authorjvoisin2019-10-13 12:35:52 +0200
committerjvoisin2019-10-13 12:35:52 +0200
commit7ce0f98b0be3ad15a664e506dff461cf6d633a69 (patch)
tree1aae4c7d8fa8ac62609824629db9ba46add728cc /0.2.7/hardened-php-4.3.11-0.2.7.patch
parentd24fe97bf9a1614acf4e7431d17b762a73642e15 (diff)
Add more patches
Diffstat (limited to '0.2.7/hardened-php-4.3.11-0.2.7.patch')
-rw-r--r--0.2.7/hardened-php-4.3.11-0.2.7.patch3417
1 files changed, 3417 insertions, 0 deletions
diff --git a/0.2.7/hardened-php-4.3.11-0.2.7.patch b/0.2.7/hardened-php-4.3.11-0.2.7.patch
new file mode 100644
index 0000000..d91abe4
--- /dev/null
+++ b/0.2.7/hardened-php-4.3.11-0.2.7.patch
@@ -0,0 +1,3417 @@
1diff -Nur php-4.3.11/README.input_filter hardened-php-4.3.11-0.2.7/README.input_filter
2--- php-4.3.11/README.input_filter 1970-01-01 01:00:00.000000000 +0100
3+++ hardened-php-4.3.11-0.2.7/README.input_filter 2005-04-07 02:08:26.000000000 +0200
4@@ -0,0 +1,193 @@
5+Input Filter Support ported from PHP 5
6+--------------------------------------
7+
8+XSS (Cross Site Scripting) hacks are becoming more and more prevalent,
9+and can be quite difficult to prevent. Whenever you accept user data
10+and somehow display this data back to users, you are likely vulnerable
11+to XSS hacks.
12+
13+The Input Filter support in PHP 5 is aimed at providing the framework
14+through which a company-wide or site-wide security policy can be
15+enforced. It is implemented as a SAPI hook and is called from the
16+treat_data and post handler functions. To implement your own security
17+policy you will need to write a standard PHP extension.
18+
19+A simple implementation might look like the following. This stores the
20+original raw user data and adds a my_get_raw() function while the normal
21+$_POST, $_GET and $_COOKIE arrays are only populated with stripped
22+data. In this simple example all I am doing is calling strip_tags() on
23+the data. If register_globals is turned on, the default globals that
24+are created will be stripped ($foo) while a $RAW_foo is created with the
25+original user input.
26+
27+ZEND_BEGIN_MODULE_GLOBALS(my_input_filter)
28+ zval *post_array;
29+ zval *get_array;
30+ zval *cookie_array;
31+ZEND_END_MODULE_GLOBALS(my_input_filter)
32+
33+#ifdef ZTS
34+#define IF_G(v) TSRMG(my_input_filter_globals_id, zend_my_input_filter_globals *, v)
35+#else
36+#define IF_G(v) (my_input_filter_globals.v)
37+#endif
38+
39+ZEND_DECLARE_MODULE_GLOBALS(my_input_filter)
40+
41+function_entry my_input_filter_functions[] = {
42+ PHP_FE(my_get_raw, NULL)
43+ {NULL, NULL, NULL}
44+};
45+
46+zend_module_entry my_input_filter_module_entry = {
47+ STANDARD_MODULE_HEADER,
48+ "my_input_filter",
49+ my_input_filter_functions,
50+ PHP_MINIT(my_input_filter),
51+ PHP_MSHUTDOWN(my_input_filter),
52+ NULL,
53+ PHP_RSHUTDOWN(my_input_filter),
54+ PHP_MINFO(my_input_filter),
55+ "0.1",
56+ STANDARD_MODULE_PROPERTIES
57+};
58+
59+PHP_MINIT_FUNCTION(my_input_filter)
60+{
61+ ZEND_INIT_MODULE_GLOBALS(my_input_filter, php_my_input_filter_init_globals, NULL);
62+
63+ REGISTER_LONG_CONSTANT("POST", PARSE_POST, CONST_CS | CONST_PERSISTENT);
64+ REGISTER_LONG_CONSTANT("GET", PARSE_GET, CONST_CS | CONST_PERSISTENT);
65+ REGISTER_LONG_CONSTANT("COOKIE", PARSE_COOKIE, CONST_CS | CONST_PERSISTENT);
66+
67+ sapi_register_input_filter(my_sapi_input_filter);
68+ return SUCCESS;
69+}
70+
71+PHP_RSHUTDOWN_FUNCTION(my_input_filter)
72+{
73+ if(IF_G(get_array)) {
74+ zval_ptr_dtor(&IF_G(get_array));
75+ IF_G(get_array) = NULL;
76+ }
77+ if(IF_G(post_array)) {
78+ zval_ptr_dtor(&IF_G(post_array));
79+ IF_G(post_array) = NULL;
80+ }
81+ if(IF_G(cookie_array)) {
82+ zval_ptr_dtor(&IF_G(cookie_array));
83+ IF_G(cookie_array) = NULL;
84+ }
85+ return SUCCESS;
86+}
87+
88+PHP_MINFO_FUNCTION(my_input_filter)
89+{
90+ php_info_print_table_start();
91+ php_info_print_table_row( 2, "My Input Filter Support", "enabled" );
92+ php_info_print_table_row( 2, "Revision", "$Revision: 1.1 $");
93+ php_info_print_table_end();
94+}
95+
96+/* The filter handler. If you return 1 from it, then PHP also registers the
97+ * (modified) variable. Returning 0 prevents PHP from registering the variable;
98+ * you can use this if your filter already registers the variable under a
99+ * different name, or if you just don't want the variable registered at all. */
100+SAPI_INPUT_FILTER_FUNC(my_sapi_input_filter)
101+{
102+ zval new_var;
103+ zval *array_ptr = NULL;
104+ char *raw_var;
105+ int var_len;
106+
107+ assert(*val != NULL);
108+
109+ switch(arg) {
110+ case PARSE_GET:
111+ if(!IF_G(get_array)) {
112+ ALLOC_ZVAL(array_ptr);
113+ array_init(array_ptr);
114+ INIT_PZVAL(array_ptr);
115+ }
116+ IF_G(get_array) = array_ptr;
117+ break;
118+ case PARSE_POST:
119+ if(!IF_G(post_array)) {
120+ ALLOC_ZVAL(array_ptr);
121+ array_init(array_ptr);
122+ INIT_PZVAL(array_ptr);
123+ }
124+ IF_G(post_array) = array_ptr;
125+ break;
126+ case PARSE_COOKIE:
127+ if(!IF_G(cookie_array)) {
128+ ALLOC_ZVAL(array_ptr);
129+ array_init(array_ptr);
130+ INIT_PZVAL(array_ptr);
131+ }
132+ IF_G(cookie_array) = array_ptr;
133+ break;
134+ }
135+ Z_STRLEN(new_var) = val_len;
136+ Z_STRVAL(new_var) = estrndup(*val, val_len);
137+ Z_TYPE(new_var) = IS_STRING;
138+
139+ var_len = strlen(var);
140+ raw_var = emalloc(var_len+5); /* RAW_ and a \0 */
141+ strcpy(raw_var, "RAW_");
142+ strlcat(raw_var,var,var_len+5);
143+
144+ php_register_variable_ex(raw_var, &new_var, array_ptr TSRMLS_DC);
145+
146+ php_strip_tags(*val, val_len, NULL, NULL, 0);
147+
148+ *new_val_len = strlen(*val);
149+ return 1;
150+}
151+
152+PHP_FUNCTION(my_get_raw)
153+{
154+ long arg;
155+ char *var;
156+ int var_len;
157+ zval **tmp;
158+ zval *array_ptr = NULL;
159+ HashTable *hash_ptr;
160+ char *raw_var;
161+
162+ if(zend_parse_parameters(2 TSRMLS_CC, "ls", &arg, &var, &var_len) == FAILURE) {
163+ return;
164+ }
165+
166+ switch(arg) {
167+ case PARSE_GET:
168+ array_ptr = IF_G(get_array);
169+ break;
170+ case PARSE_POST:
171+ array_ptr = IF_G(post_array);
172+ break;
173+ case PARSE_COOKIE:
174+ array_ptr = IF_G(post_array);
175+ break;
176+ }
177+
178+ if(!array_ptr) RETURN_FALSE;
179+
180+ /*
181+ * I'm changing the variable name here because when running with register_globals on,
182+ * the variable will end up in the global symbol table
183+ */
184+ raw_var = emalloc(var_len+5); /* RAW_ and a \0 */
185+ strcpy(raw_var, "RAW_");
186+ strlcat(raw_var,var,var_len+5);
187+ hash_ptr = HASH_OF(array_ptr);
188+
189+ if(zend_hash_find(hash_ptr, raw_var, var_len+5, (void **)&tmp) == SUCCESS) {
190+ *return_value = **tmp;
191+ zval_copy_ctor(return_value);
192+ } else {
193+ RETVAL_FALSE;
194+ }
195+ efree(raw_var);
196+}
197+
198diff -Nur php-4.3.11/TSRM/TSRM.h hardened-php-4.3.11-0.2.7/TSRM/TSRM.h
199--- php-4.3.11/TSRM/TSRM.h 2005-02-11 04:34:04.000000000 +0100
200+++ hardened-php-4.3.11-0.2.7/TSRM/TSRM.h 2005-04-07 02:08:26.000000000 +0200
201@@ -33,6 +33,13 @@
202 # define TSRM_API
203 #endif
204
205+#if HARDENED_PHP
206+# if HAVE_REALPATH
207+# undef realpath
208+# define realpath php_realpath
209+# endif
210+#endif
211+
212 /* Only compile multi-threading functions if we're in ZTS mode */
213 #ifdef ZTS
214
215@@ -90,6 +97,7 @@
216
217 #define THREAD_HASH_OF(thr,ts) (unsigned long)thr%(unsigned long)ts
218
219+
220 #ifdef __cplusplus
221 extern "C" {
222 #endif
223diff -Nur php-4.3.11/TSRM/tsrm_virtual_cwd.c hardened-php-4.3.11-0.2.7/TSRM/tsrm_virtual_cwd.c
224--- php-4.3.11/TSRM/tsrm_virtual_cwd.c 2005-02-11 04:34:04.000000000 +0100
225+++ hardened-php-4.3.11-0.2.7/TSRM/tsrm_virtual_cwd.c 2005-04-07 02:08:26.000000000 +0200
226@@ -192,6 +192,165 @@
227 return p;
228 }
229
230+#if HARDENED_PHP
231+CWD_API char *php_realpath(const char *path, char *resolved)
232+{
233+ struct stat sb;
234+ char *p, *q, *s;
235+ size_t left_len, resolved_len;
236+ unsigned symlinks;
237+ int serrno, slen;
238+ int is_dir = 1;
239+ char left[PATH_MAX], next_token[PATH_MAX], symlink[PATH_MAX];
240+
241+ serrno = errno;
242+ symlinks = 0;
243+ if (path[0] == '/') {
244+ resolved[0] = '/';
245+ resolved[1] = '\0';
246+ if (path[1] == '\0')
247+ return (resolved);
248+ resolved_len = 1;
249+ left_len = strlcpy(left, path + 1, sizeof(left));
250+ } else {
251+ if (getcwd(resolved, PATH_MAX) == NULL) {
252+ strlcpy(resolved, ".", PATH_MAX);
253+ return (NULL);
254+ }
255+ resolved_len = strlen(resolved);
256+ left_len = strlcpy(left, path, sizeof(left));
257+ }
258+ if (left_len >= sizeof(left) || resolved_len >= PATH_MAX) {
259+ errno = ENAMETOOLONG;
260+ return (NULL);
261+ }
262+
263+ /*
264+ * Iterate over path components in `left'.
265+ */
266+ while (left_len != 0) {
267+ /*
268+ * Extract the next path component and adjust `left'
269+ * and its length.
270+ */
271+ p = strchr(left, '/');
272+ s = p ? p : left + left_len;
273+ if (s - left >= sizeof(next_token)) {
274+ errno = ENAMETOOLONG;
275+ return (NULL);
276+ }
277+ memcpy(next_token, left, s - left);
278+ next_token[s - left] = '\0';
279+ left_len -= s - left;
280+ if (p != NULL)
281+ memmove(left, s + 1, left_len + 1);
282+ if (resolved[resolved_len - 1] != '/') {
283+ if (resolved_len + 1 >= PATH_MAX) {
284+ errno = ENAMETOOLONG;
285+ return (NULL);
286+ }
287+ resolved[resolved_len++] = '/';
288+ resolved[resolved_len] = '\0';
289+ }
290+ if (next_token[0] == '\0')
291+ continue;
292+ else if (strcmp(next_token, ".") == 0)
293+ continue;
294+ else if (strcmp(next_token, "..") == 0) {
295+ /*
296+ * Strip the last path component except when we have
297+ * single "/"
298+ */
299+ if (!is_dir) {
300+ errno = ENOENT;
301+ return (NULL);
302+ }
303+ if (resolved_len > 1) {
304+ resolved[resolved_len - 1] = '\0';
305+ q = strrchr(resolved, '/');
306+ *q = '\0';
307+ resolved_len = q - resolved;
308+ }
309+ continue;
310+ }
311+
312+ /*
313+ * Append the next path component and lstat() it. If
314+ * lstat() fails we still can return successfully if
315+ * there are no more path components left.
316+ */
317+ resolved_len = strlcat(resolved, next_token, PATH_MAX);
318+ if (resolved_len >= PATH_MAX) {
319+ errno = ENAMETOOLONG;
320+ return (NULL);
321+ }
322+ if (lstat(resolved, &sb) != 0) {
323+ if (errno == ENOENT && p == NULL) {
324+ errno = serrno;
325+ return (resolved);
326+ }
327+ return (NULL);
328+ }
329+ if (S_ISLNK(sb.st_mode)) {
330+ if (symlinks++ > MAXSYMLINKS) {
331+ errno = ELOOP;
332+ return (NULL);
333+ }
334+ slen = readlink(resolved, symlink, sizeof(symlink) - 1);
335+ if (slen < 0)
336+ return (NULL);
337+ symlink[slen] = '\0';
338+ if (symlink[0] == '/') {
339+ resolved[1] = 0;
340+ resolved_len = 1;
341+ } else if (resolved_len > 1) {
342+ /* Strip the last path component. */
343+ resolved[resolved_len - 1] = '\0';
344+ q = strrchr(resolved, '/');
345+ *q = '\0';
346+ resolved_len = q - resolved;
347+ }
348+
349+ /*
350+ * If there are any path components left, then
351+ * append them to symlink. The result is placed
352+ * in `left'.
353+ */
354+ if (p != NULL) {
355+ if (symlink[slen - 1] != '/') {
356+ if (slen + 1 >= sizeof(symlink)) {
357+ errno = ENAMETOOLONG;
358+ return (NULL);
359+ }
360+ symlink[slen] = '/';
361+ symlink[slen + 1] = 0;
362+ }
363+ left_len = strlcat(symlink, left, sizeof(left));
364+ if (left_len >= sizeof(left)) {
365+ errno = ENAMETOOLONG;
366+ return (NULL);
367+ }
368+ }
369+ left_len = strlcpy(left, symlink, sizeof(left));
370+ } else {
371+ if (S_ISDIR(sb.st_mode)) {
372+ is_dir = 1;
373+ } else {
374+ is_dir = 0;
375+ }
376+ }
377+ }
378+
379+ /*
380+ * Remove trailing slash except when the resolved pathname
381+ * is a single "/".
382+ */
383+ if (resolved_len > 1 && resolved[resolved_len - 1] == '/')
384+ resolved[resolved_len - 1] = '\0';
385+ return (resolved);
386+}
387+#endif
388+
389 CWD_API void virtual_cwd_startup(void)
390 {
391 char cwd[MAXPATHLEN];
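Review bot: In the `..` branch of `php_realpath`, `q = strrchr(resolved, '/'); *q = '\0';` removes the separator together with the component, so stripping the only component below the root (resolved is `/a/`) leaves `resolved_len` at 0. The next loop iteration then evaluates `resolved[resolved_len - 1]` with an unsigned wrap and reads outside the buffer, and a path such as `/a/..` comes back as an empty string instead of `/`. The symlink branch strips the last component with the same two lines. Keeping the slash avoids both cases: `q = strrchr(resolved, '/') + 1; *q = '\0'; resolved_len = q - resolved;`. Separately, `symlink[slen - 1]` is read after only `slen < 0` has been rejected, so a zero-length `readlink()` result would index `symlink[-1]`; `if (slen <= 0) return (NULL);` closes that.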
392@@ -314,8 +473,7 @@
393 path = resolved_path;
394 path_length = strlen(path);
395 } else {
396- /* disable for now
397- return 1; */
398+ return 1;
399 }
400 }
401 } else { /* Concat current directory with relative path and then run realpath() on it */
402@@ -341,9 +499,8 @@
403 path = resolved_path;
404 path_length = strlen(path);
405 } else {
406- /* disable for now
407 free(tmp);
408- return 1; */
409+ return 1;
410 }
411 }
412 free(tmp);
413diff -Nur php-4.3.11/TSRM/tsrm_virtual_cwd.h hardened-php-4.3.11-0.2.7/TSRM/tsrm_virtual_cwd.h
414--- php-4.3.11/TSRM/tsrm_virtual_cwd.h 2005-02-11 04:34:04.000000000 +0100
415+++ hardened-php-4.3.11-0.2.7/TSRM/tsrm_virtual_cwd.h 2005-04-07 02:08:26.000000000 +0200
416@@ -128,6 +128,22 @@
417
418 typedef int (*verify_path_func)(const cwd_state *);
419
420+#ifndef HAVE_STRLCPY
421+CWD_API size_t php_strlcpy(char *dst, const char *src, size_t siz);
422+#undef strlcpy
423+#define strlcpy php_strlcpy
424+#endif
425+
426+#ifndef HAVE_STRLCAT
427+CWD_API size_t php_strlcat(char *dst, const char *src, size_t siz);
428+#undef strlcat
429+#define strlcat php_strlcat
430+#endif
431+
432+
433+#if HARDENED_PHP
434+CWD_API char *php_realpath(const char *path, char *resolved);
435+#endif
436 CWD_API void virtual_cwd_startup(void);
437 CWD_API void virtual_cwd_shutdown(void);
438 CWD_API char *virtual_getcwd_ex(size_t *length TSRMLS_DC);
439diff -Nur php-4.3.11/Zend/zend.c hardened-php-4.3.11-0.2.7/Zend/zend.c
440--- php-4.3.11/Zend/zend.c 2005-01-22 21:36:34.000000000 +0100
441+++ hardened-php-4.3.11-0.2.7/Zend/zend.c 2005-04-07 02:08:26.000000000 +0200
442@@ -53,6 +53,12 @@
443 ZEND_API void (*zend_unblock_interruptions)(void);
444 ZEND_API void (*zend_ticks_function)(int ticks);
445 ZEND_API void (*zend_error_cb)(int type, const char *error_filename, const uint error_lineno, const char *format, va_list args);
446+#if HARDENED_PHP
447+ZEND_API void (*zend_security_log)(char *str);
448+#endif
449+#if HARDENED_PHP_INC_PROTECT
450+ZEND_API int (*zend_is_valid_include)(zval *z);
451+#endif
452
453 void (*zend_on_timeout)(int seconds TSRMLS_DC);
454
455@@ -420,6 +426,14 @@
456 extern zend_scanner_globals language_scanner_globals;
457 #endif
458
459+ /* Set up Hardened-PHP utility functions first */
460+#if HARDENED_PHP
461+ zend_security_log = utility_functions->security_log_function;
462+#endif
463+#if HARDENED_PHP_INC_PROTECT
464+ zend_is_valid_include = utility_functions->is_valid_include;
465+#endif
466+
467 #ifdef ZTS
468 ts_allocate_id(&alloc_globals_id, sizeof(zend_alloc_globals), (ts_allocate_ctor) alloc_globals_ctor, (ts_allocate_dtor) alloc_globals_dtor);
469 #else
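Review bot: `zend_security_log` and `zend_is_valid_include` are copied from `utility_functions` here without a NULL check, while the callers added elsewhere in this patch (the list checks in `REMOVE_POINTER_FROM_LIST` in zend_alloc.c, the include checks in zend_execute.c) invoke them unconditionally. A SAPI or embedder that fills `zend_utility_functions` without the two new members would presumably crash on the first security event instead of logging it. Consider falling back to a small stderr-writing logger when `security_log_function` is NULL and treating a NULL `is_valid_include` as a startup error, and add a comment on the struct members in zend.h saying they are mandatory. The enclosing function starts and ends outside the hunk.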
470diff -Nur php-4.3.11/Zend/zend.h hardened-php-4.3.11-0.2.7/Zend/zend.h
471--- php-4.3.11/Zend/zend.h 2005-01-25 14:08:41.000000000 +0100
472+++ hardened-php-4.3.11-0.2.7/Zend/zend.h 2005-04-07 02:08:26.000000000 +0200
473@@ -275,9 +275,9 @@
474 struct _zval_struct {
475 /* Variable information */
476 zvalue_value value; /* value */
477+ zend_uint refcount;
478 zend_uchar type; /* active type */
479 zend_uchar is_ref;
480- zend_ushort refcount;
481 };
482
483
484@@ -338,6 +338,12 @@
485 void (*ticks_function)(int ticks);
486 void (*on_timeout)(int seconds TSRMLS_DC);
487 zend_bool (*open_function)(const char *filename, struct _zend_file_handle *);
488+#if HARDENED_PHP
489+ void (*security_log_function)(char *str);
490+#endif
491+#if HARDENED_PHP_INC_PROTECT
492+ int (*is_valid_include)(zval *z);
493+#endif
494 } zend_utility_functions;
495
496
497@@ -469,7 +475,16 @@
498 extern ZEND_API void (*zend_ticks_function)(int ticks);
499 extern ZEND_API void (*zend_error_cb)(int type, const char *error_filename, const uint error_lineno, const char *format, va_list args) ZEND_ATTRIBUTE_PTR_FORMAT(printf, 4, 0);
500 extern void (*zend_on_timeout)(int seconds TSRMLS_DC);
501+#if HARDENED_PHP
502+extern ZEND_API void (*zend_security_log)(char *str);
503+#endif
504+#if HARDENED_PHP_INC_PROTECT
505+extern ZEND_API int (*zend_is_valid_include)(zval *z);
506+#endif
507
508+#if HARDENED_PHP_MM_PROTECT || HARDENED_PHP_LL_PROTECT || HARDENED_PHP_HASH_PROTECT
509+ZEND_API unsigned int zend_canary(void);
510+#endif
511
512 ZEND_API void zend_error(int type, const char *format, ...) ZEND_ATTRIBUTE_PTR_FORMAT(printf, 2, 3);
513
514@@ -576,6 +591,10 @@
515
516 #define ZEND_MAX_RESERVED_RESOURCES 4
517
518+#if HARDENED_PHP
519+#include "hardened_globals.h"
520+#endif
521+
522 #endif /* ZEND_H */
523
524 /*
525diff -Nur php-4.3.11/Zend/zend_alloc.c hardened-php-4.3.11-0.2.7/Zend/zend_alloc.c
526--- php-4.3.11/Zend/zend_alloc.c 2004-08-27 18:51:25.000000000 +0200
527+++ hardened-php-4.3.11-0.2.7/Zend/zend_alloc.c 2005-04-07 02:11:04.000000000 +0200
528@@ -56,6 +56,11 @@
529 # define END_MAGIC_SIZE 0
530 #endif
531
532+#if HARDENED_PHP_MM_PROTECT
533+# define CANARY_SIZE sizeof(unsigned int)
534+#else
535+# define CANARY_SIZE 0
536+#endif
537
538 # if MEMORY_LIMIT
539 # if ZEND_DEBUG
540@@ -95,9 +100,17 @@
541 if (p==AG(head)) { \
542 AG(head) = p->pNext; \
543 } else { \
544+ if (p != p->pLast->pNext) { \
545+ zend_security_log("linked list corrupt on efree() - heap corruption detected"); \
546+ exit(1); \
547+ } \
548 p->pLast->pNext = p->pNext; \
549 } \
550 if (p->pNext) { \
551+ if (p != p->pNext->pLast) { \
552+ zend_security_log("linked list corrupt on efree() - heap corruption detected"); \
553+ exit(1); \
554+ } \
555 p->pNext->pLast = p->pLast; \
556 }
557
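Review bot: Both new corruption checks in `REMOVE_POINTER_FROM_LIST` end in `exit(1)`, which runs `atexit` handlers and flushes stdio buffers in a process whose heap metadata has just been found corrupt; `abort()` or `_exit(1)` would stop without touching that state again. The same pattern is used by the canary checks added to `_emalloc`, `_efree` and `_erealloc` further down and by `CHECK_HASH_CANARY` and `CHECK_LIST_CANARY`. The two checks are also added without a `HARDENED_PHP` guard, although zend.h declares `zend_security_log` only under `#if HARDENED_PHP`, so a build with the feature switched off would presumably fail to compile unless the macro already sits inside such a guard outside this hunk.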
558@@ -129,6 +142,12 @@
559 DECLARE_CACHE_VARS();
560 TSRMLS_FETCH();
561
562+#if HARDENED_PHP_MM_PROTECT
563+ if (size > LONG_MAX - sizeof(zend_mem_header) - MEM_HEADER_PADDING - END_MAGIC_SIZE - CANARY_SIZE) {
564+ zend_security_log("emalloc() - requested size would result in integer overflow");
565+ exit(1);
566+ }
567+#endif
568 CALCULATE_REAL_SIZE_AND_CACHE_INDEX(size);
569
570 if (!ZEND_DISABLE_MEMORY_CACHE && (CACHE_INDEX < MAX_CACHED_MEMORY) && (AG(cache_count)[CACHE_INDEX] > 0)) {
571@@ -146,6 +165,10 @@
572 AG(cache_stats)[CACHE_INDEX][1]++;
573 memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
574 #endif
575+#if HARDENED_PHP_MM_PROTECT
576+ p->canary = HG(canary_1);
577+ memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
578+#endif
579 p->cached = 0;
580 p->size = size;
581 return (void *)((char *)p + sizeof(zend_mem_header) + MEM_HEADER_PADDING);
582@@ -161,7 +184,7 @@
583 AG(allocated_memory_peak) = AG(allocated_memory);
584 }
585 #endif
586- p = (zend_mem_header *) ZEND_DO_MALLOC(sizeof(zend_mem_header) + MEM_HEADER_PADDING + SIZE + END_MAGIC_SIZE);
587+ p = (zend_mem_header *) ZEND_DO_MALLOC(sizeof(zend_mem_header) + MEM_HEADER_PADDING + SIZE + END_MAGIC_SIZE + CANARY_SIZE);
588 }
589
590 HANDLE_BLOCK_INTERRUPTIONS();
591@@ -191,7 +214,10 @@
592 # endif
593 memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
594 #endif
595-
596+#if HARDENED_PHP_MM_PROTECT
597+ p->canary = HG(canary_1);
598+ memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
599+#endif
600 HANDLE_UNBLOCK_INTERRUPTIONS();
601 return (void *)((char *)p + sizeof(zend_mem_header) + MEM_HEADER_PADDING);
602 }
603@@ -218,17 +244,33 @@
604 return emalloc_rel(lval + offset);
605 }
606 }
607-
608+
609+#if HARDENED_PHP
610+ zend_security_log("Possible integer overflow catched by safe_emalloc()");
611+#endif
612 zend_error(E_ERROR, "Possible integer overflow in memory allocation (%ld * %ld + %ld)", nmemb, size, offset);
613 return 0;
614 }
615
616 ZEND_API void _efree(void *ptr ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
617 {
618+#if HARDENED_PHP_MM_PROTECT
619+ unsigned int *canary_2;
620+#endif
621 zend_mem_header *p = (zend_mem_header *) ((char *)ptr - sizeof(zend_mem_header) - MEM_HEADER_PADDING);
622 DECLARE_CACHE_VARS();
623 TSRMLS_FETCH();
624
625+#if HARDENED_PHP_MM_PROTECT
626+ canary_2 = (unsigned int *)(((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE);
627+ if (p->canary != HG(canary_1) || *canary_2 != HG(canary_2)) {
628+ zend_security_log("canary mismatch on efree() - heap overflow or double efree detected");
629+ exit(1);
630+ }
631+ /* to catch double efree()s */
632+ *canary_2 = p->canary = 0;
633+#endif
634+
635 #if defined(ZTS) && TSRM_DEBUG
636 if (p->thread_id != tsrm_thread_id()) {
637 tsrm_error(TSRM_ERROR_LEVEL_ERROR, "Memory block allocated at %s:(%d) on thread %x freed at %s:(%d) on thread %x, ignoring",
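Review bot: In `_efree` the trailing canary is read and cleared through `unsigned int *canary_2`, but it lives at `... + p->size + END_MAGIC_SIZE`, an address that is only suitably aligned when the requested size happens to be; `_emalloc` stores it with `memcpy`. Dereferencing the cast pointer is undefined behaviour and can fault on strict-alignment targets, and the `_erealloc` hunk performs the same load with `*(unsigned int *)(...)`. Copy into a local instead, `memcpy(&tail, canary_addr, CANARY_SIZE);`, compare `tail` against `HG(canary_2)`, and clear with `memset(canary_addr, 0, CANARY_SIZE);`. `_efree` continues outside the hunk.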
638@@ -273,6 +315,9 @@
639 size_t _size = nmemb * size;
640
641 if (nmemb && (_size/nmemb!=size)) {
642+#if HARDENED_PHP
643+ zend_security_log("Possible integer overflow catched by ecalloc()");
644+#endif
645 fprintf(stderr,"FATAL: ecalloc(): Unable to allocate %ld * %ld bytes\n", (long) nmemb, (long) size);
646 #if ZEND_DEBUG && HAVE_KILL && HAVE_GETPID
647 kill(getpid(), SIGSEGV);
648@@ -292,6 +337,9 @@
649
650 ZEND_API void *_erealloc(void *ptr, size_t size, int allow_failure ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
651 {
652+#if HARDENED_PHP_MM_PROTECT
653+ unsigned int canary_2;
654+#endif
655 zend_mem_header *p;
656 zend_mem_header *orig;
657 DECLARE_CACHE_VARS();
658@@ -303,6 +351,14 @@
659
660 p = orig = (zend_mem_header *) ((char *)ptr-sizeof(zend_mem_header)-MEM_HEADER_PADDING);
661
662+#if HARDENED_PHP_MM_PROTECT
663+ canary_2 = *(unsigned int *)(((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE);
664+ if (p->canary != HG(canary_1) || canary_2 != HG(canary_2)) {
665+ zend_security_log("canary mismatch on erealloc() - heap overflow detected");
666+ exit(1);
667+ }
668+#endif
669+
670 #if defined(ZTS) && TSRM_DEBUG
671 if (p->thread_id != tsrm_thread_id()) {
672 void *new_p;
673@@ -326,7 +382,7 @@
674 }
675 #endif
676 REMOVE_POINTER_FROM_LIST(p);
677- p = (zend_mem_header *) ZEND_DO_REALLOC(p, sizeof(zend_mem_header)+MEM_HEADER_PADDING+SIZE+END_MAGIC_SIZE);
678+ p = (zend_mem_header *) ZEND_DO_REALLOC(p, sizeof(zend_mem_header)+MEM_HEADER_PADDING+SIZE+END_MAGIC_SIZE+CANARY_SIZE);
679 if (!p) {
680 if (!allow_failure) {
681 fprintf(stderr,"FATAL: erealloc(): Unable to allocate %ld bytes\n", (long) size);
682@@ -348,6 +404,9 @@
683 memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
684 #endif
685
686+#if HARDENED_PHP_MM_PROTECT
687+ memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
688+#endif
689 p->size = size;
690
691 HANDLE_UNBLOCK_INTERRUPTIONS();
692@@ -423,6 +482,10 @@
693 {
694 AG(head) = NULL;
695
696+#if HARDENED_PHP_MM_PROTECT
697+ HG(canary_1) = zend_canary();
698+ HG(canary_2) = zend_canary();
699+#endif
700 #if MEMORY_LIMIT
701 AG(memory_limit) = 1<<30; /* ridiculous limit, effectively no limit */
702 AG(allocated_memory) = 0;
703diff -Nur php-4.3.11/Zend/zend_alloc.h hardened-php-4.3.11-0.2.7/Zend/zend_alloc.h
704--- php-4.3.11/Zend/zend_alloc.h 2004-08-11 08:10:46.000000000 +0200
705+++ hardened-php-4.3.11-0.2.7/Zend/zend_alloc.h 2005-04-07 02:08:26.000000000 +0200
706@@ -32,6 +32,9 @@
707 #define MEM_BLOCK_CACHED_MAGIC 0xFB8277DCL
708
709 typedef struct _zend_mem_header {
710+#if HARDENED_PHP_MM_PROTECT
711+ unsigned int canary;
712+#endif
713 #if ZEND_DEBUG
714 long magic;
715 char *filename;
716diff -Nur php-4.3.11/Zend/zend_builtin_functions.c hardened-php-4.3.11-0.2.7/Zend/zend_builtin_functions.c
717--- php-4.3.11/Zend/zend_builtin_functions.c 2004-12-27 20:28:35.000000000 +0100
718+++ hardened-php-4.3.11-0.2.7/Zend/zend_builtin_functions.c 2005-04-07 02:08:26.000000000 +0200
719@@ -49,6 +49,9 @@
720 static ZEND_FUNCTION(crash);
721 #endif
722 #endif
723+#if HARDENED_PHP_MM_PROTECT_DEBUG
724+static ZEND_FUNCTION(heap_overflow);
725+#endif
726 static ZEND_FUNCTION(get_included_files);
727 static ZEND_FUNCTION(is_subclass_of);
728 static ZEND_FUNCTION(is_a);
729@@ -101,6 +104,9 @@
730 ZEND_FE(crash, NULL)
731 #endif
732 #endif
733+#if HARDENED_PHP_MM_PROTECT_DEBUG
734+ ZEND_FE(heap_overflow, NULL)
735+#endif
736 ZEND_FE(get_included_files, NULL)
737 ZEND_FALIAS(get_required_files, get_included_files, NULL)
738 ZEND_FE(is_subclass_of, NULL)
739@@ -805,6 +811,19 @@
740
741 #endif /* ZEND_DEBUG */
742
743+
744+#if HARDENED_PHP_MM_PROTECT_DEBUG
745+ZEND_FUNCTION(heap_overflow)
746+{
747+ char *nowhere = emalloc(10);
748+
749+ memcpy(nowhere, "something1234567890", sizeof("something1234567890"));
750+
751+ efree(nowhere);
752+}
753+#endif
754+
755+
756 /* {{{ proto array get_included_files(void)
757 Returns an array with the file names that were include_once()'d */
758 ZEND_FUNCTION(get_included_files)
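Review bot: `heap_overflow()` carries no comment saying that the out-of-bounds `memcpy` is deliberate, and once `HARDENED_PHP_MM_PROTECT_DEBUG` is set it is registered as a function any script can call. I would add a header comment such as `/* Test hook: deliberately writes past a 10-byte block so the efree() canary check fires. Never enable HARDENED_PHP_MM_PROTECT_DEBUG in production builds. */`. If the build system allows it, the flag should also be rejected outside debug configurations.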
759diff -Nur php-4.3.11/Zend/zend_canary.c hardened-php-4.3.11-0.2.7/Zend/zend_canary.c
760--- php-4.3.11/Zend/zend_canary.c 1970-01-01 01:00:00.000000000 +0100
761+++ hardened-php-4.3.11-0.2.7/Zend/zend_canary.c 2005-04-07 02:08:26.000000000 +0200
762@@ -0,0 +1,58 @@
763+/*
764+ +----------------------------------------------------------------------+
765+ | Hardened-PHP |
766+ +----------------------------------------------------------------------+
767+ | Copyright (c) 2004 Stefan Esser |
768+ +----------------------------------------------------------------------+
769+ | This source file is subject to version 2.02 of the PHP license, |
770+ | that is bundled with this package in the file LICENSE, and is |
771+ | available at through the world-wide-web at |
772+ | http://www.php.net/license/2_02.txt. |
773+ | If you did not receive a copy of the PHP license and are unable to |
774+ | obtain it through the world-wide-web, please send a note to |
775+ | license@php.net so we can mail you a copy immediately. |
776+ +----------------------------------------------------------------------+
777+ | Author: Stefan Esser <sesser@php.net> |
778+ +----------------------------------------------------------------------+
779+ */
780+/* $Id: zend_canary.c,v 1.1 2004/11/26 12:45:41 ionic Exp $ */
781+
782+#include "zend.h"
783+
784+#include <stdio.h>
785+#include <stdlib.h>
786+
787+
788+#if HARDENED_PHP_MM_PROTECT || HARDENED_PHP_LL_PROTECT
789+
790+/* will be replaced later with more compatible method */
791+ZEND_API unsigned int zend_canary()
792+{
793+ time_t t;
794+ unsigned int canary;
795+ int fd;
796+
797+ fd = open("/dev/urandom", 0);
798+ if (fd != -1) {
799+ int r = read(fd, &canary, sizeof(canary));
800+ close(fd);
801+ if (r == sizeof(canary)) {
802+ return (canary);
803+ }
804+ }
805+ /* not good but we never want to do this */
806+ time(&t);
807+ canary = *(unsigned int *)&t + getpid() << 16;
808+ return (canary);
809+}
810+#endif
811+
812+
813+/*
814+ * Local variables:
815+ * tab-width: 4
816+ * c-basic-offset: 4
817+ * End:
818+ * vim600: sw=4 ts=4 fdm=marker
819+ * vim<600: sw=4 ts=4
820+ */
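Review bot: The fallback in `zend_canary()` computes `*(unsigned int *)&t + getpid() << 16`, which parses as `(t + pid) << 16` because `+` binds tighter than `<<`, so the low 16 bits of the canary are always zero and the rest follows from the start time and PID. If `/dev/urandom` cannot be read, the function should either refuse to continue or at least mix the values as intended, `canary = (unsigned int)t ^ ((unsigned int)getpid() << 16);`, with a comment that this path is guessable. The file calls `open`, `read`, `close`, `getpid` and `time` while including only `<stdio.h>` and `<stdlib.h>` besides zend.h, so `<fcntl.h>`, `<unistd.h>` and `<time.h>` should be included explicitly and the `0` passed to `open` written as `O_RDONLY`. The definition is guarded by `HARDENED_PHP_MM_PROTECT || HARDENED_PHP_LL_PROTECT`, whereas zend.h declares it for `HARDENED_PHP_HASH_PROTECT` too and zend_hash.c calls it, so a build with only the hash protection enabled would not link.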
821diff -Nur php-4.3.11/Zend/zend_execute.c hardened-php-4.3.11-0.2.7/Zend/zend_execute.c
822--- php-4.3.11/Zend/zend_execute.c 2005-02-21 13:38:54.000000000 +0100
823+++ hardened-php-4.3.11-0.2.7/Zend/zend_execute.c 2005-04-07 02:08:26.000000000 +0200
824@@ -2161,7 +2161,12 @@
825 int dummy = 1;
826 zend_file_handle file_handle = {0};
827
828+#if HARDENED_PHP_INC_PROTECT
829+ if (zend_is_valid_include(inc_filename)
830+ && zend_open(inc_filename->value.str.val, &file_handle) == SUCCESS
831+#else
832 if (zend_open(inc_filename->value.str.val, &file_handle) == SUCCESS
833+#endif
834 && ZEND_IS_VALID_FILE_HANDLE(&file_handle)) {
835
836 file_handle.filename = inc_filename->value.str.val;
837@@ -2190,6 +2195,11 @@
838 break;
839 case ZEND_INCLUDE:
840 case ZEND_REQUIRE:
841+#if HARDENED_PHP_INC_PROTECT
842+ if (!zend_is_valid_include(inc_filename)) {
843+ break;
844+ }
845+#endif
846 new_op_array = compile_filename(EX(opline)->op2.u.constant.value.lval, inc_filename TSRMLS_CC);
847 break;
848 case ZEND_EVAL: {
849diff -Nur php-4.3.11/Zend/zend_extensions.h hardened-php-4.3.11-0.2.7/Zend/zend_extensions.h
850--- php-4.3.11/Zend/zend_extensions.h 2002-12-31 17:23:02.000000000 +0100
851+++ hardened-php-4.3.11-0.2.7/Zend/zend_extensions.h 2005-04-07 02:08:26.000000000 +0200
852@@ -23,7 +23,9 @@
853
854 #include "zend_compile.h"
855
856-#define ZEND_EXTENSION_API_NO 20021010
857+/* Create own API version number for Hardened-PHP */
858+
859+#define ZEND_EXTENSION_API_NO 1020041222
860
861 typedef struct _zend_extension_version_info {
862 int zend_extension_api_no;
863diff -Nur php-4.3.11/Zend/zend_hash.c hardened-php-4.3.11-0.2.7/Zend/zend_hash.c
864--- php-4.3.11/Zend/zend_hash.c 2004-07-12 23:26:46.000000000 +0200
865+++ hardened-php-4.3.11-0.2.7/Zend/zend_hash.c 2005-04-07 02:09:31.000000000 +0200
866@@ -26,6 +26,17 @@
867 # include <stdlib.h>
868 #endif
869
870+#if HARDENED_PHP_HASH_PROTECT
871+ unsigned int zend_hash_canary = 0x1234567;
872+ zend_bool zend_hash_canary_inited = 0;
873+#endif
874+
875+#define CHECK_HASH_CANARY(hash) \
876+ if (zend_hash_canary != (hash)->canary) { \
877+ zend_security_log("Zend HashTable canary was overwritten"); \
878+ exit(1); \
879+ }
880+
881 #define HANDLE_NUMERIC(key, length, func) { \
882 register char *tmp=key; \
883 \
884@@ -175,6 +186,9 @@
885 {
886 uint i = 3;
887 Bucket **tmp;
888+#if HARDENED_PHP_HASH_PROTECT
889+ TSRMLS_FETCH();
890+#endif
891
892 SET_INCONSISTENT(HT_OK);
893
894@@ -184,6 +198,13 @@
895
896 ht->nTableSize = 1 << i;
897 ht->nTableMask = ht->nTableSize - 1;
898+#if HARDENED_PHP_HASH_PROTECT
899+ if (zend_hash_canary_inited==0) {
900+ zend_hash_canary = zend_canary();
901+ zend_hash_canary_inited = 1;
902+ }
903+ ht->canary = zend_hash_canary;
904+#endif
905 ht->pDestructor = pDestructor;
906 ht->pListHead = NULL;
907 ht->pListTail = NULL;
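Review bot: The lazy initialisation `if (zend_hash_canary_inited==0) { ... }` writes two plain process-wide globals with no synchronisation, so in a ZTS build two threads initialising tables at the same time can each draw a different value from `zend_canary()`. A table stamped with the value that loses the race will later fail `CHECK_HASH_CANARY` and terminate the process. Setting the hash canary once during startup, next to `HG(canary_1)` and `HG(canary_2)` in the memory-manager start-up hunk of zend_alloc.c, removes both the race and the per-call branch. The `TSRMLS_FETCH()` added in the previous hunk then looks unnecessary, since nothing in the new lines reads a TSRM global. The enclosing function starts and ends outside the hunk.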
908@@ -259,6 +280,9 @@
909 }
910 #endif
911 if (ht->pDestructor) {
912+#if HARDENED_PHP_HASH_PROTECT
913+ CHECK_HASH_CANARY(ht);
914+#endif
915 ht->pDestructor(p->pData);
916 }
917 UPDATE_DATA(ht, p, pData, nDataSize);
918@@ -327,6 +351,9 @@
919 }
920 #endif
921 if (ht->pDestructor) {
922+#if HARDENED_PHP_HASH_PROTECT
923+ CHECK_HASH_CANARY(ht);
924+#endif
925 ht->pDestructor(p->pData);
926 }
927 UPDATE_DATA(ht, p, pData, nDataSize);
928@@ -402,6 +429,9 @@
929 }
930 #endif
931 if (ht->pDestructor) {
932+#if HARDENED_PHP_HASH_PROTECT
933+ CHECK_HASH_CANARY(ht);
934+#endif
935 ht->pDestructor(p->pData);
936 }
937 UPDATE_DATA(ht, p, pData, nDataSize);
938@@ -450,7 +480,7 @@
939 IS_CONSISTENT(ht);
940
941 if ((ht->nTableSize << 1) > 0) { /* Let's double the table size */
942- t = (Bucket **) perealloc_recoverable(ht->arBuckets, (ht->nTableSize << 1) * sizeof(Bucket *), ht->persistent);
943+ t = (Bucket **) perealloc(ht->arBuckets, (ht->nTableSize << 1) * sizeof(Bucket *), ht->persistent);
944 if (t) {
945 HANDLE_BLOCK_INTERRUPTIONS();
946 ht->arBuckets = t;
947@@ -460,6 +490,7 @@
948 HANDLE_UNBLOCK_INTERRUPTIONS();
949 return SUCCESS;
950 }
951+ zend_error(E_ERROR, "zend_hash_do_resize - out of memory");
952 return FAILURE;
953 }
954 return SUCCESS;
955@@ -524,6 +555,9 @@
956 ht->pInternalPointer = p->pListNext;
957 }
958 if (ht->pDestructor) {
959+#if HARDENED_PHP_HASH_PROTECT
960+ CHECK_HASH_CANARY(ht);
961+#endif
962 ht->pDestructor(p->pData);
963 }
964 if (!p->pDataPtr) {
965@@ -553,6 +587,9 @@
966 q = p;
967 p = p->pListNext;
968 if (ht->pDestructor) {
969+#if HARDENED_PHP_HASH_PROTECT
970+ CHECK_HASH_CANARY(ht);
971+#endif
972 ht->pDestructor(q->pData);
973 }
974 if (!q->pDataPtr && q->pData) {
975@@ -579,6 +616,9 @@
976 q = p;
977 p = p->pListNext;
978 if (ht->pDestructor) {
979+#if HARDENED_PHP_HASH_PROTECT
980+ CHECK_HASH_CANARY(ht);
981+#endif
982 ht->pDestructor(q->pData);
983 }
984 if (!q->pDataPtr && q->pData) {
985@@ -608,6 +648,9 @@
986 HANDLE_BLOCK_INTERRUPTIONS();
987
988 if (ht->pDestructor) {
989+#if HARDENED_PHP_HASH_PROTECT
990+ CHECK_HASH_CANARY(ht);
991+#endif
992 ht->pDestructor(p->pData);
993 }
994 if (!p->pDataPtr) {
995diff -Nur php-4.3.11/Zend/zend_hash.h hardened-php-4.3.11-0.2.7/Zend/zend_hash.h
996--- php-4.3.11/Zend/zend_hash.h 2002-12-31 17:23:03.000000000 +0100
997+++ hardened-php-4.3.11-0.2.7/Zend/zend_hash.h 2005-04-07 02:08:26.000000000 +0200
998@@ -54,6 +54,9 @@
999 } Bucket;
1000
1001 typedef struct _hashtable {
1002+#if HARDENED_PHP_HASH_PROTECT
1003+ unsigned int canary;
1004+#endif
1005 uint nTableSize;
1006 uint nTableMask;
1007 uint nNumOfElements;
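Review bot: The `canary` member added at the top of `struct _hashtable` makes the layout of a public struct depend on `HARDENED_PHP_HASH_PROTECT`, and nothing visible ties that setting to the module ABI check. The `ZEND_MODULE_API_NO` change in zend_modules.h is a single constant, so an extension built with `--disable-hardened-php-hash-protect` would presumably still load into a core built with the protection on and read every HashTable field at a shifted offset. The `HARDENED_PHP_LL_PROTECT` members in zend_llist.h have the same property. I would make the members unconditional or encode the enabled protections in the API number, and add `/* layout depends on HARDENED_PHP_HASH_PROTECT; core and extensions must be built with the same setting */` above the member. The struct definition continues past the hunk.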
1008diff -Nur php-4.3.11/Zend/zend_llist.c hardened-php-4.3.11-0.2.7/Zend/zend_llist.c
1009--- php-4.3.11/Zend/zend_llist.c 2002-12-31 17:23:04.000000000 +0100
1010+++ hardened-php-4.3.11-0.2.7/Zend/zend_llist.c 2005-04-07 02:08:26.000000000 +0200
1011@@ -21,9 +21,34 @@
1012 #include "zend.h"
1013 #include "zend_llist.h"
1014 #include "zend_qsort.h"
1015+#include "zend_globals.h"
1016+
1017+#define CHECK_LIST_CANARY(list) \
1018+ if (HG(canary_3) != (list)->canary_h || HG(canary_4) != (list)->canary_t) { \
1019+ zend_security_log("linked list canary was overwritten"); \
1020+ exit(1); \
1021+ }
1022+
1023+#define CHECK_LISTELEMENT_CANARY(elem) \
1024+ if (HG(canary_3) != (elem)->canary) { \
1025+ zend_security_log("linked list element canary was overwritten"); \
1026+ exit(1); \
1027+ }
1028+
1029
1030 ZEND_API void zend_llist_init(zend_llist *l, size_t size, llist_dtor_func_t dtor, unsigned char persistent)
1031 {
1032+#if HARDENED_PHP_LL_PROTECT
1033+ TSRMLS_FETCH();
1034+
1035+ if (!HG(ll_canary_inited)) {
1036+ HG(canary_3) = zend_canary();
1037+ HG(canary_4) = zend_canary();
1038+ HG(ll_canary_inited) = 1;
1039+ }
1040+ l->canary_h = HG(canary_3);
1041+ l->canary_t = HG(canary_4);
1042+#endif
1043 l->head = NULL;
1044 l->tail = NULL;
1045 l->count = 0;
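Review bot: `CHECK_LIST_CANARY` and `CHECK_LISTELEMENT_CANARY` expand to a bare `if (...) { ... }` and are invoked without a trailing semicolon, so a call placed in an unbraced `if` that has an `else` would capture that `else`. Wrapping each body in `do { ... } while (0)` and calling it as `CHECK_LIST_CANARY(l);` removes the hazard. Both macros are also defined outside the `#if HARDENED_PHP_LL_PROTECT` guard that every call site repeats; defining them as empty when the protection is off would let the call sites drop their own `#if` blocks. A comment above them such as `/* on mismatch: log through zend_security_log() and terminate with exit(1) */` would document the failure behaviour for readers of the call sites.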
1046@@ -37,6 +62,11 @@
1047 {
1048 zend_llist_element *tmp = pemalloc(sizeof(zend_llist_element)+l->size-1, l->persistent);
1049
1050+#if HARDENED_PHP_LL_PROTECT
1051+ TSRMLS_FETCH();
1052+ CHECK_LIST_CANARY(l)
1053+ tmp->canary = HG(canary_3);
1054+#endif
1055 tmp->prev = l->tail;
1056 tmp->next = NULL;
1057 if (l->tail) {
1058@@ -55,6 +85,11 @@
1059 {
1060 zend_llist_element *tmp = pemalloc(sizeof(zend_llist_element)+l->size-1, l->persistent);
1061
1062+#if HARDENED_PHP_LL_PROTECT
1063+ TSRMLS_FETCH();
1064+ CHECK_LIST_CANARY(l)
1065+ tmp->canary = HG(canary_3);
1066+#endif
1067 tmp->next = l->head;
1068 tmp->prev = NULL;
1069 if (l->head) {
1070@@ -91,10 +126,20 @@
1071 zend_llist_element *current=l->head;
1072 zend_llist_element *next;
1073
1074+#if HARDENED_PHP_LL_PROTECT
1075+ TSRMLS_FETCH();
1076+ CHECK_LIST_CANARY(l)
1077+#endif
1078 while (current) {
1079+#if HARDENED_PHP_LL_PROTECT
1080+ CHECK_LISTELEMENT_CANARY(current)
1081+#endif
1082 next = current->next;
1083 if (compare(current->data, element)) {
1084 DEL_LLIST_ELEMENT(current, l);
1085+#if HARDENED_PHP_LL_PROTECT
1086+ current->canary = 0;
1087+#endif
1088 break;
1089 }
1090 current = next;
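Review bot: `current->canary = 0;` runs after `DEL_LLIST_ELEMENT(current, l)`, and in stock zend_llist.c that macro ends by releasing the element with `pefree()`, so the store would land in freed memory. The macro's definition is outside this hunk and none of the visible hunks touch it, so this should be confirmed against the patched file. If it holds, clear the canary first: `current->canary = 0;` followed by `DEL_LLIST_ELEMENT(current, l);`. The hunk at `-170,11 +236,21` has the same order with `element->canary = 0;`. The enclosing function starts and ends outside the hunk.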
1091@@ -106,7 +151,14 @@
1092 {
1093 zend_llist_element *current=l->head, *next;
1094
1095+#if HARDENED_PHP_LL_PROTECT
1096+ TSRMLS_FETCH();
1097+ CHECK_LIST_CANARY(l)
1098+#endif
1099 while (current) {
1100+#if HARDENED_PHP_LL_PROTECT
1101+ CHECK_LISTELEMENT_CANARY(current)
1102+#endif
1103 next = current->next;
1104 if (l->dtor) {
1105 l->dtor(current->data);
1106@@ -131,7 +183,14 @@
1107 zend_llist_element *old_tail;
1108 void *data;
1109
1110+#if HARDENED_PHP_LL_PROTECT
1111+ TSRMLS_FETCH();
1112+ CHECK_LIST_CANARY(l)
1113+#endif
1114 if ((old_tail = l->tail)) {
1115+#if HARDENED_PHP_LL_PROTECT
1116+ CHECK_LISTELEMENT_CANARY(old_tail)
1117+#endif
1118 if (l->tail->prev) {
1119 l->tail->prev->next = NULL;
1120 }
1121@@ -157,9 +216,16 @@
1122 {
1123 zend_llist_element *ptr;
1124
1125+#if HARDENED_PHP_LL_PROTECT
1126+ TSRMLS_FETCH();
1127+ CHECK_LIST_CANARY(src)
1128+#endif
1129 zend_llist_init(dst, src->size, src->dtor, src->persistent);
1130 ptr = src->head;
1131 while (ptr) {
1132+#if HARDENED_PHP_LL_PROTECT
1133+ CHECK_LISTELEMENT_CANARY(ptr)
1134+#endif
1135 zend_llist_add_element(dst, ptr->data);
1136 ptr = ptr->next;
1137 }
1138@@ -170,11 +236,21 @@
1139 {
1140 zend_llist_element *element, *next;
1141
1142+#if HARDENED_PHP_LL_PROTECT
1143+ TSRMLS_FETCH();
1144+ CHECK_LIST_CANARY(l)
1145+#endif
1146 element=l->head;
1147 while (element) {
1148+#if HARDENED_PHP_LL_PROTECT
1149+ CHECK_LISTELEMENT_CANARY(element)
1150+#endif
1151 next = element->next;
1152 if (func(element->data)) {
1153 DEL_LLIST_ELEMENT(element, l);
1154+#if HARDENED_PHP_LL_PROTECT
1155+ element->canary = 0;
1156+#endif
1157 }
1158 element = next;
1159 }
1160@@ -185,7 +261,13 @@
1161 {
1162 zend_llist_element *element;
1163
1164+#if HARDENED_PHP_LL_PROTECT
1165+ CHECK_LIST_CANARY(l)
1166+#endif
1167 for (element=l->head; element; element=element->next) {
1168+#if HARDENED_PHP_LL_PROTECT
1169+ CHECK_LISTELEMENT_CANARY(element)
1170+#endif
1171 func(element->data TSRMLS_CC);
1172 }
1173 }
1174@@ -197,6 +279,9 @@
1175 zend_llist_element **elements;
1176 zend_llist_element *element, **ptr;
1177
1178+#if HARDENED_PHP_LL_PROTECT
1179+ CHECK_LIST_CANARY(l)
1180+#endif
1181 if (l->count <= 0) {
1182 return;
1183 }
1184@@ -206,6 +291,9 @@
1185 ptr = &elements[0];
1186
1187 for (element=l->head; element; element=element->next) {
1188+#if HARDENED_PHP_LL_PROTECT
1189+ CHECK_LISTELEMENT_CANARY(element)
1190+#endif
1191 *ptr++ = element;
1192 }
1193
1194@@ -228,7 +316,13 @@
1195 {
1196 zend_llist_element *element;
1197
1198+#if HARDENED_PHP_LL_PROTECT
1199+ CHECK_LIST_CANARY(l)
1200+#endif
1201 for (element=l->head; element; element=element->next) {
1202+#if HARDENED_PHP_LL_PROTECT
1203+ CHECK_LISTELEMENT_CANARY(element)
1204+#endif
1205 func(element->data, arg TSRMLS_CC);
1206 }
1207 }
1208@@ -239,8 +333,14 @@
1209 zend_llist_element *element;
1210 va_list args;
1211
1212+#if HARDENED_PHP_LL_PROTECT
1213+ CHECK_LIST_CANARY(l)
1214+#endif
1215 va_start(args, num_args);
1216 for (element=l->head; element; element=element->next) {
1217+#if HARDENED_PHP_LL_PROTECT
1218+ CHECK_LISTELEMENT_CANARY(element)
1219+#endif
1220 func(element->data, num_args, args TSRMLS_CC);
1221 }
1222 va_end(args);
1223@@ -249,6 +349,10 @@
1224
1225 ZEND_API int zend_llist_count(zend_llist *l)
1226 {
1227+#if HARDENED_PHP_LL_PROTECT
1228+ TSRMLS_FETCH();
1229+ CHECK_LIST_CANARY(l)
1230+#endif
1231 return l->count;
1232 }
1233
1234@@ -256,8 +360,15 @@
1235 {
1236 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
1237
1238+#if HARDENED_PHP_LL_PROTECT
1239+ TSRMLS_FETCH();
1240+ CHECK_LIST_CANARY(l)
1241+#endif
1242 *current = l->head;
1243 if (*current) {
1244+#if HARDENED_PHP_LL_PROTECT
1245+ CHECK_LISTELEMENT_CANARY(*current)
1246+#endif
1247 return (*current)->data;
1248 } else {
1249 return NULL;
1250@@ -269,8 +380,15 @@
1251 {
1252 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
1253
1254+#if HARDENED_PHP_LL_PROTECT
1255+ TSRMLS_FETCH();
1256+ CHECK_LIST_CANARY(l)
1257+#endif
1258 *current = l->tail;
1259 if (*current) {
1260+#if HARDENED_PHP_LL_PROTECT
1261+ CHECK_LISTELEMENT_CANARY(*current)
1262+#endif
1263 return (*current)->data;
1264 } else {
1265 return NULL;
1266@@ -282,9 +400,19 @@
1267 {
1268 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
1269
1270+#if HARDENED_PHP_LL_PROTECT
1271+ TSRMLS_FETCH();
1272+ CHECK_LIST_CANARY(l)
1273+#endif
1274 if (*current) {
1275+#if HARDENED_PHP_LL_PROTECT
1276+ CHECK_LISTELEMENT_CANARY(*current)
1277+#endif
1278 *current = (*current)->next;
1279 if (*current) {
1280+#if HARDENED_PHP_LL_PROTECT
1281+ CHECK_LISTELEMENT_CANARY(*current)
1282+#endif
1283 return (*current)->data;
1284 }
1285 }
1286@@ -296,9 +424,19 @@
1287 {
1288 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
1289
1290+#if HARDENED_PHP_LL_PROTECT
1291+ TSRMLS_FETCH();
1292+ CHECK_LIST_CANARY(l)
1293+#endif
1294 if (*current) {
1295+#if HARDENED_PHP_LL_PROTECT
1296+ CHECK_LISTELEMENT_CANARY(*current)
1297+#endif
1298 *current = (*current)->prev;
1299 if (*current) {
1300+#if HARDENED_PHP_LL_PROTECT
1301+ CHECK_LISTELEMENT_CANARY(*current)
1302+#endif
1303 return (*current)->data;
1304 }
1305 }
1306diff -Nur php-4.3.11/Zend/zend_llist.h hardened-php-4.3.11-0.2.7/Zend/zend_llist.h
1307--- php-4.3.11/Zend/zend_llist.h 2002-12-31 17:23:04.000000000 +0100
1308+++ hardened-php-4.3.11-0.2.7/Zend/zend_llist.h 2005-04-07 02:08:26.000000000 +0200
1309@@ -24,6 +24,9 @@
1310 #include <stdlib.h>
1311
1312 typedef struct _zend_llist_element {
1313+#if HARDENED_PHP_LL_PROTECT
1314+ unsigned int canary;
1315+#endif
1316 struct _zend_llist_element *next;
1317 struct _zend_llist_element *prev;
1318 char data[1]; /* Needs to always be last in the struct */
1319@@ -36,6 +39,9 @@
1320 typedef void (*llist_apply_func_t)(void * TSRMLS_DC);
1321
1322 typedef struct _zend_llist {
1323+#if HARDENED_PHP_LL_PROTECT
1324+ unsigned int canary_h; /* head */
1325+#endif
1326 zend_llist_element *head;
1327 zend_llist_element *tail;
1328 size_t size;
1329@@ -43,6 +49,9 @@
1330 llist_dtor_func_t dtor;
1331 unsigned char persistent;
1332 zend_llist_element *traverse_ptr;
1333+#if HARDENED_PHP_LL_PROTECT
1334+ unsigned int canary_t; /* tail */
1335+#endif
1336 } zend_llist;
1337
1338 typedef zend_llist_element* zend_llist_position;
1339diff -Nur php-4.3.11/Zend/zend_modules.h hardened-php-4.3.11-0.2.7/Zend/zend_modules.h
1340--- php-4.3.11/Zend/zend_modules.h 2002-12-31 17:23:04.000000000 +0100
1341+++ hardened-php-4.3.11-0.2.7/Zend/zend_modules.h 2005-04-07 02:08:26.000000000 +0200
1342@@ -34,7 +34,7 @@
1343 ZEND_API extern unsigned char second_arg_force_ref[];
1344 ZEND_API extern unsigned char third_arg_force_ref[];
1345
1346-#define ZEND_MODULE_API_NO 20020429
1347+#define ZEND_MODULE_API_NO 1020041222
1348 #ifdef ZTS
1349 #define USING_ZTS 1
1350 #else
1351diff -Nur php-4.3.11/acinclude.m4 hardened-php-4.3.11-0.2.7/acinclude.m4
1352--- php-4.3.11/acinclude.m4 2005-01-25 14:03:06.000000000 +0100
1353+++ hardened-php-4.3.11-0.2.7/acinclude.m4 2005-04-07 02:08:26.000000000 +0200
1354@@ -1173,6 +1173,36 @@
1355 fi
1356 ])
1357
1358+dnl
1359+dnl Check for broken realpath()
1360+dnl
1361+dnl realpath("/etc/hosts/../passwd",XXX) should not return
1362+dnl "/etc/passwd"
1363+dnl
1364+AC_DEFUN([PHP_AC_BROKEN_REALPATH],[
1365+ AC_CACHE_CHECK(whether realpath is broken, ac_cv_broken_realpath,[
1366+ AC_TRY_RUN([
1367+main() {
1368+ char buf[4096+1];
1369+ buf[0] = 0;
1370+ realpath("/etc/hosts/../passwd", buf);
1371+ exit(strcmp(buf, "/etc/passwd")==0);
1372+}
1373+ ],[
1374+ ac_cv_broken_realpath=no
1375+ ],[
1376+ ac_cv_broken_realpath=yes
1377+ ],[
1378+ ac_cv_broken_realpath=no
1379+ ])
1380+ ])
1381+ if test "$ac_cv_broken_realpath" = "yes"; then
1382+ AC_DEFINE(PHP_BROKEN_REALPATH, 1, [Whether realpath is broken])
1383+ else
1384+ AC_DEFINE(PHP_BROKEN_REALPATH, 0, [Whether realpath is broken])
1385+ fi
1386+])
1387+
1388 dnl PHP_SHARED_MODULE(module-name, object-var, build-dir, cxx)
1389 dnl
1390 dnl Basically sets up the link-stage for building module-name
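Review bot: The cross-compiling argument of `AC_TRY_RUN` sets `ac_cv_broken_realpath=no`, so a cross-built PHP treats realpath() as sound without ever testing it. For a security probe the untested case should fail closed with `ac_cv_broken_realpath=yes`, assuming the `PHP_BROKEN_REALPATH` code path also behaves correctly where realpath() works. The probe only means something if `/etc/hosts` exists as a regular file on the build host, and its result is fixed at build time for whatever host later runs the binary; a `dnl` line saying so would help packagers. The test program uses `realpath`, `strcmp` and `exit` with no headers and an untyped `main()`; adding `#include <stdlib.h>`, `#include <string.h>` and `int main(void)` keeps it compiling on stricter compilers.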
1391diff -Nur php-4.3.11/configure hardened-php-4.3.11-0.2.7/configure
1392--- php-4.3.11/configure 2005-03-30 16:35:34.000000000 +0200
1393+++ hardened-php-4.3.11-0.2.7/configure 2005-04-07 02:08:26.000000000 +0200
1394@@ -394,6 +394,16 @@
1395 ac_default_prefix=/usr/local
1396 # Any additions from configure.in:
1397 ac_help="$ac_help
1398+ --disable-hardened-php-mm-protect Disable the Memory Manager protection."
1399+ac_help="$ac_help
1400+ --disable-hardened-php-ll-protect Disable the Linked List protection."
1401+ac_help="$ac_help
1402+ --disable-hardened-php-inc-protect Disable include/require protection."
1403+ac_help="$ac_help
1404+ --disable-hardened-php-fmt-protect Disable format string protection."
1405+ac_help="$ac_help
1406+ --disable-hardened-php-hash-protect Disable Zend HashTable DTOR protection."
1407+ac_help="$ac_help
1408
1409 SAPI modules:
1410 "
1411@@ -846,6 +856,8 @@
1412 ac_help="$ac_help
1413 --disable-tokenizer Disable tokenizer support"
1414 ac_help="$ac_help
1415+ --disable-varfilter Disable Hardened-PHP's variable filter"
1416+ac_help="$ac_help
1417 --enable-wddx Enable WDDX support."
1418 ac_help="$ac_help
1419 --disable-xml Disable XML support using bundled expat lib"
1420@@ -2669,6 +2681,157 @@
1421
1422
1423
1424+# Check whether --enable-hardened-php-mm-protect or --disable-hardened-php-mm-protect was given.
1425+if test "${enable_hardened_php_mm_protect+set}" = set; then
1426+ enableval="$enable_hardened_php_mm_protect"
1427+
1428+ DO_HARDENED_PHP_MM_PROTECT=$enableval
1429+
1430+else
1431+
1432+ DO_HARDENED_PHP_MM_PROTECT=yes
1433+
1434+fi
1435+
1436+
1437+# Check whether --enable-hardened-php-ll-protect or --disable-hardened-php-ll-protect was given.
1438+if test "${enable_hardened_php_ll_protect+set}" = set; then
1439+ enableval="$enable_hardened_php_ll_protect"
1440+
1441+ DO_HARDENED_PHP_LL_PROTECT=$enableval
1442+
1443+else
1444+
1445+ DO_HARDENED_PHP_LL_PROTECT=yes
1446+
1447+fi
1448+
1449+
1450+# Check whether --enable-hardened-php-inc-protect or --disable-hardened-php-inc-protect was given.
1451+if test "${enable_hardened_php_inc_protect+set}" = set; then
1452+ enableval="$enable_hardened_php_inc_protect"
1453+
1454+ DO_HARDENED_PHP_INC_PROTECT=$enableval
1455+
1456+else
1457+
1458+ DO_HARDENED_PHP_INC_PROTECT=yes
1459+
1460+fi
1461+
1462+
1463+# Check whether --enable-hardened-php-fmt-protect or --disable-hardened-php-fmt-protect was given.
1464+if test "${enable_hardened_php_fmt_protect+set}" = set; then
1465+ enableval="$enable_hardened_php_fmt_protect"
1466+
1467+ DO_HARDENED_PHP_FMT_PROTECT=$enableval
1468+
1469+else
1470+
1471+ DO_HARDENED_PHP_FMT_PROTECT=yes
1472+
1473+fi
1474+
1475+
1476+# Check whether --enable-hardened-php-hash-protect or --disable-hardened-php-hash-protect was given.
1477+if test "${enable_hardened_php_hash_protect+set}" = set; then
1478+ enableval="$enable_hardened_php_hash_protect"
1479+
1480+ DO_HARDENED_PHP_HASH_PROTECT=$enableval
1481+
1482+else
1483+
1484+ DO_HARDENED_PHP_HASH_PROTECT=yes
1485+
1486+fi
1487+
1488+
1489+echo $ac_n "checking whether to protect the Zend Memory Manager""... $ac_c" 1>&6
1490+echo "configure:2725: checking whether to protect the Zend Memory Manager" >&5
1491+echo "$ac_t""$DO_HARDENED_PHP_MM_PROTECT" 1>&6
1492+
1493+echo $ac_n "checking whether to protect the Zend Linked Lists""... $ac_c" 1>&6
1494+echo "configure:2729: checking whether to protect the Zend Linked Lists" >&5
1495+echo "$ac_t""$DO_HARDENED_PHP_LL_PROTECT" 1>&6
1496+
1497+echo $ac_n "checking whether to protect include/require statements""... $ac_c" 1>&6
1498+echo "configure:2733: checking whether to protect include/require statements" >&5
1499+echo "$ac_t""$DO_HARDENED_PHP_INC_PROTECT" 1>&6
1500+
1501+echo $ac_n "checking whether to protect PHP Format String functions""... $ac_c" 1>&6
1502+echo "configure:2737: checking whether to protect PHP Format String functions" >&5
1503+echo "$ac_t""$DO_HARDENED_PHP_FMT_PROTECT" 1>&6
1504+
1505+echo $ac_n "checking whether to protect the Zend HashTable Destructors""... $ac_c" 1>&6
1506+echo "configure:2737: checking whether to protect the Zend HashTable Destructors" >&5
1507+echo "$ac_t""$DO_HARDENED_PHP_HASH_PROTECT" 1>&6
1508+
1509+
1510+cat >> confdefs.h <<\EOF
1511+#define HARDENED_PHP 1
1512+EOF
1513+
1514+
1515+
1516+if test "$DO_HARDENED_PHP_MM_PROTECT" = "yes"; then
1517+ cat >> confdefs.h <<\EOF
1518+#define HARDENED_PHP_MM_PROTECT 1
1519+EOF
1520+
1521+else
1522+ cat >> confdefs.h <<\EOF
1523+#define HARDENED_PHP_MM_PROTECT 0
1524+EOF
1525+
1526+fi
1527+
1528+if test "$DO_HARDENED_PHP_LL_PROTECT" = "yes"; then
1529+ cat >> confdefs.h <<\EOF
1530+#define HARDENED_PHP_LL_PROTECT 1
1531+EOF
1532+
1533+else
1534+ cat >> confdefs.h <<\EOF
1535+#define HARDENED_PHP_LL_PROTECT 0
1536+EOF
1537+
1538+fi
1539+
1540+if test "$DO_HARDENED_PHP_INC_PROTECT" = "yes"; then
1541+ cat >> confdefs.h <<\EOF
1542+#define HARDENED_PHP_INC_PROTECT 1
1543+EOF
1544+
1545+else
1546+ cat >> confdefs.h <<\EOF
1547+#define HARDENED_PHP_INC_PROTECT 0
1548+EOF
1549+
1550+fi
1551+
1552+if test "$DO_HARDENED_PHP_FMT_PROTECT" = "yes"; then
1553+ cat >> confdefs.h <<\EOF
1554+#define HARDENED_PHP_FMT_PROTECT 1
1555+EOF
1556+
1557+else
1558+ cat >> confdefs.h <<\EOF
1559+#define HARDENED_PHP_FMT_PROTECT 0
1560+EOF
1561+
1562+fi
1563+
1564+if test "$DO_HARDENED_PHP_HASH_PROTECT" = "yes"; then
1565+ cat >> confdefs.h <<\EOF
1566+#define HARDENED_PHP_HASH_PROTECT 1
1567+EOF
1568+
1569+else
1570+ cat >> confdefs.h <<\EOF
1571+#define HARDENED_PHP_HASH_PROTECT 0
1572+EOF
1573+
1574+fi
1575
1576
1577
1578@@ -15486,6 +15649,62 @@
1579 fi
1580
1581
1582+ echo $ac_n "checking whether realpath is broken""... $ac_c" 1>&6
1583+echo "configure:14928: checking whether realpath is broken" >&5
1584+if eval "test \"`echo '$''{'ac_cv_broken_realpath'+set}'`\" = set"; then
1585+ echo $ac_n "(cached) $ac_c" 1>&6
1586+else
1587+
1588+ if test "$cross_compiling" = yes; then
1589+
1590+ ac_cv_broken_realpath=no
1591+
1592+else
1593+ cat > conftest.$ac_ext <<EOF
1594+#line 14939 "configure"
1595+#include "confdefs.h"
1596+
1597+main() {
1598+ char buf[4096+1];
1599+ buf[0] = 0;
1600+ realpath("/etc/hosts/../passwd", buf);
1601+ exit(strcmp(buf, "/etc/passwd")==0);
1602+}
1603+
1604+EOF
1605+if { (eval echo configure:14958: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
1606+then
1607+
1608+ ac_cv_broken_realpath=no
1609+
1610+else
1611+ echo "configure: failed program was:" >&5
1612+ cat conftest.$ac_ext >&5
1613+ rm -fr conftest*
1614+
1615+ ac_cv_broken_realpath=yes
1616+
1617+fi
1618+rm -fr conftest*
1619+fi
1620+
1621+
1622+fi
1623+
1624+echo "$ac_t""$ac_cv_broken_realpath" 1>&6
1625+ if test "$ac_cv_broken_realpath" = "yes"; then
1626+ cat >> confdefs.h <<\EOF
1627+#define PHP_BROKEN_REALPATH 1
1628+EOF
1629+
1630+ else
1631+ cat >> confdefs.h <<\EOF
1632+#define PHP_BROKEN_REALPATH 0
1633+EOF
1634+
1635+ fi
1636+
1637+
1638 echo $ac_n "checking for declared timezone""... $ac_c" 1>&6
1639 echo "configure:15491: checking for declared timezone" >&5
1640 if eval "test \"`echo '$''{'ac_cv_declared_timezone'+set}'`\" = set"; then
1641@@ -85975,6 +86194,265 @@
1642 fi
1643
1644
1645+echo $ac_n "checking whether to enable Hardened-PHP's variable filter""... $ac_c" 1>&6
1646+echo "configure:82041: checking whether to enable Hardened-PHP's variable filter" >&5
1647+# Check whether --enable-varfilter or --disable-varfilter was given.
1648+if test "${enable_varfilter+set}" = set; then
1649+ enableval="$enable_varfilter"
1650+ PHP_VARFILTER=$enableval
1651+else
1652+
1653+ PHP_VARFILTER=yes
1654+
1655+ if test "$PHP_ENABLE_ALL" && test "yes" = "yes"; then
1656+ PHP_VARFILTER=$PHP_ENABLE_ALL
1657+ fi
1658+
1659+fi
1660+
1661+
1662+
1663+ext_output="yes, shared"
1664+ext_shared=yes
1665+case $PHP_VARFILTER in
1666+shared,*)
1667+ PHP_VARFILTER=`echo "$PHP_VARFILTER"|sed 's/^shared,//'`
1668+ ;;
1669+shared)
1670+ PHP_VARFILTER=yes
1671+ ;;
1672+no)
1673+ ext_output=no
1674+ ext_shared=no
1675+ ;;
1676+*)
1677+ ext_output=yes
1678+ ext_shared=no
1679+ ;;
1680+esac
1681+
1682+
1683+
1684+echo "$ac_t""$ext_output" 1>&6
1685+
1686+
1687+
1688+
1689+if test "$PHP_VARFILTER" != "no"; then
1690+ cat >> confdefs.h <<\EOF
1691+#define HAVE_VARFILTER 1
1692+EOF
1693+
1694+
1695+ ext_builddir=ext/varfilter
1696+ ext_srcdir=$abs_srcdir/ext/varfilter
1697+
1698+ ac_extra=
1699+
1700+ if test "$ext_shared" != "shared" && test "$ext_shared" != "yes" && test "" != "cli"; then
1701+
1702+
1703+
1704+ case ext/varfilter in
1705+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
1706+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
1707+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
1708+ esac
1709+
1710+
1711+
1712+ b_c_pre=$php_c_pre
1713+ b_cxx_pre=$php_cxx_pre
1714+ b_c_meta=$php_c_meta
1715+ b_cxx_meta=$php_cxx_meta
1716+ b_c_post=$php_c_post
1717+ b_cxx_post=$php_cxx_post
1718+ b_lo=$php_lo
1719+
1720+
1721+ old_IFS=$IFS
1722+ for ac_src in varfilter.c; do
1723+
1724+ IFS=.
1725+ set $ac_src
1726+ ac_obj=$1
1727+ IFS=$old_IFS
1728+
1729+ PHP_GLOBAL_OBJS="$PHP_GLOBAL_OBJS $ac_bdir$ac_obj.lo"
1730+
1731+ case $ac_src in
1732+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
1733+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
1734+ esac
1735+
1736+ cat >>Makefile.objects<<EOF
1737+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
1738+ $ac_comp
1739+EOF
1740+ done
1741+
1742+
1743+ EXT_STATIC="$EXT_STATIC varfilter"
1744+ if test "$ext_shared" != "nocli"; then
1745+ EXT_CLI_STATIC="$EXT_CLI_STATIC varfilter"
1746+ fi
1747+ else
1748+ if test "$ext_shared" = "shared" || test "$ext_shared" = "yes"; then
1749+
1750+ case ext/varfilter in
1751+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
1752+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
1753+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
1754+ esac
1755+
1756+
1757+
1758+ b_c_pre=$shared_c_pre
1759+ b_cxx_pre=$shared_cxx_pre
1760+ b_c_meta=$shared_c_meta
1761+ b_cxx_meta=$shared_cxx_meta
1762+ b_c_post=$shared_c_post
1763+ b_cxx_post=$shared_cxx_post
1764+ b_lo=$shared_lo
1765+
1766+
1767+ old_IFS=$IFS
1768+ for ac_src in varfilter.c; do
1769+
1770+ IFS=.
1771+ set $ac_src
1772+ ac_obj=$1
1773+ IFS=$old_IFS
1774+
1775+ shared_objects_varfilter="$shared_objects_varfilter $ac_bdir$ac_obj.lo"
1776+
1777+ case $ac_src in
1778+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
1779+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
1780+ esac
1781+
1782+ cat >>Makefile.objects<<EOF
1783+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
1784+ $ac_comp
1785+EOF
1786+ done
1787+
1788+
1789+ install_modules="install-modules"
1790+ PHP_MODULES="$PHP_MODULES \$(phplibdir)/varfilter.la"
1791+
1792+ PHP_VAR_SUBST="$PHP_VAR_SUBST shared_objects_varfilter"
1793+
1794+ cat >>Makefile.objects<<EOF
1795+\$(phplibdir)/varfilter.la: $ext_builddir/varfilter.la
1796+ \$(LIBTOOL) --mode=install cp $ext_builddir/varfilter.la \$(phplibdir)
1797+
1798+$ext_builddir/varfilter.la: \$(shared_objects_varfilter) \$(VARFILTER_SHARED_DEPENDENCIES)
1799+ \$(LIBTOOL) --mode=link \$(CC) \$(COMMON_FLAGS) \$(CFLAGS_CLEAN) \$(EXTRA_CFLAGS) \$(LDFLAGS) -o \$@ -export-dynamic -avoid-version -prefer-pic -module -rpath \$(phplibdir) \$(EXTRA_LDFLAGS) \$(shared_objects_varfilter) \$(VARFILTER_SHARED_LIBADD)
1800+
1801+EOF
1802+
1803+ cat >> confdefs.h <<EOF
1804+#define COMPILE_DL_VARFILTER 1
1805+EOF
1806+
1807+ fi
1808+ fi
1809+
1810+ if test "$ext_shared" != "shared" && test "$ext_shared" != "yes" && test "" = "cli"; then
1811+ if test "$PHP_SAPI" = "cgi"; then
1812+
1813+
1814+ case ext/varfilter in
1815+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
1816+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
1817+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
1818+ esac
1819+
1820+
1821+
1822+ b_c_pre=$php_c_pre
1823+ b_cxx_pre=$php_cxx_pre
1824+ b_c_meta=$php_c_meta
1825+ b_cxx_meta=$php_cxx_meta
1826+ b_c_post=$php_c_post
1827+ b_cxx_post=$php_cxx_post
1828+ b_lo=$php_lo
1829+
1830+
1831+ old_IFS=$IFS
1832+ for ac_src in varfilter.c; do
1833+
1834+ IFS=.
1835+ set $ac_src
1836+ ac_obj=$1
1837+ IFS=$old_IFS
1838+
1839+ PHP_GLOBAL_OBJS="$PHP_GLOBAL_OBJS $ac_bdir$ac_obj.lo"
1840+
1841+ case $ac_src in
1842+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
1843+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
1844+ esac
1845+
1846+ cat >>Makefile.objects<<EOF
1847+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
1848+ $ac_comp
1849+EOF
1850+ done
1851+
1852+
1853+ EXT_STATIC="$EXT_STATIC varfilter"
1854+ else
1855+
1856+
1857+ case ext/varfilter in
1858+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
1859+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
1860+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
1861+ esac
1862+
1863+
1864+
1865+ b_c_pre=$php_c_pre
1866+ b_cxx_pre=$php_cxx_pre
1867+ b_c_meta=$php_c_meta
1868+ b_cxx_meta=$php_cxx_meta
1869+ b_c_post=$php_c_post
1870+ b_cxx_post=$php_cxx_post
1871+ b_lo=$php_lo
1872+
1873+
1874+ old_IFS=$IFS
1875+ for ac_src in varfilter.c; do
1876+
1877+ IFS=.
1878+ set $ac_src
1879+ ac_obj=$1
1880+ IFS=$old_IFS
1881+
1882+ PHP_CLI_OBJS="$PHP_CLI_OBJS $ac_bdir$ac_obj.lo"
1883+
1884+ case $ac_src in
1885+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
1886+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
1887+ esac
1888+
1889+ cat >>Makefile.objects<<EOF
1890+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
1891+ $ac_comp
1892+EOF
1893+ done
1894+
1895+
1896+ fi
1897+ EXT_CLI_STATIC="$EXT_CLI_STATIC varfilter"
1898+ fi
1899+
1900+ BUILD_DIR="$BUILD_DIR $ext_builddir"
1901+
1902+
1903+fi
1904
1905
1906 echo $ac_n "checking whether to enable WDDX support""... $ac_c" 1>&6
1907@@ -98629,7 +99107,7 @@
1908 php_ini.c SAPI.c rfc1867.c php_content_types.c strlcpy.c \
1909 strlcat.c mergesort.c reentrancy.c php_variables.c php_ticks.c \
1910 streams.c network.c php_open_temporary_file.c php_logos.c \
1911- output.c memory_streams.c user_streams.c; do
1912+ output.c memory_streams.c user_streams.c hardened_php.c; do
1913
1914 IFS=.
1915 set $ac_src
1916@@ -98802,7 +99280,7 @@
1917 zend_opcode.c zend_operators.c zend_ptr_stack.c zend_stack.c \
1918 zend_variables.c zend.c zend_API.c zend_extensions.c zend_hash.c \
1919 zend_list.c zend_indent.c zend_builtin_functions.c zend_sprintf.c \
1920- zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c; do
1921+ zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c zend_canary.c; do
1922
1923 IFS=.
1924 set $ac_src
1925diff -Nur php-4.3.11/configure.in hardened-php-4.3.11-0.2.7/configure.in
1926--- php-4.3.11/configure.in 2005-03-30 16:18:36.000000000 +0200
1927+++ hardened-php-4.3.11-0.2.7/configure.in 2005-04-07 02:08:26.000000000 +0200
1928@@ -227,7 +227,7 @@
1929 sinclude(Zend/acinclude.m4)
1930 sinclude(Zend/Zend.m4)
1931 sinclude(TSRM/tsrm.m4)
1932-
1933+sinclude(main/hardened_php.m4)
1934
1935
1936 divert(2)
1937@@ -595,6 +595,7 @@
1938 AC_FUNC_ALLOCA
1939 dnl PHP_AC_BROKEN_SPRINTF
1940 dnl PHP_AC_BROKEN_SNPRINTF
1941+PHP_AC_BROKEN_REALPATH
1942 PHP_DECLARED_TIMEZONE
1943 PHP_TIME_R_TYPE
1944 PHP_READDIR_R_TYPE
1945@@ -1224,7 +1225,7 @@
1946 php_ini.c SAPI.c rfc1867.c php_content_types.c strlcpy.c \
1947 strlcat.c mergesort.c reentrancy.c php_variables.c php_ticks.c \
1948 streams.c network.c php_open_temporary_file.c php_logos.c \
1949- output.c memory_streams.c user_streams.c)
1950+ output.c memory_streams.c user_streams.c hardened_php.c)
1951 PHP_ADD_SOURCES(/main, internal_functions.c,, sapi)
1952 PHP_ADD_SOURCES(/main, internal_functions_cli.c,, cli)
1953
1954@@ -1237,7 +1238,7 @@
1955 zend_opcode.c zend_operators.c zend_ptr_stack.c zend_stack.c \
1956 zend_variables.c zend.c zend_API.c zend_extensions.c zend_hash.c \
1957 zend_list.c zend_indent.c zend_builtin_functions.c zend_sprintf.c \
1958- zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c)
1959+ zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c zend_canary.c )
1960
1961 if test -r "$abs_srcdir/Zend/zend_objects.c"; then
1962 PHP_ADD_SOURCES(Zend, zend_objects.c zend_object_handlers.c zend_objects_API.c zend_mm.c)
1963diff -Nur php-4.3.11/ext/mbstring/mbstring.c hardened-php-4.3.11-0.2.7/ext/mbstring/mbstring.c
1964--- php-4.3.11/ext/mbstring/mbstring.c 2005-02-21 09:03:47.000000000 +0100
1965+++ hardened-php-4.3.11-0.2.7/ext/mbstring/mbstring.c 2005-04-07 02:08:26.000000000 +0200
1966@@ -1487,6 +1487,7 @@
1967 char *strtok_buf = NULL, **val_list;
1968 zval *array_ptr = (zval *) arg;
1969 int n, num, val_len, *len_list;
1970+ unsigned int new_val_len;
1971 enum mbfl_no_encoding from_encoding;
1972 mbfl_string string, resvar, resval;
1973 mbfl_encoding_detector *identd = NULL;
1974@@ -1609,8 +1610,14 @@
1975 val_len = len_list[n];
1976 }
1977 n++;
1978- /* add variable to symbol table */
1979- php_register_variable_safe(var, val, val_len, array_ptr TSRMLS_CC);
1980+ /* we need val to be emalloc()ed */
1981+ val = estrndup(val, val_len);
1982+ if (sapi_module.input_filter(info->data_type, var, &val, val_len, &new_val_len TSRMLS_CC)) {
1983+ /* add variable to symbol table */
1984+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
1985+ }
1986+ efree(val);
1987+
1988 if (convd != NULL){
1989 mbfl_string_clear(&resvar);
1990 mbfl_string_clear(&resval);
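Review bot: `sapi_module.input_filter` is called through the function pointer with no NULL check, so this path relies on every SAPI having set it, or on a default installed elsewhere in the patch that is not visible here. An explicit check before the call, or a comment naming where the default filter is registered, would make that dependency clear. The ownership rule also deserves a comment above the `estrndup()` line, for example `/* input_filter may replace *val; it must be emalloc()ed and is freed below whether or not the variable is registered */`. The enclosing function starts and ends outside the hunk.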
1991diff -Nur php-4.3.11/ext/standard/array.c hardened-php-4.3.11-0.2.7/ext/standard/array.c
1992--- php-4.3.11/ext/standard/array.c 2004-12-23 17:40:03.000000000 +0100
1993+++ hardened-php-4.3.11-0.2.7/ext/standard/array.c 2005-04-07 02:08:26.000000000 +0200
1994@@ -1153,6 +1153,31 @@
1995 }
1996 }
1997 }
1998+
1999+ if (var_name[0] == 'H') {
2000+ if ((strcmp(var_name, "HTTP_GET_VARS")==0)||
2001+ (strcmp(var_name, "HTTP_POST_VARS")==0)||
2002+ (strcmp(var_name, "HTTP_POST_FILES")==0)||
2003+ (strcmp(var_name, "HTTP_ENV_VARS")==0)||
2004+ (strcmp(var_name, "HTTP_SERVER_VARS")==0)||
2005+ (strcmp(var_name, "HTTP_SESSION_VARS")==0)||
2006+ (strcmp(var_name, "HTTP_COOKIE_VARS")==0)) {
2007+ return 0;
2008+ }
2009+ } else if (var_name[0] == '_') {
2010+ if ((strcmp(var_name, "_COOKIE")==0)||
2011+ (strcmp(var_name, "_ENV")==0)||
2012+ (strcmp(var_name, "_FILES")==0)||
2013+ (strcmp(var_name, "_GET")==0)||
2014+ (strcmp(var_name, "_POST")==0)||
2015+ (strcmp(var_name, "_REQUEST")==0)||
2016+ (strcmp(var_name, "_SESSION")==0)||
2017+ (strcmp(var_name, "_SERVER")==0)) {
2018+ return 0;
2019+ }
2020+ } else if (strcmp(var_name, "GLOBALS")==0) {
2021+ return 0;
2022+ }
2023
2024 return 1;
2025 }
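Review bot: The superglobal blocklist added here is repeated name for name on `new_key` in the ext/standard/basic_functions.c hunk at `-3020,6 +3020,34`, so a name added to one copy can be missed in the other. I would move the list into one shared helper that takes the candidate name and reports whether it is protected, and call it from both places. A comment above the list should say that the match is exact and case-sensitive, for example `/* never let user input create or overwrite the request arrays or GLOBALS */`. The enclosing function starts outside the hunk, so the meaning of the `return 0` (presumably "name rejected") should be confirmed against its callers.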
2026diff -Nur php-4.3.11/ext/standard/basic_functions.c hardened-php-4.3.11-0.2.7/ext/standard/basic_functions.c
2027--- php-4.3.11/ext/standard/basic_functions.c 2005-01-18 12:01:20.000000000 +0100
2028+++ hardened-php-4.3.11-0.2.7/ext/standard/basic_functions.c 2005-04-07 02:08:26.000000000 +0200
2029@@ -687,7 +687,7 @@
2030 PHP_FALIAS(socket_get_status, stream_get_meta_data, NULL)
2031
2032 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
2033- PHP_FE(realpath, NULL)
2034+ PHP_STATIC_FE("realpath", zif_real_path, NULL)
2035 #endif
2036
2037 #ifdef HAVE_FNMATCH
2038@@ -3020,6 +3020,34 @@
2039 memcpy(new_key, prefix, prefix_len);
2040 memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
2041
2042+ if (new_key[0] == 'H') {
2043+ if ((strcmp(new_key, "HTTP_GET_VARS")==0)||
2044+ (strcmp(new_key, "HTTP_POST_VARS")==0)||
2045+ (strcmp(new_key, "HTTP_POST_FILES")==0)||
2046+ (strcmp(new_key, "HTTP_ENV_VARS")==0)||
2047+ (strcmp(new_key, "HTTP_SERVER_VARS")==0)||
2048+ (strcmp(new_key, "HTTP_SESSION_VARS")==0)||
2049+ (strcmp(new_key, "HTTP_COOKIE_VARS")==0)) {
2050+ efree(new_key);
2051+ return 0;
2052+ }
2053+ } else if (new_key[0] == '_') {
2054+ if ((strcmp(new_key, "_COOKIE")==0)||
2055+ (strcmp(new_key, "_ENV")==0)||
2056+ (strcmp(new_key, "_FILES")==0)||
2057+ (strcmp(new_key, "_GET")==0)||
2058+ (strcmp(new_key, "_POST")==0)||
2059+ (strcmp(new_key, "_REQUEST")==0)||
2060+ (strcmp(new_key, "_SESSION")==0)||
2061+ (strcmp(new_key, "_SERVER")==0)) {
2062+ efree(new_key);
2063+ return 0;
2064+ }
2065+ } else if (strcmp(new_key, "GLOBALS")==0) {
2066+ efree(new_key);
2067+ return 0;
2068+ }
2069+
2070 zend_hash_del(&EG(symbol_table), new_key, new_key_len);
2071 ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0);
2072
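Review bot: The list of protected names added here appears to repeat the one in the check that ends just above this file's section of the patch, so the two copies can drift apart when a name is added to only one of them. Moving the comparison into a single shared helper that both places call would keep them in sync. The rejection is also silent. If `php_security_log()` is reachable from this file, a call such as `php_security_log("tried to overwrite a protected variable");` before each `efree(new_key);` would make the attempt visible, in line with the other filters in this patch. The enclosing function starts and ends outside the hunk.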
2073diff -Nur php-4.3.11/ext/standard/file.c hardened-php-4.3.11-0.2.7/ext/standard/file.c
2074--- php-4.3.11/ext/standard/file.c 2005-03-27 17:53:59.000000000 +0200
2075+++ hardened-php-4.3.11-0.2.7/ext/standard/file.c 2005-04-07 02:08:26.000000000 +0200
2076@@ -2469,7 +2469,7 @@
2077 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
2078 /* {{{ proto string realpath(string path)
2079 Return the resolved path */
2080-PHP_FUNCTION(realpath)
2081+PHP_FUNCTION(real_path)
2082 {
2083 zval **path;
2084 char resolved_path_buff[MAXPATHLEN];
2085diff -Nur php-4.3.11/ext/standard/file.h hardened-php-4.3.11-0.2.7/ext/standard/file.h
2086--- php-4.3.11/ext/standard/file.h 2004-06-21 21:33:47.000000000 +0200
2087+++ hardened-php-4.3.11-0.2.7/ext/standard/file.h 2005-04-07 02:08:26.000000000 +0200
2088@@ -64,7 +64,7 @@
2089 PHP_FUNCTION(fd_set);
2090 PHP_FUNCTION(fd_isset);
2091 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
2092-PHP_FUNCTION(realpath);
2093+PHP_FUNCTION(real_path);
2094 #endif
2095 #ifdef HAVE_FNMATCH
2096 PHP_FUNCTION(fnmatch);
2097diff -Nur php-4.3.11/ext/standard/info.c hardened-php-4.3.11-0.2.7/ext/standard/info.c
2098--- php-4.3.11/ext/standard/info.c 2004-06-09 17:10:19.000000000 +0200
2099+++ hardened-php-4.3.11-0.2.7/ext/standard/info.c 2005-04-07 02:08:26.000000000 +0200
2100@@ -397,7 +397,7 @@
2101
2102 if (flag & PHP_INFO_GENERAL) {
2103 char *zend_version = get_zend_version();
2104- char temp_api[9];
2105+ char temp_api[11];
2106
2107 php_uname = php_get_uname('a');
2108
2109@@ -417,11 +417,22 @@
2110 }
2111 }
2112
2113+#if HARDENED_PHP
2114+ if (!sapi_module.phpinfo_as_text) {
2115+ php_printf("<h1 class=\"p\">Hardened-PHP Version %s/%s</h1>\n", PHP_VERSION, HARDENED_PHP_VERSION);
2116+ } else {
2117+ char temp_ver[40];
2118+
2119+ snprintf(temp_ver, sizeof(temp_ver), "%s/%s", PHP_VERSION, HARDENED_PHP_VERSION);
2120+ php_info_print_table_row(2, "Hardened-PHP Version", temp_ver);
2121+ }
2122+#else
2123 if (!sapi_module.phpinfo_as_text) {
2124 php_printf("<h1 class=\"p\">PHP Version %s</h1>\n", PHP_VERSION);
2125 } else {
2126 php_info_print_table_row(2, "PHP Version", PHP_VERSION);
2127 }
2128+#endif
2129 php_info_print_box_end();
2130 php_info_print_table_start();
2131 php_info_print_table_row(2, "System", php_uname );
2132diff -Nur php-4.3.11/ext/varfilter/CREDITS hardened-php-4.3.11-0.2.7/ext/varfilter/CREDITS
2133--- php-4.3.11/ext/varfilter/CREDITS 1970-01-01 01:00:00.000000000 +0100
2134+++ hardened-php-4.3.11-0.2.7/ext/varfilter/CREDITS 2005-04-07 02:08:26.000000000 +0200
2135@@ -0,0 +1,2 @@
2136+varfilter
2137+Stefan Esser
2138\ No newline at end of file
2139diff -Nur php-4.3.11/ext/varfilter/config.m4 hardened-php-4.3.11-0.2.7/ext/varfilter/config.m4
2140--- php-4.3.11/ext/varfilter/config.m4 1970-01-01 01:00:00.000000000 +0100
2141+++ hardened-php-4.3.11-0.2.7/ext/varfilter/config.m4 2005-04-07 02:08:26.000000000 +0200
2142@@ -0,0 +1,11 @@
2143+dnl
2144+dnl $Id: config.m4,v 1.1 2004/11/14 13:27:16 ionic Exp $
2145+dnl
2146+
2147+PHP_ARG_ENABLE(varfilter, whether to enable Hardened-PHP's variable filter,
2148+[ --disable-varfilter Disable Hardened-PHP's variable filter], yes)
2149+
2150+if test "$PHP_VARFILTER" != "no"; then
2151+ AC_DEFINE(HAVE_VARFILTER, 1, [ ])
2152+ PHP_NEW_EXTENSION(varfilter, varfilter.c, $ext_shared)
2153+fi
2154diff -Nur php-4.3.11/ext/varfilter/php_varfilter.h hardened-php-4.3.11-0.2.7/ext/varfilter/php_varfilter.h
2155--- php-4.3.11/ext/varfilter/php_varfilter.h 1970-01-01 01:00:00.000000000 +0100
2156+++ hardened-php-4.3.11-0.2.7/ext/varfilter/php_varfilter.h 2005-04-07 02:08:26.000000000 +0200
2157@@ -0,0 +1,72 @@
2158+/*
2159+ +----------------------------------------------------------------------+
2160+ | PHP Version 4 |
2161+ +----------------------------------------------------------------------+
2162+ | Copyright (c) 1997-2003 The PHP Group |
2163+ +----------------------------------------------------------------------+
2164+ | This source file is subject to version 2.02 of the PHP license, |
2165+ | that is bundled with this package in the file LICENSE, and is |
2166+ | available at through the world-wide-web at |
2167+ | http://www.php.net/license/2_02.txt. |
2168+ | If you did not receive a copy of the PHP license and are unable to |
2169+ | obtain it through the world-wide-web, please send a note to |
2170+ | license@php.net so we can mail you a copy immediately. |
2171+ +----------------------------------------------------------------------+
2172+ | Author: Stefan Esser |
2173+ +----------------------------------------------------------------------+
2174+
2175+ $Id: php_varfilter.h,v 1.1 2004/11/14 13:27:16 ionic Exp $
2176+*/
2177+
2178+#ifndef PHP_VARFILTER_H
2179+#define PHP_VARFILTER_H
2180+
2181+extern zend_module_entry varfilter_module_entry;
2182+#define phpext_varfilter_ptr &varfilter_module_entry
2183+
2184+#ifdef PHP_WIN32
2185+#define PHP_VARFILTER_API __declspec(dllexport)
2186+#else
2187+#define PHP_VARFILTER_API
2188+#endif
2189+
2190+#ifdef ZTS
2191+#include "TSRM.h"
2192+#endif
2193+
2194+#include "SAPI.h"
2195+
2196+PHP_MINIT_FUNCTION(varfilter);
2197+PHP_MSHUTDOWN_FUNCTION(varfilter);
2198+PHP_RINIT_FUNCTION(varfilter);
2199+PHP_RSHUTDOWN_FUNCTION(varfilter);
2200+PHP_MINFO_FUNCTION(varfilter);
2201+
2202+
2203+ZEND_BEGIN_MODULE_GLOBALS(varfilter)
2204+ long max_request_variables;
2205+ long cur_request_variables;
2206+ long max_varname_length;
2207+ long max_value_length;
2208+ long max_array_depth;
2209+ZEND_END_MODULE_GLOBALS(varfilter)
2210+
2211+
2212+#ifdef ZTS
2213+#define VARFILTER_G(v) TSRMG(varfilter_globals_id, zend_varfilter_globals *, v)
2214+#else
2215+#define VARFILTER_G(v) (varfilter_globals.v)
2216+#endif
2217+
2218+SAPI_INPUT_FILTER_FUNC(varfilter_input_filter);
2219+
2220+#endif /* PHP_VARFILTER_H */
2221+
2222+
2223+/*
2224+ * Local variables:
2225+ * tab-width: 4
2226+ * c-basic-offset: 4
2227+ * indent-tabs-mode: t
2228+ * End:
2229+ */
2230diff -Nur php-4.3.11/ext/varfilter/varfilter.c hardened-php-4.3.11-0.2.7/ext/varfilter/varfilter.c
2231--- php-4.3.11/ext/varfilter/varfilter.c 1970-01-01 01:00:00.000000000 +0100
2232+++ hardened-php-4.3.11-0.2.7/ext/varfilter/varfilter.c 2005-04-07 02:08:26.000000000 +0200
2233@@ -0,0 +1,196 @@
2234+/*
2235+ +----------------------------------------------------------------------+
2236+ | PHP Version 4 |
2237+ +----------------------------------------------------------------------+
2238+ | Copyright (c) 1997-2003 The PHP Group |
2239+ +----------------------------------------------------------------------+
2240+ | This source file is subject to version 2.02 of the PHP license, |
2241+ | that is bundled with this package in the file LICENSE, and is |
2242+ | available at through the world-wide-web at |
2243+ | http://www.php.net/license/2_02.txt. |
2244+ | If you did not receive a copy of the PHP license and are unable to |
2245+ | obtain it through the world-wide-web, please send a note to |
2246+ | license@php.net so we can mail you a copy immediately. |
2247+ +----------------------------------------------------------------------+
2248+ | Author: |
2249+ +----------------------------------------------------------------------+
2250+
2251+ $Id: varfilter.c,v 1.1 2004/11/14 13:27:16 ionic Exp $
2252+*/
2253+
2254+#ifdef HAVE_CONFIG_H
2255+#include "config.h"
2256+#endif
2257+
2258+#include "php.h"
2259+#include "php_ini.h"
2260+#include "ext/standard/info.h"
2261+#include "php_varfilter.h"
2262+#include "hardened_php.h"
2263+
2264+ZEND_DECLARE_MODULE_GLOBALS(varfilter)
2265+
2266+/* True global resources - no need for thread safety here */
2267+static int le_varfilter;
2268+
2269+/* {{{ varfilter_module_entry
2270+ */
2271+zend_module_entry varfilter_module_entry = {
2272+#if ZEND_MODULE_API_NO >= 20010901
2273+ STANDARD_MODULE_HEADER,
2274+#endif
2275+ "varfilter",
2276+ NULL,
2277+ PHP_MINIT(varfilter),
2278+ PHP_MSHUTDOWN(varfilter),
2279+ PHP_RINIT(varfilter), /* Replace with NULL if there's nothing to do at request start */
2280+ PHP_RSHUTDOWN(varfilter), /* Replace with NULL if there's nothing to do at request end */
2281+ PHP_MINFO(varfilter),
2282+#if ZEND_MODULE_API_NO >= 20010901
2283+ "0.2.0", /* Replace with version number for your extension */
2284+#endif
2285+ STANDARD_MODULE_PROPERTIES
2286+};
2287+/* }}} */
2288+
2289+#ifdef COMPILE_DL_VARFILTER
2290+ZEND_GET_MODULE(varfilter)
2291+#endif
2292+
2293+/* {{{ PHP_INI
2294+ */
2295+PHP_INI_BEGIN()
2296+ STD_PHP_INI_ENTRY("varfilter.max_request_variables", "200", PHP_INI_SYSTEM, OnUpdateInt, max_request_variables, zend_varfilter_globals, varfilter_globals)
2297+ STD_PHP_INI_ENTRY("varfilter.max_varname_length", "64", PHP_INI_SYSTEM, OnUpdateInt, max_varname_length, zend_varfilter_globals, varfilter_globals)
2298+ STD_PHP_INI_ENTRY("varfilter.max_value_length", "10000", PHP_INI_SYSTEM, OnUpdateInt, max_value_length, zend_varfilter_globals, varfilter_globals)
2299+ STD_PHP_INI_ENTRY("varfilter.max_array_depth", "100", PHP_INI_SYSTEM, OnUpdateInt, max_array_depth, zend_varfilter_globals, varfilter_globals)
2300+PHP_INI_END()
2301+/* }}} */
2302+
2303+/* {{{ php_varfilter_init_globals
2304+ */
2305+static void php_varfilter_init_globals(zend_varfilter_globals *varfilter_globals)
2306+{
2307+ varfilter_globals->max_request_variables = 200;
2308+ varfilter_globals->cur_request_variables = 0;
2309+ varfilter_globals->max_varname_length = 64;
2310+ varfilter_globals->max_value_length = 10000;
2311+ varfilter_globals->max_array_depth = 100;
2312+}
2313+/* }}} */
2314+
2315+/* {{{ PHP_MINIT_FUNCTION
2316+ */
2317+PHP_MINIT_FUNCTION(varfilter)
2318+{
2319+ ZEND_INIT_MODULE_GLOBALS(varfilter, php_varfilter_init_globals, NULL);
2320+ REGISTER_INI_ENTRIES();
2321+
2322+ sapi_register_input_filter(varfilter_input_filter);
2323+ return SUCCESS;
2324+}
2325+/* }}} */
2326+
2327+/* {{{ PHP_MSHUTDOWN_FUNCTION
2328+ */
2329+PHP_MSHUTDOWN_FUNCTION(varfilter)
2330+{
2331+ UNREGISTER_INI_ENTRIES();
2332+
2333+ return SUCCESS;
2334+}
2335+/* }}} */
2336+
2337+/* Remove if there's nothing to do at request start */
2338+/* {{{ PHP_RINIT_FUNCTION
2339+ */
2340+PHP_RINIT_FUNCTION(varfilter)
2341+{
2342+ VARFILTER_G(cur_request_variables) = 0;
2343+
2344+ return SUCCESS;
2345+}
2346+/* }}} */
2347+
2348+/* Remove if there's nothing to do at request end */
2349+/* {{{ PHP_RSHUTDOWN_FUNCTION
2350+ */
2351+PHP_RSHUTDOWN_FUNCTION(varfilter)
2352+{
2353+ return SUCCESS;
2354+}
2355+/* }}} */
2356+
2357+/* {{{ PHP_MINFO_FUNCTION
2358+ */
2359+PHP_MINFO_FUNCTION(varfilter)
2360+{
2361+ php_info_print_table_start();
2362+ php_info_print_table_header(2, "Hardened-PHP's variable filter support", "enabled");
2363+ php_info_print_table_end();
2364+
2365+ DISPLAY_INI_ENTRIES();
2366+}
2367+/* }}} */
2368+
2369+/* {{{ SAPI_INPUT_FILTER_FUNC
2370+ */
2371+SAPI_INPUT_FILTER_FUNC(varfilter_input_filter)
2372+{
2373+ char *index;
2374+ unsigned int var_len, depth = 0;
2375+
2376+ /* Drop this variable if the limit is reached */
2377+ if (VARFILTER_G(max_request_variables) == VARFILTER_G(cur_request_variables)) {
2378+ php_security_log("tried to register too many variables");
2379+ return 0;
2380+ }
2381+
2382+ /* Drop this variable if it exceeds the value length limit */
2383+ if (VARFILTER_G(max_value_length) < val_len) {
2384+ php_security_log("tried to register a variable with a too long value");
2385+ return 0;
2386+ }
2387+
2388+ /* Find length of variable name */
2389+ index = strchr(var, '[');
2390+ var_len = index ? index-var : strlen(var);
2391+
2392+ /* Drop this variable if it exceeds the varname length limit */
2393+ if (VARFILTER_G(max_varname_length) < var_len) {
2394+ php_security_log("tried to register a variable with a too long variable name");
2395+ return 0;
2396+ }
2397+
2398+ /* Find out array depth */
2399+ while (index) {
2400+ depth++;
2401+ index = strchr(index+1, '[');
2402+ }
2403+
2404+ /* Drop this variable if it exceeds the array depth limit */
2405+ if (VARFILTER_G(max_array_depth) < depth) {
2406+ php_security_log("tried to register a too deep array variable");
2407+ return 0;
2408+ }
2409+
2410+ /* Okay let PHP register this variable */
2411+ VARFILTER_G(cur_request_variables)++;
2412+
2413+ if (new_val_len) {
2414+ *new_val_len = val_len;
2415+ }
2416+
2417+ return 1;
2418+}
2419+/* }}} */
2420+
2421+
2422+/*
2423+ * Local variables:
2424+ * tab-width: 4
2425+ * c-basic-offset: 4
2426+ * End:
2427+ * vim600: noet sw=4 ts=4 fdm=marker
2428+ * vim<600: noet sw=4 ts=4
2429+ */
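Review bot: The limit checks in `varfilter_input_filter` compare `long` ini values against `unsigned int` lengths and use `==` for the variable count, so zero or negative settings behave inconsistently. With a negative `varfilter.max_request_variables` the equality never holds and the count is unbounded, and the `long < unsigned int` comparisons convert differently where `long` is 32 bits wide than where it is 64. Writing the first test as `if (VARFILTER_G(cur_request_variables) >= VARFILTER_G(max_request_variables)) {` and rejecting negative values when the ini entries are updated would make the limits fail closed. `var_len` stops at the first `[`, so `max_varname_length` bounds only the base name and not the index keys; a comment such as `/* only the part before the first '[' is measured */` would keep the setting from being over-trusted. `le_varfilter` is declared but never used in this file.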
2430diff -Nur php-4.3.11/main/SAPI.c hardened-php-4.3.11-0.2.7/main/SAPI.c
2431--- php-4.3.11/main/SAPI.c 2005-02-22 15:46:24.000000000 +0100
2432+++ hardened-php-4.3.11-0.2.7/main/SAPI.c 2005-04-07 02:08:26.000000000 +0200
2433@@ -831,6 +831,12 @@
2434 return SUCCESS;
2435 }
2436
2437+SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC))
2438+{
2439+ sapi_module.input_filter = input_filter;
2440+ return SUCCESS;
2441+}
2442+
2443
2444 SAPI_API int sapi_flush(TSRMLS_D)
2445 {
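Review bot: `sapi_register_input_filter` overwrites `sapi_module.input_filter` unconditionally, so only one filter can be active and whichever module registers last silently replaces the variable filter installed by `PHP_MINIT_FUNCTION(varfilter)`. A comment on the function such as `/* Only one input filter is supported; a later registration replaces the earlier one. */` would document that. If replacement is not intended, returning `FAILURE` when a filter is already set is worth considering.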
2446diff -Nur php-4.3.11/main/SAPI.h hardened-php-4.3.11-0.2.7/main/SAPI.h
2447--- php-4.3.11/main/SAPI.h 2003-04-09 22:27:55.000000000 +0200
2448+++ hardened-php-4.3.11-0.2.7/main/SAPI.h 2005-04-07 02:08:26.000000000 +0200
2449@@ -101,9 +101,14 @@
2450 char *current_user;
2451 int current_user_length;
2452
2453- /* this is necessary for CLI module */
2454- int argc;
2455- char **argv;
2456+ /* this is necessary for CLI module */
2457+ int argc;
2458+ char **argv;
2459+
2460+#if HARDENED_PHP
2461+ /* this is necessary for IP logging */
2462+ char ip_address[64];
2463+#endif
2464 } sapi_request_info;
2465
2466
2467@@ -177,6 +182,7 @@
2468 SAPI_API void sapi_unregister_post_entry(sapi_post_entry *post_entry);
2469 SAPI_API int sapi_register_default_post_reader(void (*default_post_reader)(TSRMLS_D));
2470 SAPI_API int sapi_register_treat_data(void (*treat_data)(int arg, char *str, zval *destArray TSRMLS_DC));
2471+SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC));
2472
2473 SAPI_API int sapi_flush(TSRMLS_D);
2474 SAPI_API struct stat *sapi_get_stat(TSRMLS_D);
2475@@ -238,8 +244,11 @@
2476 int (*get_target_uid)(uid_t * TSRMLS_DC);
2477 int (*get_target_gid)(gid_t * TSRMLS_DC);
2478
2479+ unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC);
2480+
2481 void (*ini_defaults)(HashTable *configuration_hash);
2482 int phpinfo_as_text;
2483+
2484 };
2485
2486
2487@@ -262,16 +271,23 @@
2488
2489 #define SAPI_DEFAULT_MIMETYPE "text/html"
2490 #define SAPI_DEFAULT_CHARSET ""
2491+
2492+#if HARDENED_PHP
2493+#define SAPI_PHP_VERSION_HEADER "X-Powered-By: Hardened-PHP/" PHP_VERSION
2494+#else
2495 #define SAPI_PHP_VERSION_HEADER "X-Powered-By: PHP/" PHP_VERSION
2496+#endif
2497
2498 #define SAPI_POST_READER_FUNC(post_reader) void post_reader(TSRMLS_D)
2499 #define SAPI_POST_HANDLER_FUNC(post_handler) void post_handler(char *content_type_dup, void *arg TSRMLS_DC)
2500
2501 #define SAPI_TREAT_DATA_FUNC(treat_data) void treat_data(int arg, char *str, zval* destArray TSRMLS_DC)
2502+#define SAPI_INPUT_FILTER_FUNC(input_filter) unsigned int input_filter(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC)
2503
2504 SAPI_API SAPI_POST_READER_FUNC(sapi_read_standard_form_data);
2505 SAPI_API SAPI_POST_READER_FUNC(php_default_post_reader);
2506 SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data);
2507+SAPI_API SAPI_INPUT_FILTER_FUNC(php_default_input_filter);
2508
2509 #define STANDARD_SAPI_MODULE_PROPERTIES
2510
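Review bot: The `HARDENED_PHP` branch of `SAPI_PHP_VERSION_HEADER` announces the hardened build to every client that receives the header, so a remote party can tell hardened and stock installations apart. If that is intended, a comment next to the define such as `/* sent only when expose_php is enabled; turn it off to avoid advertising the build */` would help operators. That the header depends on `expose_php` comes from stock PHP and is not shown in this hunk, so confirm it still holds in the patched tree.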
2511diff -Nur php-4.3.11/main/fopen_wrappers.c hardened-php-4.3.11-0.2.7/main/fopen_wrappers.c
2512--- php-4.3.11/main/fopen_wrappers.c 2005-02-03 00:44:07.000000000 +0100
2513+++ hardened-php-4.3.11-0.2.7/main/fopen_wrappers.c 2005-04-07 02:07:07.000000000 +0200
2514@@ -166,6 +166,21 @@
2515 char *pathbuf;
2516 char *ptr;
2517 char *end;
2518+ char path_copy[MAXPATHLEN];
2519+ int path_len;
2520+
2521+ /* Special case path ends with a trailing slash */
2522+ path_len = strlen(path);
2523+ if (path_len >= MAXPATHLEN) {
2524+ errno = EPERM; /* we deny permission to open it */
2525+ return -1;
2526+ }
2527+ if (path_len > 0 && path[path_len-1] == PHP_DIR_SEPARATOR) {
2528+ memcpy(path_copy, path, path_len+1);
2529+ while (path_len > 0 && path_copy[path_len-1] == PHP_DIR_SEPARATOR) path_len--;
2530+ path_copy[path_len] = '\0';
2531+ path = (const char *)&path_copy;
2532+ }
2533
2534 pathbuf = estrdup(PG(open_basedir));
2535
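Review bot: The trailing-separator loop strips every separator, so a path made up only of separators (the root directory) is reduced to an empty string before the basedir comparison runs; how the rest of the function treats an empty path is outside this hunk. Stopping at one character, `while (path_len > 1 && path_copy[path_len-1] == PHP_DIR_SEPARATOR) path_len--;`, keeps the root path intact. `path = (const char *)&path_copy;` takes the address of the whole array and only type-checks because of the cast; `path = path_copy;` is the direct form. `path_len` holds a `strlen()` result in an `int`, so declaring it `size_t` would avoid the narrowing.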
2536diff -Nur php-4.3.11/main/hardened_globals.h hardened-php-4.3.11-0.2.7/main/hardened_globals.h
2537--- php-4.3.11/main/hardened_globals.h 1970-01-01 01:00:00.000000000 +0100
2538+++ hardened-php-4.3.11-0.2.7/main/hardened_globals.h 2005-04-07 02:08:26.000000000 +0200
2539@@ -0,0 +1,54 @@
2540+/*
2541+ +----------------------------------------------------------------------+
2542+ | Hardened-PHP |
2543+ +----------------------------------------------------------------------+
2544+ | Copyright (c) 2004 Stefan Esser |
2545+ +----------------------------------------------------------------------+
2546+ | This source file is subject to version 2.02 of the PHP license, |
2547+ | that is bundled with this package in the file LICENSE, and is |
2548+ | available at through the world-wide-web at |
2549+ | http://www.php.net/license/2_02.txt. |
2550+ | If you did not receive a copy of the PHP license and are unable to |
2551+ | obtain it through the world-wide-web, please send a note to |
2552+ | license@php.net so we can mail you a copy immediately. |
2553+ +----------------------------------------------------------------------+
2554+ | Author: Stefan Esser <sesser@php.net> |
2555+ +----------------------------------------------------------------------+
2556+ */
2557+
2558+#ifndef HARDENED_GLOBALS_H
2559+#define HARDENED_GLOBALS_H
2560+
2561+typedef struct _hardened_globals hardened_globals_struct;
2562+
2563+#ifdef ZTS
2564+# define HG(v) TSRMG(hardened_globals_id, hardened_globals_struct *, v)
2565+extern int hardened_globals_id;
2566+#else
2567+# define HG(v) (hardened_globals.v)
2568+extern struct _hardened_globals hardened_globals;
2569+#endif
2570+
2571+
2572+struct _hardened_globals {
2573+#if HARDENED_PHP_MM_PROTECT
2574+ unsigned int canary_1;
2575+ unsigned int canary_2;
2576+#endif
2577+#if HARDENED_PHP_LL_PROTECT
2578+ unsigned int canary_3;
2579+ unsigned int canary_4;
2580+ unsigned int ll_canary_inited;
2581+#endif
2582+ unsigned int dummy;
2583+};
2584+
2585+
2586+#endif /* HARDENED_GLOBALS_H */
2587+
2588+/*
2589+ * Local variables:
2590+ * tab-width: 4
2591+ * c-basic-offset: 4
2592+ * End:
2593+ */
2594diff -Nur php-4.3.11/main/hardened_php.c hardened-php-4.3.11-0.2.7/main/hardened_php.c
2595--- php-4.3.11/main/hardened_php.c 1970-01-01 01:00:00.000000000 +0100
2596+++ hardened-php-4.3.11-0.2.7/main/hardened_php.c 2005-04-07 02:08:26.000000000 +0200
2597@@ -0,0 +1,205 @@
2598+/*
2599+ +----------------------------------------------------------------------+
2600+ | Hardened-PHP |
2601+ +----------------------------------------------------------------------+
2602+ | Copyright (c) 2004 Stefan Esser |
2603+ +----------------------------------------------------------------------+
2604+ | This source file is subject to version 2.02 of the PHP license, |
2605+ | that is bundled with this package in the file LICENSE, and is |
2606+ | available at through the world-wide-web at |
2607+ | http://www.php.net/license/2_02.txt. |
2608+ | If you did not receive a copy of the PHP license and are unable to |
2609+ | obtain it through the world-wide-web, please send a note to |
2610+ | license@php.net so we can mail you a copy immediately. |
2611+ +----------------------------------------------------------------------+
2612+ | Author: Stefan Esser <sesser@php.net> |
2613+ +----------------------------------------------------------------------+
2614+ */
2615+/* $Id: hardened_php.c,v 1.2 2004/11/21 09:38:52 ionic Exp $ */
2616+
2617+#include "php.h"
2618+
2619+#include <stdio.h>
2620+#include <stdlib.h>
2621+
2622+#if HAVE_UNISTD_H
2623+#include <unistd.h>
2624+#endif
2625+#include "SAPI.h"
2626+#include "php_globals.h"
2627+
2628+#if HARDENED_PHP
2629+
2630+#ifdef HAVE_SYS_SOCKET_H
2631+#include <sys/socket.h>
2632+#endif
2633+
2634+#if defined(PHP_WIN32) || defined(__riscos__) || defined(NETWARE)
2635+#undef AF_UNIX
2636+#endif
2637+
2638+#if defined(AF_UNIX)
2639+#include <sys/un.h>
2640+#endif
2641+
2642+#define SYSLOG_PATH "/dev/log"
2643+
2644+#include "snprintf.h"
2645+
2646+#ifdef ZTS
2647+#include "hardened_globals.h"
2648+int hardened_globals_id;
2649+#else
2650+struct _hardened_globals hardened_globals;
2651+#endif
2652+
2653+static void hardened_globals_ctor(hardened_globals_struct *hardened_globals TSRMLS_DC)
2654+{
2655+ memset(hardened_globals, 0, sizeof(*hardened_globals));
2656+}
2657+
2658+PHPAPI void hardened_startup()
2659+{
2660+#ifdef ZTS
2661+ ts_allocate_id(&hardened_globals_id, sizeof(hardened_globals_struct), (ts_allocate_ctor) hardened_globals_ctor, NULL);
2662+#else
2663+ hardened_globals_ctor(&hardened_globals TSRMLS_CC);
2664+#endif
2665+}
2666+
2667+PHPAPI void php_security_log(char *str)
2668+{
2669+#if defined(AF_UNIX)
2670+ int s, r;
2671+ struct sockaddr_un saun;
2672+ char buf[1024];
2673+ char *ip_address;
2674+ char *fname;
2675+ TSRMLS_FETCH();
2676+
2677+ ip_address = sapi_getenv("REMOTE_ADDR", 11 TSRMLS_CC);
2678+ if (ip_address == NULL) {
2679+ ip_address = "REMOTE_ADDR not set";
2680+ }
2681+
2682+ fname = sapi_getenv("SCRIPT_FILENAME", 15 TSRMLS_CC);
2683+
2684+ ap_php_snprintf(buf, 1024, "php security-alert: %s (attacker '%s', file '%s')\n", str, ip_address, fname);
2685+
2686+ s = socket(AF_UNIX, SOCK_DGRAM, 0);
2687+ if (s == -1) {
2688+ return;
2689+ }
2690+
2691+ memset(&saun, 0, sizeof(saun));
2692+ saun.sun_family = AF_UNIX;
2693+ strcpy(saun.sun_path, SYSLOG_PATH);
2694+ /*saun.sun_len = sizeof(saun);*/
2695+
2696+ r = connect(s, (struct sockaddr *)&saun, sizeof(saun));
2697+ if (r) {
2698+ close(s);
2699+ s = socket(AF_UNIX, SOCK_STREAM, 0);
2700+ if (s == -1) {
2701+ return;
2702+ }
2703+
2704+ memset(&saun, 0, sizeof(saun));
2705+ saun.sun_family = AF_UNIX;
2706+ strcpy(saun.sun_path, SYSLOG_PATH);
2707+ /*saun.sun_len = sizeof(saun);*/
2708+
2709+ r = connect(s, (struct sockaddr *)&saun, sizeof(saun));
2710+ if (r) {
2711+ close(s);
2712+ return;
2713+ }
2714+ }
2715+ send(s, buf, strlen(buf), 0);
2716+
2717+ close(s);
2718+#endif
2719+}
2720+#endif
2721+
2722+#if HARDENED_PHP_MM_PROTECT || HARDENED_PHP_LL_PROTECT || HARDENED_PHP_HASH_PROTECT
2723+
2724+/* will be replaced later with more compatible method */
2725+PHPAPI unsigned int php_canary()
2726+{
2727+ time_t t;
2728+ unsigned int canary;
2729+ int fd;
2730+
2731+ fd = open("/dev/urandom", 0);
2732+ if (fd != -1) {
2733+ int r = read(fd, &canary, sizeof(canary));
2734+ close(fd);
2735+ if (r == sizeof(canary)) {
2736+ return (canary);
2737+ }
2738+ }
2739+ /* not good but we never want to do this */
2740+ time(&t);
2741+ canary = *(unsigned int *)&t + getpid() << 16;
2742+ return (canary);
2743+}
2744+#endif
2745+
2746+#if HARDENED_PHP_INC_PROTECT
2747+
2748+PHPAPI int php_is_valid_include(zval *z)
2749+{
2750+ char *filename;
2751+ int len;
2752+ TSRMLS_FETCH();
2753+
2754+ /* must be of type string */
2755+ if (z->type != IS_STRING || z->value.str.val == NULL) {
2756+ return (0);
2757+ }
2758+
2759+ /* short cut */
2760+ filename = z->value.str.val;
2761+ len = z->value.str.len;
2762+
2763+ /* 1. must be shorter than MAXPATHLEN */
2764+ if (len > MAXPATHLEN) {
2765+ php_security_log("Include filename longer than MAXPATHLEN chars");
2766+ return (0);
2767+ }
2768+
2769+ /* 2. must not be cutted */
2770+ if (len != strlen(filename)) {
2771+ php_security_log("Include filename has a \\0 cut");
2772+ return (0);
2773+ }
2774+
2775+ /* 3. must not be a URL */
2776+ if (strstr(filename, "://")) {
2777+ php_security_log("Include filename is an URL");
2778+ return (0);
2779+ }
2780+
2781+ /* 4. must not be an uploaded file */
2782+ if (SG(rfc1867_uploaded_files)) {
2783+ if (zend_hash_exists(SG(rfc1867_uploaded_files), (char *) filename, len+1)) {
2784+ php_security_log("Include filename is an uploaded file");
2785+ return (0);
2786+ }
2787+ }
2788+
2789+ /* passed all tests */
2790+ return (1);
2791+}
2792+
2793+#endif
2794+
2795+/*
2796+ * Local variables:
2797+ * tab-width: 4
2798+ * c-basic-offset: 4
2799+ * End:
2800+ * vim600: sw=4 ts=4 fdm=marker
2801+ * vim<600: sw=4 ts=4
2802+ */
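Review bot: The fallback in `php_canary` does not compute what it appears to. `+` binds tighter than `<<`, so `*(unsigned int *)&t + getpid() << 16` shifts the whole sum, which leaves the low 16 bits of the canary always zero and the rest derived only from the clock and the process id. Because the canaries guard memory structures, failing closed when `/dev/urandom` cannot be read is safer than a guessable value; at minimum write the intended expression explicitly, e.g. `canary = (unsigned int)t ^ ((unsigned int)getpid() << 16);`, which also drops the pointer cast on a `time_t`. In `php_security_log`, `fname` is passed to `%s` without the NULL check that `ip_address` gets, and `str`, the address and the file name reach the log socket unescaped, so control characters in them would end up in the log. `php_is_valid_include` accepts `len == MAXPATHLEN` although its comment says the name must be shorter.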
2803diff -Nur php-4.3.11/main/hardened_php.h hardened-php-4.3.11-0.2.7/main/hardened_php.h
2804--- php-4.3.11/main/hardened_php.h 1970-01-01 01:00:00.000000000 +0100
2805+++ hardened-php-4.3.11-0.2.7/main/hardened_php.h 2005-04-07 02:08:45.000000000 +0200
2806@@ -0,0 +1,45 @@
2807+/*
2808+ +----------------------------------------------------------------------+
2809+ | Hardened-PHP |
2810+ +----------------------------------------------------------------------+
2811+ | Copyright (c) 2004 Stefan Esser |
2812+ +----------------------------------------------------------------------+
2813+ | This source file is subject to version 2.02 of the PHP license, |
2814+ | that is bundled with this package in the file LICENSE, and is |
2815+ | available at through the world-wide-web at |
2816+ | http://www.php.net/license/2_02.txt. |
2817+ | If you did not receive a copy of the PHP license and are unable to |
2818+ | obtain it through the world-wide-web, please send a note to |
2819+ | license@php.net so we can mail you a copy immediately. |
2820+ +----------------------------------------------------------------------+
2821+ | Author: Stefan Esser <sesser@php.net> |
2822+ +----------------------------------------------------------------------+
2823+ */
2824+
2825+#ifndef HARDENED_PHP_H
2826+#define HARDENED_PHP_H
2827+
2828+#include "zend.h"
2829+
2830+#if HARDENED_PHP
2831+PHPAPI void php_security_log(char *str);
2832+PHPAPI void hardened_startup();
2833+#define HARDENED_PHP_VERSION "0.2.7"
2834+#endif
2835+
2836+#if HARDENED_PHP_MM_PROTECT || HARDENED_PHP_LL_PROTECT || HARDENED_PHP_HASH_PROTECT
2837+PHPAPI unsigned int php_canary();
2838+#endif
2839+
2840+#if HARDENED_PHP_INC_PROTECT
2841+PHPAPI int php_is_valid_include(zval *z);
2842+#endif
2843+
2844+#endif /* HARDENED_PHP_H */
2845+
2846+/*
2847+ * Local variables:
2848+ * tab-width: 4
2849+ * c-basic-offset: 4
2850+ * End:
2851+ */
2852diff -Nur php-4.3.11/main/hardened_php.m4 hardened-php-4.3.11-0.2.7/main/hardened_php.m4
2853--- php-4.3.11/main/hardened_php.m4 1970-01-01 01:00:00.000000000 +0100
2854+++ hardened-php-4.3.11-0.2.7/main/hardened_php.m4 2005-04-07 02:08:26.000000000 +0200
2855@@ -0,0 +1,95 @@
2856+dnl
2857+dnl $Id: hardened_php.m4,v 1.1 2004/11/14 13:24:24 ionic Exp $
2858+dnl
2859+dnl This file contains Hardened-PHP specific autoconf functions.
2860+dnl
2861+
2862+AC_ARG_ENABLE(hardened-php-mm-protect,
2863+[ --disable-hardened-php-mm-protect Disable the Memory Manager protection.],[
2864+ DO_HARDENED_PHP_MM_PROTECT=$enableval
2865+],[
2866+ DO_HARDENED_PHP_MM_PROTECT=yes
2867+])
2868+
2869+AC_ARG_ENABLE(hardened-php-ll-protect,
2870+[ --disable-hardened-php-ll-protect Disable the Linked List protection.],[
2871+ DO_HARDENED_PHP_LL_PROTECT=$enableval
2872+],[
2873+ DO_HARDENED_PHP_LL_PROTECT=yes
2874+])
2875+
2876+AC_ARG_ENABLE(hardened-php-inc-protect,
2877+[ --disable-hardened-php-inc-protect Disable include/require protection.],[
2878+ DO_HARDENED_PHP_INC_PROTECT=$enableval
2879+],[
2880+ DO_HARDENED_PHP_INC_PROTECT=yes
2881+])
2882+
2883+AC_ARG_ENABLE(hardened-php-fmt-protect,
2884+[ --disable-hardened-php-fmt-protect Disable format string protection.],[
2885+ DO_HARDENED_PHP_FMT_PROTECT=$enableval
2886+],[
2887+ DO_HARDENED_PHP_FMT_PROTECT=yes
2888+])
2889+
2890+AC_ARG_ENABLE(hardened-php-hash-protect,
2891+[ --disable-hardened-php-hash-protect Disable HashTable destructor protection.],[
2892+ DO_HARDENED_PHP_HASH_PROTECT=$enableval
2893+],[
2894+ DO_HARDENED_PHP_HASH_PROTECT=yes
2895+])
2896+
2897+AC_MSG_CHECKING(whether to protect the Zend Memory Manager)
2898+AC_MSG_RESULT($DO_HARDENED_PHP_MM_PROTECT)
2899+
2900+AC_MSG_CHECKING(whether to protect the Zend Linked Lists)
2901+AC_MSG_RESULT($DO_HARDENED_PHP_LL_PROTECT)
2902+
2903+AC_MSG_CHECKING(whether to protect include/require statements)
2904+AC_MSG_RESULT($DO_HARDENED_PHP_INC_PROTECT)
2905+
2906+AC_MSG_CHECKING(whether to protect PHP Format String functions)
2907+AC_MSG_RESULT($DO_HARDENED_PHP_FMT_PROTECT)
2908+
2909+AC_MSG_CHECKING(whether to protect the destructor of Zend HashTables)
2910+AC_MSG_RESULT($DO_HARDENED_PHP_HASH_PROTECT)
2911+
2912+
2913+AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
2914+
2915+
2916+if test "$DO_HARDENED_PHP_MM_PROTECT" = "yes"; then
2917+dnl AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
2918+ AC_DEFINE(HARDENED_PHP_MM_PROTECT, 1, [Memory Manager Protection])
2919+else
2920+ AC_DEFINE(HARDENED_PHP_MM_PROTECT, 0, [Memory Manager Protection])
2921+fi
2922+
2923+if test "$DO_HARDENED_PHP_LL_PROTECT" = "yes"; then
2924+dnl AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
2925+ AC_DEFINE(HARDENED_PHP_LL_PROTECT, 1, [Linked List Protection])
2926+else
2927+ AC_DEFINE(HARDENED_PHP_LL_PROTECT, 0, [Linked List Protection])
2928+fi
2929+
2930+if test "$DO_HARDENED_PHP_INC_PROTECT" = "yes"; then
2931+dnl AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
2932+ AC_DEFINE(HARDENED_PHP_INC_PROTECT, 1, [Include/Require Protection])
2933+else
2934+ AC_DEFINE(HARDENED_PHP_INC_PROTECT, 0, [Include/Require Protection])
2935+fi
2936+
2937+if test "$DO_HARDENED_PHP_FMT_PROTECT" = "yes"; then
2938+dnl AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
2939+ AC_DEFINE(HARDENED_PHP_FMT_PROTECT, 1, [Fmt String Protection])
2940+else
2941+ AC_DEFINE(HARDENED_PHP_FMT_PROTECT, 0, [Fmt String Protection])
2942+fi
2943+
2944+if test "$DO_HARDENED_PHP_HASH_PROTECT" = "yes"; then
2945+dnl AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
2946+ AC_DEFINE(HARDENED_PHP_HASH_PROTECT, 1, [HashTable DTOR Protection])
2947+else
2948+ AC_DEFINE(HARDENED_PHP_HASH_PROTECT, 0, [HashTable DTOR Protection])
2949+fi
2950+
2951diff -Nur php-4.3.11/main/main.c hardened-php-4.3.11-0.2.7/main/main.c
2952--- php-4.3.11/main/main.c 2005-03-08 22:45:51.000000000 +0100
2953+++ hardened-php-4.3.11-0.2.7/main/main.c 2005-04-07 02:08:26.000000000 +0200
2954@@ -100,6 +100,10 @@
2955 PHPAPI int core_globals_id;
2956 #endif
2957
2958+#if HARDENED_PHP
2959+#include "hardened_globals.h"
2960+#endif
2961+
2962 #define ERROR_BUF_LEN 1024
2963
2964 typedef struct {
2965@@ -150,10 +154,33 @@
2966 */
2967 static PHP_INI_MH(OnChangeMemoryLimit)
2968 {
2969+#if HARDENED_PHP
2970+ long orig_memory_limit;
2971+
2972+ if (entry->modified) {
2973+ orig_memory_limit = zend_atoi(entry->orig_value, entry->orig_value_length);
2974+ } else {
2975+ orig_memory_limit = 1<<30;
2976+ }
2977+ if (orig_memory_limit < 0 || orig_memory_limit > (1<<30)) {
2978+ orig_memory_limit = 1<<30;
2979+ }
2980+#endif
2981 if (new_value) {
2982 PG(memory_limit) = zend_atoi(new_value, new_value_length);
2983+#if HARDENED_PHP
2984+ if (PG(memory_limit) > orig_memory_limit) {
2985+ PG(memory_limit) = orig_memory_limit;
2986+ php_security_log("script tried to increase memory_limit above allowed value");
2987+ return FAILURE;
2988+ }
2989+#endif
2990 } else {
2991+#if HARDENED_PHP
2992+ PG(memory_limit) = orig_memory_limit;
2993+#else
2994 PG(memory_limit) = 1<<30; /* effectively, no limit */
2995+#endif
2996 }
2997 return zend_set_memory_limit(PG(memory_limit));
2998 }
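Review bot: Only the upper bound of the new value is checked in `OnChangeMemoryLimit`. `orig_memory_limit` is clamped when it is negative, but a negative `new_value` passes `PG(memory_limit) > orig_memory_limit` and goes straight to `zend_set_memory_limit()`, whose handling of a negative argument is not visible here. Rejecting it in the same test, `if (PG(memory_limit) < 0 || PG(memory_limit) > orig_memory_limit) {`, closes that gap. The failure path also resets `PG(memory_limit)` to the original value and returns without calling `zend_set_memory_limit()`, so after an earlier successful lowering the global and the allocator's limit may disagree. Parsing into a local first and leaving `PG(memory_limit)` untouched on failure avoids that.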
2999@@ -1092,6 +1119,10 @@
3000 tsrm_ls = ts_resource(0);
3001 #endif
3002
3003+#if HARDENED_PHP
3004+ hardened_startup();
3005+#endif
3006+
3007 sapi_initialize_empty_request(TSRMLS_C);
3008 sapi_activate(TSRMLS_C);
3009
3010@@ -1104,6 +1135,12 @@
3011 php_output_startup();
3012 php_output_activate(TSRMLS_C);
3013
3014+#if HARDENED_PHP_INC_PROTECT
3015+ zuf.is_valid_include = php_is_valid_include;
3016+#endif
3017+#if HARDENED_PHP
3018+ zuf.security_log_function = php_security_log;
3019+#endif
3020 zuf.error_function = php_error_cb;
3021 zuf.printf_function = php_printf;
3022 zuf.write_function = php_body_write_wrapper;
3023@@ -1205,6 +1242,10 @@
3024 REGISTER_MAIN_STRINGL_CONSTANT("PHP_CONFIG_FILE_PATH", PHP_CONFIG_FILE_PATH, sizeof(PHP_CONFIG_FILE_PATH)-1, CONST_PERSISTENT | CONST_CS);
3025 REGISTER_MAIN_STRINGL_CONSTANT("PHP_CONFIG_FILE_SCAN_DIR", PHP_CONFIG_FILE_SCAN_DIR, sizeof(PHP_CONFIG_FILE_SCAN_DIR)-1, CONST_PERSISTENT | CONST_CS);
3026 REGISTER_MAIN_STRINGL_CONSTANT("PHP_SHLIB_SUFFIX", PHP_SHLIB_SUFFIX, sizeof(PHP_SHLIB_SUFFIX)-1, CONST_PERSISTENT | CONST_CS);
3027+#if HARDENED_PHP
3028+ REGISTER_MAIN_LONG_CONSTANT("HARDENED_PHP", 1, CONST_PERSISTENT | CONST_CS);
3029+ REGISTER_MAIN_STRINGL_CONSTANT("HARDENED_PHP_VERSION", HARDENED_PHP_VERSION, sizeof(HARDENED_PHP_VERSION)-1, CONST_PERSISTENT | CONST_CS);
3030+#endif
3031 REGISTER_MAIN_STRINGL_CONSTANT("PHP_EOL", PHP_EOL, sizeof(PHP_EOL)-1, CONST_PERSISTENT | CONST_CS);
3032 php_output_register_constants(TSRMLS_C);
3033 php_rfc1867_register_constants(TSRMLS_C);
3034diff -Nur php-4.3.11/main/php.h hardened-php-4.3.11-0.2.7/main/php.h
3035--- php-4.3.11/main/php.h 2005-03-08 22:45:51.000000000 +0100
3036+++ hardened-php-4.3.11-0.2.7/main/php.h 2005-04-07 02:08:26.000000000 +0200
3037@@ -35,11 +35,19 @@
3038 #include "zend_qsort.h"
3039 #include "php_compat.h"
3040
3041+
3042 #include "zend_API.h"
3043
3044 #undef sprintf
3045 #define sprintf php_sprintf
3046
3047+#if HARDENED_PHP
3048+#if HAVE_REALPATH
3049+#undef realpath
3050+#define realpath php_realpath
3051+#endif
3052+#endif
3053+
3054 /* PHP's DEBUG value must match Zend's ZEND_DEBUG value */
3055 #undef PHP_DEBUG
3056 #define PHP_DEBUG ZEND_DEBUG
3057@@ -436,6 +444,10 @@
3058 #endif
3059 #endif /* !XtOffsetOf */
3060
3061+#if HARDENED_PHP
3062+#include "hardened_php.h"
3063+#endif
3064+
3065 #endif
3066
3067 /*
3068diff -Nur php-4.3.11/main/php_config.h.in hardened-php-4.3.11-0.2.7/main/php_config.h.in
3069--- php-4.3.11/main/php_config.h.in 2005-03-30 16:35:47.000000000 +0200
3070+++ hardened-php-4.3.11-0.2.7/main/php_config.h.in 2005-04-07 02:08:26.000000000 +0200
3071@@ -839,6 +839,39 @@
3072 /* Enabling BIND8 compatibility for Panther */
3073 #undef BIND_8_COMPAT
3074
3075+/* Hardened-PHP */
3076+#undef HARDENED_PHP
3077+
3078+/* Memory Manager Protection */
3079+#undef HARDENED_PHP_MM_PROTECT
3080+
3081+/* Memory Manager Protection */
3082+#undef HARDENED_PHP_MM_PROTECT
3083+
3084+/* Linked List Protection */
3085+#undef HARDENED_PHP_LL_PROTECT
3086+
3087+/* Linked List Protection */
3088+#undef HARDENED_PHP_LL_PROTECT
3089+
3090+/* Include/Require Protection */
3091+#undef HARDENED_PHP_INC_PROTECT
3092+
3093+/* Include/Require Protection */
3094+#undef HARDENED_PHP_INC_PROTECT
3095+
3096+/* Fmt String Protection */
3097+#undef HARDENED_PHP_FMT_PROTECT
3098+
3099+/* Fmt String Protection */
3100+#undef HARDENED_PHP_FMT_PROTECT
3101+
3102+/* HashTable DTOR Protection */
3103+#undef HARDENED_PHP_HASH_PROTECT
3104+
3105+/* HashTable DTOR Protection */
3106+#undef HARDENED_PHP_HASH_PROTECT
3107+
3108 /* Whether you have AOLserver */
3109 #undef HAVE_AOLSERVER
3110
3111@@ -1122,6 +1155,12 @@
3112 /* Define if you have the getaddrinfo function */
3113 #undef HAVE_GETADDRINFO
3114
3115+/* Whether realpath is broken */
3116+#undef PHP_BROKEN_REALPATH
3117+
3118+/* Whether realpath is broken */
3119+#undef PHP_BROKEN_REALPATH
3120+
3121 /* Whether system headers declare timezone */
3122 #undef HAVE_DECLARED_TIMEZONE
3123
3124diff -Nur php-4.3.11/main/php_content_types.c hardened-php-4.3.11-0.2.7/main/php_content_types.c
3125--- php-4.3.11/main/php_content_types.c 2002-12-31 17:26:14.000000000 +0100
3126+++ hardened-php-4.3.11-0.2.7/main/php_content_types.c 2005-04-07 02:08:26.000000000 +0200
3127@@ -77,6 +77,7 @@
3128 sapi_register_post_entries(php_post_entries);
3129 sapi_register_default_post_reader(php_default_post_reader);
3130 sapi_register_treat_data(php_default_treat_data);
3131+ sapi_register_input_filter(php_default_input_filter);
3132 return SUCCESS;
3133 }
3134 /* }}} */
3135diff -Nur php-4.3.11/main/php_variables.c hardened-php-4.3.11-0.2.7/main/php_variables.c
3136--- php-4.3.11/main/php_variables.c 2004-10-18 17:08:46.000000000 +0200
3137+++ hardened-php-4.3.11-0.2.7/main/php_variables.c 2005-04-07 02:08:26.000000000 +0200
3138@@ -211,17 +211,28 @@
3139 while (var) {
3140 val = strchr(var, '=');
3141 if (val) { /* have a value */
3142- int val_len;
3143+ unsigned int val_len, new_val_len;
3144
3145 *val++ = '\0';
3146 php_url_decode(var, strlen(var));
3147 val_len = php_url_decode(val, strlen(val));
3148- php_register_variable_safe(var, val, val_len, array_ptr TSRMLS_CC);
3149+ val = estrndup(val, val_len);
3150+ if (sapi_module.input_filter(PARSE_POST, var, &val, val_len, &new_val_len TSRMLS_CC)) {
3151+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
3152+ }
3153+ efree(val);
3154 }
3155 var = php_strtok_r(NULL, "&", &strtok_buf);
3156 }
3157 }
3158
3159+SAPI_API SAPI_INPUT_FILTER_FUNC(php_default_input_filter)
3160+{
3161+ /* TODO: check .ini setting here and apply user-defined input filter */
3162+ *new_val_len = val_len;
3163+ return 1;
3164+}
3165+
3166 SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data)
3167 {
3168 char *res = NULL, *var, *val, *separator=NULL;
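Review bot: `php_default_input_filter` is added without any statement of the contract its call sites rely on. Both this hunk and the `php_default_treat_data` hunk below pass `&val` for an `estrndup` copy, register `new_val_len` bytes only on a non-zero return, and `efree(val)` afterwards, so a filter that swaps the buffer presumably has to hand back memory that `efree` can release. I would put that above the function: `/* Returns non-zero to accept. *val is an emalloc'd copy the caller efree()s; set *new_val_len to the length to register. */`. The enclosing POST handler starts outside the hunk.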
3169@@ -299,15 +310,26 @@
3170 while (var) {
3171 val = strchr(var, '=');
3172 if (val) { /* have a value */
3173- int val_len;
3174+ unsigned int val_len, new_val_len;
3175
3176 *val++ = '\0';
3177 php_url_decode(var, strlen(var));
3178 val_len = php_url_decode(val, strlen(val));
3179- php_register_variable_safe(var, val, val_len, array_ptr TSRMLS_CC);
3180+ val = estrndup(val, val_len);
3181+ if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len TSRMLS_CC)) {
3182+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
3183+ }
3184+ efree(val);
3185 } else {
3186+ unsigned int val_len, new_val_len;
3187+
3188 php_url_decode(var, strlen(var));
3189- php_register_variable_safe(var, "", 0, array_ptr TSRMLS_CC);
3190+ val_len = 0;
3191+ val = estrndup("", 0);
3192+ if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len TSRMLS_CC)) {
3193+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
3194+ }
3195+ efree(val);
3196 }
3197 var = php_strtok_r(NULL, separator, &strtok_buf);
3198 }
3199diff -Nur php-4.3.11/main/rfc1867.c hardened-php-4.3.11-0.2.7/main/rfc1867.c
3200--- php-4.3.11/main/rfc1867.c 2005-02-15 01:28:39.000000000 +0100
3201+++ hardened-php-4.3.11-0.2.7/main/rfc1867.c 2005-04-07 02:08:26.000000000 +0200
3202@@ -891,21 +891,24 @@
3203 if (!filename && param) {
3204
3205 char *value = multipart_buffer_read_body(mbuff TSRMLS_CC);
3206+ unsigned int new_val_len; /* Dummy variable */
3207
3208 if (!value) {
3209 value = estrdup("");
3210 }
3211
3212+ if (sapi_module.input_filter(PARSE_POST, param, &value, strlen(value), &new_val_len TSRMLS_CC)) {
3213 #if HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING)
3214- if (php_mb_encoding_translation(TSRMLS_C)) {
3215- php_mb_gpc_stack_variable(param, value, &val_list, &len_list,
3216- &num_vars, &num_vars_max TSRMLS_CC);
3217- } else {
3218- safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
3219- }
3220+ if (php_mb_encoding_translation(TSRMLS_C)) {
3221+ php_mb_gpc_stack_variable(param, value, &val_list, &len_list,
3222+ &num_vars, &num_vars_max TSRMLS_CC);
3223+ } else {
3224+ safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
3225+ }
3226 #else
3227- safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
3228+ safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
3229 #endif
3230+ }
3231 if (!strcasecmp(param, "MAX_FILE_SIZE")) {
3232 max_file_size = atol(value);
3233 }
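Review bot: `new_val_len` is declared as a dummy and never used, so the length the filter reports is discarded and `safe_php_register_variable` / `php_mb_gpc_stack_variable` receive only the `value` pointer; the url-encoded paths in main/php_variables.c register `new_val_len` bytes instead. A filter that shortens the value without NUL-terminating it at the new length would therefore have more data registered here than it approved. Until the length can be passed through, state the requirement at the declaration: `unsigned int new_val_len; /* not passed on: filter must NUL-terminate value at the new length */`. Also, the `MAX_FILE_SIZE` check after the new block still reads `value` when the filter returned 0, so a rejected field can still set `max_file_size`; it belongs inside the `if`. The enclosing function starts and ends outside the hunk.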
3234diff -Nur php-4.3.11/main/snprintf.c hardened-php-4.3.11-0.2.7/main/snprintf.c
3235--- php-4.3.11/main/snprintf.c 2004-11-16 00:27:26.000000000 +0100
3236+++ hardened-php-4.3.11-0.2.7/main/snprintf.c 2005-04-07 02:08:26.000000000 +0200
3237@@ -850,7 +850,11 @@
3238
3239
3240 case 'n':
3241+#if HARDENED_PHP_FMT_PROTECT
3242+ php_security_log("'n' specifier within format string");
3243+#else
3244 *(va_arg(ap, int *)) = cc;
3245+#endif
3246 break;
3247
3248 /*
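Review bot: With HARDENED_PHP_FMT_PROTECT set, the `'n'` case logs and breaks without fetching its argument, whereas the original branch consumes one `int *` from `ap`. A format string that legitimately carries `%n` would leave every later conversion reading the wrong argument. Adding `(void) va_arg(ap, int *);` after the `php_security_log` call keeps the argument list aligned while still refusing the write; the same applies to the identical hunk in main/spprintf.c. What is emitted after the `break` depends on the rest of the switch, which is outside the hunk.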
3249diff -Nur php-4.3.11/main/spprintf.c hardened-php-4.3.11-0.2.7/main/spprintf.c
3250--- php-4.3.11/main/spprintf.c 2003-09-29 03:09:36.000000000 +0200
3251+++ hardened-php-4.3.11-0.2.7/main/spprintf.c 2005-04-07 02:08:26.000000000 +0200
3252@@ -531,7 +531,11 @@
3253
3254
3255 case 'n':
3256+#if HARDENED_PHP_FMT_PROTECT
3257+ php_security_log("'n' specifier within format string");
3258+#else
3259 *(va_arg(ap, int *)) = cc;
3260+#endif
3261 break;
3262
3263 /*
3264diff -Nur php-4.3.11/php.ini-dist hardened-php-4.3.11-0.2.7/php.ini-dist
3265--- php-4.3.11/php.ini-dist 2005-02-14 09:26:10.000000000 +0100
3266+++ hardened-php-4.3.11-0.2.7/php.ini-dist 2005-04-07 02:08:26.000000000 +0200
3267@@ -1109,6 +1109,23 @@
3268 ;exif.decode_jis_motorola = JIS
3269 ;exif.decode_jis_intel = JIS
3270
3271+[varfilter]
3272+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
3273+; Hardened-PHP's variable filter
3274+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
3275+
3276+; Maximum number of input variables per request
3277+varfilter.max_request_variables = 200
3278+
3279+; Maximum characters in input variable names
3280+varfilter.max_varname_length = 64
3281+
3282+; Maximum length of input variable values
3283+varfilter.max_value_length = 10000
3284+
3285+; Maximum depth of input variable arrays
3286+varfilter.max_array_depth = 100
3287+
3288 ; Local Variables:
3289 ; tab-width: 4
3290 ; End:
3291diff -Nur php-4.3.11/php.ini-recommended hardened-php-4.3.11-0.2.7/php.ini-recommended
3292--- php-4.3.11/php.ini-recommended 2005-02-14 09:26:10.000000000 +0100
3293+++ hardened-php-4.3.11-0.2.7/php.ini-recommended 2005-04-07 02:08:26.000000000 +0200
3294@@ -1107,6 +1107,23 @@
3295 ;exif.decode_jis_motorola = JIS
3296 ;exif.decode_jis_intel = JIS
3297
3298+[varfilter]
3299+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
3300+; Hardened-PHP's variable filter
3301+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
3302+
3303+; Maximum number of input variables per request
3304+varfilter.max_request_variables = 200
3305+
3306+; Maximum characters in input variable names
3307+varfilter.max_varname_length = 64
3308+
3309+; Maximum length of input variable values
3310+varfilter.max_value_length = 10000
3311+
3312+; Maximum depth of input variable arrays
3313+varfilter.max_array_depth = 100
3314+
3315 ; Local Variables:
3316 ; tab-width: 4
3317 ; End:
3318diff -Nur php-4.3.11/sapi/apache/mod_php4.c hardened-php-4.3.11-0.2.7/sapi/apache/mod_php4.c
3319--- php-4.3.11/sapi/apache/mod_php4.c 2004-07-21 18:25:28.000000000 +0200
3320+++ hardened-php-4.3.11-0.2.7/sapi/apache/mod_php4.c 2005-04-07 02:08:26.000000000 +0200
3321@@ -446,7 +446,7 @@
3322 sapi_apache_get_fd,
3323 sapi_apache_force_http_10,
3324 sapi_apache_get_target_uid,
3325- sapi_apache_get_target_gid
3326+ sapi_apache_get_target_gid,
3327 };
3328 /* }}} */
3329
3330@@ -892,7 +892,11 @@
3331 {
3332 TSRMLS_FETCH();
3333 if (PG(expose_php)) {
3334+#if HARDENED_PHP
3335+ ap_add_version_component("Hardened-PHP/" PHP_VERSION);
3336+#else
3337 ap_add_version_component("PHP/" PHP_VERSION);
3338+#endif
3339 }
3340 }
3341 #endif
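Review bot: The hardened branch changes the server version component to `Hardened-PHP/`, which tells any remote client that the hardening patch is compiled in; the only gate is the existing `expose_php` check. If that is intended, a comment on the branch would make it explicit, e.g. `/* banner reveals the hardened build; suppressed by expose_php = Off */`. The same string is added in sapi/apache2filter and sapi/apache2handler below.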
3342diff -Nur php-4.3.11/sapi/apache2filter/sapi_apache2.c hardened-php-4.3.11-0.2.7/sapi/apache2filter/sapi_apache2.c
3343--- php-4.3.11/sapi/apache2filter/sapi_apache2.c 2005-01-07 07:28:36.000000000 +0100
3344+++ hardened-php-4.3.11-0.2.7/sapi/apache2filter/sapi_apache2.c 2005-04-07 02:08:26.000000000 +0200
3345@@ -563,7 +563,11 @@
3346 {
3347 TSRMLS_FETCH();
3348 if (PG(expose_php)) {
3349+#if HARDENED_PHP
3350+ ap_add_version_component(p, "Hardened-PHP/" PHP_VERSION);
3351+#else
3352 ap_add_version_component(p, "PHP/" PHP_VERSION);
3353+#endif
3354 }
3355 }
3356
3357diff -Nur php-4.3.11/sapi/apache2handler/sapi_apache2.c hardened-php-4.3.11-0.2.7/sapi/apache2handler/sapi_apache2.c
3358--- php-4.3.11/sapi/apache2handler/sapi_apache2.c 2005-03-10 12:39:04.000000000 +0100
3359+++ hardened-php-4.3.11-0.2.7/sapi/apache2handler/sapi_apache2.c 2005-04-07 02:08:26.000000000 +0200
3360@@ -345,7 +345,11 @@
3361 {
3362 TSRMLS_FETCH();
3363 if (PG(expose_php)) {
3364+#if HARDENED_PHP
3365+ ap_add_version_component(p, "Hardened-PHP/" PHP_VERSION);
3366+#else
3367 ap_add_version_component(p, "PHP/" PHP_VERSION);
3368+#endif
3369 }
3370 }
3371
3372diff -Nur php-4.3.11/sapi/cgi/cgi_main.c hardened-php-4.3.11-0.2.7/sapi/cgi/cgi_main.c
3373--- php-4.3.11/sapi/cgi/cgi_main.c 2005-02-11 03:12:30.000000000 +0100
3374+++ hardened-php-4.3.11-0.2.7/sapi/cgi/cgi_main.c 2005-04-07 02:08:26.000000000 +0200
3375@@ -1435,11 +1435,19 @@
3376 SG(headers_sent) = 1;
3377 SG(request_info).no_headers = 1;
3378 }
3379+#if HARDENED_PHP
3380+#if ZEND_DEBUG
3381+ php_printf("Hardened-PHP %s/%s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENED_PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
3382+#else
3383+ php_printf("Hardened-PHP %s/%s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENED_PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
3384+#endif
3385+#else
3386 #if ZEND_DEBUG
3387 php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
3388 #else
3389 php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
3390 #endif
3391+#endif
3392 php_end_ob_buffers(1 TSRMLS_CC);
3393 exit(1);
3394 break;
3395diff -Nur php-4.3.11/sapi/cli/php_cli.c hardened-php-4.3.11-0.2.7/sapi/cli/php_cli.c
3396--- php-4.3.11/sapi/cli/php_cli.c 2005-03-22 16:09:36.000000000 +0100
3397+++ hardened-php-4.3.11-0.2.7/sapi/cli/php_cli.c 2005-04-07 02:08:26.000000000 +0200
3398@@ -652,11 +652,19 @@
3399 if (php_request_startup(TSRMLS_C)==FAILURE) {
3400 goto err;
3401 }
3402+#if HARDENED_PHP
3403+#if ZEND_DEBUG
3404+ php_printf("Hardened-PHP %s/%s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENED_PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
3405+#else
3406+ php_printf("Hardened-PHP %s/%s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENED_PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
3407+#endif
3408+#else
3409 #if ZEND_DEBUG
3410 php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
3411 #else
3412 php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
3413 #endif
3414+#endif
3415 php_end_ob_buffers(1 TSRMLS_CC);
3416 exit_status=1;
3417 goto out;