SYSTEM,		NULL)
++	PHP_INI_ENTRY("max_file_uploads",			"100",		PHP_INI_SYSTEM,		NULL)
+ 
+ 	STD_PHP_INI_BOOLEAN("allow_url_fopen",		"1",		PHP_INI_SYSTEM,		OnUpdateBool,		allow_url_fopen,		php_core_globals,	core_globals)
+ 	STD_PHP_INI_BOOLEAN("allow_url_include",	"0",		PHP_INI_SYSTEM,		OnUpdateBool,		allow_url_include,		php_core_globals,	core_globals)
diff --git a/lang/php5/patches/patch-bd b/lang/php5/patches/patch-bd
new file mode 100644
index 00000000000..7032c8ee22b
--- /dev/null
+++ b/lang/php5/patches/patch-bd
@@ -0,0 +1,46 @@
+$NetBSD: patch-bd,v 1.1.2.2 2009/11/30 23:10:20 tron Exp $
+
+Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017:
+	http://svn.php.net/viewvc?view=revision&revision=289990
+	http://svn.php.net/viewvc?view=revision&revision=290820
+	http://svn.php.net/viewvc?view=revision&revision=290885
+
+--- main/rfc1867.c.orig	2008-12-31 20:17:49.000000000 +0900
++++ main/rfc1867.c
+@@ -32,6 +32,7 @@
+ #include "php_globals.h"
+ #include "php_variables.h"
+ #include "rfc1867.h"
++#include "php_ini.h"
+ 
+ #define DEBUG_FILE_UPLOAD ZEND_DEBUG
+ 
+@@ -794,8 +795,9 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_
+ 	zend_llist header;
+ 	void *event_extra_data = NULL;
+ 	int llen = 0;
++	int upload_cnt = INI_INT("max_file_uploads");
+ 
+-	if (SG(request_info).content_length > SG(post_max_size)) {
++	if (SG(post_max_size) > 0 && SG(request_info).content_length > SG(post_max_size)) {
+ 		sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes", SG(request_info).content_length, SG(post_max_size));
+ 		return;
+ 	}
+@@ -972,6 +974,9 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_
+ 			/* If file_uploads=off, skip the file part */
+ 			if (!PG(file_uploads)) {
+ 				skip_upload = 1;
++			} else if (upload_cnt <= 0) {
++				skip_upload = 1;
++				sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
+ 			}
+ 
+ 			/* Return with an error if the posted data is garbled */
+@@ -1016,6 +1021,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_
+ 			if (!skip_upload) {
+ 				/* Handle file */
+ 				fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1 TSRMLS_CC);
++				upload_cnt--;
+ 				if (fd==-1) {
+ 					sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
+ 					cancel_upload = UPLOAD_ERROR_E;
author	tron <tron>	2009-11-30 23:10:19 +0000
committer	tron <tron>	2009-11-30 23:10:19 +0000
commit	193ed1acdea13f08054c736b37e923b20f2dde16 (patch)
tree	0d41e8eb1ddc6a0fc9ace6b8a2e25f13c4c128f1
parent	5289e86b0512325fab54b3ec0c4350df06a14bb1 (diff)
download	pkgsrc-193ed1acdea13f08054c736b37e923b20f2dde16.tar.gz