
Commit ccfe4bf

author
Ilia Alshanetsky
committed
4.3.8 patches.
1 parent aa72ed1 commit ccfe4bf

19 files changed

+86
-39
lines changed


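--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,14 @@
 PHP 4 NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+14 Jul 2004, Version 4.3.8
+- Fixed strip_tags() to correctly handle '\0' characters. (Stefan)
+- Fixed memory_limit during request startup. (Stefan)
+- Replace alloca() with emalloc() for better stack protection. (Ilia)
+- Added missing safe_mode checks inside ftok and itpc. (Ilia)
+- Fixed bug #28963 (Missing space for \0 in address allocation in IMAP). (Ilia)
+- Fixed bug #28632 (Prevent open_basedir bypass via MySQL's LOAD DATA LOCAL).
+(Ilia)
+
 03 Jun 2004, Version 4.3.7
 - Upgraded bundled GD library to 2.0.23. (Ilia)
 - Changed user error handler mechanism to relay to built-in error handler if it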
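--- a/configure.in
+++ b/configure.in
@@ -41,7 +41,7 @@ AC_CONFIG_HEADER(main/php_config.h)
 MAJOR_VERSION=4
 MINOR_VERSION=3
 RELEASE_VERSION=8
-EXTRA_VERSION="-dev"
+EXTRA_VERSION=""
 VERSION="$MAJOR_VERSION.$MINOR_VERSION.$RELEASE_VERSION$EXTRA_VERSION"
 
 dnl Define where extension directories are located in the configure context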
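--- a/ext/imap/php_imap.c
+++ b/ext/imap/php_imap.c
@@ -3683,7 +3683,7 @@ static void _php_imap_parse_address (ADDRESS *addresslist, char **fulladdress, z
 addresstmp = addresslist;
 
 if ((len = _php_imap_address_size(addresstmp))) {
-tmpstr = (char *) malloc (len);
+tmpstr = (char *) malloc(len + 1);
 tmpstr[0] = '\0';
 rfc822_write_address(tmpstr, addresstmp);
 *fulladdress = tmpstr;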
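Review bot: The result of `malloc(len + 1)` is still written through unchecked on the next line (`tmpstr[0] = '\0'`), so an allocation failure becomes a NULL dereference rather than a reported error; the commit fixes the size but not this. A guard such as `if (!tmpstr) { return; }` before the write would close it, though what the caller expects in `*fulladdress` on failure must be confirmed, since `_php_imap_parse_address` continues outside the hunk. The `+ 1` itself deserves a comment recording why it is there, presumably `/* _php_imap_address_size() excludes the NUL that rfc822_write_address() appends */`, so the next person does not "tidy" it away.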
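--- a/ext/msession/msession.c
+++ b/ext/msession/msession.c
@@ -1266,7 +1266,7 @@ PS_OPEN_FUNC(msession)
 {
 int port;
 int len = strlen(save_path)+1;
-char * path = alloca(len);
+char * path = emalloc(len);
 char * szport;
 
 strcpy(path, save_path);
@@ -1285,7 +1285,13 @@ PS_OPEN_FUNC(msession)
 
 ELOG( "ps_open_msession");
 PS_SET_MOD_DATA((void *)1); /* session.c needs a non-zero here! */
-return PHPMsessionConnect(path, port) ? SUCCESS : FAILURE;
+if (PHPMsessionConnect(path, port)) {
+efree(path);
+return SUCCESS;
+} else {
+efree(path);
+return FAILURE;
+}
 }
 
 PS_CLOSE_FUNC(msession)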
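Review bot: The two branches of the new `if`/`else` at 1288–1294 differ only in the value returned, so `efree(path)` is duplicated; `int ret = PHPMsessionConnect(path, port) ? SUCCESS : FAILURE;` / `efree(path);` / `return ret;` expresses the same thing in three lines with a single release point. More importantly, `path` is now heap memory, so any early `return` in the elided lines 1273–1284 between the two hunks would leak it where `alloca` reclaimed it implicitly — worth confirming none exists there. The body of PS_OPEN_FUNC(msession) spans both hunks and its middle is not visible here.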
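--- a/ext/mssql/php_mssql.c
+++ b/ext/mssql/php_mssql.c
@@ -344,6 +344,7 @@ PHP_RINIT_FUNCTION(mssql)
 PHP_RSHUTDOWN_FUNCTION(mssql)
 {
 STR_FREE(MS_SQL_G(appname));
+MS_SQL_G(appname) = NULL;
 if (MS_SQL_G(server_message)) {
 STR_FREE(MS_SQL_G(server_message));
 MS_SQL_G(server_message) = NULL;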
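--- a/ext/mysql/php_mysql.c
+++ b/ext/mysql/php_mysql.c
@@ -259,6 +259,9 @@ static void _free_mysql_result(zend_rsrc_list_entry *rsrc TSRMLS_DC)
 */
 static void php_mysql_set_default_link(int id TSRMLS_DC)
 {
+if (MySG(default_link) != -1) {
+zend_list_delete(MySG(default_link));
+}
 MySG(default_link) = id;
 zend_list_addref(id);
 }
@@ -590,7 +593,7 @@ static void php_mysql_do_connect(INTERNAL_FUNCTION_PARAMETERS, int persistent)
 break;
 }
 /* disable local infile option for open_basedir */
-if (PG(open_basedir) && strlen(PG(open_basedir))) {
+if (PG(open_basedir) && strlen(PG(open_basedir)) && (client_flags & CLIENT_LOCAL_FILES)) {
 client_flags ^= CLIENT_LOCAL_FILES;
 }
 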
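Review bot: In `php_mysql_set_default_link`, the new `zend_list_delete(MySG(default_link))` runs before `zend_list_addref(id)`; if the function is ever called with `id` equal to the current default while that slot holds the last reference, the delete destroys the resource and the following addref touches a freed list entry. Guarding with `if (MySG(default_link) != -1 && MySG(default_link) != id) {` (or performing the addref before the delete) makes the re-assignment case safe regardless of how callers behave. I could not confirm from the hunk whether any caller passes the current id, so this is a defensive change rather than a reproduced fault.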
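--- a/ext/pcntl/pcntl.c
+++ b/ext/pcntl/pcntl.c
@@ -386,7 +386,7 @@ PHP_FUNCTION(pcntl_exec)
 args_hash = HASH_OF(args);
 argc = zend_hash_num_elements(args_hash);
 
-argv = alloca((argc+2) * sizeof(char *));
+argv = safe_emalloc((argc + 2), sizeof(char *), 0);
 *argv = path;
 for ( zend_hash_internal_pointer_reset(args_hash), current_arg = argv+1;
 (argi < argc && (zend_hash_get_current_data(args_hash, (void **) &element) == SUCCESS));
@@ -397,7 +397,7 @@ PHP_FUNCTION(pcntl_exec)
 }
 *(current_arg) = NULL;
 } else {
-argv = alloca(2 * sizeof(char *));
+argv = emalloc(2 * sizeof(char *));
 *argv = path;
 *(argv+1) = NULL;
 }
@@ -407,13 +407,13 @@ PHP_FUNCTION(pcntl_exec)
 envs_hash = HASH_OF(envs);
 envc = zend_hash_num_elements(envs_hash);
 
-envp = alloca((envc+1) * sizeof(char *));
+envp = safe_emalloc((envc + 1), sizeof(char *), 0);
 for ( zend_hash_internal_pointer_reset(envs_hash), pair = envp;
 (envi < envc && (zend_hash_get_current_data(envs_hash, (void **) &element) == SUCCESS));
 (envi++, pair++, zend_hash_move_forward(envs_hash)) ) {
 switch (return_val = zend_hash_get_current_key_ex(envs_hash, &key, &key_length, &key_num, 0, NULL)) {
 case HASH_KEY_IS_LONG:
-key = alloca(101);
+key = emalloc(101);
 snprintf(key, 100, "%ld", key_num);
 key_length = strlen(key);
 break;
@@ -432,7 +432,7 @@ PHP_FUNCTION(pcntl_exec)
 strlcat(*pair, Z_STRVAL_PP(element), pair_length);
 
 /* Cleanup */
-if (return_val == HASH_KEY_IS_LONG) free_alloca(key);
+if (return_val == HASH_KEY_IS_LONG) efree(key);
 }
 *(pair) = NULL;
 }
@@ -445,10 +445,10 @@ PHP_FUNCTION(pcntl_exec)
 /* Cleanup */
 if (envp != NULL) {
 for (pair = envp; *pair != NULL; pair++) efree(*pair);
-free_alloca(envp);
+efree(envp);
 }
 
-free_alloca(argv);
+efree(argv);
 
 RETURN_FALSE;
 }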
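Review bot: In the `@@ -407` hunk, `key = emalloc(101)` is released only by the `efree(key)` at line 435, and only when `return_val == HASH_KEY_IS_LONG`; with `alloca` every other exit from the loop body was free, but with heap allocation any early return or `continue` in the elided lines 419–431 and 439–444 now leaks until request shutdown, so those paths should be checked. The buffer size and the `snprintf` bound on the following line are also out of step (`emalloc(101)` against `snprintf(key, 100, ...)`); that predates the commit, but since the line is being rewritten, passing the same value to both, e.g. `snprintf(key, 101, "%ld", key_num);`, keeps them tied. The body of `pcntl_exec` extends beyond the hunks shown.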
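--- a/ext/session/mod_mm.c
+++ b/ext/session/mod_mm.c
@@ -264,7 +264,7 @@ PHP_MINIT_FUNCTION(ps_mm)
 return FAILURE;
 
 /* Directory + '/' + File + Module Name + Effective UID + \0 */
-ps_mm_path = do_alloca(save_path_len+1+sizeof(PS_MM_FILE)+mod_name_len+strlen(euid)+1);
+ps_mm_path = emalloc(save_path_len+1+sizeof(PS_MM_FILE)+mod_name_len+strlen(euid)+1);
 
 memcpy(ps_mm_path, PS(save_path), save_path_len + 1);
 if (save_path_len > 0 && ps_mm_path[save_path_len - 1] != DEFAULT_SLASH) {
@@ -277,7 +277,7 @@ PHP_MINIT_FUNCTION(ps_mm)
 
 ret = ps_mm_initialize(ps_mm_instance, ps_mm_path);
 
-free_alloca(ps_mm_path);
+efree(ps_mm_path);
 
 if (ret != SUCCESS) {
 free(ps_mm_instance);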
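--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -503,13 +503,16 @@ PS_SERIALIZER_DECODE_FUNC(php)
 
 static void php_session_track_init(TSRMLS_D)
 {
+zval *session_vars = NULL;
+
 /* Unconditionally destroy existing arrays -- possible dirty data */
 zend_hash_del(&EG(symbol_table), "HTTP_SESSION_VARS",
 sizeof("HTTP_SESSION_VARS"));
 zend_hash_del(&EG(symbol_table), "_SESSION", sizeof("_SESSION"));
 
-MAKE_STD_ZVAL(PS(http_session_vars));
-array_init(PS(http_session_vars));
+MAKE_STD_ZVAL(session_vars);
+array_init(session_vars);
+PS(http_session_vars) = session_vars;
 
 ZEND_SET_GLOBAL_VAR_WITH_LENGTH("HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS"), PS(http_session_vars), 2, 1);
 ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"), PS(http_session_vars), 2, 1);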
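Review bot: The reason for staging the array in the local `session_vars` before assigning `PS(http_session_vars)` (new lines 506–515) is not recorded in the code, and a later cleanup could fold it straight back into the direct form this commit removes. Presumably the intent is that the module global never points at a zval that `MAKE_STD_ZVAL`/`array_init` has only partially set up if allocation bails out between the two calls; a comment on line 513 such as `/* Build the array in a local first so PS(http_session_vars) never references a half-initialised zval if allocation bails out */` would preserve that. The rest of `php_session_track_init` is inside the hunk, so nothing else depends on the ordering here.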
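--- a/ext/standard/ftok.c
+++ b/ext/standard/ftok.c
@@ -52,6 +52,10 @@ PHP_FUNCTION(ftok)
 RETURN_LONG(-1);
 }
 
+if ((PG(safe_mode) && (!php_checkuid(Z_STRVAL_PP(pathname), NULL, CHECKUID_CHECK_FILE_AND_DIR))) || php_check_open_basedir(Z_STRVAL_PP(pathname) TSRMLS_CC)) {
+RETURN_LONG(-1);
+}
+
 k = ftok(Z_STRVAL_PP(pathname),Z_STRVAL_PP(proj)[0]);
 
 RETURN_LONG(k);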
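Review bot: The added condition on line 55 folds two independent policy checks into one long expression, which obscures that the open_basedir check applies even when safe_mode is off; splitting it into two `if`s that each `RETURN_LONG(-1)` reads as two rules, lets a comment name each, and changes no behaviour since both run before the `ftok()` call. Returning -1 here is the same value `ftok(3)` returns on failure, so a script cannot distinguish a policy denial from a system error; that is acceptable if `php_checkuid()` and `php_check_open_basedir()` emit their own warnings, which I believe they do but cannot confirm from the hunk.
```c
if (PG(safe_mode) && !php_checkuid(Z_STRVAL_PP(pathname), NULL, CHECKUID_CHECK_FILE_AND_DIR)) {
	RETURN_LONG(-1);
}
if (php_check_open_basedir(Z_STRVAL_PP(pathname) TSRMLS_CC)) {
	RETURN_LONG(-1);
}
/* … unchanged: ftok() call and RETURN_LONG(k) … */
```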