Hello community,
here is the log from the commit of package php5 for openSUSE:Factory
checked in at Fri Apr 23 01:28:58 CEST 2010.
--------
--- php5/php5.changes 2010-03-06 17:45:13.000000000 +0100
+++ /mounts/work_src_done/STABLE/php5/php5.changes 2010-04-16 17:53:02.000000000 +0200
@@ -1,0 +2,27 @@
+Fri Apr 16 15:51:49 UTC 2010 - crrodriguez@opensuse.org
+
+- use FD_CLOEXEC flag to avoid annoying races.
+
+-------------------------------------------------------------------
+Sun Apr 4 12:43:07 UTC 2010 - crrodriguez@opensuse.org
+
+- remove obsolete buildRequires
+
+-------------------------------------------------------------------
+Fri Apr 2 14:59:46 UTC 2010 - crrodriguez@opensuse.org
+
+- remove build date from binaries so they dont get
+ republished every time
+- fix invalid path
+
+-------------------------------------------------------------------
+Thu Apr 1 22:03:47 UTC 2010 - crrodriguez@opensuse.org
+
+- add missing patch, refresh patches with -p0
+
+-------------------------------------------------------------------
+Thu Apr 1 21:38:12 UTC 2010 - crrodriguez@opensuse.org
+
+- Update to PHP 5.3.2, see NEWS for details
+
+-------------------------------------------------------------------
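Review bot: the FD_CLOEXEC entry is too vague to be useful when someone reads this changelog later ("annoying races"); name the patch it refers to (php-cloexec.patch, Patch25 in this submission) and the call sites it covers (the popen() calls in exec.c, file.c and mail.c), since the race in question is a child process inheriting descriptors that another thread opened between fork and exec.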
calling whatdependson for head-i586
Old:
----
php-5.3.0-46074.diff
php-5.3.0-curl_code_10.patch
php-5.3.0-ini.patch
php-5.3.0-open_basedir-borked.patch
php-5.3.0-systzdata-v6.patch
php-5.3.0.tar.bz2
php5-autoconf-2.65.patch
php5-bug51224.patch
php5-really-with-libedit.patch
suhosin-0.9.24-return-non-void.patch
suhosin-0.9.29-retval.patch
suhosin-0.9.29.tgz
suhosin-patch-5.3.0-0.9.8-BETA-1.patch.gz
New:
----
php-5.3-session.patch
php-5.3.1-systzdata-v7.patch
php-5.3.2-aconf26x.patch
php-5.3.2-ini.patch
php-5.3.2-no-build-date.patch
php-5.3.2.tar.bz2
php-cloexec.patch
suhosin-0.9.31.tgz
suhosin-patch-5.3.2-0.9.9.1.patch.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ php5.spec ++++++
--- /var/tmp/diff_new_pack.wTmkJt/_old 2010-04-23 01:28:38.000000000 +0200
+++ /var/tmp/diff_new_pack.wTmkJt/_new 2010-04-23 01:28:38.000000000 +0200
@@ -1,5 +1,5 @@
#
-# spec file for package php5 (Version 5.3.0)
+# spec file for package php5 (Version 5.3.2)
#
# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@@ -21,18 +21,18 @@
Name: php5
%global apiver 20090626
%global zendver 20090626
-%define suhosin_version 0.9.29
-%define suhosin_patch_version 0.9.8-BETA-1
+%define suhosin_version 0.9.31
+%define suhosin_patch_version 0.9.9.1
%define with_suhosin_patch 0
%define pkg_name php5
%define with_spell 1
-%if 0%{?suse_version} < 930
-%define with_spell 0
-BuildRequires: heimdal-devel
-%else
-BuildRequires: krb5-devel
-%endif
-BuildRequires: apache2-devel bison curl-devel db-devel enchant-devel gmp-devel imap imap-devel libicu-devel libmcrypt-devel libtidy-devel libtiff-devel libxslt-devel mhash-devel mm-devel mysql-devel net-snmp-devel openldap2-devel pam-devel pkgconfig postfix postgresql-devel qt3-devel tcpd-devel unixODBC-devel update-alternatives zip
+
+BuildRequires: apache2-devel curl-devel freetype2-devel gcc-c++ libpng-devel xorg-x11-devel
+BuildRequires: db-devel enchant-devel gmp-devel imap-devel libicu-devel libtidy-devel
+BuildRequires: libtiff-devel libxslt-devel mm-devel mysql-devel net-snmp-devel openldap2-devel
+BuildRequires: pam-devel pkgconfig postfix postgresql-devel unixODBC-devel update-alternatives
+BuildRequires: krb5-devel libmcrypt-devel
+
%if %{with_spell}
BuildRequires: aspell-devel
%endif
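Review bot: bison is dropped here (and flex in the following hunk), so the build now relies on the pre-generated parser and scanner sources shipped in the 5.3.2 tarball; a spec comment saying so would stop a future patch that touches the grammar from failing obscurely. The heimdal-devel/krb5-devel conditional on suse_version < 930 is also gone, which together with with_spell now always being 1 quietly drops those older targets; fine if intended, but it deserves a line in php5.changes.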
@@ -44,7 +44,7 @@
# other highly reccommended extensions
Suggests: php-mbstring php-gd php-pear php-gettext php-mysql php-suhosin
%else
-BuildRequires: flex libgcrypt-devel rpm-devel
+BuildRequires: libgcrypt-devel rpm-devel
BuildRequires: libjpeg libjpeg-devel
%endif
BuildRequires: libedit-devel
@@ -58,9 +58,6 @@
#10.3 does not install sendmail binary with the minimal system
Requires: smtp_daemon
%endif
-#if 0%{?_with_qdbm:1}
-#BuildRequires: qdbm-devel
-#endif
%define extension_dir %{_libdir}/%{pkg_name}/extensions
%define peardir %{_datadir}/%{pkg_name}/PEAR
%define php_sysconf %{_sysconfdir}/%{pkg_name}
@@ -79,8 +76,8 @@
#define builtin_tz_ver 2007.9
###
###
-Version: 5.3.0
-Release: 7
+Version: 5.3.2
+Release: 1
License: The PHP License, version 3.01
Group: Development/Languages/Other
Provides: php zend php-xml php-spl php-simplexml php-session php-pcre php-date php-reflection php-filter
@@ -102,27 +99,22 @@
Patch3: php5-apache_sapi_install.patch
Patch4: php5-php-config.patch
#home made hack to really build against libedit
-Patch5: php5-really-with-libedit.patch
+#Patch5: php5-really-with-libedit.patch
%if %{with_suhosin_patch}
Patch6: suhosin-patch-%{version}-%{suhosin_patch_version}.patch.gz
%endif
-Patch7: php-5.3.0-systzdata-v6.patch
+Patch7: php-5.3.1-systzdata-v7.patch
#bugs
-Patch12: suhosin-0.9.24-return-non-void.patch
Patch13: php-5.2.9-BNC-457056.patch
Patch14: php-5.3.0-ldap-checks.patch
Patch15: php-5.3.0-fix-rpmlint-errors.patch
-Patch16: php-5.3.0-open_basedir-borked.patch
-Patch17: php-5.3.0-curl_code_10.patch
-Patch18: suhosin-0.9.29-retval.patch
Patch19: php-5.3.0-bnc513080.patch
-Patch20: php-5.3.0-ini.patch
-# http://bugs.php.net/bug.php?id=46074
-Patch21: php-5.3.0-46074.diff
+Patch20: php-5.3.2-ini.patch
# PATCH-FIX-UPSTREAM php5-autoconf-2.65.patch http://bugs.php.ney/bug.php?id=50291 dimstar@opensuse.org -- Build fails with autoconf > 2.63
-Patch22: php5-autoconf-2.65.patch
-# PATCH-FIX-UPSTREAM php5-bug51224.patch http://bugs.php.ney/bug.php?id=51224 dimstar@opensuse.org -- Fix buffer overflows. The \0 were apparently not counted. Fixed in later versions.
-Patch23: php5-bug51224.patch
+Patch22: php-5.3.2-aconf26x.patch
+Patch23: php-5.3-session.patch
+Patch24: php-5.3.2-no-build-date.patch
+Patch25: php-cloexec.patch
Url: http://www.php.net
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Summary: PHP5 Core Files
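Review bot: the surviving PATCH-FIX-UPSTREAM comment still names php5-autoconf-2.65.patch and points at http://bugs.php.ney/bug.php?id=50291 (typo for bugs.php.net) while Patch22 is now php-5.3.2-aconf26x.patch; update that line and give the new Patch23, Patch24 and Patch25 the same kind of tag, as they currently carry no provenance at all. The patches removed here (46074, open_basedir-borked, curl_code_10, the bug51224 buffer overflow fix, and the suhosin retval fix) should be listed in php5.changes with a note on whether each is now included upstream in 5.3.2, so the drop is traceable.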
@@ -1182,16 +1174,12 @@
%{__cp} %{S:4} pear/README.SUSE
#patch0 -p1
%patch2
-%patch3 -p1
+%patch3
%patch4
-%patch5
%if %{with_suhosin_patch}
%patch6 -p1
%endif
-%patch7 -p1
-pushd ext/suhosin
-%patch12
-popd
+%patch7
%if %{need_libxml2_hack}
echo "***APPLY LIBXML2.7 FIX***"
%patch13
@@ -1200,14 +1188,12 @@
%endif
%patch14
%patch15
-%patch16
-%patch17
-%patch18
%patch19
-%patch20 -p1
-%patch -P 21 -p1
-%patch22 -p0
-%patch23 -p1
+%patch20
+%patch22
+%patch23
+%patch24
+%patch25 -p1
# we build three SAPI
%{__mkdir_p} build-apache2
%{__mkdir_p} build-fastcgi/sapi/cgi/libfcgi
@@ -1288,7 +1274,6 @@
--with-config-file-scan-dir=%{php_sysconf}/conf.d \
--enable-libxml \
--enable-session \
- --with-mm \
%if 0%{?suse_version} > 1010
--with-pcre-regex=%{_usr} \
%else
@@ -1324,11 +1309,13 @@
# perform all builds
# apache2 sapi
Build apache2 \
+ --with-mm \
--with-apxs2=%{apxs2} \
--disable-all \
--disable-cli \
# fast-cgi sapi
Build fastcgi \
+ --with-mm \
--enable-force-cgi-redirect \
--disable-discard-path \
--enable-fastcgi \
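Review bot: --with-mm is removed from the shared configure options in the previous hunk and re-added only for the apache2 and fastcgi builds, so the cli SAPI loses the mm session save handler; if that is deliberate (a shared-memory session store makes little sense for a one-shot CLI process) a comment next to the cli Build call would keep someone from re-adding it.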
@@ -1524,13 +1511,14 @@
# fix deadlock
%{__cp} %{S:5} %{buildroot}/%{peardir}/PEAR
# reminder: Will be removed when upstream fixes deadlock in pear
-test %version = 5.3.0
+test %version = 5.3.2
# for pear XML files
%{__install} -d -m 0755 %{buildroot}/var/lib/pear
# provide compat symlink
%{__mkdir_p} %{buildroot}/srv/www/cgi-bin
%{__ln_s} /usr/bin/php-cgi5 %{buildroot}/srv/www/cgi-bin/php5
#fix symlink
+sed -i -e "s@$RPM_BUILD_DIR/php-%{version}/build-cli/sapi/cli/php@php@g" %{buildroot}%{_bindir}/phar.phar
rm %{buildroot}%{_bindir}/phar
%{__ln_s} -f %{_bindir}/phar.phar %{buildroot}%{_bindir}/phar
# Install the macros file:
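Review bot: the new sed rewrites the interpreter line of phar.phar from the absolute build-directory path to a bare "php", which is needed because the installed file would otherwise reference a path that never exists on the target system; since sed exits 0 even when the pattern does not match, follow it with a check such as "! grep -q \"$RPM_BUILD_DIR\" %{buildroot}%{_bindir}/phar.phar" so a changed upstream path fails the build instead of shipping silently. The hardcoded "test %version = 5.3.2" reminder is fine as a tripwire for the next update.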
++++++ php-5.3-session.patch ++++++
Index: ext/session/config.m4
===================================================================
--- ext/session/config.m4.orig 2009-07-28 10:59:08.000000000 +0200
+++ ext/session/config.m4 2010-04-02 00:00:18.106149000 +0200
@@ -12,7 +12,7 @@ if test "$PHP_SESSION" != "no"; then
PHP_PWRITE_TEST
PHP_PREAD_TEST
PHP_NEW_EXTENSION(session, session.c mod_files.c mod_mm.c mod_user.c, $ext_shared)
- PHP_ADD_EXTENSION_DEP(session, hash, true)
+dnl PHP_ADD_EXTENSION_DEP(session, hash, true)
PHP_SUBST(SESSION_SHARED_LIBADD)
PHP_INSTALL_HEADERS(ext/session, [php_session.h mod_files.h mod_user.h])
AC_DEFINE(HAVE_PHP_SESSION,1,[ ])
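Review bot: commenting out PHP_ADD_EXTENSION_DEP(session, hash, true) removes the declared load-order dependency of session on hash; if hash is built as a shared extension, a session.hash_function value that names a hash-extension algorithm will not be resolvable when session initialises first. The patch has no description, so record the reason (presumably a build-ordering problem in this tree) at the Patch23 line in the spec and confirm that the session.hash_function value chosen in php-5.3.2-ini.patch does not depend on the hash extension.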
++++++ php-5.3.0-bnc513080.patch ++++++
--- /var/tmp/diff_new_pack.wTmkJt/_old 2010-04-23 01:28:38.000000000 +0200
+++ /var/tmp/diff_new_pack.wTmkJt/_new 2010-04-23 01:28:38.000000000 +0200
@@ -1,7 +1,7 @@
Index: ext/exif/exif.c
===================================================================
---- ext/exif/exif.c.orig 2009-06-12 16:03:35.000000000 +0200
-+++ ext/exif/exif.c 2009-08-24 02:52:33.000000000 +0200
+--- ext/exif/exif.c.orig 2010-01-03 10:23:27.000000000 +0100
++++ ext/exif/exif.c 2010-04-02 00:00:17.386249000 +0200
@@ -66,7 +66,7 @@
#include "ext/standard/php_image.h"
#include "ext/standard/info.h"
++++++ php-5.3.0-fix-rpmlint-errors.patch ++++++
--- /var/tmp/diff_new_pack.wTmkJt/_old 2010-04-23 01:28:38.000000000 +0200
+++ /var/tmp/diff_new_pack.wTmkJt/_new 2010-04-23 01:28:38.000000000 +0200
@@ -1,7 +1,7 @@
Index: ext/intl/locale/locale_methods.c
===================================================================
---- ext/intl/locale/locale_methods.c.orig 2008-08-03 13:33:45.000000000 +0200
-+++ ext/intl/locale/locale_methods.c 2009-08-16 19:43:11.000000000 +0200
+--- ext/intl/locale/locale_methods.c.orig 2010-01-25 14:59:35.000000000 +0100
++++ ext/intl/locale/locale_methods.c 2010-04-02 00:00:17.182233000 +0200
@@ -264,7 +264,7 @@ static char* get_icu_value_internal( cha
UErrorCode status = U_ZERO_ERROR;
@@ -11,7 +11,7 @@
/* Handle grandfathered languages */
grOffset = findOffset( LOC_GRANDFATHERED , loc_name );
if( grOffset >= 0 ){
-@@ -501,7 +501,7 @@ static void get_icu_disp_value_src_php(
+@@ -501,7 +501,7 @@ static void get_icu_disp_value_src_php(
loc_name = INTL_G(default_locale);
}
@@ -20,7 +20,7 @@
/* Handle grandfathered languages */
grOffset = findOffset( LOC_GRANDFATHERED , loc_name );
if( grOffset >= 0 ){
-@@ -1062,7 +1062,7 @@ static int add_array_entry(char* loc_nam
+@@ -1043,7 +1043,7 @@ static int add_array_entry(char* loc_nam
add_assoc_string( hash_arr, cur_key_name , token , TRUE );
}
++++++ php-5.3.0-ldap-checks.patch ++++++
--- /var/tmp/diff_new_pack.wTmkJt/_old 2010-04-23 01:28:38.000000000 +0200
+++ /var/tmp/diff_new_pack.wTmkJt/_new 2010-04-23 01:28:38.000000000 +0200
@@ -1,7 +1,7 @@
Index: ext/ldap/config.m4
===================================================================
---- ext/ldap/config.m4.orig 2007-08-08 13:37:44.000000000 +0200
-+++ ext/ldap/config.m4 2009-07-27 02:09:24.000000000 +0200
+--- ext/ldap/config.m4.orig 2007-09-26 17:44:16.000000000 +0200
++++ ext/ldap/config.m4 2010-04-02 00:00:16.872236000 +0200
@@ -50,7 +50,7 @@ AC_DEFUN([PHP_LDAP_SASL_CHECKS], [
SASL_LIB="-L$LDAP_SASL_LIBDIR -lsasl2"
fi
++++++ php-5.3.0-systzdata-v6.patch -> php-5.3.1-systzdata-v7.patch ++++++
--- php5/php-5.3.0-systzdata-v6.patch 2009-08-17 00:18:22.000000000 +0200
+++ /mounts/work_src_done/STABLE/php5/php-5.3.1-systzdata-v7.patch 2010-04-02 00:05:18.000000000 +0200
@@ -3,6 +3,7 @@
than embedding a copy. Discussed upstream but was not desired.
History:
+r7: improve check for valid timezone id to exclude directories
r6: fix fd leak in r5, fix country code/BC flag use in
timezone_identifiers_list() using system db,
fix use of PECL timezonedb to override system db,
@@ -14,10 +15,10 @@
r2: add filesystem trawl to set up name alias index
r1: initial revision
-Index: ext/date/lib/timelib.m4
+Index: ext/date/lib/parse_tz.c
===================================================================
---- php-5.3.0/ext/date/lib/parse_tz.c.systzdata
-+++ php-5.3.0/ext/date/lib/parse_tz.c
+--- ext/date/lib/parse_tz.c.orig 2010-01-03 10:23:27.000000000 +0100
++++ ext/date/lib/parse_tz.c 2010-04-02 00:00:16.631318000 +0200
@@ -20,6 +20,16 @@
#include "timelib.h"
@@ -66,7 +67,7 @@
/* read BC flag */
tz->bc = (**tzf == '\1');
*tzf += 1;
-@@ -253,7 +273,390 @@ void timelib_dump_tzinfo(timelib_tzinfo
+@@ -253,7 +273,397 @@ void timelib_dump_tzinfo(timelib_tzinfo
}
}
@@ -422,6 +423,13 @@
+ sysdb->data = (unsigned char *)data;
+}
+
++/* Returns true if the passed-in stat structure describes a
++ * probably-valid timezone file. */
++static int is_valid_tzfile(const struct stat *st)
++{
++ return S_ISREG(st->st_mode) && st->st_size > 20;
++}
++
+/* Return the mmap()ed tzfile if found, else NULL. On success, the
+ * length of the mapped data is placed in *length. */
+static char *map_tzfile(const char *timezone, size_t *length)
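Review bot: is_valid_tzfile() is the right shape: S_ISREG rejects the directories the r7 changelog entry mentions, and also devices and FIFOs that the old access() check would have accepted. The 20 in "st_size > 20" is a magic number (it appeared as "< 21" in the fstat check this replaces); a named constant with a comment on where the minimum comes from would help the next reader.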
@@ -440,7 +448,7 @@
+ fd = open(fname, O_RDONLY);
+ if (fd == -1) {
+ return NULL;
-+ } else if (fstat(fd, &st) != 0 || st.st_size < 21) {
++ } else if (fstat(fd, &st) != 0 || !is_valid_tzfile(&st)) {
+ close(fd);
+ return NULL;
+ }
@@ -458,7 +466,7 @@
{
int left = 0, right = tzdb->index_size - 1;
#ifdef HAVE_SETLOCALE
-@@ -292,36 +695,124 @@ static int seek_to_tz_position(const uns
+@@ -292,36 +702,125 @@ static int seek_to_tz_position(const uns
return 0;
}
@@ -524,14 +532,15 @@
+#ifdef HAVE_SYSTEM_TZDATA
+ if (tzdb == timezonedb_system) {
+ char fname[PATH_MAX];
-+
++ struct stat st;
++
+ if (timezone[0] == '\0' || strstr(timezone, "..") != NULL) {
+ return 0;
+ }
+
+ snprintf(fname, sizeof fname, ZONEINFO_PREFIX "/%s", timezone);
+
-+ return access(fname, R_OK) == 0 ? 1 : 0;
++ return stat(fname, &st) == 0 && is_valid_tzfile(&st);
+ }
+#endif
+
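Review bot: replacing access(fname, R_OK) with stat() plus is_valid_tzfile() here is only an advisory pre-check, because map_tzfile() in the earlier hunk re-validates with fstat() on the descriptor it actually opens, so the check-then-use gap between the two calls is harmless. The strstr(timezone, "..") guard rejects any identifier containing "..", which is coarser than a per-component check but errs on the safe side for an identifier that ultimately comes from script input.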
@@ -586,8 +595,10 @@
} else {
tmp = NULL;
}
---- php-5.3.0/ext/date/lib/timelib.m4.systzdata
-+++ php-5.3.0/ext/date/lib/timelib.m4
+Index: ext/date/lib/timelib.m4
+===================================================================
+--- ext/date/lib/timelib.m4.orig 2007-09-26 17:44:16.000000000 +0200
++++ ext/date/lib/timelib.m4 2010-04-02 00:00:16.634331000 +0200
@@ -78,3 +78,17 @@ stdlib.h
dnl Check for strtoll, atoll
++++++ php-5.3.2-aconf26x.patch ++++++
Fix use of divert() to work with autoconf 2.6x.
Index: configure.in
===================================================================
--- configure.in.orig 2010-03-03 17:36:07.000000000 +0100
+++ configure.in 2010-04-02 00:00:17.863156000 +0200
@@ -1,7 +1,7 @@
## $Id: configure.in 295792 2010-03-03 16:36:07Z johannes $ -*- autoconf -*-
dnl ## Process this file with autoconf to produce a configure script.
-divert(1)
+divert(1001)
dnl ## Diversion 1 is the autoconf + automake setup phase. We also
dnl ## set the PHP version, deal with platform-specific compile
@@ -290,7 +290,7 @@ sinclude(TSRM/threads.m4)
sinclude(TSRM/tsrm.m4)
-divert(2)
+divert(1002)
dnl ## Diversion 2 is where we set PHP-specific options and come up
dnl ## with reasonable default values for them. We check for pthreads here
@@ -329,7 +329,7 @@ if test "$enable_maintainer_zts" = "yes"
PTHREADS_FLAGS
fi
-divert(3)
+divert(1003)
dnl ## In diversion 3 we check for compile-time options to the PHP
dnl ## core and how to deal with different system dependencies.
@@ -675,7 +675,7 @@ if test "x$php_crypt_r" = "x1"; then
PHP_CRYPT_R_STYLE
fi
-divert(4)
+divert(1004)
dnl ## In diversion 4 we check user-configurable general settings.
@@ -916,7 +916,7 @@ else
AC_MSG_RESULT([using system default])
fi
-divert(5)
+divert(1005)
dnl ## In diversion 5 we check which extensions should be compiled.
dnl ## All of these are normally in the extension directories.
Index: ext/standard/config.m4
===================================================================
--- ext/standard/config.m4.orig 2010-02-22 01:34:22.000000000 +0100
+++ ext/standard/config.m4 2010-04-02 00:00:17.880144000 +0200
@@ -1,6 +1,6 @@
dnl $Id: config.m4 295350 2010-02-22 00:34:22Z pajoye $ -*- autoconf -*-
-divert(3)dnl
+divert(1003)dnl
dnl
dnl Check if flush should be called explicitly after buffered io
@@ -333,7 +333,7 @@ dnl
AC_CHECK_FUNCS(getcwd getwd asinh acosh atanh log1p hypot glob strfmon nice fpclass isinf isnan mempcpy strpncpy)
AC_FUNC_FNMATCH
-divert(5)dnl
+divert(1005)dnl
dnl
dnl Check if there is a support means of creating a new process
Index: scripts/phpize.m4
===================================================================
--- scripts/phpize.m4.orig 2009-12-02 18:42:58.000000000 +0100
+++ scripts/phpize.m4 2010-04-02 00:00:17.886143000 +0200
@@ -1,6 +1,6 @@
dnl This file becomes configure.in for self-contained extensions.
-divert(1)
+divert(1001)
AC_PREREQ(2.13)
AC_INIT(config.m4)
++++++ php-5.3.0-ini.patch -> php-5.3.2-ini.patch ++++++
--- php5/php-5.3.0-ini.patch 2009-12-02 19:29:45.000000000 +0100
+++ /mounts/work_src_done/STABLE/php5/php-5.3.2-ini.patch 2010-04-02 00:05:20.000000000 +0200
@@ -1,8 +1,8 @@
-Index: php-5.3.0/php.ini-production
+Index: php.ini-production
===================================================================
---- php-5.3.0.orig/php.ini-production 2009-06-28 19:56:18.000000000 +0200
-+++ php-5.3.0/php.ini-production 2009-12-02 19:27:32.000000000 +0100
-@@ -785,7 +785,7 @@ default_mimetype = "text/html"
+--- php.ini-production.orig 2009-11-05 14:29:34.000000000 +0100
++++ php.ini-production 2010-04-02 00:00:17.674182000 +0200
+@@ -781,7 +781,7 @@ default_mimetype = "text/html"
;;;;;;;;;;;;;;;;;;;;;;;;;
; UNIX: "/path1:/path2"
@@ -11,7 +11,7 @@
;
; Windows: "\path1;\path2"
;include_path = ".;c:\php\includes"
-@@ -1186,7 +1186,7 @@ mysql.allow_local_infile = On
+@@ -1189,7 +1189,7 @@ mysql.allow_local_infile = On
; Allow or prevent persistent links.
; http://php.net/mysql.allow-persistent
@@ -20,7 +20,7 @@
; If mysqlnd is used: Number of cache slots for the internal result set cache
; http://php.net/mysql.cache_size
-@@ -1249,7 +1249,7 @@ mysqli.max_persistent = -1
+@@ -1252,7 +1252,7 @@ mysqli.max_persistent = -1
; Allow or prevent persistent links.
; http://php.net/mysqli.allow-persistent
@@ -29,28 +29,35 @@
; Maximum number of links. -1 means no limit.
; http://php.net/mysqli.max-links
-@@ -1587,12 +1587,12 @@ session.referer_check =
-
- ; How many bytes to read from the file.
- ; http://php.net/session.entropy-length
--session.entropy_length = 0
-+session.entropy_length = 16
+@@ -1474,7 +1474,7 @@ session.save_handler = files
+ ; where MODE is the octal representation of the mode. Note that this
+ ; does not overwrite the process's umask.
+ ; http://php.net/session.save-path
+-;session.save_path = "/tmp"
++session.save_path = "/var/lib/php5"
+
+ ; Whether to use cookies.
+ ; http://php.net/session.use-cookies
+@@ -1594,11 +1594,10 @@ session.entropy_length = 0
; Specified here to create the session id.
; http://php.net/session.entropy-file
-;session.entropy_file = /dev/urandom
-session.entropy_file =
+session.entropy_file = /dev/urandom
-+;session.entropy_file =
; http://php.net/session.entropy-length
- ;session.entropy_length = 16
-@@ -1623,7 +1623,7 @@ session.use_trans_sid = 0
- ; 0 (MD5 128 bits)
- ; 1 (SHA-1 160 bits)
+-;session.entropy_length = 16
++session.entropy_length = 16
+
+ ; Set to {nocache,private,public,} to determine HTTP caching aspects
+ ; or leave this empty to avoid sending anti-caching headers.
+@@ -1629,7 +1628,7 @@ session.use_trans_sid = 0
+ ; the hash extension. A list of available hashes is returned by the hash_alogs()
+ ; function.
; http://php.net/session.hash-function
-session.hash_function = 0
-+session.hash_function = 1
++session.hash_function = 3
; Define how many bits are stored in each character when converting
; the binary hash data to something readable.
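Review bot: session.hash_function = 3 is not one of the values the shipped comments document (the removed context lines list 0 for MD5 and 1 for SHA-1, and 5.3 additionally accepts hash-extension algorithm names); confirm how 3 is parsed before relying on it and prefer an explicit spelling of the intended algorithm. The switch to session.entropy_file = /dev/urandom with session.entropy_length = 16 is the right default and matches the suhosin 0.9.31 changelog entry further down; session.save_path = "/var/lib/php5" needs a matching directory with restricted permissions in the spec's file list, which this diff does not show.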
++++++ php-5.3.2-no-build-date.patch ++++++
Index: sapi/cgi/cgi_main.c
===================================================================
--- sapi/cgi/cgi_main.c.orig 2010-01-03 10:23:27.000000000 +0100
+++ sapi/cgi/cgi_main.c 2010-04-03 14:42:45.404083000 +0200
@@ -1926,7 +1926,7 @@ consult the installation file that came
#if ZEND_DEBUG
php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2010 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
#else
- php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2010 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
+ php_printf("PHP %s (%s)\nCopyright (c) 1997-2010 The PHP Group\n%s", PHP_VERSION, sapi_module.name, get_zend_version());
#endif
php_request_shutdown((void *) 0);
exit_status = 0;
Index: sapi/cli/php_cli.c
===================================================================
--- sapi/cli/php_cli.c.orig 2010-01-03 10:23:27.000000000 +0100
+++ sapi/cli/php_cli.c 2010-04-03 14:42:45.410100000 +0200
@@ -831,8 +831,8 @@ int main(int argc, char *argv[])
}
request_started = 1;
- php_printf("PHP %s (%s) (built: %s %s) %s\nCopyright (c) 1997-2010 The PHP Group\n%s",
- PHP_VERSION, sapi_module.name, __DATE__, __TIME__,
+ php_printf("PHP %s (%s) %s\nCopyright (c) 1997-2010 The PHP Group\n%s",
+ PHP_VERSION, sapi_module.name,
#if ZEND_DEBUG && defined(HAVE_GCOV)
"(DEBUG GCOV)",
#elif ZEND_DEBUG
Index: ext/standard/info.c
===================================================================
--- ext/standard/info.c.orig 2010-01-03 10:23:27.000000000 +0100
+++ ext/standard/info.c 2010-04-03 14:44:31.369445000 +0200
@@ -686,7 +686,7 @@ PHPAPI void php_print_info(int flag TSRM
php_info_print_box_end();
php_info_print_table_start();
php_info_print_table_row(2, "System", php_uname );
- php_info_print_table_row(2, "Build Date", __DATE__ " " __TIME__ );
+ /* php_info_print_table_row(2, "Build Date", __DATE__ " " __TIME__ ); */
#ifdef COMPILER
php_info_print_table_row(2, "Compiler", COMPILER);
#endif
@@ -694,7 +694,7 @@ PHPAPI void php_print_info(int flag TSRM
php_info_print_table_row(2, "Architecture", ARCHITECTURE);
#endif
#ifdef CONFIGURE_COMMAND
- php_info_print_table_row(2, "Configure Command", CONFIGURE_COMMAND );
+ /* php_info_print_table_row(2, "Configure Command", CONFIGURE_COMMAND ); */
#endif
if (sapi_module.pretty_name) {
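Review bot: this hunk also comments out the "Configure Command" row of phpinfo(), which goes beyond the php5.changes entry ("remove build date from binaries"); hiding the configure line does reduce what phpinfo() discloses about the build, but it also removes information support relies on, so either document it in the changelog or limit the patch to the build-date rows. Dropping __DATE__ and __TIME__ from the version banners is the right approach for reproducible binaries, and the printf argument lists were adjusted consistently in the cgi and cli hunks.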
++++++ php-5.3.0.tar.bz2 -> php-5.3.2.tar.bz2 ++++++
php5/php-5.3.0.tar.bz2 /mounts/work_src_done/STABLE/php5/php-5.3.2.tar.bz2 differ: char 11, line 1
++++++ php-cloexec.patch ++++++
diff --git a/ext/standard/exec.c b/ext/standard/exec.c
index 5850026..efc1aa3 100644
--- a/ext/standard/exec.c
+++ b/ext/standard/exec.c
@@ -107,8 +107,12 @@ PHPAPI int php_exec(int type, char *cmd, zval *array, zval *return_value TSRMLS_
#ifdef PHP_WIN32
fp = VCWD_POPEN(cmd_p, "rb");
#else
+#if defined(__linux__) && __GLIBC_PREREQ(2, 9)
+ fp = VCWD_POPEN(cmd_p, "re");
+#else
fp = VCWD_POPEN(cmd_p, "r");
#endif
+#endif
if (!fp) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to fork [%s]", cmd);
goto err;
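Review bot: "#if defined(__linux__) && __GLIBC_PREREQ(2, 9)" is a preprocessor error rather than a false condition on a libc that does not define __GLIBC_PREREQ, because the macro call is still parsed even when the left operand is false; use a nested "#ifdef __GLIBC_PREREQ" / "#if __GLIBC_PREREQ(2, 9)" guard, or a configure-time check for the "e" mode. The glibc 2.9 floor itself is correct for the "e" (O_CLOEXEC) popen() flag.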
diff --git a/ext/standard/file.c b/ext/standard/file.c
index 704ef12..e03a661 100644
--- a/ext/standard/file.c
+++ b/ext/standard/file.c
@@ -957,6 +957,13 @@ PHP_FUNCTION(popen)
}
}
#endif
+#if defined(__linux__) && __GLIBC_PREREQ(2, 9)
+ char *e = memchr(posix_mode, 'e', mode_len);
+ if (e) {
+ memmove(e, e + 1, mode_len - (e - posix_mode));
+ }
+#endif
+
if (PG(safe_mode)){
b = strchr(command, ' ');
if (!b) {
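Review bot: the memmove() removes an 'e' from the script-supplied mode but mode_len is not decremented afterwards, so anything that later uses mode_len together with posix_mode sees one stale byte; also, "char *e = ..." after executable statements is a declaration-after-statement that a C89 build rejects. As shown, this hunk only strips an 'e' and nothing in it adds close-on-exec to the PHP-level popen(), so either a further hunk sets it or the changelog's FD_CLOEXEC claim does not cover popen() called from scripts; the patch header should say which.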
diff --git a/ext/standard/mail.c b/ext/standard/mail.c
index ab65f16..ed421e0 100644
--- a/ext/standard/mail.c
+++ b/ext/standard/mail.c
@@ -288,8 +288,12 @@ PHPAPI int php_mail(char *to, char *subject, char *message, char *headers, char
* (e.g. the shell can't be executed) we explicitely set it to 0 to be
* sure we don't catch any older errno value. */
errno = 0;
+#if defined(__linux__) && __GLIBC_PREREQ(2, 9)
+ sendmail = popen(sendmail_cmd, "we");
+#else
sendmail = popen(sendmail_cmd, "w");
#endif
+#endif
if (extra_cmd != NULL) {
efree (sendmail_cmd);
}
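Review bot: the same __GLIBC_PREREQ portability caveat as in exec.c applies to this guard. The change itself is the security-relevant one: with "we" the sendmail child spawned by mail() no longer inherits the server's other descriptors (listening sockets, database connections, open files), which is the race the changelog alludes to. Note that the existing "#endif" on the context line now closes the new inner #if and the added "#endif" closes the original outer one; balanced, but a trailing comment on each would make the nesting readable.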
++++++ php5-apache_sapi_install.patch ++++++
--- /var/tmp/diff_new_pack.wTmkJt/_old 2010-04-23 01:28:38.000000000 +0200
+++ /var/tmp/diff_new_pack.wTmkJt/_new 2010-04-23 01:28:38.000000000 +0200
@@ -4,8 +4,10 @@
sapi/apache2handler/config.m4 | 9 ---------
1 file changed, 9 deletions(-)
---- php-5.2.3.orig/sapi/apache2handler/config.m4
-+++ php-5.2.3/sapi/apache2handler/config.m4
+Index: sapi/apache2handler/config.m4
+===================================================================
+--- sapi/apache2handler/config.m4.orig 2008-03-11 23:47:39.000000000 +0100
++++ sapi/apache2handler/config.m4 2010-04-02 00:00:15.311457000 +0200
@@ -68,18 +68,9 @@ if test "$PHP_APXS2" != "no"; then
fi
++++++ php5-php-config.patch ++++++
--- /var/tmp/diff_new_pack.wTmkJt/_old 2010-04-23 01:28:38.000000000 +0200
+++ /var/tmp/diff_new_pack.wTmkJt/_new 2010-04-23 01:28:38.000000000 +0200
@@ -2,8 +2,10 @@
scripts/php-config.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
---- scripts/php-config.in
-+++ scripts/php-config.in
+Index: scripts/php-config.in
+===================================================================
+--- scripts/php-config.in.orig 2007-08-24 13:44:10.000000000 +0200
++++ scripts/php-config.in 2010-04-02 00:00:16.440342000 +0200
@@ -5,7 +5,7 @@ prefix="@prefix@"
exec_prefix="@exec_prefix@"
version="@PHP_VERSION@"
++++++ php5-phpize.patch ++++++
--- /var/tmp/diff_new_pack.wTmkJt/_old 2010-04-23 01:28:38.000000000 +0200
+++ /var/tmp/diff_new_pack.wTmkJt/_new 2010-04-23 01:28:38.000000000 +0200
@@ -3,8 +3,10 @@
scripts/phpize.in | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
---- scripts/Makefile.frag.orig
-+++ scripts/Makefile.frag
+Index: scripts/Makefile.frag
+===================================================================
+--- scripts/Makefile.frag.orig 2005-11-22 00:08:02.000000000 +0100
++++ scripts/Makefile.frag 2010-04-02 00:00:15.074448000 +0200
@@ -3,8 +3,8 @@
# Build environment install
#
@@ -16,8 +18,10 @@
BUILD_FILES = \
scripts/phpize.m4 \
---- scripts/phpize.in.orig
-+++ scripts/phpize.in
+Index: scripts/phpize.in
+===================================================================
+--- scripts/phpize.in.orig 2009-06-24 09:42:33.000000000 +0200
++++ scripts/phpize.in 2010-04-02 00:00:15.080427000 +0200
@@ -3,8 +3,8 @@
# Variable declaration
prefix='@prefix@'
++++++ suhosin-0.9.29.tgz -> suhosin-0.9.31.tgz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/suhosin-0.9.29/Changelog new/suhosin-0.9.31/Changelog
--- old/suhosin-0.9.29/Changelog 2009-08-15 17:54:42.000000000 +0200
+++ new/suhosin-0.9.31/Changelog 2010-03-28 22:43:13.000000000 +0200
@@ -1,3 +1,22 @@
+2010-03-28 - 0.9.31
+
+ - Fix ZTS build of session.c
+ - Increased session identifier entropy by using /dev/urandom if available
+
+2010-03-25 - 0.9.30
+
+ - Added line ending characters %0a and %0d to the list of dangerous characters handled
+ by suhosin.server.encode and suhosin.server.strip
+ - Fixed crash bug with PHP 5.3.x and session module (due to changed session globals struct)
+ - Added ! protection to PHP session serializer
+ - Fixed simulation mode now also affects (dis)allowed functions
+ - Fixed missing return (1); in random number generator replacements
+ - Fixed random number generator replacement error case behaviour in PHP 5.3.x
+ - Fixed error case handling in function_exists() PHP 5.3.x
+ - Merged changes/fixes in import_request_variables()/extract() from upstream PHP
+ - Fixed suhosin_header_handler to be PHP 5.3.x compatible
+ - Merge fixes and new features of PHP's file upload code to suhosin
+
2009-08-15 - 0.9.29
- Fixing crash bugs with PHP 5.3.0 caused by unexpected NULL in EG(active_symbol_table)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/suhosin-0.9.29/crypt.c new/suhosin-0.9.31/crypt.c
--- old/suhosin-0.9.29/crypt.c 2009-08-15 16:59:55.000000000 +0200
+++ new/suhosin-0.9.31/crypt.c 2010-03-28 22:43:13.000000000 +0200
@@ -3,7 +3,7 @@
| Suhosin Version 1 |
+----------------------------------------------------------------------+
| Copyright (c) 2006-2007 The Hardened-PHP Project |
- | Copyright (c) 2007 SektionEins GmbH |
+ | Copyright (c) 2007-2010 SektionEins GmbH |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/suhosin-0.9.29/ex_imp.c new/suhosin-0.9.31/ex_imp.c
--- old/suhosin-0.9.29/ex_imp.c 2009-08-15 17:05:29.000000000 +0200
+++ new/suhosin-0.9.31/ex_imp.c 2010-03-28 22:43:13.000000000 +0200
@@ -3,7 +3,7 @@
| Suhosin Version 1 |
+----------------------------------------------------------------------+
| Copyright (c) 2006-2007 The Hardened-PHP Project |
- | Copyright (c) 2007 SektionEins GmbH |
+ | Copyright (c) 2007-2010 SektionEins GmbH |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
@@ -28,6 +28,7 @@
#include "php_ini.h"
#include "php_suhosin.h"
#include "ext/standard/php_smart_str.h"
+#include "ext/standard/php_var.h"
#define EXTR_OVERWRITE 0
@@ -41,21 +42,33 @@
#define EXTR_REFS 0x100
-static int php_valid_var_name(char *var_name)
+static int php_valid_var_name(char *var_name, int len) /* {{{ */
{
- int len, i;
+ int i, ch;
if (!var_name)
return 0;
-
- len = strlen(var_name);
-
- if (!isalpha((int)((unsigned char *)var_name)[0]) && var_name[0] != '_')
+
+ /* These are allowed as first char: [a-zA-Z_\x7f-\xff] */
+ ch = (int)((unsigned char *)var_name)[0];
+ if (var_name[0] != '_' &&
+ (ch < 65 /* A */ || /* Z */ ch > 90) &&
+ (ch < 97 /* a */ || /* z */ ch > 122) &&
+ (ch < 127 /* 0x7f */ || /* 0xff */ ch > 255)
+ ) {
return 0;
-
+ }
+
+ /* And these as the rest: [a-zA-Z0-9_\x7f-\xff] */
if (len > 1) {
- for (i=1; i 57) &&
+ (ch < 65 /* A */ || /* Z */ ch > 90) &&
+ (ch < 97 /* a */ || /* z */ ch > 122) &&
+ (ch < 127 /* 0x7f */ || /* 0xff */ ch > 255)
+ ) {
return 0;
}
}
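Review bot: "ch > 255" can never be true, since ch is read from an unsigned char, so each "(ch < 127 || ch > 255)" reduces to "ch < 127"; harmless, but writing "ch < 0x7f" alone says what is meant. Taking len as a parameter instead of calling strlen() is the right fix, because hash keys carry an explicit length and are not guaranteed NUL-terminated where the validator runs. The loop line is mangled in this rendering, so the rest-of-name check could not be reviewed here.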
@@ -95,7 +108,162 @@
Imports variables into symbol table from an array */
PHP_FUNCTION(suhosin_extract)
{
- zval **var_array, **z_extract_type, **prefix;
+#if PHP_VERSION_ID >= 50300
+ zval *var_array, *prefix = NULL;
+ long extract_type = EXTR_OVERWRITE;
+ zval **entry, *data;
+ char *var_name;
+ ulong num_key;
+ uint var_name_len;
+ int var_exists, key_type, count = 0;
+ int extract_refs = 0;
+ HashPosition pos;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "a|lz/", &var_array, &extract_type, &prefix) == FAILURE) {
+ return;
+ }
+
+ extract_refs = (extract_type & EXTR_REFS);
+ extract_type &= 0xff;
+
+ if (extract_type < EXTR_OVERWRITE || extract_type > EXTR_IF_EXISTS) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid extract type");
+ return;
+ }
+
+ if (extract_type > EXTR_SKIP && extract_type <= EXTR_PREFIX_IF_EXISTS && ZEND_NUM_ARGS() < 3) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "specified extract type requires the prefix parameter");
+ return;
+ }
+
+ if (prefix) {
+ convert_to_string(prefix);
+ if (Z_STRLEN_P(prefix) && !php_valid_var_name(Z_STRVAL_P(prefix), Z_STRLEN_P(prefix))) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "prefix is not a valid identifier");
+ return;
+ }
+ }
+
+ if (!EG(active_symbol_table)) {
+ zend_rebuild_symbol_table(TSRMLS_C);
+ }
+
+ /* var_array is passed by ref for the needs of EXTR_REFS (needs to
+ * work on the original array to create refs to its members)
+ * simulate pass_by_value if EXTR_REFS is not used */
+ if (!extract_refs) {
+ SEPARATE_ARG_IF_REF(var_array);
+ }
+
+ zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(var_array), &pos);
+ while (zend_hash_get_current_data_ex(Z_ARRVAL_P(var_array), (void **)&entry, &pos) == SUCCESS) {
+ zval final_name;
+
+ ZVAL_NULL(&final_name);
+
+ key_type = zend_hash_get_current_key_ex(Z_ARRVAL_P(var_array), &var_name, &var_name_len, &num_key, 0, &pos);
+ var_exists = 0;
+
+ if (key_type == HASH_KEY_IS_STRING) {
+ var_name_len--;
+ var_exists = zend_hash_exists(EG(active_symbol_table), var_name, var_name_len + 1);
+ } else if (key_type == HASH_KEY_IS_LONG && (extract_type == EXTR_PREFIX_ALL || extract_type == EXTR_PREFIX_INVALID)) {
+ zval num;
+
+ ZVAL_LONG(&num, num_key);
+ convert_to_string(&num);
+ php_prefix_varname(&final_name, prefix, Z_STRVAL(num), Z_STRLEN(num), 1 TSRMLS_CC);
+ zval_dtor(&num);
+ } else {
+ zend_hash_move_forward_ex(Z_ARRVAL_P(var_array), &pos);
+ continue;
+ }
+
+ switch (extract_type) {
+ case EXTR_IF_EXISTS:
+ if (!var_exists) break;
+ /* break omitted intentionally */
+
+ case EXTR_OVERWRITE:
+ /* GLOBALS protection */
+ if (var_exists && var_name_len == sizeof("GLOBALS") && !strcmp(var_name, "GLOBALS")) {
+ break;
+ }
+ if (var_exists && var_name_len == sizeof("this") && !strcmp(var_name, "this") && EG(scope) && EG(scope)->name_length != 0) {
+ break;
+ }
+ ZVAL_STRINGL(&final_name, var_name, var_name_len, 1);
+ break;
+
+ case EXTR_PREFIX_IF_EXISTS:
+ if (var_exists) {
+ php_prefix_varname(&final_name, prefix, var_name, var_name_len, 1 TSRMLS_CC);
+ }
+ break;
+
+ case EXTR_PREFIX_SAME:
+ if (!var_exists && var_name_len != 0) {
+ ZVAL_STRINGL(&final_name, var_name, var_name_len, 1);
+ }
+ /* break omitted intentionally */
+
+ case EXTR_PREFIX_ALL:
+ if (Z_TYPE(final_name) == IS_NULL && var_name_len != 0) {
+ php_prefix_varname(&final_name, prefix, var_name, var_name_len, 1 TSRMLS_CC);
+ }
+ break;
+
+ case EXTR_PREFIX_INVALID:
+ if (Z_TYPE(final_name) == IS_NULL) {
+ if (!php_valid_var_name(var_name, var_name_len)) {
+ php_prefix_varname(&final_name, prefix, var_name, var_name_len, 1 TSRMLS_CC);
+ } else {
+ ZVAL_STRINGL(&final_name, var_name, var_name_len, 1);
+ }
+ }
+ break;
+
+ default:
+ if (!var_exists) {
+ ZVAL_STRINGL(&final_name, var_name, var_name_len, 1);
+ }
+ break;
+ }
+
+ if (Z_TYPE(final_name) != IS_NULL && php_valid_var_name(Z_STRVAL(final_name), Z_STRLEN(final_name))) {
+ if (extract_refs) {
+ zval **orig_var;
+
+ SEPARATE_ZVAL_TO_MAKE_IS_REF(entry);
+ zval_add_ref(entry);
+
+ if (zend_hash_find(EG(active_symbol_table), Z_STRVAL(final_name), Z_STRLEN(final_name) + 1, (void **) &orig_var) == SUCCESS) {
+ zval_ptr_dtor(orig_var);
+ *orig_var = *entry;
+ } else {
+ zend_hash_update(EG(active_symbol_table), Z_STRVAL(final_name), Z_STRLEN(final_name) + 1, (void **) entry, sizeof(zval *), NULL);
+ }
+ } else {
+ MAKE_STD_ZVAL(data);
+ *data = **entry;
+ zval_copy_ctor(data);
+
+ ZEND_SET_SYMBOL_WITH_LENGTH(EG(active_symbol_table), Z_STRVAL(final_name), Z_STRLEN(final_name) + 1, data, 1, 0);
+ }
+ count++;
+ }
+ zval_dtor(&final_name);
+
+ zend_hash_move_forward_ex(Z_ARRVAL_P(var_array), &pos);
+ }
+
+ if (!extract_refs) {
+ zval_ptr_dtor(&var_array);
+ }
+
+ RETURN_LONG(count);
+#else
+ zval **var_array, *orig_var_array, **z_extract_type, **prefix;
zval **entry, *data;
char *var_name;
smart_str final_name = {0};
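Review bot: the GLOBALS and $this guards in the EXTR_OVERWRITE case of the new PHP 5.3 branch are off by one and cannot fire. Right after zend_hash_get_current_key_ex the code does `var_name_len--;` and then calls `zend_hash_exists(..., var_name_len + 1)`, so var_name_len now excludes the terminating NUL and is 7 for "GLOBALS", while `sizeof("GLOBALS")` is 8 (likewise 4 versus `sizeof("this")` == 5). Suggest `var_name_len == sizeof("GLOBALS") - 1` and `var_name_len == sizeof("this") - 1`; as written, extract() with EXTR_OVERWRITE on an attacker-shaped array can still replace the GLOBALS entry in the active symbol table, which is precisely what this guard exists to prevent.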
@@ -143,12 +311,6 @@
break;
}
-#if PHP_VERSION_ID >= 50300
- if (!EG(active_symbol_table)) {
- zend_rebuild_symbol_table(TSRMLS_C);
- }
-#endif
-
if (extract_type < EXTR_OVERWRITE || extract_type > EXTR_IF_EXISTS) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown extract type");
return;
@@ -158,7 +320,15 @@
php_error_docref(NULL TSRMLS_CC, E_WARNING, "First argument should be an array");
return;
}
-
+
+ /* var_array is passed by ref for the needs of EXTR_REFS (needs to
+ * work on the original array to create refs to its members)
+ * simulate pass_by_value if EXTR_REFS is not used */
+ if (!extract_refs) {
+ orig_var_array = *var_array;
+ SEPARATE_ARG_IF_REF((*var_array));
+ }
+
zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(var_array), &pos);
while (zend_hash_get_current_data_ex(Z_ARRVAL_PP(var_array), (void **)&entry, &pos) == SUCCESS) {
key_type = zend_hash_get_current_key_ex(Z_ARRVAL_PP(var_array), &var_name, &var_name_len, &num_key, 0, &pos);
@@ -183,7 +353,10 @@
case EXTR_OVERWRITE:
/* GLOBALS protection */
- if (var_exists && !strcmp(var_name, "GLOBALS")) {
+ if (var_exists && var_name_len == sizeof("GLOBALS") && !strcmp(var_name, "GLOBALS")) {
+ break;
+ }
+ if (var_exists && var_name_len == sizeof("this") && !strcmp(var_name, "this") && EG(scope) && EG(scope)->name_length != 0) {
break;
}
smart_str_appendl(&final_name, var_name, var_name_len);
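Review bot: the same `var_name_len == sizeof("GLOBALS")` / `var_name_len == sizeof("this")` comparison is added here for the pre-5.3 branch. If var_name_len has already been reduced to exclude the NUL before this switch, as the 5.3 branch above does, both guards are off by one and should compare against `sizeof("GLOBALS") - 1` and `sizeof("this") - 1`. Note that the previous plain `!strcmp(var_name, "GLOBALS")` did work, so an off-by-one length check here would weaken the guard rather than tighten it; please confirm the length convention in this branch before merging.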
@@ -212,7 +385,7 @@
case EXTR_PREFIX_INVALID:
if (final_name.len == 0) {
- if (!php_valid_var_name(var_name)) {
+ if (!php_valid_var_name(var_name, var_name_len)) {
smart_str_appendl(&final_name, Z_STRVAL_PP(prefix), Z_STRLEN_PP(prefix));
smart_str_appendc(&final_name, '_');
smart_str_appendl(&final_name, var_name, var_name_len);
@@ -229,24 +402,17 @@
if (final_name.len) {
smart_str_0(&final_name);
- if (php_valid_var_name(final_name.c)) {
+ if (php_valid_var_name(final_name.c, final_name.len)) {
if (extract_refs) {
zval **orig_var;
+ SEPARATE_ZVAL_TO_MAKE_IS_REF(entry);
+ zval_add_ref(entry);
+
if (zend_hash_find(EG(active_symbol_table), final_name.c, final_name.len+1, (void **) &orig_var) == SUCCESS) {
- SEPARATE_ZVAL_TO_MAKE_IS_REF(entry);
- zval_add_ref(entry);
-
zval_ptr_dtor(orig_var);
-
*orig_var = *entry;
} else {
- if (Z_REFCOUNT_PP(var_array) > 1) {
- SEPARATE_ZVAL_TO_MAKE_IS_REF(entry);
- } else {
- Z_SET_ISREF_PP(entry);
- }
- zval_add_ref(entry);
zend_hash_update(EG(active_symbol_table), final_name.c, final_name.len+1, (void **) entry, sizeof(zval *), NULL);
}
} else {
@@ -265,13 +431,89 @@
zend_hash_move_forward_ex(Z_ARRVAL_PP(var_array), &pos);
}
+ if (!extract_refs) {
+ zval_ptr_dtor(var_array);
+ *var_array = orig_var_array;
+ }
smart_str_free(&final_name);
RETURN_LONG(count);
+#endif
}
/* }}} */
+#if PHP_VERSION_ID >= 50300
+static int copy_request_variable(void *pDest TSRMLS_DC, int num_args, va_list args, zend_hash_key *hash_key)
+{
+ zval *prefix, new_key;
+ int prefix_len;
+ zval **var = (zval **) pDest;
+
+ if (num_args != 1) {
+ return 0;
+ }
+
+ prefix = va_arg(args, zval *);
+ prefix_len = Z_STRLEN_P(prefix);
+
+ if (!prefix_len && !hash_key->nKeyLength) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard");
+ return 0;
+ }
+
+ if (hash_key->nKeyLength) {
+ php_prefix_varname(&new_key, prefix, hash_key->arKey, hash_key->nKeyLength - 1, 0 TSRMLS_CC);
+ } else {
+ zval num;
+
+ ZVAL_LONG(&num, hash_key->h);
+ convert_to_string(&num);
+ php_prefix_varname(&new_key, prefix, Z_STRVAL(num), Z_STRLEN(num), 0 TSRMLS_CC);
+ zval_dtor(&num);
+ }
+
+ if (php_varname_check(Z_STRVAL(new_key), Z_STRLEN(new_key), 0 TSRMLS_CC) == FAILURE) {
+ zval_dtor(&new_key);
+ return 0;
+ }
+
+ if (Z_STRVAL(new_key)[0] == 'H') {
+ if ((strcmp(Z_STRVAL(new_key), "HTTP_GET_VARS")==0)||
+ (strcmp(Z_STRVAL(new_key), "HTTP_POST_VARS")==0)||
+ (strcmp(Z_STRVAL(new_key), "HTTP_POST_FILES")==0)||
+ (strcmp(Z_STRVAL(new_key), "HTTP_ENV_VARS")==0)||
+ (strcmp(Z_STRVAL(new_key), "HTTP_SERVER_VARS")==0)||
+ (strcmp(Z_STRVAL(new_key), "HTTP_SESSION_VARS")==0)||
+ (strcmp(Z_STRVAL(new_key), "HTTP_COOKIE_VARS")==0)||
+ (strcmp(Z_STRVAL(new_key), "HTTP_RAW_POST_DATA")==0)) {
+ zval_dtor(&new_key);
+ return 0;
+ }
+ } else if (Z_STRVAL(new_key)[0] == '_') {
+ if ((strcmp(Z_STRVAL(new_key), "_COOKIE")==0)||
+ (strcmp(Z_STRVAL(new_key), "_ENV")==0)||
+ (strcmp(Z_STRVAL(new_key), "_FILES")==0)||
+ (strcmp(Z_STRVAL(new_key), "_GET")==0)||
+ (strcmp(Z_STRVAL(new_key), "_POST")==0)||
+ (strcmp(Z_STRVAL(new_key), "_REQUEST")==0)||
+ (strcmp(Z_STRVAL(new_key), "_SESSION")==0)||
+ (strcmp(Z_STRVAL(new_key), "_SERVER")==0)) {
+ zval_dtor(&new_key);
+ return 0;
+ }
+ } else if (strcmp(Z_STRVAL(new_key), "GLOBALS")==0) {
+ zval_dtor(&new_key);
+ return 0;
+ }
+
+ zend_delete_global_variable(Z_STRVAL(new_key), Z_STRLEN(new_key) TSRMLS_CC);
+ ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), Z_STRVAL(new_key), Z_STRLEN(new_key) + 1, *var, Z_REFCOUNT_PP(var) + 1, 0);
+
+ zval_dtor(&new_key);
+ return 0;
+}
+#else
static int copy_request_variable(void *pDest, int num_args, va_list args, zend_hash_key *hash_key)
{
char *prefix, *new_key;
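Review bot: the superglobal name list in the new 5.3 copy_request_variable (HTTP_GET_VARS ... HTTP_RAW_POST_DATA, _COOKIE ... _SERVER, GLOBALS) duplicates the list the pre-5.3 function keeps under `if (new_key[0] == 'H')`; a single static table of protected names consulted by both variants would keep the two from drifting apart. Also worth a comment at the comparison: it runs on the already prefixed new_key built by php_prefix_varname, so with a non-empty prefix these names can never match and the block only matters for the empty-prefix case, with php_varname_check just above doing the rest of the validation.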
@@ -304,6 +546,12 @@
memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
} else {
new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h);
+ new_key_len++;
+ }
+
+ if (php_varname_check(new_key, new_key_len-1, 0 TSRMLS_CC) == FAILURE) {
+ zval_dtor(&new_key);
+ return 0;
}
if (new_key[0] == 'H') {
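Review bot: `zval_dtor(&new_key)` on the new php_varname_check failure path is wrong in this branch: new_key is a `char *` here (the function declares `char *prefix, *new_key;`), not a zval, so this passes a `char **` where a `zval *` is expected and runs the zval destructor over the pointer's own bytes. The existing cleanup at the end of this function uses `efree(new_key);`, and the new early return should do the same: `efree(new_key); return 0;`.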
@@ -345,15 +593,68 @@
efree(new_key);
return 0;
}
+#endif
/* {{{ proto bool import_request_variables(string types [, string prefix])
Import GET/POST/Cookie variables into the global scope */
PHP_FUNCTION(suhosin_import_request_variables)
{
+#if PHP_VERSION_ID >= 50300
+ char *types;
+ int types_len;
+ zval *prefix = NULL;
+ char *p;
+ zend_bool ok = 0;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|z/", &types, &types_len, &prefix) == FAILURE) {
+ return;
+ }
+
+ if (ZEND_NUM_ARGS() > 1) {
+ convert_to_string(prefix);
+
+ if (Z_STRLEN_P(prefix) == 0) {
+ php_error_docref(NULL TSRMLS_CC, E_NOTICE, "No prefix specified - possible security hazard");
+ }
+ } else {
+ MAKE_STD_ZVAL(prefix);
+ ZVAL_EMPTY_STRING(prefix);
+ }
+
+ for (p = types; p && *p; p++) {
+ switch (*p) {
+
+ case 'g':
+ case 'G':
+ zend_hash_apply_with_arguments(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_GET]) TSRMLS_CC, (apply_func_args_t) copy_request_variable, 1, prefix);
+ ok = 1;
+ break;
+
+ case 'p':
+ case 'P':
+ zend_hash_apply_with_arguments(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_POST]) TSRMLS_CC, (apply_func_args_t) copy_request_variable, 1, prefix);
+ zend_hash_apply_with_arguments(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_FILES]) TSRMLS_CC, (apply_func_args_t) copy_request_variable, 1, prefix);
+ ok = 1;
+ break;
+
+ case 'c':
+ case 'C':
+ zend_hash_apply_with_arguments(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_COOKIE]) TSRMLS_CC, (apply_func_args_t) copy_request_variable, 1, prefix);
+ ok = 1;
+ break;
+ }
+ }
+
+ if (ZEND_NUM_ARGS() < 2) {
+ zval_ptr_dtor(&prefix);
+ }
+ RETURN_BOOL(ok);
+#else
zval **z_types, **z_prefix;
char *types, *prefix;
uint prefix_len;
char *p;
+ zend_bool ok = 0;
switch (ZEND_NUM_ARGS()) {
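Review bot: the "No prefix specified - possible security hazard" notice in the 5.3 branch is only emitted inside `if (ZEND_NUM_ARGS() > 1)`, i.e. when the caller passes an explicit empty prefix; when the prefix argument is omitted the `else` branch synthesises an empty string via MAKE_STD_ZVAL / ZVAL_EMPTY_STRING and stays silent, although the resulting import of request keys as unprefixed globals is the same. Consider raising the notice in both cases, or documenting why the omitted-argument form is treated as intentional. The synthesised prefix is correctly released by the `zval_ptr_dtor(&prefix)` under `ZEND_NUM_ARGS() < 2` at the end.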
@@ -391,29 +692,44 @@
case 'g':
case 'G':
zend_hash_apply_with_arguments(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_GET]), (apply_func_args_t) copy_request_variable, 2, prefix, prefix_len);
+ ok = 1;
break;
case 'p':
case 'P':
zend_hash_apply_with_arguments(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_POST]), (apply_func_args_t) copy_request_variable, 2, prefix, prefix_len);
zend_hash_apply_with_arguments(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_FILES]), (apply_func_args_t) copy_request_variable, 2, prefix, prefix_len);
+ ok = 1;
break;
case 'c':
case 'C':
zend_hash_apply_with_arguments(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_COOKIE]), (apply_func_args_t) copy_request_variable, 2, prefix, prefix_len);
+ ok = 1;
break;
}
}
+ RETURN_BOOL(ok);
+#endif
}
/* }}} */
+ZEND_BEGIN_ARG_INFO_EX(suhosin_arginfo_extract, 0, 0, 1)
+ ZEND_ARG_INFO(ZEND_SEND_PREFER_REF, arg) /* ARRAY_INFO(0, arg, 0) */
+ ZEND_ARG_INFO(0, extract_type)
+ ZEND_ARG_INFO(0, prefix)
+ZEND_END_ARG_INFO()
+
+ZEND_BEGIN_ARG_INFO_EX(suhosin_arginfo_import_request_variables, 0, 0, 1)
+ ZEND_ARG_INFO(0, types)
+ ZEND_ARG_INFO(0, prefix)
+ZEND_END_ARG_INFO()
/* {{{ suhosin_ex_imp_functions[]
*/
function_entry suhosin_ex_imp_functions[] = {
- PHP_NAMED_FE(extract, PHP_FN(suhosin_extract), NULL)
- PHP_NAMED_FE(import_request_variables, PHP_FN(suhosin_import_request_variables), NULL)
+ PHP_NAMED_FE(extract, PHP_FN(suhosin_extract), suhosin_arginfo_extract)
+ PHP_NAMED_FE(import_request_variables, PHP_FN(suhosin_import_request_variables), suhosin_arginfo_import_request_variables)
{NULL, NULL, NULL}
};
/* }}} */
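Review bot: the two ZEND_BEGIN_ARG_INFO_EX blocks (suhosin_arginfo_extract, suhosin_arginfo_import_request_variables) are added outside any `#if`, while this extension still carries PHP 4 branches elsewhere (session.c keeps `PHP_MAJOR_VERSION == 4 && PHP_MINOR_VERSION >= 3` cases). Zend Engine 1 has no arginfo or ZEND_SEND_PREFER_REF, so either wrap the blocks and the function-table entries in `#ifdef ZEND_ENGINE_2` with the previous `NULL` as fallback, or state in the changelog that PHP 4 is no longer supported. ZEND_SEND_PREFER_REF on the extract array argument is the right choice, since EXTR_REFS needs the caller's original array.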
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/suhosin-0.9.29/execute.c new/suhosin-0.9.31/execute.c
--- old/suhosin-0.9.29/execute.c 2009-08-15 16:59:55.000000000 +0200
+++ new/suhosin-0.9.31/execute.c 2010-03-28 22:43:13.000000000 +0200
@@ -1067,19 +1067,34 @@
static int ih_function_exists(IH_HANDLER_PARAMS)
{
+#ifndef PHP_ATLEAST_5_3
zval **function_name;
+#endif
zend_function *func;
char *lcname;
zend_bool retval;
int func_name_len;
+#ifndef PHP_ATLEAST_5_3
if (ZEND_NUM_ARGS()!=1 || zend_get_parameters_ex(1, &function_name)==FAILURE) {
- ZEND_WRONG_PARAM_COUNT();
+ ZEND_WRONG_PARAM_COUNT_WITH_RETVAL(1);
}
convert_to_string_ex(function_name);
func_name_len = Z_STRLEN_PP(function_name);
- lcname = estrndup(Z_STRVAL_PP(function_name), func_name_len);
+ lcname = estrndup(Z_STRVAL_PP(function_name), func_name_len);
zend_str_tolower(lcname, func_name_len);
+#else
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &lcname, &func_name_len) == FAILURE) {
+ return;
+ }
+
+ /* Ignore leading "\" */
+ if (lcname[0] == '\\') {
+ lcname = &lcname[1];
+ func_name_len--;
+ }
+ lcname = zend_str_tolower_dup(lcname, func_name_len);
+#endif
retval = (zend_hash_find(EG(function_table), lcname, func_name_len+1, (void **)&func) == SUCCESS);
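Review bot: the bare `return;` inside the new `#else` (PHP_ATLEAST_5_3) branch of ih_function_exists returns no value from a function declared `static int`, which is a constraint violation in C99 and leaves the handler's result undefined. The pre-5.3 branch uses `ZEND_WRONG_PARAM_COUNT_WITH_RETVAL(1)`, so the matching fix is `return (1);`. Separately, the 5.3 path now creates lcname with `zend_str_tolower_dup` after stripping a leading backslash; please confirm the efree at the end of the handler still covers this path as it did for the old estrndup copy.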
@@ -1394,7 +1409,6 @@
long seed;
if (zend_parse_parameters(argc TSRMLS_CC, "|l", &seed) == FAILURE || SUHOSIN_G(srand_ignore)) {
- RETVAL_FALSE;
return (1);
}
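Review bot: a one-line comment at `return (1);` in this parse-failure path would explain why no return value is set any more: with `RETVAL_FALSE` removed here and `RETVAL_TRUE` removed in the following srand/mt_srand hunks, return_value stays untouched and the hooked srand()/mt_srand() now return NULL like the originals rather than a bool, while the handler still reports the call as handled (1). That is the intended behaviour for these void functions, but it is not obvious from the diff alone.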
@@ -1403,7 +1417,6 @@
} else {
suhosin_srand(seed TSRMLS_CC);
}
- RETVAL_TRUE;
return (1);
}
@@ -1413,7 +1426,6 @@
long seed;
if (zend_parse_parameters(argc TSRMLS_CC, "|l", &seed) == FAILURE || SUHOSIN_G(mt_srand_ignore)) {
- RETVAL_FALSE;
return (1);
}
@@ -1422,7 +1434,6 @@
} else {
suhosin_mt_srand(seed TSRMLS_CC);
}
- RETVAL_TRUE;
return (1);
}
@@ -1446,7 +1457,8 @@
RAND_RANGE(number, min, max, PHP_MT_RAND_MAX);
}
- RETURN_LONG(number);
+ RETVAL_LONG(number);
+ return (1);
}
static int ih_rand(IH_HANDLER_PARAMS)
@@ -1469,17 +1481,23 @@
RAND_RANGE(number, min, max, PHP_MT_RAND_MAX);
}
- RETURN_LONG(number);
+ RETVAL_LONG(number);
+ return (1);
}
static int ih_getrandmax(IH_HANDLER_PARAMS)
{
- int argc = ZEND_NUM_ARGS();
+#ifdef PHP_ATLEAST_5_3
+ if (zend_parse_parameters_none() == FAILURE) {
+ return;
+ }
+#else
+ int argc = ZEND_NUM_ARGS();
- if (argc != 0) {
- ZEND_WRONG_PARAM_COUNT();
- }
-
+ if (argc != 0) {
+ ZEND_WRONG_PARAM_COUNT_WITH_RETVAL(1);
+ }
+#endif
RETVAL_LONG(PHP_MT_RAND_MAX);
return (1);
}
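Review bot: same defect as in ih_function_exists: the `return;` under `#ifdef PHP_ATLEAST_5_3` in ih_getrandmax is a valueless return from a `static int` handler. The `#else` branch returns via `ZEND_WRONG_PARAM_COUNT_WITH_RETVAL(1)`, so this should read `return (1);`. The RETURN_LONG to RETVAL_LONG plus `return (1);` conversions in the mt_rand and rand hunks just above fix exactly this class of problem and are the pattern to follow.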
@@ -1543,6 +1561,7 @@
};
#define FUNCTION_WARNING() zend_error(E_WARNING, "%s() has been disabled for security reasons", get_active_function_name(TSRMLS_C));
+#define FUNCTION_SIMULATE_WARNING() zend_error(E_WARNING, "SIMULATION - %s() has been disabled for security reasons", get_active_function_name(TSRMLS_C));
/* {{{ void suhosin_execute_internal(zend_execute_data *execute_data_ptr, int return_value_used TSRMLS_DC)
* This function provides a hook for internal execution */
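Review bot: FUNCTION_SIMULATE_WARNING, like the existing FUNCTION_WARNING, carries its trailing semicolon inside the macro body, and the call sites below invoke it as `FUNCTION_SIMULATE_WARNING()` with no semicolon. It compiles, but it reads as a function call that is missing its terminator and breaks if the macro is ever used in an expression context. Suggest dropping the `;` from both macro definitions (or wrapping them in `do { ... } while (0)`) and terminating the call sites normally.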
@@ -1577,7 +1596,7 @@
#ifdef ZEND_ENGINE_2
return_value = (*(temp_variable *)((char *) execute_data_ptr->Ts + execute_data_ptr->opline->result.u.var)).var.ptr;
#else
- return_value = execute_data_ptr->Ts[execute_data_ptr->opline->result.u.var].var.ptr;
+ return_value = execute_data_ptr->Ts[execute_data_ptr->opline->result.u.var].var.ptr;
#endif
ht = execute_data_ptr->opline->extended_value;
@@ -1588,12 +1607,20 @@
if (SUHOSIN_G(eval_whitelist) != NULL) {
if (!zend_hash_exists(SUHOSIN_G(eval_whitelist), lcname, function_name_strlen+1)) {
suhosin_log(S_EXECUTOR, "function outside of eval whitelist called: %s()", lcname);
- goto execute_internal_bailout;
+ if (!SUHOSIN_G(simulation)) {
+ goto execute_internal_bailout;
+ } else {
+ FUNCTION_SIMULATE_WARNING()
+ }
}
} else if (SUHOSIN_G(eval_blacklist) != NULL) {
if (zend_hash_exists(SUHOSIN_G(eval_blacklist), lcname, function_name_strlen+1)) {
suhosin_log(S_EXECUTOR, "function within eval blacklist called: %s()", lcname);
- goto execute_internal_bailout;
+ if (!SUHOSIN_G(simulation)) {
+ goto execute_internal_bailout;
+ } else {
+ FUNCTION_SIMULATE_WARNING()
+ }
}
}
}
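Review bot: the `if (!SUHOSIN_G(simulation)) { goto execute_internal_bailout; } else { FUNCTION_SIMULATE_WARNING() }` block is repeated verbatim four times (twice in this hunk, twice in the next); a small helper macro would keep the eval and function list checks in step. Behaviour is right for a simulation mode: the suhosin_log line is still written and only the bailout is replaced by a warning, so the original internal function then runs.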
@@ -1601,12 +1628,20 @@
if (SUHOSIN_G(func_whitelist) != NULL) {
if (!zend_hash_exists(SUHOSIN_G(func_whitelist), lcname, function_name_strlen+1)) {
suhosin_log(S_EXECUTOR, "function outside of whitelist called: %s()", lcname);
- goto execute_internal_bailout;
+ if (!SUHOSIN_G(simulation)) {
+ goto execute_internal_bailout;
+ } else {
+ FUNCTION_SIMULATE_WARNING()
+ }
}
} else if (SUHOSIN_G(func_blacklist) != NULL) {
if (zend_hash_exists(SUHOSIN_G(func_blacklist), lcname, function_name_strlen+1)) {
suhosin_log(S_EXECUTOR, "function within blacklist called: %s()", lcname);
- goto execute_internal_bailout;
+ if (!SUHOSIN_G(simulation)) {
+ goto execute_internal_bailout;
+ } else {
+ FUNCTION_SIMULATE_WARNING()
+ }
}
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/suhosin-0.9.29/header.c new/suhosin-0.9.31/header.c
--- old/suhosin-0.9.29/header.c 2009-08-15 16:59:55.000000000 +0200
+++ new/suhosin-0.9.31/header.c 2010-03-28 22:43:13.000000000 +0200
@@ -3,7 +3,7 @@
| Suhosin Version 1 |
+----------------------------------------------------------------------+
| Copyright (c) 2006-2007 The Hardened-PHP Project |
- | Copyright (c) 2007 SektionEins GmbH |
+ | Copyright (c) 2007-2010 SektionEins GmbH |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
@@ -32,7 +32,11 @@
#include "SAPI.h"
#include "php_variables.h"
+#if PHP_VERSION_ID >= 50300
+static int (*orig_header_handler)(sapi_header_struct *sapi_header, sapi_header_op_enum op, sapi_headers_struct *sapi_headers TSRMLS_DC) = NULL;
+#else
static int (*orig_header_handler)(sapi_header_struct *sapi_header, sapi_headers_struct *sapi_headers TSRMLS_DC) = NULL;
+#endif
char *suhosin_encrypt_single_cookie(char *name, int name_len, char *value, int value_len, char *key TSRMLS_DC)
{
@@ -221,10 +225,20 @@
/* {{{ suhosin_header_handler
*/
+#if PHP_VERSION_ID >= 50300
+int suhosin_header_handler(sapi_header_struct *sapi_header, sapi_header_op_enum op, sapi_headers_struct *sapi_headers TSRMLS_DC)
+#else
int suhosin_header_handler(sapi_header_struct *sapi_header, sapi_headers_struct *sapi_headers TSRMLS_DC)
+#endif
{
int retval = SAPI_HEADER_ADD, i;
char *tmp;
+
+#if PHP_VERSION_ID >= 50300
+ if (op != SAPI_HEADER_ADD && op != SAPI_HEADER_REPLACE) {
+ goto suhosin_skip_header_handling;
+ }
+#endif
if (!SUHOSIN_G(allow_multiheader) && sapi_header && sapi_header->header) {
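Review bot: the new `goto suhosin_skip_header_handling` for any op other than SAPI_HEADER_ADD / SAPI_HEADER_REPLACE means SAPI_HEADER_DELETE, DELETE_ALL and SET_STATUS bypass the multiheader check and the cookie handling entirely. For those ops the sapi_header carries no header string to inspect, so skipping is right, but a comment stating that at the goto would help, and the jump should be double-checked against any variable initialised between the goto and the label that is used after it (from this hunk only `retval`, initialised at its declaration, is).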
@@ -309,10 +323,14 @@
sapi_header->header_len = len;
}
-
+suhosin_skip_header_handling:
/* If existing call the sapi header handler */
if (orig_header_handler) {
+#if PHP_VERSION_ID >= 50300
+ retval = orig_header_handler(sapi_header, op, sapi_headers TSRMLS_CC);
+#else
retval = orig_header_handler(sapi_header, sapi_headers TSRMLS_CC);
+#endif
}
return retval;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/suhosin-0.9.29/ifilter.c new/suhosin-0.9.31/ifilter.c
--- old/suhosin-0.9.29/ifilter.c 2009-08-15 16:59:55.000000000 +0200
+++ new/suhosin-0.9.31/ifilter.c 2010-03-28 22:43:13.000000000 +0200
@@ -3,7 +3,7 @@
| Suhosin Version 1 |
+----------------------------------------------------------------------+
| Copyright (c) 2006-2007 The Hardened-PHP Project |
- | Copyright (c) 2007 SektionEins GmbH |
+ | Copyright (c) 2007-2010 SektionEins GmbH |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
@@ -118,7 +118,7 @@
static unsigned char suhosin_hexchars[] = "0123456789ABCDEF";
static const char suhosin_is_dangerous_char[256] = {
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0,
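Review bot: a per-row comment naming the characters would make this table reviewable without counting columns. It is indexed by byte value, so the two new 1s in the first row are 0x0A and 0x0D (LF and CR), joining the existing entries at 0x22 and 0x27 (double and single quote) in row two and 0x3C and 0x3E (`<` and `>`) in row three; treating line breaks as dangerous is what keeps header- and log-style injections out of the filtered values.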
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/suhosin-0.9.29/log.c new/suhosin-0.9.31/log.c
--- old/suhosin-0.9.29/log.c 2009-08-15 17:05:24.000000000 +0200
+++ new/suhosin-0.9.31/log.c 2010-03-28 22:43:13.000000000 +0200
@@ -3,7 +3,7 @@
| Suhosin Version 1 |
+----------------------------------------------------------------------+
| Copyright (c) 2006-2007 The Hardened-PHP Project |
- | Copyright (c) 2007 SektionEins GmbH |
+ | Copyright (c) 2007-2010 SektionEins GmbH |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/suhosin-0.9.29/memory_limit.c new/suhosin-0.9.31/memory_limit.c
--- old/suhosin-0.9.29/memory_limit.c 2009-08-15 16:59:55.000000000 +0200
+++ new/suhosin-0.9.31/memory_limit.c 2010-03-28 22:43:13.000000000 +0200
@@ -3,7 +3,7 @@
| Suhosin Version 1 |
+----------------------------------------------------------------------+
| Copyright (c) 2006-2007 The Hardened-PHP Project |
- | Copyright (c) 2007 SektionEins GmbH |
+ | Copyright (c) 2007-2010 SektionEins GmbH |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/suhosin-0.9.29/php_suhosin.h new/suhosin-0.9.31/php_suhosin.h
--- old/suhosin-0.9.29/php_suhosin.h 2009-08-15 17:47:24.000000000 +0200
+++ new/suhosin-0.9.31/php_suhosin.h 2010-03-28 22:43:13.000000000 +0200
@@ -3,7 +3,7 @@
| Suhosin Version 1 |
+----------------------------------------------------------------------+
| Copyright (c) 2006-2007 The Hardened-PHP Project |
- | Copyright (c) 2007 SektionEins GmbH |
+ | Copyright (c) 2007-2010 SektionEins GmbH |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
@@ -22,7 +22,7 @@
#ifndef PHP_SUHOSIN_H
#define PHP_SUHOSIN_H
-#define SUHOSIN_EXT_VERSION "0.9.29"
+#define SUHOSIN_EXT_VERSION "0.9.31"
/*#define SUHOSIN_DEBUG*/
#define SUHOSIN_LOG "/tmp/suhosin_log.txt"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/suhosin-0.9.29/post_handler.c new/suhosin-0.9.31/post_handler.c
--- old/suhosin-0.9.29/post_handler.c 2009-08-15 16:59:55.000000000 +0200
+++ new/suhosin-0.9.31/post_handler.c 2010-03-28 22:43:13.000000000 +0200
@@ -3,7 +3,7 @@
| Suhosin Version 1 |
+----------------------------------------------------------------------+
| Copyright (c) 2006-2007 The Hardened-PHP Project |
- | Copyright (c) 2007 SektionEins GmbH |
+ | Copyright (c) 2007-2010 SektionEins GmbH |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/suhosin-0.9.29/rfc1867.c new/suhosin-0.9.31/rfc1867.c
--- old/suhosin-0.9.29/rfc1867.c 2009-08-15 16:59:55.000000000 +0200
+++ new/suhosin-0.9.31/rfc1867.c 2010-03-28 22:43:13.000000000 +0200
@@ -33,6 +33,8 @@
#include "php_variables.h"
#include "php_suhosin.h"
#include "suhosin_rfc1867.h"
+#include "php_ini.h"
+#include "ext/standard/php_string.h"
#define DEBUG_FILE_UPLOAD ZEND_DEBUG
@@ -776,13 +778,15 @@
int str_len = 0, num_vars = 0, num_vars_max = 2*10, *len_list = NULL;
char **val_list = NULL;
#endif
- zend_bool magic_quotes_gpc;
multipart_buffer *mbuff;
zval *array_ptr = (zval *) arg;
int fd=-1;
zend_llist header;
void *event_extra_data = NULL;
-
+#if PHP_VERSION_ID >= 50302 || (PHP_VERSION_ID >= 50212 && PHP_VERSION_ID < 50300)
+ int upload_cnt = INI_INT("max_file_uploads");
+#endif
+
SDEBUG("suhosin_rfc1867_handler");
if (SG(request_info).content_length > SG(post_max_size)) {
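Review bot: the condition `PHP_VERSION_ID >= 50302 || (PHP_VERSION_ID >= 50212 && PHP_VERSION_ID < 50300)` is repeated three times in this file (here, at the `upload_cnt <= 0` check and at the `upload_cnt--`); define it once near the includes (for example as a SUHOSIN_HAVE_MAX_FILE_UPLOADS macro, name hypothetical) so a future version bump only touches one place. Reading `INI_INT("max_file_uploads")` once at handler entry is fine, since the counter only has to hold for a single request.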
@@ -792,6 +796,18 @@
/* Get the boundary */
boundary = strstr(content_type_dup, "boundary");
+ if (!boundary) {
+ int content_type_len = strlen(content_type_dup);
+ char *content_type_lcase = estrndup(content_type_dup, content_type_len);
+
+ php_strtolower(content_type_lcase, content_type_len);
+ boundary = strstr(content_type_lcase, "boundary");
+ if (boundary) {
+ boundary = content_type_dup + (boundary - content_type_lcase);
+ }
+ efree(content_type_lcase);
+ }
+
if (!boundary || !(boundary=strchr(boundary, '='))) {
sapi_module.sapi_error(E_WARNING, "Missing boundary in multipart/form-data POST data");
return;
@@ -973,7 +989,13 @@
/* If file_uploads=off, skip the file part */
if (!PG(file_uploads)) {
skip_upload = 1;
- }
+ }
+#if PHP_VERSION_ID >= 50302 || (PHP_VERSION_ID >= 50212 && PHP_VERSION_ID < 50300)
+ else if (upload_cnt <= 0) {
+ skip_upload = 1;
+ sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
+ }
+#endif
/* Return with an error if the posted data is garbled */
if (!param && !filename) {
@@ -1019,6 +1041,9 @@
/* Handle file */
fd = php_open_temporary_fd(PG(upload_tmp_dir), "php", &temp_filename TSRMLS_CC);
+#if PHP_VERSION_ID >= 50302 || (PHP_VERSION_ID >= 50212 && PHP_VERSION_ID < 50300)
+ upload_cnt--;
+#endif
if (fd==-1) {
sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
cancel_upload = UPLOAD_ERROR_E;
@@ -1075,12 +1100,12 @@
}
- if (PG(upload_max_filesize) > 0 && total_bytes > PG(upload_max_filesize)) {
+ if (PG(upload_max_filesize) > 0 && total_bytes+blen > PG(upload_max_filesize)) {
#if DEBUG_FILE_UPLOAD
sapi_module.sapi_error(E_NOTICE, "upload_max_filesize of %ld bytes exceeded - file [%s=%s] not saved", PG(upload_max_filesize), param, filename);
#endif
cancel_upload = UPLOAD_ERROR_A;
- } else if (max_file_size && (total_bytes > max_file_size)) {
+ } else if (max_file_size && (total_bytes+blen > max_file_size)) {
#if DEBUG_FILE_UPLOAD
sapi_module.sapi_error(E_NOTICE, "MAX_FILE_SIZE of %ld bytes exceeded - file [%s=%s] not saved", max_file_size, param, filename);
#endif
@@ -1270,26 +1295,30 @@
}
s = "";
- /* Initialize variables */
- add_protected_variable(param TSRMLS_CC);
+ {
+ /* store temp_filename as-is (without magic_quotes_gpc-ing it, in case upload_tmp_dir
+ * contains escapeable characters. escape only the variable name.) */
+ zval zfilename;
+
+ /* Initialize variables */
+ add_protected_variable(param TSRMLS_CC);
+
+ /* if param is of form xxx[.*] this will cut it to xxx */
+ if (!is_anonymous) {
+ ZVAL_STRING(&zfilename, temp_filename, 1);
+ safe_php_register_variable_ex(param, &zfilename, NULL, 1 TSRMLS_CC);
+ }
- magic_quotes_gpc = PG(magic_quotes_gpc);
- PG(magic_quotes_gpc) = 0;
- /* if param is of form xxx[.*] this will cut it to xxx */
- if (!is_anonymous) {
- safe_php_register_variable(param, temp_filename, NULL, 1 TSRMLS_CC);
- }
-
- /* Add $foo[tmp_name] */
- if (is_arr_upload) {
- sprintf(lbuf, "%s[tmp_name][%s]", abuf, array_index);
- } else {
- sprintf(lbuf, "%s[tmp_name]", param);
+ /* Add $foo[tmp_name] */
+ if (is_arr_upload) {
+ sprintf(lbuf, "%s[tmp_name][%s]", abuf, array_index);
+ } else {
+ sprintf(lbuf, "%s[tmp_name]", param);
+ }
+ add_protected_variable(lbuf TSRMLS_CC);
+ ZVAL_STRING(&zfilename, temp_filename, 1);
+ register_http_post_files_variable_ex(lbuf, &zfilename, http_post_files, 1 TSRMLS_CC);
}
- add_protected_variable(lbuf TSRMLS_CC);
- register_http_post_files_variable(lbuf, temp_filename, http_post_files, 1 TSRMLS_CC);
-
- PG(magic_quotes_gpc) = magic_quotes_gpc;
{
zval file_size, error_type;
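Review bot: the block comment still talks about "magic_quotes_gpc-ing" the filename although the PG(magic_quotes_gpc) save/restore is removed by this hunk; reword it to say the `_ex` variants receive a ready-made zval so the value is stored verbatim and only the variable name is escaped. The two `sprintf(lbuf, ...)` calls now inside the new block format request-controlled `param` / `abuf` / `array_index`; if lbuf is sized from strlen(param) plus a fixed reserve that is safe, but a bounded snprintf with the allocation size would make the invariant explicit.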
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/suhosin-0.9.29/session.c new/suhosin-0.9.31/session.c
--- old/suhosin-0.9.29/session.c 2009-08-15 17:23:33.000000000 +0200
+++ new/suhosin-0.9.31/session.c 2010-03-28 22:43:13.000000000 +0200
@@ -3,7 +3,7 @@
| Suhosin Version 1 |
+----------------------------------------------------------------------+
| Copyright (c) 2006-2007 The Hardened-PHP Project |
- | Copyright (c) 2007 SektionEins GmbH |
+ | Copyright (c) 2007-2010 SektionEins GmbH |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
@@ -30,8 +30,16 @@
#include "php_ini.h"
#include "php_suhosin.h"
#include "ext/standard/base64.h"
+#include "ext/standard/php_smart_str.h"
+#include "ext/standard/php_var.h"
#include "sha256.h"
+#include
+
+#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH)
+# include "ext/hash/php_hash.h"
+#endif
+
#define PS_OPEN_ARGS void **mod_data, const char *save_path, const char *session_name TSRMLS_DC
#define PS_CLOSE_ARGS void **mod_data TSRMLS_DC
#define PS_READ_ARGS void **mod_data, const char *key, char **val, int *vallen TSRMLS_DC
@@ -135,7 +143,7 @@
int define_sid;
} php_ps_globals_50_51;
-typedef struct _php_ps_globals_52_60 {
+typedef struct _php_ps_globals_52 {
char *save_path;
char *session_name;
char *id;
@@ -171,13 +179,66 @@
int send_cookie;
int define_sid;
zend_bool invalid_session_id; /* allows the driver to report about an invalid session id and request id regeneration */
-} php_ps_globals_52_60;
+} php_ps_globals_52;
+typedef struct _php_ps_globals_53 {
+ char *save_path;
+ char *session_name;
+ char *id;
+ char *extern_referer_chk;
+ char *entropy_file;
+ char *cache_limiter;
+ long entropy_length;
+ long cookie_lifetime;
+ char *cookie_path;
+ char *cookie_domain;
+ zend_bool cookie_secure;
+ zend_bool cookie_httponly;
+ ps_module *mod;
+ void *mod_data;
+ php_session_status session_status;
+ long gc_probability;
+ long gc_divisor;
+ long gc_maxlifetime;
+ int module_number;
+ long cache_expire;
+ union {
+ zval *names[6];
+ struct {
+ zval *ps_open;
+ zval *ps_close;
+ zval *ps_read;
+ zval *ps_write;
+ zval *ps_destroy;
+ zval *ps_gc;
+ } name;
+ } mod_user_names;
+ zend_bool bug_compat; /* Whether to behave like PHP 4.2 and earlier */
+ zend_bool bug_compat_warn; /* Whether to warn about it */
+ const struct ps_serializer_struct *serializer;
+ zval *http_session_vars;
+ zend_bool auto_start;
+ zend_bool use_cookies;
+ zend_bool use_only_cookies;
+ zend_bool use_trans_sid; /* contains the INI value of whether to use trans-sid */
+ zend_bool apply_trans_sid; /* whether or not to enable trans-sid for the current request */
+
+ long hash_func;
+#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH)
+ php_hash_ops *hash_ops;
+#endif
+ long hash_bits_per_character;
+ int send_cookie;
+ int define_sid;
+ zend_bool invalid_session_id; /* allows the driver to report about an invalid session id and request id regeneration */
+} php_ps_globals_53;
#ifdef ZTS
static ts_rsrc_id session_globals_id = 0;
-# if PHP_MAJOR_VERSION > 5 || (PHP_MAJOR_VERSION == 5 && PHP_MINOR_VERSION >= 2)
-# define SESSION_G(v) TSRMG(session_globals_id, php_ps_globals_52_60 *, v)
+# if (PHP_MAJOR_VERSION == 5 && PHP_MINOR_VERSION >= 3)
+# define SESSION_G(v) TSRMG(session_globals_id, php_ps_globals_53 *, v)
+# elif (PHP_MAJOR_VERSION == 5 && PHP_MINOR_VERSION >= 2)
+# define SESSION_G(v) TSRMG(session_globals_id, php_ps_globals_52 *, v)
# elif (PHP_MAJOR_VERSION == 5)
# define SESSION_G(v) TSRMG(session_globals_id, php_ps_globals_50_51 *, v)
# elif (PHP_MAJOR_VERSION == 4 && PHP_MINOR_VERSION >= 3)
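Review bot: php_ps_globals_53 mirrors ext/session's private globals struct field by field, so the copy needs a comment naming the exact PHP release it was taken from, and the `hash_ops` member under `HAVE_HASH_EXT && !COMPILE_DL_HASH` must match the configuration ext/session itself was built with; otherwise every later field (send_cookie, define_sid, invalid_session_id) is read at the wrong offset through SESSION_G(). Also note the new `#if` ladder drops the `PHP_MAJOR_VERSION > 5` case that `php_ps_globals_52_60` covered, so a PHP 6 build now hits `UNSUPPORTED PHP VERSION`; that is consistent with the rename to `_52` but deserves a changelog line.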
@@ -186,8 +247,10 @@
UNSUPPORTED PHP VERSION
# endif
#else
-# if PHP_MAJOR_VERSION > 5 || (PHP_MAJOR_VERSION == 5 && PHP_MINOR_VERSION >= 2)
-static php_ps_globals_52_60 *session_globals = NULL;
+# if (PHP_MAJOR_VERSION == 5 && PHP_MINOR_VERSION >= 3)
+static php_ps_globals_53 *session_globals = NULL;
+# elif (PHP_MAJOR_VERSION == 5 && PHP_MINOR_VERSION >= 2)
+static php_ps_globals_52 *session_globals = NULL;
# elif (PHP_MAJOR_VERSION == 5)
static php_ps_globals_50_51 *session_globals = NULL;
# elif (PHP_MAJOR_VERSION == 4 && PHP_MINOR_VERSION >= 3)
@@ -198,6 +261,114 @@
#define SESSION_G(v) (session_globals->v)
#endif
+ps_serializer *(*suhosin_find_ps_serializer)(char *name TSRMLS_DC) = NULL;
+
+#define PS_ENCODE_VARS \
+ char *key; \
+ uint key_length; \
+ ulong num_key; \
+ zval **struc;
+
+#define PS_ENCODE_LOOP(code) do { \
+ HashTable *_ht = Z_ARRVAL_P(SESSION_G(http_session_vars)); \
+ int key_type; \
+ \
+ for (zend_hash_internal_pointer_reset(_ht); \
+ (key_type = zend_hash_get_current_key_ex(_ht, &key, &key_length, &num_key, 0, NULL)) != HASH_KEY_NON_EXISTANT; \
+ zend_hash_move_forward(_ht)) { \
+ if (key_type == HASH_KEY_IS_LONG) { \
+ php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Skipping numeric key %ld", num_key); \
+ continue; \
+ } \
+ key_length--; \
+ if (suhosin_get_session_var(key, key_length, &struc TSRMLS_CC) == SUCCESS) { \
+ code; \
+ } \
+ } \
+ } while(0)
+
+static int suhosin_get_session_var(char *name, size_t namelen, zval ***state_var TSRMLS_DC) /* {{{ */
+{
+ int ret = FAILURE;
+
+ if (SESSION_G(http_session_vars) && SESSION_G(http_session_vars)->type == IS_ARRAY) {
+ ret = zend_hash_find(Z_ARRVAL_P(SESSION_G(http_session_vars)), name, namelen + 1, (void **) state_var);
+
+ /* If register_globals is enabled, and
+ * if there is an entry for the slot in $_SESSION, and
+ * if that entry is still set to NULL, and
+ * if the global var exists, then
+ * we prefer the same key in the global sym table. */
+
+ if (PG(register_globals) && ret == SUCCESS && Z_TYPE_PP(*state_var) == IS_NULL) {
+ zval **tmp;
+
+ if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) {
+ *state_var = tmp;
+ }
+ }
+ }
+ return ret;
+}
+
+#define PS_DELIMITER '|'
+#define PS_UNDEF_MARKER '!'
+
+int suhosin_session_encode(char **newstr, int *newlen TSRMLS_DC)
+{
+ smart_str buf = {0};
+ php_serialize_data_t var_hash;
+ PS_ENCODE_VARS;
+
+ PHP_VAR_SERIALIZE_INIT(var_hash);
+
+ PS_ENCODE_LOOP(
+ smart_str_appendl(&buf, key, key_length);
+ if (key[0] == PS_UNDEF_MARKER || memchr(key, PS_DELIMITER, key_length)) {
+ PHP_VAR_SERIALIZE_DESTROY(var_hash);
+ smart_str_free(&buf);
+ return FAILURE;
+ }
+ smart_str_appendc(&buf, PS_DELIMITER);
+
+ php_var_serialize(&buf, struc, &var_hash TSRMLS_CC);
+ } else {
+ smart_str_appendc(&buf, PS_UNDEF_MARKER);
+ smart_str_appendl(&buf, key, key_length);
+ smart_str_appendc(&buf, PS_DELIMITER);
+ );
+
+ if (newlen) {
+ *newlen = buf.len;
+ }
+ smart_str_0(&buf);
+ *newstr = buf.c;
+
+ PHP_VAR_SERIALIZE_DESTROY(var_hash);
+ return SUCCESS;
+}
+
+static void suhosin_send_cookie(TSRMLS_D)
+{
+ int * session_send_cookie = &SESSION_G(send_cookie);
+ char * base;
+ zend_ini_entry *ini_entry;
+
+ /* The following is requires to be 100% compatible to PHP
+ versions where the hash extension is not available by default */
+#if (PHP_MAJOR_VERSION >= 5 && PHP_MINOR_VERSION >= 3)
+ if (zend_hash_find(EG(ini_directives), "session.hash_bits_per_character", sizeof("session.hash_bits_per_character"), (void **) &ini_entry) == SUCCESS) {
+#ifndef ZTS
+ base = (char *) ini_entry->mh_arg2;
+#else
+ base = (char *) ts_resource(*((int *) ini_entry->mh_arg2));
+#endif
+ session_send_cookie = (int *) (base+(size_t) ini_entry->mh_arg1+sizeof(long));
+ }
+#endif
+ *session_send_cookie = 1;
+}
+
void suhosin_get_ipv4(char *buf TSRMLS_DC)
{
char *raddr = sapi_getenv("REMOTE_ADDR", sizeof("REMOTE_ADDR")-1 TSRMLS_CC);
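Review bot: in suhosin_send_cookie the store `*session_send_cookie = 1;` goes to an address computed as `base + (size_t) ini_entry->mh_arg1 + sizeof(long)`, which silently assumes that send_cookie is the field immediately after `long hash_bits_per_character` with no padding in between; that matches the php_ps_globals_53 declaration in this patch, but nothing ties the two together, so please document the dependency next to the arithmetic (or derive the offset from the struct field itself), and note in the comment that on versions outside the `#if (PHP_MAJOR_VERSION >= 5 && PHP_MINOR_VERSION >= 3)` guard the write falls back to the shadow-struct pointer. In suhosin_session_encode the `} else {` branch appends `key` after PS_UNDEF_MARKER without the `key[0] == PS_UNDEF_MARKER || memchr(key, PS_DELIMITER, key_length)` check that the if-branch applies; moving that check ahead of the suhosin_get_session_var result keeps both branches from ever emitting a delimiter inside a key. The `} else {` relies on a brace inside PS_ENCODE_LOOP, which deserves a comment on the macro. Typo in the comment: "is requires to be" should read "is required to be".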
@@ -472,7 +643,7 @@
regenerate:
SDEBUG("regenerating key is %s", key);
KEY = SESSION_G(id) = SESSION_G(mod)->s_create_sid(&SESSION_G(mod_data), NULL TSRMLS_CC);
- SESSION_G(send_cookie) = 1;
+ suhosin_send_cookie(TSRMLS_C);
} else if (strlen(key) > SUHOSIN_G(session_max_id_length)) {
suhosin_log(S_SESSION, "session id ('%s') exceeds maximum length - regenerating", KEY);
if (!SUHOSIN_G(simulation)) {
@@ -621,6 +792,7 @@
void suhosin_hook_session(TSRMLS_D)
{
+ ps_serializer *serializer;
zend_ini_entry *ini_entry;
zend_module_entry *module;
#ifdef ZTS
@@ -686,6 +858,26 @@
ini_entry->on_modify = suhosin_OnUpdateSaveHandler;
suhosin_hook_session_module(TSRMLS_C);
+
+ /* Protect the PHP serializer from ! attacks */
+# if PHP_MAJOR_VERSION > 5 || (PHP_MAJOR_VERSION == 5 && PHP_MINOR_VERSION >= 2)
+ serializer = SESSION_G(serializer);
+ if (serializer != NULL && strcmp(serializer->name, "php")==0) {
+ serializer->encode = suhosin_session_encode;
+ }
+#endif
+
+ /* increase session identifier entropy */
+ if (SESSION_G(entropy_length) == 0 || SESSION_G(entropy_file) == NULL) {
+
+ /* ensure that /dev/urandom exists */
+ int fd = VCWD_OPEN("/dev/urandom", O_RDONLY);
+ if (fd >= 0) {
+ close(fd);
+ SESSION_G(entropy_length) = 16;
+ SESSION_G(entropy_file) = pestrdup("/dev/urandom", 1);
+ }
+ }
}
void suhosin_unhook_session(TSRMLS_D)
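Review bot: the entropy block guarded by `if (SESSION_G(entropy_length) == 0 || SESSION_G(entropy_file) == NULL)` overwrites SESSION_G(entropy_file) with `pestrdup("/dev/urandom", 1)` even when an administrator configured a different session.entropy_file and merely left session.entropy_length at 0, so a deliberate device choice is silently replaced; consider substituting the file only when it is NULL or empty and otherwise just raising entropy_length to 16. The persistent string also replaces a pointer the INI layer set, and the INI layer knows nothing about this allocation, so make sure suhosin_unhook_session releases it or add a comment that the one-off leak is accepted.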
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/suhosin-0.9.29/sha256.c new/suhosin-0.9.31/sha256.c
--- old/suhosin-0.9.29/sha256.c 2009-08-15 16:59:55.000000000 +0200
+++ new/suhosin-0.9.31/sha256.c 2010-03-28 22:43:13.000000000 +0200
@@ -3,7 +3,7 @@
| Suhosin Version 1 |
+----------------------------------------------------------------------+
| Copyright (c) 2006-2007 The Hardened-PHP Project |
- | Copyright (c) 2007 SektionEins GmbH |
+ | Copyright (c) 2007-2010 SektionEins GmbH |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/suhosin-0.9.29/sha256.h new/suhosin-0.9.31/sha256.h
--- old/suhosin-0.9.29/sha256.h 2009-08-15 16:59:55.000000000 +0200
+++ new/suhosin-0.9.31/sha256.h 2010-03-28 22:43:13.000000000 +0200
@@ -3,7 +3,7 @@
| Suhosin Version 1 |
+----------------------------------------------------------------------+
| Copyright (c) 2006-2007 The Hardened-PHP Project |
- | Copyright (c) 2007 SektionEins GmbH |
+ | Copyright (c) 2007-2010 SektionEins GmbH |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/suhosin-0.9.29/suhosin.c new/suhosin-0.9.31/suhosin.c
--- old/suhosin-0.9.29/suhosin.c 2009-08-15 17:54:08.000000000 +0200
+++ new/suhosin-0.9.31/suhosin.c 2010-03-28 22:43:13.000000000 +0200
@@ -3,7 +3,7 @@
| Suhosin Version 1 |
+----------------------------------------------------------------------+
| Copyright (c) 2006-2007 The Hardened-PHP Project |
- | Copyright (c) 2007 SektionEins GmbH |
+ | Copyright (c) 2007-2010 SektionEins GmbH |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
@@ -62,7 +62,7 @@
SUHOSIN_EXT_VERSION,
"SektionEins GmbH",
"http://www.suhosin.org",
- "Copyright (c) 2007",
+ "Copyright (c) 2007-2010",
suhosin_module_startup,
suhosin_shutdown,
NULL,
@@ -1204,10 +1204,10 @@
PUTS(!sapi_module.phpinfo_as_text?"<br /><br />":"\n\n");
if (sapi_module.phpinfo_as_text) {
PUTS("Copyright (c) 2006-2007 Hardened-PHP Project\n");
- PUTS("Copyright (c) 2007-2008 SektionEins GmbH\n");
+ PUTS("Copyright (c) 2007-2010 SektionEins GmbH\n");
} else {
PUTS("Copyright (c) 2006-2007 http://www.hardened-php.net/\">Hardened-PHP Project</a><br />\n");
- PUTS("Copyright (c) 2007-2008 http://www.sektioneins.de/\">SektionEins GmbH</a>\n");
+ PUTS("Copyright (c) 2007-2010 http://www.sektioneins.de/\">SektionEins GmbH</a>\n");
}
php_info_print_box_end();
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/suhosin-0.9.29/suhosin.ini new/suhosin-0.9.31/suhosin.ini
--- old/suhosin-0.9.29/suhosin.ini 2009-08-15 17:53:40.000000000 +0200
+++ new/suhosin-0.9.31/suhosin.ini 2010-03-28 22:43:13.000000000 +0200
@@ -134,7 +134,8 @@
; If you fear that Suhosin breaks your application, you can activate Suhosin's
; simulation mode with this flag. When Suhosin runs in simulation mode,
; violations are logged as usual, but nothing is blocked or removed from the
-; request. (Transparent Encryptions are NOT deactivated in simulation mode.)
+; request. (Transparent features are NOT deactivated in simulation mode.)
+; (since v0.9.30 affects (dis)allowed functions)
;suhosin.simulation = Off
; APC 3.0.12(p1/p2) uses reserved resources without requesting a resource slot
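Review bot: the new comment line `; (since v0.9.30 affects (dis)allowed functions)` is ambiguous about what changed; if the intended meaning is that simulation mode now also covers the function blacklist/whitelist checks, spell it out in a full sentence (for example "; Since 0.9.30 simulation mode also applies to the function blacklist/whitelist, so listed functions are logged but not blocked.") so administrators are not surprised that those functions run while simulation is on.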
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/suhosin-0.9.29/suhosin_rfc1867.h new/suhosin-0.9.31/suhosin_rfc1867.h
--- old/suhosin-0.9.29/suhosin_rfc1867.h 2009-08-15 16:59:55.000000000 +0200
+++ new/suhosin-0.9.31/suhosin_rfc1867.h 2010-03-28 22:43:13.000000000 +0200
@@ -3,7 +3,7 @@
| Suhosin Version 1 |
+----------------------------------------------------------------------+
| Copyright (c) 2006-2007 The Hardened-PHP Project |
- | Copyright (c) 2007 SektionEins GmbH |
+ | Copyright (c) 2007-2010 SektionEins GmbH |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/suhosin-0.9.29/treat_data.c new/suhosin-0.9.31/treat_data.c
--- old/suhosin-0.9.29/treat_data.c 2009-08-15 16:59:55.000000000 +0200
+++ new/suhosin-0.9.31/treat_data.c 2010-03-28 22:43:13.000000000 +0200
@@ -3,7 +3,7 @@
| Suhosin Version 1 |
+----------------------------------------------------------------------+
| Copyright (c) 2006-2007 The Hardened-PHP Project |
- | Copyright (c) 2007 SektionEins GmbH |
+ | Copyright (c) 2007-2010 SektionEins GmbH |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/suhosin-0.9.29/ufilter.c new/suhosin-0.9.31/ufilter.c
--- old/suhosin-0.9.29/ufilter.c 2009-08-15 16:59:55.000000000 +0200
+++ new/suhosin-0.9.31/ufilter.c 2010-03-28 22:43:13.000000000 +0200
@@ -3,7 +3,7 @@
| Suhosin Version 1 |
+----------------------------------------------------------------------+
| Copyright (c) 2006-2007 The Hardened-PHP Project |
- | Copyright (c) 2007 SektionEins GmbH |
+ | Copyright (c) 2007-2010 SektionEins GmbH |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
++++++ suhosin-patch-5.3.0-0.9.8-BETA-1.patch.gz -> suhosin-patch-5.3.2-0.9.9.1.patch.gz ++++++
Files php5/suhosin-patch-5.3.0-0.9.8-BETA-1.patch.gz and /mounts/work_src_done/STABLE/php5/suhosin-patch-5.3.2-0.9.9.1.patch.gz differ
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...