From 292aa9d6cb3a6632b94a87ef3ba581eb85510a11 Mon Sep 17 00:00:00 2001
From: George Wang
Date: Tue, 8 Dec 2015 23:43:29 -0500
Subject: [PATCH] Clear secret after use.
---
 sapi/litespeed/lsapilib.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/sapi/litespeed/lsapilib.c b/sapi/litespeed/lsapilib.c
index d6d1c107a7..4b28c968ea 100644
--- a/sapi/litespeed/lsapilib.c
+++ b/sapi/litespeed/lsapilib.c
@@ -128,7 +128,7 @@ static int s_pid_dump_debug_info = 0;
 LSAPI_Request g_req = { -1, -1 };
-static char s_pSecret[24];
+static char s_secret[24];
 void Flush_RespBuf_r( LSAPI_Request * pReq );
@@ -670,7 +670,7 @@ static int readSecret( const char * pSecretFile )
 close( fd );
 return -1;
 }
- if ( read( fd, s_pSecret, 16 ) < 16 )
+ if ( read( fd, s_secret, 16 ) < 16 )
 {
 fprintf( stderr, "LSAPI: failed to read secret from secret file: %s\n", pSecretFile );
 close( fd );
@@ -682,7 +682,7 @@ static int readSecret( const char * pSecretFile )
 int LSAPI_is_suEXEC_Daemon()
 {
- if (( !s_uid )&&( s_pSecret[0] ))
+ if (( !s_uid )&&( s_secret[0] ))
 return 1;
 else
 return 0;
@@ -877,7 +877,7 @@ static int lsapi_suexec_auth( LSAPI_Request *pReq,
 if ( len < 32 )
 return -1;
 memmove( achMD5, pAuth + 16, 16 );
- memmove( pAuth + 16, s_pSecret, 16 );
+ memmove( pAuth + 16, s_secret, 16 );
 lsapi_MD5Init( &md5ctx );
 lsapi_MD5Update( &md5ctx, (unsigned char *)pAuth, 32 );
 lsapi_MD5Update( &md5ctx, (unsigned char *)pUgid, 8 );
@@ -1170,8 +1170,11 @@ static int readReq( LSAPI_Request * pReq )
 pReq->m_reqState = LSAPI_ST_REQ_BODY | LSAPI_ST_RESP_HEADER;
 if ( !s_uid )
+ {
 if ( lsapi_changeUGid( pReq ) )
 return -1;
+ memset(s_secret, 0, sizeof(s_secret));
+ }
 pReq->m_bufProcessed = packetLen;
 //OPTIMIZATION
@@ -1191,7 +1194,7 @@ int LSAPI_Init(void)
 if ( !g_inited )
 {
 s_uid = geteuid();
- s_pSecret[0] = 0;
+ s_secret[0] = 0;
 lsapi_signal(SIGPIPE, lsapi_sigpipe);
 lsapi_signal(SIGUSR1, lsapi_siguser1);
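Review bot: Once the `memset` added in readReq has run, `s_secret` is a known all-zero value, but `lsapi_suexec_auth` (the -877 hunk) still copies 16 bytes of it into the MD5 input without checking that a secret is actually loaded. Whether readReq can be entered again in the same process with `s_uid` still 0 is not visible here, since both function bodies extend outside their hunks; if it can, that later authentication would be computed over a predictable key. Making the cleared state fail closed would remove the question, for example a dedicated flag (proposed name `s_secret_loaded`) set in readSecret, reset next to the `memset`, and tested as `if ( !s_secret_loaded ) return -1;` before the `memmove`. A flag also avoids relying on `s_secret[0]` as the loaded marker, which LSAPI_is_suEXEC_Daemon does and which misreads a secret file whose first byte happens to be 0.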
@@ -1444,7 +1447,7 @@ int LSAPI_ReqBodyGetLine_r( LSAPI_Request * pReq, char * pBuf, size_t bufLen, in
 char * pBufCur = pBuf;
 char * pCur;
 char * p;
- if (!pReq || (pReq->m_fd ==-1) ||( !pBuf )|| !getLF )
+ if (!pReq || (pReq->m_fd ==-1) ||( !pBuf )||(bufLen < 0 )|| !getLF )
 return -1;
 *getLF = 0;
 while( (left = pBufEnd - pBufCur ) > 0 )
@@ -1488,7 +1491,7 @@ ssize_t LSAPI_ReadReqBody_r( LSAPI_Request * pReq, char * pBuf, size_t bufLen )
 ssize_t len;
 off_t total;
 /* char *pOldBuf = pBuf; */
- if (!pReq || (pReq->m_fd ==-1) || ( !pBuf ))
+ if (!pReq || (pReq->m_fd ==-1) || ( !pBuf )||(bufLen < 0 ))
 return -1;
 total = pReq->m_reqBodyLen - pReq->m_reqBodyRead;
--
2.40.0
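Review bot: The added `(bufLen < 0 )` test can never be true, because `bufLen` is declared `size_t` in both signatures shown in the hunk headers (LSAPI_ReqBodyGetLine_r here and LSAPI_ReadReqBody_r in the next hunk). A negative length passed by a caller therefore arrives as a very large unsigned value and passes the guard unchanged. If the intent is to reject such values, compare against an upper bound instead, e.g. `( bufLen > SSIZE_MAX )` with `<limits.h>`, or `( (ssize_t)bufLen < 0 )`. GCC reports the current form under -Wtype-limits. Both function bodies continue outside their hunks, so how `bufLen` is used afterwards is not visible here.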