From c1e5091166f891c9b5214e911991b1920c5ce2fe Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky
Date: Thu, 10 Aug 2006 17:27:12 +0000
Subject: [PATCH] MFH: Various security fixes

---
 NEWS                   |  4 ++++
 ext/curl/curl.c        | 11 ++++++++++-
 ext/curl/curlstreams.c |  6 +++++-
 ext/standard/string.c  | 11 ++++-------
 4 files changed, 23 insertions(+), 9 deletions(-)

diff --git a/NEWS b/NEWS
index cd84e755ff..9945cc3d3c 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,10 @@
 PHP 4 NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2006, Version 4.4.4
+- Fixed memory_limit on 64bit systems. (Stefan E.)
+- Fixed overflow on 64bit systems in str_repeat() and wordwrap(). (Stefan E.)
+- Disabled CURLOPT_FOLLOWLOCATION in curl when open_basedir or safe_mode are
+  enabled. (Stefan E.)
 - Fixed bug #38377 (session_destroy() gives warning after
   session_regenerate_id()). (Ilia)
 - Fixed bug #38322 (reading past array in sscanf() leads to arbitary code
diff --git a/ext/curl/curl.c b/ext/curl/curl.c
index 9f44485545..ddf022c2dd 100644
--- a/ext/curl/curl.c
+++ b/ext/curl/curl.c
@@ -924,7 +924,6 @@ PHP_FUNCTION(curl_setopt)
 		case CURLOPT_FTPLISTONLY:
 		case CURLOPT_FTPAPPEND:
 		case CURLOPT_NETRC:
-		case CURLOPT_FOLLOWLOCATION:
 		case CURLOPT_PUT:
 #if CURLOPT_MUTE != 0
 		case CURLOPT_MUTE:
@@ -961,6 +960,16 @@ PHP_FUNCTION(curl_setopt)
 			convert_to_long_ex(zvalue);
 			error = curl_easy_setopt(ch->cp, option, Z_LVAL_PP(zvalue));
 			break;
+		case CURLOPT_FOLLOWLOCATION:
+			convert_to_long_ex(zvalue);
+			if ((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) {
+				if (Z_LVAL_PP(zvalue) != 0) {
+					php_error_docref(NULL TSRMLS_CC, E_WARNING, "CURLOPT_FOLLOWLOCATION cannot be activated when in safe_mode or an open_basedir is set");
+					RETURN_FALSE;
+				}
+			}
+			error = curl_easy_setopt(ch->cp, option, Z_LVAL_PP(zvalue));
+			break;
 		case CURLOPT_URL:
 		case CURLOPT_PROXY:
 		case CURLOPT_USERPWD:
diff --git a/ext/curl/curlstreams.c b/ext/curl/curlstreams.c
index e2ea652187..3bcbd7f5b1 100644
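Review bot: The new `CURLOPT_FOLLOWLOCATION` case in curl_setopt() and the stream-opener branch in ext/curl/curlstreams.c evaluate the identical predicate `(PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)`; keeping it in one helper, say `static int php_curl_follow_location_allowed(TSRMLS_D)`, would stop the two policy checks drifting apart when one of them is later touched. Neither site records why redirects are refused under these settings — presumably because a redirect target chosen by the remote server is never passed through the open_basedir/safe_mode checks — so a one-line comment above the `if`, e.g. `/* redirect targets are not subject to open_basedir/safe_mode checks; refuse to follow them when either is active */`, would keep the next maintainer from relaxing it. The nested `if (Z_LVAL_PP(zvalue) != 0)` can be folded into the outer condition so the warning path is a single guard. The rest of curl_setopt()'s switch lies outside the hunk.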
--- a/ext/curl/curlstreams.c
+++ b/ext/curl/curlstreams.c
@@ -297,7 +297,11 @@ PHPAPI php_stream *php_curl_stream_opener(php_stream_wrapper *wrapper, char *fil
 	curl_easy_setopt(curlstream->curl, CURLOPT_WRITEHEADER, stream);
 
 	/* currently buggy (bug is in curl) */
-	curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1);
+	if ((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) {
+		curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 0);
+	} else {
+		curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1);
+	}
 	curl_easy_setopt(curlstream->curl, CURLOPT_ERRORBUFFER, curlstream->errstr);
 	curl_easy_setopt(curlstream->curl, CURLOPT_VERBOSE, 0);
 
diff --git a/ext/standard/string.c b/ext/standard/string.c
index e172194634..9cc6e11a01 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -628,7 +628,8 @@ PHP_FUNCTION(wordwrap)
 {
 	const char *text, *breakchar = "\n";
 	char *newtext;
-	int textlen, breakcharlen = 1, newtextlen, alloced, chk;
+	int textlen, breakcharlen = 1, newtextlen, chk;
+	size_t alloced;
 	long current = 0, laststart = 0, lastspace = 0;
 	long linelength = 75;
 	zend_bool docut = 0;
@@ -3518,7 +3519,7 @@ PHP_FUNCTION(str_repeat)
 	zval **input_str;		/* Input string */
 	zval **mult;			/* Multiplier */
 	char *result;			/* Resulting string */
-	int result_len;			/* Length of the resulting string */
+	size_t result_len;		/* Length of the resulting string */
 
 	if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &input_str, &mult) == FAILURE) {
 		WRONG_PARAM_COUNT;
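Review bot: The comment `/* currently buggy (bug is in curl) */` now sits above the whole open_basedir/safe_mode branch instead of the single setopt call it used to describe, so a reader cannot tell whether the curl bug concerns redirect-following as such or only one of the two arms. Move it beside the `else` call it originally annotated, or reword it to say what is buggy, e.g. `/* follow redirects (curl's handling is currently buggy) unless restrictions forbid it */`. The enclosing php_curl_stream_opener() starts and ends outside the hunk.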
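Review bot: Widening `alloced` to `size_t` only removes the overflow if the expression that assigns it is evaluated in `size_t` as well; that assignment is outside this hunk, and if it still multiplies the `int` operands declared here (`textlen`, `breakcharlen` and `newtextlen` keep their type), the product wraps in `int` before the wider destination ever sees it — the first operand needs a `(size_t)` cast at the multiplication itself. Every later use of `alloced` that compares it with `newtextlen` or another `int` now mixes signed and unsigned operands and promotes to unsigned, so those comparisons deserve a look too. wordwrap()'s body continues past the hunk.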
@@ -3543,11 +3544,7 @@ PHP_FUNCTION(str_repeat)
 
 	/* Initialize the result string */
 	result_len = Z_STRLEN_PP(input_str) * Z_LVAL_PP(mult);
-	if (result_len < 1) {
-		php_error_docref(NULL TSRMLS_CC, E_WARNING, "You may not create strings longer than 2147483647 bytes");
-		RETURN_FALSE;
-	}
-	result = (char *)emalloc(result_len + 1);
+	result = (char *)safe_emalloc(Z_STRLEN_PP(input_str), Z_LVAL_PP(mult), 1);
 
 	/* Heavy optimization for situations where input string is 1 byte long */
 	if (Z_STRLEN_PP(input_str) == 1) {
-- 
2.40.0
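Review bot: `result_len = Z_STRLEN_PP(input_str) * Z_LVAL_PP(mult);` still multiplies in the operands' own types (an `int` length and a `long` multiplier) and only then converts to the widened `size_t`, so on a 32-bit build the product can overflow as signed arithmetic — undefined behaviour — one statement before safe_emalloc() would reject the same product; the new line protects the allocation but not the length that the rest of the function presumably uses. Cast before multiplying, `result_len = (size_t)Z_STRLEN_PP(input_str) * (size_t)Z_LVAL_PP(mult);`, which relies on a negative multiplier having already been rejected (that check, if present, is outside the hunk). The removed branch turned an overflow into an E_WARNING plus a `false` return, whereas safe_emalloc() presumably bails out fatally, so the failure mode visible to scripts changes and deserves a comment on the new call or a line in NEWS. str_repeat() continues past the hunk.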