authorjvoisin2019-10-13 12:35:52 +0200
committerjvoisin2019-10-13 12:35:52 +0200
commit7ce0f98b0be3ad15a664e506dff461cf6d633a69 (patch)
tree1aae4c7d8fa8ac62609824629db9ba46add728cc /0.4.3/hardening-patch-5.0.5-0.4.3.patch
parentd24fe97bf9a1614acf4e7431d17b762a73642e15 (diff)
Add more patches
Diffstat (limited to '0.4.3/hardening-patch-5.0.5-0.4.3.patch')
-rw-r--r--0.4.3/hardening-patch-5.0.5-0.4.3.patch7046
1 files changed, 7046 insertions, 0 deletions
diff --git a/0.4.3/hardening-patch-5.0.5-0.4.3.patch b/0.4.3/hardening-patch-5.0.5-0.4.3.patch
new file mode 100644
index 0000000..70c37a6
--- /dev/null
+++ b/0.4.3/hardening-patch-5.0.5-0.4.3.patch
@@ -0,0 +1,7046 @@
1diff -Nura php-5.0.5/acinclude.m4 hardening-patch-5.0.5-0.4.3/acinclude.m4
2--- php-5.0.5/acinclude.m4 2005-07-26 00:31:07.000000000 +0200
3+++ hardening-patch-5.0.5-0.4.3/acinclude.m4 2005-09-11 23:30:52.000000000 +0200
4@@ -1182,6 +1182,36 @@
5 fi
6 ])
7
8+dnl
9+dnl Check for broken realpath()
10+dnl
11+dnl realpath("/etc/hosts/../passwd",XXX) should not return
12+dnl "/etc/passwd"
13+dnl
14+AC_DEFUN([PHP_AC_BROKEN_REALPATH],[
15+ AC_CACHE_CHECK(whether realpath is broken, ac_cv_broken_realpath,[
16+ AC_TRY_RUN([
17+main() {
18+ char buf[4096+1];
19+ buf[0] = 0;
20+ realpath("/etc/hosts/../passwd", buf);
21+ exit(strcmp(buf, "/etc/passwd")==0);
22+}
23+ ],[
24+ ac_cv_broken_realpath=no
25+ ],[
26+ ac_cv_broken_realpath=yes
27+ ],[
28+ ac_cv_broken_realpath=no
29+ ])
30+ ])
31+ if test "$ac_cv_broken_realpath" = "yes"; then
32+ AC_DEFINE(PHP_BROKEN_REALPATH, 1, [Whether realpath is broken])
33+ else
34+ AC_DEFINE(PHP_BROKEN_REALPATH, 0, [Whether realpath is broken])
35+ fi
36+])
37+
38 dnl PHP_SHARED_MODULE(module-name, object-var, build-dir, cxx)
39 dnl
40 dnl Basically sets up the link-stage for building module-name
41diff -Nura php-5.0.5/configure hardening-patch-5.0.5-0.4.3/configure
42--- php-5.0.5/configure 2005-09-05 13:16:17.000000000 +0200
43+++ hardening-patch-5.0.5-0.4.3/configure 2005-09-11 23:30:52.000000000 +0200
44@@ -404,6 +404,16 @@
45 ac_default_prefix=/usr/local
46 # Any additions from configure.in:
47 ac_help="$ac_help
48+ --disable-hardening-patch-mm-protect Disable the Memory Manager protection."
49+ac_help="$ac_help
50+ --disable-hardening-patch-ll-protect Disable the Linked List protection."
51+ac_help="$ac_help
52+ --disable-hardening-patch-inc-protect Disable include/require protection."
53+ac_help="$ac_help
54+ --disable-hardening-patch-fmt-protect Disable format string protection."
55+ac_help="$ac_help
56+ --disable-hardening-patch-hash-protect Disable Zend HashTable DTOR protection."
57+ac_help="$ac_help
58
59 SAPI modules:
60 "
61@@ -860,6 +870,8 @@
62 ac_help="$ac_help
63 --disable-tokenizer Disable tokenizer support"
64 ac_help="$ac_help
65+ --disable-varfilter Disable Hardening-Patch's variable filter"
66+ac_help="$ac_help
67 --enable-wddx Enable WDDX support."
68 ac_help="$ac_help
69 --disable-xml Disable XML support."
70@@ -2834,6 +2846,157 @@
71
72
73
74+# Check whether --enable-hardening-patch-mm-protect or --disable-hardening-patch-mm-protect was given.
75+if test "${enable_hardening_patch_mm_protect+set}" = set; then
76+ enableval="$enable_hardening_patch_mm_protect"
77+
78+ DO_HARDENING_PATCH_MM_PROTECT=$enableval
79+
80+else
81+
82+ DO_HARDENING_PATCH_MM_PROTECT=yes
83+
84+fi
85+
86+
87+# Check whether --enable-hardening-patch-ll-protect or --disable-hardening-patch-ll-protect was given.
88+if test "${enable_hardening_patch_ll_protect+set}" = set; then
89+ enableval="$enable_hardening_patch_ll_protect"
90+
91+ DO_HARDENING_PATCH_LL_PROTECT=$enableval
92+
93+else
94+
95+ DO_HARDENING_PATCH_LL_PROTECT=yes
96+
97+fi
98+
99+
100+# Check whether --enable-hardening-patch-inc-protect or --disable-hardening-patch-inc-protect was given.
101+if test "${enable_hardening_patch_inc_protect+set}" = set; then
102+ enableval="$enable_hardening_patch_inc_protect"
103+
104+ DO_HARDENING_PATCH_INC_PROTECT=$enableval
105+
106+else
107+
108+ DO_HARDENING_PATCH_INC_PROTECT=yes
109+
110+fi
111+
112+
113+# Check whether --enable-hardening-patch-fmt-protect or --disable-hardening-patch-fmt-protect was given.
114+if test "${enable_hardening_patch_fmt_protect+set}" = set; then
115+ enableval="$enable_hardening_patch_fmt_protect"
116+
117+ DO_HARDENING_PATCH_FMT_PROTECT=$enableval
118+
119+else
120+
121+ DO_HARDENING_PATCH_FMT_PROTECT=yes
122+
123+fi
124+
125+
126+# Check whether --enable-hardening-patch-hash-protect or --disable-hardening-patch-hash-protect was given.
127+if test "${enable_hardening_patch_hash_protect+set}" = set; then
128+ enableval="$enable_hardening_patch_hash_protect"
129+
130+ DO_HARDENING_PATCH_HASH_PROTECT=$enableval
131+
132+else
133+
134+ DO_HARDENING_PATCH_HASH_PROTECT=yes
135+
136+fi
137+
138+
139+echo $ac_n "checking whether to protect the Zend Memory Manager""... $ac_c" 1>&6
140+echo "configure:2725: checking whether to protect the Zend Memory Manager" >&5
141+echo "$ac_t""$DO_HARDENING_PATCH_MM_PROTECT" 1>&6
142+
143+echo $ac_n "checking whether to protect the Zend Linked Lists""... $ac_c" 1>&6
144+echo "configure:2729: checking whether to protect the Zend Linked Lists" >&5
145+echo "$ac_t""$DO_HARDENING_PATCH_LL_PROTECT" 1>&6
146+
147+echo $ac_n "checking whether to protect include/require statements""... $ac_c" 1>&6
148+echo "configure:2733: checking whether to protect include/require statements" >&5
149+echo "$ac_t""$DO_HARDENING_PATCH_INC_PROTECT" 1>&6
150+
151+echo $ac_n "checking whether to protect PHP Format String functions""... $ac_c" 1>&6
152+echo "configure:2737: checking whether to protect PHP Format String functions" >&5
153+echo "$ac_t""$DO_HARDENING_PATCH_FMT_PROTECT" 1>&6
154+
155+echo $ac_n "checking whether to protect the Zend HashTable Destructors""... $ac_c" 1>&6
156+echo "configure:2737: checking whether to protect the Zend HashTable Destructors" >&5
157+echo "$ac_t""$DO_HARDENING_PATCH_HASH_PROTECT" 1>&6
158+
159+
160+cat >> confdefs.h <<\EOF
161+#define HARDENING_PATCH 1
162+EOF
163+
164+
165+
166+if test "$DO_HARDENING_PATCH_MM_PROTECT" = "yes"; then
167+ cat >> confdefs.h <<\EOF
168+#define HARDENING_PATCH_MM_PROTECT 1
169+EOF
170+
171+else
172+ cat >> confdefs.h <<\EOF
173+#define HARDENING_PATCH_MM_PROTECT 0
174+EOF
175+
176+fi
177+
178+if test "$DO_HARDENING_PATCH_LL_PROTECT" = "yes"; then
179+ cat >> confdefs.h <<\EOF
180+#define HARDENING_PATCH_LL_PROTECT 1
181+EOF
182+
183+else
184+ cat >> confdefs.h <<\EOF
185+#define HARDENING_PATCH_LL_PROTECT 0
186+EOF
187+
188+fi
189+
190+if test "$DO_HARDENING_PATCH_INC_PROTECT" = "yes"; then
191+ cat >> confdefs.h <<\EOF
192+#define HARDENING_PATCH_INC_PROTECT 1
193+EOF
194+
195+else
196+ cat >> confdefs.h <<\EOF
197+#define HARDENING_PATCH_INC_PROTECT 0
198+EOF
199+
200+fi
201+
202+if test "$DO_HARDENING_PATCH_FMT_PROTECT" = "yes"; then
203+ cat >> confdefs.h <<\EOF
204+#define HARDENING_PATCH_FMT_PROTECT 1
205+EOF
206+
207+else
208+ cat >> confdefs.h <<\EOF
209+#define HARDENING_PATCH_FMT_PROTECT 0
210+EOF
211+
212+fi
213+
214+if test "$DO_HARDENING_PATCH_HASH_PROTECT" = "yes"; then
215+ cat >> confdefs.h <<\EOF
216+#define HARDENING_PATCH_HASH_PROTECT 1
217+EOF
218+
219+else
220+ cat >> confdefs.h <<\EOF
221+#define HARDENING_PATCH_HASH_PROTECT 0
222+EOF
223+
224+fi
225
226
227
228@@ -17473,6 +17636,62 @@
229 fi
230
231
232+ echo $ac_n "checking whether realpath is broken""... $ac_c" 1>&6
233+echo "configure:14928: checking whether realpath is broken" >&5
234+if eval "test \"`echo '$''{'ac_cv_broken_realpath'+set}'`\" = set"; then
235+ echo $ac_n "(cached) $ac_c" 1>&6
236+else
237+
238+ if test "$cross_compiling" = yes; then
239+
240+ ac_cv_broken_realpath=no
241+
242+else
243+ cat > conftest.$ac_ext <<EOF
244+#line 14939 "configure"
245+#include "confdefs.h"
246+
247+main() {
248+ char buf[4096+1];
249+ buf[0] = 0;
250+ realpath("/etc/hosts/../passwd", buf);
251+ exit(strcmp(buf, "/etc/passwd")==0);
252+}
253+
254+EOF
255+if { (eval echo configure:14958: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
256+then
257+
258+ ac_cv_broken_realpath=no
259+
260+else
261+ echo "configure: failed program was:" >&5
262+ cat conftest.$ac_ext >&5
263+ rm -fr conftest*
264+
265+ ac_cv_broken_realpath=yes
266+
267+fi
268+rm -fr conftest*
269+fi
270+
271+
272+fi
273+
274+echo "$ac_t""$ac_cv_broken_realpath" 1>&6
275+ if test "$ac_cv_broken_realpath" = "yes"; then
276+ cat >> confdefs.h <<\EOF
277+#define PHP_BROKEN_REALPATH 1
278+EOF
279+
280+ else
281+ cat >> confdefs.h <<\EOF
282+#define PHP_BROKEN_REALPATH 0
283+EOF
284+
285+ fi
286+
287+
288 echo $ac_n "checking for declared timezone""... $ac_c" 1>&6
289 echo "configure:17478: checking for declared timezone" >&5
290 if eval "test \"`echo '$''{'ac_cv_declared_timezone'+set}'`\" = set"; then
291@@ -88634,7 +88853,7 @@
292 if test "$ac_cv_crypt_blowfish" = "yes"; then
293 ac_result=1
294 else
295- ac_result=0
296+ ac_result=1
297 fi
298 cat >> confdefs.h <<EOF
299 #define PHP_BLOWFISH_CRYPT $ac_result
300@@ -91230,7 +91449,7 @@
301 incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
302 http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
303 var_unserializer.c ftok.c sha1.c user_filters.c uuencode.c \
304- filters.c proc_open.c sunfuncs.c streamsfuncs.c http.c; do
305+ filters.c proc_open.c sunfuncs.c streamsfuncs.c http.c sha256.c crypt_blowfish.c ; do
306
307 IFS=.
308 set $ac_src
309@@ -91288,7 +91507,7 @@
310 incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
311 http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
312 var_unserializer.c ftok.c sha1.c user_filters.c uuencode.c \
313- filters.c proc_open.c sunfuncs.c streamsfuncs.c http.c; do
314+ filters.c proc_open.c sunfuncs.c streamsfuncs.c http.c sha256.c crypt_blowfish.c ; do
315
316 IFS=.
317 set $ac_src
318@@ -91480,7 +91699,7 @@
319 incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
320 http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
321 var_unserializer.c ftok.c sha1.c user_filters.c uuencode.c \
322- filters.c proc_open.c sunfuncs.c streamsfuncs.c http.c; do
323+ filters.c proc_open.c sunfuncs.c streamsfuncs.c http.c sha256.c crypt_blowfish.c ; do
324
325 IFS=.
326 set $ac_src
327@@ -91535,7 +91754,7 @@
328 incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
329 http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
330 var_unserializer.c ftok.c sha1.c user_filters.c uuencode.c \
331- filters.c proc_open.c sunfuncs.c streamsfuncs.c http.c; do
332+ filters.c proc_open.c sunfuncs.c streamsfuncs.c http.c sha256.c crypt_blowfish.c ; do
333
334 IFS=.
335 set $ac_src
336@@ -95503,6 +95722,265 @@
337 fi
338
339
340+echo $ac_n "checking whether to enable Hardening-Patch's variable filter""... $ac_c" 1>&6
341+echo "configure:82041: checking whether to enable Hardening-Patch's variable filter" >&5
342+# Check whether --enable-varfilter or --disable-varfilter was given.
343+if test "${enable_varfilter+set}" = set; then
344+ enableval="$enable_varfilter"
345+ PHP_VARFILTER=$enableval
346+else
347+
348+ PHP_VARFILTER=yes
349+
350+ if test "$PHP_ENABLE_ALL" && test "yes" = "yes"; then
351+ PHP_VARFILTER=$PHP_ENABLE_ALL
352+ fi
353+
354+fi
355+
356+
357+
358+ext_output="yes, shared"
359+ext_shared=yes
360+case $PHP_VARFILTER in
361+shared,*)
362+ PHP_VARFILTER=`echo "$PHP_VARFILTER"|sed 's/^shared,//'`
363+ ;;
364+shared)
365+ PHP_VARFILTER=yes
366+ ;;
367+no)
368+ ext_output=no
369+ ext_shared=no
370+ ;;
371+*)
372+ ext_output=yes
373+ ext_shared=no
374+ ;;
375+esac
376+
377+
378+
379+echo "$ac_t""$ext_output" 1>&6
380+
381+
382+
383+
384+if test "$PHP_VARFILTER" != "no"; then
385+ cat >> confdefs.h <<\EOF
386+#define HAVE_VARFILTER 1
387+EOF
388+
389+
390+ ext_builddir=ext/varfilter
391+ ext_srcdir=$abs_srcdir/ext/varfilter
392+
393+ ac_extra=
394+
395+ if test "$ext_shared" != "shared" && test "$ext_shared" != "yes" && test "" != "cli"; then
396+
397+
398+
399+ case ext/varfilter in
400+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
401+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
402+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
403+ esac
404+
405+
406+
407+ b_c_pre=$php_c_pre
408+ b_cxx_pre=$php_cxx_pre
409+ b_c_meta=$php_c_meta
410+ b_cxx_meta=$php_cxx_meta
411+ b_c_post=$php_c_post
412+ b_cxx_post=$php_cxx_post
413+ b_lo=$php_lo
414+
415+
416+ old_IFS=$IFS
417+ for ac_src in varfilter.c; do
418+
419+ IFS=.
420+ set $ac_src
421+ ac_obj=$1
422+ IFS=$old_IFS
423+
424+ PHP_GLOBAL_OBJS="$PHP_GLOBAL_OBJS $ac_bdir$ac_obj.lo"
425+
426+ case $ac_src in
427+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
428+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
429+ esac
430+
431+ cat >>Makefile.objects<<EOF
432+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
433+ $ac_comp
434+EOF
435+ done
436+
437+
438+ EXT_STATIC="$EXT_STATIC varfilter"
439+ if test "$ext_shared" != "nocli"; then
440+ EXT_CLI_STATIC="$EXT_CLI_STATIC varfilter"
441+ fi
442+ else
443+ if test "$ext_shared" = "shared" || test "$ext_shared" = "yes"; then
444+
445+ case ext/varfilter in
446+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
447+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
448+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
449+ esac
450+
451+
452+
453+ b_c_pre=$shared_c_pre
454+ b_cxx_pre=$shared_cxx_pre
455+ b_c_meta=$shared_c_meta
456+ b_cxx_meta=$shared_cxx_meta
457+ b_c_post=$shared_c_post
458+ b_cxx_post=$shared_cxx_post
459+ b_lo=$shared_lo
460+
461+
462+ old_IFS=$IFS
463+ for ac_src in varfilter.c; do
464+
465+ IFS=.
466+ set $ac_src
467+ ac_obj=$1
468+ IFS=$old_IFS
469+
470+ shared_objects_varfilter="$shared_objects_varfilter $ac_bdir$ac_obj.lo"
471+
472+ case $ac_src in
473+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
474+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
475+ esac
476+
477+ cat >>Makefile.objects<<EOF
478+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
479+ $ac_comp
480+EOF
481+ done
482+
483+
484+ install_modules="install-modules"
485+ PHP_MODULES="$PHP_MODULES \$(phplibdir)/varfilter.la"
486+
487+ PHP_VAR_SUBST="$PHP_VAR_SUBST shared_objects_varfilter"
488+
489+ cat >>Makefile.objects<<EOF
490+\$(phplibdir)/varfilter.la: $ext_builddir/varfilter.la
491+ \$(LIBTOOL) --mode=install cp $ext_builddir/varfilter.la \$(phplibdir)
492+
493+$ext_builddir/varfilter.la: \$(shared_objects_varfilter) \$(VARFILTER_SHARED_DEPENDENCIES)
494+ \$(LIBTOOL) --mode=link \$(CC) \$(COMMON_FLAGS) \$(CFLAGS_CLEAN) \$(EXTRA_CFLAGS) \$(LDFLAGS) -o \$@ -export-dynamic -avoid-version -prefer-pic -module -rpath \$(phplibdir) \$(EXTRA_LDFLAGS) \$(shared_objects_varfilter) \$(VARFILTER_SHARED_LIBADD)
495+
496+EOF
497+
498+ cat >> confdefs.h <<EOF
499+#define COMPILE_DL_VARFILTER 1
500+EOF
501+
502+ fi
503+ fi
504+
505+ if test "$ext_shared" != "shared" && test "$ext_shared" != "yes" && test "" = "cli"; then
506+ if test "$PHP_SAPI" = "cgi"; then
507+
508+
509+ case ext/varfilter in
510+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
511+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
512+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
513+ esac
514+
515+
516+
517+ b_c_pre=$php_c_pre
518+ b_cxx_pre=$php_cxx_pre
519+ b_c_meta=$php_c_meta
520+ b_cxx_meta=$php_cxx_meta
521+ b_c_post=$php_c_post
522+ b_cxx_post=$php_cxx_post
523+ b_lo=$php_lo
524+
525+
526+ old_IFS=$IFS
527+ for ac_src in varfilter.c; do
528+
529+ IFS=.
530+ set $ac_src
531+ ac_obj=$1
532+ IFS=$old_IFS
533+
534+ PHP_GLOBAL_OBJS="$PHP_GLOBAL_OBJS $ac_bdir$ac_obj.lo"
535+
536+ case $ac_src in
537+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
538+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
539+ esac
540+
541+ cat >>Makefile.objects<<EOF
542+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
543+ $ac_comp
544+EOF
545+ done
546+
547+
548+ EXT_STATIC="$EXT_STATIC varfilter"
549+ else
550+
551+
552+ case ext/varfilter in
553+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
554+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
555+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
556+ esac
557+
558+
559+
560+ b_c_pre=$php_c_pre
561+ b_cxx_pre=$php_cxx_pre
562+ b_c_meta=$php_c_meta
563+ b_cxx_meta=$php_cxx_meta
564+ b_c_post=$php_c_post
565+ b_cxx_post=$php_cxx_post
566+ b_lo=$php_lo
567+
568+
569+ old_IFS=$IFS
570+ for ac_src in varfilter.c; do
571+
572+ IFS=.
573+ set $ac_src
574+ ac_obj=$1
575+ IFS=$old_IFS
576+
577+ PHP_CLI_OBJS="$PHP_CLI_OBJS $ac_bdir$ac_obj.lo"
578+
579+ case $ac_src in
580+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
581+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
582+ esac
583+
584+ cat >>Makefile.objects<<EOF
585+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
586+ $ac_comp
587+EOF
588+ done
589+
590+
591+ fi
592+ EXT_CLI_STATIC="$EXT_CLI_STATIC varfilter"
593+ fi
594+
595+ BUILD_DIR="$BUILD_DIR $ext_builddir"
596+
597+
598+fi
599
600
601 echo $ac_n "checking whether to enable WDDX support""... $ac_c" 1>&6
602@@ -106554,7 +107032,7 @@
603 php_ini.c SAPI.c rfc1867.c php_content_types.c strlcpy.c \
604 strlcat.c mergesort.c reentrancy.c php_variables.c php_ticks.c \
605 network.c php_open_temporary_file.c php_logos.c \
606- output.c ; do
607+ output.c hardening_patch.c ; do
608
609 IFS=.
610 set $ac_src
611@@ -106795,7 +107273,7 @@
612 zend_variables.c zend.c zend_API.c zend_extensions.c zend_hash.c \
613 zend_list.c zend_indent.c zend_builtin_functions.c zend_sprintf.c \
614 zend_ini.c zend_qsort.c zend_multibyte.c zend_ts_hash.c zend_stream.c \
615- zend_iterators.c zend_interfaces.c zend_exceptions.c zend_strtod.c; do
616+ zend_iterators.c zend_interfaces.c zend_exceptions.c zend_strtod.c zend_canary.c; do
617
618 IFS=.
619 set $ac_src
620diff -Nura php-5.0.5/configure.in hardening-patch-5.0.5-0.4.3/configure.in
621--- php-5.0.5/configure.in 2005-09-05 12:41:12.000000000 +0200
622+++ hardening-patch-5.0.5-0.4.3/configure.in 2005-09-11 23:30:52.000000000 +0200
623@@ -247,7 +247,7 @@
624 sinclude(Zend/acinclude.m4)
625 sinclude(Zend/Zend.m4)
626 sinclude(TSRM/tsrm.m4)
627-
628+sinclude(main/hardening_patch.m4)
629
630
631 divert(2)
632@@ -631,6 +631,7 @@
633 AC_FUNC_ALLOCA
634 dnl PHP_AC_BROKEN_SPRINTF
635 dnl PHP_AC_BROKEN_SNPRINTF
636+PHP_AC_BROKEN_REALPATH
637 PHP_DECLARED_TIMEZONE
638 PHP_TIME_R_TYPE
639 PHP_READDIR_R_TYPE
640@@ -1284,7 +1285,7 @@
641 php_ini.c SAPI.c rfc1867.c php_content_types.c strlcpy.c \
642 strlcat.c mergesort.c reentrancy.c php_variables.c php_ticks.c \
643 network.c php_open_temporary_file.c php_logos.c \
644- output.c )
645+ output.c hardening_patch.c )
646
647 PHP_ADD_SOURCES(main/streams, streams.c cast.c memory.c filter.c \
648 plain_wrapper.c userspace.c transports.c xp_socket.c mmap.c)
649@@ -1311,7 +1312,7 @@
650 zend_variables.c zend.c zend_API.c zend_extensions.c zend_hash.c \
651 zend_list.c zend_indent.c zend_builtin_functions.c zend_sprintf.c \
652 zend_ini.c zend_qsort.c zend_multibyte.c zend_ts_hash.c zend_stream.c \
653- zend_iterators.c zend_interfaces.c zend_exceptions.c zend_strtod.c)
654+ zend_iterators.c zend_interfaces.c zend_exceptions.c zend_strtod.c zend_canary.c )
655
656 if test -r "$abs_srcdir/Zend/zend_objects.c"; then
657 PHP_ADD_SOURCES(Zend, zend_objects.c zend_object_handlers.c zend_objects_API.c zend_mm.c \
658diff -Nura php-5.0.5/ext/fbsql/php_fbsql.c hardening-patch-5.0.5-0.4.3/ext/fbsql/php_fbsql.c
659--- php-5.0.5/ext/fbsql/php_fbsql.c 2005-02-09 20:32:45.000000000 +0100
660+++ hardening-patch-5.0.5-0.4.3/ext/fbsql/php_fbsql.c 2005-09-11 23:30:52.000000000 +0200
661@@ -1852,8 +1852,24 @@
662 }
663 else if (fbcmdErrorsFound(md))
664 {
665+#if HARDENING_PATCH
666+ char* query_copy;
667+ int i;
668+#endif
669 FBCErrorMetaData* emd = fbcdcErrorMetaData(c, md);
670 char* emg = fbcemdAllErrorMessages(emd);
671+#if HARDENING_PATCH
672+ query_copy=estrdup(query_copy);
673+ for (i=0; query_copy[i]; i++) if (query_copy[i]<32) query_copy[i]='.';
674+ php_security_log(S_SQL, "fbsql error: %s - query: %s", emg, query_copy);
675+ efree(query_copy);
676+ if (HG(hphp_sql_bailout_on_error)) {
677+ free(emg);
678+ fbcemdRelease(emd);
679+ result = 0;
680+ zend_bailout();
681+ }
682+#endif
683 if (FB_SQL_G(generateWarnings))
684 {
685 if (emg)
686diff -Nura php-5.0.5/ext/mysql/php_mysql.c hardening-patch-5.0.5-0.4.3/ext/mysql/php_mysql.c
687--- php-5.0.5/ext/mysql/php_mysql.c 2005-04-08 00:23:28.000000000 +0200
688+++ hardening-patch-5.0.5-0.4.3/ext/mysql/php_mysql.c 2005-09-11 23:30:52.000000000 +0200
689@@ -1224,6 +1224,8 @@
690 {
691 php_mysql_conn *mysql;
692 MYSQL_RES *mysql_result;
693+ char *copy_query;
694+ int i;
695
696 ZEND_FETCH_RESOURCE2(mysql, php_mysql_conn *, mysql_link, link_id, "MySQL-Link", le_link, le_plink);
697
698@@ -1274,6 +1276,13 @@
699 php_error_docref("http://www.mysql.com/doc" TSRMLS_CC, E_WARNING, "%s", mysql_error(&mysql->conn));
700 }
701 }
702+ copy_query = estrdup(Z_STRVAL_PP(query));
703+ for (i=0; copy_query[i]; i++) if (copy_query[i] < 32) copy_query[i]='.';
704+ php_security_log(S_SQL, "MySQL error: %s - query: %s", mysql_error(&mysql->conn), copy_query);
705+ efree(copy_query);
706+ if (HG(hphp_sql_bailout_on_error)) {
707+ zend_bailout();
708+ }
709 RETURN_FALSE;
710 }
711 #else
712@@ -1284,6 +1293,13 @@
713 php_error_docref("http://www.mysql.com/doc" TSRMLS_CC, E_WARNING, "%s", mysql_error(&mysql->conn));
714 }
715 }
716+ copy_query = estrdup(Z_STRVAL_PP(query));
717+ for (i=0; copy_query[i]; i++) if (copy_query[i] < 32) copy_query[i]='.';
718+ php_security_log(S_SQL, "MySQL error: %s - query: %s", mysql_error(&mysql->conn), copy_query);
719+ efree(copy_query);
720+ if (HG(hphp_sql_bailout_on_error)) {
721+ zend_bailout();
722+ }
723 RETURN_FALSE;
724 }
725 #endif
726diff -Nura php-5.0.5/ext/mysqli/mysqli_nonapi.c hardening-patch-5.0.5-0.4.3/ext/mysqli/mysqli_nonapi.c
727--- php-5.0.5/ext/mysqli/mysqli_nonapi.c 2005-08-06 18:56:06.000000000 +0200
728+++ hardening-patch-5.0.5-0.4.3/ext/mysqli/mysqli_nonapi.c 2005-09-11 23:30:52.000000000 +0200
729@@ -229,6 +229,17 @@
730 if (mysql_real_query(mysql->mysql, query, query_len)) {
731 char s_error[MYSQL_ERRMSG_SIZE], s_sqlstate[SQLSTATE_LENGTH+1];
732 unsigned int s_errno;
733+#if HARDENING_PATCH
734+ char *query_copy = estrdup(query);
735+ int i;
736+
737+ for (i=0; query_copy[i]; i++) if (query_copy[i]<32) query_copy[i]='.';
738+ php_security_log(S_SQL, "MySQLi error: %s - query: %s", mysql->mysql->net.last_errno, query_copy);
739+ efree(query_copy);
740+ if (HG(hphp_sql_bailout_on_error)) {
741+ zend_bailout();
742+ }
743+#endif
744 MYSQLI_REPORT_MYSQL_ERROR(mysql->mysql);
745
746 /* we have to save error information, cause
747@@ -278,6 +289,17 @@
748 MYSQLI_DISABLE_MQ;
749
750 if (mysql_real_query(mysql->mysql, query, query_len)) {
751+#if HARDENING_PATCH
752+ char *query_copy = estrdup(query);
753+ int i;
754+
755+ for (i=0; query_copy[i]; i++) if (query_copy[i]<32) query_copy[i]='.';
756+ php_security_log(S_SQL, "MySQLi error: %s - query: %s", mysql->mysql->net.last_errno, query_copy);
757+ efree(query_copy);
758+ if (HG(hphp_sql_bailout_on_error)) {
759+ zend_bailout();
760+ }
761+#endif
762 MYSQLI_REPORT_MYSQL_ERROR(mysql->mysql);
763 RETURN_FALSE;
764 }
765diff -Nura php-5.0.5/ext/pgsql/pgsql.c hardening-patch-5.0.5-0.4.3/ext/pgsql/pgsql.c
766--- php-5.0.5/ext/pgsql/pgsql.c 2005-07-05 14:47:06.000000000 +0200
767+++ hardening-patch-5.0.5-0.4.3/ext/pgsql/pgsql.c 2005-09-11 23:30:52.000000000 +0200
768@@ -1080,10 +1080,28 @@
769 case PGRES_EMPTY_QUERY:
770 case PGRES_BAD_RESPONSE:
771 case PGRES_NONFATAL_ERROR:
772- case PGRES_FATAL_ERROR:
773- PHP_PQ_ERROR("Query failed: %s", pgsql);
774- PQclear(pgsql_result);
775- RETURN_FALSE;
776+ case PGRES_FATAL_ERROR:
777+ {
778+#if HARDENING_PATCH
779+ int i;
780+ char *query_copy;
781+#endif
782+ char *msgbuf = _php_pgsql_trim_message(PQerrorMessage(pgsql), NULL);
783+ PQclear(pgsql_result);
784+#if HARDENING_PATCH
785+ query_copy = estrdup(Z_STRVAL_PP(query));
786+ for (i=0; query_copy[i]; i++) if (query_copy[i]<32) query_copy[i]='.';
787+ php_security_log(S_SQL, "PgSQL error: %s - query: %s", msgbuf, query_copy);
788+ efree(query_copy);
789+ if (HG(hphp_sql_bailout_on_error)) {
790+ efree(msgbuf);
791+ zend_bailout();
792+ }
793+#endif
794+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Query failed: %s", msgbuf);
795+ efree(msgbuf);
796+ RETURN_FALSE;
797+ }
798 break;
799 case PGRES_COMMAND_OK: /* successful command that did not return rows */
800 default:
801diff -Nura php-5.0.5/ext/sqlite/sqlite.c hardening-patch-5.0.5-0.4.3/ext/sqlite/sqlite.c
802--- php-5.0.5/ext/sqlite/sqlite.c 2005-06-07 17:38:37.000000000 +0200
803+++ hardening-patch-5.0.5-0.4.3/ext/sqlite/sqlite.c 2005-09-11 23:30:52.000000000 +0200
804@@ -1481,6 +1481,19 @@
805 db->last_err_code = ret;
806
807 if (ret != SQLITE_OK) {
808+#if HARDENING_PATCH
809+ char *query_copy;
810+ int i;
811+
812+ query_copy = estrdup(sql);
813+ for (i=0; query_copy[i]; i++) if (query_copy[i]<32) query_copy[i]='.';
814+ php_security_log(S_SQL, "SQLite error: %s - query: %s", errtext, query_copy);
815+ efree(query_copy);
816+ if (HG(hphp_sql_bailout_on_error)) {
817+ sqlite_freemem(errtext);
818+ zend_bailout();
819+ }
820+#endif
821 php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s", errtext);
822 sqlite_freemem(errtext);
823 goto terminate;
824diff -Nura php-5.0.5/ext/standard/array.c hardening-patch-5.0.5-0.4.3/ext/standard/array.c
825--- php-5.0.5/ext/standard/array.c 2005-09-01 14:01:01.000000000 +0200
826+++ hardening-patch-5.0.5-0.4.3/ext/standard/array.c 2005-09-11 23:30:52.000000000 +0200
827@@ -1283,6 +1283,32 @@
828 }
829 }
830 }
831+
832+ if (var_name[0] == 'H') {
833+ if ((strcmp(var_name, "HTTP_GET_VARS")==0)||
834+ (strcmp(var_name, "HTTP_POST_VARS")==0)||
835+ (strcmp(var_name, "HTTP_POST_FILES")==0)||
836+ (strcmp(var_name, "HTTP_ENV_VARS")==0)||
837+ (strcmp(var_name, "HTTP_SERVER_VARS")==0)||
838+ (strcmp(var_name, "HTTP_SESSION_VARS")==0)||
839+ (strcmp(var_name, "HTTP_COOKIE_VARS")==0)||
840+ (strcmp(var_name, "HTTP_RAW_POST_DATA")==0)) {
841+ return 0;
842+ }
843+ } else if (var_name[0] == '_') {
844+ if ((strcmp(var_name, "_COOKIE")==0)||
845+ (strcmp(var_name, "_ENV")==0)||
846+ (strcmp(var_name, "_FILES")==0)||
847+ (strcmp(var_name, "_GET")==0)||
848+ (strcmp(var_name, "_POST")==0)||
849+ (strcmp(var_name, "_REQUEST")==0)||
850+ (strcmp(var_name, "_SESSION")==0)||
851+ (strcmp(var_name, "_SERVER")==0)) {
852+ return 0;
853+ }
854+ } else if (strcmp(var_name, "GLOBALS")==0) {
855+ return 0;
856+ }
857
858 return 1;
859 }
860diff -Nura php-5.0.5/ext/standard/basic_functions.c hardening-patch-5.0.5-0.4.3/ext/standard/basic_functions.c
861--- php-5.0.5/ext/standard/basic_functions.c 2005-08-21 20:36:33.000000000 +0200
862+++ hardening-patch-5.0.5-0.4.3/ext/standard/basic_functions.c 2005-09-11 23:30:52.000000000 +0200
863@@ -142,12 +142,14 @@
864 typedef struct _php_shutdown_function_entry {
865 zval **arguments;
866 int arg_count;
867+ zend_bool created_by_eval;
868 } php_shutdown_function_entry;
869
870 typedef struct _user_tick_function_entry {
871 zval **arguments;
872 int arg_count;
873 int calling;
874+ zend_bool created_by_eval;
875 } user_tick_function_entry;
876
877 /* some prototypes for local functions */
878@@ -189,6 +191,8 @@
879 PHP_FE(get_html_translation_table, NULL)
880 PHP_FE(sha1, NULL)
881 PHP_FE(sha1_file, NULL)
882+ PHP_FE(sha256, NULL)
883+ PHP_FE(sha256_file, NULL)
884 PHP_NAMED_FE(md5,php_if_md5, NULL)
885 PHP_NAMED_FE(md5_file,php_if_md5_file, NULL)
886 PHP_NAMED_FE(crc32,php_if_crc32, NULL)
887@@ -616,7 +620,7 @@
888 PHP_FALIAS(socket_get_status, stream_get_meta_data, NULL)
889
890 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
891- PHP_FE(realpath, NULL)
892+ PHP_STATIC_FE("realpath", zif_real_path, NULL)
893 #endif
894
895 #ifdef HAVE_FNMATCH
896@@ -2095,6 +2099,13 @@
897 {
898 zval retval;
899 char *function_name = NULL;
900+#if HARDENING_PATCH
901+ zend_uint orig_code_type = EG(in_code_type);
902+
903+ if (shutdown_function_entry->created_by_eval) {
904+ EG(in_code_type) = ZEND_EVAL_CODE;
905+ }
906+#endif
907
908 if (!zend_is_callable(shutdown_function_entry->arguments[0], 0, &function_name)) {
909 php_error(E_WARNING, "(Registered shutdown functions) Unable to call %s() - function does not exist", function_name);
910@@ -2110,6 +2121,9 @@
911 if (function_name) {
912 efree(function_name);
913 }
914+#if HARDENING_PATCH
915+ EG(in_code_type) = orig_code_type;
916+#endif
917 return 0;
918 }
919
920@@ -2117,6 +2131,13 @@
921 {
922 zval retval;
923 zval *function = tick_fe->arguments[0];
924+#if HARDENING_PATCH
925+ zend_uint orig_code_type = EG(in_code_type);
926+
927+ if (tick_fe->created_by_eval) {
928+ EG(in_code_type) = ZEND_EVAL_CODE;
929+ }
930+#endif
931
932 /* Prevent reentrant calls to the same user ticks function */
933 if (! tick_fe->calling) {
934@@ -2148,6 +2169,9 @@
935
936 tick_fe->calling = 0;
937 }
938+#if HARDENING_PATCH
939+ EG(in_code_type) = orig_code_type;
940+#endif
941 }
942
943 static void run_user_tick_functions(int tick_count)
944@@ -2211,6 +2235,13 @@
945 }
946
947 shutdown_function_entry.arguments = (zval **) safe_emalloc(sizeof(zval *), shutdown_function_entry.arg_count, 0);
948+#if HARDENING_PATCH
949+ if (EG(in_code_type)==ZEND_EVAL_CODE) {
950+ shutdown_function_entry.created_by_eval = 1;
951+ } else {
952+ shutdown_function_entry.created_by_eval = 0;
953+ }
954+#endif
955
956 if (zend_get_parameters_array(ht, shutdown_function_entry.arg_count, shutdown_function_entry.arguments) == FAILURE) {
957 RETURN_FALSE;
958@@ -2794,6 +2825,13 @@
959 }
960
961 tick_fe.arguments = (zval **) safe_emalloc(sizeof(zval *), tick_fe.arg_count, 0);
962+#if HARDENING_PATCH
963+ if (EG(in_code_type)==ZEND_EVAL_CODE) {
964+ tick_fe.created_by_eval = 1;
965+ } else {
966+ tick_fe.created_by_eval = 0;
967+ }
968+#endif
969
970 if (zend_get_parameters_array(ht, tick_fe.arg_count, tick_fe.arguments) == FAILURE) {
971 RETURN_FALSE;
972@@ -3082,6 +3120,35 @@
973 memcpy(new_key, prefix, prefix_len);
974 memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
975
976+ if (new_key[0] == 'H') {
977+ if ((strcmp(new_key, "HTTP_GET_VARS")==0)||
978+ (strcmp(new_key, "HTTP_POST_VARS")==0)||
979+ (strcmp(new_key, "HTTP_POST_FILES")==0)||
980+ (strcmp(new_key, "HTTP_ENV_VARS")==0)||
981+ (strcmp(new_key, "HTTP_SERVER_VARS")==0)||
982+ (strcmp(new_key, "HTTP_SESSION_VARS")==0)||
983+ (strcmp(new_key, "HTTP_COOKIE_VARS")==0)||
984+ (strcmp(new_key, "HTTP_RAW_POST_DATA")==0)) {
985+ efree(new_key);
986+ return 0;
987+ }
988+ } else if (new_key[0] == '_') {
989+ if ((strcmp(new_key, "_COOKIE")==0)||
990+ (strcmp(new_key, "_ENV")==0)||
991+ (strcmp(new_key, "_FILES")==0)||
992+ (strcmp(new_key, "_GET")==0)||
993+ (strcmp(new_key, "_POST")==0)||
994+ (strcmp(new_key, "_REQUEST")==0)||
995+ (strcmp(new_key, "_SESSION")==0)||
996+ (strcmp(new_key, "_SERVER")==0)) {
997+ efree(new_key);
998+ return 0;
999+ }
1000+ } else if (strcmp(new_key, "GLOBALS")==0) {
1001+ efree(new_key);
1002+ return 0;
1003+ }
1004+
1005 zend_hash_del(&EG(symbol_table), new_key, new_key_len);
1006 ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0);
1007
1008diff -Nura php-5.0.5/ext/standard/config.m4 hardening-patch-5.0.5-0.4.3/ext/standard/config.m4
1009--- php-5.0.5/ext/standard/config.m4 2004-12-30 08:04:11.000000000 +0100
1010+++ hardening-patch-5.0.5-0.4.3/ext/standard/config.m4 2005-09-11 23:30:52.000000000 +0200
1011@@ -187,7 +187,7 @@
1012 if test "$ac_cv_crypt_blowfish" = "yes"; then
1013 ac_result=1
1014 else
1015- ac_result=0
1016+ ac_result=1
1017 fi
1018 AC_DEFINE_UNQUOTED(PHP_BLOWFISH_CRYPT, $ac_result, [Whether the system supports BlowFish salt])
1019 ])
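Review bot: Both branches of the `if test "$ac_cv_crypt_blowfish" = "yes"` now assign `ac_result=1`, so the conditional is dead and the `ac_cv_crypt_blowfish` probe above it no longer influences anything, which reads like a mistake rather than a decision. If the intent is that the bundled crypt_blowfish.c always provides `$2a$` support regardless of the system crypt(), replace the whole if/else with `ac_result=1` preceded by `dnl bcrypt is always available: the bundled crypt_blowfish.c is used instead of the system crypt()`, so the next reader does not try to "fix" the probe.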
1020@@ -469,6 +469,6 @@
1021 incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
1022 http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
1023 var_unserializer.c ftok.c sha1.c user_filters.c uuencode.c \
1024- filters.c proc_open.c sunfuncs.c streamsfuncs.c http.c)
1025+ filters.c proc_open.c sunfuncs.c streamsfuncs.c http.c sha256.c crypt_blowfish.c )
1026
1027 PHP_ADD_MAKEFILE_FRAGMENT
1028diff -Nura php-5.0.5/ext/standard/config.w32 hardening-patch-5.0.5-0.4.3/ext/standard/config.w32
1029--- php-5.0.5/ext/standard/config.w32 2003-12-06 17:04:33.000000000 +0100
1030+++ hardening-patch-5.0.5-0.4.3/ext/standard/config.w32 2005-09-11 23:30:52.000000000 +0200
1031@@ -14,5 +14,5 @@
1032 url_scanner_ex.c ftp_fopen_wrapper.c http_fopen_wrapper.c \
1033 php_fopen_wrapper.c credits.c css.c var_unserializer.c ftok.c sha1.c \
1034 user_filters.c uuencode.c filters.c proc_open.c sunfuncs.c \
1035- streamsfuncs.c http.c", false /* never shared */);
1036+ streamsfuncs.c http.c sha256.c crypt_blowfish.c", false /* never shared */);
1037
1038diff -Nura php-5.0.5/ext/standard/crypt_blowfish.c hardening-patch-5.0.5-0.4.3/ext/standard/crypt_blowfish.c
1039--- php-5.0.5/ext/standard/crypt_blowfish.c 1970-01-01 01:00:00.000000000 +0100
1040+++ hardening-patch-5.0.5-0.4.3/ext/standard/crypt_blowfish.c 2005-09-11 23:30:52.000000000 +0200
1041@@ -0,0 +1,748 @@
1042+/*
1043+ * This code comes from John the Ripper password cracker, with reentrant
1044+ * and crypt(3) interfaces added, but optimizations specific to password
1045+ * cracking removed.
1046+ *
1047+ * Written by Solar Designer <solar at openwall.com> in 1998-2002 and
1048+ * placed in the public domain.
1049+ *
1050+ * There's absolutely no warranty.
1051+ *
1052+ * It is my intent that you should be able to use this on your system,
1053+ * as a part of a software package, or anywhere else to improve security,
1054+ * ensure compatibility, or for any other purpose. I would appreciate
1055+ * it if you give credit where it is due and keep your modifications in
1056+ * the public domain as well, but I don't require that in order to let
1057+ * you place this code and any modifications you make under a license
1058+ * of your choice.
1059+ *
1060+ * This implementation is compatible with OpenBSD bcrypt.c (version 2a)
1061+ * by Niels Provos <provos at citi.umich.edu>, and uses some of his
1062+ * ideas. The password hashing algorithm was designed by David Mazieres
1063+ * <dm at lcs.mit.edu>.
1064+ *
1065+ * There's a paper on the algorithm that explains its design decisions:
1066+ *
1067+ * http://www.usenix.org/events/usenix99/provos.html
1068+ *
1069+ * Some of the tricks in BF_ROUND might be inspired by Eric Young's
1070+ * Blowfish library (I can't be sure if I would think of something if I
1071+ * hadn't seen his code).
1072+ */
1073+
1074+#include <string.h>
1075+
1076+#include <errno.h>
1077+#ifndef __set_errno
1078+#define __set_errno(val) errno = (val)
1079+#endif
1080+
1081+#undef __CONST
1082+#ifdef __GNUC__
1083+#define __CONST __const
1084+#else
1085+#define __CONST
1086+#endif
1087+
1088+#ifdef __i386__
1089+#define BF_ASM 0
1090+#define BF_SCALE 1
1091+#elif defined(__alpha__) || defined(__hppa__)
1092+#define BF_ASM 0
1093+#define BF_SCALE 1
1094+#else
1095+#define BF_ASM 0
1096+#define BF_SCALE 0
1097+#endif
1098+
1099+typedef unsigned int BF_word;
1100+
1101+/* Number of Blowfish rounds, this is also hardcoded into a few places */
1102+#define BF_N 16
1103+
1104+typedef BF_word BF_key[BF_N + 2];
1105+
1106+typedef struct {
1107+ BF_word S[4][0x100];
1108+ BF_key P;
1109+} BF_ctx;
1110+
1111+/*
1112+ * Magic IV for 64 Blowfish encryptions that we do at the end.
1113+ * The string is "OrpheanBeholderScryDoubt" on big-endian.
1114+ */
1115+static BF_word BF_magic_w[6] = {
1116+ 0x4F727068, 0x65616E42, 0x65686F6C,
1117+ 0x64657253, 0x63727944, 0x6F756274
1118+};
1119+
1120+/*
1121+ * P-box and S-box tables initialized with digits of Pi.
1122+ */
1123+static BF_ctx BF_init_state = {
1124+ {
1125+ {
1126+ 0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7,
1127+ 0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99,
1128+ 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16,
1129+ 0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e,
1130+ 0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee,
1131+ 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013,
1132+ 0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef,
1133+ 0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e,
1134+ 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60,
1135+ 0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440,
1136+ 0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce,
1137+ 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a,
1138+ 0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e,
1139+ 0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677,
1140+ 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193,
1141+ 0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032,
1142+ 0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88,
1143+ 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239,
1144+ 0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e,
1145+ 0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0,
1146+ 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3,
1147+ 0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98,
1148+ 0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88,
1149+ 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe,
1150+ 0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6,
1151+ 0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d,
1152+ 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b,
1153+ 0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7,
1154+ 0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba,
1155+ 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463,
1156+ 0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f,
1157+ 0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09,
1158+ 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3,
1159+ 0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb,
1160+ 0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279,
1161+ 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8,
1162+ 0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab,
1163+ 0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82,
1164+ 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db,
1165+ 0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573,
1166+ 0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0,
1167+ 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b,
1168+ 0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790,
1169+ 0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8,
1170+ 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4,
1171+ 0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0,
1172+ 0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7,
1173+ 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c,
1174+ 0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad,
1175+ 0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1,
1176+ 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299,
1177+ 0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9,
1178+ 0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477,
1179+ 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf,
1180+ 0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49,
1181+ 0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af,
1182+ 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa,
1183+ 0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5,
1184+ 0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41,
1185+ 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915,
1186+ 0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400,
1187+ 0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915,
1188+ 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664,
1189+ 0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a
1190+ }, {
1191+ 0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623,
1192+ 0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266,
1193+ 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1,
1194+ 0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e,
1195+ 0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6,
1196+ 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1,
1197+ 0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e,
1198+ 0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1,
1199+ 0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737,
1200+ 0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8,
1201+ 0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff,
1202+ 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd,
1203+ 0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701,
1204+ 0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7,
1205+ 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41,
1206+ 0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331,
1207+ 0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf,
1208+ 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af,
1209+ 0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e,
1210+ 0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87,
1211+ 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c,
1212+ 0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2,
1213+ 0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16,
1214+ 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd,
1215+ 0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b,
1216+ 0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509,
1217+ 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e,
1218+ 0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3,
1219+ 0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f,
1220+ 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a,
1221+ 0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4,
1222+ 0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960,
1223+ 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66,
1224+ 0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28,
1225+ 0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802,
1226+ 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84,
1227+ 0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510,
1228+ 0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf,
1229+ 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14,
1230+ 0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e,
1231+ 0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50,
1232+ 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7,
1233+ 0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8,
1234+ 0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281,
1235+ 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99,
1236+ 0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696,
1237+ 0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128,
1238+ 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73,
1239+ 0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0,
1240+ 0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0,
1241+ 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105,
1242+ 0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250,
1243+ 0xcf62a1f2, 0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3,
1244+ 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285,
1245+ 0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00,
1246+ 0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061,
1247+ 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb,
1248+ 0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e,
1249+ 0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735,
1250+ 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc,
1251+ 0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9,
1252+ 0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340,
1253+ 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20,
1254+ 0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7
1255+ }, {
1256+ 0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934,
1257+ 0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068,
1258+ 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af,
1259+ 0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840,
1260+ 0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45,
1261+ 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504,
1262+ 0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a,
1263+ 0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb,
1264+ 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee,
1265+ 0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6,
1266+ 0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42,
1267+ 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b,
1268+ 0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2,
1269+ 0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb,
1270+ 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527,
1271+ 0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b,
1272+ 0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33,
1273+ 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c,
1274+ 0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3,
1275+ 0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc,
1276+ 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17,
1277+ 0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564,
1278+ 0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b,
1279+ 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115,
1280+ 0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922,
1281+ 0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728,
1282+ 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0,
1283+ 0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e,
1284+ 0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37,
1285+ 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d,
1286+ 0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804,
1287+ 0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b,
1288+ 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3,
1289+ 0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb,
1290+ 0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d,
1291+ 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c,
1292+ 0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350,
1293+ 0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9,
1294+ 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a,
1295+ 0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe,
1296+ 0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d,
1297+ 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc,
1298+ 0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f,
1299+ 0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61,
1300+ 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2,
1301+ 0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9,
1302+ 0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2,
1303+ 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c,
1304+ 0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e,
1305+ 0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633,
1306+ 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10,
1307+ 0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169,
1308+ 0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52,
1309+ 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027,
1310+ 0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5,
1311+ 0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62,
1312+ 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634,
1313+ 0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76,
1314+ 0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24,
1315+ 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc,
1316+ 0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4,
1317+ 0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c,
1318+ 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837,
1319+ 0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0
1320+ }, {
1321+ 0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b,
1322+ 0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe,
1323+ 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b,
1324+ 0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4,
1325+ 0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8,
1326+ 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6,
1327+ 0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304,
1328+ 0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22,
1329+ 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4,
1330+ 0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6,
1331+ 0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9,
1332+ 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59,
1333+ 0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593,
1334+ 0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51,
1335+ 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28,
1336+ 0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c,
1337+ 0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b,
1338+ 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28,
1339+ 0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c,
1340+ 0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd,
1341+ 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a,
1342+ 0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319,
1343+ 0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb,
1344+ 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f,
1345+ 0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991,
1346+ 0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32,
1347+ 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680,
1348+ 0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166,
1349+ 0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae,
1350+ 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb,
1351+ 0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5,
1352+ 0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47,
1353+ 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370,
1354+ 0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d,
1355+ 0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84,
1356+ 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048,
1357+ 0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8,
1358+ 0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd,
1359+ 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9,
1360+ 0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7,
1361+ 0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38,
1362+ 0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f,
1363+ 0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c,
1364+ 0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 0x9b941525,
1365+ 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1,
1366+ 0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442,
1367+ 0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964,
1368+ 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e,
1369+ 0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8,
1370+ 0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d,
1371+ 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f,
1372+ 0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299,
1373+ 0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02,
1374+ 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc,
1375+ 0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614,
1376+ 0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a,
1377+ 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6,
1378+ 0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b,
1379+ 0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0,
1380+ 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060,
1381+ 0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e,
1382+ 0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9,
1383+ 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f,
1384+ 0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6
1385+ }
1386+ }, {
1387+ 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344,
1388+ 0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89,
1389+ 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c,
1390+ 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917,
1391+ 0x9216d5d9, 0x8979fb1b
1392+ }
1393+};
1394+
1395+static unsigned char BF_itoa64[64 + 1] =
1396+ "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
1397+
1398+static unsigned char BF_atoi64[0x60] = {
1399+ 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 0, 1,
1400+ 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 64, 64, 64, 64, 64,
1401+ 64, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
1402+ 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 64, 64, 64, 64, 64,
1403+ 64, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42,
1404+ 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 64, 64, 64, 64, 64
1405+};
1406+
1407+/*
1408+ * This may be optimized out if built with function inlining and no BF_ASM.
1409+ */
1410+static void clean(void *data, int size)
1411+{
1412+#if BF_ASM
1413+ extern void _BF_clean(void *data);
1414+#endif
1415+ memset(data, 0, size);
1416+#if BF_ASM
1417+ _BF_clean(data);
1418+#endif
1419+}
1420+
1421+#define BF_safe_atoi64(dst, src) \
1422+{ \
1423+ tmp = (unsigned char)(src); \
1424+ if (tmp == '$') break; \
1425+ if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \
1426+ tmp = BF_atoi64[tmp]; \
1427+ if (tmp > 63) return -1; \
1428+ (dst) = tmp; \
1429+}
1430+
1431+static int BF_decode(BF_word *dst, __CONST char *src, int size)
1432+{
1433+ unsigned char *dptr = (unsigned char *)dst;
1434+ unsigned char *end = dptr + size;
1435+ unsigned char *sptr = (unsigned char *)src;
1436+ unsigned int tmp, c1, c2, c3, c4;
1437+
1438+ do {
1439+ BF_safe_atoi64(c1, *sptr++);
1440+ BF_safe_atoi64(c2, *sptr++);
1441+ *dptr++ = (c1 << 2) | ((c2 & 0x30) >> 4);
1442+ if (dptr >= end) break;
1443+
1444+ BF_safe_atoi64(c3, *sptr++);
1445+ *dptr++ = ((c2 & 0x0F) << 4) | ((c3 & 0x3C) >> 2);
1446+ if (dptr >= end) break;
1447+
1448+ BF_safe_atoi64(c4, *sptr++);
1449+ *dptr++ = ((c3 & 0x03) << 6) | c4;
1450+ } while (dptr < end);
1451+
1452+ while (dptr < end)
1453+ *dptr++ = 0;
1454+
1455+ return 0;
1456+}
1457+
1458+static void BF_encode(char *dst, __CONST BF_word *src, int size)
1459+{
1460+ unsigned char *sptr = (unsigned char *)src;
1461+ unsigned char *end = sptr + size;
1462+ unsigned char *dptr = (unsigned char *)dst;
1463+ unsigned int c1, c2;
1464+
1465+ do {
1466+ c1 = *sptr++;
1467+ *dptr++ = BF_itoa64[c1 >> 2];
1468+ c1 = (c1 & 0x03) << 4;
1469+ if (sptr >= end) {
1470+ *dptr++ = BF_itoa64[c1];
1471+ break;
1472+ }
1473+
1474+ c2 = *sptr++;
1475+ c1 |= c2 >> 4;
1476+ *dptr++ = BF_itoa64[c1];
1477+ c1 = (c2 & 0x0f) << 2;
1478+ if (sptr >= end) {
1479+ *dptr++ = BF_itoa64[c1];
1480+ break;
1481+ }
1482+
1483+ c2 = *sptr++;
1484+ c1 |= c2 >> 6;
1485+ *dptr++ = BF_itoa64[c1];
1486+ *dptr++ = BF_itoa64[c2 & 0x3f];
1487+ } while (sptr < end);
1488+}
1489+
1490+static void BF_swap(BF_word *x, int count)
1491+{
1492+ static int endianness_check = 1;
1493+ char *is_little_endian = (char *)&endianness_check;
1494+ BF_word tmp;
1495+
1496+ if (*is_little_endian)
1497+ do {
1498+ tmp = *x;
1499+ tmp = (tmp << 16) | (tmp >> 16);
1500+ *x++ = ((tmp & 0x00FF00FF) << 8) | ((tmp >> 8) & 0x00FF00FF);
1501+ } while (--count);
1502+}
1503+
1504+#if BF_SCALE
1505+/* Architectures which can shift addresses left by 2 bits with no extra cost */
1506+#define BF_ROUND(L, R, N) \
1507+ tmp1 = L & 0xFF; \
1508+ tmp2 = L >> 8; \
1509+ tmp2 &= 0xFF; \
1510+ tmp3 = L >> 16; \
1511+ tmp3 &= 0xFF; \
1512+ tmp4 = L >> 24; \
1513+ tmp1 = data.ctx.S[3][tmp1]; \
1514+ tmp2 = data.ctx.S[2][tmp2]; \
1515+ tmp3 = data.ctx.S[1][tmp3]; \
1516+ tmp3 += data.ctx.S[0][tmp4]; \
1517+ tmp3 ^= tmp2; \
1518+ R ^= data.ctx.P[N + 1]; \
1519+ tmp3 += tmp1; \
1520+ R ^= tmp3;
1521+#else
1522+/* Architectures with no complicated addressing modes supported */
1523+#define BF_INDEX(S, i) \
1524+ (*((BF_word *)(((unsigned char *)S) + (i))))
1525+#define BF_ROUND(L, R, N) \
1526+ tmp1 = L & 0xFF; \
1527+ tmp1 <<= 2; \
1528+ tmp2 = L >> 6; \
1529+ tmp2 &= 0x3FC; \
1530+ tmp3 = L >> 14; \
1531+ tmp3 &= 0x3FC; \
1532+ tmp4 = L >> 22; \
1533+ tmp4 &= 0x3FC; \
1534+ tmp1 = BF_INDEX(data.ctx.S[3], tmp1); \
1535+ tmp2 = BF_INDEX(data.ctx.S[2], tmp2); \
1536+ tmp3 = BF_INDEX(data.ctx.S[1], tmp3); \
1537+ tmp3 += BF_INDEX(data.ctx.S[0], tmp4); \
1538+ tmp3 ^= tmp2; \
1539+ R ^= data.ctx.P[N + 1]; \
1540+ tmp3 += tmp1; \
1541+ R ^= tmp3;
1542+#endif
1543+
1544+/*
1545+ * Encrypt one block, BF_N is hardcoded here.
1546+ */
1547+#define BF_ENCRYPT \
1548+ L ^= data.ctx.P[0]; \
1549+ BF_ROUND(L, R, 0); \
1550+ BF_ROUND(R, L, 1); \
1551+ BF_ROUND(L, R, 2); \
1552+ BF_ROUND(R, L, 3); \
1553+ BF_ROUND(L, R, 4); \
1554+ BF_ROUND(R, L, 5); \
1555+ BF_ROUND(L, R, 6); \
1556+ BF_ROUND(R, L, 7); \
1557+ BF_ROUND(L, R, 8); \
1558+ BF_ROUND(R, L, 9); \
1559+ BF_ROUND(L, R, 10); \
1560+ BF_ROUND(R, L, 11); \
1561+ BF_ROUND(L, R, 12); \
1562+ BF_ROUND(R, L, 13); \
1563+ BF_ROUND(L, R, 14); \
1564+ BF_ROUND(R, L, 15); \
1565+ tmp4 = R; \
1566+ R = L; \
1567+ L = tmp4 ^ data.ctx.P[BF_N + 1];
1568+
1569+#if BF_ASM
1570+#define BF_body() \
1571+ _BF_body_r(&data.ctx);
1572+#else
1573+#define BF_body() \
1574+ L = R = 0; \
1575+ ptr = data.ctx.P; \
1576+ do { \
1577+ ptr += 2; \
1578+ BF_ENCRYPT; \
1579+ *(ptr - 2) = L; \
1580+ *(ptr - 1) = R; \
1581+ } while (ptr < &data.ctx.P[BF_N + 2]); \
1582+\
1583+ ptr = data.ctx.S[0]; \
1584+ do { \
1585+ ptr += 2; \
1586+ BF_ENCRYPT; \
1587+ *(ptr - 2) = L; \
1588+ *(ptr - 1) = R; \
1589+ } while (ptr < &data.ctx.S[3][0xFF]);
1590+#endif
1591+
1592+static void BF_set_key(__CONST char *key, BF_key expanded, BF_key initial)
1593+{
1594+ __CONST char *ptr = key;
1595+ int i, j;
1596+ BF_word tmp;
1597+
1598+ for (i = 0; i < BF_N + 2; i++) {
1599+ tmp = 0;
1600+ for (j = 0; j < 4; j++) {
1601+ tmp <<= 8;
1602+ tmp |= *ptr;
1603+
1604+ if (!*ptr) ptr = key; else ptr++;
1605+ }
1606+
1607+ expanded[i] = tmp;
1608+ initial[i] = BF_init_state.P[i] ^ tmp;
1609+ }
1610+}
1611+
1612+char *_crypt_blowfish_rn(__CONST char *key, __CONST char *setting,
1613+ char *output, int size)
1614+{
1615+#if BF_ASM
1616+ extern void _BF_body_r(BF_ctx *ctx);
1617+#endif
1618+ struct {
1619+ BF_ctx ctx;
1620+ BF_key expanded_key;
1621+ union {
1622+ BF_word salt[4];
1623+ BF_word output[6];
1624+ } binary;
1625+ } data;
1626+ BF_word L, R;
1627+ BF_word tmp1, tmp2, tmp3, tmp4;
1628+ BF_word *ptr;
1629+ BF_word count;
1630+ int i;
1631+
1632+ if (size < 7 + 22 + 31 + 1) {
1633+ __set_errno(ERANGE);
1634+ return NULL;
1635+ }
1636+
1637+ if (setting[0] != '$' ||
1638+ setting[1] != '2' ||
1639+ setting[2] != 'a' ||
1640+ setting[3] != '$' ||
1641+ setting[4] < '0' || setting[4] > '3' ||
1642+ setting[5] < '0' || setting[5] > '9' ||
1643+ setting[6] != '$') {
1644+ __set_errno(EINVAL);
1645+ return NULL;
1646+ }
1647+
1648+ count = (BF_word)1 << ((setting[4] - '0') * 10 + (setting[5] - '0'));
1649+ if (count < 16 || BF_decode(data.binary.salt, &setting[7], 16)) {
1650+ clean(data.binary.salt, sizeof(data.binary.salt));
1651+ __set_errno(EINVAL);
1652+ return NULL;
1653+ }
1654+
1655+ BF_swap(data.binary.salt, 4);
1656+
1657+ BF_set_key(key, data.expanded_key, data.ctx.P);
1658+
1659+ memcpy(data.ctx.S, BF_init_state.S, sizeof(data.ctx.S));
1660+
1661+ L = R = 0;
1662+ for (i = 0; i < BF_N + 2; i += 2) {
1663+ L ^= data.binary.salt[i & 2];
1664+ R ^= data.binary.salt[(i & 2) + 1];
1665+ BF_ENCRYPT;
1666+ data.ctx.P[i] = L;
1667+ data.ctx.P[i + 1] = R;
1668+ }
1669+
1670+ ptr = data.ctx.S[0];
1671+ do {
1672+ ptr += 4;
1673+ L ^= data.binary.salt[(BF_N + 2) & 3];
1674+ R ^= data.binary.salt[(BF_N + 3) & 3];
1675+ BF_ENCRYPT;
1676+ *(ptr - 4) = L;
1677+ *(ptr - 3) = R;
1678+
1679+ L ^= data.binary.salt[(BF_N + 4) & 3];
1680+ R ^= data.binary.salt[(BF_N + 5) & 3];
1681+ BF_ENCRYPT;
1682+ *(ptr - 2) = L;
1683+ *(ptr - 1) = R;
1684+ } while (ptr < &data.ctx.S[3][0xFF]);
1685+
1686+ do {
1687+ data.ctx.P[0] ^= data.expanded_key[0];
1688+ data.ctx.P[1] ^= data.expanded_key[1];
1689+ data.ctx.P[2] ^= data.expanded_key[2];
1690+ data.ctx.P[3] ^= data.expanded_key[3];
1691+ data.ctx.P[4] ^= data.expanded_key[4];
1692+ data.ctx.P[5] ^= data.expanded_key[5];
1693+ data.ctx.P[6] ^= data.expanded_key[6];
1694+ data.ctx.P[7] ^= data.expanded_key[7];
1695+ data.ctx.P[8] ^= data.expanded_key[8];
1696+ data.ctx.P[9] ^= data.expanded_key[9];
1697+ data.ctx.P[10] ^= data.expanded_key[10];
1698+ data.ctx.P[11] ^= data.expanded_key[11];
1699+ data.ctx.P[12] ^= data.expanded_key[12];
1700+ data.ctx.P[13] ^= data.expanded_key[13];
1701+ data.ctx.P[14] ^= data.expanded_key[14];
1702+ data.ctx.P[15] ^= data.expanded_key[15];
1703+ data.ctx.P[16] ^= data.expanded_key[16];
1704+ data.ctx.P[17] ^= data.expanded_key[17];
1705+
1706+ BF_body();
1707+
1708+ tmp1 = data.binary.salt[0];
1709+ tmp2 = data.binary.salt[1];
1710+ tmp3 = data.binary.salt[2];
1711+ tmp4 = data.binary.salt[3];
1712+ data.ctx.P[0] ^= tmp1;
1713+ data.ctx.P[1] ^= tmp2;
1714+ data.ctx.P[2] ^= tmp3;
1715+ data.ctx.P[3] ^= tmp4;
1716+ data.ctx.P[4] ^= tmp1;
1717+ data.ctx.P[5] ^= tmp2;
1718+ data.ctx.P[6] ^= tmp3;
1719+ data.ctx.P[7] ^= tmp4;
1720+ data.ctx.P[8] ^= tmp1;
1721+ data.ctx.P[9] ^= tmp2;
1722+ data.ctx.P[10] ^= tmp3;
1723+ data.ctx.P[11] ^= tmp4;
1724+ data.ctx.P[12] ^= tmp1;
1725+ data.ctx.P[13] ^= tmp2;
1726+ data.ctx.P[14] ^= tmp3;
1727+ data.ctx.P[15] ^= tmp4;
1728+ data.ctx.P[16] ^= tmp1;
1729+ data.ctx.P[17] ^= tmp2;
1730+
1731+ BF_body();
1732+ } while (--count);
1733+
1734+ for (i = 0; i < 6; i += 2) {
1735+ L = BF_magic_w[i];
1736+ R = BF_magic_w[i + 1];
1737+
1738+ count = 64;
1739+ do {
1740+ BF_ENCRYPT;
1741+ } while (--count);
1742+
1743+ data.binary.output[i] = L;
1744+ data.binary.output[i + 1] = R;
1745+ }
1746+
1747+ memcpy(output, setting, 7 + 22 - 1);
1748+ output[7 + 22 - 1] = BF_itoa64[(int)
1749+ BF_atoi64[(int)setting[7 + 22 - 1] - 0x20] & 0x30];
1750+
1751+/* This has to be bug-compatible with the original implementation, so
1752+ * only encode 23 of the 24 bytes. :-) */
1753+ BF_swap(data.binary.output, 6);
1754+ BF_encode(&output[7 + 22], data.binary.output, 23);
1755+ output[7 + 22 + 31] = '\0';
1756+
1757+/* Overwrite the most obvious sensitive data we have on the stack. Note
1758+ * that this does not guarantee there's no sensitive data left on the
1759+ * stack and/or in registers; I'm not aware of portable code that does. */
1760+ clean(&data, sizeof(data));
1761+
1762+ return output;
1763+}
1764+
1765+char *_crypt_gensalt_blowfish_rn(unsigned long count,
1766+ __CONST char *input, int size, char *output, int output_size)
1767+{
1768+ if (size < 16 || output_size < 7 + 22 + 1 ||
1769+ (count && (count < 4 || count > 31))) {
1770+ if (output_size > 0) output[0] = '\0';
1771+ __set_errno((output_size < 7 + 22 + 1) ? ERANGE : EINVAL);
1772+ return NULL;
1773+ }
1774+
1775+ if (!count) count = 5;
1776+
1777+ output[0] = '$';
1778+ output[1] = '2';
1779+ output[2] = 'a';
1780+ output[3] = '$';
1781+ output[4] = '0' + count / 10;
1782+ output[5] = '0' + count % 10;
1783+ output[6] = '$';
1784+
1785+ BF_encode(&output[7], (BF_word *)input, 16);
1786+ output[7 + 22] = '\0';
1787+
1788+ return output;
1789+}
1790diff -Nura php-5.0.5/ext/standard/crypt.c hardening-patch-5.0.5-0.4.3/ext/standard/crypt.c
1791--- php-5.0.5/ext/standard/crypt.c 2004-02-12 20:05:41.000000000 +0100
1792+++ hardening-patch-5.0.5-0.4.3/ext/standard/crypt.c 2005-09-12 18:13:10.000000000 +0200
1793@@ -100,6 +100,8 @@
1794 return SUCCESS;
1795 }
1796
1797+char *_crypt_blowfish_rn(char *key, char *setting, char *output, int size);
1798+char *_crypt_gensalt_blowfish_rn(unsigned long count, char *input, int size, char *output, int output_size);
1799
1800 static unsigned char itoa64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
1801
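Review bot: The two prototypes added here declare `key`, `setting` and `input` as `char *`, while the definitions in crypt_blowfish.c (same patch) take `__CONST char *`, which expands to `const char *` under GCC; declaring a function with incompatible parameter types in another translation unit is undefined behaviour (C11 6.2.7) and it also strips const from the interface callers see. Change them to `char *_crypt_blowfish_rn(const char *key, const char *setting, char *output, int size);` and `char *_crypt_gensalt_blowfish_rn(unsigned long count, const char *input, int size, char *output, int output_size);`, and preferably move both into a small header included by crypt.c and crypt_blowfish.c so the compiler can check them against the definitions.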
1802@@ -135,7 +137,14 @@
1803
1804 /* The automatic salt generation only covers standard DES and md5-crypt */
1805 if(!*salt) {
1806-#if PHP_MD5_CRYPT
1807+#if PHP_BLOWFISH_CRYPT
1808+ char randat[16];
1809+ int i;
1810+
1811+ for (i=0; i<16; i++) randat[i] = PHP_CRYPT_RAND;
1812+
1813+ _crypt_gensalt_blowfish_rn(5, randat, sizeof(randat), salt, sizeof(salt));
1814+#elif PHP_MD5_CRYPT
1815 strcpy(salt, "$1$");
1816 php_to64(&salt[3], PHP_CRYPT_RAND, 4);
1817 php_to64(&salt[7], PHP_CRYPT_RAND, 4);
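Review bot: The context comment just above this hunk, `/* The automatic salt generation only covers standard DES and md5-crypt */`, is now wrong because the new `#if PHP_BLOWFISH_CRYPT` branch generates a `$2a$` salt first; change it to `/* Automatic salt generation prefers bcrypt ($2a$), then md5-crypt, then standard DES */`. The return value of `_crypt_gensalt_blowfish_rn()` is discarded, yet on failure it writes `output[0] = '\0'` and returns NULL (see its definition in this patch), after which the later `crypt(str, salt)` fallback would run with an empty salt and no diagnostic; check it, e.g. `if (!_crypt_gensalt_blowfish_rn(5, randat, sizeof(randat), salt, sizeof(salt))) RETURN_FALSE;`. `sizeof(salt)` is only correct if `salt` is declared as an array in the enclosing function, which starts outside the hunk. The 16 salt bytes come from `PHP_CRYPT_RAND`, the same source the md5-crypt branch already uses; whether that macro is a cryptographically strong generator cannot be judged from this hunk and should be documented where it is defined.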
1818@@ -145,8 +154,24 @@
1819 salt[2] = '\0';
1820 #endif
1821 }
1822-
1823- RETVAL_STRING(crypt(str, salt), 1);
1824+
1825+ if (salt[0] == '$' &&
1826+ salt[1] == '2' &&
1827+ salt[2] == 'a' &&
1828+ salt[3] == '$' &&
1829+ salt[4] >= '0' && salt[4] <= '3' &&
1830+ salt[5] >= '0' && salt[5] <= '9' &&
1831+ salt[6] == '$') {
1832+
1833+ char output[PHP_MAX_SALT_LEN+1];
1834+
1835+ output[0] = 0;
1836+ _crypt_blowfish_rn(str, salt, output, sizeof(output));
1837+ RETVAL_STRING(output, 1);
1838+
1839+ } else {
1840+ RETVAL_STRING(crypt(str, salt), 1);
1841+ }
1842 }
1843 /* }}} */
1844 #endif
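Review bot: `_crypt_blowfish_rn()` returns NULL with errno set when the salt cannot be decoded or the buffer is too small, but its result is ignored, so on failure `output` keeps the empty string assigned on the line before and crypt() silently returns `""`; check the return, e.g. `if (!_crypt_blowfish_rn(str, salt, output, sizeof(output))) RETURN_FALSE;`. The salt test also accepts cost exponents 32–39 (`salt[4] == '3'` with any second digit), which `_crypt_blowfish_rn` turns into `(BF_word)1 << n` with `BF_word` being `unsigned int` (see the crypt_blowfish.c hunk), a shift by at least the type width on 32-bit `unsigned int` platforms and therefore undefined behaviour for a value that arrives from the PHP-level `crypt()` salt argument; reject those here by adding `(salt[4] == '3' && salt[5] > '1')` to the rejection condition. `PHP_MAX_SALT_LEN+1` must be at least the 61 bytes (`7 + 22 + 31 + 1`) that `_crypt_blowfish_rn` demands before it does any work; the macro is defined outside this hunk, so confirm it, otherwise every bcrypt call fails with ERANGE.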
1845diff -Nura php-5.0.5/ext/standard/dl.c hardening-patch-5.0.5-0.4.3/ext/standard/dl.c
1846--- php-5.0.5/ext/standard/dl.c 2005-05-04 15:48:01.000000000 +0200
1847+++ hardening-patch-5.0.5-0.4.3/ext/standard/dl.c 2005-09-11 23:30:52.000000000 +0200
1848@@ -159,8 +159,35 @@
1849 RETURN_FALSE;
1850 }
1851 module_entry = get_module();
1852+
1853+ /* check if Hardening-Patch is installed */
1854+ if (module_entry->zend_api < 1000000000) {
1855+ php_error_docref(NULL TSRMLS_CC, error_type,
1856+ "%s: Unable to initialize module\n"
1857+ "Module compiled without Hardening-Patch, module API=%d, debug=%d, thread-safety=%d\n"
1858+ "PHP compiled with Hardening-Patch=%d, module API=%d, debug=%d, thread-safety=%d\n"
1859+ "These options need to match\n",
1860+ module_entry->name, module_entry->zend_api, module_entry->zend_debug, module_entry->zts,
1861+ HARDENING_PATCH_ZEND_MODULE_API_NO, ZEND_MODULE_API_NO, ZEND_DEBUG, USING_ZTS);
1862+ DL_UNLOAD(handle);
1863+ RETURN_FALSE;
1864+ }
1865+
1866+ /* check if correct Hardening-Patch is installed */
1867+ if (module_entry->zend_api != HARDENING_PATCH_ZEND_MODULE_API_NO) {
1868+ php_error_docref(NULL TSRMLS_CC, error_type,
1869+ "%s: Unable to initialize module\n"
1870+ "Module compiled with Hardening-Patch=%d, module API=%d, debug=%d, thread-safety=%d\n"
1871+ "PHP compiled with Hardening-Patch=%d, module API=%d, debug=%d, thread-safety=%d\n"
1872+ "These options need to match\n",
1873+ module_entry->name, module_entry->zend_api, module_entry->real_zend_api, module_entry->zend_debug, module_entry->zts,
1874+ HARDENING_PATCH_ZEND_MODULE_API_NO, ZEND_MODULE_API_NO, ZEND_DEBUG, USING_ZTS);
1875+ DL_UNLOAD(handle);
1876+ RETURN_FALSE;
1877+ }
1878+
1879 if ((module_entry->zend_debug != ZEND_DEBUG) || (module_entry->zts != USING_ZTS)
1880- || (module_entry->zend_api != ZEND_MODULE_API_NO)) {
1881+ || (module_entry->real_zend_api != ZEND_MODULE_API_NO)) {
1882 /* Check for pre-4.1.0 module which has a slightly different module_entry structure :( */
1883 struct pre_4_1_0_module_entry {
1884 char *name;
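Review bot: The threshold in `module_entry->zend_api < 1000000000` is an unexplained magic number that presumably encodes the convention that Hardening-Patch builds emit module API numbers above 10^9; replace it with a named macro and a comment, e.g. `#define HARDENING_PATCH_API_THRESHOLD 1000000000 /* stock, date-based API numbers stay below this */`, adjusted to however the numbering is actually defined since that is not visible here. The second check reads `module_entry->real_zend_api`, a field that only exists in the patched `zend_module_entry`; that read is safe only because the first check has already rejected modules built without the patch, and a one-line comment stating that ordering dependency would keep a future reorder from breaking it. Both checks also dereference `module_entry->name` before the pre-4.1.0 layout probe that follows them, which matches the original code's ordering and is not a regression. The enclosing function starts outside the hunk.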
1885@@ -194,7 +221,7 @@
1886 zts = ((struct pre_4_1_0_module_entry *)module_entry)->zts;
1887 } else {
1888 name = module_entry->name;
1889- zend_api = module_entry->zend_api;
1890+ zend_api = module_entry->real_zend_api;
1891 zend_debug = module_entry->zend_debug;
1892 zts = module_entry->zts;
1893 }
1894diff -Nura php-5.0.5/ext/standard/file.c hardening-patch-5.0.5-0.4.3/ext/standard/file.c
1895--- php-5.0.5/ext/standard/file.c 2005-04-06 15:59:48.000000000 +0200
1896+++ hardening-patch-5.0.5-0.4.3/ext/standard/file.c 2005-09-11 23:30:52.000000000 +0200
1897@@ -2044,7 +2044,7 @@
1898 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
1899 /* {{{ proto string realpath(string path)
1900 Return the resolved path */
1901-PHP_FUNCTION(realpath)
1902+PHP_FUNCTION(real_path)
1903 {
1904 zval **path;
1905 char resolved_path_buff[MAXPATHLEN];
1906diff -Nura php-5.0.5/ext/standard/file.h hardening-patch-5.0.5-0.4.3/ext/standard/file.h
1907--- php-5.0.5/ext/standard/file.h 2005-07-15 11:29:18.000000000 +0200
1908+++ hardening-patch-5.0.5-0.4.3/ext/standard/file.h 2005-09-11 23:30:52.000000000 +0200
1909@@ -60,7 +60,7 @@
1910 PHP_FUNCTION(fd_set);
1911 PHP_FUNCTION(fd_isset);
1912 #if (!defined(__BEOS__) && HAVE_REALPATH) || defined(ZTS)
1913-PHP_FUNCTION(realpath);
1914+PHP_FUNCTION(real_path);
1915 PHP_FUNCTION(fnmatch);
1916 #endif
1917 PHP_NAMED_FUNCTION(php_if_ftruncate);
1918diff -Nura php-5.0.5/ext/standard/head.c hardening-patch-5.0.5-0.4.3/ext/standard/head.c
1919--- php-5.0.5/ext/standard/head.c 2005-06-28 16:49:14.000000000 +0200
1920+++ hardening-patch-5.0.5-0.4.3/ext/standard/head.c 2005-09-11 23:30:52.000000000 +0200
1921@@ -40,10 +40,31 @@
1922 {
1923 zend_bool rep = 1;
1924 sapi_header_line ctr = {0};
1925+#if HARDENING_PATCH
1926+ int i;
1927+#endif
1928
1929 if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|bl", &ctr.line,
1930 &ctr.line_len, &rep, &ctr.response_code) == FAILURE)
1931 return;
1932+
1933+#if HARDENING_PATCH
1934+ if (!HG(hphp_multiheader)) {
1935+ for (i=0; i<ctr.line_len; i++) {
1936+ if (ctr.line[i]==0) {
1937+ php_security_log(S_MISC, "header(): headerline truncated by an ASCII-NUL char");
1938+ ctr.line_len=i;
1939+ break;
1940+ } else if (ctr.line[i]=='\n') {
1941+ if (i>0 && (i<ctr.line_len-1) && (ctr.line[i+1]==' ' || ctr.line[i+1]=='\t')) {
1942+ continue;
1943+ }
1944+ php_security_log(S_MISC, "header(): headerline contains more than one header");
1945+ ctr.line_len=i;
1946+ }
1947+ }
1948+ }
1949+#endif
1950
1951 sapi_header_op(rep ? SAPI_HEADER_REPLACE:SAPI_HEADER_ADD, &ctr TSRMLS_CC);
1952 }
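Review bot: The filter only treats `\n` as a line terminator, so a header line containing a bare `\r` (for example `"X: a\rSet-Cookie: x=y"`) passes through untouched, and several HTTP stacks accept a lone CR as end-of-header, leaving open part of the response-splitting hole this check is meant to close. Treat `\r` like `\n`, and make the folding test step over the LF of a CRLF pair so legitimate `\r\n\t` continuations are still accepted; also `break` once `line_len` has been shortened rather than relying on the loop condition to stop the scan. Whether `ctr.line_len` is unsigned matters for the `i<ctr.line_len-1` comparison; the struct definition is not in this hunk. The enclosing `header()` implementation starts above the hunk.

```c
		/* … unchanged: ASCII-NUL truncation branch … */
		} else if (ctr.line[i]=='\n' || ctr.line[i]=='\r') {
			int j = i + 1;

			/* step over the LF of a CRLF pair before testing for a folded continuation */
			if (ctr.line[i]=='\r' && j < ctr.line_len && ctr.line[j]=='\n') {
				j++;
			}
			if (i>0 && j < ctr.line_len && (ctr.line[j]==' ' || ctr.line[j]=='\t')) {
				i = j - 1;	/* resume scanning after the line break */
				continue;
			}
			php_security_log(S_MISC, "header(): headerline contains more than one header");
			ctr.line_len=i;
			break;
		}
```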
1953diff -Nura php-5.0.5/ext/standard/info.c hardening-patch-5.0.5-0.4.3/ext/standard/info.c
1954--- php-5.0.5/ext/standard/info.c 2005-08-16 02:25:46.000000000 +0200
1955+++ hardening-patch-5.0.5-0.4.3/ext/standard/info.c 2005-09-11 23:30:52.000000000 +0200
1956@@ -409,7 +409,7 @@
1957
1958 if (flag & PHP_INFO_GENERAL) {
1959 char *zend_version = get_zend_version();
1960- char temp_api[10];
1961+ char temp_api[11];
1962 char *logo_guid;
1963
1964 php_uname = php_get_uname('a');
1965@@ -432,11 +432,22 @@
1966 PUTS("\" alt=\"PHP Logo\" /></a>");
1967 }
1968
1969+#if HARDENING_PATCH
1970+ if (!sapi_module.phpinfo_as_text) {
1971+ php_printf("<h1 class=\"p\">PHP Version %s with Hardening-Patch %s</h1>\n", PHP_VERSION, HARDENING_PATCH_VERSION);
1972+ } else {
1973+ char temp_ver[40];
1974+
1975+ snprintf(temp_ver, sizeof(temp_ver), "%s/%s", PHP_VERSION, HARDENING_PATCH_VERSION);
1976+ php_info_print_table_row(2, "PHP/Hardening-Patch Version", temp_ver);
1977+ }
1978+#else
1979 if (!sapi_module.phpinfo_as_text) {
1980 php_printf("<h1 class=\"p\">PHP Version %s</h1>\n", PHP_VERSION);
1981 } else {
1982 php_info_print_table_row(2, "PHP Version", PHP_VERSION);
1983- }
1984+ }
1985+#endif
1986 php_info_print_box_end();
1987 php_info_print_table_start();
1988 php_info_print_table_row(2, "System", php_uname );
1989diff -Nura php-5.0.5/ext/standard/php_standard.h hardening-patch-5.0.5-0.4.3/ext/standard/php_standard.h
1990--- php-5.0.5/ext/standard/php_standard.h 2004-01-08 18:32:51.000000000 +0100
1991+++ hardening-patch-5.0.5-0.4.3/ext/standard/php_standard.h 2005-09-11 23:30:52.000000000 +0200
1992@@ -28,6 +28,7 @@
1993 #include "php_mail.h"
1994 #include "md5.h"
1995 #include "sha1.h"
1996+#include "sha256.h"
1997 #include "html.h"
1998 #include "exec.h"
1999 #include "file.h"
2000diff -Nura php-5.0.5/ext/standard/sha256.c hardening-patch-5.0.5-0.4.3/ext/standard/sha256.c
2001--- php-5.0.5/ext/standard/sha256.c 1970-01-01 01:00:00.000000000 +0100
2002+++ hardening-patch-5.0.5-0.4.3/ext/standard/sha256.c 2005-09-11 23:30:52.000000000 +0200
2003@@ -0,0 +1,398 @@
2004+/*
2005+ +----------------------------------------------------------------------+
2006+ | PHP Version 5 |
2007+ +----------------------------------------------------------------------+
2008+ | Copyright (c) 1997-2004 The PHP Group |
2009+ +----------------------------------------------------------------------+
2010+ | This source file is subject to version 3.0 of the PHP license, |
2011+ | that is bundled with this package in the file LICENSE, and is |
2012+ | available through the world-wide-web at the following url: |
2013+ | http://www.php.net/license/3_0.txt. |
2014+ | If you did not receive a copy of the PHP license and are unable to |
2015+ | obtain it through the world-wide-web, please send a note to |
2016+ | license@php.net so we can mail you a copy immediately. |
2017+ +----------------------------------------------------------------------+
2018+ | Author: Stefan Esser <sesser@php.net> |
2019+ +----------------------------------------------------------------------+
2020+*/
2021+
2022+/* $Id: sha256.c,v 1.9 2004/01/08 08:17:34 andi Exp $ */
2023+
2024+#include <stdio.h>
2025+#include "php.h"
2026+
2027+/* This code is heavily based on the PHP md5/sha1 implementations */
2028+
2029+#include "sha256.h"
2030+
2031+PHPAPI void make_sha256_digest(char *sha256str, unsigned char *digest)
2032+{
2033+ int i;
2034+
2035+ for (i = 0; i < 32; i++) {
2036+ sprintf(sha256str, "%02x", digest[i]);
2037+ sha256str += 2;
2038+ }
2039+
2040+ *sha256str = '\0';
2041+}
2042+
2043+/* {{{ proto string sha256(string str [, bool raw_output])
2044+ Calculate the sha256 hash of a string */
2045+PHP_FUNCTION(sha256)
2046+{
2047+ char *arg;
2048+ int arg_len;
2049+ zend_bool raw_output = 0;
2050+ char sha256str[65];
2051+ PHP_SHA256_CTX context;
2052+ unsigned char digest[32];
2053+
2054+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &arg, &arg_len, &raw_output) == FAILURE) {
2055+ return;
2056+ }
2057+
2058+ sha256str[0] = '\0';
2059+ PHP_SHA256Init(&context);
2060+ PHP_SHA256Update(&context, arg, arg_len);
2061+ PHP_SHA256Final(digest, &context);
2062+ if (raw_output) {
2063+ RETURN_STRINGL(digest, 32, 1);
2064+ } else {
2065+ make_sha256_digest(sha256str, digest);
2066+ RETVAL_STRING(sha256str, 1);
2067+ }
2068+
2069+}
2070+
2071+/* }}} */
2072+
2073+/* {{{ proto string sha256_file(string filename [, bool raw_output])
2074+ Calculate the sha256 hash of given filename */
2075+PHP_FUNCTION(sha256_file)
2076+{
2077+ char *arg;
2078+ int arg_len;
2079+ zend_bool raw_output = 0;
2080+ char sha256str[65];
2081+ unsigned char buf[1024];
2082+ unsigned char digest[32];
2083+ PHP_SHA256_CTX context;
2084+ int n;
2085+ FILE *fp;
2086+
2087+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &arg, &arg_len, &raw_output) == FAILURE) {
2088+ return;
2089+ }
2090+
2091+ if (PG(safe_mode) && (!php_checkuid(arg, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
2092+ RETURN_FALSE;
2093+ }
2094+
2095+ if (php_check_open_basedir(arg TSRMLS_CC)) {
2096+ RETURN_FALSE;
2097+ }
2098+
2099+ if ((fp = VCWD_FOPEN(arg, "rb")) == NULL) {
2100+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to open file");
2101+ RETURN_FALSE;
2102+ }
2103+
2104+ PHP_SHA256Init(&context);
2105+
2106+ while ((n = fread(buf, 1, sizeof(buf), fp)) > 0) {
2107+ PHP_SHA256Update(&context, buf, n);
2108+ }
2109+
2110+ PHP_SHA256Final(digest, &context);
2111+
2112+ if (ferror(fp)) {
2113+ fclose(fp);
2114+ RETURN_FALSE;
2115+ }
2116+
2117+ fclose(fp);
2118+
2119+ if (raw_output) {
2120+ RETURN_STRINGL(digest, 32, 1);
2121+ } else {
2122+ make_sha256_digest(sha256str, digest);
2123+ RETVAL_STRING(sha256str, 1);
2124+ }
2125+}
2126+/* }}} */
2127+
2128+
2129+static void SHA256Transform(php_uint32[8], const unsigned char[64]);
2130+static void SHA256Encode(unsigned char *, php_uint32 *, unsigned int);
2131+static void SHA256Decode(php_uint32 *, const unsigned char *, unsigned int);
2132+
2133+static unsigned char PADDING[64] =
2134+{
2135+ 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
2136+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
2137+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
2138+};
2139+
2140+/* F, G, H and I are basic SHA256 functions.
2141+ */
2142+#define F(x) (ROTATE_RIGHT(x,2) ^ ROTATE_RIGHT(x,13) ^ ROTATE_RIGHT(x,22))
2143+#define G(x, y, z) (((x) & (y)) | ((z) & ((y) | (x))))
2144+#define H(x) (ROTATE_RIGHT(x,6) ^ ROTATE_RIGHT(x,11) ^ ROTATE_RIGHT(x,25))
2145+#define I(x, y, z) (((x) & (y)) | ((~x) & z))
2146+
2147+/* ROTATE_RIGHT rotates x right n bits.
2148+ */
2149+#define ROTATE_RIGHT(x, n) (((x) >> (n)) | ((x) << (32-(n))))
2150+
2151+/* W[i]
2152+ */
2153+#define W(i) ( tmp1=ROTATE_RIGHT(x[(i-15)&15],7)^ROTATE_RIGHT(x[(i-15)&15],18)^(x[(i-15)&15] >> 3), \
2154+ tmp2=ROTATE_RIGHT(x[(i-2)&15],17)^ROTATE_RIGHT(x[(i-2)&15],19)^(x[(i-2)&15] >> 10), \
2155+ (x[i&15]=x[i&15] + tmp1 + x[(i-7)&15] + tmp2) )
2156+
2157+/* ROUND function of sha256
2158+ */
2159+
2160+#define ROUND(a,b,c,d,e,f,g,h,w,k) { \
2161+ t1 = (h) + H((e)) + I((e), (f), (g)) + (k) + (php_uint32)(w); \
2162+ (h) = F((a)) + G((a), (b), (c)) + t1; \
2163+ (d) += t1; \
2164+ }
2165+
2166+
2167+/* {{{ PHP_SHA256Init
2168+ * SHA256 initialization. Begins an SHA256 operation, writing a new context.
2169+ */
2170+PHPAPI void PHP_SHA256Init(PHP_SHA256_CTX * context)
2171+{
2172+ context->count[0] = context->count[1] = 0;
2173+ /* Load magic initialization constants.
2174+ */
2175+ context->state[0] = 0x6a09e667;
2176+ context->state[1] = 0xbb67ae85;
2177+ context->state[2] = 0x3c6ef372;
2178+ context->state[3] = 0xa54ff53a;
2179+ context->state[4] = 0x510e527f;
2180+ context->state[5] = 0x9b05688c;
2181+ context->state[6] = 0x1f83d9ab;
2182+ context->state[7] = 0x5be0cd19;
2183+}
2184+/* }}} */
2185+
2186+/* {{{ PHP_SHA256Update
2187+ SHA256 block update operation. Continues an SHA256 message-digest
2188+ operation, processing another message block, and updating the
2189+ context.
2190+ */
2191+PHPAPI void PHP_SHA256Update(PHP_SHA256_CTX * context, const unsigned char *input,
2192+ unsigned int inputLen)
2193+{
2194+ unsigned int i, index, partLen;
2195+
2196+ /* Compute number of bytes mod 64 */
2197+ index = (unsigned int) ((context->count[0] >> 3) & 0x3F);
2198+
2199+ /* Update number of bits */
2200+ if ((context->count[0] += ((php_uint32) inputLen << 3))
2201+ < ((php_uint32) inputLen << 3))
2202+ context->count[1]++;
2203+ context->count[1] += ((php_uint32) inputLen >> 29);
2204+
2205+ partLen = 64 - index;
2206+
2207+ /* Transform as many times as possible.
2208+ */
2209+ if (inputLen >= partLen) {
2210+ memcpy
2211+ ((unsigned char*) & context->buffer[index], (unsigned char*) input, partLen);
2212+ SHA256Transform(context->state, context->buffer);
2213+
2214+ for (i = partLen; i + 63 < inputLen; i += 64)
2215+ SHA256Transform(context->state, &input[i]);
2216+
2217+ index = 0;
2218+ } else
2219+ i = 0;
2220+
2221+ /* Buffer remaining input */
2222+ memcpy
2223+ ((unsigned char*) & context->buffer[index], (unsigned char*) & input[i],
2224+ inputLen - i);
2225+}
2226+/* }}} */
2227+
2228+/* {{{ PHP_SHA256Final
2229+ SHA256 finalization. Ends an SHA256 message-digest operation, writing the
2230+ the message digest and zeroizing the context.
2231+ */
2232+PHPAPI void PHP_SHA256Final(unsigned char digest[32], PHP_SHA256_CTX * context)
2233+{
2234+ unsigned char bits[8];
2235+ unsigned int index, padLen;
2236+
2237+ /* Save number of bits */
2238+ bits[7] = context->count[0] & 0xFF;
2239+ bits[6] = (context->count[0] >> 8) & 0xFF;
2240+ bits[5] = (context->count[0] >> 16) & 0xFF;
2241+ bits[4] = (context->count[0] >> 24) & 0xFF;
2242+ bits[3] = context->count[1] & 0xFF;
2243+ bits[2] = (context->count[1] >> 8) & 0xFF;
2244+ bits[1] = (context->count[1] >> 16) & 0xFF;
2245+ bits[0] = (context->count[1] >> 24) & 0xFF;
2246+
2247+ /* Pad out to 56 mod 64.
2248+ */
2249+ index = (unsigned int) ((context->count[0] >> 3) & 0x3f);
2250+ padLen = (index < 56) ? (56 - index) : (120 - index);
2251+ PHP_SHA256Update(context, PADDING, padLen);
2252+
2253+ /* Append length (before padding) */
2254+ PHP_SHA256Update(context, bits, 8);
2255+
2256+ /* Store state in digest */
2257+ SHA256Encode(digest, context->state, 32);
2258+
2259+ /* Zeroize sensitive information.
2260+ */
2261+ memset((unsigned char*) context, 0, sizeof(*context));
2262+}
2263+/* }}} */
2264+
2265+/* {{{ SHA256Transform
2266+ * SHA256 basic transformation. Transforms state based on block.
2267+ */
2268+static void SHA256Transform(state, block)
2269+php_uint32 state[8];
2270+const unsigned char block[64];
2271+{
2272+ php_uint32 a = state[0], b = state[1], c = state[2];
2273+ php_uint32 d = state[3], e = state[4], f = state[5];
2274+ php_uint32 g = state[6], h = state[7], x[16], tmp1, tmp2, t1;
2275+
2276+ SHA256Decode(x, block, 64);
2277+
2278+ ROUND(a, b, c, d, e, f, g, h, x[0], 0x428a2f98)
2279+ ROUND(h, a, b, c, d, e, f, g, x[1], 0x71374491)
2280+ ROUND(g, h, a, b, c, d, e, f, x[2], 0xb5c0fbcf)
2281+ ROUND(f, g, h, a, b, c, d, e, x[3], 0xe9b5dba5)
2282+ ROUND(e, f, g, h, a, b, c, d, x[4], 0x3956c25b)
2283+ ROUND(d, e, f, g, h, a, b, c, x[5], 0x59f111f1)
2284+ ROUND(c, d, e, f, g, h, a, b, x[6], 0x923f82a4)
2285+ ROUND(b, c, d, e, f, g, h, a, x[7], 0xab1c5ed5)
2286+ ROUND(a, b, c, d, e, f, g, h, x[8], 0xd807aa98)
2287+ ROUND(h, a, b, c, d, e, f, g, x[9], 0x12835b01)
2288+ ROUND(g, h, a, b, c, d, e, f, x[10], 0x243185be)
2289+ ROUND(f, g, h, a, b, c, d, e, x[11], 0x550c7dc3)
2290+ ROUND(e, f, g, h, a, b, c, d, x[12], 0x72be5d74)
2291+ ROUND(d, e, f, g, h, a, b, c, x[13], 0x80deb1fe)
2292+ ROUND(c, d, e, f, g, h, a, b, x[14], 0x9bdc06a7)
2293+ ROUND(b, c, d, e, f, g, h, a, x[15], 0xc19bf174)
2294+ ROUND(a, b, c, d, e, f, g, h, W(16), 0xe49b69c1)
2295+ ROUND(h, a, b, c, d, e, f, g, W(17), 0xefbe4786)
2296+ ROUND(g, h, a, b, c, d, e, f, W(18), 0x0fc19dc6)
2297+ ROUND(f, g, h, a, b, c, d, e, W(19), 0x240ca1cc)
2298+ ROUND(e, f, g, h, a, b, c, d, W(20), 0x2de92c6f)
2299+ ROUND(d, e, f, g, h, a, b, c, W(21), 0x4a7484aa)
2300+ ROUND(c, d, e, f, g, h, a, b, W(22), 0x5cb0a9dc)
2301+ ROUND(b, c, d, e, f, g, h, a, W(23), 0x76f988da)
2302+ ROUND(a, b, c, d, e, f, g, h, W(24), 0x983e5152)
2303+ ROUND(h, a, b, c, d, e, f, g, W(25), 0xa831c66d)
2304+ ROUND(g, h, a, b, c, d, e, f, W(26), 0xb00327c8)
2305+ ROUND(f, g, h, a, b, c, d, e, W(27), 0xbf597fc7)
2306+ ROUND(e, f, g, h, a, b, c, d, W(28), 0xc6e00bf3)
2307+ ROUND(d, e, f, g, h, a, b, c, W(29), 0xd5a79147)
2308+ ROUND(c, d, e, f, g, h, a, b, W(30), 0x06ca6351)
2309+ ROUND(b, c, d, e, f, g, h, a, W(31), 0x14292967)
2310+ ROUND(a, b, c, d, e, f, g, h, W(32), 0x27b70a85)
2311+ ROUND(h, a, b, c, d, e, f, g, W(33), 0x2e1b2138)
2312+ ROUND(g, h, a, b, c, d, e, f, W(34), 0x4d2c6dfc)
2313+ ROUND(f, g, h, a, b, c, d, e, W(35), 0x53380d13)
2314+ ROUND(e, f, g, h, a, b, c, d, W(36), 0x650a7354)
2315+ ROUND(d, e, f, g, h, a, b, c, W(37), 0x766a0abb)
2316+ ROUND(c, d, e, f, g, h, a, b, W(38), 0x81c2c92e)
2317+ ROUND(b, c, d, e, f, g, h, a, W(39), 0x92722c85)
2318+ ROUND(a, b, c, d, e, f, g, h, W(40), 0xa2bfe8a1)
2319+ ROUND(h, a, b, c, d, e, f, g, W(41), 0xa81a664b)
2320+ ROUND(g, h, a, b, c, d, e, f, W(42), 0xc24b8b70)
2321+ ROUND(f, g, h, a, b, c, d, e, W(43), 0xc76c51a3)
2322+ ROUND(e, f, g, h, a, b, c, d, W(44), 0xd192e819)
2323+ ROUND(d, e, f, g, h, a, b, c, W(45), 0xd6990624)
2324+ ROUND(c, d, e, f, g, h, a, b, W(46), 0xf40e3585)
2325+ ROUND(b, c, d, e, f, g, h, a, W(47), 0x106aa070)
2326+ ROUND(a, b, c, d, e, f, g, h, W(48), 0x19a4c116)
2327+ ROUND(h, a, b, c, d, e, f, g, W(49), 0x1e376c08)
2328+ ROUND(g, h, a, b, c, d, e, f, W(50), 0x2748774c)
2329+ ROUND(f, g, h, a, b, c, d, e, W(51), 0x34b0bcb5)
2330+ ROUND(e, f, g, h, a, b, c, d, W(52), 0x391c0cb3)
2331+ ROUND(d, e, f, g, h, a, b, c, W(53), 0x4ed8aa4a)
2332+ ROUND(c, d, e, f, g, h, a, b, W(54), 0x5b9cca4f)
2333+ ROUND(b, c, d, e, f, g, h, a, W(55), 0x682e6ff3)
2334+ ROUND(a, b, c, d, e, f, g, h, W(56), 0x748f82ee)
2335+ ROUND(h, a, b, c, d, e, f, g, W(57), 0x78a5636f)
2336+ ROUND(g, h, a, b, c, d, e, f, W(58), 0x84c87814)
2337+ ROUND(f, g, h, a, b, c, d, e, W(59), 0x8cc70208)
2338+ ROUND(e, f, g, h, a, b, c, d, W(60), 0x90befffa)
2339+ ROUND(d, e, f, g, h, a, b, c, W(61), 0xa4506ceb)
2340+ ROUND(c, d, e, f, g, h, a, b, W(62), 0xbef9a3f7)
2341+ ROUND(b, c, d, e, f, g, h, a, W(63), 0xc67178f2)
2342+
2343+ state[0] += a;
2344+ state[1] += b;
2345+ state[2] += c;
2346+ state[3] += d;
2347+ state[4] += e;
2348+ state[5] += f;
2349+ state[6] += g;
2350+ state[7] += h;
2351+
2352+ /* Zeroize sensitive information. */
2353+ memset((unsigned char*) x, 0, sizeof(x));
2354+}
2355+/* }}} */
2356+
2357+/* {{{ SHA256Encode
2358+ Encodes input (php_uint32) into output (unsigned char). Assumes len is
2359+ a multiple of 4.
2360+ */
2361+static void SHA256Encode(output, input, len)
2362+unsigned char *output;
2363+php_uint32 *input;
2364+unsigned int len;
2365+{
2366+ unsigned int i, j;
2367+
2368+ for (i = 0, j = 0; j < len; i++, j += 4) {
2369+ output[j] = (unsigned char) ((input[i] >> 24) & 0xff);
2370+ output[j + 1] = (unsigned char) ((input[i] >> 16) & 0xff);
2371+ output[j + 2] = (unsigned char) ((input[i] >> 8) & 0xff);
2372+ output[j + 3] = (unsigned char) (input[i] & 0xff);
2373+ }
2374+}
2375+/* }}} */
2376+
2377+/* {{{ SHA256Decode
2378+ Decodes input (unsigned char) into output (php_uint32). Assumes len is
2379+ a multiple of 4.
2380+ */
2381+static void SHA256Decode(output, input, len)
2382+php_uint32 *output;
2383+const unsigned char *input;
2384+unsigned int len;
2385+{
2386+ unsigned int i, j;
2387+
2388+ for (i = 0, j = 0; j < len; i++, j += 4)
2389+ output[i] = ((php_uint32) input[j + 3]) | (((php_uint32) input[j + 2]) << 8) |
2390+ (((php_uint32) input[j + 1]) << 16) | (((php_uint32) input[j]) << 24);
2391+}
2392+/* }}} */
2393+
2394+/*
2395+ * Local variables:
2396+ * tab-width: 4
2397+ * c-basic-offset: 4
2398+ * End:
2399+ * vim600: sw=4 ts=4 fdm=marker
2400+ * vim<600: sw=4 ts=4
2401+ */
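Review bot: A new hash primitive lands with no known-answer test visible in the patch; the round constants, the σ/Σ rotation amounts and the `Ch`/`Maj` macros read correctly against FIPS 180-2, but a single transposed constant would go unnoticed at runtime, so add at least `sha256("") == "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"` and `sha256("abc") == "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"` as a .phpt. `PHP_SHA256Final` zeroizes the context with a plain `memset` on an object that is never read again, which an optimizing compiler may drop as a dead store; a volatile-pointer loop or a platform secure-clear call preserves the intent. `make_sha256_digest` writes 65 bytes through an unsized `char *` and relies on every caller declaring `sha256str[65]`; a comment on the function, `/* sha256str must hold at least 65 bytes (64 hex digits + NUL) */`, would make that contract explicit. The `$Id` line carries revision metadata copied from the file this was based on and should be reset.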
2402diff -Nura php-5.0.5/ext/standard/sha256.h hardening-patch-5.0.5-0.4.3/ext/standard/sha256.h
2403--- php-5.0.5/ext/standard/sha256.h 1970-01-01 01:00:00.000000000 +0100
2404+++ hardening-patch-5.0.5-0.4.3/ext/standard/sha256.h 2005-09-11 23:30:52.000000000 +0200
2405@@ -0,0 +1,40 @@
2406+/*
2407+ +----------------------------------------------------------------------+
2408+ | PHP Version 5 |
2409+ +----------------------------------------------------------------------+
2410+ | Copyright (c) 1997-2004 The PHP Group |
2411+ +----------------------------------------------------------------------+
2412+ | This source file is subject to version 3.0 of the PHP license, |
2413+ | that is bundled with this package in the file LICENSE, and is |
2414+ | available through the world-wide-web at the following url: |
2415+ | http://www.php.net/license/3_0.txt. |
2416+ | If you did not receive a copy of the PHP license and are unable to |
2417+ | obtain it through the world-wide-web, please send a note to |
2418+ | license@php.net so we can mail you a copy immediately. |
2419+ +----------------------------------------------------------------------+
2420+ | Author: Stefan Esser <sesser@php.net> |
2421+ +----------------------------------------------------------------------+
2422+*/
2423+
2424+/* $Id: sha256.h,v 1.4 2004/01/08 17:32:52 sniper Exp $ */
2425+
2426+#ifndef SHA256_H
2427+#define SHA256_H
2428+
2429+#include "ext/standard/basic_functions.h"
2430+
2431+/* SHA1 context. */
2432+typedef struct {
2433+ php_uint32 state[8]; /* state (ABCD) */
2434+ php_uint32 count[2]; /* number of bits, modulo 2^64 (lsb first) */
2435+ unsigned char buffer[64]; /* input buffer */
2436+} PHP_SHA256_CTX;
2437+
2438+PHPAPI void PHP_SHA256Init(PHP_SHA256_CTX *);
2439+PHPAPI void PHP_SHA256Update(PHP_SHA256_CTX *, const unsigned char *, unsigned int);
2440+PHPAPI void PHP_SHA256Final(unsigned char[32], PHP_SHA256_CTX *);
2441+
2442+PHP_FUNCTION(sha256);
2443+PHP_FUNCTION(sha256_file);
2444+
2445+#endif
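Review bot: The struct comment still reads `/* SHA1 context. */` and labels the state `(ABCD)`, leftovers from the header this was copied from; SHA-256 keeps eight working variables, so write `/* SHA256 context. */` and `php_uint32 state[8]; /* state (A..H) */`. The `count` comment, "number of bits, modulo 2^64 (lsb first)", does match what `PHP_SHA256Update` maintains in sha256.c and can stay as is.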
2446diff -Nura php-5.0.5/ext/standard/syslog.c hardening-patch-5.0.5-0.4.3/ext/standard/syslog.c
2447--- php-5.0.5/ext/standard/syslog.c 2005-07-15 11:29:19.000000000 +0200
2448+++ hardening-patch-5.0.5-0.4.3/ext/standard/syslog.c 2005-09-11 23:30:52.000000000 +0200
2449@@ -42,6 +42,7 @@
2450 */
2451 PHP_MINIT_FUNCTION(syslog)
2452 {
2453+#if !HARDENING_PATCH
2454 /* error levels */
2455 REGISTER_LONG_CONSTANT("LOG_EMERG", LOG_EMERG, CONST_CS | CONST_PERSISTENT); /* system unusable */
2456 REGISTER_LONG_CONSTANT("LOG_ALERT", LOG_ALERT, CONST_CS | CONST_PERSISTENT); /* immediate action required */
2457@@ -97,7 +98,7 @@
2458 /* AIX doesn't have LOG_PERROR */
2459 REGISTER_LONG_CONSTANT("LOG_PERROR", LOG_PERROR, CONST_CS | CONST_PERSISTENT); /*log to stderr*/
2460 #endif
2461-
2462+#endif
2463 return SUCCESS;
2464 }
2465 /* }}} */
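Review bot: Wrapping the whole `LOG_*` constant registration in `#if !HARDENING_PATCH` leaves no hint in this file of where scripts obtain those constants on a hardened build; if nothing else registers them, every `syslog(LOG_ERR, ...)` call fails at runtime. Add a comment at the `#if` naming the replacement, e.g. `/* on Hardening-Patch builds the LOG_* constants are registered by the patch core, see hardening_patch.c */`, adjusted to wherever the patch actually registers them, which is not visible in this hunk.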
2466diff -Nura php-5.0.5/ext/varfilter/config.m4 hardening-patch-5.0.5-0.4.3/ext/varfilter/config.m4
2467--- php-5.0.5/ext/varfilter/config.m4 1970-01-01 01:00:00.000000000 +0100
2468+++ hardening-patch-5.0.5-0.4.3/ext/varfilter/config.m4 2005-09-11 23:30:52.000000000 +0200
2469@@ -0,0 +1,11 @@
2470+dnl
2471+dnl $Id: config.m4,v 1.1 2004/11/14 13:27:16 ionic Exp $
2472+dnl
2473+
2474+PHP_ARG_ENABLE(varfilter, whether to enable Hardening-Patch's variable filter,
2475+[ --disable-varfilter Disable Hardening-Patch's variable filter], yes)
2476+
2477+if test "$PHP_VARFILTER" != "no"; then
2478+ AC_DEFINE(HAVE_VARFILTER, 1, [ ])
2479+ PHP_NEW_EXTENSION(varfilter, varfilter.c, $ext_shared)
2480+fi
2481diff -Nura php-5.0.5/ext/varfilter/CREDITS hardening-patch-5.0.5-0.4.3/ext/varfilter/CREDITS
2482--- php-5.0.5/ext/varfilter/CREDITS 1970-01-01 01:00:00.000000000 +0100
2483+++ hardening-patch-5.0.5-0.4.3/ext/varfilter/CREDITS 2005-09-11 23:30:52.000000000 +0200
2484@@ -0,0 +1,2 @@
2485+varfilter
2486+Stefan Esser
2487\ Kein Zeilenumbruch am Dateiende.
2488diff -Nura php-5.0.5/ext/varfilter/php_varfilter.h hardening-patch-5.0.5-0.4.3/ext/varfilter/php_varfilter.h
2489--- php-5.0.5/ext/varfilter/php_varfilter.h 1970-01-01 01:00:00.000000000 +0100
2490+++ hardening-patch-5.0.5-0.4.3/ext/varfilter/php_varfilter.h 2005-09-12 00:03:50.000000000 +0200
2491@@ -0,0 +1,112 @@
2492+/*
2493+ +----------------------------------------------------------------------+
2494+ | Hardened-PHP Project's varfilter extension |
2495+ +----------------------------------------------------------------------+
2496+ | Copyright (c) 2004-2005 Stefan Esser |
2497+ +----------------------------------------------------------------------+
2498+ | This source file is subject to version 2.02 of the PHP license, |
2499+ | that is bundled with this package in the file LICENSE, and is |
2500+ | available at through the world-wide-web at |
2501+ | http://www.php.net/license/2_02.txt. |
2502+ | If you did not receive a copy of the PHP license and are unable to |
2503+ | obtain it through the world-wide-web, please send a note to |
2504+ | license@php.net so we can mail you a copy immediately. |
2505+ +----------------------------------------------------------------------+
2506+ | Author: Stefan Esser <sesser@hardened-php.net> |
2507+ +----------------------------------------------------------------------+
2508+
2509+ $Id: php_varfilter.h,v 1.1 2004/11/14 13:27:16 ionic Exp $
2510+*/
2511+
2512+#ifndef PHP_VARFILTER_H
2513+#define PHP_VARFILTER_H
2514+
2515+extern zend_module_entry varfilter_module_entry;
2516+#define phpext_varfilter_ptr &varfilter_module_entry
2517+
2518+#ifdef PHP_WIN32
2519+#define PHP_VARFILTER_API __declspec(dllexport)
2520+#else
2521+#define PHP_VARFILTER_API
2522+#endif
2523+
2524+#ifdef ZTS
2525+#include "TSRM.h"
2526+#endif
2527+
2528+#include "SAPI.h"
2529+
2530+#include "php_variables.h"
2531+
2532+
2533+PHP_MINIT_FUNCTION(varfilter);
2534+PHP_MSHUTDOWN_FUNCTION(varfilter);
2535+PHP_RINIT_FUNCTION(varfilter);
2536+PHP_RSHUTDOWN_FUNCTION(varfilter);
2537+PHP_MINFO_FUNCTION(varfilter);
2538+
2539+
2540+ZEND_BEGIN_MODULE_GLOBALS(varfilter)
2541+/* request variables */
2542+ long max_request_variables;
2543+ long cur_request_variables;
2544+ long max_varname_length;
2545+ long max_totalname_length;
2546+ long max_value_length;
2547+ long max_array_depth;
2548+ long max_array_index_length;
2549+/* cookie variables */
2550+ long max_cookie_vars;
2551+ long cur_cookie_vars;
2552+ long max_cookie_name_length;
2553+ long max_cookie_totalname_length;
2554+ long max_cookie_value_length;
2555+ long max_cookie_array_depth;
2556+ long max_cookie_array_index_length;
2557+/* get variables */
2558+ long max_get_vars;
2559+ long cur_get_vars;
2560+ long max_get_name_length;
2561+ long max_get_totalname_length;
2562+ long max_get_value_length;
2563+ long max_get_array_depth;
2564+ long max_get_array_index_length;
2565+/* post variables */
2566+ long max_post_vars;
2567+ long cur_post_vars;
2568+ long max_post_name_length;
2569+ long max_post_totalname_length;
2570+ long max_post_value_length;
2571+ long max_post_array_depth;
2572+ long max_post_array_index_length;
2573+/* fileupload */
2574+ long max_uploads;
2575+ long cur_uploads;
2576+ zend_bool disallow_elf_files;
2577+ char *verification_script;
2578+
2579+ZEND_END_MODULE_GLOBALS(varfilter)
2580+
2581+
2582+#ifdef ZTS
2583+#define VARFILTER_G(v) TSRMG(varfilter_globals_id, zend_varfilter_globals *, v)
2584+#else
2585+#define VARFILTER_G(v) (varfilter_globals.v)
2586+#endif
2587+
2588+SAPI_INPUT_FILTER_FUNC(varfilter_input_filter);
2589+SAPI_UPLOAD_VARNAME_FILTER_FUNC(varfilter_upload_varname_filter);
2590+SAPI_PRE_UPLOAD_FILTER_FUNC(varfilter_pre_upload_filter);
2591+SAPI_UPLOAD_CONTENT_FILTER_FUNC(varfilter_upload_content_filter);
2592+SAPI_POST_UPLOAD_FILTER_FUNC(varfilter_post_upload_filter);
2593+
2594+#endif /* PHP_VARFILTER_H */
2595+
2596+
2597+/*
2598+ * Local variables:
2599+ * tab-width: 4
2600+ * c-basic-offset: 4
2601+ * indent-tabs-mode: t
2602+ * End:
2603+ */
2604diff -Nura php-5.0.5/ext/varfilter/varfilter.c hardening-patch-5.0.5-0.4.3/ext/varfilter/varfilter.c
2605--- php-5.0.5/ext/varfilter/varfilter.c 1970-01-01 01:00:00.000000000 +0100
2606+++ hardening-patch-5.0.5-0.4.3/ext/varfilter/varfilter.c 2005-09-12 00:02:31.000000000 +0200
2607@@ -0,0 +1,726 @@
2608+/*
2609+ +----------------------------------------------------------------------+
2610+ | Hardened-PHP Project's varfilter extension |
2611+ +----------------------------------------------------------------------+
2612+ | Copyright (c) 2004-2005 Stefan Esser |
2613+ +----------------------------------------------------------------------+
2614+ | This source file is subject to version 2.02 of the PHP license, |
2615+ | that is bundled with this package in the file LICENSE, and is |
2616+ | available at through the world-wide-web at |
2617+ | http://www.php.net/license/2_02.txt. |
2618+ | If you did not receive a copy of the PHP license and are unable to |
2619+ | obtain it through the world-wide-web, please send a note to |
2620+ | license@php.net so we can mail you a copy immediately. |
2621+ +----------------------------------------------------------------------+
2622+ | Author: Stefan Esser <sesser@hardened-php.net> |
2623+ +----------------------------------------------------------------------+
2624+
2625+ $Id: varfilter.c,v 1.1 2004/11/14 13:27:16 ionic Exp $
2626+*/
2627+
2628+#ifdef HAVE_CONFIG_H
2629+#include "config.h"
2630+#endif
2631+
2632+#include "php.h"
2633+#include "php_ini.h"
2634+#include "ext/standard/info.h"
2635+#include "php_varfilter.h"
2636+#include "hardening_patch.h"
2637+
2638+ZEND_DECLARE_MODULE_GLOBALS(varfilter)
2639+
2640+/* True global resources - no need for thread safety here */
2641+static int le_varfilter;
2642+
2643+/* {{{ varfilter_module_entry
2644+ */
2645+zend_module_entry varfilter_module_entry = {
2646+#if ZEND_MODULE_API_NO >= 20010901
2647+ STANDARD_MODULE_HEADER,
2648+#endif
2649+ "varfilter",
2650+ NULL,
2651+ PHP_MINIT(varfilter),
2652+ PHP_MSHUTDOWN(varfilter),
2653+ PHP_RINIT(varfilter), /* Replace with NULL if there's nothing to do at request start */
2654+ PHP_RSHUTDOWN(varfilter), /* Replace with NULL if there's nothing to do at request end */
2655+ PHP_MINFO(varfilter),
2656+#if ZEND_MODULE_API_NO >= 20010901
2657+ "0.3.2", /* Replace with version number for your extension */
2658+#endif
2659+ STANDARD_MODULE_PROPERTIES
2660+};
2661+/* }}} */
2662+
2663+#ifdef COMPILE_DL_VARFILTER
2664+ZEND_GET_MODULE(varfilter)
2665+#endif
2666+
2667+/* {{{ PHP_INI
2668+ */
2669+PHP_INI_BEGIN()
2670+ /* for backward compatibility */
2671+ STD_PHP_INI_ENTRY("varfilter.max_request_variables", "200", PHP_INI_PERDIR, OnUpdateLong, max_request_variables, zend_varfilter_globals, varfilter_globals)
2672+ STD_PHP_INI_ENTRY("varfilter.max_varname_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_varname_length, zend_varfilter_globals, varfilter_globals)
2673+ STD_PHP_INI_ENTRY("varfilter.max_value_length", "65000", PHP_INI_PERDIR, OnUpdateLong, max_value_length, zend_varfilter_globals, varfilter_globals)
2674+ STD_PHP_INI_ENTRY("varfilter.max_array_depth", "100", PHP_INI_PERDIR, OnUpdateLong, max_array_depth, zend_varfilter_globals, varfilter_globals)
2675+ STD_PHP_INI_ENTRY("varfilter.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_totalname_length, zend_varfilter_globals, varfilter_globals)
2676+ STD_PHP_INI_ENTRY("varfilter.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_array_index_length, zend_varfilter_globals, varfilter_globals)
2677+
2678+ STD_PHP_INI_ENTRY("hphp.request.max_vars", "200", PHP_INI_PERDIR, OnUpdateLong, max_request_variables, zend_varfilter_globals, varfilter_globals)
2679+ STD_PHP_INI_ENTRY("hphp.request.max_varname_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_varname_length, zend_varfilter_globals, varfilter_globals)
2680+ STD_PHP_INI_ENTRY("hphp.request.max_value_length", "65000", PHP_INI_PERDIR, OnUpdateLong, max_value_length, zend_varfilter_globals, varfilter_globals)
2681+ STD_PHP_INI_ENTRY("hphp.request.max_array_depth", "100", PHP_INI_PERDIR, OnUpdateLong, max_array_depth, zend_varfilter_globals, varfilter_globals)
2682+ STD_PHP_INI_ENTRY("hphp.request.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_totalname_length, zend_varfilter_globals, varfilter_globals)
2683+ STD_PHP_INI_ENTRY("hphp.request.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_array_index_length, zend_varfilter_globals, varfilter_globals)
2684+
2685+ STD_PHP_INI_ENTRY("hphp.cookie.max_vars", "100", PHP_INI_PERDIR, OnUpdateLong, max_cookie_vars, zend_varfilter_globals, varfilter_globals)
2686+ STD_PHP_INI_ENTRY("hphp.cookie.max_name_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_cookie_name_length, zend_varfilter_globals, varfilter_globals)
2687+ STD_PHP_INI_ENTRY("hphp.cookie.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_cookie_totalname_length, zend_varfilter_globals, varfilter_globals)
2688+ STD_PHP_INI_ENTRY("hphp.cookie.max_value_length", "10000", PHP_INI_PERDIR, OnUpdateLong, max_cookie_value_length, zend_varfilter_globals, varfilter_globals)
2689+ STD_PHP_INI_ENTRY("hphp.cookie.max_array_depth", "100", PHP_INI_PERDIR, OnUpdateLong, max_cookie_array_depth, zend_varfilter_globals, varfilter_globals)
2690+ STD_PHP_INI_ENTRY("hphp.cookie.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_cookie_array_index_length, zend_varfilter_globals, varfilter_globals)
2691+
2692+ STD_PHP_INI_ENTRY("hphp.get.max_vars", "100", PHP_INI_PERDIR, OnUpdateLong, max_get_vars, zend_varfilter_globals, varfilter_globals)
2693+ STD_PHP_INI_ENTRY("hphp.get.max_name_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_get_name_length, zend_varfilter_globals, varfilter_globals)
2694+ STD_PHP_INI_ENTRY("hphp.get.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_get_totalname_length, zend_varfilter_globals, varfilter_globals)
2695+ STD_PHP_INI_ENTRY("hphp.get.max_value_length", "512", PHP_INI_PERDIR, OnUpdateLong, max_get_value_length, zend_varfilter_globals, varfilter_globals)
2696+ STD_PHP_INI_ENTRY("hphp.get.max_array_depth", "50", PHP_INI_PERDIR, OnUpdateLong, max_get_array_depth, zend_varfilter_globals, varfilter_globals)
2697+ STD_PHP_INI_ENTRY("hphp.get.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_get_array_index_length, zend_varfilter_globals, varfilter_globals)
2698+
2699+ STD_PHP_INI_ENTRY("hphp.post.max_vars", "200", PHP_INI_PERDIR, OnUpdateLong, max_post_vars, zend_varfilter_globals, varfilter_globals)
2700+ STD_PHP_INI_ENTRY("hphp.post.max_name_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_post_name_length, zend_varfilter_globals, varfilter_globals)
2701+ STD_PHP_INI_ENTRY("hphp.post.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_post_totalname_length, zend_varfilter_globals, varfilter_globals)
2702+ STD_PHP_INI_ENTRY("hphp.post.max_value_length", "65000", PHP_INI_PERDIR, OnUpdateLong, max_post_value_length, zend_varfilter_globals, varfilter_globals)
2703+ STD_PHP_INI_ENTRY("hphp.post.max_array_depth", "100", PHP_INI_PERDIR, OnUpdateLong, max_post_array_depth, zend_varfilter_globals, varfilter_globals)
2704+ STD_PHP_INI_ENTRY("hphp.post.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_post_array_index_length, zend_varfilter_globals, varfilter_globals)
2705+
2706+ STD_PHP_INI_ENTRY("hphp.upload.max_uploads", "25", PHP_INI_PERDIR, OnUpdateLong, max_uploads, zend_varfilter_globals, varfilter_globals)
2707+ STD_PHP_INI_ENTRY("hphp.upload.disallow_elf_files", "1", PHP_INI_SYSTEM, OnUpdateBool, disallow_elf_files, zend_varfilter_globals, varfilter_globals)
2708+ STD_PHP_INI_ENTRY("hphp.upload.verification_script", NULL, PHP_INI_SYSTEM, OnUpdateString, verification_script, zend_varfilter_globals, varfilter_globals)
2709+
2710+
2711+PHP_INI_END()
2712+/* }}} */
2713+
2714+/* {{{ php_varfilter_init_globals
2715+ */
2716+static void php_varfilter_init_globals(zend_varfilter_globals *varfilter_globals)
2717+{
2718+ varfilter_globals->max_request_variables = 200;
2719+ varfilter_globals->max_varname_length = 64;
2720+ varfilter_globals->max_value_length = 10000;
2721+ varfilter_globals->max_array_depth = 100;
2722+ varfilter_globals->max_totalname_length = 256;
2723+ varfilter_globals->max_array_index_length = 64;
2724+
2725+ varfilter_globals->max_cookie_vars = 100;
2726+ varfilter_globals->max_cookie_name_length = 64;
2727+ varfilter_globals->max_cookie_totalname_length = 256;
2728+ varfilter_globals->max_cookie_value_length = 10000;
2729+ varfilter_globals->max_cookie_array_depth = 100;
2730+ varfilter_globals->max_cookie_array_index_length = 64;
2731+
2732+ varfilter_globals->max_get_vars = 100;
2733+ varfilter_globals->max_get_name_length = 64;
2734+ varfilter_globals->max_get_totalname_length = 256;
2735+ varfilter_globals->max_get_value_length = 512;
2736+ varfilter_globals->max_get_array_depth = 50;
2737+ varfilter_globals->max_get_array_index_length = 64;
2738+
2739+ varfilter_globals->max_post_vars = 200;
2740+ varfilter_globals->max_post_name_length = 64;
2741+ varfilter_globals->max_post_totalname_length = 256;
2742+ varfilter_globals->max_post_value_length = 65000;
2743+ varfilter_globals->max_post_array_depth = 100;
2744+ varfilter_globals->max_post_array_index_length = 64;
2745+
2746+ varfilter_globals->max_uploads = 25;
2747+ varfilter_globals->disallow_elf_files = 1;
2748+ varfilter_globals->verification_script = NULL;
2749+}
2750+/* }}} */
2751+
2752+/* {{{ PHP_MINIT_FUNCTION
2753+ */
2754+PHP_MINIT_FUNCTION(varfilter)
2755+{
2756+ ZEND_INIT_MODULE_GLOBALS(varfilter, php_varfilter_init_globals, NULL);
2757+ REGISTER_INI_ENTRIES();
2758+
2759+ sapi_register_input_filter(varfilter_input_filter);
2760+ sapi_register_upload_varname_filter(varfilter_upload_varname_filter);
2761+ sapi_register_pre_upload_filter(varfilter_pre_upload_filter);
2762+ sapi_register_upload_content_filter(varfilter_upload_content_filter);
2763+ sapi_register_post_upload_filter(varfilter_post_upload_filter);
2764+
2765+ return SUCCESS;
2766+}
2767+/* }}} */
2768+
2769+/* {{{ PHP_MSHUTDOWN_FUNCTION
2770+ */
2771+PHP_MSHUTDOWN_FUNCTION(varfilter)
2772+{
2773+ UNREGISTER_INI_ENTRIES();
2774+
2775+ return SUCCESS;
2776+}
2777+/* }}} */
2778+
2779+/* Remove if there's nothing to do at request start */
2780+/* {{{ PHP_RINIT_FUNCTION
2781+ */
2782+PHP_RINIT_FUNCTION(varfilter)
2783+{
2784+ VARFILTER_G(cur_request_variables) = 0;
2785+ VARFILTER_G(cur_get_vars) = 0;
2786+ VARFILTER_G(cur_post_vars) = 0;
2787+ VARFILTER_G(cur_cookie_vars) = 0;
2788+
2789+ VARFILTER_G(cur_uploads) = 0;
2790+
2791+ return SUCCESS;
2792+}
2793+/* }}} */
2794+
2795+/* Remove if there's nothing to do at request end */
2796+/* {{{ PHP_RSHUTDOWN_FUNCTION
2797+ */
2798+PHP_RSHUTDOWN_FUNCTION(varfilter)
2799+{
2800+ return SUCCESS;
2801+}
2802+/* }}} */
2803+
2804+/* {{{ PHP_MINFO_FUNCTION
2805+ */
2806+PHP_MINFO_FUNCTION(varfilter)
2807+{
2808+ php_info_print_table_start();
2809+ php_info_print_table_header(2, "Hardening-Patch's variable filter support", "enabled");
2810+ php_info_print_table_end();
2811+
2812+ DISPLAY_INI_ENTRIES();
2813+}
2814+/* }}} */
2815+
2816+/* {{{ normalize_varname
2817+ */
2818+static void normalize_varname(char *varname)
2819+{
2820+ char *s=varname, *index=NULL, *indexend=NULL, *p;
2821+
2822+ /* overjump leading space */
2823+ while (*s == ' ') {
2824+ s++;
2825+ }
2826+
2827+ /* and remove it */
2828+ if (s != varname) {
2829+ memmove(varname, s, strlen(s)+1);
2830+ }
2831+
2832+ for (p=varname; *p && *p != '['; p++) {
2833+ switch(*p) {
2834+ case ' ':
2835+ case '.':
2836+ *p='_';
2837+ break;
2838+ }
2839+ }
2840+
2841+ /* find index */
2842+ index = strchr(varname, '[');
2843+ if (index) {
2844+ index++;
2845+ s=index;
2846+ } else {
2847+ return;
2848+ }
2849+
2850+ /* done? */
2851+ while (index) {
2852+
2853+ while (*index == ' ' || *index == '\r' || *index == '\n' || *index=='\t') {
2854+ index++;
2855+ }
2856+ indexend = strchr(index, ']');
2857+ indexend = indexend ? indexend + 1 : index + strlen(index);
2858+
2859+ if (s != index) {
2860+ memmove(s, index, strlen(index)+1);
2861+ s += indexend-index;
2862+ } else {
2863+ s = indexend;
2864+ }
2865+
2866+ if (*s == '[') {
2867+ s++;
2868+ index = s;
2869+ } else {
2870+ index = NULL;
2871+ }
2872+ }
2873+ *s++='\0';
2874+}
2875+/* }}} */
2876+
2877+/* {{{ SAPI_UPLOAD_VARNAME_FILTER_FUNC
2878+ */
2879+SAPI_UPLOAD_VARNAME_FILTER_FUNC(varfilter_upload_varname_filter)
2880+{
2881+ char *index, *prev_index = NULL, *var;
2882+ unsigned int var_len, total_len, depth = 0;
2883+
2884+ var = estrdup(varname);
2885+
2886+ /* Normalize the variable name */
2887+ normalize_varname(var);
2888+
2889+ /* Find length of variable name */
2890+ index = strchr(var, '[');
2891+ total_len = strlen(var);
2892+ var_len = index ? index-var : total_len;
2893+
2894+ /* Drop this variable if it exceeds the varname/total length limit */
2895+ if (VARFILTER_G(max_varname_length) && VARFILTER_G(max_varname_length) < var_len) {
2896+ php_security_log(S_FILES, "configured request variable name length limit exceeded - dropped %s", var);
2897+ goto return_failure;
2898+ }
2899+ if (VARFILTER_G(max_totalname_length) && VARFILTER_G(max_totalname_length) < total_len) {
2900+ php_security_log(S_FILES, "configured request variable total name length limit exceeded - dropped %s", var);
2901+ goto return_failure;
2902+ }
2903+ if (VARFILTER_G(max_post_name_length) && VARFILTER_G(max_post_name_length) < var_len) {
2904+ php_security_log(S_FILES, "configured POST variable name length limit exceeded - dropped %s", var);
2905+ goto return_failure;
2906+ }
2907+ if (VARFILTER_G(max_post_totalname_length) && VARFILTER_G(max_post_totalname_length) < var_len) {
2908+ php_security_log(S_FILES, "configured POST variable total name length limit exceeded - dropped %s", var);
2909+ goto return_failure;
2910+ }
2911+
2912+ /* Find out array depth */
2913+ while (index) {
2914+ unsigned int index_length;
2915+
2916+ depth++;
2917+ index = strchr(index+1, '[');
2918+
2919+ if (prev_index) {
2920+ index_length = index ? index - 1 - prev_index - 1: strlen(prev_index);
2921+
2922+ if (VARFILTER_G(max_array_index_length) && VARFILTER_G(max_array_index_length) < index_length) {
2923+ php_security_log(S_FILES, "configured request variable array index length limit exceeded - dropped %s", var);
2924+ goto return_failure;
2925+ }
2926+ if (VARFILTER_G(max_post_array_index_length) && VARFILTER_G(max_post_array_index_length) < index_length) {
2927+ php_security_log(S_FILES, "configured POST variable array index length limit exceeded - dropped %s", var);
2928+ goto return_failure;
2929+ }
2930+ prev_index = index;
2931+ }
2932+
2933+ }
2934+
2935+ /* Drop this variable if it exceeds the array depth limit */
2936+ if (VARFILTER_G(max_array_depth) && VARFILTER_G(max_array_depth) < depth) {
2937+ php_security_log(S_FILES, "configured request variable array depth limit exceeded - dropped %s", var);
2938+ goto return_failure;
2939+ }
2940+ if (VARFILTER_G(max_post_array_depth) && VARFILTER_G(max_post_array_depth) < depth) {
2941+ php_security_log(S_FILES, "configured POST variable array depth limit exceeded - dropped %s", var);
2942+ goto return_failure;
2943+ }
2944+
2945+ /* Drop this variable if it is one of GLOBALS, _GET, _POST, ... */
2946+ /* This is to protect several silly scripts that do globalizing themself */
2947+
2948+ switch (var_len) {
2949+ case 18:
2950+ if (memcmp(var, "HTTP_RAW_POST_DATA", 18)==0) goto protected_varname2;
2951+ break;
2952+ case 17:
2953+ if (memcmp(var, "HTTP_SESSION_VARS", 17)==0) goto protected_varname2;
2954+ break;
2955+ case 16:
2956+ if (memcmp(var, "HTTP_SERVER_VARS", 16)==0) goto protected_varname2;
2957+ if (memcmp(var, "HTTP_COOKIE_VARS", 16)==0) goto protected_varname2;
2958+ break;
2959+ case 15:
2960+ if (memcmp(var, "HTTP_POST_FILES", 15)==0) goto protected_varname2;
2961+ break;
2962+ case 14:
2963+ if (memcmp(var, "HTTP_POST_VARS", 14)==0) goto protected_varname2;
2964+ break;
2965+ case 13:
2966+ if (memcmp(var, "HTTP_GET_VARS", 13)==0) goto protected_varname2;
2967+ if (memcmp(var, "HTTP_ENV_VARS", 13)==0) goto protected_varname2;
2968+ break;
2969+ case 8:
2970+ if (memcmp(var, "_SESSION", 8)==0) goto protected_varname2;
2971+ if (memcmp(var, "_REQUEST", 8)==0) goto protected_varname2;
2972+ break;
2973+ case 7:
2974+ if (memcmp(var, "GLOBALS", 7)==0) goto protected_varname2;
2975+ if (memcmp(var, "_COOKIE", 7)==0) goto protected_varname2;
2976+ if (memcmp(var, "_SERVER", 7)==0) goto protected_varname2;
2977+ break;
2978+ case 6:
2979+ if (memcmp(var, "_FILES", 6)==0) goto protected_varname2;
2980+ break;
2981+ case 5:
2982+ if (memcmp(var, "_POST", 5)==0) goto protected_varname2;
2983+ break;
2984+ case 4:
2985+ if (memcmp(var, "_ENV", 4)==0) goto protected_varname2;
2986+ if (memcmp(var, "_GET", 4)==0) goto protected_varname2;
2987+ break;
2988+ }
2989+
2990+ efree(var);
2991+ return SUCCESS;
2992+protected_varname2:
2993+ php_security_log(S_FILES, "tried to register forbidden variable '%s' through FILE variables", var);
2994+return_failure:
2995+ efree(var);
2996+ return FAILURE;
2997+}
2998+/* }}} */
2999+
3000+/* {{{ SAPI_PRE_UPLOAD_FILTER_FUNC
3001+ */
3002+SAPI_PRE_UPLOAD_FILTER_FUNC(varfilter_pre_upload_filter)
3003+{
3004+ /* Drop this fileupload if the limit is reached */
3005+ if (VARFILTER_G(max_uploads) && VARFILTER_G(max_uploads) <= VARFILTER_G(cur_uploads)) {
3006+ php_security_log(S_FILES, "configured fileupload limit exceeded - file dropped");
3007+ return FAILURE;
3008+ }
3009+
3010+ return SUCCESS;
3011+}
3012+/* }}} */
3013+
3014+/* {{{ SAPI_UPLOAD_CONTENT_FILTER_FUNC
3015+ */
3016+SAPI_UPLOAD_CONTENT_FILTER_FUNC(varfilter_upload_content_filter)
3017+{
3018+
3019+ if (VARFILTER_G(disallow_elf_files)) {
3020+
3021+ if (offset == 0 && buffer_len > 10) {
3022+
3023+ if (buffer[0] == 0x7F && buffer[1] == 'E' && buffer[2] == 'L' && buffer[3] == 'F') {
3024+ php_security_log(S_FILES, "uploaded file is an ELF executable - file dropped");
3025+ return FAILURE;
3026+ }
3027+ }
3028+
3029+ }
3030+
3031+ return SUCCESS;
3032+}
3033+/* }}} */
3034+
3035+/* {{{ SAPI_POST_UPLOAD_FILTER_FUNC
3036+ */
3037+SAPI_POST_UPLOAD_FILTER_FUNC(varfilter_post_upload_filter)
3038+{
3039+ int retval = SUCCESS;
3040+
3041+ if (VARFILTER_G(verification_script)) {
3042+ char cmd[8192];
3043+ FILE *in;
3044+ int first=1;
3045+
3046+ ap_php_snprintf(cmd, sizeof(cmd), "%s %s", VARFILTER_G(verification_script), tmpfilename);
3047+
3048+ if ((in=VCWD_POPEN(cmd, "r"))==NULL) {
3049+ php_security_log(S_FILES, "unable to execute fileupload verification script %s - file dropped", VARFILTER_G(verification_script));
3050+ return FAILURE;
3051+ }
3052+
3053+ retval = FAILURE;
3054+
3055+ /* read and forget the result */
3056+ while (1) {
3057+ int readbytes = fread(cmd, 1, sizeof(cmd), in);
3058+ if (readbytes<=0) {
3059+ break;
3060+ }
3061+ if (first) {
3062+ retval = atoi(cmd) == 1 ? SUCCESS : FAILURE;
3063+ first = 0;
3064+ }
3065+ }
3066+ pclose(in);
3067+ }
3068+
3069+ if (retval != SUCCESS) {
3070+ php_security_log(S_FILES, "fileupload verification script disallows file - file dropped");
3071+ return FAILURE;
3072+ }
3073+
3074+ VARFILTER_G(cur_uploads)++;
3075+ return SUCCESS;
3076+}
3077+/* }}} */
3078+
3079+/* {{{ SAPI_INPUT_FILTER_FUNC
3080+ */
3081+SAPI_INPUT_FILTER_FUNC(varfilter_input_filter)
3082+{
3083+ char *index, *prev_index = NULL;
3084+ unsigned int var_len, total_len, depth = 0;
3085+
3086+ /* Drop this variable if the limit is reached */
3087+ if (VARFILTER_G(max_request_variables) && VARFILTER_G(max_request_variables) <= VARFILTER_G(cur_request_variables)) {
3088+ php_security_log(S_VARS, "configured request variable limit exceeded - dropped %s", var);
3089+ return 0;
3090+ }
3091+ switch (arg) {
3092+ case PARSE_GET:
3093+ if (VARFILTER_G(max_get_vars) && VARFILTER_G(max_get_vars) <= VARFILTER_G(cur_get_vars)) {
3094+ php_security_log(S_VARS, "configured GET variable limit exceeded - dropped %s", var);
3095+ return 0;
3096+ }
3097+ break;
3098+ case PARSE_COOKIE:
3099+ if (VARFILTER_G(max_cookie_vars) && VARFILTER_G(max_cookie_vars) <= VARFILTER_G(cur_cookie_vars)) {
3100+ php_security_log(S_VARS, "configured COOKIE variable limit exceeded - dropped %s", var);
3101+ return 0;
3102+ }
3103+ break;
3104+ case PARSE_POST:
3105+ if (VARFILTER_G(max_post_vars) && VARFILTER_G(max_post_vars) <= VARFILTER_G(cur_post_vars)) {
3106+ php_security_log(S_VARS, "configured POST variable limit exceeded - dropped %s", var);
3107+ return 0;
3108+ }
3109+ break;
3110+ }
3111+
3112+
3113+ /* Drop this variable if it exceeds the value length limit */
3114+ if (VARFILTER_G(max_value_length) && VARFILTER_G(max_value_length) < val_len) {
3115+ php_security_log(S_VARS, "configured request variable value length limit exceeded - dropped %s", var);
3116+ return 0;
3117+ }
3118+ switch (arg) {
3119+ case PARSE_GET:
3120+ if (VARFILTER_G(max_get_value_length) && VARFILTER_G(max_get_value_length) < val_len) {
3121+ php_security_log(S_VARS, "configured GET variable value length limit exceeded - dropped %s", var);
3122+ return 0;
3123+ }
3124+ break;
3125+ case PARSE_COOKIE:
3126+ if (VARFILTER_G(max_cookie_value_length) && VARFILTER_G(max_cookie_value_length) < val_len) {
3127+ php_security_log(S_VARS, "configured COOKIE variable value length limit exceeded - dropped %s", var);
3128+ return 0;
3129+ }
3130+ break;
3131+ case PARSE_POST:
3132+ if (VARFILTER_G(max_post_value_length) && VARFILTER_G(max_post_value_length) < val_len) {
3133+ php_security_log(S_VARS, "configured POST variable value length limit exceeded - dropped %s", var);
3134+ return 0;
3135+ }
3136+ break;
3137+ }
3138+
3139+ /* Normalize the variable name */
3140+ normalize_varname(var);
3141+
3142+ /* Find length of variable name */
3143+ index = strchr(var, '[');
3144+ total_len = strlen(var);
3145+ var_len = index ? index-var : total_len;
3146+
3147+ /* Drop this variable if it exceeds the varname/total length limit */
3148+ if (VARFILTER_G(max_varname_length) && VARFILTER_G(max_varname_length) < var_len) {
3149+ php_security_log(S_VARS, "configured request variable name length limit exceeded - dropped %s", var);
3150+ return 0;
3151+ }
3152+ if (VARFILTER_G(max_totalname_length) && VARFILTER_G(max_totalname_length) < total_len) {
3153+ php_security_log(S_VARS, "configured request variable total name length limit exceeded - dropped %s", var);
3154+ return 0;
3155+ }
3156+ switch (arg) {
3157+ case PARSE_GET:
3158+ if (VARFILTER_G(max_get_name_length) && VARFILTER_G(max_get_name_length) < var_len) {
3159+ php_security_log(S_VARS, "configured GET variable name length limit exceeded - dropped %s", var);
3160+ return 0;
3161+ }
3162+ if (VARFILTER_G(max_get_totalname_length) && VARFILTER_G(max_get_totalname_length) < var_len) {
3163+ php_security_log(S_VARS, "configured GET variable total name length limit exceeded - dropped %s", var);
3164+ return 0;
3165+ }
3166+ break;
3167+ case PARSE_COOKIE:
3168+ if (VARFILTER_G(max_cookie_name_length) && VARFILTER_G(max_cookie_name_length) < var_len) {
3169+ php_security_log(S_VARS, "configured COOKIE variable name length limit exceeded - dropped %s", var);
3170+ return 0;
3171+ }
3172+ if (VARFILTER_G(max_cookie_totalname_length) && VARFILTER_G(max_cookie_totalname_length) < var_len) {
3173+ php_security_log(S_VARS, "configured COOKIE variable total name length limit exceeded - dropped %s", var);
3174+ return 0;
3175+ }
3176+ break;
3177+ case PARSE_POST:
3178+ if (VARFILTER_G(max_post_name_length) && VARFILTER_G(max_post_name_length) < var_len) {
3179+ php_security_log(S_VARS, "configured POST variable name length limit exceeded - dropped %s", var);
3180+ return 0;
3181+ }
3182+ if (VARFILTER_G(max_post_totalname_length) && VARFILTER_G(max_post_totalname_length) < var_len) {
3183+ php_security_log(S_VARS, "configured POST variable total name length limit exceeded - dropped %s", var);
3184+ return 0;
3185+ }
3186+ break;
3187+ }
3188+
3189+ /* Find out array depth */
3190+ while (index) {
3191+ unsigned int index_length;
3192+
3193+ depth++;
3194+ index = strchr(index+1, '[');
3195+
3196+ if (prev_index) {
3197+ index_length = index ? index - 1 - prev_index - 1: strlen(prev_index);
3198+
3199+ if (VARFILTER_G(max_array_index_length) && VARFILTER_G(max_array_index_length) < index_length) {
3200+ php_security_log(S_VARS, "configured request variable array index length limit exceeded - dropped %s", var);
3201+ return 0;
3202+ }
3203+ switch (arg) {
3204+ case PARSE_GET:
3205+ if (VARFILTER_G(max_get_array_index_length) && VARFILTER_G(max_get_array_index_length) < index_length) {
3206+ php_security_log(S_VARS, "configured GET variable array index length limit exceeded - dropped %s", var);
3207+ return 0;
3208+ }
3209+ break;
3210+ case PARSE_COOKIE:
3211+ if (VARFILTER_G(max_cookie_array_index_length) && VARFILTER_G(max_cookie_array_index_length) < index_length) {
3212+ php_security_log(S_VARS, "configured COOKIE variable array index length limit exceeded - dropped %s", var);
3213+ return 0;
3214+ }
3215+ break;
3216+ case PARSE_POST:
3217+ if (VARFILTER_G(max_post_array_index_length) && VARFILTER_G(max_post_array_index_length) < index_length) {
3218+ php_security_log(S_VARS, "configured POST variable array index length limit exceeded - dropped %s", var);
3219+ return 0;
3220+ }
3221+ break;
3222+ }
3223+ prev_index = index;
3224+ }
3225+
3226+ }
3227+
3228+ /* Drop this variable if it exceeds the array depth limit */
3229+ if (VARFILTER_G(max_array_depth) && VARFILTER_G(max_array_depth) < depth) {
3230+ php_security_log(S_VARS, "configured request variable array depth limit exceeded - dropped %s", var);
3231+ return 0;
3232+ }
3233+ switch (arg) {
3234+ case PARSE_GET:
3235+ if (VARFILTER_G(max_get_array_depth) && VARFILTER_G(max_get_array_depth) < depth) {
3236+ php_security_log(S_VARS, "configured GET variable array depth limit exceeded - dropped %s", var);
3237+ return 0;
3238+ }
3239+ break;
3240+ case PARSE_COOKIE:
3241+ if (VARFILTER_G(max_cookie_array_depth) && VARFILTER_G(max_cookie_array_depth) < depth) {
3242+ php_security_log(S_VARS, "configured COOKIE variable array depth limit exceeded - dropped %s", var);
3243+ return 0;
3244+ }
3245+ break;
3246+ case PARSE_POST:
3247+ if (VARFILTER_G(max_post_array_depth) && VARFILTER_G(max_post_array_depth) < depth) {
3248+ php_security_log(S_VARS, "configured POST variable array depth limit exceeded - dropped %s", var);
3249+ return 0;
3250+ }
3251+ break;
3252+ }
3253+
3254+ /* Drop this variable if it is one of GLOBALS, _GET, _POST, ... */
3255+ /* This is to protect several silly scripts that do globalizing themself */
3256+
3257+ switch (var_len) {
3258+ case 18:
3259+ if (memcmp(var, "HTTP_RAW_POST_DATA", 18)==0) goto protected_varname;
3260+ break;
3261+ case 17:
3262+ if (memcmp(var, "HTTP_SESSION_VARS", 17)==0) goto protected_varname;
3263+ break;
3264+ case 16:
3265+ if (memcmp(var, "HTTP_SERVER_VARS", 16)==0) goto protected_varname;
3266+ if (memcmp(var, "HTTP_COOKIE_VARS", 16)==0) goto protected_varname;
3267+ break;
3268+ case 15:
3269+ if (memcmp(var, "HTTP_POST_FILES", 15)==0) goto protected_varname;
3270+ break;
3271+ case 14:
3272+ if (memcmp(var, "HTTP_POST_VARS", 14)==0) goto protected_varname;
3273+ break;
3274+ case 13:
3275+ if (memcmp(var, "HTTP_GET_VARS", 13)==0) goto protected_varname;
3276+ if (memcmp(var, "HTTP_ENV_VARS", 13)==0) goto protected_varname;
3277+ break;
3278+ case 8:
3279+ if (memcmp(var, "_SESSION", 8)==0) goto protected_varname;
3280+ if (memcmp(var, "_REQUEST", 8)==0) goto protected_varname;
3281+ break;
3282+ case 7:
3283+ if (memcmp(var, "GLOBALS", 7)==0) goto protected_varname;
3284+ if (memcmp(var, "_COOKIE", 7)==0) goto protected_varname;
3285+ if (memcmp(var, "_SERVER", 7)==0) goto protected_varname;
3286+ break;
3287+ case 6:
3288+ if (memcmp(var, "_FILES", 6)==0) goto protected_varname;
3289+ break;
3290+ case 5:
3291+ if (memcmp(var, "_POST", 5)==0) goto protected_varname;
3292+ break;
3293+ case 4:
3294+ if (memcmp(var, "_ENV", 4)==0) goto protected_varname;
3295+ if (memcmp(var, "_GET", 4)==0) goto protected_varname;
3296+ break;
3297+ }
3298+
3299+ /* Okay let PHP register this variable */
3300+ VARFILTER_G(cur_request_variables)++;
3301+ switch (arg) {
3302+ case PARSE_GET:
3303+ VARFILTER_G(cur_get_vars)++;
3304+ break;
3305+ case PARSE_COOKIE:
3306+ VARFILTER_G(cur_cookie_vars)++;
3307+ break;
3308+ case PARSE_POST:
3309+ VARFILTER_G(cur_post_vars)++;
3310+ break;
3311+ }
3312+
3313+ if (new_val_len) {
3314+ *new_val_len = val_len;
3315+ }
3316+
3317+ return 1;
3318+protected_varname:
3319+ php_security_log(S_VARS, "tried to register forbidden variable '%s' through %s variables", var, arg == PARSE_GET ? "GET" : arg == PARSE_POST ? "POST" : "COOKIE");
3320+ return 0;
3321+}
3322+/* }}} */
3323+
3324+/*
3325+ * Local variables:
3326+ * tab-width: 4
3327+ * c-basic-offset: 4
3328+ * End:
3329+ * vim600: noet sw=4 ts=4 fdm=marker
3330+ * vim<600: noet sw=4 ts=4
3331+ */
3332+
3333+
3334diff -Nura php-5.0.5/main/fopen_wrappers.c hardening-patch-5.0.5-0.4.3/main/fopen_wrappers.c
3335--- php-5.0.5/main/fopen_wrappers.c 2005-07-16 14:14:44.000000000 +0200
3336+++ hardening-patch-5.0.5-0.4.3/main/fopen_wrappers.c 2005-09-11 23:30:52.000000000 +0200
3337@@ -155,6 +155,21 @@
3338 char *pathbuf;
3339 char *ptr;
3340 char *end;
3341+ char path_copy[MAXPATHLEN];
3342+ int path_len;
3343+
3344+ /* Special case path ends with a trailing slash */
3345+ path_len = strlen(path);
3346+ if (path_len >= MAXPATHLEN) {
3347+ errno = EPERM; /* we deny permission to open it */
3348+ return -1;
3349+ }
3350+ if (path_len > 0 && path[path_len-1] == PHP_DIR_SEPARATOR) {
3351+ memcpy(path_copy, path, path_len+1);
3352+ while (path_len > 0 && path_copy[path_len-1] == PHP_DIR_SEPARATOR) path_len--;
3353+ path_copy[path_len] = '\0';
3354+ path = (const char *)&path_copy;
3355+ }
3356
3357 pathbuf = estrdup(PG(open_basedir));
3358
3359diff -Nura php-5.0.5/main/hardened_globals.h hardening-patch-5.0.5-0.4.3/main/hardened_globals.h
3360--- php-5.0.5/main/hardened_globals.h 1970-01-01 01:00:00.000000000 +0100
3361+++ hardening-patch-5.0.5-0.4.3/main/hardened_globals.h 2005-09-12 17:03:36.000000000 +0200
3362@@ -0,0 +1,62 @@
3363+/*
3364+ +----------------------------------------------------------------------+
3365+ | Hardening-Patch for PHP |
3366+ +----------------------------------------------------------------------+
3367+ | Copyright (c) 2004-2005 Stefan Esser |
3368+ +----------------------------------------------------------------------+
3369+ | This source file is subject to version 2.02 of the PHP license, |
3370+ | that is bundled with this package in the file LICENSE, and is |
3371+ | available at through the world-wide-web at |
3372+ | http://www.php.net/license/2_02.txt. |
3373+ | If you did not receive a copy of the PHP license and are unable to |
3374+ | obtain it through the world-wide-web, please send a note to |
3375+ | license@php.net so we can mail you a copy immediately. |
3376+ +----------------------------------------------------------------------+
3377+ | Author: Stefan Esser <sesser@hardened-php.net> |
3378+ +----------------------------------------------------------------------+
3379+ */
3380+
3381+#ifndef HARDENED_GLOBALS_H
3382+#define HARDENED_GLOBALS_H
3383+
3384+typedef struct _hardened_globals hardened_globals_struct;
3385+
3386+#ifdef ZTS
3387+# define HG(v) TSRMG(hardened_globals_id, hardened_globals_struct *, v)
3388+extern int hardened_globals_id;
3389+#else
3390+# define HG(v) (hardened_globals.v)
3391+extern struct _hardened_globals hardened_globals;
3392+#endif
3393+
3394+
3395+struct _hardened_globals {
3396+#if HARDENING_PATCH_MM_PROTECT
3397+ unsigned int canary_1;
3398+ unsigned int canary_2;
3399+#endif
3400+#if HARDENING_PATCH_LL_PROTECT
3401+ unsigned int canary_3;
3402+ unsigned int canary_4;
3403+ unsigned int ll_canary_inited;
3404+#endif
3405+ zend_bool hphp_sql_bailout_on_error;
3406+ zend_bool hphp_multiheader;
3407+ HashTable *eval_whitelist;
3408+ HashTable *eval_blacklist;
3409+ HashTable *func_whitelist;
3410+ HashTable *func_blacklist;
3411+ HashTable *include_whitelist;
3412+ HashTable *include_blacklist;
3413+ unsigned int dummy;
3414+};
3415+
3416+
3417+#endif /* HARDENED_GLOBALS_H */
3418+
3419+/*
3420+ * Local variables:
3421+ * tab-width: 4
3422+ * c-basic-offset: 4
3423+ * End:
3424+ */
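Review bot: The new `struct _hardened_globals` documents none of its members; the trailing `unsigned int dummy;` has no stated purpose, and the `HashTable *` whitelist/blacklist pointers carry no note on who allocates and frees them, which matters for a structure that is `memset` to zero at startup elsewhere in the patch. A short comment per group would help, e.g. `/* eval/func/include white- and blacklists; ownership and free point: TODO document */` above the HashTable pointers and a one-line comment on `dummy` stating why it is kept. The header also uses `HashTable`, `zend_bool` and `TSRMG` without including anything, so it is not self-contained; a comment such as `/* must be included after php.h / zend.h */` at the top would record that requirement. The canary fields presumably back the MM/LL protection options named by the `#if` guards; a one-line comment on what each canary guards would complete the picture.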
3425diff -Nura php-5.0.5/main/hardening_patch.c hardening-patch-5.0.5-0.4.3/main/hardening_patch.c
3426--- php-5.0.5/main/hardening_patch.c 1970-01-01 01:00:00.000000000 +0100
3427+++ hardening-patch-5.0.5-0.4.3/main/hardening_patch.c 2005-09-12 18:09:56.000000000 +0200
3428@@ -0,0 +1,424 @@
3429+/*
3430+ +----------------------------------------------------------------------+
3431+ | Hardening Patch for PHP |
3432+ +----------------------------------------------------------------------+
3433+ | Copyright (c) 2004-2005 Stefan Esser |
3434+ +----------------------------------------------------------------------+
3435+ | This source file is subject to version 2.02 of the PHP license, |
3436+ | that is bundled with this package in the file LICENSE, and is |
3437+ | available at through the world-wide-web at |
3438+ | http://www.php.net/license/2_02.txt. |
3439+ | If you did not receive a copy of the PHP license and are unable to |
3440+ | obtain it through the world-wide-web, please send a note to |
3441+ | license@php.net so we can mail you a copy immediately. |
3442+ +----------------------------------------------------------------------+
3443+ | Author: Stefan Esser <sesser@hardened-php.net> |
3444+ +----------------------------------------------------------------------+
3445+ */
3446+/* $Id: hardening_patch.c,v 1.2 2004/11/21 09:38:52 ionic Exp $ */
3447+
3448+#include "php.h"
3449+
3450+#include <stdio.h>
3451+#include <stdlib.h>
3452+
3453+#if HAVE_UNISTD_H
3454+#include <unistd.h>
3455+#endif
3456+#include "SAPI.h"
3457+#include "php_globals.h"
3458+
3459+#if HARDENING_PATCH
3460+
3461+#ifdef HAVE_SYS_SOCKET_H
3462+#include <sys/socket.h>
3463+#endif
3464+
3465+#if defined(PHP_WIN32) || defined(__riscos__) || defined(NETWARE)
3466+#undef AF_UNIX
3467+#endif
3468+
3469+#if defined(AF_UNIX)
3470+#include <sys/un.h>
3471+#endif
3472+
3473+#define SYSLOG_PATH "/dev/log"
3474+
3475+#include "snprintf.h"
3476+
3477+#include "hardening_patch.h"
3478+
3479+#ifdef ZTS
3480+#include "hardened_globals.h"
3481+int hardened_globals_id;
3482+#else
3483+struct _hardened_globals hardened_globals;
3484+#endif
3485+
3486+static void hardened_globals_ctor(hardened_globals_struct *hardened_globals TSRMLS_DC)
3487+{
3488+ memset(hardened_globals, 0, sizeof(*hardened_globals));
3489+}
3490+
3491+
3492+PHPAPI void hardened_startup()
3493+{
3494+#ifdef ZTS
3495+ ts_allocate_id(&hardened_globals_id, sizeof(hardened_globals_struct), (ts_allocate_ctor) hardened_globals_ctor, NULL);
3496+#else
3497+ hardened_globals_ctor(&hardened_globals TSRMLS_CC);
3498+#endif
3499+}
3500+
3501+char *loglevel2string(int loglevel)
3502+{
3503+ switch (loglevel) {
3504+ case S_FILES:
3505+ return "FILES";
3506+ case S_INCLUDE:
3507+ return "INCLUDE";
3508+ case S_MEMORY:
3509+ return "MEMORY";
3510+ case S_MISC:
3511+ return "MISC";
3512+ case S_SQL:
3513+ return "SQL";
3514+ case S_EXECUTOR:
3515+ return "EXECUTOR";
3516+ case S_VARS:
3517+ return "VARS";
3518+ default:
3519+ return "UNKNOWN";
3520+ }
3521+}
3522+
3523+PHPAPI void php_security_log(int loglevel, char *fmt, ...)
3524+{
3525+#if defined(AF_UNIX)
3526+ int s, r, i=0;
3527+ struct sockaddr_un saun;
3528+ char buf[4096+64];
3529+ char error[4096+100];
3530+ char *ip_address;
3531+ char *fname;
3532+ int lineno;
3533+ va_list ap;
3534+ TSRMLS_FETCH();
3535+
3536+ if (EG(hphp_log_use_x_forwarded_for)) {
3537+ ip_address = sapi_getenv("HTTP_X_FORWARDED_FOR", 20 TSRMLS_CC);
3538+ if (ip_address == NULL) {
3539+ ip_address = "X-FORWARDED-FOR not set";
3540+ }
3541+ } else {
3542+ ip_address = sapi_getenv("REMOTE_ADDR", 11 TSRMLS_CC);
3543+ if (ip_address == NULL) {
3544+ ip_address = "REMOTE_ADDR not set";
3545+ }
3546+ }
3547+
3548+
3549+ va_start(ap, fmt);
3550+ ap_php_vsnprintf(error, sizeof(error), fmt, ap);
3551+ va_end(ap);
3552+ while (error[i]) {
3553+ if (error[i] < 32) error[i] = '.';
3554+ i++;
3555+ }
3556+
3557+ if (zend_is_executing(TSRMLS_C)) {
3558+ lineno = zend_get_executed_lineno(TSRMLS_C);
3559+ fname = zend_get_executed_filename(TSRMLS_C);
3560+ ap_php_snprintf(buf, sizeof(buf), "ALERT - %s (attacker '%s', file '%s', line %u)", error, ip_address, fname, lineno);
3561+ } else {
3562+ fname = sapi_getenv("SCRIPT_FILENAME", 15 TSRMLS_CC);
3563+ if (fname==NULL) {
3564+ fname = "unknown";
3565+ }
3566+ ap_php_snprintf(buf, sizeof(buf), "ALERT - %s (attacker '%s', file '%s')", error, ip_address, fname);
3567+ }
3568+
3569+ /* Syslog-Logging disabled? */
3570+ if ((EG(hphp_log_syslog) & loglevel)==0) {
3571+ goto log_sapi;
3572+ }
3573+
3574+ ap_php_snprintf(error, sizeof(error), "<%u>hphp[%u]: %s\n", EG(hphp_log_syslog_facility)|EG(hphp_log_syslog_priority),getpid(),buf);
3575+
3576+ s = socket(AF_UNIX, SOCK_DGRAM, 0);
3577+ if (s == -1) {
3578+ goto log_sapi;
3579+ }
3580+
3581+ memset(&saun, 0, sizeof(saun));
3582+ saun.sun_family = AF_UNIX;
3583+ strcpy(saun.sun_path, SYSLOG_PATH);
3584+ /*saun.sun_len = sizeof(saun);*/
3585+
3586+ r = connect(s, (struct sockaddr *)&saun, sizeof(saun));
3587+ if (r) {
3588+ close(s);
3589+ s = socket(AF_UNIX, SOCK_STREAM, 0);
3590+ if (s == -1) {
3591+ goto log_sapi;
3592+ }
3593+
3594+ memset(&saun, 0, sizeof(saun));
3595+ saun.sun_family = AF_UNIX;
3596+ strcpy(saun.sun_path, SYSLOG_PATH);
3597+ /*saun.sun_len = sizeof(saun);*/
3598+
3599+ r = connect(s, (struct sockaddr *)&saun, sizeof(saun));
3600+ if (r) {
3601+ close(s);
3602+ goto log_sapi;
3603+ }
3604+ }
3605+ send(s, error, strlen(error), 0);
3606+
3607+ close(s);
3608+
3609+log_sapi:
3610+ /* SAPI Logging activated? */
3611+ if ((EG(hphp_log_syslog) & loglevel)!=0) {
3612+ sapi_module.log_message(buf);
3613+ }
3614+
3615+log_script:
3616+ /* script logging activaed? */
3617+ if (((EG(hphp_log_script) & loglevel)!=0) && EG(hphp_log_scriptname)!=NULL) {
3618+ char cmd[8192], *cmdpos, *bufpos;
3619+ FILE *in;
3620+ int space;
3621+
3622+ ap_php_snprintf(cmd, sizeof(cmd), "%s %s \'", EG(hphp_log_scriptname), loglevel2string(loglevel));
3623+ space = sizeof(cmd) - strlen(cmd);
3624+ cmdpos = cmd + strlen(cmd);
3625+ bufpos = buf;
3626+ if (space <= 1) return;
3627+ while (space > 2 && *bufpos) {
3628+ if (*bufpos == '\'') {
3629+ if (space<=5) break;
3630+ *cmdpos++ = '\'';
3631+ *cmdpos++ = '\\';
3632+ *cmdpos++ = '\'';
3633+ *cmdpos++ = '\'';
3634+ bufpos++;
3635+ space-=4;
3636+ } else {
3637+ *cmdpos++ = *bufpos++;
3638+ space--;
3639+ }
3640+ }
3641+ *cmdpos++ = '\'';
3642+ *cmdpos = 0;
3643+
3644+ if ((in=VCWD_POPEN(cmd, "r"))==NULL) {
3645+ php_security_log(S_INTERNAL, "Unable to execute logging shell script: %s", EG(hphp_log_scriptname));
3646+ return;
3647+ }
3648+ /* read and forget the result */
3649+ while (1) {
3650+ int readbytes = fread(cmd, 1, sizeof(cmd), in);
3651+ if (readbytes<=0) {
3652+ break;
3653+ }
3654+ }
3655+ pclose(in);
3656+ }
3657+
3658+#endif
3659+}
3660+#endif
3661+
3662+#if HARDENING_PATCH_MM_PROTECT || HARDENING_PATCH_LL_PROTECT || HARDENING_PATCH_HASH_PROTECT
3663+
3664+/* will be replaced later with more compatible method */
3665+PHPAPI unsigned int php_canary()
3666+{
3667+ time_t t;
3668+ unsigned int canary;
3669+ int fd;
3670+
3671+ fd = open("/dev/urandom", 0);
3672+ if (fd != -1) {
3673+ int r = read(fd, &canary, sizeof(canary));
3674+ close(fd);
3675+ if (r == sizeof(canary)) {
3676+ return (canary);
3677+ }
3678+ }
3679+ /* not good but we never want to do this */
3680+ time(&t);
3681+ canary = *(unsigned int *)&t + getpid() << 16;
3682+ return (canary);
3683+}
3684+#endif
3685+
3686+#if HARDENING_PATCH_INC_PROTECT
3687+
3688+PHPAPI int php_is_valid_include(zval *z)
3689+{
3690+ char *filename;
3691+ int len, i;
3692+ TSRMLS_FETCH();
3693+
3694+ /* must be of type string */
3695+ if (z->type != IS_STRING || z->value.str.val == NULL) {
3696+ return (0);
3697+ }
3698+
3699+ /* short cut */
3700+ filename = z->value.str.val;
3701+ len = z->value.str.len;
3702+
3703+ /* 1. must be shorter than MAXPATHLEN */
3704+ if (len > MAXPATHLEN) {
3705+ char *fname = estrndup(filename, len);
3706+ for (i=0; i < len; i++) if (fname[i] < 32) fname[i]='.';
3707+ php_security_log(S_INCLUDE, "Include filename ('%s') longer than MAXPATHLEN chars", fname);
3708+ efree(fname);
3709+ return (0);
3710+ }
3711+
3712+ /* 2. must not be cutted */
3713+ if (len != strlen(filename)) {
3714+ char *fname = estrndup(filename, len);
3715+ for (i=0; fname[i]; i++) if (fname[i] < 32) fname[i]='.';
3716+ php_security_log(S_INCLUDE, "Include filename truncated by a \\0 after '%s'", fname);
3717+ efree(fname);
3718+ return (0);
3719+ }
3720+
3721+ /* 3. when it is an URL first check black/whitelist if both are empty disallow all URLs */
3722+ if (strstr(filename, "://")) {
3723+ char *fname = estrndup(filename, len);
3724+ for (i=0; i < len; i++) if (fname[i] < 32) fname[i]='.';
3725+
3726+ /* no black or whitelist then disallow all */
3727+ if (HG(include_whitelist)==NULL && HG(include_blacklist)==NULL) {
3728+ php_security_log(S_INCLUDE, "Include filename ('%s') is an URL", fname);
3729+ efree(fname);
3730+ return (0);
3731+ }
3732+
3733+ /* whitelist is stronger than blacklist */
3734+ if (HG(include_whitelist)) {
3735+ char *s, *t, *h, *index;
3736+ uint indexlen;
3737+ ulong numindex;
3738+
3739+ s = filename;
3740+
3741+ do {
3742+ zend_bool isOk = 0;
3743+ int tlen;
3744+
3745+ t = h = strstr(s, "://");
3746+ if (h == NULL) break;
3747+
3748+
3749+ while (t > s && (isalpha(t[-1]) || t[-1]=='_')) {
3750+ t--;
3751+ }
3752+
3753+ tlen = strlen(t);
3754+
3755+ zend_hash_internal_pointer_reset(HG(include_whitelist));
3756+ do {
3757+ int r = zend_hash_get_current_key_ex(HG(include_whitelist), &index, &indexlen, &numindex, 0, NULL);
3758+
3759+ if (r==HASH_KEY_NON_EXISTANT) {
3760+ break;
3761+ }
3762+ if (r==HASH_KEY_IS_STRING) {
3763+ if (h-t <= indexlen-1 && tlen>=indexlen-1) {
3764+ if (strncmp(t, index, indexlen-1)==0) {
3765+ isOk = 1;
3766+ break;
3767+ }
3768+ }
3769+ }
3770+
3771+ zend_hash_move_forward(HG(include_whitelist));
3772+ } while (1);
3773+
3774+ /* not found in whitelist */
3775+ if (!isOk) {
3776+ php_security_log(S_INCLUDE, "Include filename ('%s') is an URL that is not allowed in whitelist", fname);
3777+ efree(fname);
3778+ return 0;
3779+ }
3780+
3781+ s = h + 3;
3782+ } while (1);
3783+ } else {
3784+ /* okay then handle the blacklist */
3785+ char *s, *t, *h, *index;
3786+ uint indexlen;
3787+ ulong numindex;
3788+
3789+ s = filename;
3790+
3791+ do {
3792+ int tlen;
3793+
3794+ t = h = strstr(s, "://");
3795+ if (h == NULL) break;
3796+
3797+
3798+ while (t > s) {
3799+ if (isalpha(t[-1]) || t[-1]=='_') t--;
3800+ }
3801+
3802+ tlen = strlen(t);
3803+
3804+ zend_hash_internal_pointer_reset(HG(include_blacklist));
3805+ do {
3806+ int r = zend_hash_get_current_key_ex(HG(include_blacklist), &index, &indexlen, &numindex, 0, NULL);
3807+
3808+ if (r==HASH_KEY_NON_EXISTANT) {
3809+ break;
3810+ }
3811+ if (r==HASH_KEY_IS_STRING) {
3812+ if (h-t <= indexlen-1 && tlen>=indexlen-1) {
3813+ if (strncmp(t, index, indexlen-1)==0) {
3814+ php_security_log(S_INCLUDE, "Include filename ('%s') is an URL that is forbidden by the blacklist", fname);
3815+ efree(fname);
3816+ return 0;
3817+ }
3818+ }
3819+ }
3820+
3821+ zend_hash_move_forward(HG(include_blacklist));
3822+ } while (1);
3823+
3824+ s = h + 3;
3825+ } while (1);
3826+ }
3827+
3828+ efree(fname);
3829+ }
3830+
3831+ /* 4. must not be an uploaded file */
3832+ if (SG(rfc1867_uploaded_files)) {
3833+ if (zend_hash_exists(SG(rfc1867_uploaded_files), (char *) filename, len+1)) {
3834+ php_security_log(S_INCLUDE, "Include filename is an uploaded file");
3835+ return (0);
3836+ }
3837+ }
3838+
3839+ /* passed all tests */
3840+ return (1);
3841+}
3842+
3843+#endif
3844+
3845+/*
3846+ * Local variables:
3847+ * tab-width: 4
3848+ * c-basic-offset: 4
3849+ * End:
3850+ * vim600: sw=4 ts=4 fdm=marker
3851+ * vim<600: sw=4 ts=4
3852+ */
3853diff -Nura php-5.0.5/main/hardening_patch.h hardening-patch-5.0.5-0.4.3/main/hardening_patch.h
3854--- php-5.0.5/main/hardening_patch.h 1970-01-01 01:00:00.000000000 +0100
3855+++ hardening-patch-5.0.5-0.4.3/main/hardening_patch.h 2005-09-11 23:43:23.000000000 +0200
3856@@ -0,0 +1,46 @@
3857+/*
3858+ +----------------------------------------------------------------------+
3859+ | Hardening Patch for PHP |
3860+ +----------------------------------------------------------------------+
3861+ | Copyright (c) 2004-2005 Stefan Esser |
3862+ +----------------------------------------------------------------------+
3863+ | This source file is subject to version 2.02 of the PHP license, |
3864+ | that is bundled with this package in the file LICENSE, and is |
3865+ | available at through the world-wide-web at |
3866+ | http://www.php.net/license/2_02.txt. |
3867+ | If you did not receive a copy of the PHP license and are unable to |
3868+ | obtain it through the world-wide-web, please send a note to |
3869+ | license@php.net so we can mail you a copy immediately. |
3870+ +----------------------------------------------------------------------+
3871+ | Author: Stefan Esser <sesser@hardened-php.net> |
3872+ +----------------------------------------------------------------------+
3873+ */
3874+
3875+#ifndef HARDENING_PATCH_H
3876+#define HARDENING_PATCH_H
3877+
3878+#include "zend.h"
3879+
3880+#if HARDENING_PATCH
3881+PHPAPI void php_security_log(int loglevel, char *fmt, ...);
3882+PHPAPI void hardened_startup();
3883+#define HARDENING_PATCH_VERSION "0.4.3"
3884+
3885+#endif
3886+
3887+#if HARDENING_PATCH_MM_PROTECT || HARDENING_PATCH_LL_PROTECT || HARDENING_PATCH_HASH_PROTECT
3888+PHPAPI unsigned int php_canary();
3889+#endif
3890+
3891+#if HARDENING_PATCH_INC_PROTECT
3892+PHPAPI int php_is_valid_include(zval *z);
3893+#endif
3894+
3895+#endif /* HARDENING_PATCH_H */
3896+
3897+/*
3898+ * Local variables:
3899+ * tab-width: 4
3900+ * c-basic-offset: 4
3901+ * End:
3902+ */
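Review bot: `hardened_startup()` and `php_canary()` are declared with empty parentheses, which in C is an unprototyped declaration that turns off argument checking at call sites; write them as `PHPAPI void hardened_startup(void);` and `PHPAPI unsigned int php_canary(void);` and match the definitions. `php_security_log` takes a non-const `char *fmt` although every caller in the patch passes a literal, so `PHPAPI void php_security_log(int loglevel, const char *fmt, ...);` documents that the format is never written, and if this tree's php.h provides PHP_ATTRIBUTE_FORMAT the printf-style attribute would let the compiler check the call sites. A two-line header comment saying that alerts are routed to syslog, the SAPI error log and/or an external script according to the hphp.log.* settings would help readers who only ever see this declaration.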
3903diff -Nura php-5.0.5/main/hardening_patch.m4 hardening-patch-5.0.5-0.4.3/main/hardening_patch.m4
3904--- php-5.0.5/main/hardening_patch.m4 1970-01-01 01:00:00.000000000 +0100
3905+++ hardening-patch-5.0.5-0.4.3/main/hardening_patch.m4 2005-09-11 23:30:52.000000000 +0200
3906@@ -0,0 +1,95 @@
3907+dnl
3908+dnl $Id: hardening_patch.m4,v 1.1 2004/11/14 13:24:24 ionic Exp $
3909+dnl
3910+dnl This file contains Hardening Patch for PHP specific autoconf functions.
3911+dnl
3912+
3913+AC_ARG_ENABLE(hardening-patch-mm-protect,
3914+[ --disable-hardening-patch-mm-protect Disable the Memory Manager protection.],[
3915+ DO_HARDENING_PATCH_MM_PROTECT=$enableval
3916+],[
3917+ DO_HARDENING_PATCH_MM_PROTECT=yes
3918+])
3919+
3920+AC_ARG_ENABLE(hardening-patch-ll-protect,
3921+[ --disable-hardening-patch-ll-protect Disable the Linked List protection.],[
3922+ DO_HARDENING_PATCH_LL_PROTECT=$enableval
3923+],[
3924+ DO_HARDENING_PATCH_LL_PROTECT=yes
3925+])
3926+
3927+AC_ARG_ENABLE(hardening-patch-inc-protect,
3928+[ --disable-hardening-patch-inc-protect Disable include/require protection.],[
3929+ DO_HARDENING_PATCH_INC_PROTECT=$enableval
3930+],[
3931+ DO_HARDENING_PATCH_INC_PROTECT=yes
3932+])
3933+
3934+AC_ARG_ENABLE(hardening-patch-fmt-protect,
3935+[ --disable-hardening-patch-fmt-protect Disable format string protection.],[
3936+ DO_HARDENING_PATCH_FMT_PROTECT=$enableval
3937+],[
3938+ DO_HARDENING_PATCH_FMT_PROTECT=yes
3939+])
3940+
3941+AC_ARG_ENABLE(hardening-patch-hash-protect,
3942+[ --disable-hardening-patch-hash-protect Disable HashTable destructor protection.],[
3943+ DO_HARDENING_PATCH_HASH_PROTECT=$enableval
3944+],[
3945+ DO_HARDENING_PATCH_HASH_PROTECT=yes
3946+])
3947+
3948+AC_MSG_CHECKING(whether to protect the Zend Memory Manager)
3949+AC_MSG_RESULT($DO_HARDENING_PATCH_MM_PROTECT)
3950+
3951+AC_MSG_CHECKING(whether to protect the Zend Linked Lists)
3952+AC_MSG_RESULT($DO_HARDENING_PATCH_LL_PROTECT)
3953+
3954+AC_MSG_CHECKING(whether to protect include/require statements)
3955+AC_MSG_RESULT($DO_HARDENING_PATCH_INC_PROTECT)
3956+
3957+AC_MSG_CHECKING(whether to protect PHP Format String functions)
3958+AC_MSG_RESULT($DO_HARDENING_PATCH_FMT_PROTECT)
3959+
3960+AC_MSG_CHECKING(whether to protect the destructor of Zend HashTables)
3961+AC_MSG_RESULT($DO_HARDENING_PATCH_HASH_PROTECT)
3962+
3963+
3964+AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
3965+
3966+
3967+if test "$DO_HARDENING_PATCH_MM_PROTECT" = "yes"; then
3968+dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
3969+ AC_DEFINE(HARDENING_PATCH_MM_PROTECT, 1, [Memory Manager Protection])
3970+else
3971+ AC_DEFINE(HARDENING_PATCH_MM_PROTECT, 0, [Memory Manager Protection])
3972+fi
3973+
3974+if test "$DO_HARDENING_PATCH_LL_PROTECT" = "yes"; then
3975+dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
3976+ AC_DEFINE(HARDENING_PATCH_LL_PROTECT, 1, [Linked List Protection])
3977+else
3978+ AC_DEFINE(HARDENING_PATCH_LL_PROTECT, 0, [Linked List Protection])
3979+fi
3980+
3981+if test "$DO_HARDENING_PATCH_INC_PROTECT" = "yes"; then
3982+dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
3983+ AC_DEFINE(HARDENING_PATCH_INC_PROTECT, 1, [Include/Require Protection])
3984+else
3985+ AC_DEFINE(HARDENING_PATCH_INC_PROTECT, 0, [Include/Require Protection])
3986+fi
3987+
3988+if test "$DO_HARDENING_PATCH_FMT_PROTECT" = "yes"; then
3989+dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
3990+ AC_DEFINE(HARDENING_PATCH_FMT_PROTECT, 1, [Fmt String Protection])
3991+else
3992+ AC_DEFINE(HARDENING_PATCH_FMT_PROTECT, 0, [Fmt String Protection])
3993+fi
3994+
3995+if test "$DO_HARDENING_PATCH_HASH_PROTECT" = "yes"; then
3996+dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
3997+ AC_DEFINE(HARDENING_PATCH_HASH_PROTECT, 1, [HashTable DTOR Protection])
3998+else
3999+ AC_DEFINE(HARDENING_PATCH_HASH_PROTECT, 0, [HashTable DTOR Protection])
4000+fi
4001+
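Review bot: The five `dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])` lines inside the `if` blocks are commented-out leftovers; the symbol is already defined unconditionally a few lines above, so they should be deleted rather than carried along in every block. Each protection is also defined twice with the same description, once per branch, which is apparently why the php_config.h.in hunk later in this patch lists every `#undef HARDENING_PATCH_*_PROTECT` twice; a single `AC_DEFINE_UNQUOTED(HARDENING_PATCH_MM_PROTECT, $hp_mm_protect, [Memory Manager Protection])` fed from a 0/1 shell variable avoids the duplication. A one-line `dnl` note that all five protections default to on, and are only switched off with the --disable options, would make the intent explicit.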
4002diff -Nura php-5.0.5/main/main.c hardening-patch-5.0.5-0.4.3/main/main.c
4003--- php-5.0.5/main/main.c 2005-08-16 20:11:34.000000000 +0200
4004+++ hardening-patch-5.0.5-0.4.3/main/main.c 2005-09-11 23:30:52.000000000 +0200
4005@@ -85,6 +85,10 @@
4006
4007 #include "SAPI.h"
4008 #include "rfc1867.h"
4009+#if HARDENING_PATCH
4010+#include "hardened_globals.h"
4011+#endif
4012+
4013 /* }}} */
4014
4015 #ifndef ZTS
4016@@ -109,10 +113,33 @@
4017 */
4018 static PHP_INI_MH(OnChangeMemoryLimit)
4019 {
4020+#if HARDENING_PATCH
4021+ long orig_memory_limit;
4022+
4023+ if (entry->modified) {
4024+ orig_memory_limit = zend_atoi(entry->orig_value, entry->orig_value_length);
4025+ } else {
4026+ orig_memory_limit = 1<<30;
4027+ }
4028+ if (orig_memory_limit < 0 || orig_memory_limit > (1<<30)) {
4029+ orig_memory_limit = 1<<30;
4030+ }
4031+#endif
4032 if (new_value) {
4033 PG(memory_limit) = zend_atoi(new_value, new_value_length);
4034+#if HARDENING_PATCH
4035+ if (PG(memory_limit) > orig_memory_limit) {
4036+ PG(memory_limit) = orig_memory_limit;
4037+ php_security_log(S_MISC, "script tried to increase memory_limit above allowed value");
4038+ return FAILURE;
4039+ }
4040+#endif
4041 } else {
4042+#if HARDENING_PATCH
4043+ PG(memory_limit) = orig_memory_limit;
4044+#else
4045 PG(memory_limit) = 1<<30; /* effectively, no limit */
4046+#endif
4047 }
4048 return zend_set_memory_limit(PG(memory_limit));
4049 }
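Review bot: The ceiling used to reject a runtime increase is taken from `entry->orig_value` only when `entry->modified` is set and otherwise falls back to 1<<30; if, as in the stock engine, the ini layer records `orig_value` and sets `modified` only after on_modify has returned SUCCESS, the first ini_set('memory_limit', ...) in a request sees the 1 GB fallback and is waved through, and only a second call is capped. When the entry has not been modified yet the value in force is `entry->value`, so that is the ceiling to compare against; the comparison also has to be limited to `stage == ZEND_INI_STAGE_RUNTIME`, because at startup the same handler runs with the compiled-in default in `entry->value` and would otherwise refuse the php.ini setting. Worth confirming against this tree's zend_alter_ini_entry before merging. The rest of OnChangeMemoryLimit is unchanged.
```c
#if HARDENING_PATCH
	long orig_memory_limit;

	if (entry->modified) {
		orig_memory_limit = zend_atoi(entry->orig_value, entry->orig_value_length);
	} else if (entry->value) {
		/* not altered at runtime yet: the value currently in force is the ceiling */
		orig_memory_limit = zend_atoi(entry->value, entry->value_length);
	} else {
		orig_memory_limit = 1<<30;
	}
	if (orig_memory_limit < 0 || orig_memory_limit > (1<<30)) {
		orig_memory_limit = 1<<30;
	}
#endif
	if (new_value) {
		PG(memory_limit) = zend_atoi(new_value, new_value_length);
#if HARDENING_PATCH
		/* only scripts are forbidden to raise the limit; startup/activate stages may set it */
		if (stage == ZEND_INI_STAGE_RUNTIME && PG(memory_limit) > orig_memory_limit) {
			/* … unchanged: reset to ceiling, php_security_log, return FAILURE … */
```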
4050@@ -1322,6 +1349,10 @@
4051 tsrm_ls = ts_resource(0);
4052 #endif
4053
4054+#if HARDENING_PATCH
4055+ hardened_startup();
4056+#endif
4057+
4058 module_shutdown = 0;
4059 module_startup = 1;
4060 sapi_initialize_empty_request(TSRMLS_C);
4061@@ -1335,6 +1366,12 @@
4062
4063 php_output_startup();
4064
4065+#if HARDENING_PATCH_INC_PROTECT
4066+ zuf.is_valid_include = php_is_valid_include;
4067+#endif
4068+#if HARDENING_PATCH
4069+ zuf.security_log_function = php_security_log;
4070+#endif
4071 zuf.error_function = php_error_cb;
4072 zuf.printf_function = php_printf;
4073 zuf.write_function = php_body_write_wrapper;
4074@@ -1438,6 +1475,10 @@
4075 REGISTER_MAIN_STRINGL_CONSTANT("PHP_CONFIG_FILE_PATH", PHP_CONFIG_FILE_PATH, sizeof(PHP_CONFIG_FILE_PATH)-1, CONST_PERSISTENT | CONST_CS);
4076 REGISTER_MAIN_STRINGL_CONSTANT("PHP_CONFIG_FILE_SCAN_DIR", PHP_CONFIG_FILE_SCAN_DIR, sizeof(PHP_CONFIG_FILE_SCAN_DIR)-1, CONST_PERSISTENT | CONST_CS);
4077 REGISTER_MAIN_STRINGL_CONSTANT("PHP_SHLIB_SUFFIX", PHP_SHLIB_SUFFIX, sizeof(PHP_SHLIB_SUFFIX)-1, CONST_PERSISTENT | CONST_CS);
4078+#if HARDENING_PATCH
4079+ REGISTER_MAIN_LONG_CONSTANT("HARDENING_PATCH", 1, CONST_PERSISTENT | CONST_CS);
4080+ REGISTER_MAIN_STRINGL_CONSTANT("HARDENING_PATCH_VERSION", HARDENING_PATCH_VERSION, sizeof(HARDENING_PATCH_VERSION)-1, CONST_PERSISTENT | CONST_CS);
4081+#endif
4082 REGISTER_MAIN_STRINGL_CONSTANT("PHP_EOL", PHP_EOL, sizeof(PHP_EOL)-1, CONST_PERSISTENT | CONST_CS);
4083 REGISTER_MAIN_LONG_CONSTANT("PHP_INT_MAX", LONG_MAX, CONST_PERSISTENT | CONST_CS);
4084 REGISTER_MAIN_LONG_CONSTANT("PHP_INT_SIZE", sizeof(long), CONST_PERSISTENT | CONST_CS);
4085diff -Nura php-5.0.5/main/php_config.h.in hardening-patch-5.0.5-0.4.3/main/php_config.h.in
4086--- php-5.0.5/main/php_config.h.in 2005-09-05 13:16:27.000000000 +0200
4087+++ hardening-patch-5.0.5-0.4.3/main/php_config.h.in 2005-09-11 23:30:52.000000000 +0200
4088@@ -752,6 +752,39 @@
4089 /* Enabling BIND8 compatibility for Panther */
4090 #undef BIND_8_COMPAT
4091
4092+/* Hardening-Patch for PHP */
4093+#undef HARDENING_PATCH
4094+
4095+/* Memory Manager Protection */
4096+#undef HARDENING_PATCH_MM_PROTECT
4097+
4098+/* Memory Manager Protection */
4099+#undef HARDENING_PATCH_MM_PROTECT
4100+
4101+/* Linked List Protection */
4102+#undef HARDENING_PATCH_LL_PROTECT
4103+
4104+/* Linked List Protection */
4105+#undef HARDENING_PATCH_LL_PROTECT
4106+
4107+/* Include/Require Protection */
4108+#undef HARDENING_PATCH_INC_PROTECT
4109+
4110+/* Include/Require Protection */
4111+#undef HARDENING_PATCH_INC_PROTECT
4112+
4113+/* Fmt String Protection */
4114+#undef HARDENING_PATCH_FMT_PROTECT
4115+
4116+/* Fmt String Protection */
4117+#undef HARDENING_PATCH_FMT_PROTECT
4118+
4119+/* HashTable DTOR Protection */
4120+#undef HARDENING_PATCH_HASH_PROTECT
4121+
4122+/* HashTable DTOR Protection */
4123+#undef HARDENING_PATCH_HASH_PROTECT
4124+
4125 /* Whether you have AOLserver */
4126 #undef HAVE_AOLSERVER
4127
4128@@ -1083,6 +1116,12 @@
4129 /* Define if you have the getaddrinfo function */
4130 #undef HAVE_GETADDRINFO
4131
4132+/* Whether realpath is broken */
4133+#undef PHP_BROKEN_REALPATH
4134+
4135+/* Whether realpath is broken */
4136+#undef PHP_BROKEN_REALPATH
4137+
4138 /* Whether system headers declare timezone */
4139 #undef HAVE_DECLARED_TIMEZONE
4140
4141diff -Nura php-5.0.5/main/php.h hardening-patch-5.0.5-0.4.3/main/php.h
4142--- php-5.0.5/main/php.h 2005-06-29 08:41:15.000000000 +0200
4143+++ hardening-patch-5.0.5-0.4.3/main/php.h 2005-09-11 23:30:52.000000000 +0200
4144@@ -35,11 +35,19 @@
4145 #include "zend_qsort.h"
4146 #include "php_compat.h"
4147
4148+
4149 #include "zend_API.h"
4150
4151 #undef sprintf
4152 #define sprintf php_sprintf
4153
4154+#if HARDENING_PATCH
4155+#if HAVE_REALPATH
4156+#undef realpath
4157+#define realpath php_realpath
4158+#endif
4159+#endif
4160+
4161 /* PHP's DEBUG value must match Zend's ZEND_DEBUG value */
4162 #undef PHP_DEBUG
4163 #define PHP_DEBUG ZEND_DEBUG
4164@@ -330,6 +338,7 @@
4165 #define PHP_FUNCTION ZEND_FUNCTION
4166 #define PHP_METHOD ZEND_METHOD
4167
4168+#define PHP_STATIC_FE ZEND_STATIC_FE
4169 #define PHP_NAMED_FE ZEND_NAMED_FE
4170 #define PHP_FE ZEND_FE
4171 #define PHP_FALIAS ZEND_FALIAS
4172@@ -435,6 +444,10 @@
4173 #endif
4174 #endif /* !XtOffsetOf */
4175
4176+#if HARDENING_PATCH
4177+#include "hardening_patch.h"
4178+#endif
4179+
4180 #endif
4181
4182 /*
4183diff -Nura php-5.0.5/main/php_variables.c hardening-patch-5.0.5-0.4.3/main/php_variables.c
4184--- php-5.0.5/main/php_variables.c 2005-09-01 21:15:51.000000000 +0200
4185+++ hardening-patch-5.0.5-0.4.3/main/php_variables.c 2005-09-11 23:30:52.000000000 +0200
4186@@ -514,7 +514,7 @@
4187 */
4188 static inline void php_register_server_variables(TSRMLS_D)
4189 {
4190- zval *array_ptr=NULL;
4191+ zval *array_ptr=NULL, *vptr;
4192 /* turn off magic_quotes while importing server variables */
4193 int magic_quotes_gpc = PG(magic_quotes_gpc);
4194
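Review bot: `vptr` is declared as `zval *` here, but in the next hunk it receives the result of `zend_hash_find`, which hands back the address of the stored element; $_SERVER's table holds `zval *` entries like the other symbol tables, so what lands in `vptr` is really a `zval **`, and `vptr->type` and `vptr->value.str.val` then read bucket memory instead of the zval. Declare it as `zval *array_ptr=NULL, **vptr;` and dereference once in the next hunk: `if ((*vptr)->type != IS_STRING)` and `str = (*vptr)->value.str.val;`. The logged value is attacker-controlled; php_security_log's own control-character scrubbing is what keeps it out of the log untouched, and that dependency deserves a one-line comment at the call. php_register_server_variables continues outside both hunks.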
4195@@ -530,6 +530,16 @@
4196 /* Server variables */
4197 if (sapi_module.register_server_variables) {
4198 sapi_module.register_server_variables(array_ptr TSRMLS_CC);
4199+ if (zend_hash_find(array_ptr->value.ht, "HTTP_RAW_POST_DATA", sizeof("HTTP_RAW_POST_DATA"), (void **)&vptr)==SUCCESS) {
4200+ char *str;
4201+ if (vptr->type != IS_STRING) {
4202+ str = "Array";
4203+ } else {
4204+ str = vptr->value.str.val;
4205+ }
4206+ php_security_log(S_VARS, "Attacker tried to overwrite HTTP_RAW_POST_DATA with '%s' through a HTTP header", str);
4207+ zend_hash_del(array_ptr->value.ht, "HTTP_RAW_POST_DATA", sizeof("HTTP_RAW_POST_DATA"));
4208+ }
4209 }
4210
4211 /* PHP Authentication support */
4212diff -Nura php-5.0.5/main/rfc1867.c hardening-patch-5.0.5-0.4.3/main/rfc1867.c
4213--- php-5.0.5/main/rfc1867.c 2005-07-13 22:51:12.000000000 +0200
4214+++ hardening-patch-5.0.5-0.4.3/main/rfc1867.c 2005-09-11 23:58:14.000000000 +0200
4215@@ -132,6 +132,7 @@
4216 #define UPLOAD_ERROR_D 4 /* No file uploaded */
4217 #define UPLOAD_ERROR_E 6 /* Missing /tmp or similar directory */
4218 #define UPLOAD_ERROR_F 7 /* Failed to write file to disk */
4219+#define UPLOAD_ERROR_X 32 /* Filter forbids fileupload */
4220
4221 void php_rfc1867_register_constants(TSRMLS_D)
4222 {
4223@@ -142,6 +143,7 @@
4224 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_FILE", UPLOAD_ERROR_D, CONST_CS | CONST_PERSISTENT);
4225 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_TMP_DIR", UPLOAD_ERROR_E, CONST_CS | CONST_PERSISTENT);
4226 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_CANT_WRITE", UPLOAD_ERROR_F, CONST_CS | CONST_PERSISTENT);
4227+ REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_FILTER", UPLOAD_ERROR_X, CONST_CS | CONST_PERSISTENT);
4228 }
4229
4230 static void normalize_protected_variable(char *varname TSRMLS_DC)
4231@@ -854,6 +856,7 @@
4232 char buff[FILLUNIT];
4233 char *cd=NULL,*param=NULL,*filename=NULL, *tmp=NULL;
4234 int blen=0, wlen=0;
4235+ unsigned long offset;
4236
4237 zend_llist_clean(&header);
4238
4239@@ -970,7 +973,11 @@
4240 tmp++;
4241 }
4242 }
4243-
4244+
4245+ if (sapi_module.upload_varname_filter && sapi_module.upload_varname_filter(param TSRMLS_CC)==FAILURE) {
4246+ skip_upload = 1;
4247+ }
4248+
4249 total_bytes = cancel_upload = 0;
4250
4251 if (!skip_upload) {
4252@@ -994,6 +1001,11 @@
4253 cancel_upload = UPLOAD_ERROR_D;
4254 }
4255
4256+ if (sapi_module.pre_upload_filter && sapi_module.pre_upload_filter(param, filename TSRMLS_CC)==FAILURE) {
4257+ cancel_upload = UPLOAD_ERROR_X;
4258+ }
4259+
4260+ offset = 0;
4261 end = 0;
4262 while (!cancel_upload && (blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end TSRMLS_CC)))
4263 {
4264@@ -1008,6 +1020,10 @@
4265 #endif
4266 cancel_upload = UPLOAD_ERROR_B;
4267 } else if (blen > 0) {
4268+ if (sapi_module.upload_content_filter && sapi_module.upload_content_filter(offset, buff, blen, &blen TSRMLS_CC)==FAILURE) {
4269+ cancel_upload = UPLOAD_ERROR_X;
4270+ }
4271+
4272 wlen = write(fd, buff, blen);
4273
4274 if (wlen < blen) {
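Review bot: `offset` is handed to `upload_content_filter` for every chunk, but within the visible hunks it is only ever set to 0 (previous hunk, `offset = 0;`) and never advanced, so unless the loop body outside these hunks updates it the filter sees every buffer at offset 0 and cannot reason about position in the file. Advance it once the chunk is consumed, e.g. `offset += blen;` directly after the filter call, using the pre-filter length if the filter is allowed to rewrite `blen`. Separately, `blen` is an `int` while the callback takes `unsigned int *new_buffer_len`, so `&blen` is an incompatible pointer type; passing a dedicated `unsigned int` local and copying it back keeps the types honest. The enclosing function starts and ends outside these hunks.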
4275@@ -1036,6 +1052,10 @@
4276 }
4277 #endif
4278
4279+ if (!cancel_upload && sapi_module.post_upload_filter && sapi_module.post_upload_filter(temp_filename TSRMLS_CC)==FAILURE) {
4280+ cancel_upload = UPLOAD_ERROR_X;
4281+ }
4282+
4283 if (cancel_upload) {
4284 if (temp_filename) {
4285 if (cancel_upload != UPLOAD_ERROR_E) { /* file creation failed */
4286diff -Nura php-5.0.5/main/SAPI.c hardening-patch-5.0.5-0.4.3/main/SAPI.c
4287--- php-5.0.5/main/SAPI.c 2005-02-22 15:46:15.000000000 +0100
4288+++ hardening-patch-5.0.5-0.4.3/main/SAPI.c 2005-09-12 00:00:07.000000000 +0200
4289@@ -821,6 +821,36 @@
4290 zend_hash_del(&known_post_content_types, post_entry->content_type, post_entry->content_type_len+1);
4291 }
4292
4293+SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC))
4294+{
4295+ sapi_module.input_filter = input_filter;
4296+ return SUCCESS;
4297+}
4298+
4299+SAPI_API int sapi_register_upload_varname_filter(unsigned int (*upload_varname_filter)(char *varname TSRMLS_DC))
4300+{
4301+ sapi_module.upload_varname_filter = upload_varname_filter;
4302+ return SUCCESS;
4303+}
4304+
4305+SAPI_API int sapi_register_pre_upload_filter(unsigned int (*pre_upload_filter)(char *varname, char *filename TSRMLS_DC))
4306+{
4307+ sapi_module.pre_upload_filter = pre_upload_filter;
4308+ return SUCCESS;
4309+}
4310+
4311+SAPI_API int sapi_register_upload_content_filter(unsigned int (*upload_content_filter)(unsigned long offset, char *buffer, unsigned int buffer_len, unsigned int *new_buffer_len TSRMLS_DC))
4312+{
4313+ sapi_module.upload_content_filter = upload_content_filter;
4314+ return SUCCESS;
4315+}
4316+
4317+SAPI_API int sapi_register_post_upload_filter(unsigned int (*post_upload_filter)(char *tmpfilename TSRMLS_DC))
4318+{
4319+ sapi_module.post_upload_filter = post_upload_filter;
4320+ return SUCCESS;
4321+}
4322+
4323
4324 SAPI_API int sapi_register_default_post_reader(void (*default_post_reader)(TSRMLS_D))
4325 {
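Review bot: `sapi_register_input_filter` is removed at its original position in the following hunk and re-added byte-for-byte above the new registrars here, so the diff presents an unchanged function as a change and will conflict with any upstream edit to it. Leave it where it was and append the four upload-filter registrars after it. Since they are one-line setters that always return SUCCESS, a single comment above the group, `/* upload filter hooks; signatures in SAPI_*_UPLOAD_FILTER_FUNC, SAPI.h */`, is enough documentation.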
4326@@ -835,11 +865,6 @@
4327 return SUCCESS;
4328 }
4329
4330-SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC))
4331-{
4332- sapi_module.input_filter = input_filter;
4333- return SUCCESS;
4334-}
4335
4336 SAPI_API int sapi_flush(TSRMLS_D)
4337 {
4338diff -Nura php-5.0.5/main/SAPI.h hardening-patch-5.0.5-0.4.3/main/SAPI.h
4339--- php-5.0.5/main/SAPI.h 2004-01-08 18:33:04.000000000 +0100
4340+++ hardening-patch-5.0.5-0.4.3/main/SAPI.h 2005-09-12 00:29:07.000000000 +0200
4341@@ -103,9 +103,10 @@
4342 char *current_user;
4343 int current_user_length;
4344
4345- /* this is necessary for CLI module */
4346- int argc;
4347- char **argv;
4348+ /* this is necessary for CLI module */
4349+ int argc;
4350+ char **argv;
4351+
4352 } sapi_request_info;
4353
4354
4355@@ -183,6 +184,10 @@
4356 SAPI_API int sapi_register_treat_data(void (*treat_data)(int arg, char *str, zval *destArray TSRMLS_DC));
4357 SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC));
4358
4359+SAPI_API int sapi_register_pre_upload_filter(unsigned int (*pre_upload_filter)(char *varname, char *filename TSRMLS_DC));
4360+SAPI_API int sapi_register_upload_content_filter(unsigned int (*upload_content_filter)(unsigned long offset, char *buffer, unsigned int buffer_len, unsigned int *new_buffer_len TSRMLS_DC));
4361+SAPI_API int sapi_register_post_upload_filter(unsigned int (*post_upload_filter)(char *tmpfilename TSRMLS_DC));
4362+
4363 SAPI_API int sapi_flush(TSRMLS_D);
4364 SAPI_API struct stat *sapi_get_stat(TSRMLS_D);
4365 SAPI_API char *sapi_getenv(char *name, size_t name_len TSRMLS_DC);
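Review bot: SAPI.c defines `sapi_register_upload_varname_filter` next to the other new registrars, but this hunk adds prototypes only for the pre-, content- and post-upload registrars, so the varname one is exported without a declaration and any caller in another translation unit gets an implicit declaration. Add `SAPI_API int sapi_register_upload_varname_filter(unsigned int (*upload_varname_filter)(char *varname TSRMLS_DC));` alongside the three new prototypes.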
4366@@ -245,6 +250,11 @@
4367 int (*get_target_gid)(gid_t * TSRMLS_DC);
4368
4369 unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC);
4370+
4371+ unsigned int (*upload_varname_filter)(char *varname TSRMLS_DC);
4372+ unsigned int (*pre_upload_filter)(char *varname, char *filename TSRMLS_DC);
4373+ unsigned int (*upload_content_filter)(unsigned long offset, char *buffer, unsigned int buffer_len, unsigned int *new_buffer_len TSRMLS_DC);
4374+ unsigned int (*post_upload_filter)(char *tmpfilename TSRMLS_DC);
4375
4376 void (*ini_defaults)(HashTable *configuration_hash);
4377 int phpinfo_as_text;
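Review bot: The four callbacks are inserted in the middle of sapi_module_struct, between `input_filter` and `ini_defaults`, which shifts every trailing member; SAPI modules in this tree initialise the struct positionally and fill the tail with STANDARD_SAPI_MODULE_PROPERTIES (if that macro is still a fixed list of NULLs here, which this hunk does not show), so unless the patch updates that macro existing SAPI definitions will initialise the wrong members. Either extend the macro by four `NULL` entries in the same patch, or append the new members at the end of the struct so that existing initialisers stay valid. A comment on the new members, `/* upload filter hooks: keep STANDARD_SAPI_MODULE_PROPERTIES in sync */`, makes the coupling visible.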
4378@@ -270,7 +280,11 @@
4379
4380 #define SAPI_DEFAULT_MIMETYPE "text/html"
4381 #define SAPI_DEFAULT_CHARSET ""
4382+#if HARDENING_PATCH
4383+#define SAPI_PHP_VERSION_HEADER "X-Powered-By: PHP/" PHP_VERSION " with Hardening-Patch"
4384+#else
4385 #define SAPI_PHP_VERSION_HEADER "X-Powered-By: PHP/" PHP_VERSION
4386+#endif
4387
4388 #define SAPI_POST_READER_FUNC(post_reader) void post_reader(TSRMLS_D)
4389 #define SAPI_POST_HANDLER_FUNC(post_handler) void post_handler(char *content_type_dup, void *arg TSRMLS_DC)
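Review bot: The new SAPI_PHP_VERSION_HEADER appends " with Hardening-Patch" to the X-Powered-By value, which announces to every client that this protection is installed and makes patched hosts trivially fingerprintable, whereas the stock string reveals only the PHP version. If the banner is wanted for diagnostics, gate it on its own ini switch rather than tying it to the version header, and note next to the define that the header is only sent while expose_php is on (if that is how this tree emits X-Powered-By), e.g. `/* appended to X-Powered-By; suppressed together with it by expose_php=Off */`.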
4390@@ -278,6 +292,11 @@
4391 #define SAPI_TREAT_DATA_FUNC(treat_data) void treat_data(int arg, char *str, zval* destArray TSRMLS_DC)
4392 #define SAPI_INPUT_FILTER_FUNC(input_filter) unsigned int input_filter(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC)
4393
4394+#define SAPI_UPLOAD_VARNAME_FILTER_FUNC(upload_varname_filter) unsigned int upload_varname_filter(char *varname TSRMLS_DC)
4395+#define SAPI_PRE_UPLOAD_FILTER_FUNC(pre_upload_filter) unsigned int pre_upload_filter(char *varname, char *filename TSRMLS_DC)
4396+#define SAPI_UPLOAD_CONTENT_FILTER_FUNC(upload_content_filter) unsigned int upload_content_filter(unsigned long offset, char *buffer, unsigned int buffer_len, unsigned int *new_buffer_len TSRMLS_DC)
4397+#define SAPI_POST_UPLOAD_FILTER_FUNC(post_upload_filter) unsigned int post_upload_filter(char *tmpfilename TSRMLS_DC)
4398+
4399 BEGIN_EXTERN_C()
4400 SAPI_API SAPI_POST_READER_FUNC(sapi_read_standard_form_data);
4401 SAPI_API SAPI_POST_READER_FUNC(php_default_post_reader);
4402diff -Nura php-5.0.5/main/snprintf.c hardening-patch-5.0.5-0.4.3/main/snprintf.c
4403--- php-5.0.5/main/snprintf.c 2004-11-16 00:14:40.000000000 +0100
4404+++ hardening-patch-5.0.5-0.4.3/main/snprintf.c 2005-09-11 23:30:52.000000000 +0200
4405@@ -1013,7 +1013,11 @@
4406
4407
4408 case 'n':
4409+#if HARDENING_PATCH_FMT_PROTECT
4410+ php_security_log(S_MISC, "'n' specifier within format string");
4411+#else
4412 *(va_arg(ap, int *)) = cc;
4413+#endif
4414 break;
4415
4416 /*
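Review bot: Under HARDENING_PATCH_FMT_PROTECT the `'n'` case logs and breaks without pulling the `int *` argument from `ap`, so any specifiers after a `%n` in the same format string consume the wrong arguments; the spprintf.c hunk below has the same shape. Keeping the va_list in step while still refusing the write costs one line before the `break`: `(void) va_arg(ap, int *); /* consume, never store */`. A comment here should also record that php_security_log appears to format through these same routines, so its own format strings must never contain `%n` or the alert would recurse. The enclosing function starts and ends outside the hunk.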
4417diff -Nura php-5.0.5/main/spprintf.c hardening-patch-5.0.5-0.4.3/main/spprintf.c
4418--- php-5.0.5/main/spprintf.c 2004-04-16 01:04:49.000000000 +0200
4419+++ hardening-patch-5.0.5-0.4.3/main/spprintf.c 2005-09-11 23:30:52.000000000 +0200
4420@@ -630,7 +630,11 @@
4421
4422
4423 case 'n':
4424+#if HARDENING_PATCH_FMT_PROTECT
4425+ php_security_log(S_MISC, "'n' specifier within format string");
4426+#else
4427 *(va_arg(ap, int *)) = xbuf->len;
4428+#endif
4429 break;
4430
4431 /*
4432diff -Nura php-5.0.5/php.ini-dist hardening-patch-5.0.5-0.4.3/php.ini-dist
4433--- php-5.0.5/php.ini-dist 2005-05-05 14:33:56.000000000 +0200
4434+++ hardening-patch-5.0.5-0.4.3/php.ini-dist 2005-09-12 23:47:08.000000000 +0200
4435@@ -1197,6 +1197,197 @@
4436 ; instead of original one.
4437 soap.wsdl_cache_ttl=86400
4438
4439+[hardening-patch]
4440+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4441+; Hardening-Patch's logging ;
4442+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4443+
4444+;
4445+; hphp.log.syslog - Configures level for alerts reported through syslog
4446+; hphp.log.sapi - Configures level for alerts reported through SAPI errorlog
4447+; hphp.log.script - Configures level for alerts reported through external script
4448+;
4449+; hphp.log.syslog, hphp.log.sapi, hphp.log.script are bit-fields.
4450+; Or each number up to get desired Hardening-Patch's reporting level
4451+;
4452+; S_ALL - All alerts
4453+; S_MEMORY - All canary violations and the safe unlink protection use this class
4454+; S_VARS - All variable filters trigger this class
4455+; S_FILES - All violation of uploaded files filter use this class
4456+; S_INCLUDE - The protection against malicious include filenames use this class
4457+; S_SQL - Failed SQL queries in MySQL are logged with this class
4458+; S_EXECUTOR - The execution depth protection uses this logging class
4459+; S_MISC - All other log messages (f.e. format string protection) use this class
4460+;
4461+; Example:
4462+;
4463+; - Report all alerts (except memory alerts) to the SAPI errorlog,
4464+; memory alerts through syslog and SQL+Include alerts fo the script
4465+;
4466+;hphp.log.syslog = S_MEMORY
4467+;hphp.log.sapi = S_ALL & ~S_MEMORY
4468+;hphp.log.script = S_INCLUDE | S_SQL
4469+;
4470+; Syslog logging:
4471+;
4472+; - Facility configuration: one of the following facilities
4473+;
4474+; LOG_KERN, LOG_USER, LOG_MAIL, LOG_DAEMON
4475+; LOG_AUTH, LOG_SYSLOG, LOG_LPR, LOG_NEWS
4476+; LOG_UUCP, LOG_CRON, LOG_AUTHPRIV, LOG_LOCAL0
4477+; LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4
4478+; LOG_LOCAL5, LOG_LOCAL6, LOG_LOCAL7, LOG_PID
4479+; LOG_CONS, LOG_ODELAY, LOG_NDELAY, LOG_NOWAIT
4480+; LOG_PERROR
4481+;
4482+; - Priority configuration: one of the followinf priorities
4483+;
4484+; LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_WARNING
4485+; LOG_NOTICE, LOG_INFO, LOG_DEBUG, LOG_ERR
4486+;
4487+hphp.log.syslog.priority = LOG_ALERT
4488+hphp.log.syslog.facility = LOG_USER
4489+;
4490+; Script logging:
4491+;
4492+;hphp.log.script.name = /home/hphp/log_script
4493+;
4494+; Alert configuration:
4495+;
4496+; - Logged IP addresses from X-Forwarded-For instead of REMOTE_ADDR
4497+;
4498+;hphp.log.use-x-forwarded-for = On
4499+;
4500+
4501+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4502+; Hardening-Patch's Executor options ;
4503+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4504+
4505+; Execution depth limit
4506+;hphp.executor.max_depth = 8000
4507+
4508+; White-/blacklist for function calls during normal execution
4509+;hphp.executor.func.whitelist = ord,chr
4510+;hphp.executor.func.blacklist = system,shell_exec,popen,proc_open,exec,passthru
4511+
4512+; White-/blacklist for function calls during eval() execution
4513+;hphp.executor.eval.whitelist = ord,chr
4514+;hphp.executor.eval.blacklist = system,shell_exec,popen,proc_open,exec,passthru
4515+
4516+; White-/blacklist for URLs allowes in include filenames
4517+;
4518+; - When both options are not set all URLs are forbidden
4519+;
4520+; - When both options are set whitelist is taken and blacklist ignored
4521+;
4522+; - An entry in the lists is either a URL sheme like: http, https
4523+; or the beginning of an URL like: php://input
4524+;
4525+;hphp.executor.include.whitelist = cookietest
4526+;hphp.executor.include.blacklist = http, https, ftp, ftps, php://input, file
4527+
4528+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4529+; Hardening-Patch's REQUEST variable filters ;
4530+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4531+
4532+; Limits the number of REQUEST variables
4533+hphp.request.max_vars = 200
4534+
4535+; Limits the length of variable names (without indices)
4536+hphp.request.max_varname_length = 64
4537+
4538+; Limits the length of complete variable names (with indices)
4539+hphp.request.max_totalname_length = 256
4540+
4541+; Limits the length of array indices
4542+hphp.request.max_array_index_length = 64
4543+
4544+; Limits the depth of arrays
4545+hphp.request.max_array_depth = 100
4546+
4547+; Limits the length of variable values
4548+hphp.request.max_value_length = 65000
4549+
4550+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4551+; Hardening-Patch's COOKIE variable filters ;
4552+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4553+
4554+; Limits the number of COOKIE variables
4555+hphp.cookie.max_vars = 100
4556+
4557+; Limits the length of variable names (without indices)
4558+hphp.cookie.max_name_length = 64
4559+
4560+; Limits the length of complete variable names (with indices)
4561+hphp.cookie.max_totalname_length = 256
4562+
4563+; Limits the length of array indices
4564+hphp.cookie.max_array_index_length = 64
4565+
4566+; Limits the depth of arrays
4567+hphp.cookie.max_array_depth = 100
4568+
4569+; Limits the length of variable values
4570+hphp.cookie.max_value_length = 10000
4571+
4572+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4573+; Hardening-Patch's GET variable filters ;
4574+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4575+
4576+; Limits the number of COOKIE variables
4577+hphp.get.max_vars = 100
4578+
4579+; Limits the length of variable names (without indices)
4580+hphp.get.max_name_length = 64
4581+
4582+; Limits the length of complete variable names (with indices)
4583+hphp.get.max_totalname_length = 256
4584+
4585+; Limits the length of array indices
4586+hphp.get.max_array_index_length = 64
4587+
4588+; Limits the depth of arrays
4589+hphp.get.max_array_depth = 50
4590+
4591+; Limits the length of variable values
4592+hphp.get.max_value_length = 512
4593+
4594+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4595+; Hardening-Patch's POST variable filters ;
4596+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4597+
4598+; Limits the number of POST variables
4599+hphp.post.max_vars = 200
4600+
4601+; Limits the length of variable names (without indices)
4602+hphp.post.max_name_length = 64
4603+
4604+; Limits the length of complete variable names (with indices)
4605+hphp.post.max_totalname_length = 256
4606+
4607+; Limits the length of array indices
4608+hphp.post.max_array_index_length = 64
4609+
4610+; Limits the depth of arrays
4611+hphp.post.max_array_depth = 100
4612+
4613+; Limits the length of variable values
4614+hphp.post.max_value_length = 65000
4615+
4616+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4617+; Hardening-Patch's fileupload variable filters ;
4618+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4619+
4620+; Limits the number of uploadable files
4621+hphp.upload.max_uploads = 25
4622+
4623+; Filter out the upload of ELF executables
4624+hphp.upload.disallow_elf_files = On
4625+
4626+; External filterscript for upload verification
4627+;hphp.upload.verification_script = /home/hphp/verify_script
4628+
4629+
4630 ; Local Variables:
4631 ; tab-width: 4
4632 ; End:
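Review bot: The GET filter block is headed `; Limits the number of COOKIE variables` above `hphp.get.max_vars = 100`, a copy-paste slip that will mislead anyone tuning the limits; it should read `; Limits the number of GET variables`. The commentary also carries several typos (`fo the script`, `followinf`, `allowes`, `sheme`). `hphp.log.use-x-forwarded-for` deserves a line saying that X-Forwarded-For is supplied by the client and is only trustworthy when a reverse proxy in front of PHP sets it, otherwise alert records carry an address the requester chose. The php.ini-recommended hunk repeats all of this verbatim.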
4633diff -Nura php-5.0.5/php.ini-recommended hardening-patch-5.0.5-0.4.3/php.ini-recommended
4634--- php-5.0.5/php.ini-recommended 2005-05-05 14:33:56.000000000 +0200
4635+++ hardening-patch-5.0.5-0.4.3/php.ini-recommended 2005-09-12 23:53:06.000000000 +0200
4636@@ -1255,6 +1255,196 @@
4637 ; instead of original one.
4638 soap.wsdl_cache_ttl=86400
4639
4640+[hardening-patch]
4641+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4642+; Hardening-Patch's logging ;
4643+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4644+
4645+;
4646+; hphp.log.syslog - Configures level for alerts reported through syslog
4647+; hphp.log.sapi - Configures level for alerts reported through SAPI errorlog
4648+; hphp.log.script - Configures level for alerts reported through external script
4649+;
4650+; hphp.log.syslog, hphp.log.sapi, hphp.log.script are bit-fields.
4651+; Or each number up to get desired Hardening-Patch's reporting level
4652+;
4653+; S_ALL - All alerts
4654+; S_MEMORY - All canary violations and the safe unlink protection use this class
4655+; S_VARS - All variable filters trigger this class
4656+; S_FILES - All violation of uploaded files filter use this class
4657+; S_INCLUDE - The protection against malicious include filenames use this class
4658+; S_SQL - Failed SQL queries in MySQL are logged with this class
4659+; S_EXECUTOR - The execution depth protection uses this logging class
4660+; S_MISC - All other log messages (f.e. format string protection) use this class
4661+;
4662+; Example:
4663+;
4664+; - Report all alerts (except memory alerts) to the SAPI errorlog,
4665+; memory alerts through syslog and SQL+Include alerts fo the script
4666+;
4667+;hphp.log.syslog = S_MEMORY
4668+;hphp.log.sapi = S_ALL & ~S_MEMORY
4669+;hphp.log.script = S_INCLUDE | S_SQL
4670+;
4671+; Syslog logging:
4672+;
4673+; - Facility configuration: one of the following facilities
4674+;
4675+; LOG_KERN, LOG_USER, LOG_MAIL, LOG_DAEMON
4676+; LOG_AUTH, LOG_SYSLOG, LOG_LPR, LOG_NEWS
4677+; LOG_UUCP, LOG_CRON, LOG_AUTHPRIV, LOG_LOCAL0
4678+; LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4
4679+; LOG_LOCAL5, LOG_LOCAL6, LOG_LOCAL7, LOG_PID
4680+; LOG_CONS, LOG_ODELAY, LOG_NDELAY, LOG_NOWAIT
4681+; LOG_PERROR
4682+;
4683+; - Priority configuration: one of the followinf priorities
4684+;
4685+; LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_WARNING
4686+; LOG_NOTICE, LOG_INFO, LOG_DEBUG, LOG_ERR
4687+;
4688+hphp.log.syslog.priority = LOG_ALERT
4689+hphp.log.syslog.facility = LOG_USER
4690+;
4691+; Script logging:
4692+;
4693+;hphp.log.script.name = /home/hphp/log_script
4694+;
4695+; Alert configuration:
4696+;
4697+; - Logged IP addresses from X-Forwarded-For instead of REMOTE_ADDR
4698+;
4699+;hphp.log.use-x-forwarded-for = On
4700+;
4701+
4702+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4703+; Hardening-Patch's Executor options ;
4704+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4705+
4706+; Execution depth limit
4707+;hphp.executor.max_depth = 8000
4708+
4709+; White-/blacklist for function calls during normal execution
4710+;hphp.executor.func.whitelist = ord,chr
4711+;hphp.executor.func.blacklist = system,shell_exec,popen,proc_open,exec,passthru
4712+
4713+; White-/blacklist for function calls during eval() execution
4714+;hphp.executor.eval.whitelist = ord,chr
4715+;hphp.executor.eval.blacklist = system,shell_exec,popen,proc_open,exec,passthru
4716+
4717+; White-/blacklist for URLs allowes in include filenames
4718+;
4719+; - When both options are not set all URLs are forbidden
4720+;
4721+; - When both options are set whitelist is taken and blacklist ignored
4722+;
4723+; - An entry in the lists is either a URL sheme like: http, https
4724+; or the beginning of an URL like: php://input
4725+;
4726+;hphp.executor.include.whitelist = cookietest
4727+;hphp.executor.include.blacklist = http, https, ftp, ftps, php://input, file
4728+
4729+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4730+; Hardening-Patch's REQUEST variable filters ;
4731+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4732+
4733+; Limits the number of REQUEST variables
4734+hphp.request.max_vars = 200
4735+
4736+; Limits the length of variable names (without indices)
4737+hphp.request.max_varname_length = 64
4738+
4739+; Limits the length of complete variable names (with indices)
4740+hphp.request.max_totalname_length = 256
4741+
4742+; Limits the length of array indices
4743+hphp.request.max_array_index_length = 64
4744+
4745+; Limits the depth of arrays
4746+hphp.request.max_array_depth = 100
4747+
4748+; Limits the length of variable values
4749+hphp.request.max_value_length = 65000
4750+
4751+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4752+; Hardening-Patch's COOKIE variable filters ;
4753+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4754+
4755+; Limits the number of COOKIE variables
4756+hphp.cookie.max_vars = 100
4757+
4758+; Limits the length of variable names (without indices)
4759+hphp.cookie.max_name_length = 64
4760+
4761+; Limits the length of complete variable names (with indices)
4762+hphp.cookie.max_totalname_length = 256
4763+
4764+; Limits the length of array indices
4765+hphp.cookie.max_array_index_length = 64
4766+
4767+; Limits the depth of arrays
4768+hphp.cookie.max_array_depth = 100
4769+
4770+; Limits the length of variable values
4771+hphp.cookie.max_value_length = 10000
4772+
4773+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4774+; Hardening-Patch's GET variable filters ;
4775+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4776+
4777+; Limits the number of COOKIE variables
4778+hphp.get.max_vars = 100
4779+
4780+; Limits the length of variable names (without indices)
4781+hphp.get.max_name_length = 64
4782+
4783+; Limits the length of complete variable names (with indices)
4784+hphp.get.max_totalname_length = 256
4785+
4786+; Limits the length of array indices
4787+hphp.get.max_array_index_length = 64
4788+
4789+; Limits the depth of arrays
4790+hphp.get.max_array_depth = 50
4791+
4792+; Limits the length of variable values
4793+hphp.get.max_value_length = 512
4794+
4795+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4796+; Hardening-Patch's POST variable filters ;
4797+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4798+
4799+; Limits the number of POST variables
4800+hphp.post.max_vars = 200
4801+
4802+; Limits the length of variable names (without indices)
4803+hphp.post.max_name_length = 64
4804+
4805+; Limits the length of complete variable names (with indices)
4806+hphp.post.max_totalname_length = 256
4807+
4808+; Limits the length of array indices
4809+hphp.post.max_array_index_length = 64
4810+
4811+; Limits the depth of arrays
4812+hphp.post.max_array_depth = 100
4813+
4814+; Limits the length of variable values
4815+hphp.post.max_value_length = 65000
4816+
4817+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4818+; Hardening-Patch's fileupload variable filters ;
4819+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
4820+
4821+; Limits the number of uploadable files
4822+hphp.upload.max_uploads = 25
4823+
4824+; Filter out the upload of ELF executables
4825+hphp.upload.disallow_elf_files = On
4826+
4827+; External filterscript for upload verification
4828+;hphp.upload.verification_script = /home/hphp/verify_script
4829+
4830 ; Local Variables:
4831 ; tab-width: 4
4832 ; End:
4833diff -Nura php-5.0.5/sapi/apache/mod_php5.c hardening-patch-5.0.5-0.4.3/sapi/apache/mod_php5.c
4834--- php-5.0.5/sapi/apache/mod_php5.c 2005-08-01 10:12:42.000000000 +0200
4835+++ hardening-patch-5.0.5-0.4.3/sapi/apache/mod_php5.c 2005-09-11 23:30:52.000000000 +0200
4836@@ -455,7 +455,7 @@
4837 sapi_apache_get_fd,
4838 sapi_apache_force_http_10,
4839 sapi_apache_get_target_uid,
4840- sapi_apache_get_target_gid
4841+ sapi_apache_get_target_gid,
4842 };
4843 /* }}} */
4844
4845@@ -907,7 +907,11 @@
4846 {
4847 TSRMLS_FETCH();
4848 if (PG(expose_php)) {
4849+#if HARDENING_PATCH
4850+ ap_add_version_component("PHP/" PHP_VERSION " with Hardening-Patch");
4851+#else
4852 ap_add_version_component("PHP/" PHP_VERSION);
4853+#endif
4854 }
4855 }
4856 #endif
4857diff -Nura php-5.0.5/sapi/apache2filter/sapi_apache2.c hardening-patch-5.0.5-0.4.3/sapi/apache2filter/sapi_apache2.c
4858--- php-5.0.5/sapi/apache2filter/sapi_apache2.c 2005-07-16 14:30:10.000000000 +0200
4859+++ hardening-patch-5.0.5-0.4.3/sapi/apache2filter/sapi_apache2.c 2005-09-11 23:30:52.000000000 +0200
4860@@ -562,7 +562,11 @@
4861 {
4862 TSRMLS_FETCH();
4863 if (PG(expose_php)) {
4864+#if HARDENING_PATCH
4865+ ap_add_version_component(p, "PHP/" PHP_VERSION " with Hardening-Patch");
4866+#else
4867 ap_add_version_component(p, "PHP/" PHP_VERSION);
4868+#endif
4869 }
4870 }
4871
4872diff -Nura php-5.0.5/sapi/apache2handler/sapi_apache2.c hardening-patch-5.0.5-0.4.3/sapi/apache2handler/sapi_apache2.c
4873--- php-5.0.5/sapi/apache2handler/sapi_apache2.c 2005-09-02 15:51:26.000000000 +0200
4874+++ hardening-patch-5.0.5-0.4.3/sapi/apache2handler/sapi_apache2.c 2005-09-11 23:30:52.000000000 +0200
4875@@ -333,7 +333,11 @@
4876 {
4877 TSRMLS_FETCH();
4878 if (PG(expose_php)) {
4879+#if HARDENING_PATCH
4880+ ap_add_version_component(p, "PHP/" PHP_VERSION " with Hardening-Patch");
4881+#else
4882 ap_add_version_component(p, "PHP/" PHP_VERSION);
4883+#endif
4884 }
4885 }
4886
4887diff -Nura php-5.0.5/sapi/cgi/cgi_main.c hardening-patch-5.0.5-0.4.3/sapi/cgi/cgi_main.c
4888--- php-5.0.5/sapi/cgi/cgi_main.c 2005-04-28 16:24:21.000000000 +0200
4889+++ hardening-patch-5.0.5-0.4.3/sapi/cgi/cgi_main.c 2005-09-11 23:30:52.000000000 +0200
4890@@ -1419,11 +1419,19 @@
4891 SG(headers_sent) = 1;
4892 SG(request_info).no_headers = 1;
4893 }
4894+#if HARDENING_PATCH
4895+#if ZEND_DEBUG
4896+ php_printf("PHP %s with Hardening-Patch %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENING_PATCH_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
4897+#else
4898+ php_printf("PHP %s with Hardening-Patch %s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENING_PATCH_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
4899+#endif
4900+#else
4901 #if ZEND_DEBUG
4902 php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
4903 #else
4904 php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
4905 #endif
4906+#endif
4907 php_end_ob_buffers(1 TSRMLS_CC);
4908 exit(1);
4909 break;
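Review bot: The hunk now holds four near-identical php_printf() calls that differ only in the ` with Hardening-Patch %s` fragment and the `(DEBUG)` suffix, and the php_cli.c hunk duplicates all four again, so a future banner edit has eight places to miss. Folding the variable fragment into one format-string macro selected by `HARDENING_PATCH` (with the extra `HARDENING_PATCH_VERSION` argument supplied by a companion macro) would leave a single pair of calls per SAPI. The enclosing switch case starts outside the hunk.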
4910diff -Nura php-5.0.5/sapi/cli/php_cli.c hardening-patch-5.0.5-0.4.3/sapi/cli/php_cli.c
4911--- php-5.0.5/sapi/cli/php_cli.c 2005-03-22 16:09:20.000000000 +0100
4912+++ hardening-patch-5.0.5-0.4.3/sapi/cli/php_cli.c 2005-09-11 23:30:52.000000000 +0200
4913@@ -694,11 +694,19 @@
4914 if (php_request_startup(TSRMLS_C)==FAILURE) {
4915 goto err;
4916 }
4917+#if HARDENING_PATCH
4918+#if ZEND_DEBUG
4919+ php_printf("PHP %s with Hardening-Patch %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENING_PATCH_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
4920+#else
4921+ php_printf("PHP %s with Hardening-Patch %s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENING_PATCH_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
4922+#endif
4923+#else
4924 #if ZEND_DEBUG
4925 php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
4926 #else
4927 php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
4928 #endif
4929+#endif
4930 php_end_ob_buffers(1 TSRMLS_CC);
4931 exit_status=1;
4932 goto out;
4933diff -Nura php-5.0.5/TSRM/TSRM.h hardening-patch-5.0.5-0.4.3/TSRM/TSRM.h
4934--- php-5.0.5/TSRM/TSRM.h 2005-03-11 12:12:07.000000000 +0100
4935+++ hardening-patch-5.0.5-0.4.3/TSRM/TSRM.h 2005-09-11 23:30:52.000000000 +0200
4936@@ -33,6 +33,13 @@
4937 # define TSRM_API
4938 #endif
4939
4940+#if HARDENING_PATCH
4941+# if HAVE_REALPATH
4942+# undef realpath
4943+# define realpath php_realpath
4944+# endif
4945+#endif
4946+
4947 /* Only compile multi-threading functions if we're in ZTS mode */
4948 #ifdef ZTS
4949
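Review bot: `#define realpath php_realpath` rewrites the identifier in every translation unit that includes TSRM.h, including any system header pulled in afterwards that declares realpath(3), which then ends up declaring `php_realpath` with the libc prototype; that only stays harmless while php_realpath keeps exactly the `char *(const char *, char *)` signature declared in tsrm_virtual_cwd.h. A comment above the block should record that constraint, e.g. `/* php_realpath must keep realpath(3)'s prototype: headers included after this point are renamed too */`. The substitution is also gated on HAVE_REALPATH while the php_realpath declaration is not, so on a platform without realpath(3) the hardened resolver is built but nothing appears to be routed to it; worth confirming that is intended.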
4950@@ -88,6 +95,7 @@
4951
4952 #define THREAD_HASH_OF(thr,ts) (unsigned long)thr%(unsigned long)ts
4953
4954+
4955 #ifdef __cplusplus
4956 extern "C" {
4957 #endif
4958diff -Nura php-5.0.5/TSRM/tsrm_virtual_cwd.c hardening-patch-5.0.5-0.4.3/TSRM/tsrm_virtual_cwd.c
4959--- php-5.0.5/TSRM/tsrm_virtual_cwd.c 2005-07-16 13:50:59.000000000 +0200
4960+++ hardening-patch-5.0.5-0.4.3/TSRM/tsrm_virtual_cwd.c 2005-09-11 23:30:52.000000000 +0200
4961@@ -184,6 +184,165 @@
4962 return p;
4963 }
4964
4965+#if HARDENING_PATCH
4966+CWD_API char *php_realpath(const char *path, char *resolved)
4967+{
4968+ struct stat sb;
4969+ char *p, *q, *s;
4970+ size_t left_len, resolved_len;
4971+ unsigned symlinks;
4972+ int serrno, slen;
4973+ int is_dir = 1;
4974+ char left[PATH_MAX], next_token[PATH_MAX], symlink[PATH_MAX];
4975+
4976+ serrno = errno;
4977+ symlinks = 0;
4978+ if (path[0] == '/') {
4979+ resolved[0] = '/';
4980+ resolved[1] = '\0';
4981+ if (path[1] == '\0')
4982+ return (resolved);
4983+ resolved_len = 1;
4984+ left_len = strlcpy(left, path + 1, sizeof(left));
4985+ } else {
4986+ if (getcwd(resolved, PATH_MAX) == NULL) {
4987+ strlcpy(resolved, ".", PATH_MAX);
4988+ return (NULL);
4989+ }
4990+ resolved_len = strlen(resolved);
4991+ left_len = strlcpy(left, path, sizeof(left));
4992+ }
4993+ if (left_len >= sizeof(left) || resolved_len >= PATH_MAX) {
4994+ errno = ENAMETOOLONG;
4995+ return (NULL);
4996+ }
4997+
4998+ /*
4999+ * Iterate over path components in `left'.
5000+ */
5001+ while (left_len != 0) {
5002+ /*
5003+ * Extract the next path component and adjust `left'
5004+ * and its length.
5005+ */
5006+ p = strchr(left, '/');
5007+ s = p ? p : left + left_len;
5008+ if (s - left >= sizeof(next_token)) {
5009+ errno = ENAMETOOLONG;
5010+ return (NULL);
5011+ }
5012+ memcpy(next_token, left, s - left);
5013+ next_token[s - left] = '\0';
5014+ left_len -= s - left;
5015+ if (p != NULL)
5016+ memmove(left, s + 1, left_len + 1);
5017+ if (resolved[resolved_len - 1] != '/') {
5018+ if (resolved_len + 1 >= PATH_MAX) {
5019+ errno = ENAMETOOLONG;
5020+ return (NULL);
5021+ }
5022+ resolved[resolved_len++] = '/';
5023+ resolved[resolved_len] = '\0';
5024+ }
5025+ if (next_token[0] == '\0')
5026+ continue;
5027+ else if (strcmp(next_token, ".") == 0)
5028+ continue;
5029+ else if (strcmp(next_token, "..") == 0) {
5030+ /*
5031+ * Strip the last path component except when we have
5032+ * single "/"
5033+ */
5034+ if (!is_dir) {
5035+ errno = ENOENT;
5036+ return (NULL);
5037+ }
5038+ if (resolved_len > 1) {
5039+ resolved[resolved_len - 1] = '\0';
5040+ q = strrchr(resolved, '/');
5041+ *q = '\0';
5042+ resolved_len = q - resolved;
5043+ }
5044+ continue;
5045+ }
5046+
5047+ /*
5048+ * Append the next path component and lstat() it. If
5049+ * lstat() fails we still can return successfully if
5050+ * there are no more path components left.
5051+ */
5052+ resolved_len = strlcat(resolved, next_token, PATH_MAX);
5053+ if (resolved_len >= PATH_MAX) {
5054+ errno = ENAMETOOLONG;
5055+ return (NULL);
5056+ }
5057+ if (lstat(resolved, &sb) != 0) {
5058+ if (errno == ENOENT && p == NULL) {
5059+ errno = serrno;
5060+ return (resolved);
5061+ }
5062+ return (NULL);
5063+ }
5064+ if (S_ISLNK(sb.st_mode)) {
5065+ if (symlinks++ > MAXSYMLINKS) {
5066+ errno = ELOOP;
5067+ return (NULL);
5068+ }
5069+ slen = readlink(resolved, symlink, sizeof(symlink) - 1);
5070+ if (slen < 0)
5071+ return (NULL);
5072+ symlink[slen] = '\0';
5073+ if (symlink[0] == '/') {
5074+ resolved[1] = 0;
5075+ resolved_len = 1;
5076+ } else if (resolved_len > 1) {
5077+ /* Strip the last path component. */
5078+ resolved[resolved_len - 1] = '\0';
5079+ q = strrchr(resolved, '/');
5080+ *q = '\0';
5081+ resolved_len = q - resolved;
5082+ }
5083+
5084+ /*
5085+ * If there are any path components left, then
5086+ * append them to symlink. The result is placed
5087+ * in `left'.
5088+ */
5089+ if (p != NULL) {
5090+ if (symlink[slen - 1] != '/') {
5091+ if (slen + 1 >= sizeof(symlink)) {
5092+ errno = ENAMETOOLONG;
5093+ return (NULL);
5094+ }
5095+ symlink[slen] = '/';
5096+ symlink[slen + 1] = 0;
5097+ }
5098+ left_len = strlcat(symlink, left, sizeof(left));
5099+ if (left_len >= sizeof(left)) {
5100+ errno = ENAMETOOLONG;
5101+ return (NULL);
5102+ }
5103+ }
5104+ left_len = strlcpy(left, symlink, sizeof(left));
5105+ } else {
5106+ if (S_ISDIR(sb.st_mode)) {
5107+ is_dir = 1;
5108+ } else {
5109+ is_dir = 0;
5110+ }
5111+ }
5112+ }
5113+
5114+ /*
5115+ * Remove trailing slash except when the resolved pathname
5116+ * is a single "/".
5117+ */
5118+ if (resolved_len > 1 && resolved[resolved_len - 1] == '/')
5119+ resolved[resolved_len - 1] = '\0';
5120+ return (resolved);
5121+}
5122+#endif
5123+
5124 CWD_API void virtual_cwd_startup(void)
5125 {
5126 char cwd[MAXPATHLEN];
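Review bot: A zero-length symlink target makes `symlink[slen - 1]` in the `p != NULL` branch read `symlink[-1]`, because the `slen < 0` check above admits slen == 0 and readlink() can return 0 for such a link. Guard it right after that check with `if (slen == 0) { errno = ENOENT; return (NULL); }`. The function also deserves a header comment stating that it reads as a port of the BSD realpath(3) and naming its one deliberate deviation: the `is_dir` check makes `..` after a non-directory component fail with ENOENT instead of silently stepping over it, which is the property the rest of the patch relies on. The same comment should state the precondition that `resolved` holds at least PATH_MAX bytes, since the code writes up to that many.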
5127@@ -321,8 +480,7 @@
5128 path = resolved_path;
5129 path_length = strlen(path);
5130 } else {
5131- /* disable for now
5132- return 1; */
5133+ return 1;
5134 }
5135 }
5136 } else { /* Concat current directory with relative path and then run realpath() on it */
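Review bot: Restoring `return 1;` makes the enclosing path-resolution function fail as soon as realpath() rejects the path, where the previous code deliberately fell through; that is presumably the intended hardening, but the hunk gives no reason and the next reader sees only a deleted "disable for now" comment. A one-line comment such as `/* realpath() refused the path (e.g. ".." after a non-directory); treat as not found */` would record it. The second hunk below does the same and correctly keeps the `free(tmp)` before its return. The enclosing function starts and ends outside both hunks.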
5137@@ -348,9 +506,8 @@
5138 path = resolved_path;
5139 path_length = strlen(path);
5140 } else {
5141- /* disable for now
5142 free(tmp);
5143- return 1; */
5144+ return 1;
5145 }
5146 }
5147 free(tmp);
5148diff -Nura php-5.0.5/TSRM/tsrm_virtual_cwd.h hardening-patch-5.0.5-0.4.3/TSRM/tsrm_virtual_cwd.h
5149--- php-5.0.5/TSRM/tsrm_virtual_cwd.h 2005-07-16 13:50:59.000000000 +0200
5150+++ hardening-patch-5.0.5-0.4.3/TSRM/tsrm_virtual_cwd.h 2005-09-11 23:30:52.000000000 +0200
5151@@ -126,6 +126,22 @@
5152
5153 typedef int (*verify_path_func)(const cwd_state *);
5154
5155+#ifndef HAVE_STRLCPY
5156+CWD_API size_t php_strlcpy(char *dst, const char *src, size_t siz);
5157+#undef strlcpy
5158+#define strlcpy php_strlcpy
5159+#endif
5160+
5161+#ifndef HAVE_STRLCAT
5162+CWD_API size_t php_strlcat(char *dst, const char *src, size_t siz);
5163+#undef strlcat
5164+#define strlcat php_strlcat
5165+#endif
5166+
5167+
5168+#if HARDENING_PATCH
5169+CWD_API char *php_realpath(const char *path, char *resolved);
5170+#endif
5171 CWD_API void virtual_cwd_startup(void);
5172 CWD_API void virtual_cwd_shutdown(void);
5173 CWD_API char *virtual_getcwd_ex(size_t *length TSRMLS_DC);
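Review bot: `php_strlcpy` and `php_strlcat` are declared here and substituted for `strlcpy`/`strlcat` when the platform lacks them, but no definition of either is visible in this part of the patch; if they live elsewhere a comment naming the file would help, and if they do not, php_realpath will fail to link on exactly those platforms. The `#ifndef HAVE_STRLCPY` blocks are also not gated by `HARDENING_PATCH` while php_realpath, the only consumer in view, is, so the macro rename is applied to builds that never use it.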
5174diff -Nura php-5.0.5/Zend/zend_alloc.c hardening-patch-5.0.5-0.4.3/Zend/zend_alloc.c
5175--- php-5.0.5/Zend/zend_alloc.c 2005-08-18 17:14:23.000000000 +0200
5176+++ hardening-patch-5.0.5-0.4.3/Zend/zend_alloc.c 2005-09-11 23:30:52.000000000 +0200
5177@@ -64,6 +64,11 @@
5178 # define END_MAGIC_SIZE 0
5179 #endif
5180
5181+#if HARDENING_PATCH_MM_PROTECT
5182+# define CANARY_SIZE sizeof(unsigned int)
5183+#else
5184+# define CANARY_SIZE 0
5185+#endif
5186
5187 # if MEMORY_LIMIT
5188 # if ZEND_DEBUG
5189@@ -105,9 +110,17 @@
5190 if (p==AG(head)) { \
5191 AG(head) = p->pNext; \
5192 } else { \
5193+ if (p != p->pLast->pNext) { \
5194+ zend_security_log(S_MEMORY, "linked list corrupt on efree() - heap corruption detected"); \
5195+ exit(1); \
5196+ } \
5197 p->pLast->pNext = p->pNext; \
5198 } \
5199 if (p->pNext) { \
5200+ if (p != p->pNext->pLast) { \
5201+ zend_security_log(S_MEMORY, "linked list corrupt on efree() - heap corruption detected"); \
5202+ exit(1); \
5203+ } \
5204 p->pNext->pLast = p->pLast; \
5205 }
5206 #else
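Review bot: Both new safe-unlink checks log the identical string `linked list corrupt on efree() - heap corruption detected`, so an operator reading the alert cannot tell whether the backward (`p->pLast->pNext`) or forward (`p->pNext->pLast`) link failed, which is the first thing wanted during triage. Suffixing the two messages, e.g. `... (pLast->pNext)` and `... (pNext->pLast)`, costs nothing. The macro is also invoked from `_erealloc` in a later hunk although the text says efree(); either pass the caller name in or drop it from the message.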
5207@@ -146,6 +159,12 @@
5208 DECLARE_CACHE_VARS();
5209 TSRMLS_FETCH();
5210
5211+#if HARDENING_PATCH_MM_PROTECT
5212+ if (size > LONG_MAX - sizeof(zend_mem_header) - MEM_HEADER_PADDING - END_MAGIC_SIZE - CANARY_SIZE) {
5213+ zend_security_log(S_MEMORY, "emalloc() - requested size would result in integer overflow");
5214+ exit(1);
5215+ }
5216+#endif
5217 CALCULATE_REAL_SIZE_AND_CACHE_INDEX(size);
5218
5219 #if !ZEND_DISABLE_MEMORY_CACHE
5220@@ -164,6 +183,10 @@
5221 AG(cache_stats)[CACHE_INDEX][1]++;
5222 memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
5223 #endif
5224+#if HARDENING_PATCH_MM_PROTECT
5225+ p->canary = HG(canary_1);
5226+ memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
5227+#endif
5228 p->cached = 0;
5229 p->size = size;
5230 return (void *)((char *)p + sizeof(zend_mem_header) + MEM_HEADER_PADDING);
5231@@ -180,7 +203,7 @@
5232 AG(allocated_memory_peak) = AG(allocated_memory);
5233 }
5234 #endif
5235- p = (zend_mem_header *) ZEND_DO_MALLOC(sizeof(zend_mem_header) + MEM_HEADER_PADDING + SIZE + END_MAGIC_SIZE);
5236+ p = (zend_mem_header *) ZEND_DO_MALLOC(sizeof(zend_mem_header) + MEM_HEADER_PADDING + SIZE + END_MAGIC_SIZE + CANARY_SIZE);
5237 #if !ZEND_DISABLE_MEMORY_CACHE
5238 }
5239 #endif
5240@@ -212,7 +235,10 @@
5241 # endif
5242 memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
5243 #endif
5244-
5245+#if HARDENING_PATCH_MM_PROTECT
5246+ p->canary = HG(canary_1);
5247+ memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
5248+#endif
5249 HANDLE_UNBLOCK_INTERRUPTIONS();
5250 return (void *)((char *)p + sizeof(zend_mem_header) + MEM_HEADER_PADDING);
5251 }
5252@@ -240,6 +266,10 @@
5253 }
5254 }
5255
5256+
5257+#if HARDENING_PATCH
5258+ zend_security_log(S_MEMORY, "Possible integer overflow catched by safe_emalloc()");
5259+#endif
5260 zend_error(E_ERROR, "Possible integer overflow in memory allocation (%zd * %zd + %zd)", nmemb, size, offset);
5261 return 0;
5262 }
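Review bot: The new log string reads `Possible integer overflow catched by safe_emalloc()`; `catched` should be `caught`, and the same misspelling appears in the ecalloc message in the `_ecalloc` hunk below. These strings are what a log rule will match on, so fixing them before release avoids a permanently misspelled signature: `zend_security_log(S_MEMORY, "Possible integer overflow caught by safe_emalloc()");`. The enclosing function starts outside the hunk.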
5263@@ -248,9 +278,25 @@
5264
5265 ZEND_API void _efree(void *ptr ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
5266 {
5267+#if HARDENING_PATCH_MM_PROTECT
5268+ unsigned int canary_2;
5269+#endif
5270 zend_mem_header *p = (zend_mem_header *) ((char *)ptr - sizeof(zend_mem_header) - MEM_HEADER_PADDING);
5271 DECLARE_CACHE_VARS();
5272 TSRMLS_FETCH();
5273+
5274+#if HARDENING_PATCH_MM_PROTECT
5275+ if (p->canary != HG(canary_1)) goto efree_canary_mismatch;
5276+ memcpy(&canary_2, (((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE), CANARY_SIZE);
5277+ if (canary_2 != HG(canary_2)) {
5278+efree_canary_mismatch:
5279+ zend_security_log(S_MEMORY, "canary mismatch on efree() - heap overflow or double efree detected");
5280+ exit(1);
5281+ }
5282+ /* to catch double efree()s */
5283+ memset((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE), 0, CANARY_SIZE);
5284+ p->canary = 0;
5285+#endif
5286
5287 #if defined(ZTS) && TSRM_DEBUG
5288 if (p->thread_id != tsrm_thread_id()) {
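Review bot: The double-efree marker works by zeroing `p->canary`, so it is only effective if `HG(canary_1)` can never itself be 0; nothing in the start_memory_manager hunk rejects a zero return from `zend_canary()`, and the same applies to `canary_2` against the zeroed trailer. Either retry the generator on 0 or document the invariant at the assignment. Jumping with `goto efree_canary_mismatch` into the body of the following `if` is legal but hard to follow; a small static helper that checks the header canary first and the trailer second, returning a flag, keeps the control flow linear, and the `_erealloc` hunk uses the same shape. A comment should also state that `p->size` is trusted for the trailer read once the header canary matches, since that is the design decision.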
5289@@ -292,23 +338,35 @@
5290
5291 ZEND_API void *_ecalloc(size_t nmemb, size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
5292 {
5293- void *p;
5294- int final_size = size*nmemb;
5295+ char *p;
5296+ size_t _size = nmemb * size;
5297+
5298+ if (nmemb && (_size/nmemb!=size)) {
5299+#if HARDENING_PATCH
5300+ zend_security_log(S_MEMORY, "Possible integer overflow catched by ecalloc()");
5301+#endif
5302+ fprintf(stderr,"FATAL: ecalloc(): Unable to allocate %ld * %ld bytes\n", (long) nmemb, (long) size);
5303+#if ZEND_DEBUG && HAVE_KILL && HAVE_GETPID
5304+ kill(getpid(), SIGSEGV);
5305+#else
5306+ exit(1);
5307+#endif
5308+ }
5309
5310- HANDLE_BLOCK_INTERRUPTIONS();
5311- p = _emalloc(final_size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
5312- if (!p) {
5313- HANDLE_UNBLOCK_INTERRUPTIONS();
5314- return (void *) p;
5315+ p = (char *) _emalloc(_size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
5316+ if (p) {
5317+ memset(p, 0, _size);
5318 }
5319- memset(p, 0, final_size);
5320- HANDLE_UNBLOCK_INTERRUPTIONS();
5321- return p;
5322+
5323+ return ((void *)p);
5324 }
5325
5326
5327 ZEND_API void *_erealloc(void *ptr, size_t size, int allow_failure ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
5328 {
5329+#if HARDENING_PATCH_MM_PROTECT
5330+ unsigned int canary_2;
5331+#endif
5332 zend_mem_header *p;
5333 zend_mem_header *orig;
5334 DECLARE_CACHE_VARS();
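Review bot: The rewritten `_ecalloc` drops the HANDLE_BLOCK_INTERRUPTIONS()/HANDLE_UNBLOCK_INTERRUPTIONS() pair the original held across the allocation and memset; `_emalloc` appears to block and unblock internally (its body is outside this hunk), so the memset now runs with interruptions enabled. Either restore the pair around the memset or add a comment stating why it is no longer needed. The overflow check `nmemb && (_size/nmemb != size)` is correct and, being outside `#if HARDENING_PATCH`, now applies to every build, which deserves a mention in the description. The message text `catched` should be `caught`.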
5335@@ -320,6 +378,16 @@
5336
5337 p = orig = (zend_mem_header *) ((char *)ptr-sizeof(zend_mem_header)-MEM_HEADER_PADDING);
5338
5339+#if HARDENING_PATCH_MM_PROTECT
5340+ if (p->canary != HG(canary_1)) goto erealloc_canary_mismatch;
5341+ memcpy(&canary_2, (((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE), CANARY_SIZE);
5342+ if (canary_2 != HG(canary_2)) {
5343+erealloc_canary_mismatch:
5344+ zend_security_log(S_MEMORY, "canary mismatch on erealloc() - heap overflow detected");
5345+ exit(1);
5346+ }
5347+#endif
5348+
5349 #if defined(ZTS) && TSRM_DEBUG
5350 if (p->thread_id != tsrm_thread_id()) {
5351 void *new_p;
5352@@ -343,7 +411,7 @@
5353 }
5354 #endif
5355 REMOVE_POINTER_FROM_LIST(p);
5356- p = (zend_mem_header *) ZEND_DO_REALLOC(p, sizeof(zend_mem_header)+MEM_HEADER_PADDING+SIZE+END_MAGIC_SIZE);
5357+ p = (zend_mem_header *) ZEND_DO_REALLOC(p, sizeof(zend_mem_header)+MEM_HEADER_PADDING+SIZE+END_MAGIC_SIZE+CANARY_SIZE);
5358 if (!p) {
5359 if (!allow_failure) {
5360 fprintf(stderr,"FATAL: erealloc(): Unable to allocate %ld bytes\n", (long) size);
5361@@ -365,6 +433,9 @@
5362 memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
5363 #endif
5364
5365+#if HARDENING_PATCH_MM_PROTECT
5366+ memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
5367+#endif
5368 p->size = size;
5369
5370 HANDLE_UNBLOCK_INTERRUPTIONS();
5371@@ -439,6 +510,10 @@
5372 {
5373 AG(head) = NULL;
5374
5375+#if HARDENING_PATCH_MM_PROTECT
5376+ HG(canary_1) = zend_canary();
5377+ HG(canary_2) = zend_canary();
5378+#endif
5379 #if MEMORY_LIMIT
5380 AG(memory_limit) = 1<<30; /* ridiculous limit, effectively no limit */
5381 AG(allocated_memory) = 0;
5382diff -Nura php-5.0.5/Zend/zend_alloc.h hardening-patch-5.0.5-0.4.3/Zend/zend_alloc.h
5383--- php-5.0.5/Zend/zend_alloc.h 2005-06-07 15:37:13.000000000 +0200
5384+++ hardening-patch-5.0.5-0.4.3/Zend/zend_alloc.h 2005-09-11 23:30:52.000000000 +0200
5385@@ -35,6 +35,9 @@
5386 #define MEM_BLOCK_CACHED_MAGIC 0xFB8277DCL
5387
5388 typedef struct _zend_mem_header {
5389+#if HARDENING_PATCH_MM_PROTECT
5390+ unsigned int canary;
5391+#endif
5392 #if ZEND_DEBUG
5393 long magic;
5394 char *filename;
5395diff -Nura php-5.0.5/Zend/zend_API.h hardening-patch-5.0.5-0.4.3/Zend/zend_API.h
5396--- php-5.0.5/Zend/zend_API.h 2005-06-27 19:42:06.000000000 +0200
5397+++ hardening-patch-5.0.5-0.4.3/Zend/zend_API.h 2005-09-11 23:30:52.000000000 +0200
5398@@ -47,6 +47,7 @@
5399 #define ZEND_METHOD(classname, name) ZEND_NAMED_FUNCTION(ZEND_FN(classname##_##name))
5400
5401 #define ZEND_FENTRY(zend_name, name, arg_info, flags) { #zend_name, name, arg_info, (zend_uint) (sizeof(arg_info)/sizeof(struct _zend_arg_info)-1), flags },
5402+#define ZEND_STATIC_FE(zend_name, name, arg_info) { zend_name, name, arg_info, (zend_uint) (sizeof(arg_info)/sizeof(struct _zend_arg_info)-1), 0 },
5403
5404 #define ZEND_NAMED_FE(zend_name, name, arg_info) ZEND_FENTRY(zend_name, name, arg_info, 0)
5405 #define ZEND_FE(name, arg_info) ZEND_FENTRY(name, ZEND_FN(name), arg_info, 0)
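Review bot: `ZEND_STATIC_FE` differs from `ZEND_NAMED_FE` only in passing `zend_name` through as an expression instead of stringifying it with `#`, and nothing says so; a one-line comment such as `/* as ZEND_NAMED_FE, but zend_name is a char * expression (not a token to stringify); flags are always 0 */` would stop someone "fixing" it back to the ZEND_FENTRY form. The same comment should say why it cannot be routed through `ZEND_FENTRY` like its siblings, which is exactly that stringification.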
5406diff -Nura php-5.0.5/Zend/zend_builtin_functions.c hardening-patch-5.0.5-0.4.3/Zend/zend_builtin_functions.c
5407--- php-5.0.5/Zend/zend_builtin_functions.c 2005-06-27 19:42:06.000000000 +0200
5408+++ hardening-patch-5.0.5-0.4.3/Zend/zend_builtin_functions.c 2005-09-11 23:30:52.000000000 +0200
5409@@ -52,6 +52,9 @@
5410 static ZEND_FUNCTION(crash);
5411 #endif
5412 #endif
5413+#if HARDENING_PATCH_MM_PROTECT_DEBUG
5414+static ZEND_FUNCTION(heap_overflow);
5415+#endif
5416 static ZEND_FUNCTION(get_included_files);
5417 static ZEND_FUNCTION(is_subclass_of);
5418 static ZEND_FUNCTION(is_a);
5419@@ -111,6 +114,9 @@
5420 ZEND_FE(crash, NULL)
5421 #endif
5422 #endif
5423+#if HARDENING_PATCH_MM_PROTECT_DEBUG
5424+ ZEND_FE(heap_overflow, NULL)
5425+#endif
5426 ZEND_FE(get_included_files, NULL)
5427 ZEND_FALIAS(get_required_files, get_included_files, NULL)
5428 ZEND_FE(is_subclass_of, NULL)
5429@@ -991,6 +997,19 @@
5430
5431 #endif /* ZEND_DEBUG */
5432
5433+
5434+#if HARDENING_PATCH_MM_PROTECT_DEBUG
5435+ZEND_FUNCTION(heap_overflow)
5436+{
5437+ char *nowhere = emalloc(10);
5438+
5439+ memcpy(nowhere, "something1234567890", sizeof("something1234567890"));
5440+
5441+ efree(nowhere);
5442+}
5443+#endif
5444+
5445+
5446 /* {{{ proto array get_included_files(void)
5447 Returns an array with the file names that were include_once()'d */
5448 ZEND_FUNCTION(get_included_files)
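Review bot: `heap_overflow` carries none of the `/* {{{ proto ... */` documentation the surrounding builtins have, and nothing records that it exists only to exercise the canary check. Suggest `/* {{{ proto void heap_overflow(void) Debug build only (HARDENING_PATCH_MM_PROTECT_DEBUG): copies 20 bytes into a 10-byte emalloc() block so that efree() must report a canary mismatch */` above it with the matching `/* }}} */` after it. Because the copy deliberately corrupts the heap, the declaration in the first hunk of this file deserves a one-line note that the symbol must never be enabled in a production build.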
5449diff -Nura php-5.0.5/Zend/zend.c hardening-patch-5.0.5-0.4.3/Zend/zend.c
5450--- php-5.0.5/Zend/zend.c 2005-07-22 09:33:27.000000000 +0200
5451+++ hardening-patch-5.0.5-0.4.3/Zend/zend.c 2005-09-12 17:02:36.000000000 +0200
5452@@ -54,6 +54,12 @@
5453 ZEND_API void (*zend_unblock_interruptions)(void);
5454 ZEND_API void (*zend_ticks_function)(int ticks);
5455 ZEND_API void (*zend_error_cb)(int type, const char *error_filename, const uint error_lineno, const char *format, va_list args);
5456+#if HARDENING_PATCH
5457+ZEND_API void (*zend_security_log)(int loglevel, char *fmt, ...);
5458+#endif
5459+#if HARDENING_PATCH_INC_PROTECT
5460+ZEND_API int (*zend_is_valid_include)(zval *z);
5461+#endif
5462 int (*zend_vspprintf)(char **pbuf, size_t max_len, const char *format, va_list ap);
5463
5464 void (*zend_on_timeout)(int seconds TSRMLS_DC);
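Review bot: `zend_security_log` is declared as `(int loglevel, char *fmt, ...)`: the format should be `const char *`, and without a printf-format attribute none of the later calls are type-checked, which matters because zend_execute.c in this patch prints a `long` INI value with `%u`. Declaring it as `ZEND_API void (*zend_security_log)(int loglevel, const char *fmt, ...) ZEND_ATTRIBUTE_FORMAT(printf, 2, 3);`, the macro zend.h already applies to zend_error, lets the compiler flag such mismatches; the prototype in the header and the SAPI implementation need the same change.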
5465@@ -72,9 +78,391 @@
5466 return SUCCESS;
5467 }
5468
5469+#if HARDENING_PATCH
5470+static ZEND_INI_MH(OnUpdateHPHP_log_syslog)
5471+{
5472+ if (!new_value) {
5473+ EG(hphp_log_syslog) = S_ALL & ~S_SQL | S_MEMORY | S_INTERNAL;
5474+ } else {
5475+ EG(hphp_log_syslog) = atoi(new_value) | S_MEMORY | S_INTERNAL;
5476+ }
5477+ return SUCCESS;
5478+}
5479+static ZEND_INI_MH(OnUpdateHPHP_log_syslog_facility)
5480+{
5481+ if (!new_value) {
5482+ EG(hphp_log_syslog_facility) = LOG_USER;
5483+ } else {
5484+ EG(hphp_log_syslog_facility) = atoi(new_value);
5485+ }
5486+ return SUCCESS;
5487+}
5488+static ZEND_INI_MH(OnUpdateHPHP_log_syslog_priority)
5489+{
5490+ if (!new_value) {
5491+ EG(hphp_log_syslog_priority) = LOG_ALERT;
5492+ } else {
5493+ EG(hphp_log_syslog_priority) = atoi(new_value);
5494+ }
5495+ return SUCCESS;
5496+}
5497+static ZEND_INI_MH(OnUpdateHPHP_log_sapi)
5498+{
5499+ if (!new_value) {
5500+ EG(hphp_log_sapi) = S_ALL & ~S_SQL | S_INTERNAL;
5501+ } else {
5502+ EG(hphp_log_sapi) = atoi(new_value) | S_INTERNAL;
5503+ }
5504+ return SUCCESS;
5505+}
5506+static ZEND_INI_MH(OnUpdateHPHP_log_script)
5507+{
5508+ if (!new_value) {
5509+ EG(hphp_log_script) = S_ALL & ~S_MEMORY;
5510+ } else {
5511+ EG(hphp_log_script) = atoi(new_value) & (~S_MEMORY) & (~S_INTERNAL);
5512+ }
5513+ return SUCCESS;
5514+}
5515+static ZEND_INI_MH(OnUpdateHPHP_log_scriptname)
5516+{
5517+ if (!new_value) {
5518+ EG(hphp_log_scriptname) = NULL;
5519+ } else {
5520+ if (EG(hphp_log_scriptname)) {
5521+ pefree(EG(hphp_log_scriptname),1);
5522+ }
5523+ EG(hphp_log_scriptname) = pestrdup(new_value,1);
5524+ }
5525+ return SUCCESS;
5526+}
5527+
5528+static ZEND_INI_MH(OnUpdateHPHP_include_whitelist)
5529+{
5530+ char *s = NULL, *e, *val;
5531+ unsigned long dummy = 1;
5532+
5533+ if (!new_value) {
5534+include_whitelist_destroy:
5535+ if (HG(include_whitelist)) {
5536+ zend_hash_destroy(HG(include_whitelist));
5537+ efree(HG(include_whitelist));
5538+ }
5539+ HG(include_whitelist) = NULL;
5540+ return SUCCESS;
5541+ }
5542+ if (!(*new_value)) {
5543+ goto include_whitelist_destroy;
5544+ }
5545+
5546+ ALLOC_HASHTABLE(HG(include_whitelist));
5547+ zend_hash_init(HG(include_whitelist), 5, NULL, NULL, 0);
5548+
5549+ val = zend_str_tolower_dup(new_value, strlen(new_value));
5550+ e = val;
5551+
5552+ while (*e) {
5553+ switch (*e) {
5554+ case ' ':
5555+ case ',':
5556+ if (s) {
5557+ *e = '\0';
5558+ zend_hash_add(HG(include_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
5559+ s = NULL;
5560+ }
5561+ break;
5562+ default:
5563+ if (!s) {
5564+ s = e;
5565+ }
5566+ break;
5567+ }
5568+ e++;
5569+ }
5570+ if (s) {
5571+ zend_hash_add(HG(include_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
5572+ }
5573+ efree(val);
5574+
5575+ return SUCCESS;
5576+}
5577+
5578+static ZEND_INI_MH(OnUpdateHPHP_include_blacklist)
5579+{
5580+ char *s = NULL, *e, *val;
5581+ unsigned long dummy = 1;
5582+
5583+ if (!new_value) {
5584+include_blacklist_destroy:
5585+ if (HG(include_blacklist)) {
5586+ zend_hash_destroy(HG(include_blacklist));
5587+ efree(HG(include_blacklist));
5588+ }
5589+ HG(include_blacklist) = NULL;
5590+ return SUCCESS;
5591+ }
5592+ if (!(*new_value)) {
5593+ goto include_blacklist_destroy;
5594+ }
5595+
5596+ ALLOC_HASHTABLE(HG(include_blacklist));
5597+ zend_hash_init(HG(include_blacklist), 5, NULL, NULL, 0);
5598+
5599+ val = zend_str_tolower_dup(new_value, strlen(new_value));
5600+ e = val;
5601+
5602+ while (*e) {
5603+ switch (*e) {
5604+ case ' ':
5605+ case ',':
5606+ if (s) {
5607+ *e = '\0';
5608+ zend_hash_add(HG(include_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
5609+ s = NULL;
5610+ }
5611+ break;
5612+ default:
5613+ if (!s) {
5614+ s = e;
5615+ }
5616+ break;
5617+ }
5618+ e++;
5619+ }
5620+ if (s) {
5621+ zend_hash_add(HG(include_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
5622+ }
5623+ efree(val);
5624+
5625+ return SUCCESS;
5626+}
5627+
5628+static ZEND_INI_MH(OnUpdateHPHP_eval_whitelist)
5629+{
5630+ char *s = NULL, *e, *val;
5631+ unsigned long dummy = 1;
5632+
5633+ if (!new_value) {
5634+eval_whitelist_destroy:
5635+ if (HG(eval_whitelist)) {
5636+ zend_hash_destroy(HG(eval_whitelist));
5637+ efree(HG(eval_whitelist));
5638+ }
5639+ HG(eval_whitelist) = NULL;
5640+ return SUCCESS;
5641+ }
5642+ if (!(*new_value)) {
5643+ goto eval_whitelist_destroy;
5644+ }
5645+
5646+ ALLOC_HASHTABLE(HG(eval_whitelist));
5647+ zend_hash_init(HG(eval_whitelist), 5, NULL, NULL, 0);
5648+
5649+ val = zend_str_tolower_dup(new_value, strlen(new_value));
5650+ e = val;
5651+
5652+ while (*e) {
5653+ switch (*e) {
5654+ case ' ':
5655+ case ',':
5656+ if (s) {
5657+ *e = '\0';
5658+ zend_hash_add(HG(eval_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
5659+ s = NULL;
5660+ }
5661+ break;
5662+ default:
5663+ if (!s) {
5664+ s = e;
5665+ }
5666+ break;
5667+ }
5668+ e++;
5669+ }
5670+ if (s) {
5671+ zend_hash_add(HG(eval_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
5672+ }
5673+ efree(val);
5674+
5675+ return SUCCESS;
5676+}
5677+
5678+static ZEND_INI_MH(OnUpdateHPHP_eval_blacklist)
5679+{
5680+ char *s = NULL, *e, *val;
5681+ unsigned long dummy = 1;
5682+
5683+ if (!new_value) {
5684+eval_blacklist_destroy:
5685+ if (HG(eval_blacklist)) {
5686+ zend_hash_destroy(HG(eval_blacklist));
5687+ efree(HG(eval_blacklist));
5688+ }
5689+ HG(eval_blacklist) = NULL;
5690+ return SUCCESS;
5691+ }
5692+ if (!(*new_value)) {
5693+ goto eval_blacklist_destroy;
5694+ }
5695+
5696+ ALLOC_HASHTABLE(HG(eval_blacklist));
5697+ zend_hash_init(HG(eval_blacklist), 5, NULL, NULL, 0);
5698+
5699+ val = zend_str_tolower_dup(new_value, strlen(new_value));
5700+ e = val;
5701+
5702+ while (*e) {
5703+ switch (*e) {
5704+ case ' ':
5705+ case ',':
5706+ if (s) {
5707+ *e = '\0';
5708+ zend_hash_add(HG(eval_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
5709+ s = NULL;
5710+ }
5711+ break;
5712+ default:
5713+ if (!s) {
5714+ s = e;
5715+ }
5716+ break;
5717+ }
5718+ e++;
5719+ }
5720+ if (s) {
5721+ zend_hash_add(HG(eval_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
5722+ }
5723+ efree(val);
5724+
5725+
5726+ return SUCCESS;
5727+}
5728+
5729+static ZEND_INI_MH(OnUpdateHPHP_func_whitelist)
5730+{
5731+ char *s = NULL, *e, *val;
5732+ unsigned long dummy = 1;
5733+
5734+ if (!new_value) {
5735+func_whitelist_destroy:
5736+ if (HG(func_whitelist)) {
5737+ zend_hash_destroy(HG(func_whitelist));
5738+ efree(HG(func_whitelist));
5739+ }
5740+ HG(func_whitelist) = NULL;
5741+ return SUCCESS;
5742+ }
5743+ if (!(*new_value)) {
5744+ goto func_whitelist_destroy;
5745+ }
5746+
5747+ ALLOC_HASHTABLE(HG(func_whitelist));
5748+ zend_hash_init(HG(func_whitelist), 5, NULL, NULL, 0);
5749+
5750+ val = zend_str_tolower_dup(new_value, strlen(new_value));
5751+ e = val;
5752+
5753+ while (*e) {
5754+ switch (*e) {
5755+ case ' ':
5756+ case ',':
5757+ if (s) {
5758+ *e = '\0';
5759+ zend_hash_add(HG(func_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
5760+ s = NULL;
5761+ }
5762+ break;
5763+ default:
5764+ if (!s) {
5765+ s = e;
5766+ }
5767+ break;
5768+ }
5769+ e++;
5770+ }
5771+ if (s) {
5772+ zend_hash_add(HG(func_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
5773+ }
5774+ efree(val);
5775+
5776+ return SUCCESS;
5777+}
5778+
5779+static ZEND_INI_MH(OnUpdateHPHP_func_blacklist)
5780+{
5781+ char *s = NULL, *e, *val;
5782+ unsigned long dummy = 1;
5783+
5784+ if (!new_value) {
5785+func_blacklist_destroy:
5786+ if (HG(func_blacklist)) {
5787+ zend_hash_destroy(HG(func_blacklist));
5788+ efree(HG(func_blacklist));
5789+ }
5790+ HG(func_blacklist) = NULL;
5791+ return SUCCESS;
5792+ }
5793+ if (!(*new_value)) {
5794+ goto func_blacklist_destroy;
5795+ }
5796+
5797+ ALLOC_HASHTABLE(HG(func_blacklist));
5798+ zend_hash_init(HG(func_blacklist), 5, NULL, NULL, 0);
5799+
5800+ val = zend_str_tolower_dup(new_value, strlen(new_value));
5801+ e = val;
5802+
5803+ while (*e) {
5804+ switch (*e) {
5805+ case ' ':
5806+ case ',':
5807+ if (s) {
5808+ *e = '\0';
5809+ zend_hash_add(HG(func_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
5810+ s = NULL;
5811+ }
5812+ break;
5813+ default:
5814+ if (!s) {
5815+ s = e;
5816+ }
5817+ break;
5818+ }
5819+ e++;
5820+ }
5821+ if (s) {
5822+ zend_hash_add(HG(func_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
5823+ }
5824+ efree(val);
5825+
5826+
5827+ return SUCCESS;
5828+}
5829+
5830+#endif
5831
5832 ZEND_INI_BEGIN()
5833 ZEND_INI_ENTRY("error_reporting", NULL, ZEND_INI_ALL, OnUpdateErrorReporting)
5834+#if HARDENING_PATCH
5835+ ZEND_INI_ENTRY("hphp.log.syslog", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_syslog)
5836+ ZEND_INI_ENTRY("hphp.log.syslog.facility", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_syslog_facility)
5837+ ZEND_INI_ENTRY("hphp.log.syslog.priority", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_syslog_priority)
5838+ ZEND_INI_ENTRY("hphp.log.sapi", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_sapi)
5839+ ZEND_INI_ENTRY("hphp.log.script", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_script)
5840+ ZEND_INI_ENTRY("hphp.log.script.name", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_scriptname)
5841+ STD_ZEND_INI_BOOLEAN("hphp.log.use-x-forwarded-for", "0", ZEND_INI_SYSTEM, OnUpdateBool, hphp_log_use_x_forwarded_for, zend_executor_globals, executor_globals)
5842+
5843+ ZEND_INI_ENTRY("hphp.executor.include.whitelist", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_include_whitelist)
5844+ ZEND_INI_ENTRY("hphp.executor.include.blacklist", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_include_blacklist)
5845+ ZEND_INI_ENTRY("hphp.executor.eval.whitelist", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateHPHP_eval_whitelist)
5846+ ZEND_INI_ENTRY("hphp.executor.eval.blacklist", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateHPHP_eval_blacklist)
5847+ ZEND_INI_ENTRY("hphp.executor.func.whitelist", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateHPHP_func_whitelist)
5848+ ZEND_INI_ENTRY("hphp.executor.func.blacklist", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateHPHP_func_blacklist)
5849+
5850+ STD_ZEND_INI_ENTRY("hphp.executor.max_depth", "0", ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateLong, hphp_executor_max_depth, zend_executor_globals, executor_globals)
5851+ STD_ZEND_INI_BOOLEAN("hphp.sql.bailout_on_error", "0", ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateBool, hphp_sql_bailout_on_error, hardened_globals_struct, hardened_globals)
5852+ STD_ZEND_INI_BOOLEAN("hphp.multiheader", "0", ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateBool, hphp_multiheader, hardened_globals_struct, hardened_globals)
5853+#endif
5854 STD_ZEND_INI_BOOLEAN("zend.ze1_compatibility_mode", "0", ZEND_INI_ALL, OnUpdateBool, ze1_compatibility_mode, zend_executor_globals, executor_globals)
5855 ZEND_INI_END()
5856
5857@@ -476,6 +864,7 @@
5858 EG(user_error_handler) = NULL;
5859 EG(user_exception_handler) = NULL;
5860 EG(in_execution) = 0;
5861+ EG(in_code_type) = 0;
5862 EG(in_autoload) = NULL;
5863 EG(current_execute_data) = NULL;
5864 EG(current_module) = NULL;
5865@@ -545,6 +934,14 @@
5866 extern zend_scanner_globals language_scanner_globals;
5867 #endif
5868
5869+ /* Set up Hardening-Patch utility functions first */
5870+#if HARDENING_PATCH
5871+ zend_security_log = utility_functions->security_log_function;
5872+#endif
5873+#if HARDENING_PATCH_INC_PROTECT
5874+ zend_is_valid_include = utility_functions->is_valid_include;
5875+#endif
5876+
5877 #ifdef ZTS
5878 ts_allocate_id(&alloc_globals_id, sizeof(zend_alloc_globals), (ts_allocate_ctor) alloc_globals_ctor, (ts_allocate_dtor) alloc_globals_dtor);
5879 #else
5880@@ -747,6 +1144,7 @@
5881 }
5882 CG(unclean_shutdown) = 1;
5883 CG(in_compilation) = EG(in_execution) = 0;
5884+ EG(in_code_type) = 0;
5885 EG(current_execute_data) = NULL;
5886 longjmp(EG(bailout), FAILURE);
5887 }
5888diff -Nura php-5.0.5/Zend/zend_canary.c hardening-patch-5.0.5-0.4.3/Zend/zend_canary.c
5889--- php-5.0.5/Zend/zend_canary.c 1970-01-01 01:00:00.000000000 +0100
5890+++ hardening-patch-5.0.5-0.4.3/Zend/zend_canary.c 2005-09-11 23:30:52.000000000 +0200
5891@@ -0,0 +1,58 @@
5892+/*
5893+ +----------------------------------------------------------------------+
5894+ | Hardening-Patch for PHP |
5895+ +----------------------------------------------------------------------+
5896+ | Copyright (c) 2004-2005 Stefan Esser |
5897+ +----------------------------------------------------------------------+
5898+ | This source file is subject to version 2.02 of the PHP license, |
5899+ | that is bundled with this package in the file LICENSE, and is |
5900+ | available at through the world-wide-web at |
5901+ | http://www.php.net/license/2_02.txt. |
5902+ | If you did not receive a copy of the PHP license and are unable to |
5903+ | obtain it through the world-wide-web, please send a note to |
5904+ | license@php.net so we can mail you a copy immediately. |
5905+ +----------------------------------------------------------------------+
5906+ | Author: Stefan Esser <sesser@hardened-php.net> |
5907+ +----------------------------------------------------------------------+
5908+ */
5909+/* $Id: zend_canary.c,v 1.1 2004/11/26 12:45:41 ionic Exp $ */
5910+
5911+#include "zend.h"
5912+
5913+#include <stdio.h>
5914+#include <stdlib.h>
5915+
5916+
5917+#if HARDENING_PATCH_MM_PROTECT || HARDENING_PATCH_LL_PROTECT || HARDENING_PATCH_HASH_PROTECT
5918+
5919+/* will be replaced later with more compatible method */
5920+ZEND_API unsigned int zend_canary()
5921+{
5922+ time_t t;
5923+ unsigned int canary;
5924+ int fd;
5925+
5926+ fd = open("/dev/urandom", 0);
5927+ if (fd != -1) {
5928+ int r = read(fd, &canary, sizeof(canary));
5929+ close(fd);
5930+ if (r == sizeof(canary)) {
5931+ return (canary);
5932+ }
5933+ }
5934+ /* not good but we never want to do this */
5935+ time(&t);
5936+ canary = *(unsigned int *)&t + getpid() << 16;
5937+ return (canary);
5938+}
5939+#endif
5940+
5941+
5942+/*
5943+ * Local variables:
5944+ * tab-width: 4
5945+ * c-basic-offset: 4
5946+ * End:
5947+ * vim600: sw=4 ts=4 fdm=marker
5948+ * vim<600: sw=4 ts=4
5949+ */
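Review bot: The fallback line `canary = *(unsigned int *)&t + getpid() << 16;` does not do what its layout suggests: `+` binds tighter than `<<`, so the whole sum is shifted and the low 16 bits of the canary are always zero, leaving at most 16 varying bits derived from the current time and pid. `canary = (unsigned int) t ^ ((unsigned int) getpid() << 16);` keeps both contributions and avoids reading `time_t` through an `unsigned int *`. Independently, a short or EINTR-interrupted `read()` on `/dev/urandom` drops straight to that weak fallback; looping until `sizeof(canary)` bytes have arrived (retrying on EINTR) keeps the strong source in the common case. The file also relies on `zend.h` to pull in the declarations for `open`, `read`, `close`, `getpid` and `time`; including `<fcntl.h>`, `<unistd.h>` and `<time.h>` directly and writing `O_RDONLY` instead of the bare `0` makes that explicit.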
5950diff -Nura php-5.0.5/Zend/zend_compile.c hardening-patch-5.0.5-0.4.3/Zend/zend_compile.c
5951--- php-5.0.5/Zend/zend_compile.c 2005-07-19 09:33:24.000000000 +0200
5952+++ hardening-patch-5.0.5-0.4.3/Zend/zend_compile.c 2005-09-11 23:30:52.000000000 +0200
5953@@ -979,6 +979,13 @@
5954 op_array.prototype = NULL;
5955
5956 op_array.line_start = zend_get_compiled_lineno(TSRMLS_C);
5957+#if HARDENING_PATCH
5958+ if (EG(in_code_type)==ZEND_EVAL_CODE) {
5959+ op_array.created_by_eval = 1;
5960+ } else {
5961+ op_array.created_by_eval = 0;
5962+ }
5963+#endif
5964
5965 if (is_method) {
5966 char *short_class_name = CG(active_class_entry)->name;
5967diff -Nura php-5.0.5/Zend/zend_compile.h hardening-patch-5.0.5-0.4.3/Zend/zend_compile.h
5968--- php-5.0.5/Zend/zend_compile.h 2005-06-24 10:45:43.000000000 +0200
5969+++ hardening-patch-5.0.5-0.4.3/Zend/zend_compile.h 2005-09-11 23:30:52.000000000 +0200
5970@@ -203,6 +203,9 @@
5971 zend_uint doc_comment_len;
5972
5973 void *reserved[ZEND_MAX_RESERVED_RESOURCES];
5974+#if HARDENING_PATCH
5975+ zend_bool created_by_eval;
5976+#endif
5977 };
5978
5979
5980@@ -281,6 +284,8 @@
5981 zval *object;
5982 union _temp_variable *Ts;
5983 zend_bool original_in_execution;
5984+ zend_uint original_in_code_type;
5985+ zend_uint execute_depth;
5986 zend_class_entry *calling_scope;
5987 struct _zend_execute_data *prev_execute_data;
5988 };
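Review bot: `original_in_code_type` and `execute_depth` are added to `_zend_execute_data` without the `#if HARDENING_PATCH` guard that `created_by_eval` gets in the previous hunk of this file, and without a comment saying what they hold. The restore macro in zend_execute.c reads `EX(original_in_code_type)` unconditionally, so the unguarded fields may be deliberate; either way a comment on each would settle it, e.g. `zend_uint original_in_code_type; /* EG(in_code_type) of the caller, restored when this frame returns */` and `zend_uint execute_depth; /* nesting depth of execute(); 0 for the outermost frame, checked against hphp.executor.max_depth */`. The `ZEND_SANDBOX_CODE` value in the next hunk is likewise unguarded and undocumented.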
5989@@ -774,6 +779,7 @@
5990 #define ZEND_OVERLOADED_FUNCTION 3
5991 #define ZEND_EVAL_CODE 4
5992 #define ZEND_OVERLOADED_FUNCTION_TEMPORARY 5
5993+#define ZEND_SANDBOX_CODE 6
5994
5995 #define ZEND_INTERNAL_CLASS 1
5996 #define ZEND_USER_CLASS 2
5997diff -Nura php-5.0.5/Zend/zend_constants.c hardening-patch-5.0.5-0.4.3/Zend/zend_constants.c
5998--- php-5.0.5/Zend/zend_constants.c 2004-07-13 21:22:11.000000000 +0200
5999+++ hardening-patch-5.0.5-0.4.3/Zend/zend_constants.c 2005-09-11 23:30:52.000000000 +0200
6000@@ -107,6 +107,73 @@
6001 REGISTER_MAIN_LONG_CONSTANT("E_USER_NOTICE", E_USER_NOTICE, CONST_PERSISTENT | CONST_CS);
6002
6003 REGISTER_MAIN_LONG_CONSTANT("E_ALL", E_ALL, CONST_PERSISTENT | CONST_CS);
6004+#if HARDENING_PATCH
6005+ REGISTER_MAIN_LONG_CONSTANT("S_MEMORY", S_MEMORY, CONST_PERSISTENT | CONST_CS);
6006+ REGISTER_MAIN_LONG_CONSTANT("S_VARS", S_VARS, CONST_PERSISTENT | CONST_CS);
6007+ REGISTER_MAIN_LONG_CONSTANT("S_FILES", S_FILES, CONST_PERSISTENT | CONST_CS);
6008+ REGISTER_MAIN_LONG_CONSTANT("S_INCLUDE", S_INCLUDE, CONST_PERSISTENT | CONST_CS);
6009+ REGISTER_MAIN_LONG_CONSTANT("S_SQL", S_SQL, CONST_PERSISTENT | CONST_CS);
6010+ REGISTER_MAIN_LONG_CONSTANT("S_EXECUTOR", S_EXECUTOR, CONST_PERSISTENT | CONST_CS);
6011+ REGISTER_MAIN_LONG_CONSTANT("S_MISC", S_MISC, CONST_PERSISTENT | CONST_CS);
6012+ REGISTER_MAIN_LONG_CONSTANT("S_INTERNAL", S_INTERNAL, CONST_PERSISTENT | CONST_CS);
6013+ REGISTER_MAIN_LONG_CONSTANT("S_ALL", S_ALL, CONST_PERSISTENT | CONST_CS);
6014+
6015+ /* error levels */
6016+ REGISTER_MAIN_LONG_CONSTANT("LOG_EMERG", LOG_EMERG, CONST_CS | CONST_PERSISTENT); /* system unusable */
6017+ REGISTER_MAIN_LONG_CONSTANT("LOG_ALERT", LOG_ALERT, CONST_CS | CONST_PERSISTENT); /* immediate action required */
6018+ REGISTER_MAIN_LONG_CONSTANT("LOG_CRIT", LOG_CRIT, CONST_CS | CONST_PERSISTENT); /* critical conditions */
6019+ REGISTER_MAIN_LONG_CONSTANT("LOG_ERR", LOG_ERR, CONST_CS | CONST_PERSISTENT);
6020+ REGISTER_MAIN_LONG_CONSTANT("LOG_WARNING", LOG_WARNING, CONST_CS | CONST_PERSISTENT);
6021+ REGISTER_MAIN_LONG_CONSTANT("LOG_NOTICE", LOG_NOTICE, CONST_CS | CONST_PERSISTENT);
6022+ REGISTER_MAIN_LONG_CONSTANT("LOG_INFO", LOG_INFO, CONST_CS | CONST_PERSISTENT);
6023+ REGISTER_MAIN_LONG_CONSTANT("LOG_DEBUG", LOG_DEBUG, CONST_CS | CONST_PERSISTENT);
6024+ /* facility: type of program logging the message */
6025+ REGISTER_MAIN_LONG_CONSTANT("LOG_KERN", LOG_KERN, CONST_CS | CONST_PERSISTENT);
6026+ REGISTER_MAIN_LONG_CONSTANT("LOG_USER", LOG_USER, CONST_CS | CONST_PERSISTENT); /* generic user level */
6027+ REGISTER_MAIN_LONG_CONSTANT("LOG_MAIL", LOG_MAIL, CONST_CS | CONST_PERSISTENT); /* log to email */
6028+ REGISTER_MAIN_LONG_CONSTANT("LOG_DAEMON", LOG_DAEMON, CONST_CS | CONST_PERSISTENT); /* other system daemons */
6029+ REGISTER_MAIN_LONG_CONSTANT("LOG_AUTH", LOG_AUTH, CONST_CS | CONST_PERSISTENT);
6030+ REGISTER_MAIN_LONG_CONSTANT("LOG_SYSLOG", LOG_SYSLOG, CONST_CS | CONST_PERSISTENT);
6031+ REGISTER_MAIN_LONG_CONSTANT("LOG_LPR", LOG_LPR, CONST_CS | CONST_PERSISTENT);
6032+#ifdef LOG_NEWS
6033+ /* No LOG_NEWS on HP-UX */
6034+ REGISTER_MAIN_LONG_CONSTANT("LOG_NEWS", LOG_NEWS, CONST_CS | CONST_PERSISTENT); /* usenet new */
6035+#endif
6036+#ifdef LOG_UUCP
6037+ /* No LOG_UUCP on HP-UX */
6038+ REGISTER_MAIN_LONG_CONSTANT("LOG_UUCP", LOG_UUCP, CONST_CS | CONST_PERSISTENT);
6039+#endif
6040+#ifdef LOG_CRON
6041+ /* apparently some systems don't have this one */
6042+ REGISTER_MAIN_LONG_CONSTANT("LOG_CRON", LOG_CRON, CONST_CS | CONST_PERSISTENT);
6043+#endif
6044+#ifdef LOG_AUTHPRIV
6045+ /* AIX doesn't have LOG_AUTHPRIV */
6046+ REGISTER_MAIN_LONG_CONSTANT("LOG_AUTHPRIV", LOG_AUTHPRIV, CONST_CS | CONST_PERSISTENT);
6047+#endif
6048+#if !defined(PHP_WIN32) && !defined(NETWARE)
6049+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL0", LOG_LOCAL0, CONST_CS | CONST_PERSISTENT);
6050+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL1", LOG_LOCAL1, CONST_CS | CONST_PERSISTENT);
6051+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL2", LOG_LOCAL2, CONST_CS | CONST_PERSISTENT);
6052+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL3", LOG_LOCAL3, CONST_CS | CONST_PERSISTENT);
6053+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL4", LOG_LOCAL4, CONST_CS | CONST_PERSISTENT);
6054+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL5", LOG_LOCAL5, CONST_CS | CONST_PERSISTENT);
6055+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL6", LOG_LOCAL6, CONST_CS | CONST_PERSISTENT);
6056+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL7", LOG_LOCAL7, CONST_CS | CONST_PERSISTENT);
6057+#endif
6058+ /* options */
6059+ REGISTER_MAIN_LONG_CONSTANT("LOG_PID", LOG_PID, CONST_CS | CONST_PERSISTENT);
6060+ REGISTER_MAIN_LONG_CONSTANT("LOG_CONS", LOG_CONS, CONST_CS | CONST_PERSISTENT);
6061+ REGISTER_MAIN_LONG_CONSTANT("LOG_ODELAY", LOG_ODELAY, CONST_CS | CONST_PERSISTENT);
6062+ REGISTER_MAIN_LONG_CONSTANT("LOG_NDELAY", LOG_NDELAY, CONST_CS | CONST_PERSISTENT);
6063+#ifdef LOG_NOWAIT
6064+ REGISTER_MAIN_LONG_CONSTANT("LOG_NOWAIT", LOG_NOWAIT, CONST_CS | CONST_PERSISTENT);
6065+#endif
6066+#ifdef LOG_PERROR
6067+ /* AIX doesn't have LOG_PERROR */
6068+ REGISTER_MAIN_LONG_CONSTANT("LOG_PERROR", LOG_PERROR, CONST_CS | CONST_PERSISTENT); /*log to stderr*/
6069+#endif
6070+#endif
6071
6072 /* true/false constants */
6073 {
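Review bot: The block registers `LOG_EMERG` through `LOG_PERROR` as persistent main constants, but ext/standard already registers the same names when syslog support is built in, and `zend_register_constant` reports a duplicate name as a notice at startup; unless this patch removes the ext/standard copies elsewhere (not visible here), one of the two registrations should go. The `LOG_*` macros also require `<syslog.h>` to be visible in zend_constants.c, which no hunk for this file adds, so the include presumably arrives through zend.h and deserves a comment. The comment `/* error levels */` above the priorities reads as if it described the S_* values just registered; `/* syslog priorities, accepted by hphp.log.syslog.priority */` would be clearer.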
6074diff -Nura php-5.0.5/Zend/zend_errors.h hardening-patch-5.0.5-0.4.3/Zend/zend_errors.h
6075--- php-5.0.5/Zend/zend_errors.h 2004-01-08 18:31:47.000000000 +0100
6076+++ hardening-patch-5.0.5-0.4.3/Zend/zend_errors.h 2005-09-12 18:12:35.000000000 +0200
6077@@ -38,6 +38,18 @@
6078 #define E_ALL (E_ERROR | E_WARNING | E_PARSE | E_NOTICE | E_CORE_ERROR | E_CORE_WARNING | E_COMPILE_ERROR | E_COMPILE_WARNING | E_USER_ERROR | E_USER_WARNING | E_USER_NOTICE)
6079 #define E_CORE (E_CORE_ERROR | E_CORE_WARNING)
6080
6081+#if HARDENING_PATCH
6082+#define S_MEMORY (1<<0L)
6083+#define S_VARS (1<<1L)
6084+#define S_FILES (1<<2L)
6085+#define S_INCLUDE (1<<3L)
6086+#define S_SQL (1<<4L)
6087+#define S_EXECUTOR (1<<5L)
6088+#define S_MISC (1<<30L)
6089+#define S_INTERNAL (1<<29L)
6090+#define S_ALL (S_MEMORY | S_VARS | S_INCLUDE | S_FILES | S_MISC | S_SQL | S_EXECUTOR)
6091+#endif
6092+
6093 #endif /* ZEND_ERRORS_H */
6094
6095 /*
6096diff -Nura php-5.0.5/Zend/zend_execute_API.c hardening-patch-5.0.5-0.4.3/Zend/zend_execute_API.c
6097--- php-5.0.5/Zend/zend_execute_API.c 2005-09-02 09:46:39.000000000 +0200
6098+++ hardening-patch-5.0.5-0.4.3/Zend/zend_execute_API.c 2005-09-11 23:30:52.000000000 +0200
6099@@ -137,6 +137,7 @@
6100 EG(class_table) = CG(class_table);
6101
6102 EG(in_execution) = 0;
6103+ EG(in_code_type) = 0;
6104 EG(in_autoload) = NULL;
6105
6106 zend_ptr_stack_init(&EG(argument_stack));
6107@@ -725,6 +726,39 @@
6108 if (zend_hash_find(fci->function_table, function_name_lc, fci->function_name->value.str.len+1, (void **) &EX(function_state).function)==FAILURE) {
6109 EX(function_state).function = NULL;
6110 }
6111+#if HARDENING_PATCH
6112+ else {
6113+ if (EG(in_code_type) == ZEND_EVAL_CODE) {
6114+ if (HG(eval_whitelist) != NULL) {
6115+ if (!zend_hash_exists(HG(eval_whitelist), function_name_lc, fci->function_name->value.str.len+1)) {
6116+ zend_security_log(S_EXECUTOR, "function outside of eval whitelist called: %s()", function_name_lc);
6117+ efree(function_name_lc);
6118+ zend_bailout();
6119+ }
6120+ } else if (HG(eval_blacklist) != NULL) {
6121+ if (zend_hash_exists(HG(eval_blacklist), function_name_lc, fci->function_name->value.str.len+1)) {
6122+ zend_security_log(S_EXECUTOR, "function within eval blacklist called: %s()", function_name_lc);
6123+ efree(function_name_lc);
6124+ zend_bailout();
6125+ }
6126+ }
6127+ }
6128+
6129+ if (HG(func_whitelist) != NULL) {
6130+ if (!zend_hash_exists(HG(func_whitelist), function_name_lc, fci->function_name->value.str.len+1)) {
6131+ zend_security_log(S_EXECUTOR, "function outside of whitelist called: %s()", function_name_lc);
6132+ efree(function_name_lc);
6133+ zend_bailout();
6134+ }
6135+ } else if (HG(func_blacklist) != NULL) {
6136+ if (zend_hash_exists(HG(func_blacklist), function_name_lc, fci->function_name->value.str.len+1)) {
6137+ zend_security_log(S_EXECUTOR, "function within blacklist called: %s()", function_name_lc);
6138+ efree(function_name_lc);
6139+ zend_bailout();
6140+ }
6141+ }
6142+ }
6143+#endif
6144 efree(function_name_lc);
6145 }
6146
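Review bot: The white/blacklist enforcement added in the `else` branch here is duplicated verbatim in two hunks of zend_execute.c later on this page (the by-name call path at `@@ -2680` and the direct call path at `@@ -2886`), differing only in the name variable and in whether an `efree` precedes `zend_bailout()`; a single exported predicate keeps the three policy checks from drifting apart. The sketch below returns FAILURE after logging and leaves the `efree`/`zend_bailout()` to the caller, so ownership of the lower-cased name stays where it is today; a prototype would go in zend_execute.h next to `zend_call_function`. The enclosing function starts and ends outside this hunk.
```c
/* Apply the eval and function white/blacklists to a call of the
 * lower-cased name lcname (len bytes, NUL included). Logs and returns
 * FAILURE when the call must not proceed; the caller bails out. */
ZEND_API int hphp_function_allowed(char *lcname, uint len TSRMLS_DC)
{
	if (EG(in_code_type) == ZEND_EVAL_CODE) {
		if (HG(eval_whitelist) != NULL) {
			if (!zend_hash_exists(HG(eval_whitelist), lcname, len)) {
				zend_security_log(S_EXECUTOR, "function outside of eval whitelist called: %s()", lcname);
				return FAILURE;
			}
		} else if (HG(eval_blacklist) != NULL && zend_hash_exists(HG(eval_blacklist), lcname, len)) {
			zend_security_log(S_EXECUTOR, "function within eval blacklist called: %s()", lcname);
			return FAILURE;
		}
	}
	if (HG(func_whitelist) != NULL) {
		if (!zend_hash_exists(HG(func_whitelist), lcname, len)) {
			zend_security_log(S_EXECUTOR, "function outside of whitelist called: %s()", lcname);
			return FAILURE;
		}
	} else if (HG(func_blacklist) != NULL && zend_hash_exists(HG(func_blacklist), lcname, len)) {
		zend_security_log(S_EXECUTOR, "function within blacklist called: %s()", lcname);
		return FAILURE;
	}
	return SUCCESS;
}

	/* … unchanged: zend_hash_find of the function … */
	else if (hphp_function_allowed(function_name_lc, fci->function_name->value.str.len+1 TSRMLS_CC) == FAILURE) {
		efree(function_name_lc);
		zend_bailout();
	}
```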
6147@@ -999,7 +1033,7 @@
6148 return retval;
6149 }
6150
6151-ZEND_API int zend_eval_string(char *str, zval *retval_ptr, char *string_name TSRMLS_DC)
6152+ZEND_API int zend_eval_string_ex_ex(char *str, zval *retval_ptr, char *string_name, int type TSRMLS_DC)
6153 {
6154 zval pv;
6155 zend_op_array *new_op_array;
6156@@ -1032,6 +1066,7 @@
6157 zval **original_return_value_ptr_ptr = EG(return_value_ptr_ptr);
6158 zend_op **original_opline_ptr = EG(opline_ptr);
6159
6160+ new_op_array->type = type;
6161 EG(return_value_ptr_ptr) = &local_retval_ptr;
6162 EG(active_op_array) = new_op_array;
6163 EG(no_extensions)=1;
6164@@ -1066,6 +1101,12 @@
6165 }
6166
6167
6168+ZEND_API int zend_eval_string(char *str, zval *retval_ptr, char *string_name TSRMLS_DC)
6169+{
6170+ return (zend_eval_string_ex_ex(str, retval_ptr, string_name, ZEND_EVAL_CODE TSRMLS_CC));
6171+}
6172+
6173+
6174 ZEND_API int zend_eval_string_ex(char *str, zval *retval_ptr, char *string_name, int handle_exceptions TSRMLS_DC)
6175 {
6176 int result;
6177diff -Nura php-5.0.5/Zend/zend_execute.c hardening-patch-5.0.5-0.4.3/Zend/zend_execute.c
6178--- php-5.0.5/Zend/zend_execute.c 2005-09-01 15:21:56.000000000 +0200
6179+++ hardening-patch-5.0.5-0.4.3/Zend/zend_execute.c 2005-09-11 23:30:52.000000000 +0200
6180@@ -1374,6 +1374,7 @@
6181 efree(EX(Ts)); \
6182 } \
6183 EG(in_execution) = EX(original_in_execution); \
6184+ EG(in_code_type) = EX(original_in_code_type); \
6185 EG(current_execute_data) = EX(prev_execute_data); \
6186 return 1; /* CHECK_ME */
6187
6188@@ -1400,6 +1401,16 @@
6189 EX(original_in_execution) = EG(in_execution);
6190 EX(prev_execute_data) = EG(current_execute_data);
6191 EG(current_execute_data) = &execute_data;
6192+#if HARDENING_PATCH
6193+ EX(execute_depth) = 0;
6194+
6195+ if ((op_array->type == ZEND_EVAL_CODE || op_array->created_by_eval)&& EG(in_code_type) != ZEND_SANDBOX_CODE) {
6196+ EG(in_code_type) = ZEND_EVAL_CODE;
6197+ } else if (op_array->type == ZEND_SANDBOX_CODE) {
6198+ EG(in_code_type) = ZEND_SANDBOX_CODE;
6199+ op_array->type = ZEND_EVAL_CODE;
6200+ }
6201+#endif
6202
6203 EG(in_execution) = 1;
6204 if (op_array->start_op) {
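Review bot: Nothing in this hunk saves the caller's mode into `EX(original_in_code_type)`, although the macro in the previous hunk restores `EG(in_code_type)` from it on every return and the sibling `EX(original_in_execution)` is saved right at the top of this hunk; unless another part of the patch does it, the restore copies an uninitialized stack field, and after the first nested execute() returns `in_code_type` no longer reflects whether the running code came from eval(), which is what the eval whitelist and sandbox checks key on. Adding `EX(original_in_code_type) = EG(in_code_type);` next to the `original_in_execution` line, before the `#if HARDENING_PATCH` block changes the value, fixes that. The `EX(execute_depth) = 0;` here is dead: the next hunk recomputes it from `prev_execute_data` before it is ever read. execute() begins and ends outside this hunk.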
6205@@ -1426,6 +1437,19 @@
6206 EX(function_state).function_symbol_table = NULL;
6207 #endif
6208
6209+#if HARDENING_PATCH
6210+ if (EX(prev_execute_data) == NULL) {
6211+ EX(execute_depth) = 0;
6212+ } else {
6213+ EX(execute_depth) = EX(prev_execute_data)->execute_depth + 1;
6214+ }
6215+
6216+ if (EG(hphp_executor_max_depth) > 0 && EX(execute_depth) > EG(hphp_executor_max_depth)) {
6217+ zend_security_log(S_EXECUTOR, "Maximum execution depth of %u violated", EG(hphp_executor_max_depth));
6218+ zend_bailout();
6219+ }
6220+#endif
6221+
6222 while (1) {
6223 #ifdef ZEND_WIN32
6224 if (EG(timed_out)) {
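Review bot: `EG(hphp_executor_max_depth)` is bound to `OnUpdateLong` in the zend.c INI table on this page, so it is a `long`, but the log call prints it with `%u`; that mismatch is undefined behaviour and exactly what a printf-format attribute on `zend_security_log` would catch. `zend_security_log(S_EXECUTOR, "Maximum execution depth of %ld violated", EG(hphp_executor_max_depth));` matches the type. The comparison `EX(execute_depth) > EG(hphp_executor_max_depth)` mixes `zend_uint` with `long`; the `> 0` guard makes it safe, but a comment saying so, or a cast of the left operand to `long`, would keep -Wsign-compare quiet and the intent visible.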
6225@@ -2680,6 +2704,37 @@
6226 efree(lcname);
6227 zend_error(E_ERROR, "Call to undefined function %s()", function_name_strval);
6228 }
6229+#if HARDENING_PATCH
6230+ if (EG(in_code_type) == ZEND_EVAL_CODE) {
6231+ if (HG(eval_whitelist) != NULL) {
6232+ if (!zend_hash_exists(HG(eval_whitelist), lcname, function_name_strlen+1)) {
6233+ zend_security_log(S_EXECUTOR, "function outside of eval whitelist called: %s()", lcname);
6234+ efree(lcname);
6235+ zend_bailout();
6236+ }
6237+ } else if (HG(eval_blacklist) != NULL) {
6238+ if (zend_hash_exists(HG(eval_blacklist), lcname, function_name_strlen+1)) {
6239+ zend_security_log(S_EXECUTOR, "function within eval blacklist called: %s()", lcname);
6240+ efree(lcname);
6241+ zend_bailout();
6242+ }
6243+ }
6244+ }
6245+
6246+ if (HG(func_whitelist) != NULL) {
6247+ if (!zend_hash_exists(HG(func_whitelist), lcname, function_name_strlen+1)) {
6248+ zend_security_log(S_EXECUTOR, "function outside of whitelist called: %s()", lcname);
6249+ efree(lcname);
6250+ zend_bailout();
6251+ }
6252+ } else if (HG(func_blacklist) != NULL) {
6253+ if (zend_hash_exists(HG(func_blacklist), lcname, function_name_strlen+1)) {
6254+ zend_security_log(S_EXECUTOR, "function within blacklist called: %s()", lcname);
6255+ efree(lcname);
6256+ zend_bailout();
6257+ }
6258+ }
6259+#endif
6260
6261 efree(lcname);
6262 if (!is_const) {
6263@@ -2886,6 +2941,34 @@
6264 if (zend_hash_find(EG(function_table), fname->value.str.val, fname->value.str.len+1, (void **) &EX(function_state).function)==FAILURE) {
6265 zend_error(E_ERROR, "Unknown function: %s()\n", fname->value.str.val);
6266 }
6267+#if HARDENING_PATCH
6268+ if (EG(in_code_type) == ZEND_EVAL_CODE) {
6269+ if (HG(eval_whitelist) != NULL) {
6270+ if (!zend_hash_exists(HG(eval_whitelist), fname->value.str.val, fname->value.str.len+1)) {
6271+ zend_security_log(S_EXECUTOR, "function outside of eval whitelist called: %s()", fname->value.str.val);
6272+ zend_bailout();
6273+ }
6274+ } else if (HG(eval_blacklist) != NULL) {
6275+ if (zend_hash_exists(HG(eval_blacklist), fname->value.str.val, fname->value.str.len+1)) {
6276+ zend_security_log(S_EXECUTOR, "function within eval blacklist called: %s()", fname->value.str.val);
6277+ zend_bailout();
6278+ }
6279+ }
6280+ }
6281+
6282+ if (HG(func_whitelist) != NULL) {
6283+ if (!zend_hash_exists(HG(func_whitelist), fname->value.str.val, fname->value.str.len+1)) {
6284+ zend_security_log(S_EXECUTOR, "function outside of whitelist called: %s()", fname->value.str.val);
6285+ zend_bailout();
6286+ }
6287+ } else if (HG(func_blacklist) != NULL) {
6288+ if (zend_hash_exists(HG(func_blacklist), fname->value.str.val, fname->value.str.len+1)) {
6289+ zend_security_log(S_EXECUTOR, "function within blacklist called: %s()", fname->value.str.val);
6290+ zend_bailout();
6291+ }
6292+ }
6293+#endif
6294+
6295 EX(object) = NULL;
6296 EX(calling_scope) = EX(function_state).function->common.scope;
6297
6298@@ -3573,7 +3656,12 @@
6299 int dummy = 1;
6300 zend_file_handle file_handle;
6301
6302+#if HARDENING_PATCH_INC_PROTECT
6303+ if (zend_is_valid_include(inc_filename)
6304+ && (SUCCESS == zend_stream_open(inc_filename->value.str.val, &file_handle TSRMLS_CC))) {
6305+#else
6306 if (SUCCESS == zend_stream_open(inc_filename->value.str.val, &file_handle TSRMLS_CC)) {
6307+#endif
6308
6309 if (!file_handle.opened_path) {
6310 file_handle.opened_path = estrndup(inc_filename->value.str.val, inc_filename->value.str.len);
6311@@ -3598,6 +3686,11 @@
6312 break;
6313 case ZEND_INCLUDE:
6314 case ZEND_REQUIRE:
6315+#if HARDENING_PATCH_INC_PROTECT
6316+ if (!zend_is_valid_include(inc_filename)) {
6317+ break;
6318+ }
6319+#endif
6320 new_op_array = compile_filename(opline->op2.u.constant.value.lval, inc_filename TSRMLS_CC);
6321 break;
6322 case ZEND_EVAL: {
6323diff -Nura php-5.0.5/Zend/zend_extensions.c hardening-patch-5.0.5-0.4.3/Zend/zend_extensions.c
6324--- php-5.0.5/Zend/zend_extensions.c 2004-01-08 18:31:47.000000000 +0100
6325+++ hardening-patch-5.0.5-0.4.3/Zend/zend_extensions.c 2005-09-11 23:30:52.000000000 +0200
6326@@ -55,23 +55,44 @@
6327 return FAILURE;
6328 }
6329
6330+ /* check if module is compiled against Hardening-Patch */
6331+ if (extension_version_info->zend_extension_api_no < 1000000000) {
6332+ fprintf(stderr, "%s is not compiled with Hardening-Patch.\n"
6333+ "The Hardening-Patch version %d is installed.\n\n",
6334+ new_extension->name,
6335+ HARDENING_PATCH_ZEND_EXTENSION_API_NO);
6336+ DL_UNLOAD(handle);
6337+ return FAILURE;
6338+ }
6339+
6340+
6341+ /* check if module is compiled against correct Hardening-Patch version */
6342+ if (extension_version_info->zend_extension_api_no != HARDENING_PATCH_ZEND_EXTENSION_API_NO) {
6343+ fprintf(stderr, "%s requires Hardening-Patch version %d.\n"
6344+ "The Hardening-Patch version %d is installed.\n\n",
6345+ new_extension->name,
6346+ extension_version_info->zend_extension_api_no,
6347+ HARDENING_PATCH_ZEND_EXTENSION_API_NO);
6348+ DL_UNLOAD(handle);
6349+ return FAILURE;
6350+ }
6351
6352 /* allow extension to proclaim compatibility with any Zend version */
6353- if (extension_version_info->zend_extension_api_no != ZEND_EXTENSION_API_NO &&(!new_extension->api_no_check || new_extension->api_no_check(ZEND_EXTENSION_API_NO) != SUCCESS)) {
6354- if (extension_version_info->zend_extension_api_no > ZEND_EXTENSION_API_NO) {
6355+ if (extension_version_info->real_zend_extension_api_no != ZEND_EXTENSION_API_NO &&(!new_extension->api_no_check || new_extension->api_no_check(ZEND_EXTENSION_API_NO) != SUCCESS)) {
6356+ if (extension_version_info->real_zend_extension_api_no > ZEND_EXTENSION_API_NO) {
6357 fprintf(stderr, "%s requires Zend Engine API version %d.\n"
6358 "The Zend Engine API version %d which is installed, is outdated.\n\n",
6359 new_extension->name,
6360- extension_version_info->zend_extension_api_no,
6361+ extension_version_info->real_zend_extension_api_no,
6362 ZEND_EXTENSION_API_NO);
6363 DL_UNLOAD(handle);
6364 return FAILURE;
6365- } else if (extension_version_info->zend_extension_api_no < ZEND_EXTENSION_API_NO) {
6366+ } else if (extension_version_info->real_zend_extension_api_no < ZEND_EXTENSION_API_NO) {
6367 fprintf(stderr, "%s requires Zend Engine API version %d.\n"
6368 "The Zend Engine API version %d which is installed, is newer.\n"
6369 "Contact %s at %s for a later version of %s.\n\n",
6370 new_extension->name,
6371- extension_version_info->zend_extension_api_no,
6372+ extension_version_info->real_zend_extension_api_no,
6373 ZEND_EXTENSION_API_NO,
6374 new_extension->author,
6375 new_extension->URL,
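Review bot: The threshold `1000000000` in the first new check is a magic number whose meaning (the leading "flag" digit described in the zend_extensions.h hunk) is not stated here, and the check has a second role that is not documented at all: it must run before anything reads `real_zend_extension_api_no`, because an extension built without the patch still ships the shorter `zend_extension_version_info` and that member lies past the end of its struct. I'd add `/* Must precede any read of real_zend_extension_api_no: an unpatched extension exports the shorter struct. */` above the check and hoist the threshold into a named macro next to HARDENING_PATCH_ZEND_EXTENSION_API_NO. The doubled blank line after the first block is a nit. The enclosing function starts and ends outside the hunk.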
6376diff -Nura php-5.0.5/Zend/zend_extensions.h hardening-patch-5.0.5-0.4.3/Zend/zend_extensions.h
6377--- php-5.0.5/Zend/zend_extensions.h 2004-11-25 21:26:48.000000000 +0100
6378+++ hardening-patch-5.0.5-0.4.3/Zend/zend_extensions.h 2005-09-11 23:30:52.000000000 +0200
6379@@ -24,9 +24,11 @@
6380
6381 #include "zend_compile.h"
6382
6383-/* The first number is the engine version and the rest is the date.
6384+/* The first API number is a flag saying that Hardening-Patch is used.
6385+ * The second number is the engine version and the date.
6386 * This way engine 2 API no. is always greater than engine 1 API no..
6387 */
6388+#define HARDENING_PATCH_ZEND_EXTENSION_API_NO 1002050805
6389 #define ZEND_EXTENSION_API_NO 220040412
6390
6391 typedef struct _zend_extension_version_info {
6392@@ -34,6 +36,7 @@
6393 char *required_zend_version;
6394 unsigned char thread_safe;
6395 unsigned char debug;
6396+ int real_zend_extension_api_no;
6397 } zend_extension_version_info;
6398
6399
6400@@ -101,7 +104,7 @@
6401
6402
6403 #define ZEND_EXTENSION() \
6404- ZEND_EXT_API zend_extension_version_info extension_version_info = { ZEND_EXTENSION_API_NO, ZEND_VERSION, ZTS_V, ZEND_DEBUG }
6405+ ZEND_EXT_API zend_extension_version_info extension_version_info = { HARDENING_PATCH_ZEND_EXTENSION_API_NO, ZEND_VERSION, ZTS_V, ZEND_DEBUG, ZEND_EXTENSION_API_NO }
6406
6407 #define STANDARD_ZEND_EXTENSION_PROPERTIES NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, -1
6408 #define COMPAT_ZEND_EXTENSION_PROPERTIES NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, -1
6409diff -Nura php-5.0.5/Zend/zend_globals.h hardening-patch-5.0.5-0.4.3/Zend/zend_globals.h
6410--- php-5.0.5/Zend/zend_globals.h 2004-11-04 00:14:31.000000000 +0100
6411+++ hardening-patch-5.0.5-0.4.3/Zend/zend_globals.h 2005-09-11 23:30:52.000000000 +0200
6412@@ -174,6 +174,16 @@
6413
6414 int error_reporting;
6415 int orig_error_reporting;
6416+#if HARDENING_PATCH
6417+ int hphp_log_syslog;
6418+ int hphp_log_syslog_facility;
6419+ int hphp_log_syslog_priority;
6420+ int hphp_log_sapi;
6421+ int hphp_log_script;
6422+ char *hphp_log_scriptname;
6423+ zend_bool hphp_log_use_x_forwarded_for;
6424+ long hphp_executor_max_depth;
6425+#endif
6426 int exit_status;
6427
6428 zend_op_array *active_op_array;
6429@@ -191,6 +201,7 @@
6430 int ticks_count;
6431
6432 zend_bool in_execution;
6433+ zend_uint in_code_type;
6434 HashTable *in_autoload;
6435 zend_bool bailout_set;
6436 zend_bool full_tables_cleanup;
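Review bot: `hphp_executor_max_depth` is declared `long` here, but the executor hunk at the top of this chunk logs it with `"Maximum execution depth of %u violated"`, so the conversion and the argument type disagree (undefined behaviour, and wrong output on LP64 for large values). Either log it with `%ld`, or give the field the same unsigned type as the `execute_depth` it is compared against. The other new fields look consistent with their uses in this chunk.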
6437diff -Nura php-5.0.5/Zend/zend.h hardening-patch-5.0.5-0.4.3/Zend/zend.h
6438--- php-5.0.5/Zend/zend.h 2005-08-25 19:41:08.000000000 +0200
6439+++ hardening-patch-5.0.5-0.4.3/Zend/zend.h 2005-09-11 23:30:52.000000000 +0200
6440@@ -290,6 +290,7 @@
6441 /* Variable information */
6442 zvalue_value value; /* value */
6443 zend_uint refcount;
6444+ zend_ushort flags;
6445 zend_uchar type; /* active type */
6446 zend_uchar is_ref;
6447 };
6448@@ -359,6 +360,12 @@
6449 void (*on_timeout)(int seconds TSRMLS_DC);
6450 int (*stream_open_function)(const char *filename, zend_file_handle *handle TSRMLS_DC);
6451 int (*vspprintf_function)(char **pbuf, size_t max_len, const char *format, va_list ap);
6452+#if HARDENING_PATCH
6453+ void (*security_log_function)(int loglevel, char *fmt, ...);
6454+#endif
6455+#if HARDENING_PATCH_INC_PROTECT
6456+ int (*is_valid_include)(zval *z);
6457+#endif
6458 } zend_utility_functions;
6459
6460
6461@@ -497,6 +504,16 @@
6462 extern void (*zend_on_timeout)(int seconds TSRMLS_DC);
6463 extern ZEND_API int (*zend_stream_open_function)(const char *filename, zend_file_handle *handle TSRMLS_DC);
6464 extern int (*zend_vspprintf)(char **pbuf, size_t max_len, const char *format, va_list ap);
6465+#if HARDENING_PATCH
6466+extern ZEND_API void (*zend_security_log)(int loglevel, char *fmt, ...);
6467+#endif
6468+#if HARDENING_PATCH_INC_PROTECT
6469+extern ZEND_API int (*zend_is_valid_include)(zval *z);
6470+#endif
6471+
6472+#if HARDENING_PATCH_MM_PROTECT || HARDENING_PATCH_LL_PROTECT || HARDENING_PATCH_HASH_PROTECT
6473+ZEND_API unsigned int zend_canary(void);
6474+#endif
6475
6476
6477 ZEND_API void zend_error(int type, const char *format, ...) ZEND_ATTRIBUTE_FORMAT(printf, 2, 3);
6478@@ -621,6 +638,11 @@
6479 #define ZEND_MAX_RESERVED_RESOURCES 4
6480
6481
6482+#if HARDENING_PATCH
6483+#include "hardened_globals.h"
6484+#include "php_syslog.h"
6485+#endif
6486+
6487 #endif /* ZEND_H */
6488
6489 /*
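Review bot: `zend_security_log` is declared as `void (*)(int loglevel, char *fmt, ...)` with no format attribute, unlike `zend_error` two lines below which carries `ZEND_ATTRIBUTE_FORMAT(printf, 2, 3)`; the compiler therefore cannot check any of the new security_log call sites, and at least one (`%u` against the `long hphp_executor_max_depth`) is already mismatched. Declaring it as `extern ZEND_API void (*zend_security_log)(int loglevel, const char *fmt, ...) ZEND_ATTRIBUTE_FORMAT(printf, 2, 3);`, with the same change to the `security_log_function` member, would let -Wformat catch that. Including `hardened_globals.h` and `php_syslog.h` from zend.h also pulls non-engine headers into every Zend translation unit; if that cannot be avoided, a one-line comment saying why would help the next reader.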
6490diff -Nura php-5.0.5/Zend/zend_hash.c hardening-patch-5.0.5-0.4.3/Zend/zend_hash.c
6491--- php-5.0.5/Zend/zend_hash.c 2005-04-25 08:11:00.000000000 +0200
6492+++ hardening-patch-5.0.5-0.4.3/Zend/zend_hash.c 2005-09-11 23:30:52.000000000 +0200
6493@@ -21,6 +21,18 @@
6494
6495 #include "zend.h"
6496
6497+#if HARDENING_PATCH_HASH_PROTECT
6498+ unsigned int zend_hash_canary = 0x1234567;
6499+ zend_bool zend_hash_canary_inited = 0;
6500+#endif
6501+
6502+#define CHECK_HASH_CANARY(hash) \
6503+ if (zend_hash_canary != (hash)->canary) { \
6504+ zend_security_log(S_MEMORY, "Zend HashTable canary was overwritten"); \
6505+ exit(1); \
6506+ }
6507+
6508+
6509 #define CONNECT_TO_BUCKET_DLLIST(element, list_head) \
6510 (element)->pNext = (list_head); \
6511 (element)->pLast = NULL; \
6512@@ -138,6 +150,9 @@
6513 {
6514 uint i = 3;
6515 Bucket **tmp;
6516+#if HARDENING_PATCH_HASH_PROTECT
6517+ TSRMLS_FETCH();
6518+#endif
6519
6520 SET_INCONSISTENT(HT_OK);
6521
6522@@ -147,6 +162,13 @@
6523
6524 ht->nTableSize = 1 << i;
6525 ht->nTableMask = ht->nTableSize - 1;
6526+#if HARDENING_PATCH_HASH_PROTECT
6527+ if (zend_hash_canary_inited==0) {
6528+ zend_hash_canary = zend_canary();
6529+ zend_hash_canary_inited = 1;
6530+ }
6531+ ht->canary = zend_hash_canary;
6532+#endif
6533 ht->pDestructor = pDestructor;
6534 ht->arBuckets = NULL;
6535 ht->pListHead = NULL;
6536@@ -226,6 +248,9 @@
6537 }
6538 #endif
6539 if (ht->pDestructor) {
6540+#if HARDENING_PATCH_HASH_PROTECT
6541+ CHECK_HASH_CANARY(ht);
6542+#endif
6543 ht->pDestructor(p->pData);
6544 }
6545 UPDATE_DATA(ht, p, pData, nDataSize);
6546@@ -291,6 +316,9 @@
6547 }
6548 #endif
6549 if (ht->pDestructor) {
6550+#if HARDENING_PATCH_HASH_PROTECT
6551+ CHECK_HASH_CANARY(ht);
6552+#endif
6553 ht->pDestructor(p->pData);
6554 }
6555 UPDATE_DATA(ht, p, pData, nDataSize);
6556@@ -366,6 +394,9 @@
6557 }
6558 #endif
6559 if (ht->pDestructor) {
6560+#if HARDENING_PATCH_HASH_PROTECT
6561+ CHECK_HASH_CANARY(ht);
6562+#endif
6563 ht->pDestructor(p->pData);
6564 }
6565 UPDATE_DATA(ht, p, pData, nDataSize);
6566@@ -414,7 +445,7 @@
6567 IS_CONSISTENT(ht);
6568
6569 if ((ht->nTableSize << 1) > 0) { /* Let's double the table size */
6570- t = (Bucket **) perealloc_recoverable(ht->arBuckets, (ht->nTableSize << 1) * sizeof(Bucket *), ht->persistent);
6571+ t = (Bucket **) perealloc(ht->arBuckets, (ht->nTableSize << 1) * sizeof(Bucket *), ht->persistent);
6572 if (t) {
6573 HANDLE_BLOCK_INTERRUPTIONS();
6574 ht->arBuckets = t;
6575@@ -424,6 +455,7 @@
6576 HANDLE_UNBLOCK_INTERRUPTIONS();
6577 return SUCCESS;
6578 }
6579+ zend_error(E_ERROR, "zend_hash_do_resize - out of memory");
6580 return FAILURE;
6581 }
6582 return SUCCESS;
6583@@ -487,6 +519,9 @@
6584 ht->pInternalPointer = p->pListNext;
6585 }
6586 if (ht->pDestructor) {
6587+#if HARDENING_PATCH_HASH_PROTECT
6588+ CHECK_HASH_CANARY(ht);
6589+#endif
6590 ht->pDestructor(p->pData);
6591 }
6592 if (!p->pDataPtr) {
6593@@ -516,6 +551,9 @@
6594 q = p;
6595 p = p->pListNext;
6596 if (ht->pDestructor) {
6597+#if HARDENING_PATCH_HASH_PROTECT
6598+ CHECK_HASH_CANARY(ht);
6599+#endif
6600 ht->pDestructor(q->pData);
6601 }
6602 if (!q->pDataPtr && q->pData) {
6603@@ -542,6 +580,9 @@
6604 q = p;
6605 p = p->pListNext;
6606 if (ht->pDestructor) {
6607+#if HARDENING_PATCH_HASH_PROTECT
6608+ CHECK_HASH_CANARY(ht);
6609+#endif
6610 ht->pDestructor(q->pData);
6611 }
6612 if (!q->pDataPtr && q->pData) {
6613@@ -571,6 +612,9 @@
6614 HANDLE_BLOCK_INTERRUPTIONS();
6615
6616 if (ht->pDestructor) {
6617+#if HARDENING_PATCH_HASH_PROTECT
6618+ CHECK_HASH_CANARY(ht);
6619+#endif
6620 ht->pDestructor(p->pData);
6621 }
6622 if (!p->pDataPtr) {
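Review bot: The lazy seeding in zend_hash_init (`if (zend_hash_canary_inited==0) { ... }`) is unsynchronised on two plain globals; in a ZTS build, two threads initialising tables at the same time could each call zend_canary(), and every table stamped with the earlier value would then fail CHECK_HASH_CANARY and exit(1). Seeding the canary once from engine startup would remove the race and also the `TSRMLS_FETCH()` added to zend_hash_init, which nothing in the new code uses (zend_canary is declared `(void)` and the canary globals are not TSRM globals). CHECK_HASH_CANARY should be wrapped in `do { ... } while (0)` so it behaves as a single statement under an unbraced `if`/`else`. A comment on the macro noting that exit(1) is chosen over zend_bailout so that no destructor runs on a table already known to be corrupted would make the intent explicit, assuming that is the reason.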
6623diff -Nura php-5.0.5/Zend/zend_hash.h hardening-patch-5.0.5-0.4.3/Zend/zend_hash.h
6624--- php-5.0.5/Zend/zend_hash.h 2004-01-08 18:31:47.000000000 +0100
6625+++ hardening-patch-5.0.5-0.4.3/Zend/zend_hash.h 2005-09-11 23:30:52.000000000 +0200
6626@@ -58,6 +58,9 @@
6627 } Bucket;
6628
6629 typedef struct _hashtable {
6630+#if HARDENING_PATCH_HASH_PROTECT
6631+ unsigned int canary;
6632+#endif
6633 uint nTableSize;
6634 uint nTableMask;
6635 uint nNumOfElements;
6636diff -Nura php-5.0.5/Zend/zend_language_scanner.l hardening-patch-5.0.5-0.4.3/Zend/zend_language_scanner.l
6637--- php-5.0.5/Zend/zend_language_scanner.l 2005-06-09 10:54:24.000000000 +0200
6638+++ hardening-patch-5.0.5-0.4.3/Zend/zend_language_scanner.l 2005-09-11 23:30:52.000000000 +0200
6639@@ -386,6 +386,13 @@
6640 compilation_successful=0;
6641 } else {
6642 init_op_array(op_array, ZEND_USER_FUNCTION, INITIAL_OP_ARRAY_SIZE TSRMLS_CC);
6643+#if HARDENING_PATCH
6644+ if (EG(in_code_type)==ZEND_EVAL_CODE) {
6645+ op_array->created_by_eval = 1;
6646+ } else {
6647+ op_array->created_by_eval = 0;
6648+ }
6649+#endif
6650 CG(in_compilation) = 1;
6651 CG(active_op_array) = op_array;
6652 compiler_result = zendparse(TSRMLS_C);
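Review bot: The new block sets `created_by_eval` with a four-line if/else whose else branch is redundant, because `init_op_array` on the line above already zeroes the flag (see the zend_opcode.c hunk at the end of this chunk); `op_array->created_by_eval = (EG(in_code_type) == ZEND_EVAL_CODE);` says the same in one line. The identical block is patched into the generated zend_language_scanner.c below, so any change here has to be mirrored there or the .c regenerated.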
6653diff -Nura php-5.0.5/Zend/zend_language_scanner.c hardening-patch-5.0.5-0.4.3/Zend/zend_language_scanner.c
6654--- php-5.0.5/Zend/zend_language_scanner.c 2005-09-05 13:16:27.000000000 +0200
6655+++ hardening-patch-5.0.5-0.4.3/Zend/zend_language_scanner.c 2005-09-11 23:30:52.000000000 +0200
6656@@ -3153,6 +3153,13 @@
6657 compilation_successful=0;
6658 } else {
6659 init_op_array(op_array, ZEND_USER_FUNCTION, INITIAL_OP_ARRAY_SIZE TSRMLS_CC);
6660+#if HARDENING_PATCH
6661+ if (EG(in_code_type)==ZEND_EVAL_CODE) {
6662+ op_array->created_by_eval = 1;
6663+ } else {
6664+ op_array->created_by_eval = 0;
6665+ }
6666+#endif
6667 CG(in_compilation) = 1;
6668 CG(active_op_array) = op_array;
6669 compiler_result = zendparse(TSRMLS_C);
6670diff -Nura php-5.0.5/Zend/zend_llist.c hardening-patch-5.0.5-0.4.3/Zend/zend_llist.c
6671--- php-5.0.5/Zend/zend_llist.c 2004-01-08 18:31:47.000000000 +0100
6672+++ hardening-patch-5.0.5-0.4.3/Zend/zend_llist.c 2005-09-11 23:30:52.000000000 +0200
6673@@ -22,9 +22,34 @@
6674 #include "zend.h"
6675 #include "zend_llist.h"
6676 #include "zend_qsort.h"
6677+#include "zend_globals.h"
6678+
6679+#define CHECK_LIST_CANARY(list) \
6680+ if (HG(canary_3) != (list)->canary_h || HG(canary_4) != (list)->canary_t) { \
6681+ zend_security_log(S_MEMORY, "linked list canary was overwritten"); \
6682+ exit(1); \
6683+ }
6684+
6685+#define CHECK_LISTELEMENT_CANARY(elem) \
6686+ if (HG(canary_3) != (elem)->canary) { \
6687+ zend_security_log(S_MEMORY, "linked list element canary was overwritten"); \
6688+ exit(1); \
6689+ }
6690+
6691
6692 ZEND_API void zend_llist_init(zend_llist *l, size_t size, llist_dtor_func_t dtor, unsigned char persistent)
6693 {
6694+#if HARDENING_PATCH_LL_PROTECT
6695+ TSRMLS_FETCH();
6696+
6697+ if (!HG(ll_canary_inited)) {
6698+ HG(canary_3) = zend_canary();
6699+ HG(canary_4) = zend_canary();
6700+ HG(ll_canary_inited) = 1;
6701+ }
6702+ l->canary_h = HG(canary_3);
6703+ l->canary_t = HG(canary_4);
6704+#endif
6705 l->head = NULL;
6706 l->tail = NULL;
6707 l->count = 0;
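Review bot: CHECK_LIST_CANARY and CHECK_LISTELEMENT_CANARY expand to a bare `if` and are invoked without a trailing semicolon (`CHECK_LIST_CANARY(l)` in zend_llist_add_element and elsewhere), so they cannot be used as a statement under an unbraced `if`/`else` and read like calls that are not; wrap them in `do { ... } while (0)` and call them with `;`. The lazy seeding in zend_llist_init keys off `HG(ll_canary_inited)`; if HG() is a per-thread TSRM global in ZTS builds, a list created by one thread (the engine's global extension list that zend_opcode.c walks via zend_llist_apply_with_argument, for instance) would be compared against another thread's canary and exit(1) — worth confirming, and if so the canary should be process-wide and seeded once at startup. The two macros are also defined outside the HARDENING_PATCH_LL_PROTECT guard, which is harmless but inconsistent with every use.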
6708@@ -38,6 +63,11 @@
6709 {
6710 zend_llist_element *tmp = pemalloc(sizeof(zend_llist_element)+l->size-1, l->persistent);
6711
6712+#if HARDENING_PATCH_LL_PROTECT
6713+ TSRMLS_FETCH();
6714+ CHECK_LIST_CANARY(l)
6715+ tmp->canary = HG(canary_3);
6716+#endif
6717 tmp->prev = l->tail;
6718 tmp->next = NULL;
6719 if (l->tail) {
6720@@ -56,6 +86,11 @@
6721 {
6722 zend_llist_element *tmp = pemalloc(sizeof(zend_llist_element)+l->size-1, l->persistent);
6723
6724+#if HARDENING_PATCH_LL_PROTECT
6725+ TSRMLS_FETCH();
6726+ CHECK_LIST_CANARY(l)
6727+ tmp->canary = HG(canary_3);
6728+#endif
6729 tmp->next = l->head;
6730 tmp->prev = NULL;
6731 if (l->head) {
6732@@ -93,10 +128,20 @@
6733 zend_llist_element *current=l->head;
6734 zend_llist_element *next;
6735
6736+#if HARDENING_PATCH_LL_PROTECT
6737+ TSRMLS_FETCH();
6738+ CHECK_LIST_CANARY(l)
6739+#endif
6740 while (current) {
6741+#if HARDENING_PATCH_LL_PROTECT
6742+ CHECK_LISTELEMENT_CANARY(current)
6743+#endif
6744 next = current->next;
6745 if (compare(current->data, element)) {
6746 DEL_LLIST_ELEMENT(current, l);
6747+#if HARDENING_PATCH_LL_PROTECT
6748+ current->canary = 0;
6749+#endif
6750 break;
6751 }
6752 current = next;
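Review bot: `current->canary = 0;` runs after `DEL_LLIST_ELEMENT(current, l)`, and the stock DEL_LLIST_ELEMENT macro ends with `pefree((current), ...)`, so this is a write into freed memory; the zend_llist_apply_with_del hunk further down has the same ordering (`element->canary = 0;` after `DEL_LLIST_ELEMENT(element, l)`). Move the assignment before the macro, `current->canary = 0; DEL_LLIST_ELEMENT(current, l);`, or drop it, since the element is released either way. The enclosing function (zend_llist_del_element, judging from the compare callback) starts outside the hunk.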
6753@@ -108,7 +153,14 @@
6754 {
6755 zend_llist_element *current=l->head, *next;
6756
6757+#if HARDENING_PATCH_LL_PROTECT
6758+ TSRMLS_FETCH();
6759+ CHECK_LIST_CANARY(l)
6760+#endif
6761 while (current) {
6762+#if HARDENING_PATCH_LL_PROTECT
6763+ CHECK_LISTELEMENT_CANARY(current)
6764+#endif
6765 next = current->next;
6766 if (l->dtor) {
6767 l->dtor(current->data);
6768@@ -133,7 +185,14 @@
6769 zend_llist_element *old_tail;
6770 void *data;
6771
6772+#if HARDENING_PATCH_LL_PROTECT
6773+ TSRMLS_FETCH();
6774+ CHECK_LIST_CANARY(l)
6775+#endif
6776 if ((old_tail = l->tail)) {
6777+#if HARDENING_PATCH_LL_PROTECT
6778+ CHECK_LISTELEMENT_CANARY(old_tail)
6779+#endif
6780 if (l->tail->prev) {
6781 l->tail->prev->next = NULL;
6782 }
6783@@ -159,9 +218,16 @@
6784 {
6785 zend_llist_element *ptr;
6786
6787+#if HARDENING_PATCH_LL_PROTECT
6788+ TSRMLS_FETCH();
6789+ CHECK_LIST_CANARY(src)
6790+#endif
6791 zend_llist_init(dst, src->size, src->dtor, src->persistent);
6792 ptr = src->head;
6793 while (ptr) {
6794+#if HARDENING_PATCH_LL_PROTECT
6795+ CHECK_LISTELEMENT_CANARY(ptr)
6796+#endif
6797 zend_llist_add_element(dst, ptr->data);
6798 ptr = ptr->next;
6799 }
6800@@ -172,11 +238,21 @@
6801 {
6802 zend_llist_element *element, *next;
6803
6804+#if HARDENING_PATCH_LL_PROTECT
6805+ TSRMLS_FETCH();
6806+ CHECK_LIST_CANARY(l)
6807+#endif
6808 element=l->head;
6809 while (element) {
6810+#if HARDENING_PATCH_LL_PROTECT
6811+ CHECK_LISTELEMENT_CANARY(element)
6812+#endif
6813 next = element->next;
6814 if (func(element->data)) {
6815 DEL_LLIST_ELEMENT(element, l);
6816+#if HARDENING_PATCH_LL_PROTECT
6817+ element->canary = 0;
6818+#endif
6819 }
6820 element = next;
6821 }
6822@@ -187,7 +263,13 @@
6823 {
6824 zend_llist_element *element;
6825
6826+#if HARDENING_PATCH_LL_PROTECT
6827+ CHECK_LIST_CANARY(l)
6828+#endif
6829 for (element=l->head; element; element=element->next) {
6830+#if HARDENING_PATCH_LL_PROTECT
6831+ CHECK_LISTELEMENT_CANARY(element)
6832+#endif
6833 func(element->data TSRMLS_CC);
6834 }
6835 }
6836@@ -199,6 +281,9 @@
6837 zend_llist_element **elements;
6838 zend_llist_element *element, **ptr;
6839
6840+#if HARDENING_PATCH_LL_PROTECT
6841+ CHECK_LIST_CANARY(l)
6842+#endif
6843 if (l->count <= 0) {
6844 return;
6845 }
6846@@ -208,6 +293,9 @@
6847 ptr = &elements[0];
6848
6849 for (element=l->head; element; element=element->next) {
6850+#if HARDENING_PATCH_LL_PROTECT
6851+ CHECK_LISTELEMENT_CANARY(element)
6852+#endif
6853 *ptr++ = element;
6854 }
6855
6856@@ -230,7 +318,13 @@
6857 {
6858 zend_llist_element *element;
6859
6860+#if HARDENING_PATCH_LL_PROTECT
6861+ CHECK_LIST_CANARY(l)
6862+#endif
6863 for (element=l->head; element; element=element->next) {
6864+#if HARDENING_PATCH_LL_PROTECT
6865+ CHECK_LISTELEMENT_CANARY(element)
6866+#endif
6867 func(element->data, arg TSRMLS_CC);
6868 }
6869 }
6870@@ -241,8 +335,14 @@
6871 zend_llist_element *element;
6872 va_list args;
6873
6874+#if HARDENING_PATCH_LL_PROTECT
6875+ CHECK_LIST_CANARY(l)
6876+#endif
6877 va_start(args, num_args);
6878 for (element=l->head; element; element=element->next) {
6879+#if HARDENING_PATCH_LL_PROTECT
6880+ CHECK_LISTELEMENT_CANARY(element)
6881+#endif
6882 func(element->data, num_args, args TSRMLS_CC);
6883 }
6884 va_end(args);
6885@@ -251,6 +351,10 @@
6886
6887 ZEND_API int zend_llist_count(zend_llist *l)
6888 {
6889+#if HARDENING_PATCH_LL_PROTECT
6890+ TSRMLS_FETCH();
6891+ CHECK_LIST_CANARY(l)
6892+#endif
6893 return l->count;
6894 }
6895
6896@@ -259,8 +363,15 @@
6897 {
6898 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
6899
6900+#if HARDENING_PATCH_LL_PROTECT
6901+ TSRMLS_FETCH();
6902+ CHECK_LIST_CANARY(l)
6903+#endif
6904 *current = l->head;
6905 if (*current) {
6906+#if HARDENING_PATCH_LL_PROTECT
6907+ CHECK_LISTELEMENT_CANARY(*current)
6908+#endif
6909 return (*current)->data;
6910 } else {
6911 return NULL;
6912@@ -272,8 +383,15 @@
6913 {
6914 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
6915
6916+#if HARDENING_PATCH_LL_PROTECT
6917+ TSRMLS_FETCH();
6918+ CHECK_LIST_CANARY(l)
6919+#endif
6920 *current = l->tail;
6921 if (*current) {
6922+#if HARDENING_PATCH_LL_PROTECT
6923+ CHECK_LISTELEMENT_CANARY(*current)
6924+#endif
6925 return (*current)->data;
6926 } else {
6927 return NULL;
6928@@ -285,9 +403,19 @@
6929 {
6930 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
6931
6932+#if HARDENING_PATCH_LL_PROTECT
6933+ TSRMLS_FETCH();
6934+ CHECK_LIST_CANARY(l)
6935+#endif
6936 if (*current) {
6937+#if HARDENING_PATCH_LL_PROTECT
6938+ CHECK_LISTELEMENT_CANARY(*current)
6939+#endif
6940 *current = (*current)->next;
6941 if (*current) {
6942+#if HARDENING_PATCH_LL_PROTECT
6943+ CHECK_LISTELEMENT_CANARY(*current)
6944+#endif
6945 return (*current)->data;
6946 }
6947 }
6948@@ -299,9 +427,19 @@
6949 {
6950 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
6951
6952+#if HARDENING_PATCH_LL_PROTECT
6953+ TSRMLS_FETCH();
6954+ CHECK_LIST_CANARY(l)
6955+#endif
6956 if (*current) {
6957+#if HARDENING_PATCH_LL_PROTECT
6958+ CHECK_LISTELEMENT_CANARY(*current)
6959+#endif
6960 *current = (*current)->prev;
6961 if (*current) {
6962+#if HARDENING_PATCH_LL_PROTECT
6963+ CHECK_LISTELEMENT_CANARY(*current)
6964+#endif
6965 return (*current)->data;
6966 }
6967 }
6968diff -Nura php-5.0.5/Zend/zend_llist.h hardening-patch-5.0.5-0.4.3/Zend/zend_llist.h
6969--- php-5.0.5/Zend/zend_llist.h 2004-01-08 18:31:47.000000000 +0100
6970+++ hardening-patch-5.0.5-0.4.3/Zend/zend_llist.h 2005-09-11 23:30:52.000000000 +0200
6971@@ -23,6 +23,9 @@
6972 #define ZEND_LLIST_H
6973
6974 typedef struct _zend_llist_element {
6975+#if HARDENING_PATCH_LL_PROTECT
6976+ unsigned int canary;
6977+#endif
6978 struct _zend_llist_element *next;
6979 struct _zend_llist_element *prev;
6980 char data[1]; /* Needs to always be last in the struct */
6981@@ -35,6 +38,9 @@
6982 typedef void (*llist_apply_func_t)(void * TSRMLS_DC);
6983
6984 typedef struct _zend_llist {
6985+#if HARDENING_PATCH_LL_PROTECT
6986+ unsigned int canary_h; /* head */
6987+#endif
6988 zend_llist_element *head;
6989 zend_llist_element *tail;
6990 size_t count;
6991@@ -42,6 +48,9 @@
6992 llist_dtor_func_t dtor;
6993 unsigned char persistent;
6994 zend_llist_element *traverse_ptr;
6995+#if HARDENING_PATCH_LL_PROTECT
6996+ unsigned int canary_t; /* tail */
6997+#endif
6998 } zend_llist;
6999
7000 typedef zend_llist_element* zend_llist_position;
7001diff -Nura php-5.0.5/Zend/zend_modules.h hardening-patch-5.0.5-0.4.3/Zend/zend_modules.h
7002--- php-5.0.5/Zend/zend_modules.h 2005-03-16 00:47:12.000000000 +0100
7003+++ hardening-patch-5.0.5-0.4.3/Zend/zend_modules.h 2005-09-12 22:59:59.000000000 +0200
7004@@ -38,6 +38,7 @@
7005 extern struct _zend_arg_info fourth_arg_force_ref[5];
7006 extern struct _zend_arg_info all_args_by_ref[1];
7007
7008+#define HARDENING_PATCH_ZEND_MODULE_API_NO 1002050912
7009 #define ZEND_MODULE_API_NO 20041030
7010 #ifdef ZTS
7011 #define USING_ZTS 1
7012@@ -45,10 +46,10 @@
7013 #define USING_ZTS 0
7014 #endif
7015
7016-#define STANDARD_MODULE_HEADER sizeof(zend_module_entry), ZEND_MODULE_API_NO, ZEND_DEBUG, USING_ZTS, NULL
7017-#define ZE2_STANDARD_MODULE_HEADER sizeof(zend_module_entry), ZEND_MODULE_API_NO, ZEND_DEBUG, USING_ZTS, ini_entries
7018+#define STANDARD_MODULE_HEADER sizeof(zend_module_entry), HARDENING_PATCH_ZEND_MODULE_API_NO, ZEND_DEBUG, USING_ZTS, NULL
7019+#define ZE2_STANDARD_MODULE_HEADER sizeof(zend_module_entry), HARDENING_PATCH_ZEND_MODULE_API_NO, ZEND_DEBUG, USING_ZTS, ini_entries
7020
7021-#define STANDARD_MODULE_PROPERTIES_EX 0, 0, 0, NULL, 0
7022+#define STANDARD_MODULE_PROPERTIES_EX 0, 0, 0, NULL, 0, ZEND_MODULE_API_NO
7023
7024 #define STANDARD_MODULE_PROPERTIES \
7025 NULL, STANDARD_MODULE_PROPERTIES_EX
7026@@ -81,6 +82,7 @@
7027 unsigned char type;
7028 void *handle;
7029 int module_number;
7030+ unsigned int real_zend_api;
7031 };
7032
7033
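Review bot: zend_modules.h now carries two parallel API numbers (HARDENING_PATCH_ZEND_MODULE_API_NO in the module header slot, ZEND_MODULE_API_NO moved to the new trailing `real_zend_api` member) with no comment explaining the scheme, whereas the equivalent change in zend_extensions.h documents it. I'd add above the define: `/* The zend_api slot carries the Hardening-Patch API number; the stock ZEND_MODULE_API_NO moves to real_zend_api, the last member of zend_module_entry. */`. A module that fills its zend_module_entry by hand rather than through STANDARD_MODULE_PROPERTIES_EX will leave real_zend_api zero, so whatever validates it (not in this chunk) should treat zero as "not built against the patch".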
7034diff -Nura php-5.0.5/Zend/zend_opcode.c hardening-patch-5.0.5-0.4.3/Zend/zend_opcode.c
7035--- php-5.0.5/Zend/zend_opcode.c 2004-06-06 10:37:12.000000000 +0200
7036+++ hardening-patch-5.0.5-0.4.3/Zend/zend_opcode.c 2005-09-11 23:30:52.000000000 +0200
7037@@ -92,6 +92,9 @@
7038 op_array->uses_this = 0;
7039
7040 op_array->start_op = NULL;
7041+#if HARDENING_PATCH
7042+ op_array->created_by_eval = 0;
7043+#endif
7044
7045 zend_llist_apply_with_argument(&zend_extensions, (llist_apply_with_arg_func_t) zend_extension_op_array_ctor_handler, op_array TSRMLS_CC);
7046 }