authortaca <taca@pkgsrc.org>2011-08-20 13:55:09 +0000
committertaca <taca@pkgsrc.org>2011-08-20 13:55:09 +0000
commit833643857cba0ce35b998c8e5437fb908a41d405 (patch)
tree62831adafdbf1ee6224ebced780efe54e4f3238f /lang
parentafc53ae4d237875274752e771046da0e59e300e1 (diff)
downloadpkgsrc-833643857cba0ce35b998c8e5437fb908a41d405.tar.gz
Update php53 package to 5.3.7.
PHP 5.3.7 Released! [18-Aug-2011] The PHP development team would like to announce the immediate availability of PHP 5.3.7. This release focuses on improving the stability of the PHP 5.3.x branch with over 90 bug fixes, some of which are security related. Security Enhancements and Fixes in PHP 5.3.7: * Updated crypt_blowfish to 1.2. (CVE-2011-2483) * Fixed crash in error_log(). Reported by Mateusz Kocielski * Fixed buffer overflow on overlong salt in crypt(). * Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload filename). Reported by Krzysztof Kotowicz. (CVE-2011-2202) * Fixed stack buffer overflow in socket_connect(). (CVE-2011-1938) * Fixed bug #54238 (use-after-free in substr_replace()). (CVE-2011-1148) Key enhancements in PHP 5.3.7 include: * Upgraded bundled Sqlite3 to version 3.7.7.1 * Upgraded bundled PCRE to version 8.12 * Fixed bug #54910 (Crash when calling call_user_func with unknown function name) * Fixed bug #54585 (track_errors causes segfault) * Fixed bug #54262 (Crash when assigning value to a dimension in a non-array) * Fixed a crash inside dtor for error handling * Fixed bug #55339 (Segfault with allow_call_time_pass_reference = Off) * Fixed bug #54935 php_win_err can lead to crash * Fixed bug #54332 (Crash in zend_mm_check_ptr // Heap corruption) * Fixed bug #54305 (Crash in gc_remove_zval_from_buffer) * Fixed bug #54580 (get_browser() segmentation fault when browscap ini directive is set through php_admin_value) * Fixed bug #54529 (SAPI crashes on apache_config.c:197) * Fixed bug #54283 (new DatePeriod(NULL) causes crash).
* Fixed bug #54269 (Short exception message buffer causes crash) * Fixed Bug #54221 (mysqli::get_warnings segfault when used in multi queries) * Fixed bug #54395 (Phar::mount() crashes when calling with wrong parameters) * Fixed bug #54384 (Dual iterators, GlobIterator, SplFileObject and SplTempFileObject crash when user-space classes don't call the parent constructor) * Fixed bug #54292 (Wrong parameter causes crash in SplFileObject::__construct()) * Fixed bug #54291 (Crash iterating DirectoryIterator for dir name starting with \0) * Fixed bug #54281 (Crash in non-initialized RecursiveIteratorIterator) * Fixed bug #54623 (Segfault when writing to a persistent socket after closing a copy of the socket) * Fixed bug #54681 (addGlob() crashes on invalid flags) * Over 80 other bug fixes.
Diffstat (limited to 'lang')
-rw-r--r--lang/php53/Makefile3
-rw-r--r--lang/php53/Makefile.common4
-rw-r--r--lang/php53/PLIST3
-rw-r--r--lang/php53/distinfo14
-rw-r--r--lang/php53/patches/patch-ac22
-rw-r--r--lang/php53/patches/patch-ext_sockets_sockets.c18
-rw-r--r--lang/php53/patches/patch-ext_standard_crypt__blowfish.c160
-rw-r--r--lang/php53/patches/patch-ext_standard_string.c163
-rw-r--r--lang/php53/patches/patch-main_rfc1867.c24
9 files changed, 14 insertions, 397 deletions
diff --git a/lang/php53/Makefile b/lang/php53/Makefile
index ea602b488dd..a092c38bbef 100644
--- a/lang/php53/Makefile
+++ b/lang/php53/Makefile
@@ -1,10 +1,9 @@
-# $NetBSD: Makefile,v 1.14 2011/07/08 10:20:10 adam Exp $
+# $NetBSD: Makefile,v 1.15 2011/08/20 13:55:09 taca Exp $
#
# We can't omit PKGNAME here to handle PKG_OPTIONS.
#
PKGNAME= php-${PHP_BASE_VERS}
-PKGREVISION= 4
CATEGORIES= lang
HOMEPAGE= http://www.php.net/
diff --git a/lang/php53/Makefile.common b/lang/php53/Makefile.common
index 25e708d7be7..71a3289c4be 100644
--- a/lang/php53/Makefile.common
+++ b/lang/php53/Makefile.common
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.common,v 1.6 2011/07/08 10:20:10 adam Exp $
+# $NetBSD: Makefile.common,v 1.7 2011/08/20 13:55:09 taca Exp $
# used by lang/php53/Makefile.php
# used by lang/php/ext.mk
# used by meta-pkgs/php53-extensions/Makefile
@@ -39,7 +39,7 @@ EXTRACT_SUFX?= .tar.bz2
MAINTAINER?= pkgsrc-users@NetBSD.org
HOMEPAGE?= http://www.php.net/
-PHP_BASE_VERS= 5.3.6
+PHP_BASE_VERS= 5.3.7
PHP_EXTENSION_DIR= lib/php/20090630
PLIST_SUBST+= PHP_EXTENSION_DIR=${PHP_EXTENSION_DIR}
diff --git a/lang/php53/PLIST b/lang/php53/PLIST
index bfc6e2eab7f..dd133925901 100644
--- a/lang/php53/PLIST
+++ b/lang/php53/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.1.1.1 2010/03/16 15:31:58 taca Exp $
+@comment $NetBSD: PLIST,v 1.2 2011/08/20 13:55:09 taca Exp $
bin/phar
bin/phar.phar
bin/php
@@ -118,6 +118,7 @@ include/php/ext/standard/crc32.h
include/php/ext/standard/credits.h
include/php/ext/standard/credits_ext.h
include/php/ext/standard/credits_sapi.h
+include/php/ext/standard/crypt_blowfish.h
include/php/ext/standard/crypt_freesec.h
include/php/ext/standard/css.h
include/php/ext/standard/cyr_convert.h
diff --git a/lang/php53/distinfo b/lang/php53/distinfo
index 632a1e0f245..7d8a7b79c43 100644
--- a/lang/php53/distinfo
+++ b/lang/php53/distinfo
@@ -1,11 +1,11 @@
-$NetBSD: distinfo,v 1.17 2011/06/22 09:54:35 taca Exp $
+$NetBSD: distinfo,v 1.18 2011/08/20 13:55:09 taca Exp $
-SHA1 (php-5.3.6/php-5.3.6.tar.bz2) = 0e0b9b4d9117f22080e2204afa9383469eb0dbbd
-RMD160 (php-5.3.6/php-5.3.6.tar.bz2) = 619bf96cf24bf6aa0988494186f8914fde94d44d
-Size (php-5.3.6/php-5.3.6.tar.bz2) = 10952171 bytes
+SHA1 (php-5.3.7/php-5.3.7.tar.bz2) = 811e84b75d41ad997c075e3ebc8470f5c26d03ea
+RMD160 (php-5.3.7/php-5.3.7.tar.bz2) = d14c52036f35d79193783b590c0cf131e1cd00c0
+Size (php-5.3.7/php-5.3.7.tar.bz2) = 11144328 bytes
SHA1 (patch-aa) = b0dc6cd0b2103d5858280202506b33322a98496e
SHA1 (patch-ab) = d08bb50cf074a6065ef0d1d67a713b7573cb2f5b
-SHA1 (patch-ac) = 07a3d6c9ee4c316033afd8c7db71eb21045a3afd
+SHA1 (patch-ac) = 1720f154232241c19d0c6e08a824e33252f1b690
SHA1 (patch-ad) = 1608c58860a43b4e31df8646b5ded253ec9aa881
SHA1 (patch-ae) = e590db60a60f4e5ef2da4e5edb786335a67a3d56
SHA1 (patch-af) = 1618b23fd6d090ce5aa929208416028724278bfc
@@ -14,7 +14,3 @@ SHA1 (patch-ah) = b20c29c64b3099f77855a5ec28960dc1c4f65c83
SHA1 (patch-ai) = d4766893a2c47a4e4a744248dda265b0a9a66a1f
SHA1 (patch-aj) = d611d13fcc28c5d2b9e9586832ce4b8ae5707b48
SHA1 (patch-al) = fbbee5502e0cd1c47c6e7c15e0d54746414ec32e
-SHA1 (patch-ext_sockets_sockets.c) = 99137af0e3307f1b379e4a4012ebd56978a88a15
-SHA1 (patch-ext_standard_crypt__blowfish.c) = aa1788e5e89bb51a6f9271bb3859386c99859c8c
-SHA1 (patch-ext_standard_string.c) = fe16ffedd894a6d580f3c998b9f571f403f4a764
-SHA1 (patch-main_rfc1867.c) = 2f7efd3ebc6eadb377ce308d5d8293bda07bbc42
diff --git a/lang/php53/patches/patch-ac b/lang/php53/patches/patch-ac
index 70d74f440fd..0c05512463e 100644
--- a/lang/php53/patches/patch-ac
+++ b/lang/php53/patches/patch-ac
@@ -1,6 +1,6 @@
-$NetBSD: patch-ac,v 1.3 2011/01/13 13:52:53 wiz Exp $
+$NetBSD: patch-ac,v 1.4 2011/08/20 13:55:09 taca Exp $
---- ext/gd/config.m4.orig 2009-05-27 08:18:24.000000000 +0000
+--- ext/gd/config.m4.orig 2011-05-12 08:19:37.000000000 +0000
+++ ext/gd/config.m4
@@ -45,18 +45,7 @@ dnl Checks for the configure options
dnl
@@ -30,22 +30,8 @@ $NetBSD: patch-ac,v 1.3 2011/01/13 13:52:53 wiz Exp $
])
AC_DEFUN([PHP_GD_JPEG],[
-@@ -97,11 +85,11 @@ AC_DEFUN([PHP_GD_PNG],[
- if test "$PHP_PNG_DIR" != "no"; then
-
- for i in $PHP_PNG_DIR /usr/local /usr; do
-- test -f $i/$PHP_LIBDIR/libpng.$SHLIB_SUFFIX_NAME || test -f $i/$PHP_LIBDIR/libpng.a && GD_PNG_DIR=$i && break
-+ test -f $i/$PHP_LIBDIR/libpng15.$SHLIB_SUFFIX_NAME || test -f $i/$PHP_LIBDIR/libpng15.a && GD_PNG_DIR=$i && break
- done
-
- if test -z "$GD_PNG_DIR"; then
-- AC_MSG_ERROR([libpng.(a|so) not found.])
-+ AC_MSG_ERROR([libpng15.(a|so) not found.])
- fi
-
- if test "$PHP_ZLIB_DIR" = "no"; then
-@@ -112,13 +100,13 @@ AC_DEFUN([PHP_GD_PNG],[
- AC_MSG_ERROR([png.h not found.])
+@@ -108,13 +96,13 @@ AC_DEFUN([PHP_GD_PNG],[
+ AC_MSG_ERROR([PNG support requires ZLIB. Use --with-zlib-dir=<DIR>])
fi
- PHP_CHECK_LIBRARY(png,png_write_image,
diff --git a/lang/php53/patches/patch-ext_sockets_sockets.c b/lang/php53/patches/patch-ext_sockets_sockets.c
deleted file mode 100644
index 5df4f25324a..00000000000
--- a/lang/php53/patches/patch-ext_sockets_sockets.c
+++ /dev/null
@@ -1,18 +0,0 @@
-$NetBSD: patch-ext_sockets_sockets.c,v 1.1 2011/06/15 14:42:03 taca Exp $
-
-* Update of r311369 of PHP's repository, fix for CVE-2011-1938.
-
---- ext/sockets/sockets.c.orig 2011-01-01 02:19:59.000000000 +0000
-+++ ext/sockets/sockets.c
-@@ -1333,6 +1333,11 @@ PHP_FUNCTION(socket_connect)
- break;
-
- case AF_UNIX:
-+ if (addr_len >= sizeof(s_un.sun_path)) {
-+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long", php_sock->type);
-+ RETURN_FALSE;
-+ }
-+
- memset(&s_un, 0, sizeof(struct sockaddr_un));
-
- s_un.sun_family = AF_UNIX;
diff --git a/lang/php53/patches/patch-ext_standard_crypt__blowfish.c b/lang/php53/patches/patch-ext_standard_crypt__blowfish.c
deleted file mode 100644
index f8ea74092ea..00000000000
--- a/lang/php53/patches/patch-ext_standard_crypt__blowfish.c
+++ /dev/null
@@ -1,160 +0,0 @@
-$NetBSD: patch-ext_standard_crypt__blowfish.c,v 1.2 2011/06/22 09:54:35 taca Exp $
-
-- Fix potential security problem by char signedness processing:
- http://www.openwall.com/lists/oss-security/2011/06/20/2
-
- Dereived from revision 1.11 change of http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/glibc/crypt_blowfish/crypt_blowfish.c.
-
---- ext/standard/crypt_blowfish.c.orig 2010-02-21 23:47:14.000000000 +0000
-+++ ext/standard/crypt_blowfish.c
-@@ -7,6 +7,7 @@
- * cracking removed.
- *
- * Written by Solar Designer <solar at openwall.com> in 1998-2002 and
-+ * placed in the public domain. Quick self-test added in 2011 and also
- * placed in the public domain.
- *
- * There's absolutely no warranty.
-@@ -51,6 +52,13 @@
- #define __CONST __const
- #endif
-
-+/*
-+ * Please keep this enabled. We really don't want incompatible hashes to be
-+ * produced. The performance cost of this quick self-test is around 0.6% at
-+ * the "$2a$08" setting.
-+ */
-+#define BF_SELF_TEST
-+
- #ifdef __i386__
- #define BF_ASM 0
- #define BF_SCALE 1
-@@ -63,6 +71,7 @@
- #endif
-
- typedef unsigned int BF_word;
-+typedef signed int BF_word_signed;
-
- /* Number of Blowfish rounds, this is also hardcoded into a few places */
- #define BF_N 16
-@@ -555,7 +564,8 @@ static void BF_swap(BF_word *x, int coun
- } while (ptr < &data.ctx.S[3][0xFF]);
- #endif
-
--static void BF_set_key(__CONST char *key, BF_key expanded, BF_key initial)
-+static void BF_set_key(__CONST char *key, BF_key expanded, BF_key initial,
-+ int sign_extension_bug)
- {
- __CONST char *ptr = key;
- int i, j;
-@@ -565,7 +575,10 @@ static void BF_set_key(__CONST char *key
- tmp = 0;
- for (j = 0; j < 4; j++) {
- tmp <<= 8;
-- tmp |= *ptr;
-+ if (sign_extension_bug)
-+ tmp |= (BF_word_signed)(signed char)*ptr;
-+ else
-+ tmp |= (unsigned char)*ptr;
-
- if (!*ptr) ptr = key; else ptr++;
- }
-@@ -575,8 +588,9 @@ static void BF_set_key(__CONST char *key
- }
- }
-
--char *php_crypt_blowfish_rn(__CONST char *key, __CONST char *setting,
-- char *output, int size)
-+static char *BF_crypt(__CONST char *key, __CONST char *setting,
-+ char *output, int size,
-+ BF_word min)
- {
- #if BF_ASM
- extern void _BF_body_r(BF_ctx *ctx);
-@@ -602,7 +616,7 @@ char *php_crypt_blowfish_rn(__CONST char
-
- if (setting[0] != '$' ||
- setting[1] != '2' ||
-- setting[2] != 'a' ||
-+ (setting[2] != 'a' && setting[2] != 'x') ||
- setting[3] != '$' ||
- setting[4] < '0' || setting[4] > '3' ||
- setting[5] < '0' || setting[5] > '9' ||
-@@ -613,7 +627,7 @@ char *php_crypt_blowfish_rn(__CONST char
- }
-
- count = (BF_word)1 << ((setting[4] - '0') * 10 + (setting[5] - '0'));
-- if (count < 16 || BF_decode(data.binary.salt, &setting[7], 16)) {
-+ if (count < min || BF_decode(data.binary.salt, &setting[7], 16)) {
- clean(data.binary.salt, sizeof(data.binary.salt));
- __set_errno(EINVAL);
- return NULL;
-@@ -621,7 +635,7 @@ char *php_crypt_blowfish_rn(__CONST char
-
- BF_swap(data.binary.salt, 4);
-
-- BF_set_key(key, data.expanded_key, data.ctx.P);
-+ BF_set_key(key, data.expanded_key, data.ctx.P, setting[2] == 'x');
-
- memcpy(data.ctx.S, BF_init_state.S, sizeof(data.ctx.S));
-
-@@ -721,14 +735,59 @@ char *php_crypt_blowfish_rn(__CONST char
- BF_encode(&output[7 + 22], data.binary.output, 23);
- output[7 + 22 + 31] = '\0';
-
-+#ifndef BF_SELF_TEST
- /* Overwrite the most obvious sensitive data we have on the stack. Note
- * that this does not guarantee there's no sensitive data left on the
- * stack and/or in registers; I'm not aware of portable code that does. */
- clean(&data, sizeof(data));
-+#endif
-
- return output;
- }
-
-+char *php_crypt_blowfish_rn(__CONST char *key, __CONST char *setting,
-+ char *output, int size)
-+{
-+#ifdef BF_SELF_TEST
-+ __CONST char *test_key = "8b \xd0\xc1\xd2\xcf\xcc\xd8";
-+ __CONST char *test_2a =
-+ "$2a$00$abcdefghijklmnopqrstuui1D709vfamulimlGcq0qq3UvuUasvEa"
-+ "\0"
-+ "canary";
-+ __CONST char *test_2x =
-+ "$2x$00$abcdefghijklmnopqrstuuVUrPmXD6q/nVSSp7pNDhCR9071IfIRe"
-+ "\0"
-+ "canary";
-+ __CONST char *test_hash, *p;
-+ int ok;
-+ char buf[7 + 22 + 31 + 1 + 6 + 1];
-+
-+ output = BF_crypt(key, setting, output, size, 16);
-+
-+/* Do a quick self-test. This also happens to overwrite BF_crypt()'s data. */
-+ test_hash = (setting[2] == 'x') ? test_2x : test_2a;
-+ memcpy(buf, test_hash, sizeof(buf));
-+ memset(buf, -1, sizeof(buf) - (6 + 1)); /* keep "canary" only */
-+ p = BF_crypt(test_key, test_hash, buf, sizeof(buf) - 6, 1);
-+
-+ ok = (p == buf && !memcmp(p, test_hash, sizeof(buf)));
-+
-+/* This could reveal what hash type we were using last. Unfortunately, we
-+ * can't reliably clean the test_hash pointer. */
-+ clean(&buf, sizeof(buf));
-+
-+ if (ok)
-+ return output;
-+
-+/* Should not happen */
-+ __set_errno(EINVAL); /* pretend we don't support this hash type */
-+ return NULL;
-+#else
-+#warning Self-test is disabled, please enable
-+ return BF_crypt(key, setting, output, size, 16);
-+#endif
-+}
-+
- char *php_crypt_gensalt_blowfish_rn(unsigned long count,
- __CONST char *input, int size, char *output, int output_size)
- {
diff --git a/lang/php53/patches/patch-ext_standard_string.c b/lang/php53/patches/patch-ext_standard_string.c
deleted file mode 100644
index 369d95e9058..00000000000
--- a/lang/php53/patches/patch-ext_standard_string.c
+++ /dev/null
@@ -1,163 +0,0 @@
-$NetBSD: patch-ext_standard_string.c,v 1.1 2011/05/16 13:08:45 taca Exp $
-
-* Update to r310401 of PHP's repository, including fix for CVE-2011-1148.
-
---- ext/standard/string.c.orig 2011-01-01 02:19:59.000000000 +0000
-+++ ext/standard/string.c
-@@ -2352,20 +2352,35 @@ PHP_FUNCTION(substr_replace)
-
- zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(str), &pos_str);
- while (zend_hash_get_current_data_ex(Z_ARRVAL_PP(str), (void **) &tmp_str, &pos_str) == SUCCESS) {
-- convert_to_string_ex(tmp_str);
-+ zval *orig_str;
-+ zval dummy;
-+ if(Z_TYPE_PP(tmp_str) != IS_STRING) {
-+ dummy = **tmp_str;
-+ orig_str = &dummy;
-+ zval_copy_ctor(orig_str);
-+ convert_to_string(orig_str);
-+ } else {
-+ orig_str = *tmp_str;
-+ }
-
- if (Z_TYPE_PP(from) == IS_ARRAY) {
- if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(from), (void **) &tmp_from, &pos_from)) {
-- convert_to_long_ex(tmp_from);
-+ if(Z_TYPE_PP(tmp_from) != IS_LONG) {
-+ zval dummy = **tmp_from;
-+ zval_copy_ctor(&dummy);
-+ convert_to_long(&dummy);
-+ f = Z_LVAL(dummy);
-+ } else {
-+ f = Z_LVAL_PP(tmp_from);
-+ }
-
-- f = Z_LVAL_PP(tmp_from);
- if (f < 0) {
-- f = Z_STRLEN_PP(tmp_str) + f;
-+ f = Z_STRLEN_P(orig_str) + f;
- if (f < 0) {
- f = 0;
- }
-- } else if (f > Z_STRLEN_PP(tmp_str)) {
-- f = Z_STRLEN_PP(tmp_str);
-+ } else if (f > Z_STRLEN_P(orig_str)) {
-+ f = Z_STRLEN_P(orig_str);
- }
- zend_hash_move_forward_ex(Z_ARRVAL_PP(from), &pos_from);
- } else {
-@@ -2374,72 +2389,92 @@ PHP_FUNCTION(substr_replace)
- } else {
- f = Z_LVAL_PP(from);
- if (f < 0) {
-- f = Z_STRLEN_PP(tmp_str) + f;
-+ f = Z_STRLEN_P(orig_str) + f;
- if (f < 0) {
- f = 0;
- }
-- } else if (f > Z_STRLEN_PP(tmp_str)) {
-- f = Z_STRLEN_PP(tmp_str);
-+ } else if (f > Z_STRLEN_P(orig_str)) {
-+ f = Z_STRLEN_P(orig_str);
- }
- }
-
- if (argc > 3 && Z_TYPE_PP(len) == IS_ARRAY) {
- if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(len), (void **) &tmp_len, &pos_len)) {
-- convert_to_long_ex(tmp_len);
--
-- l = Z_LVAL_PP(tmp_len);
-+ if(Z_TYPE_PP(tmp_len) != IS_LONG) {
-+ zval dummy = **tmp_len;
-+ zval_copy_ctor(&dummy);
-+ convert_to_long(&dummy);
-+ l = Z_LVAL(dummy);
-+ } else {
-+ l = Z_LVAL_PP(tmp_len);
-+ }
- zend_hash_move_forward_ex(Z_ARRVAL_PP(len), &pos_len);
- } else {
-- l = Z_STRLEN_PP(tmp_str);
-+ l = Z_STRLEN_P(orig_str);
- }
- } else if (argc > 3) {
- l = Z_LVAL_PP(len);
- } else {
-- l = Z_STRLEN_PP(tmp_str);
-+ l = Z_STRLEN_P(orig_str);
- }
-
- if (l < 0) {
-- l = (Z_STRLEN_PP(tmp_str) - f) + l;
-+ l = (Z_STRLEN_P(orig_str) - f) + l;
- if (l < 0) {
- l = 0;
- }
- }
-
-- if ((f + l) > Z_STRLEN_PP(tmp_str)) {
-- l = Z_STRLEN_PP(tmp_str) - f;
-+ if ((f + l) > Z_STRLEN_P(orig_str)) {
-+ l = Z_STRLEN_P(orig_str) - f;
- }
-
-- result_len = Z_STRLEN_PP(tmp_str) - l;
-+ result_len = Z_STRLEN_P(orig_str) - l;
-
- if (Z_TYPE_PP(repl) == IS_ARRAY) {
- if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(repl), (void **) &tmp_repl, &pos_repl)) {
-- convert_to_string_ex(tmp_repl);
-- result_len += Z_STRLEN_PP(tmp_repl);
-+ zval *repl_str;
-+ zval zrepl;
-+ if(Z_TYPE_PP(tmp_repl) != IS_STRING) {
-+ zrepl = **tmp_repl;
-+ repl_str = &zrepl;
-+ zval_copy_ctor(repl_str);
-+ convert_to_string(repl_str);
-+ } else {
-+ repl_str = *tmp_repl;
-+ }
-+
-+ result_len += Z_STRLEN_P(repl_str);
- zend_hash_move_forward_ex(Z_ARRVAL_PP(repl), &pos_repl);
- result = emalloc(result_len + 1);
-
-- memcpy(result, Z_STRVAL_PP(tmp_str), f);
-- memcpy((result + f), Z_STRVAL_PP(tmp_repl), Z_STRLEN_PP(tmp_repl));
-- memcpy((result + f + Z_STRLEN_PP(tmp_repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
-+ memcpy(result, Z_STRVAL_P(orig_str), f);
-+ memcpy((result + f), Z_STRVAL_P(repl_str), Z_STRLEN_P(repl_str));
-+ memcpy((result + f + Z_STRLEN_P(repl_str)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
-+ if(Z_TYPE_PP(tmp_repl) != IS_STRING) {
-+ zval_dtor(repl_str);
-+ }
- } else {
- result = emalloc(result_len + 1);
-
-- memcpy(result, Z_STRVAL_PP(tmp_str), f);
-- memcpy((result + f), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
-+ memcpy(result, Z_STRVAL_P(orig_str), f);
-+ memcpy((result + f), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
- }
- } else {
- result_len += Z_STRLEN_PP(repl);
-
- result = emalloc(result_len + 1);
-
-- memcpy(result, Z_STRVAL_PP(tmp_str), f);
-+ memcpy(result, Z_STRVAL_P(orig_str), f);
- memcpy((result + f), Z_STRVAL_PP(repl), Z_STRLEN_PP(repl));
-- memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
-+ memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
- }
-
- result[result_len] = '\0';
- add_next_index_stringl(return_value, result, result_len, 0);
--
-+ if(Z_TYPE_PP(tmp_str) != IS_STRING) {
-+ zval_dtor(orig_str);
-+ }
- zend_hash_move_forward_ex(Z_ARRVAL_PP(str), &pos_str);
- } /*while*/
- } /* if */
diff --git a/lang/php53/patches/patch-main_rfc1867.c b/lang/php53/patches/patch-main_rfc1867.c
deleted file mode 100644
index 4d0e54edc84..00000000000
--- a/lang/php53/patches/patch-main_rfc1867.c
+++ /dev/null
@@ -1,24 +0,0 @@
-$NetBSD: patch-main_rfc1867.c,v 1.1 2011/06/15 14:42:03 taca Exp $
-
-* Update of r312103 of PHP's repository, fix filename-injection vulnerability.
-
---- main/rfc1867.c.orig 2011-01-19 13:09:05.000000000 +0000
-+++ main/rfc1867.c
-@@ -1223,7 +1223,7 @@ filedone:
- #endif
-
- if (!is_anonymous) {
-- if (s && s > filename) {
-+ if (s && s >= filename) {
- safe_php_register_variable(lbuf, s+1, strlen(s+1), NULL, 0 TSRMLS_CC);
- } else {
- safe_php_register_variable(lbuf, filename, strlen(filename), NULL, 0 TSRMLS_CC);
-@@ -1236,7 +1236,7 @@ filedone:
- } else {
- snprintf(lbuf, llen, "%s[name]", param);
- }
-- if (s && s > filename) {
-+ if (s && s >= filename) {
- register_http_post_files_variable(lbuf, s+1, http_post_files, 0 TSRMLS_CC);
- } else {
- register_http_post_files_variable(lbuf, filename, http_post_files, 0 TSRMLS_CC);