[Pkg-php-commits] [php/debian-sid] Pick some bug fixing patches from Gentoo (thanks!) All these patches will be included in the next 5.2 release by upstream. debian/patches/gentoo/: 003_ext-zip-memory-corruptions.patch 005_ext-gd-imagepng-empty-image-crash.patch 006_ext-curl-set_opt-crash.patch 007_ext-sysvshm-mem-alignment-fix.patch 008_ext-mbstring-mem-alignment-fix.patch 009_ob-memory-leaks.patch 010_ext-openssl-utf8-conversion-crash.patch 011_strnlen-compile-warning-fix.patch 013_ext-session-bad-save_path-crash.patch 015_zend-double-efree-fix.patch 016_ext-curl-open_basedir-bypass.patch 012_ext-xmlrpc-bad-callback-crash.patch
Raphael Geissert
atomo64 at gmail.com
Wed May 6 05:41:28 UTC 2009
---
.../gentoo/003_ext-zip-memory-corruptions.patch | 49 +++++
.../005_ext-gd-imagepng-empty-image-crash.patch | 47 +++++
.../gentoo/006_ext-curl-set_opt-crash.patch | 16 ++
.../gentoo/007_ext-sysvshm-mem-alignment-fix.patch | 17 ++
.../008_ext-mbstring-mem-alignment-fix.patch | 17 ++
debian/patches/gentoo/009_ob-memory-leaks.patch | 34 ++++
.../010_ext-openssl-utf8-conversion-crash.patch | 30 +++
.../gentoo/011_strnlen-compile-warning-fix.patch | 17 ++
.../gentoo/012_ext-xmlrpc-bad-callback-crash.patch | 64 +++++++
.../013_ext-session-bad-save_path-crash.patch | 17 ++
.../patches/gentoo/015_zend-double-efree-fix.patch | 16 ++
.../gentoo/016_ext-curl-open_basedir-bypass.patch | 192 ++++++++++++++++++++
debian/patches/series | 12 ++
13 files changed, 528 insertions(+), 0 deletions(-)
create mode 100644 debian/patches/gentoo/003_ext-zip-memory-corruptions.patch
create mode 100644 debian/patches/gentoo/005_ext-gd-imagepng-empty-image-crash.patch
create mode 100644 debian/patches/gentoo/006_ext-curl-set_opt-crash.patch
create mode 100644 debian/patches/gentoo/007_ext-sysvshm-mem-alignment-fix.patch
create mode 100644 debian/patches/gentoo/008_ext-mbstring-mem-alignment-fix.patch
create mode 100644 debian/patches/gentoo/009_ob-memory-leaks.patch
create mode 100644 debian/patches/gentoo/010_ext-openssl-utf8-conversion-crash.patch
create mode 100644 debian/patches/gentoo/011_strnlen-compile-warning-fix.patch
create mode 100644 debian/patches/gentoo/012_ext-xmlrpc-bad-callback-crash.patch
create mode 100644 debian/patches/gentoo/013_ext-session-bad-save_path-crash.patch
create mode 100644 debian/patches/gentoo/015_zend-double-efree-fix.patch
create mode 100644 debian/patches/gentoo/016_ext-curl-open_basedir-bypass.patch
diff --git a/debian/patches/gentoo/003_ext-zip-memory-corruptions.patch b/debian/patches/gentoo/003_ext-zip-memory-corruptions.patch
new file mode 100644
index 0000000..857a7ae
--- /dev/null
+++ b/debian/patches/gentoo/003_ext-zip-memory-corruptions.patch
@@ -0,0 +1,49 @@
+003_ext-zip-memory-corruptions.patch
+PHP_5_2
+http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.1.2.49&r2=1.1.2.50&diff_format=u
+Fixed 2 memory corruptions in zip extension idenfied by oo_properties.phpt
+test
+diff -r 71e7fbe93f72 -r 3bd0acdff49e ext/zip/php_zip.c
+--- a/ext/zip/php_zip.c Thu Apr 09 13:53:48 2009 +0200
++++ b/ext/zip/php_zip.c Thu Apr 09 14:15:51 2009 +0200
+@@ -806,6 +806,7 @@
+ } else {
+ if (hnd->read_const_char_from_obj_func) {
+ retchar = hnd->read_const_char_from_obj_func(obj TSRMLS_CC);
++ len = strlen(retchar);
+ }
+ }
+ }
+@@ -818,7 +819,7 @@
+ switch (hnd->type) {
+ case IS_STRING:
+ if (retchar) {
+- ZVAL_STRING(*retval, (char *) retchar, 1);
++ ZVAL_STRINGL(*retval, (char *) retchar, len, 1);
+ } else {
+ ZVAL_EMPTY_STRING(*retval);
+ }
+@@ -941,10 +942,11 @@
+
+ if (ret == SUCCESS) {
+ zval *tmp;
++ ALLOC_INIT_ZVAL(tmp);
+
+ if (type == 2) {
+ retval = 1;
+- } else if (php_zip_property_reader(obj, hnd, &tmp, 1 TSRMLS_CC) == SUCCESS) {
++ } else if (php_zip_property_reader(obj, hnd, &tmp, 0 TSRMLS_CC) == SUCCESS) {
+ Z_SET_REFCOUNT_P(tmp, 1);
+ Z_UNSET_ISREF_P(tmp);
+ if (type == 1) {
+@@ -952,8 +954,9 @@
+ } else if (type == 0) {
+ retval = (Z_TYPE_P(tmp) != IS_NULL);
+ }
+- zval_ptr_dtor(&tmp);
+ }
++
++ zval_ptr_dtor(&tmp);
+ } else {
+ std_hnd = zend_get_std_object_handlers();
+ retval = std_hnd->has_property(object, member, type TSRMLS_CC);
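Review bot: The added `len = strlen(retchar);` runs before any NULL test on `retchar`, while the `IS_STRING` case a few lines later still guards with `if (retchar)`, which suggests the handler is allowed to return NULL. If that is so, the new line dereferences NULL; `len = retchar ? strlen(retchar) : 0;` would keep the two places consistent. The enclosing function starts and ends outside the quoted hunks, so the initial value of `len` is not visible here.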
diff --git a/debian/patches/gentoo/005_ext-gd-imagepng-empty-image-crash.patch b/debian/patches/gentoo/005_ext-gd-imagepng-empty-image-crash.patch
new file mode 100644
index 0000000..2bb7a48
--- /dev/null
+++ b/debian/patches/gentoo/005_ext-gd-imagepng-empty-image-crash.patch
@@ -0,0 +1,47 @@
+005_ext-gd-imagepng-empty-image-crash.patch
+PHP_5_2
+http://cvs.php.net/viewvc.cgi/php-src/ext/gd/libgd/gd_png.c?r1=1.17.4.2.2.6&r2=1.17.4.2.2.7&diff_format=u
+http://cvs.php.net/viewvc.cgi/php-src/ext/gd/tests/bug45799.phpt?view=markup&revision=1.1
+http://bugs.php.net/bug.php?id=45799
+Fixed bug #45799 (imagepng() crashes on empty image)
+diff -r de141004e0e2 -r 9db107056020 ext/gd/libgd/gd_png.c
+--- a/ext/gd/libgd/gd_png.c Fri Apr 10 11:22:20 2009 +0200
++++ b/ext/gd/libgd/gd_png.c Fri Apr 10 11:25:01 2009 +0200
+@@ -535,6 +535,10 @@
+ ++colors;
+ }
+ }
++ if (colors == 0) {
++ php_gd_error("gd-png error: no colors in palette");
++ goto bail;
++ }
+ if (colors < im->colorsTotal) {
+ remap = TRUE;
+ }
+@@ -732,6 +736,7 @@
+ }
+ }
+ /* 1.6.3: maybe we should give that memory BACK! TBB */
++ bail:
+ png_destroy_write_struct(&png_ptr, &info_ptr);
+ }
+
+diff -r de141004e0e2 -r 9db107056020 ext/gd/tests/bug45799.phpt
+--- /dev/null Thu Jan 01 00:00:00 1970 +0000
++++ b/ext/gd/tests/bug45799.phpt Fri Apr 10 11:25:01 2009 +0200
+@@ -0,0 +1,15 @@
++--TEST--
++Bug #45799 (imagepng() crashes on empty image).
++--SKIPIF--
++<?php
++ if (!extension_loaded('gd')) die("skip gd extension not available\n");
++?>
++--FILE--
++<?php
++$img = imagecreate(500,500);
++imagepng($img);
++imagedestroy($img);
++?>
++--EXPECTF--
++
++Warning: imagepng(): gd-png error: no colors in palette in %s on line %d
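Review bot: The new test's `--SKIPIF--` section checks only `extension_loaded('gd')`, yet the test body calls `imagepng()`; on a gd build without PNG support the test would presumably fail instead of being skipped. Adding `if (!function_exists('imagepng')) die("skip png support not available\n");` to the SKIPIF block covers that case. In gd_png.c the `bail:` label would benefit from a short comment such as `/* early exit: only the png structs need releasing here */`, since the jump crosses code that is not part of the hunk.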
diff --git a/debian/patches/gentoo/006_ext-curl-set_opt-crash.patch b/debian/patches/gentoo/006_ext-curl-set_opt-crash.patch
new file mode 100644
index 0000000..eb38dcc
--- /dev/null
+++ b/debian/patches/gentoo/006_ext-curl-set_opt-crash.patch
@@ -0,0 +1,16 @@
+006_ext-curl-set_opt-crash.patch
+PHP_5_2
+http://cvs.php.net/viewvc.cgi/php-src/ext/curl/interface.c?r1=1.62.2.14.2.42&r2=1.62.2.14.2.43&diff_format=u
+http://bugs.php.net/bug.php?id=47616
+Fixed bug #47616 (curl keeps crashing)
+diff -r 9db107056020 -r 85ef4c1844f0 ext/curl/interface.c
+--- a/ext/curl/interface.c Fri Apr 10 11:25:01 2009 +0200
++++ b/ext/curl/interface.c Fri Apr 10 11:29:41 2009 +0200
+@@ -1550,6 +1550,7 @@
+ } else {
+ #if LIBCURL_VERSION_NUM >= 0x071101
+ /* with curl 7.17.0 and later, we can use COPYPOSTFIELDS, but we have to provide size before */
++ convert_to_string_ex(zvalue);
+ error = curl_easy_setopt(ch->cp, CURLOPT_POSTFIELDSIZE, Z_STRLEN_PP(zvalue));
+ error = curl_easy_setopt(ch->cp, CURLOPT_COPYPOSTFIELDS, Z_STRVAL_PP(zvalue));
+ #else
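Review bot: The value assigned to `error` by the `CURLOPT_POSTFIELDSIZE` call is overwritten by the `CURLOPT_COPYPOSTFIELDS` call on the next line, so a failure to set the size goes unnoticed while the copy is still attempted. Guarding the second call, `if (error == CURLE_OK) error = curl_easy_setopt(ch->cp, CURLOPT_COPYPOSTFIELDS, Z_STRVAL_PP(zvalue));`, keeps the two settings consistent. A one-line comment above `convert_to_string_ex(zvalue);` saying that the `Z_STRLEN_PP`/`Z_STRVAL_PP` reads below require a string zval would record why the conversion is there. The enclosing branch starts outside the hunk.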
diff --git a/debian/patches/gentoo/007_ext-sysvshm-mem-alignment-fix.patch b/debian/patches/gentoo/007_ext-sysvshm-mem-alignment-fix.patch
new file mode 100644
index 0000000..e71c810
--- /dev/null
+++ b/debian/patches/gentoo/007_ext-sysvshm-mem-alignment-fix.patch
@@ -0,0 +1,17 @@
+007_ext-sysvshm-mem-alignment-fix.patch
+PHP_5_2
+http://cvs.php.net/viewvc.cgi/php-src/ext/sysvshm/sysvshm.c?r1=1.70.2.2.2.7&r2=1.70.2.2.2.8&diff_format=u
+http://bugs.php.net/bug.php?id=47721
+Fixed bug #47721 (Aligment issues in mbstring and sysvshm extension)
+diff -r 85ef4c1844f0 -r c6515e04bd26 ext/sysvshm/sysvshm.c
+--- a/ext/sysvshm/sysvshm.c Fri Apr 10 11:29:41 2009 +0200
++++ b/ext/sysvshm/sysvshm.c Fri Apr 10 11:34:09 2009 +0200
+@@ -375,7 +375,7 @@
+ long total_size;
+ long shm_varpos;
+
+- total_size = ((long) (len + sizeof(sysvshm_chunk) - 1) / 4) * 4 + 4; /* 4-byte alligment */
++ total_size = ((long) (len + sizeof(sysvshm_chunk) - 1) / sizeof(long)) * sizeof(long) + sizeof(long); /* long alligment */
+
+ if ((shm_varpos = php_check_shm_data(ptr, key)) > 0) {
+ php_remove_shm_data(ptr, shm_varpos);
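Review bot: Rounding `total_size` to `sizeof(long)` assumes that `long` is the widest alignment any stored value needs, which does not hold on platforms where pointers or `double` are wider than `long`; the same assumption is made by `WORD_ALIGNMENT_SIZE SIZEOF_LONG` in 008_ext-mbstring-mem-alignment-fix.patch. If such targets matter, a named constant derived from the widest scalar type would be safer than `sizeof(long)` repeated three times in one expression. The trailing comment would read better as `/* round up to sizeof(long) alignment */`. The declaration of `len` is outside the hunk, so whether the sum can overflow before the cast to `long` is not visible here.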
diff --git a/debian/patches/gentoo/008_ext-mbstring-mem-alignment-fix.patch b/debian/patches/gentoo/008_ext-mbstring-mem-alignment-fix.patch
new file mode 100644
index 0000000..a41cefd
--- /dev/null
+++ b/debian/patches/gentoo/008_ext-mbstring-mem-alignment-fix.patch
@@ -0,0 +1,17 @@
+008_ext-mbstring-mem-alignment-fix.patch
+PHP_5_2
+http://cvs.php.net/viewvc.cgi/php-src/ext/mbstring/oniguruma/regint.h?r1=1.5.4.7&r2=1.5.4.8&diff_format=u
+http://bugs.php.net/bug.php?id=47721
+Fixed bug #47721 (Aligment issues in mbstring and sysvshm extension)
+diff -r c6515e04bd26 -r f5a102df944d ext/mbstring/oniguruma/regint.h
+--- a/ext/mbstring/oniguruma/regint.h Fri Apr 10 11:34:09 2009 +0200
++++ b/ext/mbstring/oniguruma/regint.h Fri Apr 10 11:35:06 2009 +0200
+@@ -256,7 +256,7 @@
+ #define NULL_UCHARP ((UChar* )0)
+
+ #ifndef PLATFORM_UNALIGNED_WORD_ACCESS
+-#define WORD_ALIGNMENT_SIZE SIZEOF_INT
++#define WORD_ALIGNMENT_SIZE SIZEOF_LONG
+
+ #define GET_ALIGNMENT_PAD_SIZE(addr,pad_size) do {\
+ (pad_size) = WORD_ALIGNMENT_SIZE \
diff --git a/debian/patches/gentoo/009_ob-memory-leaks.patch b/debian/patches/gentoo/009_ob-memory-leaks.patch
new file mode 100644
index 0000000..d8338ab
--- /dev/null
+++ b/debian/patches/gentoo/009_ob-memory-leaks.patch
@@ -0,0 +1,34 @@
+009_ob-memory-leaks.patch
+PHP_5_2
+http://cvs.php.net/viewvc.cgi/php-src/main/output.c?r1=1.167.2.3.2.8&r2=1.167.2.3.2.9&diff_format=u
+Fixed memory leak in ob_get_clean/ob_get_flush.
+
+diff -r f5a102df944d -r e2602e8d2936 main/output.c
+--- a/main/output.c Fri Apr 10 11:35:06 2009 +0200
++++ b/main/output.c Fri Apr 10 11:37:31 2009 +0200
+@@ -855,10 +855,12 @@
+ /* error checks */
+ if (!OG(ob_nesting_level)) {
+ php_error_docref("ref.outcontrol" TSRMLS_CC, E_NOTICE, "failed to delete and flush buffer. No buffer to delete or flush.");
++ zval_dtor(return_value);
+ RETURN_FALSE;
+ }
+ if (OG(ob_nesting_level) && !OG(active_ob_buffer).status && !OG(active_ob_buffer).erase) {
+ php_error_docref("ref.outcontrol" TSRMLS_CC, E_NOTICE, "failed to delete buffer %s.", OG(active_ob_buffer).handler_name);
++ zval_dtor(return_value);
+ RETURN_FALSE;
+ }
+ /* flush */
+@@ -880,10 +882,12 @@
+ /* error checks */
+ if (!OG(ob_nesting_level)) {
+ php_error_docref("ref.outcontrol" TSRMLS_CC, E_NOTICE, "failed to delete buffer. No buffer to delete.");
++ zval_dtor(return_value);
+ RETURN_FALSE;
+ }
+ if (OG(ob_nesting_level) && !OG(active_ob_buffer).status && !OG(active_ob_buffer).erase) {
+ php_error_docref("ref.outcontrol" TSRMLS_CC, E_NOTICE, "failed to delete buffer %s.", OG(active_ob_buffer).handler_name);
++ zval_dtor(return_value);
+ RETURN_FALSE;
+ }
+ /* delete buffer */
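Review bot: The four added `zval_dtor(return_value);` calls are needed only because `return_value` has apparently been filled before the error checks run; the code that fills it is outside the hunk. If that is the case, it would be worth considering whether the checks can run before the buffer is fetched, so the error paths have nothing to release. If the order has to stay, a comment such as `/* return_value already holds the buffer contents; release it before returning false */` on the first occurrence would explain the pairing. The `OG(ob_nesting_level) &&` term in the second check of each function is redundant once the first check has returned.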
diff --git a/debian/patches/gentoo/010_ext-openssl-utf8-conversion-crash.patch b/debian/patches/gentoo/010_ext-openssl-utf8-conversion-crash.patch
new file mode 100644
index 0000000..e6cdd35
--- /dev/null
+++ b/debian/patches/gentoo/010_ext-openssl-utf8-conversion-crash.patch
@@ -0,0 +1,30 @@
+010_ext-openssl-utf8-conversion-crash.patch
+PHP_5_2
+http://cvs.php.net/viewvc.cgi/php-src/ext/openssl/openssl.c?r1=1.98.2.5.2.51&r2=1.98.2.5.2.52&diff_format=u
+http://bugs.php.net/bug.php?id=47828
+Fix bug #47828 - Converting to UTF-8 can sometimes fail, check error codes and
+avoid segfault.
+
+diff -r e2602e8d2936 -r d409743914d7 ext/openssl/openssl.c
+--- a/ext/openssl/openssl.c Fri Apr 10 11:37:31 2009 +0200
++++ b/ext/openssl/openssl.c Fri Apr 10 11:39:27 2009 +0200
+@@ -301,7 +301,9 @@
+ str = X509_NAME_ENTRY_get_data(ne);
+ if (ASN1_STRING_type(str) != V_ASN1_UTF8STRING) {
+ to_add_len = ASN1_STRING_to_UTF8(&to_add, str);
+- add_next_index_stringl(subentries, (char *)to_add, to_add_len, 1);
++ if (to_add_len != -1) {
++ add_next_index_stringl(subentries, (char *)to_add, to_add_len, 1);
++ }
+ } else {
+ to_add = ASN1_STRING_data(str);
+ to_add_len = ASN1_STRING_length(str);
+@@ -317,7 +319,7 @@
+ } else {
+ zval_dtor(subentries);
+ FREE_ZVAL(subentries);
+- if (obj_cnt && str) {
++ if (obj_cnt && str && to_add_len > -1) {
+ add_assoc_stringl(subitem, sname, (char *)to_add, to_add_len, 1);
+ }
+ }
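Review bot: The two new guards test the same failure differently, `to_add_len != -1` inside the loop and `to_add_len > -1` after it, and the first form lets any other negative return value through to `add_next_index_stringl`. ASN1_STRING_to_UTF8 is documented to return a negative error code on failure, so `if (to_add_len >= 0) {` in both places would be the safer test. The buffer that ASN1_STRING_to_UTF8 stores in `to_add` is allocated by OpenSSL and the strings are added with the duplicate flag set, so it presumably needs an `OPENSSL_free(to_add);` once copied; no release is visible in the hunk, though the function continues outside it.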
diff --git a/debian/patches/gentoo/011_strnlen-compile-warning-fix.patch b/debian/patches/gentoo/011_strnlen-compile-warning-fix.patch
new file mode 100644
index 0000000..f07f484
--- /dev/null
+++ b/debian/patches/gentoo/011_strnlen-compile-warning-fix.patch
@@ -0,0 +1,17 @@
+011_strnlen-compile-warning-fix.patch
+PHP_5_2
+http://cvs.php.net/viewvc.cgi/php-src/main/spprintf.c?r1=1.25.2.2.2.15&r2=1.25.2.2.2.16&diff_format=u
+http://bugs.php.net/bug.php?id=47831
+Fixed bug #47831 (Compile warning for strnlen() in main/spprintf.c)
+
+diff -r d409743914d7 -r a5eccb8408e8 main/spprintf.c
+--- a/main/spprintf.c Fri Apr 10 11:39:27 2009 +0200
++++ b/main/spprintf.c Fri Apr 10 11:41:21 2009 +0200
+@@ -76,6 +76,7 @@
+ * SIO stdio-replacement strx_* functions by Panos Tsirigotis
+ * <panos at alumni.cs.colorado.edu> for xinetd.
+ */
++#define _GNU_SOURCE
+ #include "php.h"
+
+ #include <stddef.h>
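Review bot: `#define _GNU_SOURCE` is added unconditionally, so a build that already passes `-D_GNU_SOURCE` would get a macro-redefinition warning, which is the kind of noise this patch is meant to remove. Wrapping it as `#ifndef _GNU_SOURCE`, `# define _GNU_SOURCE`, `#endif` avoids that. A short comment saying the define is there for the `strnlen()` prototype would keep it from being removed later as unused.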
diff --git a/debian/patches/gentoo/012_ext-xmlrpc-bad-callback-crash.patch b/debian/patches/gentoo/012_ext-xmlrpc-bad-callback-crash.patch
new file mode 100644
index 0000000..51902ca
--- /dev/null
+++ b/debian/patches/gentoo/012_ext-xmlrpc-bad-callback-crash.patch
@@ -0,0 +1,64 @@
+012_ext-xmlrpc-bad-callback-crash.patch
+PHP_5_2
+http://cvs.php.net/viewvc.cgi/php-src/ext/xmlrpc/xmlrpc-epi-php.c?r1=1.39.2.5.2.13&r2=1.39.2.5.2.14&diff_format=u
+http://cvs.php.net/viewvc.cgi/php-src/ext/xmlrpc/tests/bug47818.phpt?view=markup&revision=1.1
+http://bugs.php.net/bug.php?id=47818
+Fixed bug #47818 (Segfault due to bound callback param)
+
+diff -r a5eccb8408e8 -r f582e5464d52 ext/xmlrpc/tests/bug47818.phpt
+--- /dev/null Thu Jan 01 00:00:00 1970 +0000
++++ b/ext/xmlrpc/tests/bug47818.phpt Fri Apr 10 11:42:59 2009 +0200
+@@ -0,0 +1,39 @@
++--TEST--
++Bug #47818 (Segfault due to bound callback param)
++--FILE--
++<?php
++
++class MyXmlRpc {
++ private $s;
++ private $method;
++
++ function impl($method_name, $params, $user_data){
++ $this->method = $method_name;
++ print "Inside impl(): {$this->method}\n";
++ return array_sum($params);
++ }
++
++ function __construct() {
++ $this->s = xmlrpc_server_create();
++ xmlrpc_server_register_method($this->s, 'add', array($this, 'impl'));
++ }
++
++ function call($req) {
++ return xmlrpc_server_call_method($this->s, $req, null);
++ }
++
++ function getMethod() {return $this->method;}
++
++}
++
++$x = new MyXmlRpc;
++$resp = $x->call(xmlrpc_encode_request('add', array(1, 2, 3)));
++
++$method = $x->getMethod();
++
++print "Global scope: $method\n";
++
++?>
++--EXPECTF--
++Inside impl(): add
++Global scope: add
+diff -r a5eccb8408e8 -r f582e5464d52 ext/xmlrpc/xmlrpc-epi-php.c
+--- a/ext/xmlrpc/xmlrpc-epi-php.c Fri Apr 10 11:41:21 2009 +0200
++++ b/ext/xmlrpc/xmlrpc-epi-php.c Fri Apr 10 11:42:59 2009 +0200
+@@ -1113,8 +1113,8 @@
+ }
+
+ /* cleanup after ourselves. what a sty! */
+- zval_dtor(data.xmlrpc_method);
+- FREE_ZVAL(data.xmlrpc_method);
++ zval_ptr_dtor(&data.xmlrpc_method);
++
+ zval_dtor(data.return_data);
+ FREE_ZVAL(data.return_data);
+
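Review bot: `data.xmlrpc_method` is now released with the refcount-aware `zval_ptr_dtor`, but `data.return_data` two lines below is still destroyed with `zval_dtor` followed by `FREE_ZVAL`. If the user callback can keep a reference to that zval as well, it would be freed while still referenced, and `zval_ptr_dtor(&data.return_data);` would treat both the same way; this is inferred, since the code that hands the zvals to the callback is outside the hunk. The added bug47818.phpt also has no `--SKIPIF--` section, so it would fail rather than skip where the xmlrpc extension is not loaded.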
diff --git a/debian/patches/gentoo/013_ext-session-bad-save_path-crash.patch b/debian/patches/gentoo/013_ext-session-bad-save_path-crash.patch
new file mode 100644
index 0000000..3392e03
--- /dev/null
+++ b/debian/patches/gentoo/013_ext-session-bad-save_path-crash.patch
@@ -0,0 +1,17 @@
+013_ext-session-bad-save_path-crash.patch
+PHP_5_2
+http://cvs.php.net/viewvc.cgi/php-src/ext/session/mod_files.c?r1=1.100.2.3.2.12&r2=1.100.2.3.2.13&diff_format=u
+Fixed segfault on invalid session.save_path
+
+diff -r f582e5464d52 -r a2fba1cfd647 ext/session/mod_files.c
+--- a/ext/session/mod_files.c Fri Apr 10 11:42:59 2009 +0200
++++ b/ext/session/mod_files.c Fri Apr 10 11:44:25 2009 +0200
+@@ -295,7 +295,7 @@
+ argv[argc++] = last;
+ last = ++p;
+ p = strchr(p, ';');
+- if (argc > 2) break;
++ if (argc > 1) break;
+ }
+ argv[argc++] = last;
+
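Review bot: The loop bound `argc > 1` is a bare number whose correctness depends on the size of `argv`, which is declared outside the hunk; together with the unconditional `argv[argc++] = last;` after the loop it allows at most three stores. Tying the limit to the array, e.g. `if (argc >= (int)(sizeof(argv) / sizeof(argv[0])) - 1) break;` (assuming `argv` is a local array), or at least a comment such as `/* leave one slot for the final store below */`, would stop the off-by-one from returning when the array size changes.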
diff --git a/debian/patches/gentoo/015_zend-double-efree-fix.patch b/debian/patches/gentoo/015_zend-double-efree-fix.patch
new file mode 100644
index 0000000..1cc2450
--- /dev/null
+++ b/debian/patches/gentoo/015_zend-double-efree-fix.patch
@@ -0,0 +1,16 @@
+015_zend-double-efree-fix.patch
+PHP_5_2
+http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_API.c?r1=1.296.2.27.2.41&r2=1.296.2.27.2.42&diff_format=u
+Fixed double efree()
+
+diff -r 9f16d9bf044a -r fc79c5cbba99 Zend/zend_API.c
+--- a/Zend/zend_API.c Sat Apr 11 12:51:18 2009 +0200
++++ b/Zend/zend_API.c Sat Apr 11 12:53:26 2009 +0200
+@@ -1782,7 +1782,6 @@
+ fname_len = strlen(ptr->fname);
+ lowercase_name = zend_str_tolower_dup(ptr->fname, fname_len);
+ if (zend_hash_exists(target_function_table, lowercase_name, fname_len+1)) {
+- efree(lowercase_name);
+ zend_error(error_type, "Function registration failed - duplicate name - %s%s%s", scope ? scope->name : "", scope ? "::" : "", ptr->fname);
+ }
+ efree(lowercase_name);
diff --git a/debian/patches/gentoo/016_ext-curl-open_basedir-bypass.patch b/debian/patches/gentoo/016_ext-curl-open_basedir-bypass.patch
new file mode 100644
index 0000000..dca84a8
--- /dev/null
+++ b/debian/patches/gentoo/016_ext-curl-open_basedir-bypass.patch
@@ -0,0 +1,192 @@
+016_ext-curl-open_basedir-bypass.patch
+PHP_5_2
+http://securityreason.com/securityalert/5564
+http://cvs.php.net/viewvc.cgi/php-src/ext/curl/interface.c?r1=1.62.2.14.2.43&r2=1.62.2.14.2.44&diff_format=u
+http://cvs.php.net/viewvc.cgi/php-src/ext/curl/interface.c?r1=1.62.2.14.2.44&r2=1.62.2.14.2.45
+http://cvs.php.net/viewvc.cgi/php-src/ext/curl/interface.c?r1=1.62.2.14.2.45&r2=1.62.2.14.2.46&diff_format=u
+"disable file:// when safe_mode or open_basedir are enabled"
+("improve file:// deactivation in curl_init and do not allow to enable it again
+manually", "fix zts build")
+
+diff -r fc79c5cbba99 -r a3454e7da0bc ext/curl/interface.c
+--- a/ext/curl/interface.c Sat Apr 11 12:53:26 2009 +0200
++++ b/ext/curl/interface.c Thu Apr 16 19:21:07 2009 +0200
+@@ -147,6 +147,7 @@
+ #endif
+ /* }}} */
+
++static void _php_curl_close_ex(php_curl *ch TSRMLS_DC);
+ static void _php_curl_close(zend_rsrc_list_entry *rsrc TSRMLS_DC);
+
+ #define SAVE_CURL_ERROR(__handle, __err) (__handle)->err.no = (int) __err;
+@@ -162,31 +163,44 @@
+ #define php_curl_ret(__ret) RETVAL_FALSE; return;
+ #endif
+
+-#define PHP_CURL_CHECK_OPEN_BASEDIR(str, len, __ret) \
+- if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \
+- strncasecmp(str, "file:", sizeof("file:") - 1) == 0) \
+- { \
+- php_url *tmp_url; \
+- \
+- if (!(tmp_url = php_url_parse_ex(str, len))) { \
+- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid URL '%s'", str); \
+- php_curl_ret(__ret); \
+- } \
+- \
+- if (tmp_url->host || !php_memnstr(str, tmp_url->path, strlen(tmp_url->path), str + len)) { \
+- php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL '%s' contains unencoded control characters", str); \
+- php_url_free(tmp_url); \
+- php_curl_ret(__ret); \
+- } \
+- \
+- if (tmp_url->query || tmp_url->fragment || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
+- (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \
+- ) { \
+- php_url_free(tmp_url); \
+- php_curl_ret(__ret); \
+- } \
+- php_url_free(tmp_url); \
++static int php_curl_option_url(php_curl *ch, const char *url, const int len) {
++ CURLcode error=CURLE_OK;
++#if LIBCURL_VERSION_NUM < 0x071100
++ char *copystr = NULL;
++#endif
++ TSRMLS_FETCH();
++
++ /* Disable file:// if open_basedir or safe_mode are used */
++ if ((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) {
++#if LIBCURL_VERSION_NUM >= 0x071304
++ error = curl_easy_setopt(ch->cp, CURLOPT_PROTOCOLS, CURLPROTO_ALL & ~CURLPROTO_FILE);
++#else
++ php_url *uri;
++
++ if (!(uri = php_url_parse_ex(url, len))) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid URL '%s'", url);
++ return 0;
++ }
++
++ if (!strncasecmp("file", uri->scheme, sizeof("file"))) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Protocol 'file' disabled in cURL");
++ php_url_free(uri);
++ return 0;
++ }
++ php_url_free(uri);
++#endif
+ }
++ /* Strings passed to libcurl as 'char *' arguments, are copied by the library... NOTE: before 7.17.0 strings were not copied. */
++#if LIBCURL_VERSION_NUM >= 0x071100
++ error = curl_easy_setopt(ch->cp, CURLOPT_URL, url);
++#else
++ copystr = estrndup(url, len);
++ error = curl_easy_setopt(ch->cp, CURLOPT_URL, copystr);
++ zend_llist_add_element(&ch->to_free.str, ©str);
++#endif
++
++ return (error == CURLE_OK ? 1 : 0);
++}
+
+ /* {{{ arginfo */
+ static
+@@ -1102,7 +1116,6 @@
+
+ if (argc > 0) {
+ convert_to_string_ex(url);
+- PHP_CURL_CHECK_OPEN_BASEDIR(Z_STRVAL_PP(url), Z_STRLEN_PP(url), (void) NULL);
+ }
+
+ cp = curl_easy_init();
+@@ -1140,15 +1153,10 @@
+ #endif
+
+ if (argc > 0) {
+-#if LIBCURL_VERSION_NUM >= 0x071100
+- curl_easy_setopt(ch->cp, CURLOPT_URL, Z_STRVAL_PP(url));
+-#else
+- char *urlcopy;
+-
+- urlcopy = estrndup(Z_STRVAL_PP(url), Z_STRLEN_PP(url));
+- curl_easy_setopt(ch->cp, CURLOPT_URL, urlcopy);
+- zend_llist_add_element(&ch->to_free.str, &urlcopy);
+-#endif
++ if (!php_curl_option_url(ch, Z_STRVAL_PP(url), Z_STRLEN_PP(url))) {
++ _php_curl_close_ex(ch TSRMLS_CC);
++ RETURN_FALSE;
++ }
+ }
+
+ ZEND_REGISTER_RESOURCE(return_value, ch, le_curl);
+@@ -1304,6 +1312,13 @@
+ case CURLOPT_TCP_NODELAY:
+ #endif
+ convert_to_long_ex(zvalue);
++#if LIBCURL_VERSION_NUM >= 0x71304
++ if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && (Z_LVAL_PP(zvalue) & CURLPROTO_FILE)) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "CURLPROTO_FILE cannot be activated when in safe_mode or an open_basedir is set");
++ RETVAL_FALSE;
++ return 1;
++ }
++#endif
+ error = curl_easy_setopt(ch->cp, option, Z_LVAL_PP(zvalue));
+ break;
+ case CURLOPT_FOLLOWLOCATION:
+@@ -1348,18 +1363,20 @@
+ convert_to_string_ex(zvalue);
+
+ if (option == CURLOPT_URL) {
+- PHP_CURL_CHECK_OPEN_BASEDIR(Z_STRVAL_PP(zvalue), Z_STRLEN_PP(zvalue), 1);
++ if (!php_curl_option_url(ch, Z_STRVAL_PP(zvalue), Z_STRLEN_PP(zvalue))) {
++ RETVAL_FALSE;
++ return 1;
++ }
++ } else {
++#if LIBCURL_VERSION_NUM >= 0x071100
++ /* Strings passed to libcurl as âchar *â arguments, are copied by the library... NOTE: before 7.17.0 strings were not copied. */
++ error = curl_easy_setopt(ch->cp, option, Z_STRVAL_PP(zvalue));
++#else
++ copystr = estrndup(Z_STRVAL_PP(zvalue), Z_STRLEN_PP(zvalue));
++ error = curl_easy_setopt(ch->cp, option, copystr);
++ zend_llist_add_element(&ch->to_free.str, ©str);
++#endif
+ }
+-
+-#if LIBCURL_VERSION_NUM >= 0x071100
+- /* Strings passed to libcurl as âchar *â arguments, are copied by the library... NOTE: before 7.17.0 strings were not copied. */
+- error = curl_easy_setopt(ch->cp, option, Z_STRVAL_PP(zvalue));
+-#else
+- copystr = estrndup(Z_STRVAL_PP(zvalue), Z_STRLEN_PP(zvalue));
+- error = curl_easy_setopt(ch->cp, option, copystr);
+- zend_llist_add_element(&ch->to_free.str, ©str);
+-#endif
+-
+ break;
+ }
+ case CURLOPT_FILE:
+@@ -1982,10 +1999,8 @@
+
+ /* {{{ _php_curl_close()
+ List destructor for curl handles */
+-static void _php_curl_close(zend_rsrc_list_entry *rsrc TSRMLS_DC)
++static void _php_curl_close_ex(php_curl *ch TSRMLS_DC)
+ {
+- php_curl *ch = (php_curl *) rsrc->ptr;
+-
+ #if PHP_CURL_DEBUG
+ fprintf(stderr, "DTOR CALLED, ch = %x\n", ch);
+ #endif
+@@ -2024,6 +2039,15 @@
+ }
+ /* }}} */
+
++/* {{{ _php_curl_close()
++ List destructor for curl handles */
++static void _php_curl_close(zend_rsrc_list_entry *rsrc TSRMLS_DC)
++{
++ php_curl *ch = (php_curl *) rsrc->ptr;
++ _php_curl_close_ex(ch TSRMLS_CC);
++}
++/* }}} */
++
+ #endif /* HAVE_CURL */
+
+ /*
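Review bot: In `php_curl_option_url` the result of the `CURLOPT_PROTOCOLS` call is overwritten by the later `CURLOPT_URL` assignment to `error`, so a failure to disable file:// is silently ignored and the URL is still set; returning 0 when that call fails keeps the restriction fail-closed. In the pre-7.19.4 branch `uri->scheme` is passed to `strncasecmp` without a NULL test, which looks unsafe for a URL that parses without a scheme. The `CURLPROTO_FILE` test added to the long-option case of the setopt switch does not look at `option`, so as far as the hunk shows any long option in that case group whose value has that bit set would be refused under open_basedir or safe_mode; the case list starts outside the hunk. The fence below sketches the three changes.

```c
static int php_curl_option_url(php_curl *ch, const char *url, const int len) {
	/* … unchanged: declarations, TSRMLS_FETCH() … */
	if ((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) {
#if LIBCURL_VERSION_NUM >= 0x071304
		error = curl_easy_setopt(ch->cp, CURLOPT_PROTOCOLS, CURLPROTO_ALL & ~CURLPROTO_FILE);
		if (error != CURLE_OK) {
			/* fail closed: do not accept the URL if file:// could not be disabled */
			return 0;
		}
#else
		/* … unchanged: php_url_parse_ex() and its failure path … */
		if (uri->scheme && !strncasecmp("file", uri->scheme, sizeof("file"))) {
			/* … unchanged: warning, php_url_free(uri), return 0 … */
		}
		/* … unchanged: php_url_free(uri) … */
#endif
	}
	/* … unchanged: CURLOPT_URL assignment and return … */

/* long-option case of the setopt switch */
#if LIBCURL_VERSION_NUM >= 0x071304
			if ((option == CURLOPT_PROTOCOLS || option == CURLOPT_REDIR_PROTOCOLS) &&
				((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) &&
				(Z_LVAL_PP(zvalue) & CURLPROTO_FILE)) {
				/* … unchanged: warning, RETVAL_FALSE, return 1 … */
			}
#endif
```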
diff --git a/debian/patches/series b/debian/patches/series
index a55b317..7b147f9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -34,3 +34,15 @@ libedit_is_editline.patch
bad_whatis_entries.patch
sockets_spelling.patch
curl_streams_sleep.patch
+gentoo/003_ext-zip-memory-corruptions.patch
+gentoo/005_ext-gd-imagepng-empty-image-crash.patch
+gentoo/006_ext-curl-set_opt-crash.patch
+gentoo/007_ext-sysvshm-mem-alignment-fix.patch
+gentoo/008_ext-mbstring-mem-alignment-fix.patch
+gentoo/009_ob-memory-leaks.patch
+gentoo/010_ext-openssl-utf8-conversion-crash.patch
+gentoo/011_strnlen-compile-warning-fix.patch
+gentoo/013_ext-session-bad-save_path-crash.patch
+gentoo/015_zend-double-efree-fix.patch
+gentoo/016_ext-curl-open_basedir-bypass.patch
+gentoo/012_ext-xmlrpc-bad-callback-crash.patch
--
1.5.6.5