author | taca <taca@pkgsrc.org> | 2011-08-20 13:55:09 +0000 |
---|---|---|
committer | taca <taca@pkgsrc.org> | 2011-08-20 13:55:09 +0000 |
commit | 833643857cba0ce35b998c8e5437fb908a41d405 (patch) | |
tree | 62831adafdbf1ee6224ebced780efe54e4f3238f /lang | |
parent | afc53ae4d237875274752e771046da0e59e300e1 (diff) | |
download | pkgsrc-833643857cba0ce35b998c8e5437fb908a41d405.tar.gz |
Update php53 package to 5.3.7.
PHP 5.3.7 Released!
[18-Aug-2011] The PHP development team would like to announce the immediate
availability of PHP 5.3.7. This release focuses on improving the stability of
the PHP 5.3.x branch with over 90 bug fixes, some of which are security
related.
Security Enhancements and Fixes in PHP 5.3.7:
* Updated crypt_blowfish to 1.2. (CVE-2011-2483)
* Fixed crash in error_log(). Reported by Mateusz Kocielski
* Fixed buffer overflow on overlong salt in crypt().
* Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload
filename). Reported by Krzysztof Kotowicz. (CVE-2011-2202)
* Fixed stack buffer overflow in socket_connect(). (CVE-2011-1938)
* Fixed bug #54238 (use-after-free in substr_replace()). (CVE-2011-1148)
Key enhancements in PHP 5.3.7 include:
* Upgraded bundled Sqlite3 to version 3.7.7.1
* Upgraded bundled PCRE to version 8.12
* Fixed bug #54910 (Crash when calling call_user_func with unknown function
name)
* Fixed bug #54585 (track_errors causes segfault)
* Fixed bug #54262 (Crash when assigning value to a dimension in a non-array)
* Fixed a crash inside dtor for error handling
* Fixed bug #55339 (Segfault with allow_call_time_pass_reference = Off)
* Fixed bug #54935 php_win_err can lead to crash
* Fixed bug #54332 (Crash in zend_mm_check_ptr // Heap corruption)
* Fixed bug #54305 (Crash in gc_remove_zval_from_buffer)
* Fixed bug #54580 (get_browser() segmentation fault when browscap ini
directive is set through php_admin_value)
* Fixed bug #54529 (SAPI crashes on apache_config.c:197)
* Fixed bug #54283 (new DatePeriod(NULL) causes crash).
* Fixed bug #54269 (Short exception message buffer causes crash)
* Fixed Bug #54221 (mysqli::get_warnings segfault when used in multi queries)
* Fixed bug #54395 (Phar::mount() crashes when calling with wrong parameters)
* Fixed bug #54384 (Dual iterators, GlobIterator, SplFileObject and
SplTempFileObject crash when user-space classes don't call the parent
constructor)
* Fixed bug #54292 (Wrong parameter causes crash in
SplFileObject::__construct())
* Fixed bug #54291 (Crash iterating DirectoryIterator for dir name starting
with \0)
* Fixed bug #54281 (Crash in non-initialized RecursiveIteratorIterator)
* Fixed bug #54623 (Segfault when writing to a persistent socket after closing
a copy of the socket)
* Fixed bug #54681 (addGlob() crashes on invalid flags)
* Over 80 other bug fixes.
Diffstat (limited to 'lang')
-rw-r--r-- | lang/php53/Makefile | 3 | ||||
-rw-r--r-- | lang/php53/Makefile.common | 4 | ||||
-rw-r--r-- | lang/php53/PLIST | 3 | ||||
-rw-r--r-- | lang/php53/distinfo | 14 | ||||
-rw-r--r-- | lang/php53/patches/patch-ac | 22 | ||||
-rw-r--r-- | lang/php53/patches/patch-ext_sockets_sockets.c | 18 | ||||
-rw-r--r-- | lang/php53/patches/patch-ext_standard_crypt__blowfish.c | 160 | ||||
-rw-r--r-- | lang/php53/patches/patch-ext_standard_string.c | 163 | ||||
-rw-r--r-- | lang/php53/patches/patch-main_rfc1867.c | 24 |
9 files changed, 14 insertions, 397 deletions
diff --git a/lang/php53/Makefile b/lang/php53/Makefile
index ea602b488dd..a092c38bbef 100644
--- a/lang/php53/Makefile
+++ b/lang/php53/Makefile
@@ -1,10 +1,9 @@
-# $NetBSD: Makefile,v 1.14 2011/07/08 10:20:10 adam Exp $
+# $NetBSD: Makefile,v 1.15 2011/08/20 13:55:09 taca Exp $
 #
 # We can't omit PKGNAME here to handle PKG_OPTIONS.
 #
 PKGNAME= php-${PHP_BASE_VERS}
-PKGREVISION= 4
 CATEGORIES= lang
 HOMEPAGE= http://www.php.net/
diff --git a/lang/php53/Makefile.common b/lang/php53/Makefile.common
index 25e708d7be7..71a3289c4be 100644
--- a/lang/php53/Makefile.common
+++ b/lang/php53/Makefile.common
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.common,v 1.6 2011/07/08 10:20:10 adam Exp $
+# $NetBSD: Makefile.common,v 1.7 2011/08/20 13:55:09 taca Exp $
 # used by lang/php53/Makefile.php
 # used by lang/php/ext.mk
 # used by meta-pkgs/php53-extensions/Makefile
@@ -39,7 +39,7 @@ EXTRACT_SUFX?= .tar.bz2
 MAINTAINER?= pkgsrc-users@NetBSD.org
 HOMEPAGE?= http://www.php.net/
-PHP_BASE_VERS= 5.3.6
+PHP_BASE_VERS= 5.3.7
 PHP_EXTENSION_DIR= lib/php/20090630
 PLIST_SUBST+= PHP_EXTENSION_DIR=${PHP_EXTENSION_DIR}
diff --git a/lang/php53/PLIST b/lang/php53/PLIST
index bfc6e2eab7f..dd133925901 100644
--- a/lang/php53/PLIST
+++ b/lang/php53/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.1.1.1 2010/03/16 15:31:58 taca Exp $
+@comment $NetBSD: PLIST,v 1.2 2011/08/20 13:55:09 taca Exp $
 bin/phar
 bin/phar.phar
 bin/php
@@ -118,6 +118,7 @@ include/php/ext/standard/crc32.h
 include/php/ext/standard/credits.h
 include/php/ext/standard/credits_ext.h
 include/php/ext/standard/credits_sapi.h
+include/php/ext/standard/crypt_blowfish.h
 include/php/ext/standard/crypt_freesec.h
 include/php/ext/standard/css.h
 include/php/ext/standard/cyr_convert.h
diff --git a/lang/php53/distinfo b/lang/php53/distinfo
index 632a1e0f245..7d8a7b79c43 100644
--- a/lang/php53/distinfo
+++ b/lang/php53/distinfo
@@ -1,11 +1,11 @@
-$NetBSD: distinfo,v 1.17 2011/06/22 09:54:35 taca Exp $
+$NetBSD: distinfo,v 1.18 2011/08/20 13:55:09 taca Exp $
-SHA1 (php-5.3.6/php-5.3.6.tar.bz2) = 0e0b9b4d9117f22080e2204afa9383469eb0dbbd
-RMD160 (php-5.3.6/php-5.3.6.tar.bz2) = 619bf96cf24bf6aa0988494186f8914fde94d44d
-Size (php-5.3.6/php-5.3.6.tar.bz2) = 10952171 bytes
+SHA1 (php-5.3.7/php-5.3.7.tar.bz2) = 811e84b75d41ad997c075e3ebc8470f5c26d03ea
+RMD160 (php-5.3.7/php-5.3.7.tar.bz2) = d14c52036f35d79193783b590c0cf131e1cd00c0
+Size (php-5.3.7/php-5.3.7.tar.bz2) = 11144328 bytes
 SHA1 (patch-aa) = b0dc6cd0b2103d5858280202506b33322a98496e
 SHA1 (patch-ab) = d08bb50cf074a6065ef0d1d67a713b7573cb2f5b
-SHA1 (patch-ac) = 07a3d6c9ee4c316033afd8c7db71eb21045a3afd
+SHA1 (patch-ac) = 1720f154232241c19d0c6e08a824e33252f1b690
 SHA1 (patch-ad) = 1608c58860a43b4e31df8646b5ded253ec9aa881
 SHA1 (patch-ae) = e590db60a60f4e5ef2da4e5edb786335a67a3d56
 SHA1 (patch-af) = 1618b23fd6d090ce5aa929208416028724278bfc
@@ -14,7 +14,3 @@ SHA1 (patch-ah) = b20c29c64b3099f77855a5ec28960dc1c4f65c83
 SHA1 (patch-ai) = d4766893a2c47a4e4a744248dda265b0a9a66a1f
 SHA1 (patch-aj) = d611d13fcc28c5d2b9e9586832ce4b8ae5707b48
 SHA1 (patch-al) = fbbee5502e0cd1c47c6e7c15e0d54746414ec32e
-SHA1 (patch-ext_sockets_sockets.c) = 99137af0e3307f1b379e4a4012ebd56978a88a15
-SHA1 (patch-ext_standard_crypt__blowfish.c) = aa1788e5e89bb51a6f9271bb3859386c99859c8c
-SHA1 (patch-ext_standard_string.c) = fe16ffedd894a6d580f3c998b9f571f403f4a764
-SHA1 (patch-main_rfc1867.c) = 2f7efd3ebc6eadb377ce308d5d8293bda07bbc42
diff --git a/lang/php53/patches/patch-ac b/lang/php53/patches/patch-ac
index 70d74f440fd..0c05512463e 100644
--- a/lang/php53/patches/patch-ac
+++ b/lang/php53/patches/patch-ac
@@ -1,6 +1,6 @@
-$NetBSD: patch-ac,v 1.3 2011/01/13 13:52:53 wiz Exp $
+$NetBSD: patch-ac,v 1.4 2011/08/20 13:55:09 taca Exp $
---- ext/gd/config.m4.orig 2009-05-27 08:18:24.000000000 +0000
+--- ext/gd/config.m4.orig 2011-05-12 08:19:37.000000000 +0000
 +++ ext/gd/config.m4
 @@ -45,18 +45,7 @@ dnl Checks for the configure options
 dnl
@@ -30,22 +30,8 @@ $NetBSD: patch-ac,v 1.3 2011/01/13 13:52:53 wiz Exp $
 ])
 AC_DEFUN([PHP_GD_JPEG],[
-@@ -97,11 +85,11 @@ AC_DEFUN([PHP_GD_PNG],[
- if test "$PHP_PNG_DIR" != "no"; then
-
- for i in $PHP_PNG_DIR /usr/local /usr; do
-- test -f $i/$PHP_LIBDIR/libpng.$SHLIB_SUFFIX_NAME || test -f $i/$PHP_LIBDIR/libpng.a && GD_PNG_DIR=$i && break
-+ test -f $i/$PHP_LIBDIR/libpng15.$SHLIB_SUFFIX_NAME || test -f $i/$PHP_LIBDIR/libpng15.a && GD_PNG_DIR=$i && break
- done
-
- if test -z "$GD_PNG_DIR"; then
-- AC_MSG_ERROR([libpng.(a|so) not found.])
-+ AC_MSG_ERROR([libpng15.(a|so) not found.])
- fi
-
- if test "$PHP_ZLIB_DIR" = "no"; then
-@@ -112,13 +100,13 @@ AC_DEFUN([PHP_GD_PNG],[
- AC_MSG_ERROR([png.h not found.])
+@@ -108,13 +96,13 @@ AC_DEFUN([PHP_GD_PNG],[
+ AC_MSG_ERROR([PNG support requires ZLIB. Use --with-zlib-dir=<DIR>])
 fi
 - PHP_CHECK_LIBRARY(png,png_write_image,
diff --git a/lang/php53/patches/patch-ext_sockets_sockets.c b/lang/php53/patches/patch-ext_sockets_sockets.c
deleted file mode 100644
index 5df4f25324a..00000000000
--- a/lang/php53/patches/patch-ext_sockets_sockets.c
+++ /dev/null
@@ -1,18 +0,0 @@
-$NetBSD: patch-ext_sockets_sockets.c,v 1.1 2011/06/15 14:42:03 taca Exp $
-
-* Update of r311369 of PHP's repository, fix for CVE-2011-1938.
-
---- ext/sockets/sockets.c.orig 2011-01-01 02:19:59.000000000 +0000
-+++ ext/sockets/sockets.c
-@@ -1333,6 +1333,11 @@ PHP_FUNCTION(socket_connect)
- break;
-
- case AF_UNIX:
-+ if (addr_len >= sizeof(s_un.sun_path)) {
-+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long", php_sock->type);
-+ RETURN_FALSE;
-+ }
-+
- memset(&s_un, 0, sizeof(struct sockaddr_un));
-
- s_un.sun_family = AF_UNIX;
diff --git a/lang/php53/patches/patch-ext_standard_crypt__blowfish.c b/lang/php53/patches/patch-ext_standard_crypt__blowfish.c
deleted file mode 100644
index f8ea74092ea..00000000000
--- a/lang/php53/patches/patch-ext_standard_crypt__blowfish.c
+++ /dev/null
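Review bot: patch-ac still carries no explanatory comment, and this update drops its inner `@@ -97,11 +85,11 @@` section, the one that pointed the PHP_GD_PNG file probe at `libpng15.$SHLIB_SUFFIX_NAME`, without saying why. Neither the patch header nor the commit message shows whether the 5.3.7 `ext/gd/config.m4` made that probe unnecessary or whether it was lost while regenerating the patch. The retained `PHP_CHECK_LIBRARY(png,png_write_image,` change just below continues outside this hunk, so the probe and the link check cannot be compared from here. I would add a line under the `$NetBSD$` tag, as the other php53 patches removed in this commit had, for example `* Adjust GD library checks for pkgsrc; libpng15 file probe dropped with the 5.3.7 update (reason: <fill in>).`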
@@ -1,160 +0,0 @@
-$NetBSD: patch-ext_standard_crypt__blowfish.c,v 1.2 2011/06/22 09:54:35 taca Exp $
-
-- Fix potential security problem by char signedness processing:
- http://www.openwall.com/lists/oss-security/2011/06/20/2
-
- Dereived from revision 1.11 change of http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/glibc/crypt_blowfish/crypt_blowfish.c.
-
---- ext/standard/crypt_blowfish.c.orig 2010-02-21 23:47:14.000000000 +0000
-+++ ext/standard/crypt_blowfish.c
-@@ -7,6 +7,7 @@
- * cracking removed.
- *
- * Written by Solar Designer <solar at openwall.com> in 1998-2002 and
-+ * placed in the public domain. Quick self-test added in 2011 and also
- * placed in the public domain.
- *
- * There's absolutely no warranty.
-@@ -51,6 +52,13 @@
- #define __CONST __const
- #endif
-
-+/*
-+ * Please keep this enabled. We really don't want incompatible hashes to be
-+ * produced. The performance cost of this quick self-test is around 0.6% at
-+ * the "$2a$08" setting.
-+ */
-+#define BF_SELF_TEST
-+
- #ifdef __i386__
- #define BF_ASM 0
- #define BF_SCALE 1
-@@ -63,6 +71,7 @@
- #endif
-
- typedef unsigned int BF_word;
-+typedef signed int BF_word_signed;
-
- /* Number of Blowfish rounds, this is also hardcoded into a few places */
- #define BF_N 16
-@@ -555,7 +564,8 @@ static void BF_swap(BF_word *x, int coun
- } while (ptr < &data.ctx.S[3][0xFF]);
- #endif
-
--static void BF_set_key(__CONST char *key, BF_key expanded, BF_key initial)
-+static void BF_set_key(__CONST char *key, BF_key expanded, BF_key initial,
-+ int sign_extension_bug)
- {
- __CONST char *ptr = key;
- int i, j;
-@@ -565,7 +575,10 @@ static void BF_set_key(__CONST char *key
- tmp = 0;
- for (j = 0; j < 4; j++) {
- tmp <<= 8;
-- tmp |= *ptr;
-+ if (sign_extension_bug)
-+ tmp |= (BF_word_signed)(signed char)*ptr;
-+ else
-+ tmp |= (unsigned char)*ptr;
-
- if (!*ptr) ptr = key; else ptr++;
- }
-@@ -575,8 +588,9 @@ static void BF_set_key(__CONST char *key
- }
- }
-
--char *php_crypt_blowfish_rn(__CONST char *key, __CONST char *setting,
-- char *output, int size)
-+static char *BF_crypt(__CONST char *key, __CONST char *setting,
-+ char *output, int size,
-+ BF_word min)
- {
- #if BF_ASM
- extern void _BF_body_r(BF_ctx *ctx);
-@@ -602,7 +616,7 @@ char *php_crypt_blowfish_rn(__CONST char
-
- if (setting[0] != '$' ||
- setting[1] != '2' ||
-- setting[2] != 'a' ||
-+ (setting[2] != 'a' && setting[2] != 'x') ||
- setting[3] != '$' ||
- setting[4] < '0' || setting[4] > '3' ||
- setting[5] < '0' || setting[5] > '9' ||
-@@ -613,7 +627,7 @@ char *php_crypt_blowfish_rn(__CONST char
- }
-
- count = (BF_word)1 << ((setting[4] - '0') * 10 + (setting[5] - '0'));
-- if (count < 16 || BF_decode(data.binary.salt, &setting[7], 16)) {
-+ if (count < min || BF_decode(data.binary.salt, &setting[7], 16)) {
- clean(data.binary.salt, sizeof(data.binary.salt));
- __set_errno(EINVAL);
- return NULL;
-@@ -621,7 +635,7 @@ char *php_crypt_blowfish_rn(__CONST char
-
- BF_swap(data.binary.salt, 4);
-
-- BF_set_key(key, data.expanded_key, data.ctx.P);
-+ BF_set_key(key, data.expanded_key, data.ctx.P, setting[2] == 'x');
-
- memcpy(data.ctx.S, BF_init_state.S, sizeof(data.ctx.S));
-
-@@ -721,14 +735,59 @@ char *php_crypt_blowfish_rn(__CONST char
- BF_encode(&output[7 + 22], data.binary.output, 23);
- output[7 + 22 + 31] = '\0';
-
-+#ifndef BF_SELF_TEST
- /* Overwrite the most obvious sensitive data we have on the stack. Note
- * that this does not guarantee there's no sensitive data left on the
- * stack and/or in registers; I'm not aware of portable code that does. */
- clean(&data, sizeof(data));
-+#endif
-
- return output;
- }
-
-+char *php_crypt_blowfish_rn(__CONST char *key, __CONST char *setting,
-+ char *output, int size)
-+{
-+#ifdef BF_SELF_TEST
-+ __CONST char *test_key = "8b \xd0\xc1\xd2\xcf\xcc\xd8";
-+ __CONST char *test_2a =
-+ "$2a$00$abcdefghijklmnopqrstuui1D709vfamulimlGcq0qq3UvuUasvEa"
-+ "\0"
-+ "canary";
-+ __CONST char *test_2x =
-+ "$2x$00$abcdefghijklmnopqrstuuVUrPmXD6q/nVSSp7pNDhCR9071IfIRe"
-+ "\0"
-+ "canary";
-+ __CONST char *test_hash, *p;
-+ int ok;
-+ char buf[7 + 22 + 31 + 1 + 6 + 1];
-+
-+ output = BF_crypt(key, setting, output, size, 16);
-+
-+/* Do a quick self-test. This also happens to overwrite BF_crypt()'s data. */
-+ test_hash = (setting[2] == 'x') ? test_2x : test_2a;
-+ memcpy(buf, test_hash, sizeof(buf));
-+ memset(buf, -1, sizeof(buf) - (6 + 1)); /* keep "canary" only */
-+ p = BF_crypt(test_key, test_hash, buf, sizeof(buf) - 6, 1);
-+
-+ ok = (p == buf && !memcmp(p, test_hash, sizeof(buf)));
-+
-+/* This could reveal what hash type we were using last. Unfortunately, we
-+ * can't reliably clean the test_hash pointer. */
-+ clean(&buf, sizeof(buf));
-+
-+ if (ok)
-+ return output;
-+
-+/* Should not happen */
-+ __set_errno(EINVAL); /* pretend we don't support this hash type */
-+ return NULL;
-+#else
-+#warning Self-test is disabled, please enable
-+ return BF_crypt(key, setting, output, size, 16);
-+#endif
-+}
-+
- char *php_crypt_gensalt_blowfish_rn(unsigned long count,
- __CONST char *input, int size, char *output, int output_size)
- {
diff --git a/lang/php53/patches/patch-ext_standard_string.c b/lang/php53/patches/patch-ext_standard_string.c
deleted file mode 100644
index 369d95e9058..00000000000
--- a/lang/php53/patches/patch-ext_standard_string.c
+++ /dev/null
@@ -1,163 +0,0 @@
-$NetBSD: patch-ext_standard_string.c,v 1.1 2011/05/16 13:08:45 taca Exp $
-
-* Update to r310401 of PHP's repository, including fix for CVE-2011-1148.
-
---- ext/standard/string.c.orig 2011-01-01 02:19:59.000000000 +0000
-+++ ext/standard/string.c
-@@ -2352,20 +2352,35 @@ PHP_FUNCTION(substr_replace)
-
- zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(str), &pos_str);
- while (zend_hash_get_current_data_ex(Z_ARRVAL_PP(str), (void **) &tmp_str, &pos_str) == SUCCESS) {
-- convert_to_string_ex(tmp_str);
-+ zval *orig_str;
-+ zval dummy;
-+ if(Z_TYPE_PP(tmp_str) != IS_STRING) {
-+ dummy = **tmp_str;
-+ orig_str = &dummy;
-+ zval_copy_ctor(orig_str);
-+ convert_to_string(orig_str);
-+ } else {
-+ orig_str = *tmp_str;
-+ }
-
- if (Z_TYPE_PP(from) == IS_ARRAY) {
- if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(from), (void **) &tmp_from, &pos_from)) {
-- convert_to_long_ex(tmp_from);
-+ if(Z_TYPE_PP(tmp_from) != IS_LONG) {
-+ zval dummy = **tmp_from;
-+ zval_copy_ctor(&dummy);
-+ convert_to_long(&dummy);
-+ f = Z_LVAL(dummy);
-+ } else {
-+ f = Z_LVAL_PP(tmp_from);
-+ }
-
-- f = Z_LVAL_PP(tmp_from);
- if (f < 0) {
-- f = Z_STRLEN_PP(tmp_str) + f;
-+ f = Z_STRLEN_P(orig_str) + f;
- if (f < 0) {
- f = 0;
- }
-- } else if (f > Z_STRLEN_PP(tmp_str)) {
-- f = Z_STRLEN_PP(tmp_str);
-+ } else if (f > Z_STRLEN_P(orig_str)) {
-+ f = Z_STRLEN_P(orig_str);
- }
- zend_hash_move_forward_ex(Z_ARRVAL_PP(from), &pos_from);
- } else {
-@@ -2374,72 +2389,92 @@ PHP_FUNCTION(substr_replace)
- } else {
- f = Z_LVAL_PP(from);
- if (f < 0) {
-- f = Z_STRLEN_PP(tmp_str) + f;
-+ f = Z_STRLEN_P(orig_str) + f;
- if (f < 0) {
- f = 0;
- }
-- } else if (f > Z_STRLEN_PP(tmp_str)) {
-- f = Z_STRLEN_PP(tmp_str);
-+ } else if (f > Z_STRLEN_P(orig_str)) {
-+ f = Z_STRLEN_P(orig_str);
- }
- }
-
- if (argc > 3 && Z_TYPE_PP(len) == IS_ARRAY) {
- if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(len), (void **) &tmp_len, &pos_len)) {
-- convert_to_long_ex(tmp_len);
--
-- l = Z_LVAL_PP(tmp_len);
-+ if(Z_TYPE_PP(tmp_len) != IS_LONG) {
-+ zval dummy = **tmp_len;
-+ zval_copy_ctor(&dummy);
-+ convert_to_long(&dummy);
-+ l = Z_LVAL(dummy);
-+ } else {
-+ l = Z_LVAL_PP(tmp_len);
-+ }
- zend_hash_move_forward_ex(Z_ARRVAL_PP(len), &pos_len);
- } else {
-- l = Z_STRLEN_PP(tmp_str);
-+ l = Z_STRLEN_P(orig_str);
- }
- } else if (argc > 3) {
- l = Z_LVAL_PP(len);
- } else {
-- l = Z_STRLEN_PP(tmp_str);
-+ l = Z_STRLEN_P(orig_str);
- }
-
- if (l < 0) {
-- l = (Z_STRLEN_PP(tmp_str) - f) + l;
-+ l = (Z_STRLEN_P(orig_str) - f) + l;
- if (l < 0) {
- l = 0;
- }
- }
-
-- if ((f + l) > Z_STRLEN_PP(tmp_str)) {
-- l = Z_STRLEN_PP(tmp_str) - f;
-+ if ((f + l) > Z_STRLEN_P(orig_str)) {
-+ l = Z_STRLEN_P(orig_str) - f;
- }
-
-- result_len = Z_STRLEN_PP(tmp_str) - l;
-+ result_len = Z_STRLEN_P(orig_str) - l;
-
- if (Z_TYPE_PP(repl) == IS_ARRAY) {
- if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(repl), (void **) &tmp_repl, &pos_repl)) {
-- convert_to_string_ex(tmp_repl);
-- result_len += Z_STRLEN_PP(tmp_repl);
-+ zval *repl_str;
-+ zval zrepl;
-+ if(Z_TYPE_PP(tmp_repl) != IS_STRING) {
-+ zrepl = **tmp_repl;
-+ repl_str = &zrepl;
-+ zval_copy_ctor(repl_str);
-+ convert_to_string(repl_str);
-+ } else {
-+ repl_str = *tmp_repl;
-+ }
-+
-+ result_len += Z_STRLEN_P(repl_str);
- zend_hash_move_forward_ex(Z_ARRVAL_PP(repl), &pos_repl);
- result = emalloc(result_len + 1);
-
-- memcpy(result, Z_STRVAL_PP(tmp_str), f);
-- memcpy((result + f), Z_STRVAL_PP(tmp_repl), Z_STRLEN_PP(tmp_repl));
-- memcpy((result + f + Z_STRLEN_PP(tmp_repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
-+ memcpy(result, Z_STRVAL_P(orig_str), f);
-+ memcpy((result + f), Z_STRVAL_P(repl_str), Z_STRLEN_P(repl_str));
-+ memcpy((result + f + Z_STRLEN_P(repl_str)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
-+ if(Z_TYPE_PP(tmp_repl) != IS_STRING) {
-+ zval_dtor(repl_str);
-+ }
- } else {
- result = emalloc(result_len + 1);
-
-- memcpy(result, Z_STRVAL_PP(tmp_str), f);
-- memcpy((result + f), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
-+ memcpy(result, Z_STRVAL_P(orig_str), f);
-+ memcpy((result + f), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
- }
- } else {
- result_len += Z_STRLEN_PP(repl);
-
- result = emalloc(result_len + 1);
-
-- memcpy(result, Z_STRVAL_PP(tmp_str), f);
-+ memcpy(result, Z_STRVAL_P(orig_str), f);
- memcpy((result + f), Z_STRVAL_PP(repl), Z_STRLEN_PP(repl));
-- memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
-+ memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
- }
-
- result[result_len] = '\0';
- add_next_index_stringl(return_value, result, result_len, 0);
--
-+ if(Z_TYPE_PP(tmp_str) != IS_STRING) {
-+ zval_dtor(orig_str);
-+ }
- zend_hash_move_forward_ex(Z_ARRVAL_PP(str), &pos_str);
- } /*while*/
- } /* if */
diff --git a/lang/php53/patches/patch-main_rfc1867.c b/lang/php53/patches/patch-main_rfc1867.c
deleted file mode 100644
index 4d0e54edc84..00000000000
--- a/lang/php53/patches/patch-main_rfc1867.c
+++ /dev/null
@@ -1,24 +0,0 @@
-$NetBSD: patch-main_rfc1867.c,v 1.1 2011/06/15 14:42:03 taca Exp $
-
-* Update of r312103 of PHP's repository, fix filename-injection vulnerability.
-
---- main/rfc1867.c.orig 2011-01-19 13:09:05.000000000 +0000
-+++ main/rfc1867.c
-@@ -1223,7 +1223,7 @@ filedone:
- #endif
-
- if (!is_anonymous) {
-- if (s && s > filename) {
-+ if (s && s >= filename) {
- safe_php_register_variable(lbuf, s+1, strlen(s+1), NULL, 0 TSRMLS_CC);
- } else {
- safe_php_register_variable(lbuf, filename, strlen(filename), NULL, 0 TSRMLS_CC);
-@@ -1236,7 +1236,7 @@ filedone:
- } else {
- snprintf(lbuf, llen, "%s[name]", param);
- }
-- if (s && s > filename) {
-+ if (s && s >= filename) {
- register_http_post_files_variable(lbuf, s+1, http_post_files, 0 TSRMLS_CC);
- } else {
- register_http_post_files_variable(lbuf, filename, http_post_files, 0 TSRMLS_CC); |