[Pkg-php-commits] r1227 - php5/trunk/debian/patches
Sean Finney
seanius at alioth.debian.org
Tue Jan 20 23:10:50 UTC 2009
Author: seanius
Date: 2009-01-20 23:10:50 +0000 (Tue, 20 Jan 2009)
New Revision: 1227
Modified:
php5/trunk/debian/patches/CVE-2008-5658.patch
Log:
more work on CVE-2008-5658
Modified: php5/trunk/debian/patches/CVE-2008-5658.patch
===================================================================
--- php5/trunk/debian/patches/CVE-2008-5658.patch 2009-01-20 18:10:12 UTC (rev 1226)
+++ php5/trunk/debian/patches/CVE-2008-5658.patch 2009-01-20 23:10:50 UTC (rev 1227)
@@ -164,3 +164,375 @@
if (n<0) {
return 0;
+--- php5-5.2.6.dfsg.1.orig/TSRM/tsrm_virtual_cwd.c
++++ php5-5.2.6.dfsg.1/TSRM/tsrm_virtual_cwd.c
+@@ -654,24 +654,17 @@ static inline realpath_cache_bucket* rea
+ CWD_API int virtual_file_ex(cwd_state *state, const char *path, verify_path_func verify_path, int use_realpath) /* {{{ */
+ {
+ int path_length = strlen(path);
+- cwd_state old_state;
+- char orig_path[MAXPATHLEN];
+- realpath_cache_bucket *bucket;
+- time_t t = 0;
++ char resolved_path[MAXPATHLEN];
++ int start = 1;
++ int ll = 0;
++ time_t t;
+ int ret;
+- int use_cache;
+- int use_relative_path = 0;
+-#ifdef TSRM_WIN32
+- int is_unc;
+-#endif
++ int add_slash;
+ TSRMLS_FETCH();
+
+- use_cache = ((use_realpath != CWD_EXPAND) && CWDG(realpath_cache_size_limit));
+-
+- if (path_length == 0)
+- return (1);
+- if (path_length >= MAXPATHLEN)
+- return (1);
++ if (path_length == 0 || path_length >= MAXPATHLEN-1) {
++ return 1;
++ }
+
+ #if VIRTUAL_CWD_DEBUG
+ fprintf(stderr,"cwd = %s path = %s\n", state->cwd, path);
+@@ -682,10 +675,10 @@ CWD_API int virtual_file_ex(cwd_state *s
+ * but *does* have execute permissions */
+ if (!IS_ABSOLUTE_PATH(path, path_length)) {
+ if (state->cwd_length == 0) {
+- use_cache = 0;
+- use_relative_path = 1;
++ /* resolve relative path */
++ start = 0;
++ memcpy(resolved_path , path, path_length + 1);
+ } else {
+- int orig_path_len;
+ int state_cwd_length = state->cwd_length;
+
+ #ifdef TSRM_WIN32
+@@ -693,240 +686,109 @@ CWD_API int virtual_file_ex(cwd_state *s
+ state_cwd_length = 2;
+ }
+ #endif
+- orig_path_len = path_length + state_cwd_length + 1;
+- if (orig_path_len >= MAXPATHLEN) {
++ if (path_length + state_cwd_length + 1 >= MAXPATHLEN-1) {
+ return 1;
+ }
+- memcpy(orig_path, state->cwd, state_cwd_length);
+- orig_path[state_cwd_length] = DEFAULT_SLASH;
+- memcpy(orig_path + state_cwd_length + 1, path, path_length + 1);
+- path = orig_path;
+- path_length = orig_path_len;
++ memcpy(resolved_path, state->cwd, state_cwd_length);
++ resolved_path[state_cwd_length] = DEFAULT_SLASH;
++ memcpy(resolved_path + state_cwd_length + 1, path, path_length + 1);
++ path_length += state_cwd_length + 1;
+ }
+- }
++ } else {
++ memcpy(resolved_path , path, path_length + 1);
++ }
+
+- if (use_cache) {
+- t = CWDG(realpath_cache_ttl)?time(0):0;
+- if ((bucket = realpath_cache_find(path, path_length, t TSRMLS_CC)) != NULL) {
+- int len = bucket->realpath_len;
+-
+- CWD_STATE_COPY(&old_state, state);
+- state->cwd = (char *) realloc(state->cwd, len+1);
+- memcpy(state->cwd, bucket->realpath, len+1);
+- state->cwd_length = len;
+- if (verify_path && verify_path(state)) {
+- CWD_STATE_FREE(state);
+- *state = old_state;
+- return 1;
+- } else {
+- CWD_STATE_FREE(&old_state);
+- return 0;
+- }
+- }
++#ifdef TSRM_WIN32
++ if (memchr(resolved_path, '*', path_length) ||
++ memchr(resolved_path, '?', path_length)) {
++ return 1;
+ }
+-
+- if (use_realpath != CWD_EXPAND) {
+-#if !defined(TSRM_WIN32) && !defined(NETWARE)
+- char resolved_path[MAXPATHLEN];
+-
+- if (!realpath(path, resolved_path)) { /* Note: Not threadsafe on older *BSD's */
+- if (use_realpath == CWD_REALPATH) {
+- return 1;
+- }
+- goto no_realpath;
+- }
+- use_realpath = CWD_REALPATH;
+- CWD_STATE_COPY(&old_state, state);
+-
+- state->cwd_length = strlen(resolved_path);
+- state->cwd = (char *) realloc(state->cwd, state->cwd_length+1);
+- memcpy(state->cwd, resolved_path, state->cwd_length+1);
+-#else
+- goto no_realpath;
+ #endif
+- } else {
+- char *ptr, *path_copy, *free_path;
+- char *tok;
+- int ptr_length;
+-no_realpath:
+
+ #ifdef TSRM_WIN32
+- if (memchr(path, '*', path_length) ||
+- memchr(path, '?', path_length)) {
+- return 1;
++ if (IS_UNC_PATH(resolved_path, path_length)) {
++ /* skip UNC name */
++ resolved_path[0] = DEFAULT_SLASH;
++ resolved_path[1] = DEFAULT_SLASH;
++ start = 2;
++ while (!IS_SLASH(resolved_path[start])) {
++ if (resolved_path[start] == 0) {
++ goto verify;
++ }
++ resolved_path[start] = toupper(resolved_path[start]);
++ start++;
+ }
+-#endif
+-
+- free_path = path_copy = tsrm_strndup(path, path_length);
+- CWD_STATE_COPY(&old_state, state);
+-
+-#ifdef TSRM_WIN32
+- ret = 0;
+- is_unc = 0;
+- if (path_length >= 2 && path[1] == ':') {
+- state->cwd = (char *) realloc(state->cwd, 2 + 1);
+- state->cwd[0] = toupper(path[0]);
+- state->cwd[1] = ':';
+- state->cwd[2] = '\0';
+- state->cwd_length = 2;
+- path_copy += 2;
+- } else if (IS_UNC_PATH(path, path_length)) {
+- state->cwd = (char *) realloc(state->cwd, 1 + 1);
+- state->cwd[0] = DEFAULT_SLASH;
+- state->cwd[1] = '\0';
+- state->cwd_length = 1;
+- path_copy += 2;
+- is_unc = 2;
+- } else {
+-#endif
+- state->cwd = (char *) realloc(state->cwd, 1);
+- state->cwd[0] = '\0';
+- state->cwd_length = 0;
+-#ifdef TSRM_WIN32
++ resolved_path[start++] = DEFAULT_SLASH;
++ while (!IS_SLASH(resolved_path[start])) {
++ if (resolved_path[start] == 0) {
++ goto verify;
++ }
++ resolved_path[start] = toupper(resolved_path[start]);
++ start++;
+ }
+-#endif
+-
+- tok = NULL;
+- ptr = tsrm_strtok_r(path_copy, TOKENIZER_STRING, &tok);
+- while (ptr) {
+- ptr_length = strlen(ptr);
+-
+- if (IS_DIRECTORY_UP(ptr, ptr_length)) {
+- char save;
+-
+- if (use_relative_path) {
+- CWD_STATE_FREE(state);
+- *state = old_state;
+- return 1;
+- }
+-
+- save = DEFAULT_SLASH;
+-
+-#define PREVIOUS state->cwd[state->cwd_length - 1]
+-
+- while (IS_ABSOLUTE_PATH(state->cwd, state->cwd_length) &&
+- !IS_SLASH(PREVIOUS)) {
+- save = PREVIOUS;
+- PREVIOUS = '\0';
+- state->cwd_length--;
+- }
+-
+- if (!IS_ABSOLUTE_PATH(state->cwd, state->cwd_length)) {
+- state->cwd[state->cwd_length++] = save;
+- state->cwd[state->cwd_length] = '\0';
+- } else {
+- PREVIOUS = '\0';
+- state->cwd_length--;
+- }
+- } else if (!IS_DIRECTORY_CURRENT(ptr, ptr_length)) {
+- if (use_relative_path) {
+- state->cwd = (char *) realloc(state->cwd, state->cwd_length+ptr_length+1);
+- use_relative_path = 0;
+- } else {
+- state->cwd = (char *) realloc(state->cwd, state->cwd_length+ptr_length+1+1);
+-#ifdef TSRM_WIN32
+- /* Windows 9x will consider C:\\Foo as a network path. Avoid it. */
+- if (state->cwd_length < 2 ||
+- (state->cwd[state->cwd_length-1]!='\\' && state->cwd[state->cwd_length-1]!='/') ||
+- IsDBCSLeadByte(state->cwd[state->cwd_length-2])) {
+- state->cwd[state->cwd_length++] = DEFAULT_SLASH;
+- }
++ resolved_path[start++] = DEFAULT_SLASH;
++ } else if (IS_ABSOLUTE_PATH(resolved_path, path_length)) {
++ /* skip DRIVE name */
++ resolved_path[0] = toupper(resolved_path[0]);
++ resolved_path[2] = DEFAULT_SLASH;
++ start = 3;
++ }
+ #elif defined(NETWARE)
+- /*
+- Below code keeps appending to state->cwd a File system seperator
+- cases where this appending should not happen is given below,
+- a) sys: should just be left as it is
+- b) sys:system should just be left as it is,
+- Colon is allowed only in the first token as volume names alone can have the : in their names.
+- Files and Directories cannot have : in their names
+- So the check goes like this,
+- For second token and above simply append the DEFAULT_SLASH to the state->cwd.
+- For first token check for the existence of :
+- if it exists don't append the DEFAULT_SLASH to the state->cwd.
+- */
+- if(((state->cwd_length == 0) && (strchr(ptr, ':') == NULL)) || (state->cwd_length > 0)) {
+- state->cwd[state->cwd_length++] = DEFAULT_SLASH;
+- }
+-#else
+- state->cwd[state->cwd_length++] = DEFAULT_SLASH;
+-#endif
+- }
+- memcpy(&state->cwd[state->cwd_length], ptr, ptr_length+1);
+-
+-#ifdef TSRM_WIN32
+- if (use_realpath != CWD_EXPAND) {
+- WIN32_FIND_DATA data;
+- HANDLE hFind;
+-
+- if ((hFind = FindFirstFile(state->cwd, &data)) != INVALID_HANDLE_VALUE) {
+- int length = strlen(data.cFileName);
+-
+- if (length != ptr_length) {
+- state->cwd = (char *) realloc(state->cwd, state->cwd_length+length+1);
+- }
+- memcpy(&state->cwd[state->cwd_length], data.cFileName, length+1);
+- ptr_length = length;
+- FindClose(hFind);
+- ret = 0;
+- } else if (use_realpath == CWD_REALPATH) {
+- if (is_unc) {
+- /* skip share name */
+- is_unc--;
+- ret = 0;
+- } else {
+- ret = 1;
+- }
+- }
+- }
+-#endif
+-
+- state->cwd_length += ptr_length;
+- }
+- ptr = tsrm_strtok_r(NULL, TOKENIZER_STRING, &tok);
++ if (IS_ABSOLUTE_PATH(resolved_path, path_length)) {
++ /* skip VOLUME name */
++ start = 0;
++ while (start != ':') {
++ if (resolved_path[start] == 0) return -1;
++ start++;
+ }
+- free(free_path);
++ start++;
++ if (!IS_SLASH(resolved_path[start])) return -1;
++ resolved_path[start++] = DEFAULT_SLASH;
++ }
++#endif
+
+- if (use_realpath == CWD_REALPATH) {
+- if (ret) {
+- CWD_STATE_FREE(state);
+- *state = old_state;
+- return 1;
+- }
+- } else {
+-#if defined(TSRM_WIN32) || defined(NETWARE)
+- if (path[path_length-1] == '\\' || path[path_length-1] == '/') {
+-#else
+- if (path[path_length-1] == '/') {
+-#endif
+- state->cwd = (char*)realloc(state->cwd, state->cwd_length + 2);
+- state->cwd[state->cwd_length++] = DEFAULT_SLASH;
+- state->cwd[state->cwd_length] = 0;
+- }
+- }
+
+- if (state->cwd_length == COPY_WHEN_ABSOLUTE(state->cwd)) {
+- state->cwd = (char *) realloc(state->cwd, state->cwd_length+1+1);
+- state->cwd[state->cwd_length] = DEFAULT_SLASH;
+- state->cwd[state->cwd_length+1] = '\0';
+- state->cwd_length++;
++ add_slash = (use_realpath != CWD_REALPATH) && path_length > 0 && IS_SLASH(resolved_path[path_length-1]);
++ t = CWDG(realpath_cache_ttl) ? 0 : -1;
++ path_length = tsrm_realpath_r(resolved_path, start, path_length, &ll, &t, use_realpath, 0 TSRMLS_CC);
++
++ if (path_length < 0) {
++ return 1;
++ }
++
++ if (!start && !path_length) {
++ resolved_path[path_length++] = '.';
++ }
++ if (add_slash && path_length && !IS_SLASH(resolved_path[path_length-1])) {
++ if (path_length >= MAXPATHLEN-1) {
++ return -1;
+ }
++ resolved_path[path_length++] = DEFAULT_SLASH;
+ }
++ resolved_path[path_length] = 0;
+
+- /* Store existent file in realpath cache. */
+ #ifdef TSRM_WIN32
+- if (use_cache && !is_unc) {
+-#else
+- if (use_cache && (use_realpath == CWD_REALPATH)) {
++verify:
+ #endif
+- realpath_cache_add(path, path_length, state->cwd, state->cwd_length, t TSRMLS_CC);
+- }
++ if (verify_path) {
++ cwd_state old_state;
+
+- if (verify_path && verify_path(state)) {
+- CWD_STATE_FREE(state);
+- *state = old_state;
+- ret = 1;
++ CWD_STATE_COPY(&old_state, state);
++ state->cwd_length = path_length;
++ state->cwd = (char *) realloc(state->cwd, state->cwd_length+1);
++ memcpy(state->cwd, resolved_path, state->cwd_length+1);
++ if (verify_path(state)) {
++ CWD_STATE_FREE(state);
++ *state = old_state;
++ ret = 1;
++ } else {
++ CWD_STATE_FREE(&old_state);
++ ret = 0;
++ }
+ } else {
+- CWD_STATE_FREE(&old_state);
++ state->cwd_length = path_length;
++ state->cwd = (char *) realloc(state->cwd, state->cwd_length+1);
++ memcpy(state->cwd, resolved_path, state->cwd_length+1);
+ ret = 0;
+ }
+
More information about the Pkg-php-commits
mailing list