authormanu <manu@pkgsrc.org>2018-07-18 07:33:12 +0000
committermanu <manu@pkgsrc.org>2018-07-18 07:33:12 +0000
commitf45490d1ff44d7ca4ef09aae441fd9c0de704c13 (patch)
treeec06f264c2376c18e5a720dc6c07c00e117dc0c8 /lang/php56
parent0d5e488481c134e7fd7cedff7b799705eb6dffc3 (diff)
Add pkgsrc build option disable-filter-url to disable php://filter URL
php://filter URL is a feature documented here: http://php.net/manual/en/wrappers.php.php
Unfortunately, it allows remote control of include() behavior beyond what many developers expected, enabling easy dumping of PHP source files. The administrator may want to disable the feature for security's sake, and this option makes that possible.
Diffstat (limited to 'lang/php56')
-rw-r--r--lang/php56/Makefile.php8
-rw-r--r--lang/php56/distinfo3
-rw-r--r--lang/php56/patches/patch-disable-filter-url34
3 files changed, 42 insertions, 3 deletions
diff --git a/lang/php56/Makefile.php b/lang/php56/Makefile.php
index e406cabbe15..4b8dfad3f53 100644
--- a/lang/php56/Makefile.php
+++ b/lang/php56/Makefile.php
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.php,v 1.4 2017/07/12 09:11:35 manu Exp $
+# $NetBSD: Makefile.php,v 1.5 2018/07/18 07:33:12 manu Exp $
# used by lang/php56/Makefile
# used by www/ap-php/Makefile
# used by www/php-fpm/Makefile
@@ -42,7 +42,7 @@ CONFIGURE_ARGS+= --with-libxml-dir=${PREFIX}
.include "../../textproc/libxml2/buildlink3.mk"
PKG_OPTIONS_VAR= PKG_OPTIONS.${PHP_PKG_PREFIX}
-PKG_SUPPORTED_OPTIONS+= inet6 ssl maintainer-zts readline
+PKG_SUPPORTED_OPTIONS+= inet6 ssl maintainer-zts readline disable-filter-url
PKG_SUGGESTED_OPTIONS+= inet6 ssl
.if ${OPSYS} == "SunOS" || ${OPSYS} == "Darwin" || ${OPSYS} == "FreeBSD"
@@ -89,5 +89,9 @@ CONFIGURE_ARGS+= --enable-dtrace
INSTALL_MAKE_FLAGS+= -r
.endif
+.if !empty(PKG_OPTIONS:Mdisable-filter-url)
+CFLAGS+= -DDISABLE_FILTER_URL
+.endif
+
DL_AUTO_VARS= yes
.include "../../mk/dlopen.buildlink3.mk"
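Review bot: The new `.if` block passes a preprocessor define through `CFLAGS`, whereas `CPPFLAGS+= -DDISABLE_FILTER_URL` is the conventional variable for `-D` macros. Because the guard in the patched php_fopen_wrapper.c is an `#ifndef`, a define that never reaches the compiler silently leaves php://filter enabled while the administrator believes it is off. It is worth checking after the build that a php://filter open is actually refused. A one-line comment above the block, such as `# Compiles out php://filter in ext/standard/php_fopen_wrapper.c; see patches/patch-disable-filter-url`, would also help, since the header lines show this file is shared with www/ap-php and www/php-fpm.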
diff --git a/lang/php56/distinfo b/lang/php56/distinfo
index 806ebd644a8..61899228703 100644
--- a/lang/php56/distinfo
+++ b/lang/php56/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.48 2018/04/29 16:26:40 taca Exp $
+$NetBSD: distinfo,v 1.49 2018/07/18 07:33:12 manu Exp $
SHA1 (php-5.6.36.tar.bz2) = c5cf00d9d6e212e1d10cfd45adbe73c936312e43
RMD160 (php-5.6.36.tar.bz2) = 91d662d8dba9cd6ed9b14244afcae4c12c25ff01
@@ -6,6 +6,7 @@ SHA512 (php-5.6.36.tar.bz2) = 39988e3be529cdbb12aab848de7bc132475e2c81d322403bc7
Size (php-5.6.36.tar.bz2) = 15057704 bytes
SHA1 (patch-acinclude.m4) = 34d38d2538cc00932cdfcc80d1d4a91632cd15d0
SHA1 (patch-configure) = a5623b0cbb3331fd0a537b26c0ae48315d52dbe2
+SHA1 (patch-disable-filter-url) = a2b08912d81f2872bf1834fa4cefddb044c9d0f8
SHA1 (patch-ext_gd_config.m4) = b92ab4c7fe8aceaef7787a607a7d2eac258fee19
SHA1 (patch-ext_imap_config.m4) = 9c6ed6966366c4fe1b7cfd34b5910e2ff0e68577
SHA1 (patch-ext_mssql_php__mssql.c) = c4fa9231dc539ffb027f1beb6f182f21ddb94a3c
diff --git a/lang/php56/patches/patch-disable-filter-url b/lang/php56/patches/patch-disable-filter-url
new file mode 100644
index 00000000000..02a2ef18b1c
--- /dev/null
+++ b/lang/php56/patches/patch-disable-filter-url
@@ -0,0 +1,34 @@
+$NetBSD: patch-disable-filter-url,v 1.1 2018/07/18 07:33:12 manu Exp $
+
+Add build-time disable option for dangerous php://filter URL
+
+php://filter URL is a feature documented here:
+http://php.net/manual/en/wrappers.php.php
+
+Unfortunately, it allows remote control of include() behavior
+beyond what many developpers expected, enabling easy dump of
+PHP source files. The administrator may want to disable the
+feature for security sake, and this patch makes that possible.
+
+--- ./ext/standard/php_fopen_wrapper.c.orig
++++ ./ext/standard/php_fopen_wrapper.c
+@@ -333,8 +333,9 @@
+ "Error duping file descriptor %ld; possibly it doesn't exist: "
+ "[%d]: %s", fildes_ori, errno, strerror(errno));
+ return NULL;
+ }
++#ifndef DISABLE_FILTER_URL
+ } else if (!strncasecmp(path, "filter/", 7)) {
+ /* Save time/memory when chain isn't specified */
+ if (strchr(mode, 'r') || strchr(mode, '+')) {
+ mode_rw |= PHP_STREAM_FILTER_READ;
+@@ -369,8 +370,9 @@
+ }
+ efree(pathdup);
+
+ return stream;
++#endif /* !DISABLE_FILTER_URL */
+ } else {
+ /* invalid php://thingy */
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid php:// URL specified");
+ return NULL;
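Review bot: With DISABLE_FILTER_URL defined, a `filter/` path drops into the final `else` and is logged as "Invalid php:// URL specified", so the log cannot distinguish a compiled-out wrapper from a malformed URL. The request still fails closed, which is the right default, but a dedicated `#else` branch with its own warning would let an operator recognise both a broken application and probing of an include() parameter. This option removes only one wrapper path; include() on caller-controlled input remains the root cause and still needs fixing in the application. The enclosing function starts and ends outside the hunk.

```c
#ifndef DISABLE_FILTER_URL
	} else if (!strncasecmp(path, "filter/", 7)) {
		/* … unchanged: filter chain parsing and stream setup … */
		return stream;
#else
	} else if (!strncasecmp(path, "filter/", 7)) {
		/* compiled out by DISABLE_FILTER_URL: fail closed, but say why */
		php_error_docref(NULL TSRMLS_CC, E_WARNING, "php://filter is disabled in this build");
		return NULL;
#endif /* !DISABLE_FILTER_URL */
	} else {
```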