[Pkg-php-commits] r1230 - php5/trunk/debian/patches

Sean Finney seanius at alioth.debian.org
Fri Jan 23 07:08:23 UTC 2009


Author: seanius
Date: 2009-01-23 07:08:22 +0000 (Fri, 23 Jan 2009)
New Revision: 1230

Modified:
   php5/trunk/debian/patches/CVE-2008-5658.patch
Log:
clean up patch as much as i can, add comments

Modified: php5/trunk/debian/patches/CVE-2008-5658.patch
===================================================================
--- php5/trunk/debian/patches/CVE-2008-5658.patch	2009-01-22 22:37:52 UTC (rev 1229)
+++ php5/trunk/debian/patches/CVE-2008-5658.patch	2009-01-23 07:08:22 UTC (rev 1230)
@@ -1,6 +1,10 @@
+backported patch to fix CVE-2008-5658.
+unfortunately there is so much noise in TSRM that a more surgical fix does not
+seem possible according to upstream, so the new versions of the function are
+copied as local static functions to minimize the impact elsewhere.
 --- php5-5.2.6.dfsg.1.orig/ext/zip/php_zip.c
 +++ php5-5.2.6.dfsg.1/ext/zip/php_zip.c
-@@ -82,6 +82,344 @@ static int le_zip_entry;
+@@ -82,6 +82,231 @@ static int le_zip_entry;
  
  /* }}} */
  
@@ -8,12 +12,7 @@
 +{
 +	int i, j;
 +	int directory = 0;
-+#ifdef PHP_WIN32
-+	WIN32_FIND_DATA data;
-+	HANDLE hFind;
-+#else
 +	struct stat st;
-+#endif
 +	realpath_cache_bucket *bucket;
 +	char *tmp;
 +
@@ -73,19 +72,10 @@
 +	
 +		path[len] = 0;
 +
-+#ifdef PHP_WIN32
 +		tmp = tsrm_do_alloca(len+1);
 +		memcpy(tmp, path, len+1);
-+#elif defined(NETWARE)
 +
-+		tmp = tsrm_do_alloca(len+1);
-+		memcpy(tmp, path, len+1);
-+#else
-+		tmp = tsrm_do_alloca(len+1);
-+		memcpy(tmp, path, len+1);
-+
 +		{
-+#endif
 +			if (i - 1 <= start) {
 +				j = start;
 +			} else {
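Review bot: The bare `{` left after `memcpy(tmp, path, len+1);` no longer has a visible purpose now that the `#ifdef PHP_WIN32` / `#elif defined(NETWARE)` / `#else` scaffolding around it is removed; it used to sit inside the `#else` arm, with its closing `}` just before the `#endif` in the next hunk. Either drop the brace pair so the copy and the bounds check read as straight-line code, or keep it and say why with a one-line comment such as `/* block kept from upstream's non-Windows branch */`. The enclosing function starts and ends outside this hunk.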
@@ -95,26 +85,13 @@
 +					path[j++] = DEFAULT_SLASH;
 +				}
 +			}
-+#ifdef PHP_WIN32
 +			if (j < 0 || j + len - i >= MAXPATHLEN-1) {
 +				tsrm_free_alloca(tmp);
-+
 +				return -1;
 +			}
-+			{
-+				/* use the original file or directory name as it wasn't found */
-+				memcpy(path+j, tmp+i, len-i+1);
-+				j += (len-i);
-+			}
-+#else
-+			if (j < 0 || j + len - i >= MAXPATHLEN-1) {
-+				tsrm_free_alloca(tmp);
-+				return -1;
-+			}
 +			memcpy(path+j, tmp+i, len-i+1);
 +			j += (len-i);
 +		}
-+#endif
 +
 +		tsrm_free_alloca(tmp);
 +		return j;
@@ -159,31 +136,6 @@
 +		} else {
 +			int state_cwd_length = state->cwd_length;
 +
-+#ifdef PHP_WIN32
-+			if (IS_SLASH(path[0])) {
-+				if (state->cwd[1] == ':') {
-+					/* Copy only the drive name */
-+					state_cwd_length = 2;
-+				} else if (IS_UNC_PATH(state->cwd, state->cwd_length)) {
-+					/* Copy only the share name */
-+					state_cwd_length = 2;
-+					while (IS_SLASH(state->cwd[state_cwd_length])) {
-+						state_cwd_length++;
-+					}						 
-+					while (state->cwd[state_cwd_length] &&
-+					       !IS_SLASH(state->cwd[state_cwd_length])) {
-+						state_cwd_length++;
-+					}						 
-+					while (IS_SLASH(state->cwd[state_cwd_length])) {
-+						state_cwd_length++;
-+					}						 
-+					while (state->cwd[state_cwd_length] &&
-+					       !IS_SLASH(state->cwd[state_cwd_length])) {
-+						state_cwd_length++;
-+					}						 
-+				}
-+			}
-+#endif
 +			if (path_length + state_cwd_length + 1 >= MAXPATHLEN-1) {
 +				return 1;
 +			}
@@ -193,67 +145,9 @@
 +			path_length += state_cwd_length + 1;
 +		}
 +	} else {		
-+#ifdef PHP_WIN32
-+		if (path_length > 2 && path[1] == ':' && !IS_SLASH(path[2])) {
-+			resolved_path[0] = path[0];
-+			resolved_path[1] = ':';
-+			resolved_path[2] = DEFAULT_SLASH;
-+			memcpy(resolved_path + 3, path + 2, path_length - 1);
-+			path_length++;
-+		} else
-+#endif
 +		memcpy(resolved_path, path, path_length + 1);
 +	} 
 +
-+#ifdef PHP_WIN32
-+	if (memchr(resolved_path, '*', path_length) ||
-+	    memchr(resolved_path, '?', path_length)) {
-+		return 1;
-+	}
-+#endif
-+
-+#ifdef PHP_WIN32
-+	if (IS_UNC_PATH(resolved_path, path_length)) {
-+		/* skip UNC name */
-+		resolved_path[0] = DEFAULT_SLASH;
-+		resolved_path[1] = DEFAULT_SLASH;
-+		start = 2;
-+		while (!IS_SLASH(resolved_path[start])) {
-+			if (resolved_path[start] == 0) {
-+				goto verify;
-+			}
-+			resolved_path[start] = toupper(resolved_path[start]);
-+			start++;
-+		}
-+		resolved_path[start++] = DEFAULT_SLASH;
-+		while (!IS_SLASH(resolved_path[start])) {
-+			if (resolved_path[start] == 0) {
-+				goto verify;
-+			}
-+			resolved_path[start] = toupper(resolved_path[start]);
-+			start++;
-+		}
-+		resolved_path[start++] = DEFAULT_SLASH;
-+	} else if (IS_ABSOLUTE_PATH(resolved_path, path_length)) {
-+		/* skip DRIVE name */
-+		resolved_path[0] = toupper(resolved_path[0]);
-+		resolved_path[2] = DEFAULT_SLASH;
-+		start = 3;
-+	}
-+#elif defined(NETWARE)
-+	if (IS_ABSOLUTE_PATH(resolved_path, path_length)) {
-+		/* skip VOLUME name */
-+		start = 0;
-+		while (start != ':') {
-+			if (resolved_path[start] == 0) return -1;
-+			start++;
-+		}
-+		start++;
-+		if (!IS_SLASH(resolved_path[start])) return -1;
-+		resolved_path[start++] = DEFAULT_SLASH;
-+	}
-+#endif
-+
 +	add_slash = (use_realpath != CWD_REALPATH) && path_length > 0 && IS_SLASH(resolved_path[path_length-1]);
 +	t = CWDG(realpath_cache_ttl) ? 0 : -1;
 +	path_length = php_zip_realpath_r(resolved_path, start, path_length, &ll, &t, use_realpath, 0, NULL TSRMLS_CC);
@@ -274,9 +168,6 @@
 +	}
 +	resolved_path[path_length] = 0;
 +
-+#ifdef PHP_WIN32
-+verify:
-+#endif
 +	if (verify_path) {
 +		cwd_state old_state;
 +
@@ -345,7 +236,7 @@
  /* {{{ php_zip_extract_file */
  /* TODO: Simplify it */
  static int php_zip_extract_file(struct zip * za, char *dest, char *file, int file_len TSRMLS_DC)
-@@ -103,57 +441,80 @@ static int php_zip_extract_file(struct z
+@@ -103,57 +328,80 @@ static int php_zip_extract_file(struct z
  	char *file_basename;
  	size_t file_basename_len;
  	int is_dir_only = 0;
@@ -356,8 +247,7 @@
 +	new_state.cwd = (char*)malloc(1);
 +	new_state.cwd[0] = '\0';
 +	new_state.cwd_length = 0;
- 
--	if (file_len >= MAXPATHLEN || zip_stat(za, file, 0, &sb) != 0) {
++
 +	/* Clean/normlize the path and then transform any path (absolute or relative)
 +		 to a path relative to cwd (../../mydir/foo.txt > mydir/foo.txt)
 +	 */
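Review bot: `new_state.cwd[0] = '\0';` writes through the pointer returned by `malloc(1)` without checking it, so an allocation failure becomes a NULL dereference in the extraction path this patch is hardening. A guard directly after the allocation, `if (new_state.cwd == NULL) { return 0; }`, would match the failure return the function uses a few lines further down. The comment that follows also carries a typo (`normlize`). php_zip_extract_file starts and ends outside this hunk.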
@@ -366,7 +256,8 @@
 +	}
 +	path_cleaned =  php_zip_make_relative_path(new_state.cwd, new_state.cwd_length);
 +	path_cleaned_len = strlen(path_cleaned);
-+
+ 
+-	if (file_len >= MAXPATHLEN || zip_stat(za, file, 0, &sb) != 0) {
 +	if (path_cleaned_len >= MAXPATHLEN || zip_stat(za, file, 0, &sb) != 0) {
  		return 0;
  	}
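Review bot: The early `return 0;` under `if (path_cleaned_len >= MAXPATHLEN || zip_stat(za, file, 0, &sb) != 0)` exits without releasing `new_state.cwd`, which is allocated with `malloc` earlier in the function, so each entry rejected here leaks that buffer. Adding `free(new_state.cwd);` before that `return 0;` would close it. The later cleanup paths each grow by one line in this patch (6 → 7), presumably for the same release, but those added lines are not visible here. `path_cleaned` looks like it points into `new_state.cwd`, so the free has to come after its last use, which is worth confirming against php_zip_make_relative_path. The function body continues outside this hunk.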
@@ -440,7 +331,7 @@
  	}
  
  	/* check again the full path, not sure if it
-@@ -164,6 +525,7 @@ static int php_zip_extract_file(struct z
+@@ -164,6 +412,7 @@ static int php_zip_extract_file(struct z
  		efree(fullpath);
  		efree(file_dirname_fullpath);
  		efree(file_basename);
@@ -448,7 +339,7 @@
  		return 0;
  	}
  
-@@ -172,6 +534,7 @@ static int php_zip_extract_file(struct z
+@@ -172,6 +421,7 @@ static int php_zip_extract_file(struct z
  		efree(fullpath);
  		efree(file_dirname_fullpath);
  		efree(file_basename);
@@ -456,7 +347,7 @@
  		return 0;
  	}
  
-@@ -186,6 +549,7 @@ static int php_zip_extract_file(struct z
+@@ -186,6 +436,7 @@ static int php_zip_extract_file(struct z
  	efree(fullpath);
  	efree(file_basename);
  	efree(file_dirname_fullpath);



