From 813e3cf14d199efa99eedebb5d4b1f792bab6df7 Mon Sep 17 00:00:00 2001 From: Ilia Alshanetsky Date: Mon, 3 May 2010 14:41:40 +0000 Subject: [PATCH] Fixed bug #51690 (Phar::setStub looks for case-sensitive __HALT_COMPILER()) --- NEWS | 2 ++ ext/phar/phar.c | 11 +++++++---- ext/phar/tar.c | 9 +++++++-- ext/phar/zip.c | 10 ++++++++-- 4 files changed, 24 insertions(+), 8 deletions(-) diff --git a/NEWS b/NEWS index 126644650a..f7f00de5a4 100644 --- a/NEWS +++ b/NEWS @@ -37,6 +37,8 @@ PHP NEWS requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert) - Fixed 64-bit integer overflow in mhash_keygen_s2k(). (Clément LECIGNE, Stas) +- Fixed bug #51690 (Phar::setStub looks for case-sensitive + __HALT_COMPILER()). (Ilia) - Fixed bug #51688 (ini per dir crashes when invalid document root are given). (Pierre) - Fixed bug #51671 (imagefill does not work correctly for small images). diff --git a/ext/phar/phar.c b/ext/phar/phar.c index c0b994cd9e..f255537fa7 100644 --- a/ext/phar/phar.c +++ b/ext/phar/phar.c @@ -2563,8 +2563,8 @@ char *phar_create_default_stub(const char *index_php, const char *web_index, siz */ int phar_flush(phar_archive_data *phar, char *user_stub, long len, int convert, char **error TSRMLS_DC) /* {{{ */ { -/* static const char newstub[] = "\r\n"; */ - char *newstub; + char halt_stub[] = "__HALT_COMPILER();"; + char *newstub, *tmp; phar_entry_info *entry, *newentry; int halt_offset, restore_alias_len, global_flags = 0, closeoldfile; char *pos, has_dirs = 0; @@ -2665,8 +2665,9 @@ int phar_flush(phar_archive_data *phar, char *user_stub, long len, int convert, } else { free_user_stub = 0; } - if ((pos = strstr(user_stub, "__HALT_COMPILER();")) == NULL) - { + tmp = estrndup(user_stub, len); + if ((pos = php_stristr(tmp, halt_stub, len, sizeof(halt_stub) - 1)) == NULL) { + efree(tmp); if (closeoldfile) { php_stream_close(oldfile); } @@ -2679,6 +2680,8 @@ int phar_flush(phar_archive_data *phar, char *user_stub, long len, int convert, } return EOF; } + pos = user_stub + (pos - tmp); + efree(tmp); len = pos - user_stub + 18; if ((size_t)len != php_stream_write(newfile, user_stub, len) || 5 != php_stream_write(newfile, " ?>\r\n", 5)) { diff --git a/ext/phar/tar.c b/ext/phar/tar.c index 53255b1d2d..a0b6f511f4 100644 --- a/ext/phar/tar.c +++ b/ext/phar/tar.c @@ -911,7 +911,8 @@ int phar_tar_flush(phar_archive_data *phar, char *user_stub, long len, int defau php_stream *oldfile, *newfile, *stubfile; int closeoldfile, free_user_stub, signature_length; struct _phar_pass_tar_info pass; - char *buf, *signature, sigbuf[8]; + char *buf, *signature, *tmp, sigbuf[8]; + char halt_stub[] = "__HALT_COMPILER();"; entry.flags = PHAR_ENT_PERM_DEF_FILE; entry.timestamp = time(NULL); @@ -990,7 +991,9 @@ int phar_tar_flush(phar_archive_data *phar, char *user_stub, long len, int defau free_user_stub = 0; } - if ((pos = strstr(user_stub, "__HALT_COMPILER();")) == NULL) { + tmp = estrndup(user_stub, len); + if ((pos = php_stristr(tmp, halt_stub, len, sizeof(halt_stub) - 1)) == NULL) { + efree(tmp); if (error) { spprintf(error, 0, "illegal stub for tar-based phar \"%s\"", phar->fname); } @@ -999,6 +1002,8 @@ int phar_tar_flush(phar_archive_data *phar, char *user_stub, long len, int defau } return EOF; } + pos = user_stub + (pos - tmp); + efree(tmp); len = pos - user_stub + 18; entry.fp = php_stream_fopen_tmpfile(); diff --git a/ext/phar/zip.c b/ext/phar/zip.c index 383561ab87..eb64dea047 100644 --- a/ext/phar/zip.c +++ b/ext/phar/zip.c @@ -1167,6 +1167,9 @@ int phar_zip_flush(phar_archive_data *phar, char *user_stub, long len, int defau char *pos; smart_str main_metadata_str = {0}; static const char newstub[] = "fname); } @@ -1271,6 +1275,8 @@ int phar_zip_flush(phar_archive_data *phar, char *user_stub, long len, int defau } return EOF; } + pos = user_stub + (pos - tmp); + efree(tmp); len = pos - user_stub + 18; entry.fp = php_stream_fopen_tmpfile(); -- 2.40.0