From 314c9b92338c2cffe4e9ce4299d5d39c35751a3a Mon Sep 17 00:00:00 2001
From: Christopher Jones <sixd@php.net>
Date: Tue, 16 Nov 2010 19:33:31 +0000
Subject: [PATCH] Protect against null bytes in LOB filenames (rasmus)

---
 ext/oci8/oci8_interface.c       | 18 +++++++--
 ext/oci8/package.xml            | 29 +++++++++++---
 ext/oci8/php_oci8.h             |  2 +-
 ext/oci8/tests/null_byte_1.phpt | 38 ++++++++++++++++++
 ext/oci8/tests/null_byte_2.phpt | 69 +++++++++++++++++++++++++++++++++
 5 files changed, 145 insertions(+), 11 deletions(-)
 create mode 100644 ext/oci8/tests/null_byte_1.phpt
 create mode 100644 ext/oci8/tests/null_byte_2.phpt

diff --git a/ext/oci8/oci8_interface.c b/ext/oci8/oci8_interface.c
index b9e79f9fe9..3143d492ba 100644
--- a/ext/oci8/oci8_interface.c
+++ b/ext/oci8/oci8_interface.c
@@ -242,7 +242,12 @@ PHP_FUNCTION(oci_lob_import)
 			return;
 		}	
 	}
-	
+
+	if (strlen(filename) != filename_len) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Filename cannot contain null bytes");
+		RETURN_FALSE;  
+	}
+
 	if (zend_hash_find(Z_OBJPROP_P(z_descriptor), "descriptor", sizeof("descriptor"), (void **)&tmp) == FAILURE) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to find descriptor property");
 		RETURN_FALSE;
@@ -894,7 +899,12 @@ PHP_FUNCTION(oci_lob_export)
 			RETURN_FALSE;
 		}
 	}
-	
+
+	if (strlen(filename) != filename_len) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Filename cannot contain null bytes");
+		RETURN_FALSE;  
+	}
+
 	if (zend_hash_find(Z_OBJPROP_P(z_descriptor), "descriptor", sizeof("descriptor"), (void **)&tmp) == FAILURE) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to find descriptor property");
 		RETURN_FALSE;
@@ -1662,8 +1672,8 @@ PHP_FUNCTION(oci_num_fields)
 }
 /* }}} */
 
-/* {{{ proto resource oci_parse(resource connection, string query)
-   Parse a query and return a statement */
+/* {{{ proto resource oci_parse(resource connection, string statement)
+   Parse a SQL or PL/SQL statement and return a statement resource */
 PHP_FUNCTION(oci_parse)
 {
 	zval *z_connection;
diff --git a/ext/oci8/package.xml b/ext/oci8/package.xml
index ed4349ea04..a56c010129 100644
--- a/ext/oci8/package.xml
+++ b/ext/oci8/package.xml
@@ -33,21 +33,20 @@ http://pear.php.net/dtd/package-2.0.xsd">
   <active>no</active>
  </lead>
 
- <date>2010-11-10</date>
+ <date>2010-11-16</date>
  <time>15:00:00</time>
 
  <version>
-  <release>1.4.4</release>
-  <api>1.4.4</api>
+  <release>1.4.5</release>
+  <api>1.4.5</api>
  </version>
  <stability>
-  <release>stable</release>
+  <release>devel</release>
   <api>stable</api>
  </stability>
  <license uri="http://www.php.net/license">PHP</license>
  <notes>
-    Fixed bug #53284 (Valgrind warnings in oci_set_* functions)
-    Enhancement - improve startup failure error messages
+    Protect against null bytes in LOB filenames (http://news.php.net/php.internals/50202)
  </notes>
  <contents>
   <dir name="/">
@@ -306,6 +305,8 @@ http://pear.php.net/dtd/package-2.0.xsd">
     <file name="lob_temp1.phpt" role="test" />
     <file name="lob_temp.phpt" role="test" />
     <file name="minfo.phpt" role="test" />
+    <file name="null_byte_1.phpt" role="test" />
+    <file name="null_byte_2.phpt" role="test" />
     <file name="num.phpt" role="test" />
     <file name="oci8safemode.phpt" role="test" />
     <file name="oci_execute_segfault.phpt" role="test" />
@@ -377,6 +378,22 @@ http://pear.php.net/dtd/package-2.0.xsd">
  </extsrcrelease>
  <changelog>
 
+<release>
+ <version>
+  <release>1.4.4</release>
+  <api>1.4.4</api>
+ </version>
+ <stability>
+  <release>stable</release>
+  <api>stable</api>
+ </stability>
+ <license uri="http://www.php.net/license">PHP</license>
+ <notes>
+    Fixed bug #53284 (Valgrind warnings in oci_set_* functions)
+    Enhancement - improve startup failure error messages
+ </notes>
+</release>
+
 <release>
  <version>
   <release>1.4.3</release>
diff --git a/ext/oci8/php_oci8.h b/ext/oci8/php_oci8.h
index 3f7a514a74..02dee73d27 100644
--- a/ext/oci8/php_oci8.h
+++ b/ext/oci8/php_oci8.h
@@ -46,7 +46,7 @@
  */
 #undef PHP_OCI8_VERSION
 #endif
-#define PHP_OCI8_VERSION "1.4.4"
+#define PHP_OCI8_VERSION "1.4.5-devel"
 
 extern zend_module_entry oci8_module_entry;
 #define phpext_oci8_ptr &oci8_module_entry
diff --git a/ext/oci8/tests/null_byte_1.phpt b/ext/oci8/tests/null_byte_1.phpt
new file mode 100644
index 0000000000..1439bd5d66
--- /dev/null
+++ b/ext/oci8/tests/null_byte_1.phpt
@@ -0,0 +1,38 @@
+--TEST--
+Protect against null bytes in LOB filenames (http://news.php.net/php.internals/50202)
+--SKIPIF--
+<?php if (!extension_loaded('oci8')) die ("skip no oci8 extension"); ?>
+--INI--
+display_errors = On
+error_reporting = E_WARNING
+--FILE--
+<?php
+
+require(dirname(__FILE__).'/connect.inc');
+
+// Run Test
+
+echo "Test 1: Import\n";
+
+$lob = oci_new_descriptor($c, OCI_D_LOB);
+$r = $lob->savefile("/tmp/abc\0def");
+var_dump($r);
+
+echo "Test 2: Export\n";
+
+$r = $lob->export("/tmp/abc\0def");
+var_dump($r);
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECTF--
+Test 1: Import
+
+Warning: OCI-Lob::savefile(): Filename cannot contain null bytes in %snull_byte_1.php on line %d
+bool(false)
+Test 2: Export
+
+Warning: OCI-Lob::export(): Filename cannot contain null bytes in %snull_byte_1.php on line %d
+bool(false)
+===DONE===
diff --git a/ext/oci8/tests/null_byte_2.phpt b/ext/oci8/tests/null_byte_2.phpt
new file mode 100644
index 0000000000..b4c9b61ad4
--- /dev/null
+++ b/ext/oci8/tests/null_byte_2.phpt
@@ -0,0 +1,69 @@
+--TEST--
+Null bytes in SQL statements
+--SKIPIF--
+<?php if (!extension_loaded('oci8')) die ("skip no oci8 extension"); ?>
+--INI--
+display_errors = On
+error_reporting = E_WARNING
+--FILE--
+<?php
+
+require(dirname(__FILE__).'/connect.inc');
+
+// Run Test
+
+echo "Test 1: Valid use of a null byte\n";
+
+$s = oci_parse($c, "select * \0from dual");
+oci_execute($s);
+oci_fetch_all($s, $res);
+var_dump($res);
+
+echo "Test 2: Invalid use of a null byte\n";
+
+$s = oci_parse($c, "select * from du\0al");
+oci_execute($s);
+
+echo "Test 3: Using a null byte in a bind variable name\n";
+
+$s = oci_parse($c, "select * from dual where :bv = 1");
+$bv = 1;
+oci_bind_by_name($s, ":bv\0:bv", $bv);
+oci_execute($s);
+ 
+echo "Test 4: Using a null byte in a bind variable value causing WHERE clause to fail\n";
+
+$s = oci_parse($c, "select * from dual where :bv = 'abc'");
+$bv = 'abc\0abc';
+oci_bind_by_name($s, ":bv", $bv);
+oci_execute($s);
+oci_fetch_all($s, $res);
+var_dump($res);
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECTF--
+Test 1: Valid use of a null byte
+array(1) {
+  ["DUMMY"]=>
+  array(1) {
+    [0]=>
+    string(1) "X"
+  }
+}
+Test 2: Invalid use of a null byte
+
+Warning: oci_execute(): ORA-00942: %s in %snull_byte_2.php on line %d
+Test 3: Using a null byte in a bind variable name
+
+Warning: oci_bind_by_name(): ORA-01036: %s in %snull_byte_2.php on line %d
+
+Warning: oci_execute(): ORA-01008: %s in %snull_byte_2.php on line %d
+Test 4: Using a null byte in a bind variable value causing WHERE clause to fail
+array(1) {
+  ["DUMMY"]=>
+  array(0) {
+  }
+}
+===DONE===
-- 
2.40.0