summaryrefslogtreecommitdiff
path: root/0.2.6/hardened-php-4.3.10-0.2.6.patch
diff options
context:
space:
mode:
authorjvoisin2019-10-13 12:57:37 +0200
committerjvoisin2019-10-13 12:57:37 +0200
commit5fea1ebe59050ca0bc8de210e93e8fb4ae6cd8c8 (patch)
tree32a7da950a47305fdc5753a3eeae0b500c6b3a04 /0.2.6/hardened-php-4.3.10-0.2.6.patch
parentad5a70c7aedd0a78de0915b6434a76a4976528c0 (diff)
Add more patches
Diffstat (limited to '0.2.6/hardened-php-4.3.10-0.2.6.patch')
-rw-r--r--0.2.6/hardened-php-4.3.10-0.2.6.patch3408
1 files changed, 3408 insertions, 0 deletions
diff --git a/0.2.6/hardened-php-4.3.10-0.2.6.patch b/0.2.6/hardened-php-4.3.10-0.2.6.patch
new file mode 100644
index 0000000..0d12417
--- /dev/null
+++ b/0.2.6/hardened-php-4.3.10-0.2.6.patch
@@ -0,0 +1,3408 @@
1diff -Nur php-4.3.10/README.input_filter hardened-php-4.3.10-0.2.6/README.input_filter
2--- php-4.3.10/README.input_filter 1970-01-01 01:00:00.000000000 +0100
3+++ hardened-php-4.3.10-0.2.6/README.input_filter 2004-12-22 16:16:30.000000000 +0100
4@@ -0,0 +1,193 @@
5+Input Filter Support ported from PHP 5
6+--------------------------------------
7+
8+XSS (Cross Site Scripting) hacks are becoming more and more prevalent,
9+and can be quite difficult to prevent. Whenever you accept user data
10+and somehow display this data back to users, you are likely vulnerable
11+to XSS hacks.
12+
13+The Input Filter support in PHP 5 is aimed at providing the framework
14+through which a company-wide or site-wide security policy can be
15+enforced. It is implemented as a SAPI hook and is called from the
16+treat_data and post handler functions. To implement your own security
17+policy you will need to write a standard PHP extension.
18+
19+A simple implementation might look like the following. This stores the
20+original raw user data and adds a my_get_raw() function while the normal
21+$_POST, $_GET and $_COOKIE arrays are only populated with stripped
22+data. In this simple example all I am doing is calling strip_tags() on
23+the data. If register_globals is turned on, the default globals that
24+are created will be stripped ($foo) while a $RAW_foo is created with the
25+original user input.
26+
27+ZEND_BEGIN_MODULE_GLOBALS(my_input_filter)
28+ zval *post_array;
29+ zval *get_array;
30+ zval *cookie_array;
31+ZEND_END_MODULE_GLOBALS(my_input_filter)
32+
33+#ifdef ZTS
34+#define IF_G(v) TSRMG(my_input_filter_globals_id, zend_my_input_filter_globals *, v)
35+#else
36+#define IF_G(v) (my_input_filter_globals.v)
37+#endif
38+
39+ZEND_DECLARE_MODULE_GLOBALS(my_input_filter)
40+
41+function_entry my_input_filter_functions[] = {
42+ PHP_FE(my_get_raw, NULL)
43+ {NULL, NULL, NULL}
44+};
45+
46+zend_module_entry my_input_filter_module_entry = {
47+ STANDARD_MODULE_HEADER,
48+ "my_input_filter",
49+ my_input_filter_functions,
50+ PHP_MINIT(my_input_filter),
51+ PHP_MSHUTDOWN(my_input_filter),
52+ NULL,
53+ PHP_RSHUTDOWN(my_input_filter),
54+ PHP_MINFO(my_input_filter),
55+ "0.1",
56+ STANDARD_MODULE_PROPERTIES
57+};
58+
59+PHP_MINIT_FUNCTION(my_input_filter)
60+{
61+ ZEND_INIT_MODULE_GLOBALS(my_input_filter, php_my_input_filter_init_globals, NULL);
62+
63+ REGISTER_LONG_CONSTANT("POST", PARSE_POST, CONST_CS | CONST_PERSISTENT);
64+ REGISTER_LONG_CONSTANT("GET", PARSE_GET, CONST_CS | CONST_PERSISTENT);
65+ REGISTER_LONG_CONSTANT("COOKIE", PARSE_COOKIE, CONST_CS | CONST_PERSISTENT);
66+
67+ sapi_register_input_filter(my_sapi_input_filter);
68+ return SUCCESS;
69+}
70+
71+PHP_RSHUTDOWN_FUNCTION(my_input_filter)
72+{
73+ if(IF_G(get_array)) {
74+ zval_ptr_dtor(&IF_G(get_array));
75+ IF_G(get_array) = NULL;
76+ }
77+ if(IF_G(post_array)) {
78+ zval_ptr_dtor(&IF_G(post_array));
79+ IF_G(post_array) = NULL;
80+ }
81+ if(IF_G(cookie_array)) {
82+ zval_ptr_dtor(&IF_G(cookie_array));
83+ IF_G(cookie_array) = NULL;
84+ }
85+ return SUCCESS;
86+}
87+
88+PHP_MINFO_FUNCTION(my_input_filter)
89+{
90+ php_info_print_table_start();
91+ php_info_print_table_row( 2, "My Input Filter Support", "enabled" );
92+ php_info_print_table_row( 2, "Revision", "$Revision: 1.1 $");
93+ php_info_print_table_end();
94+}
95+
96+/* The filter handler. If you return 1 from it, then PHP also registers the
97+ * (modified) variable. Returning 0 prevents PHP from registering the variable;
98+ * you can use this if your filter already registers the variable under a
99+ * different name, or if you just don't want the variable registered at all. */
100+SAPI_INPUT_FILTER_FUNC(my_sapi_input_filter)
101+{
102+ zval new_var;
103+ zval *array_ptr = NULL;
104+ char *raw_var;
105+ int var_len;
106+
107+ assert(*val != NULL);
108+
109+ switch(arg) {
110+ case PARSE_GET:
111+ if(!IF_G(get_array)) {
112+ ALLOC_ZVAL(array_ptr);
113+ array_init(array_ptr);
114+ INIT_PZVAL(array_ptr);
115+ }
116+ IF_G(get_array) = array_ptr;
117+ break;
118+ case PARSE_POST:
119+ if(!IF_G(post_array)) {
120+ ALLOC_ZVAL(array_ptr);
121+ array_init(array_ptr);
122+ INIT_PZVAL(array_ptr);
123+ }
124+ IF_G(post_array) = array_ptr;
125+ break;
126+ case PARSE_COOKIE:
127+ if(!IF_G(cookie_array)) {
128+ ALLOC_ZVAL(array_ptr);
129+ array_init(array_ptr);
130+ INIT_PZVAL(array_ptr);
131+ }
132+ IF_G(cookie_array) = array_ptr;
133+ break;
134+ }
135+ Z_STRLEN(new_var) = val_len;
136+ Z_STRVAL(new_var) = estrndup(*val, val_len);
137+ Z_TYPE(new_var) = IS_STRING;
138+
139+ var_len = strlen(var);
140+ raw_var = emalloc(var_len+5); /* RAW_ and a \0 */
141+ strcpy(raw_var, "RAW_");
142+ strlcat(raw_var,var,var_len+5);
143+
144+ php_register_variable_ex(raw_var, &new_var, array_ptr TSRMLS_DC);
145+
146+ php_strip_tags(*val, val_len, NULL, NULL, 0);
147+
148+ *new_val_len = strlen(*val);
149+ return 1;
150+}
151+
152+PHP_FUNCTION(my_get_raw)
153+{
154+ long arg;
155+ char *var;
156+ int var_len;
157+ zval **tmp;
158+ zval *array_ptr = NULL;
159+ HashTable *hash_ptr;
160+ char *raw_var;
161+
162+ if(zend_parse_parameters(2 TSRMLS_CC, "ls", &arg, &var, &var_len) == FAILURE) {
163+ return;
164+ }
165+
166+ switch(arg) {
167+ case PARSE_GET:
168+ array_ptr = IF_G(get_array);
169+ break;
170+ case PARSE_POST:
171+ array_ptr = IF_G(post_array);
172+ break;
173+ case PARSE_COOKIE:
174+ array_ptr = IF_G(post_array);
175+ break;
176+ }
177+
178+ if(!array_ptr) RETURN_FALSE;
179+
180+ /*
181+ * I'm changing the variable name here because when running with register_globals on,
182+ * the variable will end up in the global symbol table
183+ */
184+ raw_var = emalloc(var_len+5); /* RAW_ and a \0 */
185+ strcpy(raw_var, "RAW_");
186+ strlcat(raw_var,var,var_len+5);
187+ hash_ptr = HASH_OF(array_ptr);
188+
189+ if(zend_hash_find(hash_ptr, raw_var, var_len+5, (void **)&tmp) == SUCCESS) {
190+ *return_value = **tmp;
191+ zval_copy_ctor(return_value);
192+ } else {
193+ RETVAL_FALSE;
194+ }
195+ efree(raw_var);
196+}
197+
198diff -Nur php-4.3.10/TSRM/TSRM.h hardened-php-4.3.10-0.2.6/TSRM/TSRM.h
199--- php-4.3.10/TSRM/TSRM.h 2002-10-05 13:26:17.000000000 +0200
200+++ hardened-php-4.3.10-0.2.6/TSRM/TSRM.h 2004-12-22 16:16:30.000000000 +0100
201@@ -33,6 +33,13 @@
202 # define TSRM_API
203 #endif
204
205+#if HARDENED_PHP
206+# if HAVE_REALPATH
207+# undef realpath
208+# define realpath php_realpath
209+# endif
210+#endif
211+
212 /* Only compile multi-threading functions if we're in ZTS mode */
213 #ifdef ZTS
214
215@@ -90,6 +97,7 @@
216
217 #define THREAD_HASH_OF(thr,ts) (unsigned long)thr%(unsigned long)ts
218
219+
220 #ifdef __cplusplus
221 extern "C" {
222 #endif
223diff -Nur php-4.3.10/TSRM/tsrm_virtual_cwd.c hardened-php-4.3.10-0.2.6/TSRM/tsrm_virtual_cwd.c
224--- php-4.3.10/TSRM/tsrm_virtual_cwd.c 2004-12-02 02:04:46.000000000 +0100
225+++ hardened-php-4.3.10-0.2.6/TSRM/tsrm_virtual_cwd.c 2004-12-22 16:16:30.000000000 +0100
226@@ -17,7 +17,7 @@
227 +----------------------------------------------------------------------+
228 */
229
230-/* $Id: tsrm_virtual_cwd.c,v 1.41.2.8 2004/12/02 01:04:46 sesser Exp $ */
231+/* $Id: tsrm_virtual_cwd.c,v 1.41.2.4 2003/07/28 18:35:34 iliaa Exp $ */
232
233 #include <sys/types.h>
234 #include <sys/stat.h>
235@@ -192,6 +192,165 @@
236 return p;
237 }
238
239+#if HARDENED_PHP
240+CWD_API char *php_realpath(const char *path, char *resolved)
241+{
242+ struct stat sb;
243+ char *p, *q, *s;
244+ size_t left_len, resolved_len;
245+ unsigned symlinks;
246+ int serrno, slen;
247+ int is_dir = 1;
248+ char left[PATH_MAX], next_token[PATH_MAX], symlink[PATH_MAX];
249+
250+ serrno = errno;
251+ symlinks = 0;
252+ if (path[0] == '/') {
253+ resolved[0] = '/';
254+ resolved[1] = '\0';
255+ if (path[1] == '\0')
256+ return (resolved);
257+ resolved_len = 1;
258+ left_len = strlcpy(left, path + 1, sizeof(left));
259+ } else {
260+ if (getcwd(resolved, PATH_MAX) == NULL) {
261+ strlcpy(resolved, ".", PATH_MAX);
262+ return (NULL);
263+ }
264+ resolved_len = strlen(resolved);
265+ left_len = strlcpy(left, path, sizeof(left));
266+ }
267+ if (left_len >= sizeof(left) || resolved_len >= PATH_MAX) {
268+ errno = ENAMETOOLONG;
269+ return (NULL);
270+ }
271+
272+ /*
273+ * Iterate over path components in `left'.
274+ */
275+ while (left_len != 0) {
276+ /*
277+ * Extract the next path component and adjust `left'
278+ * and its length.
279+ */
280+ p = strchr(left, '/');
281+ s = p ? p : left + left_len;
282+ if (s - left >= sizeof(next_token)) {
283+ errno = ENAMETOOLONG;
284+ return (NULL);
285+ }
286+ memcpy(next_token, left, s - left);
287+ next_token[s - left] = '\0';
288+ left_len -= s - left;
289+ if (p != NULL)
290+ memmove(left, s + 1, left_len + 1);
291+ if (resolved[resolved_len - 1] != '/') {
292+ if (resolved_len + 1 >= PATH_MAX) {
293+ errno = ENAMETOOLONG;
294+ return (NULL);
295+ }
296+ resolved[resolved_len++] = '/';
297+ resolved[resolved_len] = '\0';
298+ }
299+ if (next_token[0] == '\0')
300+ continue;
301+ else if (strcmp(next_token, ".") == 0)
302+ continue;
303+ else if (strcmp(next_token, "..") == 0) {
304+ /*
305+ * Strip the last path component except when we have
306+ * single "/"
307+ */
308+ if (!is_dir) {
309+ errno = ENOENT;
310+ return (NULL);
311+ }
312+ if (resolved_len > 1) {
313+ resolved[resolved_len - 1] = '\0';
314+ q = strrchr(resolved, '/');
315+ *q = '\0';
316+ resolved_len = q - resolved;
317+ }
318+ continue;
319+ }
320+
321+ /*
322+ * Append the next path component and lstat() it. If
323+ * lstat() fails we still can return successfully if
324+ * there are no more path components left.
325+ */
326+ resolved_len = strlcat(resolved, next_token, PATH_MAX);
327+ if (resolved_len >= PATH_MAX) {
328+ errno = ENAMETOOLONG;
329+ return (NULL);
330+ }
331+ if (lstat(resolved, &sb) != 0) {
332+ if (errno == ENOENT && p == NULL) {
333+ errno = serrno;
334+ return (resolved);
335+ }
336+ return (NULL);
337+ }
338+ if (S_ISLNK(sb.st_mode)) {
339+ if (symlinks++ > MAXSYMLINKS) {
340+ errno = ELOOP;
341+ return (NULL);
342+ }
343+ slen = readlink(resolved, symlink, sizeof(symlink) - 1);
344+ if (slen < 0)
345+ return (NULL);
346+ symlink[slen] = '\0';
347+ if (symlink[0] == '/') {
348+ resolved[1] = 0;
349+ resolved_len = 1;
350+ } else if (resolved_len > 1) {
351+ /* Strip the last path component. */
352+ resolved[resolved_len - 1] = '\0';
353+ q = strrchr(resolved, '/');
354+ *q = '\0';
355+ resolved_len = q - resolved;
356+ }
357+
358+ /*
359+ * If there are any path components left, then
360+ * append them to symlink. The result is placed
361+ * in `left'.
362+ */
363+ if (p != NULL) {
364+ if (symlink[slen - 1] != '/') {
365+ if (slen + 1 >= sizeof(symlink)) {
366+ errno = ENAMETOOLONG;
367+ return (NULL);
368+ }
369+ symlink[slen] = '/';
370+ symlink[slen + 1] = 0;
371+ }
372+ left_len = strlcat(symlink, left, sizeof(left));
373+ if (left_len >= sizeof(left)) {
374+ errno = ENAMETOOLONG;
375+ return (NULL);
376+ }
377+ }
378+ left_len = strlcpy(left, symlink, sizeof(left));
379+ } else {
380+ if (S_ISDIR(sb.st_mode)) {
381+ is_dir = 1;
382+ } else {
383+ is_dir = 0;
384+ }
385+ }
386+ }
387+
388+ /*
389+ * Remove trailing slash except when the resolved pathname
390+ * is a single "/".
391+ */
392+ if (resolved_len > 1 && resolved[resolved_len - 1] == '/')
393+ resolved[resolved_len - 1] = '\0';
394+ return (resolved);
395+}
396+#endif
397+
398 CWD_API void virtual_cwd_startup(void)
399 {
400 char cwd[MAXPATHLEN];
401@@ -314,8 +473,7 @@
402 path = resolved_path;
403 path_length = strlen(path);
404 } else {
405- /* disable for now
406- return 1; */
407+ return 1;
408 }
409 }
410 } else { /* Concat current directory with relative path and then run realpath() on it */
411@@ -341,9 +499,8 @@
412 path = resolved_path;
413 path_length = strlen(path);
414 } else {
415- /* disable for now
416 free(tmp);
417- return 1; */
418+ return 1;
419 }
420 }
421 free(tmp);
422diff -Nur php-4.3.10/TSRM/tsrm_virtual_cwd.h hardened-php-4.3.10-0.2.6/TSRM/tsrm_virtual_cwd.h
423--- php-4.3.10/TSRM/tsrm_virtual_cwd.h 2003-09-20 04:08:12.000000000 +0200
424+++ hardened-php-4.3.10-0.2.6/TSRM/tsrm_virtual_cwd.h 2004-12-22 16:16:30.000000000 +0100
425@@ -128,6 +128,22 @@
426
427 typedef int (*verify_path_func)(const cwd_state *);
428
429+#ifndef HAVE_STRLCPY
430+CWD_API size_t php_strlcpy(char *dst, const char *src, size_t siz);
431+#undef strlcpy
432+#define strlcpy php_strlcpy
433+#endif
434+
435+#ifndef HAVE_STRLCAT
436+CWD_API size_t php_strlcat(char *dst, const char *src, size_t siz);
437+#undef strlcat
438+#define strlcat php_strlcat
439+#endif
440+
441+
442+#if HARDENED_PHP
443+CWD_API char *php_realpath(const char *path, char *resolved);
444+#endif
445 CWD_API void virtual_cwd_startup(void);
446 CWD_API void virtual_cwd_shutdown(void);
447 CWD_API char *virtual_getcwd_ex(size_t *length TSRMLS_DC);
448diff -Nur php-4.3.10/Zend/zend.c hardened-php-4.3.10-0.2.6/Zend/zend.c
449--- php-4.3.10/Zend/zend.c 2004-12-06 16:35:03.000000000 +0100
450+++ hardened-php-4.3.10-0.2.6/Zend/zend.c 2004-12-22 16:16:30.000000000 +0100
451@@ -53,6 +53,12 @@
452 ZEND_API void (*zend_unblock_interruptions)(void);
453 ZEND_API void (*zend_ticks_function)(int ticks);
454 ZEND_API void (*zend_error_cb)(int type, const char *error_filename, const uint error_lineno, const char *format, va_list args);
455+#if HARDENED_PHP
456+ZEND_API void (*zend_security_log)(char *str);
457+#endif
458+#if HARDENED_PHP_INC_PROTECT
459+ZEND_API int (*zend_is_valid_include)(zval *z);
460+#endif
461
462 void (*zend_on_timeout)(int seconds TSRMLS_DC);
463
464@@ -424,6 +430,14 @@
465 extern zend_scanner_globals language_scanner_globals;
466 #endif
467
468+ /* Set up Hardened-PHP utility functions first */
469+#if HARDENED_PHP
470+ zend_security_log = utility_functions->security_log_function;
471+#endif
472+#if HARDENED_PHP_INC_PROTECT
473+ zend_is_valid_include = utility_functions->is_valid_include;
474+#endif
475+
476 #ifdef ZTS
477 ts_allocate_id(&alloc_globals_id, sizeof(zend_alloc_globals), (ts_allocate_ctor) alloc_globals_ctor, (ts_allocate_dtor) alloc_globals_dtor);
478 #else
479diff -Nur php-4.3.10/Zend/zend.h hardened-php-4.3.10-0.2.6/Zend/zend.h
480--- php-4.3.10/Zend/zend.h 2004-07-28 21:06:48.000000000 +0200
481+++ hardened-php-4.3.10-0.2.6/Zend/zend.h 2004-12-22 16:31:29.000000000 +0100
482@@ -261,9 +261,9 @@
483 struct _zval_struct {
484 /* Variable information */
485 zvalue_value value; /* value */
486+ zend_uint refcount;
487 zend_uchar type; /* active type */
488 zend_uchar is_ref;
489- zend_ushort refcount;
490 };
491
492
493@@ -324,6 +324,12 @@
494 void (*ticks_function)(int ticks);
495 void (*on_timeout)(int seconds TSRMLS_DC);
496 zend_bool (*open_function)(const char *filename, struct _zend_file_handle *);
497+#if HARDENED_PHP
498+ void (*security_log_function)(char *str);
499+#endif
500+#if HARDENED_PHP_INC_PROTECT
501+ int (*is_valid_include)(zval *z);
502+#endif
503 } zend_utility_functions;
504
505
506@@ -455,7 +461,16 @@
507 extern ZEND_API void (*zend_ticks_function)(int ticks);
508 extern ZEND_API void (*zend_error_cb)(int type, const char *error_filename, const uint error_lineno, const char *format, va_list args) ZEND_ATTRIBUTE_PTR_FORMAT(printf, 4, 0);
509 extern void (*zend_on_timeout)(int seconds TSRMLS_DC);
510+#if HARDENED_PHP
511+extern ZEND_API void (*zend_security_log)(char *str);
512+#endif
513+#if HARDENED_PHP_INC_PROTECT
514+extern ZEND_API int (*zend_is_valid_include)(zval *z);
515+#endif
516
517+#if HARDENED_PHP_MM_PROTECT || HARDENED_PHP_LL_PROTECT || HARDENED_PHP_HASH_PROTECT
518+ZEND_API unsigned int zend_canary(void);
519+#endif
520
521 ZEND_API void zend_error(int type, const char *format, ...) ZEND_ATTRIBUTE_PTR_FORMAT(printf, 2, 3);
522
523@@ -574,6 +589,10 @@
524 #define EMPTY_SWITCH_DEFAULT_CASE()
525 #endif
526
527+#if HARDENED_PHP
528+#include "hardened_globals.h"
529+#endif
530+
531 #endif /* ZEND_H */
532
533 /*
534diff -Nur php-4.3.10/Zend/zend_alloc.c hardened-php-4.3.10-0.2.6/Zend/zend_alloc.c
535--- php-4.3.10/Zend/zend_alloc.c 2004-08-27 18:51:25.000000000 +0200
536+++ hardened-php-4.3.10-0.2.6/Zend/zend_alloc.c 2004-12-22 16:16:30.000000000 +0100
537@@ -56,6 +56,11 @@
538 # define END_MAGIC_SIZE 0
539 #endif
540
541+#if HARDENED_PHP_MM_PROTECT
542+# define CANARY_SIZE sizeof(unsigned int)
543+#else
544+# define CANARY_SIZE 0
545+#endif
546
547 # if MEMORY_LIMIT
548 # if ZEND_DEBUG
549@@ -129,6 +134,12 @@
550 DECLARE_CACHE_VARS();
551 TSRMLS_FETCH();
552
553+#if HARDENED_PHP_MM_PROTECT
554+ if (size > LONG_MAX - sizeof(zend_mem_header) - MEM_HEADER_PADDING - END_MAGIC_SIZE - CANARY_SIZE) {
555+ zend_security_log("emalloc() - requested size would result in integer overflow");
556+ exit(1);
557+ }
558+#endif
559 CALCULATE_REAL_SIZE_AND_CACHE_INDEX(size);
560
561 if (!ZEND_DISABLE_MEMORY_CACHE && (CACHE_INDEX < MAX_CACHED_MEMORY) && (AG(cache_count)[CACHE_INDEX] > 0)) {
562@@ -146,6 +157,10 @@
563 AG(cache_stats)[CACHE_INDEX][1]++;
564 memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
565 #endif
566+#if HARDENED_PHP_MM_PROTECT
567+ p->canary = HG(canary_1);
568+ memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
569+#endif
570 p->cached = 0;
571 p->size = size;
572 return (void *)((char *)p + sizeof(zend_mem_header) + MEM_HEADER_PADDING);
573@@ -161,7 +176,7 @@
574 AG(allocated_memory_peak) = AG(allocated_memory);
575 }
576 #endif
577- p = (zend_mem_header *) ZEND_DO_MALLOC(sizeof(zend_mem_header) + MEM_HEADER_PADDING + SIZE + END_MAGIC_SIZE);
578+ p = (zend_mem_header *) ZEND_DO_MALLOC(sizeof(zend_mem_header) + MEM_HEADER_PADDING + SIZE + END_MAGIC_SIZE + CANARY_SIZE);
579 }
580
581 HANDLE_BLOCK_INTERRUPTIONS();
582@@ -191,7 +206,10 @@
583 # endif
584 memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
585 #endif
586-
587+#if HARDENED_PHP_MM_PROTECT
588+ p->canary = HG(canary_1);
589+ memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
590+#endif
591 HANDLE_UNBLOCK_INTERRUPTIONS();
592 return (void *)((char *)p + sizeof(zend_mem_header) + MEM_HEADER_PADDING);
593 }
594@@ -218,17 +236,33 @@
595 return emalloc_rel(lval + offset);
596 }
597 }
598-
599+
600+#if HARDENED_PHP
601+ zend_security_log("Possible integer overflow catched by safe_emalloc()");
602+#endif
603 zend_error(E_ERROR, "Possible integer overflow in memory allocation (%ld * %ld + %ld)", nmemb, size, offset);
604 return 0;
605 }
606
607 ZEND_API void _efree(void *ptr ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
608 {
609+#if HARDENED_PHP_MM_PROTECT
610+ unsigned int *canary_2;
611+#endif
612 zend_mem_header *p = (zend_mem_header *) ((char *)ptr - sizeof(zend_mem_header) - MEM_HEADER_PADDING);
613 DECLARE_CACHE_VARS();
614 TSRMLS_FETCH();
615
616+#if HARDENED_PHP_MM_PROTECT
617+ canary_2 = (unsigned int *)(((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE);
618+ if (p->canary != HG(canary_1) || *canary_2 != HG(canary_2)) {
619+ zend_security_log("canary mismatch on efree() - heap overflow or double efree detected");
620+ exit(1);
621+ }
622+ /* to catch double efree()s */
623+ *canary_2 = p->canary = 0;
624+#endif
625+
626 #if defined(ZTS) && TSRM_DEBUG
627 if (p->thread_id != tsrm_thread_id()) {
628 tsrm_error(TSRM_ERROR_LEVEL_ERROR, "Memory block allocated at %s:(%d) on thread %x freed at %s:(%d) on thread %x, ignoring",
629@@ -273,6 +307,9 @@
630 size_t _size = nmemb * size;
631
632 if (nmemb && (_size/nmemb!=size)) {
633+#if HARDENED_PHP
634+ zend_security_log("Possible integer overflow catched by ecalloc()");
635+#endif
636 fprintf(stderr,"FATAL: ecalloc(): Unable to allocate %ld * %ld bytes\n", (long) nmemb, (long) size);
637 #if ZEND_DEBUG && HAVE_KILL && HAVE_GETPID
638 kill(getpid(), SIGSEGV);
639@@ -292,6 +329,9 @@
640
641 ZEND_API void *_erealloc(void *ptr, size_t size, int allow_failure ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
642 {
643+#if HARDENED_PHP_MM_PROTECT
644+ unsigned int canary_2;
645+#endif
646 zend_mem_header *p;
647 zend_mem_header *orig;
648 DECLARE_CACHE_VARS();
649@@ -303,6 +343,14 @@
650
651 p = orig = (zend_mem_header *) ((char *)ptr-sizeof(zend_mem_header)-MEM_HEADER_PADDING);
652
653+#if HARDENED_PHP_MM_PROTECT
654+ canary_2 = *(unsigned int *)(((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE);
655+ if (p->canary != HG(canary_1) || canary_2 != HG(canary_2)) {
656+ zend_security_log("canary mismatch on erealloc() - heap overflow detected");
657+ exit(1);
658+ }
659+#endif
660+
661 #if defined(ZTS) && TSRM_DEBUG
662 if (p->thread_id != tsrm_thread_id()) {
663 void *new_p;
664@@ -326,7 +374,7 @@
665 }
666 #endif
667 REMOVE_POINTER_FROM_LIST(p);
668- p = (zend_mem_header *) ZEND_DO_REALLOC(p, sizeof(zend_mem_header)+MEM_HEADER_PADDING+SIZE+END_MAGIC_SIZE);
669+ p = (zend_mem_header *) ZEND_DO_REALLOC(p, sizeof(zend_mem_header)+MEM_HEADER_PADDING+SIZE+END_MAGIC_SIZE+CANARY_SIZE);
670 if (!p) {
671 if (!allow_failure) {
672 fprintf(stderr,"FATAL: erealloc(): Unable to allocate %ld bytes\n", (long) size);
673@@ -348,6 +396,9 @@
674 memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
675 #endif
676
677+#if HARDENED_PHP_MM_PROTECT
678+ memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
679+#endif
680 p->size = size;
681
682 HANDLE_UNBLOCK_INTERRUPTIONS();
683@@ -423,6 +474,10 @@
684 {
685 AG(head) = NULL;
686
687+#if HARDENED_PHP_MM_PROTECT
688+ HG(canary_1) = zend_canary();
689+ HG(canary_2) = zend_canary();
690+#endif
691 #if MEMORY_LIMIT
692 AG(memory_limit) = 1<<30; /* ridiculous limit, effectively no limit */
693 AG(allocated_memory) = 0;
694diff -Nur php-4.3.10/Zend/zend_alloc.h hardened-php-4.3.10-0.2.6/Zend/zend_alloc.h
695--- php-4.3.10/Zend/zend_alloc.h 2004-08-11 08:10:46.000000000 +0200
696+++ hardened-php-4.3.10-0.2.6/Zend/zend_alloc.h 2004-12-22 16:16:30.000000000 +0100
697@@ -32,6 +32,9 @@
698 #define MEM_BLOCK_CACHED_MAGIC 0xFB8277DCL
699
700 typedef struct _zend_mem_header {
701+#if HARDENED_PHP_MM_PROTECT
702+ unsigned int canary;
703+#endif
704 #if ZEND_DEBUG
705 long magic;
706 char *filename;
707diff -Nur php-4.3.10/Zend/zend_builtin_functions.c hardened-php-4.3.10-0.2.6/Zend/zend_builtin_functions.c
708--- php-4.3.10/Zend/zend_builtin_functions.c 2004-04-01 21:05:01.000000000 +0200
709+++ hardened-php-4.3.10-0.2.6/Zend/zend_builtin_functions.c 2004-12-22 16:16:30.000000000 +0100
710@@ -49,6 +49,9 @@
711 static ZEND_FUNCTION(crash);
712 #endif
713 #endif
714+#if HARDENED_PHP_MM_PROTECT_DEBUG
715+static ZEND_FUNCTION(heap_overflow);
716+#endif
717 static ZEND_FUNCTION(get_included_files);
718 static ZEND_FUNCTION(is_subclass_of);
719 static ZEND_FUNCTION(is_a);
720@@ -101,6 +104,9 @@
721 ZEND_FE(crash, NULL)
722 #endif
723 #endif
724+#if HARDENED_PHP_MM_PROTECT_DEBUG
725+ ZEND_FE(heap_overflow, NULL)
726+#endif
727 ZEND_FE(get_included_files, NULL)
728 ZEND_FALIAS(get_required_files, get_included_files, NULL)
729 ZEND_FE(is_subclass_of, NULL)
730@@ -805,6 +811,19 @@
731
732 #endif /* ZEND_DEBUG */
733
734+
735+#if HARDENED_PHP_MM_PROTECT_DEBUG
736+ZEND_FUNCTION(heap_overflow)
737+{
738+ char *nowhere = emalloc(10);
739+
740+ memcpy(nowhere, "something1234567890", sizeof("something1234567890"));
741+
742+ efree(nowhere);
743+}
744+#endif
745+
746+
747 /* {{{ proto array get_included_files(void)
748 Returns an array with the file names that were include_once()'d */
749 ZEND_FUNCTION(get_included_files)
750diff -Nur php-4.3.10/Zend/zend_canary.c hardened-php-4.3.10-0.2.6/Zend/zend_canary.c
751--- php-4.3.10/Zend/zend_canary.c 1970-01-01 01:00:00.000000000 +0100
752+++ hardened-php-4.3.10-0.2.6/Zend/zend_canary.c 2004-12-22 16:16:30.000000000 +0100
753@@ -0,0 +1,58 @@
754+/*
755+ +----------------------------------------------------------------------+
756+ | Hardened-PHP |
757+ +----------------------------------------------------------------------+
758+ | Copyright (c) 2004 Stefan Esser |
759+ +----------------------------------------------------------------------+
760+ | This source file is subject to version 2.02 of the PHP license, |
761+ | that is bundled with this package in the file LICENSE, and is |
762+ | available at through the world-wide-web at |
763+ | http://www.php.net/license/2_02.txt. |
764+ | If you did not receive a copy of the PHP license and are unable to |
765+ | obtain it through the world-wide-web, please send a note to |
766+ | license@php.net so we can mail you a copy immediately. |
767+ +----------------------------------------------------------------------+
768+ | Author: Stefan Esser <sesser@php.net> |
769+ +----------------------------------------------------------------------+
770+ */
771+/* $Id: zend_canary.c,v 1.1 2004/11/26 12:45:41 ionic Exp $ */
772+
773+#include "zend.h"
774+
775+#include <stdio.h>
776+#include <stdlib.h>
777+
778+
779+#if HARDENED_PHP_MM_PROTECT || HARDENED_PHP_LL_PROTECT
780+
781+/* will be replaced later with more compatible method */
782+ZEND_API unsigned int zend_canary()
783+{
784+ time_t t;
785+ unsigned int canary;
786+ int fd;
787+
788+ fd = open("/dev/urandom", 0);
789+ if (fd != -1) {
790+ int r = read(fd, &canary, sizeof(canary));
791+ close(fd);
792+ if (r == sizeof(canary)) {
793+ return (canary);
794+ }
795+ }
796+ /* not good but we never want to do this */
797+ time(&t);
798+ canary = *(unsigned int *)&t + getpid() << 16;
799+ return (canary);
800+}
801+#endif
802+
803+
804+/*
805+ * Local variables:
806+ * tab-width: 4
807+ * c-basic-offset: 4
808+ * End:
809+ * vim600: sw=4 ts=4 fdm=marker
810+ * vim<600: sw=4 ts=4
811+ */
812diff -Nur php-4.3.10/Zend/zend_execute.c hardened-php-4.3.10-0.2.6/Zend/zend_execute.c
813--- php-4.3.10/Zend/zend_execute.c 2004-11-03 12:23:59.000000000 +0100
814+++ hardened-php-4.3.10-0.2.6/Zend/zend_execute.c 2004-12-22 16:16:30.000000000 +0100
815@@ -2149,7 +2149,12 @@
816 int dummy = 1;
817 zend_file_handle file_handle = {0};
818
819+#if HARDENED_PHP_INC_PROTECT
820+ if (zend_is_valid_include(inc_filename)
821+ && zend_open(inc_filename->value.str.val, &file_handle) == SUCCESS
822+#else
823 if (zend_open(inc_filename->value.str.val, &file_handle) == SUCCESS
824+#endif
825 && ZEND_IS_VALID_FILE_HANDLE(&file_handle)) {
826
827 file_handle.filename = inc_filename->value.str.val;
828@@ -2178,6 +2183,11 @@
829 break;
830 case ZEND_INCLUDE:
831 case ZEND_REQUIRE:
832+#if HARDENED_PHP_INC_PROTECT
833+ if (!zend_is_valid_include(inc_filename)) {
834+ break;
835+ }
836+#endif
837 new_op_array = compile_filename(EX(opline)->op2.u.constant.value.lval, inc_filename TSRMLS_CC);
838 break;
839 case ZEND_EVAL: {
840diff -Nur php-4.3.10/Zend/zend_extensions.h hardened-php-4.3.10-0.2.6/Zend/zend_extensions.h
841--- php-4.3.10/Zend/zend_extensions.h 2002-12-31 17:23:02.000000000 +0100
842+++ hardened-php-4.3.10-0.2.6/Zend/zend_extensions.h 2004-12-22 16:32:29.000000000 +0100
843@@ -23,7 +23,9 @@
844
845 #include "zend_compile.h"
846
847-#define ZEND_EXTENSION_API_NO 20021010
848+/* Create own API version number for Hardened-PHP */
849+
850+#define ZEND_EXTENSION_API_NO 1020041222
851
852 typedef struct _zend_extension_version_info {
853 int zend_extension_api_no;
854diff -Nur php-4.3.10/Zend/zend_hash.c hardened-php-4.3.10-0.2.6/Zend/zend_hash.c
855--- php-4.3.10/Zend/zend_hash.c 2004-07-12 23:26:46.000000000 +0200
856+++ hardened-php-4.3.10-0.2.6/Zend/zend_hash.c 2004-12-22 16:16:30.000000000 +0100
857@@ -26,6 +26,17 @@
858 # include <stdlib.h>
859 #endif
860
861+#if HARDENED_PHP_HASH_PROTECT
862+ unsigned int zend_hash_canary = 0x1234567;
863+ zend_bool zend_hash_canary_inited = 0;
864+#endif
865+
866+#define CHECK_HASH_CANARY(hash) \
867+ if (zend_hash_canary != (hash)->canary) { \
868+ zend_security_log("Zend HashTable canary was overwritten"); \
869+ exit(1); \
870+ }
871+
872 #define HANDLE_NUMERIC(key, length, func) { \
873 register char *tmp=key; \
874 \
875@@ -175,6 +186,9 @@
876 {
877 uint i = 3;
878 Bucket **tmp;
879+#if HARDENED_PHP_HASH_PROTECT
880+ TSRMLS_FETCH();
881+#endif
882
883 SET_INCONSISTENT(HT_OK);
884
885@@ -184,6 +198,13 @@
886
887 ht->nTableSize = 1 << i;
888 ht->nTableMask = ht->nTableSize - 1;
889+#if HARDENED_PHP_HASH_PROTECT
890+ if (zend_hash_canary_inited) {
891+ zend_hash_canary = zend_canary();
892+ zend_hash_canary_inited = 1;
893+ }
894+ ht->canary = zend_hash_canary;
895+#endif
896 ht->pDestructor = pDestructor;
897 ht->pListHead = NULL;
898 ht->pListTail = NULL;
899@@ -259,6 +280,9 @@
900 }
901 #endif
902 if (ht->pDestructor) {
903+#if HARDENED_PHP_HASH_PROTECT
904+ CHECK_HASH_CANARY(ht);
905+#endif
906 ht->pDestructor(p->pData);
907 }
908 UPDATE_DATA(ht, p, pData, nDataSize);
909@@ -327,6 +351,9 @@
910 }
911 #endif
912 if (ht->pDestructor) {
913+#if HARDENED_PHP_HASH_PROTECT
914+ CHECK_HASH_CANARY(ht);
915+#endif
916 ht->pDestructor(p->pData);
917 }
918 UPDATE_DATA(ht, p, pData, nDataSize);
919@@ -402,6 +429,9 @@
920 }
921 #endif
922 if (ht->pDestructor) {
923+#if HARDENED_PHP_HASH_PROTECT
924+ CHECK_HASH_CANARY(ht);
925+#endif
926 ht->pDestructor(p->pData);
927 }
928 UPDATE_DATA(ht, p, pData, nDataSize);
929@@ -450,7 +480,7 @@
930 IS_CONSISTENT(ht);
931
932 if ((ht->nTableSize << 1) > 0) { /* Let's double the table size */
933- t = (Bucket **) perealloc_recoverable(ht->arBuckets, (ht->nTableSize << 1) * sizeof(Bucket *), ht->persistent);
934+ t = (Bucket **) perealloc(ht->arBuckets, (ht->nTableSize << 1) * sizeof(Bucket *), ht->persistent);
935 if (t) {
936 HANDLE_BLOCK_INTERRUPTIONS();
937 ht->arBuckets = t;
938@@ -460,6 +490,7 @@
939 HANDLE_UNBLOCK_INTERRUPTIONS();
940 return SUCCESS;
941 }
942+ zend_error(E_ERROR, "zend_hash_do_resize - out of memory");
943 return FAILURE;
944 }
945 return SUCCESS;
946@@ -524,6 +555,9 @@
947 ht->pInternalPointer = p->pListNext;
948 }
949 if (ht->pDestructor) {
950+#if HARDENED_PHP_HASH_PROTECT
951+ CHECK_HASH_CANARY(ht);
952+#endif
953 ht->pDestructor(p->pData);
954 }
955 if (!p->pDataPtr) {
956@@ -553,6 +587,9 @@
957 q = p;
958 p = p->pListNext;
959 if (ht->pDestructor) {
960+#if HARDENED_PHP_HASH_PROTECT
961+ CHECK_HASH_CANARY(ht);
962+#endif
963 ht->pDestructor(q->pData);
964 }
965 if (!q->pDataPtr && q->pData) {
966@@ -579,6 +616,9 @@
967 q = p;
968 p = p->pListNext;
969 if (ht->pDestructor) {
970+#if HARDENED_PHP_HASH_PROTECT
971+ CHECK_HASH_CANARY(ht);
972+#endif
973 ht->pDestructor(q->pData);
974 }
975 if (!q->pDataPtr && q->pData) {
976@@ -608,6 +648,9 @@
977 HANDLE_BLOCK_INTERRUPTIONS();
978
979 if (ht->pDestructor) {
980+#if HARDENED_PHP_HASH_PROTECT
981+ CHECK_HASH_CANARY(ht);
982+#endif
983 ht->pDestructor(p->pData);
984 }
985 if (!p->pDataPtr) {
986diff -Nur php-4.3.10/Zend/zend_hash.h hardened-php-4.3.10-0.2.6/Zend/zend_hash.h
987--- php-4.3.10/Zend/zend_hash.h 2002-12-31 17:23:03.000000000 +0100
988+++ hardened-php-4.3.10-0.2.6/Zend/zend_hash.h 2004-12-22 16:16:30.000000000 +0100
989@@ -54,6 +54,9 @@
990 } Bucket;
991
992 typedef struct _hashtable {
993+#if HARDENED_PHP_HASH_PROTECT
994+ unsigned int canary;
995+#endif
996 uint nTableSize;
997 uint nTableMask;
998 uint nNumOfElements;
999diff -Nur php-4.3.10/Zend/zend_llist.c hardened-php-4.3.10-0.2.6/Zend/zend_llist.c
1000--- php-4.3.10/Zend/zend_llist.c 2002-12-31 17:23:04.000000000 +0100
1001+++ hardened-php-4.3.10-0.2.6/Zend/zend_llist.c 2004-12-22 16:16:30.000000000 +0100
1002@@ -21,9 +21,34 @@
1003 #include "zend.h"
1004 #include "zend_llist.h"
1005 #include "zend_qsort.h"
1006+#include "zend_globals.h"
1007+
1008+#define CHECK_LIST_CANARY(list) \
1009+ if (HG(canary_3) != (list)->canary_h || HG(canary_4) != (list)->canary_t) { \
1010+ zend_security_log("linked list canary was overwritten"); \
1011+ exit(1); \
1012+ }
1013+
1014+#define CHECK_LISTELEMENT_CANARY(elem) \
1015+ if (HG(canary_3) != (elem)->canary) { \
1016+ zend_security_log("linked list element canary was overwritten"); \
1017+ exit(1); \
1018+ }
1019+
1020
1021 ZEND_API void zend_llist_init(zend_llist *l, size_t size, llist_dtor_func_t dtor, unsigned char persistent)
1022 {
1023+#if HARDENED_PHP_LL_PROTECT
1024+ TSRMLS_FETCH();
1025+
1026+ if (!HG(ll_canary_inited)) {
1027+ HG(canary_3) = zend_canary();
1028+ HG(canary_4) = zend_canary();
1029+ HG(ll_canary_inited) = 1;
1030+ }
1031+ l->canary_h = HG(canary_3);
1032+ l->canary_t = HG(canary_4);
1033+#endif
1034 l->head = NULL;
1035 l->tail = NULL;
1036 l->count = 0;
1037@@ -37,6 +62,11 @@
1038 {
1039 zend_llist_element *tmp = pemalloc(sizeof(zend_llist_element)+l->size-1, l->persistent);
1040
1041+#if HARDENED_PHP_LL_PROTECT
1042+ TSRMLS_FETCH();
1043+ CHECK_LIST_CANARY(l)
1044+ tmp->canary = HG(canary_3);
1045+#endif
1046 tmp->prev = l->tail;
1047 tmp->next = NULL;
1048 if (l->tail) {
1049@@ -55,6 +85,11 @@
1050 {
1051 zend_llist_element *tmp = pemalloc(sizeof(zend_llist_element)+l->size-1, l->persistent);
1052
1053+#if HARDENED_PHP_LL_PROTECT
1054+ TSRMLS_FETCH();
1055+ CHECK_LIST_CANARY(l)
1056+ tmp->canary = HG(canary_3);
1057+#endif
1058 tmp->next = l->head;
1059 tmp->prev = NULL;
1060 if (l->head) {
1061@@ -91,10 +126,20 @@
1062 zend_llist_element *current=l->head;
1063 zend_llist_element *next;
1064
1065+#if HARDENED_PHP_LL_PROTECT
1066+ TSRMLS_FETCH();
1067+ CHECK_LIST_CANARY(l)
1068+#endif
1069 while (current) {
1070+#if HARDENED_PHP_LL_PROTECT
1071+ CHECK_LISTELEMENT_CANARY(current)
1072+#endif
1073 next = current->next;
1074 if (compare(current->data, element)) {
1075 DEL_LLIST_ELEMENT(current, l);
1076+#if HARDENED_PHP_LL_PROTECT
1077+ current->canary = 0;
1078+#endif
1079 break;
1080 }
1081 current = next;
1082@@ -106,7 +151,14 @@
1083 {
1084 zend_llist_element *current=l->head, *next;
1085
1086+#if HARDENED_PHP_LL_PROTECT
1087+ TSRMLS_FETCH();
1088+ CHECK_LIST_CANARY(l)
1089+#endif
1090 while (current) {
1091+#if HARDENED_PHP_LL_PROTECT
1092+ CHECK_LISTELEMENT_CANARY(current)
1093+#endif
1094 next = current->next;
1095 if (l->dtor) {
1096 l->dtor(current->data);
1097@@ -131,7 +183,14 @@
1098 zend_llist_element *old_tail;
1099 void *data;
1100
1101+#if HARDENED_PHP_LL_PROTECT
1102+ TSRMLS_FETCH();
1103+ CHECK_LIST_CANARY(l)
1104+#endif
1105 if ((old_tail = l->tail)) {
1106+#if HARDENED_PHP_LL_PROTECT
1107+ CHECK_LISTELEMENT_CANARY(old_tail)
1108+#endif
1109 if (l->tail->prev) {
1110 l->tail->prev->next = NULL;
1111 }
1112@@ -157,9 +216,16 @@
1113 {
1114 zend_llist_element *ptr;
1115
1116+#if HARDENED_PHP_LL_PROTECT
1117+ TSRMLS_FETCH();
1118+ CHECK_LIST_CANARY(src)
1119+#endif
1120 zend_llist_init(dst, src->size, src->dtor, src->persistent);
1121 ptr = src->head;
1122 while (ptr) {
1123+#if HARDENED_PHP_LL_PROTECT
1124+ CHECK_LISTELEMENT_CANARY(ptr)
1125+#endif
1126 zend_llist_add_element(dst, ptr->data);
1127 ptr = ptr->next;
1128 }
1129@@ -170,11 +236,21 @@
1130 {
1131 zend_llist_element *element, *next;
1132
1133+#if HARDENED_PHP_LL_PROTECT
1134+ TSRMLS_FETCH();
1135+ CHECK_LIST_CANARY(l)
1136+#endif
1137 element=l->head;
1138 while (element) {
1139+#if HARDENED_PHP_LL_PROTECT
1140+ CHECK_LISTELEMENT_CANARY(element)
1141+#endif
1142 next = element->next;
1143 if (func(element->data)) {
1144 DEL_LLIST_ELEMENT(element, l);
1145+#if HARDENED_PHP_LL_PROTECT
1146+ element->canary = 0;
1147+#endif
1148 }
1149 element = next;
1150 }
1151@@ -185,7 +261,13 @@
1152 {
1153 zend_llist_element *element;
1154
1155+#if HARDENED_PHP_LL_PROTECT
1156+ CHECK_LIST_CANARY(l)
1157+#endif
1158 for (element=l->head; element; element=element->next) {
1159+#if HARDENED_PHP_LL_PROTECT
1160+ CHECK_LISTELEMENT_CANARY(element)
1161+#endif
1162 func(element->data TSRMLS_CC);
1163 }
1164 }
1165@@ -197,6 +279,9 @@
1166 zend_llist_element **elements;
1167 zend_llist_element *element, **ptr;
1168
1169+#if HARDENED_PHP_LL_PROTECT
1170+ CHECK_LIST_CANARY(l)
1171+#endif
1172 if (l->count <= 0) {
1173 return;
1174 }
1175@@ -206,6 +291,9 @@
1176 ptr = &elements[0];
1177
1178 for (element=l->head; element; element=element->next) {
1179+#if HARDENED_PHP_LL_PROTECT
1180+ CHECK_LISTELEMENT_CANARY(element)
1181+#endif
1182 *ptr++ = element;
1183 }
1184
1185@@ -228,7 +316,13 @@
1186 {
1187 zend_llist_element *element;
1188
1189+#if HARDENED_PHP_LL_PROTECT
1190+ CHECK_LIST_CANARY(l)
1191+#endif
1192 for (element=l->head; element; element=element->next) {
1193+#if HARDENED_PHP_LL_PROTECT
1194+ CHECK_LISTELEMENT_CANARY(element)
1195+#endif
1196 func(element->data, arg TSRMLS_CC);
1197 }
1198 }
1199@@ -239,8 +333,14 @@
1200 zend_llist_element *element;
1201 va_list args;
1202
1203+#if HARDENED_PHP_LL_PROTECT
1204+ CHECK_LIST_CANARY(l)
1205+#endif
1206 va_start(args, num_args);
1207 for (element=l->head; element; element=element->next) {
1208+#if HARDENED_PHP_LL_PROTECT
1209+ CHECK_LISTELEMENT_CANARY(element)
1210+#endif
1211 func(element->data, num_args, args TSRMLS_CC);
1212 }
1213 va_end(args);
1214@@ -249,6 +349,10 @@
1215
1216 ZEND_API int zend_llist_count(zend_llist *l)
1217 {
1218+#if HARDENED_PHP_LL_PROTECT
1219+ TSRMLS_FETCH();
1220+ CHECK_LIST_CANARY(l)
1221+#endif
1222 return l->count;
1223 }
1224
1225@@ -256,8 +360,15 @@
1226 {
1227 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
1228
1229+#if HARDENED_PHP_LL_PROTECT
1230+ TSRMLS_FETCH();
1231+ CHECK_LIST_CANARY(l)
1232+#endif
1233 *current = l->head;
1234 if (*current) {
1235+#if HARDENED_PHP_LL_PROTECT
1236+ CHECK_LISTELEMENT_CANARY(*current)
1237+#endif
1238 return (*current)->data;
1239 } else {
1240 return NULL;
1241@@ -269,8 +380,15 @@
1242 {
1243 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
1244
1245+#if HARDENED_PHP_LL_PROTECT
1246+ TSRMLS_FETCH();
1247+ CHECK_LIST_CANARY(l)
1248+#endif
1249 *current = l->tail;
1250 if (*current) {
1251+#if HARDENED_PHP_LL_PROTECT
1252+ CHECK_LISTELEMENT_CANARY(*current)
1253+#endif
1254 return (*current)->data;
1255 } else {
1256 return NULL;
1257@@ -282,9 +400,19 @@
1258 {
1259 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
1260
1261+#if HARDENED_PHP_LL_PROTECT
1262+ TSRMLS_FETCH();
1263+ CHECK_LIST_CANARY(l)
1264+#endif
1265 if (*current) {
1266+#if HARDENED_PHP_LL_PROTECT
1267+ CHECK_LISTELEMENT_CANARY(*current)
1268+#endif
1269 *current = (*current)->next;
1270 if (*current) {
1271+#if HARDENED_PHP_LL_PROTECT
1272+ CHECK_LISTELEMENT_CANARY(*current)
1273+#endif
1274 return (*current)->data;
1275 }
1276 }
1277@@ -296,9 +424,19 @@
1278 {
1279 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
1280
1281+#if HARDENED_PHP_LL_PROTECT
1282+ TSRMLS_FETCH();
1283+ CHECK_LIST_CANARY(l)
1284+#endif
1285 if (*current) {
1286+#if HARDENED_PHP_LL_PROTECT
1287+ CHECK_LISTELEMENT_CANARY(*current)
1288+#endif
1289 *current = (*current)->prev;
1290 if (*current) {
1291+#if HARDENED_PHP_LL_PROTECT
1292+ CHECK_LISTELEMENT_CANARY(*current)
1293+#endif
1294 return (*current)->data;
1295 }
1296 }
1297diff -Nur php-4.3.10/Zend/zend_llist.h hardened-php-4.3.10-0.2.6/Zend/zend_llist.h
1298--- php-4.3.10/Zend/zend_llist.h 2002-12-31 17:23:04.000000000 +0100
1299+++ hardened-php-4.3.10-0.2.6/Zend/zend_llist.h 2004-12-22 16:16:30.000000000 +0100
1300@@ -24,6 +24,9 @@
1301 #include <stdlib.h>
1302
1303 typedef struct _zend_llist_element {
1304+#if HARDENED_PHP_LL_PROTECT
1305+ unsigned int canary;
1306+#endif
1307 struct _zend_llist_element *next;
1308 struct _zend_llist_element *prev;
1309 char data[1]; /* Needs to always be last in the struct */
1310@@ -36,6 +39,9 @@
1311 typedef void (*llist_apply_func_t)(void * TSRMLS_DC);
1312
1313 typedef struct _zend_llist {
1314+#if HARDENED_PHP_LL_PROTECT
1315+ unsigned int canary_h; /* head */
1316+#endif
1317 zend_llist_element *head;
1318 zend_llist_element *tail;
1319 size_t size;
1320@@ -43,6 +49,9 @@
1321 llist_dtor_func_t dtor;
1322 unsigned char persistent;
1323 zend_llist_element *traverse_ptr;
1324+#if HARDENED_PHP_LL_PROTECT
1325+ unsigned int canary_t; /* tail */
1326+#endif
1327 } zend_llist;
1328
1329 typedef zend_llist_element* zend_llist_position;
1330diff -Nur php-4.3.10/Zend/zend_modules.h hardened-php-4.3.10-0.2.6/Zend/zend_modules.h
1331--- php-4.3.10/Zend/zend_modules.h 2002-12-31 17:23:04.000000000 +0100
1332+++ hardened-php-4.3.10-0.2.6/Zend/zend_modules.h 2004-12-22 17:33:47.000000000 +0100
1333@@ -34,7 +34,7 @@
1334 ZEND_API extern unsigned char second_arg_force_ref[];
1335 ZEND_API extern unsigned char third_arg_force_ref[];
1336
1337-#define ZEND_MODULE_API_NO 20020429
1338+#define ZEND_MODULE_API_NO 1020041222
1339 #ifdef ZTS
1340 #define USING_ZTS 1
1341 #else
1342diff -Nur php-4.3.10/acinclude.m4 hardened-php-4.3.10-0.2.6/acinclude.m4
1343--- php-4.3.10/acinclude.m4 2004-12-11 12:17:21.000000000 +0100
1344+++ hardened-php-4.3.10-0.2.6/acinclude.m4 2004-12-22 16:16:30.000000000 +0100
1345@@ -1153,6 +1153,36 @@
1346 fi
1347 ])
1348
1349+dnl
1350+dnl Check for broken realpath()
1351+dnl
1352+dnl realpath("/etc/hosts/../passwd",XXX) should not return
1353+dnl "/etc/passwd"
1354+dnl
1355+AC_DEFUN([PHP_AC_BROKEN_REALPATH],[
1356+ AC_CACHE_CHECK(whether realpath is broken, ac_cv_broken_realpath,[
1357+ AC_TRY_RUN([
1358+main() {
1359+ char buf[4096+1];
1360+ buf[0] = 0;
1361+ realpath("/etc/hosts/../passwd", buf);
1362+ exit(strcmp(buf, "/etc/passwd")==0);
1363+}
1364+ ],[
1365+ ac_cv_broken_realpath=no
1366+ ],[
1367+ ac_cv_broken_realpath=yes
1368+ ],[
1369+ ac_cv_broken_realpath=no
1370+ ])
1371+ ])
1372+ if test "$ac_cv_broken_realpath" = "yes"; then
1373+ AC_DEFINE(PHP_BROKEN_REALPATH, 1, [Whether realpath is broken])
1374+ else
1375+ AC_DEFINE(PHP_BROKEN_REALPATH, 0, [Whether realpath is broken])
1376+ fi
1377+])
1378+
1379 dnl PHP_SHARED_MODULE(module-name, object-var, build-dir, cxx)
1380 dnl
1381 dnl Basically sets up the link-stage for building module-name
1382diff -Nur php-4.3.10/configure hardened-php-4.3.10-0.2.6/configure
1383--- php-4.3.10/configure 2004-12-14 18:55:18.000000000 +0100
1384+++ hardened-php-4.3.10-0.2.6/configure 2004-12-22 16:16:31.000000000 +0100
1385@@ -389,6 +389,16 @@
1386 ac_default_prefix=/usr/local
1387 # Any additions from configure.in:
1388 ac_help="$ac_help
1389+ --disable-hardened-php-mm-protect Disable the Memory Manager protection."
1390+ac_help="$ac_help
1391+ --disable-hardened-php-ll-protect Disable the Linked List protection."
1392+ac_help="$ac_help
1393+ --disable-hardened-php-inc-protect Disable include/require protection."
1394+ac_help="$ac_help
1395+ --disable-hardened-php-fmt-protect Disable format string protection."
1396+ac_help="$ac_help
1397+ --disable-hardened-php-hash-protect Disable Zend HashTable DTOR protection."
1398+ac_help="$ac_help
1399
1400 SAPI modules:
1401 "
1402@@ -831,6 +841,8 @@
1403 ac_help="$ac_help
1404 --disable-tokenizer Disable tokenizer support"
1405 ac_help="$ac_help
1406+ --disable-varfilter Disable Hardened-PHP's variable filter"
1407+ac_help="$ac_help
1408 --enable-wddx Enable WDDX support."
1409 ac_help="$ac_help
1410 --disable-xml Disable XML support using bundled expat lib"
1411@@ -2643,6 +2655,157 @@
1412
1413
1414
1415+# Check whether --enable-hardened-php-mm-protect or --disable-hardened-php-mm-protect was given.
1416+if test "${enable_hardened_php_mm_protect+set}" = set; then
1417+ enableval="$enable_hardened_php_mm_protect"
1418+
1419+ DO_HARDENED_PHP_MM_PROTECT=$enableval
1420+
1421+else
1422+
1423+ DO_HARDENED_PHP_MM_PROTECT=yes
1424+
1425+fi
1426+
1427+
1428+# Check whether --enable-hardened-php-ll-protect or --disable-hardened-php-ll-protect was given.
1429+if test "${enable_hardened_php_ll_protect+set}" = set; then
1430+ enableval="$enable_hardened_php_ll_protect"
1431+
1432+ DO_HARDENED_PHP_LL_PROTECT=$enableval
1433+
1434+else
1435+
1436+ DO_HARDENED_PHP_LL_PROTECT=yes
1437+
1438+fi
1439+
1440+
1441+# Check whether --enable-hardened-php-inc-protect or --disable-hardened-php-inc-protect was given.
1442+if test "${enable_hardened_php_inc_protect+set}" = set; then
1443+ enableval="$enable_hardened_php_inc_protect"
1444+
1445+ DO_HARDENED_PHP_INC_PROTECT=$enableval
1446+
1447+else
1448+
1449+ DO_HARDENED_PHP_INC_PROTECT=yes
1450+
1451+fi
1452+
1453+
1454+# Check whether --enable-hardened-php-fmt-protect or --disable-hardened-php-fmt-protect was given.
1455+if test "${enable_hardened_php_fmt_protect+set}" = set; then
1456+ enableval="$enable_hardened_php_fmt_protect"
1457+
1458+ DO_HARDENED_PHP_FMT_PROTECT=$enableval
1459+
1460+else
1461+
1462+ DO_HARDENED_PHP_FMT_PROTECT=yes
1463+
1464+fi
1465+
1466+
1467+# Check whether --enable-hardened-php-hash-protect or --disable-hardened-php-hash-protect was given.
1468+if test "${enable_hardened_php_hash_protect+set}" = set; then
1469+ enableval="$enable_hardened_php_hash_protect"
1470+
1471+ DO_HARDENED_PHP_HASH_PROTECT=$enableval
1472+
1473+else
1474+
1475+ DO_HARDENED_PHP_HASH_PROTECT=yes
1476+
1477+fi
1478+
1479+
1480+echo $ac_n "checking whether to protect the Zend Memory Manager""... $ac_c" 1>&6
1481+echo "configure:2725: checking whether to protect the Zend Memory Manager" >&5
1482+echo "$ac_t""$DO_HARDENED_PHP_MM_PROTECT" 1>&6
1483+
1484+echo $ac_n "checking whether to protect the Zend Linked Lists""... $ac_c" 1>&6
1485+echo "configure:2729: checking whether to protect the Zend Linked Lists" >&5
1486+echo "$ac_t""$DO_HARDENED_PHP_LL_PROTECT" 1>&6
1487+
1488+echo $ac_n "checking whether to protect include/require statements""... $ac_c" 1>&6
1489+echo "configure:2733: checking whether to protect include/require statements" >&5
1490+echo "$ac_t""$DO_HARDENED_PHP_INC_PROTECT" 1>&6
1491+
1492+echo $ac_n "checking whether to protect PHP Format String functions""... $ac_c" 1>&6
1493+echo "configure:2737: checking whether to protect PHP Format String functions" >&5
1494+echo "$ac_t""$DO_HARDENED_PHP_FMT_PROTECT" 1>&6
1495+
1496+echo $ac_n "checking whether to protect the Zend HashTable Destructors""... $ac_c" 1>&6
1497+echo "configure:2737: checking whether to protect the Zend HashTable Destructors" >&5
1498+echo "$ac_t""$DO_HARDENED_PHP_HASH_PROTECT" 1>&6
1499+
1500+
1501+cat >> confdefs.h <<\EOF
1502+#define HARDENED_PHP 1
1503+EOF
1504+
1505+
1506+
1507+if test "$DO_HARDENED_PHP_MM_PROTECT" = "yes"; then
1508+ cat >> confdefs.h <<\EOF
1509+#define HARDENED_PHP_MM_PROTECT 1
1510+EOF
1511+
1512+else
1513+ cat >> confdefs.h <<\EOF
1514+#define HARDENED_PHP_MM_PROTECT 0
1515+EOF
1516+
1517+fi
1518+
1519+if test "$DO_HARDENED_PHP_LL_PROTECT" = "yes"; then
1520+ cat >> confdefs.h <<\EOF
1521+#define HARDENED_PHP_LL_PROTECT 1
1522+EOF
1523+
1524+else
1525+ cat >> confdefs.h <<\EOF
1526+#define HARDENED_PHP_LL_PROTECT 0
1527+EOF
1528+
1529+fi
1530+
1531+if test "$DO_HARDENED_PHP_INC_PROTECT" = "yes"; then
1532+ cat >> confdefs.h <<\EOF
1533+#define HARDENED_PHP_INC_PROTECT 1
1534+EOF
1535+
1536+else
1537+ cat >> confdefs.h <<\EOF
1538+#define HARDENED_PHP_INC_PROTECT 0
1539+EOF
1540+
1541+fi
1542+
1543+if test "$DO_HARDENED_PHP_FMT_PROTECT" = "yes"; then
1544+ cat >> confdefs.h <<\EOF
1545+#define HARDENED_PHP_FMT_PROTECT 1
1546+EOF
1547+
1548+else
1549+ cat >> confdefs.h <<\EOF
1550+#define HARDENED_PHP_FMT_PROTECT 0
1551+EOF
1552+
1553+fi
1554+
1555+if test "$DO_HARDENED_PHP_HASH_PROTECT" = "yes"; then
1556+ cat >> confdefs.h <<\EOF
1557+#define HARDENED_PHP_HASH_PROTECT 1
1558+EOF
1559+
1560+else
1561+ cat >> confdefs.h <<\EOF
1562+#define HARDENED_PHP_HASH_PROTECT 0
1563+EOF
1564+
1565+fi
1566
1567
1568
1569@@ -14890,6 +15053,62 @@
1570 fi
1571
1572
1573+ echo $ac_n "checking whether realpath is broken""... $ac_c" 1>&6
1574+echo "configure:14928: checking whether realpath is broken" >&5
1575+if eval "test \"`echo '$''{'ac_cv_broken_realpath'+set}'`\" = set"; then
1576+ echo $ac_n "(cached) $ac_c" 1>&6
1577+else
1578+
1579+ if test "$cross_compiling" = yes; then
1580+
1581+ ac_cv_broken_realpath=no
1582+
1583+else
1584+ cat > conftest.$ac_ext <<EOF
1585+#line 14939 "configure"
1586+#include "confdefs.h"
1587+
1588+main() {
1589+ char buf[4096+1];
1590+ buf[0] = 0;
1591+ realpath("/etc/hosts/../passwd", buf);
1592+ exit(strcmp(buf, "/etc/passwd")==0);
1593+}
1594+
1595+EOF
1596+if { (eval echo configure:14958: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
1597+then
1598+
1599+ ac_cv_broken_realpath=no
1600+
1601+else
1602+ echo "configure: failed program was:" >&5
1603+ cat conftest.$ac_ext >&5
1604+ rm -fr conftest*
1605+
1606+ ac_cv_broken_realpath=yes
1607+
1608+fi
1609+rm -fr conftest*
1610+fi
1611+
1612+
1613+fi
1614+
1615+echo "$ac_t""$ac_cv_broken_realpath" 1>&6
1616+ if test "$ac_cv_broken_realpath" = "yes"; then
1617+ cat >> confdefs.h <<\EOF
1618+#define PHP_BROKEN_REALPATH 1
1619+EOF
1620+
1621+ else
1622+ cat >> confdefs.h <<\EOF
1623+#define PHP_BROKEN_REALPATH 0
1624+EOF
1625+
1626+ fi
1627+
1628+
1629 echo $ac_n "checking for declared timezone""... $ac_c" 1>&6
1630 echo "configure:14895: checking for declared timezone" >&5
1631 if eval "test \"`echo '$''{'ac_cv_declared_timezone'+set}'`\" = set"; then
1632@@ -82014,6 +82233,265 @@
1633 fi
1634
1635
1636+echo $ac_n "checking whether to enable Hardened-PHP's variable filter""... $ac_c" 1>&6
1637+echo "configure:82041: checking whether to enable Hardened-PHP's variable filter" >&5
1638+# Check whether --enable-varfilter or --disable-varfilter was given.
1639+if test "${enable_varfilter+set}" = set; then
1640+ enableval="$enable_varfilter"
1641+ PHP_VARFILTER=$enableval
1642+else
1643+
1644+ PHP_VARFILTER=yes
1645+
1646+ if test "$PHP_ENABLE_ALL" && test "yes" = "yes"; then
1647+ PHP_VARFILTER=$PHP_ENABLE_ALL
1648+ fi
1649+
1650+fi
1651+
1652+
1653+
1654+ext_output="yes, shared"
1655+ext_shared=yes
1656+case $PHP_VARFILTER in
1657+shared,*)
1658+ PHP_VARFILTER=`echo "$PHP_VARFILTER"|sed 's/^shared,//'`
1659+ ;;
1660+shared)
1661+ PHP_VARFILTER=yes
1662+ ;;
1663+no)
1664+ ext_output=no
1665+ ext_shared=no
1666+ ;;
1667+*)
1668+ ext_output=yes
1669+ ext_shared=no
1670+ ;;
1671+esac
1672+
1673+
1674+
1675+echo "$ac_t""$ext_output" 1>&6
1676+
1677+
1678+
1679+
1680+if test "$PHP_VARFILTER" != "no"; then
1681+ cat >> confdefs.h <<\EOF
1682+#define HAVE_VARFILTER 1
1683+EOF
1684+
1685+
1686+ ext_builddir=ext/varfilter
1687+ ext_srcdir=$abs_srcdir/ext/varfilter
1688+
1689+ ac_extra=
1690+
1691+ if test "$ext_shared" != "shared" && test "$ext_shared" != "yes" && test "" != "cli"; then
1692+
1693+
1694+
1695+ case ext/varfilter in
1696+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
1697+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
1698+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
1699+ esac
1700+
1701+
1702+
1703+ b_c_pre=$php_c_pre
1704+ b_cxx_pre=$php_cxx_pre
1705+ b_c_meta=$php_c_meta
1706+ b_cxx_meta=$php_cxx_meta
1707+ b_c_post=$php_c_post
1708+ b_cxx_post=$php_cxx_post
1709+ b_lo=$php_lo
1710+
1711+
1712+ old_IFS=$IFS
1713+ for ac_src in varfilter.c; do
1714+
1715+ IFS=.
1716+ set $ac_src
1717+ ac_obj=$1
1718+ IFS=$old_IFS
1719+
1720+ PHP_GLOBAL_OBJS="$PHP_GLOBAL_OBJS $ac_bdir$ac_obj.lo"
1721+
1722+ case $ac_src in
1723+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
1724+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
1725+ esac
1726+
1727+ cat >>Makefile.objects<<EOF
1728+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
1729+ $ac_comp
1730+EOF
1731+ done
1732+
1733+
1734+ EXT_STATIC="$EXT_STATIC varfilter"
1735+ if test "$ext_shared" != "nocli"; then
1736+ EXT_CLI_STATIC="$EXT_CLI_STATIC varfilter"
1737+ fi
1738+ else
1739+ if test "$ext_shared" = "shared" || test "$ext_shared" = "yes"; then
1740+
1741+ case ext/varfilter in
1742+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
1743+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
1744+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
1745+ esac
1746+
1747+
1748+
1749+ b_c_pre=$shared_c_pre
1750+ b_cxx_pre=$shared_cxx_pre
1751+ b_c_meta=$shared_c_meta
1752+ b_cxx_meta=$shared_cxx_meta
1753+ b_c_post=$shared_c_post
1754+ b_cxx_post=$shared_cxx_post
1755+ b_lo=$shared_lo
1756+
1757+
1758+ old_IFS=$IFS
1759+ for ac_src in varfilter.c; do
1760+
1761+ IFS=.
1762+ set $ac_src
1763+ ac_obj=$1
1764+ IFS=$old_IFS
1765+
1766+ shared_objects_varfilter="$shared_objects_varfilter $ac_bdir$ac_obj.lo"
1767+
1768+ case $ac_src in
1769+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
1770+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
1771+ esac
1772+
1773+ cat >>Makefile.objects<<EOF
1774+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
1775+ $ac_comp
1776+EOF
1777+ done
1778+
1779+
1780+ install_modules="install-modules"
1781+ PHP_MODULES="$PHP_MODULES \$(phplibdir)/varfilter.la"
1782+
1783+ PHP_VAR_SUBST="$PHP_VAR_SUBST shared_objects_varfilter"
1784+
1785+ cat >>Makefile.objects<<EOF
1786+\$(phplibdir)/varfilter.la: $ext_builddir/varfilter.la
1787+ \$(LIBTOOL) --mode=install cp $ext_builddir/varfilter.la \$(phplibdir)
1788+
1789+$ext_builddir/varfilter.la: \$(shared_objects_varfilter) \$(VARFILTER_SHARED_DEPENDENCIES)
1790+ \$(LIBTOOL) --mode=link \$(CC) \$(COMMON_FLAGS) \$(CFLAGS_CLEAN) \$(EXTRA_CFLAGS) \$(LDFLAGS) -o \$@ -export-dynamic -avoid-version -prefer-pic -module -rpath \$(phplibdir) \$(EXTRA_LDFLAGS) \$(shared_objects_varfilter) \$(VARFILTER_SHARED_LIBADD)
1791+
1792+EOF
1793+
1794+ cat >> confdefs.h <<EOF
1795+#define COMPILE_DL_VARFILTER 1
1796+EOF
1797+
1798+ fi
1799+ fi
1800+
1801+ if test "$ext_shared" != "shared" && test "$ext_shared" != "yes" && test "" = "cli"; then
1802+ if test "$PHP_SAPI" = "cgi"; then
1803+
1804+
1805+ case ext/varfilter in
1806+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
1807+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
1808+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
1809+ esac
1810+
1811+
1812+
1813+ b_c_pre=$php_c_pre
1814+ b_cxx_pre=$php_cxx_pre
1815+ b_c_meta=$php_c_meta
1816+ b_cxx_meta=$php_cxx_meta
1817+ b_c_post=$php_c_post
1818+ b_cxx_post=$php_cxx_post
1819+ b_lo=$php_lo
1820+
1821+
1822+ old_IFS=$IFS
1823+ for ac_src in varfilter.c; do
1824+
1825+ IFS=.
1826+ set $ac_src
1827+ ac_obj=$1
1828+ IFS=$old_IFS
1829+
1830+ PHP_GLOBAL_OBJS="$PHP_GLOBAL_OBJS $ac_bdir$ac_obj.lo"
1831+
1832+ case $ac_src in
1833+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
1834+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
1835+ esac
1836+
1837+ cat >>Makefile.objects<<EOF
1838+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
1839+ $ac_comp
1840+EOF
1841+ done
1842+
1843+
1844+ EXT_STATIC="$EXT_STATIC varfilter"
1845+ else
1846+
1847+
1848+ case ext/varfilter in
1849+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
1850+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
1851+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
1852+ esac
1853+
1854+
1855+
1856+ b_c_pre=$php_c_pre
1857+ b_cxx_pre=$php_cxx_pre
1858+ b_c_meta=$php_c_meta
1859+ b_cxx_meta=$php_cxx_meta
1860+ b_c_post=$php_c_post
1861+ b_cxx_post=$php_cxx_post
1862+ b_lo=$php_lo
1863+
1864+
1865+ old_IFS=$IFS
1866+ for ac_src in varfilter.c; do
1867+
1868+ IFS=.
1869+ set $ac_src
1870+ ac_obj=$1
1871+ IFS=$old_IFS
1872+
1873+ PHP_CLI_OBJS="$PHP_CLI_OBJS $ac_bdir$ac_obj.lo"
1874+
1875+ case $ac_src in
1876+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
1877+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
1878+ esac
1879+
1880+ cat >>Makefile.objects<<EOF
1881+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
1882+ $ac_comp
1883+EOF
1884+ done
1885+
1886+
1887+ fi
1888+ EXT_CLI_STATIC="$EXT_CLI_STATIC varfilter"
1889+ fi
1890+
1891+ BUILD_DIR="$BUILD_DIR $ext_builddir"
1892+
1893+
1894+fi
1895
1896
1897 echo $ac_n "checking whether to enable WDDX support""... $ac_c" 1>&6
1898@@ -94503,7 +94981,7 @@
1899 php_ini.c SAPI.c rfc1867.c php_content_types.c strlcpy.c \
1900 strlcat.c mergesort.c reentrancy.c php_variables.c php_ticks.c \
1901 streams.c network.c php_open_temporary_file.c php_logos.c \
1902- output.c memory_streams.c user_streams.c; do
1903+ output.c memory_streams.c user_streams.c hardened_php.c; do
1904
1905 IFS=.
1906 set $ac_src
1907@@ -94676,7 +95154,7 @@
1908 zend_opcode.c zend_operators.c zend_ptr_stack.c zend_stack.c \
1909 zend_variables.c zend.c zend_API.c zend_extensions.c zend_hash.c \
1910 zend_list.c zend_indent.c zend_builtin_functions.c zend_sprintf.c \
1911- zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c; do
1912+ zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c zend_canary.c; do
1913
1914 IFS=.
1915 set $ac_src
1916diff -Nur php-4.3.10/configure.in hardened-php-4.3.10-0.2.6/configure.in
1917--- php-4.3.10/configure.in 2004-12-14 17:07:49.000000000 +0100
1918+++ hardened-php-4.3.10-0.2.6/configure.in 2004-12-22 16:16:31.000000000 +0100
1919@@ -205,7 +205,7 @@
1920 sinclude(Zend/acinclude.m4)
1921 sinclude(Zend/Zend.m4)
1922 sinclude(TSRM/tsrm.m4)
1923-
1924+sinclude(main/hardened_php.m4)
1925
1926
1927 divert(2)
1928@@ -573,6 +573,7 @@
1929 AC_FUNC_ALLOCA
1930 dnl PHP_AC_BROKEN_SPRINTF
1931 dnl PHP_AC_BROKEN_SNPRINTF
1932+PHP_AC_BROKEN_REALPATH
1933 PHP_DECLARED_TIMEZONE
1934 PHP_TIME_R_TYPE
1935 PHP_READDIR_R_TYPE
1936@@ -1201,7 +1202,7 @@
1937 php_ini.c SAPI.c rfc1867.c php_content_types.c strlcpy.c \
1938 strlcat.c mergesort.c reentrancy.c php_variables.c php_ticks.c \
1939 streams.c network.c php_open_temporary_file.c php_logos.c \
1940- output.c memory_streams.c user_streams.c)
1941+ output.c memory_streams.c user_streams.c hardened_php.c)
1942 PHP_ADD_SOURCES(/main, internal_functions.c,, sapi)
1943 PHP_ADD_SOURCES(/main, internal_functions_cli.c,, cli)
1944
1945@@ -1214,7 +1215,7 @@
1946 zend_opcode.c zend_operators.c zend_ptr_stack.c zend_stack.c \
1947 zend_variables.c zend.c zend_API.c zend_extensions.c zend_hash.c \
1948 zend_list.c zend_indent.c zend_builtin_functions.c zend_sprintf.c \
1949- zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c)
1950+ zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c zend_canary.c )
1951
1952 if test -r "$abs_srcdir/Zend/zend_objects.c"; then
1953 PHP_ADD_SOURCES(Zend, zend_objects.c zend_object_handlers.c zend_objects_API.c zend_mm.c)
1954diff -Nur php-4.3.10/ext/mbstring/mbstring.c hardened-php-4.3.10-0.2.6/ext/mbstring/mbstring.c
1955--- php-4.3.10/ext/mbstring/mbstring.c 2004-06-24 00:07:01.000000000 +0200
1956+++ hardened-php-4.3.10-0.2.6/ext/mbstring/mbstring.c 2004-12-22 16:16:31.000000000 +0100
1957@@ -1467,12 +1467,13 @@
1958
1959 /* {{{ static void php_mbstr_encoding_handler() */
1960 static void
1961-php_mbstr_encoding_handler(zval *arg, char *res, char *separator TSRMLS_DC)
1962+php_mbstr_encoding_handler(zval *arg, int parse_type, char *res, char *separator TSRMLS_DC)
1963 {
1964 char *var, *val, *s1, *s2;
1965 char *strtok_buf = NULL, **val_list;
1966 zval *array_ptr = (zval *) arg;
1967 int n, num, val_len, *len_list, elistsz;
1968+ unsigned int new_val_len;
1969 enum mbfl_no_encoding from_encoding, to_encoding, *elist;
1970 mbfl_string string, resvar, resval;
1971 mbfl_encoding_detector *identd = NULL;
1972@@ -1593,8 +1594,14 @@
1973 val_len = len_list[n];
1974 }
1975 n++;
1976- /* add variable to symbol table */
1977- php_register_variable_safe(var, val, val_len, array_ptr TSRMLS_CC);
1978+ /* we need val to be emalloc()ed */
1979+ val = estrndup(val, val_len);
1980+ if (sapi_module.input_filter(parse_type, var, &val, val_len, &new_val_len TSRMLS_CC)) {
1981+ /* add variable to symbol table */
1982+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
1983+ }
1984+ efree(val);
1985+
1986 if (convd != NULL){
1987 mbfl_string_clear(&resvar);
1988 mbfl_string_clear(&resval);
1989@@ -1620,7 +1627,7 @@
1990 {
1991 MBSTRG(http_input_identify_post) = mbfl_no_encoding_invalid;
1992
1993- php_mbstr_encoding_handler(arg, SG(request_info).post_data, "&" TSRMLS_CC);
1994+ php_mbstr_encoding_handler(arg, PARSE_POST, SG(request_info).post_data, "&" TSRMLS_CC);
1995
1996 if (MBSTRG(http_input_identify) != mbfl_no_encoding_invalid) {
1997 MBSTRG(http_input_identify_post) = MBSTRG(http_input_identify);
1998@@ -1720,7 +1727,7 @@
1999 break;
2000 }
2001
2002- php_mbstr_encoding_handler(array_ptr, res, separator TSRMLS_CC);
2003+ php_mbstr_encoding_handler(array_ptr, arg, res, separator TSRMLS_CC);
2004
2005 if (MBSTRG(http_input_identify) != mbfl_no_encoding_invalid) {
2006 switch(arg){
2007diff -Nur php-4.3.10/ext/standard/array.c hardened-php-4.3.10-0.2.6/ext/standard/array.c
2008--- php-4.3.10/ext/standard/array.c 2004-12-02 17:36:41.000000000 +0100
2009+++ hardened-php-4.3.10-0.2.6/ext/standard/array.c 2004-12-22 16:16:31.000000000 +0100
2010@@ -1153,6 +1153,31 @@
2011 }
2012 }
2013 }
2014+
2015+ if (var_name[0] == 'H') {
2016+ if ((strcmp(var_name, "HTTP_GET_VARS")==0)||
2017+ (strcmp(var_name, "HTTP_POST_VARS")==0)||
2018+ (strcmp(var_name, "HTTP_POST_FILES")==0)||
2019+ (strcmp(var_name, "HTTP_ENV_VARS")==0)||
2020+ (strcmp(var_name, "HTTP_SERVER_VARS")==0)||
2021+ (strcmp(var_name, "HTTP_SESSION_VARS")==0)||
2022+ (strcmp(var_name, "HTTP_COOKIE_VARS")==0)) {
2023+ return 0;
2024+ }
2025+ } else if (var_name[0] == '_') {
2026+ if ((strcmp(var_name, "_COOKIE")==0)||
2027+ (strcmp(var_name, "_ENV")==0)||
2028+ (strcmp(var_name, "_FILES")==0)||
2029+ (strcmp(var_name, "_GET")==0)||
2030+ (strcmp(var_name, "_POST")==0)||
2031+ (strcmp(var_name, "_REQUEST")==0)||
2032+ (strcmp(var_name, "_SESSION")==0)||
2033+ (strcmp(var_name, "_SERVER")==0)) {
2034+ return 0;
2035+ }
2036+ } else if (strcmp(var_name, "GLOBALS")==0) {
2037+ return 0;
2038+ }
2039
2040 return 1;
2041 }
2042diff -Nur php-4.3.10/ext/standard/basic_functions.c hardened-php-4.3.10-0.2.6/ext/standard/basic_functions.c
2043--- php-4.3.10/ext/standard/basic_functions.c 2004-11-16 00:26:40.000000000 +0100
2044+++ hardened-php-4.3.10-0.2.6/ext/standard/basic_functions.c 2004-12-22 16:16:31.000000000 +0100
2045@@ -687,7 +687,7 @@
2046 PHP_FALIAS(socket_get_status, stream_get_meta_data, NULL)
2047
2048 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
2049- PHP_FE(realpath, NULL)
2050+ PHP_STATIC_FE("realpath", zif_real_path, NULL)
2051 #endif
2052
2053 #ifdef HAVE_FNMATCH
2054@@ -3008,6 +3008,34 @@
2055 memcpy(new_key, prefix, prefix_len);
2056 memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
2057
2058+ if (new_key[0] == 'H') {
2059+ if ((strcmp(new_key, "HTTP_GET_VARS")==0)||
2060+ (strcmp(new_key, "HTTP_POST_VARS")==0)||
2061+ (strcmp(new_key, "HTTP_POST_FILES")==0)||
2062+ (strcmp(new_key, "HTTP_ENV_VARS")==0)||
2063+ (strcmp(new_key, "HTTP_SERVER_VARS")==0)||
2064+ (strcmp(new_key, "HTTP_SESSION_VARS")==0)||
2065+ (strcmp(new_key, "HTTP_COOKIE_VARS")==0)) {
2066+ efree(new_key);
2067+ return 0;
2068+ }
2069+ } else if (new_key[0] == '_') {
2070+ if ((strcmp(new_key, "_COOKIE")==0)||
2071+ (strcmp(new_key, "_ENV")==0)||
2072+ (strcmp(new_key, "_FILES")==0)||
2073+ (strcmp(new_key, "_GET")==0)||
2074+ (strcmp(new_key, "_POST")==0)||
2075+ (strcmp(new_key, "_REQUEST")==0)||
2076+ (strcmp(new_key, "_SESSION")==0)||
2077+ (strcmp(new_key, "_SERVER")==0)) {
2078+ efree(new_key);
2079+ return 0;
2080+ }
2081+ } else if (strcmp(new_key, "GLOBALS")==0) {
2082+ efree(new_key);
2083+ return 0;
2084+ }
2085+
2086 zend_hash_del(&EG(symbol_table), new_key, new_key_len);
2087 ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0);
2088
2089diff -Nur php-4.3.10/ext/standard/file.c hardened-php-4.3.10-0.2.6/ext/standard/file.c
2090--- php-4.3.10/ext/standard/file.c 2004-12-08 22:15:02.000000000 +0100
2091+++ hardened-php-4.3.10-0.2.6/ext/standard/file.c 2004-12-22 16:16:31.000000000 +0100
2092@@ -2472,7 +2472,7 @@
2093 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
2094 /* {{{ proto string realpath(string path)
2095 Return the resolved path */
2096-PHP_FUNCTION(realpath)
2097+PHP_FUNCTION(real_path)
2098 {
2099 zval **path;
2100 char resolved_path_buff[MAXPATHLEN];
2101diff -Nur php-4.3.10/ext/standard/file.h hardened-php-4.3.10-0.2.6/ext/standard/file.h
2102--- php-4.3.10/ext/standard/file.h 2004-06-21 21:33:47.000000000 +0200
2103+++ hardened-php-4.3.10-0.2.6/ext/standard/file.h 2004-12-22 16:16:31.000000000 +0100
2104@@ -64,7 +64,7 @@
2105 PHP_FUNCTION(fd_set);
2106 PHP_FUNCTION(fd_isset);
2107 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
2108-PHP_FUNCTION(realpath);
2109+PHP_FUNCTION(real_path);
2110 #endif
2111 #ifdef HAVE_FNMATCH
2112 PHP_FUNCTION(fnmatch);
2113diff -Nur php-4.3.10/ext/standard/info.c hardened-php-4.3.10-0.2.6/ext/standard/info.c
2114--- php-4.3.10/ext/standard/info.c 2004-06-09 17:10:19.000000000 +0200
2115+++ hardened-php-4.3.10-0.2.6/ext/standard/info.c 2004-12-22 17:33:18.000000000 +0100
2116@@ -397,7 +397,7 @@
2117
2118 if (flag & PHP_INFO_GENERAL) {
2119 char *zend_version = get_zend_version();
2120- char temp_api[9];
2121+ char temp_api[11];
2122
2123 php_uname = php_get_uname('a');
2124
2125@@ -417,11 +417,22 @@
2126 }
2127 }
2128
2129+#if HARDENED_PHP
2130+ if (!sapi_module.phpinfo_as_text) {
2131+ php_printf("<h1 class=\"p\">Hardened-PHP Version %s/%s</h1>\n", PHP_VERSION, HARDENED_PHP_VERSION);
2132+ } else {
2133+ char temp_ver[40];
2134+
2135+ snprintf(temp_ver, sizeof(temp_ver), "%s/%s", PHP_VERSION, HARDENED_PHP_VERSION);
2136+ php_info_print_table_row(2, "Hardened-PHP Version", temp_ver);
2137+ }
2138+#else
2139 if (!sapi_module.phpinfo_as_text) {
2140 php_printf("<h1 class=\"p\">PHP Version %s</h1>\n", PHP_VERSION);
2141 } else {
2142 php_info_print_table_row(2, "PHP Version", PHP_VERSION);
2143 }
2144+#endif
2145 php_info_print_box_end();
2146 php_info_print_table_start();
2147 php_info_print_table_row(2, "System", php_uname );
2148diff -Nur php-4.3.10/ext/varfilter/CREDITS hardened-php-4.3.10-0.2.6/ext/varfilter/CREDITS
2149--- php-4.3.10/ext/varfilter/CREDITS 1970-01-01 01:00:00.000000000 +0100
2150+++ hardened-php-4.3.10-0.2.6/ext/varfilter/CREDITS 2004-12-22 16:16:31.000000000 +0100
2151@@ -0,0 +1,2 @@
2152+varfilter
2153+Stefan Esser
2154\ No newline at end of file
2155diff -Nur php-4.3.10/ext/varfilter/config.m4 hardened-php-4.3.10-0.2.6/ext/varfilter/config.m4
2156--- php-4.3.10/ext/varfilter/config.m4 1970-01-01 01:00:00.000000000 +0100
2157+++ hardened-php-4.3.10-0.2.6/ext/varfilter/config.m4 2004-12-22 16:16:31.000000000 +0100
2158@@ -0,0 +1,11 @@
2159+dnl
2160+dnl $Id: config.m4,v 1.1 2004/11/14 13:27:16 ionic Exp $
2161+dnl
2162+
2163+PHP_ARG_ENABLE(varfilter, whether to enable Hardened-PHP's variable filter,
2164+[ --disable-varfilter Disable Hardened-PHP's variable filter], yes)
2165+
2166+if test "$PHP_VARFILTER" != "no"; then
2167+ AC_DEFINE(HAVE_VARFILTER, 1, [ ])
2168+ PHP_NEW_EXTENSION(varfilter, varfilter.c, $ext_shared)
2169+fi
2170diff -Nur php-4.3.10/ext/varfilter/php_varfilter.h hardened-php-4.3.10-0.2.6/ext/varfilter/php_varfilter.h
2171--- php-4.3.10/ext/varfilter/php_varfilter.h 1970-01-01 01:00:00.000000000 +0100
2172+++ hardened-php-4.3.10-0.2.6/ext/varfilter/php_varfilter.h 2004-12-22 16:16:31.000000000 +0100
2173@@ -0,0 +1,72 @@
2174+/*
2175+ +----------------------------------------------------------------------+
2176+ | PHP Version 4 |
2177+ +----------------------------------------------------------------------+
2178+ | Copyright (c) 1997-2003 The PHP Group |
2179+ +----------------------------------------------------------------------+
2180+ | This source file is subject to version 2.02 of the PHP license, |
2181+ | that is bundled with this package in the file LICENSE, and is |
2182+ | available at through the world-wide-web at |
2183+ | http://www.php.net/license/2_02.txt. |
2184+ | If you did not receive a copy of the PHP license and are unable to |
2185+ | obtain it through the world-wide-web, please send a note to |
2186+ | license@php.net so we can mail you a copy immediately. |
2187+ +----------------------------------------------------------------------+
2188+ | Author: Stefan Esser |
2189+ +----------------------------------------------------------------------+
2190+
2191+ $Id: php_varfilter.h,v 1.1 2004/11/14 13:27:16 ionic Exp $
2192+*/
2193+
2194+#ifndef PHP_VARFILTER_H
2195+#define PHP_VARFILTER_H
2196+
2197+extern zend_module_entry varfilter_module_entry;
2198+#define phpext_varfilter_ptr &varfilter_module_entry
2199+
2200+#ifdef PHP_WIN32
2201+#define PHP_VARFILTER_API __declspec(dllexport)
2202+#else
2203+#define PHP_VARFILTER_API
2204+#endif
2205+
2206+#ifdef ZTS
2207+#include "TSRM.h"
2208+#endif
2209+
2210+#include "SAPI.h"
2211+
2212+PHP_MINIT_FUNCTION(varfilter);
2213+PHP_MSHUTDOWN_FUNCTION(varfilter);
2214+PHP_RINIT_FUNCTION(varfilter);
2215+PHP_RSHUTDOWN_FUNCTION(varfilter);
2216+PHP_MINFO_FUNCTION(varfilter);
2217+
2218+
2219+ZEND_BEGIN_MODULE_GLOBALS(varfilter)
2220+ long max_request_variables;
2221+ long cur_request_variables;
2222+ long max_varname_length;
2223+ long max_value_length;
2224+ long max_array_depth;
2225+ZEND_END_MODULE_GLOBALS(varfilter)
2226+
2227+
2228+#ifdef ZTS
2229+#define VARFILTER_G(v) TSRMG(varfilter_globals_id, zend_varfilter_globals *, v)
2230+#else
2231+#define VARFILTER_G(v) (varfilter_globals.v)
2232+#endif
2233+
2234+SAPI_INPUT_FILTER_FUNC(varfilter_input_filter);
2235+
2236+#endif /* PHP_VARFILTER_H */
2237+
2238+
2239+/*
2240+ * Local variables:
2241+ * tab-width: 4
2242+ * c-basic-offset: 4
2243+ * indent-tabs-mode: t
2244+ * End:
2245+ */
2246diff -Nur php-4.3.10/ext/varfilter/varfilter.c hardened-php-4.3.10-0.2.6/ext/varfilter/varfilter.c
2247--- php-4.3.10/ext/varfilter/varfilter.c 1970-01-01 01:00:00.000000000 +0100
2248+++ hardened-php-4.3.10-0.2.6/ext/varfilter/varfilter.c 2004-12-22 16:16:31.000000000 +0100
2249@@ -0,0 +1,196 @@
2250+/*
2251+ +----------------------------------------------------------------------+
2252+ | PHP Version 4 |
2253+ +----------------------------------------------------------------------+
2254+ | Copyright (c) 1997-2003 The PHP Group |
2255+ +----------------------------------------------------------------------+
2256+ | This source file is subject to version 2.02 of the PHP license, |
2257+ | that is bundled with this package in the file LICENSE, and is |
2258+ | available at through the world-wide-web at |
2259+ | http://www.php.net/license/2_02.txt. |
2260+ | If you did not receive a copy of the PHP license and are unable to |
2261+ | obtain it through the world-wide-web, please send a note to |
2262+ | license@php.net so we can mail you a copy immediately. |
2263+ +----------------------------------------------------------------------+
2264+ | Author: |
2265+ +----------------------------------------------------------------------+
2266+
2267+ $Id: varfilter.c,v 1.1 2004/11/14 13:27:16 ionic Exp $
2268+*/
2269+
2270+#ifdef HAVE_CONFIG_H
2271+#include "config.h"
2272+#endif
2273+
2274+#include "php.h"
2275+#include "php_ini.h"
2276+#include "ext/standard/info.h"
2277+#include "php_varfilter.h"
2278+#include "hardened_php.h"
2279+
2280+ZEND_DECLARE_MODULE_GLOBALS(varfilter)
2281+
2282+/* True global resources - no need for thread safety here */
2283+static int le_varfilter;
2284+
2285+/* {{{ varfilter_module_entry
2286+ */
2287+zend_module_entry varfilter_module_entry = {
2288+#if ZEND_MODULE_API_NO >= 20010901
2289+ STANDARD_MODULE_HEADER,
2290+#endif
2291+ "varfilter",
2292+ NULL,
2293+ PHP_MINIT(varfilter),
2294+ PHP_MSHUTDOWN(varfilter),
2295+ PHP_RINIT(varfilter), /* Replace with NULL if there's nothing to do at request start */
2296+ PHP_RSHUTDOWN(varfilter), /* Replace with NULL if there's nothing to do at request end */
2297+ PHP_MINFO(varfilter),
2298+#if ZEND_MODULE_API_NO >= 20010901
2299+ "0.2.0", /* Replace with version number for your extension */
2300+#endif
2301+ STANDARD_MODULE_PROPERTIES
2302+};
2303+/* }}} */
2304+
2305+#ifdef COMPILE_DL_VARFILTER
2306+ZEND_GET_MODULE(varfilter)
2307+#endif
2308+
2309+/* {{{ PHP_INI
2310+ */
2311+PHP_INI_BEGIN()
2312+ STD_PHP_INI_ENTRY("varfilter.max_request_variables", "200", PHP_INI_SYSTEM, OnUpdateInt, max_request_variables, zend_varfilter_globals, varfilter_globals)
2313+ STD_PHP_INI_ENTRY("varfilter.max_varname_length", "64", PHP_INI_SYSTEM, OnUpdateInt, max_varname_length, zend_varfilter_globals, varfilter_globals)
2314+ STD_PHP_INI_ENTRY("varfilter.max_value_length", "10000", PHP_INI_SYSTEM, OnUpdateInt, max_value_length, zend_varfilter_globals, varfilter_globals)
2315+ STD_PHP_INI_ENTRY("varfilter.max_array_depth", "100", PHP_INI_SYSTEM, OnUpdateInt, max_array_depth, zend_varfilter_globals, varfilter_globals)
2316+PHP_INI_END()
2317+/* }}} */
2318+
2319+/* {{{ php_varfilter_init_globals
2320+ */
2321+static void php_varfilter_init_globals(zend_varfilter_globals *varfilter_globals)
2322+{
2323+ varfilter_globals->max_request_variables = 200;
2324+ varfilter_globals->cur_request_variables = 0;
2325+ varfilter_globals->max_varname_length = 64;
2326+ varfilter_globals->max_value_length = 10000;
2327+ varfilter_globals->max_array_depth = 100;
2328+}
2329+/* }}} */
2330+
2331+/* {{{ PHP_MINIT_FUNCTION
2332+ */
2333+PHP_MINIT_FUNCTION(varfilter)
2334+{
2335+ ZEND_INIT_MODULE_GLOBALS(varfilter, php_varfilter_init_globals, NULL);
2336+ REGISTER_INI_ENTRIES();
2337+
2338+ sapi_register_input_filter(varfilter_input_filter);
2339+ return SUCCESS;
2340+}
2341+/* }}} */
2342+
2343+/* {{{ PHP_MSHUTDOWN_FUNCTION
2344+ */
2345+PHP_MSHUTDOWN_FUNCTION(varfilter)
2346+{
2347+ UNREGISTER_INI_ENTRIES();
2348+
2349+ return SUCCESS;
2350+}
2351+/* }}} */
2352+
2353+/* Remove if there's nothing to do at request start */
2354+/* {{{ PHP_RINIT_FUNCTION
2355+ */
2356+PHP_RINIT_FUNCTION(varfilter)
2357+{
2358+ VARFILTER_G(cur_request_variables) = 0;
2359+
2360+ return SUCCESS;
2361+}
2362+/* }}} */
2363+
2364+/* Remove if there's nothing to do at request end */
2365+/* {{{ PHP_RSHUTDOWN_FUNCTION
2366+ */
2367+PHP_RSHUTDOWN_FUNCTION(varfilter)
2368+{
2369+ return SUCCESS;
2370+}
2371+/* }}} */
2372+
2373+/* {{{ PHP_MINFO_FUNCTION
2374+ */
2375+PHP_MINFO_FUNCTION(varfilter)
2376+{
2377+ php_info_print_table_start();
2378+ php_info_print_table_header(2, "Hardened-PHP's variable filter support", "enabled");
2379+ php_info_print_table_end();
2380+
2381+ DISPLAY_INI_ENTRIES();
2382+}
2383+/* }}} */
2384+
2385+/* {{{ SAPI_INPUT_FILTER_FUNC
2386+ */
2387+SAPI_INPUT_FILTER_FUNC(varfilter_input_filter)
2388+{
2389+ char *index;
2390+ unsigned int var_len, depth = 0;
2391+
2392+ /* Drop this variable if the limit is reached */
2393+ if (VARFILTER_G(max_request_variables) == VARFILTER_G(cur_request_variables)) {
2394+ php_security_log("tried to register too many variables");
2395+ return 0;
2396+ }
2397+
2398+ /* Drop this variable if it exceeds the value length limit */
2399+ if (VARFILTER_G(max_value_length) < val_len) {
2400+ php_security_log("tried to register a variable with a too long value");
2401+ return 0;
2402+ }
2403+
2404+ /* Find length of variable name */
2405+ index = strchr(var, '[');
2406+ var_len = index ? index-var : strlen(var);
2407+
2408+ /* Drop this variable if it exceeds the varname length limit */
2409+ if (VARFILTER_G(max_varname_length) < var_len) {
2410+ php_security_log("tried to register a variable with a too long variable name");
2411+ return 0;
2412+ }
2413+
2414+ /* Find out array depth */
2415+ while (index) {
2416+ depth++;
2417+ index = strchr(index+1, '[');
2418+ }
2419+
2420+ /* Drop this variable if it exceeds the array depth limit */
2421+ if (VARFILTER_G(max_array_depth) < depth) {
2422+ php_security_log("tried to register a too deep array variable");
2423+ return 0;
2424+ }
2425+
2426+ /* Okay let PHP register this variable */
2427+ VARFILTER_G(cur_request_variables)++;
2428+
2429+ if (new_val_len) {
2430+ *new_val_len = val_len;
2431+ }
2432+
2433+ return 1;
2434+}
2435+/* }}} */
2436+
2437+
2438+/*
2439+ * Local variables:
2440+ * tab-width: 4
2441+ * c-basic-offset: 4
2442+ * End:
2443+ * vim600: noet sw=4 ts=4 fdm=marker
2444+ * vim<600: noet sw=4 ts=4
2445+ */
2446diff -Nur php-4.3.10/main/SAPI.c hardened-php-4.3.10-0.2.6/main/SAPI.c
2447--- php-4.3.10/main/SAPI.c 2004-08-19 22:35:36.000000000 +0200
2448+++ hardened-php-4.3.10-0.2.6/main/SAPI.c 2004-12-22 16:16:31.000000000 +0100
2449@@ -823,6 +823,12 @@
2450 return SUCCESS;
2451 }
2452
2453+SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC))
2454+{
2455+ sapi_module.input_filter = input_filter;
2456+ return SUCCESS;
2457+}
2458+
2459
2460 SAPI_API int sapi_flush(TSRMLS_D)
2461 {
2462diff -Nur php-4.3.10/main/SAPI.h hardened-php-4.3.10-0.2.6/main/SAPI.h
2463--- php-4.3.10/main/SAPI.h 2003-04-09 22:27:55.000000000 +0200
2464+++ hardened-php-4.3.10-0.2.6/main/SAPI.h 2004-12-22 16:16:31.000000000 +0100
2465@@ -101,9 +101,14 @@
2466 char *current_user;
2467 int current_user_length;
2468
2469- /* this is necessary for CLI module */
2470- int argc;
2471- char **argv;
2472+ /* this is necessary for CLI module */
2473+ int argc;
2474+ char **argv;
2475+
2476+#if HARDENED_PHP
2477+ /* this is necessary for IP logging */
2478+ char ip_address[64];
2479+#endif
2480 } sapi_request_info;
2481
2482
2483@@ -177,6 +182,7 @@
2484 SAPI_API void sapi_unregister_post_entry(sapi_post_entry *post_entry);
2485 SAPI_API int sapi_register_default_post_reader(void (*default_post_reader)(TSRMLS_D));
2486 SAPI_API int sapi_register_treat_data(void (*treat_data)(int arg, char *str, zval *destArray TSRMLS_DC));
2487+SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC));
2488
2489 SAPI_API int sapi_flush(TSRMLS_D);
2490 SAPI_API struct stat *sapi_get_stat(TSRMLS_D);
2491@@ -238,8 +244,11 @@
2492 int (*get_target_uid)(uid_t * TSRMLS_DC);
2493 int (*get_target_gid)(gid_t * TSRMLS_DC);
2494
2495+ unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC);
2496+
2497 void (*ini_defaults)(HashTable *configuration_hash);
2498 int phpinfo_as_text;
2499+
2500 };
2501
2502
2503@@ -262,16 +271,23 @@
2504
2505 #define SAPI_DEFAULT_MIMETYPE "text/html"
2506 #define SAPI_DEFAULT_CHARSET ""
2507+
2508+#if HARDENED_PHP
2509+#define SAPI_PHP_VERSION_HEADER "X-Powered-By: Hardened-PHP/" PHP_VERSION
2510+#else
2511 #define SAPI_PHP_VERSION_HEADER "X-Powered-By: PHP/" PHP_VERSION
2512+#endif
2513
2514 #define SAPI_POST_READER_FUNC(post_reader) void post_reader(TSRMLS_D)
2515 #define SAPI_POST_HANDLER_FUNC(post_handler) void post_handler(char *content_type_dup, void *arg TSRMLS_DC)
2516
2517 #define SAPI_TREAT_DATA_FUNC(treat_data) void treat_data(int arg, char *str, zval* destArray TSRMLS_DC)
2518+#define SAPI_INPUT_FILTER_FUNC(input_filter) unsigned int input_filter(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC)
2519
2520 SAPI_API SAPI_POST_READER_FUNC(sapi_read_standard_form_data);
2521 SAPI_API SAPI_POST_READER_FUNC(php_default_post_reader);
2522 SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data);
2523+SAPI_API SAPI_INPUT_FILTER_FUNC(php_default_input_filter);
2524
2525 #define STANDARD_SAPI_MODULE_PROPERTIES
2526
2527diff -Nur php-4.3.10/main/hardened_globals.h hardened-php-4.3.10-0.2.6/main/hardened_globals.h
2528--- php-4.3.10/main/hardened_globals.h 1970-01-01 01:00:00.000000000 +0100
2529+++ hardened-php-4.3.10-0.2.6/main/hardened_globals.h 2004-12-22 16:16:31.000000000 +0100
2530@@ -0,0 +1,54 @@
2531+/*
2532+ +----------------------------------------------------------------------+
2533+ | Hardened-PHP |
2534+ +----------------------------------------------------------------------+
2535+ | Copyright (c) 2004 Stefan Esser |
2536+ +----------------------------------------------------------------------+
2537+ | This source file is subject to version 2.02 of the PHP license, |
2538+ | that is bundled with this package in the file LICENSE, and is |
2539+ | available at through the world-wide-web at |
2540+ | http://www.php.net/license/2_02.txt. |
2541+ | If you did not receive a copy of the PHP license and are unable to |
2542+ | obtain it through the world-wide-web, please send a note to |
2543+ | license@php.net so we can mail you a copy immediately. |
2544+ +----------------------------------------------------------------------+
2545+ | Author: Stefan Esser <sesser@php.net> |
2546+ +----------------------------------------------------------------------+
2547+ */
2548+
2549+#ifndef HARDENED_GLOBALS_H
2550+#define HARDENED_GLOBALS_H
2551+
2552+typedef struct _hardened_globals hardened_globals_struct;
2553+
2554+#ifdef ZTS
2555+# define HG(v) TSRMG(hardened_globals_id, hardened_globals_struct *, v)
2556+extern int hardened_globals_id;
2557+#else
2558+# define HG(v) (hardened_globals.v)
2559+extern struct _hardened_globals hardened_globals;
2560+#endif
2561+
2562+
2563+struct _hardened_globals {
2564+#if HARDENED_PHP_MM_PROTECT
2565+ unsigned int canary_1;
2566+ unsigned int canary_2;
2567+#endif
2568+#if HARDENED_PHP_LL_PROTECT
2569+ unsigned int canary_3;
2570+ unsigned int canary_4;
2571+ unsigned int ll_canary_inited;
2572+#endif
2573+ unsigned int dummy;
2574+};
2575+
2576+
2577+#endif /* HARDENED_GLOBALS_H */
2578+
2579+/*
2580+ * Local variables:
2581+ * tab-width: 4
2582+ * c-basic-offset: 4
2583+ * End:
2584+ */
2585diff -Nur php-4.3.10/main/hardened_php.c hardened-php-4.3.10-0.2.6/main/hardened_php.c
2586--- php-4.3.10/main/hardened_php.c 1970-01-01 01:00:00.000000000 +0100
2587+++ hardened-php-4.3.10-0.2.6/main/hardened_php.c 2004-12-22 16:33:57.000000000 +0100
2588@@ -0,0 +1,205 @@
2589+/*
2590+ +----------------------------------------------------------------------+
2591+ | Hardened-PHP |
2592+ +----------------------------------------------------------------------+
2593+ | Copyright (c) 2004 Stefan Esser |
2594+ +----------------------------------------------------------------------+
2595+ | This source file is subject to version 2.02 of the PHP license, |
2596+ | that is bundled with this package in the file LICENSE, and is |
2597+ | available at through the world-wide-web at |
2598+ | http://www.php.net/license/2_02.txt. |
2599+ | If you did not receive a copy of the PHP license and are unable to |
2600+ | obtain it through the world-wide-web, please send a note to |
2601+ | license@php.net so we can mail you a copy immediately. |
2602+ +----------------------------------------------------------------------+
2603+ | Author: Stefan Esser <sesser@php.net> |
2604+ +----------------------------------------------------------------------+
2605+ */
2606+/* $Id: hardened_php.c,v 1.2 2004/11/21 09:38:52 ionic Exp $ */
2607+
2608+#include "php.h"
2609+
2610+#include <stdio.h>
2611+#include <stdlib.h>
2612+
2613+#if HAVE_UNISTD_H
2614+#include <unistd.h>
2615+#endif
2616+#include "SAPI.h"
2617+#include "php_globals.h"
2618+
2619+#if HARDENED_PHP
2620+
2621+#ifdef HAVE_SYS_SOCKET_H
2622+#include <sys/socket.h>
2623+#endif
2624+
2625+#if defined(PHP_WIN32) || defined(__riscos__) || defined(NETWARE)
2626+#undef AF_UNIX
2627+#endif
2628+
2629+#if defined(AF_UNIX)
2630+#include <sys/un.h>
2631+#endif
2632+
2633+#define SYSLOG_PATH "/dev/log"
2634+
2635+#include "snprintf.h"
2636+
2637+#ifdef ZTS
2638+#include "hardened_globals.h"
2639+int hardened_globals_id;
2640+#else
2641+struct _hardened_globals hardened_globals;
2642+#endif
2643+
2644+static void hardened_globals_ctor(hardened_globals_struct *hardened_globals TSRMLS_DC)
2645+{
2646+ memset(hardened_globals, 0, sizeof(*hardened_globals));
2647+}
2648+
2649+PHPAPI void hardened_startup()
2650+{
2651+#ifdef ZTS
2652+ ts_allocate_id(&hardened_globals_id, sizeof(hardened_globals_struct), (ts_allocate_ctor) hardened_globals_ctor, NULL);
2653+#else
2654+ hardened_globals_ctor(&hardened_globals TSRMLS_CC);
2655+#endif
2656+}
2657+
2658+PHPAPI void php_security_log(char *str)
2659+{
2660+#if defined(AF_UNIX)
2661+ int s, r;
2662+ struct sockaddr_un saun;
2663+ char buf[1024];
2664+ char *ip_address;
2665+ char *fname;
2666+ TSRMLS_FETCH();
2667+
2668+ ip_address = sapi_getenv("REMOTE_ADDR", 11 TSRMLS_CC);
2669+ if (ip_address == NULL) {
2670+ ip_address = "REMOTE_ADDR not set";
2671+ }
2672+
2673+ fname = sapi_getenv("SCRIPT_FILENAME", 15 TSRMLS_CC);
2674+
2675+ ap_php_snprintf(buf, 1024, "php security-alert: %s (attacker '%s', file '%s')\n", str, ip_address, fname);
2676+
2677+ s = socket(AF_UNIX, SOCK_DGRAM, 0);
2678+ if (s == -1) {
2679+ return;
2680+ }
2681+
2682+ memset(&saun, 0, sizeof(saun));
2683+ saun.sun_family = AF_UNIX;
2684+ strcpy(saun.sun_path, SYSLOG_PATH);
2685+ /*saun.sun_len = sizeof(saun);*/
2686+
2687+ r = connect(s, (struct sockaddr *)&saun, sizeof(saun));
2688+ if (r) {
2689+ close(s);
2690+ s = socket(AF_UNIX, SOCK_STREAM, 0);
2691+ if (s == -1) {
2692+ return;
2693+ }
2694+
2695+ memset(&saun, 0, sizeof(saun));
2696+ saun.sun_family = AF_UNIX;
2697+ strcpy(saun.sun_path, SYSLOG_PATH);
2698+ /*saun.sun_len = sizeof(saun);*/
2699+
2700+ r = connect(s, (struct sockaddr *)&saun, sizeof(saun));
2701+ if (r) {
2702+ close(s);
2703+ return;
2704+ }
2705+ }
2706+ send(s, buf, strlen(buf), 0);
2707+
2708+ close(s);
2709+#endif
2710+}
2711+#endif
2712+
2713+#if HARDENED_PHP_MM_PROTECT || HARDENED_PHP_LL_PROTECT || HARDENED_PHP_HASH_PROTECT
2714+
2715+/* will be replaced later with more compatible method */
2716+PHPAPI unsigned int php_canary()
2717+{
2718+ time_t t;
2719+ unsigned int canary;
2720+ int fd;
2721+
2722+ fd = open("/dev/urandom", 0);
2723+ if (fd != -1) {
2724+ int r = read(fd, &canary, sizeof(canary));
2725+ close(fd);
2726+ if (r == sizeof(canary)) {
2727+ return (canary);
2728+ }
2729+ }
2730+ /* not good but we never want to do this */
2731+ time(&t);
2732+ canary = *(unsigned int *)&t + getpid() << 16;
2733+ return (canary);
2734+}
2735+#endif
2736+
2737+#if HARDENED_PHP_INC_PROTECT
2738+
2739+PHPAPI int php_is_valid_include(zval *z)
2740+{
2741+ char *filename;
2742+ int len;
2743+ TSRMLS_FETCH();
2744+
2745+ /* must be of type string */
2746+ if (z->type != IS_STRING || z->value.str.val == NULL) {
2747+ return (0);
2748+ }
2749+
2750+ /* short cut */
2751+ filename = z->value.str.val;
2752+ len = z->value.str.len;
2753+
2754+ /* 1. must be shorter than MAXPATHLEN */
2755+ if (len > MAXPATHLEN) {
2756+ php_security_log("Include filename longer than MAXPATHLEN chars");
2757+ return (0);
2758+ }
2759+
2760+ /* 2. must not be cutted */
2761+ if (len != strlen(filename)) {
2762+ php_security_log("Include filename has a \\0 cut");
2763+ return (0);
2764+ }
2765+
2766+ /* 3. must not be a URL */
2767+ if (strstr(filename, "://")) {
2768+ php_security_log("Include filename is an URL");
2769+ return (0);
2770+ }
2771+
2772+ /* 4. must not be an uploaded file */
2773+ if (SG(rfc1867_uploaded_files)) {
2774+ if (zend_hash_exists(SG(rfc1867_uploaded_files), (char *) filename, len+1)) {
2775+ php_security_log("Include filename is an uploaded file");
2776+ return (0);
2777+ }
2778+ }
2779+
2780+ /* passed all tests */
2781+ return (1);
2782+}
2783+
2784+#endif
2785+
2786+/*
2787+ * Local variables:
2788+ * tab-width: 4
2789+ * c-basic-offset: 4
2790+ * End:
2791+ * vim600: sw=4 ts=4 fdm=marker
2792+ * vim<600: sw=4 ts=4
2793+ */
2794diff -Nur php-4.3.10/main/hardened_php.h hardened-php-4.3.10-0.2.6/main/hardened_php.h
2795--- php-4.3.10/main/hardened_php.h 1970-01-01 01:00:00.000000000 +0100
2796+++ hardened-php-4.3.10-0.2.6/main/hardened_php.h 2004-12-22 16:32:48.000000000 +0100
2797@@ -0,0 +1,45 @@
2798+/*
2799+ +----------------------------------------------------------------------+
2800+ | Hardened-PHP |
2801+ +----------------------------------------------------------------------+
2802+ | Copyright (c) 2004 Stefan Esser |
2803+ +----------------------------------------------------------------------+
2804+ | This source file is subject to version 2.02 of the PHP license, |
2805+ | that is bundled with this package in the file LICENSE, and is |
2806+ | available at through the world-wide-web at |
2807+ | http://www.php.net/license/2_02.txt. |
2808+ | If you did not receive a copy of the PHP license and are unable to |
2809+ | obtain it through the world-wide-web, please send a note to |
2810+ | license@php.net so we can mail you a copy immediately. |
2811+ +----------------------------------------------------------------------+
2812+ | Author: Stefan Esser <sesser@php.net> |
2813+ +----------------------------------------------------------------------+
2814+ */
2815+
2816+#ifndef HARDENED_PHP_H
2817+#define HARDENED_PHP_H
2818+
2819+#include "zend.h"
2820+
2821+#if HARDENED_PHP
2822+PHPAPI void php_security_log(char *str);
2823+PHPAPI void hardened_startup();
2824+#define HARDENED_PHP_VERSION "0.2.6"
2825+#endif
2826+
2827+#if HARDENED_PHP_MM_PROTECT || HARDENED_PHP_LL_PROTECT || HARDENED_PHP_HASH_PROTECT
2828+PHPAPI unsigned int php_canary();
2829+#endif
2830+
2831+#if HARDENED_PHP_INC_PROTECT
2832+PHPAPI int php_is_valid_include(zval *z);
2833+#endif
2834+
2835+#endif /* HARDENED_PHP_H */
2836+
2837+/*
2838+ * Local variables:
2839+ * tab-width: 4
2840+ * c-basic-offset: 4
2841+ * End:
2842+ */
2843diff -Nur php-4.3.10/main/hardened_php.m4 hardened-php-4.3.10-0.2.6/main/hardened_php.m4
2844--- php-4.3.10/main/hardened_php.m4 1970-01-01 01:00:00.000000000 +0100
2845+++ hardened-php-4.3.10-0.2.6/main/hardened_php.m4 2004-12-22 16:16:31.000000000 +0100
2846@@ -0,0 +1,95 @@
2847+dnl
2848+dnl $Id: hardened_php.m4,v 1.1 2004/11/14 13:24:24 ionic Exp $
2849+dnl
2850+dnl This file contains Hardened-PHP specific autoconf functions.
2851+dnl
2852+
2853+AC_ARG_ENABLE(hardened-php-mm-protect,
2854+[ --disable-hardened-php-mm-protect Disable the Memory Manager protection.],[
2855+ DO_HARDENED_PHP_MM_PROTECT=$enableval
2856+],[
2857+ DO_HARDENED_PHP_MM_PROTECT=yes
2858+])
2859+
2860+AC_ARG_ENABLE(hardened-php-ll-protect,
2861+[ --disable-hardened-php-ll-protect Disable the Linked List protection.],[
2862+ DO_HARDENED_PHP_LL_PROTECT=$enableval
2863+],[
2864+ DO_HARDENED_PHP_LL_PROTECT=yes
2865+])
2866+
2867+AC_ARG_ENABLE(hardened-php-inc-protect,
2868+[ --disable-hardened-php-inc-protect Disable include/require protection.],[
2869+ DO_HARDENED_PHP_INC_PROTECT=$enableval
2870+],[
2871+ DO_HARDENED_PHP_INC_PROTECT=yes
2872+])
2873+
2874+AC_ARG_ENABLE(hardened-php-fmt-protect,
2875+[ --disable-hardened-php-fmt-protect Disable format string protection.],[
2876+ DO_HARDENED_PHP_FMT_PROTECT=$enableval
2877+],[
2878+ DO_HARDENED_PHP_FMT_PROTECT=yes
2879+])
2880+
2881+AC_ARG_ENABLE(hardened-php-hash-protect,
2882+[ --disable-hardened-php-hash-protect Disable HashTable destructor protection.],[
2883+ DO_HARDENED_PHP_HASH_PROTECT=$enableval
2884+],[
2885+ DO_HARDENED_PHP_HASH_PROTECT=yes
2886+])
2887+
2888+AC_MSG_CHECKING(whether to protect the Zend Memory Manager)
2889+AC_MSG_RESULT($DO_HARDENED_PHP_MM_PROTECT)
2890+
2891+AC_MSG_CHECKING(whether to protect the Zend Linked Lists)
2892+AC_MSG_RESULT($DO_HARDENED_PHP_LL_PROTECT)
2893+
2894+AC_MSG_CHECKING(whether to protect include/require statements)
2895+AC_MSG_RESULT($DO_HARDENED_PHP_INC_PROTECT)
2896+
2897+AC_MSG_CHECKING(whether to protect PHP Format String functions)
2898+AC_MSG_RESULT($DO_HARDENED_PHP_FMT_PROTECT)
2899+
2900+AC_MSG_CHECKING(whether to protect the destructor of Zend HashTables)
2901+AC_MSG_RESULT($DO_HARDENED_PHP_HASH_PROTECT)
2902+
2903+
2904+AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
2905+
2906+
2907+if test "$DO_HARDENED_PHP_MM_PROTECT" = "yes"; then
2908+dnl AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
2909+ AC_DEFINE(HARDENED_PHP_MM_PROTECT, 1, [Memory Manager Protection])
2910+else
2911+ AC_DEFINE(HARDENED_PHP_MM_PROTECT, 0, [Memory Manager Protection])
2912+fi
2913+
2914+if test "$DO_HARDENED_PHP_LL_PROTECT" = "yes"; then
2915+dnl AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
2916+ AC_DEFINE(HARDENED_PHP_LL_PROTECT, 1, [Linked List Protection])
2917+else
2918+ AC_DEFINE(HARDENED_PHP_LL_PROTECT, 0, [Linked List Protection])
2919+fi
2920+
2921+if test "$DO_HARDENED_PHP_INC_PROTECT" = "yes"; then
2922+dnl AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
2923+ AC_DEFINE(HARDENED_PHP_INC_PROTECT, 1, [Include/Require Protection])
2924+else
2925+ AC_DEFINE(HARDENED_PHP_INC_PROTECT, 0, [Include/Require Protection])
2926+fi
2927+
2928+if test "$DO_HARDENED_PHP_FMT_PROTECT" = "yes"; then
2929+dnl AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
2930+ AC_DEFINE(HARDENED_PHP_FMT_PROTECT, 1, [Fmt String Protection])
2931+else
2932+ AC_DEFINE(HARDENED_PHP_FMT_PROTECT, 0, [Fmt String Protection])
2933+fi
2934+
2935+if test "$DO_HARDENED_PHP_HASH_PROTECT" = "yes"; then
2936+dnl AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
2937+ AC_DEFINE(HARDENED_PHP_HASH_PROTECT, 1, [HashTable DTOR Protection])
2938+else
2939+ AC_DEFINE(HARDENED_PHP_HASH_PROTECT, 0, [HashTable DTOR Protection])
2940+fi
2941+
2942diff -Nur php-4.3.10/main/main.c hardened-php-4.3.10-0.2.6/main/main.c
2943--- php-4.3.10/main/main.c 2004-10-01 16:27:13.000000000 +0200
2944+++ hardened-php-4.3.10-0.2.6/main/main.c 2004-12-22 16:16:31.000000000 +0100
2945@@ -100,6 +100,10 @@
2946 PHPAPI int core_globals_id;
2947 #endif
2948
2949+#if HARDENED_PHP
2950+#include "hardened_globals.h"
2951+#endif
2952+
2953 #define ERROR_BUF_LEN 1024
2954
2955 typedef struct {
2956@@ -150,10 +154,33 @@
2957 */
2958 static PHP_INI_MH(OnChangeMemoryLimit)
2959 {
2960+#if HARDENED_PHP
2961+ long orig_memory_limit;
2962+
2963+ if (entry->modified) {
2964+ orig_memory_limit = zend_atoi(entry->orig_value, entry->orig_value_length);
2965+ } else {
2966+ orig_memory_limit = 1<<30;
2967+ }
2968+ if (orig_memory_limit < 0 || orig_memory_limit > (1<<30)) {
2969+ orig_memory_limit = 1<<30;
2970+ }
2971+#endif
2972 if (new_value) {
2973 PG(memory_limit) = zend_atoi(new_value, new_value_length);
2974+#if HARDENED_PHP
2975+ if (PG(memory_limit) > orig_memory_limit) {
2976+ PG(memory_limit) = orig_memory_limit;
2977+ php_security_log("script tried to increase memory_limit above allowed value");
2978+ return FAILURE;
2979+ }
2980+#endif
2981 } else {
2982+#if HARDENED_PHP
2983+ PG(memory_limit) = orig_memory_limit;
2984+#else
2985 PG(memory_limit) = 1<<30; /* effectively, no limit */
2986+#endif
2987 }
2988 return zend_set_memory_limit(PG(memory_limit));
2989 }
2990@@ -1091,6 +1118,10 @@
2991 tsrm_ls = ts_resource(0);
2992 #endif
2993
2994+#if HARDENED_PHP
2995+ hardened_startup();
2996+#endif
2997+
2998 sapi_initialize_empty_request(TSRMLS_C);
2999 sapi_activate(TSRMLS_C);
3000
3001@@ -1103,6 +1134,12 @@
3002 php_output_startup();
3003 php_output_activate(TSRMLS_C);
3004
3005+#if HARDENED_PHP_INC_PROTECT
3006+ zuf.is_valid_include = php_is_valid_include;
3007+#endif
3008+#if HARDENED_PHP
3009+ zuf.security_log_function = php_security_log;
3010+#endif
3011 zuf.error_function = php_error_cb;
3012 zuf.printf_function = php_printf;
3013 zuf.write_function = php_body_write_wrapper;
3014@@ -1204,6 +1241,10 @@
3015 REGISTER_MAIN_STRINGL_CONSTANT("PHP_CONFIG_FILE_PATH", PHP_CONFIG_FILE_PATH, sizeof(PHP_CONFIG_FILE_PATH)-1, CONST_PERSISTENT | CONST_CS);
3016 REGISTER_MAIN_STRINGL_CONSTANT("PHP_CONFIG_FILE_SCAN_DIR", PHP_CONFIG_FILE_SCAN_DIR, sizeof(PHP_CONFIG_FILE_SCAN_DIR)-1, CONST_PERSISTENT | CONST_CS);
3017 REGISTER_MAIN_STRINGL_CONSTANT("PHP_SHLIB_SUFFIX", PHP_SHLIB_SUFFIX, sizeof(PHP_SHLIB_SUFFIX)-1, CONST_PERSISTENT | CONST_CS);
3018+#if HARDENED_PHP
3019+ REGISTER_MAIN_LONG_CONSTANT("HARDENED_PHP", 1, CONST_PERSISTENT | CONST_CS);
3020+ REGISTER_MAIN_STRINGL_CONSTANT("HARDENED_PHP_VERSION", HARDENED_PHP_VERSION, sizeof(HARDENED_PHP_VERSION)-1, CONST_PERSISTENT | CONST_CS);
3021+#endif
3022 REGISTER_MAIN_STRINGL_CONSTANT("PHP_EOL", PHP_EOL, sizeof(PHP_EOL)-1, CONST_PERSISTENT | CONST_CS);
3023 php_output_register_constants(TSRMLS_C);
3024 php_rfc1867_register_constants(TSRMLS_C);
3025diff -Nur php-4.3.10/main/php.h hardened-php-4.3.10-0.2.6/main/php.h
3026--- php-4.3.10/main/php.h 2004-11-28 13:44:56.000000000 +0100
3027+++ hardened-php-4.3.10-0.2.6/main/php.h 2004-12-22 16:16:31.000000000 +0100
3028@@ -35,11 +35,19 @@
3029 #include "zend_qsort.h"
3030 #include "php_compat.h"
3031
3032+
3033 #include "zend_API.h"
3034
3035 #undef sprintf
3036 #define sprintf php_sprintf
3037
3038+#if HARDENED_PHP
3039+#if HAVE_REALPATH
3040+#undef realpath
3041+#define realpath php_realpath
3042+#endif
3043+#endif
3044+
3045 /* PHP's DEBUG value must match Zend's ZEND_DEBUG value */
3046 #undef PHP_DEBUG
3047 #define PHP_DEBUG ZEND_DEBUG
3048@@ -436,6 +444,10 @@
3049 #endif
3050 #endif /* !XtOffsetOf */
3051
3052+#if HARDENED_PHP
3053+#include "hardened_php.h"
3054+#endif
3055+
3056 #endif
3057
3058 /*
3059diff -Nur php-4.3.10/main/php_config.h.in hardened-php-4.3.10-0.2.6/main/php_config.h.in
3060--- php-4.3.10/main/php_config.h.in 2004-12-14 18:55:22.000000000 +0100
3061+++ hardened-php-4.3.10-0.2.6/main/php_config.h.in 2004-12-22 16:16:31.000000000 +0100
3062@@ -834,6 +834,39 @@
3063 /* Enabling BIND8 compatibility for Panther */
3064 #undef BIND_8_COMPAT
3065
3066+/* Hardened-PHP */
3067+#undef HARDENED_PHP
3068+
3069+/* Memory Manager Protection */
3070+#undef HARDENED_PHP_MM_PROTECT
3071+
3072+/* Memory Manager Protection */
3073+#undef HARDENED_PHP_MM_PROTECT
3074+
3075+/* Linked List Protection */
3076+#undef HARDENED_PHP_LL_PROTECT
3077+
3078+/* Linked List Protection */
3079+#undef HARDENED_PHP_LL_PROTECT
3080+
3081+/* Include/Require Protection */
3082+#undef HARDENED_PHP_INC_PROTECT
3083+
3084+/* Include/Require Protection */
3085+#undef HARDENED_PHP_INC_PROTECT
3086+
3087+/* Fmt String Protection */
3088+#undef HARDENED_PHP_FMT_PROTECT
3089+
3090+/* Fmt String Protection */
3091+#undef HARDENED_PHP_FMT_PROTECT
3092+
3093+/* HashTable DTOR Protection */
3094+#undef HARDENED_PHP_HASH_PROTECT
3095+
3096+/* HashTable DTOR Protection */
3097+#undef HARDENED_PHP_HASH_PROTECT
3098+
3099 /* Whether you have AOLserver */
3100 #undef HAVE_AOLSERVER
3101
3102@@ -1117,6 +1150,12 @@
3103 /* Define if you have the getaddrinfo function */
3104 #undef HAVE_GETADDRINFO
3105
3106+/* Whether realpath is broken */
3107+#undef PHP_BROKEN_REALPATH
3108+
3109+/* Whether realpath is broken */
3110+#undef PHP_BROKEN_REALPATH
3111+
3112 /* Whether system headers declare timezone */
3113 #undef HAVE_DECLARED_TIMEZONE
3114
3115diff -Nur php-4.3.10/main/php_content_types.c hardened-php-4.3.10-0.2.6/main/php_content_types.c
3116--- php-4.3.10/main/php_content_types.c 2002-12-31 17:26:14.000000000 +0100
3117+++ hardened-php-4.3.10-0.2.6/main/php_content_types.c 2004-12-22 16:16:31.000000000 +0100
3118@@ -77,6 +77,7 @@
3119 sapi_register_post_entries(php_post_entries);
3120 sapi_register_default_post_reader(php_default_post_reader);
3121 sapi_register_treat_data(php_default_treat_data);
3122+ sapi_register_input_filter(php_default_input_filter);
3123 return SUCCESS;
3124 }
3125 /* }}} */
3126diff -Nur php-4.3.10/main/php_variables.c hardened-php-4.3.10-0.2.6/main/php_variables.c
3127--- php-4.3.10/main/php_variables.c 2004-10-18 17:08:46.000000000 +0200
3128+++ hardened-php-4.3.10-0.2.6/main/php_variables.c 2004-12-22 16:16:31.000000000 +0100
3129@@ -211,17 +211,28 @@
3130 while (var) {
3131 val = strchr(var, '=');
3132 if (val) { /* have a value */
3133- int val_len;
3134+ unsigned int val_len, new_val_len;
3135
3136 *val++ = '\0';
3137 php_url_decode(var, strlen(var));
3138 val_len = php_url_decode(val, strlen(val));
3139- php_register_variable_safe(var, val, val_len, array_ptr TSRMLS_CC);
3140+ val = estrndup(val, val_len);
3141+ if (sapi_module.input_filter(PARSE_POST, var, &val, val_len, &new_val_len TSRMLS_CC)) {
3142+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
3143+ }
3144+ efree(val);
3145 }
3146 var = php_strtok_r(NULL, "&", &strtok_buf);
3147 }
3148 }
3149
3150+SAPI_API SAPI_INPUT_FILTER_FUNC(php_default_input_filter)
3151+{
3152+ /* TODO: check .ini setting here and apply user-defined input filter */
3153+ *new_val_len = val_len;
3154+ return 1;
3155+}
3156+
3157 SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data)
3158 {
3159 char *res = NULL, *var, *val, *separator=NULL;
3160@@ -299,15 +310,26 @@
3161 while (var) {
3162 val = strchr(var, '=');
3163 if (val) { /* have a value */
3164- int val_len;
3165+ unsigned int val_len, new_val_len;
3166
3167 *val++ = '\0';
3168 php_url_decode(var, strlen(var));
3169 val_len = php_url_decode(val, strlen(val));
3170- php_register_variable_safe(var, val, val_len, array_ptr TSRMLS_CC);
3171+ val = estrndup(val, val_len);
3172+ if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len TSRMLS_CC)) {
3173+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
3174+ }
3175+ efree(val);
3176 } else {
3177+ unsigned int val_len, new_val_len;
3178+
3179 php_url_decode(var, strlen(var));
3180- php_register_variable_safe(var, "", 0, array_ptr TSRMLS_CC);
3181+ val_len = 0;
3182+ val = estrndup("", 0);
3183+ if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len TSRMLS_CC)) {
3184+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
3185+ }
3186+ efree(val);
3187 }
3188 var = php_strtok_r(NULL, separator, &strtok_buf);
3189 }
3190diff -Nur php-4.3.10/main/rfc1867.c hardened-php-4.3.10-0.2.6/main/rfc1867.c
3191--- php-4.3.10/main/rfc1867.c 2004-11-20 21:16:44.000000000 +0100
3192+++ hardened-php-4.3.10-0.2.6/main/rfc1867.c 2004-12-22 16:16:31.000000000 +0100
3193@@ -891,21 +891,24 @@
3194 if (!filename && param) {
3195
3196 char *value = multipart_buffer_read_body(mbuff TSRMLS_CC);
3197+ unsigned int new_val_len; /* Dummy variable */
3198
3199 if (!value) {
3200 value = estrdup("");
3201 }
3202
3203+ if (sapi_module.input_filter(PARSE_POST, param, &value, strlen(value), &new_val_len TSRMLS_CC)) {
3204 #if HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING)
3205- if (php_mb_encoding_translation(TSRMLS_C)) {
3206- php_mb_gpc_stack_variable(param, value, &val_list, &len_list,
3207- &num_vars, &num_vars_max TSRMLS_CC);
3208- } else {
3209- safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
3210- }
3211+ if (php_mb_encoding_translation(TSRMLS_C)) {
3212+ php_mb_gpc_stack_variable(param, value, &val_list, &len_list,
3213+ &num_vars, &num_vars_max TSRMLS_CC);
3214+ } else {
3215+ safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
3216+ }
3217 #else
3218- safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
3219+ safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
3220 #endif
3221+ }
3222 if (!strcasecmp(param, "MAX_FILE_SIZE")) {
3223 max_file_size = atol(value);
3224 }
3225diff -Nur php-4.3.10/main/snprintf.c hardened-php-4.3.10-0.2.6/main/snprintf.c
3226--- php-4.3.10/main/snprintf.c 2004-11-16 00:27:26.000000000 +0100
3227+++ hardened-php-4.3.10-0.2.6/main/snprintf.c 2004-12-22 16:16:31.000000000 +0100
3228@@ -850,7 +850,11 @@
3229
3230
3231 case 'n':
3232+#if HARDENED_PHP_FMT_PROTECT
3233+ php_security_log("'n' specifier within format string");
3234+#else
3235 *(va_arg(ap, int *)) = cc;
3236+#endif
3237 break;
3238
3239 /*
3240diff -Nur php-4.3.10/main/spprintf.c hardened-php-4.3.10-0.2.6/main/spprintf.c
3241--- php-4.3.10/main/spprintf.c 2003-09-29 03:09:36.000000000 +0200
3242+++ hardened-php-4.3.10-0.2.6/main/spprintf.c 2004-12-22 16:16:31.000000000 +0100
3243@@ -531,7 +531,11 @@
3244
3245
3246 case 'n':
3247+#if HARDENED_PHP_FMT_PROTECT
3248+ php_security_log("'n' specifier within format string");
3249+#else
3250 *(va_arg(ap, int *)) = cc;
3251+#endif
3252 break;
3253
3254 /*
3255diff -Nur php-4.3.10/php.ini-dist hardened-php-4.3.10-0.2.6/php.ini-dist
3256--- php-4.3.10/php.ini-dist 2004-08-18 07:05:23.000000000 +0200
3257+++ hardened-php-4.3.10-0.2.6/php.ini-dist 2004-12-22 16:16:31.000000000 +0100
3258@@ -1113,6 +1113,23 @@
3259 ;exif.decode_jis_motorola = JIS
3260 ;exif.decode_jis_intel = JIS
3261
3262+[varfilter]
3263+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
3264+; Hardened-PHP's variable filter
3265+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
3266+
3267+; Maximum number of input variables per request
3268+varfilter.max_request_variables = 200
3269+
3270+; Maximum characters in input variable names
3271+varfilter.max_varname_length = 64
3272+
3273+; Maximum length of input variable values
3274+varfilter.max_value_length = 10000
3275+
3276+; Maximum depth of input variable arrays
3277+varfilter.max_array_depth = 100
3278+
3279 ; Local Variables:
3280 ; tab-width: 4
3281 ; End:
3282diff -Nur php-4.3.10/php.ini-recommended hardened-php-4.3.10-0.2.6/php.ini-recommended
3283--- php-4.3.10/php.ini-recommended 2004-08-18 07:05:23.000000000 +0200
3284+++ hardened-php-4.3.10-0.2.6/php.ini-recommended 2004-12-22 16:16:31.000000000 +0100
3285@@ -1111,6 +1111,23 @@
3286 ;exif.decode_jis_motorola = JIS
3287 ;exif.decode_jis_intel = JIS
3288
3289+[varfilter]
3290+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
3291+; Hardened-PHP's variable filter
3292+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
3293+
3294+; Maximum number of input variables per request
3295+varfilter.max_request_variables = 200
3296+
3297+; Maximum characters in input variable names
3298+varfilter.max_varname_length = 64
3299+
3300+; Maximum length of input variable values
3301+varfilter.max_value_length = 10000
3302+
3303+; Maximum depth of input variable arrays
3304+varfilter.max_array_depth = 100
3305+
3306 ; Local Variables:
3307 ; tab-width: 4
3308 ; End:
3309diff -Nur php-4.3.10/sapi/apache/mod_php4.c hardened-php-4.3.10-0.2.6/sapi/apache/mod_php4.c
3310--- php-4.3.10/sapi/apache/mod_php4.c 2004-07-21 18:25:28.000000000 +0200
3311+++ hardened-php-4.3.10-0.2.6/sapi/apache/mod_php4.c 2004-12-22 16:16:31.000000000 +0100
3312@@ -446,7 +446,7 @@
3313 sapi_apache_get_fd,
3314 sapi_apache_force_http_10,
3315 sapi_apache_get_target_uid,
3316- sapi_apache_get_target_gid
3317+ sapi_apache_get_target_gid,
3318 };
3319 /* }}} */
3320
3321@@ -892,7 +892,11 @@
3322 {
3323 TSRMLS_FETCH();
3324 if (PG(expose_php)) {
3325+#if HARDENED_PHP
3326+ ap_add_version_component("Hardened-PHP/" PHP_VERSION);
3327+#else
3328 ap_add_version_component("PHP/" PHP_VERSION);
3329+#endif
3330 }
3331 }
3332 #endif
3333diff -Nur php-4.3.10/sapi/apache2filter/sapi_apache2.c hardened-php-4.3.10-0.2.6/sapi/apache2filter/sapi_apache2.c
3334--- php-4.3.10/sapi/apache2filter/sapi_apache2.c 2004-06-18 02:37:02.000000000 +0200
3335+++ hardened-php-4.3.10-0.2.6/sapi/apache2filter/sapi_apache2.c 2004-12-22 16:16:31.000000000 +0100
3336@@ -560,7 +560,11 @@
3337 {
3338 TSRMLS_FETCH();
3339 if (PG(expose_php)) {
3340+#if HARDENED_PHP
3341+ ap_add_version_component(p, "Hardened-PHP/" PHP_VERSION);
3342+#else
3343 ap_add_version_component(p, "PHP/" PHP_VERSION);
3344+#endif
3345 }
3346 }
3347
3348diff -Nur php-4.3.10/sapi/apache2handler/sapi_apache2.c hardened-php-4.3.10-0.2.6/sapi/apache2handler/sapi_apache2.c
3349--- php-4.3.10/sapi/apache2handler/sapi_apache2.c 2004-12-06 19:55:16.000000000 +0100
3350+++ hardened-php-4.3.10-0.2.6/sapi/apache2handler/sapi_apache2.c 2004-12-22 16:16:31.000000000 +0100
3351@@ -337,7 +337,11 @@
3352 {
3353 TSRMLS_FETCH();
3354 if (PG(expose_php)) {
3355+#if HARDENED_PHP
3356+ ap_add_version_component(p, "Hardened-PHP/" PHP_VERSION);
3357+#else
3358 ap_add_version_component(p, "PHP/" PHP_VERSION);
3359+#endif
3360 }
3361 }
3362
3363diff -Nur php-4.3.10/sapi/cgi/cgi_main.c hardened-php-4.3.10-0.2.6/sapi/cgi/cgi_main.c
3364--- php-4.3.10/sapi/cgi/cgi_main.c 2004-07-15 00:38:18.000000000 +0200
3365+++ hardened-php-4.3.10-0.2.6/sapi/cgi/cgi_main.c 2004-12-22 17:09:47.000000000 +0100
3366@@ -1426,11 +1426,19 @@
3367 SG(headers_sent) = 1;
3368 SG(request_info).no_headers = 1;
3369 }
3370+#if HARDENED_PHP
3371+#if ZEND_DEBUG
3372+ php_printf("Hardened-PHP %s/%s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENED_PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
3373+#else
3374+ php_printf("Hardened-PHP %s/%s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENED_PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
3375+#endif
3376+#else
3377 #if ZEND_DEBUG
3378 php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
3379 #else
3380 php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
3381 #endif
3382+#endif
3383 php_end_ob_buffers(1 TSRMLS_CC);
3384 exit(1);
3385 break;
3386diff -Nur php-4.3.10/sapi/cli/php_cli.c hardened-php-4.3.10-0.2.6/sapi/cli/php_cli.c
3387--- php-4.3.10/sapi/cli/php_cli.c 2004-07-15 00:38:18.000000000 +0200
3388+++ hardened-php-4.3.10-0.2.6/sapi/cli/php_cli.c 2004-12-22 17:09:18.000000000 +0100
3389@@ -646,11 +646,19 @@
3390 if (php_request_startup(TSRMLS_C)==FAILURE) {
3391 goto err;
3392 }
3393+#if HARDENED_PHP
3394+#if ZEND_DEBUG
3395+ php_printf("Hardened-PHP %s/%s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENED_PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
3396+#else
3397+ php_printf("Hardened-PHP %s/%s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENED_PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
3398+#endif
3399+#else
3400 #if ZEND_DEBUG
3401 php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
3402 #else
3403 php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
3404 #endif
3405+#endif
3406 php_end_ob_buffers(1 TSRMLS_CC);
3407 exit_status=1;
3408 goto out;