Merge remote-tracking branch 'origin/master' into PHP-7.0.0php-7.0.0alpha1

* origin/master: add missing NEWS entries add missing NEWS entries Fixed bug #69646 (OS command injection vulnerability in escapeshellarg) add NEWS Fixed bug #68776 fix test update NEWS fix typo Fix bug #69646 OS command injection vulnerability in escapeshellarg Fix #69719 - more checks for nulls in paths fix test description Fixed Buf #68812 Unchecked return value.
author: Ferenc Kovacs <tyrael@php.net> 2015-06-10 10:49:51 +0200
committer: Ferenc Kovacs <tyrael@php.net> 2015-06-10 10:49:51 +0200
commit: dbf30365aa15b9044d75b8f77db570bf8fdf2726 (patch)
tree: e0b4481c39b2852b91037b38fa0ee5ec3776b52b /ext/standard
parent: 9cb8cb47975b044bbaafd2d12287ff52cdd3b0e9 (diff)
parent: 5ff259ebb72c1f5cef45c235ca1a85b8e1523835 (diff)
download: php-git-php-7.0.0alpha1.tar.gz
3 files changed, 381 insertions, 0 deletions
diff --git a/ext/standard/exec.c b/ext/standard/exec.c
index 71dfc7c361..60fd7ba1aa 100644
--- a/ext/standard/exec.c
+++ b/ext/standard/exec.c
@@ -383,6 +383,14 @@ PHPAPI zend_string *php_escape_shell_arg(char *str)
 		}
 	}
 #ifdef PHP_WIN32
+	if (y > 0 && '\\' == cmd->val[y - 1]) {
+		int k = 0, n = y - 1;
+		for (; n >= 0 && '\\' == cmd->val[n]; n--, k++);
+		if (k % 2) {
+			cmd->val[y++] = '\\';
+		}
+	}
+
 	cmd->val[y++] = '"';
 #else
 	cmd->val[y++] = '\'';
diff --git a/ext/standard/mail.c b/ext/standard/mail.c
index 5633372022..a9046cea69 100644
--- a/ext/standard/mail.c
+++ b/ext/standard/mail.c
@@ -224,6 +224,44 @@ void php_mail_log_to_file(char *filename, char *message, size_t message_size) {
 }
 
 
+static int php_mail_detect_multiple_crlf(char *hdr) {
+	/* This function detects multiple/malformed multiple newlines. */
+	size_t len;
+
+	if (!hdr) {
+		return 0;
+	}
+
+	/* Should not have any newlines at the beginning. */
+	/* RFC 2822 2.2. Header Fields */
+	if (*hdr < 33 || *hdr > 126 || *hdr == ':') {
+		return 1;
+	}
+
+	while(*hdr) {
+		if (*hdr == '\r') {
+			if (*(hdr+1) == '\0' || *(hdr+1) == '\r' || (*(hdr+1) == '\n' && (*(hdr+2) == '\0' || *(hdr+2) == '\n' || *(hdr+2) == '\r'))) {
+				/* Malformed or multiple newlines. */
+				return 1;
+			} else {
+				hdr += 2;
+			}
+		} else if (*hdr == '\n') {
+			if (*(hdr+1) == '\0' || *(hdr+1) == '\r' || *(hdr+1) == '\n') {
+				/* Malformed or multiple newlines. */
+				return 1;
+			} else {
+				hdr += 2;
+			}
+		} else {
+			hdr++;
+		}
+	}
+
+	return 0;
+}
+
+
 /* {{{ php_mail
  */
 PHPAPI int php_mail(char *to, char *subject, char *message, char *headers, char *extra_cmd)
@@ -278,6 +316,7 @@ PHPAPI int php_mail(char *to, char *subject, char *message, char *headers, char
 
 		efree(tmp);
 	}
+
 	if (PG(mail_x_header)) {
 		const char *tmp = zend_get_executed_filename();
 		zend_string *f;
@@ -292,6 +331,11 @@ PHPAPI int php_mail(char *to, char *subject, char *message, char *headers, char
 		zend_string_release(f);
 	}
 
+	if (hdr && php_mail_detect_multiple_crlf(hdr)) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Multiple or malformed newlines found in additional_header");
+		MAIL_RET(0);
+	}
+
 	if (!sendmail_path) {
 #if (defined PHP_WIN32 || defined NETWARE)
 		/* handle old style win smtp sending */
diff --git a/ext/standard/tests/mail/mail_basic6.phpt b/ext/standard/tests/mail/mail_basic6.phpt
new file mode 100644
index 0000000000..d0d45b78f3
--- /dev/null
+++ b/ext/standard/tests/mail/mail_basic6.phpt
@@ -0,0 +1,329 @@
+--TEST--
+Test mail() function : basic functionality
+--INI--
+sendmail_path=tee mailBasic.out >/dev/null
+mail.add_x_header = Off
+--SKIPIF--
+<?php
+if(substr(PHP_OS, 0, 3) == "WIN")
+  die("skip Won't run on Windows");
+?>
+--FILE--
+<?php
+/* Prototype  : int mail(string to, string subject, string message [, string additional_headers [, string additional_parameters]])
+ * Description: Send an email message with invalid addtional_headers
+ * Source code: ext/standard/mail.c
+ * Alias to functions:
+ */
+
+echo "*** Testing mail() : basic functionality ***\n";
+
+
+// Valid header
+$to = 'user@example.com';
+$subject = 'Test Subject';
+$message = 'A Message';
+$additional_headers = "HEAD1: a\r\nHEAD2: b\r\n";
+$outFile = "mailBasic.out";
+@unlink($outFile);
+
+echo "-- Valid Header --\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo file_get_contents($outFile);
+unlink($outFile);
+
+// Valid header
+$additional_headers = "HEAD1: a\nHEAD2: b\n";
+@unlink($outFile);
+
+echo "-- Valid Header --\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Valid header
+// \r is accepted as valid. This may be changed to invalid.
+$additional_headers = "HEAD1: a\rHEAD2: b\r";
+@unlink($outFile);
+
+echo "-- Valid Header --\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+//===============================================================================
+// Invalid header
+$additional_headers = "\nHEAD1: a\nHEAD2: b\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - preceeding newline--\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+$additional_headers = "\rHEAD1: a\nHEAD2: b\r";
+@unlink($outFile);
+
+echo "-- Invalid Header - preceeding newline--\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+$additional_headers = "\r\nHEAD1: a\r\nHEAD2: b\r\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - preceeding newline--\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+$additional_headers = "\r\n\r\nHEAD1: a\r\nHEAD2: b\r\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - preceeding newline--\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+$additional_headers = "\n\nHEAD1: a\r\nHEAD2: b\r\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - preceeding newline--\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+$additional_headers = "\r\rHEAD1: a\r\nHEAD2: b\r\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - preceeding newline--\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+$additional_headers = "HEAD1: a\r\n\r\nHEAD2: b\r\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - multiple newlines in the middle --\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+$additional_headers = "HEAD1: a\r\n\nHEAD2: b\r\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - multiple newlines in the middle --\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+$additional_headers = "HEAD1: a\n\nHEAD2: b\r\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - multiple newlines in the middle --\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+$additional_headers = "HEAD1: a\r\rHEAD2: b\r\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - multiple newlines in the middle --\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+$additional_headers = "HEAD1: a\n\rHEAD2: b\r\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - multiple newlines in the middle --\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+$additional_headers = "HEAD1: a\n\r\nHEAD2: b\r\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - multiple newlines in the middle --\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+// Invalid, but PHP_FUNCTION(mail) trims newlines
+$additional_headers = "HEAD1: a\r\nHEAD2: b\r\n\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - trailing newlines --\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+// Invalid, but PHP_FUNCTION(mail) trims newlines
+$additional_headers = "HEAD1: a\r\nHEAD2: b\n\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - trailing newlines --\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+// Invalid, but PHP_FUNCTION(mail) trims newlines
+$additional_headers = "HEAD1: a\r\nHEAD2: b\n";
+@unlink($outFile);
+
+echo "-- Invalid Header - trailing newlines --\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+// Invalid header
+// Invalid, but PHP_FUNCTION(mail) trims newlines
+$additional_headers = "HEAD1: a\r\nHEAD2: b\r";
+@unlink($outFile);
+
+echo "-- Invalid Header - trailing newlines --\n";
+// Calling mail() with all additional headers
+var_dump( mail($to, $subject, $message, $additional_headers) );
+echo @file_get_contents($outFile);
+@unlink($outFile);
+
+?>
+===DONE===
+--EXPECTF--
+*** Testing mail() : basic functionality ***
+-- Valid Header --
+bool(true)
+To: user@example.com
+Subject: Test Subject
+HEAD1: a
+HEAD2: b
+
+A Message
+-- Valid Header --
+bool(true)
+To: user@example.com
+Subject: Test Subject
+HEAD1: a
+HEAD2: b
+
+A Message
+-- Valid Header --
+bool(true)
+To: user@example.com
+Subject: Test Subject
+HEAD1: a
+HEAD2: b
+
+A Message
+-- Invalid Header - preceeding newline--
+
+Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
+bool(false)
+-- Invalid Header - preceeding newline--
+
+Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
+bool(false)
+-- Invalid Header - preceeding newline--
+
+Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
+bool(false)
+-- Invalid Header - preceeding newline--
+
+Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
+bool(false)
+-- Invalid Header - preceeding newline--
+
+Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
+bool(false)
+-- Invalid Header - preceeding newline--
+
+Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
+bool(false)
+-- Invalid Header - multiple newlines in the middle --
+
+Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
+bool(false)
+-- Invalid Header - multiple newlines in the middle --
+
+Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
+bool(false)
+-- Invalid Header - multiple newlines in the middle --
+
+Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
+bool(false)
+-- Invalid Header - multiple newlines in the middle --
+
+Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
+bool(false)
+-- Invalid Header - multiple newlines in the middle --
+
+Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
+bool(false)
+-- Invalid Header - multiple newlines in the middle --
+
+Warning: mail(): Multiple or malformed newlines found in additional_header in %s/mail_basic6.php on line %d
+bool(false)
+-- Invalid Header - trailing newlines --
+bool(true)
+To: user@example.com
+Subject: Test Subject
+HEAD1: a
+HEAD2: b
+
+A Message
+-- Invalid Header - trailing newlines --
+bool(true)
+To: user@example.com
+Subject: Test Subject
+HEAD1: a
+HEAD2: b
+
+A Message
+-- Invalid Header - trailing newlines --
+bool(true)
+To: user@example.com
+Subject: Test Subject
+HEAD1: a
+HEAD2: b
+
+A Message
+-- Invalid Header - trailing newlines --
+bool(true)
+To: user@example.com
+Subject: Test Subject
+HEAD1: a
+HEAD2: b
+
+A Message
+===DONE===
author	Ferenc Kovacs <tyrael@php.net>	2015-06-10 10:49:51 +0200
committer	Ferenc Kovacs <tyrael@php.net>	2015-06-10 10:49:51 +0200
commit	dbf30365aa15b9044d75b8f77db570bf8fdf2726 (patch)
tree	e0b4481c39b2852b91037b38fa0ee5ec3776b52b /ext/standard
parent	9cb8cb47975b044bbaafd2d12287ff52cdd3b0e9 (diff)
parent	5ff259ebb72c1f5cef45c235ca1a85b8e1523835 (diff)
download	php-git-php-7.0.0alpha1.tar.gz