author | Ilia Alshanetsky <iliaa@php.net> | 2004-07-13 13:15:35 +0000 |
---|---|---|
committer | Ilia Alshanetsky <iliaa@php.net> | 2004-07-13 13:15:35 +0000 |
commit | ccfe4bf7368b2546c8718b29d34e6a97bcdc93de (patch) | |
tree | 798f4f8ac513825c6a52c0bcefedc7e219225b5d | |
parent | aa72ed1ce7b69a8115cda48dec85e8cb8f73165c (diff) | |
download | php-git-ccfe4bf7368b2546c8718b29d34e6a97bcdc93de.tar.gz |
4.3.8 patches.
-rw-r--r-- | NEWS | 9 | ||||
-rw-r--r-- | configure.in | 2 | ||||
-rw-r--r-- | ext/imap/php_imap.c | 2 | ||||
-rw-r--r-- | ext/msession/msession.c | 10 | ||||
-rw-r--r-- | ext/mssql/php_mssql.c | 1 | ||||
-rw-r--r-- | ext/mysql/php_mysql.c | 5 | ||||
-rwxr-xr-x | ext/pcntl/pcntl.c | 14 | ||||
-rw-r--r-- | ext/session/mod_mm.c | 4 | ||||
-rw-r--r-- | ext/session/session.c | 7 | ||||
-rw-r--r-- | ext/standard/ftok.c | 4 | ||||
-rw-r--r-- | ext/standard/iptc.c | 6 | ||||
-rw-r--r-- | ext/standard/string.c | 2 | ||||
-rw-r--r-- | ext/sybase/php_sybase_db.c | 2 | ||||
-rw-r--r-- | ext/sybase_ct/php_sybase_ct.c | 2 | ||||
-rw-r--r-- | ext/w32api/w32api.c | 25 | ||||
-rw-r--r-- | ext/wddx/wddx.c | 4 | ||||
-rw-r--r-- | main/main.c | 15 | ||||
-rw-r--r-- | main/php_version.h | 4 | ||||
-rw-r--r-- | main/rfc1867.c | 7 |
19 files changed, 86 insertions, 39 deletions
@@ -1,5 +1,14 @@ PHP 4 NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| +14 Jul 2004, Version 4.3.8 +- Fixed strip_tags() to correctly handle '\0' characters. (Stefan) +- Fixed memory_limit during request startup. (Stefan) +- Replace alloca() with emalloc() for better stack protection. (Ilia) +- Added missing safe_mode checks inside ftok and itpc. (Ilia) +- Fixed bug #28963 (Missing space for \0 in address allocation in IMAP). (Ilia) +- Fixed bug #28632 (Prevent open_basedir bypass via MySQL's LOAD DATA LOCAL). + (Ilia) + 03 Jun 2004, Version 4.3.7 - Upgraded bundled GD library to 2.0.23. (Ilia) - Changed user error handler mechanism to relay to built-in error handler if it diff --git a/configure.in b/configure.in index 960a548378..7580d37077 100644 --- a/configure.in +++ b/configure.in @@ -41,7 +41,7 @@ AC_CONFIG_HEADER(main/php_config.h) MAJOR_VERSION=4 MINOR_VERSION=3 RELEASE_VERSION=8 -EXTRA_VERSION="-dev" +EXTRA_VERSION="" VERSION="$MAJOR_VERSION.$MINOR_VERSION.$RELEASE_VERSION$EXTRA_VERSION" dnl Define where extension directories are located in the configure context diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c index 73fce1b8c7..8f9adda0bb 100644 --- a/ext/imap/php_imap.c +++ b/ext/imap/php_imap.c @@ -3683,7 +3683,7 @@ static void _php_imap_parse_address (ADDRESS *addresslist, char **fulladdress, z addresstmp = addresslist; if ((len = _php_imap_address_size(addresstmp))) { - tmpstr = (char *) malloc (len); + tmpstr = (char *) malloc(len + 1); tmpstr[0] = '\0'; rfc822_write_address(tmpstr, addresstmp); *fulladdress = tmpstr; diff --git a/ext/msession/msession.c b/ext/msession/msession.c index 1cafb9a339..cc77906a90 100644 --- a/ext/msession/msession.c +++ b/ext/msession/msession.c @@ -1266,7 +1266,7 @@ PS_OPEN_FUNC(msession) { int port; int len = strlen(save_path)+1; - char * path = alloca(len); + char * path = emalloc(len); char * szport; strcpy(path, save_path); 
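Review bot: The result of `malloc(len + 1)` in the ext/imap/php_imap.c hunk is written through on the very next line (`tmpstr[0] = '\0';`) without a NULL check, so an allocation failure becomes a NULL dereference instead of a handled error. A guard such as `if (tmpstr == NULL) { return; }` belongs before that write, adjusted to whatever failure convention the callers of _php_imap_parse_address() expect; the rest of the function is outside the hunk. Since `rfc822_write_address()` takes no length, the buffer is only large enough if `_php_imap_address_size()` matches what the writer emits, and a comment saying the `+ 1` is for the terminator would record that dependency.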
@@ -1285,7 +1285,13 @@ PS_OPEN_FUNC(msession) ELOG( "ps_open_msession"); PS_SET_MOD_DATA((void *)1); /* session.c needs a non-zero here! */ - return PHPMsessionConnect(path, port) ? SUCCESS : FAILURE; + if (PHPMsessionConnect(path, port)) { + efree(path); + return SUCCESS; + } else { + efree(path); + return FAILURE; + } } PS_CLOSE_FUNC(msession) diff --git a/ext/mssql/php_mssql.c b/ext/mssql/php_mssql.c index 751e8fdd27..b795fa3c61 100644 --- a/ext/mssql/php_mssql.c +++ b/ext/mssql/php_mssql.c @@ -344,6 +344,7 @@ PHP_RINIT_FUNCTION(mssql) PHP_RSHUTDOWN_FUNCTION(mssql) { STR_FREE(MS_SQL_G(appname)); + MS_SQL_G(appname) = NULL; if (MS_SQL_G(server_message)) { STR_FREE(MS_SQL_G(server_message)); MS_SQL_G(server_message) = NULL; diff --git a/ext/mysql/php_mysql.c b/ext/mysql/php_mysql.c index ad610e8b30..9e91c263cd 100644 --- a/ext/mysql/php_mysql.c +++ b/ext/mysql/php_mysql.c @@ -259,6 +259,9 @@ static void _free_mysql_result(zend_rsrc_list_entry *rsrc TSRMLS_DC) */ static void php_mysql_set_default_link(int id TSRMLS_DC) { + if (MySG(default_link) != -1) { + zend_list_delete(MySG(default_link)); + } MySG(default_link) = id; zend_list_addref(id); } @@ -590,7 +593,7 @@ static void php_mysql_do_connect(INTERNAL_FUNCTION_PARAMETERS, int persistent) break; } /* disable local infile option for open_basedir */ - if (PG(open_basedir) && strlen(PG(open_basedir))) { + if (PG(open_basedir) && strlen(PG(open_basedir)) && (client_flags & CLIENT_LOCAL_FILES)) { client_flags ^= CLIENT_LOCAL_FILES; } diff --git a/ext/pcntl/pcntl.c b/ext/pcntl/pcntl.c index 070c9f2bae..959383c2fa 100755 --- a/ext/pcntl/pcntl.c +++ b/ext/pcntl/pcntl.c 
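Review bot: The new if/else at the end of PS_OPEN_FUNC(msession) repeats `efree(path)` in both branches, which makes it easy for a later edit to free on only one path. Capturing the result first reads more simply: `ret = PHPMsessionConnect(path, port) ? SUCCESS : FAILURE;`, then `efree(path);` and `return ret;`, with `int ret` declared alongside the other locals. The lines between the allocation in the previous hunk and this return are not visible here, so it is worth confirming that no earlier return skips the free.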
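Review bot: In php_mysql_set_default_link() the old default is released with `zend_list_delete(MySG(default_link))` before `zend_list_addref(id)` runs, so if `id` is already the default link and that entry holds its last reference, the resource could be destroyed before it is re-referenced. Whether callers can reach that state is not visible from this hunk. Taking the new reference first, with `zend_list_addref(id);` placed ahead of the delete, or skipping the swap when `MySG(default_link) == id`, avoids depending on caller behaviour.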
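Review bot: The open_basedir guard in php_mysql_do_connect() still clears the flag with `client_flags ^= CLIENT_LOCAL_FILES;`, which is only correct because of the `(client_flags & CLIENT_LOCAL_FILES)` test added to the condition. Masking states the intent directly and cannot switch the flag back on if the condition is edited later: `client_flags &= ~CLIENT_LOCAL_FILES;`, with the flag test dropped from the `if`. The enclosing function starts and ends outside the hunk.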
@@ -386,7 +386,7 @@ PHP_FUNCTION(pcntl_exec) args_hash = HASH_OF(args); argc = zend_hash_num_elements(args_hash); - argv = alloca((argc+2) * sizeof(char *)); + argv = safe_emalloc((argc + 2), sizeof(char *), 0); *argv = path; for ( zend_hash_internal_pointer_reset(args_hash), current_arg = argv+1; (argi < argc && (zend_hash_get_current_data(args_hash, (void **) &element) == SUCCESS)); @@ -397,7 +397,7 @@ PHP_FUNCTION(pcntl_exec) } *(current_arg) = NULL; } else { - argv = alloca(2 * sizeof(char *)); + argv = emalloc(2 * sizeof(char *)); *argv = path; *(argv+1) = NULL; } @@ -407,13 +407,13 @@ PHP_FUNCTION(pcntl_exec) envs_hash = HASH_OF(envs); envc = zend_hash_num_elements(envs_hash); - envp = alloca((envc+1) * sizeof(char *)); + envp = safe_emalloc((envc + 1), sizeof(char *), 0); for ( zend_hash_internal_pointer_reset(envs_hash), pair = envp; (envi < envc && (zend_hash_get_current_data(envs_hash, (void **) &element) == SUCCESS)); (envi++, pair++, zend_hash_move_forward(envs_hash)) ) { switch (return_val = zend_hash_get_current_key_ex(envs_hash, &key, &key_length, &key_num, 0, NULL)) { case HASH_KEY_IS_LONG: - key = alloca(101); + key = emalloc(101); snprintf(key, 100, "%ld", key_num); key_length = strlen(key); break; @@ -432,7 +432,7 @@ PHP_FUNCTION(pcntl_exec) strlcat(*pair, Z_STRVAL_PP(element), pair_length); /* Cleanup */ - if (return_val == HASH_KEY_IS_LONG) free_alloca(key); + if (return_val == HASH_KEY_IS_LONG) efree(key); } *(pair) = NULL; } @@ -445,10 +445,10 @@ PHP_FUNCTION(pcntl_exec) /* Cleanup */ if (envp != NULL) { for (pair = envp; *pair != NULL; pair++) efree(*pair); - free_alloca(envp); + efree(envp); } - free_alloca(argv); + efree(argv); RETURN_FALSE; } diff --git a/ext/session/mod_mm.c b/ext/session/mod_mm.c index df18659278..2045451b8c 100644 --- a/ext/session/mod_mm.c +++ b/ext/session/mod_mm.c 
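Review bot: In the `HASH_KEY_IS_LONG` case of pcntl_exec(), `key = emalloc(101)` is paired with `snprintf(key, 100, ...)`, two unrelated magic numbers, and the buffer is heap-allocated and freed on every loop iteration for a value that needs only a few dozen bytes. A fixed local such as `char num_key[32];` filled with `snprintf(num_key, sizeof(num_key), "%ld", key_num);` and `key = num_key;` would remove both the allocation and the matching `efree(key)` in the next hunk. The remaining switch cases and the rest of the loop body are outside the hunk.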
@@ -264,7 +264,7 @@ PHP_MINIT_FUNCTION(ps_mm) return FAILURE; /* Directory + '/' + File + Module Name + Effective UID + \0 */ - ps_mm_path = do_alloca(save_path_len+1+sizeof(PS_MM_FILE)+mod_name_len+strlen(euid)+1); + ps_mm_path = emalloc(save_path_len+1+sizeof(PS_MM_FILE)+mod_name_len+strlen(euid)+1); memcpy(ps_mm_path, PS(save_path), save_path_len + 1); if (save_path_len > 0 && ps_mm_path[save_path_len - 1] != DEFAULT_SLASH) { @@ -277,7 +277,7 @@ PHP_MINIT_FUNCTION(ps_mm) ret = ps_mm_initialize(ps_mm_instance, ps_mm_path); - free_alloca(ps_mm_path); + efree(ps_mm_path); if (ret != SUCCESS) { free(ps_mm_instance); diff --git a/ext/session/session.c b/ext/session/session.c index 3bd0e28399..ae2c78fde1 100644 --- a/ext/session/session.c +++ b/ext/session/session.c @@ -503,13 +503,16 @@ break_outer_loop: static void php_session_track_init(TSRMLS_D) { + zval *session_vars = NULL; + /* Unconditionally destroy existing arrays -- possible dirty data */ zend_hash_del(&EG(symbol_table), "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS")); zend_hash_del(&EG(symbol_table), "_SESSION", sizeof("_SESSION")); - MAKE_STD_ZVAL(PS(http_session_vars)); - array_init(PS(http_session_vars)); + MAKE_STD_ZVAL(session_vars); + array_init(session_vars); + PS(http_session_vars) = session_vars; ZEND_SET_GLOBAL_VAR_WITH_LENGTH("HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS"), PS(http_session_vars), 2, 1); ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"), PS(http_session_vars), 2, 1); diff --git a/ext/standard/ftok.c b/ext/standard/ftok.c index 111c51b0a2..99ff81ca70 100644 --- a/ext/standard/ftok.c +++ b/ext/standard/ftok.c @@ -52,6 +52,10 @@ PHP_FUNCTION(ftok) RETURN_LONG(-1); } + if ((PG(safe_mode) && (!php_checkuid(Z_STRVAL_PP(pathname), NULL, CHECKUID_CHECK_FILE_AND_DIR))) || php_check_open_basedir(Z_STRVAL_PP(pathname) TSRMLS_CC)) { + RETURN_LONG(-1); + } + k = ftok(Z_STRVAL_PP(pathname),Z_STRVAL_PP(proj)[0]); RETURN_LONG(k); 
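Review bot: The local `session_vars` in php_session_track_init() looks redundant without a comment saying why the array is built before it is stored in `PS(http_session_vars)`. Going by the NEWS entry about memory_limit during request startup, the intent appears to be that the global never points at a zval whose allocation or initialisation was interrupted. I would state that in a comment, e.g. `/* build in a local so the global is only set once the array is fully initialised */`. The same pattern is introduced without explanation in PHP_RINIT_FUNCTION(w32api) (`tmp`), php_hash_environment() in main/main.c (`env_vars`) and rfc1867_post_handler() (`uploaded_files`), and each would benefit from the same comment.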
diff --git a/ext/standard/iptc.c b/ext/standard/iptc.c index f0996e4c3a..940cdb1162 100644 --- a/ext/standard/iptc.c +++ b/ext/standard/iptc.c @@ -208,6 +208,10 @@ PHP_FUNCTION(iptcembed) break; } + if (PG(safe_mode) && (!php_checkuid(Z_STRVAL_PP(jpeg_file), NULL, CHECKUID_CHECK_FILE_AND_DIR))) { + RETURN_FALSE; + } + if (php_check_open_basedir(Z_STRVAL_PP(jpeg_file) TSRMLS_CC)) { RETURN_FALSE; } @@ -347,7 +351,7 @@ PHP_FUNCTION(iptcparse) inx += 2; } - sprintf(key, "%d#%03d", (unsigned int) dataset, (unsigned int) recnum); + snprintf(key, sizeof(key), "%d#%03d", (unsigned int) dataset, (unsigned int) recnum); if ((len > length) || (inx + len) > length) break; diff --git a/ext/standard/string.c b/ext/standard/string.c index 6383ee87c5..d5a9889148 100644 --- a/ext/standard/string.c +++ b/ext/standard/string.c @@ -3339,6 +3339,8 @@ PHPAPI size_t php_strip_tags(char *rbuf, int len, int *stateptr, char *allow, in while (i < len) { switch (c) { + case '\0': + break; case '<': if (isspace(*(p + 1))) { goto reg_char; diff --git a/ext/sybase/php_sybase_db.c b/ext/sybase/php_sybase_db.c index 2d90e611a1..7aadcfb70b 100644 --- a/ext/sybase/php_sybase_db.c +++ b/ext/sybase/php_sybase_db.c @@ -297,7 +297,9 @@ PHP_MSHUTDOWN_FUNCTION(sybase) PHP_RSHUTDOWN_FUNCTION(sybase) { efree(php_sybase_module.appname); + php_sybase_module.appname = NULL; STR_FREE(php_sybase_module.server_message); + php_sybase_module.server_message = NULL; return SUCCESS; } diff --git a/ext/sybase_ct/php_sybase_ct.c b/ext/sybase_ct/php_sybase_ct.c index dd5493169a..6f752f591d 100644 --- a/ext/sybase_ct/php_sybase_ct.c +++ b/ext/sybase_ct/php_sybase_ct.c @@ -448,11 +448,13 @@ PHP_MSHUTDOWN_FUNCTION(sybase) PHP_RSHUTDOWN_FUNCTION(sybase) { efree(SybCtG(appname)); + SybCtG(appname) = NULL; if (SybCtG(callback_name)) { zval_ptr_dtor(&SybCtG(callback_name)); SybCtG(callback_name)= NULL; } STR_FREE(SybCtG(server_message)); + SybCtG(server_message) = NULL; return SUCCESS; } 
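Review bot: The `snprintf(key, sizeof(key), "%d#%03d", ...)` call in iptcparse() passes arguments cast to `unsigned int` to `%d` conversions; the specifiers should match the casts, `"%u#%03u"`. `sizeof(key)` is only the buffer size if `key` is declared as an array in this function, and that declaration is outside the hunk, so it is worth confirming. The return value is also unchecked, so a truncated key would be used silently.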
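Review bot: The new `case '\0': break;` in php_strip_tags() has no comment, and a bare `break` in a character-dispatch switch reads like an omission. From the hunk it appears that NUL bytes are now skipped rather than handled as ordinary characters; a short comment such as `/* NUL bytes are skipped so they cannot interrupt tag recognition */` would record the reason. The rest of the loop is outside the hunk, so the wording should be checked against what happens after the switch.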
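Review bot: `efree(php_sybase_module.appname)` in PHP_RSHUTDOWN_FUNCTION(sybase) stays unguarded while the field is now reset to NULL afterwards, so a shutdown that runs without request init having assigned `appname` again would pass NULL to `efree`. The mssql hunk in this same commit frees its `appname` with `STR_FREE`, and `STR_FREE(php_sybase_module.appname);` here would make the two consistent, assuming `STR_FREE` skips NULL as its use on `server_message` suggests. The same applies to `efree(SybCtG(appname))` in ext/sybase_ct/php_sybase_ct.c.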
diff --git a/ext/w32api/w32api.c b/ext/w32api/w32api.c index 4b3448cdd5..376e8ae3c1 100644 --- a/ext/w32api/w32api.c +++ b/ext/w32api/w32api.c @@ -290,20 +290,26 @@ PHP_MSHUTDOWN_FUNCTION(w32api) */ PHP_RINIT_FUNCTION(w32api) { + HashTable *tmp; + WG(funcs) = WG(libraries) = WG(callbacks) = WG(types) = NULL; + /* Allocate Request Specific HT's here */ - ALLOC_HASHTABLE(WG(funcs)); - zend_hash_init(WG(funcs), 1, NULL, php_w32api_hash_func_dtor, 1); - - ALLOC_HASHTABLE(WG(libraries)); - zend_hash_init(WG(libraries), 1, NULL, php_w32api_hash_lib_dtor, 1); + ALLOC_HASHTABLE(tmp); + zend_hash_init(tmp, 1, NULL, php_w32api_hash_func_dtor, 1); + WG(funcs) = tmp; - ALLOC_HASHTABLE(WG(callbacks)); - zend_hash_init(WG(callbacks), 1, NULL, php_w32api_hash_callback_dtor, 1); + ALLOC_HASHTABLE(tmp); + zend_hash_init(tmp, 1, NULL, php_w32api_hash_lib_dtor, 1); + WG(libraries) = tmp; - ALLOC_HASHTABLE(WG(types)); - zend_hash_init(WG(types), 1, NULL, php_w32api_hash_type_dtor, 1); + ALLOC_HASHTABLE(tmp); + zend_hash_init(tmp, 1, NULL, php_w32api_hash_callback_dtor, 1); + WG(callbacks) = tmp; + ALLOC_HASHTABLE(tmp); + zend_hash_init(tmp, 1, NULL, php_w32api_hash_type_dtor, 1); + WG(types) = tmp; return SUCCESS; @@ -330,6 +336,7 @@ PHP_RSHUTDOWN_FUNCTION(w32api) zend_hash_destroy(WG(types)); FREE_HASHTABLE(WG(types)); + WG(funcs) = WG(libraries) = WG(callbacks) = WG(types) = NULL; return SUCCESS; } diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c index b68b02dd8d..3a16dc95d0 100644 --- a/ext/wddx/wddx.c +++ b/ext/wddx/wddx.c @@ -1069,7 +1069,7 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len) case ST_DATETIME: { char *tmp; - tmp = do_alloca(len + 1); + tmp = emalloc(len + 1); memcpy(tmp, s, len); tmp[len] = '\0'; @@ -1080,7 +1080,7 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len) Z_STRLEN_P(ent->data) = len; Z_STRVAL_P(ent->data) = estrndup(s, len); } - free_alloca(tmp); + efree(tmp); } default: break; 
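Review bot: PHP_RSHUTDOWN_FUNCTION(w32api) calls `zend_hash_destroy(WG(types))` and `FREE_HASHTABLE(WG(types))` with no NULL check, yet the RINIT hunk above now sets all four tables to NULL first and assigns each one only after it is initialised. If request init is interrupted part-way and shutdown still runs, the unassigned tables would be NULL at this point. Guarding each teardown, e.g. `if (WG(types)) { zend_hash_destroy(WG(types)); FREE_HASHTABLE(WG(types)); }`, would match the new init order; the destroy calls for the other three tables are outside the hunk.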
diff --git a/main/main.c b/main/main.c index 9b53c530f6..a3a93e3bb2 100644 --- a/main/main.c +++ b/main/main.c @@ -1369,6 +1369,7 @@ static int php_hash_environment(TSRMLS_D) int _gpc_flags[5] = {0, 0, 0, 0, 0}; zend_bool have_variables_order; zval *dummy_track_vars_array = NULL; + zval *env_vars = NULL; zend_bool initialized_dummy_track_vars_array=0; int i; char *variables_order; @@ -1401,9 +1402,10 @@ static int php_hash_environment(TSRMLS_D) } else { variables_order = PG(gpc_order); have_variables_order=0; - ALLOC_ZVAL(PG(http_globals)[TRACK_VARS_ENV]); - array_init(PG(http_globals)[TRACK_VARS_ENV]); - INIT_PZVAL(PG(http_globals)[TRACK_VARS_ENV]); + ALLOC_ZVAL(env_vars); + array_init(env_vars); + INIT_PZVAL(env_vars); + PG(http_globals)[TRACK_VARS_ENV] = env_vars; php_import_environment_variables(PG(http_globals)[TRACK_VARS_ENV] TSRMLS_CC); if (PG(register_globals)) { php_autoglobal_merge(&EG(symbol_table), Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_ENV]) TSRMLS_CC); @@ -1446,9 +1448,10 @@ static int php_hash_environment(TSRMLS_D) case 'E': if (!_gpc_flags[3]) { if (have_variables_order) { - ALLOC_ZVAL(PG(http_globals)[TRACK_VARS_ENV]); - array_init(PG(http_globals)[TRACK_VARS_ENV]); - INIT_PZVAL(PG(http_globals)[TRACK_VARS_ENV]); + ALLOC_ZVAL(env_vars); + array_init(env_vars); + INIT_PZVAL(env_vars); + PG(http_globals)[TRACK_VARS_ENV] = env_vars; php_import_environment_variables(PG(http_globals)[TRACK_VARS_ENV] TSRMLS_CC); if (PG(register_globals)) { php_autoglobal_merge(&EG(symbol_table), Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_ENV]) TSRMLS_CC); diff --git a/main/php_version.h b/main/php_version.h index a62ef6d178..6866a5fd8e 100644 --- a/main/php_version.h +++ b/main/php_version.h @@ -3,5 +3,5 @@ #define PHP_MAJOR_VERSION 4 #define PHP_MINOR_VERSION 3 #define PHP_RELEASE_VERSION 8 -#define PHP_EXTRA_VERSION "-dev" -#define PHP_VERSION "4.3.8-dev" +#define PHP_EXTRA_VERSION "" +#define PHP_VERSION "4.3.8" 
diff --git a/main/rfc1867.c b/main/rfc1867.c index 91c23b6ba1..c37a711ce0 100644 --- a/main/rfc1867.c +++ b/main/rfc1867.c @@ -760,7 +760,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) char *boundary, *s=NULL, *boundary_end = NULL, *start_arr=NULL, *array_index=NULL; char *temp_filename=NULL, *lbuf=NULL, *abuf=NULL; int boundary_len=0, total_bytes=0, cancel_upload=0, is_arr_upload=0, array_len=0, max_file_size=0, skip_upload=0; - zval *http_post_files=NULL; + zval *http_post_files=NULL; HashTable *uploaded_files=NULL; #if HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING) int str_len = 0, num_vars = 0, num_vars_max = 2*10, *len_list = NULL; char **val_list = NULL; @@ -811,8 +811,9 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* Initialize $_FILES[] */ zend_hash_init(&PG(rfc1867_protected_variables), 5, NULL, NULL, 0); - ALLOC_HASHTABLE(SG(rfc1867_uploaded_files)); - zend_hash_init(SG(rfc1867_uploaded_files), 5, NULL, (dtor_func_t) free_estring, 0); + ALLOC_HASHTABLE(uploaded_files); + zend_hash_init(uploaded_files, 5, NULL, (dtor_func_t) free_estring, 0); + SG(rfc1867_uploaded_files) = uploaded_files; ALLOC_ZVAL(http_post_files); array_init(http_post_files); |