Anatol Belski [Fri, 16 Nov 2018 22:19:33 +0000 (23:19 +0100)]
Fixed bug #77111 php-win.exe corrupts unicode symbols from cli parameters
The binary can be of course used on console, for whatever reasons, so
UNICODE API should be used in that case. That might however not work as
expected, if the binary is used for a service.
Anatol Belski [Wed, 14 Nov 2018 21:23:24 +0000 (22:23 +0100)]
Rework magic data once more
The change reduces the input size on patterns using posix character
classes. It is still better than reverting to the patterns from the
older version, as the upstream data uses posix classes also in the later
versions. The input reduction speeds up the pattern matching in some
cases.
This patch is functionally almost same as upstream, but might show some diff
when the input is very long. While the magic data in the newer versions is
functionally an improvement, with jit=0 it might show a performance regression.
The slowdown is negligible in the normal usage and is still acceptable for the
malicious input. If some functional regressions show up, this patch should be
reverted and the tests timing should be adapted instead.
Fix #77147: Fix for 60494 ignores ICONV_MIME_DECODE_CONTINUE_ON_ERROR
If the `ICONV_MIME_DECODE_CONTINUE_ON_ERROR` flag is set, parsing
should not fail, if there are illegal characters in the headers;
instead we silently ignore these like before.
Anatol Belski [Sat, 10 Nov 2018 00:28:23 +0000 (01:28 +0100)]
Rework magic data
Avoid patching where vanilla data suffices. More precisely, avoid data
using [:space:] posix class in regex, as it is likely to cause performance
regressions.
Apparently, the presence of `cpuid.h` is not necessarily sufficient to
guarantee the availability of `__cpuid_count()`. We therefore test for
the latter explicitly.
Anatol Belski [Sun, 4 Nov 2018 12:11:28 +0000 (13:11 +0100)]
Rework places in libmagic regarding previous CVE-2014-3538 fixes
CVE-2014-3538 was fixed upstream, but the old patch was still kept in
the PHP port. This patch causes performance regressions when PCRE JIT is
not enabled. This is fixed by applying the relevant original code from
the newer libmagic, which makes the old patch obsolete as the
CVE-2014-3538 tests still pass.
Anatol Belski [Sat, 3 Nov 2018 19:29:51 +0000 (20:29 +0100)]
Change the way JIT availability is checked
The pcre2_jit_compile_8 sysmbol is always available, even JIT might be
not. If JIT is not enabled explicitly and is enabled in the PHP runtime,
this will lead to a malfunction. This approach ensures JIT is indeed
available on the given platform. For cross compilation this might get
complicated, as it would require an explicit processor architecture and
PCRE2 version check.
Another solution for this case is to run pcre2_config at runtime. That
however would require more condition checks that would impact
architectures where JIT is available.
Fix #71592: External entity processing never fails
If the callback set via `xml_set_external_entity_ref_handler()` returns
a falsy value, parsing is supposed to stop and the error number set to
`XML_ERROR_EXTERNAL_ENTITY_HANDLING`. This is already correctly done
by the libexpat binding, but the libxml2 binding ignores the return
value. We fix this by calling `xmlStopParser()` which is available as
of libxml 2.1.0[1] (PHP-7.1 requires at least libxml 2.6.11 anyway),
and setting the desired `errNo` ourselves.
Since we allow ext/xmlrpc to be built against a system libxmlrpc(-epi),
we must not `efree` memory which has been allocated via `malloc`. To
distinguish bundled and system libxmlrpc(-epi) we introduce the macro
`HAVE_XMLRPC_BUNDLED` (analogous to how it is done by ext/gd). We
deliberately keep the ugly `#ifdef`s, instead of tucking them away in
an `XMLRPC_FREE()` macro, to not forget that it is a bad idea to fork
and bundle a library, but to also allow building against an unpatched
system lib.
projects / php / log