diff options
Diffstat (limited to 'lang/php5/patches')
-rw-r--r-- | lang/php5/patches/patch-ag | 14 | ||||
-rw-r--r-- | lang/php5/patches/patch-ah | 14 | ||||
-rw-r--r-- | lang/php5/patches/patch-ay | 17 | ||||
-rw-r--r-- | lang/php5/patches/patch-az | 373 | ||||
-rw-r--r-- | lang/php5/patches/patch-ba | 17 | ||||
-rw-r--r-- | lang/php5/patches/patch-bb | 19 | ||||
-rw-r--r-- | lang/php5/patches/patch-bc | 15 | ||||
-rw-r--r-- | lang/php5/patches/patch-bd | 46 |
8 files changed, 6 insertions, 509 deletions
diff --git a/lang/php5/patches/patch-ag b/lang/php5/patches/patch-ag index d24403b2091..b725e2edfcb 100644 --- a/lang/php5/patches/patch-ag +++ b/lang/php5/patches/patch-ag @@ -1,10 +1,8 @@ -$NetBSD: patch-ag,v 1.2.34.1 2009/11/30 23:10:20 tron Exp $ +$NetBSD: patch-ag,v 1.2.34.2 2009/12/23 19:09:51 spz Exp $ * Ajust for pkgsrc. -* Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017: - http://svn.php.net/viewvc?view=revision&revision=289990 ---- php.ini-dist.orig 2009-02-14 01:55:18.000000000 +0900 +--- php.ini-dist.orig 2009-11-05 13:29:34.000000000 +0000 +++ php.ini-dist @@ -471,7 +471,7 @@ default_mimetype = "text/html" ;;;;;;;;;;;;;;;;;;;;;;;;; @@ -27,7 +25,7 @@ $NetBSD: patch-ag,v 1.2.34.1 2009/11/30 23:10:20 tron Exp $ ; Whether or not to enable the dl() function. The dl() function does NOT work ; properly in multithreaded servers, such as IIS or Zeus, and is automatically -@@ -546,11 +547,13 @@ file_uploads = On +@@ -546,7 +547,7 @@ file_uploads = On ; Temporary directory for HTTP uploaded files (will use system default if not ; specified). @@ -36,9 +34,3 @@ $NetBSD: patch-ag,v 1.2.34.1 2009/11/30 23:10:20 tron Exp $ ; Maximum allowed size for uploaded files. upload_max_filesize = 2M - -+; Maximum number of files that can be uploaded via a single request -+max_file_uploads = 100 - - ;;;;;;;;;;;;;;;;;; - ; Fopen wrappers ; diff --git a/lang/php5/patches/patch-ah b/lang/php5/patches/patch-ah index 5d4f73c3cec..5ec67f41188 100644 --- a/lang/php5/patches/patch-ah +++ b/lang/php5/patches/patch-ah @@ -1,10 +1,8 @@ -$NetBSD: patch-ah,v 1.1.36.1 2009/11/30 23:10:20 tron Exp $ +$NetBSD: patch-ah,v 1.1.36.2 2009/12/23 19:09:51 spz Exp $ * Ajust for pkgsrc. -* Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017: - http://svn.php.net/viewvc?view=revision&revision=289990 ---- php.ini-recommended.orig 2009-03-02 13:44:35.000000000 +0900 +--- php.ini-recommended.orig 2009-11-05 13:29:34.000000000 +0000 +++ php.ini-recommended @@ -522,7 +522,7 @@ default_mimetype = "text/html" ;;;;;;;;;;;;;;;;;;;;;;;;; @@ -27,7 +25,7 @@ $NetBSD: patch-ah,v 1.1.36.1 2009/11/30 23:10:20 tron Exp $ ; Whether or not to enable the dl() function. The dl() function does NOT work ; properly in multithreaded servers, such as IIS or Zeus, and is automatically -@@ -597,11 +598,13 @@ file_uploads = On +@@ -597,7 +598,7 @@ file_uploads = On ; Temporary directory for HTTP uploaded files (will use system default if not ; specified). @@ -36,9 +34,3 @@ $NetBSD: patch-ah,v 1.1.36.1 2009/11/30 23:10:20 tron Exp $ ; Maximum allowed size for uploaded files. upload_max_filesize = 2M - -+; Maximum number of files that can be uploaded via a single request -+max_file_uploads = 100 - - ;;;;;;;;;;;;;;;;;; - ; Fopen wrappers ; diff --git a/lang/php5/patches/patch-ay b/lang/php5/patches/patch-ay deleted file mode 100644 index 2d6c27d875f..00000000000 --- a/lang/php5/patches/patch-ay +++ /dev/null @@ -1,17 +0,0 @@ -$NetBSD: patch-ay,v 1.1.2.3 2009/11/30 23:10:20 tron Exp $ - -* Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3546 - http://svn.php.net/viewvc?view=revision&revision=289557 - ---- ext/gd/libgd/gd_gd.c.orig 2007-08-09 23:21:38.000000000 +0900 -+++ ext/gd/libgd/gd_gd.c -@@ -39,6 +39,9 @@ int _gdGetColors (gdIOCtx * in, gdImageP - if (!gdGetWord(&im->colorsTotal, in)) { - goto fail1; - } -+ if (im->colorsTotal > gdMaxColors) { -+ goto fail1; -+ } - } - /* Int to accommodate truecolor single-color transparency */ - if (!gdGetInt(&im->transparent, in)) { diff --git a/lang/php5/patches/patch-az b/lang/php5/patches/patch-az deleted file mode 100644 index 184f591054b..00000000000 --- a/lang/php5/patches/patch-az +++ /dev/null @@ -1,373 +0,0 @@ -$NetBSD$ - -* Fix for htmlspecialchars(): - http://svn.php.net/viewvc?view=revision&revision=289411 - http://svn.php.net/viewvc?view=revision&revision=289554 - http://svn.php.net/viewvc?view=revision&revision=289565 - http://svn.php.net/viewvc?view=revision&revision=289567 - http://svn.php.net/viewvc?view=revision&revision=289605 - ---- ext/standard/html.c.orig 2008-12-31 20:17:49.000000000 +0900 -+++ ext/standard/html.c -@@ -484,15 +484,31 @@ struct basic_entities_dec { - } \ - mbseq[mbpos++] = (mbchar); } - --#define CHECK_LEN(pos, chars_need) \ -- if((str_len - (pos)) < chars_need) { \ -- *status = FAILURE; \ -- return 0; \ -+/* skip one byte and return */ -+#define MB_FAILURE(pos) do { \ -+ *newpos = pos + 1; \ -+ *status = FAILURE; \ -+ return 0; \ -+ } while (0) -+ -+#define CHECK_LEN(pos, chars_need) \ -+ if (chars_need < 1) { \ -+ if((str_len - (pos)) < chars_need) { \ -+ *newpos = pos; \ -+ *status = FAILURE; \ -+ return 0; \ -+ } \ -+ } else { \ -+ if((str_len - (pos)) < chars_need) { \ -+ *newpos = pos + 1; \ -+ *status = FAILURE; \ -+ return 0; \ -+ } \ - } - - /* {{{ get_next_char - */ --inline static unsigned short get_next_char(enum entity_charset charset, -+inline static unsigned int get_next_char(enum entity_charset charset, - unsigned char * str, - int str_len, - int * newpos, -@@ -503,205 +519,189 @@ inline static unsigned short get_next_ch - int pos = *newpos; - int mbpos = 0; - int mbspace = *mbseqlen; -- unsigned short this_char = str[pos++]; -+ unsigned int this_char = 0; - unsigned char next_char; - - *status = SUCCESS; -- -+ - if (mbspace <= 0) { - *mbseqlen = 0; -- return this_char; -+ CHECK_LEN(pos, 1); -+ *newpos = pos + 1; -+ *newpos = pos + 1; - } -- -- MB_WRITE((unsigned char)this_char); -- -+ - switch (charset) { - case cs_utf_8: - { -- unsigned long utf = 0; -- int stat = 0; -- int more = 1; -- -- /* unpack utf-8 encoding into a wide char. -- * Code stolen from the mbstring extension */ -- -- do { -- if (this_char < 0x80) { -- more = 0; -- if(stat) { -- /* we didn't finish the UTF sequence correctly */ -- *status = FAILURE; -- } -- break; -- } else if (this_char < 0xc0) { -- switch (stat) { -- case 0x10: /* 2, 2nd */ -- case 0x21: /* 3, 3rd */ -- case 0x32: /* 4, 4th */ -- case 0x43: /* 5, 5th */ -- case 0x54: /* 6, 6th */ -- /* last byte in sequence */ -- more = 0; -- utf |= (this_char & 0x3f); -- this_char = (unsigned short)utf; -- break; -- case 0x20: /* 3, 2nd */ -- case 0x31: /* 4, 3rd */ -- case 0x42: /* 5, 4th */ -- case 0x53: /* 6, 5th */ -- /* penultimate char */ -- utf |= ((this_char & 0x3f) << 6); -- stat++; -- break; -- case 0x30: /* 4, 2nd */ -- case 0x41: /* 5, 3rd */ -- case 0x52: /* 6, 4th */ -- utf |= ((this_char & 0x3f) << 12); -- stat++; -- break; -- case 0x40: /* 5, 2nd */ -- case 0x51: -- utf |= ((this_char & 0x3f) << 18); -- stat++; -- break; -- case 0x50: /* 6, 2nd */ -- utf |= ((this_char & 0x3f) << 24); -- stat++; -- break; -- default: -- /* invalid */ -- *status = FAILURE; -- more = 0; -- } -- } -- /* lead byte */ -- else if (this_char < 0xe0) { -- stat = 0x10; /* 2 byte */ -- utf = (this_char & 0x1f) << 6; -- CHECK_LEN(pos, 1); -- } else if (this_char < 0xf0) { -- stat = 0x20; /* 3 byte */ -- utf = (this_char & 0xf) << 12; -- CHECK_LEN(pos, 2); -- } else if (this_char < 0xf8) { -- stat = 0x30; /* 4 byte */ -- utf = (this_char & 0x7) << 18; -- CHECK_LEN(pos, 3); -- } else if (this_char < 0xfc) { -- stat = 0x40; /* 5 byte */ -- utf = (this_char & 0x3) << 24; -- CHECK_LEN(pos, 4); -- } else if (this_char < 0xfe) { -- stat = 0x50; /* 6 byte */ -- utf = (this_char & 0x1) << 30; -- CHECK_LEN(pos, 5); -- } else { -- /* invalid; bail */ -- more = 0; -- *status = FAILURE; -- break; -+ unsigned char c; -+ CHECK_LEN(pos, 1); -+ c = str[pos]; -+ if (c < 0x80) { -+ MB_WRITE(c); -+ this_char = c; -+ pos++; -+ } else if (c < 0xc0) { -+ MB_FAILURE(pos); -+ } else if (c < 0xe0) { -+ CHECK_LEN(pos, 2); -+ if (str[pos + 1] < 0x80 || str[pos + 1] > 0xbf) { -+ MB_FAILURE(pos); - } -- -- if (more) { -- this_char = str[pos++]; -- MB_WRITE((unsigned char)this_char); -+ this_char = ((c & 0x1f) << 6) | (str[pos + 1] & 0x3f); -+ if (this_char < 0x80) { -+ MB_FAILURE(pos); - } -- } while (more); -+ MB_WRITE((unsigned char)c); -+ MB_WRITE((unsigned char)str[pos + 1]); -+ pos += 2; -+ } else if (c < 0xf0) { -+ CHECK_LEN(pos, 3); -+ if (str[pos + 1] < 0x80 || str[pos + 1] > 0xbf) { -+ MB_FAILURE(pos); -+ } -+ if (str[pos + 2] < 0x80 || str[pos + 2] > 0xbf) { -+ MB_FAILURE(pos); -+ } -+ this_char = ((c & 0x0f) << 12) | ((str[pos + 1] & 0x3f) << 6) | (str[pos + 2] & 0x3f); -+ if (this_char < 0x800) { -+ MB_FAILURE(pos); -+ } -+ MB_WRITE((unsigned char)c); -+ MB_WRITE((unsigned char)str[pos + 1]); -+ MB_WRITE((unsigned char)str[pos + 2]); -+ pos += 3; -+ } else if (c < 0xf8) { -+ CHECK_LEN(pos, 4); -+ if (str[pos + 1] < 0x80 || str[pos + 1] > 0xbf) { -+ MB_FAILURE(pos); -+ } -+ if (str[pos + 2] < 0x80 || str[pos + 2] > 0xbf) { -+ MB_FAILURE(pos); -+ } -+ if (str[pos + 3] < 0x80 || str[pos + 3] > 0xbf) { -+ MB_FAILURE(pos); -+ } -+ this_char = ((c & 0x07) << 18) | ((str[pos + 1] & 0x3f) << 12) | ((str[pos + 2] & 0x3f) << 6) | (str[pos + 3] & 0x3f); -+ if (this_char < 0x10000) { -+ MB_FAILURE(pos); -+ } -+ MB_WRITE((unsigned char)c); -+ MB_WRITE((unsigned char)str[pos + 1]); -+ MB_WRITE((unsigned char)str[pos + 2]); -+ MB_WRITE((unsigned char)str[pos + 3]); -+ pos += 4; -+ } else { -+ MB_FAILURE(pos); -+ } - } - break; - case cs_big5: - case cs_gb2312: - case cs_big5hkscs: - { -+ CHECK_LEN(pos, 1); -+ this_char = str[pos++]; - /* check if this is the first of a 2-byte sequence */ -- if (this_char >= 0xa1 && this_char <= 0xfe) { -+ if (this_char >= 0x81 && this_char <= 0xfe) { - /* peek at the next char */ - CHECK_LEN(pos, 1); -- next_char = str[pos]; -+ next_char = str[pos++]; - if ((next_char >= 0x40 && next_char <= 0x7e) || - (next_char >= 0xa1 && next_char <= 0xfe)) { - /* yes, this a wide char */ -- this_char <<= 8; -+ MB_WRITE(this_char); - MB_WRITE(next_char); -- this_char |= next_char; -- pos++; -+ this_char = (this_char << 8) | next_char; -+ } else { -+ MB_FAILURE(pos); - } -- -+ } else { -+ MB_WRITE(this_char); - } -- break; - } -+ break; - case cs_sjis: - { -+ CHECK_LEN(pos, 1); -+ this_char = str[pos++]; - /* check if this is the first of a 2-byte sequence */ -- if ( (this_char >= 0x81 && this_char <= 0x9f) || -- (this_char >= 0xe0 && this_char <= 0xef) -- ) { -+ if ((this_char >= 0x81 && this_char <= 0x9f) || -+ (this_char >= 0xe0 && this_char <= 0xfc)) { - /* peek at the next char */ - CHECK_LEN(pos, 1); -- next_char = str[pos]; -+ next_char = str[pos++]; - if ((next_char >= 0x40 && next_char <= 0x7e) || - (next_char >= 0x80 && next_char <= 0xfc)) - { - /* yes, this a wide char */ -- this_char <<= 8; -+ MB_WRITE(this_char); - MB_WRITE(next_char); -- this_char |= next_char; -- pos++; -+ this_char = (this_char << 8) | next_char; -+ } else { -+ MB_FAILURE(pos); - } -- -+ } else { -+ MB_WRITE(this_char); - } - break; - } - case cs_eucjp: - { -+ CHECK_LEN(pos, 1); -+ this_char = str[pos++]; - /* check if this is the first of a multi-byte sequence */ - if (this_char >= 0xa1 && this_char <= 0xfe) { - /* peek at the next char */ - CHECK_LEN(pos, 1); -- next_char = str[pos]; -+ next_char = str[pos++]; - if (next_char >= 0xa1 && next_char <= 0xfe) { - /* yes, this a jis kanji char */ -- this_char <<= 8; -+ MB_WRITE(this_char); - MB_WRITE(next_char); -- this_char |= next_char; -- pos++; -+ this_char = (this_char << 8) | next_char; -+ } else { -+ MB_FAILURE(pos); - } -- - } else if (this_char == 0x8e) { - /* peek at the next char */ - CHECK_LEN(pos, 1); -- next_char = str[pos]; -+ next_char = str[pos++]; - if (next_char >= 0xa1 && next_char <= 0xdf) { - /* JIS X 0201 kana */ -- this_char <<= 8; -+ MB_WRITE(this_char); - MB_WRITE(next_char); -- this_char |= next_char; -- pos++; -+ this_char = (this_char << 8) | next_char; -+ } else { -+ MB_FAILURE(pos); - } -- - } else if (this_char == 0x8f) { - /* peek at the next two char */ - unsigned char next2_char; - CHECK_LEN(pos, 2); - next_char = str[pos]; -- next2_char = str[pos+1]; -+ next2_char = str[pos + 1]; -+ pos += 2; - if ((next_char >= 0xa1 && next_char <= 0xfe) && - (next2_char >= 0xa1 && next2_char <= 0xfe)) { - /* JIS X 0212 hojo-kanji */ -- this_char <<= 8; -+ MB_WRITE(this_char); - MB_WRITE(next_char); -- this_char |= next_char; -- pos++; -- this_char <<= 8; - MB_WRITE(next2_char); -- this_char |= next2_char; -- pos++; -+ this_char = (this_char << 16) | (next_char << 8) | next2_char; -+ } else { -+ MB_FAILURE(pos); - } -- -+ } else { -+ MB_WRITE(this_char); - } - break; - } - default: -+ /* single-byte charsets */ -+ CHECK_LEN(pos, 1); -+ this_char = str[pos++]; -+ MB_WRITE(this_char); - break; - } - MB_RETURN; -@@ -1132,7 +1132,7 @@ PHPAPI char *php_escape_html_entities_ex - unsigned char mbsequence[16]; /* allow up to 15 characters in a multibyte sequence */ - int mbseqlen = sizeof(mbsequence); - int status = SUCCESS; -- unsigned short this_char = get_next_char(charset, old, oldlen, &i, mbsequence, &mbseqlen, &status); -+ unsigned int this_char = get_next_char(charset, old, oldlen, &i, mbsequence, &mbseqlen, &status); - - if(status == FAILURE) { - /* invalid MB sequence */ diff --git a/lang/php5/patches/patch-ba b/lang/php5/patches/patch-ba deleted file mode 100644 index 36f0ac78796..00000000000 --- a/lang/php5/patches/patch-ba +++ /dev/null @@ -1,17 +0,0 @@ -$NetBSD: patch-ba,v 1.1.2.2 2009/11/30 23:10:20 tron Exp $ - -Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3558: - http://svn.php.net/viewvc?view=revision&revision=288934 - ---- ext/posix/posix.c.orig 2009-08-06 20:11:15.000000000 +0900 -+++ ext/posix/posix.c -@@ -679,7 +679,8 @@ PHP_FUNCTION(posix_mkfifo) - RETURN_FALSE; - } - -- if (PG(safe_mode) && (!php_checkuid(path, NULL, CHECKUID_ALLOW_ONLY_DIR))) { -+ if (php_check_open_basedir_ex(path, 0 TSRMLS_CC) || -+ (PG(safe_mode) && (!php_checkuid(path, NULL, CHECKUID_ALLOW_ONLY_DIR))) { - RETURN_FALSE; - } - diff --git a/lang/php5/patches/patch-bb b/lang/php5/patches/patch-bb deleted file mode 100644 index 07c69816914..00000000000 --- a/lang/php5/patches/patch-bb +++ /dev/null @@ -1,19 +0,0 @@ -$NetBSD: patch-bb,v 1.1.2.2 2009/11/30 23:10:20 tron Exp $ - -Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3557: - http://svn.php.net/viewvc?view=revision&revision=288945 - http://svn.php.net/viewvc?view=revision&revision=288971 - ---- ext/standard/file.c.orig 2009-11-30 10:04:51.000000000 +0900 -+++ ext/standard/file.c -@@ -838,6 +838,10 @@ PHP_FUNCTION(tempnam) - convert_to_string_ex(arg1); - convert_to_string_ex(arg2); - -+ if (PG(safe_mode) &&(!php_checkuid(Z_STRVAL_PP(arg1), NULL, CHECKUID_ALLOW_ONLY_DIR))) { -+ RETURN_FALSE; -+ } -+ - if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) { - RETURN_FALSE; - } diff --git a/lang/php5/patches/patch-bc b/lang/php5/patches/patch-bc deleted file mode 100644 index 6377089a28a..00000000000 --- a/lang/php5/patches/patch-bc +++ /dev/null @@ -1,15 +0,0 @@ -$NetBSD: patch-bc,v 1.1.2.2 2009/11/30 23:10:20 tron Exp $ - -Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017: - http://svn.php.net/viewvc?view=revision&revision=289990 - ---- main/main.c.orig 2009-11-30 10:04:51.000000000 +0900 -+++ main/main.c -@@ -455,6 +455,7 @@ PHP_INI_BEGIN() - PHP_INI_ENTRY("mail.force_extra_parameters",NULL, PHP_INI_SYSTEM|PHP_INI_PERDIR, OnChangeMailForceExtra) - PHP_INI_ENTRY("disable_functions", "", PHP_INI_SYSTEM, NULL) - PHP_INI_ENTRY("disable_classes", "", PHP_INI_SYSTEM, NULL) -+ PHP_INI_ENTRY("max_file_uploads", "100", PHP_INI_SYSTEM, NULL) - - STD_PHP_INI_BOOLEAN("allow_url_fopen", "1", PHP_INI_SYSTEM, OnUpdateBool, allow_url_fopen, php_core_globals, core_globals) - STD_PHP_INI_BOOLEAN("allow_url_include", "0", PHP_INI_SYSTEM, OnUpdateBool, allow_url_include, php_core_globals, core_globals) diff --git a/lang/php5/patches/patch-bd b/lang/php5/patches/patch-bd deleted file mode 100644 index 7032c8ee22b..00000000000 --- a/lang/php5/patches/patch-bd +++ /dev/null @@ -1,46 +0,0 @@ -$NetBSD: patch-bd,v 1.1.2.2 2009/11/30 23:10:20 tron Exp $ - -Fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017: - http://svn.php.net/viewvc?view=revision&revision=289990 - http://svn.php.net/viewvc?view=revision&revision=290820 - http://svn.php.net/viewvc?view=revision&revision=290885 - ---- main/rfc1867.c.orig 2008-12-31 20:17:49.000000000 +0900 -+++ main/rfc1867.c -@@ -32,6 +32,7 @@ - #include "php_globals.h" - #include "php_variables.h" - #include "rfc1867.h" -+#include "php_ini.h" - - #define DEBUG_FILE_UPLOAD ZEND_DEBUG - -@@ -794,8 +795,9 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_ - zend_llist header; - void *event_extra_data = NULL; - int llen = 0; -+ int upload_cnt = INI_INT("max_file_uploads"); - -- if (SG(request_info).content_length > SG(post_max_size)) { -+ if (SG(post_max_size) > 0 && SG(request_info).content_length > SG(post_max_size)) { - sapi_module.sapi_error(E_WARNING, "POST Content-Length of %ld bytes exceeds the limit of %ld bytes", SG(request_info).content_length, SG(post_max_size)); - return; - } -@@ -972,6 +974,9 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_ - /* If file_uploads=off, skip the file part */ - if (!PG(file_uploads)) { - skip_upload = 1; -+ } else if (upload_cnt <= 0) { -+ skip_upload = 1; -+ sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded"); - } - - /* Return with an error if the posted data is garbled */ -@@ -1016,6 +1021,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_ - if (!skip_upload) { - /* Handle file */ - fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1 TSRMLS_CC); -+ upload_cnt--; - if (fd==-1) { - sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file"); - cancel_upload = UPLOAD_ERROR_E; |