authorStanislav Malyshev <stas@php.net>2015-06-09 15:31:27 -0700
committerStanislav Malyshev <stas@php.net>2015-06-09 15:31:27 -0700
commit4e2fb470929ab13101c945e76e2ac397a730ba5a (patch)
treec57b6929754e3db437b4b2d904c084e097a8a772
parent5f7c1917e3ab7ef7120dba6b2a3c46601781ea22 (diff)
parent80367584910885baa1a2a4476a4a31efdcf0c9c0 (diff)
downloadphp-git-4e2fb470929ab13101c945e76e2ac397a730ba5a.tar.gz
Merge branch 'PHP-5.4' into PHP-5.5
* PHP-5.4: Fix bug #69646 OS command injection vulnerability in escapeshellarg Fix #69719 - more checks for nulls in paths fix test description Fixed Buf #68812 Unchecked return value. Conflicts: ext/dom/document.c ext/gd/gd.c
-rw-r--r--ext/dom/document.c22
-rw-r--r--ext/gd/gd.c12
-rw-r--r--ext/standard/exec.c8
3 files changed, 31 insertions, 11 deletions
diff --git a/ext/dom/document.c b/ext/dom/document.c
index 8b62e92a19..d82ca92096 100644
--- a/ext/dom/document.c
+++ b/ext/dom/document.c
@@ -1761,7 +1761,7 @@ PHP_FUNCTION(dom_document_save)
char *file;
long options = 0;
- if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os|l", &id, dom_document_class_entry, &file, &file_len, &options) == FAILURE) {
+ if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op|l", &id, dom_document_class_entry, &file, &file_len, &options) == FAILURE) {
return;
}
@@ -1991,7 +1991,7 @@ static void _dom_document_schema_validate(INTERNAL_FUNCTION_PARAMETERS, int type
int is_valid;
char resolved_path[MAXPATHLEN + 1];
- if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op|l", &id, dom_document_class_entry, &source, &source_len, &flags) == FAILURE) {
+ if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os|l", &id, dom_document_class_entry, &source, &source_len, &flags) == FAILURE) {
return;
}
@@ -2004,6 +2004,10 @@ static void _dom_document_schema_validate(INTERNAL_FUNCTION_PARAMETERS, int type
switch (type) {
case DOM_LOAD_FILE:
+ if (CHECK_NULL_PATH(source, source_len)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid Schema file source");
+ RETURN_FALSE;
+ }
valid_file = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC);
if (!valid_file) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid Schema file source");
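Review bot: The NUL-byte rejection added under `case DOM_LOAD_FILE:` emits the same warning text as the failed path resolution a few lines below it, so a log reader cannot tell a path with an embedded NUL from one that simply did not resolve. A distinct message, for example `"Invalid Schema file source: path contains a NUL byte"`, would make such inputs visible during triage. The previous hunk relaxes the format from `"Op|l"` to `"Os|l"` without a comment, so a short note such as `/* "s", not "p": the NUL check is done in the DOM_LOAD_FILE branch */` would keep a later cleanup from reverting it; the reason is presumably that the non-file branch takes schema text, but that branch is outside the hunk. The same two remarks apply to the _dom_document_relaxNG_validate hunks and to the CHECK_NULL_PATH block in dom_load_html.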
@@ -2087,7 +2091,7 @@ static void _dom_document_relaxNG_validate(INTERNAL_FUNCTION_PARAMETERS, int typ
int is_valid;
char resolved_path[MAXPATHLEN + 1];
- if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op", &id, dom_document_class_entry, &source, &source_len) == FAILURE) {
+ if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os", &id, dom_document_class_entry, &source, &source_len) == FAILURE) {
return;
}
@@ -2100,6 +2104,10 @@ static void _dom_document_relaxNG_validate(INTERNAL_FUNCTION_PARAMETERS, int typ
switch (type) {
case DOM_LOAD_FILE:
+ if (CHECK_NULL_PATH(source, source_len)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid RelaxNG file source");
+ RETURN_FALSE;
+ }
valid_file = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC);
if (!valid_file) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid RelaxNG file source");
@@ -2180,7 +2188,7 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */
id = getThis();
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &source, &source_len, &options) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &source, &source_len, &options) == FAILURE) {
return;
}
@@ -2190,6 +2198,10 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */
}
if (mode == DOM_LOAD_FILE) {
+ if (CHECK_NULL_PATH(source, source_len)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid file source");
+ RETURN_FALSE;
+ }
ctxt = htmlCreateFileParserCtxt(source, NULL);
} else {
source_len = xmlStrlen(source);
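Review bot: In the string branch, `source_len = xmlStrlen(source);` discards the length that zend_parse_parameters returned, and the previous hunk changes the format from `"p|l"` to `"s|l"`, so a string containing a NUL byte is now accepted and parsed only up to the first NUL instead of being rejected. If that truncation is intended, it deserves a comment at this line, such as `/* input is cut at the first NUL; anything after it is ignored */`. If it is not intended, comparing the parsed length with `xmlStrlen(source)` before the assignment and raising a warning on mismatch would surface it. The rest of dom_load_html is outside the hunk, so any later handling of the length cannot be seen here.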
@@ -2278,7 +2290,7 @@ PHP_FUNCTION(dom_document_save_html_file)
char *file;
const char *encoding;
- if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os", &id, dom_document_class_entry, &file, &file_len) == FAILURE) {
+ if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op", &id, dom_document_class_entry, &file, &file_len) == FAILURE) {
return;
}
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 322325e47b..76e2c5bf55 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -1735,7 +1735,7 @@ PHP_FUNCTION(imagefilledarc)
long cx, cy, w, h, ST, E, col, style;
gdImagePtr im;
int e, st;
-
+
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rllllllll", &IM, &cx, &cy, &w, &h, &ST, &E, &col, &style) == FAILURE) {
return;
}
@@ -1976,7 +1976,7 @@ PHP_FUNCTION(imagegrabwindow)
if ( handle == 0 ) {
goto clean;
}
- pPrintWindow = (tPrintWindow) GetProcAddress(handle, "PrintWindow");
+ pPrintWindow = (tPrintWindow) GetProcAddress(handle, "PrintWindow");
if ( pPrintWindow ) {
pPrintWindow(window, memDC, (UINT) client_area);
@@ -3845,7 +3845,7 @@ static void php_imagettftext_common(INTERNAL_FUNCTION_PARAMETERS, int mode, int
if (zend_hash_get_current_data_ex(HASH_OF(EXT), (void **) &item, &pos) == FAILURE) {
continue;
}
-
+
if (strcmp("linespacing", key) == 0) {
convert_to_double_ex(item);
strex.flags |= gdFTEX_LINESPACE;
@@ -3924,7 +3924,7 @@ PHP_FUNCTION(imagepsloadfont)
struct stat st;
#endif
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_len) == FAILURE) {
return;
}
@@ -4264,11 +4264,11 @@ PHP_FUNCTION(imagepsbbox)
if (argc != 3 && argc != 6) {
ZEND_WRONG_PARAM_COUNT();
}
-
+
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "srl|lld", &str, &str_len, &fnt, &sz, &sp, &wd, &angle) == FAILURE) {
return;
}
-
+
if (argc == 6) {
space = sp;
add_width = wd;
diff --git a/ext/standard/exec.c b/ext/standard/exec.c
index 683878877b..06c068399d 100644
--- a/ext/standard/exec.c
+++ b/ext/standard/exec.c
@@ -380,6 +380,14 @@ PHPAPI char *php_escape_shell_arg(char *str)
}
}
#ifdef PHP_WIN32
+ if (y > 0 && '\\' == cmd[y - 1]) {
+ int k = 0, n = y - 1;
+ for (; n >= 0 && '\\' == cmd[n]; n--, k++);
+ if (k % 2) {
+ cmd[y++] = '\\';
+ }
+ }
+
cmd[y++] = '"';
#else
cmd[y++] = '\'';
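Review bot: The added PHP_WIN32 block has no comment saying why the parity of the trailing backslash run matters, and the counting loop `for (; n >= 0 && '\\' == cmd[n]; n--, k++);` hides its empty body behind a trailing semicolon. A comment above the `if`, such as `/* an odd run of trailing backslashes would escape the closing quote; pad it to an even count */`, and an explicit `{ }` body on the loop would make the intent reviewable. The block can also write one extra byte into `cmd` before the closing quote. The allocation is outside this hunk, so its worst-case sizing should be confirmed to cover that byte. php_escape_shell_arg starts and ends outside the hunk.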