rpms/php/FC-4 php-5.0.5-CVE-2005-3883.patch, NONE, 1.1 php-5.0.5-CVE-2006-0207.patch, NONE, 1.1 php-5.0.5-CVE-2006-0208.patch, NONE, 1.1 php-5.0.5-CVE-2006-0996.patch, NONE, 1.1 php-5.0.5-a2hfixes.patch, NONE, 1.1 php-5.1.2-CVE-2006-1490.patch, NONE, 1.1 .cvsignore, 1.25, 1.26 php.spec, 1.82, 1.83 sources, 1.26, 1.27 php-4.3.6-umask.patch, 1.2, NONE
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Thu Apr 20 14:52:44 UTC 2006
Author: jorton
Update of /cvs/dist/rpms/php/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv21427
Modified Files:
.cvsignore php.spec sources
Added Files:
php-5.0.5-CVE-2005-3883.patch php-5.0.5-CVE-2006-0207.patch
php-5.0.5-CVE-2006-0208.patch php-5.0.5-CVE-2006-0996.patch
php-5.0.5-a2hfixes.patch php-5.1.2-CVE-2006-1490.patch
Removed Files:
php-4.3.6-umask.patch
Log Message:
* Thu Apr 20 2006 Joe Orton <jorton at redhat.com> 5.0.5-2.2
- add security fixes from upstream:
* phpinfo XSS (CVE-2006-0996)
* binary safeness fix for html_entity_decode (CVE-2006-1490)
* session ID response splitting/XSS fix (CVE-2006-0207)
* XSS issues in "html_errors" mode (CVE-2006-0208)
* mbstring header validation (CVE-2005-3883)
- add apache2handler SAPI fixes (#168442)
- pear: update to XML_RPC-1.4.8
php-5.0.5-CVE-2005-3883.patch:
mbstring.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-------
1 files changed, 57 insertions(+), 7 deletions(-)
--- NEW FILE php-5.0.5-CVE-2005-3883.patch ---
--- php-5.0.5/ext/mbstring/mbstring.c.cve3883
+++ php-5.0.5/ext/mbstring/mbstring.c
@@ -17,7 +17,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: mbstring.c,v 1.214.2.4 2005/02/21 15:15:08 moriyoshi Exp $ */
+/* $Id: mbstring.c,v 1.214.2.8 2005/12/23 11:15:32 hirokawa Exp $ */
/*
* PHP 4 Multibyte String module "mbstring"
@@ -1736,6 +1736,11 @@
}
}
+ if (((MBSTRG(func_overload) & MB_OVERLOAD_STRING) == MB_OVERLOAD_STRING)
+ && (from >= mbfl_strlen(&string))) {
+ RETURN_FALSE;
+ }
+
ret = mbfl_substr(&string, &result, from, len);
if (ret != NULL) {
RETVAL_STRINGL((char *)ret->val, ret->len, 0); /* the string is already strdup()'ed */
@@ -2267,7 +2272,7 @@
}
/* }}} */
-/* {{{ proto string mb_encode_mimeheader(string str [, string charset [, string transfer-encoding [, string linefeed]]])
+/* {{{ proto string mb_encode_mimeheader(string str [, string charset [, string transfer-encoding [, string linefeed [, int indent]]]])
Converts the string to MIME "encoded-word" in the format of =?charset?(B|Q)?encoded_string?= */
PHP_FUNCTION(mb_encode_mimeheader)
{
@@ -2279,12 +2284,13 @@
int trans_enc_name_len;
char *linefeed = "\r\n";
int linefeed_len;
+ int indent = 0;
mbfl_string_init(&string);
string.no_language = MBSTRG(current_language);
string.no_encoding = MBSTRG(current_internal_encoding);
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|sss", (char **)&string.val, &string.len, &charset_name, &charset_name_len, &trans_enc_name, &trans_enc_name_len, &linefeed, &linefeed_len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|sssl", (char **)&string.val, &string.len, &charset_name, &charset_name_len, &trans_enc_name, &trans_enc_name_len, &linefeed, &linefeed_len, &indent) == FAILURE) {
return;
}
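Review bot: `indent` is declared as `int`, but the new `"s|sssl"` format fills it through the `l` specifier, which stores a `long`; where `long` is wider than `int`, that store writes past `indent` on the stack. Declaring it as `long indent = 0;` matches the specifier. The value then reaches `mbfl_mime_header_encode()` in the following hunk without a range check, and whether that function tolerates negative or very large values is not visible here. The body of `mb_encode_mimeheader` continues outside this hunk.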
@@ -2314,7 +2320,7 @@
}
mbfl_string_init(&result);
- ret = mbfl_mime_header_encode(&string, &result, charset, transenc, linefeed, 0);
+ ret = mbfl_mime_header_encode(&string, &result, charset, transenc, linefeed, indent);
if (ret != NULL) {
RETVAL_STRINGL((char *)ret->val, ret->len, 0) /* the string is already strdup()'ed */
} else {
@@ -2770,6 +2776,15 @@
*/
#if HAVE_SENDMAIL
+#define SKIP_LONG_HEADER_SEP_MBSTRING(str, pos) \
+ if (str[pos] == '\r' && str[pos + 1] == '\n' && (str[pos + 2] == ' ' || str[pos + 2] == '\t')) { \
+ pos += 3; \
+ while (str[pos] == ' ' || str[pos] == '\t') { \
+ pos++; \
+ } \
+ continue; \
+ }
+
#define APPEND_ONE_CHAR(ch) do { \
if (token.a > 0) { \
smart_str_appendc(&token, ch); \
@@ -2981,6 +2996,9 @@
int subject_len;
char *extra_cmd=NULL;
int extra_cmd_len;
+ int i;
+ char *to_r;
+ char *force_extra_parameters = INI_STR("mail.force_extra_parameters");
struct {
int cnt_type:1;
int cnt_trans_enc:1;
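Review bot: `to_r` is declared without an initializer, and the `To:` handling added in the next hunk assigns it only when `to != NULL`. The cleanup added near the end of the function then evaluates `to_r != to`, so on the "Missing To: field" path it would compare an indeterminate pointer and could hand it to `efree()`. Whether `to` can actually be NULL after argument parsing is not visible here, but `char *to_r = NULL;` makes that path safe either way. The function body starts and ends outside this hunk.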
@@ -3086,7 +3104,30 @@
}
/* To: */
- if (to == NULL || to_len <= 0) {
+ if (to != NULL) {
+ if (to_len > 0) {
+ to_r = estrndup(to, to_len);
+ for (; to_len; to_len--) {
+ if (!isspace((unsigned char) to_r[to_len - 1])) {
+ break;
+ }
+ to_r[to_len - 1] = '\0';
+ }
+ for (i = 0; to_r[i]; i++) {
+ if (iscntrl((unsigned char) to_r[i])) {
+ /* According to RFC 822, section 3.1.1 long headers may be separated into
+ * parts using CRLF followed at least one linear-white-space character ('\t' or ' ').
+ * To prevent these separators from being replaced with a space, we use the
+ * SKIP_LONG_HEADER_SEP_MBSTRING to skip over them.
+ */
+ SKIP_LONG_HEADER_SEP_MBSTRING(to_r, i);
+ to_r[i] = ' ';
+ }
+ }
+ } else {
+ to_r = to;
+ }
+ } else {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Missing To: field");
err = 1;
}
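Review bot: The `continue` inside `SKIP_LONG_HEADER_SEP_MBSTRING` triggers the loop's `i++` after the macro has already moved `i` to the first byte following the folding whitespace, so that byte is never tested by `iscntrl()` and a control character directly after a folded line break stays in `to_r`. Keeping the index one short inside the macro lets the loop increment land on the next unchecked byte: `pos += 2; while (str[pos + 1] == ' ' || str[pos + 1] == '\t') { pos++; }`. Separately, an empty `to` (`to_len == 0`) now falls into `to_r = to` and no longer raises the "Missing To: field" warning that the removed condition produced.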
@@ -3182,12 +3223,20 @@
mbfl_memory_device_output('\0', &device);
headers = (char *)device.buffer;
- if (!err && php_mail(to, subject, message, headers, extra_cmd TSRMLS_CC)) {
+ if (force_extra_parameters) {
+ extra_cmd = estrdup(force_extra_parameters);
+ } else if (extra_cmd) {
+ extra_cmd = php_escape_shell_cmd(extra_cmd);
+ }
+
+ if (!err && php_mail(to_r, subject, message, headers, extra_cmd TSRMLS_CC)) {
RETVAL_TRUE;
} else {
RETVAL_FALSE;
}
-
+ if (to_r != to) {
+ efree(to_r);
+ }
if (subject_buf) {
efree((void *)subject_buf);
}
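Review bot: Both branches added before `php_mail()` replace `extra_cmd` with a newly allocated string (`estrdup()` or the result of `php_escape_shell_cmd()`), yet the cleanup visible in this hunk releases only `to_r` and `subject_buf`. Unless `extra_cmd` is freed in the part of the function outside the hunk, every call leaks that buffer. After this block `extra_cmd` is either NULL or heap-allocated, so `if (extra_cmd) { efree(extra_cmd); }` next to the other `efree()` calls would be safe.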
@@ -3198,6 +3247,7 @@
zend_hash_destroy(&ht_headers);
}
+#undef SKIP_LONG_HEADER_SEP_MBSTRING
#undef APPEND_ONE_CHAR
#undef SEPARATE_SMART_STR
#undef PHP_MBSTR_MAIL_MIME_HEADER1
php-5.0.5-CVE-2006-0207.patch:
SAPI.c | 13 +++++++++++++
1 files changed, 13 insertions(+)
--- NEW FILE php-5.0.5-CVE-2006-0207.patch ---
iliaa Mon Dec 5 22:40:10 2005 EDT
Modified files: (Branch: PHP_4_4)
/php-src NEWS
/php-src/main SAPI.c
Log:
MFH: Prevent header injection by limiting each header to a single line.
--- php-5.0.5/main/SAPI.c.cve0207
+++ php-5.0.5/main/SAPI.c
@@ -546,6 +546,19 @@
while(isspace(header_line[header_line_len-1]))
header_line[--header_line_len]='\0';
+ /* new line safety check */
+ {
+ char *s = header_line, *e = header_line + header_line_len, *p;
+ while (s < e && (p = memchr(s, '\n', (e - s)))) {
+ if (*(p + 1) == ' ' || *(p + 1) == '\t') {
+ s = p + 1;
+ continue;
+ }
+ efree(header_line);
+ sapi_module.sapi_error(E_WARNING, "Header may not contain more then a single header, new line detected.");
+ return FAILURE;
+ }
+ }
sapi_header.header = header_line;
sapi_header.header_len = header_line_len;
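Review bot: The new scan looks only for `'\n'`, so a header line carrying a bare `'\r'` still passes; some clients and intermediaries treat a lone CR as a line terminator, so the check would be tighter if it also rejected any `'\r'` that is not part of an accepted continuation sequence. A `'\n'` followed by a space or tab is deliberately allowed as a folded header, and a comment saying so above the inner `if` would make that intent explicit. The warning text also has a typo; it should read `"Header may not contain more than a single header, new line detected."`. The enclosing function starts and ends outside this hunk.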
php-5.0.5-CVE-2006-0208.patch:
main.c | 21 ++++++++++++++++-----
1 files changed, 16 insertions(+), 5 deletions(-)
--- NEW FILE php-5.0.5-CVE-2006-0208.patch ---
--- php-5.0.5/main/main.c.cve0208
+++ php-5.0.5/main/main.c
@@ -515,7 +515,10 @@
}
/* display html formatted or only show the additional links */
if (PG(html_errors)) {
- spprintf(&message, 0, "%s [<a href='%s%s%s'>%s</a>]: %s", origin, docref_root, docref, docref_target, docref, buffer);
+ int len;
+ char *replace = php_escape_html_entities(params, strlen(params), &len, 0, ENT_COMPAT, NULL TSRMLS_CC);
+ spprintf(&message, "%s(%s) [<a href='%s%s%s'>%s</a>]: %s", get_active_function_name(TSRMLS_C), replace, docref_root, docref, docref_target, docref, buffer);
+ efree(replace);
} else {
spprintf(&message, 0, "%s [%s%s%s]: %s", origin, docref_root, docref, docref_target, buffer);
}
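Review bot: The added `spprintf()` call drops the `max_len` argument that the unchanged call in the `else` branch still passes as `0`. As written, the format literal lands in the `max_len` slot and the return value of `get_active_function_name()` is used as the format string. The call should read `spprintf(&message, 0, "%s(%s) [<a href='%s%s%s'>%s</a>]: %s", get_active_function_name(TSRMLS_C), replace, docref_root, docref, docref_target, docref, buffer);`. `strlen(params)` also assumes `params` is never NULL, which cannot be confirmed from this hunk.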
@@ -730,10 +733,18 @@
} else {
char *prepend_string = INI_STR("error_prepend_string");
char *append_string = INI_STR("error_append_string");
- char *error_format = PG(html_errors) ?
- "%s<br />\n<b>%s</b>: %s in <b>%s</b> on line <b>%d</b><br />\n%s"
- : "%s\n%s: %s in %s on line %d\n%s";
- php_printf(error_format, STR_PRINT(prepend_string), error_type_str, buffer, error_filename, error_lineno, STR_PRINT(append_string));
+ if (PG(html_errors)) {
+ if (type == E_ERROR) {
+ int len;
+ char *buf = php_escape_html_entities(buffer, buffer_len, &len, 0, ENT_COMPAT, NULL TSRMLS_CC);
+ php_printf("%s<br />\n<b>%s</b>: %s in <b>%s</b> on line <b>%d</b><br />\n%s", STR_PRINT(prepend_string), error_type_str, buf, error_filename, error_lineno, STR_PRINT(append_string));
+ efree(buf);
+ } else {
+ php_printf("%s<br />\n<b>%s</b>: %s in <b>%s</b> on line <b>%d</b><br />\n%s", STR_PRINT(prepend_string), error_type_str, buffer, error_filename, error_lineno, STR_PRINT(append_string));
+ }
+ } else {
+ php_printf("%s\n%s: %s in %s on line %d\n%s", STR_PRINT(prepend_string), error_type_str, buffer, error_filename, error_lineno, STR_PRINT(append_string));
+ }
}
}
#if ZEND_DEBUG
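Review bot: In `html_errors` mode the message is escaped only when `type == E_ERROR`; every other type still prints `buffer` verbatim, and `error_filename` is not escaped in either branch. If that is intentional because non-fatal messages presumably arrive already formatted as HTML, a comment should say so, for example `/* non-E_ERROR messages are already HTML-formatted; only fatal error text is raw */`. The HTML format literal now appears twice and could be held in one `const char *` so the two calls cannot drift apart.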
php-5.0.5-CVE-2006-0996.patch:
info.c | 38 +++++++++++++++++++-------------------
1 files changed, 19 insertions(+), 19 deletions(-)
--- NEW FILE php-5.0.5-CVE-2006-0996.patch ---
--- php-5.0.5/ext/standard/info.c.cve0996
+++ php-5.0.5/ext/standard/info.c
@@ -58,6 +58,21 @@
PHPAPI extern char *php_ini_opened_path;
PHPAPI extern char *php_ini_scanned_files;
+
+static int php_info_write_wrapper(const char *str, uint str_length)
+{
+ TSRMLS_FETCH();
+
+ int new_len, written;
+ char *elem_esc = php_escape_html_entities((char *)str, str_length, &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
+
+ written = php_body_write(elem_esc, new_len TSRMLS_CC);
+
+ efree(elem_esc);
+
+ return written;
+}
+
/* {{{ _display_module_info
*/
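Review bot: `php_info_write_wrapper()` has no header comment, and two things about it are not obvious from the call site. It HTML-escapes every chunk with `ENT_QUOTES` before writing, and it returns the number of escaped bytes written rather than `str_length`. A short comment stating both would help anyone reusing it as a write callback. `TSRMLS_FETCH();` also sits ahead of `int new_len, written;`, which leaves a statement before declarations in builds where the macro expands to nothing; moving the declarations first would be more portable.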
@@ -135,28 +150,13 @@
PUTS(" => ");
}
if (Z_TYPE_PP(tmp) == IS_ARRAY) {
- zval *tmp3;
-
- MAKE_STD_ZVAL(tmp3);
-
if (!sapi_module.phpinfo_as_text) {
PUTS("<pre>");
- }
- php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
-
- zend_print_zval_r(*tmp, 0 TSRMLS_CC);
-
- php_ob_get_buffer(tmp3 TSRMLS_CC);
- php_end_ob_buffer(0, 0 TSRMLS_CC);
-
- elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
- PUTS(elem_esc);
- efree(elem_esc);
- zval_ptr_dtor(&tmp3);
-
- if (!sapi_module.phpinfo_as_text) {
+ zend_print_zval_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0 TSRMLS_CC);
PUTS("</pre>");
- }
+ } else {
+ zend_print_zval_r(*tmp, 0 TSRMLS_CC);
+ }
} else if (Z_TYPE_PP(tmp) != IS_STRING) {
tmp2 = **tmp;
zval_copy_ctor(&tmp2);
php-5.0.5-a2hfixes.patch:
php_functions.c | 51 ++++++++++++++++++----------
sapi_apache2.c | 99 ++++++++++++++++++++++++++++++++++++--------------------
2 files changed, 98 insertions(+), 52 deletions(-)
--- NEW FILE php-5.0.5-a2hfixes.patch ---
--- php-5.0.5/sapi/apache2handler/sapi_apache2.c.a2hfixes
+++ php-5.0.5/sapi/apache2handler/sapi_apache2.c
@@ -86,7 +86,7 @@
php_apache_sapi_header_handler(sapi_header_struct *sapi_header,sapi_headers_struct *sapi_headers TSRMLS_DC)
{
php_struct *ctx;
- char *val;
+ char *val, *ptr;
ctx = SG(server_context);
@@ -96,6 +96,7 @@
sapi_free_header(sapi_header);
return 0;
}
+ ptr = val;
*val = '\0';
@@ -111,6 +112,7 @@
} else {
apr_table_add(ctx->r->headers_out, sapi_header->header, val);
}
+ *ptr = ':';
return SAPI_HEADER_ADD;
}
@@ -175,13 +177,13 @@
ctx->finfo.st_dev = ctx->r->finfo.device;
ctx->finfo.st_ino = ctx->r->finfo.inode;
#if defined(NETWARE) && defined(CLIB_STAT_PATCH)
- ctx->finfo.st_atime.tv_sec = ctx->r->finfo.atime/1000000;
- ctx->finfo.st_mtime.tv_sec = ctx->r->finfo.mtime/1000000;
- ctx->finfo.st_ctime.tv_sec = ctx->r->finfo.ctime/1000000;
+ ctx->finfo.st_atime.tv_sec = apr_time_sec(ctx->r->finfo.atime);
+ ctx->finfo.st_mtime.tv_sec = apr_time_sec(ctx->r->finfo.mtime);
+ ctx->finfo.st_ctime.tv_sec = apr_time_sec(ctx->r->finfo.ctime);
#else
- ctx->finfo.st_atime = ctx->r->finfo.atime/1000000;
- ctx->finfo.st_mtime = ctx->r->finfo.mtime/1000000;
- ctx->finfo.st_ctime = ctx->r->finfo.ctime/1000000;
+ ctx->finfo.st_atime = apr_time_sec(ctx->r->finfo.atime);
+ ctx->finfo.st_mtime = apr_time_sec(ctx->r->finfo.mtime);
+ ctx->finfo.st_ctime = apr_time_sec(ctx->r->finfo.ctime);
#endif
ctx->finfo.st_size = ctx->r->finfo.size;
@@ -221,7 +223,7 @@
char *key, *val;
APR_ARRAY_FOREACH_OPEN(arr, key, val)
- if (!val) val = empty_string;
+ if (!val) val = "";
php_register_variable(key, val, track_vars_array TSRMLS_CC);
APR_ARRAY_FOREACH_CLOSE()
@@ -278,6 +280,11 @@
}
}
+static time_t php_apache_sapi_get_request_time(TSRMLS_D) {
+ php_struct *ctx = SG(server_context);
+ return apr_time_sec(ctx->r->request_time);
+}
+
extern zend_module_entry php_apache_module;
static int php_apache2_startup(sapi_module_struct *sapi_module)
@@ -314,6 +321,7 @@
php_apache_sapi_register_variables,
php_apache_sapi_log_message, /* Log message */
+ php_apache_sapi_get_request_time, /* Request Time */
STANDARD_SAPI_MODULE_PROPERTIES
};
@@ -449,6 +445,18 @@
php_request_shutdown(NULL);
}
+static void php_apache_ini_dtor(request_rec *r, request_rec *p TSRMLS_DC)
+{
+ if (strcmp(r->protocol, "INCLUDED")) {
+ zend_try { zend_ini_deactivate(TSRMLS_C); } zend_end_try();
+ }
+ if (p) {
+ ((php_struct *)SG(server_context))->r = p;
+ } else {
+ apr_pool_cleanup_run(r->pool, (void *)&SG(server_context), php_server_context_cleanup);
+ }
+}
+
static int php_handler(request_rec *r)
{
php_struct *ctx;
@@ -459,15 +467,32 @@
request_rec *parent_req = NULL;
TSRMLS_FETCH();
+#define PHPAP_INI_OFF php_apache_ini_dtor(r, parent_req TSRMLS_CC);
+
conf = ap_get_module_config(r->per_dir_config, &php5_module);
+
+ /* apply_config() needs r in some cases, so allocate server_context early */
+ ctx = SG(server_context);
+ if (ctx == NULL || (ctx && ctx->request_processed && !strcmp(r->protocol, "INCLUDED"))) {
+normal:
+ ctx = SG(server_context) = apr_pcalloc(r->pool, sizeof(*ctx));
+ /* register a cleanup so we clear out the SG(server_context)
+ * after each request. Note: We pass in the pointer to the
+ * server_context in case this is handled by a different thread.
+ */
+ apr_pool_cleanup_register(r->pool, (void *)&SG(server_context), php_server_context_cleanup, apr_pool_cleanup_null);
+ ctx->r = r;
+ ctx = NULL; /* May look weird to null it here, but it is to catch the right case in the first_try later on */
+ } else {
+ parent_req = ctx->r;
+ ctx->r = r;
+ }
apply_config(conf);
if (strcmp(r->handler, PHP_MAGIC_TYPE) && strcmp(r->handler, PHP_SOURCE_MAGIC_TYPE) && strcmp(r->handler, PHP_SCRIPT)) {
/* Check for xbithack in this case. */
if (!AP2(xbithack) || strcmp(r->handler, "text/html") || !(r->finfo.protection & APR_UEXECUTE)) {
- zend_try {
- zend_ini_deactivate(TSRMLS_C);
- } zend_end_try();
+ PHPAP_INI_OFF;
return DECLINED;
}
}
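Review bot: `PHPAP_INI_OFF` is defined with a trailing semicolon and each use adds another, so `PHPAP_INI_OFF;` expands to two statements and would misbehave as the body of an unbraced `if`/`else`. Define it as `#define PHPAP_INI_OFF php_apache_ini_dtor(r, parent_req TSRMLS_CC)` and add a matching `#undef PHPAP_INI_OFF` at the end of `php_handler()`, whose body continues outside this hunk. In the new condition the inner `ctx &&` is redundant after `ctx == NULL ||`.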
@@ -476,32 +501,24 @@
* the configuration; default behaviour is to accept. */
if (r->used_path_info == AP_REQ_REJECT_PATH_INFO
&& r->path_info && r->path_info[0]) {
- zend_try {
- zend_ini_deactivate(TSRMLS_C);
- } zend_end_try();
+ PHPAP_INI_OFF;
return HTTP_NOT_FOUND;
}
/* handle situations where user turns the engine off */
if (!AP2(engine)) {
- zend_try {
- zend_ini_deactivate(TSRMLS_C);
- } zend_end_try();
+ PHPAP_INI_OFF;
return DECLINED;
}
if (r->finfo.filetype == 0) {
php_apache_sapi_log_message_ex("script '%s' not found or unable to stat", r);
- zend_try {
- zend_ini_deactivate(TSRMLS_C);
- } zend_end_try();
+ PHPAP_INI_OFF;
return HTTP_NOT_FOUND;
}
if (r->finfo.filetype == APR_DIR) {
php_apache_sapi_log_message_ex("attempt to invoke directory '%s' as script", r);
- zend_try {
- zend_ini_deactivate(TSRMLS_C);
- } zend_end_try();
+ PHPAP_INI_OFF;
return HTTP_FORBIDDEN;
}
@@ -517,25 +534,27 @@
zend_first_try {
- ctx = SG(server_context);
if (ctx == NULL) {
-normal:
- ctx = SG(server_context) = apr_pcalloc(r->pool, sizeof(*ctx));
- /* register a cleanup so we clear out the SG(server_context)
- * after each request. Note: We pass in the pointer to the
- * server_context in case this is handled by a different thread.
- */
- apr_pool_cleanup_register(r->pool, (void *)&SG(server_context), php_server_context_cleanup, apr_pool_cleanup_null);
-
- ctx->r = r;
brigade = apr_brigade_create(r->pool, r->connection->bucket_alloc);
+ ctx = SG(server_context);
ctx->brigade = brigade;
if (php_apache_request_ctor(r, ctx TSRMLS_CC)!=SUCCESS) {
zend_bailout();
}
} else {
- parent_req = ctx->r;
+ if (!parent_req) {
+ parent_req = ctx->r;
+ }
+ if (parent_req && parent_req->handler &&
+ strcmp(parent_req->handler, PHP_MAGIC_TYPE) &&
+ strcmp(parent_req->handler, PHP_SOURCE_MAGIC_TYPE) &&
+ strcmp(parent_req->handler, PHP_SCRIPT)) {
+ if (php_apache_request_ctor(r, ctx TSRMLS_CC)!=SUCCESS) {
+ zend_bailout();
+ }
+ }
+
/* check if comming due to ErrorDocument */
if (parent_req && parent_req->status != HTTP_OK) {
parent_req = NULL;
--- php-5.0.5/sapi/apache2handler/php_functions.c.a2hfixes
+++ php-5.0.5/sapi/apache2handler/php_functions.c
@@ -115,7 +115,7 @@
#define ADD_LONG(name) \
add_property_long(return_value, #name, rr->name)
#define ADD_TIME(name) \
- add_property_long(return_value, #name, rr->name / APR_USEC_PER_SEC);
+ add_property_long(return_value, #name, apr_time_sec(rr->name));
#define ADD_STRING(name) \
if (rr->name) add_property_string(return_value, #name, (char *) rr->name, 1)
@@ -161,7 +161,6 @@
ADD_LONG(allowed);
ADD_LONG(sent_bodyct);
ADD_LONG(bytes_sent);
- ADD_LONG(request_time);
ADD_LONG(mtime);
ADD_TIME(request_time);
@@ -182,13 +181,17 @@
const apr_array_header_t *arr;
char *key, *val;
+ if (ZEND_NUM_ARGS()) {
+ WRONG_PARAM_COUNT;
+ }
+
array_init(return_value);
ctx = SG(server_context);
arr = apr_table_elts(ctx->r->headers_in);
APR_ARRAY_FOREACH_OPEN(arr, key, val)
- if (!val) val = empty_string;
+ if (!val) val = "";
add_assoc_string(return_value, key, val, 1);
APR_ARRAY_FOREACH_CLOSE()
}
@@ -202,13 +205,17 @@
const apr_array_header_t *arr;
char *key, *val;
+ if (ZEND_NUM_ARGS()) {
+ WRONG_PARAM_COUNT;
+ }
+
array_init(return_value);
ctx = SG(server_context);
arr = apr_table_elts(ctx->r->headers_out);
APR_ARRAY_FOREACH_OPEN(arr, key, val)
- if (!val) val = empty_string;
+ if (!val) val = "";
add_assoc_string(return_value, key, val, 1);
APR_ARRAY_FOREACH_CLOSE()
}
@@ -259,7 +266,7 @@
int arg_count = ZEND_NUM_ARGS();
request_rec *r;
- if (arg_count<1 || arg_count>3 ||
+ if (arg_count < 2 || arg_count > 3 ||
zend_get_parameters_ex(arg_count, &variable, &string_val, &walk_to_top) == FAILURE) {
WRONG_PARAM_COUNT;
}
@@ -267,10 +274,13 @@
ctx = SG(server_context);
r = ctx->r;
- if (arg_count == 3 && Z_STRVAL_PP(walk_to_top)) {
- while(r->prev) {
- r = r->prev;
- }
+ if (arg_count == 3) {
+ convert_to_boolean_ex(walk_to_top);
+ if (Z_LVAL_PP(walk_to_top)) {
+ while(r->prev) {
+ r = r->prev;
+ }
+ }
}
convert_to_string_ex(variable);
@@ -303,10 +313,13 @@
ctx = SG(server_context);
r = ctx->r;
- if (arg_count == 2 && Z_STRVAL_PP(walk_to_top)) {
- while(r->prev) {
- r = r->prev;
- }
+ if (arg_count == 2) {
+ convert_to_boolean_ex(walk_to_top);
+ if (Z_LVAL_PP(walk_to_top)) {
+ while(r->prev) {
+ r = r->prev;
+ }
+ }
}
convert_to_string_ex(variable);
@@ -407,7 +420,9 @@
sprintf(tmp, "Per Child: %d - Keep Alive: %s - Max Per Connection: %d", max_requests, (serv->keep_alive ? "on":"off"), serv->keep_alive_max);
php_info_print_table_row(2, "Max Requests", tmp);
- sprintf(tmp, "Connection: %lld - Keep-Alive: %lld", (serv->timeout / 1000000), (serv->keep_alive_timeout / 1000000));
+ apr_snprintf(tmp, sizeof tmp,
+ "Connection: %" APR_TIME_T_FMT " - Keep-Alive: %" APR_TIME_T_FMT,
+ apr_time_sec(serv->timeout), apr_time_sec(serv->keep_alive_timeout));
php_info_print_table_row(2, "Timeouts", tmp);
php_info_print_table_row(2, "Virtual Server", (serv->is_virtual ? "Yes" : "No"));
@@ -428,7 +443,7 @@
php_info_print_table_header(2, "Variable", "Value");
APR_ARRAY_FOREACH_OPEN(arr, key, val)
if (!val) {
- val = empty_string;
+ val = "";
}
php_info_print_table_row(2, key, val);
APR_ARRAY_FOREACH_CLOSE()
@@ -443,7 +458,7 @@
arr = apr_table_elts(((php_struct *) SG(server_context))->r->headers_in);
APR_ARRAY_FOREACH_OPEN(arr, key, val)
if (!val) {
- val = empty_string;
+ val = "";
}
php_info_print_table_row(2, key, val);
APR_ARRAY_FOREACH_CLOSE()
@@ -452,7 +467,7 @@
arr = apr_table_elts(((php_struct *) SG(server_context))->r->headers_out);
APR_ARRAY_FOREACH_OPEN(arr, key, val)
if (!val) {
- val = empty_string;
+ val = "";
}
php_info_print_table_row(2, key, val);
APR_ARRAY_FOREACH_CLOSE()
@@ -461,7 +476,7 @@
}
}
-static function_entry apache_functions[] = {
+static zend_function_entry apache_functions[] = {
PHP_FE(apache_lookup_uri, NULL)
PHP_FE(virtual, NULL)
PHP_FE(apache_request_headers, NULL)
php-5.1.2-CVE-2006-1490.patch:
html.c | 2 +-
1 files changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE php-5.1.2-CVE-2006-1490.patch ---
Modified files: (Branch: PHP_4_4)
/php-src/ext/standard html.c
Log:
MFH - binary safety patch from Moriyoshi
http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/html.c?r1=1.63.2.23.2.1&r2=1.63.2.23.2.2&diff_format=u
--- php-5.1.2/ext/standard/html.c.cve1490
+++ php-5.1.2/ext/standard/html.c
@@ -884,7 +884,7 @@
unsigned char replacement[15];
int replacement_len;
- ret = estrdup(old);
+ ret = estrndup(old, oldlen);
retlen = oldlen;
if (!retlen) {
goto empty_source;
Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/php/FC-4/.cvsignore,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -r1.25 -r1.26
--- .cvsignore 8 Sep 2005 10:52:57 -0000 1.25
+++ .cvsignore 20 Apr 2006 14:52:41 -0000 1.26
@@ -21,3 +21,6 @@
HTTP-1.3.6.tgz
Net_SMTP-1.2.7.tgz
php-5.0.5.tar.gz
+XML_RPC-1.4.8.tgz
+php-5.0.5
+clog
Index: php.spec
===================================================================
RCS file: /cvs/dist/rpms/php/FC-4/php.spec,v
retrieving revision 1.82
retrieving revision 1.83
diff -u -r1.82 -r1.83
--- php.spec 8 Sep 2005 10:49:07 -0000 1.82
+++ php.spec 20 Apr 2006 14:52:41 -0000 1.83
@@ -10,7 +10,7 @@
Summary: The PHP HTML-embedded scripting language. (PHP: Hypertext Preprocessor)
Name: php
Version: 5.0.5
-Release: 2.1
+Release: 2.2
License: The PHP License
Group: Development/Languages
URL: http://www.php.net/
@@ -23,7 +23,7 @@
Source23: http://pear.php.net/get/XML_Parser-1.2.6.tgz
Source24: http://pear.php.net/get/Net_Socket-1.0.6.tgz
Source25: http://pear.php.net/get/Net_SMTP-1.2.7.tgz
-Source26: http://pear.php.net/get/XML_RPC-1.4.1.tgz
+Source26: http://pear.php.net/get/XML_RPC-1.4.8.tgz
Source50: php.conf
Patch2: php-5.0.1-config.patch
@@ -32,12 +32,12 @@
Patch5: php-4.3.3-install.patch
Patch6: php-5.0.4-norpath.patch
Patch7: php-4.3.2-libtool15.patch
-Patch9: php-4.3.6-umask.patch
Patch10: php-5.0.2-gdnspace.patch
Patch11: php-4.3.8-round.patch
Patch13: php-5.0.2-phpize64.patch
Patch14: php-5.0.3-sprintf.patch
Patch16: php-5.0.3-gdheaders.patch
+Patch17: php-5.0.5-a2hfixes.patch
# Fixes for extension modules
Patch21: php-4.3.1-odbc.patch
@@ -55,6 +55,13 @@
Patch51: php-5.0.4-tests-wddx.patch
Patch52: php-5.0.4-tests-sunfunc.patch
+# Security fixes
+Patch70: php-5.0.5-CVE-2005-3883.patch
+Patch71: php-5.0.5-CVE-2006-0208.patch
+Patch72: php-5.0.5-CVE-2006-0996.patch
+Patch73: php-5.1.2-CVE-2006-1490.patch
+Patch74: php-5.0.5-CVE-2006-0207.patch
+
BuildRoot: %{_tmppath}/%{name}-root
BuildRequires: bzip2-devel, curl-devel >= 7.9, db4-devel, expat-devel
@@ -81,7 +88,7 @@
%package devel
Group: Development/Libraries
Summary: Files needed for building PHP extensions.
-Requires: php = %{version}-%{release}
+Requires: php = %{version}-%{release}, autoconf, automake
%description devel
The php-devel package contains the files needed for building PHP
@@ -335,11 +342,11 @@
%patch5 -p1 -b .install
%patch6 -p1 -b .norpath
%patch7 -p1 -b .libtool15
-%patch9 -p1 -b .umask
%patch10 -p1 -b .gdnspace
%patch11 -p1 -b .round
%patch13 -p1 -b .phpize64
%patch16 -p1 -b .gdheaders
+%patch17 -p1 -b .a2hfixes
%patch21 -p1 -b .odbc
%patch22 -p1 -b .shutdown
@@ -354,6 +361,12 @@
%patch51 -p1 -b .tests-wddx
%patch52 -p1 -b .tests-sunfunc
+%patch70 -p1 -b .cve3883
+%patch71 -p1 -b .cve0208
+%patch72 -p1 -b .cve0996
+%patch73 -p1 -b .cve1490
+%patch74 -p1 -b .cve0207
+
# Prevent %%doc confusion over LICENSE files
cp Zend/LICENSE Zend/ZEND_LICENSE
cp TSRM/LICENSE TSRM_LICENSE
@@ -646,6 +659,16 @@
%endif
%changelog
+* Thu Apr 20 2006 Joe Orton <jorton at redhat.com> 5.0.5-2.2
+- add security fixes from upstream:
+ * phpinfo XSS (CVE-2006-0996)
+ * binary safeness fix for html_entity_decode (CVE-2006-1490)
+ * session ID response splitting/XSS fix (CVE-2006-0207)
+ * XSS issues in "html_errors" mode (CVE-2006-0208)
+ * mbstring header validation (CVE-2005-3883)
+- add apache2handler SAPI fixes (#168442)
+- pear: update to XML_RPC-1.4.8
+
* Thu Sep 8 2005 Joe Orton <jorton at redhat.com> 5.0.5-2.1
- update to 5.0.5
- pear: update to HTTP-1.3.6, Mail-1.1.8, Net_SMTP-1.2.7, XML_RPC-1.4.1
Index: sources
===================================================================
RCS file: /cvs/dist/rpms/php/FC-4/sources,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -r1.26 -r1.27
--- sources 8 Sep 2005 10:52:57 -0000 1.26
+++ sources 20 Apr 2006 14:52:41 -0000 1.27
@@ -1,8 +1,8 @@
f961deffb093a58eb4c48478de1b27ed Net_Socket-1.0.6.tgz
96ebc0fc2f349249f1455389797e72a4 XML_Parser-1.2.6.tgz
b5ff032f7e8873174e3e7fc21b7ec696 DB-1.7.6.tgz
-a646a20e20634442eda43c21ed3f08fd XML_RPC-1.4.1.tgz
69b1941019b686227123a879090241ab Mail-1.1.8.tgz
b166af8069febd24699df675cf0d5b0f HTTP-1.3.6.tgz
11c4de943b07206aab6193eefd8f328e Net_SMTP-1.2.7.tgz
ae36a2aa35cfaa58bdc5b9a525e6f451 php-5.0.5.tar.gz
+c2e94575bd14a4425de9e20976c65d43 XML_RPC-1.4.8.tgz
--- php-4.3.6-umask.patch DELETED ---