authorjvoisin2019-10-13 12:35:52 +0200
committerjvoisin2019-10-13 12:35:52 +0200
commit7ce0f98b0be3ad15a664e506dff461cf6d633a69 (patch)
tree1aae4c7d8fa8ac62609824629db9ba46add728cc /0.2.7/hardened-php-4.3.10-0.2.7.patch
parentd24fe97bf9a1614acf4e7431d17b762a73642e15 (diff)
Add more patches
Diffstat (limited to '0.2.7/hardened-php-4.3.10-0.2.7.patch')
-rw-r--r--0.2.7/hardened-php-4.3.10-0.2.7.patch5918
1 files changed, 5918 insertions, 0 deletions
diff --git a/0.2.7/hardened-php-4.3.10-0.2.7.patch b/0.2.7/hardened-php-4.3.10-0.2.7.patch
new file mode 100644
index 0000000..cb5c546
--- /dev/null
+++ b/0.2.7/hardened-php-4.3.10-0.2.7.patch
@@ -0,0 +1,5918 @@
1diff -Nur php-4.3.10/README.input_filter hardened-php-4.3.10-0.2.7/README.input_filter
2--- php-4.3.10/README.input_filter 1970-01-01 01:00:00.000000000 +0100
3+++ hardened-php-4.3.10-0.2.7/README.input_filter 2005-04-07 01:51:16.000000000 +0200
4@@ -0,0 +1,193 @@
5+Input Filter Support ported from PHP 5
6+--------------------------------------
7+
8+XSS (Cross Site Scripting) hacks are becoming more and more prevalent,
9+and can be quite difficult to prevent. Whenever you accept user data
10+and somehow display this data back to users, you are likely vulnerable
11+to XSS hacks.
12+
13+The Input Filter support in PHP 5 is aimed at providing the framework
14+through which a company-wide or site-wide security policy can be
15+enforced. It is implemented as a SAPI hook and is called from the
16+treat_data and post handler functions. To implement your own security
17+policy you will need to write a standard PHP extension.
18+
19+A simple implementation might look like the following. This stores the
20+original raw user data and adds a my_get_raw() function while the normal
21+$_POST, $_GET and $_COOKIE arrays are only populated with stripped
22+data. In this simple example all I am doing is calling strip_tags() on
23+the data. If register_globals is turned on, the default globals that
24+are created will be stripped ($foo) while a $RAW_foo is created with the
25+original user input.
26+
27+ZEND_BEGIN_MODULE_GLOBALS(my_input_filter)
28+ zval *post_array;
29+ zval *get_array;
30+ zval *cookie_array;
31+ZEND_END_MODULE_GLOBALS(my_input_filter)
32+
33+#ifdef ZTS
34+#define IF_G(v) TSRMG(my_input_filter_globals_id, zend_my_input_filter_globals *, v)
35+#else
36+#define IF_G(v) (my_input_filter_globals.v)
37+#endif
38+
39+ZEND_DECLARE_MODULE_GLOBALS(my_input_filter)
40+
41+function_entry my_input_filter_functions[] = {
42+ PHP_FE(my_get_raw, NULL)
43+ {NULL, NULL, NULL}
44+};
45+
46+zend_module_entry my_input_filter_module_entry = {
47+ STANDARD_MODULE_HEADER,
48+ "my_input_filter",
49+ my_input_filter_functions,
50+ PHP_MINIT(my_input_filter),
51+ PHP_MSHUTDOWN(my_input_filter),
52+ NULL,
53+ PHP_RSHUTDOWN(my_input_filter),
54+ PHP_MINFO(my_input_filter),
55+ "0.1",
56+ STANDARD_MODULE_PROPERTIES
57+};
58+
59+PHP_MINIT_FUNCTION(my_input_filter)
60+{
61+ ZEND_INIT_MODULE_GLOBALS(my_input_filter, php_my_input_filter_init_globals, NULL);
62+
63+ REGISTER_LONG_CONSTANT("POST", PARSE_POST, CONST_CS | CONST_PERSISTENT);
64+ REGISTER_LONG_CONSTANT("GET", PARSE_GET, CONST_CS | CONST_PERSISTENT);
65+ REGISTER_LONG_CONSTANT("COOKIE", PARSE_COOKIE, CONST_CS | CONST_PERSISTENT);
66+
67+ sapi_register_input_filter(my_sapi_input_filter);
68+ return SUCCESS;
69+}
70+
71+PHP_RSHUTDOWN_FUNCTION(my_input_filter)
72+{
73+ if(IF_G(get_array)) {
74+ zval_ptr_dtor(&IF_G(get_array));
75+ IF_G(get_array) = NULL;
76+ }
77+ if(IF_G(post_array)) {
78+ zval_ptr_dtor(&IF_G(post_array));
79+ IF_G(post_array) = NULL;
80+ }
81+ if(IF_G(cookie_array)) {
82+ zval_ptr_dtor(&IF_G(cookie_array));
83+ IF_G(cookie_array) = NULL;
84+ }
85+ return SUCCESS;
86+}
87+
88+PHP_MINFO_FUNCTION(my_input_filter)
89+{
90+ php_info_print_table_start();
91+ php_info_print_table_row( 2, "My Input Filter Support", "enabled" );
92+ php_info_print_table_row( 2, "Revision", "$Revision: 1.1 $");
93+ php_info_print_table_end();
94+}
95+
96+/* The filter handler. If you return 1 from it, then PHP also registers the
97+ * (modified) variable. Returning 0 prevents PHP from registering the variable;
98+ * you can use this if your filter already registers the variable under a
99+ * different name, or if you just don't want the variable registered at all. */
100+SAPI_INPUT_FILTER_FUNC(my_sapi_input_filter)
101+{
102+ zval new_var;
103+ zval *array_ptr = NULL;
104+ char *raw_var;
105+ int var_len;
106+
107+ assert(*val != NULL);
108+
109+ switch(arg) {
110+ case PARSE_GET:
111+ if(!IF_G(get_array)) {
112+ ALLOC_ZVAL(array_ptr);
113+ array_init(array_ptr);
114+ INIT_PZVAL(array_ptr);
115+ }
116+ IF_G(get_array) = array_ptr;
117+ break;
118+ case PARSE_POST:
119+ if(!IF_G(post_array)) {
120+ ALLOC_ZVAL(array_ptr);
121+ array_init(array_ptr);
122+ INIT_PZVAL(array_ptr);
123+ }
124+ IF_G(post_array) = array_ptr;
125+ break;
126+ case PARSE_COOKIE:
127+ if(!IF_G(cookie_array)) {
128+ ALLOC_ZVAL(array_ptr);
129+ array_init(array_ptr);
130+ INIT_PZVAL(array_ptr);
131+ }
132+ IF_G(cookie_array) = array_ptr;
133+ break;
134+ }
135+ Z_STRLEN(new_var) = val_len;
136+ Z_STRVAL(new_var) = estrndup(*val, val_len);
137+ Z_TYPE(new_var) = IS_STRING;
138+
139+ var_len = strlen(var);
140+ raw_var = emalloc(var_len+5); /* RAW_ and a \0 */
141+ strcpy(raw_var, "RAW_");
142+ strlcat(raw_var,var,var_len+5);
143+
144+ php_register_variable_ex(raw_var, &new_var, array_ptr TSRMLS_DC);
145+
146+ php_strip_tags(*val, val_len, NULL, NULL, 0);
147+
148+ *new_val_len = strlen(*val);
149+ return 1;
150+}
151+
152+PHP_FUNCTION(my_get_raw)
153+{
154+ long arg;
155+ char *var;
156+ int var_len;
157+ zval **tmp;
158+ zval *array_ptr = NULL;
159+ HashTable *hash_ptr;
160+ char *raw_var;
161+
162+ if(zend_parse_parameters(2 TSRMLS_CC, "ls", &arg, &var, &var_len) == FAILURE) {
163+ return;
164+ }
165+
166+ switch(arg) {
167+ case PARSE_GET:
168+ array_ptr = IF_G(get_array);
169+ break;
170+ case PARSE_POST:
171+ array_ptr = IF_G(post_array);
172+ break;
173+ case PARSE_COOKIE:
174+ array_ptr = IF_G(post_array);
175+ break;
176+ }
177+
178+ if(!array_ptr) RETURN_FALSE;
179+
180+ /*
181+ * I'm changing the variable name here because when running with register_globals on,
182+ * the variable will end up in the global symbol table
183+ */
184+ raw_var = emalloc(var_len+5); /* RAW_ and a \0 */
185+ strcpy(raw_var, "RAW_");
186+ strlcat(raw_var,var,var_len+5);
187+ hash_ptr = HASH_OF(array_ptr);
188+
189+ if(zend_hash_find(hash_ptr, raw_var, var_len+5, (void **)&tmp) == SUCCESS) {
190+ *return_value = **tmp;
191+ zval_copy_ctor(return_value);
192+ } else {
193+ RETVAL_FALSE;
194+ }
195+ efree(raw_var);
196+}
197+
198diff -Nur php-4.3.10/TSRM/TSRM.h hardened-php-4.3.10-0.2.7/TSRM/TSRM.h
199--- php-4.3.10/TSRM/TSRM.h 2002-10-05 13:26:17.000000000 +0200
200+++ hardened-php-4.3.10-0.2.7/TSRM/TSRM.h 2005-04-07 01:51:16.000000000 +0200
201@@ -33,6 +33,13 @@
202 # define TSRM_API
203 #endif
204
205+#if HARDENED_PHP
206+# if HAVE_REALPATH
207+# undef realpath
208+# define realpath php_realpath
209+# endif
210+#endif
211+
212 /* Only compile multi-threading functions if we're in ZTS mode */
213 #ifdef ZTS
214
215@@ -90,6 +97,7 @@
216
217 #define THREAD_HASH_OF(thr,ts) (unsigned long)thr%(unsigned long)ts
218
219+
220 #ifdef __cplusplus
221 extern "C" {
222 #endif
223diff -Nur php-4.3.10/TSRM/tsrm_virtual_cwd.c hardened-php-4.3.10-0.2.7/TSRM/tsrm_virtual_cwd.c
224--- php-4.3.10/TSRM/tsrm_virtual_cwd.c 2004-12-02 02:04:46.000000000 +0100
225+++ hardened-php-4.3.10-0.2.7/TSRM/tsrm_virtual_cwd.c 2005-04-07 01:51:16.000000000 +0200
226@@ -17,7 +17,7 @@
227 +----------------------------------------------------------------------+
228 */
229
230-/* $Id: tsrm_virtual_cwd.c,v 1.41.2.8 2004/12/02 01:04:46 sesser Exp $ */
231+/* $Id: tsrm_virtual_cwd.c,v 1.41.2.4 2003/07/28 18:35:34 iliaa Exp $ */
232
233 #include <sys/types.h>
234 #include <sys/stat.h>
235@@ -192,6 +192,165 @@
236 return p;
237 }
238
239+#if HARDENED_PHP
240+CWD_API char *php_realpath(const char *path, char *resolved)
241+{
242+ struct stat sb;
243+ char *p, *q, *s;
244+ size_t left_len, resolved_len;
245+ unsigned symlinks;
246+ int serrno, slen;
247+ int is_dir = 1;
248+ char left[PATH_MAX], next_token[PATH_MAX], symlink[PATH_MAX];
249+
250+ serrno = errno;
251+ symlinks = 0;
252+ if (path[0] == '/') {
253+ resolved[0] = '/';
254+ resolved[1] = '\0';
255+ if (path[1] == '\0')
256+ return (resolved);
257+ resolved_len = 1;
258+ left_len = strlcpy(left, path + 1, sizeof(left));
259+ } else {
260+ if (getcwd(resolved, PATH_MAX) == NULL) {
261+ strlcpy(resolved, ".", PATH_MAX);
262+ return (NULL);
263+ }
264+ resolved_len = strlen(resolved);
265+ left_len = strlcpy(left, path, sizeof(left));
266+ }
267+ if (left_len >= sizeof(left) || resolved_len >= PATH_MAX) {
268+ errno = ENAMETOOLONG;
269+ return (NULL);
270+ }
271+
272+ /*
273+ * Iterate over path components in `left'.
274+ */
275+ while (left_len != 0) {
276+ /*
277+ * Extract the next path component and adjust `left'
278+ * and its length.
279+ */
280+ p = strchr(left, '/');
281+ s = p ? p : left + left_len;
282+ if (s - left >= sizeof(next_token)) {
283+ errno = ENAMETOOLONG;
284+ return (NULL);
285+ }
286+ memcpy(next_token, left, s - left);
287+ next_token[s - left] = '\0';
288+ left_len -= s - left;
289+ if (p != NULL)
290+ memmove(left, s + 1, left_len + 1);
291+ if (resolved[resolved_len - 1] != '/') {
292+ if (resolved_len + 1 >= PATH_MAX) {
293+ errno = ENAMETOOLONG;
294+ return (NULL);
295+ }
296+ resolved[resolved_len++] = '/';
297+ resolved[resolved_len] = '\0';
298+ }
299+ if (next_token[0] == '\0')
300+ continue;
301+ else if (strcmp(next_token, ".") == 0)
302+ continue;
303+ else if (strcmp(next_token, "..") == 0) {
304+ /*
305+ * Strip the last path component except when we have
306+ * single "/"
307+ */
308+ if (!is_dir) {
309+ errno = ENOENT;
310+ return (NULL);
311+ }
312+ if (resolved_len > 1) {
313+ resolved[resolved_len - 1] = '\0';
314+ q = strrchr(resolved, '/');
315+ *q = '\0';
316+ resolved_len = q - resolved;
317+ }
318+ continue;
319+ }
320+
321+ /*
322+ * Append the next path component and lstat() it. If
323+ * lstat() fails we still can return successfully if
324+ * there are no more path components left.
325+ */
326+ resolved_len = strlcat(resolved, next_token, PATH_MAX);
327+ if (resolved_len >= PATH_MAX) {
328+ errno = ENAMETOOLONG;
329+ return (NULL);
330+ }
331+ if (lstat(resolved, &sb) != 0) {
332+ if (errno == ENOENT && p == NULL) {
333+ errno = serrno;
334+ return (resolved);
335+ }
336+ return (NULL);
337+ }
338+ if (S_ISLNK(sb.st_mode)) {
339+ if (symlinks++ > MAXSYMLINKS) {
340+ errno = ELOOP;
341+ return (NULL);
342+ }
343+ slen = readlink(resolved, symlink, sizeof(symlink) - 1);
344+ if (slen < 0)
345+ return (NULL);
346+ symlink[slen] = '\0';
347+ if (symlink[0] == '/') {
348+ resolved[1] = 0;
349+ resolved_len = 1;
350+ } else if (resolved_len > 1) {
351+ /* Strip the last path component. */
352+ resolved[resolved_len - 1] = '\0';
353+ q = strrchr(resolved, '/');
354+ *q = '\0';
355+ resolved_len = q - resolved;
356+ }
357+
358+ /*
359+ * If there are any path components left, then
360+ * append them to symlink. The result is placed
361+ * in `left'.
362+ */
363+ if (p != NULL) {
364+ if (symlink[slen - 1] != '/') {
365+ if (slen + 1 >= sizeof(symlink)) {
366+ errno = ENAMETOOLONG;
367+ return (NULL);
368+ }
369+ symlink[slen] = '/';
370+ symlink[slen + 1] = 0;
371+ }
372+ left_len = strlcat(symlink, left, sizeof(left));
373+ if (left_len >= sizeof(left)) {
374+ errno = ENAMETOOLONG;
375+ return (NULL);
376+ }
377+ }
378+ left_len = strlcpy(left, symlink, sizeof(left));
379+ } else {
380+ if (S_ISDIR(sb.st_mode)) {
381+ is_dir = 1;
382+ } else {
383+ is_dir = 0;
384+ }
385+ }
386+ }
387+
388+ /*
389+ * Remove trailing slash except when the resolved pathname
390+ * is a single "/".
391+ */
392+ if (resolved_len > 1 && resolved[resolved_len - 1] == '/')
393+ resolved[resolved_len - 1] = '\0';
394+ return (resolved);
395+}
396+#endif
397+
398 CWD_API void virtual_cwd_startup(void)
399 {
400 char cwd[MAXPATHLEN];
401@@ -314,8 +473,7 @@
402 path = resolved_path;
403 path_length = strlen(path);
404 } else {
405- /* disable for now
406- return 1; */
407+ return 1;
408 }
409 }
410 } else { /* Concat current directory with relative path and then run realpath() on it */
411@@ -341,9 +499,8 @@
412 path = resolved_path;
413 path_length = strlen(path);
414 } else {
415- /* disable for now
416 free(tmp);
417- return 1; */
418+ return 1;
419 }
420 }
421 free(tmp);
422@@ -852,7 +1009,7 @@
423 dir_length = CWDG(cwd).cwd_length;
424 dir = CWDG(cwd).cwd;
425
426- ptr = command_line = (char *) malloc(command_length + sizeof("cd '' ; ") + dir_length +1+1);
427+ ptr = command_line = (char *) malloc(command_length + sizeof("cd '' ; ") + dir_length +extra+1+1);
428 if (!command_line) {
429 return NULL;
430 }
431diff -Nur php-4.3.10/TSRM/tsrm_virtual_cwd.h hardened-php-4.3.10-0.2.7/TSRM/tsrm_virtual_cwd.h
432--- php-4.3.10/TSRM/tsrm_virtual_cwd.h 2003-09-20 04:08:12.000000000 +0200
433+++ hardened-php-4.3.10-0.2.7/TSRM/tsrm_virtual_cwd.h 2005-04-07 01:51:16.000000000 +0200
434@@ -128,6 +128,22 @@
435
436 typedef int (*verify_path_func)(const cwd_state *);
437
438+#ifndef HAVE_STRLCPY
439+CWD_API size_t php_strlcpy(char *dst, const char *src, size_t siz);
440+#undef strlcpy
441+#define strlcpy php_strlcpy
442+#endif
443+
444+#ifndef HAVE_STRLCAT
445+CWD_API size_t php_strlcat(char *dst, const char *src, size_t siz);
446+#undef strlcat
447+#define strlcat php_strlcat
448+#endif
449+
450+
451+#if HARDENED_PHP
452+CWD_API char *php_realpath(const char *path, char *resolved);
453+#endif
454 CWD_API void virtual_cwd_startup(void);
455 CWD_API void virtual_cwd_shutdown(void);
456 CWD_API char *virtual_getcwd_ex(size_t *length TSRMLS_DC);
457diff -Nur php-4.3.10/Zend/zend.c hardened-php-4.3.10-0.2.7/Zend/zend.c
458--- php-4.3.10/Zend/zend.c 2004-12-06 16:35:03.000000000 +0100
459+++ hardened-php-4.3.10-0.2.7/Zend/zend.c 2005-04-07 01:51:16.000000000 +0200
460@@ -53,6 +53,12 @@
461 ZEND_API void (*zend_unblock_interruptions)(void);
462 ZEND_API void (*zend_ticks_function)(int ticks);
463 ZEND_API void (*zend_error_cb)(int type, const char *error_filename, const uint error_lineno, const char *format, va_list args);
464+#if HARDENED_PHP
465+ZEND_API void (*zend_security_log)(char *str);
466+#endif
467+#if HARDENED_PHP_INC_PROTECT
468+ZEND_API int (*zend_is_valid_include)(zval *z);
469+#endif
470
471 void (*zend_on_timeout)(int seconds TSRMLS_DC);
472
473@@ -424,6 +430,14 @@
474 extern zend_scanner_globals language_scanner_globals;
475 #endif
476
477+ /* Set up Hardened-PHP utility functions first */
478+#if HARDENED_PHP
479+ zend_security_log = utility_functions->security_log_function;
480+#endif
481+#if HARDENED_PHP_INC_PROTECT
482+ zend_is_valid_include = utility_functions->is_valid_include;
483+#endif
484+
485 #ifdef ZTS
486 ts_allocate_id(&alloc_globals_id, sizeof(zend_alloc_globals), (ts_allocate_ctor) alloc_globals_ctor, (ts_allocate_dtor) alloc_globals_dtor);
487 #else
488diff -Nur php-4.3.10/Zend/zend.h hardened-php-4.3.10-0.2.7/Zend/zend.h
489--- php-4.3.10/Zend/zend.h 2004-07-28 21:06:48.000000000 +0200
490+++ hardened-php-4.3.10-0.2.7/Zend/zend.h 2005-04-07 01:51:16.000000000 +0200
491@@ -261,9 +261,9 @@
492 struct _zval_struct {
493 /* Variable information */
494 zvalue_value value; /* value */
495+ zend_uint refcount;
496 zend_uchar type; /* active type */
497 zend_uchar is_ref;
498- zend_ushort refcount;
499 };
500
501
502@@ -324,6 +324,12 @@
503 void (*ticks_function)(int ticks);
504 void (*on_timeout)(int seconds TSRMLS_DC);
505 zend_bool (*open_function)(const char *filename, struct _zend_file_handle *);
506+#if HARDENED_PHP
507+ void (*security_log_function)(char *str);
508+#endif
509+#if HARDENED_PHP_INC_PROTECT
510+ int (*is_valid_include)(zval *z);
511+#endif
512 } zend_utility_functions;
513
514
515@@ -455,7 +461,16 @@
516 extern ZEND_API void (*zend_ticks_function)(int ticks);
517 extern ZEND_API void (*zend_error_cb)(int type, const char *error_filename, const uint error_lineno, const char *format, va_list args) ZEND_ATTRIBUTE_PTR_FORMAT(printf, 4, 0);
518 extern void (*zend_on_timeout)(int seconds TSRMLS_DC);
519+#if HARDENED_PHP
520+extern ZEND_API void (*zend_security_log)(char *str);
521+#endif
522+#if HARDENED_PHP_INC_PROTECT
523+extern ZEND_API int (*zend_is_valid_include)(zval *z);
524+#endif
525
526+#if HARDENED_PHP_MM_PROTECT || HARDENED_PHP_LL_PROTECT || HARDENED_PHP_HASH_PROTECT
527+ZEND_API unsigned int zend_canary(void);
528+#endif
529
530 ZEND_API void zend_error(int type, const char *format, ...) ZEND_ATTRIBUTE_PTR_FORMAT(printf, 2, 3);
531
532@@ -574,6 +589,10 @@
533 #define EMPTY_SWITCH_DEFAULT_CASE()
534 #endif
535
536+#if HARDENED_PHP
537+#include "hardened_globals.h"
538+#endif
539+
540 #endif /* ZEND_H */
541
542 /*
543diff -Nur php-4.3.10/Zend/zend_alloc.c hardened-php-4.3.10-0.2.7/Zend/zend_alloc.c
544--- php-4.3.10/Zend/zend_alloc.c 2004-08-27 18:51:25.000000000 +0200
545+++ hardened-php-4.3.10-0.2.7/Zend/zend_alloc.c 2005-04-07 01:51:16.000000000 +0200
546@@ -56,6 +56,11 @@
547 # define END_MAGIC_SIZE 0
548 #endif
549
550+#if HARDENED_PHP_MM_PROTECT
551+# define CANARY_SIZE sizeof(unsigned int)
552+#else
553+# define CANARY_SIZE 0
554+#endif
555
556 # if MEMORY_LIMIT
557 # if ZEND_DEBUG
558@@ -95,9 +100,17 @@
559 if (p==AG(head)) { \
560 AG(head) = p->pNext; \
561 } else { \
562+ if (p != p->pLast->pNext) { \
563+ zend_security_log("linked list corrupt on efree() - heap corruption detected"); \
564+ exit(1); \
565+ } \
566 p->pLast->pNext = p->pNext; \
567 } \
568 if (p->pNext) { \
569+ if (p != p->pNext->pLast) { \
570+ zend_security_log("linked list corrupt on efree() - heap corruption detected"); \
571+ exit(1); \
572+ } \
573 p->pNext->pLast = p->pLast; \
574 }
575
576@@ -129,6 +142,12 @@
577 DECLARE_CACHE_VARS();
578 TSRMLS_FETCH();
579
580+#if HARDENED_PHP_MM_PROTECT
581+ if (size > LONG_MAX - sizeof(zend_mem_header) - MEM_HEADER_PADDING - END_MAGIC_SIZE - CANARY_SIZE) {
582+ zend_security_log("emalloc() - requested size would result in integer overflow");
583+ exit(1);
584+ }
585+#endif
586 CALCULATE_REAL_SIZE_AND_CACHE_INDEX(size);
587
588 if (!ZEND_DISABLE_MEMORY_CACHE && (CACHE_INDEX < MAX_CACHED_MEMORY) && (AG(cache_count)[CACHE_INDEX] > 0)) {
589@@ -146,6 +165,10 @@
590 AG(cache_stats)[CACHE_INDEX][1]++;
591 memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
592 #endif
593+#if HARDENED_PHP_MM_PROTECT
594+ p->canary = HG(canary_1);
595+ memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
596+#endif
597 p->cached = 0;
598 p->size = size;
599 return (void *)((char *)p + sizeof(zend_mem_header) + MEM_HEADER_PADDING);
600@@ -161,7 +184,7 @@
601 AG(allocated_memory_peak) = AG(allocated_memory);
602 }
603 #endif
604- p = (zend_mem_header *) ZEND_DO_MALLOC(sizeof(zend_mem_header) + MEM_HEADER_PADDING + SIZE + END_MAGIC_SIZE);
605+ p = (zend_mem_header *) ZEND_DO_MALLOC(sizeof(zend_mem_header) + MEM_HEADER_PADDING + SIZE + END_MAGIC_SIZE + CANARY_SIZE);
606 }
607
608 HANDLE_BLOCK_INTERRUPTIONS();
609@@ -191,7 +214,10 @@
610 # endif
611 memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
612 #endif
613-
614+#if HARDENED_PHP_MM_PROTECT
615+ p->canary = HG(canary_1);
616+ memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
617+#endif
618 HANDLE_UNBLOCK_INTERRUPTIONS();
619 return (void *)((char *)p + sizeof(zend_mem_header) + MEM_HEADER_PADDING);
620 }
621@@ -218,17 +244,33 @@
622 return emalloc_rel(lval + offset);
623 }
624 }
625-
626+
627+#if HARDENED_PHP
628+ zend_security_log("Possible integer overflow catched by safe_emalloc()");
629+#endif
630 zend_error(E_ERROR, "Possible integer overflow in memory allocation (%ld * %ld + %ld)", nmemb, size, offset);
631 return 0;
632 }
633
634 ZEND_API void _efree(void *ptr ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
635 {
636+#if HARDENED_PHP_MM_PROTECT
637+ unsigned int *canary_2;
638+#endif
639 zend_mem_header *p = (zend_mem_header *) ((char *)ptr - sizeof(zend_mem_header) - MEM_HEADER_PADDING);
640 DECLARE_CACHE_VARS();
641 TSRMLS_FETCH();
642
643+#if HARDENED_PHP_MM_PROTECT
644+ canary_2 = (unsigned int *)(((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE);
645+ if (p->canary != HG(canary_1) || *canary_2 != HG(canary_2)) {
646+ zend_security_log("canary mismatch on efree() - heap overflow or double efree detected");
647+ exit(1);
648+ }
649+ /* to catch double efree()s */
650+ *canary_2 = p->canary = 0;
651+#endif
652+
653 #if defined(ZTS) && TSRM_DEBUG
654 if (p->thread_id != tsrm_thread_id()) {
655 tsrm_error(TSRM_ERROR_LEVEL_ERROR, "Memory block allocated at %s:(%d) on thread %x freed at %s:(%d) on thread %x, ignoring",
656@@ -273,6 +315,9 @@
657 size_t _size = nmemb * size;
658
659 if (nmemb && (_size/nmemb!=size)) {
660+#if HARDENED_PHP
661+ zend_security_log("Possible integer overflow catched by ecalloc()");
662+#endif
663 fprintf(stderr,"FATAL: ecalloc(): Unable to allocate %ld * %ld bytes\n", (long) nmemb, (long) size);
664 #if ZEND_DEBUG && HAVE_KILL && HAVE_GETPID
665 kill(getpid(), SIGSEGV);
666@@ -292,6 +337,9 @@
667
668 ZEND_API void *_erealloc(void *ptr, size_t size, int allow_failure ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
669 {
670+#if HARDENED_PHP_MM_PROTECT
671+ unsigned int canary_2;
672+#endif
673 zend_mem_header *p;
674 zend_mem_header *orig;
675 DECLARE_CACHE_VARS();
676@@ -303,6 +351,14 @@
677
678 p = orig = (zend_mem_header *) ((char *)ptr-sizeof(zend_mem_header)-MEM_HEADER_PADDING);
679
680+#if HARDENED_PHP_MM_PROTECT
681+ canary_2 = *(unsigned int *)(((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE);
682+ if (p->canary != HG(canary_1) || canary_2 != HG(canary_2)) {
683+ zend_security_log("canary mismatch on erealloc() - heap overflow detected");
684+ exit(1);
685+ }
686+#endif
687+
688 #if defined(ZTS) && TSRM_DEBUG
689 if (p->thread_id != tsrm_thread_id()) {
690 void *new_p;
691@@ -326,7 +382,7 @@
692 }
693 #endif
694 REMOVE_POINTER_FROM_LIST(p);
695- p = (zend_mem_header *) ZEND_DO_REALLOC(p, sizeof(zend_mem_header)+MEM_HEADER_PADDING+SIZE+END_MAGIC_SIZE);
696+ p = (zend_mem_header *) ZEND_DO_REALLOC(p, sizeof(zend_mem_header)+MEM_HEADER_PADDING+SIZE+END_MAGIC_SIZE+CANARY_SIZE);
697 if (!p) {
698 if (!allow_failure) {
699 fprintf(stderr,"FATAL: erealloc(): Unable to allocate %ld bytes\n", (long) size);
700@@ -348,6 +404,9 @@
701 memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
702 #endif
703
704+#if HARDENED_PHP_MM_PROTECT
705+ memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
706+#endif
707 p->size = size;
708
709 HANDLE_UNBLOCK_INTERRUPTIONS();
710@@ -423,6 +482,10 @@
711 {
712 AG(head) = NULL;
713
714+#if HARDENED_PHP_MM_PROTECT
715+ HG(canary_1) = zend_canary();
716+ HG(canary_2) = zend_canary();
717+#endif
718 #if MEMORY_LIMIT
719 AG(memory_limit) = 1<<30; /* ridiculous limit, effectively no limit */
720 AG(allocated_memory) = 0;
721diff -Nur php-4.3.10/Zend/zend_alloc.h hardened-php-4.3.10-0.2.7/Zend/zend_alloc.h
722--- php-4.3.10/Zend/zend_alloc.h 2004-08-11 08:10:46.000000000 +0200
723+++ hardened-php-4.3.10-0.2.7/Zend/zend_alloc.h 2005-04-07 01:51:16.000000000 +0200
724@@ -32,6 +32,9 @@
725 #define MEM_BLOCK_CACHED_MAGIC 0xFB8277DCL
726
727 typedef struct _zend_mem_header {
728+#if HARDENED_PHP_MM_PROTECT
729+ unsigned int canary;
730+#endif
731 #if ZEND_DEBUG
732 long magic;
733 char *filename;
734diff -Nur php-4.3.10/Zend/zend_builtin_functions.c hardened-php-4.3.10-0.2.7/Zend/zend_builtin_functions.c
735--- php-4.3.10/Zend/zend_builtin_functions.c 2004-04-01 21:05:01.000000000 +0200
736+++ hardened-php-4.3.10-0.2.7/Zend/zend_builtin_functions.c 2005-04-07 01:51:16.000000000 +0200
737@@ -49,6 +49,9 @@
738 static ZEND_FUNCTION(crash);
739 #endif
740 #endif
741+#if HARDENED_PHP_MM_PROTECT_DEBUG
742+static ZEND_FUNCTION(heap_overflow);
743+#endif
744 static ZEND_FUNCTION(get_included_files);
745 static ZEND_FUNCTION(is_subclass_of);
746 static ZEND_FUNCTION(is_a);
747@@ -101,6 +104,9 @@
748 ZEND_FE(crash, NULL)
749 #endif
750 #endif
751+#if HARDENED_PHP_MM_PROTECT_DEBUG
752+ ZEND_FE(heap_overflow, NULL)
753+#endif
754 ZEND_FE(get_included_files, NULL)
755 ZEND_FALIAS(get_required_files, get_included_files, NULL)
756 ZEND_FE(is_subclass_of, NULL)
757@@ -805,6 +811,19 @@
758
759 #endif /* ZEND_DEBUG */
760
761+
762+#if HARDENED_PHP_MM_PROTECT_DEBUG
763+ZEND_FUNCTION(heap_overflow)
764+{
765+ char *nowhere = emalloc(10);
766+
767+ memcpy(nowhere, "something1234567890", sizeof("something1234567890"));
768+
769+ efree(nowhere);
770+}
771+#endif
772+
773+
774 /* {{{ proto array get_included_files(void)
775 Returns an array with the file names that were include_once()'d */
776 ZEND_FUNCTION(get_included_files)
777diff -Nur php-4.3.10/Zend/zend_canary.c hardened-php-4.3.10-0.2.7/Zend/zend_canary.c
778--- php-4.3.10/Zend/zend_canary.c 1970-01-01 01:00:00.000000000 +0100
779+++ hardened-php-4.3.10-0.2.7/Zend/zend_canary.c 2005-04-07 01:51:16.000000000 +0200
780@@ -0,0 +1,58 @@
781+/*
782+ +----------------------------------------------------------------------+
783+ | Hardened-PHP |
784+ +----------------------------------------------------------------------+
785+ | Copyright (c) 2004 Stefan Esser |
786+ +----------------------------------------------------------------------+
787+ | This source file is subject to version 2.02 of the PHP license, |
788+ | that is bundled with this package in the file LICENSE, and is |
789+ | available at through the world-wide-web at |
790+ | http://www.php.net/license/2_02.txt. |
791+ | If you did not receive a copy of the PHP license and are unable to |
792+ | obtain it through the world-wide-web, please send a note to |
793+ | license@php.net so we can mail you a copy immediately. |
794+ +----------------------------------------------------------------------+
795+ | Author: Stefan Esser <sesser@php.net> |
796+ +----------------------------------------------------------------------+
797+ */
798+/* $Id: zend_canary.c,v 1.1 2004/11/26 12:45:41 ionic Exp $ */
799+
800+#include "zend.h"
801+
802+#include <stdio.h>
803+#include <stdlib.h>
804+
805+
806+#if HARDENED_PHP_MM_PROTECT || HARDENED_PHP_LL_PROTECT
807+
808+/* will be replaced later with more compatible method */
809+ZEND_API unsigned int zend_canary()
810+{
811+ time_t t;
812+ unsigned int canary;
813+ int fd;
814+
815+ fd = open("/dev/urandom", 0);
816+ if (fd != -1) {
817+ int r = read(fd, &canary, sizeof(canary));
818+ close(fd);
819+ if (r == sizeof(canary)) {
820+ return (canary);
821+ }
822+ }
823+ /* not good but we never want to do this */
824+ time(&t);
825+ canary = *(unsigned int *)&t + getpid() << 16;
826+ return (canary);
827+}
828+#endif
829+
830+
831+/*
832+ * Local variables:
833+ * tab-width: 4
834+ * c-basic-offset: 4
835+ * End:
836+ * vim600: sw=4 ts=4 fdm=marker
837+ * vim<600: sw=4 ts=4
838+ */
839diff -Nur php-4.3.10/Zend/zend_execute.c hardened-php-4.3.10-0.2.7/Zend/zend_execute.c
840--- php-4.3.10/Zend/zend_execute.c 2004-11-03 12:23:59.000000000 +0100
841+++ hardened-php-4.3.10-0.2.7/Zend/zend_execute.c 2005-04-07 01:51:16.000000000 +0200
842@@ -2149,7 +2149,12 @@
843 int dummy = 1;
844 zend_file_handle file_handle = {0};
845
846+#if HARDENED_PHP_INC_PROTECT
847+ if (zend_is_valid_include(inc_filename)
848+ && zend_open(inc_filename->value.str.val, &file_handle) == SUCCESS
849+#else
850 if (zend_open(inc_filename->value.str.val, &file_handle) == SUCCESS
851+#endif
852 && ZEND_IS_VALID_FILE_HANDLE(&file_handle)) {
853
854 file_handle.filename = inc_filename->value.str.val;
855@@ -2178,6 +2183,11 @@
856 break;
857 case ZEND_INCLUDE:
858 case ZEND_REQUIRE:
859+#if HARDENED_PHP_INC_PROTECT
860+ if (!zend_is_valid_include(inc_filename)) {
861+ break;
862+ }
863+#endif
864 new_op_array = compile_filename(EX(opline)->op2.u.constant.value.lval, inc_filename TSRMLS_CC);
865 break;
866 case ZEND_EVAL: {
867diff -Nur php-4.3.10/Zend/zend_extensions.h hardened-php-4.3.10-0.2.7/Zend/zend_extensions.h
868--- php-4.3.10/Zend/zend_extensions.h 2002-12-31 17:23:02.000000000 +0100
869+++ hardened-php-4.3.10-0.2.7/Zend/zend_extensions.h 2005-04-07 01:51:16.000000000 +0200
870@@ -23,7 +23,9 @@
871
872 #include "zend_compile.h"
873
874-#define ZEND_EXTENSION_API_NO 20021010
875+/* Create own API version number for Hardened-PHP */
876+
877+#define ZEND_EXTENSION_API_NO 1020041222
878
879 typedef struct _zend_extension_version_info {
880 int zend_extension_api_no;
881diff -Nur php-4.3.10/Zend/zend_hash.c hardened-php-4.3.10-0.2.7/Zend/zend_hash.c
882--- php-4.3.10/Zend/zend_hash.c 2004-07-12 23:26:46.000000000 +0200
883+++ hardened-php-4.3.10-0.2.7/Zend/zend_hash.c 2005-04-07 01:51:16.000000000 +0200
884@@ -26,6 +26,17 @@
885 # include <stdlib.h>
886 #endif
887
888+#if HARDENED_PHP_HASH_PROTECT
889+ unsigned int zend_hash_canary = 0x1234567;
890+ zend_bool zend_hash_canary_inited = 0;
891+#endif
892+
893+#define CHECK_HASH_CANARY(hash) \
894+ if (zend_hash_canary != (hash)->canary) { \
895+ zend_security_log("Zend HashTable canary was overwritten"); \
896+ exit(1); \
897+ }
898+
899 #define HANDLE_NUMERIC(key, length, func) { \
900 register char *tmp=key; \
901 \
902@@ -175,6 +186,9 @@
903 {
904 uint i = 3;
905 Bucket **tmp;
906+#if HARDENED_PHP_HASH_PROTECT
907+ TSRMLS_FETCH();
908+#endif
909
910 SET_INCONSISTENT(HT_OK);
911
912@@ -184,6 +198,13 @@
913
914 ht->nTableSize = 1 << i;
915 ht->nTableMask = ht->nTableSize - 1;
916+#if HARDENED_PHP_HASH_PROTECT
917+ if (zend_hash_canary_inited==0) {
918+ zend_hash_canary = zend_canary();
919+ zend_hash_canary_inited = 1;
920+ }
921+ ht->canary = zend_hash_canary;
922+#endif
923 ht->pDestructor = pDestructor;
924 ht->pListHead = NULL;
925 ht->pListTail = NULL;
926@@ -259,6 +280,9 @@
927 }
928 #endif
929 if (ht->pDestructor) {
930+#if HARDENED_PHP_HASH_PROTECT
931+ CHECK_HASH_CANARY(ht);
932+#endif
933 ht->pDestructor(p->pData);
934 }
935 UPDATE_DATA(ht, p, pData, nDataSize);
936@@ -327,6 +351,9 @@
937 }
938 #endif
939 if (ht->pDestructor) {
940+#if HARDENED_PHP_HASH_PROTECT
941+ CHECK_HASH_CANARY(ht);
942+#endif
943 ht->pDestructor(p->pData);
944 }
945 UPDATE_DATA(ht, p, pData, nDataSize);
946@@ -402,6 +429,9 @@
947 }
948 #endif
949 if (ht->pDestructor) {
950+#if HARDENED_PHP_HASH_PROTECT
951+ CHECK_HASH_CANARY(ht);
952+#endif
953 ht->pDestructor(p->pData);
954 }
955 UPDATE_DATA(ht, p, pData, nDataSize);
956@@ -450,7 +480,7 @@
957 IS_CONSISTENT(ht);
958
959 if ((ht->nTableSize << 1) > 0) { /* Let's double the table size */
960- t = (Bucket **) perealloc_recoverable(ht->arBuckets, (ht->nTableSize << 1) * sizeof(Bucket *), ht->persistent);
961+ t = (Bucket **) perealloc(ht->arBuckets, (ht->nTableSize << 1) * sizeof(Bucket *), ht->persistent);
962 if (t) {
963 HANDLE_BLOCK_INTERRUPTIONS();
964 ht->arBuckets = t;
965@@ -460,6 +490,7 @@
966 HANDLE_UNBLOCK_INTERRUPTIONS();
967 return SUCCESS;
968 }
969+ zend_error(E_ERROR, "zend_hash_do_resize - out of memory");
970 return FAILURE;
971 }
972 return SUCCESS;
973@@ -524,6 +555,9 @@
974 ht->pInternalPointer = p->pListNext;
975 }
976 if (ht->pDestructor) {
977+#if HARDENED_PHP_HASH_PROTECT
978+ CHECK_HASH_CANARY(ht);
979+#endif
980 ht->pDestructor(p->pData);
981 }
982 if (!p->pDataPtr) {
983@@ -553,6 +587,9 @@
984 q = p;
985 p = p->pListNext;
986 if (ht->pDestructor) {
987+#if HARDENED_PHP_HASH_PROTECT
988+ CHECK_HASH_CANARY(ht);
989+#endif
990 ht->pDestructor(q->pData);
991 }
992 if (!q->pDataPtr && q->pData) {
993@@ -579,6 +616,9 @@
994 q = p;
995 p = p->pListNext;
996 if (ht->pDestructor) {
997+#if HARDENED_PHP_HASH_PROTECT
998+ CHECK_HASH_CANARY(ht);
999+#endif
1000 ht->pDestructor(q->pData);
1001 }
1002 if (!q->pDataPtr && q->pData) {
1003@@ -608,6 +648,9 @@
1004 HANDLE_BLOCK_INTERRUPTIONS();
1005
1006 if (ht->pDestructor) {
1007+#if HARDENED_PHP_HASH_PROTECT
1008+ CHECK_HASH_CANARY(ht);
1009+#endif
1010 ht->pDestructor(p->pData);
1011 }
1012 if (!p->pDataPtr) {
1013diff -Nur php-4.3.10/Zend/zend_hash.h hardened-php-4.3.10-0.2.7/Zend/zend_hash.h
1014--- php-4.3.10/Zend/zend_hash.h 2002-12-31 17:23:03.000000000 +0100
1015+++ hardened-php-4.3.10-0.2.7/Zend/zend_hash.h 2005-04-07 01:51:16.000000000 +0200
1016@@ -54,6 +54,9 @@
1017 } Bucket;
1018
1019 typedef struct _hashtable {
1020+#if HARDENED_PHP_HASH_PROTECT
1021+ unsigned int canary;
1022+#endif
1023 uint nTableSize;
1024 uint nTableMask;
1025 uint nNumOfElements;
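Review bot: Placing `canary` as the first member of `_hashtable` under a configure-time `#if` changes sizeof(HashTable) and the offset of every later field, so any extension compiled with a php_config.h in which HARDENED_PHP_HASH_PROTECT is 0, or against stock 4.3.10 headers, will read nTableSize from the canary slot and everything after it shifted by four bytes. The ZEND_MODULE_API_NO bump in zend_modules.h is presumably what keeps such a module from loading, so the two changes must always ship together. A comment on the field would make that dependency explicit: `/* Must stay the first member: checked by CHECK_HASH_CANARY before every pDestructor call. Changes the HashTable ABI - see ZEND_MODULE_API_NO. */`.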
1026diff -Nur php-4.3.10/Zend/zend_llist.c hardened-php-4.3.10-0.2.7/Zend/zend_llist.c
1027--- php-4.3.10/Zend/zend_llist.c 2002-12-31 17:23:04.000000000 +0100
1028+++ hardened-php-4.3.10-0.2.7/Zend/zend_llist.c 2005-04-07 01:51:16.000000000 +0200
1029@@ -21,9 +21,34 @@
1030 #include "zend.h"
1031 #include "zend_llist.h"
1032 #include "zend_qsort.h"
1033+#include "zend_globals.h"
1034+
1035+#define CHECK_LIST_CANARY(list) \
1036+ if (HG(canary_3) != (list)->canary_h || HG(canary_4) != (list)->canary_t) { \
1037+ zend_security_log("linked list canary was overwritten"); \
1038+ exit(1); \
1039+ }
1040+
1041+#define CHECK_LISTELEMENT_CANARY(elem) \
1042+ if (HG(canary_3) != (elem)->canary) { \
1043+ zend_security_log("linked list element canary was overwritten"); \
1044+ exit(1); \
1045+ }
1046+
1047
1048 ZEND_API void zend_llist_init(zend_llist *l, size_t size, llist_dtor_func_t dtor, unsigned char persistent)
1049 {
1050+#if HARDENED_PHP_LL_PROTECT
1051+ TSRMLS_FETCH();
1052+
1053+ if (!HG(ll_canary_inited)) {
1054+ HG(canary_3) = zend_canary();
1055+ HG(canary_4) = zend_canary();
1056+ HG(ll_canary_inited) = 1;
1057+ }
1058+ l->canary_h = HG(canary_3);
1059+ l->canary_t = HG(canary_4);
1060+#endif
1061 l->head = NULL;
1062 l->tail = NULL;
1063 l->count = 0;
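Review bot: Both macros react to a detected corruption with `exit(1)`, which runs atexit handlers and flushes stdio on a heap that has just been shown to be corrupt; `abort()` (or `_exit(1)` if a core dump is unwanted) is the usual choice once integrity is gone and also leaves a core for forensics. Unless zend_security_log, which I cannot see, depends on exit()'s flushing, I would change both to `abort();`. The macros are also plain `if` statements invoked without a trailing semicolon throughout this file, so a call placed under a brace-less `if` would capture the following `else`; wrapping the body in `do { ... } while (0)` and adding semicolons at the call sites removes that hazard. The definitions are unconditional while every use is under `#if HARDENED_PHP_LL_PROTECT`; defining empty versions when the option is off would let the `#if`/`#endif` pairs around each call disappear. Finally, the element canary is the same value as the head canary (`HG(canary_3)` in both), so disclosing one discloses both; a distinct value costs one more zend_canary() call in this init block.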
1064@@ -37,6 +62,11 @@
1065 {
1066 zend_llist_element *tmp = pemalloc(sizeof(zend_llist_element)+l->size-1, l->persistent);
1067
1068+#if HARDENED_PHP_LL_PROTECT
1069+ TSRMLS_FETCH();
1070+ CHECK_LIST_CANARY(l)
1071+ tmp->canary = HG(canary_3);
1072+#endif
1073 tmp->prev = l->tail;
1074 tmp->next = NULL;
1075 if (l->tail) {
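Review bot: The canary check is placed after `pemalloc(sizeof(zend_llist_element)+l->size-1, ...)`, so `l->size` is read from the list header and used to size an allocation before the header's integrity is verified; a corrupted size then drives the allocation (and the allocator's bailout path) rather than the check. Splitting the declaration restores the order: `zend_llist_element *tmp;` / `CHECK_LIST_CANARY(l)` after the `TSRMLS_FETCH();` / `tmp = pemalloc(sizeof(zend_llist_element)+l->size-1, l->persistent);`. The same ordering appears in zend_llist_prepend_element in the next hunk. zend_llist_add_element's body continues past this hunk.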
1076@@ -55,6 +85,11 @@
1077 {
1078 zend_llist_element *tmp = pemalloc(sizeof(zend_llist_element)+l->size-1, l->persistent);
1079
1080+#if HARDENED_PHP_LL_PROTECT
1081+ TSRMLS_FETCH();
1082+ CHECK_LIST_CANARY(l)
1083+ tmp->canary = HG(canary_3);
1084+#endif
1085 tmp->next = l->head;
1086 tmp->prev = NULL;
1087 if (l->head) {
1088@@ -91,10 +126,20 @@
1089 zend_llist_element *current=l->head;
1090 zend_llist_element *next;
1091
1092+#if HARDENED_PHP_LL_PROTECT
1093+ TSRMLS_FETCH();
1094+ CHECK_LIST_CANARY(l)
1095+#endif
1096 while (current) {
1097+#if HARDENED_PHP_LL_PROTECT
1098+ CHECK_LISTELEMENT_CANARY(current)
1099+#endif
1100 next = current->next;
1101 if (compare(current->data, element)) {
1102 DEL_LLIST_ELEMENT(current, l);
1103+#if HARDENED_PHP_LL_PROTECT
1104+ current->canary = 0;
1105+#endif
1106 break;
1107 }
1108 current = next;
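Review bot: `current->canary = 0;` is executed after `DEL_LLIST_ELEMENT(current, l)`; in stock PHP 4.3 that macro ends by calling `pefree` on the element, and its definition is outside this hunk, so if that is still the case here the new line is a four-byte write into freed memory on every deletion. If the intent is to poison the canary so a stale pointer fails the next check, the store has to happen before the element is released: move `current->canary = 0;` above the `DEL_LLIST_ELEMENT(current, l);` line. If the macro was changed by this patch so that it no longer frees, a comment saying so at this line would stop the next reader from flagging it.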
1109@@ -106,7 +151,14 @@
1110 {
1111 zend_llist_element *current=l->head, *next;
1112
1113+#if HARDENED_PHP_LL_PROTECT
1114+ TSRMLS_FETCH();
1115+ CHECK_LIST_CANARY(l)
1116+#endif
1117 while (current) {
1118+#if HARDENED_PHP_LL_PROTECT
1119+ CHECK_LISTELEMENT_CANARY(current)
1120+#endif
1121 next = current->next;
1122 if (l->dtor) {
1123 l->dtor(current->data);
1124@@ -131,7 +183,14 @@
1125 zend_llist_element *old_tail;
1126 void *data;
1127
1128+#if HARDENED_PHP_LL_PROTECT
1129+ TSRMLS_FETCH();
1130+ CHECK_LIST_CANARY(l)
1131+#endif
1132 if ((old_tail = l->tail)) {
1133+#if HARDENED_PHP_LL_PROTECT
1134+ CHECK_LISTELEMENT_CANARY(old_tail)
1135+#endif
1136 if (l->tail->prev) {
1137 l->tail->prev->next = NULL;
1138 }
1139@@ -157,9 +216,16 @@
1140 {
1141 zend_llist_element *ptr;
1142
1143+#if HARDENED_PHP_LL_PROTECT
1144+ TSRMLS_FETCH();
1145+ CHECK_LIST_CANARY(src)
1146+#endif
1147 zend_llist_init(dst, src->size, src->dtor, src->persistent);
1148 ptr = src->head;
1149 while (ptr) {
1150+#if HARDENED_PHP_LL_PROTECT
1151+ CHECK_LISTELEMENT_CANARY(ptr)
1152+#endif
1153 zend_llist_add_element(dst, ptr->data);
1154 ptr = ptr->next;
1155 }
1156@@ -170,11 +236,21 @@
1157 {
1158 zend_llist_element *element, *next;
1159
1160+#if HARDENED_PHP_LL_PROTECT
1161+ TSRMLS_FETCH();
1162+ CHECK_LIST_CANARY(l)
1163+#endif
1164 element=l->head;
1165 while (element) {
1166+#if HARDENED_PHP_LL_PROTECT
1167+ CHECK_LISTELEMENT_CANARY(element)
1168+#endif
1169 next = element->next;
1170 if (func(element->data)) {
1171 DEL_LLIST_ELEMENT(element, l);
1172+#if HARDENED_PHP_LL_PROTECT
1173+ element->canary = 0;
1174+#endif
1175 }
1176 element = next;
1177 }
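Review bot: `element->canary = 0;` follows `DEL_LLIST_ELEMENT(element, l)`, and in stock PHP 4.3 that macro (defined outside this hunk) finishes with `pefree` of the element, which would make this a store into freed memory for every element the callback deletes. Moving the line above `DEL_LLIST_ELEMENT(element, l);` keeps the poisoning effect without touching released memory. The same sequence occurs in zend_llist_del_element earlier in this file and should be corrected the same way.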
1178@@ -185,7 +261,13 @@
1179 {
1180 zend_llist_element *element;
1181
1182+#if HARDENED_PHP_LL_PROTECT
1183+ CHECK_LIST_CANARY(l)
1184+#endif
1185 for (element=l->head; element; element=element->next) {
1186+#if HARDENED_PHP_LL_PROTECT
1187+ CHECK_LISTELEMENT_CANARY(element)
1188+#endif
1189 func(element->data TSRMLS_CC);
1190 }
1191 }
1192@@ -197,6 +279,9 @@
1193 zend_llist_element **elements;
1194 zend_llist_element *element, **ptr;
1195
1196+#if HARDENED_PHP_LL_PROTECT
1197+ CHECK_LIST_CANARY(l)
1198+#endif
1199 if (l->count <= 0) {
1200 return;
1201 }
1202@@ -206,6 +291,9 @@
1203 ptr = &elements[0];
1204
1205 for (element=l->head; element; element=element->next) {
1206+#if HARDENED_PHP_LL_PROTECT
1207+ CHECK_LISTELEMENT_CANARY(element)
1208+#endif
1209 *ptr++ = element;
1210 }
1211
1212@@ -228,7 +316,13 @@
1213 {
1214 zend_llist_element *element;
1215
1216+#if HARDENED_PHP_LL_PROTECT
1217+ CHECK_LIST_CANARY(l)
1218+#endif
1219 for (element=l->head; element; element=element->next) {
1220+#if HARDENED_PHP_LL_PROTECT
1221+ CHECK_LISTELEMENT_CANARY(element)
1222+#endif
1223 func(element->data, arg TSRMLS_CC);
1224 }
1225 }
1226@@ -239,8 +333,14 @@
1227 zend_llist_element *element;
1228 va_list args;
1229
1230+#if HARDENED_PHP_LL_PROTECT
1231+ CHECK_LIST_CANARY(l)
1232+#endif
1233 va_start(args, num_args);
1234 for (element=l->head; element; element=element->next) {
1235+#if HARDENED_PHP_LL_PROTECT
1236+ CHECK_LISTELEMENT_CANARY(element)
1237+#endif
1238 func(element->data, num_args, args TSRMLS_CC);
1239 }
1240 va_end(args);
1241@@ -249,6 +349,10 @@
1242
1243 ZEND_API int zend_llist_count(zend_llist *l)
1244 {
1245+#if HARDENED_PHP_LL_PROTECT
1246+ TSRMLS_FETCH();
1247+ CHECK_LIST_CANARY(l)
1248+#endif
1249 return l->count;
1250 }
1251
1252@@ -256,8 +360,15 @@
1253 {
1254 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
1255
1256+#if HARDENED_PHP_LL_PROTECT
1257+ TSRMLS_FETCH();
1258+ CHECK_LIST_CANARY(l)
1259+#endif
1260 *current = l->head;
1261 if (*current) {
1262+#if HARDENED_PHP_LL_PROTECT
1263+ CHECK_LISTELEMENT_CANARY(*current)
1264+#endif
1265 return (*current)->data;
1266 } else {
1267 return NULL;
1268@@ -269,8 +380,15 @@
1269 {
1270 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
1271
1272+#if HARDENED_PHP_LL_PROTECT
1273+ TSRMLS_FETCH();
1274+ CHECK_LIST_CANARY(l)
1275+#endif
1276 *current = l->tail;
1277 if (*current) {
1278+#if HARDENED_PHP_LL_PROTECT
1279+ CHECK_LISTELEMENT_CANARY(*current)
1280+#endif
1281 return (*current)->data;
1282 } else {
1283 return NULL;
1284@@ -282,9 +400,19 @@
1285 {
1286 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
1287
1288+#if HARDENED_PHP_LL_PROTECT
1289+ TSRMLS_FETCH();
1290+ CHECK_LIST_CANARY(l)
1291+#endif
1292 if (*current) {
1293+#if HARDENED_PHP_LL_PROTECT
1294+ CHECK_LISTELEMENT_CANARY(*current)
1295+#endif
1296 *current = (*current)->next;
1297 if (*current) {
1298+#if HARDENED_PHP_LL_PROTECT
1299+ CHECK_LISTELEMENT_CANARY(*current)
1300+#endif
1301 return (*current)->data;
1302 }
1303 }
1304@@ -296,9 +424,19 @@
1305 {
1306 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
1307
1308+#if HARDENED_PHP_LL_PROTECT
1309+ TSRMLS_FETCH();
1310+ CHECK_LIST_CANARY(l)
1311+#endif
1312 if (*current) {
1313+#if HARDENED_PHP_LL_PROTECT
1314+ CHECK_LISTELEMENT_CANARY(*current)
1315+#endif
1316 *current = (*current)->prev;
1317 if (*current) {
1318+#if HARDENED_PHP_LL_PROTECT
1319+ CHECK_LISTELEMENT_CANARY(*current)
1320+#endif
1321 return (*current)->data;
1322 }
1323 }
1324diff -Nur php-4.3.10/Zend/zend_llist.h hardened-php-4.3.10-0.2.7/Zend/zend_llist.h
1325--- php-4.3.10/Zend/zend_llist.h 2002-12-31 17:23:04.000000000 +0100
1326+++ hardened-php-4.3.10-0.2.7/Zend/zend_llist.h 2005-04-07 01:51:16.000000000 +0200
1327@@ -24,6 +24,9 @@
1328 #include <stdlib.h>
1329
1330 typedef struct _zend_llist_element {
1331+#if HARDENED_PHP_LL_PROTECT
1332+ unsigned int canary;
1333+#endif
1334 struct _zend_llist_element *next;
1335 struct _zend_llist_element *prev;
1336 char data[1]; /* Needs to always be last in the struct */
1337@@ -36,6 +39,9 @@
1338 typedef void (*llist_apply_func_t)(void * TSRMLS_DC);
1339
1340 typedef struct _zend_llist {
1341+#if HARDENED_PHP_LL_PROTECT
1342+ unsigned int canary_h; /* head */
1343+#endif
1344 zend_llist_element *head;
1345 zend_llist_element *tail;
1346 size_t size;
1347@@ -43,6 +49,9 @@
1348 llist_dtor_func_t dtor;
1349 unsigned char persistent;
1350 zend_llist_element *traverse_ptr;
1351+#if HARDENED_PHP_LL_PROTECT
1352+ unsigned int canary_t; /* tail */
1353+#endif
1354 } zend_llist;
1355
1356 typedef zend_llist_element* zend_llist_position;
1357diff -Nur php-4.3.10/Zend/zend_modules.h hardened-php-4.3.10-0.2.7/Zend/zend_modules.h
1358--- php-4.3.10/Zend/zend_modules.h 2002-12-31 17:23:04.000000000 +0100
1359+++ hardened-php-4.3.10-0.2.7/Zend/zend_modules.h 2005-04-07 01:51:16.000000000 +0200
1360@@ -34,7 +34,7 @@
1361 ZEND_API extern unsigned char second_arg_force_ref[];
1362 ZEND_API extern unsigned char third_arg_force_ref[];
1363
1364-#define ZEND_MODULE_API_NO 20020429
1365+#define ZEND_MODULE_API_NO 1020041222
1366 #ifdef ZTS
1367 #define USING_ZTS 1
1368 #else
1369diff -Nur php-4.3.10/acinclude.m4 hardened-php-4.3.10-0.2.7/acinclude.m4
1370--- php-4.3.10/acinclude.m4 2004-12-11 12:17:21.000000000 +0100
1371+++ hardened-php-4.3.10-0.2.7/acinclude.m4 2005-04-07 01:51:16.000000000 +0200
1372@@ -1153,6 +1153,36 @@
1373 fi
1374 ])
1375
1376+dnl
1377+dnl Check for broken realpath()
1378+dnl
1379+dnl realpath("/etc/hosts/../passwd",XXX) should not return
1380+dnl "/etc/passwd"
1381+dnl
1382+AC_DEFUN([PHP_AC_BROKEN_REALPATH],[
1383+ AC_CACHE_CHECK(whether realpath is broken, ac_cv_broken_realpath,[
1384+ AC_TRY_RUN([
1385+main() {
1386+ char buf[4096+1];
1387+ buf[0] = 0;
1388+ realpath("/etc/hosts/../passwd", buf);
1389+ exit(strcmp(buf, "/etc/passwd")==0);
1390+}
1391+ ],[
1392+ ac_cv_broken_realpath=no
1393+ ],[
1394+ ac_cv_broken_realpath=yes
1395+ ],[
1396+ ac_cv_broken_realpath=no
1397+ ])
1398+ ])
1399+ if test "$ac_cv_broken_realpath" = "yes"; then
1400+ AC_DEFINE(PHP_BROKEN_REALPATH, 1, [Whether realpath is broken])
1401+ else
1402+ AC_DEFINE(PHP_BROKEN_REALPATH, 0, [Whether realpath is broken])
1403+ fi
1404+])
1405+
1406 dnl PHP_SHARED_MODULE(module-name, object-var, build-dir, cxx)
1407 dnl
1408 dnl Basically sets up the link-stage for building module-name
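Review bot: When cross-compiling the cache value defaults to `ac_cv_broken_realpath=no`, i.e. the probe fails open: a target whose realpath() resolves `/etc/hosts/../passwd` to `/etc/passwd` gets PHP_BROKEN_REALPATH 0 and whatever code that macro gates elsewhere in the patch is compiled out. For a hardening probe the safe default is `ac_cv_broken_realpath=yes` in the cross-compiling branch, leaving the cache variable as the override. The probe also silently reports "not broken" whenever `/etc/hosts` is absent on the build host, because realpath() then fails with ENOENT and `buf` stays empty; checking the return value and treating a NULL result as "broken" keeps it fail-safe. The test program declares nothing it calls (`realpath`, `strcmp`, `exit`) and relies on implicit declarations; `#include <stdlib.h>`, `#include <string.h>` and `#include <limits.h>` (for a PATH_MAX-sized buffer instead of the hard-coded 4096+1) are cheap to add.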
1409diff -Nur php-4.3.10/configure hardened-php-4.3.10-0.2.7/configure
1410--- php-4.3.10/configure 2004-12-14 18:55:18.000000000 +0100
1411+++ hardened-php-4.3.10-0.2.7/configure 2005-04-07 01:51:16.000000000 +0200
1412@@ -389,6 +389,16 @@
1413 ac_default_prefix=/usr/local
1414 # Any additions from configure.in:
1415 ac_help="$ac_help
1416+ --disable-hardened-php-mm-protect Disable the Memory Manager protection."
1417+ac_help="$ac_help
1418+ --disable-hardened-php-ll-protect Disable the Linked List protection."
1419+ac_help="$ac_help
1420+ --disable-hardened-php-inc-protect Disable include/require protection."
1421+ac_help="$ac_help
1422+ --disable-hardened-php-fmt-protect Disable format string protection."
1423+ac_help="$ac_help
1424+ --disable-hardened-php-hash-protect Disable Zend HashTable DTOR protection."
1425+ac_help="$ac_help
1426
1427 SAPI modules:
1428 "
1429@@ -831,6 +841,8 @@
1430 ac_help="$ac_help
1431 --disable-tokenizer Disable tokenizer support"
1432 ac_help="$ac_help
1433+ --disable-varfilter Disable Hardened-PHP's variable filter"
1434+ac_help="$ac_help
1435 --enable-wddx Enable WDDX support."
1436 ac_help="$ac_help
1437 --disable-xml Disable XML support using bundled expat lib"
1438@@ -2643,6 +2655,157 @@
1439
1440
1441
1442+# Check whether --enable-hardened-php-mm-protect or --disable-hardened-php-mm-protect was given.
1443+if test "${enable_hardened_php_mm_protect+set}" = set; then
1444+ enableval="$enable_hardened_php_mm_protect"
1445+
1446+ DO_HARDENED_PHP_MM_PROTECT=$enableval
1447+
1448+else
1449+
1450+ DO_HARDENED_PHP_MM_PROTECT=yes
1451+
1452+fi
1453+
1454+
1455+# Check whether --enable-hardened-php-ll-protect or --disable-hardened-php-ll-protect was given.
1456+if test "${enable_hardened_php_ll_protect+set}" = set; then
1457+ enableval="$enable_hardened_php_ll_protect"
1458+
1459+ DO_HARDENED_PHP_LL_PROTECT=$enableval
1460+
1461+else
1462+
1463+ DO_HARDENED_PHP_LL_PROTECT=yes
1464+
1465+fi
1466+
1467+
1468+# Check whether --enable-hardened-php-inc-protect or --disable-hardened-php-inc-protect was given.
1469+if test "${enable_hardened_php_inc_protect+set}" = set; then
1470+ enableval="$enable_hardened_php_inc_protect"
1471+
1472+ DO_HARDENED_PHP_INC_PROTECT=$enableval
1473+
1474+else
1475+
1476+ DO_HARDENED_PHP_INC_PROTECT=yes
1477+
1478+fi
1479+
1480+
1481+# Check whether --enable-hardened-php-fmt-protect or --disable-hardened-php-fmt-protect was given.
1482+if test "${enable_hardened_php_fmt_protect+set}" = set; then
1483+ enableval="$enable_hardened_php_fmt_protect"
1484+
1485+ DO_HARDENED_PHP_FMT_PROTECT=$enableval
1486+
1487+else
1488+
1489+ DO_HARDENED_PHP_FMT_PROTECT=yes
1490+
1491+fi
1492+
1493+
1494+# Check whether --enable-hardened-php-hash-protect or --disable-hardened-php-hash-protect was given.
1495+if test "${enable_hardened_php_hash_protect+set}" = set; then
1496+ enableval="$enable_hardened_php_hash_protect"
1497+
1498+ DO_HARDENED_PHP_HASH_PROTECT=$enableval
1499+
1500+else
1501+
1502+ DO_HARDENED_PHP_HASH_PROTECT=yes
1503+
1504+fi
1505+
1506+
1507+echo $ac_n "checking whether to protect the Zend Memory Manager""... $ac_c" 1>&6
1508+echo "configure:2725: checking whether to protect the Zend Memory Manager" >&5
1509+echo "$ac_t""$DO_HARDENED_PHP_MM_PROTECT" 1>&6
1510+
1511+echo $ac_n "checking whether to protect the Zend Linked Lists""... $ac_c" 1>&6
1512+echo "configure:2729: checking whether to protect the Zend Linked Lists" >&5
1513+echo "$ac_t""$DO_HARDENED_PHP_LL_PROTECT" 1>&6
1514+
1515+echo $ac_n "checking whether to protect include/require statements""... $ac_c" 1>&6
1516+echo "configure:2733: checking whether to protect include/require statements" >&5
1517+echo "$ac_t""$DO_HARDENED_PHP_INC_PROTECT" 1>&6
1518+
1519+echo $ac_n "checking whether to protect PHP Format String functions""... $ac_c" 1>&6
1520+echo "configure:2737: checking whether to protect PHP Format String functions" >&5
1521+echo "$ac_t""$DO_HARDENED_PHP_FMT_PROTECT" 1>&6
1522+
1523+echo $ac_n "checking whether to protect the Zend HashTable Destructors""... $ac_c" 1>&6
1524+echo "configure:2737: checking whether to protect the Zend HashTable Destructors" >&5
1525+echo "$ac_t""$DO_HARDENED_PHP_HASH_PROTECT" 1>&6
1526+
1527+
1528+cat >> confdefs.h <<\EOF
1529+#define HARDENED_PHP 1
1530+EOF
1531+
1532+
1533+
1534+if test "$DO_HARDENED_PHP_MM_PROTECT" = "yes"; then
1535+ cat >> confdefs.h <<\EOF
1536+#define HARDENED_PHP_MM_PROTECT 1
1537+EOF
1538+
1539+else
1540+ cat >> confdefs.h <<\EOF
1541+#define HARDENED_PHP_MM_PROTECT 0
1542+EOF
1543+
1544+fi
1545+
1546+if test "$DO_HARDENED_PHP_LL_PROTECT" = "yes"; then
1547+ cat >> confdefs.h <<\EOF
1548+#define HARDENED_PHP_LL_PROTECT 1
1549+EOF
1550+
1551+else
1552+ cat >> confdefs.h <<\EOF
1553+#define HARDENED_PHP_LL_PROTECT 0
1554+EOF
1555+
1556+fi
1557+
1558+if test "$DO_HARDENED_PHP_INC_PROTECT" = "yes"; then
1559+ cat >> confdefs.h <<\EOF
1560+#define HARDENED_PHP_INC_PROTECT 1
1561+EOF
1562+
1563+else
1564+ cat >> confdefs.h <<\EOF
1565+#define HARDENED_PHP_INC_PROTECT 0
1566+EOF
1567+
1568+fi
1569+
1570+if test "$DO_HARDENED_PHP_FMT_PROTECT" = "yes"; then
1571+ cat >> confdefs.h <<\EOF
1572+#define HARDENED_PHP_FMT_PROTECT 1
1573+EOF
1574+
1575+else
1576+ cat >> confdefs.h <<\EOF
1577+#define HARDENED_PHP_FMT_PROTECT 0
1578+EOF
1579+
1580+fi
1581+
1582+if test "$DO_HARDENED_PHP_HASH_PROTECT" = "yes"; then
1583+ cat >> confdefs.h <<\EOF
1584+#define HARDENED_PHP_HASH_PROTECT 1
1585+EOF
1586+
1587+else
1588+ cat >> confdefs.h <<\EOF
1589+#define HARDENED_PHP_HASH_PROTECT 0
1590+EOF
1591+
1592+fi
1593
1594
1595
1596@@ -14890,6 +15053,62 @@
1597 fi
1598
1599
1600+ echo $ac_n "checking whether realpath is broken""... $ac_c" 1>&6
1601+echo "configure:14928: checking whether realpath is broken" >&5
1602+if eval "test \"`echo '$''{'ac_cv_broken_realpath'+set}'`\" = set"; then
1603+ echo $ac_n "(cached) $ac_c" 1>&6
1604+else
1605+
1606+ if test "$cross_compiling" = yes; then
1607+
1608+ ac_cv_broken_realpath=no
1609+
1610+else
1611+ cat > conftest.$ac_ext <<EOF
1612+#line 14939 "configure"
1613+#include "confdefs.h"
1614+
1615+main() {
1616+ char buf[4096+1];
1617+ buf[0] = 0;
1618+ realpath("/etc/hosts/../passwd", buf);
1619+ exit(strcmp(buf, "/etc/passwd")==0);
1620+}
1621+
1622+EOF
1623+if { (eval echo configure:14958: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
1624+then
1625+
1626+ ac_cv_broken_realpath=no
1627+
1628+else
1629+ echo "configure: failed program was:" >&5
1630+ cat conftest.$ac_ext >&5
1631+ rm -fr conftest*
1632+
1633+ ac_cv_broken_realpath=yes
1634+
1635+fi
1636+rm -fr conftest*
1637+fi
1638+
1639+
1640+fi
1641+
1642+echo "$ac_t""$ac_cv_broken_realpath" 1>&6
1643+ if test "$ac_cv_broken_realpath" = "yes"; then
1644+ cat >> confdefs.h <<\EOF
1645+#define PHP_BROKEN_REALPATH 1
1646+EOF
1647+
1648+ else
1649+ cat >> confdefs.h <<\EOF
1650+#define PHP_BROKEN_REALPATH 0
1651+EOF
1652+
1653+ fi
1654+
1655+
1656 echo $ac_n "checking for declared timezone""... $ac_c" 1>&6
1657 echo "configure:14895: checking for declared timezone" >&5
1658 if eval "test \"`echo '$''{'ac_cv_declared_timezone'+set}'`\" = set"; then
1659@@ -82014,6 +82233,265 @@
1660 fi
1661
1662
1663+echo $ac_n "checking whether to enable Hardened-PHP's variable filter""... $ac_c" 1>&6
1664+echo "configure:82041: checking whether to enable Hardened-PHP's variable filter" >&5
1665+# Check whether --enable-varfilter or --disable-varfilter was given.
1666+if test "${enable_varfilter+set}" = set; then
1667+ enableval="$enable_varfilter"
1668+ PHP_VARFILTER=$enableval
1669+else
1670+
1671+ PHP_VARFILTER=yes
1672+
1673+ if test "$PHP_ENABLE_ALL" && test "yes" = "yes"; then
1674+ PHP_VARFILTER=$PHP_ENABLE_ALL
1675+ fi
1676+
1677+fi
1678+
1679+
1680+
1681+ext_output="yes, shared"
1682+ext_shared=yes
1683+case $PHP_VARFILTER in
1684+shared,*)
1685+ PHP_VARFILTER=`echo "$PHP_VARFILTER"|sed 's/^shared,//'`
1686+ ;;
1687+shared)
1688+ PHP_VARFILTER=yes
1689+ ;;
1690+no)
1691+ ext_output=no
1692+ ext_shared=no
1693+ ;;
1694+*)
1695+ ext_output=yes
1696+ ext_shared=no
1697+ ;;
1698+esac
1699+
1700+
1701+
1702+echo "$ac_t""$ext_output" 1>&6
1703+
1704+
1705+
1706+
1707+if test "$PHP_VARFILTER" != "no"; then
1708+ cat >> confdefs.h <<\EOF
1709+#define HAVE_VARFILTER 1
1710+EOF
1711+
1712+
1713+ ext_builddir=ext/varfilter
1714+ ext_srcdir=$abs_srcdir/ext/varfilter
1715+
1716+ ac_extra=
1717+
1718+ if test "$ext_shared" != "shared" && test "$ext_shared" != "yes" && test "" != "cli"; then
1719+
1720+
1721+
1722+ case ext/varfilter in
1723+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
1724+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
1725+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
1726+ esac
1727+
1728+
1729+
1730+ b_c_pre=$php_c_pre
1731+ b_cxx_pre=$php_cxx_pre
1732+ b_c_meta=$php_c_meta
1733+ b_cxx_meta=$php_cxx_meta
1734+ b_c_post=$php_c_post
1735+ b_cxx_post=$php_cxx_post
1736+ b_lo=$php_lo
1737+
1738+
1739+ old_IFS=$IFS
1740+ for ac_src in varfilter.c; do
1741+
1742+ IFS=.
1743+ set $ac_src
1744+ ac_obj=$1
1745+ IFS=$old_IFS
1746+
1747+ PHP_GLOBAL_OBJS="$PHP_GLOBAL_OBJS $ac_bdir$ac_obj.lo"
1748+
1749+ case $ac_src in
1750+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
1751+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
1752+ esac
1753+
1754+ cat >>Makefile.objects<<EOF
1755+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
1756+ $ac_comp
1757+EOF
1758+ done
1759+
1760+
1761+ EXT_STATIC="$EXT_STATIC varfilter"
1762+ if test "$ext_shared" != "nocli"; then
1763+ EXT_CLI_STATIC="$EXT_CLI_STATIC varfilter"
1764+ fi
1765+ else
1766+ if test "$ext_shared" = "shared" || test "$ext_shared" = "yes"; then
1767+
1768+ case ext/varfilter in
1769+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
1770+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
1771+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
1772+ esac
1773+
1774+
1775+
1776+ b_c_pre=$shared_c_pre
1777+ b_cxx_pre=$shared_cxx_pre
1778+ b_c_meta=$shared_c_meta
1779+ b_cxx_meta=$shared_cxx_meta
1780+ b_c_post=$shared_c_post
1781+ b_cxx_post=$shared_cxx_post
1782+ b_lo=$shared_lo
1783+
1784+
1785+ old_IFS=$IFS
1786+ for ac_src in varfilter.c; do
1787+
1788+ IFS=.
1789+ set $ac_src
1790+ ac_obj=$1
1791+ IFS=$old_IFS
1792+
1793+ shared_objects_varfilter="$shared_objects_varfilter $ac_bdir$ac_obj.lo"
1794+
1795+ case $ac_src in
1796+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
1797+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
1798+ esac
1799+
1800+ cat >>Makefile.objects<<EOF
1801+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
1802+ $ac_comp
1803+EOF
1804+ done
1805+
1806+
1807+ install_modules="install-modules"
1808+ PHP_MODULES="$PHP_MODULES \$(phplibdir)/varfilter.la"
1809+
1810+ PHP_VAR_SUBST="$PHP_VAR_SUBST shared_objects_varfilter"
1811+
1812+ cat >>Makefile.objects<<EOF
1813+\$(phplibdir)/varfilter.la: $ext_builddir/varfilter.la
1814+ \$(LIBTOOL) --mode=install cp $ext_builddir/varfilter.la \$(phplibdir)
1815+
1816+$ext_builddir/varfilter.la: \$(shared_objects_varfilter) \$(VARFILTER_SHARED_DEPENDENCIES)
1817+ \$(LIBTOOL) --mode=link \$(CC) \$(COMMON_FLAGS) \$(CFLAGS_CLEAN) \$(EXTRA_CFLAGS) \$(LDFLAGS) -o \$@ -export-dynamic -avoid-version -prefer-pic -module -rpath \$(phplibdir) \$(EXTRA_LDFLAGS) \$(shared_objects_varfilter) \$(VARFILTER_SHARED_LIBADD)
1818+
1819+EOF
1820+
1821+ cat >> confdefs.h <<EOF
1822+#define COMPILE_DL_VARFILTER 1
1823+EOF
1824+
1825+ fi
1826+ fi
1827+
1828+ if test "$ext_shared" != "shared" && test "$ext_shared" != "yes" && test "" = "cli"; then
1829+ if test "$PHP_SAPI" = "cgi"; then
1830+
1831+
1832+ case ext/varfilter in
1833+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
1834+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
1835+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
1836+ esac
1837+
1838+
1839+
1840+ b_c_pre=$php_c_pre
1841+ b_cxx_pre=$php_cxx_pre
1842+ b_c_meta=$php_c_meta
1843+ b_cxx_meta=$php_cxx_meta
1844+ b_c_post=$php_c_post
1845+ b_cxx_post=$php_cxx_post
1846+ b_lo=$php_lo
1847+
1848+
1849+ old_IFS=$IFS
1850+ for ac_src in varfilter.c; do
1851+
1852+ IFS=.
1853+ set $ac_src
1854+ ac_obj=$1
1855+ IFS=$old_IFS
1856+
1857+ PHP_GLOBAL_OBJS="$PHP_GLOBAL_OBJS $ac_bdir$ac_obj.lo"
1858+
1859+ case $ac_src in
1860+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
1861+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
1862+ esac
1863+
1864+ cat >>Makefile.objects<<EOF
1865+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
1866+ $ac_comp
1867+EOF
1868+ done
1869+
1870+
1871+ EXT_STATIC="$EXT_STATIC varfilter"
1872+ else
1873+
1874+
1875+ case ext/varfilter in
1876+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
1877+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
1878+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
1879+ esac
1880+
1881+
1882+
1883+ b_c_pre=$php_c_pre
1884+ b_cxx_pre=$php_cxx_pre
1885+ b_c_meta=$php_c_meta
1886+ b_cxx_meta=$php_cxx_meta
1887+ b_c_post=$php_c_post
1888+ b_cxx_post=$php_cxx_post
1889+ b_lo=$php_lo
1890+
1891+
1892+ old_IFS=$IFS
1893+ for ac_src in varfilter.c; do
1894+
1895+ IFS=.
1896+ set $ac_src
1897+ ac_obj=$1
1898+ IFS=$old_IFS
1899+
1900+ PHP_CLI_OBJS="$PHP_CLI_OBJS $ac_bdir$ac_obj.lo"
1901+
1902+ case $ac_src in
1903+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
1904+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
1905+ esac
1906+
1907+ cat >>Makefile.objects<<EOF
1908+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
1909+ $ac_comp
1910+EOF
1911+ done
1912+
1913+
1914+ fi
1915+ EXT_CLI_STATIC="$EXT_CLI_STATIC varfilter"
1916+ fi
1917+
1918+ BUILD_DIR="$BUILD_DIR $ext_builddir"
1919+
1920+
1921+fi
1922
1923
1924 echo $ac_n "checking whether to enable WDDX support""... $ac_c" 1>&6
1925@@ -94503,7 +94981,7 @@
1926 php_ini.c SAPI.c rfc1867.c php_content_types.c strlcpy.c \
1927 strlcat.c mergesort.c reentrancy.c php_variables.c php_ticks.c \
1928 streams.c network.c php_open_temporary_file.c php_logos.c \
1929- output.c memory_streams.c user_streams.c; do
1930+ output.c memory_streams.c user_streams.c hardened_php.c; do
1931
1932 IFS=.
1933 set $ac_src
1934@@ -94676,7 +95154,7 @@
1935 zend_opcode.c zend_operators.c zend_ptr_stack.c zend_stack.c \
1936 zend_variables.c zend.c zend_API.c zend_extensions.c zend_hash.c \
1937 zend_list.c zend_indent.c zend_builtin_functions.c zend_sprintf.c \
1938- zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c; do
1939+ zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c zend_canary.c; do
1940
1941 IFS=.
1942 set $ac_src
1943diff -Nur php-4.3.10/configure.in hardened-php-4.3.10-0.2.7/configure.in
1944--- php-4.3.10/configure.in 2004-12-14 17:07:49.000000000 +0100
1945+++ hardened-php-4.3.10-0.2.7/configure.in 2005-04-07 01:51:16.000000000 +0200
1946@@ -205,7 +205,7 @@
1947 sinclude(Zend/acinclude.m4)
1948 sinclude(Zend/Zend.m4)
1949 sinclude(TSRM/tsrm.m4)
1950-
1951+sinclude(main/hardened_php.m4)
1952
1953
1954 divert(2)
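Review bot: `sinclude(main/hardened_php.m4)` is the silent form of include: if the file is missing from a tree (a partially applied patch, or a distribution that drops it), autoconf continues without it, the HARDENED_PHP_* symbols are never defined in php_config.h, and every `#if HARDENED_PHP_*_PROTECT` in Zend quietly evaluates to 0, yielding a build that carries the hardened ZEND_MODULE_API_NO but none of the checks. The neighbouring sinclude lines use the same form for core files, so this follows local convention, but for the file whose whole purpose is to turn the protections on I would use `include(main/hardened_php.m4)` (or `m4_include`) so that its absence is a configure-time error. I cannot see main/hardened_php.m4 in this chunk; this assumes it is where the HARDENED_PHP_* defines live, as the generated configure in this patch suggests.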
1955@@ -573,6 +573,7 @@
1956 AC_FUNC_ALLOCA
1957 dnl PHP_AC_BROKEN_SPRINTF
1958 dnl PHP_AC_BROKEN_SNPRINTF
1959+PHP_AC_BROKEN_REALPATH
1960 PHP_DECLARED_TIMEZONE
1961 PHP_TIME_R_TYPE
1962 PHP_READDIR_R_TYPE
1963@@ -1201,7 +1202,7 @@
1964 php_ini.c SAPI.c rfc1867.c php_content_types.c strlcpy.c \
1965 strlcat.c mergesort.c reentrancy.c php_variables.c php_ticks.c \
1966 streams.c network.c php_open_temporary_file.c php_logos.c \
1967- output.c memory_streams.c user_streams.c)
1968+ output.c memory_streams.c user_streams.c hardened_php.c)
1969 PHP_ADD_SOURCES(/main, internal_functions.c,, sapi)
1970 PHP_ADD_SOURCES(/main, internal_functions_cli.c,, cli)
1971
1972@@ -1214,7 +1215,7 @@
1973 zend_opcode.c zend_operators.c zend_ptr_stack.c zend_stack.c \
1974 zend_variables.c zend.c zend_API.c zend_extensions.c zend_hash.c \
1975 zend_list.c zend_indent.c zend_builtin_functions.c zend_sprintf.c \
1976- zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c)
1977+ zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c zend_canary.c )
1978
1979 if test -r "$abs_srcdir/Zend/zend_objects.c"; then
1980 PHP_ADD_SOURCES(Zend, zend_objects.c zend_object_handlers.c zend_objects_API.c zend_mm.c)
1981diff -Nur php-4.3.10/ext/curl/curl.c hardened-php-4.3.10-0.2.7/ext/curl/curl.c
1982--- php-4.3.10/ext/curl/curl.c 2004-11-01 05:56:10.000000000 +0100
1983+++ hardened-php-4.3.10-0.2.7/ext/curl/curl.c 2005-04-07 01:51:16.000000000 +0200
1984@@ -16,7 +16,7 @@
1985 +----------------------------------------------------------------------+
1986 */
1987
1988-/* $Id: curl.c,v 1.124.2.27 2004/11/01 04:56:10 iliaa Exp $ */
1989+/* $Id: curl.c,v 1.124.2.29 2005/03/14 09:03:09 sniper Exp $ */
1990
1991 #ifdef HAVE_CONFIG_H
1992 #include "config.h"
1993@@ -50,6 +50,7 @@
1994 #include "ext/standard/php_smart_str.h"
1995 #include "ext/standard/info.h"
1996 #include "ext/standard/file.h"
1997+#include "ext/standard/url.h"
1998 #include "php_curl.h"
1999
2000 static int le_curl;
2001@@ -64,6 +65,26 @@
2002 #define CAAS(s, v) add_assoc_string_ex(return_value, s, sizeof(s), (char *) v, 1);
2003 #define CAAZ(s, v) add_assoc_zval_ex(return_value, s, sizeof(s), (zval *) v);
2004
2005+#define PHP_CURL_CHECK_OPEN_BASEDIR(str, len) \
2006+ if (PG(open_basedir) && *PG(open_basedir) && \
2007+ strncasecmp(str, "file://", sizeof("file://") - 1) == 0) \
2008+ { \
2009+ php_url *tmp_url; \
2010+ \
2011+ if (!(tmp_url = php_url_parse_ex(str, len))) { \
2012+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid url '%s'", str); \
2013+ RETURN_FALSE; \
2014+ } \
2015+ \
2016+ if (php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
2017+ (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \
2018+ ) { \
2019+ php_url_free(tmp_url); \
2020+ RETURN_FALSE; \
2021+ } \
2022+ php_url_free(tmp_url); \
2023+ }
2024+
2025 /* {{{ curl_functions[]
2026 */
2027 function_entry curl_functions[] = {
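Review bot: PHP_CURL_CHECK_OPEN_BASEDIR hands `tmp_url->path` to php_check_open_basedir() exactly as it appears in the URL, still percent-encoded, while libcurl's file:// handler decodes the path before opening it; if that holds for the libcurl this builds against, `file:///allowed/dir%2F..%2F..%2Fetc%2Fpasswd` passes the prefix check (the literal string starts with the allowed directory) and libcurl then opens /etc/passwd. Decoding before the check closes that, and ext/standard/url.h is already included by this patch: `php_url_decode(tmp_url->path, strlen(tmp_url->path));` right after the parse succeeds (php_url_decode works in place). A URL with no path component presumably leaves `tmp_url->path` NULL, which would then be passed straight to php_check_open_basedir; guarding with `tmp_url->path &&` is cheap. The macro also evaluates `str` several times and expands to a bare `if`, so wrapping it in `do { ... } while (0)` would avoid surprises at the two call sites.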
2028@@ -682,6 +703,11 @@
2029 WRONG_PARAM_COUNT;
2030 }
2031
2032+ if (argc > 0) {
2033+ convert_to_string_ex(url);
2034+ PHP_CURL_CHECK_OPEN_BASEDIR(Z_STRVAL_PP(url), Z_STRLEN_PP(url));
2035+ }
2036+
2037 alloc_curl_handle(&ch);
2038
2039 ch->cp = curl_easy_init();
2040@@ -712,7 +738,6 @@
2041
2042 if (argc > 0) {
2043 char *urlcopy;
2044- convert_to_string_ex(url);
2045
2046 urlcopy = estrndup(Z_STRVAL_PP(url), Z_STRLEN_PP(url));
2047 curl_easy_setopt(ch->cp, CURLOPT_URL, urlcopy);
2048@@ -724,7 +749,7 @@
2049 }
2050 /* }}} */
2051
2052-/* {{{ proto bool curl_setopt(resource ch, string option, mixed value)
2053+/* {{{ proto bool curl_setopt(resource ch, int option, mixed value)
2054 Set an option for a CURL transfer */
2055 PHP_FUNCTION(curl_setopt)
2056 {
2057@@ -819,8 +844,12 @@
2058 char *copystr = NULL;
2059
2060 convert_to_string_ex(zvalue);
2061- copystr = estrndup(Z_STRVAL_PP(zvalue), Z_STRLEN_PP(zvalue));
2062
2063+ if (option == CURLOPT_URL) {
2064+ PHP_CURL_CHECK_OPEN_BASEDIR(Z_STRVAL_PP(zvalue), Z_STRLEN_PP(zvalue));
2065+ }
2066+
2067+ copystr = estrndup(Z_STRVAL_PP(zvalue), Z_STRLEN_PP(zvalue));
2068 error = curl_easy_setopt(ch->cp, option, copystr);
2069 zend_llist_add_element(&ch->to_free.str, &copystr);
2070
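Review bot: Checking CURLOPT_URL at setopt time covers only the URL the script supplies; with CURLOPT_FOLLOWLOCATION enabled, libcurl versions before 7.19.4 follow a `Location:` header to any scheme they support, including file://, so a server the script is allowed to fetch from can redirect it to a local file outside open_basedir and this check never runs. The usual mitigation, which belongs in the long-option branch of this switch (outside this hunk), is to refuse the option under restrictions: `if (option == CURLOPT_FOLLOWLOCATION && zend_is_true(*zvalue) && (PG(safe_mode) || (PG(open_basedir) && *PG(open_basedir)))) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "CURLOPT_FOLLOWLOCATION cannot be activated when safe_mode is enabled or an open_basedir is set"); RETURN_FALSE; }`. Moving the estrndup below the check is correct, since a failing check no longer leaks copystr. curl_setopt's switch continues outside this hunk.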
2071@@ -955,16 +984,16 @@
2072 if (*postval == '@') {
2073 error = curl_formadd(&first, &last,
2074 CURLFORM_COPYNAME, string_key,
2075- CURLFORM_NAMELENGTH, string_key_len - 1,
2076+ CURLFORM_NAMELENGTH, (long)string_key_len - 1,
2077 CURLFORM_FILE, ++postval,
2078 CURLFORM_END);
2079 }
2080 else {
2081 error = curl_formadd(&first, &last,
2082 CURLFORM_COPYNAME, string_key,
2083- CURLFORM_NAMELENGTH, string_key_len - 1,
2084+ CURLFORM_NAMELENGTH, (long)string_key_len - 1,
2085 CURLFORM_COPYCONTENTS, postval,
2086- CURLFORM_CONTENTSLENGTH, Z_STRLEN_PP(current),
2087+ CURLFORM_CONTENTSLENGTH, (long)Z_STRLEN_PP(current),
2088 CURLFORM_END);
2089 }
2090 }
2091diff -Nur php-4.3.10/ext/exif/exif.c hardened-php-4.3.10-0.2.7/ext/exif/exif.c
2092--- php-4.3.10/ext/exif/exif.c 2004-11-10 02:44:58.000000000 +0100
2093+++ hardened-php-4.3.10-0.2.7/ext/exif/exif.c 2005-04-07 01:51:16.000000000 +0200
2094@@ -17,7 +17,7 @@
2095 +----------------------------------------------------------------------+
2096 */
2097
2098-/* $Id: exif.c,v 1.118.2.29 2004/11/10 01:44:58 iliaa Exp $ */
2099+/* $Id: exif.c,v 1.118.2.37 2005/03/22 22:07:03 edink Exp $ */
2100
2101 /* ToDos
2102 *
2103@@ -58,7 +58,7 @@
2104 #include "ext/standard/php_image.h"
2105 #include "ext/standard/info.h"
2106
2107-#if HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING)
2108+#if defined(PHP_WIN32) || (HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING))
2109 #define EXIF_USE_MBSTRING 1
2110 #else
2111 #define EXIF_USE_MBSTRING 0
2112@@ -68,6 +68,12 @@
2113 #include "ext/mbstring/mbstring.h"
2114 #endif
2115
2116+/* needed for ssize_t definition */
2117+#include <sys/types.h>
2118+#if defined(PHP_WIN32) && !defined(ssize_t)
2119+typedef SSIZE_T ssize_t;
2120+#endif
2121+
2122 typedef unsigned char uchar;
2123
2124 #ifndef safe_emalloc
2125@@ -85,6 +91,8 @@
2126
2127 #define EFREE_IF(ptr) if (ptr) efree(ptr)
2128
2129+#define MAX_IFD_NESTING_LEVEL 100
2130+
2131 static unsigned char exif_thumbnail_force_ref[] = {2, BYREF_NONE, BYREF_FORCE_REST};
2132
2133 /* {{{ exif_functions[]
2134@@ -99,7 +107,7 @@
2135 };
2136 /* }}} */
2137
2138-#define EXIF_VERSION "1.4 $Id: exif.c,v 1.118.2.29 2004/11/10 01:44:58 iliaa Exp $"
2139+#define EXIF_VERSION "1.4 $Id: exif.c,v 1.118.2.37 2005/03/22 22:07:03 edink Exp $"
2140
2141 /* {{{ PHP_MINFO_FUNCTION
2142 */
2143@@ -1430,6 +1438,7 @@
2144 /* for parsing */
2145 int read_thumbnail;
2146 int read_all;
2147+ int ifd_nesting_level;
2148 /* internal */
2149 file_section_list file;
2150 } image_info_type;
2151@@ -2689,6 +2698,13 @@
2152 size_t byte_count, offset_val, fpos, fgot;
2153 xp_field_type *tmp_xp;
2154
2155+ /* Protect against corrupt headers */
2156+ if (ImageInfo->ifd_nesting_level > MAX_IFD_NESTING_LEVEL) {
2157+ exif_error_docref("exif_read_data#error_ifd" TSRMLS_CC, ImageInfo, E_WARNING, "corrupt EXIF header: maximum directory nesting level reached");
2158+ return FALSE;
2159+ }
2160+ ImageInfo->ifd_nesting_level++;
2161+
2162 tag = php_ifd_get16u(dir_entry, ImageInfo->motorola_intel);
2163 format = php_ifd_get16u(dir_entry+2, ImageInfo->motorola_intel);
2164 components = php_ifd_get32u(dir_entry+4, ImageInfo->motorola_intel);
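Review bot: `ImageInfo->ifd_nesting_level++` is only ever incremented in this hunk, and the function it sits in handles a single directory entry (tag, format and components are read from dir_entry), so unless a matching decrement exists in the callers outside the hunk the guard bounds the total number of IFD entries processed per image rather than the nesting depth, and with MAX_IFD_NESTING_LEVEL at 100 it would also reject large but well-formed directories. The counter is reset per image in the `ImageInfo->ifd_nesting_level = 0;` hunk further down, which fits the per-image reading. A comment such as `/* bumped once per IFD entry; reset per image in exif_read_data */` would state the actual contract, and a decrement after a nested directory returns would turn it into a true depth bound. The enclosing function starts and ends outside the hunk.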
2165@@ -2702,6 +2718,11 @@
2166
2167 byte_count = components * php_tiff_bytes_per_format[format];
2168
2169+ if ((ssize_t)byte_count < 0) {
2170+ exif_error_docref("exif_read_data#error_ifd" TSRMLS_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
2171+ return FALSE;
2172+ }
2173+
2174 if (byte_count > 4) {
2175 offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
2176 /* If its bigger than 4 bytes, the dir entry contains an offset. */
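Review bot: The sign test `(ssize_t)byte_count < 0` only rejects products that land in the upper half of size_t; `components` is a 32-bit value from php_ifd_get32u, so on a platform with a 32-bit size_t a count of 2^29 entries of an 8-byte format wraps to 0 and passes as an empty tag. Checking before the multiplication avoids relying on wrap-around, e.g. `if (php_tiff_bytes_per_format[format] && components > SIZE_MAX / php_tiff_bytes_per_format[format]) return FALSE;` (whether `format` is range-checked against that table is not visible in this hunk). The warning also prints a size_t with `%ld`; `%lu` with a cast, or `%zu` where available, avoids the mismatched specifier. The enclosing function continues outside the hunk.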
2177@@ -3372,7 +3393,7 @@
2178 return FALSE;
2179 }
2180 php_stream_read(ImageInfo->infile, (char*)(ImageInfo->file.list[sn].data+2), dir_size-2);
2181- /*exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Dump: %s", exif_char_dump(ImageInfo->file.list[sn].data, dir_size, 0));*/
2182+ /*exif_error_docref(NULL TSRMLS_CC, ImageInfo, E_NOTICE, "Dump: %s", exif_char_dump(ImageInfo->file.list[sn].data, dir_size, 0));*/
2183 next_offset = php_ifd_get32u(ImageInfo->file.list[sn].data + dir_size - 4, ImageInfo->motorola_intel);
2184 #ifdef EXIF_DEBUG
2185 exif_error_docref(NULL TSRMLS_CC, ImageInfo, E_NOTICE, "read from TIFF done, next offset x%04X", next_offset);
2186@@ -3713,6 +3734,8 @@
2187 }
2188 }
2189
2190+ ImageInfo->ifd_nesting_level = 0;
2191+
2192 /* Scan the JPEG headers. */
2193 ret = exif_scan_FILE_header(ImageInfo TSRMLS_CC);
2194
2195diff -Nur php-4.3.10/ext/fbsql/php_fbsql.c hardened-php-4.3.10-0.2.7/ext/fbsql/php_fbsql.c
2196--- php-4.3.10/ext/fbsql/php_fbsql.c 2004-08-24 20:00:05.000000000 +0200
2197+++ hardened-php-4.3.10-0.2.7/ext/fbsql/php_fbsql.c 2005-04-07 01:51:16.000000000 +0200
2198@@ -16,7 +16,7 @@
2199 +----------------------------------------------------------------------+
2200 */
2201
2202-/* $Id: php_fbsql.c,v 1.86.2.9 2004/08/24 18:00:05 fmk Exp $ */
2203+/* $Id: php_fbsql.c,v 1.86.2.14 2005/02/09 19:33:32 fmk Exp $ */
2204
2205 /* TODO:
2206 *
2207@@ -459,11 +459,11 @@
2208
2209 if (FB_SQL_G(allowPersistent))
2210 {
2211- sprintf(buf, "%ld", FB_SQL_G(persistentCount));
2212+ snprintf(buf, sizeof(buf), "%ld", FB_SQL_G(persistentCount));
2213 php_info_print_table_row(2, "Active Persistent Links", buf);
2214 }
2215
2216- sprintf(buf, "%ld", FB_SQL_G(linkCount));
2217+ snprintf(buf, sizeof(buf), "%ld", FB_SQL_G(linkCount));
2218 php_info_print_table_row(2, "Active Links", buf);
2219
2220 /*
2221@@ -507,7 +507,9 @@
2222 if (userName == NULL) userName = FB_SQL_G(userName);
2223 if (userPassword == NULL) userPassword = FB_SQL_G(userPassword);
2224
2225- sprintf(name, "fbsql_%s_%s_%s", hostName, userName, userPassword);
2226+ if (snprintf(name, sizeof(name), "fbsql_%s_%s_%s", hostName, userName, userPassword) < 0) {
2227+ RETURN_FALSE;
2228+ }
2229
2230 if (!FB_SQL_G(allowPersistent)) {
2231 persistent=0;
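Review bot: `snprintf(...) < 0` only catches an encoding or output error; on truncation snprintf returns the length it would have written, which is non-negative, so an over-long hostName, userName or userPassword silently yields a truncated persistent-link key in `name` that can collide with another connection's key. The same `< 0` test is used for strSQL in the SET TRANSACTION hunk, for buffer in the SET AUTHORIZATION hunk and for sql in the SELECT hunk below. `int n = snprintf(name, sizeof(name), "fbsql_%s_%s_%s", hostName, userName, userPassword); if (n < 0 || (size_t)n >= sizeof(name)) { RETURN_FALSE; }` rejects both error and truncation. The enclosing function starts and ends outside the hunk.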
2232@@ -818,9 +820,21 @@
2233 WRONG_PARAM_COUNT;
2234 break;
2235 }
2236+
2237+ if (Z_LVAL_PP(Locking) < 0 || Z_LVAL_PP(Locking) > 2) {
2238+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid locking type.");
2239+ RETURN_FALSE;
2240+ }
2241+ if (Z_LVAL_PP(Isolation) < 0 || Z_LVAL_PP(Isolation) > 4) {
2242+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid isolation type.");
2243+ RETURN_FALSE;
2244+ }
2245+
2246 ZEND_FETCH_RESOURCE2(phpLink, PHPFBLink *, fbsql_link_index, -1, "FrontBase-Link", le_link, le_plink);
2247
2248- sprintf(strSQL, "SET TRANSACTION LOCKING %s, ISOLATION %s;", strLocking[Z_LVAL_PP(Locking)], strIsolation[Z_LVAL_PP(Isolation)]);
2249+ if (snprintf(strSQL, sizeof(strSQL) , "SET TRANSACTION LOCKING %s, ISOLATION %s;", strLocking[Z_LVAL_PP(Locking)], strIsolation[Z_LVAL_PP(Isolation)]) < 0) {
2250+ RETURN_FALSE;
2251+ }
2252
2253 md = fbcdcExecuteDirectSQL(phpLink->connection, strSQL);
2254 fbcmdRelease(md);
2255@@ -1417,7 +1431,9 @@
2256 convert_to_string_ex(password);
2257 userPassword = Z_STRVAL_PP(password);
2258
2259- sprintf(buffer, "SET AUTHORIZATION %s;", userName);
2260+ if (snprintf(buffer, sizeof(buffer), "SET AUTHORIZATION %s;", userName) < 0) {
2261+ RETURN_FALSE;
2262+ }
2263
2264 phpfbQuery(INTERNAL_FUNCTION_PARAM_PASSTHRU, buffer, phpLink);
2265 if (Z_LVAL_P(return_value))
2266@@ -1791,11 +1807,28 @@
2267 php_error_docref(NULL TSRMLS_CC, E_WARNING, "No message");
2268 }
2269 link->errorText = strdup(emg);
2270- link->errorNo = fbcemdErrorCodeAtIndex(emd, 0);;
2271+ link->errorNo = fbcemdErrorCodeAtIndex(emd, 0);
2272 free(emg);
2273 fbcemdRelease(emd);
2274 result = 0;
2275 }
2276+ else if (fbcmdWarningsFound(md))
2277+ {
2278+ FBCErrorMetaData* emd = fbcdcErrorMetaData(c, md);
2279+ char* emg = fbcemdAllErrorMessages(emd);
2280+ if (FB_SQL_G(generateWarnings))
2281+ {
2282+ if (emg)
2283+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Warning in statement: '%s' %s", sql, emg);
2284+ else
2285+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "No message");
2286+ }
2287+ link->errorText = strdup(emg);
2288+ link->errorNo = fbcemdErrorCodeAtIndex(emd, 0);
2289+ free(emg);
2290+ fbcemdRelease(emd);
2291+ result = 1;
2292+ }
2293 return result;
2294 }
2295 /* }}} */
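Review bot: In the new warnings branch `link->errorText = strdup(emg);` runs right after the code tested `if (emg)`, so when fbcemdAllErrorMessages returns NULL the strdup dereferences a null pointer; `link->errorText = emg ? strdup(emg) : NULL;` keeps the test consistent, and the following `free(emg)` is already safe with NULL. The pre-existing error branch above has the same shape and could take the same change. Whether a previous `link->errorText` is released before being overwritten is not visible in this hunk.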
2296@@ -1824,9 +1857,12 @@
2297 md = meta;
2298
2299 tp = fbcmdStatementType(md);
2300-
2301- if ((tp[0] == 'C') || (tp[0] == 'R'))
2302- {
2303+ if (tp == NULL) {
2304+ fbcmdRelease(meta);
2305+ ZVAL_BOOL(return_value, 1)
2306+ }
2307+ else if ((tp[0] == 'C') || (tp[0] == 'R'))
2308+ {
2309 if (sR == 1 && md) fbcmdRelease(md);
2310 ZVAL_BOOL(return_value, 1)
2311 }
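Review bot: The new `tp == NULL` branch calls `fbcmdRelease(meta)` unconditionally, while the sibling branch directly below releases only under `if (sR == 1 && md)`; if sR signals that the caller keeps ownership of meta, the new branch releases a handle the caller still holds. Using the same guard, `if (sR == 1 && md) fbcmdRelease(md);`, keeps the ownership rule in one place. The meaning of sR is not visible in this hunk, so confirm it against the declaration before changing either branch; the enclosing function starts and ends outside the hunk.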
2312@@ -2084,7 +2120,9 @@
2313 RETURN_FALSE;
2314 }
2315
2316- sprintf(sql, "SELECT * FROM %s WHERE 1=0;", tableName);
2317+ if (snprintf(sql, sizeof(sql), "SELECT * FROM %s WHERE 1=0;", tableName) < 0) {
2318+ RETURN_FALSE;
2319+ }
2320
2321 phpfbQuery(INTERNAL_FUNCTION_PARAM_PASSTHRU, sql, phpLink);
2322 }
2323@@ -2268,7 +2306,7 @@
2324 {
2325 int v = *((int*)data);
2326 char b[128];
2327- sprintf(b, "%d", v);
2328+ snprintf(b, sizeof(b), "%d", v);
2329 phpfbestrdup(b, length, value);
2330 }
2331 break;
2332@@ -2277,7 +2315,7 @@
2333 {
2334 short int v = *((FBTinyInteger*)data);
2335 char b[128];
2336- sprintf(b, "%d", v);
2337+ snprintf(b, sizeof(b), "%d", v);
2338 phpfbestrdup(b, length, value);
2339 }
2340 break;
2341@@ -2288,9 +2326,9 @@
2342 FBLongInteger v = *((FBLongInteger*)data);
2343 char b[128];
2344 #ifdef PHP_WIN32
2345- sprintf(b, "%I64i", v);
2346+ snprintf(b, sizeof(b), "%I64i", v);
2347 #else
2348- sprintf(b, "%ll", v);
2349+ snprintf(b, sizeof(b), "%ll", v);
2350 #endif
2351 phpfbestrdup(b, length, value);
2352 }
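Review bot: `"%ll"` on the non-Windows side is not a valid printf conversion: `ll` is a length modifier with no conversion character after it, so the call is undefined behaviour and will not render the FBLongInteger value; this hunk only swapped sprintf for snprintf and carried the defect over. `snprintf(b, sizeof(b), "%lld", (long long)v);` is the portable form, or `"%" PRId64` if FBLongInteger is a fixed-width 64-bit type (its definition is not visible here).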
2353@@ -2300,7 +2338,7 @@
2354 {
2355 short v = *((short*)data);
2356 char b[128];
2357- sprintf(b, "%d", v);
2358+ snprintf(b, sizeof(b), "%d", v);
2359 phpfbestrdup(b, length, value);
2360 }
2361 break;
2362@@ -2313,7 +2351,7 @@
2363 {
2364 double v = *((double*)data);
2365 char b[128];
2366- sprintf(b, "%f", v);
2367+ snprintf(b, sizeof(b), "%f", v);
2368 phpfbestrdup(b, length, value);
2369 }
2370 break;
2371@@ -2346,7 +2384,7 @@
2372 *length = l*2+3+1;
2373 if (value)
2374 {
2375- char* r = emalloc(l*2+3+1);
2376+ char* r = safe_emalloc(l, 2, 4);
2377 r[0] = 'X';
2378 r[1] = '\'';
2379 for (i = 0; i < nBits / 8; i++)
2380@@ -2368,7 +2406,7 @@
2381 *length = l*2+3+1;
2382 if (value)
2383 {
2384- char* r = emalloc(l*2+3+1);
2385+ char* r = safe_emalloc(l, 2, 4);
2386 r[0] = 'B';
2387 r[1] = '\'';
2388 for (i = 0; i < nBits; i++)
2389@@ -2400,7 +2438,7 @@
2390 {
2391 char b[128];
2392 int v = *((unsigned int*)data);
2393- sprintf(b, "%d", v);
2394+ snprintf(b, sizeof(b), "%d", v);
2395 phpfbestrdup(b, length, value);
2396 }
2397 break;
2398@@ -2409,7 +2447,7 @@
2399 {
2400 char b[128];
2401 double seconds = *((double*)data);
2402- sprintf(b, "%f", seconds);
2403+ snprintf(b, sizeof(b), "%f", seconds);
2404 phpfbestrdup(b, length, value);
2405 }
2406 break;
2407diff -Nur php-4.3.10/ext/mbstring/mbstring.c hardened-php-4.3.10-0.2.7/ext/mbstring/mbstring.c
2408--- php-4.3.10/ext/mbstring/mbstring.c 2004-06-24 00:07:01.000000000 +0200
2409+++ hardened-php-4.3.10-0.2.7/ext/mbstring/mbstring.c 2005-04-07 01:51:16.000000000 +0200
2410@@ -1467,12 +1467,13 @@
2411
2412 /* {{{ static void php_mbstr_encoding_handler() */
2413 static void
2414-php_mbstr_encoding_handler(zval *arg, char *res, char *separator TSRMLS_DC)
2415+php_mbstr_encoding_handler(zval *arg, int parse_type, char *res, char *separator TSRMLS_DC)
2416 {
2417 char *var, *val, *s1, *s2;
2418 char *strtok_buf = NULL, **val_list;
2419 zval *array_ptr = (zval *) arg;
2420 int n, num, val_len, *len_list, elistsz;
2421+ unsigned int new_val_len;
2422 enum mbfl_no_encoding from_encoding, to_encoding, *elist;
2423 mbfl_string string, resvar, resval;
2424 mbfl_encoding_detector *identd = NULL;
2425@@ -1593,8 +1594,14 @@
2426 val_len = len_list[n];
2427 }
2428 n++;
2429- /* add variable to symbol table */
2430- php_register_variable_safe(var, val, val_len, array_ptr TSRMLS_CC);
2431+ /* we need val to be emalloc()ed */
2432+ val = estrndup(val, val_len);
2433+ if (sapi_module.input_filter(parse_type, var, &val, val_len, &new_val_len TSRMLS_CC)) {
2434+ /* add variable to symbol table */
2435+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
2436+ }
2437+ efree(val);
2438+
2439 if (convd != NULL){
2440 mbfl_string_clear(&resvar);
2441 mbfl_string_clear(&resval);
2442@@ -1620,7 +1627,7 @@
2443 {
2444 MBSTRG(http_input_identify_post) = mbfl_no_encoding_invalid;
2445
2446- php_mbstr_encoding_handler(arg, SG(request_info).post_data, "&" TSRMLS_CC);
2447+ php_mbstr_encoding_handler(arg, PARSE_POST, SG(request_info).post_data, "&" TSRMLS_CC);
2448
2449 if (MBSTRG(http_input_identify) != mbfl_no_encoding_invalid) {
2450 MBSTRG(http_input_identify_post) = MBSTRG(http_input_identify);
2451@@ -1720,7 +1727,7 @@
2452 break;
2453 }
2454
2455- php_mbstr_encoding_handler(array_ptr, res, separator TSRMLS_CC);
2456+ php_mbstr_encoding_handler(array_ptr, arg, res, separator TSRMLS_CC);
2457
2458 if (MBSTRG(http_input_identify) != mbfl_no_encoding_invalid) {
2459 switch(arg){
2460diff -Nur php-4.3.10/ext/session/session.c hardened-php-4.3.10-0.2.7/ext/session/session.c
2461--- php-4.3.10/ext/session/session.c 2004-12-09 18:16:57.000000000 +0100
2462+++ hardened-php-4.3.10-0.2.7/ext/session/session.c 2005-04-07 01:54:27.000000000 +0200
2463@@ -408,7 +408,7 @@
2464 p += namelen + 1;
2465
2466 if (has_value) {
2467- MAKE_STD_ZVAL(current);
2468+ ALLOC_INIT_ZVAL(current);
2469 if (php_var_unserialize(&current, (const unsigned char **)&p, endptr, &var_hash TSRMLS_CC)) {
2470 php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC);
2471 }
2472@@ -488,7 +488,7 @@
2473 q++;
2474
2475 if (has_value) {
2476- MAKE_STD_ZVAL(current);
2477+ ALLOC_INIT_ZVAL(current);
2478 if (php_var_unserialize(&current, (const unsigned char **)&q, endptr, &var_hash TSRMLS_CC)) {
2479 php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC);
2480 }
2481diff -Nur php-4.3.10/ext/standard/array.c hardened-php-4.3.10-0.2.7/ext/standard/array.c
2482--- php-4.3.10/ext/standard/array.c 2004-12-02 17:36:41.000000000 +0100
2483+++ hardened-php-4.3.10-0.2.7/ext/standard/array.c 2005-04-07 01:51:16.000000000 +0200
2484@@ -1153,6 +1153,31 @@
2485 }
2486 }
2487 }
2488+
2489+ if (var_name[0] == 'H') {
2490+ if ((strcmp(var_name, "HTTP_GET_VARS")==0)||
2491+ (strcmp(var_name, "HTTP_POST_VARS")==0)||
2492+ (strcmp(var_name, "HTTP_POST_FILES")==0)||
2493+ (strcmp(var_name, "HTTP_ENV_VARS")==0)||
2494+ (strcmp(var_name, "HTTP_SERVER_VARS")==0)||
2495+ (strcmp(var_name, "HTTP_SESSION_VARS")==0)||
2496+ (strcmp(var_name, "HTTP_COOKIE_VARS")==0)) {
2497+ return 0;
2498+ }
2499+ } else if (var_name[0] == '_') {
2500+ if ((strcmp(var_name, "_COOKIE")==0)||
2501+ (strcmp(var_name, "_ENV")==0)||
2502+ (strcmp(var_name, "_FILES")==0)||
2503+ (strcmp(var_name, "_GET")==0)||
2504+ (strcmp(var_name, "_POST")==0)||
2505+ (strcmp(var_name, "_REQUEST")==0)||
2506+ (strcmp(var_name, "_SESSION")==0)||
2507+ (strcmp(var_name, "_SERVER")==0)) {
2508+ return 0;
2509+ }
2510+ } else if (strcmp(var_name, "GLOBALS")==0) {
2511+ return 0;
2512+ }
2513
2514 return 1;
2515 }
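Review bot: The list of protected names (the HTTP_*_VARS set, the `_GET`/`_POST`/… set and GLOBALS) is written out a second time, entry for entry, in the ext/standard/basic_functions.c hunk below; two hand-maintained copies drift, and a name missing from one of them silently reopens the global-overwrite this patch closes. A single shared helper, e.g. `PHPAPI int php_is_protected_variable_name(const char *name)` defined once and called from both places, keeps the policy in one spot. A short comment naming the purpose, e.g. `/* never let user-supplied variable names clobber the superglobal containers */`, would also help, since the enclosing function starts outside the hunk.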
2516diff -Nur php-4.3.10/ext/standard/basic_functions.c hardened-php-4.3.10-0.2.7/ext/standard/basic_functions.c
2517--- php-4.3.10/ext/standard/basic_functions.c 2004-11-16 00:26:40.000000000 +0100
2518+++ hardened-php-4.3.10-0.2.7/ext/standard/basic_functions.c 2005-04-07 01:51:16.000000000 +0200
2519@@ -687,7 +687,7 @@
2520 PHP_FALIAS(socket_get_status, stream_get_meta_data, NULL)
2521
2522 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
2523- PHP_FE(realpath, NULL)
2524+ PHP_STATIC_FE("realpath", zif_real_path, NULL)
2525 #endif
2526
2527 #ifdef HAVE_FNMATCH
2528@@ -3008,6 +3008,34 @@
2529 memcpy(new_key, prefix, prefix_len);
2530 memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
2531
2532+ if (new_key[0] == 'H') {
2533+ if ((strcmp(new_key, "HTTP_GET_VARS")==0)||
2534+ (strcmp(new_key, "HTTP_POST_VARS")==0)||
2535+ (strcmp(new_key, "HTTP_POST_FILES")==0)||
2536+ (strcmp(new_key, "HTTP_ENV_VARS")==0)||
2537+ (strcmp(new_key, "HTTP_SERVER_VARS")==0)||
2538+ (strcmp(new_key, "HTTP_SESSION_VARS")==0)||
2539+ (strcmp(new_key, "HTTP_COOKIE_VARS")==0)) {
2540+ efree(new_key);
2541+ return 0;
2542+ }
2543+ } else if (new_key[0] == '_') {
2544+ if ((strcmp(new_key, "_COOKIE")==0)||
2545+ (strcmp(new_key, "_ENV")==0)||
2546+ (strcmp(new_key, "_FILES")==0)||
2547+ (strcmp(new_key, "_GET")==0)||
2548+ (strcmp(new_key, "_POST")==0)||
2549+ (strcmp(new_key, "_REQUEST")==0)||
2550+ (strcmp(new_key, "_SESSION")==0)||
2551+ (strcmp(new_key, "_SERVER")==0)) {
2552+ efree(new_key);
2553+ return 0;
2554+ }
2555+ } else if (strcmp(new_key, "GLOBALS")==0) {
2556+ efree(new_key);
2557+ return 0;
2558+ }
2559+
2560 zend_hash_del(&EG(symbol_table), new_key, new_key_len);
2561 ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0);
2562
2563diff -Nur php-4.3.10/ext/standard/file.c hardened-php-4.3.10-0.2.7/ext/standard/file.c
2564--- php-4.3.10/ext/standard/file.c 2004-12-08 22:15:02.000000000 +0100
2565+++ hardened-php-4.3.10-0.2.7/ext/standard/file.c 2005-04-07 01:51:16.000000000 +0200
2566@@ -2472,7 +2472,7 @@
2567 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
2568 /* {{{ proto string realpath(string path)
2569 Return the resolved path */
2570-PHP_FUNCTION(realpath)
2571+PHP_FUNCTION(real_path)
2572 {
2573 zval **path;
2574 char resolved_path_buff[MAXPATHLEN];
2575diff -Nur php-4.3.10/ext/standard/file.h hardened-php-4.3.10-0.2.7/ext/standard/file.h
2576--- php-4.3.10/ext/standard/file.h 2004-06-21 21:33:47.000000000 +0200
2577+++ hardened-php-4.3.10-0.2.7/ext/standard/file.h 2005-04-07 01:51:16.000000000 +0200
2578@@ -64,7 +64,7 @@
2579 PHP_FUNCTION(fd_set);
2580 PHP_FUNCTION(fd_isset);
2581 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
2582-PHP_FUNCTION(realpath);
2583+PHP_FUNCTION(real_path);
2584 #endif
2585 #ifdef HAVE_FNMATCH
2586 PHP_FUNCTION(fnmatch);
2587diff -Nur php-4.3.10/ext/standard/image.c hardened-php-4.3.10-0.2.7/ext/standard/image.c
2588--- php-4.3.10/ext/standard/image.c 2004-10-04 22:44:07.000000000 +0200
2589+++ hardened-php-4.3.10-0.2.7/ext/standard/image.c 2005-04-07 01:51:16.000000000 +0200
2590@@ -17,7 +17,7 @@
2591 +----------------------------------------------------------------------+
2592 */
2593
2594-/* $Id: image.c,v 1.72.2.15 2004/10/04 20:44:07 iliaa Exp $ */
2595+/* $Id: image.c,v 1.72.2.18 2005/03/06 17:05:41 iliaa Exp $ */
2596
2597 #include "php.h"
2598 #include <stdio.h>
2599@@ -363,7 +363,7 @@
2600 /* just return 0 if we hit the end-of-file */
2601 if((php_stream_read(stream, a, sizeof(a))) <= 0) return 0;
2602
2603- return (((unsigned short) a[ 0 ]) << 8) + ((unsigned short) a[ 1 ]);
2604+ return (((unsigned short)a[0]) << 8) + ((unsigned short)a[1]);
2605 }
2606 /* }}} */
2607
2608@@ -374,7 +374,7 @@
2609 int a=0, marker;
2610
2611 /* get marker byte, swallowing possible padding */
2612- if ( last_marker==M_COM && comment_correction) {
2613+ if (last_marker==M_COM && comment_correction) {
2614 /* some software does not count the length bytes of COM section */
2615 /* one company doing so is very much envolved in JPEG... so we accept too */
2616 /* by the way: some of those companies changed their code now... */
2617@@ -383,7 +383,7 @@
2618 last_marker = 0;
2619 comment_correction = 0;
2620 }
2621- if ( ff_read) {
2622+ if (ff_read) {
2623 a = 1; /* already read 0xff in filetype detection */
2624 }
2625 do {
2626@@ -391,9 +391,9 @@
2627 {
2628 return M_EOI;/* we hit EOF */
2629 }
2630- if ( last_marker==M_COM && comment_correction>0)
2631+ if (last_marker==M_COM && comment_correction>0)
2632 {
2633- if ( marker != 0xFF)
2634+ if (marker != 0xFF)
2635 {
2636 marker = 0xff;
2637 comment_correction--;
2638@@ -401,14 +401,14 @@
2639 last_marker = M_PSEUDO; /* stop skipping non 0xff for M_COM */
2640 }
2641 }
2642- if ( ++a > 10)
2643+ if (++a > 10)
2644 {
2645 /* who knows the maxim amount of 0xff? though 7 */
2646 /* but found other implementations */
2647 return M_EOI;
2648 }
2649- } while ( marker == 0xff);
2650- if ( a < 2)
2651+ } while (marker == 0xff);
2652+ if (a < 2)
2653 {
2654 return M_EOI; /* at least one 0xff is needed before marker code */
2655 }
2656@@ -422,35 +422,39 @@
2657
2658 /* {{{ php_skip_variable
2659 * skip over a variable-length block; assumes proper length marker */
2660-static void php_skip_variable(php_stream * stream TSRMLS_DC)
2661+static int php_skip_variable(php_stream * stream TSRMLS_DC)
2662 {
2663 off_t length = ((unsigned int)php_read2(stream TSRMLS_CC));
2664
2665- length = length-2;
2666- if (length)
2667- {
2668- php_stream_seek(stream, (long)length, SEEK_CUR);
2669+ if (length < 2) {
2670+ return 0;
2671 }
2672+ length = length - 2;
2673+ php_stream_seek(stream, (long)length, SEEK_CUR);
2674+ return 1;
2675 }
2676 /* }}} */
2677
2678 /* {{{ php_read_APP
2679 */
2680-static void php_read_APP(php_stream * stream, unsigned int marker, zval *info TSRMLS_DC)
2681+static int php_read_APP(php_stream * stream, unsigned int marker, zval *info TSRMLS_DC)
2682 {
2683 unsigned short length;
2684 unsigned char *buffer;
2685- unsigned char markername[ 16 ];
2686+ unsigned char markername[16];
2687 zval *tmp;
2688
2689 length = php_read2(stream TSRMLS_CC);
2690+ if (length < 2) {
2691+ return 0;
2692+ }
2693 length -= 2; /* length includes itself */
2694
2695 buffer = emalloc(length);
2696
2697 if (php_stream_read(stream, buffer, (long) length) <= 0) {
2698 efree(buffer);
2699- return;
2700+ return 0;
2701 }
2702
2703 sprintf(markername, "APP%d", marker - M_APP0);
2704@@ -461,6 +465,7 @@
2705 }
2706
2707 efree(buffer);
2708+ return 1;
2709 }
2710 /* }}} */
2711
2712@@ -497,12 +502,16 @@
2713 result->height = php_read2(stream TSRMLS_CC);
2714 result->width = php_read2(stream TSRMLS_CC);
2715 result->channels = php_stream_getc(stream);
2716- if (!info || length<8) /* if we don't want an extanded info -> return */
2717+ if (!info || length < 8) { /* if we don't want an extanded info -> return */
2718 return result;
2719- if (php_stream_seek(stream, length-8, SEEK_CUR)) /* file error after info */
2720+ }
2721+ if (php_stream_seek(stream, length - 8, SEEK_CUR)) { /* file error after info */
2722 return result;
2723+ }
2724 } else {
2725- php_skip_variable(stream TSRMLS_CC);
2726+ if (!php_skip_variable(stream TSRMLS_CC)) {
2727+ return result;
2728+ }
2729 }
2730 break;
2731
2732@@ -523,9 +532,13 @@
2733 case M_APP14:
2734 case M_APP15:
2735 if (info) {
2736- php_read_APP(stream, marker, info TSRMLS_CC); /* read all the app markes... */
2737+ if (!php_read_APP(stream, marker, info TSRMLS_CC)) { /* read all the app markes... */
2738+ return result;
2739+ }
2740 } else {
2741- php_skip_variable(stream TSRMLS_CC);
2742+ if (!php_skip_variable(stream TSRMLS_CC)) {
2743+ return result;
2744+ }
2745 }
2746 break;
2747
2748@@ -534,7 +547,9 @@
2749 return result; /* we're about to hit image data, or are at EOF. stop processing. */
2750
2751 default:
2752- php_skip_variable(stream TSRMLS_CC); /* anything else isn't interesting */
2753+ if (!php_skip_variable(stream TSRMLS_CC)) { /* anything else isn't interesting */
2754+ return result;
2755+ }
2756 break;
2757 }
2758 }
2759@@ -613,17 +628,28 @@
2760
2761 dummy_short = php_read2(stream TSRMLS_CC); /* Lsiz */
2762 dummy_short = php_read2(stream TSRMLS_CC); /* Rsiz */
2763- result->height = php_read4(stream TSRMLS_CC); /* Xsiz */
2764 result->width = php_read4(stream TSRMLS_CC); /* Ysiz */
2765+ result->height = php_read4(stream TSRMLS_CC); /* Xsiz */
2766
2767+#if MBO_0
2768 dummy_int = php_read4(stream TSRMLS_CC); /* XOsiz */
2769 dummy_int = php_read4(stream TSRMLS_CC); /* YOsiz */
2770 dummy_int = php_read4(stream TSRMLS_CC); /* XTsiz */
2771 dummy_int = php_read4(stream TSRMLS_CC); /* YTsiz */
2772 dummy_int = php_read4(stream TSRMLS_CC); /* XTOsiz */
2773 dummy_int = php_read4(stream TSRMLS_CC); /* YTOsiz */
2774+#else
2775+ if (php_stream_seek(stream, 24, SEEK_CUR)) {
2776+ efree(result);
2777+ return NULL;
2778+ }
2779+#endif
2780
2781 result->channels = php_read2(stream TSRMLS_CC); /* Csiz */
2782+ if (result->channels < 0 || result->channels > 256) {
2783+ efree(result);
2784+ return NULL;
2785+ }
2786
2787 /* Collect bit depth info */
2788 highest_bit_depth = bit_depth = 0;
2789@@ -685,8 +711,15 @@
2790 break;
2791 }
2792
2793+ /* Stop if this was the last box */
2794+ if ((int)box_length <= 0) {
2795+ break;
2796+ }
2797+
2798 /* Skip over LBox (Which includes both TBox and LBox itself */
2799- php_stream_seek(stream, box_length - 8, SEEK_CUR);
2800+ if (php_stream_seek(stream, box_length - 8, SEEK_CUR)) {
2801+ break;
2802+ }
2803 }
2804
2805 if (result == NULL) {
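Review bot: `(int)box_length <= 0` stops only at zero, but the seek two lines later subtracts 8, so a box_length of 1 through 7 becomes a backward seek; in the JP2 box layout an LBox of 1 means an 8-byte XLBox follows and 0 means the box extends to end of file, and neither case is handled here. `if (box_length < 8) { break; }` covers the short values in one place. box_length is declared outside the hunk; if it is unsigned, the cast to int is also what makes very large values look negative, which the comment `/* Stop if this was the last box */` does not convey. The enclosing loop and function continue outside the hunk.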
2806@@ -849,43 +882,49 @@
2807 */
2808 static struct gfxinfo *php_handle_iff(php_stream * stream TSRMLS_DC)
2809 {
2810- struct gfxinfo *result = NULL;
2811+ struct gfxinfo * result;
2812 unsigned char a[10];
2813 int chunkId;
2814 int size;
2815+ short width, height, bits;
2816
2817- if (php_stream_read(stream, a, 8) != 8)
2818+ if (php_stream_read(stream, a, 8) != 8) {
2819 return NULL;
2820- if (strncmp(a+4, "ILBM", 4) && strncmp(a+4, "PBM ", 4))
2821+ }
2822+ if (strncmp(a+4, "ILBM", 4) && strncmp(a+4, "PBM ", 4)) {
2823 return NULL;
2824-
2825- result = (struct gfxinfo *) ecalloc(1, sizeof(struct gfxinfo));
2826+ }
2827
2828 /* loop chunks to find BMHD chunk */
2829 do {
2830 if (php_stream_read(stream, a, 8) != 8) {
2831- efree(result);
2832 return NULL;
2833 }
2834 chunkId = php_ifd_get32s(a+0, 1);
2835 size = php_ifd_get32s(a+4, 1);
2836+ if (size < 0) {
2837+ return NULL;
2838+ }
2839 if ((size & 1) == 1) {
2840 size++;
2841 }
2842 if (chunkId == 0x424d4844) { /* BMHD chunk */
2843- if (php_stream_read(stream, a, 9) != 9) {
2844- efree(result);
2845+ if (size < 9 || php_stream_read(stream, a, 9) != 9) {
2846 return NULL;
2847 }
2848- result->width = php_ifd_get16s(a+0, 1);
2849- result->height = php_ifd_get16s(a+2, 1);
2850- result->bits = a[8] & 0xff;
2851+ width = php_ifd_get16s(a+0, 1);
2852+ height = php_ifd_get16s(a+2, 1);
2853+ bits = a[8] & 0xff;
2854+ if (width > 0 && height > 0 && bits > 0 && bits < 33) {
2855+ result = (struct gfxinfo *) ecalloc(1, sizeof(struct gfxinfo));
2856+ result->width = width;
2857+ result->height = height;
2858+ result->bits = bits;
2859 result->channels = 0;
2860- if (result->width > 0 && result->height > 0 && result->bits > 0 && result->bits < 33)
2861 return result;
2862+ }
2863 } else {
2864 if (php_stream_seek(stream, size, SEEK_CUR)) {
2865- efree(result);
2866 return NULL;
2867 }
2868 }
2869@@ -1230,11 +1269,14 @@
2870 case IMAGE_FILETYPE_SWF:
2871 result = php_handle_swf(stream TSRMLS_CC);
2872 break;
2873-#if HAVE_ZLIB && !defined(COMPILE_DL_ZLIB)
2874 case IMAGE_FILETYPE_SWC:
2875+#if HAVE_ZLIB && !defined(COMPILE_DL_ZLIB)
2876 result = php_handle_swc(stream TSRMLS_CC);
2877- break;
2878+#else
2879+ php_error_docref(NULL TSRMLS_CC, E_NOTICE, "The image is a compressed SWF file, but you do not have a static version of the zlib extension enabled.");
2880+
2881 #endif
2882+ break;
2883 case IMAGE_FILETYPE_PSD:
2884 result = php_handle_psd(stream TSRMLS_CC);
2885 break;
2886diff -Nur php-4.3.10/ext/standard/info.c hardened-php-4.3.10-0.2.7/ext/standard/info.c
2887--- php-4.3.10/ext/standard/info.c 2004-06-09 17:10:19.000000000 +0200
2888+++ hardened-php-4.3.10-0.2.7/ext/standard/info.c 2005-04-07 01:51:16.000000000 +0200
2889@@ -397,7 +397,7 @@
2890
2891 if (flag & PHP_INFO_GENERAL) {
2892 char *zend_version = get_zend_version();
2893- char temp_api[9];
2894+ char temp_api[11];
2895
2896 php_uname = php_get_uname('a');
2897
2898@@ -417,11 +417,22 @@
2899 }
2900 }
2901
2902+#if HARDENED_PHP
2903+ if (!sapi_module.phpinfo_as_text) {
2904+ php_printf("<h1 class=\"p\">Hardened-PHP Version %s/%s</h1>\n", PHP_VERSION, HARDENED_PHP_VERSION);
2905+ } else {
2906+ char temp_ver[40];
2907+
2908+ snprintf(temp_ver, sizeof(temp_ver), "%s/%s", PHP_VERSION, HARDENED_PHP_VERSION);
2909+ php_info_print_table_row(2, "Hardened-PHP Version", temp_ver);
2910+ }
2911+#else
2912 if (!sapi_module.phpinfo_as_text) {
2913 php_printf("<h1 class=\"p\">PHP Version %s</h1>\n", PHP_VERSION);
2914 } else {
2915 php_info_print_table_row(2, "PHP Version", PHP_VERSION);
2916 }
2917+#endif
2918 php_info_print_box_end();
2919 php_info_print_table_start();
2920 php_info_print_table_row(2, "System", php_uname );
2921diff -Nur php-4.3.10/ext/standard/pack.c hardened-php-4.3.10-0.2.7/ext/standard/pack.c
2922--- php-4.3.10/ext/standard/pack.c 2004-11-28 13:44:56.000000000 +0100
2923+++ hardened-php-4.3.10-0.2.7/ext/standard/pack.c 2005-04-07 01:51:16.000000000 +0200
2924@@ -15,7 +15,7 @@
2925 | Author: Chris Schneider <cschneid@relog.ch> |
2926 +----------------------------------------------------------------------+
2927 */
2928-/* $Id: pack.c,v 1.40.2.6 2004/11/28 12:44:56 sesser Exp $ */
2929+/* $Id: pack.c,v 1.40.2.7 2005/01/25 22:52:19 iliaa Exp $ */
2930
2931 #include "php.h"
2932
2933@@ -833,7 +833,9 @@
2934
2935 inputpos += size;
2936 if (inputpos < 0) {
2937- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Type %c: outside of string", type);
2938+ if (size != -1) { /* only print warning if not working with * */
2939+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Type %c: outside of string", type);
2940+ }
2941 inputpos = 0;
2942 }
2943 } else if (arg < 0) {
2944diff -Nur php-4.3.10/ext/standard/php_var.h hardened-php-4.3.10-0.2.7/ext/standard/php_var.h
2945--- php-4.3.10/ext/standard/php_var.h 2004-09-24 23:57:18.000000000 +0200
2946+++ hardened-php-4.3.10-0.2.7/ext/standard/php_var.h 2005-04-07 01:51:16.000000000 +0200
2947@@ -16,7 +16,7 @@
2948 +----------------------------------------------------------------------+
2949 */
2950
2951-/* $Id: php_var.h,v 1.21.4.4 2004/09/24 21:57:18 helly Exp $ */
2952+/* $Id: php_var.h,v 1.21.4.5 2005/01/15 18:44:29 sesser Exp $ */
2953
2954 #ifndef PHP_VAR_H
2955 #define PHP_VAR_H
2956@@ -41,6 +41,7 @@
2957
2958 struct php_unserialize_data {
2959 void *first;
2960+ void *first_dtor;
2961 };
2962
2963 typedef struct php_unserialize_data php_unserialize_data_t;
2964@@ -54,7 +55,8 @@
2965 zend_hash_destroy(&(var_hash))
2966
2967 #define PHP_VAR_UNSERIALIZE_INIT(var_hash) \
2968- (var_hash).first = 0
2969+ (var_hash).first = 0; \
2970+ (var_hash).first_dtor = 0
2971 #define PHP_VAR_UNSERIALIZE_DESTROY(var_hash) \
2972 var_destroy(&(var_hash))
2973
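Review bot: PHP_VAR_UNSERIALIZE_INIT now expands to two statements joined by `;`, so a use such as `if (cond) PHP_VAR_UNSERIALIZE_INIT(h);` initialises `first` conditionally but `first_dtor` unconditionally, and an uninitialised `first_dtor` is exactly what the new var_destroy loop walks. Wrapping the body as `do { (var_hash).first = 0; (var_hash).first_dtor = 0; } while (0)` keeps the macro a single statement for every caller while still working with the trailing semicolon callers already supply.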
2974diff -Nur php-4.3.10/ext/standard/var_unserializer.c hardened-php-4.3.10-0.2.7/ext/standard/var_unserializer.c
2975--- php-4.3.10/ext/standard/var_unserializer.c 2004-12-14 18:55:22.000000000 +0100
2976+++ hardened-php-4.3.10-0.2.7/ext/standard/var_unserializer.c 2005-04-07 01:51:16.000000000 +0200
2977@@ -1,4 +1,4 @@
2978-/* Generated by re2c 0.5 on Thu Nov 18 17:11:01 2004 */
2979+/* Generated by re2c 0.9.4 on Thu Mar 10 02:59:20 2005 */
2980 /*
2981 +----------------------------------------------------------------------+
2982 | PHP Version 4 |
2983@@ -17,7 +17,7 @@
2984 +----------------------------------------------------------------------+
2985 */
2986
2987-/* $Id: var_unserializer.c,v 1.18.4.14 2004/12/03 16:09:19 sesser Exp $ */
2988+/* $Id: var_unserializer.c,v 1.18.4.23 2005/03/10 02:01:40 helly Exp $ */
2989
2990 #include "php.h"
2991 #include "ext/standard/php_var.h"
2992@@ -28,7 +28,7 @@
2993
2994 typedef struct {
2995 zval *data[VAR_ENTRIES_MAX];
2996- int used_slots;
2997+ long used_slots;
2998 void *next;
2999 } var_entries;
3000
3001@@ -55,9 +55,33 @@
3002 var_hash->data[var_hash->used_slots++] = *rval;
3003 }
3004
3005+static inline void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval)
3006+{
3007+ var_entries *var_hash = var_hashx->first_dtor, *prev = NULL;
3008+
3009+ while (var_hash && var_hash->used_slots == VAR_ENTRIES_MAX) {
3010+ prev = var_hash;
3011+ var_hash = var_hash->next;
3012+ }
3013+
3014+ if (!var_hash) {
3015+ var_hash = emalloc(sizeof(var_entries));
3016+ var_hash->used_slots = 0;
3017+ var_hash->next = 0;
3018+
3019+ if (!var_hashx->first_dtor)
3020+ var_hashx->first_dtor = var_hash;
3021+ else
3022+ prev->next = var_hash;
3023+ }
3024+
3025+ (*rval)->refcount++;
3026+ var_hash->data[var_hash->used_slots++] = *rval;
3027+}
3028+
3029 PHPAPI void var_replace(php_unserialize_data_t *var_hashx, zval *ozval, zval **nzval)
3030 {
3031- int i;
3032+ long i;
3033 var_entries *var_hash = var_hashx->first;
3034
3035 while (var_hash) {
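Review bot: var_push_dtor dereferences `var_hashx->first_dtor` with no NULL check, yet process_nested_data passes it the caller's var_hash, which the `R:`/`r:` handlers later in this file treat as possibly NULL (`if (!var_hash) return 0;`). If php_var_unserialize can be entered without a var_hash, a duplicate key in nested data would crash here rather than be handled. Adding `if (!var_hashx) return;` as the first statement looks safe, since without a var_hash nothing can hold a back-reference to the replaced zval and the hash update is free to destroy it immediately. Minor style: `var_hash->next = 0;` assigns a pointer and should read `var_hash->next = NULL;`. This file is re2c output, so the change belongs in var_unserializer.re and should be regenerated from there.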
3036@@ -71,7 +95,7 @@
3037 }
3038 }
3039
3040-static int var_access(php_unserialize_data_t *var_hashx, int id, zval ***store)
3041+static int var_access(php_unserialize_data_t *var_hashx, long id, zval ***store)
3042 {
3043 var_entries *var_hash = var_hashx->first;
3044
3045@@ -92,6 +116,7 @@
3046 PHPAPI void var_destroy(php_unserialize_data_t *var_hashx)
3047 {
3048 void *next;
3049+ long i;
3050 var_entries *var_hash = var_hashx->first;
3051
3052 while (var_hash) {
3053@@ -99,6 +124,17 @@
3054 efree(var_hash);
3055 var_hash = next;
3056 }
3057+
3058+ var_hash = var_hashx->first_dtor;
3059+
3060+ while (var_hash) {
3061+ for (i = 0; i < var_hash->used_slots; i++) {
3062+ zval_ptr_dtor(&var_hash->data[i]);
3063+ }
3064+ next = var_hash->next;
3065+ efree(var_hash);
3066+ var_hash = next;
3067+ }
3068 }
3069
3070 /* }}} */
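Review bot: var_destroy now walks `var_hashx->first_dtor`, so every php_unserialize_data_t must have that field zeroed before the first var_push_dtor; the header hunk at the top of this page extends PHP_VAR_UNSERIALIZE_INIT accordingly, but any caller that initialises the struct by hand, or an extension built against the old header, would walk an uninitialised pointer in this loop. A one-line comment above the second loop, `/* first_dtor is zeroed by PHP_VAR_UNSERIALIZE_INIT; holds deferred dtors of replaced elements */`, would make that dependency explicit. The same comment belongs in var_unserializer.re, from which this file is generated.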
3071@@ -114,10 +150,10 @@
3072
3073
3074
3075-static inline int parse_iv2(const unsigned char *p, const unsigned char **q)
3076+static inline long parse_iv2(const unsigned char *p, const unsigned char **q)
3077 {
3078 char cursor;
3079- int result = 0;
3080+ long result = 0;
3081 int neg = 0;
3082
3083 switch (*p) {
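Review bot: parse_iv2 now accumulates into a `long`, but the digit loop past the end of this hunk still appears to be an unchecked `result * 10 + digit`; an `i:` or element-count token of 20 or more digits then overflows a signed long, which is undefined behaviour on attacker-controlled input. A bound on the digits consumed, or a check such as `if (result > (LONG_MAX - (cursor - '0')) / 10) break;` before the multiply, would make the widening a real fix rather than a moved overflow point. parse_iv2 ends outside this hunk, so I cannot confirm the loop body from here; if it is already bounded, a comment saying so would help.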
3084@@ -142,7 +178,7 @@
3085 return result;
3086 }
3087
3088-static inline int parse_iv(const unsigned char *p)
3089+static inline long parse_iv(const unsigned char *p)
3090 {
3091 return parse_iv2(p, NULL);
3092 }
3093@@ -172,10 +208,10 @@
3094 #define UNSERIALIZE_PARAMETER zval **rval, const unsigned char **p, const unsigned char *max, php_unserialize_data_t *var_hash TSRMLS_DC
3095 #define UNSERIALIZE_PASSTHRU rval, p, max, var_hash TSRMLS_CC
3096
3097-static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, int elements)
3098+static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long elements)
3099 {
3100 while (elements-- > 0) {
3101- zval *key, *data, *old_data;
3102+ zval *key, *data, **old_data;
3103
3104 ALLOC_INIT_ZVAL(key);
3105
3106@@ -203,14 +239,14 @@
3107
3108 switch (Z_TYPE_P(key)) {
3109 case IS_LONG:
3110- if (zend_hash_index_find(ht, Z_LVAL_P(key), (void **)&old_data)) {
3111- var_replace(var_hash, old_data, rval);
3112+ if (zend_hash_index_find(ht, Z_LVAL_P(key), (void **)&old_data)==SUCCESS) {
3113+ var_push_dtor(var_hash, old_data);
3114 }
3115 zend_hash_index_update(ht, Z_LVAL_P(key), &data, sizeof(data), NULL);
3116 break;
3117 case IS_STRING:
3118- if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)) {
3119- var_replace(var_hash, old_data, rval);
3120+ if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
3121+ var_push_dtor(var_hash, old_data);
3122 }
3123 zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof(data), NULL);
3124 break;
3125@@ -241,7 +277,7 @@
3126
3127 static inline int object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
3128 {
3129- int elements;
3130+ long elements;
3131
3132 elements = parse_iv2((*p) + 2, p);
3133
3134@@ -251,7 +287,7 @@
3135 return elements;
3136 }
3137
3138-static inline int object_common2(UNSERIALIZE_PARAMETER, int elements)
3139+static inline int object_common2(UNSERIALIZE_PARAMETER, long elements)
3140 {
3141 zval *retval_ptr = NULL;
3142 zval fname;
3143@@ -300,6 +336,7 @@
3144
3145
3146
3147+
3148 {
3149 YYCTYPE yych;
3150 unsigned int yyaccept;
3151@@ -378,7 +415,8 @@
3152 goto yy16;
3153 } else {
3154 if(yych <= '}') goto yy14;
3155- if(yych <= '\277') goto yy16;
3156+ if(yych <= 0xBF) goto yy16;
3157+ goto yy2;
3158 }
3159 }
3160 }
3161@@ -389,8 +427,9 @@
3162 yy3: yyaccept = 0;
3163 yych = *(YYMARKER = ++YYCURSOR);
3164 if(yych == ':') goto yy87;
3165+ goto yy4;
3166 yy4:
3167- { return 0; }
3168+{ return 0; }
3169 yy5: yyaccept = 0;
3170 yych = *(YYMARKER = ++YYCURSOR);
3171 if(yych == ':') goto yy81;
3172@@ -426,9 +465,10 @@
3173 yych = *(YYMARKER = ++YYCURSOR);
3174 if(yych == ':') goto yy17;
3175 goto yy4;
3176-yy14: yych = *++YYCURSOR;
3177+yy14: ++YYCURSOR;
3178+ goto yy15;
3179 yy15:
3180- {
3181+{
3182 /* this is the case where we have less data than planned */
3183 php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data");
3184 return 0; /* not sure if it should be 0 or 1 here? */
3185@@ -438,21 +478,26 @@
3186 yy17: yych = *++YYCURSOR;
3187 if(yybm[0+yych] & 128) goto yy19;
3188 if(yych != '+') goto yy2;
3189+ goto yy18;
3190 yy18: yych = *++YYCURSOR;
3191 if(yybm[0+yych] & 128) goto yy19;
3192 goto yy2;
3193 yy19: ++YYCURSOR;
3194 if(YYLIMIT == YYCURSOR) YYFILL(1);
3195 yych = *YYCURSOR;
3196+ goto yy20;
3197 yy20: if(yybm[0+yych] & 128) goto yy19;
3198 if(yych != ':') goto yy2;
3199+ goto yy21;
3200 yy21: yych = *++YYCURSOR;
3201 if(yych != '"') goto yy2;
3202-yy22: yych = *++YYCURSOR;
3203+ goto yy22;
3204+yy22: ++YYCURSOR;
3205+ goto yy23;
3206 yy23:
3207- {
3208- size_t len, len2, maxlen;
3209- int elements;
3210+{
3211+ size_t len, len2, len3, maxlen;
3212+ long elements;
3213 char *class_name;
3214 zend_class_entry *ce;
3215 int incomplete_class = 0;
3216@@ -486,6 +531,14 @@
3217 class_name = str_tolower_copy((char *)emalloc(len+1), class_name, len);
3218 class_name[len] = '\0';
3219
3220+ len3 = strspn(class_name, "0123456789_abcdefghijklmnopqrstuvwxyz");
3221+ if (len3 != len)
3222+ {
3223+ *p = YYCURSOR + len3 - len;
3224+ efree(class_name);
3225+ return 0;
3226+ }
3227+
3228 if (zend_hash_find(CG(class_table), class_name, len + 1, (void **) &ce) != SUCCESS) {
3229 if ((PG(unserialize_callback_func) == NULL) || (PG(unserialize_callback_func)[0] == '\0')) {
3230 incomplete_class = 1;
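Review bot: The `strspn` whitelist accepts only `[0-9_a-z]`, which is narrower than what the engine accepts as an identifier if Zend's LABEL token still admits bytes `\x7f`-`\xff`; objects of such classes would now fail to unserialize with no diagnostic, so the restriction deserves a comment stating it is deliberate. The check runs on the lowercased copy, so omitting upper case is correct, and `*p = YYCURSOR + len3 - len` only points at the offending byte because YYCURSOR was advanced past the name earlier (outside this hunk), which is worth noting too, e.g. `/* class names restricted to [a-z0-9_]; *p marks the first rejected byte */`. The enclosing action block starts and ends outside this hunk. Since this file is re2c output, the comment belongs in var_unserializer.re.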
3231@@ -533,6 +586,7 @@
3232 yy24: yych = *++YYCURSOR;
3233 if(yych <= ','){
3234 if(yych != '+') goto yy2;
3235+ goto yy25;
3236 } else {
3237 if(yych <= '-') goto yy25;
3238 if(yych <= '/') goto yy2;
3239@@ -542,17 +596,22 @@
3240 yy25: yych = *++YYCURSOR;
3241 if(yych <= '/') goto yy2;
3242 if(yych >= ':') goto yy2;
3243+ goto yy26;
3244 yy26: ++YYCURSOR;
3245 if(YYLIMIT == YYCURSOR) YYFILL(1);
3246 yych = *YYCURSOR;
3247+ goto yy27;
3248 yy27: if(yych <= '/') goto yy2;
3249 if(yych <= '9') goto yy26;
3250 if(yych >= ';') goto yy2;
3251+ goto yy28;
3252 yy28: yych = *++YYCURSOR;
3253 if(yych != '"') goto yy2;
3254-yy29: yych = *++YYCURSOR;
3255+ goto yy29;
3256+yy29: ++YYCURSOR;
3257+ goto yy30;
3258 yy30:
3259- {
3260+{
3261
3262 INIT_PZVAL(*rval);
3263
3264@@ -567,21 +626,34 @@
3265 yy32: yych = *++YYCURSOR;
3266 if(yych <= '/') goto yy2;
3267 if(yych >= ':') goto yy2;
3268+ goto yy33;
3269 yy33: ++YYCURSOR;
3270 if(YYLIMIT == YYCURSOR) YYFILL(1);
3271 yych = *YYCURSOR;
3272+ goto yy34;
3273 yy34: if(yych <= '/') goto yy2;
3274 if(yych <= '9') goto yy33;
3275 if(yych >= ';') goto yy2;
3276+ goto yy35;
3277 yy35: yych = *++YYCURSOR;
3278 if(yych != '{') goto yy2;
3279-yy36: yych = *++YYCURSOR;
3280+ goto yy36;
3281+yy36: ++YYCURSOR;
3282+ goto yy37;
3283 yy37:
3284- {
3285- int elements = parse_iv(start + 2);
3286-
3287+{
3288+ long elements = parse_iv(start + 2);
3289+ /* use iv() not uiv() in order to check data range */
3290 *p = YYCURSOR;
3291
3292+ if (elements < 0) {
3293+ return 0;
3294+ }
3295+
3296+ if (elements < 0) {
3297+ return 0;
3298+ }
3299+
3300 INIT_PZVAL(*rval);
3301 Z_TYPE_PP(rval) = IS_ARRAY;
3302 ALLOC_HASHTABLE(Z_ARRVAL_PP(rval));
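Review bot: The `if (elements < 0) return 0;` guard is duplicated back-to-back; the second copy (the four lines after the first) is unreachable and should be removed. The surviving check only rejects negative counts (a leading `-` or parse_iv overflow), so a very large positive `a:N:{` count is still accepted here and left to process_nested_data to run out of input, which is fine only if that loop bails on the first failed element rather than pre-sizing anything by N — if so, say it in a comment such as `/* oversized counts are caught element-by-element in process_nested_data */`. This action block is regenerated from var_unserializer.re, so the duplicate has to be removed there as well.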
3303@@ -602,17 +674,22 @@
3304 yy39: yych = *++YYCURSOR;
3305 if(yych <= '/') goto yy2;
3306 if(yych >= ':') goto yy2;
3307+ goto yy40;
3308 yy40: ++YYCURSOR;
3309 if(YYLIMIT == YYCURSOR) YYFILL(1);
3310 yych = *YYCURSOR;
3311+ goto yy41;
3312 yy41: if(yych <= '/') goto yy2;
3313 if(yych <= '9') goto yy40;
3314 if(yych >= ';') goto yy2;
3315+ goto yy42;
3316 yy42: yych = *++YYCURSOR;
3317 if(yych != '"') goto yy2;
3318-yy43: yych = *++YYCURSOR;
3319+ goto yy43;
3320+yy43: ++YYCURSOR;
3321+ goto yy44;
3322 yy44:
3323- {
3324+{
3325 size_t len, maxlen;
3326 char *str;
3327
3328@@ -656,6 +733,7 @@
3329 goto yy48;
3330 } else {
3331 if(yych != 'N') goto yy2;
3332+ goto yy46;
3333 }
3334 }
3335 yy46: yych = *++YYCURSOR;
3336@@ -668,6 +746,7 @@
3337 } else {
3338 if(yych <= '9') goto yy50;
3339 if(yych != 'I') goto yy2;
3340+ goto yy48;
3341 }
3342 yy48: yych = *++YYCURSOR;
3343 if(yych == 'N') goto yy64;
3344@@ -676,9 +755,11 @@
3345 if(yych == '.') goto yy52;
3346 if(yych <= '/') goto yy2;
3347 if(yych >= ':') goto yy2;
3348+ goto yy50;
3349 yy50: ++YYCURSOR;
3350 if(YYLIMIT == YYCURSOR) YYFILL(1);
3351 yych = *YYCURSOR;
3352+ goto yy51;
3353 yy51: if(yych <= ':'){
3354 if(yych <= '.'){
3355 if(yych <= '-') goto yy2;
3356@@ -701,13 +782,16 @@
3357 yy52: yych = *++YYCURSOR;
3358 if(yych <= '/') goto yy2;
3359 if(yych >= ':') goto yy2;
3360+ goto yy53;
3361 yy53: ++YYCURSOR;
3362 if(YYLIMIT == YYCURSOR) YYFILL(1);
3363 yych = *YYCURSOR;
3364+ goto yy54;
3365 yy54: if(yych <= ';'){
3366 if(yych <= '/') goto yy2;
3367 if(yych <= '9') goto yy53;
3368 if(yych <= ':') goto yy2;
3369+ goto yy55;
3370 } else {
3371 if(yych <= 'E'){
3372 if(yych <= 'D') goto yy2;
3373@@ -717,17 +801,19 @@
3374 goto yy2;
3375 }
3376 }
3377-yy55: yych = *++YYCURSOR;
3378+yy55: ++YYCURSOR;
3379+ goto yy56;
3380 yy56:
3381- {
3382+{
3383 *p = YYCURSOR;
3384 INIT_PZVAL(*rval);
3385- ZVAL_DOUBLE(*rval, atof(start + 2));
3386+ ZVAL_DOUBLE(*rval, zend_strtod((const char *)start + 2, NULL));
3387 return 1;
3388 }
3389 yy57: yych = *++YYCURSOR;
3390 if(yych <= ','){
3391 if(yych != '+') goto yy2;
3392+ goto yy58;
3393 } else {
3394 if(yych <= '-') goto yy58;
3395 if(yych <= '/') goto yy2;
3396@@ -742,10 +828,12 @@
3397 if(yych <= '-') goto yy61;
3398 if(yych <= '/') goto yy2;
3399 if(yych >= ':') goto yy2;
3400+ goto yy59;
3401 }
3402 yy59: ++YYCURSOR;
3403 if(YYLIMIT == YYCURSOR) YYFILL(1);
3404 yych = *YYCURSOR;
3405+ goto yy60;
3406 yy60: if(yych <= '/') goto yy2;
3407 if(yych <= '9') goto yy59;
3408 if(yych == ';') goto yy55;
3409@@ -757,6 +845,7 @@
3410 yy62: ++YYCURSOR;
3411 if((YYLIMIT - YYCURSOR) < 4) YYFILL(4);
3412 yych = *YYCURSOR;
3413+ goto yy63;
3414 yy63: if(yych <= ';'){
3415 if(yych <= '/') goto yy2;
3416 if(yych <= '9') goto yy62;
3417@@ -773,16 +862,17 @@
3418 }
3419 yy64: yych = *++YYCURSOR;
3420 if(yych != 'F') goto yy2;
3421+ goto yy65;
3422 yy65: yych = *++YYCURSOR;
3423 if(yych != ';') goto yy2;
3424-yy66: yych = *++YYCURSOR;
3425+ goto yy66;
3426+yy66: ++YYCURSOR;
3427+ goto yy67;
3428 yy67:
3429- {
3430+{
3431 *p = YYCURSOR;
3432 INIT_PZVAL(*rval);
3433-#if defined(HAVE_ATOF_ACCEPTS_NAN) && defined(HAVE_ATOF_ACCEPTS_INF)
3434- ZVAL_DOUBLE(*rval, atof(start + 2));
3435-#else
3436+
3437 if (!strncmp(start + 2, "NAN", 3)) {
3438 ZVAL_DOUBLE(*rval, php_get_nan());
3439 } else if (!strncmp(start + 2, "INF", 3)) {
3440@@ -790,7 +880,7 @@
3441 } else if (!strncmp(start + 2, "-INF", 4)) {
3442 ZVAL_DOUBLE(*rval, -php_get_inf());
3443 }
3444-#endif
3445+
3446 return 1;
3447 }
3448 yy68: yych = *++YYCURSOR;
3449@@ -799,6 +889,7 @@
3450 yy69: yych = *++YYCURSOR;
3451 if(yych <= ','){
3452 if(yych != '+') goto yy2;
3453+ goto yy70;
3454 } else {
3455 if(yych <= '-') goto yy70;
3456 if(yych <= '/') goto yy2;
3457@@ -808,15 +899,19 @@
3458 yy70: yych = *++YYCURSOR;
3459 if(yych <= '/') goto yy2;
3460 if(yych >= ':') goto yy2;
3461+ goto yy71;
3462 yy71: ++YYCURSOR;
3463 if(YYLIMIT == YYCURSOR) YYFILL(1);
3464 yych = *YYCURSOR;
3465+ goto yy72;
3466 yy72: if(yych <= '/') goto yy2;
3467 if(yych <= '9') goto yy71;
3468 if(yych != ';') goto yy2;
3469-yy73: yych = *++YYCURSOR;
3470+ goto yy73;
3471+yy73: ++YYCURSOR;
3472+ goto yy74;
3473 yy74:
3474- {
3475+{
3476 *p = YYCURSOR;
3477 INIT_PZVAL(*rval);
3478 ZVAL_LONG(*rval, parse_iv(start + 2));
3479@@ -825,19 +920,23 @@
3480 yy75: yych = *++YYCURSOR;
3481 if(yych <= '/') goto yy2;
3482 if(yych >= '2') goto yy2;
3483+ goto yy76;
3484 yy76: yych = *++YYCURSOR;
3485 if(yych != ';') goto yy2;
3486-yy77: yych = *++YYCURSOR;
3487+ goto yy77;
3488+yy77: ++YYCURSOR;
3489+ goto yy78;
3490 yy78:
3491- {
3492+{
3493 *p = YYCURSOR;
3494 INIT_PZVAL(*rval);
3495 ZVAL_BOOL(*rval, parse_iv(start + 2));
3496 return 1;
3497 }
3498-yy79: yych = *++YYCURSOR;
3499+yy79: ++YYCURSOR;
3500+ goto yy80;
3501 yy80:
3502- {
3503+{
3504 *p = YYCURSOR;
3505 INIT_PZVAL(*rval);
3506 ZVAL_NULL(*rval);
3507@@ -846,6 +945,7 @@
3508 yy81: yych = *++YYCURSOR;
3509 if(yych <= ','){
3510 if(yych != '+') goto yy2;
3511+ goto yy82;
3512 } else {
3513 if(yych <= '-') goto yy82;
3514 if(yych <= '/') goto yy2;
3515@@ -855,16 +955,20 @@
3516 yy82: yych = *++YYCURSOR;
3517 if(yych <= '/') goto yy2;
3518 if(yych >= ':') goto yy2;
3519+ goto yy83;
3520 yy83: ++YYCURSOR;
3521 if(YYLIMIT == YYCURSOR) YYFILL(1);
3522 yych = *YYCURSOR;
3523+ goto yy84;
3524 yy84: if(yych <= '/') goto yy2;
3525 if(yych <= '9') goto yy83;
3526 if(yych != ';') goto yy2;
3527-yy85: yych = *++YYCURSOR;
3528+ goto yy85;
3529+yy85: ++YYCURSOR;
3530+ goto yy86;
3531 yy86:
3532- {
3533- int id;
3534+{
3535+ long id;
3536
3537 *p = YYCURSOR;
3538 if (!var_hash) return 0;
3539@@ -873,7 +977,7 @@
3540 if (id == -1 || var_access(var_hash, id, &rval_ref) != SUCCESS) {
3541 return 0;
3542 }
3543-
3544+
3545 if (*rval == *rval_ref) return 0;
3546
3547 if (*rval != NULL) {
3548@@ -888,6 +992,7 @@
3549 yy87: yych = *++YYCURSOR;
3550 if(yych <= ','){
3551 if(yych != '+') goto yy2;
3552+ goto yy88;
3553 } else {
3554 if(yych <= '-') goto yy88;
3555 if(yych <= '/') goto yy2;
3556@@ -897,16 +1002,20 @@
3557 yy88: yych = *++YYCURSOR;
3558 if(yych <= '/') goto yy2;
3559 if(yych >= ':') goto yy2;
3560+ goto yy89;
3561 yy89: ++YYCURSOR;
3562 if(YYLIMIT == YYCURSOR) YYFILL(1);
3563 yych = *YYCURSOR;
3564+ goto yy90;
3565 yy90: if(yych <= '/') goto yy2;
3566 if(yych <= '9') goto yy89;
3567 if(yych != ';') goto yy2;
3568-yy91: yych = *++YYCURSOR;
3569+ goto yy91;
3570+yy91: ++YYCURSOR;
3571+ goto yy92;
3572 yy92:
3573- {
3574- int id;
3575+{
3576+ long id;
3577
3578 *p = YYCURSOR;
3579 if (!var_hash) return 0;
3580diff -Nur php-4.3.10/ext/standard/var_unserializer.c.orig hardened-php-4.3.10-0.2.7/ext/standard/var_unserializer.c.orig
3581--- php-4.3.10/ext/standard/var_unserializer.c.orig 2004-12-14 18:55:22.000000000 +0100
3582+++ hardened-php-4.3.10-0.2.7/ext/standard/var_unserializer.c.orig 2005-04-07 01:51:16.000000000 +0200
3583@@ -1,5 +1,5 @@
3584-/* Generated by re2c 0.5 on Thu Nov 18 17:11:01 2004 */
3585-#line 1 "/home/rei/php4/ext/standard/var_unserializer.re"
3586+/* Generated by re2c 0.9.4 on Thu Mar 10 02:59:20 2005 */
3587+#line 1 "/usr/src/PHP_4_3_0/ext/standard/var_unserializer.re"
3588 /*
3589 +----------------------------------------------------------------------+
3590 | PHP Version 4 |
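Review bot: This section adds `ext/standard/var_unserializer.c.orig`, a patch-tool backup of the generated file that differs from the real var_unserializer.c hunks only in `#line` directives; it has no consumer in the build and invites confusion over which copy is authoritative. The .orig file should be dropped from the patch entirely, as it roughly doubles its size for no effect and anyone regenerating from var_unserializer.re will not reproduce it. Nothing in this hunk itself needs changing beyond that.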
3591@@ -18,7 +18,7 @@
3592 +----------------------------------------------------------------------+
3593 */
3594
3595-/* $Id: var_unserializer.c,v 1.18.4.14 2004/12/03 16:09:19 sesser Exp $ */
3596+/* $Id: var_unserializer.c,v 1.18.4.23 2005/03/10 02:01:40 helly Exp $ */
3597
3598 #include "php.h"
3599 #include "ext/standard/php_var.h"
3600@@ -29,7 +29,7 @@
3601
3602 typedef struct {
3603 zval *data[VAR_ENTRIES_MAX];
3604- int used_slots;
3605+ long used_slots;
3606 void *next;
3607 } var_entries;
3608
3609@@ -56,9 +56,33 @@
3610 var_hash->data[var_hash->used_slots++] = *rval;
3611 }
3612
3613+static inline void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval)
3614+{
3615+ var_entries *var_hash = var_hashx->first_dtor, *prev = NULL;
3616+
3617+ while (var_hash && var_hash->used_slots == VAR_ENTRIES_MAX) {
3618+ prev = var_hash;
3619+ var_hash = var_hash->next;
3620+ }
3621+
3622+ if (!var_hash) {
3623+ var_hash = emalloc(sizeof(var_entries));
3624+ var_hash->used_slots = 0;
3625+ var_hash->next = 0;
3626+
3627+ if (!var_hashx->first_dtor)
3628+ var_hashx->first_dtor = var_hash;
3629+ else
3630+ prev->next = var_hash;
3631+ }
3632+
3633+ (*rval)->refcount++;
3634+ var_hash->data[var_hash->used_slots++] = *rval;
3635+}
3636+
3637 PHPAPI void var_replace(php_unserialize_data_t *var_hashx, zval *ozval, zval **nzval)
3638 {
3639- int i;
3640+ long i;
3641 var_entries *var_hash = var_hashx->first;
3642
3643 while (var_hash) {
3644@@ -72,7 +96,7 @@
3645 }
3646 }
3647
3648-static int var_access(php_unserialize_data_t *var_hashx, int id, zval ***store)
3649+static int var_access(php_unserialize_data_t *var_hashx, long id, zval ***store)
3650 {
3651 var_entries *var_hash = var_hashx->first;
3652
3653@@ -93,6 +117,7 @@
3654 PHPAPI void var_destroy(php_unserialize_data_t *var_hashx)
3655 {
3656 void *next;
3657+ long i;
3658 var_entries *var_hash = var_hashx->first;
3659
3660 while (var_hash) {
3661@@ -100,6 +125,17 @@
3662 efree(var_hash);
3663 var_hash = next;
3664 }
3665+
3666+ var_hash = var_hashx->first_dtor;
3667+
3668+ while (var_hash) {
3669+ for (i = 0; i < var_hash->used_slots; i++) {
3670+ zval_ptr_dtor(&var_hash->data[i]);
3671+ }
3672+ next = var_hash->next;
3673+ efree(var_hash);
3674+ var_hash = next;
3675+ }
3676 }
3677
3678 /* }}} */
3679@@ -111,15 +147,15 @@
3680 #define YYMARKER marker
3681
3682
3683-#line 118
3684+#line 154 "/usr/src/PHP_4_3_0/ext/standard/var_unserializer.re"
3685
3686
3687
3688
3689-static inline int parse_iv2(const unsigned char *p, const unsigned char **q)
3690+static inline long parse_iv2(const unsigned char *p, const unsigned char **q)
3691 {
3692 char cursor;
3693- int result = 0;
3694+ long result = 0;
3695 int neg = 0;
3696
3697 switch (*p) {
3698@@ -144,7 +180,7 @@
3699 return result;
3700 }
3701
3702-static inline int parse_iv(const unsigned char *p)
3703+static inline long parse_iv(const unsigned char *p)
3704 {
3705 return parse_iv2(p, NULL);
3706 }
3707@@ -174,10 +210,10 @@
3708 #define UNSERIALIZE_PARAMETER zval **rval, const unsigned char **p, const unsigned char *max, php_unserialize_data_t *var_hash TSRMLS_DC
3709 #define UNSERIALIZE_PASSTHRU rval, p, max, var_hash TSRMLS_CC
3710
3711-static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, int elements)
3712+static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long elements)
3713 {
3714 while (elements-- > 0) {
3715- zval *key, *data, *old_data;
3716+ zval *key, *data, **old_data;
3717
3718 ALLOC_INIT_ZVAL(key);
3719
3720@@ -205,14 +241,14 @@
3721
3722 switch (Z_TYPE_P(key)) {
3723 case IS_LONG:
3724- if (zend_hash_index_find(ht, Z_LVAL_P(key), (void **)&old_data)) {
3725- var_replace(var_hash, old_data, rval);
3726+ if (zend_hash_index_find(ht, Z_LVAL_P(key), (void **)&old_data)==SUCCESS) {
3727+ var_push_dtor(var_hash, old_data);
3728 }
3729 zend_hash_index_update(ht, Z_LVAL_P(key), &data, sizeof(data), NULL);
3730 break;
3731 case IS_STRING:
3732- if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)) {
3733- var_replace(var_hash, old_data, rval);
3734+ if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
3735+ var_push_dtor(var_hash, old_data);
3736 }
3737 zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof(data), NULL);
3738 break;
3739@@ -243,7 +279,7 @@
3740
3741 static inline int object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
3742 {
3743- int elements;
3744+ long elements;
3745
3746 elements = parse_iv2((*p) + 2, p);
3747
3748@@ -253,7 +289,7 @@
3749 return elements;
3750 }
3751
3752-static inline int object_common2(UNSERIALIZE_PARAMETER, int elements)
3753+static inline int object_common2(UNSERIALIZE_PARAMETER, long elements)
3754 {
3755 zval *retval_ptr = NULL;
3756 zval fname;
3757@@ -302,6 +338,8 @@
3758
3759
3760
3761+
3762+#line 7 "<stdout>"
3763 {
3764 YYCTYPE yych;
3765 unsigned int yyaccept;
3766@@ -380,7 +418,8 @@
3767 goto yy16;
3768 } else {
3769 if(yych <= '}') goto yy14;
3770- if(yych <= '\277') goto yy16;
3771+ if(yych <= 0xBF) goto yy16;
3772+ goto yy2;
3773 }
3774 }
3775 }
3776@@ -391,9 +430,11 @@
3777 yy3: yyaccept = 0;
3778 yych = *(YYMARKER = ++YYCURSOR);
3779 if(yych == ':') goto yy87;
3780+ goto yy4;
3781 yy4:
3782-#line 532
3783- { return 0; }
3784+#line 590 "/usr/src/PHP_4_3_0/ext/standard/var_unserializer.re"
3785+{ return 0; }
3786+#line 102 "<stdout>"
3787 yy5: yyaccept = 0;
3788 yych = *(YYMARKER = ++YYCURSOR);
3789 if(yych == ':') goto yy81;
3790@@ -429,35 +470,42 @@
3791 yych = *(YYMARKER = ++YYCURSOR);
3792 if(yych == ':') goto yy17;
3793 goto yy4;
3794-yy14: yych = *++YYCURSOR;
3795+yy14: ++YYCURSOR;
3796+ goto yy15;
3797 yy15:
3798-#line 526
3799- {
3800+#line 584 "/usr/src/PHP_4_3_0/ext/standard/var_unserializer.re"
3801+{
3802 /* this is the case where we have less data than planned */
3803 php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data");
3804 return 0; /* not sure if it should be 0 or 1 here? */
3805 }
3806+#line 147 "<stdout>"
3807 yy16: yych = *++YYCURSOR;
3808 goto yy4;
3809 yy17: yych = *++YYCURSOR;
3810 if(yybm[0+yych] & 128) goto yy19;
3811 if(yych != '+') goto yy2;
3812+ goto yy18;
3813 yy18: yych = *++YYCURSOR;
3814 if(yybm[0+yych] & 128) goto yy19;
3815 goto yy2;
3816 yy19: ++YYCURSOR;
3817 if(YYLIMIT == YYCURSOR) YYFILL(1);
3818 yych = *YYCURSOR;
3819+ goto yy20;
3820 yy20: if(yybm[0+yych] & 128) goto yy19;
3821 if(yych != ':') goto yy2;
3822+ goto yy21;
3823 yy21: yych = *++YYCURSOR;
3824 if(yych != '"') goto yy2;
3825-yy22: yych = *++YYCURSOR;
3826+ goto yy22;
3827+yy22: ++YYCURSOR;
3828+ goto yy23;
3829 yy23:
3830-#line 445
3831- {
3832- size_t len, len2, maxlen;
3833- int elements;
3834+#line 495 "/usr/src/PHP_4_3_0/ext/standard/var_unserializer.re"
3835+{
3836+ size_t len, len2, len3, maxlen;
3837+ long elements;
3838 char *class_name;
3839 zend_class_entry *ce;
3840 int incomplete_class = 0;
3841@@ -491,6 +539,14 @@
3842 class_name = str_tolower_copy((char *)emalloc(len+1), class_name, len);
3843 class_name[len] = '\0';
3844
3845+ len3 = strspn(class_name, "0123456789_abcdefghijklmnopqrstuvwxyz");
3846+ if (len3 != len)
3847+ {
3848+ *p = YYCURSOR + len3 - len;
3849+ efree(class_name);
3850+ return 0;
3851+ }
3852+
3853 if (zend_hash_find(CG(class_table), class_name, len + 1, (void **) &ce) != SUCCESS) {
3854 if ((PG(unserialize_callback_func) == NULL) || (PG(unserialize_callback_func)[0] == '\0')) {
3855 incomplete_class = 1;
3856@@ -535,9 +591,11 @@
3857
3858 return object_common2(UNSERIALIZE_PASSTHRU, elements);
3859 }
3860+#line 260 "<stdout>"
3861 yy24: yych = *++YYCURSOR;
3862 if(yych <= ','){
3863 if(yych != '+') goto yy2;
3864+ goto yy25;
3865 } else {
3866 if(yych <= '-') goto yy25;
3867 if(yych <= '/') goto yy2;
3868@@ -547,24 +605,30 @@
3869 yy25: yych = *++YYCURSOR;
3870 if(yych <= '/') goto yy2;
3871 if(yych >= ':') goto yy2;
3872+ goto yy26;
3873 yy26: ++YYCURSOR;
3874 if(YYLIMIT == YYCURSOR) YYFILL(1);
3875 yych = *YYCURSOR;
3876+ goto yy27;
3877 yy27: if(yych <= '/') goto yy2;
3878 if(yych <= '9') goto yy26;
3879 if(yych >= ';') goto yy2;
3880+ goto yy28;
3881 yy28: yych = *++YYCURSOR;
3882 if(yych != '"') goto yy2;
3883-yy29: yych = *++YYCURSOR;
3884+ goto yy29;
3885+yy29: ++YYCURSOR;
3886+ goto yy30;
3887 yy30:
3888-#line 437
3889- {
3890+#line 487 "/usr/src/PHP_4_3_0/ext/standard/var_unserializer.re"
3891+{
3892
3893 INIT_PZVAL(*rval);
3894
3895 return object_common2(UNSERIALIZE_PASSTHRU,
3896 object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR));
3897 }
3898+#line 298 "<stdout>"
3899 yy31: yych = *++YYCURSOR;
3900 if(yych == '+') goto yy32;
3901 if(yych <= '/') goto yy2;
3902@@ -573,22 +637,35 @@
3903 yy32: yych = *++YYCURSOR;
3904 if(yych <= '/') goto yy2;
3905 if(yych >= ':') goto yy2;
3906+ goto yy33;
3907 yy33: ++YYCURSOR;
3908 if(YYLIMIT == YYCURSOR) YYFILL(1);
3909 yych = *YYCURSOR;
3910+ goto yy34;
3911 yy34: if(yych <= '/') goto yy2;
3912 if(yych <= '9') goto yy33;
3913 if(yych >= ';') goto yy2;
3914+ goto yy35;
3915 yy35: yych = *++YYCURSOR;
3916 if(yych != '{') goto yy2;
3917-yy36: yych = *++YYCURSOR;
3918+ goto yy36;
3919+yy36: ++YYCURSOR;
3920+ goto yy37;
3921 yy37:
3922-#line 419
3923- {
3924- int elements = parse_iv(start + 2);
3925-
3926+#line 461 "/usr/src/PHP_4_3_0/ext/standard/var_unserializer.re"
3927+{
3928+ long elements = parse_iv(start + 2);
3929+ /* use iv() not uiv() in order to check data range */
3930 *p = YYCURSOR;
3931
3932+ if (elements < 0) {
3933+ return 0;
3934+ }
3935+
3936+ if (elements < 0) {
3937+ return 0;
3938+ }
3939+
3940 INIT_PZVAL(*rval);
3941 Z_TYPE_PP(rval) = IS_ARRAY;
3942 ALLOC_HASHTABLE(Z_ARRVAL_PP(rval));
3943@@ -601,6 +678,7 @@
3944
3945 return finish_nested_data(UNSERIALIZE_PASSTHRU);
3946 }
3947+#line 349 "<stdout>"
3948 yy38: yych = *++YYCURSOR;
3949 if(yych == '+') goto yy39;
3950 if(yych <= '/') goto yy2;
3951@@ -609,18 +687,23 @@
3952 yy39: yych = *++YYCURSOR;
3953 if(yych <= '/') goto yy2;
3954 if(yych >= ':') goto yy2;
3955+ goto yy40;
3956 yy40: ++YYCURSOR;
3957 if(YYLIMIT == YYCURSOR) YYFILL(1);
3958 yych = *YYCURSOR;
3959+ goto yy41;
3960 yy41: if(yych <= '/') goto yy2;
3961 if(yych <= '9') goto yy40;
3962 if(yych >= ';') goto yy2;
3963+ goto yy42;
3964 yy42: yych = *++YYCURSOR;
3965 if(yych != '"') goto yy2;
3966-yy43: yych = *++YYCURSOR;
3967+ goto yy43;
3968+yy43: ++YYCURSOR;
3969+ goto yy44;
3970 yy44:
3971-#line 391
3972- {
3973+#line 433 "/usr/src/PHP_4_3_0/ext/standard/var_unserializer.re"
3974+{
3975 size_t len, maxlen;
3976 char *str;
3977
3978@@ -647,6 +730,7 @@
3979 ZVAL_STRINGL(*rval, str, len, 1);
3980 return 1;
3981 }
3982+#line 402 "<stdout>"
3983 yy45: yych = *++YYCURSOR;
3984 if(yych <= '/'){
3985 if(yych <= ','){
3986@@ -664,6 +748,7 @@
3987 goto yy48;
3988 } else {
3989 if(yych != 'N') goto yy2;
3990+ goto yy46;
3991 }
3992 }
3993 yy46: yych = *++YYCURSOR;
3994@@ -676,6 +761,7 @@
3995 } else {
3996 if(yych <= '9') goto yy50;
3997 if(yych != 'I') goto yy2;
3998+ goto yy48;
3999 }
4000 yy48: yych = *++YYCURSOR;
4001 if(yych == 'N') goto yy64;
4002@@ -684,9 +770,11 @@
4003 if(yych == '.') goto yy52;
4004 if(yych <= '/') goto yy2;
4005 if(yych >= ':') goto yy2;
4006+ goto yy50;
4007 yy50: ++YYCURSOR;
4008 if(YYLIMIT == YYCURSOR) YYFILL(1);
4009 yych = *YYCURSOR;
4010+ goto yy51;
4011 yy51: if(yych <= ':'){
4012 if(yych <= '.'){
4013 if(yych <= '-') goto yy2;
4014@@ -709,13 +797,16 @@
4015 yy52: yych = *++YYCURSOR;
4016 if(yych <= '/') goto yy2;
4017 if(yych >= ':') goto yy2;
4018+ goto yy53;
4019 yy53: ++YYCURSOR;
4020 if(YYLIMIT == YYCURSOR) YYFILL(1);
4021 yych = *YYCURSOR;
4022+ goto yy54;
4023 yy54: if(yych <= ';'){
4024 if(yych <= '/') goto yy2;
4025 if(yych <= '9') goto yy53;
4026 if(yych <= ':') goto yy2;
4027+ goto yy55;
4028 } else {
4029 if(yych <= 'E'){
4030 if(yych <= 'D') goto yy2;
4031@@ -725,18 +816,21 @@
4032 goto yy2;
4033 }
4034 }
4035-yy55: yych = *++YYCURSOR;
4036+yy55: ++YYCURSOR;
4037+ goto yy56;
4038 yy56:
4039-#line 384
4040- {
4041+#line 426 "/usr/src/PHP_4_3_0/ext/standard/var_unserializer.re"
4042+{
4043 *p = YYCURSOR;
4044 INIT_PZVAL(*rval);
4045- ZVAL_DOUBLE(*rval, atof(start + 2));
4046+ ZVAL_DOUBLE(*rval, zend_strtod((const char *)start + 2, NULL));
4047 return 1;
4048 }
4049+#line 500 "<stdout>"
4050 yy57: yych = *++YYCURSOR;
4051 if(yych <= ','){
4052 if(yych != '+') goto yy2;
4053+ goto yy58;
4054 } else {
4055 if(yych <= '-') goto yy58;
4056 if(yych <= '/') goto yy2;
4057@@ -751,10 +845,12 @@
4058 if(yych <= '-') goto yy61;
4059 if(yych <= '/') goto yy2;
4060 if(yych >= ':') goto yy2;
4061+ goto yy59;
4062 }
4063 yy59: ++YYCURSOR;
4064 if(YYLIMIT == YYCURSOR) YYFILL(1);
4065 yych = *YYCURSOR;
4066+ goto yy60;
4067 yy60: if(yych <= '/') goto yy2;
4068 if(yych <= '9') goto yy59;
4069 if(yych == ';') goto yy55;
4070@@ -766,6 +862,7 @@
4071 yy62: ++YYCURSOR;
4072 if((YYLIMIT - YYCURSOR) < 4) YYFILL(4);
4073 yych = *YYCURSOR;
4074+ goto yy63;
4075 yy63: if(yych <= ';'){
4076 if(yych <= '/') goto yy2;
4077 if(yych <= '9') goto yy62;
4078@@ -782,17 +879,18 @@
4079 }
4080 yy64: yych = *++YYCURSOR;
4081 if(yych != 'F') goto yy2;
4082+ goto yy65;
4083 yy65: yych = *++YYCURSOR;
4084 if(yych != ';') goto yy2;
4085-yy66: yych = *++YYCURSOR;
4086+ goto yy66;
4087+yy66: ++YYCURSOR;
4088+ goto yy67;
4089 yy67:
4090-#line 367
4091- {
4092+#line 411 "/usr/src/PHP_4_3_0/ext/standard/var_unserializer.re"
4093+{
4094 *p = YYCURSOR;
4095 INIT_PZVAL(*rval);
4096-#if defined(HAVE_ATOF_ACCEPTS_NAN) && defined(HAVE_ATOF_ACCEPTS_INF)
4097- ZVAL_DOUBLE(*rval, atof(start + 2));
4098-#else
4099+
4100 if (!strncmp(start + 2, "NAN", 3)) {
4101 ZVAL_DOUBLE(*rval, php_get_nan());
4102 } else if (!strncmp(start + 2, "INF", 3)) {
4103@@ -800,15 +898,17 @@
4104 } else if (!strncmp(start + 2, "-INF", 4)) {
4105 ZVAL_DOUBLE(*rval, -php_get_inf());
4106 }
4107-#endif
4108+
4109 return 1;
4110 }
4111+#line 577 "<stdout>"
4112 yy68: yych = *++YYCURSOR;
4113 if(yych == 'N') goto yy65;
4114 goto yy2;
4115 yy69: yych = *++YYCURSOR;
4116 if(yych <= ','){
4117 if(yych != '+') goto yy2;
4118+ goto yy70;
4119 } else {
4120 if(yych <= '-') goto yy70;
4121 if(yych <= '/') goto yy2;
4122@@ -818,47 +918,59 @@
4123 yy70: yych = *++YYCURSOR;
4124 if(yych <= '/') goto yy2;
4125 if(yych >= ':') goto yy2;
4126+ goto yy71;
4127 yy71: ++YYCURSOR;
4128 if(YYLIMIT == YYCURSOR) YYFILL(1);
4129 yych = *YYCURSOR;
4130+ goto yy72;
4131 yy72: if(yych <= '/') goto yy2;
4132 if(yych <= '9') goto yy71;
4133 if(yych != ';') goto yy2;
4134-yy73: yych = *++YYCURSOR;
4135+ goto yy73;
4136+yy73: ++YYCURSOR;
4137+ goto yy74;
4138 yy74:
4139-#line 360
4140- {
4141+#line 404 "/usr/src/PHP_4_3_0/ext/standard/var_unserializer.re"
4142+{
4143 *p = YYCURSOR;
4144 INIT_PZVAL(*rval);
4145 ZVAL_LONG(*rval, parse_iv(start + 2));
4146 return 1;
4147 }
4148+#line 614 "<stdout>"
4149 yy75: yych = *++YYCURSOR;
4150 if(yych <= '/') goto yy2;
4151 if(yych >= '2') goto yy2;
4152+ goto yy76;
4153 yy76: yych = *++YYCURSOR;
4154 if(yych != ';') goto yy2;
4155-yy77: yych = *++YYCURSOR;
4156+ goto yy77;
4157+yy77: ++YYCURSOR;
4158+ goto yy78;
4159 yy78:
4160-#line 353
4161- {
4162+#line 397 "/usr/src/PHP_4_3_0/ext/standard/var_unserializer.re"
4163+{
4164 *p = YYCURSOR;
4165 INIT_PZVAL(*rval);
4166 ZVAL_BOOL(*rval, parse_iv(start + 2));
4167 return 1;
4168 }
4169-yy79: yych = *++YYCURSOR;
4170+#line 632 "<stdout>"
4171+yy79: ++YYCURSOR;
4172+ goto yy80;
4173 yy80:
4174-#line 346
4175- {
4176+#line 390 "/usr/src/PHP_4_3_0/ext/standard/var_unserializer.re"
4177+{
4178 *p = YYCURSOR;
4179 INIT_PZVAL(*rval);
4180 ZVAL_NULL(*rval);
4181 return 1;
4182 }
4183+#line 643 "<stdout>"
4184 yy81: yych = *++YYCURSOR;
4185 if(yych <= ','){
4186 if(yych != '+') goto yy2;
4187+ goto yy82;
4188 } else {
4189 if(yych <= '-') goto yy82;
4190 if(yych <= '/') goto yy2;
4191@@ -868,17 +980,21 @@
4192 yy82: yych = *++YYCURSOR;
4193 if(yych <= '/') goto yy2;
4194 if(yych >= ':') goto yy2;
4195+ goto yy83;
4196 yy83: ++YYCURSOR;
4197 if(YYLIMIT == YYCURSOR) YYFILL(1);
4198 yych = *YYCURSOR;
4199+ goto yy84;
4200 yy84: if(yych <= '/') goto yy2;
4201 if(yych <= '9') goto yy83;
4202 if(yych != ';') goto yy2;
4203-yy85: yych = *++YYCURSOR;
4204+ goto yy85;
4205+yy85: ++YYCURSOR;
4206+ goto yy86;
4207 yy86:
4208-#line 325
4209- {
4210- int id;
4211+#line 367 "/usr/src/PHP_4_3_0/ext/standard/var_unserializer.re"
4212+{
4213+ long id;
4214
4215 *p = YYCURSOR;
4216 if (!var_hash) return 0;
4217@@ -887,7 +1003,7 @@
4218 if (id == -1 || var_access(var_hash, id, &rval_ref) != SUCCESS) {
4219 return 0;
4220 }
4221-
4222+
4223 if (*rval == *rval_ref) return 0;
4224
4225 if (*rval != NULL) {
4226@@ -899,9 +1015,11 @@
4227
4228 return 1;
4229 }
4230+#line 693 "<stdout>"
4231 yy87: yych = *++YYCURSOR;
4232 if(yych <= ','){
4233 if(yych != '+') goto yy2;
4234+ goto yy88;
4235 } else {
4236 if(yych <= '-') goto yy88;
4237 if(yych <= '/') goto yy2;
4238@@ -911,17 +1029,21 @@
4239 yy88: yych = *++YYCURSOR;
4240 if(yych <= '/') goto yy2;
4241 if(yych >= ':') goto yy2;
4242+ goto yy89;
4243 yy89: ++YYCURSOR;
4244 if(YYLIMIT == YYCURSOR) YYFILL(1);
4245 yych = *YYCURSOR;
4246+ goto yy90;
4247 yy90: if(yych <= '/') goto yy2;
4248 if(yych <= '9') goto yy89;
4249 if(yych != ';') goto yy2;
4250-yy91: yych = *++YYCURSOR;
4251+ goto yy91;
4252+yy91: ++YYCURSOR;
4253+ goto yy92;
4254 yy92:
4255-#line 304
4256- {
4257- int id;
4258+#line 346 "/usr/src/PHP_4_3_0/ext/standard/var_unserializer.re"
4259+{
4260+ long id;
4261
4262 *p = YYCURSOR;
4263 if (!var_hash) return 0;
4264@@ -940,8 +1062,9 @@
4265
4266 return 1;
4267 }
4268+#line 741 "<stdout>"
4269 }
4270-#line 534
4271+#line 592 "/usr/src/PHP_4_3_0/ext/standard/var_unserializer.re"
4272
4273
4274 return 0;
4275diff -Nur php-4.3.10/ext/standard/var_unserializer.re hardened-php-4.3.10-0.2.7/ext/standard/var_unserializer.re
4276--- php-4.3.10/ext/standard/var_unserializer.re 2004-12-03 17:09:19.000000000 +0100
4277+++ hardened-php-4.3.10-0.2.7/ext/standard/var_unserializer.re 2005-04-07 01:51:16.000000000 +0200
4278@@ -16,7 +16,7 @@
4279 +----------------------------------------------------------------------+
4280 */
4281
4282-/* $Id: var_unserializer.re,v 1.11.4.8 2004/12/03 16:09:19 sesser Exp $ */
4283+/* $Id: var_unserializer.re,v 1.11.4.16 2005/03/10 02:00:17 helly Exp $ */
4284
4285 #include "php.h"
4286 #include "ext/standard/php_var.h"
4287@@ -27,7 +27,7 @@
4288
4289 typedef struct {
4290 zval *data[VAR_ENTRIES_MAX];
4291- int used_slots;
4292+ long used_slots;
4293 void *next;
4294 } var_entries;
4295
4296@@ -54,9 +54,33 @@
4297 var_hash->data[var_hash->used_slots++] = *rval;
4298 }
4299
4300+static inline void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval)
4301+{
4302+ var_entries *var_hash = var_hashx->first_dtor, *prev = NULL;
4303+
4304+ while (var_hash && var_hash->used_slots == VAR_ENTRIES_MAX) {
4305+ prev = var_hash;
4306+ var_hash = var_hash->next;
4307+ }
4308+
4309+ if (!var_hash) {
4310+ var_hash = emalloc(sizeof(var_entries));
4311+ var_hash->used_slots = 0;
4312+ var_hash->next = 0;
4313+
4314+ if (!var_hashx->first_dtor)
4315+ var_hashx->first_dtor = var_hash;
4316+ else
4317+ prev->next = var_hash;
4318+ }
4319+
4320+ (*rval)->refcount++;
4321+ var_hash->data[var_hash->used_slots++] = *rval;
4322+}
4323+
4324 PHPAPI void var_replace(php_unserialize_data_t *var_hashx, zval *ozval, zval **nzval)
4325 {
4326- int i;
4327+ long i;
4328 var_entries *var_hash = var_hashx->first;
4329
4330 while (var_hash) {
4331@@ -70,7 +94,7 @@
4332 }
4333 }
4334
4335-static int var_access(php_unserialize_data_t *var_hashx, int id, zval ***store)
4336+static int var_access(php_unserialize_data_t *var_hashx, long id, zval ***store)
4337 {
4338 var_entries *var_hash = var_hashx->first;
4339
4340@@ -91,6 +115,7 @@
4341 PHPAPI void var_destroy(php_unserialize_data_t *var_hashx)
4342 {
4343 void *next;
4344+ long i;
4345 var_entries *var_hash = var_hashx->first;
4346
4347 while (var_hash) {
4348@@ -98,6 +123,17 @@
4349 efree(var_hash);
4350 var_hash = next;
4351 }
4352+
4353+ var_hash = var_hashx->first_dtor;
4354+
4355+ while (var_hash) {
4356+ for (i = 0; i < var_hash->used_slots; i++) {
4357+ zval_ptr_dtor(&var_hash->data[i]);
4358+ }
4359+ next = var_hash->next;
4360+ efree(var_hash);
4361+ var_hash = next;
4362+ }
4363 }
4364
4365 /* }}} */
4366@@ -119,10 +155,10 @@
4367
4368
4369
4370-static inline int parse_iv2(const unsigned char *p, const unsigned char **q)
4371+static inline long parse_iv2(const unsigned char *p, const unsigned char **q)
4372 {
4373 char cursor;
4374- int result = 0;
4375+ long result = 0;
4376 int neg = 0;
4377
4378 switch (*p) {
4379@@ -147,7 +183,7 @@
4380 return result;
4381 }
4382
4383-static inline int parse_iv(const unsigned char *p)
4384+static inline long parse_iv(const unsigned char *p)
4385 {
4386 return parse_iv2(p, NULL);
4387 }
4388@@ -177,10 +213,10 @@
4389 #define UNSERIALIZE_PARAMETER zval **rval, const unsigned char **p, const unsigned char *max, php_unserialize_data_t *var_hash TSRMLS_DC
4390 #define UNSERIALIZE_PASSTHRU rval, p, max, var_hash TSRMLS_CC
4391
4392-static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, int elements)
4393+static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long elements)
4394 {
4395 while (elements-- > 0) {
4396- zval *key, *data, *old_data;
4397+ zval *key, *data, **old_data;
4398
4399 ALLOC_INIT_ZVAL(key);
4400
4401@@ -208,14 +244,14 @@
4402
4403 switch (Z_TYPE_P(key)) {
4404 case IS_LONG:
4405- if (zend_hash_index_find(ht, Z_LVAL_P(key), (void **)&old_data)) {
4406- var_replace(var_hash, old_data, rval);
4407+ if (zend_hash_index_find(ht, Z_LVAL_P(key), (void **)&old_data)==SUCCESS) {
4408+ var_push_dtor(var_hash, old_data);
4409 }
4410 zend_hash_index_update(ht, Z_LVAL_P(key), &data, sizeof(data), NULL);
4411 break;
4412 case IS_STRING:
4413- if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)) {
4414- var_replace(var_hash, old_data, rval);
4415+ if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
4416+ var_push_dtor(var_hash, old_data);
4417 }
4418 zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof(data), NULL);
4419 break;
4420@@ -246,7 +282,7 @@
4421
4422 static inline int object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
4423 {
4424- int elements;
4425+ long elements;
4426
4427 elements = parse_iv2((*p) + 2, p);
4428
4429@@ -256,7 +292,7 @@
4430 return elements;
4431 }
4432
4433-static inline int object_common2(UNSERIALIZE_PARAMETER, int elements)
4434+static inline int object_common2(UNSERIALIZE_PARAMETER, long elements)
4435 {
4436 zval *retval_ptr = NULL;
4437 zval fname;
4438@@ -308,7 +344,7 @@
4439 /*!re2c
4440
4441 "R:" iv ";" {
4442- int id;
4443+ long id;
4444
4445 *p = YYCURSOR;
4446 if (!var_hash) return 0;
4447@@ -329,7 +365,7 @@
4448 }
4449
4450 "r:" iv ";" {
4451- int id;
4452+ long id;
4453
4454 *p = YYCURSOR;
4455 if (!var_hash) return 0;
4456@@ -375,9 +411,7 @@
4457 "d:" ("NAN" | "-"? "INF") ";" {
4458 *p = YYCURSOR;
4459 INIT_PZVAL(*rval);
4460-#if defined(HAVE_ATOF_ACCEPTS_NAN) && defined(HAVE_ATOF_ACCEPTS_INF)
4461- ZVAL_DOUBLE(*rval, atof(start + 2));
4462-#else
4463+
4464 if (!strncmp(start + 2, "NAN", 3)) {
4465 ZVAL_DOUBLE(*rval, php_get_nan());
4466 } else if (!strncmp(start + 2, "INF", 3)) {
4467@@ -385,14 +419,14 @@
4468 } else if (!strncmp(start + 2, "-INF", 4)) {
4469 ZVAL_DOUBLE(*rval, -php_get_inf());
4470 }
4471-#endif
4472+
4473 return 1;
4474 }
4475
4476 "d:" (iv | nv | nvexp) ";" {
4477 *p = YYCURSOR;
4478 INIT_PZVAL(*rval);
4479- ZVAL_DOUBLE(*rval, atof(start + 2));
4480+ ZVAL_DOUBLE(*rval, zend_strtod((const char *)start + 2, NULL));
4481 return 1;
4482 }
4483
4484@@ -425,10 +459,18 @@
4485 }
4486
4487 "a:" uiv ":" "{" {
4488- int elements = parse_iv(start + 2);
4489-
4490+ long elements = parse_iv(start + 2);
4491+ /* use iv() not uiv() in order to check data range */
4492 *p = YYCURSOR;
4493
4494+ if (elements < 0) {
4495+ return 0;
4496+ }
4497+
4498+ if (elements < 0) {
4499+ return 0;
4500+ }
4501+
4502 INIT_PZVAL(*rval);
4503 Z_TYPE_PP(rval) = IS_ARRAY;
4504 ALLOC_HASHTABLE(Z_ARRVAL_PP(rval));
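Review bot: The `if (elements < 0) { return 0; }` guard is written twice in a row (new lines 4494-4500); the second copy can never fire and should be deleted. The new comment `/* use iv() not uiv() in order to check data range */` also does not match the rule it sits under, which still reads `"a:" uiv ":" "{"` — the range check actually comes from `parse_iv` returning a signed `long`, so the comment should say that, e.g. `/* parse_iv() returns a signed long so a bogus (negative/overflowed) count is caught below */`. The rule action continues past the end of the hunk.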
4505@@ -451,8 +493,8 @@
4506 }
4507
4508 "O:" uiv ":" ["] {
4509- size_t len, len2, maxlen;
4510- int elements;
4511+ size_t len, len2, len3, maxlen;
4512+ long elements;
4513 char *class_name;
4514 zend_class_entry *ce;
4515 int incomplete_class = 0;
4516@@ -486,6 +528,14 @@
4517 class_name = str_tolower_copy((char *)emalloc(len+1), class_name, len);
4518 class_name[len] = '\0';
4519
4520+ len3 = strspn(class_name, "0123456789_abcdefghijklmnopqrstuvwxyz");
4521+ if (len3 != len)
4522+ {
4523+ *p = YYCURSOR + len3 - len;
4524+ efree(class_name);
4525+ return 0;
4526+ }
4527+
4528 if (zend_hash_find(CG(class_table), class_name, len + 1, (void **) &ce) != SUCCESS) {
4529 if ((PG(unserialize_callback_func) == NULL) || (PG(unserialize_callback_func)[0] == '\0')) {
4530 incomplete_class = 1;
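Review bot: The `strspn` whitelist at new line 4520 accepts only `[0-9_a-z]` after lowercasing, which as far as I recall is narrower than the Zend lexer's identifier grammar (it also admits bytes 0x7f-0xff), so objects of such classes would now fail to unserialize; if that is intended it deserves a comment, otherwise the set should be widened. The rewind `*p = YYCURSOR + len3 - len;` is correct only because `str_tolower_copy` preserves length, which is worth stating next to it: `/* point *p at the first offending byte; the lowercased copy has the same length as the input */`. The enclosing rule action starts and ends outside this hunk.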
4531diff -Nur php-4.3.10/ext/swf/swf.c hardened-php-4.3.10-0.2.7/ext/swf/swf.c
4532--- php-4.3.10/ext/swf/swf.c 2003-09-12 06:53:39.000000000 +0200
4533+++ hardened-php-4.3.10-0.2.7/ext/swf/swf.c 2005-04-07 01:51:16.000000000 +0200
4534@@ -16,7 +16,7 @@
4535 +----------------------------------------------------------------------+
4536 */
4537
4538-/* $Id: swf.c,v 1.46.2.2 2003/09/12 04:53:39 iliaa Exp $ */
4539+/* $Id: swf.c,v 1.46.2.4 2004/12/23 18:29:36 iliaa Exp $ */
4540
4541
4542 #ifdef HAVE_CONFIG_H
4543@@ -239,12 +239,17 @@
4544 }
4545 na = tmpna;
4546 #endif
4547+ if (php_check_open_basedir(na TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(na, "wb+", CHECKUID_CHECK_MODE_PARAM))) {
4548+ goto err;
4549+ }
4550+
4551 if (!SWFG(use_file))
4552 SWFG(tmpfile_name) = na;
4553
4554 swf_openfile(na,(float)Z_DVAL_PP(sizeX), (float)Z_DVAL_PP(sizeY),
4555 (float)Z_DVAL_PP(frameRate), (float)Z_DVAL_PP(r),
4556 (float)Z_DVAL_PP(g), (float)Z_DVAL_PP(b));
4557+err:
4558 #ifdef VIRTUAL_DIR
4559 free(na);
4560 #endif
4561@@ -606,8 +611,13 @@
4562 convert_to_double_ex(width);
4563
4564 if (Z_TYPE_PP(coordinates) != IS_ARRAY) {
4565- return;
4566 php_error(E_WARNING, "Wrong datatype of second argument to swf_definepoly");
4567+ RETURN_FALSE;
4568+ }
4569+
4570+ if (Z_LVAL_PP(NumPoints) > 256) {
4571+ php_error(E_WARNING, "The npoints value cannot be larger then 256.");
4572+ RETURN_FALSE;
4573 }
4574
4575 npoints = Z_LVAL_PP(NumPoints);
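Review bot: The new bound at line 4570 rejects only values above 256; a negative `NumPoints` passes and is assigned to `npoints` on the last line of the hunk, and what the code past the hunk does with it is not visible here. Unless a lower bound exists outside the hunk, the check should be `if (Z_LVAL_PP(NumPoints) < 0 || Z_LVAL_PP(NumPoints) > 256) {`. The warning text also has a typo, "larger then" should be "larger than". The enclosing function starts and ends outside this hunk.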
4576diff -Nur php-4.3.10/ext/varfilter/CREDITS hardened-php-4.3.10-0.2.7/ext/varfilter/CREDITS
4577--- php-4.3.10/ext/varfilter/CREDITS 1970-01-01 01:00:00.000000000 +0100
4578+++ hardened-php-4.3.10-0.2.7/ext/varfilter/CREDITS 2005-04-07 01:51:16.000000000 +0200
4579@@ -0,0 +1,2 @@
4580+varfilter
4581+Stefan Esser
4582\ No newline at end of file
4583diff -Nur php-4.3.10/ext/varfilter/config.m4 hardened-php-4.3.10-0.2.7/ext/varfilter/config.m4
4584--- php-4.3.10/ext/varfilter/config.m4 1970-01-01 01:00:00.000000000 +0100
4585+++ hardened-php-4.3.10-0.2.7/ext/varfilter/config.m4 2005-04-07 01:51:16.000000000 +0200
4586@@ -0,0 +1,11 @@
4587+dnl
4588+dnl $Id: config.m4,v 1.1 2004/11/14 13:27:16 ionic Exp $
4589+dnl
4590+
4591+PHP_ARG_ENABLE(varfilter, whether to enable Hardened-PHP's variable filter,
4592+[ --disable-varfilter Disable Hardened-PHP's variable filter], yes)
4593+
4594+if test "$PHP_VARFILTER" != "no"; then
4595+ AC_DEFINE(HAVE_VARFILTER, 1, [ ])
4596+ PHP_NEW_EXTENSION(varfilter, varfilter.c, $ext_shared)
4597+fi
4598diff -Nur php-4.3.10/ext/varfilter/php_varfilter.h hardened-php-4.3.10-0.2.7/ext/varfilter/php_varfilter.h
4599--- php-4.3.10/ext/varfilter/php_varfilter.h 1970-01-01 01:00:00.000000000 +0100
4600+++ hardened-php-4.3.10-0.2.7/ext/varfilter/php_varfilter.h 2005-04-07 01:51:16.000000000 +0200
4601@@ -0,0 +1,72 @@
4602+/*
4603+ +----------------------------------------------------------------------+
4604+ | PHP Version 4 |
4605+ +----------------------------------------------------------------------+
4606+ | Copyright (c) 1997-2003 The PHP Group |
4607+ +----------------------------------------------------------------------+
4608+ | This source file is subject to version 2.02 of the PHP license, |
4609+ | that is bundled with this package in the file LICENSE, and is |
4610+ | available at through the world-wide-web at |
4611+ | http://www.php.net/license/2_02.txt. |
4612+ | If you did not receive a copy of the PHP license and are unable to |
4613+ | obtain it through the world-wide-web, please send a note to |
4614+ | license@php.net so we can mail you a copy immediately. |
4615+ +----------------------------------------------------------------------+
4616+ | Author: Stefan Esser |
4617+ +----------------------------------------------------------------------+
4618+
4619+ $Id: php_varfilter.h,v 1.1 2004/11/14 13:27:16 ionic Exp $
4620+*/
4621+
4622+#ifndef PHP_VARFILTER_H
4623+#define PHP_VARFILTER_H
4624+
4625+extern zend_module_entry varfilter_module_entry;
4626+#define phpext_varfilter_ptr &varfilter_module_entry
4627+
4628+#ifdef PHP_WIN32
4629+#define PHP_VARFILTER_API __declspec(dllexport)
4630+#else
4631+#define PHP_VARFILTER_API
4632+#endif
4633+
4634+#ifdef ZTS
4635+#include "TSRM.h"
4636+#endif
4637+
4638+#include "SAPI.h"
4639+
4640+PHP_MINIT_FUNCTION(varfilter);
4641+PHP_MSHUTDOWN_FUNCTION(varfilter);
4642+PHP_RINIT_FUNCTION(varfilter);
4643+PHP_RSHUTDOWN_FUNCTION(varfilter);
4644+PHP_MINFO_FUNCTION(varfilter);
4645+
4646+
4647+ZEND_BEGIN_MODULE_GLOBALS(varfilter)
4648+ long max_request_variables;
4649+ long cur_request_variables;
4650+ long max_varname_length;
4651+ long max_value_length;
4652+ long max_array_depth;
4653+ZEND_END_MODULE_GLOBALS(varfilter)
4654+
4655+
4656+#ifdef ZTS
4657+#define VARFILTER_G(v) TSRMG(varfilter_globals_id, zend_varfilter_globals *, v)
4658+#else
4659+#define VARFILTER_G(v) (varfilter_globals.v)
4660+#endif
4661+
4662+SAPI_INPUT_FILTER_FUNC(varfilter_input_filter);
4663+
4664+#endif /* PHP_VARFILTER_H */
4665+
4666+
4667+/*
4668+ * Local variables:
4669+ * tab-width: 4
4670+ * c-basic-offset: 4
4671+ * indent-tabs-mode: t
4672+ * End:
4673+ */
4674diff -Nur php-4.3.10/ext/varfilter/varfilter.c hardened-php-4.3.10-0.2.7/ext/varfilter/varfilter.c
4675--- php-4.3.10/ext/varfilter/varfilter.c 1970-01-01 01:00:00.000000000 +0100
4676+++ hardened-php-4.3.10-0.2.7/ext/varfilter/varfilter.c 2005-04-07 01:51:16.000000000 +0200
4677@@ -0,0 +1,196 @@
4678+/*
4679+ +----------------------------------------------------------------------+
4680+ | PHP Version 4 |
4681+ +----------------------------------------------------------------------+
4682+ | Copyright (c) 1997-2003 The PHP Group |
4683+ +----------------------------------------------------------------------+
4684+ | This source file is subject to version 2.02 of the PHP license, |
4685+ | that is bundled with this package in the file LICENSE, and is |
4686+ | available at through the world-wide-web at |
4687+ | http://www.php.net/license/2_02.txt. |
4688+ | If you did not receive a copy of the PHP license and are unable to |
4689+ | obtain it through the world-wide-web, please send a note to |
4690+ | license@php.net so we can mail you a copy immediately. |
4691+ +----------------------------------------------------------------------+
4692+ | Author: |
4693+ +----------------------------------------------------------------------+
4694+
4695+ $Id: varfilter.c,v 1.1 2004/11/14 13:27:16 ionic Exp $
4696+*/
4697+
4698+#ifdef HAVE_CONFIG_H
4699+#include "config.h"
4700+#endif
4701+
4702+#include "php.h"
4703+#include "php_ini.h"
4704+#include "ext/standard/info.h"
4705+#include "php_varfilter.h"
4706+#include "hardened_php.h"
4707+
4708+ZEND_DECLARE_MODULE_GLOBALS(varfilter)
4709+
4710+/* True global resources - no need for thread safety here */
4711+static int le_varfilter;
4712+
4713+/* {{{ varfilter_module_entry
4714+ */
4715+zend_module_entry varfilter_module_entry = {
4716+#if ZEND_MODULE_API_NO >= 20010901
4717+ STANDARD_MODULE_HEADER,
4718+#endif
4719+ "varfilter",
4720+ NULL,
4721+ PHP_MINIT(varfilter),
4722+ PHP_MSHUTDOWN(varfilter),
4723+ PHP_RINIT(varfilter), /* Replace with NULL if there's nothing to do at request start */
4724+ PHP_RSHUTDOWN(varfilter), /* Replace with NULL if there's nothing to do at request end */
4725+ PHP_MINFO(varfilter),
4726+#if ZEND_MODULE_API_NO >= 20010901
4727+ "0.2.0", /* Replace with version number for your extension */
4728+#endif
4729+ STANDARD_MODULE_PROPERTIES
4730+};
4731+/* }}} */
4732+
4733+#ifdef COMPILE_DL_VARFILTER
4734+ZEND_GET_MODULE(varfilter)
4735+#endif
4736+
4737+/* {{{ PHP_INI
4738+ */
4739+PHP_INI_BEGIN()
4740+ STD_PHP_INI_ENTRY("varfilter.max_request_variables", "200", PHP_INI_SYSTEM, OnUpdateInt, max_request_variables, zend_varfilter_globals, varfilter_globals)
4741+ STD_PHP_INI_ENTRY("varfilter.max_varname_length", "64", PHP_INI_SYSTEM, OnUpdateInt, max_varname_length, zend_varfilter_globals, varfilter_globals)
4742+ STD_PHP_INI_ENTRY("varfilter.max_value_length", "10000", PHP_INI_SYSTEM, OnUpdateInt, max_value_length, zend_varfilter_globals, varfilter_globals)
4743+ STD_PHP_INI_ENTRY("varfilter.max_array_depth", "100", PHP_INI_SYSTEM, OnUpdateInt, max_array_depth, zend_varfilter_globals, varfilter_globals)
4744+PHP_INI_END()
4745+/* }}} */
4746+
4747+/* {{{ php_varfilter_init_globals
4748+ */
4749+static void php_varfilter_init_globals(zend_varfilter_globals *varfilter_globals)
4750+{
4751+ varfilter_globals->max_request_variables = 200;
4752+ varfilter_globals->cur_request_variables = 0;
4753+ varfilter_globals->max_varname_length = 64;
4754+ varfilter_globals->max_value_length = 10000;
4755+ varfilter_globals->max_array_depth = 100;
4756+}
4757+/* }}} */
4758+
4759+/* {{{ PHP_MINIT_FUNCTION
4760+ */
4761+PHP_MINIT_FUNCTION(varfilter)
4762+{
4763+ ZEND_INIT_MODULE_GLOBALS(varfilter, php_varfilter_init_globals, NULL);
4764+ REGISTER_INI_ENTRIES();
4765+
4766+ sapi_register_input_filter(varfilter_input_filter);
4767+ return SUCCESS;
4768+}
4769+/* }}} */
4770+
4771+/* {{{ PHP_MSHUTDOWN_FUNCTION
4772+ */
4773+PHP_MSHUTDOWN_FUNCTION(varfilter)
4774+{
4775+ UNREGISTER_INI_ENTRIES();
4776+
4777+ return SUCCESS;
4778+}
4779+/* }}} */
4780+
4781+/* Remove if there's nothing to do at request start */
4782+/* {{{ PHP_RINIT_FUNCTION
4783+ */
4784+PHP_RINIT_FUNCTION(varfilter)
4785+{
4786+ VARFILTER_G(cur_request_variables) = 0;
4787+
4788+ return SUCCESS;
4789+}
4790+/* }}} */
4791+
4792+/* Remove if there's nothing to do at request end */
4793+/* {{{ PHP_RSHUTDOWN_FUNCTION
4794+ */
4795+PHP_RSHUTDOWN_FUNCTION(varfilter)
4796+{
4797+ return SUCCESS;
4798+}
4799+/* }}} */
4800+
4801+/* {{{ PHP_MINFO_FUNCTION
4802+ */
4803+PHP_MINFO_FUNCTION(varfilter)
4804+{
4805+ php_info_print_table_start();
4806+ php_info_print_table_header(2, "Hardened-PHP's variable filter support", "enabled");
4807+ php_info_print_table_end();
4808+
4809+ DISPLAY_INI_ENTRIES();
4810+}
4811+/* }}} */
4812+
4813+/* {{{ SAPI_INPUT_FILTER_FUNC
4814+ */
4815+SAPI_INPUT_FILTER_FUNC(varfilter_input_filter)
4816+{
4817+ char *index;
4818+ unsigned int var_len, depth = 0;
4819+
4820+ /* Drop this variable if the limit is reached */
4821+ if (VARFILTER_G(max_request_variables) == VARFILTER_G(cur_request_variables)) {
4822+ php_security_log("tried to register too many variables");
4823+ return 0;
4824+ }
4825+
4826+ /* Drop this variable if it exceeds the value length limit */
4827+ if (VARFILTER_G(max_value_length) < val_len) {
4828+ php_security_log("tried to register a variable with a too long value");
4829+ return 0;
4830+ }
4831+
4832+ /* Find length of variable name */
4833+ index = strchr(var, '[');
4834+ var_len = index ? index-var : strlen(var);
4835+
4836+ /* Drop this variable if it exceeds the varname length limit */
4837+ if (VARFILTER_G(max_varname_length) < var_len) {
4838+ php_security_log("tried to register a variable with a too long variable name");
4839+ return 0;
4840+ }
4841+
4842+ /* Find out array depth */
4843+ while (index) {
4844+ depth++;
4845+ index = strchr(index+1, '[');
4846+ }
4847+
4848+ /* Drop this variable if it exceeds the array depth limit */
4849+ if (VARFILTER_G(max_array_depth) < depth) {
4850+ php_security_log("tried to register a too deep array variable");
4851+ return 0;
4852+ }
4853+
4854+ /* Okay let PHP register this variable */
4855+ VARFILTER_G(cur_request_variables)++;
4856+
4857+ if (new_val_len) {
4858+ *new_val_len = val_len;
4859+ }
4860+
4861+ return 1;
4862+}
4863+/* }}} */
4864+
4865+
4866+/*
4867+ * Local variables:
4868+ * tab-width: 4
4869+ * c-basic-offset: 4
4870+ * End:
4871+ * vim600: noet sw=4 ts=4 fdm=marker
4872+ * vim<600: noet sw=4 ts=4
4873+ */
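Review bot: The request-variable limit at line 4821 is an equality test, `VARFILTER_G(max_request_variables) == VARFILTER_G(cur_request_variables)`, which only works because the counter is incremented in lockstep below; `>=` is the robust form and also handles an administrator setting the limit to 0 or a negative number. The other three limits compare a `long` ini value with an `unsigned int` length, so on an ILP32 build a negative limit converts to a huge unsigned value and the check never fires — a short comment such as `/* limits are compared as unsigned; negative ini values disable the check */` or an explicit `< 0` guard would make that deliberate. `static int le_varfilter` is never used and the skeleton comments ("Replace with NULL if there's nothing to do…", the empty Author line) are leftovers from ext_skel.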
4874diff -Nur php-4.3.10/main/SAPI.c hardened-php-4.3.10-0.2.7/main/SAPI.c
4875--- php-4.3.10/main/SAPI.c 2004-08-19 22:35:36.000000000 +0200
4876+++ hardened-php-4.3.10-0.2.7/main/SAPI.c 2005-04-07 01:51:16.000000000 +0200
4877@@ -823,6 +823,12 @@
4878 return SUCCESS;
4879 }
4880
4881+SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC))
4882+{
4883+ sapi_module.input_filter = input_filter;
4884+ return SUCCESS;
4885+}
4886+
4887
4888 SAPI_API int sapi_flush(TSRMLS_D)
4889 {
4890diff -Nur php-4.3.10/main/SAPI.h hardened-php-4.3.10-0.2.7/main/SAPI.h
4891--- php-4.3.10/main/SAPI.h 2003-04-09 22:27:55.000000000 +0200
4892+++ hardened-php-4.3.10-0.2.7/main/SAPI.h 2005-04-07 01:51:16.000000000 +0200
4893@@ -101,9 +101,14 @@
4894 char *current_user;
4895 int current_user_length;
4896
4897- /* this is necessary for CLI module */
4898- int argc;
4899- char **argv;
4900+ /* this is necessary for CLI module */
4901+ int argc;
4902+ char **argv;
4903+
4904+#if HARDENED_PHP
4905+ /* this is necessary for IP logging */
4906+ char ip_address[64];
4907+#endif
4908 } sapi_request_info;
4909
4910
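Review bot: Adding `char ip_address[64]` to `sapi_request_info` under `#if HARDENED_PHP` changes the layout of a public struct depending on a build flag, so any SAPI or extension binary compiled against the stock php-4.3.10 headers would presumably disagree with this build about the struct's size and field offsets (the later hunk inserting `input_filter` into `sapi_module_struct` has the same effect, unconditionally). A comment stating that binary compatibility with non-hardened builds is not preserved would at least make the trade-off explicit, e.g. `/* NOTE: changes sizeof(sapi_request_info); binaries built without HARDENED_PHP are not ABI compatible */`. The struct definition starts outside this hunk.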
4911@@ -177,6 +182,7 @@
4912 SAPI_API void sapi_unregister_post_entry(sapi_post_entry *post_entry);
4913 SAPI_API int sapi_register_default_post_reader(void (*default_post_reader)(TSRMLS_D));
4914 SAPI_API int sapi_register_treat_data(void (*treat_data)(int arg, char *str, zval *destArray TSRMLS_DC));
4915+SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC));
4916
4917 SAPI_API int sapi_flush(TSRMLS_D);
4918 SAPI_API struct stat *sapi_get_stat(TSRMLS_D);
4919@@ -238,8 +244,11 @@
4920 int (*get_target_uid)(uid_t * TSRMLS_DC);
4921 int (*get_target_gid)(gid_t * TSRMLS_DC);
4922
4923+ unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC);
4924+
4925 void (*ini_defaults)(HashTable *configuration_hash);
4926 int phpinfo_as_text;
4927+
4928 };
4929
4930
4931@@ -262,16 +271,23 @@
4932
4933 #define SAPI_DEFAULT_MIMETYPE "text/html"
4934 #define SAPI_DEFAULT_CHARSET ""
4935+
4936+#if HARDENED_PHP
4937+#define SAPI_PHP_VERSION_HEADER "X-Powered-By: Hardened-PHP/" PHP_VERSION
4938+#else
4939 #define SAPI_PHP_VERSION_HEADER "X-Powered-By: PHP/" PHP_VERSION
4940+#endif
4941
4942 #define SAPI_POST_READER_FUNC(post_reader) void post_reader(TSRMLS_D)
4943 #define SAPI_POST_HANDLER_FUNC(post_handler) void post_handler(char *content_type_dup, void *arg TSRMLS_DC)
4944
4945 #define SAPI_TREAT_DATA_FUNC(treat_data) void treat_data(int arg, char *str, zval* destArray TSRMLS_DC)
4946+#define SAPI_INPUT_FILTER_FUNC(input_filter) unsigned int input_filter(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC)
4947
4948 SAPI_API SAPI_POST_READER_FUNC(sapi_read_standard_form_data);
4949 SAPI_API SAPI_POST_READER_FUNC(php_default_post_reader);
4950 SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data);
4951+SAPI_API SAPI_INPUT_FILTER_FUNC(php_default_input_filter);
4952
4953 #define STANDARD_SAPI_MODULE_PROPERTIES
4954
4955diff -Nur php-4.3.10/main/fopen_wrappers.c hardened-php-4.3.10-0.2.7/main/fopen_wrappers.c
4956--- php-4.3.10/main/fopen_wrappers.c 2004-03-16 01:32:09.000000000 +0100
4957+++ hardened-php-4.3.10-0.2.7/main/fopen_wrappers.c 2005-04-07 01:51:16.000000000 +0200
4958@@ -16,7 +16,7 @@
4959 | Jim Winstead <jimw@php.net> |
4960 +----------------------------------------------------------------------+
4961 */
4962-/* $Id: fopen_wrappers.c,v 1.153.2.9 2004/03/16 00:32:09 iliaa Exp $ */
4963+/* $Id: fopen_wrappers.c,v 1.153.2.10 2005/02/02 23:44:07 iliaa Exp $ */
4964
4965 /* {{{ includes
4966 */
4967@@ -106,24 +106,11 @@
4968 char resolved_name[MAXPATHLEN];
4969 char resolved_basedir[MAXPATHLEN];
4970 char local_open_basedir[MAXPATHLEN];
4971- int local_open_basedir_pos;
4972 int resolved_basedir_len;
4973 int resolved_name_len;
4974
4975 /* Special case basedir==".": Use script-directory */
4976- if ((strcmp(basedir, ".") == 0) &&
4977- SG(request_info).path_translated &&
4978- *SG(request_info).path_translated
4979- ) {
4980- strlcpy(local_open_basedir, SG(request_info).path_translated, sizeof(local_open_basedir));
4981- local_open_basedir_pos = strlen(local_open_basedir) - 1;
4982-
4983- /* Strip filename */
4984- while (!IS_SLASH(local_open_basedir[local_open_basedir_pos])
4985- && (local_open_basedir_pos >= 0)) {
4986- local_open_basedir[local_open_basedir_pos--] = 0;
4987- }
4988- } else {
4989+ if (strcmp(basedir, ".") || !VCWD_GETCWD(local_open_basedir, MAXPATHLEN)) {
4990 /* Else use the unmodified path */
4991 strlcpy(local_open_basedir, basedir, sizeof(local_open_basedir));
4992 }
4993@@ -179,6 +166,21 @@
4994 char *pathbuf;
4995 char *ptr;
4996 char *end;
4997+ char path_copy[MAXPATHLEN];
4998+ int path_len;
4999+
5000+ /* Special case path ends with a trailing slash */
5001+ path_len = strlen(path);
5002+ if (path_len >= MAXPATHLEN) {
5003+ errno = EPERM; /* we deny permission to open it */
5004+ return -1;
5005+ }
5006+ if (path_len > 0 && path[path_len-1] == PHP_DIR_SEPARATOR) {
5007+ memcpy(path_copy, path, path_len+1);
5008+ while (path_len > 0 && path_copy[path_len-1] == PHP_DIR_SEPARATOR) path_len--;
5009+ path_copy[path_len] = '\0';
5010+ path = (const char *)&path_copy;
5011+ }
5012
5013 pathbuf = estrdup(PG(open_basedir));
5014
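Review bot: `path = (const char *)&path_copy;` at line 5010 takes the address of the whole array (`char (*)[MAXPATHLEN]`) and casts it away; it works only because the array's address equals its first element's, and `path = path_copy;` is the intended form. `path_len` is an `int` holding a `strlen()` result, which is fine given the `>= MAXPATHLEN` rejection just above but would read more clearly as `size_t`. The enclosing function starts before and continues after this hunk.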
5015diff -Nur php-4.3.10/main/hardened_globals.h hardened-php-4.3.10-0.2.7/main/hardened_globals.h
5016--- php-4.3.10/main/hardened_globals.h 1970-01-01 01:00:00.000000000 +0100
5017+++ hardened-php-4.3.10-0.2.7/main/hardened_globals.h 2005-04-07 01:51:16.000000000 +0200
5018@@ -0,0 +1,54 @@
5019+/*
5020+ +----------------------------------------------------------------------+
5021+ | Hardened-PHP |
5022+ +----------------------------------------------------------------------+
5023+ | Copyright (c) 2004 Stefan Esser |
5024+ +----------------------------------------------------------------------+
5025+ | This source file is subject to version 2.02 of the PHP license, |
5026+ | that is bundled with this package in the file LICENSE, and is |
5027+ | available at through the world-wide-web at |
5028+ | http://www.php.net/license/2_02.txt. |
5029+ | If you did not receive a copy of the PHP license and are unable to |
5030+ | obtain it through the world-wide-web, please send a note to |
5031+ | license@php.net so we can mail you a copy immediately. |
5032+ +----------------------------------------------------------------------+
5033+ | Author: Stefan Esser <sesser@php.net> |
5034+ +----------------------------------------------------------------------+
5035+ */
5036+
5037+#ifndef HARDENED_GLOBALS_H
5038+#define HARDENED_GLOBALS_H
5039+
5040+typedef struct _hardened_globals hardened_globals_struct;
5041+
5042+#ifdef ZTS
5043+# define HG(v) TSRMG(hardened_globals_id, hardened_globals_struct *, v)
5044+extern int hardened_globals_id;
5045+#else
5046+# define HG(v) (hardened_globals.v)
5047+extern struct _hardened_globals hardened_globals;
5048+#endif
5049+
5050+
5051+struct _hardened_globals {
5052+#if HARDENED_PHP_MM_PROTECT
5053+ unsigned int canary_1;
5054+ unsigned int canary_2;
5055+#endif
5056+#if HARDENED_PHP_LL_PROTECT
5057+ unsigned int canary_3;
5058+ unsigned int canary_4;
5059+ unsigned int ll_canary_inited;
5060+#endif
5061+ unsigned int dummy;
5062+};
5063+
5064+
5065+#endif /* HARDENED_GLOBALS_H */
5066+
5067+/*
5068+ * Local variables:
5069+ * tab-width: 4
5070+ * c-basic-offset: 4
5071+ * End:
5072+ */
5073diff -Nur php-4.3.10/main/hardened_php.c hardened-php-4.3.10-0.2.7/main/hardened_php.c
5074--- php-4.3.10/main/hardened_php.c 1970-01-01 01:00:00.000000000 +0100
5075+++ hardened-php-4.3.10-0.2.7/main/hardened_php.c 2005-04-07 01:51:16.000000000 +0200
5076@@ -0,0 +1,205 @@
5077+/*
5078+ +----------------------------------------------------------------------+
5079+ | Hardened-PHP |
5080+ +----------------------------------------------------------------------+
5081+ | Copyright (c) 2004 Stefan Esser |
5082+ +----------------------------------------------------------------------+
5083+ | This source file is subject to version 2.02 of the PHP license, |
5084+ | that is bundled with this package in the file LICENSE, and is |
5085+ | available at through the world-wide-web at |
5086+ | http://www.php.net/license/2_02.txt. |
5087+ | If you did not receive a copy of the PHP license and are unable to |
5088+ | obtain it through the world-wide-web, please send a note to |
5089+ | license@php.net so we can mail you a copy immediately. |
5090+ +----------------------------------------------------------------------+
5091+ | Author: Stefan Esser <sesser@php.net> |
5092+ +----------------------------------------------------------------------+
5093+ */
5094+/* $Id: hardened_php.c,v 1.2 2004/11/21 09:38:52 ionic Exp $ */
5095+
5096+#include "php.h"
5097+
5098+#include <stdio.h>
5099+#include <stdlib.h>
5100+
5101+#if HAVE_UNISTD_H
5102+#include <unistd.h>
5103+#endif
5104+#include "SAPI.h"
5105+#include "php_globals.h"
5106+
5107+#if HARDENED_PHP
5108+
5109+#ifdef HAVE_SYS_SOCKET_H
5110+#include <sys/socket.h>
5111+#endif
5112+
5113+#if defined(PHP_WIN32) || defined(__riscos__) || defined(NETWARE)
5114+#undef AF_UNIX
5115+#endif
5116+
5117+#if defined(AF_UNIX)
5118+#include <sys/un.h>
5119+#endif
5120+
5121+#define SYSLOG_PATH "/dev/log"
5122+
5123+#include "snprintf.h"
5124+
5125+#ifdef ZTS
5126+#include "hardened_globals.h"
5127+int hardened_globals_id;
5128+#else
5129+struct _hardened_globals hardened_globals;
5130+#endif
5131+
5132+static void hardened_globals_ctor(hardened_globals_struct *hardened_globals TSRMLS_DC)
5133+{
5134+ memset(hardened_globals, 0, sizeof(*hardened_globals));
5135+}
5136+
5137+PHPAPI void hardened_startup()
5138+{
5139+#ifdef ZTS
5140+ ts_allocate_id(&hardened_globals_id, sizeof(hardened_globals_struct), (ts_allocate_ctor) hardened_globals_ctor, NULL);
5141+#else
5142+ hardened_globals_ctor(&hardened_globals TSRMLS_CC);
5143+#endif
5144+}
5145+
5146+PHPAPI void php_security_log(char *str)
5147+{
5148+#if defined(AF_UNIX)
5149+ int s, r;
5150+ struct sockaddr_un saun;
5151+ char buf[1024];
5152+ char *ip_address;
5153+ char *fname;
5154+ TSRMLS_FETCH();
5155+
5156+ ip_address = sapi_getenv("REMOTE_ADDR", 11 TSRMLS_CC);
5157+ if (ip_address == NULL) {
5158+ ip_address = "REMOTE_ADDR not set";
5159+ }
5160+
5161+ fname = sapi_getenv("SCRIPT_FILENAME", 15 TSRMLS_CC);
5162+
5163+ ap_php_snprintf(buf, 1024, "php security-alert: %s (attacker '%s', file '%s')\n", str, ip_address, fname);
5164+
5165+ s = socket(AF_UNIX, SOCK_DGRAM, 0);
5166+ if (s == -1) {
5167+ return;
5168+ }
5169+
5170+ memset(&saun, 0, sizeof(saun));
5171+ saun.sun_family = AF_UNIX;
5172+ strcpy(saun.sun_path, SYSLOG_PATH);
5173+ /*saun.sun_len = sizeof(saun);*/
5174+
5175+ r = connect(s, (struct sockaddr *)&saun, sizeof(saun));
5176+ if (r) {
5177+ close(s);
5178+ s = socket(AF_UNIX, SOCK_STREAM, 0);
5179+ if (s == -1) {
5180+ return;
5181+ }
5182+
5183+ memset(&saun, 0, sizeof(saun));
5184+ saun.sun_family = AF_UNIX;
5185+ strcpy(saun.sun_path, SYSLOG_PATH);
5186+ /*saun.sun_len = sizeof(saun);*/
5187+
5188+ r = connect(s, (struct sockaddr *)&saun, sizeof(saun));
5189+ if (r) {
5190+ close(s);
5191+ return;
5192+ }
5193+ }
5194+ send(s, buf, strlen(buf), 0);
5195+
5196+ close(s);
5197+#endif
5198+}
5199+#endif
5200+
5201+#if HARDENED_PHP_MM_PROTECT || HARDENED_PHP_LL_PROTECT || HARDENED_PHP_HASH_PROTECT
5202+
5203+/* will be replaced later with more compatible method */
5204+PHPAPI unsigned int php_canary()
5205+{
5206+ time_t t;
5207+ unsigned int canary;
5208+ int fd;
5209+
5210+ fd = open("/dev/urandom", 0);
5211+ if (fd != -1) {
5212+ int r = read(fd, &canary, sizeof(canary));
5213+ close(fd);
5214+ if (r == sizeof(canary)) {
5215+ return (canary);
5216+ }
5217+ }
5218+ /* not good but we never want to do this */
5219+ time(&t);
5220+ canary = *(unsigned int *)&t + getpid() << 16;
5221+ return (canary);
5222+}
5223+#endif
5224+
5225+#if HARDENED_PHP_INC_PROTECT
5226+
5227+PHPAPI int php_is_valid_include(zval *z)
5228+{
5229+ char *filename;
5230+ int len;
5231+ TSRMLS_FETCH();
5232+
5233+ /* must be of type string */
5234+ if (z->type != IS_STRING || z->value.str.val == NULL) {
5235+ return (0);
5236+ }
5237+
5238+ /* short cut */
5239+ filename = z->value.str.val;
5240+ len = z->value.str.len;
5241+
5242+ /* 1. must be shorter than MAXPATHLEN */
5243+ if (len > MAXPATHLEN) {
5244+ php_security_log("Include filename longer than MAXPATHLEN chars");
5245+ return (0);
5246+ }
5247+
5248+ /* 2. must not be cutted */
5249+ if (len != strlen(filename)) {
5250+ php_security_log("Include filename has a \\0 cut");
5251+ return (0);
5252+ }
5253+
5254+ /* 3. must not be a URL */
5255+ if (strstr(filename, "://")) {
5256+ php_security_log("Include filename is an URL");
5257+ return (0);
5258+ }
5259+
5260+ /* 4. must not be an uploaded file */
5261+ if (SG(rfc1867_uploaded_files)) {
5262+ if (zend_hash_exists(SG(rfc1867_uploaded_files), (char *) filename, len+1)) {
5263+ php_security_log("Include filename is an uploaded file");
5264+ return (0);
5265+ }
5266+ }
5267+
5268+ /* passed all tests */
5269+ return (1);
5270+}
5271+
5272+#endif
5273+
5274+/*
5275+ * Local variables:
5276+ * tab-width: 4
5277+ * c-basic-offset: 4
5278+ * End:
5279+ * vim600: sw=4 ts=4 fdm=marker
5280+ * vim<600: sw=4 ts=4
5281+ */
5282diff -Nur php-4.3.10/main/hardened_php.h hardened-php-4.3.10-0.2.7/main/hardened_php.h
5283--- php-4.3.10/main/hardened_php.h 1970-01-01 01:00:00.000000000 +0100
5284+++ hardened-php-4.3.10-0.2.7/main/hardened_php.h 2005-04-07 01:51:16.000000000 +0200
5285@@ -0,0 +1,45 @@
5286+/*
5287+ +----------------------------------------------------------------------+
5288+ | Hardened-PHP |
5289+ +----------------------------------------------------------------------+
5290+ | Copyright (c) 2004 Stefan Esser |
5291+ +----------------------------------------------------------------------+
5292+ | This source file is subject to version 2.02 of the PHP license, |
5293+ | that is bundled with this package in the file LICENSE, and is |
5294+ | available at through the world-wide-web at |
5295+ | http://www.php.net/license/2_02.txt. |
5296+ | If you did not receive a copy of the PHP license and are unable to |
5297+ | obtain it through the world-wide-web, please send a note to |
5298+ | license@php.net so we can mail you a copy immediately. |
5299+ +----------------------------------------------------------------------+
5300+ | Author: Stefan Esser <sesser@php.net> |
5301+ +----------------------------------------------------------------------+
5302+ */
5303+
5304+#ifndef HARDENED_PHP_H
5305+#define HARDENED_PHP_H
5306+
5307+#include "zend.h"
5308+
5309+#if HARDENED_PHP
5310+PHPAPI void php_security_log(char *str);
5311+PHPAPI void hardened_startup();
5312+#define HARDENED_PHP_VERSION "0.2.7"
5313+#endif
5314+
5315+#if HARDENED_PHP_MM_PROTECT || HARDENED_PHP_LL_PROTECT || HARDENED_PHP_HASH_PROTECT
5316+PHPAPI unsigned int php_canary();
5317+#endif
5318+
5319+#if HARDENED_PHP_INC_PROTECT
5320+PHPAPI int php_is_valid_include(zval *z);
5321+#endif
5322+
5323+#endif /* HARDENED_PHP_H */
5324+
5325+/*
5326+ * Local variables:
5327+ * tab-width: 4
5328+ * c-basic-offset: 4
5329+ * End:
5330+ */
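Review bot: `hardened_startup()` and `php_canary()` are declared with empty parentheses, which in C before C23 is a declaration with unspecified arguments rather than a prototype, so a call with stray arguments compiles silently; declare them as `PHPAPI void hardened_startup(void);` and `PHPAPI unsigned int php_canary(void);`. `php_security_log(char *str)` is only ever handed string literals by the callers visible in this patch (the include checks, the memory_limit handler, the `%n` handlers), so `PHPAPI void php_security_log(const char *str);` would document that the message is never modified. Each prototype would also benefit from a one-line comment stating what it does and under which build option it exists; the header currently has none.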
5331diff -Nur php-4.3.10/main/hardened_php.m4 hardened-php-4.3.10-0.2.7/main/hardened_php.m4
5332--- php-4.3.10/main/hardened_php.m4 1970-01-01 01:00:00.000000000 +0100
5333+++ hardened-php-4.3.10-0.2.7/main/hardened_php.m4 2005-04-07 01:51:16.000000000 +0200
5334@@ -0,0 +1,95 @@
5335+dnl
5336+dnl $Id: hardened_php.m4,v 1.1 2004/11/14 13:24:24 ionic Exp $
5337+dnl
5338+dnl This file contains Hardened-PHP specific autoconf functions.
5339+dnl
5340+
5341+AC_ARG_ENABLE(hardened-php-mm-protect,
5342+[ --disable-hardened-php-mm-protect Disable the Memory Manager protection.],[
5343+ DO_HARDENED_PHP_MM_PROTECT=$enableval
5344+],[
5345+ DO_HARDENED_PHP_MM_PROTECT=yes
5346+])
5347+
5348+AC_ARG_ENABLE(hardened-php-ll-protect,
5349+[ --disable-hardened-php-ll-protect Disable the Linked List protection.],[
5350+ DO_HARDENED_PHP_LL_PROTECT=$enableval
5351+],[
5352+ DO_HARDENED_PHP_LL_PROTECT=yes
5353+])
5354+
5355+AC_ARG_ENABLE(hardened-php-inc-protect,
5356+[ --disable-hardened-php-inc-protect Disable include/require protection.],[
5357+ DO_HARDENED_PHP_INC_PROTECT=$enableval
5358+],[
5359+ DO_HARDENED_PHP_INC_PROTECT=yes
5360+])
5361+
5362+AC_ARG_ENABLE(hardened-php-fmt-protect,
5363+[ --disable-hardened-php-fmt-protect Disable format string protection.],[
5364+ DO_HARDENED_PHP_FMT_PROTECT=$enableval
5365+],[
5366+ DO_HARDENED_PHP_FMT_PROTECT=yes
5367+])
5368+
5369+AC_ARG_ENABLE(hardened-php-hash-protect,
5370+[ --disable-hardened-php-hash-protect Disable HashTable destructor protection.],[
5371+ DO_HARDENED_PHP_HASH_PROTECT=$enableval
5372+],[
5373+ DO_HARDENED_PHP_HASH_PROTECT=yes
5374+])
5375+
5376+AC_MSG_CHECKING(whether to protect the Zend Memory Manager)
5377+AC_MSG_RESULT($DO_HARDENED_PHP_MM_PROTECT)
5378+
5379+AC_MSG_CHECKING(whether to protect the Zend Linked Lists)
5380+AC_MSG_RESULT($DO_HARDENED_PHP_LL_PROTECT)
5381+
5382+AC_MSG_CHECKING(whether to protect include/require statements)
5383+AC_MSG_RESULT($DO_HARDENED_PHP_INC_PROTECT)
5384+
5385+AC_MSG_CHECKING(whether to protect PHP Format String functions)
5386+AC_MSG_RESULT($DO_HARDENED_PHP_FMT_PROTECT)
5387+
5388+AC_MSG_CHECKING(whether to protect the destructor of Zend HashTables)
5389+AC_MSG_RESULT($DO_HARDENED_PHP_HASH_PROTECT)
5390+
5391+
5392+AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
5393+
5394+
5395+if test "$DO_HARDENED_PHP_MM_PROTECT" = "yes"; then
5396+dnl AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
5397+ AC_DEFINE(HARDENED_PHP_MM_PROTECT, 1, [Memory Manager Protection])
5398+else
5399+ AC_DEFINE(HARDENED_PHP_MM_PROTECT, 0, [Memory Manager Protection])
5400+fi
5401+
5402+if test "$DO_HARDENED_PHP_LL_PROTECT" = "yes"; then
5403+dnl AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
5404+ AC_DEFINE(HARDENED_PHP_LL_PROTECT, 1, [Linked List Protection])
5405+else
5406+ AC_DEFINE(HARDENED_PHP_LL_PROTECT, 0, [Linked List Protection])
5407+fi
5408+
5409+if test "$DO_HARDENED_PHP_INC_PROTECT" = "yes"; then
5410+dnl AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
5411+ AC_DEFINE(HARDENED_PHP_INC_PROTECT, 1, [Include/Require Protection])
5412+else
5413+ AC_DEFINE(HARDENED_PHP_INC_PROTECT, 0, [Include/Require Protection])
5414+fi
5415+
5416+if test "$DO_HARDENED_PHP_FMT_PROTECT" = "yes"; then
5417+dnl AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
5418+ AC_DEFINE(HARDENED_PHP_FMT_PROTECT, 1, [Fmt String Protection])
5419+else
5420+ AC_DEFINE(HARDENED_PHP_FMT_PROTECT, 0, [Fmt String Protection])
5421+fi
5422+
5423+if test "$DO_HARDENED_PHP_HASH_PROTECT" = "yes"; then
5424+dnl AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
5425+ AC_DEFINE(HARDENED_PHP_HASH_PROTECT, 1, [HashTable DTOR Protection])
5426+else
5427+ AC_DEFINE(HARDENED_PHP_HASH_PROTECT, 0, [HashTable DTOR Protection])
5428+fi
5429+
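Review bot: The five `dnl AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])` lines inside the `if` branches are commented-out leftovers of the unconditional `AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])` a few lines above and should be deleted. Since HARDENED_PHP is always defined, the `--disable-hardened-php-*` options only switch off individual protections; a `dnl` comment at the top of the file saying that the patch cannot be built with Hardened-PHP disabled as a whole would save the next reader from looking for such an option.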
5430diff -Nur php-4.3.10/main/main.c hardened-php-4.3.10-0.2.7/main/main.c
5431--- php-4.3.10/main/main.c 2004-10-01 16:27:13.000000000 +0200
5432+++ hardened-php-4.3.10-0.2.7/main/main.c 2005-04-07 01:51:16.000000000 +0200
5433@@ -100,6 +100,10 @@
5434 PHPAPI int core_globals_id;
5435 #endif
5436
5437+#if HARDENED_PHP
5438+#include "hardened_globals.h"
5439+#endif
5440+
5441 #define ERROR_BUF_LEN 1024
5442
5443 typedef struct {
5444@@ -150,10 +154,33 @@
5445 */
5446 static PHP_INI_MH(OnChangeMemoryLimit)
5447 {
5448+#if HARDENED_PHP
5449+ long orig_memory_limit;
5450+
5451+ if (entry->modified) {
5452+ orig_memory_limit = zend_atoi(entry->orig_value, entry->orig_value_length);
5453+ } else {
5454+ orig_memory_limit = 1<<30;
5455+ }
5456+ if (orig_memory_limit < 0 || orig_memory_limit > (1<<30)) {
5457+ orig_memory_limit = 1<<30;
5458+ }
5459+#endif
5460 if (new_value) {
5461 PG(memory_limit) = zend_atoi(new_value, new_value_length);
5462+#if HARDENED_PHP
5463+ if (PG(memory_limit) > orig_memory_limit) {
5464+ PG(memory_limit) = orig_memory_limit;
5465+ php_security_log("script tried to increase memory_limit above allowed value");
5466+ return FAILURE;
5467+ }
5468+#endif
5469 } else {
5470+#if HARDENED_PHP
5471+ PG(memory_limit) = orig_memory_limit;
5472+#else
5473 PG(memory_limit) = 1<<30; /* effectively, no limit */
5474+#endif
5475 }
5476 return zend_set_memory_limit(PG(memory_limit));
5477 }
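Review bot: The cap in OnChangeMemoryLimit is derived from `entry->orig_value` only when `entry->modified` is set and otherwise falls back to `1<<30`; in stock 4.3.10 zend_alter_ini_entry invokes on_modify before it sets `modified`, and no hunk visible here changes that, so the first `ini_set('memory_limit', ...)` in a request appears to be checked against the 1<<30 fallback rather than the configured value, and a script that raises the limit exactly once would not be stopped. The value to cap against on that first runtime change is the entry's current `entry->value`/`entry->value_length`, and the check should probably be restricted to `stage == ZEND_INI_STAGE_RUNTIME` so that php.ini and per-directory configuration can still set the limit above the built-in default. Please also add a comment above the `#if HARDENED_PHP` block stating that the intent is to forbid runtime increases of memory_limit beyond the administrator's setting, since the code does not say so.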
5478@@ -1091,6 +1118,10 @@
5479 tsrm_ls = ts_resource(0);
5480 #endif
5481
5482+#if HARDENED_PHP
5483+ hardened_startup();
5484+#endif
5485+
5486 sapi_initialize_empty_request(TSRMLS_C);
5487 sapi_activate(TSRMLS_C);
5488
5489@@ -1103,6 +1134,12 @@
5490 php_output_startup();
5491 php_output_activate(TSRMLS_C);
5492
5493+#if HARDENED_PHP_INC_PROTECT
5494+ zuf.is_valid_include = php_is_valid_include;
5495+#endif
5496+#if HARDENED_PHP
5497+ zuf.security_log_function = php_security_log;
5498+#endif
5499 zuf.error_function = php_error_cb;
5500 zuf.printf_function = php_printf;
5501 zuf.write_function = php_body_write_wrapper;
5502@@ -1204,6 +1241,10 @@
5503 REGISTER_MAIN_STRINGL_CONSTANT("PHP_CONFIG_FILE_PATH", PHP_CONFIG_FILE_PATH, sizeof(PHP_CONFIG_FILE_PATH)-1, CONST_PERSISTENT | CONST_CS);
5504 REGISTER_MAIN_STRINGL_CONSTANT("PHP_CONFIG_FILE_SCAN_DIR", PHP_CONFIG_FILE_SCAN_DIR, sizeof(PHP_CONFIG_FILE_SCAN_DIR)-1, CONST_PERSISTENT | CONST_CS);
5505 REGISTER_MAIN_STRINGL_CONSTANT("PHP_SHLIB_SUFFIX", PHP_SHLIB_SUFFIX, sizeof(PHP_SHLIB_SUFFIX)-1, CONST_PERSISTENT | CONST_CS);
5506+#if HARDENED_PHP
5507+ REGISTER_MAIN_LONG_CONSTANT("HARDENED_PHP", 1, CONST_PERSISTENT | CONST_CS);
5508+ REGISTER_MAIN_STRINGL_CONSTANT("HARDENED_PHP_VERSION", HARDENED_PHP_VERSION, sizeof(HARDENED_PHP_VERSION)-1, CONST_PERSISTENT | CONST_CS);
5509+#endif
5510 REGISTER_MAIN_STRINGL_CONSTANT("PHP_EOL", PHP_EOL, sizeof(PHP_EOL)-1, CONST_PERSISTENT | CONST_CS);
5511 php_output_register_constants(TSRMLS_C);
5512 php_rfc1867_register_constants(TSRMLS_C);
5513@@ -1339,6 +1380,7 @@
5514 ulong num_key;
5515 HashPosition pos;
5516 int key_type;
5517+ int globals_check = (PG(register_globals) && (dest == (&EG(symbol_table))));
5518
5519 zend_hash_internal_pointer_reset_ex(src, &pos);
5520 while (zend_hash_get_current_data_ex(src, (void **)&src_entry, &pos) == SUCCESS) {
5521@@ -1349,7 +1391,12 @@
5522 || Z_TYPE_PP(dest_entry) != IS_ARRAY) {
5523 (*src_entry)->refcount++;
5524 if (key_type == HASH_KEY_IS_STRING) {
5525- zend_hash_update(dest, string_key, strlen(string_key)+1, src_entry, sizeof(zval *), NULL);
5526+ /* if register_globals is on and working with main symbol table, prevent overwriting of GLOBALS */
5527+ if (!globals_check || string_key_len != sizeof("GLOBALS") || memcmp(string_key, "GLOBALS", sizeof("GLOBALS") - 1)) {
5528+ zend_hash_update(dest, string_key, string_key_len, src_entry, sizeof(zval *), NULL);
5529+ } else {
5530+ (*src_entry)->refcount--;
5531+ }
5532 } else {
5533 zend_hash_index_update(dest, num_key, src_entry, sizeof(zval *), NULL);
5534 }
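Review bot: The GLOBALS overwrite guard drops the offending entry silently (the `refcount--` branch), whereas every other Hardened-PHP check in this patch reports through `php_security_log`; for consistency, and so that operators can see the attempt, log it in that branch, e.g. `php_security_log("attempt to overwrite GLOBALS via register_globals");`. Note that `php_security_log` is declared only under `#if HARDENED_PHP` in hardened_php.h while this hunk is unconditional, so the call would need the same guard. The enclosing merge function starts and ends outside the hunk.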
5535diff -Nur php-4.3.10/main/php.h hardened-php-4.3.10-0.2.7/main/php.h
5536--- php-4.3.10/main/php.h 2004-11-28 13:44:56.000000000 +0100
5537+++ hardened-php-4.3.10-0.2.7/main/php.h 2005-04-07 01:51:16.000000000 +0200
5538@@ -35,11 +35,19 @@
5539 #include "zend_qsort.h"
5540 #include "php_compat.h"
5541
5542+
5543 #include "zend_API.h"
5544
5545 #undef sprintf
5546 #define sprintf php_sprintf
5547
5548+#if HARDENED_PHP
5549+#if HAVE_REALPATH
5550+#undef realpath
5551+#define realpath php_realpath
5552+#endif
5553+#endif
5554+
5555 /* PHP's DEBUG value must match Zend's ZEND_DEBUG value */
5556 #undef PHP_DEBUG
5557 #define PHP_DEBUG ZEND_DEBUG
5558@@ -436,6 +444,10 @@
5559 #endif
5560 #endif /* !XtOffsetOf */
5561
5562+#if HARDENED_PHP
5563+#include "hardened_php.h"
5564+#endif
5565+
5566 #endif
5567
5568 /*
5569diff -Nur php-4.3.10/main/php_config.h.in hardened-php-4.3.10-0.2.7/main/php_config.h.in
5570--- php-4.3.10/main/php_config.h.in 2004-12-14 18:55:22.000000000 +0100
5571+++ hardened-php-4.3.10-0.2.7/main/php_config.h.in 2005-04-07 01:51:16.000000000 +0200
5572@@ -834,6 +834,39 @@
5573 /* Enabling BIND8 compatibility for Panther */
5574 #undef BIND_8_COMPAT
5575
5576+/* Hardened-PHP */
5577+#undef HARDENED_PHP
5578+
5579+/* Memory Manager Protection */
5580+#undef HARDENED_PHP_MM_PROTECT
5581+
5582+/* Memory Manager Protection */
5583+#undef HARDENED_PHP_MM_PROTECT
5584+
5585+/* Linked List Protection */
5586+#undef HARDENED_PHP_LL_PROTECT
5587+
5588+/* Linked List Protection */
5589+#undef HARDENED_PHP_LL_PROTECT
5590+
5591+/* Include/Require Protection */
5592+#undef HARDENED_PHP_INC_PROTECT
5593+
5594+/* Include/Require Protection */
5595+#undef HARDENED_PHP_INC_PROTECT
5596+
5597+/* Fmt String Protection */
5598+#undef HARDENED_PHP_FMT_PROTECT
5599+
5600+/* Fmt String Protection */
5601+#undef HARDENED_PHP_FMT_PROTECT
5602+
5603+/* HashTable DTOR Protection */
5604+#undef HARDENED_PHP_HASH_PROTECT
5605+
5606+/* HashTable DTOR Protection */
5607+#undef HARDENED_PHP_HASH_PROTECT
5608+
5609 /* Whether you have AOLserver */
5610 #undef HAVE_AOLSERVER
5611
5612@@ -1117,6 +1150,12 @@
5613 /* Define if you have the getaddrinfo function */
5614 #undef HAVE_GETADDRINFO
5615
5616+/* Whether realpath is broken */
5617+#undef PHP_BROKEN_REALPATH
5618+
5619+/* Whether realpath is broken */
5620+#undef PHP_BROKEN_REALPATH
5621+
5622 /* Whether system headers declare timezone */
5623 #undef HAVE_DECLARED_TIMEZONE
5624
5625diff -Nur php-4.3.10/main/php_content_types.c hardened-php-4.3.10-0.2.7/main/php_content_types.c
5626--- php-4.3.10/main/php_content_types.c 2002-12-31 17:26:14.000000000 +0100
5627+++ hardened-php-4.3.10-0.2.7/main/php_content_types.c 2005-04-07 01:51:16.000000000 +0200
5628@@ -77,6 +77,7 @@
5629 sapi_register_post_entries(php_post_entries);
5630 sapi_register_default_post_reader(php_default_post_reader);
5631 sapi_register_treat_data(php_default_treat_data);
5632+ sapi_register_input_filter(php_default_input_filter);
5633 return SUCCESS;
5634 }
5635 /* }}} */
5636diff -Nur php-4.3.10/main/php_variables.c hardened-php-4.3.10-0.2.7/main/php_variables.c
5637--- php-4.3.10/main/php_variables.c 2004-10-18 17:08:46.000000000 +0200
5638+++ hardened-php-4.3.10-0.2.7/main/php_variables.c 2005-04-07 01:51:16.000000000 +0200
5639@@ -211,17 +211,28 @@
5640 while (var) {
5641 val = strchr(var, '=');
5642 if (val) { /* have a value */
5643- int val_len;
5644+ unsigned int val_len, new_val_len;
5645
5646 *val++ = '\0';
5647 php_url_decode(var, strlen(var));
5648 val_len = php_url_decode(val, strlen(val));
5649- php_register_variable_safe(var, val, val_len, array_ptr TSRMLS_CC);
5650+ val = estrndup(val, val_len);
5651+ if (sapi_module.input_filter(PARSE_POST, var, &val, val_len, &new_val_len TSRMLS_CC)) {
5652+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
5653+ }
5654+ efree(val);
5655 }
5656 var = php_strtok_r(NULL, "&", &strtok_buf);
5657 }
5658 }
5659
5660+SAPI_API SAPI_INPUT_FILTER_FUNC(php_default_input_filter)
5661+{
5662+ /* TODO: check .ini setting here and apply user-defined input filter */
5663+ *new_val_len = val_len;
5664+ return 1;
5665+}
5666+
5667 SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data)
5668 {
5669 char *res = NULL, *var, *val, *separator=NULL;
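Review bot: `php_default_input_filter` carries only a TODO and does not state the contract its replacements must honour, which the call sites in this hunk define: the caller hands over an `estrndup`'d copy via `&val`, so a filter may swap in a different emalloc()'d buffer, it must set `*new_val_len` whatever it returns, and returning 0 drops the variable while the caller still `efree`s `val`. A header comment such as `/* Default SAPI input filter: registers every variable unchanged. Replacements may replace *val with another emalloc()'d buffer (the caller frees it), must always set *new_val_len, and return 0 to drop the variable. */` would make that explicit. A similar calling pattern repeats in the treat_data hunk below (both branches) and in rfc1867.c, so this function is the one place to document it.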
5670@@ -299,15 +310,26 @@
5671 while (var) {
5672 val = strchr(var, '=');
5673 if (val) { /* have a value */
5674- int val_len;
5675+ unsigned int val_len, new_val_len;
5676
5677 *val++ = '\0';
5678 php_url_decode(var, strlen(var));
5679 val_len = php_url_decode(val, strlen(val));
5680- php_register_variable_safe(var, val, val_len, array_ptr TSRMLS_CC);
5681+ val = estrndup(val, val_len);
5682+ if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len TSRMLS_CC)) {
5683+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
5684+ }
5685+ efree(val);
5686 } else {
5687+ unsigned int val_len, new_val_len;
5688+
5689 php_url_decode(var, strlen(var));
5690- php_register_variable_safe(var, "", 0, array_ptr TSRMLS_CC);
5691+ val_len = 0;
5692+ val = estrndup("", 0);
5693+ if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len TSRMLS_CC)) {
5694+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
5695+ }
5696+ efree(val);
5697 }
5698 var = php_strtok_r(NULL, separator, &strtok_buf);
5699 }
5700diff -Nur php-4.3.10/main/rfc1867.c hardened-php-4.3.10-0.2.7/main/rfc1867.c
5701--- php-4.3.10/main/rfc1867.c 2004-11-20 21:16:44.000000000 +0100
5702+++ hardened-php-4.3.10-0.2.7/main/rfc1867.c 2005-04-07 01:51:16.000000000 +0200
5703@@ -891,21 +891,24 @@
5704 if (!filename && param) {
5705
5706 char *value = multipart_buffer_read_body(mbuff TSRMLS_CC);
5707+ unsigned int new_val_len; /* Dummy variable */
5708
5709 if (!value) {
5710 value = estrdup("");
5711 }
5712
5713+ if (sapi_module.input_filter(PARSE_POST, param, &value, strlen(value), &new_val_len TSRMLS_CC)) {
5714 #if HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING)
5715- if (php_mb_encoding_translation(TSRMLS_C)) {
5716- php_mb_gpc_stack_variable(param, value, &val_list, &len_list,
5717- &num_vars, &num_vars_max TSRMLS_CC);
5718- } else {
5719- safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
5720- }
5721+ if (php_mb_encoding_translation(TSRMLS_C)) {
5722+ php_mb_gpc_stack_variable(param, value, &val_list, &len_list,
5723+ &num_vars, &num_vars_max TSRMLS_CC);
5724+ } else {
5725+ safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
5726+ }
5727 #else
5728- safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
5729+ safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
5730 #endif
5731+ }
5732 if (!strcasecmp(param, "MAX_FILE_SIZE")) {
5733 max_file_size = atol(value);
5734 }
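Review bot: `new_val_len` is explicitly discarded (the "Dummy variable" comment) and the `MAX_FILE_SIZE` lookup at the end of the hunk runs whether or not the filter accepted the variable, so a filter that shortens or rejects a value has no effect on either the registered C string or on `max_file_size`. If the filter's verdict is meant to be honoured here, move the `if (!strcasecmp(param, "MAX_FILE_SIZE"))` block inside the `if (sapi_module.input_filter(...))` body; if it is deliberately ignored, replace "Dummy variable" with a comment saying why the filtered length and result do not apply to multipart fields. The enclosing function starts and ends outside the hunk.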
5735diff -Nur php-4.3.10/main/snprintf.c hardened-php-4.3.10-0.2.7/main/snprintf.c
5736--- php-4.3.10/main/snprintf.c 2004-11-16 00:27:26.000000000 +0100
5737+++ hardened-php-4.3.10-0.2.7/main/snprintf.c 2005-04-07 01:51:16.000000000 +0200
5738@@ -850,7 +850,11 @@
5739
5740
5741 case 'n':
5742+#if HARDENED_PHP_FMT_PROTECT
5743+ php_security_log("'n' specifier within format string");
5744+#else
5745 *(va_arg(ap, int *)) = cc;
5746+#endif
5747 break;
5748
5749 /*
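Review bot: Under HARDENED_PHP_FMT_PROTECT the `'n'` case logs and breaks without consuming its `int *` argument, so any conversion that follows a `%n` in the same format now reads the wrong variadic slot; keep the argument walk aligned by adding `(void) va_arg(ap, int *);` after the `php_security_log` call, neutralising the write but not the argument. The same applies to the identical hunk in main/spprintf.c. The enclosing conversion loop starts and ends outside the hunk.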
5750diff -Nur php-4.3.10/main/spprintf.c hardened-php-4.3.10-0.2.7/main/spprintf.c
5751--- php-4.3.10/main/spprintf.c 2003-09-29 03:09:36.000000000 +0200
5752+++ hardened-php-4.3.10-0.2.7/main/spprintf.c 2005-04-07 01:51:16.000000000 +0200
5753@@ -531,7 +531,11 @@
5754
5755
5756 case 'n':
5757+#if HARDENED_PHP_FMT_PROTECT
5758+ php_security_log("'n' specifier within format string");
5759+#else
5760 *(va_arg(ap, int *)) = cc;
5761+#endif
5762 break;
5763
5764 /*
5765diff -Nur php-4.3.10/php.ini-dist hardened-php-4.3.10-0.2.7/php.ini-dist
5766--- php-4.3.10/php.ini-dist 2004-08-18 07:05:23.000000000 +0200
5767+++ hardened-php-4.3.10-0.2.7/php.ini-dist 2005-04-07 01:51:16.000000000 +0200
5768@@ -1113,6 +1113,23 @@
5769 ;exif.decode_jis_motorola = JIS
5770 ;exif.decode_jis_intel = JIS
5771
5772+[varfilter]
5773+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5774+; Hardened-PHP's variable filter
5775+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5776+
5777+; Maximum number of input variables per request
5778+varfilter.max_request_variables = 200
5779+
5780+; Maximum characters in input variable names
5781+varfilter.max_varname_length = 64
5782+
5783+; Maximum length of input variable values
5784+varfilter.max_value_length = 10000
5785+
5786+; Maximum depth of input variable arrays
5787+varfilter.max_array_depth = 100
5788+
5789 ; Local Variables:
5790 ; tab-width: 4
5791 ; End:
5792diff -Nur php-4.3.10/php.ini-recommended hardened-php-4.3.10-0.2.7/php.ini-recommended
5793--- php-4.3.10/php.ini-recommended 2004-08-18 07:05:23.000000000 +0200
5794+++ hardened-php-4.3.10-0.2.7/php.ini-recommended 2005-04-07 01:51:16.000000000 +0200
5795@@ -1111,6 +1111,23 @@
5796 ;exif.decode_jis_motorola = JIS
5797 ;exif.decode_jis_intel = JIS
5798
5799+[varfilter]
5800+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5801+; Hardened-PHP's variable filter
5802+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5803+
5804+; Maximum number of input variables per request
5805+varfilter.max_request_variables = 200
5806+
5807+; Maximum characters in input variable names
5808+varfilter.max_varname_length = 64
5809+
5810+; Maximum length of input variable values
5811+varfilter.max_value_length = 10000
5812+
5813+; Maximum depth of input variable arrays
5814+varfilter.max_array_depth = 100
5815+
5816 ; Local Variables:
5817 ; tab-width: 4
5818 ; End:
5819diff -Nur php-4.3.10/sapi/apache/mod_php4.c hardened-php-4.3.10-0.2.7/sapi/apache/mod_php4.c
5820--- php-4.3.10/sapi/apache/mod_php4.c 2004-07-21 18:25:28.000000000 +0200
5821+++ hardened-php-4.3.10-0.2.7/sapi/apache/mod_php4.c 2005-04-07 01:51:16.000000000 +0200
5822@@ -446,7 +446,7 @@
5823 sapi_apache_get_fd,
5824 sapi_apache_force_http_10,
5825 sapi_apache_get_target_uid,
5826- sapi_apache_get_target_gid
5827+ sapi_apache_get_target_gid,
5828 };
5829 /* }}} */
5830
5831@@ -892,7 +892,11 @@
5832 {
5833 TSRMLS_FETCH();
5834 if (PG(expose_php)) {
5835+#if HARDENED_PHP
5836+ ap_add_version_component("Hardened-PHP/" PHP_VERSION);
5837+#else
5838 ap_add_version_component("PHP/" PHP_VERSION);
5839+#endif
5840 }
5841 }
5842 #endif
5843diff -Nur php-4.3.10/sapi/apache2filter/sapi_apache2.c hardened-php-4.3.10-0.2.7/sapi/apache2filter/sapi_apache2.c
5844--- php-4.3.10/sapi/apache2filter/sapi_apache2.c 2004-06-18 02:37:02.000000000 +0200
5845+++ hardened-php-4.3.10-0.2.7/sapi/apache2filter/sapi_apache2.c 2005-04-07 01:51:16.000000000 +0200
5846@@ -560,7 +560,11 @@
5847 {
5848 TSRMLS_FETCH();
5849 if (PG(expose_php)) {
5850+#if HARDENED_PHP
5851+ ap_add_version_component(p, "Hardened-PHP/" PHP_VERSION);
5852+#else
5853 ap_add_version_component(p, "PHP/" PHP_VERSION);
5854+#endif
5855 }
5856 }
5857
5858diff -Nur php-4.3.10/sapi/apache2handler/sapi_apache2.c hardened-php-4.3.10-0.2.7/sapi/apache2handler/sapi_apache2.c
5859--- php-4.3.10/sapi/apache2handler/sapi_apache2.c 2004-12-06 19:55:16.000000000 +0100
5860+++ hardened-php-4.3.10-0.2.7/sapi/apache2handler/sapi_apache2.c 2005-04-07 01:51:16.000000000 +0200
5861@@ -337,7 +337,11 @@
5862 {
5863 TSRMLS_FETCH();
5864 if (PG(expose_php)) {
5865+#if HARDENED_PHP
5866+ ap_add_version_component(p, "Hardened-PHP/" PHP_VERSION);
5867+#else
5868 ap_add_version_component(p, "PHP/" PHP_VERSION);
5869+#endif
5870 }
5871 }
5872
5873diff -Nur php-4.3.10/sapi/cgi/cgi_main.c hardened-php-4.3.10-0.2.7/sapi/cgi/cgi_main.c
5874--- php-4.3.10/sapi/cgi/cgi_main.c 2004-07-15 00:38:18.000000000 +0200
5875+++ hardened-php-4.3.10-0.2.7/sapi/cgi/cgi_main.c 2005-04-07 01:51:16.000000000 +0200
5876@@ -1426,11 +1426,19 @@
5877 SG(headers_sent) = 1;
5878 SG(request_info).no_headers = 1;
5879 }
5880+#if HARDENED_PHP
5881+#if ZEND_DEBUG
5882+ php_printf("Hardened-PHP %s/%s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENED_PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
5883+#else
5884+ php_printf("Hardened-PHP %s/%s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENED_PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
5885+#endif
5886+#else
5887 #if ZEND_DEBUG
5888 php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
5889 #else
5890 php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
5891 #endif
5892+#endif
5893 php_end_ob_buffers(1 TSRMLS_CC);
5894 exit(1);
5895 break;
5896diff -Nur php-4.3.10/sapi/cli/php_cli.c hardened-php-4.3.10-0.2.7/sapi/cli/php_cli.c
5897--- php-4.3.10/sapi/cli/php_cli.c 2004-07-15 00:38:18.000000000 +0200
5898+++ hardened-php-4.3.10-0.2.7/sapi/cli/php_cli.c 2005-04-07 01:51:16.000000000 +0200
5899@@ -646,11 +646,19 @@
5900 if (php_request_startup(TSRMLS_C)==FAILURE) {
5901 goto err;
5902 }
5903+#if HARDENED_PHP
5904+#if ZEND_DEBUG
5905+ php_printf("Hardened-PHP %s/%s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENED_PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
5906+#else
5907+ php_printf("Hardened-PHP %s/%s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENED_PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
5908+#endif
5909+#else
5910 #if ZEND_DEBUG
5911 php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
5912 #else
5913 php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
5914 #endif
5915+#endif
5916 php_end_ob_buffers(1 TSRMLS_CC);
5917 exit_status=1;
5918 goto out;