From fa48ce68106d1b507a24333cfaee7ff9d59ec2ac Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky
Date: Thu, 10 Aug 2006 19:02:32 +0000
Subject: [PATCH] MFB: Various security fixes
---
 ext/curl/interface.c | 11 ++++++++++-
 ext/curl/streams.c | 12 ++++++++++--
 ext/standard/string.c | 22 ++++++----------------
 3 files changed, 26 insertions(+), 19 deletions(-)
diff --git a/ext/curl/interface.c b/ext/curl/interface.c
index 13b4a7ead1..c6ba522d18 100644
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@@ -1166,7 +1166,6 @@ static int _php_curl_setopt(php_curl *ch, long option, zval **zvalue, zval *retu
 case CURLOPT_FTPLISTONLY:
 case CURLOPT_FTPAPPEND:
 case CURLOPT_NETRC:
- case CURLOPT_FOLLOWLOCATION:
 case CURLOPT_PUT:
 #if CURLOPT_MUTE != 0
 case CURLOPT_MUTE:
@@ -1217,6 +1216,16 @@ static int _php_curl_setopt(php_curl *ch, long option, zval **zvalue, zval *retu
 convert_to_long_ex(zvalue);
 error = curl_easy_setopt(ch->cp, option, Z_LVAL_PP(zvalue));
 break;
+ case CURLOPT_FOLLOWLOCATION:
+ convert_to_long_ex(zvalue);
+ if (PG(open_basedir) && *PG(open_basedir)) {
+ if (Z_LVAL_PP(zvalue) != 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "CURLOPT_FOLLOWLOCATION cannot be activated when open_basedir is set");
+ RETURN_FALSE;
+ }
+ }
+ error = curl_easy_setopt(ch->cp, option, Z_LVAL_PP(zvalue));
+ break;
 case CURLOPT_URL:
 case CURLOPT_PROXY:
 case CURLOPT_USERPWD:
diff --git a/ext/curl/streams.c b/ext/curl/streams.c
index f4600c00a7..d438a91b87 100644
--- a/ext/curl/streams.c
+++ b/ext/curl/streams.c
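Review bot: The `RETURN_FALSE;` in the new `CURLOPT_FOLLOWLOCATION` case of ext/curl/interface.c leaves `_php_curl_setopt` through a bare `return;`, although the hunk header shows the function is declared `static int`, so the caller reads an indeterminate status and may treat the rejected option as accepted. Set the result and return the failure code explicitly, e.g. `RETVAL_FALSE; return 1;` (the value 1 is assumed; the function's other exits are outside the hunk and should be checked). A one-line comment above the check would also help the next reader, for example `/* following redirects could reach locations that open_basedir is meant to block */`, since the warning text states the rule but not the reason.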
@@ -349,11 +349,19 @@ php_stream *php_curl_stream_opener(php_stream_wrapper *wrapper, char *filename,
 }
 }
 if (mr > 1) {
- curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1L);
+ if (PG(open_basedir) && *PG(open_basedir)) {
+ curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 0);
+ } else {
+ curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1);
+ }
 curl_easy_setopt(curlstream->curl, CURLOPT_MAXREDIRS, mr);
 }
 } else {
- curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1L);
+ if (PG(open_basedir) && *PG(open_basedir)) {
+ curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 0);
+ } else {
+ curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1);
+ }
 curl_easy_setopt(curlstream->curl, CURLOPT_MAXREDIRS, 20L);
 }
 }
diff --git a/ext/standard/string.c b/ext/standard/string.c
index 707d1f7dc5..43d401d42e 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -834,7 +834,8 @@ PHP_FUNCTION(wordwrap)
 {
 const char *text, *breakchar = "\n";
 char *newtext;
- int textlen, breakcharlen = 1, newtextlen, alloced, chk;
+ int textlen, breakcharlen = 1, newtextlen, chk;
+ size_t alloced;
 long current = 0, laststart = 0, lastspace = 0;
 long linelength = 75;
 zend_bool docut = 0;
@@ -6246,8 +6247,8 @@ PHP_FUNCTION(str_repeat)
 zend_uchar input_str_type;
 long mult; /* Multiplier */
 void *result; /* Resulting string */
- int result_len; /* Length of the resulting string, in bytes */
- int result_chars; /* Chars/UChars in resulting string */
+ size_t result_len; /* Length of the resulting string, in bytes */
+ size_t result_chars; /* Chars/UChars in resulting string */
 if ( zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "tl", &input_str, &input_str_chars, &input_str_type, &mult) == FAILURE ) {
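Review bot: The new `CURLOPT_FOLLOWLOCATION` calls in ext/curl/streams.c pass the `int` literals `0` and `1` where the removed lines passed `1L`; curl_easy_setopt is variadic and reads this option as a `long`, so on platforms where `long` is wider than `int` the argument is not passed reliably. Keep the `L` suffix, and because the same if/else is repeated in both branches, compute the value once: `long follow = (PG(open_basedir) && *PG(open_basedir)) ? 0L : 1L;` followed by `curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, follow);`. Unlike the setopt path in ext/curl/interface.c, redirects are switched off silently here while `CURLOPT_MAXREDIRS` is still set, so a comment stating the reason (or a notice) would help whoever debugs a stream that stops at a 3xx response. php_curl_stream_opener starts and ends outside the hunk.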
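Review bot: Widening `alloced` to `size_t` in the wordwrap declarations does not by itself stop an overflow, because `textlen`, `breakcharlen`, `newtextlen` and `chk` stay `int`; if the statement that fills `alloced` (outside this hunk) is built from those operands, it is still evaluated in `int` and can wrap before the assignment. Widen at the point of computation, e.g. `alloced = (size_t)textlen + (size_t)chk * breakcharlen + 1;` (a constructed example, the real statement is not visible here), or size the buffer through `safe_emalloc` as the later str_repeat hunk does. The same applies to `result_len` and `result_chars` in the str_repeat declaration hunk at -6246, whose computation from `input_str_chars` and `mult` is also outside the diff. Comparisons between the now unsigned `alloced` and the remaining `int` lengths are worth a pass with `-Wsign-compare`.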
@@ -6273,23 +6274,12 @@ PHP_FUNCTION(str_repeat)
 if ( input_str_type == IS_UNICODE ) {
 input_str_len = UBYTES(input_str_chars);
 result_len = UBYTES(result_chars);
- if ( result_chars < 1 || result_chars > (2147483647/UBYTES(1)) ) {
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "You may not create strings longer than %ld characters", 2147483647/UBYTES(1));
- RETURN_FALSE;
- }
+ result = (char *)safe_emalloc(UBYTES(input_str_chars), UBYTES(mult), UBYTES(1));
 } else {
 input_str_len = input_str_chars;
 result_len = result_chars;
- if ( result_chars < 1 || result_chars > 2147483647 ) {
- if ( input_str_type == IS_STRING ) {
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "You may not create strings longer than 2147483647 characters");
- } else {
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "You may not create strings longer than 2147483647 bytes");
- }
- RETURN_FALSE;
- }
+ result = (char *)safe_emalloc(input_str_chars, mult, 1);
 }
- result = emalloc(result_len);
 /* Heavy optimization for situations where input string is 1 byte long */
 if ( input_str_len == 1 ) {
-- 
2.50.1
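Review bot: In the IS_UNICODE branch of str_repeat both factors are scaled, `safe_emalloc(UBYTES(input_str_chars), UBYTES(mult), UBYTES(1))`, so the request is larger than `result_len = UBYTES(result_chars)` needs by a factor of the code-unit size (assuming UBYTES(n) multiplies n by the size of one code unit, as the removed `2147483647/UBYTES(1)` bound suggests), and large but valid repeats reach the overflow check early. Scale one factor only, `result = safe_emalloc(input_str_chars, UBYTES(mult), UBYTES(1));`; the `(char *)` cast onto a `void *` variable is unnecessary in C. With the `result_chars < 1` test removed and `result_chars` now unsigned, a negative `mult` has to be rejected before this point, and that guard is not visible in the hunk. An oversized request now ends in safe_emalloc's overflow failure instead of the former E_WARNING and FALSE return, which changes what callers observe and deserves a line in the function's comment.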