Merge branch 'PHP-5.5' into PHP-5.6
authorStanislav Malyshev <stas@php.net>
Tue, 4 Aug 2015 22:29:13 +0000 (15:29 -0700)
committerStanislav Malyshev <stas@php.net>
Tue, 4 Aug 2015 22:29:13 +0000 (15:29 -0700)
* PHP-5.5:
  update NEWS
  fix test
  update NEWS
  Fix bug #70019 - limit extracted files to given directory
  Do not do convert_to_* on unserialize, it messes up references
  Fix #69793 - limit what we accept when unserializing exception
  Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList)
  Fixed bug #70166 - Use After Free Vulnerability in unserialize() with SPLArrayObject
  ignore signatures for packages too
  Fix bug #70168 - Use After Free Vulnerability in unserialize() with SplObjectStorage
  Fixed bug #69892
  Fix bug #70014 - use RAND_bytes instead of deprecated RAND_pseudo_bytes
  Improved fix for Bug #69441
  Fix bug #70068 (Dangling pointer in the unserialization of ArrayObject items)
  Fix bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref)
  Fix bug #70081: check types for SOAP variables

Conflicts:
ext/soap/php_http.c
ext/spl/spl_observer.c

.gitignore
ext/date/php_date.c
ext/openssl/openssl.c
ext/phar/phar_internal.h
ext/phar/phar_object.c
ext/soap/php_http.c
ext/spl/spl_array.c
ext/spl/spl_dllist.c
ext/spl/spl_observer.c

diff --cc .gitignore
Simple merge
Simple merge
Simple merge
Simple merge
Simple merge
index 2045162367915c6af1c922744dc5631bb194cd17,21a0da0876a2ccdeeb3c03ce5e95bb50a7fc34b3..c8eba98bc80c38bf57a4fba3b371b2c5c349b22b
@@@ -822,21 -821,24 +822,24 @@@ try_again
                                zend_hash_internal_pointer_reset(Z_ARRVAL_PP(cookies));
                                smart_str_append_const(&soap_headers, "Cookie: ");
                                for (i = 0; i < n; i++) {
 -                                      int res = zend_hash_get_current_key(Z_ARRVAL_PP(cookies), &key, &numindx, FALSE);
+                                       ulong numindx;
++                                      int res = zend_hash_get_current_key_ex(Z_ARRVAL_PP(cookies), &key, &key_len, &numindx, 0, NULL);
                                        zend_hash_get_current_data(Z_ARRVAL_PP(cookies), (void **)&data);
-                                       zend_hash_get_current_key_ex(Z_ARRVAL_PP(cookies), &key, &key_len, NULL, 0, NULL);
  
-                                       if (Z_TYPE_PP(data) == IS_ARRAY) {
+                                       if (res == HASH_KEY_IS_STRING && Z_TYPE_PP(data) == IS_ARRAY) {
                                          zval** value;
  
                                                if (zend_hash_index_find(Z_ARRVAL_PP(data), 0, (void**)&value) == SUCCESS &&
                                                    Z_TYPE_PP(value) == IS_STRING) {
                                                  zval **tmp;
                                                  if ((zend_hash_index_find(Z_ARRVAL_PP(data), 1, (void**)&tmp) == FAILURE ||
+                                                  Z_TYPE_PP(tmp) != IS_STRING ||
                                                       strncmp(phpurl->path?phpurl->path:"/",Z_STRVAL_PP(tmp),Z_STRLEN_PP(tmp)) == 0) &&
                                                      (zend_hash_index_find(Z_ARRVAL_PP(data), 2, (void**)&tmp) == FAILURE ||
+                                                      Z_TYPE_PP(tmp) != IS_STRING ||
                                                       in_domain(phpurl->host,Z_STRVAL_PP(tmp))) &&
                                                      (use_ssl || zend_hash_index_find(Z_ARRVAL_PP(data), 3, (void**)&tmp) == FAILURE)) {
 -                                                              smart_str_appendl(&soap_headers, key, strlen(key));
 +                                                              smart_str_appendl(&soap_headers, key, key_len-1);
                                                                smart_str_appendc(&soap_headers, '=');
                                                                smart_str_appendl(&soap_headers, Z_STRVAL_PP(value), Z_STRLEN_PP(value));
                                                                smart_str_appendc(&soap_headers, ';');
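Review bot: The added `Z_TYPE_PP(tmp) != IS_STRING ||` guards on the cookie's path (index 1) and domain (index 2) entries fail open: an entry that is present but not a string is treated like a match, so the cookie is emitted with no path or host restriction instead of being skipped. The guards do keep `Z_STRVAL_PP`/`Z_STRLEN_PP` from being read on a non-string zval, but a malformed attribute in a cookie array (which may not be trustworthy if it can arrive through unserialized data) is safer rejected; the match arms could read `(Z_TYPE_PP(tmp) == IS_STRING && strncmp(phpurl->path?phpurl->path:"/",Z_STRVAL_PP(tmp),Z_STRLEN_PP(tmp)) == 0)` and `(Z_TYPE_PP(tmp) == IS_STRING && in_domain(phpurl->host,Z_STRVAL_PP(tmp)))`. Separately, the result of `zend_hash_get_current_data()` is not checked before `Z_TYPE_PP(data)`, which looks safe only as long as `n`, set outside the hunk, equals the element count. The enclosing function starts and ends outside this hunk.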
Simple merge
Simple merge
Simple merge