summaryrefslogtreecommitdiff
path: root/0.4.6
diff options
context:
space:
mode:
authorjvoisin2019-10-13 12:57:37 +0200
committerjvoisin2019-10-13 12:57:37 +0200
commit5fea1ebe59050ca0bc8de210e93e8fb4ae6cd8c8 (patch)
tree32a7da950a47305fdc5753a3eeae0b500c6b3a04 /0.4.6
parentad5a70c7aedd0a78de0915b6434a76a4976528c0 (diff)
Add more patches
Diffstat (limited to '0.4.6')
-rw-r--r--0.4.6/hardening-patch-4.4.1-0.4.6.patch8089
1 files changed, 8089 insertions, 0 deletions
diff --git a/0.4.6/hardening-patch-4.4.1-0.4.6.patch b/0.4.6/hardening-patch-4.4.1-0.4.6.patch
new file mode 100644
index 0000000..804d9a6
--- /dev/null
+++ b/0.4.6/hardening-patch-4.4.1-0.4.6.patch
@@ -0,0 +1,8089 @@
1diff -Nura php-4.4.1/acinclude.m4 hardening-patch-4.4.1-0.4.6/acinclude.m4
2--- php-4.4.1/acinclude.m4 2005-09-23 11:20:22.000000000 +0200
3+++ hardening-patch-4.4.1-0.4.6/acinclude.m4 2005-11-05 13:04:08.000000000 +0100
4@@ -1182,6 +1182,36 @@
5 fi
6 ])
7
8+dnl
9+dnl Check for broken realpath()
10+dnl
11+dnl realpath("/etc/hosts/../passwd",XXX) should not return
12+dnl "/etc/passwd"
13+dnl
14+AC_DEFUN([PHP_AC_BROKEN_REALPATH],[
15+ AC_CACHE_CHECK(whether realpath is broken, ac_cv_broken_realpath,[
16+ AC_TRY_RUN([
17+main() {
18+ char buf[4096+1];
19+ buf[0] = 0;
20+ realpath("/etc/hosts/../passwd", buf);
21+ exit(strcmp(buf, "/etc/passwd")==0);
22+}
23+ ],[
24+ ac_cv_broken_realpath=no
25+ ],[
26+ ac_cv_broken_realpath=yes
27+ ],[
28+ ac_cv_broken_realpath=no
29+ ])
30+ ])
31+ if test "$ac_cv_broken_realpath" = "yes"; then
32+ AC_DEFINE(PHP_BROKEN_REALPATH, 1, [Whether realpath is broken])
33+ else
34+ AC_DEFINE(PHP_BROKEN_REALPATH, 0, [Whether realpath is broken])
35+ fi
36+])
37+
38 dnl PHP_SHARED_MODULE(module-name, object-var, build-dir, cxx)
39 dnl
40 dnl Basically sets up the link-stage for building module-name
41diff -Nura php-4.4.1/configure hardening-patch-4.4.1-0.4.6/configure
42--- php-4.4.1/configure 2005-10-30 12:06:37.000000000 +0100
43+++ hardening-patch-4.4.1-0.4.6/configure 2005-11-05 13:04:08.000000000 +0100
44@@ -395,6 +395,16 @@
45 ac_default_prefix=/usr/local
46 # Any additions from configure.in:
47 ac_help="$ac_help
48+ --disable-hardening-patch-mm-protect Disable the Memory Manager protection."
49+ac_help="$ac_help
50+ --disable-hardening-patch-ll-protect Disable the Linked List protection."
51+ac_help="$ac_help
52+ --disable-hardening-patch-inc-protect Disable include/require protection."
53+ac_help="$ac_help
54+ --disable-hardening-patch-fmt-protect Disable format string protection."
55+ac_help="$ac_help
56+ --disable-hardening-patch-hash-protect Disable Zend HashTable DTOR protection."
57+ac_help="$ac_help
58
59 SAPI modules:
60 "
61@@ -847,6 +857,8 @@
62 ac_help="$ac_help
63 --disable-tokenizer Disable tokenizer support"
64 ac_help="$ac_help
65+ --disable-varfilter Disable Hardening-Patch's variable filter"
66+ac_help="$ac_help
67 --enable-wddx Enable WDDX support."
68 ac_help="$ac_help
69 --disable-xml Disable XML support using bundled expat lib"
70@@ -2828,6 +2840,157 @@
71
72
73
74+# Check whether --enable-hardening-patch-mm-protect or --disable-hardening-patch-mm-protect was given.
75+if test "${enable_hardening_patch_mm_protect+set}" = set; then
76+ enableval="$enable_hardening_patch_mm_protect"
77+
78+ DO_HARDENING_PATCH_MM_PROTECT=$enableval
79+
80+else
81+
82+ DO_HARDENING_PATCH_MM_PROTECT=yes
83+
84+fi
85+
86+
87+# Check whether --enable-hardening-patch-ll-protect or --disable-hardening-patch-ll-protect was given.
88+if test "${enable_hardening_patch_ll_protect+set}" = set; then
89+ enableval="$enable_hardening_patch_ll_protect"
90+
91+ DO_HARDENING_PATCH_LL_PROTECT=$enableval
92+
93+else
94+
95+ DO_HARDENING_PATCH_LL_PROTECT=yes
96+
97+fi
98+
99+
100+# Check whether --enable-hardening-patch-inc-protect or --disable-hardening-patch-inc-protect was given.
101+if test "${enable_hardening_patch_inc_protect+set}" = set; then
102+ enableval="$enable_hardening_patch_inc_protect"
103+
104+ DO_HARDENING_PATCH_INC_PROTECT=$enableval
105+
106+else
107+
108+ DO_HARDENING_PATCH_INC_PROTECT=yes
109+
110+fi
111+
112+
113+# Check whether --enable-hardening-patch-fmt-protect or --disable-hardening-patch-fmt-protect was given.
114+if test "${enable_hardening_patch_fmt_protect+set}" = set; then
115+ enableval="$enable_hardening_patch_fmt_protect"
116+
117+ DO_HARDENING_PATCH_FMT_PROTECT=$enableval
118+
119+else
120+
121+ DO_HARDENING_PATCH_FMT_PROTECT=yes
122+
123+fi
124+
125+
126+# Check whether --enable-hardening-patch-hash-protect or --disable-hardening-patch-hash-protect was given.
127+if test "${enable_hardening_patch_hash_protect+set}" = set; then
128+ enableval="$enable_hardening_patch_hash_protect"
129+
130+ DO_HARDENING_PATCH_HASH_PROTECT=$enableval
131+
132+else
133+
134+ DO_HARDENING_PATCH_HASH_PROTECT=yes
135+
136+fi
137+
138+
139+echo $ac_n "checking whether to protect the Zend Memory Manager""... $ac_c" 1>&6
140+echo "configure:2725: checking whether to protect the Zend Memory Manager" >&5
141+echo "$ac_t""$DO_HARDENING_PATCH_MM_PROTECT" 1>&6
142+
143+echo $ac_n "checking whether to protect the Zend Linked Lists""... $ac_c" 1>&6
144+echo "configure:2729: checking whether to protect the Zend Linked Lists" >&5
145+echo "$ac_t""$DO_HARDENING_PATCH_LL_PROTECT" 1>&6
146+
147+echo $ac_n "checking whether to protect include/require statements""... $ac_c" 1>&6
148+echo "configure:2733: checking whether to protect include/require statements" >&5
149+echo "$ac_t""$DO_HARDENING_PATCH_INC_PROTECT" 1>&6
150+
151+echo $ac_n "checking whether to protect PHP Format String functions""... $ac_c" 1>&6
152+echo "configure:2737: checking whether to protect PHP Format String functions" >&5
153+echo "$ac_t""$DO_HARDENING_PATCH_FMT_PROTECT" 1>&6
154+
155+echo $ac_n "checking whether to protect the Zend HashTable Destructors""... $ac_c" 1>&6
156+echo "configure:2737: checking whether to protect the Zend HashTable Destructors" >&5
157+echo "$ac_t""$DO_HARDENING_PATCH_HASH_PROTECT" 1>&6
158+
159+
160+cat >> confdefs.h <<\EOF
161+#define HARDENING_PATCH 1
162+EOF
163+
164+
165+
166+if test "$DO_HARDENING_PATCH_MM_PROTECT" = "yes"; then
167+ cat >> confdefs.h <<\EOF
168+#define HARDENING_PATCH_MM_PROTECT 1
169+EOF
170+
171+else
172+ cat >> confdefs.h <<\EOF
173+#define HARDENING_PATCH_MM_PROTECT 0
174+EOF
175+
176+fi
177+
178+if test "$DO_HARDENING_PATCH_LL_PROTECT" = "yes"; then
179+ cat >> confdefs.h <<\EOF
180+#define HARDENING_PATCH_LL_PROTECT 1
181+EOF
182+
183+else
184+ cat >> confdefs.h <<\EOF
185+#define HARDENING_PATCH_LL_PROTECT 0
186+EOF
187+
188+fi
189+
190+if test "$DO_HARDENING_PATCH_INC_PROTECT" = "yes"; then
191+ cat >> confdefs.h <<\EOF
192+#define HARDENING_PATCH_INC_PROTECT 1
193+EOF
194+
195+else
196+ cat >> confdefs.h <<\EOF
197+#define HARDENING_PATCH_INC_PROTECT 0
198+EOF
199+
200+fi
201+
202+if test "$DO_HARDENING_PATCH_FMT_PROTECT" = "yes"; then
203+ cat >> confdefs.h <<\EOF
204+#define HARDENING_PATCH_FMT_PROTECT 1
205+EOF
206+
207+else
208+ cat >> confdefs.h <<\EOF
209+#define HARDENING_PATCH_FMT_PROTECT 0
210+EOF
211+
212+fi
213+
214+if test "$DO_HARDENING_PATCH_HASH_PROTECT" = "yes"; then
215+ cat >> confdefs.h <<\EOF
216+#define HARDENING_PATCH_HASH_PROTECT 1
217+EOF
218+
219+else
220+ cat >> confdefs.h <<\EOF
221+#define HARDENING_PATCH_HASH_PROTECT 0
222+EOF
223+
224+fi
225
226
227
228@@ -15903,6 +16066,62 @@
229 fi
230
231
232+ echo $ac_n "checking whether realpath is broken""... $ac_c" 1>&6
233+echo "configure:14928: checking whether realpath is broken" >&5
234+if eval "test \"`echo '$''{'ac_cv_broken_realpath'+set}'`\" = set"; then
235+ echo $ac_n "(cached) $ac_c" 1>&6
236+else
237+
238+ if test "$cross_compiling" = yes; then
239+
240+ ac_cv_broken_realpath=no
241+
242+else
243+ cat > conftest.$ac_ext <<EOF
244+#line 14939 "configure"
245+#include "confdefs.h"
246+
247+main() {
248+ char buf[4096+1];
249+ buf[0] = 0;
250+ realpath("/etc/hosts/../passwd", buf);
251+ exit(strcmp(buf, "/etc/passwd")==0);
252+}
253+
254+EOF
255+if { (eval echo configure:14958: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
256+then
257+
258+ ac_cv_broken_realpath=no
259+
260+else
261+ echo "configure: failed program was:" >&5
262+ cat conftest.$ac_ext >&5
263+ rm -fr conftest*
264+
265+ ac_cv_broken_realpath=yes
266+
267+fi
268+rm -fr conftest*
269+fi
270+
271+
272+fi
273+
274+echo "$ac_t""$ac_cv_broken_realpath" 1>&6
275+ if test "$ac_cv_broken_realpath" = "yes"; then
276+ cat >> confdefs.h <<\EOF
277+#define PHP_BROKEN_REALPATH 1
278+EOF
279+
280+ else
281+ cat >> confdefs.h <<\EOF
282+#define PHP_BROKEN_REALPATH 0
283+EOF
284+
285+ fi
286+
287+
288 echo $ac_n "checking for declared timezone""... $ac_c" 1>&6
289 echo "configure:15908: checking for declared timezone" >&5
290 if eval "test \"`echo '$''{'ac_cv_declared_timezone'+set}'`\" = set"; then
291@@ -86368,7 +86587,7 @@
292 if test "$ac_cv_crypt_blowfish" = "yes"; then
293 ac_result=1
294 else
295- ac_result=0
296+ ac_result=1
297 fi
298 cat >> confdefs.h <<EOF
299 #define PHP_BLOWFISH_CRYPT $ac_result
300@@ -87070,7 +87289,7 @@
301 url_scanner.c var.c versioning.c assert.c strnatcmp.c levenshtein.c \
302 incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
303 http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
304- var_unserializer.c ftok.c aggregation.c sha1.c ; do
305+ var_unserializer.c ftok.c aggregation.c sha1.c sha256.c crypt_blowfish.c ; do
306
307 IFS=.
308 set $ac_src
309@@ -87125,7 +87344,7 @@
310 url_scanner.c var.c versioning.c assert.c strnatcmp.c levenshtein.c \
311 incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
312 http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
313- var_unserializer.c ftok.c aggregation.c sha1.c ; do
314+ var_unserializer.c ftok.c aggregation.c sha1.c sha256.c crypt_blowfish.c ; do
315
316 IFS=.
317 set $ac_src
318@@ -87251,7 +87470,7 @@
319 url_scanner.c var.c versioning.c assert.c strnatcmp.c levenshtein.c \
320 incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
321 http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
322- var_unserializer.c ftok.c aggregation.c sha1.c ; do
323+ var_unserializer.c ftok.c aggregation.c sha1.c sha256.c crypt_blowfish.c ; do
324
325 IFS=.
326 set $ac_src
327@@ -87303,7 +87522,7 @@
328 url_scanner.c var.c versioning.c assert.c strnatcmp.c levenshtein.c \
329 incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
330 http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
331- var_unserializer.c ftok.c aggregation.c sha1.c ; do
332+ var_unserializer.c ftok.c aggregation.c sha1.c sha256.c crypt_blowfish.c ; do
333
334 IFS=.
335 set $ac_src
336@@ -90774,6 +90993,265 @@
337 fi
338
339
340+echo $ac_n "checking whether to enable Hardening-Patch's variable filter""... $ac_c" 1>&6
341+echo "configure:82041: checking whether to enable Hardening-Patch's variable filter" >&5
342+# Check whether --enable-varfilter or --disable-varfilter was given.
343+if test "${enable_varfilter+set}" = set; then
344+ enableval="$enable_varfilter"
345+ PHP_VARFILTER=$enableval
346+else
347+
348+ PHP_VARFILTER=yes
349+
350+ if test "$PHP_ENABLE_ALL" && test "yes" = "yes"; then
351+ PHP_VARFILTER=$PHP_ENABLE_ALL
352+ fi
353+
354+fi
355+
356+
357+
358+ext_output="yes, shared"
359+ext_shared=yes
360+case $PHP_VARFILTER in
361+shared,*)
362+ PHP_VARFILTER=`echo "$PHP_VARFILTER"|sed 's/^shared,//'`
363+ ;;
364+shared)
365+ PHP_VARFILTER=yes
366+ ;;
367+no)
368+ ext_output=no
369+ ext_shared=no
370+ ;;
371+*)
372+ ext_output=yes
373+ ext_shared=no
374+ ;;
375+esac
376+
377+
378+
379+echo "$ac_t""$ext_output" 1>&6
380+
381+
382+
383+
384+if test "$PHP_VARFILTER" != "no"; then
385+ cat >> confdefs.h <<\EOF
386+#define HAVE_VARFILTER 1
387+EOF
388+
389+
390+ ext_builddir=ext/varfilter
391+ ext_srcdir=$abs_srcdir/ext/varfilter
392+
393+ ac_extra=
394+
395+ if test "$ext_shared" != "shared" && test "$ext_shared" != "yes" && test "" != "cli"; then
396+
397+
398+
399+ case ext/varfilter in
400+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
401+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
402+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
403+ esac
404+
405+
406+
407+ b_c_pre=$php_c_pre
408+ b_cxx_pre=$php_cxx_pre
409+ b_c_meta=$php_c_meta
410+ b_cxx_meta=$php_cxx_meta
411+ b_c_post=$php_c_post
412+ b_cxx_post=$php_cxx_post
413+ b_lo=$php_lo
414+
415+
416+ old_IFS=$IFS
417+ for ac_src in varfilter.c; do
418+
419+ IFS=.
420+ set $ac_src
421+ ac_obj=$1
422+ IFS=$old_IFS
423+
424+ PHP_GLOBAL_OBJS="$PHP_GLOBAL_OBJS $ac_bdir$ac_obj.lo"
425+
426+ case $ac_src in
427+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
428+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
429+ esac
430+
431+ cat >>Makefile.objects<<EOF
432+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
433+ $ac_comp
434+EOF
435+ done
436+
437+
438+ EXT_STATIC="$EXT_STATIC varfilter"
439+ if test "$ext_shared" != "nocli"; then
440+ EXT_CLI_STATIC="$EXT_CLI_STATIC varfilter"
441+ fi
442+ else
443+ if test "$ext_shared" = "shared" || test "$ext_shared" = "yes"; then
444+
445+ case ext/varfilter in
446+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
447+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
448+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
449+ esac
450+
451+
452+
453+ b_c_pre=$shared_c_pre
454+ b_cxx_pre=$shared_cxx_pre
455+ b_c_meta=$shared_c_meta
456+ b_cxx_meta=$shared_cxx_meta
457+ b_c_post=$shared_c_post
458+ b_cxx_post=$shared_cxx_post
459+ b_lo=$shared_lo
460+
461+
462+ old_IFS=$IFS
463+ for ac_src in varfilter.c; do
464+
465+ IFS=.
466+ set $ac_src
467+ ac_obj=$1
468+ IFS=$old_IFS
469+
470+ shared_objects_varfilter="$shared_objects_varfilter $ac_bdir$ac_obj.lo"
471+
472+ case $ac_src in
473+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
474+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
475+ esac
476+
477+ cat >>Makefile.objects<<EOF
478+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
479+ $ac_comp
480+EOF
481+ done
482+
483+
484+ install_modules="install-modules"
485+ PHP_MODULES="$PHP_MODULES \$(phplibdir)/varfilter.la"
486+
487+ PHP_VAR_SUBST="$PHP_VAR_SUBST shared_objects_varfilter"
488+
489+ cat >>Makefile.objects<<EOF
490+\$(phplibdir)/varfilter.la: $ext_builddir/varfilter.la
491+ \$(LIBTOOL) --mode=install cp $ext_builddir/varfilter.la \$(phplibdir)
492+
493+$ext_builddir/varfilter.la: \$(shared_objects_varfilter) \$(VARFILTER_SHARED_DEPENDENCIES)
494+ \$(LIBTOOL) --mode=link \$(CC) \$(COMMON_FLAGS) \$(CFLAGS_CLEAN) \$(EXTRA_CFLAGS) \$(LDFLAGS) -o \$@ -export-dynamic -avoid-version -prefer-pic -module -rpath \$(phplibdir) \$(EXTRA_LDFLAGS) \$(shared_objects_varfilter) \$(VARFILTER_SHARED_LIBADD)
495+
496+EOF
497+
498+ cat >> confdefs.h <<EOF
499+#define COMPILE_DL_VARFILTER 1
500+EOF
501+
502+ fi
503+ fi
504+
505+ if test "$ext_shared" != "shared" && test "$ext_shared" != "yes" && test "" = "cli"; then
506+ if test "$PHP_SAPI" = "cgi"; then
507+
508+
509+ case ext/varfilter in
510+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
511+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
512+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
513+ esac
514+
515+
516+
517+ b_c_pre=$php_c_pre
518+ b_cxx_pre=$php_cxx_pre
519+ b_c_meta=$php_c_meta
520+ b_cxx_meta=$php_cxx_meta
521+ b_c_post=$php_c_post
522+ b_cxx_post=$php_cxx_post
523+ b_lo=$php_lo
524+
525+
526+ old_IFS=$IFS
527+ for ac_src in varfilter.c; do
528+
529+ IFS=.
530+ set $ac_src
531+ ac_obj=$1
532+ IFS=$old_IFS
533+
534+ PHP_GLOBAL_OBJS="$PHP_GLOBAL_OBJS $ac_bdir$ac_obj.lo"
535+
536+ case $ac_src in
537+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
538+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
539+ esac
540+
541+ cat >>Makefile.objects<<EOF
542+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
543+ $ac_comp
544+EOF
545+ done
546+
547+
548+ EXT_STATIC="$EXT_STATIC varfilter"
549+ else
550+
551+
552+ case ext/varfilter in
553+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
554+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
555+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
556+ esac
557+
558+
559+
560+ b_c_pre=$php_c_pre
561+ b_cxx_pre=$php_cxx_pre
562+ b_c_meta=$php_c_meta
563+ b_cxx_meta=$php_cxx_meta
564+ b_c_post=$php_c_post
565+ b_cxx_post=$php_cxx_post
566+ b_lo=$php_lo
567+
568+
569+ old_IFS=$IFS
570+ for ac_src in varfilter.c; do
571+
572+ IFS=.
573+ set $ac_src
574+ ac_obj=$1
575+ IFS=$old_IFS
576+
577+ PHP_CLI_OBJS="$PHP_CLI_OBJS $ac_bdir$ac_obj.lo"
578+
579+ case $ac_src in
580+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
581+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
582+ esac
583+
584+ cat >>Makefile.objects<<EOF
585+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
586+ $ac_comp
587+EOF
588+ done
589+
590+
591+ fi
592+ EXT_CLI_STATIC="$EXT_CLI_STATIC varfilter"
593+ fi
594+
595+ BUILD_DIR="$BUILD_DIR $ext_builddir"
596+
597+
598+fi
599
600
601 echo $ac_n "checking whether to enable WDDX support""... $ac_c" 1>&6
602@@ -103822,7 +104300,7 @@
603 php_ini.c SAPI.c rfc1867.c php_content_types.c strlcpy.c \
604 strlcat.c mergesort.c reentrancy.c php_variables.c php_ticks.c \
605 streams.c network.c php_open_temporary_file.c php_logos.c \
606- output.c memory_streams.c user_streams.c; do
607+ output.c memory_streams.c user_streams.c hardening_patch.c; do
608
609 IFS=.
610 set $ac_src
611@@ -104007,7 +104485,7 @@
612 zend_opcode.c zend_operators.c zend_ptr_stack.c zend_stack.c \
613 zend_variables.c zend.c zend_API.c zend_extensions.c zend_hash.c \
614 zend_list.c zend_indent.c zend_builtin_functions.c zend_sprintf.c \
615- zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c; do
616+ zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c zend_canary.c; do
617
618 IFS=.
619 set $ac_src
620diff -Nura php-4.4.1/configure.in hardening-patch-4.4.1-0.4.6/configure.in
621--- php-4.4.1/configure.in 2005-10-26 09:58:22.000000000 +0200
622+++ hardening-patch-4.4.1-0.4.6/configure.in 2005-11-05 13:04:08.000000000 +0100
623@@ -247,7 +247,7 @@
624 sinclude(Zend/acinclude.m4)
625 sinclude(Zend/Zend.m4)
626 sinclude(TSRM/tsrm.m4)
627-
628+sinclude(main/hardening_patch.m4)
629
630
631 divert(2)
632@@ -621,6 +621,7 @@
633 AC_FUNC_ALLOCA
634 dnl PHP_AC_BROKEN_SPRINTF
635 dnl PHP_AC_BROKEN_SNPRINTF
636+PHP_AC_BROKEN_REALPATH
637 PHP_DECLARED_TIMEZONE
638 PHP_TIME_R_TYPE
639 PHP_READDIR_R_TYPE
640@@ -1260,7 +1261,7 @@
641 php_ini.c SAPI.c rfc1867.c php_content_types.c strlcpy.c \
642 strlcat.c mergesort.c reentrancy.c php_variables.c php_ticks.c \
643 streams.c network.c php_open_temporary_file.c php_logos.c \
644- output.c memory_streams.c user_streams.c)
645+ output.c memory_streams.c user_streams.c hardening_patch.c)
646 PHP_ADD_SOURCES(/main, internal_functions.c,, sapi)
647 case $host_alias in
648 *netware*)
649@@ -1281,7 +1282,7 @@
650 zend_opcode.c zend_operators.c zend_ptr_stack.c zend_stack.c \
651 zend_variables.c zend.c zend_API.c zend_extensions.c zend_hash.c \
652 zend_list.c zend_indent.c zend_builtin_functions.c zend_sprintf.c \
653- zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c)
654+ zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c zend_canary.c )
655
656 if test -r "$abs_srcdir/Zend/zend_objects.c"; then
657 PHP_ADD_SOURCES(Zend, zend_objects.c zend_object_handlers.c zend_objects_API.c zend_mm.c)
658diff -Nura php-4.4.1/ext/curl/curl.c hardening-patch-4.4.1-0.4.6/ext/curl/curl.c
659--- php-4.4.1/ext/curl/curl.c 2005-10-17 04:42:51.000000000 +0200
660+++ hardening-patch-4.4.1-0.4.6/ext/curl/curl.c 2005-11-05 13:04:08.000000000 +0100
661@@ -76,7 +76,7 @@
662 RETURN_FALSE; \
663 } \
664 \
665- if (tmp_url->query || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
666+ if (tmp_url->query || tmp_url->fragment || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
667 (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \
668 ) { \
669 php_url_free(tmp_url); \
670diff -Nura php-4.4.1/ext/fbsql/php_fbsql.c hardening-patch-4.4.1-0.4.6/ext/fbsql/php_fbsql.c
671--- php-4.4.1/ext/fbsql/php_fbsql.c 2005-02-09 20:33:32.000000000 +0100
672+++ hardening-patch-4.4.1-0.4.6/ext/fbsql/php_fbsql.c 2005-11-05 13:04:08.000000000 +0100
673@@ -1797,8 +1797,24 @@
674 }
675 else if (fbcmdErrorsFound(md))
676 {
677+#if HARDENING_PATCH
678+ char* query_copy;
679+ int i;
680+#endif
681 FBCErrorMetaData* emd = fbcdcErrorMetaData(c, md);
682 char* emg = fbcemdAllErrorMessages(emd);
683+#if HARDENING_PATCH
684+ query_copy=estrdup(query_copy);
685+ for (i=0; query_copy[i]; i++) if (query_copy[i]<32) query_copy[i]='.';
686+ php_security_log(S_SQL, "fbsql error: %s - query: %s", emg, query_copy);
687+ efree(query_copy);
688+ if (HG(hphp_sql_bailout_on_error)) {
689+ free(emg);
690+ fbcemdRelease(emd);
691+ result = 0;
692+ zend_bailout();
693+ }
694+#endif
695 if (FB_SQL_G(generateWarnings))
696 {
697 if (emg)
698diff -Nura php-4.4.1/ext/gd/gd.c hardening-patch-4.4.1-0.4.6/ext/gd/gd.c
699--- php-4.4.1/ext/gd/gd.c 2005-10-06 22:44:52.000000000 +0200
700+++ hardening-patch-4.4.1-0.4.6/ext/gd/gd.c 2005-11-05 13:04:08.000000000 +0100
701@@ -3742,13 +3742,13 @@
702 }
703
704 /* Check origin file */
705- if (!fn_org || fn_org == empty_string || php_check_open_basedir(fn_org TSRMLS_CC)) {
706+ if (!fn_org || fn_org == empty_string || php_check_open_basedir(fn_org TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(fn_org, "rb+", CHECKUID_CHECK_FILE_AND_DIR))) {
707 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid origin filename '%s'", fn_org);
708 RETURN_FALSE;
709 }
710
711 /* Check destination file */
712- if (!fn_dest || fn_dest == empty_string || php_check_open_basedir(fn_dest TSRMLS_CC)) {
713+ if (!fn_dest || fn_dest == empty_string || php_check_open_basedir(fn_dest TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(fn_dest, "rb+", CHECKUID_CHECK_FILE_AND_DIR))) {
714 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid destination filename '%s'", fn_dest);
715 RETURN_FALSE;
716 }
717diff -Nura php-4.4.1/ext/mbstring/mbstring.c hardening-patch-4.4.1-0.4.6/ext/mbstring/mbstring.c
718--- php-4.4.1/ext/mbstring/mbstring.c 2005-09-21 15:19:19.000000000 +0200
719+++ hardening-patch-4.4.1-0.4.6/ext/mbstring/mbstring.c 2005-11-05 13:04:08.000000000 +0100
720@@ -1488,6 +1488,7 @@
721 char *strtok_buf = NULL, **val_list;
722 zval *array_ptr = (zval *) arg;
723 int n, num, val_len, *len_list;
724+ unsigned int new_val_len;
725 enum mbfl_no_encoding from_encoding;
726 mbfl_string string, resvar, resval;
727 mbfl_encoding_detector *identd = NULL;
728@@ -1610,8 +1611,14 @@
729 val_len = len_list[n];
730 }
731 n++;
732- /* add variable to symbol table */
733- php_register_variable_safe(var, val, val_len, array_ptr TSRMLS_CC);
734+ /* we need val to be emalloc()ed */
735+ val = estrndup(val, val_len);
736+ if (sapi_module.input_filter(info->data_type, var, &val, val_len, &new_val_len TSRMLS_CC)) {
737+ /* add variable to symbol table */
738+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
739+ }
740+ efree(val);
741+
742 if (convd != NULL){
743 mbfl_string_clear(&resvar);
744 mbfl_string_clear(&resval);
745diff -Nura php-4.4.1/ext/mysql/php_mysql.c hardening-patch-4.4.1-0.4.6/ext/mysql/php_mysql.c
746--- php-4.4.1/ext/mysql/php_mysql.c 2005-04-08 00:23:01.000000000 +0200
747+++ hardening-patch-4.4.1-0.4.6/ext/mysql/php_mysql.c 2005-11-05 13:04:08.000000000 +0100
748@@ -1218,6 +1218,8 @@
749 {
750 php_mysql_conn *mysql;
751 MYSQL_RES *mysql_result;
752+ char *copy_query;
753+ int i;
754
755 ZEND_FETCH_RESOURCE2(mysql, php_mysql_conn *, mysql_link, link_id, "MySQL-Link", le_link, le_plink);
756
757@@ -1268,6 +1270,13 @@
758 php_error_docref("http://www.mysql.com/doc" TSRMLS_CC, E_WARNING, "%s", mysql_error(&mysql->conn));
759 }
760 }
761+ copy_query = estrdup(Z_STRVAL_PP(query));
762+ for (i=0; copy_query[i]; i++) if (copy_query[i] < 32) copy_query[i]='.';
763+ php_security_log(S_SQL, "MySQL error: %s - query: %s", mysql_error(&mysql->conn), copy_query);
764+ efree(copy_query);
765+ if (HG(hphp_sql_bailout_on_error)) {
766+ zend_bailout();
767+ }
768 RETURN_FALSE;
769 }
770 #else
771@@ -1275,12 +1284,20 @@
772 /* check possible error */
773 if (MySG(trace_mode)){
774 if (mysql_errno(&mysql->conn)){
775- php_error_docref("http://www.mysql.com/doc" TSRMLS_CC, E_WARNING, mysql_error(&mysql->conn));
776+ php_error_docref("http://www.mysql.com/doc" TSRMLS_CC, E_WARNING, "%s", mysql_error(&mysql->conn));
777 }
778 }
779+ copy_query = estrdup(Z_STRVAL_PP(query));
780+ for (i=0; copy_query[i]; i++) if (copy_query[i] < 32) copy_query[i]='.';
781+ php_security_log(S_SQL, "MySQL error: %s - query: %s", mysql_error(&mysql->conn), copy_query);
782+ efree(copy_query);
783+ if (HG(hphp_sql_bailout_on_error)) {
784+ zend_bailout();
785+ }
786 RETURN_FALSE;
787 }
788 #endif
789+
790 if(use_store == MYSQL_USE_RESULT) {
791 mysql_result=mysql_use_result(&mysql->conn);
792 } else {
793diff -Nura php-4.4.1/ext/pgsql/pgsql.c hardening-patch-4.4.1-0.4.6/ext/pgsql/pgsql.c
794--- php-4.4.1/ext/pgsql/pgsql.c 2005-07-05 14:50:03.000000000 +0200
795+++ hardening-patch-4.4.1-0.4.6/ext/pgsql/pgsql.c 2005-11-05 13:04:08.000000000 +0100
796@@ -1001,10 +1001,28 @@
797 case PGRES_EMPTY_QUERY:
798 case PGRES_BAD_RESPONSE:
799 case PGRES_NONFATAL_ERROR:
800- case PGRES_FATAL_ERROR:
801- PHP_PQ_ERROR("Query failed: %s", pgsql);
802- PQclear(pgsql_result);
803- RETURN_FALSE;
804+ case PGRES_FATAL_ERROR:
805+ {
806+#if HARDENING_PATCH
807+ int i;
808+ char *query_copy;
809+#endif
810+ char *msgbuf = _php_pgsql_trim_message(PQerrorMessage(pgsql), NULL);
811+ PQclear(pgsql_result);
812+#if HARDENING_PATCH
813+ query_copy = estrdup(Z_STRVAL_PP(query));
814+ for (i=0; query_copy[i]; i++) if (query_copy[i]<32) query_copy[i]='.';
815+ php_security_log(S_SQL, "PgSQL error: %s - query: %s", msgbuf, query_copy);
816+ efree(query_copy);
817+ if (HG(hphp_sql_bailout_on_error)) {
818+ efree(msgbuf);
819+ zend_bailout();
820+ }
821+#endif
822+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Query failed: %s", msgbuf);
823+ efree(msgbuf);
824+ RETURN_FALSE;
825+ }
826 break;
827 case PGRES_COMMAND_OK: /* successful command that did not return rows */
828 default:
829diff -Nura php-4.4.1/ext/session/mod_files.c hardening-patch-4.4.1-0.4.6/ext/session/mod_files.c
830--- php-4.4.1/ext/session/mod_files.c 2005-07-25 16:06:17.000000000 +0200
831+++ hardening-patch-4.4.1-0.4.6/ext/session/mod_files.c 2005-11-26 00:29:06.000000000 +0100
832@@ -389,6 +389,34 @@
833 return SUCCESS;
834 }
835
836+PS_VALIDATE_SID_FUNC(files)
837+{
838+ char buf[MAXPATHLEN];
839+ int fd;
840+ PS_FILES_DATA;
841+
842+ if (!ps_files_valid_key(key)) {
843+ return FAILURE;
844+ }
845+
846+ if (!PS(use_strict_mode)) {
847+ return SUCCESS;
848+ }
849+
850+ if (!ps_files_path_create(buf, sizeof(buf), data, key)) {
851+ return FAILURE;
852+ }
853+
854+ fd = VCWD_OPEN_MODE(buf, O_RDWR | O_BINARY, 0600);
855+
856+ if (fd != -1) {
857+ close(fd);
858+ return SUCCESS;
859+ }
860+
861+ return FAILURE;
862+}
863+
864 /*
865 * Local variables:
866 * tab-width: 4
867diff -Nura php-4.4.1/ext/session/mod_mm.c hardening-patch-4.4.1-0.4.6/ext/session/mod_mm.c
868--- php-4.4.1/ext/session/mod_mm.c 2004-06-30 03:12:09.000000000 +0200
869+++ hardening-patch-4.4.1-0.4.6/ext/session/mod_mm.c 2005-11-26 00:14:31.000000000 +0100
870@@ -425,6 +425,42 @@
871 return SUCCESS;
872 }
873
874+PS_VALIDATE_SID_FUNC(mm)
875+{
876+ PS_MM_DATA;
877+ ps_sd *sd;
878+ const char *p;
879+ char c;
880+ int ret = SUCCESS;
881+
882+ for (p = key; (c = *p); p++) {
883+ /* valid characters are a..z,A..Z,0..9 */
884+ if (!((c >= 'a' && c <= 'z')
885+ || (c >= 'A' && c <= 'Z')
886+ || (c >= '0' && c <= '9')
887+ || c == ','
888+ || c == '-')) {
889+ return FAILURE;
890+ }
891+ }
892+
893+ if (!PS(use_strict_mode)) {
894+ return SUCCESS;
895+ }
896+
897+ mm_lock(data->mm, MM_LOCK_RD);
898+
899+ sd = ps_sd_lookup(data, key, 0);
900+ if (sd) {
901+ mm_unlock(data->mm);
902+ return SUCCESS;
903+ }
904+
905+ mm_unlock(data->mm);
906+
907+ return FAILURE;
908+}
909+
910 #endif
911
912 /*
913diff -Nura php-4.4.1/ext/session/mod_user.c hardening-patch-4.4.1-0.4.6/ext/session/mod_user.c
914--- php-4.4.1/ext/session/mod_user.c 2002-12-31 17:35:20.000000000 +0100
915+++ hardening-patch-4.4.1-0.4.6/ext/session/mod_user.c 2005-11-26 00:14:31.000000000 +0100
916@@ -23,7 +23,7 @@
917 #include "mod_user.h"
918
919 ps_module ps_mod_user = {
920- PS_MOD(user)
921+ PS_MOD_SID(user)
922 };
923
924 #define SESS_ZVAL_LONG(val, a) \
925@@ -174,6 +174,83 @@
926 FINISH;
927 }
928
929+PS_CREATE_SID_FUNC(user)
930+{
931+ int i;
932+ char *val = NULL;
933+ zval *retval;
934+ ps_user *mdata = PS_GET_MOD_DATA();
935+
936+ if (!mdata)
937+ return estrndup("", 0);
938+
939+ if (PSF(create) == NULL || ZVAL_IS_NULL(PSF(create))) {
940+ return php_session_create_id(mod_data, newlen TSRMLS_CC);
941+ }
942+ retval = ps_call_handler(PSF(create), 0, NULL TSRMLS_CC);
943+
944+ if (retval) {
945+ if (Z_TYPE_P(retval) == IS_STRING) {
946+ val = estrndup(Z_STRVAL_P(retval), Z_STRLEN_P(retval));
947+ } else {
948+ val = estrndup("", 0);
949+ }
950+ zval_ptr_dtor(&retval);
951+ } else {
952+ val = estrndup("", 0);
953+ }
954+
955+ return val;
956+}
957+
958+static int ps_user_valid_key(const char *key TSRMLS_DC)
959+{
960+ size_t len;
961+ const char *p;
962+ char c;
963+ int ret = SUCCESS;
964+
965+ for (p = key; (c = *p); p++) {
966+ /* valid characters are a..z,A..Z,0..9 */
967+ if (!((c >= 'a' && c <= 'z')
968+ || (c >= 'A' && c <= 'Z')
969+ || (c >= '0' && c <= '9')
970+ || c == ','
971+ || c == '-')) {
972+ ret = FAILURE;
973+ break;
974+ }
975+ }
976+
977+ len = p - key;
978+
979+ if (len == 0)
980+ ret = FAILURE;
981+
982+ return ret;
983+}
984+
985+PS_VALIDATE_SID_FUNC(user)
986+{
987+ zval *args[1];
988+ STDVARS;
989+
990+ if (PSF(validate) == NULL || ZVAL_IS_NULL(PSF(validate))) {
991+ return ps_user_valid_key(key TSRMLS_CC);
992+ }
993+ SESS_ZVAL_STRING(key, args[0]);
994+
995+ retval = ps_call_handler(PSF(validate), 1, args TSRMLS_CC);
996+
997+ if (retval) {
998+ convert_to_long(retval);
999+ ret = Z_LVAL_P(retval) ? SUCCESS : FAILURE;
1000+ zval_ptr_dtor(&retval);
1001+ }
1002+
1003+ return ret;
1004+}
1005+
1006 /*
1007 * Local variables:
1008 * tab-width: 4
1009diff -Nura php-4.4.1/ext/session/mod_user.h hardening-patch-4.4.1-0.4.6/ext/session/mod_user.h
1010--- php-4.4.1/ext/session/mod_user.h 2005-02-13 18:54:56.000000000 +0100
1011+++ hardening-patch-4.4.1-0.4.6/ext/session/mod_user.h 2005-11-26 00:14:31.000000000 +0100
1012@@ -22,7 +22,7 @@
1013 #define MOD_USER_H
1014
1015 typedef union {
1016- zval *names[6];
1017+ zval *names[8];
1018 struct {
1019 zval *ps_open;
1020 zval *ps_close;
1021@@ -30,6 +30,8 @@
1022 zval *ps_write;
1023 zval *ps_destroy;
1024 zval *ps_gc;
1025+ zval *ps_create;
1026+ zval *ps_validate;
1027 } name;
1028 } ps_user;
1029
1030diff -Nura php-4.4.1/ext/session/php_session.h hardening-patch-4.4.1-0.4.6/ext/session/php_session.h
1031--- php-4.4.1/ext/session/php_session.h 2005-02-13 18:54:56.000000000 +0100
1032+++ hardening-patch-4.4.1-0.4.6/ext/session/php_session.h 2005-11-26 00:15:31.000000000 +0100
1033@@ -23,7 +23,7 @@
1034
1035 #include "ext/standard/php_var.h"
1036
1037-#define PHP_SESSION_API 20020330
1038+#define PHP_SESSION_API 20051121
1039
1040 #define PS_OPEN_ARGS void **mod_data, const char *save_path, const char *session_name TSRMLS_DC
1041 #define PS_CLOSE_ARGS void **mod_data TSRMLS_DC
1042@@ -32,6 +32,7 @@
1043 #define PS_DESTROY_ARGS void **mod_data, const char *key TSRMLS_DC
1044 #define PS_GC_ARGS void **mod_data, int maxlifetime, int *nrdels TSRMLS_DC
1045 #define PS_CREATE_SID_ARGS void **mod_data, int *newlen TSRMLS_DC
1046+#define PS_VALIDATE_SID_ARGS void **mod_data, const char *key TSRMLS_DC
1047
1048 /* default create id function */
1049 char *php_session_create_id(PS_CREATE_SID_ARGS);
1050@@ -45,6 +46,7 @@
1051 int (*s_destroy)(PS_DESTROY_ARGS);
1052 int (*s_gc)(PS_GC_ARGS);
1053 char *(*s_create_sid)(PS_CREATE_SID_ARGS);
1054+ int (*s_validate_sid)(PS_VALIDATE_SID_ARGS);
1055 } ps_module;
1056
1057 #define PS_GET_MOD_DATA() *mod_data
1058@@ -57,6 +59,7 @@
1059 #define PS_DESTROY_FUNC(x) int ps_delete_##x(PS_DESTROY_ARGS)
1060 #define PS_GC_FUNC(x) int ps_gc_##x(PS_GC_ARGS)
1061 #define PS_CREATE_SID_FUNC(x) char *ps_create_sid_##x(PS_CREATE_SID_ARGS)
1062+#define PS_VALIDATE_SID_FUNC(x) int ps_validate_sid_##x(PS_VALIDATE_SID_ARGS)
1063
1064 #define PS_FUNCS(x) \
1065 PS_OPEN_FUNC(x); \
1066@@ -65,11 +68,12 @@
1067 PS_WRITE_FUNC(x); \
1068 PS_DESTROY_FUNC(x); \
1069 PS_GC_FUNC(x); \
1070- PS_CREATE_SID_FUNC(x)
1071+ PS_CREATE_SID_FUNC(x); \
1072+ PS_VALIDATE_SID_FUNC(x)
1073
1074 #define PS_MOD(x) \
1075 #x, ps_open_##x, ps_close_##x, ps_read_##x, ps_write_##x, \
1076- ps_delete_##x, ps_gc_##x, php_session_create_id
1077+ ps_delete_##x, ps_gc_##x, php_session_create_id, ps_validate_sid_##x
1078
1079 /* SID enabled module handler definitions */
1080 #define PS_FUNCS_SID(x) \
1081@@ -79,11 +83,12 @@
1082 PS_WRITE_FUNC(x); \
1083 PS_DESTROY_FUNC(x); \
1084 PS_GC_FUNC(x); \
1085- PS_CREATE_SID_FUNC(x)
1086+ PS_CREATE_SID_FUNC(x); \
1087+ PS_VALIDATE_SID(x)
1088
1089 #define PS_MOD_SID(x) \
1090 #x, ps_open_##x, ps_close_##x, ps_read_##x, ps_write_##x, \
1091- ps_delete_##x, ps_gc_##x, ps_create_sid_##x
1092+ ps_delete_##x, ps_gc_##x, ps_create_sid_##x, ps_validate_sid_##x
1093
1094 typedef enum {
1095 php_session_disabled,
1096@@ -120,6 +125,7 @@
1097 zend_bool use_only_cookies;
1098 zend_bool use_trans_sid; /* contains the INI value of whether to use trans-sid */
1099 zend_bool apply_trans_sid; /* whether or not to enable trans-sid for the current request */
1100+ zend_bool use_strict_mode; /* whether or not PHP accepts unknown session ids */
1101 int send_cookie;
1102 int define_sid;
1103 } php_ps_globals;
1104diff -Nura php-4.4.1/ext/session/session.c hardening-patch-4.4.1-0.4.6/ext/session/session.c
1105--- php-4.4.1/ext/session/session.c 2005-09-23 10:16:01.000000000 +0200
1106+++ hardening-patch-4.4.1-0.4.6/ext/session/session.c 2005-11-26 00:25:26.000000000 +0100
1107@@ -155,6 +155,7 @@
1108 STD_PHP_INI_BOOLEAN("session.cookie_secure", "", PHP_INI_ALL, OnUpdateBool, cookie_secure, php_ps_globals, ps_globals)
1109 STD_PHP_INI_BOOLEAN("session.use_cookies", "1", PHP_INI_ALL, OnUpdateBool, use_cookies, php_ps_globals, ps_globals)
1110 STD_PHP_INI_BOOLEAN("session.use_only_cookies", "0", PHP_INI_ALL, OnUpdateBool, use_only_cookies, php_ps_globals, ps_globals)
1111+ STD_PHP_INI_BOOLEAN("session.use_strict_mode", "1", PHP_INI_ALL, OnUpdateBool, use_strict_mode, php_ps_globals, ps_globals)
1112 STD_PHP_INI_ENTRY("session.referer_check", "", PHP_INI_ALL, OnUpdateString, extern_referer_chk, php_ps_globals, ps_globals)
1113 STD_PHP_INI_ENTRY("session.entropy_file", "", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals, ps_globals)
1114 STD_PHP_INI_ENTRY("session.entropy_length", "0", PHP_INI_ALL, OnUpdateInt, entropy_length, php_ps_globals, ps_globals)
1115@@ -637,6 +638,15 @@
1116 return;
1117 }
1118
1119+ /* If there is an ID, use session module to verify it */
1120+ if (PS(id)) {
1121+ if (PS(mod)->s_validate_sid(&PS(mod_data), PS(id) TSRMLS_CC) == FAILURE) {
1122+ efree(PS(id));
1123+ PS(id) = NULL;
1124+ PS(send_cookie) = 1;
1125+ }
1126+ }
1127+
1128 /* If there is no ID, use session module to create one */
1129 if (!PS(id))
1130 PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);
1131@@ -1256,22 +1266,31 @@
1132 }
1133 /* }}} */
1134
1135-/* {{{ proto void session_set_save_handler(string open, string close, string read, string write, string destroy, string gc)
1136+/* {{{ proto void session_set_save_handler(string open, string close, string read, string write, string destroy, string gc[, string create, string validate])
1137 Sets user-level functions */
1138 PHP_FUNCTION(session_set_save_handler)
1139 {
1140- zval **args[6];
1141- int i;
1142+ zval **args[8];
1143+ int i, numargs;
1144 ps_user *mdata;
1145 char *name;
1146
1147+ numargs = ZEND_NUM_ARGS();
1148+ args[6] = NULL;
1149+ args[7] = NULL;
1150+
1151+ if (numargs < 6 || numargs > 8 || zend_get_parameters_array_ex(numargs, args) == FAILURE)
1152+ WRONG_PARAM_COUNT;
1153 if (ZEND_NUM_ARGS() != 6 || zend_get_parameters_array_ex(6, args) == FAILURE)
1154 WRONG_PARAM_COUNT;
1155
1156 if (PS(session_status) != php_session_none)
1157 RETURN_FALSE;
1158
1159- for (i = 0; i < 6; i++) {
1160+ for (i = 0; i < 8; i++) {
1161+ if (i >= 6 && (args[i] == NULL || ZVAL_IS_NULL(*args[i]))) {
1162+ continue;
1163+ }
1164 if (!zend_is_callable(*args[i], 0, &name)) {
1165 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Argument %d is not a valid callback", i+1);
1166 efree(name);
1167@@ -1284,7 +1303,11 @@
1168
1169 mdata = emalloc(sizeof(*mdata));
1170
1171- for (i = 0; i < 6; i++) {
1172+ for (i = 0; i < 8; i++) {
1173+ if (i >= 6 && (args[i] == NULL || ZVAL_IS_NULL(*args[i]))) {
1174+ mdata->names[i] = NULL;
1175+ continue;
1176+ }
1177 ZVAL_ADDREF(*args[i]);
1178 mdata->names[i] = *args[i];
1179 }
1180@@ -1345,8 +1368,20 @@
1181 Update the current session id with a newly generated one. */
1182 PHP_FUNCTION(session_regenerate_id)
1183 {
1184+ zend_bool del_ses = 0;
1185+
1186+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|b", &del_ses) == FAILURE) {
1187+ WRONG_PARAM_COUNT;
1188+ }
1189+
1190 if (PS(session_status) == php_session_active) {
1191- if (PS(id)) efree(PS(id));
1192+ if (PS(id)) {
1193+ if (del_ses && PS(mod)->s_destroy(&PS(mod_data), PS(id) TSRMLS_CC) == FAILURE) {
1194+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Session object destruction failed");
1195+ RETURN_FALSE;
1196+ }
1197+ efree(PS(id));
1198+ }
1199
1200 PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);
1201
1202diff -Nura php-4.4.1/ext/session/tests/014.phpt hardening-patch-4.4.1-0.4.6/ext/session/tests/014.phpt
1203--- php-4.4.1/ext/session/tests/014.phpt 2002-11-26 00:19:18.000000000 +0100
1204+++ hardening-patch-4.4.1-0.4.6/ext/session/tests/014.phpt 2005-11-26 00:33:45.000000000 +0100
1205@@ -5,6 +5,7 @@
1206 --INI--
1207 session.use_trans_sid=1
1208 session.use_cookies=0
1209+session.use_strict_mode=0
1210 session.cache_limiter=
1211 register_globals=1
1212 session.bug_compat_42=1
1213diff -Nura php-4.4.1/ext/session/tests/015.phpt hardening-patch-4.4.1-0.4.6/ext/session/tests/015.phpt
1214--- php-4.4.1/ext/session/tests/015.phpt 2002-11-26 00:19:19.000000000 +0100
1215+++ hardening-patch-4.4.1-0.4.6/ext/session/tests/015.phpt 2005-11-26 00:33:53.000000000 +0100
1216@@ -5,6 +5,7 @@
1217 --INI--
1218 session.use_trans_sid=1
1219 session.use_cookies=0
1220+session.use_strict_mode=0
1221 session.cache_limiter=
1222 arg_separator.output=&
1223 session.name=PHPSESSID
1224diff -Nura php-4.4.1/ext/session/tests/018.phpt hardening-patch-4.4.1-0.4.6/ext/session/tests/018.phpt
1225--- php-4.4.1/ext/session/tests/018.phpt 2002-11-26 00:19:19.000000000 +0100
1226+++ hardening-patch-4.4.1-0.4.6/ext/session/tests/018.phpt 2005-11-26 00:34:04.000000000 +0100
1227@@ -4,6 +4,7 @@
1228 <?php include('skipif.inc'); ?>
1229 --INI--
1230 session.use_cookies=0
1231+session.use_strict_mode=0
1232 session.cache_limiter=
1233 session.use_trans_sid=1
1234 session.name=PHPSESSID
1235diff -Nura php-4.4.1/ext/session/tests/020.phpt hardening-patch-4.4.1-0.4.6/ext/session/tests/020.phpt
1236--- php-4.4.1/ext/session/tests/020.phpt 2002-11-26 00:19:19.000000000 +0100
1237+++ hardening-patch-4.4.1-0.4.6/ext/session/tests/020.phpt 2005-11-26 00:34:18.000000000 +0100
1238@@ -4,6 +4,7 @@
1239 <?php include('skipif.inc'); ?>
1240 --INI--
1241 session.use_cookies=0
1242+session.use_strict_mode=0
1243 session.cache_limiter=
1244 session.use_trans_sid=1
1245 arg_separator.output=&amp;
1246diff -Nura php-4.4.1/ext/session/tests/021.phpt hardening-patch-4.4.1-0.4.6/ext/session/tests/021.phpt
1247--- php-4.4.1/ext/session/tests/021.phpt 2002-11-26 00:19:19.000000000 +0100
1248+++ hardening-patch-4.4.1-0.4.6/ext/session/tests/021.phpt 2005-11-26 00:34:24.000000000 +0100
1249@@ -4,6 +4,7 @@
1250 <?php include('skipif.inc'); ?>
1251 --INI--
1252 session.use_cookies=0
1253+session.use_strict_mode=0
1254 session.cache_limiter=
1255 session.use_trans_sid=1
1256 url_rewriter.tags="a=href,area=href,frame=src,input=src,form=,fieldset="
1257diff -Nura php-4.4.1/ext/standard/array.c hardening-patch-4.4.1-0.4.6/ext/standard/array.c
1258--- php-4.4.1/ext/standard/array.c 2005-10-03 16:05:07.000000000 +0200
1259+++ hardening-patch-4.4.1-0.4.6/ext/standard/array.c 2005-11-05 13:04:08.000000000 +0100
1260@@ -1162,6 +1162,32 @@
1261 }
1262 }
1263 }
1264+
1265+ if (var_name[0] == 'H') {
1266+ if ((strcmp(var_name, "HTTP_GET_VARS")==0)||
1267+ (strcmp(var_name, "HTTP_POST_VARS")==0)||
1268+ (strcmp(var_name, "HTTP_POST_FILES")==0)||
1269+ (strcmp(var_name, "HTTP_ENV_VARS")==0)||
1270+ (strcmp(var_name, "HTTP_SERVER_VARS")==0)||
1271+ (strcmp(var_name, "HTTP_SESSION_VARS")==0)||
1272+ (strcmp(var_name, "HTTP_COOKIE_VARS")==0)||
1273+ (strcmp(var_name, "HTTP_RAW_POST_DATA")==0)) {
1274+ return 0;
1275+ }
1276+ } else if (var_name[0] == '_') {
1277+ if ((strcmp(var_name, "_COOKIE")==0)||
1278+ (strcmp(var_name, "_ENV")==0)||
1279+ (strcmp(var_name, "_FILES")==0)||
1280+ (strcmp(var_name, "_GET")==0)||
1281+ (strcmp(var_name, "_POST")==0)||
1282+ (strcmp(var_name, "_REQUEST")==0)||
1283+ (strcmp(var_name, "_SESSION")==0)||
1284+ (strcmp(var_name, "_SERVER")==0)) {
1285+ return 0;
1286+ }
1287+ } else if (strcmp(var_name, "GLOBALS")==0) {
1288+ return 0;
1289+ }
1290
1291 return 1;
1292 }
1293diff -Nura php-4.4.1/ext/standard/basic_functions.c hardening-patch-4.4.1-0.4.6/ext/standard/basic_functions.c
1294--- php-4.4.1/ext/standard/basic_functions.c 2005-09-29 18:31:48.000000000 +0200
1295+++ hardening-patch-4.4.1-0.4.6/ext/standard/basic_functions.c 2005-11-05 13:04:08.000000000 +0100
1296@@ -107,12 +107,14 @@
1297 typedef struct _php_shutdown_function_entry {
1298 zval **arguments;
1299 int arg_count;
1300+ zend_bool created_by_eval;
1301 } php_shutdown_function_entry;
1302
1303 typedef struct _user_tick_function_entry {
1304 zval **arguments;
1305 int arg_count;
1306 int calling;
1307+ zend_bool created_by_eval;
1308 } user_tick_function_entry;
1309
1310 /* some prototypes for local functions */
1311@@ -295,6 +297,8 @@
1312 PHP_FE(get_html_translation_table, NULL)
1313 PHP_FE(sha1, NULL)
1314 PHP_FE(sha1_file, NULL)
1315+ PHP_FE(sha256, NULL)
1316+ PHP_FE(sha256_file, NULL)
1317 PHP_NAMED_FE(md5,php_if_md5, NULL)
1318 PHP_NAMED_FE(md5_file,php_if_md5_file, NULL)
1319 PHP_NAMED_FE(crc32,php_if_crc32, NULL)
1320@@ -676,7 +680,7 @@
1321 PHP_FALIAS(socket_get_status, stream_get_meta_data, NULL)
1322
1323 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
1324- PHP_FE(realpath, NULL)
1325+ PHP_STATIC_FE("realpath", zif_real_path, NULL)
1326 #endif
1327
1328 #ifdef HAVE_FNMATCH
1329@@ -2093,6 +2097,13 @@
1330 {
1331 zval retval;
1332 char *function_name = NULL;
1333+#if HARDENING_PATCH
1334+ zend_uint orig_code_type = EG(in_code_type);
1335+
1336+ if (shutdown_function_entry->created_by_eval) {
1337+ EG(in_code_type) = ZEND_EVAL_CODE;
1338+ }
1339+#endif
1340
1341 if (!zend_is_callable(shutdown_function_entry->arguments[0], 0, &function_name)) {
1342 php_error(E_WARNING, "(Registered shutdown functions) Unable to call %s() - function does not exist", function_name);
1343@@ -2108,6 +2119,9 @@
1344 if (function_name) {
1345 efree(function_name);
1346 }
1347+#if HARDENING_PATCH
1348+ EG(in_code_type) = orig_code_type;
1349+#endif
1350 return 0;
1351 }
1352
1353@@ -2115,6 +2129,13 @@
1354 {
1355 zval retval;
1356 zval *function = tick_fe->arguments[0];
1357+#if HARDENING_PATCH
1358+ zend_uint orig_code_type = EG(in_code_type);
1359+
1360+ if (tick_fe->created_by_eval) {
1361+ EG(in_code_type) = ZEND_EVAL_CODE;
1362+ }
1363+#endif
1364
1365 /* Prevent reentrant calls to the same user ticks function */
1366 if (! tick_fe->calling) {
1367@@ -2146,6 +2167,9 @@
1368
1369 tick_fe->calling = 0;
1370 }
1371+#if HARDENING_PATCH
1372+ EG(in_code_type) = orig_code_type;
1373+#endif
1374 }
1375
1376 static void run_user_tick_functions(int tick_count)
1377@@ -2213,6 +2237,13 @@
1378 if (zend_get_parameters_array(ht, shutdown_function_entry.arg_count, shutdown_function_entry.arguments) == FAILURE) {
1379 RETURN_FALSE;
1380 }
1381+#if HARDENING_PATCH
1382+ if (EG(in_code_type)==ZEND_EVAL_CODE) {
1383+ shutdown_function_entry.created_by_eval = 1;
1384+ } else {
1385+ shutdown_function_entry.created_by_eval = 0;
1386+ }
1387+#endif
1388
1389 /* Prevent entering of anything but valid callback (syntax check only!) */
1390 if (!zend_is_callable(shutdown_function_entry.arguments[0], 1, &function_name)) {
1391@@ -2750,6 +2781,13 @@
1392 }
1393
1394 tick_fe.arguments = (zval **) safe_emalloc(sizeof(zval *), tick_fe.arg_count, 0);
1395+#if HARDENING_PATCH
1396+ if (EG(in_code_type)==ZEND_EVAL_CODE) {
1397+ tick_fe.created_by_eval = 1;
1398+ } else {
1399+ tick_fe.created_by_eval = 0;
1400+ }
1401+#endif
1402
1403 if (zend_get_parameters_array(ht, tick_fe.arg_count, tick_fe.arguments) == FAILURE) {
1404 RETURN_FALSE;
1405@@ -3047,6 +3085,35 @@
1406 new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h);
1407 }
1408
1409+ if (new_key[0] == 'H') {
1410+ if ((strcmp(new_key, "HTTP_GET_VARS")==0)||
1411+ (strcmp(new_key, "HTTP_POST_VARS")==0)||
1412+ (strcmp(new_key, "HTTP_POST_FILES")==0)||
1413+ (strcmp(new_key, "HTTP_ENV_VARS")==0)||
1414+ (strcmp(new_key, "HTTP_SERVER_VARS")==0)||
1415+ (strcmp(new_key, "HTTP_SESSION_VARS")==0)||
1416+ (strcmp(new_key, "HTTP_COOKIE_VARS")==0)||
1417+ (strcmp(new_key, "HTTP_RAW_POST_DATA")==0)) {
1418+ efree(new_key);
1419+ return 0;
1420+ }
1421+ } else if (new_key[0] == '_') {
1422+ if ((strcmp(new_key, "_COOKIE")==0)||
1423+ (strcmp(new_key, "_ENV")==0)||
1424+ (strcmp(new_key, "_FILES")==0)||
1425+ (strcmp(new_key, "_GET")==0)||
1426+ (strcmp(new_key, "_POST")==0)||
1427+ (strcmp(new_key, "_REQUEST")==0)||
1428+ (strcmp(new_key, "_SESSION")==0)||
1429+ (strcmp(new_key, "_SERVER")==0)) {
1430+ efree(new_key);
1431+ return 0;
1432+ }
1433+ } else if (strcmp(new_key, "GLOBALS")==0) {
1434+ efree(new_key);
1435+ return 0;
1436+ }
1437+
1438 zend_hash_del(&EG(symbol_table), new_key, new_key_len);
1439 ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0);
1440
1441diff -Nura php-4.4.1/ext/standard/config.m4 hardening-patch-4.4.1-0.4.6/ext/standard/config.m4
1442--- php-4.4.1/ext/standard/config.m4 2004-12-30 08:02:18.000000000 +0100
1443+++ hardening-patch-4.4.1-0.4.6/ext/standard/config.m4 2005-11-05 13:04:08.000000000 +0100
1444@@ -203,7 +203,7 @@
1445 if test "$ac_cv_crypt_blowfish" = "yes"; then
1446 ac_result=1
1447 else
1448- ac_result=0
1449+ ac_result=1
1450 fi
1451 AC_DEFINE_UNQUOTED(PHP_BLOWFISH_CRYPT, $ac_result, [Whether the system supports BlowFish salt])
1452 ])
1453@@ -419,6 +419,6 @@
1454 url_scanner.c var.c versioning.c assert.c strnatcmp.c levenshtein.c \
1455 incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
1456 http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
1457- var_unserializer.c ftok.c aggregation.c sha1.c )
1458+ var_unserializer.c ftok.c aggregation.c sha1.c sha256.c crypt_blowfish.c )
1459
1460 PHP_ADD_MAKEFILE_FRAGMENT
1461diff -Nura php-4.4.1/ext/standard/crypt_blowfish.c hardening-patch-4.4.1-0.4.6/ext/standard/crypt_blowfish.c
1462--- php-4.4.1/ext/standard/crypt_blowfish.c 1970-01-01 01:00:00.000000000 +0100
1463+++ hardening-patch-4.4.1-0.4.6/ext/standard/crypt_blowfish.c 2005-11-05 13:04:08.000000000 +0100
1464@@ -0,0 +1,748 @@
1465+/*
1466+ * This code comes from John the Ripper password cracker, with reentrant
1467+ * and crypt(3) interfaces added, but optimizations specific to password
1468+ * cracking removed.
1469+ *
1470+ * Written by Solar Designer <solar at openwall.com> in 1998-2002 and
1471+ * placed in the public domain.
1472+ *
1473+ * There's absolutely no warranty.
1474+ *
1475+ * It is my intent that you should be able to use this on your system,
1476+ * as a part of a software package, or anywhere else to improve security,
1477+ * ensure compatibility, or for any other purpose. I would appreciate
1478+ * it if you give credit where it is due and keep your modifications in
1479+ * the public domain as well, but I don't require that in order to let
1480+ * you place this code and any modifications you make under a license
1481+ * of your choice.
1482+ *
1483+ * This implementation is compatible with OpenBSD bcrypt.c (version 2a)
1484+ * by Niels Provos <provos at citi.umich.edu>, and uses some of his
1485+ * ideas. The password hashing algorithm was designed by David Mazieres
1486+ * <dm at lcs.mit.edu>.
1487+ *
1488+ * There's a paper on the algorithm that explains its design decisions:
1489+ *
1490+ * http://www.usenix.org/events/usenix99/provos.html
1491+ *
1492+ * Some of the tricks in BF_ROUND might be inspired by Eric Young's
1493+ * Blowfish library (I can't be sure if I would think of something if I
1494+ * hadn't seen his code).
1495+ */
1496+
1497+#include <string.h>
1498+
1499+#include <errno.h>
1500+#ifndef __set_errno
1501+#define __set_errno(val) errno = (val)
1502+#endif
1503+
1504+#undef __CONST
1505+#ifdef __GNUC__
1506+#define __CONST __const
1507+#else
1508+#define __CONST
1509+#endif
1510+
1511+#ifdef __i386__
1512+#define BF_ASM 0
1513+#define BF_SCALE 1
1514+#elif defined(__alpha__) || defined(__hppa__)
1515+#define BF_ASM 0
1516+#define BF_SCALE 1
1517+#else
1518+#define BF_ASM 0
1519+#define BF_SCALE 0
1520+#endif
1521+
1522+typedef unsigned int BF_word;
1523+
1524+/* Number of Blowfish rounds, this is also hardcoded into a few places */
1525+#define BF_N 16
1526+
1527+typedef BF_word BF_key[BF_N + 2];
1528+
1529+typedef struct {
1530+ BF_word S[4][0x100];
1531+ BF_key P;
1532+} BF_ctx;
1533+
1534+/*
1535+ * Magic IV for 64 Blowfish encryptions that we do at the end.
1536+ * The string is "OrpheanBeholderScryDoubt" on big-endian.
1537+ */
1538+static BF_word BF_magic_w[6] = {
1539+ 0x4F727068, 0x65616E42, 0x65686F6C,
1540+ 0x64657253, 0x63727944, 0x6F756274
1541+};
1542+
1543+/*
1544+ * P-box and S-box tables initialized with digits of Pi.
1545+ */
1546+static BF_ctx BF_init_state = {
1547+ {
1548+ {
1549+ 0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7,
1550+ 0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99,
1551+ 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16,
1552+ 0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e,
1553+ 0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee,
1554+ 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013,
1555+ 0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef,
1556+ 0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e,
1557+ 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60,
1558+ 0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440,
1559+ 0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce,
1560+ 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a,
1561+ 0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e,
1562+ 0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677,
1563+ 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193,
1564+ 0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032,
1565+ 0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88,
1566+ 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239,
1567+ 0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e,
1568+ 0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0,
1569+ 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3,
1570+ 0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98,
1571+ 0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88,
1572+ 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe,
1573+ 0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6,
1574+ 0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d,
1575+ 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b,
1576+ 0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7,
1577+ 0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba,
1578+ 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463,
1579+ 0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f,
1580+ 0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09,
1581+ 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3,
1582+ 0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb,
1583+ 0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279,
1584+ 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8,
1585+ 0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab,
1586+ 0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82,
1587+ 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db,
1588+ 0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573,
1589+ 0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0,
1590+ 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b,
1591+ 0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790,
1592+ 0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8,
1593+ 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4,
1594+ 0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0,
1595+ 0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7,
1596+ 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c,
1597+ 0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad,
1598+ 0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1,
1599+ 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299,
1600+ 0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9,
1601+ 0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477,
1602+ 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf,
1603+ 0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49,
1604+ 0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af,
1605+ 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa,
1606+ 0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5,
1607+ 0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41,
1608+ 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915,
1609+ 0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400,
1610+ 0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915,
1611+ 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664,
1612+ 0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a
1613+ }, {
1614+ 0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623,
1615+ 0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266,
1616+ 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1,
1617+ 0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e,
1618+ 0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6,
1619+ 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1,
1620+ 0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e,
1621+ 0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1,
1622+ 0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737,
1623+ 0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8,
1624+ 0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff,
1625+ 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd,
1626+ 0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701,
1627+ 0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7,
1628+ 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41,
1629+ 0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331,
1630+ 0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf,
1631+ 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af,
1632+ 0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e,
1633+ 0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87,
1634+ 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c,
1635+ 0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2,
1636+ 0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16,
1637+ 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd,
1638+ 0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b,
1639+ 0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509,
1640+ 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e,
1641+ 0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3,
1642+ 0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f,
1643+ 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a,
1644+ 0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4,
1645+ 0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960,
1646+ 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66,
1647+ 0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28,
1648+ 0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802,
1649+ 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84,
1650+ 0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510,
1651+ 0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf,
1652+ 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14,
1653+ 0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e,
1654+ 0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50,
1655+ 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7,
1656+ 0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8,
1657+ 0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281,
1658+ 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99,
1659+ 0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696,
1660+ 0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128,
1661+ 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73,
1662+ 0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0,
1663+ 0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0,
1664+ 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105,
1665+ 0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250,
1666+ 0xcf62a1f2, 0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3,
1667+ 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285,
1668+ 0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00,
1669+ 0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061,
1670+ 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb,
1671+ 0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e,
1672+ 0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735,
1673+ 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc,
1674+ 0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9,
1675+ 0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340,
1676+ 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20,
1677+ 0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7
1678+ }, {
1679+ 0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934,
1680+ 0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068,
1681+ 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af,
1682+ 0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840,
1683+ 0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45,
1684+ 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504,
1685+ 0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a,
1686+ 0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb,
1687+ 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee,
1688+ 0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6,
1689+ 0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42,
1690+ 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b,
1691+ 0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2,
1692+ 0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb,
1693+ 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527,
1694+ 0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b,
1695+ 0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33,
1696+ 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c,
1697+ 0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3,
1698+ 0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc,
1699+ 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17,
1700+ 0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564,
1701+ 0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b,
1702+ 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115,
1703+ 0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922,
1704+ 0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728,
1705+ 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0,
1706+ 0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e,
1707+ 0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37,
1708+ 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d,
1709+ 0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804,
1710+ 0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b,
1711+ 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3,
1712+ 0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb,
1713+ 0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d,
1714+ 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c,
1715+ 0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350,
1716+ 0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9,
1717+ 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a,
1718+ 0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe,
1719+ 0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d,
1720+ 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc,
1721+ 0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f,
1722+ 0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61,
1723+ 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2,
1724+ 0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9,
1725+ 0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2,
1726+ 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c,
1727+ 0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e,
1728+ 0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633,
1729+ 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10,
1730+ 0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169,
1731+ 0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52,
1732+ 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027,
1733+ 0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5,
1734+ 0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62,
1735+ 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634,
1736+ 0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76,
1737+ 0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24,
1738+ 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc,
1739+ 0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4,
1740+ 0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c,
1741+ 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837,
1742+ 0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0
1743+ }, {
1744+ 0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b,
1745+ 0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe,
1746+ 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b,
1747+ 0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4,
1748+ 0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8,
1749+ 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6,
1750+ 0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304,
1751+ 0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22,
1752+ 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4,
1753+ 0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6,
1754+ 0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9,
1755+ 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59,
1756+ 0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593,
1757+ 0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51,
1758+ 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28,
1759+ 0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c,
1760+ 0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b,
1761+ 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28,
1762+ 0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c,
1763+ 0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd,
1764+ 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a,
1765+ 0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319,
1766+ 0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb,
1767+ 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f,
1768+ 0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991,
1769+ 0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32,
1770+ 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680,
1771+ 0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166,
1772+ 0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae,
1773+ 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb,
1774+ 0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5,
1775+ 0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47,
1776+ 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370,
1777+ 0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d,
1778+ 0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84,
1779+ 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048,
1780+ 0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8,
1781+ 0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd,
1782+ 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9,
1783+ 0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7,
1784+ 0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38,
1785+ 0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f,
1786+ 0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c,
1787+ 0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 0x9b941525,
1788+ 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1,
1789+ 0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442,
1790+ 0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964,
1791+ 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e,
1792+ 0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8,
1793+ 0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d,
1794+ 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f,
1795+ 0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299,
1796+ 0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02,
1797+ 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc,
1798+ 0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614,
1799+ 0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a,
1800+ 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6,
1801+ 0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b,
1802+ 0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0,
1803+ 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060,
1804+ 0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e,
1805+ 0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9,
1806+ 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f,
1807+ 0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6
1808+ }
1809+ }, {
1810+ 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344,
1811+ 0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89,
1812+ 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c,
1813+ 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917,
1814+ 0x9216d5d9, 0x8979fb1b
1815+ }
1816+};
1817+
1818+static unsigned char BF_itoa64[64 + 1] =
1819+ "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
1820+
1821+static unsigned char BF_atoi64[0x60] = {
1822+ 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 0, 1,
1823+ 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 64, 64, 64, 64, 64,
1824+ 64, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
1825+ 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 64, 64, 64, 64, 64,
1826+ 64, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42,
1827+ 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 64, 64, 64, 64, 64
1828+};
1829+
1830+/*
1831+ * This may be optimized out if built with function inlining and no BF_ASM.
1832+ */
1833+static void clean(void *data, int size)
1834+{
1835+#if BF_ASM
1836+ extern void _BF_clean(void *data);
1837+#endif
1838+ memset(data, 0, size);
1839+#if BF_ASM
1840+ _BF_clean(data);
1841+#endif
1842+}
1843+
1844+#define BF_safe_atoi64(dst, src) \
1845+{ \
1846+ tmp = (unsigned char)(src); \
1847+ if (tmp == '$') break; \
1848+ if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \
1849+ tmp = BF_atoi64[tmp]; \
1850+ if (tmp > 63) return -1; \
1851+ (dst) = tmp; \
1852+}
1853+
1854+static int BF_decode(BF_word *dst, __CONST char *src, int size)
1855+{
1856+ unsigned char *dptr = (unsigned char *)dst;
1857+ unsigned char *end = dptr + size;
1858+ unsigned char *sptr = (unsigned char *)src;
1859+ unsigned int tmp, c1, c2, c3, c4;
1860+
1861+ do {
1862+ BF_safe_atoi64(c1, *sptr++);
1863+ BF_safe_atoi64(c2, *sptr++);
1864+ *dptr++ = (c1 << 2) | ((c2 & 0x30) >> 4);
1865+ if (dptr >= end) break;
1866+
1867+ BF_safe_atoi64(c3, *sptr++);
1868+ *dptr++ = ((c2 & 0x0F) << 4) | ((c3 & 0x3C) >> 2);
1869+ if (dptr >= end) break;
1870+
1871+ BF_safe_atoi64(c4, *sptr++);
1872+ *dptr++ = ((c3 & 0x03) << 6) | c4;
1873+ } while (dptr < end);
1874+
1875+ while (dptr < end)
1876+ *dptr++ = 0;
1877+
1878+ return 0;
1879+}
1880+
1881+static void BF_encode(char *dst, __CONST BF_word *src, int size)
1882+{
1883+ unsigned char *sptr = (unsigned char *)src;
1884+ unsigned char *end = sptr + size;
1885+ unsigned char *dptr = (unsigned char *)dst;
1886+ unsigned int c1, c2;
1887+
1888+ do {
1889+ c1 = *sptr++;
1890+ *dptr++ = BF_itoa64[c1 >> 2];
1891+ c1 = (c1 & 0x03) << 4;
1892+ if (sptr >= end) {
1893+ *dptr++ = BF_itoa64[c1];
1894+ break;
1895+ }
1896+
1897+ c2 = *sptr++;
1898+ c1 |= c2 >> 4;
1899+ *dptr++ = BF_itoa64[c1];
1900+ c1 = (c2 & 0x0f) << 2;
1901+ if (sptr >= end) {
1902+ *dptr++ = BF_itoa64[c1];
1903+ break;
1904+ }
1905+
1906+ c2 = *sptr++;
1907+ c1 |= c2 >> 6;
1908+ *dptr++ = BF_itoa64[c1];
1909+ *dptr++ = BF_itoa64[c2 & 0x3f];
1910+ } while (sptr < end);
1911+}
1912+
1913+static void BF_swap(BF_word *x, int count)
1914+{
1915+ static int endianness_check = 1;
1916+ char *is_little_endian = (char *)&endianness_check;
1917+ BF_word tmp;
1918+
1919+ if (*is_little_endian)
1920+ do {
1921+ tmp = *x;
1922+ tmp = (tmp << 16) | (tmp >> 16);
1923+ *x++ = ((tmp & 0x00FF00FF) << 8) | ((tmp >> 8) & 0x00FF00FF);
1924+ } while (--count);
1925+}
1926+
1927+#if BF_SCALE
1928+/* Architectures which can shift addresses left by 2 bits with no extra cost */
1929+#define BF_ROUND(L, R, N) \
1930+ tmp1 = L & 0xFF; \
1931+ tmp2 = L >> 8; \
1932+ tmp2 &= 0xFF; \
1933+ tmp3 = L >> 16; \
1934+ tmp3 &= 0xFF; \
1935+ tmp4 = L >> 24; \
1936+ tmp1 = data.ctx.S[3][tmp1]; \
1937+ tmp2 = data.ctx.S[2][tmp2]; \
1938+ tmp3 = data.ctx.S[1][tmp3]; \
1939+ tmp3 += data.ctx.S[0][tmp4]; \
1940+ tmp3 ^= tmp2; \
1941+ R ^= data.ctx.P[N + 1]; \
1942+ tmp3 += tmp1; \
1943+ R ^= tmp3;
1944+#else
1945+/* Architectures with no complicated addressing modes supported */
1946+#define BF_INDEX(S, i) \
1947+ (*((BF_word *)(((unsigned char *)S) + (i))))
1948+#define BF_ROUND(L, R, N) \
1949+ tmp1 = L & 0xFF; \
1950+ tmp1 <<= 2; \
1951+ tmp2 = L >> 6; \
1952+ tmp2 &= 0x3FC; \
1953+ tmp3 = L >> 14; \
1954+ tmp3 &= 0x3FC; \
1955+ tmp4 = L >> 22; \
1956+ tmp4 &= 0x3FC; \
1957+ tmp1 = BF_INDEX(data.ctx.S[3], tmp1); \
1958+ tmp2 = BF_INDEX(data.ctx.S[2], tmp2); \
1959+ tmp3 = BF_INDEX(data.ctx.S[1], tmp3); \
1960+ tmp3 += BF_INDEX(data.ctx.S[0], tmp4); \
1961+ tmp3 ^= tmp2; \
1962+ R ^= data.ctx.P[N + 1]; \
1963+ tmp3 += tmp1; \
1964+ R ^= tmp3;
1965+#endif
1966+
1967+/*
1968+ * Encrypt one block, BF_N is hardcoded here.
1969+ */
1970+#define BF_ENCRYPT \
1971+ L ^= data.ctx.P[0]; \
1972+ BF_ROUND(L, R, 0); \
1973+ BF_ROUND(R, L, 1); \
1974+ BF_ROUND(L, R, 2); \
1975+ BF_ROUND(R, L, 3); \
1976+ BF_ROUND(L, R, 4); \
1977+ BF_ROUND(R, L, 5); \
1978+ BF_ROUND(L, R, 6); \
1979+ BF_ROUND(R, L, 7); \
1980+ BF_ROUND(L, R, 8); \
1981+ BF_ROUND(R, L, 9); \
1982+ BF_ROUND(L, R, 10); \
1983+ BF_ROUND(R, L, 11); \
1984+ BF_ROUND(L, R, 12); \
1985+ BF_ROUND(R, L, 13); \
1986+ BF_ROUND(L, R, 14); \
1987+ BF_ROUND(R, L, 15); \
1988+ tmp4 = R; \
1989+ R = L; \
1990+ L = tmp4 ^ data.ctx.P[BF_N + 1];
1991+
1992+#if BF_ASM
1993+#define BF_body() \
1994+ _BF_body_r(&data.ctx);
1995+#else
1996+#define BF_body() \
1997+ L = R = 0; \
1998+ ptr = data.ctx.P; \
1999+ do { \
2000+ ptr += 2; \
2001+ BF_ENCRYPT; \
2002+ *(ptr - 2) = L; \
2003+ *(ptr - 1) = R; \
2004+ } while (ptr < &data.ctx.P[BF_N + 2]); \
2005+\
2006+ ptr = data.ctx.S[0]; \
2007+ do { \
2008+ ptr += 2; \
2009+ BF_ENCRYPT; \
2010+ *(ptr - 2) = L; \
2011+ *(ptr - 1) = R; \
2012+ } while (ptr < &data.ctx.S[3][0xFF]);
2013+#endif
2014+
2015+static void BF_set_key(__CONST char *key, BF_key expanded, BF_key initial)
2016+{
2017+ __CONST char *ptr = key;
2018+ int i, j;
2019+ BF_word tmp;
2020+
2021+ for (i = 0; i < BF_N + 2; i++) {
2022+ tmp = 0;
2023+ for (j = 0; j < 4; j++) {
2024+ tmp <<= 8;
2025+ tmp |= *ptr;
2026+
2027+ if (!*ptr) ptr = key; else ptr++;
2028+ }
2029+
2030+ expanded[i] = tmp;
2031+ initial[i] = BF_init_state.P[i] ^ tmp;
2032+ }
2033+}
2034+
2035+char *_crypt_blowfish_rn(__CONST char *key, __CONST char *setting,
2036+ char *output, int size)
2037+{
2038+#if BF_ASM
2039+ extern void _BF_body_r(BF_ctx *ctx);
2040+#endif
2041+ struct {
2042+ BF_ctx ctx;
2043+ BF_key expanded_key;
2044+ union {
2045+ BF_word salt[4];
2046+ BF_word output[6];
2047+ } binary;
2048+ } data;
2049+ BF_word L, R;
2050+ BF_word tmp1, tmp2, tmp3, tmp4;
2051+ BF_word *ptr;
2052+ BF_word count;
2053+ int i;
2054+
2055+ if (size < 7 + 22 + 31 + 1) {
2056+ __set_errno(ERANGE);
2057+ return NULL;
2058+ }
2059+
2060+ if (setting[0] != '$' ||
2061+ setting[1] != '2' ||
2062+ setting[2] != 'a' ||
2063+ setting[3] != '$' ||
2064+ setting[4] < '0' || setting[4] > '3' ||
2065+ setting[5] < '0' || setting[5] > '9' ||
2066+ setting[6] != '$') {
2067+ __set_errno(EINVAL);
2068+ return NULL;
2069+ }
2070+
2071+ count = (BF_word)1 << ((setting[4] - '0') * 10 + (setting[5] - '0'));
2072+ if (count < 16 || BF_decode(data.binary.salt, &setting[7], 16)) {
2073+ clean(data.binary.salt, sizeof(data.binary.salt));
2074+ __set_errno(EINVAL);
2075+ return NULL;
2076+ }
2077+
2078+ BF_swap(data.binary.salt, 4);
2079+
2080+ BF_set_key(key, data.expanded_key, data.ctx.P);
2081+
2082+ memcpy(data.ctx.S, BF_init_state.S, sizeof(data.ctx.S));
2083+
2084+ L = R = 0;
2085+ for (i = 0; i < BF_N + 2; i += 2) {
2086+ L ^= data.binary.salt[i & 2];
2087+ R ^= data.binary.salt[(i & 2) + 1];
2088+ BF_ENCRYPT;
2089+ data.ctx.P[i] = L;
2090+ data.ctx.P[i + 1] = R;
2091+ }
2092+
2093+ ptr = data.ctx.S[0];
2094+ do {
2095+ ptr += 4;
2096+ L ^= data.binary.salt[(BF_N + 2) & 3];
2097+ R ^= data.binary.salt[(BF_N + 3) & 3];
2098+ BF_ENCRYPT;
2099+ *(ptr - 4) = L;
2100+ *(ptr - 3) = R;
2101+
2102+ L ^= data.binary.salt[(BF_N + 4) & 3];
2103+ R ^= data.binary.salt[(BF_N + 5) & 3];
2104+ BF_ENCRYPT;
2105+ *(ptr - 2) = L;
2106+ *(ptr - 1) = R;
2107+ } while (ptr < &data.ctx.S[3][0xFF]);
2108+
2109+ do {
2110+ data.ctx.P[0] ^= data.expanded_key[0];
2111+ data.ctx.P[1] ^= data.expanded_key[1];
2112+ data.ctx.P[2] ^= data.expanded_key[2];
2113+ data.ctx.P[3] ^= data.expanded_key[3];
2114+ data.ctx.P[4] ^= data.expanded_key[4];
2115+ data.ctx.P[5] ^= data.expanded_key[5];
2116+ data.ctx.P[6] ^= data.expanded_key[6];
2117+ data.ctx.P[7] ^= data.expanded_key[7];
2118+ data.ctx.P[8] ^= data.expanded_key[8];
2119+ data.ctx.P[9] ^= data.expanded_key[9];
2120+ data.ctx.P[10] ^= data.expanded_key[10];
2121+ data.ctx.P[11] ^= data.expanded_key[11];
2122+ data.ctx.P[12] ^= data.expanded_key[12];
2123+ data.ctx.P[13] ^= data.expanded_key[13];
2124+ data.ctx.P[14] ^= data.expanded_key[14];
2125+ data.ctx.P[15] ^= data.expanded_key[15];
2126+ data.ctx.P[16] ^= data.expanded_key[16];
2127+ data.ctx.P[17] ^= data.expanded_key[17];
2128+
2129+ BF_body();
2130+
2131+ tmp1 = data.binary.salt[0];
2132+ tmp2 = data.binary.salt[1];
2133+ tmp3 = data.binary.salt[2];
2134+ tmp4 = data.binary.salt[3];
2135+ data.ctx.P[0] ^= tmp1;
2136+ data.ctx.P[1] ^= tmp2;
2137+ data.ctx.P[2] ^= tmp3;
2138+ data.ctx.P[3] ^= tmp4;
2139+ data.ctx.P[4] ^= tmp1;
2140+ data.ctx.P[5] ^= tmp2;
2141+ data.ctx.P[6] ^= tmp3;
2142+ data.ctx.P[7] ^= tmp4;
2143+ data.ctx.P[8] ^= tmp1;
2144+ data.ctx.P[9] ^= tmp2;
2145+ data.ctx.P[10] ^= tmp3;
2146+ data.ctx.P[11] ^= tmp4;
2147+ data.ctx.P[12] ^= tmp1;
2148+ data.ctx.P[13] ^= tmp2;
2149+ data.ctx.P[14] ^= tmp3;
2150+ data.ctx.P[15] ^= tmp4;
2151+ data.ctx.P[16] ^= tmp1;
2152+ data.ctx.P[17] ^= tmp2;
2153+
2154+ BF_body();
2155+ } while (--count);
2156+
2157+ for (i = 0; i < 6; i += 2) {
2158+ L = BF_magic_w[i];
2159+ R = BF_magic_w[i + 1];
2160+
2161+ count = 64;
2162+ do {
2163+ BF_ENCRYPT;
2164+ } while (--count);
2165+
2166+ data.binary.output[i] = L;
2167+ data.binary.output[i + 1] = R;
2168+ }
2169+
2170+ memcpy(output, setting, 7 + 22 - 1);
2171+ output[7 + 22 - 1] = BF_itoa64[(int)
2172+ BF_atoi64[(int)setting[7 + 22 - 1] - 0x20] & 0x30];
2173+
2174+/* This has to be bug-compatible with the original implementation, so
2175+ * only encode 23 of the 24 bytes. :-) */
2176+ BF_swap(data.binary.output, 6);
2177+ BF_encode(&output[7 + 22], data.binary.output, 23);
2178+ output[7 + 22 + 31] = '\0';
2179+
2180+/* Overwrite the most obvious sensitive data we have on the stack. Note
2181+ * that this does not guarantee there's no sensitive data left on the
2182+ * stack and/or in registers; I'm not aware of portable code that does. */
2183+ clean(&data, sizeof(data));
2184+
2185+ return output;
2186+}
2187+
2188+char *_crypt_gensalt_blowfish_rn(unsigned long count,
2189+ __CONST char *input, int size, char *output, int output_size)
2190+{
2191+ if (size < 16 || output_size < 7 + 22 + 1 ||
2192+ (count && (count < 4 || count > 31))) {
2193+ if (output_size > 0) output[0] = '\0';
2194+ __set_errno((output_size < 7 + 22 + 1) ? ERANGE : EINVAL);
2195+ return NULL;
2196+ }
2197+
2198+ if (!count) count = 5;
2199+
2200+ output[0] = '$';
2201+ output[1] = '2';
2202+ output[2] = 'a';
2203+ output[3] = '$';
2204+ output[4] = '0' + count / 10;
2205+ output[5] = '0' + count % 10;
2206+ output[6] = '$';
2207+
2208+ BF_encode(&output[7], (BF_word *)input, 16);
2209+ output[7 + 22] = '\0';
2210+
2211+ return output;
2212+}
2213diff -Nura php-4.4.1/ext/standard/crypt.c hardening-patch-4.4.1-0.4.6/ext/standard/crypt.c
2214--- php-4.4.1/ext/standard/crypt.c 2004-01-19 04:16:04.000000000 +0100
2215+++ hardening-patch-4.4.1-0.4.6/ext/standard/crypt.c 2005-11-05 13:04:08.000000000 +0100
2216@@ -100,6 +100,8 @@
2217 return SUCCESS;
2218 }
2219
2220+char *_crypt_blowfish_rn(char *key, char *setting, char *output, int size);
2221+char *_crypt_gensalt_blowfish_rn(unsigned long count, char *input, int size, char *output, int output_size);
2222
2223 static unsigned char itoa64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
2224
2225@@ -135,7 +137,14 @@
2226
2227 /* The automatic salt generation only covers standard DES and md5-crypt */
2228 if(!*salt) {
2229-#if PHP_MD5_CRYPT
2230+#if PHP_BLOWFISH_CRYPT
2231+ char randat[16];
2232+ int i;
2233+
2234+ for (i=0; i<16; i++) randat[i] = PHP_CRYPT_RAND;
2235+
2236+ _crypt_gensalt_blowfish_rn(5, randat, sizeof(randat), salt, sizeof(salt));
2237+#elif PHP_MD5_CRYPT
2238 strcpy(salt, "$1$");
2239 php_to64(&salt[3], PHP_CRYPT_RAND, 4);
2240 php_to64(&salt[7], PHP_CRYPT_RAND, 4);
2241@@ -145,8 +154,24 @@
2242 salt[2] = '\0';
2243 #endif
2244 }
2245-
2246- RETVAL_STRING(crypt(str, salt), 1);
2247+
2248+ if (salt[0] == '$' &&
2249+ salt[1] == '2' &&
2250+ salt[2] == 'a' &&
2251+ salt[3] == '$' &&
2252+ salt[4] >= '0' && salt[4] <= '3' &&
2253+ salt[5] >= '0' && salt[5] <= '9' &&
2254+ salt[6] == '$') {
2255+
2256+ char output[PHP_MAX_SALT_LEN+1];
2257+
2258+ output[0] = 0;
2259+ _crypt_blowfish_rn(str, salt, output, sizeof(output));
2260+ RETVAL_STRING(output, 1);
2261+
2262+ } else {
2263+ RETVAL_STRING(crypt(str, salt), 1);
2264+ }
2265 }
2266 /* }}} */
2267 #endif
2268diff -Nura php-4.4.1/ext/standard/dl.c hardening-patch-4.4.1-0.4.6/ext/standard/dl.c
2269--- php-4.4.1/ext/standard/dl.c 2005-07-25 15:08:32.000000000 +0200
2270+++ hardening-patch-4.4.1-0.4.6/ext/standard/dl.c 2005-11-05 13:04:08.000000000 +0100
2271@@ -160,8 +160,35 @@
2272 RETURN_FALSE;
2273 }
2274 module_entry = get_module();
2275+
2276+ /* check if Hardening-Patch is installed */
2277+ if (module_entry->zend_api < 1000000000) {
2278+ php_error_docref(NULL TSRMLS_CC, error_type,
2279+ "%s: Unable to initialize module\n"
2280+ "Module compiled without Hardening-Patch, module API=%d, debug=%d, thread-safety=%d\n"
2281+ "PHP compiled with Hardening-Patch=%d, module API=%d, debug=%d, thread-safety=%d\n"
2282+ "These options need to match\n",
2283+ module_entry->name, module_entry->zend_api, module_entry->zend_debug, module_entry->zts,
2284+ HARDENING_PATCH_ZEND_MODULE_API_NO, ZEND_MODULE_API_NO, ZEND_DEBUG, USING_ZTS);
2285+ DL_UNLOAD(handle);
2286+ RETURN_FALSE;
2287+ }
2288+
2289+ /* check if correct Hardening-Patch is installed */
2290+ if (module_entry->zend_api != HARDENING_PATCH_ZEND_MODULE_API_NO) {
2291+ php_error_docref(NULL TSRMLS_CC, error_type,
2292+ "%s: Unable to initialize module\n"
2293+ "Module compiled with Hardening-Patch=%d, module API=%d, debug=%d, thread-safety=%d\n"
2294+ "PHP compiled with Hardening-Patch=%d, module API=%d, debug=%d, thread-safety=%d\n"
2295+ "These options need to match\n",
2296+ module_entry->name, module_entry->zend_api, module_entry->real_zend_api, module_entry->zend_debug, module_entry->zts,
2297+ HARDENING_PATCH_ZEND_MODULE_API_NO, ZEND_MODULE_API_NO, ZEND_DEBUG, USING_ZTS);
2298+ DL_UNLOAD(handle);
2299+ RETURN_FALSE;
2300+ }
2301+
2302 if ((module_entry->zend_debug != ZEND_DEBUG) || (module_entry->zts != USING_ZTS)
2303- || (module_entry->zend_api != ZEND_MODULE_API_NO)) {
2304+ || (module_entry->real_zend_api != ZEND_MODULE_API_NO)) {
2305 /* Check for pre-4.1.0 module which has a slightly different module_entry structure :( */
2306 struct pre_4_1_0_module_entry {
2307 char *name;
2308@@ -195,7 +222,7 @@
2309 zts = ((struct pre_4_1_0_module_entry *)module_entry)->zts;
2310 } else {
2311 name = module_entry->name;
2312- zend_api = module_entry->zend_api;
2313+ zend_api = module_entry->real_zend_api;
2314 zend_debug = module_entry->zend_debug;
2315 zts = module_entry->zts;
2316 }
2317diff -Nura php-4.4.1/ext/standard/file.c hardening-patch-4.4.1-0.4.6/ext/standard/file.c
2318--- php-4.4.1/ext/standard/file.c 2005-07-26 11:32:57.000000000 +0200
2319+++ hardening-patch-4.4.1-0.4.6/ext/standard/file.c 2005-11-05 13:04:08.000000000 +0100
2320@@ -2522,7 +2522,7 @@
2321 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
2322 /* {{{ proto string realpath(string path)
2323 Return the resolved path */
2324-PHP_FUNCTION(realpath)
2325+PHP_FUNCTION(real_path)
2326 {
2327 zval **path;
2328 char resolved_path_buff[MAXPATHLEN];
2329diff -Nura php-4.4.1/ext/standard/file.h hardening-patch-4.4.1-0.4.6/ext/standard/file.h
2330--- php-4.4.1/ext/standard/file.h 2004-06-21 21:33:47.000000000 +0200
2331+++ hardening-patch-4.4.1-0.4.6/ext/standard/file.h 2005-11-05 13:04:08.000000000 +0100
2332@@ -64,7 +64,7 @@
2333 PHP_FUNCTION(fd_set);
2334 PHP_FUNCTION(fd_isset);
2335 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
2336-PHP_FUNCTION(realpath);
2337+PHP_FUNCTION(real_path);
2338 #endif
2339 #ifdef HAVE_FNMATCH
2340 PHP_FUNCTION(fnmatch);
2341diff -Nura php-4.4.1/ext/standard/head.c hardening-patch-4.4.1-0.4.6/ext/standard/head.c
2342--- php-4.4.1/ext/standard/head.c 2005-07-27 13:22:36.000000000 +0200
2343+++ hardening-patch-4.4.1-0.4.6/ext/standard/head.c 2005-11-20 19:49:16.000000000 +0100
2344@@ -44,7 +44,7 @@
2345 if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|bl", &ctr.line,
2346 &ctr.line_len, &rep, &ctr.response_code) == FAILURE)
2347 return;
2348-
2349+
2350 sapi_header_op(rep ? SAPI_HEADER_REPLACE:SAPI_HEADER_ADD, &ctr TSRMLS_CC);
2351 }
2352 /* }}} */
2353diff -Nura php-4.4.1/ext/standard/info.c hardening-patch-4.4.1-0.4.6/ext/standard/info.c
2354--- php-4.4.1/ext/standard/info.c 2005-08-16 02:26:02.000000000 +0200
2355+++ hardening-patch-4.4.1-0.4.6/ext/standard/info.c 2005-11-05 13:04:08.000000000 +0100
2356@@ -408,7 +408,7 @@
2357
2358 if (flag & PHP_INFO_GENERAL) {
2359 char *zend_version = get_zend_version();
2360- char temp_api[9];
2361+ char temp_api[11];
2362
2363 php_uname = php_get_uname('a');
2364
2365@@ -430,11 +430,22 @@
2366 }
2367 }
2368
2369+#if HARDENING_PATCH
2370+ if (!sapi_module.phpinfo_as_text) {
2371+ php_printf("<h1 class=\"p\">PHP Version %s with <a href=\"http://www.hardened-php.net\">Hardening-Patch</a> %s</h1>\n", PHP_VERSION, HARDENING_PATCH_VERSION);
2372+ } else {
2373+ char temp_ver[40];
2374+
2375+ snprintf(temp_ver, sizeof(temp_ver), "%s/%s", PHP_VERSION, HARDENING_PATCH_VERSION);
2376+ php_info_print_table_row(2, "PHP/Hardening-Patch Version", temp_ver);
2377+ }
2378+#else
2379 if (!sapi_module.phpinfo_as_text) {
2380 php_printf("<h1 class=\"p\">PHP Version %s</h1>\n", PHP_VERSION);
2381 } else {
2382 php_info_print_table_row(2, "PHP Version", PHP_VERSION);
2383 }
2384+#endif
2385 php_info_print_box_end();
2386 php_info_print_table_start();
2387 php_info_print_table_row(2, "System", php_uname );
2388diff -Nura php-4.4.1/ext/standard/php_standard.h hardening-patch-4.4.1-0.4.6/ext/standard/php_standard.h
2389--- php-4.4.1/ext/standard/php_standard.h 2002-12-31 17:35:33.000000000 +0100
2390+++ hardening-patch-4.4.1-0.4.6/ext/standard/php_standard.h 2005-11-05 13:04:08.000000000 +0100
2391@@ -28,6 +28,7 @@
2392 #include "php_mail.h"
2393 #include "md5.h"
2394 #include "sha1.h"
2395+#include "sha256.h"
2396 #include "html.h"
2397 #include "exec.h"
2398 #include "file.h"
2399diff -Nura php-4.4.1/ext/standard/sha256.c hardening-patch-4.4.1-0.4.6/ext/standard/sha256.c
2400--- php-4.4.1/ext/standard/sha256.c 1970-01-01 01:00:00.000000000 +0100
2401+++ hardening-patch-4.4.1-0.4.6/ext/standard/sha256.c 2005-11-05 13:04:08.000000000 +0100
2402@@ -0,0 +1,398 @@
2403+/*
2404+ +----------------------------------------------------------------------+
2405+ | PHP Version 5 |
2406+ +----------------------------------------------------------------------+
2407+ | Copyright (c) 1997-2004 The PHP Group |
2408+ +----------------------------------------------------------------------+
2409+ | This source file is subject to version 3.0 of the PHP license, |
2410+ | that is bundled with this package in the file LICENSE, and is |
2411+ | available through the world-wide-web at the following url: |
2412+ | http://www.php.net/license/3_0.txt. |
2413+ | If you did not receive a copy of the PHP license and are unable to |
2414+ | obtain it through the world-wide-web, please send a note to |
2415+ | license@php.net so we can mail you a copy immediately. |
2416+ +----------------------------------------------------------------------+
2417+ | Author: Stefan Esser <sesser@php.net> |
2418+ +----------------------------------------------------------------------+
2419+*/
2420+
2421+/* $Id: sha256.c,v 1.9 2004/01/08 08:17:34 andi Exp $ */
2422+
2423+#include <stdio.h>
2424+#include "php.h"
2425+
2426+/* This code is heavily based on the PHP md5/sha1 implementations */
2427+
2428+#include "sha256.h"
2429+
2430+PHPAPI void make_sha256_digest(char *sha256str, unsigned char *digest)
2431+{
2432+ int i;
2433+
2434+ for (i = 0; i < 32; i++) {
2435+ sprintf(sha256str, "%02x", digest[i]);
2436+ sha256str += 2;
2437+ }
2438+
2439+ *sha256str = '\0';
2440+}
2441+
2442+/* {{{ proto string sha256(string str [, bool raw_output])
2443+ Calculate the sha256 hash of a string */
2444+PHP_FUNCTION(sha256)
2445+{
2446+ char *arg;
2447+ int arg_len;
2448+ zend_bool raw_output = 0;
2449+ char sha256str[65];
2450+ PHP_SHA256_CTX context;
2451+ unsigned char digest[32];
2452+
2453+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &arg, &arg_len, &raw_output) == FAILURE) {
2454+ return;
2455+ }
2456+
2457+ sha256str[0] = '\0';
2458+ PHP_SHA256Init(&context);
2459+ PHP_SHA256Update(&context, arg, arg_len);
2460+ PHP_SHA256Final(digest, &context);
2461+ if (raw_output) {
2462+ RETURN_STRINGL(digest, 32, 1);
2463+ } else {
2464+ make_sha256_digest(sha256str, digest);
2465+ RETVAL_STRING(sha256str, 1);
2466+ }
2467+
2468+}
2469+
2470+/* }}} */
2471+
2472+/* {{{ proto string sha256_file(string filename [, bool raw_output])
2473+ Calculate the sha256 hash of given filename */
2474+PHP_FUNCTION(sha256_file)
2475+{
2476+ char *arg;
2477+ int arg_len;
2478+ zend_bool raw_output = 0;
2479+ char sha256str[65];
2480+ unsigned char buf[1024];
2481+ unsigned char digest[32];
2482+ PHP_SHA256_CTX context;
2483+ int n;
2484+ FILE *fp;
2485+
2486+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &arg, &arg_len, &raw_output) == FAILURE) {
2487+ return;
2488+ }
2489+
2490+ if (PG(safe_mode) && (!php_checkuid(arg, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
2491+ RETURN_FALSE;
2492+ }
2493+
2494+ if (php_check_open_basedir(arg TSRMLS_CC)) {
2495+ RETURN_FALSE;
2496+ }
2497+
2498+ if ((fp = VCWD_FOPEN(arg, "rb")) == NULL) {
2499+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to open file");
2500+ RETURN_FALSE;
2501+ }
2502+
2503+ PHP_SHA256Init(&context);
2504+
2505+ while ((n = fread(buf, 1, sizeof(buf), fp)) > 0) {
2506+ PHP_SHA256Update(&context, buf, n);
2507+ }
2508+
2509+ PHP_SHA256Final(digest, &context);
2510+
2511+ if (ferror(fp)) {
2512+ fclose(fp);
2513+ RETURN_FALSE;
2514+ }
2515+
2516+ fclose(fp);
2517+
2518+ if (raw_output) {
2519+ RETURN_STRINGL(digest, 32, 1);
2520+ } else {
2521+ make_sha256_digest(sha256str, digest);
2522+ RETVAL_STRING(sha256str, 1);
2523+ }
2524+}
2525+/* }}} */
2526+
2527+
2528+static void SHA256Transform(php_uint32[8], const unsigned char[64]);
2529+static void SHA256Encode(unsigned char *, php_uint32 *, unsigned int);
2530+static void SHA256Decode(php_uint32 *, const unsigned char *, unsigned int);
2531+
2532+static unsigned char PADDING[64] =
2533+{
2534+ 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
2535+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
2536+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
2537+};
2538+
2539+/* F, G, H and I are basic SHA256 functions.
2540+ */
2541+#define F(x) (ROTATE_RIGHT(x,2) ^ ROTATE_RIGHT(x,13) ^ ROTATE_RIGHT(x,22))
2542+#define G(x, y, z) (((x) & (y)) | ((z) & ((y) | (x))))
2543+#define H(x) (ROTATE_RIGHT(x,6) ^ ROTATE_RIGHT(x,11) ^ ROTATE_RIGHT(x,25))
2544+#define I(x, y, z) (((x) & (y)) | ((~x) & z))
2545+
2546+/* ROTATE_RIGHT rotates x right n bits.
2547+ */
2548+#define ROTATE_RIGHT(x, n) (((x) >> (n)) | ((x) << (32-(n))))
2549+
2550+/* W[i]
2551+ */
2552+#define W(i) ( tmp1=ROTATE_RIGHT(x[(i-15)&15],7)^ROTATE_RIGHT(x[(i-15)&15],18)^(x[(i-15)&15] >> 3), \
2553+ tmp2=ROTATE_RIGHT(x[(i-2)&15],17)^ROTATE_RIGHT(x[(i-2)&15],19)^(x[(i-2)&15] >> 10), \
2554+ (x[i&15]=x[i&15] + tmp1 + x[(i-7)&15] + tmp2) )
2555+
2556+/* ROUND function of sha256
2557+ */
2558+
2559+#define ROUND(a,b,c,d,e,f,g,h,w,k) { \
2560+ t1 = (h) + H((e)) + I((e), (f), (g)) + (k) + (php_uint32)(w); \
2561+ (h) = F((a)) + G((a), (b), (c)) + t1; \
2562+ (d) += t1; \
2563+ }
2564+
2565+
2566+/* {{{ PHP_SHA256Init
2567+ * SHA256 initialization. Begins an SHA256 operation, writing a new context.
2568+ */
2569+PHPAPI void PHP_SHA256Init(PHP_SHA256_CTX * context)
2570+{
2571+ context->count[0] = context->count[1] = 0;
2572+ /* Load magic initialization constants.
2573+ */
2574+ context->state[0] = 0x6a09e667;
2575+ context->state[1] = 0xbb67ae85;
2576+ context->state[2] = 0x3c6ef372;
2577+ context->state[3] = 0xa54ff53a;
2578+ context->state[4] = 0x510e527f;
2579+ context->state[5] = 0x9b05688c;
2580+ context->state[6] = 0x1f83d9ab;
2581+ context->state[7] = 0x5be0cd19;
2582+}
2583+/* }}} */
2584+
2585+/* {{{ PHP_SHA256Update
2586+ SHA256 block update operation. Continues an SHA256 message-digest
2587+ operation, processing another message block, and updating the
2588+ context.
2589+ */
2590+PHPAPI void PHP_SHA256Update(PHP_SHA256_CTX * context, const unsigned char *input,
2591+ unsigned int inputLen)
2592+{
2593+ unsigned int i, index, partLen;
2594+
2595+ /* Compute number of bytes mod 64 */
2596+ index = (unsigned int) ((context->count[0] >> 3) & 0x3F);
2597+
2598+ /* Update number of bits */
2599+ if ((context->count[0] += ((php_uint32) inputLen << 3))
2600+ < ((php_uint32) inputLen << 3))
2601+ context->count[1]++;
2602+ context->count[1] += ((php_uint32) inputLen >> 29);
2603+
2604+ partLen = 64 - index;
2605+
2606+ /* Transform as many times as possible.
2607+ */
2608+ if (inputLen >= partLen) {
2609+ memcpy
2610+ ((unsigned char*) & context->buffer[index], (unsigned char*) input, partLen);
2611+ SHA256Transform(context->state, context->buffer);
2612+
2613+ for (i = partLen; i + 63 < inputLen; i += 64)
2614+ SHA256Transform(context->state, &input[i]);
2615+
2616+ index = 0;
2617+ } else
2618+ i = 0;
2619+
2620+ /* Buffer remaining input */
2621+ memcpy
2622+ ((unsigned char*) & context->buffer[index], (unsigned char*) & input[i],
2623+ inputLen - i);
2624+}
2625+/* }}} */
2626+
2627+/* {{{ PHP_SHA256Final
2628+ SHA256 finalization. Ends an SHA256 message-digest operation, writing the
2629+ the message digest and zeroizing the context.
2630+ */
2631+PHPAPI void PHP_SHA256Final(unsigned char digest[32], PHP_SHA256_CTX * context)
2632+{
2633+ unsigned char bits[8];
2634+ unsigned int index, padLen;
2635+
2636+ /* Save number of bits */
2637+ bits[7] = context->count[0] & 0xFF;
2638+ bits[6] = (context->count[0] >> 8) & 0xFF;
2639+ bits[5] = (context->count[0] >> 16) & 0xFF;
2640+ bits[4] = (context->count[0] >> 24) & 0xFF;
2641+ bits[3] = context->count[1] & 0xFF;
2642+ bits[2] = (context->count[1] >> 8) & 0xFF;
2643+ bits[1] = (context->count[1] >> 16) & 0xFF;
2644+ bits[0] = (context->count[1] >> 24) & 0xFF;
2645+
2646+ /* Pad out to 56 mod 64.
2647+ */
2648+ index = (unsigned int) ((context->count[0] >> 3) & 0x3f);
2649+ padLen = (index < 56) ? (56 - index) : (120 - index);
2650+ PHP_SHA256Update(context, PADDING, padLen);
2651+
2652+ /* Append length (before padding) */
2653+ PHP_SHA256Update(context, bits, 8);
2654+
2655+ /* Store state in digest */
2656+ SHA256Encode(digest, context->state, 32);
2657+
2658+ /* Zeroize sensitive information.
2659+ */
2660+ memset((unsigned char*) context, 0, sizeof(*context));
2661+}
2662+/* }}} */
2663+
2664+/* {{{ SHA256Transform
2665+ * SHA256 basic transformation. Transforms state based on block.
2666+ */
2667+static void SHA256Transform(state, block)
2668+php_uint32 state[8];
2669+const unsigned char block[64];
2670+{
2671+ php_uint32 a = state[0], b = state[1], c = state[2];
2672+ php_uint32 d = state[3], e = state[4], f = state[5];
2673+ php_uint32 g = state[6], h = state[7], x[16], tmp1, tmp2, t1;
2674+
2675+ SHA256Decode(x, block, 64);
2676+
2677+ ROUND(a, b, c, d, e, f, g, h, x[0], 0x428a2f98)
2678+ ROUND(h, a, b, c, d, e, f, g, x[1], 0x71374491)
2679+ ROUND(g, h, a, b, c, d, e, f, x[2], 0xb5c0fbcf)
2680+ ROUND(f, g, h, a, b, c, d, e, x[3], 0xe9b5dba5)
2681+ ROUND(e, f, g, h, a, b, c, d, x[4], 0x3956c25b)
2682+ ROUND(d, e, f, g, h, a, b, c, x[5], 0x59f111f1)
2683+ ROUND(c, d, e, f, g, h, a, b, x[6], 0x923f82a4)
2684+ ROUND(b, c, d, e, f, g, h, a, x[7], 0xab1c5ed5)
2685+ ROUND(a, b, c, d, e, f, g, h, x[8], 0xd807aa98)
2686+ ROUND(h, a, b, c, d, e, f, g, x[9], 0x12835b01)
2687+ ROUND(g, h, a, b, c, d, e, f, x[10], 0x243185be)
2688+ ROUND(f, g, h, a, b, c, d, e, x[11], 0x550c7dc3)
2689+ ROUND(e, f, g, h, a, b, c, d, x[12], 0x72be5d74)
2690+ ROUND(d, e, f, g, h, a, b, c, x[13], 0x80deb1fe)
2691+ ROUND(c, d, e, f, g, h, a, b, x[14], 0x9bdc06a7)
2692+ ROUND(b, c, d, e, f, g, h, a, x[15], 0xc19bf174)
2693+ ROUND(a, b, c, d, e, f, g, h, W(16), 0xe49b69c1)
2694+ ROUND(h, a, b, c, d, e, f, g, W(17), 0xefbe4786)
2695+ ROUND(g, h, a, b, c, d, e, f, W(18), 0x0fc19dc6)
2696+ ROUND(f, g, h, a, b, c, d, e, W(19), 0x240ca1cc)
2697+ ROUND(e, f, g, h, a, b, c, d, W(20), 0x2de92c6f)
2698+ ROUND(d, e, f, g, h, a, b, c, W(21), 0x4a7484aa)
2699+ ROUND(c, d, e, f, g, h, a, b, W(22), 0x5cb0a9dc)
2700+ ROUND(b, c, d, e, f, g, h, a, W(23), 0x76f988da)
2701+ ROUND(a, b, c, d, e, f, g, h, W(24), 0x983e5152)
2702+ ROUND(h, a, b, c, d, e, f, g, W(25), 0xa831c66d)
2703+ ROUND(g, h, a, b, c, d, e, f, W(26), 0xb00327c8)
2704+ ROUND(f, g, h, a, b, c, d, e, W(27), 0xbf597fc7)
2705+ ROUND(e, f, g, h, a, b, c, d, W(28), 0xc6e00bf3)
2706+ ROUND(d, e, f, g, h, a, b, c, W(29), 0xd5a79147)
2707+ ROUND(c, d, e, f, g, h, a, b, W(30), 0x06ca6351)
2708+ ROUND(b, c, d, e, f, g, h, a, W(31), 0x14292967)
2709+ ROUND(a, b, c, d, e, f, g, h, W(32), 0x27b70a85)
2710+ ROUND(h, a, b, c, d, e, f, g, W(33), 0x2e1b2138)
2711+ ROUND(g, h, a, b, c, d, e, f, W(34), 0x4d2c6dfc)
2712+ ROUND(f, g, h, a, b, c, d, e, W(35), 0x53380d13)
2713+ ROUND(e, f, g, h, a, b, c, d, W(36), 0x650a7354)
2714+ ROUND(d, e, f, g, h, a, b, c, W(37), 0x766a0abb)
2715+ ROUND(c, d, e, f, g, h, a, b, W(38), 0x81c2c92e)
2716+ ROUND(b, c, d, e, f, g, h, a, W(39), 0x92722c85)
2717+ ROUND(a, b, c, d, e, f, g, h, W(40), 0xa2bfe8a1)
2718+ ROUND(h, a, b, c, d, e, f, g, W(41), 0xa81a664b)
2719+ ROUND(g, h, a, b, c, d, e, f, W(42), 0xc24b8b70)
2720+ ROUND(f, g, h, a, b, c, d, e, W(43), 0xc76c51a3)
2721+ ROUND(e, f, g, h, a, b, c, d, W(44), 0xd192e819)
2722+ ROUND(d, e, f, g, h, a, b, c, W(45), 0xd6990624)
2723+ ROUND(c, d, e, f, g, h, a, b, W(46), 0xf40e3585)
2724+ ROUND(b, c, d, e, f, g, h, a, W(47), 0x106aa070)
2725+ ROUND(a, b, c, d, e, f, g, h, W(48), 0x19a4c116)
2726+ ROUND(h, a, b, c, d, e, f, g, W(49), 0x1e376c08)
2727+ ROUND(g, h, a, b, c, d, e, f, W(50), 0x2748774c)
2728+ ROUND(f, g, h, a, b, c, d, e, W(51), 0x34b0bcb5)
2729+ ROUND(e, f, g, h, a, b, c, d, W(52), 0x391c0cb3)
2730+ ROUND(d, e, f, g, h, a, b, c, W(53), 0x4ed8aa4a)
2731+ ROUND(c, d, e, f, g, h, a, b, W(54), 0x5b9cca4f)
2732+ ROUND(b, c, d, e, f, g, h, a, W(55), 0x682e6ff3)
2733+ ROUND(a, b, c, d, e, f, g, h, W(56), 0x748f82ee)
2734+ ROUND(h, a, b, c, d, e, f, g, W(57), 0x78a5636f)
2735+ ROUND(g, h, a, b, c, d, e, f, W(58), 0x84c87814)
2736+ ROUND(f, g, h, a, b, c, d, e, W(59), 0x8cc70208)
2737+ ROUND(e, f, g, h, a, b, c, d, W(60), 0x90befffa)
2738+ ROUND(d, e, f, g, h, a, b, c, W(61), 0xa4506ceb)
2739+ ROUND(c, d, e, f, g, h, a, b, W(62), 0xbef9a3f7)
2740+ ROUND(b, c, d, e, f, g, h, a, W(63), 0xc67178f2)
2741+
2742+ state[0] += a;
2743+ state[1] += b;
2744+ state[2] += c;
2745+ state[3] += d;
2746+ state[4] += e;
2747+ state[5] += f;
2748+ state[6] += g;
2749+ state[7] += h;
2750+
2751+ /* Zeroize sensitive information. */
2752+ memset((unsigned char*) x, 0, sizeof(x));
2753+}
2754+/* }}} */
2755+
2756+/* {{{ SHA256Encode
2757+ Encodes input (php_uint32) into output (unsigned char). Assumes len is
2758+ a multiple of 4.
2759+ */
2760+static void SHA256Encode(output, input, len)
2761+unsigned char *output;
2762+php_uint32 *input;
2763+unsigned int len;
2764+{
2765+ unsigned int i, j;
2766+
2767+ for (i = 0, j = 0; j < len; i++, j += 4) {
2768+ output[j] = (unsigned char) ((input[i] >> 24) & 0xff);
2769+ output[j + 1] = (unsigned char) ((input[i] >> 16) & 0xff);
2770+ output[j + 2] = (unsigned char) ((input[i] >> 8) & 0xff);
2771+ output[j + 3] = (unsigned char) (input[i] & 0xff);
2772+ }
2773+}
2774+/* }}} */
2775+
2776+/* {{{ SHA256Decode
2777+ Decodes input (unsigned char) into output (php_uint32). Assumes len is
2778+ a multiple of 4.
2779+ */
2780+static void SHA256Decode(output, input, len)
2781+php_uint32 *output;
2782+const unsigned char *input;
2783+unsigned int len;
2784+{
2785+ unsigned int i, j;
2786+
2787+ for (i = 0, j = 0; j < len; i++, j += 4)
2788+ output[i] = ((php_uint32) input[j + 3]) | (((php_uint32) input[j + 2]) << 8) |
2789+ (((php_uint32) input[j + 1]) << 16) | (((php_uint32) input[j]) << 24);
2790+}
2791+/* }}} */
2792+
2793+/*
2794+ * Local variables:
2795+ * tab-width: 4
2796+ * c-basic-offset: 4
2797+ * End:
2798+ * vim600: sw=4 ts=4 fdm=marker
2799+ * vim<600: sw=4 ts=4
2800+ */
2801diff -Nura php-4.4.1/ext/standard/sha256.h hardening-patch-4.4.1-0.4.6/ext/standard/sha256.h
2802--- php-4.4.1/ext/standard/sha256.h 1970-01-01 01:00:00.000000000 +0100
2803+++ hardening-patch-4.4.1-0.4.6/ext/standard/sha256.h 2005-11-05 13:04:08.000000000 +0100
2804@@ -0,0 +1,40 @@
2805+/*
2806+ +----------------------------------------------------------------------+
2807+ | PHP Version 5 |
2808+ +----------------------------------------------------------------------+
2809+ | Copyright (c) 1997-2004 The PHP Group |
2810+ +----------------------------------------------------------------------+
2811+ | This source file is subject to version 3.0 of the PHP license, |
2812+ | that is bundled with this package in the file LICENSE, and is |
2813+ | available through the world-wide-web at the following url: |
2814+ | http://www.php.net/license/3_0.txt. |
2815+ | If you did not receive a copy of the PHP license and are unable to |
2816+ | obtain it through the world-wide-web, please send a note to |
2817+ | license@php.net so we can mail you a copy immediately. |
2818+ +----------------------------------------------------------------------+
2819+ | Author: Stefan Esser <sesser@php.net> |
2820+ +----------------------------------------------------------------------+
2821+*/
2822+
2823+/* $Id: sha256.h,v 1.4 2004/01/08 17:32:52 sniper Exp $ */
2824+
2825+#ifndef SHA256_H
2826+#define SHA256_H
2827+
2828+#include "ext/standard/basic_functions.h"
2829+
2830+/* SHA1 context. */
2831+typedef struct {
2832+ php_uint32 state[8]; /* state (ABCD) */
2833+ php_uint32 count[2]; /* number of bits, modulo 2^64 (lsb first) */
2834+ unsigned char buffer[64]; /* input buffer */
2835+} PHP_SHA256_CTX;
2836+
2837+PHPAPI void PHP_SHA256Init(PHP_SHA256_CTX *);
2838+PHPAPI void PHP_SHA256Update(PHP_SHA256_CTX *, const unsigned char *, unsigned int);
2839+PHPAPI void PHP_SHA256Final(unsigned char[32], PHP_SHA256_CTX *);
2840+
2841+PHP_FUNCTION(sha256);
2842+PHP_FUNCTION(sha256_file);
2843+
2844+#endif
2845diff -Nura php-4.4.1/ext/standard/syslog.c hardening-patch-4.4.1-0.4.6/ext/standard/syslog.c
2846--- php-4.4.1/ext/standard/syslog.c 2004-07-30 16:38:29.000000000 +0200
2847+++ hardening-patch-4.4.1-0.4.6/ext/standard/syslog.c 2005-11-05 13:04:08.000000000 +0100
2848@@ -42,6 +42,8 @@
2849 */
2850 PHP_MINIT_FUNCTION(syslog)
2851 {
2852+
2853+#if !HARDENING_PATCH
2854 /* error levels */
2855 REGISTER_LONG_CONSTANT("LOG_EMERG", LOG_EMERG, CONST_CS | CONST_PERSISTENT); /* system unusable */
2856 REGISTER_LONG_CONSTANT("LOG_ALERT", LOG_ALERT, CONST_CS | CONST_PERSISTENT); /* immediate action required */
2857@@ -97,7 +99,7 @@
2858 /* AIX doesn't have LOG_PERROR */
2859 REGISTER_LONG_CONSTANT("LOG_PERROR", LOG_PERROR, CONST_CS | CONST_PERSISTENT); /*log to stderr*/
2860 #endif
2861-
2862+#endif
2863 return SUCCESS;
2864 }
2865 /* }}} */
2866diff -Nura php-4.4.1/ext/varfilter/config.m4 hardening-patch-4.4.1-0.4.6/ext/varfilter/config.m4
2867--- php-4.4.1/ext/varfilter/config.m4 1970-01-01 01:00:00.000000000 +0100
2868+++ hardening-patch-4.4.1-0.4.6/ext/varfilter/config.m4 2005-11-25 13:23:41.000000000 +0100
2869@@ -0,0 +1,11 @@
2870+dnl
2871+dnl $Id: config.m4,v 1.1 2004/11/14 13:27:16 ionic Exp $
2872+dnl
2873+
2874+PHP_ARG_ENABLE(varfilter, whether to enable Hardening-Patch's variable filter,
2875+[ --disable-varfilter Disable Hardening-Patch's variable filter], yes)
2876+
2877+if test "$PHP_VARFILTER" != "no"; then
2878+ AC_DEFINE(HAVE_VARFILTER, 1, [ ])
2879+ PHP_NEW_EXTENSION(varfilter, varfilter.c, $ext_shared)
2880+fi
2881diff -Nura php-4.4.1/ext/varfilter/CREDITS hardening-patch-4.4.1-0.4.6/ext/varfilter/CREDITS
2882--- php-4.4.1/ext/varfilter/CREDITS 1970-01-01 01:00:00.000000000 +0100
2883+++ hardening-patch-4.4.1-0.4.6/ext/varfilter/CREDITS 2005-11-25 13:23:41.000000000 +0100
2884@@ -0,0 +1,2 @@
2885+varfilter
2886+Stefan Esser
2887\ Kein Zeilenumbruch am Dateiende.
2888diff -Nura php-4.4.1/ext/varfilter/php_varfilter.h hardening-patch-4.4.1-0.4.6/ext/varfilter/php_varfilter.h
2889--- php-4.4.1/ext/varfilter/php_varfilter.h 1970-01-01 01:00:00.000000000 +0100
2890+++ hardening-patch-4.4.1-0.4.6/ext/varfilter/php_varfilter.h 2005-11-25 18:19:51.000000000 +0100
2891@@ -0,0 +1,144 @@
2892+/*
2893+ +----------------------------------------------------------------------+
2894+ | Hardened-PHP Project's varfilter extension |
2895+ +----------------------------------------------------------------------+
2896+ | Copyright (c) 2004-2005 Stefan Esser |
2897+ +----------------------------------------------------------------------+
2898+ | This source file is subject to version 2.02 of the PHP license, |
2899+ | that is bundled with this package in the file LICENSE, and is |
2900+ | available at through the world-wide-web at |
2901+ | http://www.php.net/license/2_02.txt. |
2902+ | If you did not receive a copy of the PHP license and are unable to |
2903+ | obtain it through the world-wide-web, please send a note to |
2904+ | license@php.net so we can mail you a copy immediately. |
2905+ +----------------------------------------------------------------------+
2906+ | Author: Stefan Esser <sesser@hardened-php.net> |
2907+ +----------------------------------------------------------------------+
2908+
2909+ $Id: php_varfilter.h,v 1.1 2004/11/14 13:27:16 ionic Exp $
2910+*/
2911+
2912+#ifndef PHP_VARFILTER_H
2913+#define PHP_VARFILTER_H
2914+
2915+extern zend_module_entry varfilter_module_entry;
2916+#define phpext_varfilter_ptr &varfilter_module_entry
2917+
2918+#ifdef PHP_WIN32
2919+#define PHP_VARFILTER_API __declspec(dllexport)
2920+#else
2921+#define PHP_VARFILTER_API
2922+#endif
2923+
2924+#ifdef ZTS
2925+#include "TSRM.h"
2926+#endif
2927+
2928+#include "SAPI.h"
2929+
2930+#include "php_variables.h"
2931+
2932+#ifdef ZEND_ENGINE_2
2933+#define HASH_HTTP_GET_VARS 0x2095733f
2934+#define HASH_HTTP_POST_VARS 0xbfee1265
2935+#define HASH_HTTP_COOKIE_VARS 0xaaca9d99
2936+#define HASH_HTTP_ENV_VARS 0x1fe186a8
2937+#define HASH_HTTP_SERVER_VARS 0xc987afd6
2938+#define HASH_HTTP_SESSION_VARS 0x7aba0d43
2939+#define HASH_HTTP_POST_FILES 0x98eb1ddc
2940+#define HASH_HTTP_RAW_POST_DATA 0xdd633fec
2941+#else
2942+#define HASH_HTTP_GET_VARS 0x8d8645bd
2943+#define HASH_HTTP_POST_VARS 0x7c699bf3
2944+#define HASH_HTTP_COOKIE_VARS 0x93ad0d6f
2945+#define HASH_HTTP_ENV_VARS 0x84da3016
2946+#define HASH_HTTP_SERVER_VARS 0x6dbf964e
2947+#define HASH_HTTP_SESSION_VARS 0x322906f5
2948+#define HASH_HTTP_POST_FILES 0xe4e4ce70
2949+#define HASH_HTTP_RAW_POST_DATA 0xe6137a0e
2950+#endif
2951+
2952+PHP_MINIT_FUNCTION(varfilter);
2953+PHP_MSHUTDOWN_FUNCTION(varfilter);
2954+PHP_RINIT_FUNCTION(varfilter);
2955+PHP_RSHUTDOWN_FUNCTION(varfilter);
2956+PHP_MINFO_FUNCTION(varfilter);
2957+
2958+
2959+ZEND_BEGIN_MODULE_GLOBALS(varfilter)
2960+/* request variables */
2961+ long max_request_variables;
2962+ long cur_request_variables;
2963+ long max_varname_length;
2964+ long max_totalname_length;
2965+ long max_value_length;
2966+ long max_array_depth;
2967+ long max_array_index_length;
2968+ zend_bool disallow_nul;
2969+/* cookie variables */
2970+ long max_cookie_vars;
2971+ long cur_cookie_vars;
2972+ long max_cookie_name_length;
2973+ long max_cookie_totalname_length;
2974+ long max_cookie_value_length;
2975+ long max_cookie_array_depth;
2976+ long max_cookie_array_index_length;
2977+ zend_bool disallow_cookie_nul;
2978+/* get variables */
2979+ long max_get_vars;
2980+ long cur_get_vars;
2981+ long max_get_name_length;
2982+ long max_get_totalname_length;
2983+ long max_get_value_length;
2984+ long max_get_array_depth;
2985+ long max_get_array_index_length;
2986+ zend_bool disallow_get_nul;
2987+/* post variables */
2988+ long max_post_vars;
2989+ long cur_post_vars;
2990+ long max_post_name_length;
2991+ long max_post_totalname_length;
2992+ long max_post_value_length;
2993+ long max_post_array_depth;
2994+ long max_post_array_index_length;
2995+ zend_bool disallow_post_nul;
2996+/* fileupload */
2997+ long max_uploads;
2998+ long cur_uploads;
2999+ zend_bool disallow_elf_files;
3000+ char *verification_script;
3001+
3002+ zend_bool no_more_variables;
3003+ zend_bool no_more_get_variables;
3004+ zend_bool no_more_post_variables;
3005+ zend_bool no_more_cookie_variables;
3006+ zend_bool no_more_uploads;
3007+
3008+ZEND_END_MODULE_GLOBALS(varfilter)
3009+
3010+
3011+#ifdef ZTS
3012+#define VARFILTER_G(v) TSRMG(varfilter_globals_id, zend_varfilter_globals *, v)
3013+#else
3014+#define VARFILTER_G(v) (varfilter_globals.v)
3015+#endif
3016+
3017+SAPI_INPUT_FILTER_FUNC(varfilter_input_filter);
3018+SAPI_UPLOAD_VARNAME_FILTER_FUNC(varfilter_upload_varname_filter);
3019+SAPI_PRE_UPLOAD_FILTER_FUNC(varfilter_pre_upload_filter);
3020+SAPI_UPLOAD_CONTENT_FILTER_FUNC(varfilter_upload_content_filter);
3021+SAPI_POST_UPLOAD_FILTER_FUNC(varfilter_post_upload_filter);
3022+SAPI_TREAT_DATA_FUNC(varfilter_treat_data);
3023+
3024+
3025+
3026+#endif /* PHP_VARFILTER_H */
3027+
3028+
3029+/*
3030+ * Local variables:
3031+ * tab-width: 4
3032+ * c-basic-offset: 4
3033+ * indent-tabs-mode: t
3034+ * End:
3035+ */
3036diff -Nura php-4.4.1/ext/varfilter/varfilter.c hardening-patch-4.4.1-0.4.6/ext/varfilter/varfilter.c
3037--- php-4.4.1/ext/varfilter/varfilter.c 1970-01-01 01:00:00.000000000 +0100
3038+++ hardening-patch-4.4.1-0.4.6/ext/varfilter/varfilter.c 2005-11-25 19:17:42.000000000 +0100
3039@@ -0,0 +1,915 @@
3040+/*
3041+ +----------------------------------------------------------------------+
3042+ | Hardened-PHP Project's varfilter extension |
3043+ +----------------------------------------------------------------------+
3044+ | Copyright (c) 2004-2005 Stefan Esser |
3045+ +----------------------------------------------------------------------+
3046+ | This source file is subject to version 2.02 of the PHP license, |
3047+ | that is bundled with this package in the file LICENSE, and is |
3048+ | available at through the world-wide-web at |
3049+ | http://www.php.net/license/2_02.txt. |
3050+ | If you did not receive a copy of the PHP license and are unable to |
3051+ | obtain it through the world-wide-web, please send a note to |
3052+ | license@php.net so we can mail you a copy immediately. |
3053+ +----------------------------------------------------------------------+
3054+ | Author: Stefan Esser <sesser@hardened-php.net> |
3055+ +----------------------------------------------------------------------+
3056+
3057+ $Id: varfilter.c,v 1.1 2004/11/14 13:27:16 ionic Exp $
3058+*/
3059+
3060+#ifdef HAVE_CONFIG_H
3061+#include "config.h"
3062+#endif
3063+
3064+#include "php.h"
3065+#include "php_ini.h"
3066+#include "ext/standard/info.h"
3067+#include "php_varfilter.h"
3068+#include "hardening_patch.h"
3069+
3070+ZEND_DECLARE_MODULE_GLOBALS(varfilter)
3071+
3072+/* True global resources - no need for thread safety here */
3073+static int le_varfilter;
3074+
3075+static void (*orig_register_server_variables)(zval *track_vars_array TSRMLS_DC) = NULL;
3076+static int (*orig_header_handler)(sapi_header_struct *sapi_header, sapi_headers_struct *sapi_headers TSRMLS_DC) = NULL;
3077+static zend_bool hooked = 0;
3078+
3079+/* {{{ varfilter_module_entry
3080+ */
3081+zend_module_entry varfilter_module_entry = {
3082+#if ZEND_MODULE_API_NO >= 20010901
3083+ STANDARD_MODULE_HEADER,
3084+#endif
3085+ "varfilter",
3086+ NULL,
3087+ PHP_MINIT(varfilter),
3088+ PHP_MSHUTDOWN(varfilter),
3089+ PHP_RINIT(varfilter), /* Replace with NULL if there's nothing to do at request start */
3090+ PHP_RSHUTDOWN(varfilter), /* Replace with NULL if there's nothing to do at request end */
3091+ PHP_MINFO(varfilter),
3092+#if ZEND_MODULE_API_NO >= 20010901
3093+ "0.4.6", /* Replace with version number for your extension */
3094+#endif
3095+ STANDARD_MODULE_PROPERTIES
3096+};
3097+/* }}} */
3098+
3099+#ifdef COMPILE_DL_VARFILTER
3100+ZEND_GET_MODULE(varfilter)
3101+#endif
3102+
3103+/* {{{ PHP_INI
3104+ */
3105+PHP_INI_BEGIN()
3106+ /* for backward compatibility */
3107+ STD_PHP_INI_ENTRY("varfilter.max_request_variables", "200", PHP_INI_PERDIR, OnUpdateLong, max_request_variables, zend_varfilter_globals, varfilter_globals)
3108+ STD_PHP_INI_ENTRY("varfilter.max_varname_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_varname_length, zend_varfilter_globals, varfilter_globals)
3109+ STD_PHP_INI_ENTRY("varfilter.max_value_length", "65000", PHP_INI_PERDIR, OnUpdateLong, max_value_length, zend_varfilter_globals, varfilter_globals)
3110+ STD_PHP_INI_ENTRY("varfilter.max_array_depth", "100", PHP_INI_PERDIR, OnUpdateLong, max_array_depth, zend_varfilter_globals, varfilter_globals)
3111+ STD_PHP_INI_ENTRY("varfilter.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_totalname_length, zend_varfilter_globals, varfilter_globals)
3112+ STD_PHP_INI_ENTRY("varfilter.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_array_index_length, zend_varfilter_globals, varfilter_globals)
3113+
3114+ STD_PHP_INI_ENTRY("hphp.request.max_vars", "200", PHP_INI_PERDIR, OnUpdateLong, max_request_variables, zend_varfilter_globals, varfilter_globals)
3115+ STD_PHP_INI_ENTRY("hphp.request.max_varname_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_varname_length, zend_varfilter_globals, varfilter_globals)
3116+ STD_PHP_INI_ENTRY("hphp.request.max_value_length", "65000", PHP_INI_PERDIR, OnUpdateLong, max_value_length, zend_varfilter_globals, varfilter_globals)
3117+ STD_PHP_INI_ENTRY("hphp.request.max_array_depth", "100", PHP_INI_PERDIR, OnUpdateLong, max_array_depth, zend_varfilter_globals, varfilter_globals)
3118+ STD_PHP_INI_ENTRY("hphp.request.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_totalname_length, zend_varfilter_globals, varfilter_globals)
3119+ STD_PHP_INI_ENTRY("hphp.request.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_array_index_length, zend_varfilter_globals, varfilter_globals)
3120+ STD_PHP_INI_ENTRY("hphp.request.disallow_nul", "1", PHP_INI_PERDIR, OnUpdateBool, disallow_nul, zend_varfilter_globals, varfilter_globals)
3121+
3122+ STD_PHP_INI_ENTRY("hphp.cookie.max_vars", "100", PHP_INI_PERDIR, OnUpdateLong, max_cookie_vars, zend_varfilter_globals, varfilter_globals)
3123+ STD_PHP_INI_ENTRY("hphp.cookie.max_name_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_cookie_name_length, zend_varfilter_globals, varfilter_globals)
3124+ STD_PHP_INI_ENTRY("hphp.cookie.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_cookie_totalname_length, zend_varfilter_globals, varfilter_globals)
3125+ STD_PHP_INI_ENTRY("hphp.cookie.max_value_length", "10000", PHP_INI_PERDIR, OnUpdateLong, max_cookie_value_length, zend_varfilter_globals, varfilter_globals)
3126+ STD_PHP_INI_ENTRY("hphp.cookie.max_array_depth", "100", PHP_INI_PERDIR, OnUpdateLong, max_cookie_array_depth, zend_varfilter_globals, varfilter_globals)
3127+ STD_PHP_INI_ENTRY("hphp.cookie.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_cookie_array_index_length, zend_varfilter_globals, varfilter_globals)
3128+ STD_PHP_INI_ENTRY("hphp.cookie.disallow_nul", "1", PHP_INI_PERDIR, OnUpdateBool, disallow_cookie_nul, zend_varfilter_globals, varfilter_globals)
3129+
3130+ STD_PHP_INI_ENTRY("hphp.get.max_vars", "100", PHP_INI_PERDIR, OnUpdateLong, max_get_vars, zend_varfilter_globals, varfilter_globals)
3131+ STD_PHP_INI_ENTRY("hphp.get.max_name_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_get_name_length, zend_varfilter_globals, varfilter_globals)
3132+ STD_PHP_INI_ENTRY("hphp.get.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_get_totalname_length, zend_varfilter_globals, varfilter_globals)
3133+ STD_PHP_INI_ENTRY("hphp.get.max_value_length", "512", PHP_INI_PERDIR, OnUpdateLong, max_get_value_length, zend_varfilter_globals, varfilter_globals)
3134+ STD_PHP_INI_ENTRY("hphp.get.max_array_depth", "50", PHP_INI_PERDIR, OnUpdateLong, max_get_array_depth, zend_varfilter_globals, varfilter_globals)
3135+ STD_PHP_INI_ENTRY("hphp.get.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_get_array_index_length, zend_varfilter_globals, varfilter_globals)
3136+ STD_PHP_INI_ENTRY("hphp.get.disallow_nul", "1", PHP_INI_PERDIR, OnUpdateBool, disallow_get_nul, zend_varfilter_globals, varfilter_globals)
3137+
3138+ STD_PHP_INI_ENTRY("hphp.post.max_vars", "200", PHP_INI_PERDIR, OnUpdateLong, max_post_vars, zend_varfilter_globals, varfilter_globals)
3139+ STD_PHP_INI_ENTRY("hphp.post.max_name_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_post_name_length, zend_varfilter_globals, varfilter_globals)
3140+ STD_PHP_INI_ENTRY("hphp.post.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_post_totalname_length, zend_varfilter_globals, varfilter_globals)
3141+ STD_PHP_INI_ENTRY("hphp.post.max_value_length", "65000", PHP_INI_PERDIR, OnUpdateLong, max_post_value_length, zend_varfilter_globals, varfilter_globals)
3142+ STD_PHP_INI_ENTRY("hphp.post.max_array_depth", "100", PHP_INI_PERDIR, OnUpdateLong, max_post_array_depth, zend_varfilter_globals, varfilter_globals)
3143+ STD_PHP_INI_ENTRY("hphp.post.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_post_array_index_length, zend_varfilter_globals, varfilter_globals)
3144+ STD_PHP_INI_ENTRY("hphp.post.disallow_nul", "1", PHP_INI_PERDIR, OnUpdateBool, disallow_post_nul, zend_varfilter_globals, varfilter_globals)
3145+
3146+ STD_PHP_INI_ENTRY("hphp.upload.max_uploads", "25", PHP_INI_PERDIR, OnUpdateLong, max_uploads, zend_varfilter_globals, varfilter_globals)
3147+ STD_PHP_INI_ENTRY("hphp.upload.disallow_elf_files", "1", PHP_INI_SYSTEM, OnUpdateBool, disallow_elf_files, zend_varfilter_globals, varfilter_globals)
3148+ STD_PHP_INI_ENTRY("hphp.upload.verification_script", NULL, PHP_INI_SYSTEM, OnUpdateString, verification_script, zend_varfilter_globals, varfilter_globals)
3149+
3150+
3151+PHP_INI_END()
3152+/* }}} */
3153+
3154+/* {{{ php_varfilter_init_globals
3155+ */
3156+static void php_varfilter_init_globals(zend_varfilter_globals *varfilter_globals)
3157+{
3158+ varfilter_globals->max_request_variables = 200;
3159+ varfilter_globals->max_varname_length = 64;
3160+ varfilter_globals->max_value_length = 10000;
3161+ varfilter_globals->max_array_depth = 100;
3162+ varfilter_globals->max_totalname_length = 256;
3163+ varfilter_globals->max_array_index_length = 64;
3164+ varfilter_globals->disallow_nul = 1;
3165+
3166+ varfilter_globals->max_cookie_vars = 100;
3167+ varfilter_globals->max_cookie_name_length = 64;
3168+ varfilter_globals->max_cookie_totalname_length = 256;
3169+ varfilter_globals->max_cookie_value_length = 10000;
3170+ varfilter_globals->max_cookie_array_depth = 100;
3171+ varfilter_globals->max_cookie_array_index_length = 64;
3172+ varfilter_globals->disallow_cookie_nul = 1;
3173+
3174+ varfilter_globals->max_get_vars = 100;
3175+ varfilter_globals->max_get_name_length = 64;
3176+ varfilter_globals->max_get_totalname_length = 256;
3177+ varfilter_globals->max_get_value_length = 512;
3178+ varfilter_globals->max_get_array_depth = 50;
3179+ varfilter_globals->max_get_array_index_length = 64;
3180+ varfilter_globals->disallow_get_nul = 1;
3181+
3182+ varfilter_globals->max_post_vars = 200;
3183+ varfilter_globals->max_post_name_length = 64;
3184+ varfilter_globals->max_post_totalname_length = 256;
3185+ varfilter_globals->max_post_value_length = 65000;
3186+ varfilter_globals->max_post_array_depth = 100;
3187+ varfilter_globals->max_post_array_index_length = 64;
3188+ varfilter_globals->disallow_post_nul = 1;
3189+
3190+ varfilter_globals->max_uploads = 25;
3191+ varfilter_globals->disallow_elf_files = 1;
3192+ varfilter_globals->verification_script = NULL;
3193+
3194+ varfilter_globals->no_more_variables = 0;
3195+ varfilter_globals->no_more_get_variables = 0;
3196+ varfilter_globals->no_more_post_variables = 0;
3197+ varfilter_globals->no_more_cookie_variables = 0;
3198+ varfilter_globals->no_more_uploads = 0;
3199+
3200+ varfilter_globals->cur_request_variables = 0;
3201+ varfilter_globals->cur_get_vars = 0;
3202+ varfilter_globals->cur_post_vars = 0;
3203+ varfilter_globals->cur_cookie_vars = 0;
3204+
3205+ varfilter_globals->cur_uploads = 0;
3206+
3207+}
3208+/* }}} */
3209+
3210+
3211+void varfilter_register_server_variables(zval *track_vars_array TSRMLS_DC)
3212+{
3213+ HashTable *svars;
3214+ int retval, failure=0;
3215+
3216+ orig_register_server_variables(track_vars_array TSRMLS_CC);
3217+
3218+ svars = Z_ARRVAL_P(track_vars_array);
3219+
3220+ retval = zend_hash_del_key_or_index(svars, "HTTP_GET_VARS", sizeof("HTTP_GET_VARS"), HASH_HTTP_GET_VARS, HASH_DEL_INDEX);
3221+ if (retval == SUCCESS) failure = 1;
3222+ retval = zend_hash_del_key_or_index(svars, "HTTP_POST_VARS", sizeof("HTTP_POST_VARS"), HASH_HTTP_POST_VARS, HASH_DEL_INDEX);
3223+ if (retval == SUCCESS) failure = 1;
3224+ retval = zend_hash_del_key_or_index(svars, "HTTP_COOKIE_VARS", sizeof("HTTP_COOKIE_VARS"), HASH_HTTP_COOKIE_VARS, HASH_DEL_INDEX);
3225+ if (retval == SUCCESS) failure = 1;
3226+ retval = zend_hash_del_key_or_index(svars, "HTTP_ENV_VARS", sizeof("HTTP_ENV_VARS"), HASH_HTTP_ENV_VARS, HASH_DEL_INDEX);
3227+ if (retval == SUCCESS) failure = 1;
3228+ retval = zend_hash_del_key_or_index(svars, "HTTP_SERVER_VARS", sizeof("HTTP_SERVER_VARS"), HASH_HTTP_SERVER_VARS, HASH_DEL_INDEX);
3229+ if (retval == SUCCESS) failure = 1;
3230+ retval = zend_hash_del_key_or_index(svars, "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS"), HASH_HTTP_SESSION_VARS, HASH_DEL_INDEX);
3231+ if (retval == SUCCESS) failure = 1;
3232+ retval = zend_hash_del_key_or_index(svars, "HTTP_POST_FILES", sizeof("HTTP_POST_FILES"), HASH_HTTP_POST_FILES, HASH_DEL_INDEX);
3233+ if (retval == SUCCESS) failure = 1;
3234+ retval = zend_hash_del_key_or_index(svars, "HTTP_RAW_POST_DATA", sizeof("HTTP_RAW_POST_DATA"), HASH_HTTP_RAW_POST_DATA, HASH_DEL_INDEX);
3235+ if (retval == SUCCESS) failure = 1;
3236+
3237+ if (failure) {
3238+ php_security_log(S_VARS, "Attacker tried to overwrite a superglobal through a HTTP header");
3239+ }
3240+}
3241+
3242+int varfilter_header_handler(sapi_header_struct *sapi_header, sapi_headers_struct *sapi_headers TSRMLS_DC)
3243+{
3244+ int retval, i;
3245+ char *tmp;
3246+
3247+ if (!HG(hphp_multiheader) && sapi_header && sapi_header->header) {
3248+
3249+ tmp = sapi_header->header;
3250+ for (i=0; i<sapi_header->header_len; i++, tmp++) {
3251+ if (tmp[0] == 0) {
3252+ char *fname = get_active_function_name(TSRMLS_C);
3253+
3254+ if (!fname) {
3255+ fname = "unknown";
3256+ }
3257+
3258+ php_security_log(S_MISC, "%s() - wanted to send a HTTP header with an ASCII NUL in it", fname);
3259+ sapi_header->header_len = i;
3260+ } else if (tmp[0] == '\n' && (i == sapi_header->header_len-1 || (tmp[1] != ' ' && tmp[1] != '\t'))) {
3261+ char *fname = get_active_function_name(TSRMLS_C);
3262+
3263+ if (!fname) {
3264+ fname = "unknown";
3265+ }
3266+
3267+ php_security_log(S_MISC, "%s() - wanted to send multiple HTTP headers at once", fname);
3268+ sapi_header->header_len = i;
3269+ tmp[0] = 0;
3270+ }
3271+ }
3272+ }
3273+
3274+ if (orig_header_handler) {
3275+ retval = orig_header_handler(sapi_header, sapi_headers TSRMLS_CC);
3276+ }
3277+
3278+ return retval;
3279+}
3280+
3281+/* {{{ PHP_MINIT_FUNCTION
3282+ */
3283+PHP_MINIT_FUNCTION(varfilter)
3284+{
3285+ ZEND_INIT_MODULE_GLOBALS(varfilter, php_varfilter_init_globals, NULL);
3286+ REGISTER_INI_ENTRIES();
3287+
3288+ if (!hooked) {
3289+ void *temp;
3290+ hooked = 1;
3291+
3292+ temp = (void *)sapi_module.register_server_variables;
3293+ if (temp != varfilter_register_server_variables) {
3294+ orig_register_server_variables = temp;
3295+ }
3296+ temp = (void *)sapi_module.header_handler;
3297+ if (temp != varfilter_header_handler) {
3298+ orig_header_handler = temp;
3299+ }
3300+ }
3301+
3302+ sapi_register_input_filter(varfilter_input_filter);
3303+ sapi_register_upload_varname_filter(varfilter_upload_varname_filter);
3304+ sapi_register_pre_upload_filter(varfilter_pre_upload_filter);
3305+ sapi_register_upload_content_filter(varfilter_upload_content_filter);
3306+ sapi_register_post_upload_filter(varfilter_post_upload_filter);
3307+
3308+ sapi_module.header_handler = varfilter_header_handler;
3309+ sapi_module.register_server_variables = varfilter_register_server_variables;
3310+
3311+
3312+ return SUCCESS;
3313+}
3314+/* }}} */
3315+
3316+/* {{{ PHP_MSHUTDOWN_FUNCTION
3317+ */
3318+PHP_MSHUTDOWN_FUNCTION(varfilter)
3319+{
3320+ UNREGISTER_INI_ENTRIES();
3321+
3322+ return SUCCESS;
3323+}
3324+/* }}} */
3325+
3326+/* Remove if there's nothing to do at request start */
3327+/* {{{ PHP_RINIT_FUNCTION
3328+ */
3329+PHP_RINIT_FUNCTION(varfilter)
3330+{
3331+ VARFILTER_G(cur_request_variables) = 0;
3332+ VARFILTER_G(cur_get_vars) = 0;
3333+ VARFILTER_G(cur_post_vars) = 0;
3334+ VARFILTER_G(cur_cookie_vars) = 0;
3335+
3336+ VARFILTER_G(cur_uploads) = 0;
3337+
3338+ VARFILTER_G(no_more_variables) = 0;
3339+ VARFILTER_G(no_more_get_variables) = 0;
3340+ VARFILTER_G(no_more_post_variables) = 0;
3341+ VARFILTER_G(no_more_cookie_variables) = 0;
3342+ VARFILTER_G(no_more_uploads) = 0;
3343+
3344+ return SUCCESS;
3345+}
3346+/* }}} */
3347+
3348+/* Remove if there's nothing to do at request end */
3349+/* {{{ PHP_RSHUTDOWN_FUNCTION
3350+ */
3351+PHP_RSHUTDOWN_FUNCTION(varfilter)
3352+{
3353+ return SUCCESS;
3354+}
3355+/* }}} */
3356+
3357+/* {{{ PHP_MINFO_FUNCTION
3358+ */
3359+PHP_MINFO_FUNCTION(varfilter)
3360+{
3361+ php_info_print_table_start();
3362+ php_info_print_table_header(2, "Hardening-Patch's variable filter support", "enabled");
3363+ php_info_print_table_end();
3364+
3365+ DISPLAY_INI_ENTRIES();
3366+}
3367+/* }}} */
3368+
3369+/* {{{ normalize_varname
3370+ */
3371+static void normalize_varname(char *varname)
3372+{
3373+ char *s=varname, *index=NULL, *indexend=NULL, *p;
3374+
3375+ /* overjump leading space */
3376+ while (*s == ' ') {
3377+ s++;
3378+ }
3379+
3380+ /* and remove it */
3381+ if (s != varname) {
3382+ memmove(varname, s, strlen(s)+1);
3383+ }
3384+
3385+ for (p=varname; *p && *p != '['; p++) {
3386+ switch(*p) {
3387+ case ' ':
3388+ case '.':
3389+ *p='_';
3390+ break;
3391+ }
3392+ }
3393+
3394+ /* find index */
3395+ index = strchr(varname, '[');
3396+ if (index) {
3397+ index++;
3398+ s=index;
3399+ } else {
3400+ return;
3401+ }
3402+
3403+ /* done? */
3404+ while (index) {
3405+
3406+ while (*index == ' ' || *index == '\r' || *index == '\n' || *index=='\t') {
3407+ index++;
3408+ }
3409+ indexend = strchr(index, ']');
3410+ indexend = indexend ? indexend + 1 : index + strlen(index);
3411+
3412+ if (s != index) {
3413+ memmove(s, index, strlen(index)+1);
3414+ s += indexend-index;
3415+ } else {
3416+ s = indexend;
3417+ }
3418+
3419+ if (*s == '[') {
3420+ s++;
3421+ index = s;
3422+ } else {
3423+ index = NULL;
3424+ }
3425+ }
3426+ *s++='\0';
3427+}
3428+/* }}} */
3429+
3430+/* {{{ SAPI_UPLOAD_VARNAME_FILTER_FUNC
3431+ */
3432+SAPI_UPLOAD_VARNAME_FILTER_FUNC(varfilter_upload_varname_filter)
3433+{
3434+ char *index, *prev_index = NULL, *var;
3435+ unsigned int var_len, total_len, depth = 0;
3436+
3437+ var = estrdup(varname);
3438+
3439+ /* Normalize the variable name */
3440+ normalize_varname(var);
3441+
3442+ /* Find length of variable name */
3443+ index = strchr(var, '[');
3444+ total_len = strlen(var);
3445+ var_len = index ? index-var : total_len;
3446+
3447+ /* Drop this variable if it exceeds the varname/total length limit */
3448+ if (VARFILTER_G(max_varname_length) && VARFILTER_G(max_varname_length) < var_len) {
3449+ php_security_log(S_FILES, "configured request variable name length limit exceeded - dropped %s", var);
3450+ goto return_failure;
3451+ }
3452+ if (VARFILTER_G(max_totalname_length) && VARFILTER_G(max_totalname_length) < total_len) {
3453+ php_security_log(S_FILES, "configured request variable total name length limit exceeded - dropped %s", var);
3454+ goto return_failure;
3455+ }
3456+ if (VARFILTER_G(max_post_name_length) && VARFILTER_G(max_post_name_length) < var_len) {
3457+ php_security_log(S_FILES, "configured POST variable name length limit exceeded - dropped %s", var);
3458+
3459+ goto return_failure;
3460+ }
3461+ if (VARFILTER_G(max_post_totalname_length) && VARFILTER_G(max_post_totalname_length) < var_len) {
3462+ php_security_log(S_FILES, "configured POST variable total name length limit exceeded - dropped %s", var);
3463+ goto return_failure;
3464+ }
3465+
3466+ /* Find out array depth */
3467+ while (index) {
3468+ unsigned int index_length;
3469+
3470+ depth++;
3471+ index = strchr(index+1, '[');
3472+
3473+ if (prev_index) {
3474+ index_length = index ? index - 1 - prev_index - 1: strlen(prev_index);
3475+
3476+ if (VARFILTER_G(max_array_index_length) && VARFILTER_G(max_array_index_length) < index_length) {
3477+ php_security_log(S_FILES, "configured request variable array index length limit exceeded - dropped %s", var);
3478+ goto return_failure;
3479+ }
3480+ if (VARFILTER_G(max_post_array_index_length) && VARFILTER_G(max_post_array_index_length) < index_length) {
3481+ php_security_log(S_FILES, "configured POST variable array index length limit exceeded - dropped %s", var);
3482+ goto return_failure;
3483+ }
3484+ prev_index = index;
3485+ }
3486+
3487+ }
3488+
3489+ /* Drop this variable if it exceeds the array depth limit */
3490+ if (VARFILTER_G(max_array_depth) && VARFILTER_G(max_array_depth) < depth) {
3491+ php_security_log(S_FILES, "configured request variable array depth limit exceeded - dropped %s", var);
3492+ goto return_failure;
3493+ }
3494+ if (VARFILTER_G(max_post_array_depth) && VARFILTER_G(max_post_array_depth) < depth) {
3495+ php_security_log(S_FILES, "configured POST variable array depth limit exceeded - dropped %s", var);
3496+ goto return_failure;
3497+ }
3498+
3499+
3500+ /* Drop this variable if it is one of GLOBALS, _GET, _POST, ... */
3501+ /* This is to protect several silly scripts that do globalizing themself */
3502+
3503+ switch (var_len) {
3504+ case 18:
3505+ if (memcmp(var, "HTTP_RAW_POST_DATA", 18)==0) goto protected_varname2;
3506+ break;
3507+ case 17:
3508+ if (memcmp(var, "HTTP_SESSION_VARS", 17)==0) goto protected_varname2;
3509+ break;
3510+ case 16:
3511+ if (memcmp(var, "HTTP_SERVER_VARS", 16)==0) goto protected_varname2;
3512+ if (memcmp(var, "HTTP_COOKIE_VARS", 16)==0) goto protected_varname2;
3513+ break;
3514+ case 15:
3515+ if (memcmp(var, "HTTP_POST_FILES", 15)==0) goto protected_varname2;
3516+ break;
3517+ case 14:
3518+ if (memcmp(var, "HTTP_POST_VARS", 14)==0) goto protected_varname2;
3519+ break;
3520+ case 13:
3521+ if (memcmp(var, "HTTP_GET_VARS", 13)==0) goto protected_varname2;
3522+ if (memcmp(var, "HTTP_ENV_VARS", 13)==0) goto protected_varname2;
3523+ break;
3524+ case 8:
3525+ if (memcmp(var, "_SESSION", 8)==0) goto protected_varname2;
3526+ if (memcmp(var, "_REQUEST", 8)==0) goto protected_varname2;
3527+ break;
3528+ case 7:
3529+ if (memcmp(var, "GLOBALS", 7)==0) goto protected_varname2;
3530+ if (memcmp(var, "_COOKIE", 7)==0) goto protected_varname2;
3531+ if (memcmp(var, "_SERVER", 7)==0) goto protected_varname2;
3532+ break;
3533+ case 6:
3534+ if (memcmp(var, "_FILES", 6)==0) goto protected_varname2;
3535+ break;
3536+ case 5:
3537+ if (memcmp(var, "_POST", 5)==0) goto protected_varname2;
3538+ break;
3539+ case 4:
3540+ if (memcmp(var, "_ENV", 4)==0) goto protected_varname2;
3541+ if (memcmp(var, "_GET", 4)==0) goto protected_varname2;
3542+ break;
3543+ }
3544+
3545+ efree(var);
3546+ return SUCCESS;
3547+protected_varname2:
3548+ php_security_log(S_FILES, "tried to register forbidden variable '%s' through FILE variables", var);
3549+return_failure:
3550+ efree(var);
3551+ return FAILURE;
3552+}
3553+/* }}} */
3554+
3555+/* {{{ SAPI_PRE_UPLOAD_FILTER_FUNC
3556+ */
3557+SAPI_PRE_UPLOAD_FILTER_FUNC(varfilter_pre_upload_filter)
3558+{
3559+ /* Drop if no more variables flag is set */
3560+ if (VARFILTER_G(no_more_uploads)) {
3561+ return FAILURE;
3562+ }
3563+ /* Drop this fileupload if the limit is reached */
3564+ if (VARFILTER_G(max_uploads) && VARFILTER_G(max_uploads) <= VARFILTER_G(cur_uploads)) {
3565+ php_security_log(S_FILES, "configured fileupload limit exceeded - file dropped");
3566+ VARFILTER_G(no_more_uploads) = 1;
3567+ return FAILURE;
3568+ }
3569+
3570+ return SUCCESS;
3571+}
3572+/* }}} */
3573+
3574+/* {{{ SAPI_UPLOAD_CONTENT_FILTER_FUNC
3575+ */
3576+SAPI_UPLOAD_CONTENT_FILTER_FUNC(varfilter_upload_content_filter)
3577+{
3578+
3579+ if (VARFILTER_G(disallow_elf_files)) {
3580+
3581+ if (offset == 0 && buffer_len > 10) {
3582+
3583+ if (buffer[0] == 0x7F && buffer[1] == 'E' && buffer[2] == 'L' && buffer[3] == 'F') {
3584+ php_security_log(S_FILES, "uploaded file is an ELF executable - file dropped");
3585+ return FAILURE;
3586+ }
3587+ }
3588+
3589+ }
3590+
3591+ return SUCCESS;
3592+}
3593+/* }}} */
3594+
3595+/* {{{ SAPI_POST_UPLOAD_FILTER_FUNC
3596+ */
3597+SAPI_POST_UPLOAD_FILTER_FUNC(varfilter_post_upload_filter)
3598+{
3599+ int retval = SUCCESS;
3600+
3601+ if (VARFILTER_G(verification_script)) {
3602+ char cmd[8192];
3603+ FILE *in;
3604+ int first=1;
3605+
3606+ ap_php_snprintf(cmd, sizeof(cmd), "%s %s", VARFILTER_G(verification_script), tmpfilename);
3607+
3608+ if ((in=VCWD_POPEN(cmd, "r"))==NULL) {
3609+ php_security_log(S_FILES, "unable to execute fileupload verification script %s - file dropped", VARFILTER_G(verification_script));
3610+ return FAILURE;
3611+ }
3612+
3613+ retval = FAILURE;
3614+
3615+ /* read and forget the result */
3616+ while (1) {
3617+ int readbytes = fread(cmd, 1, sizeof(cmd), in);
3618+ if (readbytes<=0) {
3619+ break;
3620+ }
3621+ if (first) {
3622+ retval = atoi(cmd) == 1 ? SUCCESS : FAILURE;
3623+ first = 0;
3624+ }
3625+ }
3626+ pclose(in);
3627+ }
3628+
3629+ if (retval != SUCCESS) {
3630+ php_security_log(S_FILES, "fileupload verification script disallows file - file dropped");
3631+ return FAILURE;
3632+ }
3633+
3634+ VARFILTER_G(cur_uploads)++;
3635+ return SUCCESS;
3636+}
3637+/* }}} */
3638+
3639+/* {{{ SAPI_INPUT_FILTER_FUNC
3640+ */
3641+SAPI_INPUT_FILTER_FUNC(varfilter_input_filter)
3642+{
3643+ char *index, *prev_index = NULL;
3644+ unsigned int var_len, total_len, depth = 0;
3645+
3646+ /* Drop this variable if the limit was reached */
3647+ switch (arg) {
3648+ case PARSE_GET:
3649+ if (VARFILTER_G(no_more_get_variables)) {
3650+ return 0;
3651+ }
3652+ break;
3653+ case PARSE_POST:
3654+ if (VARFILTER_G(no_more_post_variables)) {
3655+ return 0;
3656+ }
3657+ break;
3658+ case PARSE_COOKIE:
3659+ if (VARFILTER_G(no_more_cookie_variables)) {
3660+ return 0;
3661+ }
3662+ break;
3663+ default: /* we do not want to protect parse_str() and friends */
3664+ if (new_val_len) {
3665+ *new_val_len = val_len;
3666+ }
3667+ return 1;
3668+ }
3669+ if (VARFILTER_G(no_more_variables)) {
3670+ return 0;
3671+ }
3672+
3673+ /* Drop this variable if the limit is now reached */
3674+ if (VARFILTER_G(max_request_variables) && VARFILTER_G(max_request_variables) <= VARFILTER_G(cur_request_variables)) {
3675+ php_security_log(S_VARS, "configured request variable limit exceeded - dropped %s", var);
3676+ VARFILTER_G(no_more_variables) = 1;
3677+ return 0;
3678+ }
3679+ switch (arg) {
3680+ case PARSE_GET:
3681+ if (VARFILTER_G(max_get_vars) && VARFILTER_G(max_get_vars) <= VARFILTER_G(cur_get_vars)) {
3682+ php_security_log(S_VARS, "configured GET variable limit exceeded - dropped %s", var);
3683+ VARFILTER_G(no_more_get_variables) = 1;
3684+ return 0;
3685+ }
3686+ break;
3687+ case PARSE_COOKIE:
3688+ if (VARFILTER_G(max_cookie_vars) && VARFILTER_G(max_cookie_vars) <= VARFILTER_G(cur_cookie_vars)) {
3689+ php_security_log(S_VARS, "configured COOKIE variable limit exceeded - dropped %s", var);
3690+ VARFILTER_G(no_more_cookie_variables) = 1;
3691+ return 0;
3692+ }
3693+ break;
3694+ case PARSE_POST:
3695+ if (VARFILTER_G(max_post_vars) && VARFILTER_G(max_post_vars) <= VARFILTER_G(cur_post_vars)) {
3696+ php_security_log(S_VARS, "configured POST variable limit exceeded - dropped %s", var);
3697+ VARFILTER_G(no_more_post_variables) = 1;
3698+ return 0;
3699+ }
3700+ break;
3701+ }
3702+
3703+
3704+ /* Drop this variable if it exceeds the value length limit */
3705+ if (VARFILTER_G(max_value_length) && VARFILTER_G(max_value_length) < val_len) {
3706+ php_security_log(S_VARS, "configured request variable value length limit exceeded - dropped %s", var);
3707+ return 0;
3708+ }
3709+ switch (arg) {
3710+ case PARSE_GET:
3711+ if (VARFILTER_G(max_get_value_length) && VARFILTER_G(max_get_value_length) < val_len) {
3712+ php_security_log(S_VARS, "configured GET variable value length limit exceeded - dropped %s", var);
3713+ return 0;
3714+ }
3715+ break;
3716+ case PARSE_COOKIE:
3717+ if (VARFILTER_G(max_cookie_value_length) && VARFILTER_G(max_cookie_value_length) < val_len) {
3718+ php_security_log(S_VARS, "configured COOKIE variable value length limit exceeded - dropped %s", var);
3719+ return 0;
3720+ }
3721+ break;
3722+ case PARSE_POST:
3723+ if (VARFILTER_G(max_post_value_length) && VARFILTER_G(max_post_value_length) < val_len) {
3724+ php_security_log(S_VARS, "configured POST variable value length limit exceeded - dropped %s", var);
3725+ return 0;
3726+ }
3727+ break;
3728+ }
3729+
3730+ /* Normalize the variable name */
3731+ normalize_varname(var);
3732+
3733+ /* Find length of variable name */
3734+ index = strchr(var, '[');
3735+ total_len = strlen(var);
3736+ var_len = index ? index-var : total_len;
3737+
3738+ /* Drop this variable if it exceeds the varname/total length limit */
3739+ if (VARFILTER_G(max_varname_length) && VARFILTER_G(max_varname_length) < var_len) {
3740+ php_security_log(S_VARS, "configured request variable name length limit exceeded - dropped %s", var);
3741+ return 0;
3742+ }
3743+ if (VARFILTER_G(max_totalname_length) && VARFILTER_G(max_totalname_length) < total_len) {
3744+ php_security_log(S_VARS, "configured request variable total name length limit exceeded - dropped %s", var);
3745+ return 0;
3746+ }
3747+ switch (arg) {
3748+ case PARSE_GET:
3749+ if (VARFILTER_G(max_get_name_length) && VARFILTER_G(max_get_name_length) < var_len) {
3750+ php_security_log(S_VARS, "configured GET variable name length limit exceeded - dropped %s", var);
3751+ return 0;
3752+ }
3753+ if (VARFILTER_G(max_get_totalname_length) && VARFILTER_G(max_get_totalname_length) < var_len) {
3754+ php_security_log(S_VARS, "configured GET variable total name length limit exceeded - dropped %s", var);
3755+ return 0;
3756+ }
3757+ break;
3758+ case PARSE_COOKIE:
3759+ if (VARFILTER_G(max_cookie_name_length) && VARFILTER_G(max_cookie_name_length) < var_len) {
3760+ php_security_log(S_VARS, "configured COOKIE variable name length limit exceeded - dropped %s", var);
3761+ return 0;
3762+ }
3763+ if (VARFILTER_G(max_cookie_totalname_length) && VARFILTER_G(max_cookie_totalname_length) < var_len) {
3764+ php_security_log(S_VARS, "configured COOKIE variable total name length limit exceeded - dropped %s", var);
3765+ return 0;
3766+ }
3767+ break;
3768+ case PARSE_POST:
3769+ if (VARFILTER_G(max_post_name_length) && VARFILTER_G(max_post_name_length) < var_len) {
3770+ php_security_log(S_VARS, "configured POST variable name length limit exceeded - dropped %s", var);
3771+ return 0;
3772+ }
3773+ if (VARFILTER_G(max_post_totalname_length) && VARFILTER_G(max_post_totalname_length) < var_len) {
3774+ php_security_log(S_VARS, "configured POST variable total name length limit exceeded - dropped %s", var);
3775+ return 0;
3776+ }
3777+ break;
3778+ }
3779+
3780+ /* Find out array depth */
3781+ while (index) {
3782+ unsigned int index_length;
3783+
3784+ depth++;
3785+ index = strchr(index+1, '[');
3786+
3787+ if (prev_index) {
3788+ index_length = index ? index - 1 - prev_index - 1: strlen(prev_index);
3789+
3790+ if (VARFILTER_G(max_array_index_length) && VARFILTER_G(max_array_index_length) < index_length) {
3791+ php_security_log(S_VARS, "configured request variable array index length limit exceeded - dropped %s", var);
3792+ return 0;
3793+ }
3794+ switch (arg) {
3795+ case PARSE_GET:
3796+ if (VARFILTER_G(max_get_array_index_length) && VARFILTER_G(max_get_array_index_length) < index_length) {
3797+ php_security_log(S_VARS, "configured GET variable array index length limit exceeded - dropped %s", var);
3798+ return 0;
3799+ }
3800+ break;
3801+ case PARSE_COOKIE:
3802+ if (VARFILTER_G(max_cookie_array_index_length) && VARFILTER_G(max_cookie_array_index_length) < index_length) {
3803+ php_security_log(S_VARS, "configured COOKIE variable array index length limit exceeded - dropped %s", var);
3804+ return 0;
3805+ }
3806+ break;
3807+ case PARSE_POST:
3808+ if (VARFILTER_G(max_post_array_index_length) && VARFILTER_G(max_post_array_index_length) < index_length) {
3809+ php_security_log(S_VARS, "configured POST variable array index length limit exceeded - dropped %s", var);
3810+ return 0;
3811+ }
3812+ break;
3813+ }
3814+ prev_index = index;
3815+ }
3816+
3817+ }
3818+
3819+ /* Drop this variable if it exceeds the array depth limit */
3820+ if (VARFILTER_G(max_array_depth) && VARFILTER_G(max_array_depth) < depth) {
3821+ php_security_log(S_VARS, "configured request variable array depth limit exceeded - dropped %s", var);
3822+ return 0;
3823+ }
3824+ switch (arg) {
3825+ case PARSE_GET:
3826+ if (VARFILTER_G(max_get_array_depth) && VARFILTER_G(max_get_array_depth) < depth) {
3827+ php_security_log(S_VARS, "configured GET variable array depth limit exceeded - dropped %s", var);
3828+ return 0;
3829+ }
3830+ break;
3831+ case PARSE_COOKIE:
3832+ if (VARFILTER_G(max_cookie_array_depth) && VARFILTER_G(max_cookie_array_depth) < depth) {
3833+ php_security_log(S_VARS, "configured COOKIE variable array depth limit exceeded - dropped %s", var);
3834+ return 0;
3835+ }
3836+ break;
3837+ case PARSE_POST:
3838+ if (VARFILTER_G(max_post_array_depth) && VARFILTER_G(max_post_array_depth) < depth) {
3839+ php_security_log(S_VARS, "configured POST variable array depth limit exceeded - dropped %s", var);
3840+ return 0;
3841+ }
3842+ break;
3843+ }
3844+
3845+ /* Check if variable value is truncated by a \0 */
3846+
3847+ if (val && *val && val_len != strlen(*val)) {
3848+
3849+ if (VARFILTER_G(disallow_nul)) {
3850+ php_security_log(S_VARS, "ASCII-NUL chars not allowed within request variables - dropped %s", var);
3851+ return 0;
3852+ }
3853+ switch (arg) {
3854+ case PARSE_GET:
3855+ if (VARFILTER_G(disallow_get_nul)) {
3856+ php_security_log(S_VARS, "ASCII-NUL chars not allowed within GET variables - dropped %s", var);
3857+ return 0;
3858+ }
3859+ break;
3860+ case PARSE_COOKIE:
3861+ if (VARFILTER_G(disallow_cookie_nul)) {
3862+ php_security_log(S_VARS, "ASCII-NUL chars not allowed within COOKIE variables - dropped %s", var);
3863+ return 0;
3864+ }
3865+ break;
3866+ case PARSE_POST:
3867+ if (VARFILTER_G(disallow_post_nul)) {
3868+ php_security_log(S_VARS, "ASCII-NUL chars not allowed within POST variables - dropped %s", var);
3869+ return 0;
3870+ }
3871+ break;
3872+ }
3873+ }
3874+
3875+ /* Drop this variable if it is one of GLOBALS, _GET, _POST, ... */
3876+ /* This is to protect several silly scripts that do globalizing themself */
3877+
3878+ switch (var_len) {
3879+ case 18:
3880+ if (memcmp(var, "HTTP_RAW_POST_DATA", 18)==0) goto protected_varname;
3881+ break;
3882+ case 17:
3883+ if (memcmp(var, "HTTP_SESSION_VARS", 17)==0) goto protected_varname;
3884+ break;
3885+ case 16:
3886+ if (memcmp(var, "HTTP_SERVER_VARS", 16)==0) goto protected_varname;
3887+ if (memcmp(var, "HTTP_COOKIE_VARS", 16)==0) goto protected_varname;
3888+ break;
3889+ case 15:
3890+ if (memcmp(var, "HTTP_POST_FILES", 15)==0) goto protected_varname;
3891+ break;
3892+ case 14:
3893+ if (memcmp(var, "HTTP_POST_VARS", 14)==0) goto protected_varname;
3894+ break;
3895+ case 13:
3896+ if (memcmp(var, "HTTP_GET_VARS", 13)==0) goto protected_varname;
3897+ if (memcmp(var, "HTTP_ENV_VARS", 13)==0) goto protected_varname;
3898+ break;
3899+ case 8:
3900+ if (memcmp(var, "_SESSION", 8)==0) goto protected_varname;
3901+ if (memcmp(var, "_REQUEST", 8)==0) goto protected_varname;
3902+ break;
3903+ case 7:
3904+ if (memcmp(var, "GLOBALS", 7)==0) goto protected_varname;
3905+ if (memcmp(var, "_COOKIE", 7)==0) goto protected_varname;
3906+ if (memcmp(var, "_SERVER", 7)==0) goto protected_varname;
3907+ break;
3908+ case 6:
3909+ if (memcmp(var, "_FILES", 6)==0) goto protected_varname;
3910+ break;
3911+ case 5:
3912+ if (memcmp(var, "_POST", 5)==0) goto protected_varname;
3913+ break;
3914+ case 4:
3915+ if (memcmp(var, "_ENV", 4)==0) goto protected_varname;
3916+ if (memcmp(var, "_GET", 4)==0) goto protected_varname;
3917+ break;
3918+ }
3919+
3920+ /* Okay let PHP register this variable */
3921+ VARFILTER_G(cur_request_variables)++;
3922+ switch (arg) {
3923+ case PARSE_GET:
3924+ VARFILTER_G(cur_get_vars)++;
3925+ break;
3926+ case PARSE_COOKIE:
3927+ VARFILTER_G(cur_cookie_vars)++;
3928+ break;
3929+ case PARSE_POST:
3930+ VARFILTER_G(cur_post_vars)++;
3931+ break;
3932+ }
3933+
3934+ if (new_val_len) {
3935+ *new_val_len = val_len;
3936+ }
3937+
3938+ return 1;
3939+protected_varname:
3940+ php_security_log(S_VARS, "tried to register forbidden variable '%s' through %s variables", var, arg == PARSE_GET ? "GET" : arg == PARSE_POST ? "POST" : "COOKIE");
3941+ return 0;
3942+}
3943+/* }}} */
3944+
3945+/*
3946+ * Local variables:
3947+ * tab-width: 4
3948+ * c-basic-offset: 4
3949+ * End:
3950+ * vim600: noet sw=4 ts=4 fdm=marker
3951+ * vim<600: noet sw=4 ts=4
3952+ */
3953+
3954+
3955diff -Nura php-4.4.1/main/fopen_wrappers.c hardening-patch-4.4.1-0.4.6/main/fopen_wrappers.c
3956--- php-4.4.1/main/fopen_wrappers.c 2005-09-27 17:08:43.000000000 +0200
3957+++ hardening-patch-4.4.1-0.4.6/main/fopen_wrappers.c 2005-11-05 13:04:08.000000000 +0100
3958@@ -156,6 +156,21 @@
3959 char *pathbuf;
3960 char *ptr;
3961 char *end;
3962+ char path_copy[MAXPATHLEN];
3963+ int path_len;
3964+
3965+ /* Special case path ends with a trailing slash */
3966+ path_len = strlen(path);
3967+ if (path_len >= MAXPATHLEN) {
3968+ errno = EPERM; /* we deny permission to open it */
3969+ return -1;
3970+ }
3971+ if (path_len > 0 && path[path_len-1] == PHP_DIR_SEPARATOR) {
3972+ memcpy(path_copy, path, path_len+1);
3973+ while (path_len > 0 && path_copy[path_len-1] == PHP_DIR_SEPARATOR) path_len--;
3974+ path_copy[path_len] = '\0';
3975+ path = (const char *)&path_copy;
3976+ }
3977
3978 pathbuf = estrdup(PG(open_basedir));
3979
3980diff -Nura php-4.4.1/main/hardened_globals.h hardening-patch-4.4.1-0.4.6/main/hardened_globals.h
3981--- php-4.4.1/main/hardened_globals.h 1970-01-01 01:00:00.000000000 +0100
3982+++ hardening-patch-4.4.1-0.4.6/main/hardened_globals.h 2005-11-25 13:26:41.000000000 +0100
3983@@ -0,0 +1,62 @@
3984+/*
3985+ +----------------------------------------------------------------------+
3986+ | Hardening-Patch for PHP |
3987+ +----------------------------------------------------------------------+
3988+ | Copyright (c) 2004-2005 Stefan Esser |
3989+ +----------------------------------------------------------------------+
3990+ | This source file is subject to version 2.02 of the PHP license, |
3991+ | that is bundled with this package in the file LICENSE, and is |
3992+ | available at through the world-wide-web at |
3993+ | http://www.php.net/license/2_02.txt. |
3994+ | If you did not receive a copy of the PHP license and are unable to |
3995+ | obtain it through the world-wide-web, please send a note to |
3996+ | license@php.net so we can mail you a copy immediately. |
3997+ +----------------------------------------------------------------------+
3998+ | Author: Stefan Esser <sesser@hardened-php.net> |
3999+ +----------------------------------------------------------------------+
4000+ */
4001+
4002+#ifndef HARDENED_GLOBALS_H
4003+#define HARDENED_GLOBALS_H
4004+
4005+typedef struct _hardened_globals hardened_globals_struct;
4006+
4007+#ifdef ZTS
4008+# define HG(v) TSRMG(hardened_globals_id, hardened_globals_struct *, v)
4009+extern int hardened_globals_id;
4010+#else
4011+# define HG(v) (hardened_globals.v)
4012+extern struct _hardened_globals hardened_globals;
4013+#endif
4014+
4015+
4016+struct _hardened_globals {
4017+#if HARDENING_PATCH_MM_PROTECT
4018+ unsigned int canary_1;
4019+ unsigned int canary_2;
4020+#endif
4021+#if HARDENING_PATCH_LL_PROTECT
4022+ unsigned int canary_3;
4023+ unsigned int canary_4;
4024+ unsigned int ll_canary_inited;
4025+#endif
4026+ zend_bool hphp_sql_bailout_on_error;
4027+ zend_bool hphp_multiheader;
4028+ HashTable *eval_whitelist;
4029+ HashTable *eval_blacklist;
4030+ HashTable *func_whitelist;
4031+ HashTable *func_blacklist;
4032+ HashTable *include_whitelist;
4033+ HashTable *include_blacklist;
4034+ unsigned int dummy;
4035+};
4036+
4037+
4038+#endif /* HARDENED_GLOBALS_H */
4039+
4040+/*
4041+ * Local variables:
4042+ * tab-width: 4
4043+ * c-basic-offset: 4
4044+ * End:
4045+ */
4046diff -Nura php-4.4.1/main/hardening_patch.c hardening-patch-4.4.1-0.4.6/main/hardening_patch.c
4047--- php-4.4.1/main/hardening_patch.c 1970-01-01 01:00:00.000000000 +0100
4048+++ hardening-patch-4.4.1-0.4.6/main/hardening_patch.c 2005-11-25 13:23:41.000000000 +0100
4049@@ -0,0 +1,430 @@
4050+/*
4051+ +----------------------------------------------------------------------+
4052+ | Hardening Patch for PHP |
4053+ +----------------------------------------------------------------------+
4054+ | Copyright (c) 2004-2005 Stefan Esser |
4055+ +----------------------------------------------------------------------+
4056+ | This source file is subject to version 2.02 of the PHP license, |
4057+ | that is bundled with this package in the file LICENSE, and is |
4058+ | available at through the world-wide-web at |
4059+ | http://www.php.net/license/2_02.txt. |
4060+ | If you did not receive a copy of the PHP license and are unable to |
4061+ | obtain it through the world-wide-web, please send a note to |
4062+ | license@php.net so we can mail you a copy immediately. |
4063+ +----------------------------------------------------------------------+
4064+ | Author: Stefan Esser <sesser@hardened-php.net> |
4065+ +----------------------------------------------------------------------+
4066+ */
4067+/* $Id: hardening_patch.c,v 1.2 2004/11/21 09:38:52 ionic Exp $ */
4068+
4069+#include "php.h"
4070+
4071+#include <stdio.h>
4072+#include <stdlib.h>
4073+
4074+#if HAVE_UNISTD_H
4075+#include <unistd.h>
4076+#endif
4077+#include "SAPI.h"
4078+#include "php_globals.h"
4079+
4080+#if HARDENING_PATCH
4081+
4082+#ifdef HAVE_SYS_SOCKET_H
4083+#include <sys/socket.h>
4084+#endif
4085+
4086+#if defined(PHP_WIN32) || defined(__riscos__) || defined(NETWARE)
4087+#undef AF_UNIX
4088+#endif
4089+
4090+#if defined(AF_UNIX)
4091+#include <sys/un.h>
4092+#endif
4093+
4094+#define SYSLOG_PATH "/dev/log"
4095+
4096+#include "snprintf.h"
4097+
4098+#include "hardening_patch.h"
4099+
4100+#ifdef ZTS
4101+#include "hardened_globals.h"
4102+int hardened_globals_id;
4103+#else
4104+struct _hardened_globals hardened_globals;
4105+#endif
4106+
4107+static void hardened_globals_ctor(hardened_globals_struct *hardened_globals TSRMLS_DC)
4108+{
4109+ memset(hardened_globals, 0, sizeof(*hardened_globals));
4110+}
4111+
4112+
4113+PHPAPI void hardened_startup()
4114+{
4115+#ifdef ZTS
4116+ ts_allocate_id(&hardened_globals_id, sizeof(hardened_globals_struct), (ts_allocate_ctor) hardened_globals_ctor, NULL);
4117+#else
4118+ hardened_globals_ctor(&hardened_globals TSRMLS_CC);
4119+#endif
4120+}
4121+
4122+PHPAPI void hardened_clear_mm_canaries(TSRMLS_D)
4123+{
4124+ HG(canary_1) = php_canary();
4125+ HG(canary_2) = php_canary();
4126+}
4127+
4128+char *loglevel2string(int loglevel)
4129+{
4130+ switch (loglevel) {
4131+ case S_FILES:
4132+ return "FILES";
4133+ case S_INCLUDE:
4134+ return "INCLUDE";
4135+ case S_MEMORY:
4136+ return "MEMORY";
4137+ case S_MISC:
4138+ return "MISC";
4139+ case S_SQL:
4140+ return "SQL";
4141+ case S_EXECUTOR:
4142+ return "EXECUTOR";
4143+ case S_VARS:
4144+ return "VARS";
4145+ default:
4146+ return "UNKNOWN";
4147+ }
4148+}
4149+
4150+PHPAPI void php_security_log(int loglevel, char *fmt, ...)
4151+{
4152+#if defined(AF_UNIX)
4153+ int s, r, i=0;
4154+ struct sockaddr_un saun;
4155+ char buf[4096+64];
4156+ char error[4096+100];
4157+ char *ip_address;
4158+ char *fname;
4159+ int lineno;
4160+ va_list ap;
4161+ TSRMLS_FETCH();
4162+
4163+ if (EG(hphp_log_use_x_forwarded_for)) {
4164+ ip_address = sapi_getenv("HTTP_X_FORWARDED_FOR", 20 TSRMLS_CC);
4165+ if (ip_address == NULL) {
4166+ ip_address = "X-FORWARDED-FOR not set";
4167+ }
4168+ } else {
4169+ ip_address = sapi_getenv("REMOTE_ADDR", 11 TSRMLS_CC);
4170+ if (ip_address == NULL) {
4171+ ip_address = "REMOTE_ADDR not set";
4172+ }
4173+ }
4174+
4175+
4176+ va_start(ap, fmt);
4177+ ap_php_vsnprintf(error, sizeof(error), fmt, ap);
4178+ va_end(ap);
4179+ while (error[i]) {
4180+ if (error[i] < 32) error[i] = '.';
4181+ i++;
4182+ }
4183+
4184+ if (zend_is_executing(TSRMLS_C)) {
4185+ lineno = zend_get_executed_lineno(TSRMLS_C);
4186+ fname = zend_get_executed_filename(TSRMLS_C);
4187+ ap_php_snprintf(buf, sizeof(buf), "ALERT - %s (attacker '%s', file '%s', line %u)", error, ip_address, fname, lineno);
4188+ } else {
4189+ fname = sapi_getenv("SCRIPT_FILENAME", 15 TSRMLS_CC);
4190+ if (fname==NULL) {
4191+ fname = "unknown";
4192+ }
4193+ ap_php_snprintf(buf, sizeof(buf), "ALERT - %s (attacker '%s', file '%s')", error, ip_address, fname);
4194+ }
4195+
4196+ /* Syslog-Logging disabled? */
4197+ if ((EG(hphp_log_syslog) & loglevel)==0) {
4198+ goto log_sapi;
4199+ }
4200+
4201+ ap_php_snprintf(error, sizeof(error), "<%u>hphp[%u]: %s\n", EG(hphp_log_syslog_facility)|EG(hphp_log_syslog_priority),getpid(),buf);
4202+
4203+ s = socket(AF_UNIX, SOCK_DGRAM, 0);
4204+ if (s == -1) {
4205+ goto log_sapi;
4206+ }
4207+
4208+ memset(&saun, 0, sizeof(saun));
4209+ saun.sun_family = AF_UNIX;
4210+ strcpy(saun.sun_path, SYSLOG_PATH);
4211+ /*saun.sun_len = sizeof(saun);*/
4212+
4213+ r = connect(s, (struct sockaddr *)&saun, sizeof(saun));
4214+ if (r) {
4215+ close(s);
4216+ s = socket(AF_UNIX, SOCK_STREAM, 0);
4217+ if (s == -1) {
4218+ goto log_sapi;
4219+ }
4220+
4221+ memset(&saun, 0, sizeof(saun));
4222+ saun.sun_family = AF_UNIX;
4223+ strcpy(saun.sun_path, SYSLOG_PATH);
4224+ /*saun.sun_len = sizeof(saun);*/
4225+
4226+ r = connect(s, (struct sockaddr *)&saun, sizeof(saun));
4227+ if (r) {
4228+ close(s);
4229+ goto log_sapi;
4230+ }
4231+ }
4232+ send(s, error, strlen(error), 0);
4233+
4234+ close(s);
4235+
4236+log_sapi:
4237+ /* SAPI Logging activated? */
4238+ if ((EG(hphp_log_sapi) & loglevel)!=0) {
4239+ sapi_module.log_message(buf);
4240+ }
4241+
4242+log_script:
4243+ /* script logging activaed? */
4244+ if (((EG(hphp_log_script) & loglevel)!=0) && EG(hphp_log_scriptname)!=NULL) {
4245+ char cmd[8192], *cmdpos, *bufpos;
4246+ FILE *in;
4247+ int space;
4248+
4249+ ap_php_snprintf(cmd, sizeof(cmd), "%s %s \'", EG(hphp_log_scriptname), loglevel2string(loglevel));
4250+ space = sizeof(cmd) - strlen(cmd);
4251+ cmdpos = cmd + strlen(cmd);
4252+ bufpos = buf;
4253+ if (space <= 1) return;
4254+ while (space > 2 && *bufpos) {
4255+ if (*bufpos == '\'') {
4256+ if (space<=5) break;
4257+ *cmdpos++ = '\'';
4258+ *cmdpos++ = '\\';
4259+ *cmdpos++ = '\'';
4260+ *cmdpos++ = '\'';
4261+ bufpos++;
4262+ space-=4;
4263+ } else {
4264+ *cmdpos++ = *bufpos++;
4265+ space--;
4266+ }
4267+ }
4268+ *cmdpos++ = '\'';
4269+ *cmdpos = 0;
4270+
4271+ if ((in=VCWD_POPEN(cmd, "r"))==NULL) {
4272+ php_security_log(S_INTERNAL, "Unable to execute logging shell script: %s", EG(hphp_log_scriptname));
4273+ return;
4274+ }
4275+ /* read and forget the result */
4276+ while (1) {
4277+ int readbytes = fread(cmd, 1, sizeof(cmd), in);
4278+ if (readbytes<=0) {
4279+ break;
4280+ }
4281+ }
4282+ pclose(in);
4283+ }
4284+
4285+#endif
4286+}
4287+#endif
4288+
4289+#if HARDENING_PATCH_MM_PROTECT || HARDENING_PATCH_LL_PROTECT || HARDENING_PATCH_HASH_PROTECT
4290+
4291+/* will be replaced later with more compatible method */
4292+PHPAPI unsigned int php_canary()
4293+{
4294+ time_t t;
4295+ unsigned int canary;
4296+ int fd;
4297+
4298+ fd = open("/dev/urandom", 0);
4299+ if (fd != -1) {
4300+ int r = read(fd, &canary, sizeof(canary));
4301+ close(fd);
4302+ if (r == sizeof(canary)) {
4303+ return (canary);
4304+ }
4305+ }
4306+ /* not good but we never want to do this */
4307+ time(&t);
4308+ canary = *(unsigned int *)&t + getpid() << 16;
4309+ return (canary);
4310+}
4311+#endif
4312+
4313+#if HARDENING_PATCH_INC_PROTECT
4314+
4315+PHPAPI int php_is_valid_include(zval *z)
4316+{
4317+ char *filename;
4318+ int len, i;
4319+ TSRMLS_FETCH();
4320+
4321+ /* must be of type string */
4322+ if (z->type != IS_STRING || z->value.str.val == NULL) {
4323+ return (0);
4324+ }
4325+
4326+ /* short cut */
4327+ filename = z->value.str.val;
4328+ len = z->value.str.len;
4329+
4330+ /* 1. must be shorter than MAXPATHLEN */
4331+ if (len > MAXPATHLEN) {
4332+ char *fname = estrndup(filename, len);
4333+ for (i=0; i < len; i++) if (fname[i] < 32) fname[i]='.';
4334+ php_security_log(S_INCLUDE, "Include filename ('%s') longer than MAXPATHLEN chars", fname);
4335+ efree(fname);
4336+ return (0);
4337+ }
4338+
4339+ /* 2. must not be cutted */
4340+ if (len != strlen(filename)) {
4341+ char *fname = estrndup(filename, len);
4342+ for (i=0; fname[i]; i++) if (fname[i] < 32) fname[i]='.';
4343+ php_security_log(S_INCLUDE, "Include filename truncated by a \\0 after '%s'", fname);
4344+ efree(fname);
4345+ return (0);
4346+ }
4347+
4348+ /* 3. when it is an URL first check black/whitelist if both are empty disallow all URLs */
4349+ if (strstr(filename, "://")) {
4350+ char *fname = estrndup(filename, len);
4351+ for (i=0; i < len; i++) if (fname[i] < 32) fname[i]='.';
4352+
4353+ /* no black or whitelist then disallow all */
4354+ if (HG(include_whitelist)==NULL && HG(include_blacklist)==NULL) {
4355+ php_security_log(S_INCLUDE, "Include filename ('%s') is an URL", fname);
4356+ efree(fname);
4357+ return (0);
4358+ }
4359+
4360+ /* whitelist is stronger than blacklist */
4361+ if (HG(include_whitelist)) {
4362+ char *s, *t, *h, *index;
4363+ uint indexlen;
4364+ ulong numindex;
4365+
4366+ s = filename;
4367+
4368+ do {
4369+ zend_bool isOk = 0;
4370+ int tlen;
4371+
4372+ t = h = strstr(s, "://");
4373+ if (h == NULL) break;
4374+
4375+
4376+ while (t > s && (isalnum(t[-1]) || t[-1]=='_')) {
4377+ t--;
4378+ }
4379+
4380+ tlen = strlen(t);
4381+
4382+ zend_hash_internal_pointer_reset(HG(include_whitelist));
4383+ do {
4384+ int r = zend_hash_get_current_key_ex(HG(include_whitelist), &index, &indexlen, &numindex, 0, NULL);
4385+
4386+ if (r==HASH_KEY_NON_EXISTANT) {
4387+ break;
4388+ }
4389+ if (r==HASH_KEY_IS_STRING) {
4390+ if (h-t <= indexlen-1 && tlen>=indexlen-1) {
4391+ if (strncmp(t, index, indexlen-1)==0) {
4392+ isOk = 1;
4393+ break;
4394+ }
4395+ }
4396+ }
4397+
4398+ zend_hash_move_forward(HG(include_whitelist));
4399+ } while (1);
4400+
4401+ /* not found in whitelist */
4402+ if (!isOk) {
4403+ php_security_log(S_INCLUDE, "Include filename ('%s') is an URL that is not allowed in whitelist", fname);
4404+ efree(fname);
4405+ return 0;
4406+ }
4407+
4408+ s = h + 3;
4409+ } while (1);
4410+ } else {
4411+ /* okay then handle the blacklist */
4412+ char *s, *t, *h, *index;
4413+ uint indexlen;
4414+ ulong numindex;
4415+
4416+ s = filename;
4417+
4418+ do {
4419+ int tlen;
4420+
4421+ t = h = strstr(s, "://");
4422+ if (h == NULL) break;
4423+
4424+
4425+ while (t > s) {
4426+ if (isalnum(t[-1]) || t[-1]=='_') t--;
4427+ }
4428+
4429+ tlen = strlen(t);
4430+
4431+ zend_hash_internal_pointer_reset(HG(include_blacklist));
4432+ do {
4433+ int r = zend_hash_get_current_key_ex(HG(include_blacklist), &index, &indexlen, &numindex, 0, NULL);
4434+
4435+ if (r==HASH_KEY_NON_EXISTANT) {
4436+ break;
4437+ }
4438+ if (r==HASH_KEY_IS_STRING) {
4439+ if (h-t <= indexlen-1 && tlen>=indexlen-1) {
4440+ if (strncmp(t, index, indexlen-1)==0) {
4441+ php_security_log(S_INCLUDE, "Include filename ('%s') is an URL that is forbidden by the blacklist", fname);
4442+ efree(fname);
4443+ return 0;
4444+ }
4445+ }
4446+ }
4447+
4448+ zend_hash_move_forward(HG(include_blacklist));
4449+ } while (1);
4450+
4451+ s = h + 3;
4452+ } while (1);
4453+ }
4454+
4455+ efree(fname);
4456+ }
4457+
4458+ /* 4. must not be an uploaded file */
4459+ if (SG(rfc1867_uploaded_files)) {
4460+ if (zend_hash_exists(SG(rfc1867_uploaded_files), (char *) filename, len+1)) {
4461+ php_security_log(S_INCLUDE, "Include filename is an uploaded file");
4462+ return (0);
4463+ }
4464+ }
4465+
4466+ /* passed all tests */
4467+ return (1);
4468+}
4469+
4470+#endif
4471+
4472+/*
4473+ * Local variables:
4474+ * tab-width: 4
4475+ * c-basic-offset: 4
4476+ * End:
4477+ * vim600: sw=4 ts=4 fdm=marker
4478+ * vim<600: sw=4 ts=4
4479+ */
4480diff -Nura php-4.4.1/main/hardening_patch.h hardening-patch-4.4.1-0.4.6/main/hardening_patch.h
4481--- php-4.4.1/main/hardening_patch.h 1970-01-01 01:00:00.000000000 +0100
4482+++ hardening-patch-4.4.1-0.4.6/main/hardening_patch.h 2005-11-25 13:23:41.000000000 +0100
4483@@ -0,0 +1,46 @@
4484+/*
4485+ +----------------------------------------------------------------------+
4486+ | Hardening Patch for PHP |
4487+ +----------------------------------------------------------------------+
4488+ | Copyright (c) 2004-2005 Stefan Esser |
4489+ +----------------------------------------------------------------------+
4490+ | This source file is subject to version 2.02 of the PHP license, |
4491+ | that is bundled with this package in the file LICENSE, and is |
4492+ | available at through the world-wide-web at |
4493+ | http://www.php.net/license/2_02.txt. |
4494+ | If you did not receive a copy of the PHP license and are unable to |
4495+ | obtain it through the world-wide-web, please send a note to |
4496+ | license@php.net so we can mail you a copy immediately. |
4497+ +----------------------------------------------------------------------+
4498+ | Author: Stefan Esser <sesser@hardened-php.net> |
4499+ +----------------------------------------------------------------------+
4500+ */
4501+
4502+#ifndef HARDENING_PATCH_H
4503+#define HARDENING_PATCH_H
4504+
4505+#include "zend.h"
4506+
4507+#if HARDENING_PATCH
4508+PHPAPI void php_security_log(int loglevel, char *fmt, ...);
4509+PHPAPI void hardened_startup();
4510+#define HARDENING_PATCH_VERSION "0.4.6"
4511+
4512+#endif
4513+
4514+#if HARDENING_PATCH_MM_PROTECT || HARDENING_PATCH_LL_PROTECT || HARDENING_PATCH_HASH_PROTECT
4515+PHPAPI unsigned int php_canary();
4516+#endif
4517+
4518+#if HARDENING_PATCH_INC_PROTECT
4519+PHPAPI int php_is_valid_include(zval *z);
4520+#endif
4521+
4522+#endif /* HARDENING_PATCH_H */
4523+
4524+/*
4525+ * Local variables:
4526+ * tab-width: 4
4527+ * c-basic-offset: 4
4528+ * End:
4529+ */
4530diff -Nura php-4.4.1/main/hardening_patch.m4 hardening-patch-4.4.1-0.4.6/main/hardening_patch.m4
4531--- php-4.4.1/main/hardening_patch.m4 1970-01-01 01:00:00.000000000 +0100
4532+++ hardening-patch-4.4.1-0.4.6/main/hardening_patch.m4 2005-11-25 13:23:41.000000000 +0100
4533@@ -0,0 +1,95 @@
4534+dnl
4535+dnl $Id: hardening_patch.m4,v 1.1 2004/11/14 13:24:24 ionic Exp $
4536+dnl
4537+dnl This file contains Hardening Patch for PHP specific autoconf functions.
4538+dnl
4539+
4540+AC_ARG_ENABLE(hardening-patch-mm-protect,
4541+[ --disable-hardening-patch-mm-protect Disable the Memory Manager protection.],[
4542+ DO_HARDENING_PATCH_MM_PROTECT=$enableval
4543+],[
4544+ DO_HARDENING_PATCH_MM_PROTECT=yes
4545+])
4546+
4547+AC_ARG_ENABLE(hardening-patch-ll-protect,
4548+[ --disable-hardening-patch-ll-protect Disable the Linked List protection.],[
4549+ DO_HARDENING_PATCH_LL_PROTECT=$enableval
4550+],[
4551+ DO_HARDENING_PATCH_LL_PROTECT=yes
4552+])
4553+
4554+AC_ARG_ENABLE(hardening-patch-inc-protect,
4555+[ --disable-hardening-patch-inc-protect Disable include/require protection.],[
4556+ DO_HARDENING_PATCH_INC_PROTECT=$enableval
4557+],[
4558+ DO_HARDENING_PATCH_INC_PROTECT=yes
4559+])
4560+
4561+AC_ARG_ENABLE(hardening-patch-fmt-protect,
4562+[ --disable-hardening-patch-fmt-protect Disable format string protection.],[
4563+ DO_HARDENING_PATCH_FMT_PROTECT=$enableval
4564+],[
4565+ DO_HARDENING_PATCH_FMT_PROTECT=yes
4566+])
4567+
4568+AC_ARG_ENABLE(hardening-patch-hash-protect,
4569+[ --disable-hardening-patch-hash-protect Disable HashTable destructor protection.],[
4570+ DO_HARDENING_PATCH_HASH_PROTECT=$enableval
4571+],[
4572+ DO_HARDENING_PATCH_HASH_PROTECT=yes
4573+])
4574+
4575+AC_MSG_CHECKING(whether to protect the Zend Memory Manager)
4576+AC_MSG_RESULT($DO_HARDENING_PATCH_MM_PROTECT)
4577+
4578+AC_MSG_CHECKING(whether to protect the Zend Linked Lists)
4579+AC_MSG_RESULT($DO_HARDENING_PATCH_LL_PROTECT)
4580+
4581+AC_MSG_CHECKING(whether to protect include/require statements)
4582+AC_MSG_RESULT($DO_HARDENING_PATCH_INC_PROTECT)
4583+
4584+AC_MSG_CHECKING(whether to protect PHP Format String functions)
4585+AC_MSG_RESULT($DO_HARDENING_PATCH_FMT_PROTECT)
4586+
4587+AC_MSG_CHECKING(whether to protect the destructor of Zend HashTables)
4588+AC_MSG_RESULT($DO_HARDENING_PATCH_HASH_PROTECT)
4589+
4590+
4591+AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
4592+
4593+
4594+if test "$DO_HARDENING_PATCH_MM_PROTECT" = "yes"; then
4595+dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
4596+ AC_DEFINE(HARDENING_PATCH_MM_PROTECT, 1, [Memory Manager Protection])
4597+else
4598+ AC_DEFINE(HARDENING_PATCH_MM_PROTECT, 0, [Memory Manager Protection])
4599+fi
4600+
4601+if test "$DO_HARDENING_PATCH_LL_PROTECT" = "yes"; then
4602+dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
4603+ AC_DEFINE(HARDENING_PATCH_LL_PROTECT, 1, [Linked List Protection])
4604+else
4605+ AC_DEFINE(HARDENING_PATCH_LL_PROTECT, 0, [Linked List Protection])
4606+fi
4607+
4608+if test "$DO_HARDENING_PATCH_INC_PROTECT" = "yes"; then
4609+dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
4610+ AC_DEFINE(HARDENING_PATCH_INC_PROTECT, 1, [Include/Require Protection])
4611+else
4612+ AC_DEFINE(HARDENING_PATCH_INC_PROTECT, 0, [Include/Require Protection])
4613+fi
4614+
4615+if test "$DO_HARDENING_PATCH_FMT_PROTECT" = "yes"; then
4616+dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
4617+ AC_DEFINE(HARDENING_PATCH_FMT_PROTECT, 1, [Fmt String Protection])
4618+else
4619+ AC_DEFINE(HARDENING_PATCH_FMT_PROTECT, 0, [Fmt String Protection])
4620+fi
4621+
4622+if test "$DO_HARDENING_PATCH_HASH_PROTECT" = "yes"; then
4623+dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
4624+ AC_DEFINE(HARDENING_PATCH_HASH_PROTECT, 1, [HashTable DTOR Protection])
4625+else
4626+ AC_DEFINE(HARDENING_PATCH_HASH_PROTECT, 0, [HashTable DTOR Protection])
4627+fi
4628+
4629diff -Nura php-4.4.1/main/main.c hardening-patch-4.4.1-0.4.6/main/main.c
4630--- php-4.4.1/main/main.c 2005-09-15 16:06:15.000000000 +0200
4631+++ hardening-patch-4.4.1-0.4.6/main/main.c 2005-11-20 19:49:42.000000000 +0100
4632@@ -92,6 +92,10 @@
4633 PHPAPI int core_globals_id;
4634 #endif
4635
4636+#if HARDENING_PATCH
4637+#include "hardened_globals.h"
4638+#endif
4639+
4640 #define ERROR_BUF_LEN 1024
4641
4642 typedef struct {
4643@@ -142,10 +146,33 @@
4644 */
4645 static PHP_INI_MH(OnChangeMemoryLimit)
4646 {
4647+#if HARDENING_PATCH
4648+ long orig_memory_limit;
4649+
4650+ if (entry->modified) {
4651+ orig_memory_limit = zend_atoi(entry->orig_value, entry->orig_value_length);
4652+ } else {
4653+ orig_memory_limit = 1<<30;
4654+ }
4655+ if (orig_memory_limit < 0 || orig_memory_limit > (1<<30)) {
4656+ orig_memory_limit = 1<<30;
4657+ }
4658+#endif
4659 if (new_value) {
4660 PG(memory_limit) = zend_atoi(new_value, new_value_length);
4661+#if HARDENING_PATCH
4662+ if (PG(memory_limit) > orig_memory_limit) {
4663+ PG(memory_limit) = orig_memory_limit;
4664+ php_security_log(S_MISC, "script tried to increase memory_limit above allowed value");
4665+ return FAILURE;
4666+ }
4667+#endif
4668 } else {
4669+#if HARDENING_PATCH
4670+ PG(memory_limit) = orig_memory_limit;
4671+#else
4672 PG(memory_limit) = 1<<30; /* effectively, no limit */
4673+#endif
4674 }
4675 return zend_set_memory_limit(PG(memory_limit));
4676 }
4677@@ -998,6 +1025,9 @@
4678
4679 zend_try {
4680 shutdown_memory_manager(CG(unclean_shutdown), 0 TSRMLS_CC);
4681+#if HARDENING_PATCH
4682+ hardened_clear_mm_canaries(TSRMLS_C);
4683+#endif
4684 } zend_end_try();
4685
4686 zend_try {
4687@@ -1088,6 +1118,10 @@
4688 tsrm_ls = ts_resource(0);
4689 #endif
4690
4691+#if HARDENING_PATCH
4692+ hardened_startup();
4693+#endif
4694+
4695 sapi_initialize_empty_request(TSRMLS_C);
4696 sapi_activate(TSRMLS_C);
4697
4698@@ -1100,6 +1134,12 @@
4699 php_output_startup();
4700 php_output_activate(TSRMLS_C);
4701
4702+#if HARDENING_PATCH_INC_PROTECT
4703+ zuf.is_valid_include = php_is_valid_include;
4704+#endif
4705+#if HARDENING_PATCH
4706+ zuf.security_log_function = php_security_log;
4707+#endif
4708 zuf.error_function = php_error_cb;
4709 zuf.printf_function = php_printf;
4710 zuf.write_function = php_body_write_wrapper;
4711@@ -1201,6 +1241,10 @@
4712 REGISTER_MAIN_STRINGL_CONSTANT("PHP_CONFIG_FILE_PATH", PHP_CONFIG_FILE_PATH, sizeof(PHP_CONFIG_FILE_PATH)-1, CONST_PERSISTENT | CONST_CS);
4713 REGISTER_MAIN_STRINGL_CONSTANT("PHP_CONFIG_FILE_SCAN_DIR", PHP_CONFIG_FILE_SCAN_DIR, sizeof(PHP_CONFIG_FILE_SCAN_DIR)-1, CONST_PERSISTENT | CONST_CS);
4714 REGISTER_MAIN_STRINGL_CONSTANT("PHP_SHLIB_SUFFIX", PHP_SHLIB_SUFFIX, sizeof(PHP_SHLIB_SUFFIX)-1, CONST_PERSISTENT | CONST_CS);
4715+#if HARDENING_PATCH
4716+ REGISTER_MAIN_LONG_CONSTANT("HARDENING_PATCH", 1, CONST_PERSISTENT | CONST_CS);
4717+ REGISTER_MAIN_STRINGL_CONSTANT("HARDENING_PATCH_VERSION", HARDENING_PATCH_VERSION, sizeof(HARDENING_PATCH_VERSION)-1, CONST_PERSISTENT | CONST_CS);
4718+#endif
4719 REGISTER_MAIN_STRINGL_CONSTANT("PHP_EOL", PHP_EOL, sizeof(PHP_EOL)-1, CONST_PERSISTENT | CONST_CS);
4720 REGISTER_MAIN_LONG_CONSTANT("PHP_INT_MAX", LONG_MAX, CONST_PERSISTENT | CONST_CS);
4721 REGISTER_MAIN_LONG_CONSTANT("PHP_INT_SIZE", sizeof(long), CONST_PERSISTENT | CONST_CS);
4722@@ -1308,7 +1352,7 @@
4723 */
4724 static inline void php_register_server_variables(TSRMLS_D)
4725 {
4726- zval *array_ptr=NULL;
4727+ zval *array_ptr=NULL, *vptr;
4728
4729 ALLOC_ZVAL(array_ptr);
4730 array_init(array_ptr);
4731diff -Nura php-4.4.1/main/php_config.h.in hardening-patch-4.4.1-0.4.6/main/php_config.h.in
4732--- php-4.4.1/main/php_config.h.in 2005-10-30 12:06:40.000000000 +0100
4733+++ hardening-patch-4.4.1-0.4.6/main/php_config.h.in 2005-11-05 13:04:08.000000000 +0100
4734@@ -859,6 +859,39 @@
4735 /* Enabling BIND8 compatibility for Panther */
4736 #undef BIND_8_COMPAT
4737
4738+/* Hardening-Patch */
4739+#undef HARDENING_PATCH
4740+
4741+/* Memory Manager Protection */
4742+#undef HARDENING_PATCH_MM_PROTECT
4743+
4744+/* Memory Manager Protection */
4745+#undef HARDENING_PATCH_MM_PROTECT
4746+
4747+/* Linked List Protection */
4748+#undef HARDENING_PATCH_LL_PROTECT
4749+
4750+/* Linked List Protection */
4751+#undef HARDENING_PATCH_LL_PROTECT
4752+
4753+/* Include/Require Protection */
4754+#undef HARDENING_PATCH_INC_PROTECT
4755+
4756+/* Include/Require Protection */
4757+#undef HARDENING_PATCH_INC_PROTECT
4758+
4759+/* Fmt String Protection */
4760+#undef HARDENING_PATCH_FMT_PROTECT
4761+
4762+/* Fmt String Protection */
4763+#undef HARDENING_PATCH_FMT_PROTECT
4764+
4765+/* HashTable DTOR Protection */
4766+#undef HARDENING_PATCH_HASH_PROTECT
4767+
4768+/* HashTable DTOR Protection */
4769+#undef HARDENING_PATCH_HASH_PROTECT
4770+
4771 /* Whether you have AOLserver */
4772 #undef HAVE_AOLSERVER
4773
4774@@ -1142,6 +1175,12 @@
4775 /* Define if you have the getaddrinfo function */
4776 #undef HAVE_GETADDRINFO
4777
4778+/* Whether realpath is broken */
4779+#undef PHP_BROKEN_REALPATH
4780+
4781+/* Whether realpath is broken */
4782+#undef PHP_BROKEN_REALPATH
4783+
4784 /* Whether system headers declare timezone */
4785 #undef HAVE_DECLARED_TIMEZONE
4786
4787diff -Nura php-4.4.1/main/php_content_types.c hardening-patch-4.4.1-0.4.6/main/php_content_types.c
4788--- php-4.4.1/main/php_content_types.c 2002-12-31 17:26:14.000000000 +0100
4789+++ hardening-patch-4.4.1-0.4.6/main/php_content_types.c 2005-11-05 13:04:08.000000000 +0100
4790@@ -77,6 +77,7 @@
4791 sapi_register_post_entries(php_post_entries);
4792 sapi_register_default_post_reader(php_default_post_reader);
4793 sapi_register_treat_data(php_default_treat_data);
4794+ sapi_register_input_filter(php_default_input_filter);
4795 return SUCCESS;
4796 }
4797 /* }}} */
4798diff -Nura php-4.4.1/main/php.h hardening-patch-4.4.1-0.4.6/main/php.h
4799--- php-4.4.1/main/php.h 2005-07-27 12:26:25.000000000 +0200
4800+++ hardening-patch-4.4.1-0.4.6/main/php.h 2005-11-05 13:04:08.000000000 +0100
4801@@ -35,11 +35,19 @@
4802 #include "zend_qsort.h"
4803 #include "php_compat.h"
4804
4805+
4806 #include "zend_API.h"
4807
4808 #undef sprintf
4809 #define sprintf php_sprintf
4810
4811+#if HARDENING_PATCH
4812+#if HAVE_REALPATH
4813+#undef realpath
4814+#define realpath php_realpath
4815+#endif
4816+#endif
4817+
4818 /* PHP's DEBUG value must match Zend's ZEND_DEBUG value */
4819 #undef PHP_DEBUG
4820 #define PHP_DEBUG ZEND_DEBUG
4821@@ -407,6 +415,10 @@
4822 #endif
4823 #endif /* !XtOffsetOf */
4824
4825+#if HARDENING_PATCH
4826+#include "hardening_patch.h"
4827+#endif
4828+
4829 #endif
4830
4831 /*
4832diff -Nura php-4.4.1/main/php_variables.c hardening-patch-4.4.1-0.4.6/main/php_variables.c
4833--- php-4.4.1/main/php_variables.c 2005-10-02 13:33:27.000000000 +0200
4834+++ hardening-patch-4.4.1-0.4.6/main/php_variables.c 2005-11-05 13:04:08.000000000 +0100
4835@@ -236,17 +236,28 @@
4836 while (var) {
4837 val = strchr(var, '=');
4838 if (val) { /* have a value */
4839- int val_len;
4840+ unsigned int val_len, new_val_len;
4841
4842 *val++ = '\0';
4843 php_url_decode(var, strlen(var));
4844 val_len = php_url_decode(val, strlen(val));
4845- php_register_variable_safe(var, val, val_len, array_ptr TSRMLS_CC);
4846+ val = estrndup(val, val_len);
4847+ if (sapi_module.input_filter(PARSE_POST, var, &val, val_len, &new_val_len TSRMLS_CC)) {
4848+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
4849+ }
4850+ efree(val);
4851 }
4852 var = php_strtok_r(NULL, "&", &strtok_buf);
4853 }
4854 }
4855
4856+SAPI_API SAPI_INPUT_FILTER_FUNC(php_default_input_filter)
4857+{
4858+ /* TODO: check .ini setting here and apply user-defined input filter */
4859+ *new_val_len = val_len;
4860+ return 1;
4861+}
4862+
4863 SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data)
4864 {
4865 char *res = NULL, *var, *val, *separator=NULL;
4866@@ -324,15 +335,26 @@
4867 while (var) {
4868 val = strchr(var, '=');
4869 if (val) { /* have a value */
4870- int val_len;
4871+ unsigned int val_len, new_val_len;
4872
4873 *val++ = '\0';
4874 php_url_decode(var, strlen(var));
4875 val_len = php_url_decode(val, strlen(val));
4876- php_register_variable_safe(var, val, val_len, array_ptr TSRMLS_CC);
4877+ val = estrndup(val, val_len);
4878+ if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len TSRMLS_CC)) {
4879+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
4880+ }
4881+ efree(val);
4882 } else {
4883+ unsigned int val_len, new_val_len;
4884+
4885 php_url_decode(var, strlen(var));
4886- php_register_variable_safe(var, "", 0, array_ptr TSRMLS_CC);
4887+ val_len = 0;
4888+ val = estrndup("", 0);
4889+ if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len TSRMLS_CC)) {
4890+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
4891+ }
4892+ efree(val);
4893 }
4894 var = php_strtok_r(NULL, separator, &strtok_buf);
4895 }
4896diff -Nura php-4.4.1/main/rfc1867.c hardening-patch-4.4.1-0.4.6/main/rfc1867.c
4897--- php-4.4.1/main/rfc1867.c 2005-07-13 22:47:56.000000000 +0200
4898+++ hardening-patch-4.4.1-0.4.6/main/rfc1867.c 2005-11-05 13:04:08.000000000 +0100
4899@@ -128,6 +128,8 @@
4900 #define UPLOAD_ERROR_D 4 /* No file uploaded */
4901 #define UPLOAD_ERROR_E 6 /* Missing /tmp or similar directory */
4902 #define UPLOAD_ERROR_F 7 /* Failed to write file to disk */
4903+#define UPLOAD_ERROR_X 99 /* Filter forbids upload */
4904+
4905
4906 void php_rfc1867_register_constants(TSRMLS_D)
4907 {
4908@@ -138,6 +140,7 @@
4909 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_FILE", UPLOAD_ERROR_D, CONST_CS | CONST_PERSISTENT);
4910 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_TMP_DIR", UPLOAD_ERROR_E, CONST_CS | CONST_PERSISTENT);
4911 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_CANT_WRITE", UPLOAD_ERROR_F, CONST_CS | CONST_PERSISTENT);
4912+ REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_FILTER", UPLOAD_ERROR_X, CONST_CS | CONST_PERSISTENT);
4913 }
4914
4915 static void normalize_protected_variable(char *varname TSRMLS_DC)
4916@@ -849,6 +852,7 @@
4917 char buff[FILLUNIT];
4918 char *cd=NULL,*param=NULL,*filename=NULL, *tmp=NULL;
4919 int blen=0, wlen=0;
4920+ unsigned long offset;
4921
4922 zend_llist_clean(&header);
4923
4924@@ -897,21 +901,24 @@
4925 if (!filename && param) {
4926
4927 char *value = multipart_buffer_read_body(mbuff TSRMLS_CC);
4928+ unsigned int new_val_len; /* Dummy variable */
4929
4930 if (!value) {
4931 value = estrdup("");
4932 }
4933
4934+ if (sapi_module.input_filter(PARSE_POST, param, &value, strlen(value), &new_val_len TSRMLS_CC)) {
4935 #if HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING)
4936- if (php_mb_encoding_translation(TSRMLS_C)) {
4937- php_mb_gpc_stack_variable(param, value, &val_list, &len_list,
4938- &num_vars, &num_vars_max TSRMLS_CC);
4939- } else {
4940- safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
4941- }
4942+ if (php_mb_encoding_translation(TSRMLS_C)) {
4943+ php_mb_gpc_stack_variable(param, value, &val_list, &len_list,
4944+ &num_vars, &num_vars_max TSRMLS_CC);
4945+ } else {
4946+ safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
4947+ }
4948 #else
4949- safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
4950+ safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
4951 #endif
4952+ }
4953 if (!strcasecmp(param, "MAX_FILE_SIZE")) {
4954 max_file_size = atol(value);
4955 }
4956@@ -963,7 +970,11 @@
4957 tmp++;
4958 }
4959 }
4960-
4961+
4962+ if (sapi_module.upload_varname_filter && sapi_module.upload_varname_filter(param TSRMLS_CC)==FAILURE) {
4963+ skip_upload = 1;
4964+ }
4965+
4966 total_bytes = cancel_upload = 0;
4967
4968 if (!skip_upload) {
4969@@ -987,6 +998,11 @@
4970 cancel_upload = UPLOAD_ERROR_D;
4971 }
4972
4973+ if (sapi_module.pre_upload_filter && sapi_module.pre_upload_filter(param, filename TSRMLS_CC)==FAILURE) {
4974+ cancel_upload = UPLOAD_ERROR_X;
4975+ }
4976+
4977+ offset = 0;
4978 end = 0;
4979 while (!cancel_upload && (blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end TSRMLS_CC)))
4980 {
4981@@ -997,6 +1013,11 @@
4982 sapi_module.sapi_error(E_WARNING, "MAX_FILE_SIZE of %ld bytes exceeded - file [%s=%s] not saved", max_file_size, param, filename);
4983 cancel_upload = UPLOAD_ERROR_B;
4984 } else if (blen > 0) {
4985+
4986+ if (sapi_module.upload_content_filter && sapi_module.upload_content_filter(offset, buff, blen, &blen TSRMLS_CC)==FAILURE) {
4987+ cancel_upload = UPLOAD_ERROR_X;
4988+ }
4989+
4990 wlen = write(fd, buff, blen);
4991
4992 if (wlen < blen) {
4993@@ -1004,6 +1025,7 @@
4994 cancel_upload = UPLOAD_ERROR_F;
4995 } else {
4996 total_bytes += wlen;
4997+ offset += wlen;
4998 }
4999 }
5000 }
5001@@ -1025,6 +1047,10 @@
5002 }
5003 #endif
5004
5005+ if (!cancel_upload && sapi_module.post_upload_filter && sapi_module.post_upload_filter(temp_filename TSRMLS_CC)==FAILURE) {
5006+ cancel_upload = UPLOAD_ERROR_X;
5007+ }
5008+
5009 if (cancel_upload) {
5010 if (temp_filename) {
5011 if (cancel_upload != UPLOAD_ERROR_E) { /* file creation failed */
5012diff -Nura php-4.4.1/main/SAPI.c hardening-patch-4.4.1-0.4.6/main/SAPI.c
5013--- php-4.4.1/main/SAPI.c 2005-10-19 22:36:19.000000000 +0200
5014+++ hardening-patch-4.4.1-0.4.6/main/SAPI.c 2005-11-05 13:04:08.000000000 +0100
5015@@ -837,6 +837,37 @@
5016 return SUCCESS;
5017 }
5018
5019+SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC))
5020+{
5021+ sapi_module.input_filter = input_filter;
5022+ return SUCCESS;
5023+}
5024+
5025+SAPI_API int sapi_register_upload_varname_filter(unsigned int (*upload_varname_filter)(char *varname TSRMLS_DC))
5026+{
5027+ sapi_module.upload_varname_filter = upload_varname_filter;
5028+ return SUCCESS;
5029+}
5030+
5031+SAPI_API int sapi_register_pre_upload_filter(unsigned int (*pre_upload_filter)(char *varname, char *filename TSRMLS_DC))
5032+{
5033+ sapi_module.pre_upload_filter = pre_upload_filter;
5034+ return SUCCESS;
5035+}
5036+
5037+SAPI_API int sapi_register_upload_content_filter(unsigned int (*upload_content_filter)(unsigned long offset, char *buffer, unsigned int buffer_len, unsigned int *new_buffer_len TSRMLS_DC))
5038+{
5039+ sapi_module.upload_content_filter = upload_content_filter;
5040+ return SUCCESS;
5041+}
5042+
5043+SAPI_API int sapi_register_post_upload_filter(unsigned int (*post_upload_filter)(char *tmpfilename TSRMLS_DC))
5044+{
5045+ sapi_module.post_upload_filter = post_upload_filter;
5046+ return SUCCESS;
5047+}
5048+
5049+
5050
5051 SAPI_API int sapi_flush(TSRMLS_D)
5052 {
5053diff -Nura php-4.4.1/main/SAPI.h hardening-patch-4.4.1-0.4.6/main/SAPI.h
5054--- php-4.4.1/main/SAPI.h 2003-04-09 22:27:55.000000000 +0200
5055+++ hardening-patch-4.4.1-0.4.6/main/SAPI.h 2005-11-05 13:04:08.000000000 +0100
5056@@ -101,9 +101,10 @@
5057 char *current_user;
5058 int current_user_length;
5059
5060- /* this is necessary for CLI module */
5061- int argc;
5062- char **argv;
5063+ /* this is necessary for CLI module */
5064+ int argc;
5065+ char **argv;
5066+
5067 } sapi_request_info;
5068
5069
5070@@ -177,6 +178,10 @@
5071 SAPI_API void sapi_unregister_post_entry(sapi_post_entry *post_entry);
5072 SAPI_API int sapi_register_default_post_reader(void (*default_post_reader)(TSRMLS_D));
5073 SAPI_API int sapi_register_treat_data(void (*treat_data)(int arg, char *str, zval *destArray TSRMLS_DC));
5074+SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC));
5075+SAPI_API int sapi_register_pre_upload_filter(unsigned int (*pre_upload_filter)(char *varname, char *filename TSRMLS_DC));
5076+SAPI_API int sapi_register_upload_content_filter(unsigned int (*upload_content_filter)(unsigned long offset, char *buffer, unsigned int buffer_len, unsigned int *new_buffer_len TSRMLS_DC));
5077+SAPI_API int sapi_register_post_upload_filter(unsigned int (*post_upload_filter)(char *tmpfilename TSRMLS_DC));
5078
5079 SAPI_API int sapi_flush(TSRMLS_D);
5080 SAPI_API struct stat *sapi_get_stat(TSRMLS_D);
5081@@ -238,8 +243,16 @@
5082 int (*get_target_uid)(uid_t * TSRMLS_DC);
5083 int (*get_target_gid)(gid_t * TSRMLS_DC);
5084
5085+ unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC);
5086+
5087+ unsigned int (*upload_varname_filter)(char *varname TSRMLS_DC);
5088+ unsigned int (*pre_upload_filter)(char *varname, char *filename TSRMLS_DC);
5089+ unsigned int (*upload_content_filter)(unsigned long offset, char *buffer, unsigned int buffer_len, unsigned int *new_buffer_len TSRMLS_DC);
5090+ unsigned int (*post_upload_filter)(char *tmpfilename TSRMLS_DC);
5091+
5092 void (*ini_defaults)(HashTable *configuration_hash);
5093 int phpinfo_as_text;
5094+
5095 };
5096
5097
5098@@ -262,16 +275,27 @@
5099
5100 #define SAPI_DEFAULT_MIMETYPE "text/html"
5101 #define SAPI_DEFAULT_CHARSET ""
5102+
5103+#if HARDENING_PATCH
5104+#define SAPI_PHP_VERSION_HEADER "X-Powered-By: PHP/" PHP_VERSION " with Hardening-Patch"
5105+#else
5106 #define SAPI_PHP_VERSION_HEADER "X-Powered-By: PHP/" PHP_VERSION
5107+#endif
5108
5109 #define SAPI_POST_READER_FUNC(post_reader) void post_reader(TSRMLS_D)
5110 #define SAPI_POST_HANDLER_FUNC(post_handler) void post_handler(char *content_type_dup, void *arg TSRMLS_DC)
5111
5112 #define SAPI_TREAT_DATA_FUNC(treat_data) void treat_data(int arg, char *str, zval* destArray TSRMLS_DC)
5113+#define SAPI_INPUT_FILTER_FUNC(input_filter) unsigned int input_filter(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC)
5114+#define SAPI_UPLOAD_VARNAME_FILTER_FUNC(upload_varname_filter) unsigned int upload_varname_filter(char *varname TSRMLS_DC)
5115+#define SAPI_PRE_UPLOAD_FILTER_FUNC(pre_upload_filter) unsigned int pre_upload_filter(char *varname, char *filename TSRMLS_DC)
5116+#define SAPI_UPLOAD_CONTENT_FILTER_FUNC(upload_content_filter) unsigned int upload_content_filter(unsigned long offset, char *buffer, unsigned int buffer_len, unsigned int *new_buffer_len TSRMLS_DC)
5117+#define SAPI_POST_UPLOAD_FILTER_FUNC(post_upload_filter) unsigned int post_upload_filter(char *tmpfilename TSRMLS_DC)
5118
5119 SAPI_API SAPI_POST_READER_FUNC(sapi_read_standard_form_data);
5120 SAPI_API SAPI_POST_READER_FUNC(php_default_post_reader);
5121 SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data);
5122+SAPI_API SAPI_INPUT_FILTER_FUNC(php_default_input_filter);
5123
5124 #define STANDARD_SAPI_MODULE_PROPERTIES
5125
5126diff -Nura php-4.4.1/main/snprintf.c hardening-patch-4.4.1-0.4.6/main/snprintf.c
5127--- php-4.4.1/main/snprintf.c 2005-04-08 07:44:53.000000000 +0200
5128+++ hardening-patch-4.4.1-0.4.6/main/snprintf.c 2005-11-05 13:04:08.000000000 +0100
5129@@ -1013,7 +1013,11 @@
5130
5131
5132 case 'n':
5133+#if HARDENING_PATCH_FMT_PROTECT
5134+ php_security_log(S_MISC, "'n' specifier within format string");
5135+#else
5136 *(va_arg(ap, int *)) = cc;
5137+#endif
5138 break;
5139
5140 /*
5141diff -Nura php-4.4.1/main/spprintf.c hardening-patch-4.4.1-0.4.6/main/spprintf.c
5142--- php-4.4.1/main/spprintf.c 2005-04-08 07:44:53.000000000 +0200
5143+++ hardening-patch-4.4.1-0.4.6/main/spprintf.c 2005-11-05 13:04:08.000000000 +0100
5144@@ -630,7 +630,11 @@
5145
5146
5147 case 'n':
5148+#if HARDENING_PATCH_FMT_PROTECT
5149+ php_security_log(S_MISC, "'n' specifier within format string");
5150+#else
5151 *(va_arg(ap, int *)) = xbuf->len;
5152+#endif
5153 break;
5154
5155 /*
5156diff -Nura php-4.4.1/php.ini-dist hardening-patch-4.4.1-0.4.6/php.ini-dist
5157--- php-4.4.1/php.ini-dist 2005-04-28 15:14:45.000000000 +0200
5158+++ hardening-patch-4.4.1-0.4.6/php.ini-dist 2005-11-15 21:44:41.000000000 +0100
5159@@ -1112,6 +1112,209 @@
5160 ;exif.decode_jis_motorola = JIS
5161 ;exif.decode_jis_intel = JIS
5162
5163+[hardening-patch]
5164+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5165+; Hardening-Patch's logging ;
5166+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5167+
5168+;
5169+; hphp.log.syslog - Configures level for alerts reported through syslog
5170+; hphp.log.sapi - Configures level for alerts reported through SAPI errorlog
5171+; hphp.log.script - Configures level for alerts reported through external script
5172+;
5173+; hphp.log.syslog, hphp.log.sapi, hphp.log.script are bit-fields.
5174+; Or each number up to get desired Hardening-Patch's reporting level
5175+;
5176+; S_ALL - All alerts
5177+; S_MEMORY - All canary violations and the safe unlink protection use this class
5178+; S_VARS - All variable filters trigger this class
5179+; S_FILES - All violation of uploaded files filter use this class
5180+; S_INCLUDE - The protection against malicious include filenames use this class
5181+; S_SQL - Failed SQL queries in MySQL are logged with this class
5182+; S_EXECUTOR - The execution depth protection uses this logging class
5183+; S_MISC - All other log messages (f.e. format string protection) use this class
5184+;
5185+; Example:
5186+;
5187+; - Report all alerts (except memory alerts) to the SAPI errorlog,
5188+; memory alerts through syslog and SQL+Include alerts fo the script
5189+;
5190+;hphp.log.syslog = S_MEMORY
5191+;hphp.log.sapi = S_ALL & ~S_MEMORY
5192+;hphp.log.script = S_INCLUDE | S_SQL
5193+;
5194+; Syslog logging:
5195+;
5196+; - Facility configuration: one of the following facilities
5197+;
5198+; LOG_KERN, LOG_USER, LOG_MAIL, LOG_DAEMON
5199+; LOG_AUTH, LOG_SYSLOG, LOG_LPR, LOG_NEWS
5200+; LOG_UUCP, LOG_CRON, LOG_AUTHPRIV, LOG_LOCAL0
5201+; LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4
5202+; LOG_LOCAL5, LOG_LOCAL6, LOG_LOCAL7, LOG_PID
5203+; LOG_CONS, LOG_ODELAY, LOG_NDELAY, LOG_NOWAIT
5204+; LOG_PERROR
5205+;
5206+; - Priority configuration: one of the followinf priorities
5207+;
5208+; LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_WARNING
5209+; LOG_NOTICE, LOG_INFO, LOG_DEBUG, LOG_ERR
5210+;
5211+hphp.log.syslog.priority = LOG_ALERT
5212+hphp.log.syslog.facility = LOG_USER
5213+;
5214+; Script logging:
5215+;
5216+;hphp.log.script.name = /home/hphp/log_script
5217+;
5218+; Alert configuration:
5219+;
5220+; - Logged IP addresses from X-Forwarded-For instead of REMOTE_ADDR
5221+;
5222+;hphp.log.use-x-forwarded-for = On
5223+;
5224+
5225+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5226+; Hardening-Patch's Executor options ;
5227+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5228+
5229+; Execution depth limit
5230+;hphp.executor.max_depth = 8000
5231+
5232+; White-/blacklist for function calls during normal execution
5233+;hphp.executor.func.whitelist = ord,chr
5234+;hphp.executor.func.blacklist = system,shell_exec,popen,proc_open,exec,passthru
5235+
5236+; White-/blacklist for function calls during eval() execution
5237+;hphp.executor.eval.whitelist = ord,chr
5238+;hphp.executor.eval.blacklist = system,shell_exec,popen,proc_open,exec,passthru
5239+
5240+; White-/blacklist for URLs allowes in include filenames
5241+;
5242+; - When both options are not set all URLs are forbidden
5243+;
5244+; - When both options are set whitelist is taken and blacklist ignored
5245+;
5246+; - An entry in the lists is either a URL sheme like: http, https
5247+; or the beginning of an URL like: php://input
5248+;
5249+;hphp.executor.include.whitelist = cookietest
5250+;hphp.executor.include.blacklist = http, https, ftp, ftps, php://input, file
5251+
5252+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5253+; Hardening-Patch's REQUEST variable filters ;
5254+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5255+
5256+; Limits the number of REQUEST variables
5257+hphp.request.max_vars = 200
5258+
5259+; Limits the length of variable names (without indices)
5260+hphp.request.max_varname_length = 64
5261+
5262+; Limits the length of complete variable names (with indices)
5263+hphp.request.max_totalname_length = 256
5264+
5265+; Limits the length of array indices
5266+hphp.request.max_array_index_length = 64
5267+
5268+; Limits the depth of arrays
5269+hphp.request.max_array_depth = 100
5270+
5271+; Limits the length of variable values
5272+hphp.request.max_value_length = 65000
5273+
5274+; Disallow ASCII-NUL characters in input
5275+hphp.request.disallow_nul = 1
5276+
5277+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5278+; Hardening-Patch's COOKIE variable filters ;
5279+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5280+
5281+; Limits the number of COOKIE variables
5282+hphp.cookie.max_vars = 100
5283+
5284+; Limits the length of variable names (without indices)
5285+hphp.cookie.max_name_length = 64
5286+
5287+; Limits the length of complete variable names (with indices)
5288+hphp.cookie.max_totalname_length = 256
5289+
5290+; Limits the length of array indices
5291+hphp.cookie.max_array_index_length = 64
5292+
5293+; Limits the depth of arrays
5294+hphp.cookie.max_array_depth = 100
5295+
5296+; Limits the length of variable values
5297+hphp.cookie.max_value_length = 10000
5298+
5299+; Disallow ASCII-NUL characters in input
5300+hphp.cookie.disallow_nul = 1
5301+
5302+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5303+; Hardening-Patch's GET variable filters ;
5304+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5305+
5306+; Limits the number of COOKIE variables
5307+hphp.get.max_vars = 100
5308+
5309+; Limits the length of variable names (without indices)
5310+hphp.get.max_name_length = 64
5311+
5312+; Limits the length of complete variable names (with indices)
5313+hphp.get.max_totalname_length = 256
5314+
5315+; Limits the length of array indices
5316+hphp.get.max_array_index_length = 64
5317+
5318+; Limits the depth of arrays
5319+hphp.get.max_array_depth = 50
5320+
5321+; Limits the length of variable values
5322+hphp.get.max_value_length = 512
5323+
5324+; Disallow ASCII-NUL characters in input
5325+hphp.get.disallow_nul = 1
5326+
5327+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5328+; Hardening-Patch's POST variable filters ;
5329+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5330+
5331+; Limits the number of POST variables
5332+hphp.post.max_vars = 200
5333+
5334+; Limits the length of variable names (without indices)
5335+hphp.post.max_name_length = 64
5336+
5337+; Limits the length of complete variable names (with indices)
5338+hphp.post.max_totalname_length = 256
5339+
5340+; Limits the length of array indices
5341+hphp.post.max_array_index_length = 64
5342+
5343+; Limits the depth of arrays
5344+hphp.post.max_array_depth = 100
5345+
5346+; Limits the length of variable values
5347+hphp.post.max_value_length = 65000
5348+
5349+; Disallow ASCII-NUL characters in input
5350+hphp.post.disallow_nul = 1
5351+
5352+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5353+; Hardening-Patch's fileupload variable filters ;
5354+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5355+
5356+; Limits the number of uploadable files
5357+hphp.upload.max_uploads = 25
5358+
5359+; Filter out the upload of ELF executables
5360+hphp.upload.disallow_elf_files = On
5361+
5362+; External filterscript for upload verification
5363+;hphp.upload.verification_script = /home/hphp/verify_script
5364+
5365+
5366 ; Local Variables:
5367 ; tab-width: 4
5368 ; End:
5369diff -Nura php-4.4.1/php.ini-recommended hardening-patch-4.4.1-0.4.6/php.ini-recommended
5370--- php-4.4.1/php.ini-recommended 2005-04-28 15:14:46.000000000 +0200
5371+++ hardening-patch-4.4.1-0.4.6/php.ini-recommended 2005-11-15 21:45:02.000000000 +0100
5372@@ -1110,6 +1110,209 @@
5373 ;exif.decode_jis_motorola = JIS
5374 ;exif.decode_jis_intel = JIS
5375
5376+[hardening-patch]
5377+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5378+; Hardening-Patch's logging ;
5379+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5380+
5381+;
5382+; hphp.log.syslog - Configures level for alerts reported through syslog
5383+; hphp.log.sapi - Configures level for alerts reported through SAPI errorlog
5384+; hphp.log.script - Configures level for alerts reported through external script
5385+;
5386+; hphp.log.syslog, hphp.log.sapi, hphp.log.script are bit-fields.
5387+; Or each number up to get desired Hardening-Patch's reporting level
5388+;
5389+; S_ALL - All alerts
5390+; S_MEMORY - All canary violations and the safe unlink protection use this class
5391+; S_VARS - All variable filters trigger this class
5392+; S_FILES - All violation of uploaded files filter use this class
5393+; S_INCLUDE - The protection against malicious include filenames use this class
5394+; S_SQL - Failed SQL queries in MySQL are logged with this class
5395+; S_EXECUTOR - The execution depth protection uses this logging class
5396+; S_MISC - All other log messages (f.e. format string protection) use this class
5397+;
5398+; Example:
5399+;
5400+; - Report all alerts (except memory alerts) to the SAPI errorlog,
5401+; memory alerts through syslog and SQL+Include alerts fo the script
5402+;
5403+;hphp.log.syslog = S_MEMORY
5404+;hphp.log.sapi = S_ALL & ~S_MEMORY
5405+;hphp.log.script = S_INCLUDE | S_SQL
5406+;
5407+; Syslog logging:
5408+;
5409+; - Facility configuration: one of the following facilities
5410+;
5411+; LOG_KERN, LOG_USER, LOG_MAIL, LOG_DAEMON
5412+; LOG_AUTH, LOG_SYSLOG, LOG_LPR, LOG_NEWS
5413+; LOG_UUCP, LOG_CRON, LOG_AUTHPRIV, LOG_LOCAL0
5414+; LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4
5415+; LOG_LOCAL5, LOG_LOCAL6, LOG_LOCAL7, LOG_PID
5416+; LOG_CONS, LOG_ODELAY, LOG_NDELAY, LOG_NOWAIT
5417+; LOG_PERROR
5418+;
5419+; - Priority configuration: one of the followinf priorities
5420+;
5421+; LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_WARNING
5422+; LOG_NOTICE, LOG_INFO, LOG_DEBUG, LOG_ERR
5423+;
5424+hphp.log.syslog.priority = LOG_ALERT
5425+hphp.log.syslog.facility = LOG_USER
5426+;
5427+; Script logging:
5428+;
5429+;hphp.log.script.name = /home/hphp/log_script
5430+;
5431+; Alert configuration:
5432+;
5433+; - Logged IP addresses from X-Forwarded-For instead of REMOTE_ADDR
5434+;
5435+;hphp.log.use-x-forwarded-for = On
5436+;
5437+
5438+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5439+; Hardening-Patch's Executor options ;
5440+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5441+
5442+; Execution depth limit
5443+;hphp.executor.max_depth = 8000
5444+
5445+; White-/blacklist for function calls during normal execution
5446+;hphp.executor.func.whitelist = ord,chr
5447+;hphp.executor.func.blacklist = system,shell_exec,popen,proc_open,exec,passthru
5448+
5449+; White-/blacklist for function calls during eval() execution
5450+;hphp.executor.eval.whitelist = ord,chr
5451+;hphp.executor.eval.blacklist = system,shell_exec,popen,proc_open,exec,passthru
5452+
5453+; White-/blacklist for URLs allowes in include filenames
5454+;
5455+; - When both options are not set all URLs are forbidden
5456+;
5457+; - When both options are set whitelist is taken and blacklist ignored
5458+;
5459+; - An entry in the lists is either a URL sheme like: http, https
5460+; or the beginning of an URL like: php://input
5461+;
5462+;hphp.executor.include.whitelist = cookietest
5463+;hphp.executor.include.blacklist = http, https, ftp, ftps, php://input, file
5464+
5465+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5466+; Hardening-Patch's REQUEST variable filters ;
5467+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5468+
5469+; Limits the number of REQUEST variables
5470+hphp.request.max_vars = 200
5471+
5472+; Limits the length of variable names (without indices)
5473+hphp.request.max_varname_length = 64
5474+
5475+; Limits the length of complete variable names (with indices)
5476+hphp.request.max_totalname_length = 256
5477+
5478+; Limits the length of array indices
5479+hphp.request.max_array_index_length = 64
5480+
5481+; Limits the depth of arrays
5482+hphp.request.max_array_depth = 100
5483+
5484+; Limits the length of variable values
5485+hphp.request.max_value_length = 65000
5486+
5487+; Disallow ASCII-NUL characters in input
5488+hphp.request.disallow_nul = 1
5489+
5490+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5491+; Hardening-Patch's COOKIE variable filters ;
5492+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5493+
5494+; Limits the number of COOKIE variables
5495+hphp.cookie.max_vars = 100
5496+
5497+; Limits the length of variable names (without indices)
5498+hphp.cookie.max_name_length = 64
5499+
5500+; Limits the length of complete variable names (with indices)
5501+hphp.cookie.max_totalname_length = 256
5502+
5503+; Limits the length of array indices
5504+hphp.cookie.max_array_index_length = 64
5505+
5506+; Limits the depth of arrays
5507+hphp.cookie.max_array_depth = 100
5508+
5509+; Limits the length of variable values
5510+hphp.cookie.max_value_length = 10000
5511+
5512+; Disallow ASCII-NUL characters in input
5513+hphp.cookie.disallow_nul = 1
5514+
5515+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5516+; Hardening-Patch's GET variable filters ;
5517+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5518+
5519+; Limits the number of COOKIE variables
5520+hphp.get.max_vars = 100
5521+
5522+; Limits the length of variable names (without indices)
5523+hphp.get.max_name_length = 64
5524+
5525+; Limits the length of complete variable names (with indices)
5526+hphp.get.max_totalname_length = 256
5527+
5528+; Limits the length of array indices
5529+hphp.get.max_array_index_length = 64
5530+
5531+; Limits the depth of arrays
5532+hphp.get.max_array_depth = 50
5533+
5534+; Limits the length of variable values
5535+hphp.get.max_value_length = 512
5536+
5537+; Disallow ASCII-NUL characters in input
5538+hphp.get.disallow_nul = 1
5539+
5540+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5541+; Hardening-Patch's POST variable filters ;
5542+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5543+
5544+; Limits the number of POST variables
5545+hphp.post.max_vars = 200
5546+
5547+; Limits the length of variable names (without indices)
5548+hphp.post.max_name_length = 64
5549+
5550+; Limits the length of complete variable names (with indices)
5551+hphp.post.max_totalname_length = 256
5552+
5553+; Limits the length of array indices
5554+hphp.post.max_array_index_length = 64
5555+
5556+; Limits the depth of arrays
5557+hphp.post.max_array_depth = 100
5558+
5559+; Limits the length of variable values
5560+hphp.post.max_value_length = 65000
5561+
5562+; Disallow ASCII-NUL characters in input
5563+hphp.post.disallow_nul = 1
5564+
5565+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5566+; Hardening-Patch's fileupload variable filters ;
5567+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5568+
5569+; Limits the number of uploadable files
5570+hphp.upload.max_uploads = 25
5571+
5572+; Filter out the upload of ELF executables
5573+hphp.upload.disallow_elf_files = On
5574+
5575+; External filterscript for upload verification
5576+;hphp.upload.verification_script = /home/hphp/verify_script
5577+
5578+
5579 ; Local Variables:
5580 ; tab-width: 4
5581 ; End:
5582diff -Nura php-4.4.1/README.input_filter hardening-patch-4.4.1-0.4.6/README.input_filter
5583--- php-4.4.1/README.input_filter 1970-01-01 01:00:00.000000000 +0100
5584+++ hardening-patch-4.4.1-0.4.6/README.input_filter 2005-11-05 13:04:08.000000000 +0100
5585@@ -0,0 +1,193 @@
5586+Input Filter Support ported from PHP 5
5587+--------------------------------------
5588+
5589+XSS (Cross Site Scripting) hacks are becoming more and more prevalent,
5590+and can be quite difficult to prevent. Whenever you accept user data
5591+and somehow display this data back to users, you are likely vulnerable
5592+to XSS hacks.
5593+
5594+The Input Filter support in PHP 5 is aimed at providing the framework
5595+through which a company-wide or site-wide security policy can be
5596+enforced. It is implemented as a SAPI hook and is called from the
5597+treat_data and post handler functions. To implement your own security
5598+policy you will need to write a standard PHP extension.
5599+
5600+A simple implementation might look like the following. This stores the
5601+original raw user data and adds a my_get_raw() function while the normal
5602+$_POST, $_GET and $_COOKIE arrays are only populated with stripped
5603+data. In this simple example all I am doing is calling strip_tags() on
5604+the data. If register_globals is turned on, the default globals that
5605+are created will be stripped ($foo) while a $RAW_foo is created with the
5606+original user input.
5607+
5608+ZEND_BEGIN_MODULE_GLOBALS(my_input_filter)
5609+ zval *post_array;
5610+ zval *get_array;
5611+ zval *cookie_array;
5612+ZEND_END_MODULE_GLOBALS(my_input_filter)
5613+
5614+#ifdef ZTS
5615+#define IF_G(v) TSRMG(my_input_filter_globals_id, zend_my_input_filter_globals *, v)
5616+#else
5617+#define IF_G(v) (my_input_filter_globals.v)
5618+#endif
5619+
5620+ZEND_DECLARE_MODULE_GLOBALS(my_input_filter)
5621+
5622+function_entry my_input_filter_functions[] = {
5623+ PHP_FE(my_get_raw, NULL)
5624+ {NULL, NULL, NULL}
5625+};
5626+
5627+zend_module_entry my_input_filter_module_entry = {
5628+ STANDARD_MODULE_HEADER,
5629+ "my_input_filter",
5630+ my_input_filter_functions,
5631+ PHP_MINIT(my_input_filter),
5632+ PHP_MSHUTDOWN(my_input_filter),
5633+ NULL,
5634+ PHP_RSHUTDOWN(my_input_filter),
5635+ PHP_MINFO(my_input_filter),
5636+ "0.1",
5637+ STANDARD_MODULE_PROPERTIES
5638+};
5639+
5640+PHP_MINIT_FUNCTION(my_input_filter)
5641+{
5642+ ZEND_INIT_MODULE_GLOBALS(my_input_filter, php_my_input_filter_init_globals, NULL);
5643+
5644+ REGISTER_LONG_CONSTANT("POST", PARSE_POST, CONST_CS | CONST_PERSISTENT);
5645+ REGISTER_LONG_CONSTANT("GET", PARSE_GET, CONST_CS | CONST_PERSISTENT);
5646+ REGISTER_LONG_CONSTANT("COOKIE", PARSE_COOKIE, CONST_CS | CONST_PERSISTENT);
5647+
5648+ sapi_register_input_filter(my_sapi_input_filter);
5649+ return SUCCESS;
5650+}
5651+
5652+PHP_RSHUTDOWN_FUNCTION(my_input_filter)
5653+{
5654+ if(IF_G(get_array)) {
5655+ zval_ptr_dtor(&IF_G(get_array));
5656+ IF_G(get_array) = NULL;
5657+ }
5658+ if(IF_G(post_array)) {
5659+ zval_ptr_dtor(&IF_G(post_array));
5660+ IF_G(post_array) = NULL;
5661+ }
5662+ if(IF_G(cookie_array)) {
5663+ zval_ptr_dtor(&IF_G(cookie_array));
5664+ IF_G(cookie_array) = NULL;
5665+ }
5666+ return SUCCESS;
5667+}
5668+
5669+PHP_MINFO_FUNCTION(my_input_filter)
5670+{
5671+ php_info_print_table_start();
5672+ php_info_print_table_row( 2, "My Input Filter Support", "enabled" );
5673+ php_info_print_table_row( 2, "Revision", "$Revision: 1.1 $");
5674+ php_info_print_table_end();
5675+}
5676+
5677+/* The filter handler. If you return 1 from it, then PHP also registers the
5678+ * (modified) variable. Returning 0 prevents PHP from registering the variable;
5679+ * you can use this if your filter already registers the variable under a
5680+ * different name, or if you just don't want the variable registered at all. */
5681+SAPI_INPUT_FILTER_FUNC(my_sapi_input_filter)
5682+{
5683+ zval new_var;
5684+ zval *array_ptr = NULL;
5685+ char *raw_var;
5686+ int var_len;
5687+
5688+ assert(*val != NULL);
5689+
5690+ switch(arg) {
5691+ case PARSE_GET:
5692+ if(!IF_G(get_array)) {
5693+ ALLOC_ZVAL(array_ptr);
5694+ array_init(array_ptr);
5695+ INIT_PZVAL(array_ptr);
5696+ }
5697+ IF_G(get_array) = array_ptr;
5698+ break;
5699+ case PARSE_POST:
5700+ if(!IF_G(post_array)) {
5701+ ALLOC_ZVAL(array_ptr);
5702+ array_init(array_ptr);
5703+ INIT_PZVAL(array_ptr);
5704+ }
5705+ IF_G(post_array) = array_ptr;
5706+ break;
5707+ case PARSE_COOKIE:
5708+ if(!IF_G(cookie_array)) {
5709+ ALLOC_ZVAL(array_ptr);
5710+ array_init(array_ptr);
5711+ INIT_PZVAL(array_ptr);
5712+ }
5713+ IF_G(cookie_array) = array_ptr;
5714+ break;
5715+ }
5716+ Z_STRLEN(new_var) = val_len;
5717+ Z_STRVAL(new_var) = estrndup(*val, val_len);
5718+ Z_TYPE(new_var) = IS_STRING;
5719+
5720+ var_len = strlen(var);
5721+ raw_var = emalloc(var_len+5); /* RAW_ and a \0 */
5722+ strcpy(raw_var, "RAW_");
5723+ strlcat(raw_var,var,var_len+5);
5724+
5725+ php_register_variable_ex(raw_var, &new_var, array_ptr TSRMLS_DC);
5726+
5727+ php_strip_tags(*val, val_len, NULL, NULL, 0);
5728+
5729+ *new_val_len = strlen(*val);
5730+ return 1;
5731+}
5732+
5733+PHP_FUNCTION(my_get_raw)
5734+{
5735+ long arg;
5736+ char *var;
5737+ int var_len;
5738+ zval **tmp;
5739+ zval *array_ptr = NULL;
5740+ HashTable *hash_ptr;
5741+ char *raw_var;
5742+
5743+ if(zend_parse_parameters(2 TSRMLS_CC, "ls", &arg, &var, &var_len) == FAILURE) {
5744+ return;
5745+ }
5746+
5747+ switch(arg) {
5748+ case PARSE_GET:
5749+ array_ptr = IF_G(get_array);
5750+ break;
5751+ case PARSE_POST:
5752+ array_ptr = IF_G(post_array);
5753+ break;
5754+ case PARSE_COOKIE:
5755+ array_ptr = IF_G(post_array);
5756+ break;
5757+ }
5758+
5759+ if(!array_ptr) RETURN_FALSE;
5760+
5761+ /*
5762+ * I'm changing the variable name here because when running with register_globals on,
5763+ * the variable will end up in the global symbol table
5764+ */
5765+ raw_var = emalloc(var_len+5); /* RAW_ and a \0 */
5766+ strcpy(raw_var, "RAW_");
5767+ strlcat(raw_var,var,var_len+5);
5768+ hash_ptr = HASH_OF(array_ptr);
5769+
5770+ if(zend_hash_find(hash_ptr, raw_var, var_len+5, (void **)&tmp) == SUCCESS) {
5771+ *return_value = **tmp;
5772+ zval_copy_ctor(return_value);
5773+ } else {
5774+ RETVAL_FALSE;
5775+ }
5776+ efree(raw_var);
5777+}
5778+
5779diff -Nura php-4.4.1/run-tests.php hardening-patch-4.4.1-0.4.6/run-tests.php
5780--- php-4.4.1/run-tests.php 2005-06-19 00:54:07.000000000 +0200
5781+++ hardening-patch-4.4.1-0.4.6/run-tests.php 2005-11-15 21:42:20.000000000 +0100
5782@@ -152,6 +152,10 @@
5783 'error_reporting=2047',
5784 'display_errors=1',
5785 'log_errors=0',
5786+ 'hphp.executor.include.whitelist=cookietest',
5787+ 'hphp.log.syslog=0',
5788+ 'hphp.log.sapi=0',
5789+ 'hphp.log.script=0',
5790 'html_errors=0',
5791 'track_errors=1',
5792 'report_memleaks=1',
5793diff -Nura php-4.4.1/sapi/apache/mod_php4.c hardening-patch-4.4.1-0.4.6/sapi/apache/mod_php4.c
5794--- php-4.4.1/sapi/apache/mod_php4.c 2005-05-19 18:14:46.000000000 +0200
5795+++ hardening-patch-4.4.1-0.4.6/sapi/apache/mod_php4.c 2005-11-05 13:04:08.000000000 +0100
5796@@ -452,7 +452,7 @@
5797 sapi_apache_get_fd,
5798 sapi_apache_force_http_10,
5799 sapi_apache_get_target_uid,
5800- sapi_apache_get_target_gid
5801+ sapi_apache_get_target_gid,
5802 };
5803 /* }}} */
5804
5805@@ -898,7 +898,11 @@
5806 {
5807 TSRMLS_FETCH();
5808 if (PG(expose_php)) {
5809+#if HARDENING_PATCH
5810+ ap_add_version_component("PHP/" PHP_VERSION " with Hardening-Patch");
5811+#else
5812 ap_add_version_component("PHP/" PHP_VERSION);
5813+#endif
5814 }
5815 }
5816 #endif
5817diff -Nura php-4.4.1/sapi/apache2filter/sapi_apache2.c hardening-patch-4.4.1-0.4.6/sapi/apache2filter/sapi_apache2.c
5818--- php-4.4.1/sapi/apache2filter/sapi_apache2.c 2005-08-03 16:49:50.000000000 +0200
5819+++ hardening-patch-4.4.1-0.4.6/sapi/apache2filter/sapi_apache2.c 2005-11-05 13:04:08.000000000 +0100
5820@@ -562,7 +562,11 @@
5821 {
5822 TSRMLS_FETCH();
5823 if (PG(expose_php)) {
5824+#if HARDENING_PATCH
5825+ ap_add_version_component(p, "PHP/" PHP_VERSION " with Hardening-Patch");
5826+#else
5827 ap_add_version_component(p, "PHP/" PHP_VERSION);
5828+#endif
5829 }
5830 }
5831
5832diff -Nura php-4.4.1/sapi/apache2handler/sapi_apache2.c hardening-patch-4.4.1-0.4.6/sapi/apache2handler/sapi_apache2.c
5833--- php-4.4.1/sapi/apache2handler/sapi_apache2.c 2005-10-12 23:41:36.000000000 +0200
5834+++ hardening-patch-4.4.1-0.4.6/sapi/apache2handler/sapi_apache2.c 2005-11-05 13:04:08.000000000 +0100
5835@@ -340,7 +340,11 @@
5836 {
5837 TSRMLS_FETCH();
5838 if (PG(expose_php)) {
5839+#if HARDENING_PATCH
5840+ ap_add_version_component(p, "PHP/" PHP_VERSION " with Hardening-Patch");
5841+#else
5842 ap_add_version_component(p, "PHP/" PHP_VERSION);
5843+#endif
5844 }
5845 }
5846
5847diff -Nura php-4.4.1/sapi/cgi/cgi_main.c hardening-patch-4.4.1-0.4.6/sapi/cgi/cgi_main.c
5848--- php-4.4.1/sapi/cgi/cgi_main.c 2005-10-06 22:39:26.000000000 +0200
5849+++ hardening-patch-4.4.1-0.4.6/sapi/cgi/cgi_main.c 2005-11-05 13:04:08.000000000 +0100
5850@@ -1440,11 +1440,19 @@
5851 SG(headers_sent) = 1;
5852 SG(request_info).no_headers = 1;
5853 }
5854+#if HARDENING_PATCH
5855+#if ZEND_DEBUG
5856+ php_printf("PHP %s with Hardening-Patch %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENING_PATCH_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
5857+#else
5858+ php_printf("PHP %s with Hardening-Patch %s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENING_PATCH_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
5859+#endif
5860+#else
5861 #if ZEND_DEBUG
5862 php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
5863 #else
5864 php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
5865 #endif
5866+#endif
5867 php_end_ob_buffers(1 TSRMLS_CC);
5868 exit(0);
5869 break;
5870diff -Nura php-4.4.1/sapi/cli/php_cli.c hardening-patch-4.4.1-0.4.6/sapi/cli/php_cli.c
5871--- php-4.4.1/sapi/cli/php_cli.c 2005-10-11 20:59:23.000000000 +0200
5872+++ hardening-patch-4.4.1-0.4.6/sapi/cli/php_cli.c 2005-11-05 13:04:08.000000000 +0100
5873@@ -654,11 +654,19 @@
5874 if (php_request_startup(TSRMLS_C)==FAILURE) {
5875 goto err;
5876 }
5877+#if HARDENING_PATCH
5878+#if ZEND_DEBUG
5879+ php_printf("PHP %s with Hardening-Patch %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENING_PATCH_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
5880+#else
5881+ php_printf("PHP %s with Hardening-Patch %s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENING_PATCH_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
5882+#endif
5883+#else
5884 #if ZEND_DEBUG
5885 php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
5886 #else
5887 php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
5888 #endif
5889+#endif
5890 php_end_ob_buffers(1 TSRMLS_CC);
5891 exit_status=0;
5892 goto out;
5893diff -Nura php-4.4.1/TSRM/TSRM.h hardening-patch-4.4.1-0.4.6/TSRM/TSRM.h
5894--- php-4.4.1/TSRM/TSRM.h 2005-07-26 15:34:52.000000000 +0200
5895+++ hardening-patch-4.4.1-0.4.6/TSRM/TSRM.h 2005-11-05 13:04:08.000000000 +0100
5896@@ -33,6 +33,13 @@
5897 # define TSRM_API
5898 #endif
5899
5900+#if HARDENING_PATCH
5901+# if HAVE_REALPATH
5902+# undef realpath
5903+# define realpath php_realpath
5904+# endif
5905+#endif
5906+
5907 /* Only compile multi-threading functions if we're in ZTS mode */
5908 #ifdef ZTS
5909
5910@@ -84,6 +91,7 @@
5911
5912 #define THREAD_HASH_OF(thr,ts) (unsigned long)thr%(unsigned long)ts
5913
5914+
5915 #ifdef __cplusplus
5916 extern "C" {
5917 #endif
5918diff -Nura php-4.4.1/TSRM/tsrm_virtual_cwd.c hardening-patch-4.4.1-0.4.6/TSRM/tsrm_virtual_cwd.c
5919--- php-4.4.1/TSRM/tsrm_virtual_cwd.c 2005-08-03 16:51:24.000000000 +0200
5920+++ hardening-patch-4.4.1-0.4.6/TSRM/tsrm_virtual_cwd.c 2005-11-05 13:07:14.000000000 +0100
5921@@ -179,6 +179,165 @@
5922 return p;
5923 }
5924
5925+#if HARDENING_PATCH
5926+CWD_API char *php_realpath(const char *path, char *resolved)
5927+{
5928+ struct stat sb;
5929+ char *p, *q, *s;
5930+ size_t left_len, resolved_len;
5931+ unsigned symlinks;
5932+ int serrno, slen;
5933+ int is_dir = 1;
5934+ char left[PATH_MAX], next_token[PATH_MAX], symlink[PATH_MAX];
5935+
5936+ serrno = errno;
5937+ symlinks = 0;
5938+ if (path[0] == '/') {
5939+ resolved[0] = '/';
5940+ resolved[1] = '\0';
5941+ if (path[1] == '\0')
5942+ return (resolved);
5943+ resolved_len = 1;
5944+ left_len = strlcpy(left, path + 1, sizeof(left));
5945+ } else {
5946+ if (getcwd(resolved, PATH_MAX) == NULL) {
5947+ strlcpy(resolved, ".", PATH_MAX);
5948+ return (NULL);
5949+ }
5950+ resolved_len = strlen(resolved);
5951+ left_len = strlcpy(left, path, sizeof(left));
5952+ }
5953+ if (left_len >= sizeof(left) || resolved_len >= PATH_MAX) {
5954+ errno = ENAMETOOLONG;
5955+ return (NULL);
5956+ }
5957+
5958+ /*
5959+ * Iterate over path components in `left'.
5960+ */
5961+ while (left_len != 0) {
5962+ /*
5963+ * Extract the next path component and adjust `left'
5964+ * and its length.
5965+ */
5966+ p = strchr(left, '/');
5967+ s = p ? p : left + left_len;
5968+ if (s - left >= sizeof(next_token)) {
5969+ errno = ENAMETOOLONG;
5970+ return (NULL);
5971+ }
5972+ memcpy(next_token, left, s - left);
5973+ next_token[s - left] = '\0';
5974+ left_len -= s - left;
5975+ if (p != NULL)
5976+ memmove(left, s + 1, left_len + 1);
5977+ if (resolved[resolved_len - 1] != '/') {
5978+ if (resolved_len + 1 >= PATH_MAX) {
5979+ errno = ENAMETOOLONG;
5980+ return (NULL);
5981+ }
5982+ resolved[resolved_len++] = '/';
5983+ resolved[resolved_len] = '\0';
5984+ }
5985+ if (next_token[0] == '\0')
5986+ continue;
5987+ else if (strcmp(next_token, ".") == 0)
5988+ continue;
5989+ else if (strcmp(next_token, "..") == 0) {
5990+ /*
5991+ * Strip the last path component except when we have
5992+ * single "/"
5993+ */
5994+ if (!is_dir) {
5995+ errno = ENOENT;
5996+ return (NULL);
5997+ }
5998+ if (resolved_len > 1) {
5999+ resolved[resolved_len - 1] = '\0';
6000+ q = strrchr(resolved, '/');
6001+ *q = '\0';
6002+ resolved_len = q - resolved;
6003+ }
6004+ continue;
6005+ }
6006+
6007+ /*
6008+ * Append the next path component and lstat() it. If
6009+ * lstat() fails we still can return successfully if
6010+ * there are no more path components left.
6011+ */
6012+ resolved_len = strlcat(resolved, next_token, PATH_MAX);
6013+ if (resolved_len >= PATH_MAX) {
6014+ errno = ENAMETOOLONG;
6015+ return (NULL);
6016+ }
6017+ if (lstat(resolved, &sb) != 0) {
6018+ if (errno == ENOENT && p == NULL) {
6019+ errno = serrno;
6020+ return (resolved);
6021+ }
6022+ return (NULL);
6023+ }
6024+ if (S_ISLNK(sb.st_mode)) {
6025+ if (symlinks++ > MAXSYMLINKS) {
6026+ errno = ELOOP;
6027+ return (NULL);
6028+ }
6029+ slen = readlink(resolved, symlink, sizeof(symlink) - 1);
6030+ if (slen < 0)
6031+ return (NULL);
6032+ symlink[slen] = '\0';
6033+ if (symlink[0] == '/') {
6034+ resolved[1] = 0;
6035+ resolved_len = 1;
6036+ } else if (resolved_len > 1) {
6037+ /* Strip the last path component. */
6038+ resolved[resolved_len - 1] = '\0';
6039+ q = strrchr(resolved, '/');
6040+ *q = '\0';
6041+ resolved_len = q - resolved;
6042+ }
6043+
6044+ /*
6045+ * If there are any path components left, then
6046+ * append them to symlink. The result is placed
6047+ * in `left'.
6048+ */
6049+ if (p != NULL) {
6050+ if (symlink[slen - 1] != '/') {
6051+ if (slen + 1 >= sizeof(symlink)) {
6052+ errno = ENAMETOOLONG;
6053+ return (NULL);
6054+ }
6055+ symlink[slen] = '/';
6056+ symlink[slen + 1] = 0;
6057+ }
6058+ left_len = strlcat(symlink, left, sizeof(left));
6059+ if (left_len >= sizeof(left)) {
6060+ errno = ENAMETOOLONG;
6061+ return (NULL);
6062+ }
6063+ }
6064+ left_len = strlcpy(left, symlink, sizeof(left));
6065+ } else {
6066+ if (S_ISDIR(sb.st_mode)) {
6067+ is_dir = 1;
6068+ } else {
6069+ is_dir = 0;
6070+ }
6071+ }
6072+ }
6073+
6074+ /*
6075+ * Remove trailing slash except when the resolved pathname
6076+ * is a single "/".
6077+ */
6078+ if (resolved_len > 1 && resolved[resolved_len - 1] == '/')
6079+ resolved[resolved_len - 1] = '\0';
6080+ return (resolved);
6081+}
6082+#endif
6083+
6084 CWD_API void virtual_cwd_startup(void)
6085 {
6086 char cwd[MAXPATHLEN];
6087@@ -300,8 +459,11 @@
6088
6089 if (path_length == 0)
6090 return (0);
6091- if (path_length >= MAXPATHLEN)
6092+ if (path_length >= MAXPATHLEN) {
6093+ state->cwd[0] = 0;
6094+ state->cwd_length = 0;
6095 return (1);
6096+ }
6097
6098 #if !defined(TSRM_WIN32) && !defined(NETWARE)
6099 /* cwd_length can be 0 when getcwd() fails.
6100@@ -313,8 +475,9 @@
6101 path = resolved_path;
6102 path_length = strlen(path);
6103 } else {
6104- /* disable for now
6105- return 1; */
6106+ state->cwd[0] = 0;
6107+ state->cwd_length = 0;
6108+ return 1;
6109 }
6110 }
6111 } else { /* Concat current directory with relative path and then run realpath() on it */
6112@@ -323,6 +486,8 @@
6113
6114 ptr = tmp = (char *) malloc(state->cwd_length+path_length+sizeof("/"));
6115 if (!tmp) {
6116+ state->cwd[0] = 0;
6117+ state->cwd_length = 0;
6118 return 1;
6119 }
6120 memcpy(ptr, state->cwd, state->cwd_length);
6121@@ -332,6 +497,8 @@
6122 ptr += path_length;
6123 *ptr = '\0';
6124 if (strlen(tmp) >= MAXPATHLEN) {
6125+ state->cwd[0] = 0;
6126+ state->cwd_length = 0;
6127 free(tmp);
6128 return 1;
6129 }
6130@@ -340,9 +507,10 @@
6131 path = resolved_path;
6132 path_length = strlen(path);
6133 } else {
6134- /* disable for now
6135+ state->cwd[0] = 0;
6136+ state->cwd_length = 0;
6137 free(tmp);
6138- return 1; */
6139+ return 1;
6140 }
6141 }
6142 free(tmp);
6143diff -Nura php-4.4.1/TSRM/tsrm_virtual_cwd.h hardening-patch-4.4.1-0.4.6/TSRM/tsrm_virtual_cwd.h
6144--- php-4.4.1/TSRM/tsrm_virtual_cwd.h 2005-08-03 16:51:24.000000000 +0200
6145+++ hardening-patch-4.4.1-0.4.6/TSRM/tsrm_virtual_cwd.h 2005-11-05 13:04:08.000000000 +0100
6146@@ -128,6 +128,22 @@
6147
6148 typedef int (*verify_path_func)(const cwd_state *);
6149
6150+#ifndef HAVE_STRLCPY
6151+CWD_API size_t php_strlcpy(char *dst, const char *src, size_t siz);
6152+#undef strlcpy
6153+#define strlcpy php_strlcpy
6154+#endif
6155+
6156+#ifndef HAVE_STRLCAT
6157+CWD_API size_t php_strlcat(char *dst, const char *src, size_t siz);
6158+#undef strlcat
6159+#define strlcat php_strlcat
6160+#endif
6161+
6162+
6163+#if HARDENING_PATCH
6164+CWD_API char *php_realpath(const char *path, char *resolved);
6165+#endif
6166 CWD_API void virtual_cwd_startup(void);
6167 CWD_API void virtual_cwd_shutdown(void);
6168 CWD_API char *virtual_getcwd_ex(size_t *length TSRMLS_DC);
6169diff -Nura php-4.4.1/Zend/zend_alloc.c hardening-patch-4.4.1-0.4.6/Zend/zend_alloc.c
6170--- php-4.4.1/Zend/zend_alloc.c 2005-08-18 17:14:48.000000000 +0200
6171+++ hardening-patch-4.4.1-0.4.6/Zend/zend_alloc.c 2005-11-05 13:04:08.000000000 +0100
6172@@ -56,6 +56,11 @@
6173 # define END_MAGIC_SIZE 0
6174 #endif
6175
6176+#if HARDENING_PATCH_MM_PROTECT
6177+# define CANARY_SIZE sizeof(unsigned int)
6178+#else
6179+# define CANARY_SIZE 0
6180+#endif
6181
6182 # if MEMORY_LIMIT
6183 # if ZEND_DEBUG
6184@@ -96,9 +101,17 @@
6185 if (p==AG(head)) { \
6186 AG(head) = p->pNext; \
6187 } else { \
6188+ if (p != p->pLast->pNext) { \
6189+ zend_security_log(S_MEMORY, "linked list corrupt on efree() - heap corruption detected"); \
6190+ exit(1); \
6191+ } \
6192 p->pLast->pNext = p->pNext; \
6193 } \
6194 if (p->pNext) { \
6195+ if (p != p->pNext->pLast) { \
6196+ zend_security_log(S_MEMORY, "linked list corrupt on efree() - heap corruption detected"); \
6197+ exit(1); \
6198+ } \
6199 p->pNext->pLast = p->pLast; \
6200 }
6201
6202@@ -130,6 +143,12 @@
6203 DECLARE_CACHE_VARS();
6204 TSRMLS_FETCH();
6205
6206+#if HARDENING_PATCH_MM_PROTECT
6207+ if (size > LONG_MAX - sizeof(zend_mem_header) - MEM_HEADER_PADDING - END_MAGIC_SIZE - CANARY_SIZE) {
6208+ zend_security_log(S_MEMORY, "emalloc() - requested size would result in integer overflow");
6209+ exit(1);
6210+ }
6211+#endif
6212 CALCULATE_REAL_SIZE_AND_CACHE_INDEX(size);
6213
6214 if (!ZEND_DISABLE_MEMORY_CACHE && (CACHE_INDEX < MAX_CACHED_MEMORY) && (AG(cache_count)[CACHE_INDEX] > 0)) {
6215@@ -147,6 +166,10 @@
6216 AG(cache_stats)[CACHE_INDEX][1]++;
6217 memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
6218 #endif
6219+#if HARDENING_PATCH_MM_PROTECT
6220+ p->canary = HG(canary_1);
6221+ memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
6222+#endif
6223 p->cached = 0;
6224 p->size = size;
6225 return (void *)((char *)p + sizeof(zend_mem_header) + MEM_HEADER_PADDING);
6226@@ -162,7 +185,7 @@
6227 AG(allocated_memory_peak) = AG(allocated_memory);
6228 }
6229 #endif
6230- p = (zend_mem_header *) ZEND_DO_MALLOC(sizeof(zend_mem_header) + MEM_HEADER_PADDING + SIZE + END_MAGIC_SIZE);
6231+ p = (zend_mem_header *) ZEND_DO_MALLOC(sizeof(zend_mem_header) + MEM_HEADER_PADDING + SIZE + END_MAGIC_SIZE + CANARY_SIZE);
6232 }
6233
6234 HANDLE_BLOCK_INTERRUPTIONS();
6235@@ -192,7 +215,10 @@
6236 # endif
6237 memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
6238 #endif
6239-
6240+#if HARDENING_PATCH_MM_PROTECT
6241+ p->canary = HG(canary_1);
6242+ memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
6243+#endif
6244 HANDLE_UNBLOCK_INTERRUPTIONS();
6245 return (void *)((char *)p + sizeof(zend_mem_header) + MEM_HEADER_PADDING);
6246 }
6247@@ -219,17 +245,36 @@
6248 return emalloc_rel(lval + offset);
6249 }
6250 }
6251-
6252+
6253+#if HARDENING_PATCH
6254+ zend_security_log(S_MEMORY, "Possible integer overflow catched by safe_emalloc()");
6255+#endif
6256 zend_error(E_ERROR, "Possible integer overflow in memory allocation (%ld * %ld + %ld)", nmemb, size, offset);
6257 return 0;
6258 }
6259
6260 ZEND_API void _efree(void *ptr ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
6261 {
6262+#if HARDENING_PATCH_MM_PROTECT
6263+ unsigned int canary_2;
6264+#endif
6265 zend_mem_header *p = (zend_mem_header *) ((char *)ptr - sizeof(zend_mem_header) - MEM_HEADER_PADDING);
6266 DECLARE_CACHE_VARS();
6267 TSRMLS_FETCH();
6268
6269+#if HARDENING_PATCH_MM_PROTECT
6270+ if (p->canary != HG(canary_1)) goto efree_canary_mismatch;
6271+ memcpy(&canary_2, (((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE), CANARY_SIZE);
6272+ if (canary_2 != HG(canary_2)) {
6273+efree_canary_mismatch:
6274+ zend_security_log(S_MEMORY, "canary mismatch on efree() - heap overflow or double efree detected");
6275+ exit(1);
6276+ }
6277+ /* to catch double efree()s */
6278+ memset((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE), 0, CANARY_SIZE);
6279+ p->canary = 0;
6280+#endif
6281+
6282 #if defined(ZTS) && TSRM_DEBUG
6283 if (p->thread_id != tsrm_thread_id()) {
6284 tsrm_error(TSRM_ERROR_LEVEL_ERROR, "Memory block allocated at %s:(%d) on thread %x freed at %s:(%d) on thread %x, ignoring",
6285@@ -274,6 +319,9 @@
6286 size_t _size = nmemb * size;
6287
6288 if (nmemb && (_size/nmemb!=size)) {
6289+#if HARDENING_PATCH
6290+ zend_security_log(S_MEMORY, "Possible integer overflow catched by ecalloc()");
6291+#endif
6292 fprintf(stderr,"FATAL: ecalloc(): Unable to allocate %ld * %ld bytes\n", (long) nmemb, (long) size);
6293 #if ZEND_DEBUG && HAVE_KILL && HAVE_GETPID
6294 kill(getpid(), SIGSEGV);
6295@@ -293,6 +341,9 @@
6296
6297 ZEND_API void *_erealloc(void *ptr, size_t size, int allow_failure ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
6298 {
6299+#if HARDENING_PATCH_MM_PROTECT
6300+ unsigned int canary_2;
6301+#endif
6302 zend_mem_header *p;
6303 zend_mem_header *orig;
6304 DECLARE_CACHE_VARS();
6305@@ -304,6 +355,16 @@
6306
6307 p = orig = (zend_mem_header *) ((char *)ptr-sizeof(zend_mem_header)-MEM_HEADER_PADDING);
6308
6309+#if HARDENING_PATCH_MM_PROTECT
6310+ if (p->canary != HG(canary_1)) goto erealloc_canary_mismatch;
6311+ memcpy(&canary_2, (((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE), CANARY_SIZE);
6312+ if (canary_2 != HG(canary_2)) {
6313+erealloc_canary_mismatch:
6314+ zend_security_log(S_MEMORY, "canary mismatch on erealloc() - heap overflow detected");
6315+ exit(1);
6316+ }
6317+#endif
6318+
6319 #if defined(ZTS) && TSRM_DEBUG
6320 if (p->thread_id != tsrm_thread_id()) {
6321 void *new_p;
6322@@ -327,7 +388,7 @@
6323 }
6324 #endif
6325 REMOVE_POINTER_FROM_LIST(p);
6326- p = (zend_mem_header *) ZEND_DO_REALLOC(p, sizeof(zend_mem_header)+MEM_HEADER_PADDING+SIZE+END_MAGIC_SIZE);
6327+ p = (zend_mem_header *) ZEND_DO_REALLOC(p, sizeof(zend_mem_header)+MEM_HEADER_PADDING+SIZE+END_MAGIC_SIZE+CANARY_SIZE);
6328 if (!p) {
6329 if (!allow_failure) {
6330 fprintf(stderr,"FATAL: erealloc(): Unable to allocate %ld bytes\n", (long) size);
6331@@ -349,6 +410,9 @@
6332 memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
6333 #endif
6334
6335+#if HARDENING_PATCH_MM_PROTECT
6336+ memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
6337+#endif
6338 p->size = size;
6339
6340 HANDLE_UNBLOCK_INTERRUPTIONS();
6341@@ -423,6 +487,10 @@
6342 {
6343 AG(head) = NULL;
6344
6345+#if HARDENING_PATCH_MM_PROTECT
6346+ HG(canary_1) = zend_canary();
6347+ HG(canary_2) = zend_canary();
6348+#endif
6349 #if MEMORY_LIMIT
6350 AG(memory_limit) = 1<<30; /* ridiculous limit, effectively no limit */
6351 AG(allocated_memory) = 0;
6352diff -Nura php-4.4.1/Zend/zend_alloc.h hardening-patch-4.4.1-0.4.6/Zend/zend_alloc.h
6353--- php-4.4.1/Zend/zend_alloc.h 2005-06-07 15:37:33.000000000 +0200
6354+++ hardening-patch-4.4.1-0.4.6/Zend/zend_alloc.h 2005-11-05 13:04:08.000000000 +0100
6355@@ -32,6 +32,9 @@
6356 #define MEM_BLOCK_CACHED_MAGIC 0xFB8277DCL
6357
6358 typedef struct _zend_mem_header {
6359+#if HARDENING_PATCH_MM_PROTECT
6360+ unsigned int canary;
6361+#endif
6362 #if ZEND_DEBUG
6363 long magic;
6364 char *filename;
6365diff -Nura php-4.4.1/Zend/zend_builtin_functions.c hardening-patch-4.4.1-0.4.6/Zend/zend_builtin_functions.c
6366--- php-4.4.1/Zend/zend_builtin_functions.c 2005-06-23 14:20:47.000000000 +0200
6367+++ hardening-patch-4.4.1-0.4.6/Zend/zend_builtin_functions.c 2005-11-05 13:04:08.000000000 +0100
6368@@ -49,6 +49,9 @@
6369 static ZEND_FUNCTION(crash);
6370 #endif
6371 #endif
6372+#if HARDENING_PATCH_MM_PROTECT_DEBUG
6373+static ZEND_FUNCTION(heap_overflow);
6374+#endif
6375 static ZEND_FUNCTION(get_included_files);
6376 static ZEND_FUNCTION(is_subclass_of);
6377 static ZEND_FUNCTION(is_a);
6378@@ -101,6 +104,9 @@
6379 ZEND_FE(crash, NULL)
6380 #endif
6381 #endif
6382+#if HARDENING_PATCH_MM_PROTECT_DEBUG
6383+ ZEND_FE(heap_overflow, NULL)
6384+#endif
6385 ZEND_FE(get_included_files, NULL)
6386 ZEND_FALIAS(get_required_files, get_included_files, NULL)
6387 ZEND_FE(is_subclass_of, NULL)
6388@@ -805,6 +811,19 @@
6389
6390 #endif /* ZEND_DEBUG */
6391
6392+
6393+#if HARDENING_PATCH_MM_PROTECT_DEBUG
6394+ZEND_FUNCTION(heap_overflow)
6395+{
6396+ char *nowhere = emalloc(10);
6397+
6398+ memcpy(nowhere, "something1234567890", sizeof("something1234567890"));
6399+
6400+ efree(nowhere);
6401+}
6402+#endif
6403+
6404+
6405 /* {{{ proto array get_included_files(void)
6406 Returns an array with the file names that were include_once()'d */
6407 ZEND_FUNCTION(get_included_files)
6408diff -Nura php-4.4.1/Zend/zend.c hardening-patch-4.4.1-0.4.6/Zend/zend.c
6409--- php-4.4.1/Zend/zend.c 2005-06-09 12:14:25.000000000 +0200
6410+++ hardening-patch-4.4.1-0.4.6/Zend/zend.c 2005-11-26 00:10:28.000000000 +0100
6411@@ -53,6 +53,12 @@
6412 ZEND_API void (*zend_unblock_interruptions)(void);
6413 ZEND_API void (*zend_ticks_function)(int ticks);
6414 ZEND_API void (*zend_error_cb)(int type, const char *error_filename, const uint error_lineno, const char *format, va_list args);
6415+#if HARDENING_PATCH
6416+ZEND_API void (*zend_security_log)(int loglevel, char *fmt, ...);
6417+#endif
6418+#if HARDENING_PATCH_INC_PROTECT
6419+ZEND_API int (*zend_is_valid_include)(zval *z);
6420+#endif
6421
6422 void (*zend_on_timeout)(int seconds TSRMLS_DC);
6423
6424@@ -70,9 +76,390 @@
6425 return SUCCESS;
6426 }
6427
6428+#if HARDENING_PATCH
6429+static ZEND_INI_MH(OnUpdateHPHP_log_syslog)
6430+{
6431+ if (!new_value) {
6432+ EG(hphp_log_syslog) = S_ALL & ~S_SQL | S_MEMORY | S_INTERNAL;
6433+ } else {
6434+ EG(hphp_log_syslog) = atoi(new_value) | S_MEMORY | S_INTERNAL;
6435+ }
6436+ return SUCCESS;
6437+}
6438+static ZEND_INI_MH(OnUpdateHPHP_log_syslog_facility)
6439+{
6440+ if (!new_value) {
6441+ EG(hphp_log_syslog_facility) = LOG_USER;
6442+ } else {
6443+ EG(hphp_log_syslog_facility) = atoi(new_value);
6444+ }
6445+ return SUCCESS;
6446+}
6447+static ZEND_INI_MH(OnUpdateHPHP_log_syslog_priority)
6448+{
6449+ if (!new_value) {
6450+ EG(hphp_log_syslog_priority) = LOG_ALERT;
6451+ } else {
6452+ EG(hphp_log_syslog_priority) = atoi(new_value);
6453+ }
6454+ return SUCCESS;
6455+}
6456+static ZEND_INI_MH(OnUpdateHPHP_log_sapi)
6457+{
6458+ if (!new_value) {
6459+ EG(hphp_log_sapi) = S_ALL & ~S_SQL | S_INTERNAL;
6460+ } else {
6461+ EG(hphp_log_sapi) = atoi(new_value) | S_INTERNAL;
6462+ }
6463+ return SUCCESS;
6464+}
6465+static ZEND_INI_MH(OnUpdateHPHP_log_script)
6466+{
6467+ if (!new_value) {
6468+ EG(hphp_log_script) = S_ALL & (~S_MEMORY) & (~S_INTERNAL);
6469+ } else {
6470+ EG(hphp_log_script) = atoi(new_value) & (~S_MEMORY) & (~S_INTERNAL);
6471+ }
6472+ return SUCCESS;
6473+}
6474+static ZEND_INI_MH(OnUpdateHPHP_log_scriptname)
6475+{
6476+ if (EG(hphp_log_scriptname)) {
6477+ pefree(EG(hphp_log_scriptname),1);
6478+ }
6479+ EG(hphp_log_scriptname) = NULL;
6480+ if (new_value) {
6481+ EG(hphp_log_scriptname) = pestrdup(new_value,1);
6482+ }
6483+ return SUCCESS;
6484+}
6485+
6486+static ZEND_INI_MH(OnUpdateHPHP_include_whitelist)
6487+{
6488+ char *s = NULL, *e, *val;
6489+ unsigned long dummy = 1;
6490+
6491+ if (!new_value) {
6492+include_whitelist_destroy:
6493+ if (HG(include_whitelist)) {
6494+ zend_hash_destroy(HG(include_whitelist));
6495+ pefree(HG(include_whitelist),1);
6496+ }
6497+ HG(include_whitelist) = NULL;
6498+ return SUCCESS;
6499+ }
6500+ if (!(*new_value)) {
6501+ goto include_whitelist_destroy;
6502+ }
6503+
6504+ HG(include_whitelist) = pemalloc(sizeof(HashTable), 1);
6505+ zend_hash_init(HG(include_whitelist), 5, NULL, NULL, 1);
6506+
6507+ val = zend_str_tolower_dup(new_value, strlen(new_value));
6508+ e = val;
6509+
6510+ while (*e) {
6511+ switch (*e) {
6512+ case ' ':
6513+ case ',':
6514+ if (s) {
6515+ *e = '\0';
6516+ zend_hash_add(HG(include_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6517+ s = NULL;
6518+ }
6519+ break;
6520+ default:
6521+ if (!s) {
6522+ s = e;
6523+ }
6524+ break;
6525+ }
6526+ e++;
6527+ }
6528+ if (s) {
6529+ zend_hash_add(HG(include_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6530+ }
6531+ efree(val);
6532+
6533+ return SUCCESS;
6534+}
6535+
6536+static ZEND_INI_MH(OnUpdateHPHP_include_blacklist)
6537+{
6538+ char *s = NULL, *e, *val;
6539+ unsigned long dummy = 1;
6540+
6541+ if (!new_value) {
6542+include_blacklist_destroy:
6543+ if (HG(include_blacklist)) {
6544+ zend_hash_destroy(HG(include_blacklist));
6545+ pefree(HG(include_blacklist),1);
6546+ }
6547+ HG(include_blacklist) = NULL;
6548+ return SUCCESS;
6549+ }
6550+ if (!(*new_value)) {
6551+ goto include_blacklist_destroy;
6552+ }
6553+
6554+ HG(include_blacklist) = pemalloc(sizeof(HashTable), 1);
6555+ zend_hash_init(HG(include_blacklist), 5, NULL, NULL, 1);
6556+
6557+ val = zend_str_tolower_dup(new_value, strlen(new_value));
6558+ e = val;
6559+
6560+ while (*e) {
6561+ switch (*e) {
6562+ case ' ':
6563+ case ',':
6564+ if (s) {
6565+ *e = '\0';
6566+ zend_hash_add(HG(include_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6567+ s = NULL;
6568+ }
6569+ break;
6570+ default:
6571+ if (!s) {
6572+ s = e;
6573+ }
6574+ break;
6575+ }
6576+ e++;
6577+ }
6578+ if (s) {
6579+ zend_hash_add(HG(include_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6580+ }
6581+ efree(val);
6582+
6583+ return SUCCESS;
6584+}
6585+
6586+static ZEND_INI_MH(OnUpdateHPHP_eval_whitelist)
6587+{
6588+ char *s = NULL, *e, *val;
6589+ unsigned long dummy = 1;
6590+
6591+ if (!new_value) {
6592+eval_whitelist_destroy:
6593+ if (HG(eval_whitelist)) {
6594+ zend_hash_destroy(HG(eval_whitelist));
6595+ pefree(HG(eval_whitelist),1);
6596+ }
6597+ HG(eval_whitelist) = NULL;
6598+ return SUCCESS;
6599+ }
6600+ if (!(*new_value)) {
6601+ goto eval_whitelist_destroy;
6602+ }
6603+
6604+ HG(eval_whitelist) = pemalloc(sizeof(HashTable), 1);
6605+ zend_hash_init(HG(eval_whitelist), 5, NULL, NULL, 1);
6606+
6607+ val = zend_str_tolower_dup(new_value, strlen(new_value));
6608+ e = val;
6609+
6610+ while (*e) {
6611+ switch (*e) {
6612+ case ' ':
6613+ case ',':
6614+ if (s) {
6615+ *e = '\0';
6616+ zend_hash_add(HG(eval_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6617+ s = NULL;
6618+ }
6619+ break;
6620+ default:
6621+ if (!s) {
6622+ s = e;
6623+ }
6624+ break;
6625+ }
6626+ e++;
6627+ }
6628+ if (s) {
6629+ zend_hash_add(HG(eval_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6630+ }
6631+ efree(val);
6632+
6633+ return SUCCESS;
6634+}
6635+
6636+static ZEND_INI_MH(OnUpdateHPHP_eval_blacklist)
6637+{
6638+ char *s = NULL, *e, *val;
6639+ unsigned long dummy = 1;
6640+
6641+ if (!new_value) {
6642+eval_blacklist_destroy:
6643+ if (HG(eval_blacklist)) {
6644+ zend_hash_destroy(HG(eval_blacklist));
6645+ pefree(HG(eval_blacklist), 1);
6646+ }
6647+ HG(eval_blacklist) = NULL;
6648+ return SUCCESS;
6649+ }
6650+ if (!(*new_value)) {
6651+ goto eval_blacklist_destroy;
6652+ }
6653+
6654+ HG(eval_blacklist) = pemalloc(sizeof(HashTable), 1);
6655+ zend_hash_init(HG(eval_blacklist), 5, NULL, NULL, 1);
6656+
6657+ val = zend_str_tolower_dup(new_value, strlen(new_value));
6658+ e = val;
6659+
6660+ while (*e) {
6661+ switch (*e) {
6662+ case ' ':
6663+ case ',':
6664+ if (s) {
6665+ *e = '\0';
6666+ zend_hash_add(HG(eval_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6667+ s = NULL;
6668+ }
6669+ break;
6670+ default:
6671+ if (!s) {
6672+ s = e;
6673+ }
6674+ break;
6675+ }
6676+ e++;
6677+ }
6678+ if (s) {
6679+ zend_hash_add(HG(eval_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6680+ }
6681+ efree(val);
6682+
6683+
6684+ return SUCCESS;
6685+}
6686+
6687+static ZEND_INI_MH(OnUpdateHPHP_func_whitelist)
6688+{
6689+ char *s = NULL, *e, *val;
6690+ unsigned long dummy = 1;
6691+
6692+ if (!new_value) {
6693+func_whitelist_destroy:
6694+ if (HG(func_whitelist)) {
6695+ zend_hash_destroy(HG(func_whitelist));
6696+ pefree(HG(func_whitelist),1);
6697+ }
6698+ HG(func_whitelist) = NULL;
6699+ return SUCCESS;
6700+ }
6701+ if (!(*new_value)) {
6702+ goto func_whitelist_destroy;
6703+ }
6704+
6705+ HG(func_whitelist) = pemalloc(sizeof(HashTable), 1);
6706+ zend_hash_init(HG(func_whitelist), 5, NULL, NULL, 1);
6707+
6708+ val = zend_str_tolower_dup(new_value, strlen(new_value));
6709+ e = val;
6710+
6711+ while (*e) {
6712+ switch (*e) {
6713+ case ' ':
6714+ case ',':
6715+ if (s) {
6716+ *e = '\0';
6717+ zend_hash_add(HG(func_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6718+ s = NULL;
6719+ }
6720+ break;
6721+ default:
6722+ if (!s) {
6723+ s = e;
6724+ }
6725+ break;
6726+ }
6727+ e++;
6728+ }
6729+ if (s) {
6730+ zend_hash_add(HG(func_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6731+ }
6732+ efree(val);
6733+
6734+ return SUCCESS;
6735+}
6736+
6737+static ZEND_INI_MH(OnUpdateHPHP_func_blacklist)
6738+{
6739+ char *s = NULL, *e, *val;
6740+ unsigned long dummy = 1;
6741+
6742+ if (!new_value) {
6743+func_blacklist_destroy:
6744+ if (HG(func_blacklist)) {
6745+ zend_hash_destroy(HG(func_blacklist));
6746+ pefree(HG(func_blacklist),1);
6747+ }
6748+ HG(func_blacklist) = NULL;
6749+ return SUCCESS;
6750+ }
6751+ if (!(*new_value)) {
6752+ goto func_blacklist_destroy;
6753+ }
6754+
6755+ HG(func_blacklist) = pemalloc(sizeof(HashTable), 1);
6756+ zend_hash_init(HG(func_blacklist), 5, NULL, NULL, 1);
6757+
6758+ val = zend_str_tolower_dup(new_value, strlen(new_value));
6759+ e = val;
6760+
6761+ while (*e) {
6762+ switch (*e) {
6763+ case ' ':
6764+ case ',':
6765+ if (s) {
6766+ *e = '\0';
6767+ zend_hash_add(HG(func_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6768+ s = NULL;
6769+ }
6770+ break;
6771+ default:
6772+ if (!s) {
6773+ s = e;
6774+ }
6775+ break;
6776+ }
6777+ e++;
6778+ }
6779+ if (s) {
6780+ zend_hash_add(HG(func_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6781+ }
6782+ efree(val);
6783+
6784+
6785+ return SUCCESS;
6786+}
6787+
6788+#endif
6789
6790 ZEND_INI_BEGIN()
6791 ZEND_INI_ENTRY("error_reporting", NULL, ZEND_INI_ALL, OnUpdateErrorReporting)
6792+#if HARDENING_PATCH
6793+ ZEND_INI_ENTRY("hphp.log.syslog", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_syslog)
6794+ ZEND_INI_ENTRY("hphp.log.syslog.facility", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_syslog_facility)
6795+ ZEND_INI_ENTRY("hphp.log.syslog.priority", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_syslog_priority)
6796+ ZEND_INI_ENTRY("hphp.log.sapi", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_sapi)
6797+ ZEND_INI_ENTRY("hphp.log.script", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_script)
6798+ ZEND_INI_ENTRY("hphp.log.script.name", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_scriptname)
6799+ STD_ZEND_INI_BOOLEAN("hphp.log.use-x-forwarded-for", "0", ZEND_INI_SYSTEM, OnUpdateBool, hphp_log_use_x_forwarded_for, zend_executor_globals, executor_globals)
6800+
6801+ ZEND_INI_ENTRY("hphp.executor.include.whitelist", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_include_whitelist)
6802+ ZEND_INI_ENTRY("hphp.executor.include.blacklist", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_include_blacklist)
6803+ ZEND_INI_ENTRY("hphp.executor.eval.whitelist", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateHPHP_eval_whitelist)
6804+ ZEND_INI_ENTRY("hphp.executor.eval.blacklist", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateHPHP_eval_blacklist)
6805+ ZEND_INI_ENTRY("hphp.executor.func.whitelist", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateHPHP_func_whitelist)
6806+ ZEND_INI_ENTRY("hphp.executor.func.blacklist", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateHPHP_func_blacklist)
6807+
6808+ STD_ZEND_INI_ENTRY("hphp.executor.max_depth", "0", ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateLong, hphp_executor_max_depth, zend_executor_globals, executor_globals)
6809+ STD_ZEND_INI_BOOLEAN("hphp.sql.bailout_on_error", "0", ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateBool, hphp_sql_bailout_on_error, hardened_globals_struct, hardened_globals)
6810+ STD_ZEND_INI_BOOLEAN("hphp.multiheader", "0", ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateBool, hphp_multiheader, hardened_globals_struct, hardened_globals)
6811+#endif
6812 ZEND_INI_END()
6813
6814
6815@@ -354,8 +741,12 @@
6816 zend_init_rsrc_plist(TSRMLS_C);
6817 EG(lambda_count)=0;
6818 EG(user_error_handler) = NULL;
6819+ EG(in_code_type) = 0;
6820 EG(in_execution) = 0;
6821 EG(current_execute_data) = NULL;
6822+#if HARDENING_PATCH
6823+ EG(hphp_log_scriptname) = NULL;
6824+#endif
6825 }
6826
6827
6828@@ -420,6 +811,14 @@
6829 extern zend_scanner_globals language_scanner_globals;
6830 #endif
6831
6832+ /* Set up Hardening-Patch utility functions first */
6833+#if HARDENING_PATCH
6834+ zend_security_log = utility_functions->security_log_function;
6835+#endif
6836+#if HARDENING_PATCH_INC_PROTECT
6837+ zend_is_valid_include = utility_functions->is_valid_include;
6838+#endif
6839+
6840 #ifdef ZTS
6841 ts_allocate_id(&alloc_globals_id, sizeof(zend_alloc_globals), (ts_allocate_ctor) alloc_globals_ctor, (ts_allocate_dtor) alloc_globals_dtor);
6842 #else
6843@@ -623,6 +1022,7 @@
6844 }
6845 CG(unclean_shutdown) = 1;
6846 CG(in_compilation) = EG(in_execution) = 0;
6847+ EG(in_code_type) = 0;
6848 EG(current_execute_data) = NULL;
6849 longjmp(EG(bailout), FAILURE);
6850 }
6851diff -Nura php-4.4.1/Zend/zend_canary.c hardening-patch-4.4.1-0.4.6/Zend/zend_canary.c
6852--- php-4.4.1/Zend/zend_canary.c 1970-01-01 01:00:00.000000000 +0100
6853+++ hardening-patch-4.4.1-0.4.6/Zend/zend_canary.c 2005-11-05 13:04:08.000000000 +0100
6854@@ -0,0 +1,58 @@
6855+/*
6856+ +----------------------------------------------------------------------+
6857+ | Hardening-Patch for PHP |
6858+ +----------------------------------------------------------------------+
6859+ | Copyright (c) 2004-2005 Stefan Esser |
6860+ +----------------------------------------------------------------------+
6861+ | This source file is subject to version 2.02 of the PHP license, |
6862+ | that is bundled with this package in the file LICENSE, and is |
6863+ | available at through the world-wide-web at |
6864+ | http://www.php.net/license/2_02.txt. |
6865+ | If you did not receive a copy of the PHP license and are unable to |
6866+ | obtain it through the world-wide-web, please send a note to |
6867+ | license@php.net so we can mail you a copy immediately. |
6868+ +----------------------------------------------------------------------+
6869+ | Author: Stefan Esser <sesser@hardened-php.net> |
6870+ +----------------------------------------------------------------------+
6871+ */
6872+/* $Id: zend_canary.c,v 1.1 2004/11/26 12:45:41 ionic Exp $ */
6873+
6874+#include "zend.h"
6875+
6876+#include <stdio.h>
6877+#include <stdlib.h>
6878+
6879+
6880+#if HARDENING_PATCH_MM_PROTECT || HARDENING_PATCH_LL_PROTECT || HARDENING_PATCH_HASH_PROTECT
6881+
6882+/* will be replaced later with more compatible method */
6883+ZEND_API unsigned int zend_canary()
6884+{
6885+ time_t t;
6886+ unsigned int canary;
6887+ int fd;
6888+
6889+ fd = open("/dev/urandom", 0);
6890+ if (fd != -1) {
6891+ int r = read(fd, &canary, sizeof(canary));
6892+ close(fd);
6893+ if (r == sizeof(canary)) {
6894+ return (canary);
6895+ }
6896+ }
6897+ /* not good but we never want to do this */
6898+ time(&t);
6899+ canary = *(unsigned int *)&t + getpid() << 16;
6900+ return (canary);
6901+}
6902+#endif
6903+
6904+
6905+/*
6906+ * Local variables:
6907+ * tab-width: 4
6908+ * c-basic-offset: 4
6909+ * End:
6910+ * vim600: sw=4 ts=4 fdm=marker
6911+ * vim<600: sw=4 ts=4
6912+ */
6913diff -Nura php-4.4.1/Zend/zend_compile.c hardening-patch-4.4.1-0.4.6/Zend/zend_compile.c
6914--- php-4.4.1/Zend/zend_compile.c 2005-10-07 10:42:49.000000000 +0200
6915+++ hardening-patch-4.4.1-0.4.6/Zend/zend_compile.c 2005-11-05 13:04:08.000000000 +0100
6916@@ -768,6 +768,13 @@
6917 op_array.function_name = name;
6918 op_array.arg_types = NULL;
6919 op_array.return_reference = return_reference;
6920+#if HARDENING_PATCH
6921+ if (EG(in_code_type)==ZEND_EVAL_CODE) {
6922+ op_array.created_by_eval = 1;
6923+ } else {
6924+ op_array.created_by_eval = 0;
6925+ }
6926+#endif
6927
6928 if (is_method) {
6929 if (zend_hash_add(&CG(active_class_entry)->function_table, name, name_len+1, &op_array, sizeof(zend_op_array), (void **) &CG(active_op_array)) == FAILURE) {
6930diff -Nura php-4.4.1/Zend/zend_compile.h hardening-patch-4.4.1-0.4.6/Zend/zend_compile.h
6931--- php-4.4.1/Zend/zend_compile.h 2005-06-06 11:30:09.000000000 +0200
6932+++ hardening-patch-4.4.1-0.4.6/Zend/zend_compile.h 2005-11-05 13:04:08.000000000 +0100
6933@@ -106,6 +106,9 @@
6934 char *filename;
6935
6936 void *reserved[ZEND_MAX_RESERVED_RESOURCES];
6937+#if HARDENING_PATCH
6938+ zend_bool created_by_eval;
6939+#endif
6940 };
6941
6942
6943@@ -549,6 +552,7 @@
6944 #define ZEND_USER_FUNCTION 2
6945 #define ZEND_OVERLOADED_FUNCTION 3
6946 #define ZEND_EVAL_CODE 4
6947+#define ZEND_SANDBOX_CODE 6
6948
6949 #define ZEND_INTERNAL_CLASS 1
6950 #define ZEND_USER_CLASS 2
6951diff -Nura php-4.4.1/Zend/zend_constants.c hardening-patch-4.4.1-0.4.6/Zend/zend_constants.c
6952--- php-4.4.1/Zend/zend_constants.c 2004-07-13 21:29:45.000000000 +0200
6953+++ hardening-patch-4.4.1-0.4.6/Zend/zend_constants.c 2005-11-05 13:04:08.000000000 +0100
6954@@ -111,6 +111,73 @@
6955 REGISTER_MAIN_LONG_CONSTANT("E_USER_NOTICE", E_USER_NOTICE, CONST_PERSISTENT | CONST_CS);
6956
6957 REGISTER_MAIN_LONG_CONSTANT("E_ALL", E_ALL, CONST_PERSISTENT | CONST_CS);
6958+#if HARDENING_PATCH
6959+ REGISTER_MAIN_LONG_CONSTANT("S_MEMORY", S_MEMORY, CONST_PERSISTENT | CONST_CS);
6960+ REGISTER_MAIN_LONG_CONSTANT("S_VARS", S_VARS, CONST_PERSISTENT | CONST_CS);
6961+ REGISTER_MAIN_LONG_CONSTANT("S_FILES", S_FILES, CONST_PERSISTENT | CONST_CS);
6962+ REGISTER_MAIN_LONG_CONSTANT("S_INCLUDE", S_INCLUDE, CONST_PERSISTENT | CONST_CS);
6963+ REGISTER_MAIN_LONG_CONSTANT("S_SQL", S_SQL, CONST_PERSISTENT | CONST_CS);
6964+ REGISTER_MAIN_LONG_CONSTANT("S_EXECUTOR", S_EXECUTOR, CONST_PERSISTENT | CONST_CS);
6965+ REGISTER_MAIN_LONG_CONSTANT("S_MISC", S_MISC, CONST_PERSISTENT | CONST_CS);
6966+ REGISTER_MAIN_LONG_CONSTANT("S_INTERNAL", S_INTERNAL, CONST_PERSISTENT | CONST_CS);
6967+ REGISTER_MAIN_LONG_CONSTANT("S_ALL", S_ALL, CONST_PERSISTENT | CONST_CS);
6968+
6969+ /* error levels */
6970+ REGISTER_MAIN_LONG_CONSTANT("LOG_EMERG", LOG_EMERG, CONST_CS | CONST_PERSISTENT); /* system unusable */
6971+ REGISTER_MAIN_LONG_CONSTANT("LOG_ALERT", LOG_ALERT, CONST_CS | CONST_PERSISTENT); /* immediate action required */
6972+ REGISTER_MAIN_LONG_CONSTANT("LOG_CRIT", LOG_CRIT, CONST_CS | CONST_PERSISTENT); /* critical conditions */
6973+ REGISTER_MAIN_LONG_CONSTANT("LOG_ERR", LOG_ERR, CONST_CS | CONST_PERSISTENT);
6974+ REGISTER_MAIN_LONG_CONSTANT("LOG_WARNING", LOG_WARNING, CONST_CS | CONST_PERSISTENT);
6975+ REGISTER_MAIN_LONG_CONSTANT("LOG_NOTICE", LOG_NOTICE, CONST_CS | CONST_PERSISTENT);
6976+ REGISTER_MAIN_LONG_CONSTANT("LOG_INFO", LOG_INFO, CONST_CS | CONST_PERSISTENT);
6977+ REGISTER_MAIN_LONG_CONSTANT("LOG_DEBUG", LOG_DEBUG, CONST_CS | CONST_PERSISTENT);
6978+ /* facility: type of program logging the message */
6979+ REGISTER_MAIN_LONG_CONSTANT("LOG_KERN", LOG_KERN, CONST_CS | CONST_PERSISTENT);
6980+ REGISTER_MAIN_LONG_CONSTANT("LOG_USER", LOG_USER, CONST_CS | CONST_PERSISTENT); /* generic user level */
6981+ REGISTER_MAIN_LONG_CONSTANT("LOG_MAIL", LOG_MAIL, CONST_CS | CONST_PERSISTENT); /* log to email */
6982+ REGISTER_MAIN_LONG_CONSTANT("LOG_DAEMON", LOG_DAEMON, CONST_CS | CONST_PERSISTENT); /* other system daemons */
6983+ REGISTER_MAIN_LONG_CONSTANT("LOG_AUTH", LOG_AUTH, CONST_CS | CONST_PERSISTENT);
6984+ REGISTER_MAIN_LONG_CONSTANT("LOG_SYSLOG", LOG_SYSLOG, CONST_CS | CONST_PERSISTENT);
6985+ REGISTER_MAIN_LONG_CONSTANT("LOG_LPR", LOG_LPR, CONST_CS | CONST_PERSISTENT);
6986+#ifdef LOG_NEWS
6987+ /* No LOG_NEWS on HP-UX */
6988+ REGISTER_MAIN_LONG_CONSTANT("LOG_NEWS", LOG_NEWS, CONST_CS | CONST_PERSISTENT); /* usenet new */
6989+#endif
6990+#ifdef LOG_UUCP
6991+ /* No LOG_UUCP on HP-UX */
6992+ REGISTER_MAIN_LONG_CONSTANT("LOG_UUCP", LOG_UUCP, CONST_CS | CONST_PERSISTENT);
6993+#endif
6994+#ifdef LOG_CRON
6995+ /* apparently some systems don't have this one */
6996+ REGISTER_MAIN_LONG_CONSTANT("LOG_CRON", LOG_CRON, CONST_CS | CONST_PERSISTENT);
6997+#endif
6998+#ifdef LOG_AUTHPRIV
6999+ /* AIX doesn't have LOG_AUTHPRIV */
7000+ REGISTER_MAIN_LONG_CONSTANT("LOG_AUTHPRIV", LOG_AUTHPRIV, CONST_CS | CONST_PERSISTENT);
7001+#endif
7002+#if !defined(PHP_WIN32) && !defined(NETWARE)
7003+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL0", LOG_LOCAL0, CONST_CS | CONST_PERSISTENT);
7004+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL1", LOG_LOCAL1, CONST_CS | CONST_PERSISTENT);
7005+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL2", LOG_LOCAL2, CONST_CS | CONST_PERSISTENT);
7006+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL3", LOG_LOCAL3, CONST_CS | CONST_PERSISTENT);
7007+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL4", LOG_LOCAL4, CONST_CS | CONST_PERSISTENT);
7008+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL5", LOG_LOCAL5, CONST_CS | CONST_PERSISTENT);
7009+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL6", LOG_LOCAL6, CONST_CS | CONST_PERSISTENT);
7010+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL7", LOG_LOCAL7, CONST_CS | CONST_PERSISTENT);
7011+#endif
7012+ /* options */
7013+ REGISTER_MAIN_LONG_CONSTANT("LOG_PID", LOG_PID, CONST_CS | CONST_PERSISTENT);
7014+ REGISTER_MAIN_LONG_CONSTANT("LOG_CONS", LOG_CONS, CONST_CS | CONST_PERSISTENT);
7015+ REGISTER_MAIN_LONG_CONSTANT("LOG_ODELAY", LOG_ODELAY, CONST_CS | CONST_PERSISTENT);
7016+ REGISTER_MAIN_LONG_CONSTANT("LOG_NDELAY", LOG_NDELAY, CONST_CS | CONST_PERSISTENT);
7017+#ifdef LOG_NOWAIT
7018+ REGISTER_MAIN_LONG_CONSTANT("LOG_NOWAIT", LOG_NOWAIT, CONST_CS | CONST_PERSISTENT);
7019+#endif
7020+#ifdef LOG_PERROR
7021+ /* AIX doesn't have LOG_PERROR */
7022+ REGISTER_MAIN_LONG_CONSTANT("LOG_PERROR", LOG_PERROR, CONST_CS | CONST_PERSISTENT); /*log to stderr*/
7023+#endif
7024+#endif
7025
7026 /* true/false constants */
7027 {
7028diff -Nura php-4.4.1/Zend/zend_errors.h hardening-patch-4.4.1-0.4.6/Zend/zend_errors.h
7029--- php-4.4.1/Zend/zend_errors.h 2002-12-31 17:22:59.000000000 +0100
7030+++ hardening-patch-4.4.1-0.4.6/Zend/zend_errors.h 2005-11-05 13:04:08.000000000 +0100
7031@@ -36,5 +36,17 @@
7032 #define E_ALL (E_ERROR | E_WARNING | E_PARSE | E_NOTICE | E_CORE_ERROR | E_CORE_WARNING | E_COMPILE_ERROR | E_COMPILE_WARNING | E_USER_ERROR | E_USER_WARNING | E_USER_NOTICE)
7033 #define E_CORE (E_CORE_ERROR | E_CORE_WARNING)
7034
7035+#if HARDENING_PATCH
7036+#define S_MEMORY (1<<0L)
7037+#define S_VARS (1<<1L)
7038+#define S_FILES (1<<2L)
7039+#define S_INCLUDE (1<<3L)
7040+#define S_SQL (1<<4L)
7041+#define S_EXECUTOR (1<<5L)
7042+#define S_MISC (1<<30L)
7043+#define S_INTERNAL (1<<29L)
7044+#define S_ALL (S_MEMORY | S_VARS | S_INCLUDE | S_FILES | S_MISC | S_SQL | S_EXECUTOR)
7045+#endif
7046+
7047 #endif /* ZEND_ERRORS_H */
7048
7049diff -Nura php-4.4.1/Zend/zend_execute_API.c hardening-patch-4.4.1-0.4.6/Zend/zend_execute_API.c
7050--- php-4.4.1/Zend/zend_execute_API.c 2005-08-02 19:52:33.000000000 +0200
7051+++ hardening-patch-4.4.1-0.4.6/Zend/zend_execute_API.c 2005-11-05 13:04:08.000000000 +0100
7052@@ -142,6 +142,7 @@
7053 EG(class_table) = CG(class_table);
7054
7055 EG(in_execution) = 0;
7056+ EG(in_code_type) = 0;
7057
7058 zend_ptr_stack_init(&EG(argument_stack));
7059
7060@@ -431,12 +432,14 @@
7061 zend_execute_data execute_data;
7062
7063 /* Initialize execute_data */
7064+ memset(&execute_data, 0, sizeof(execute_data));
7065 EX(fbc) = NULL;
7066 EX(object).ptr = NULL;
7067 EX(ce) = NULL;
7068 EX(Ts) = NULL;
7069 EX(op_array) = NULL;
7070 EX(opline) = NULL;
7071+ EX(execute_depth) = 0;
7072
7073 *retval_ptr_ptr = NULL;
7074
7075@@ -494,6 +497,39 @@
7076 zval_dtor(&function_name_copy);
7077 return FAILURE;
7078 }
7079+#if HARDENING_PATCH
7080+ if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION) {
7081+ if (EG(in_code_type) == ZEND_EVAL_CODE) {
7082+ if (HG(eval_whitelist) != NULL) {
7083+ if (!zend_hash_exists(HG(eval_whitelist), function_name_copy.value.str.val, function_name_copy.value.str.len+1)) {
7084+ zend_security_log(S_EXECUTOR, "function outside of eval whitelist called: %s()", function_name_copy.value.str.val);
7085+ zval_dtor(&function_name_copy);
7086+ zend_bailout();
7087+ }
7088+ } else if (HG(eval_blacklist) != NULL) {
7089+ if (zend_hash_exists(HG(eval_blacklist), function_name_copy.value.str.val, function_name_copy.value.str.len+1)) {
7090+ zend_security_log(S_EXECUTOR, "function within eval blacklist called: %s()", function_name_copy.value.str.val);
7091+ zval_dtor(&function_name_copy);
7092+ zend_bailout();
7093+ }
7094+ }
7095+ }
7096+
7097+ if (HG(func_whitelist) != NULL) {
7098+ if (!zend_hash_exists(HG(func_whitelist), function_name_copy.value.str.val, function_name_copy.value.str.len+1)) {
7099+ zend_security_log(S_EXECUTOR, "function outside of whitelist called: %s()", function_name_copy.value.str.val);
7100+ zval_dtor(&function_name_copy);
7101+ zend_bailout();
7102+ }
7103+ } else if (HG(func_blacklist) != NULL) {
7104+ if (zend_hash_exists(HG(func_blacklist), function_name_copy.value.str.val, function_name_copy.value.str.len+1)) {
7105+ zend_security_log(S_EXECUTOR, "function within blacklist called: %s()", function_name_copy.value.str.val);
7106+ zval_dtor(&function_name_copy);
7107+ zend_bailout();
7108+ }
7109+ }
7110+ }
7111+#endif
7112 zval_dtor(&function_name_copy);
7113
7114 for (i=0; i<param_count; i++) {
7115@@ -606,8 +642,7 @@
7116 return SUCCESS;
7117 }
7118
7119-
7120-ZEND_API int zend_eval_string(char *str, zval *retval_ptr, char *string_name TSRMLS_DC)
7121+ZEND_API int zend_eval_string_ex(char *str, zval *retval_ptr, char *string_name, int type TSRMLS_DC)
7122 {
7123 zval pv;
7124 zend_op_array *new_op_array;
7125@@ -640,6 +675,7 @@
7126 zval **original_return_value_ptr_ptr = EG(return_value_ptr_ptr);
7127 zend_op **original_opline_ptr = EG(opline_ptr);
7128
7129+ new_op_array->type = type;
7130 EG(return_value_ptr_ptr) = &local_retval_ptr;
7131 EG(active_op_array) = new_op_array;
7132 EG(no_extensions)=1;
7133@@ -673,6 +709,10 @@
7134 return retval;
7135 }
7136
7137+ZEND_API int zend_eval_string(char *str, zval *retval_ptr, char *string_name TSRMLS_DC)
7138+{
7139+ return (zend_eval_string_ex(str, retval_ptr, string_name, ZEND_EVAL_CODE TSRMLS_CC));
7140+}
7141
7142 void execute_new_code(TSRMLS_D)
7143 {
7144diff -Nura php-4.4.1/Zend/zend_execute.c hardening-patch-4.4.1-0.4.6/Zend/zend_execute.c
7145--- php-4.4.1/Zend/zend_execute.c 2005-10-13 10:46:27.000000000 +0200
7146+++ hardening-patch-4.4.1-0.4.6/Zend/zend_execute.c 2005-11-05 13:04:08.000000000 +0100
7147@@ -1042,6 +1042,7 @@
7148 zend_execute_data execute_data;
7149
7150 /* Initialize execute_data */
7151+ memset(&execute_data, 0, sizeof(execute_data));
7152 EX(fbc) = NULL;
7153 EX(ce) = NULL;
7154 EX(object).ptr = NULL;
7155@@ -1053,9 +1054,21 @@
7156 }
7157 EX(prev_execute_data) = EG(current_execute_data);
7158 EX(original_in_execution)=EG(in_execution);
7159+ EX(original_in_code_type)=EG(in_code_type);
7160
7161 EG(current_execute_data) = &execute_data;
7162
7163+#if HARDENING_PATCH
7164+ EX(execute_depth) = 0;
7165+
7166+ if ((op_array->type == ZEND_EVAL_CODE || op_array->created_by_eval) && EG(in_code_type) != ZEND_SANDBOX_CODE) {
7167+ EG(in_code_type) = ZEND_EVAL_CODE;
7168+ } else if (op_array->type == ZEND_SANDBOX_CODE) {
7169+ EG(in_code_type) = ZEND_SANDBOX_CODE;
7170+ op_array->type = ZEND_EVAL_CODE;
7171+ }
7172+#endif
7173+
7174 EG(in_execution) = 1;
7175 if (op_array->start_op) {
7176 EX(opline) = op_array->start_op;
7177@@ -1087,6 +1100,19 @@
7178 }
7179 }
7180
7181+#if HARDENING_PATCH
7182+ if (EX(prev_execute_data) == NULL) {
7183+ EX(execute_depth) = 0;
7184+ } else {
7185+ EX(execute_depth) = EX(prev_execute_data)->execute_depth + 1;
7186+ }
7187+
7188+ if (EG(hphp_executor_max_depth) > 0 && EX(execute_depth) > EG(hphp_executor_max_depth)) {
7189+ zend_security_log(S_EXECUTOR, "Maximum execution depth of %u violated", EG(hphp_executor_max_depth));
7190+ zend_bailout();
7191+ }
7192+#endif
7193+
7194 while (1) {
7195 #ifdef ZEND_WIN32
7196 if (EG(timed_out)) {
7197@@ -1634,6 +1660,36 @@
7198 if (zend_hash_find(active_function_table, function_name->value.str.val, function_name->value.str.len+1, (void **) &function)==FAILURE) {
7199 zend_error(E_ERROR, "Call to undefined function: %s()", function_name->value.str.val);
7200 }
7201+#if HARDENING_PATCH
7202+ if (active_function_table == EG(function_table)) {
7203+ if (EG(in_code_type) == ZEND_EVAL_CODE) {
7204+ if (HG(eval_whitelist) != NULL) {
7205+ if (!zend_hash_exists(HG(eval_whitelist), function_name->value.str.val, function_name->value.str.len+1)) {
7206+ zend_security_log(S_EXECUTOR, "function outside of eval whitelist called: %s()", function_name->value.str.val);
7207+ zend_bailout();
7208+ }
7209+ } else if (HG(eval_blacklist) != NULL) {
7210+ if (zend_hash_exists(HG(eval_blacklist), function_name->value.str.val, function_name->value.str.len+1)) {
7211+ zend_security_log(S_EXECUTOR, "function within eval blacklist called: %s()", function_name->value.str.val);
7212+ zend_bailout();
7213+ }
7214+ }
7215+ }
7216+
7217+ if (HG(func_whitelist) != NULL) {
7218+ if (!zend_hash_exists(HG(func_whitelist), function_name->value.str.val, function_name->value.str.len+1)) {
7219+ zend_security_log(S_EXECUTOR, "function outside of whitelist called: %s()", function_name->value.str.val);
7220+ zend_bailout();
7221+ }
7222+ } else if (HG(func_blacklist) != NULL) {
7223+ if (zend_hash_exists(HG(func_blacklist), function_name->value.str.val, function_name->value.str.len+1)) {
7224+ zend_security_log(S_EXECUTOR, "function within blacklist called: %s()", function_name->value.str.val);
7225+ zend_bailout();
7226+ }
7227+ }
7228+ }
7229+#endif
7230+
7231 zval_dtor(&tmp);
7232 EX(fbc) = function;
7233 overloaded_function_call_cont:
7234@@ -1649,6 +1705,35 @@
7235 if (zend_hash_find(EG(function_table), fname->value.str.val, fname->value.str.len+1, (void **) &EX(function_state).function)==FAILURE) {
7236 zend_error(E_ERROR, "Unknown function: %s()", fname->value.str.val);
7237 }
7238+#if HARDENING_PATCH
7239+ if (EX(function_state).function->type==ZEND_INTERNAL_FUNCTION) {
7240+ if (EG(in_code_type) == ZEND_EVAL_CODE) {
7241+ if (HG(eval_whitelist) != NULL) {
7242+ if (!zend_hash_exists(HG(eval_whitelist), fname->value.str.val, fname->value.str.len+1)) {
7243+ zend_security_log(S_EXECUTOR, "function outside of eval whitelist called: %s()", fname->value.str.val);
7244+ zend_bailout();
7245+ }
7246+ } else if (HG(eval_blacklist) != NULL) {
7247+ if (zend_hash_exists(HG(eval_blacklist), fname->value.str.val, fname->value.str.len+1)) {
7248+ zend_security_log(S_EXECUTOR, "function within eval blacklist called: %s()", fname->value.str.val);
7249+ zend_bailout();
7250+ }
7251+ }
7252+ }
7253+
7254+ if (HG(func_whitelist) != NULL) {
7255+ if (!zend_hash_exists(HG(func_whitelist), fname->value.str.val, fname->value.str.len+1)) {
7256+ zend_security_log(S_EXECUTOR, "function outside of whitelist called: %s()", fname->value.str.val);
7257+ zend_bailout();
7258+ }
7259+ } else if (HG(func_blacklist) != NULL) {
7260+ if (zend_hash_exists(HG(func_blacklist), fname->value.str.val, fname->value.str.len+1)) {
7261+ zend_security_log(S_EXECUTOR, "function within blacklist called: %s()", fname->value.str.val);
7262+ zend_bailout();
7263+ }
7264+ }
7265+ }
7266+#endif
7267 FREE_OP(EX(Ts), &EX(opline)->op1, EG(free_op1));
7268 zend_ptr_stack_n_push(&EG(arg_types_stack), 2, EX(object).ptr, EX(ce));
7269 EX(object).ptr = NULL;
7270@@ -1821,6 +1906,7 @@
7271 efree(EX(Ts));
7272 }
7273 EG(in_execution) = EX(original_in_execution);
7274+ EG(in_code_type) = EX(original_in_code_type);
7275 EG(current_execute_data) = EX(prev_execute_data);
7276 return;
7277 }
7278@@ -2210,7 +2296,12 @@
7279 int dummy = 1;
7280 zend_file_handle file_handle = {0};
7281
7282+#if HARDENING_PATCH_INC_PROTECT
7283+ if (zend_is_valid_include(inc_filename)
7284+ && zend_open(inc_filename->value.str.val, &file_handle) == SUCCESS
7285+#else
7286 if (zend_open(inc_filename->value.str.val, &file_handle) == SUCCESS
7287+#endif
7288 && ZEND_IS_VALID_FILE_HANDLE(&file_handle)) {
7289
7290 file_handle.filename = inc_filename->value.str.val;
7291@@ -2239,6 +2330,11 @@
7292 break;
7293 case ZEND_INCLUDE:
7294 case ZEND_REQUIRE:
7295+#if HARDENING_PATCH_INC_PROTECT
7296+ if (!zend_is_valid_include(inc_filename)) {
7297+ break;
7298+ }
7299+#endif
7300 new_op_array = compile_filename(EX(opline)->op2.u.constant.value.lval, inc_filename TSRMLS_CC);
7301 break;
7302 case ZEND_EVAL: {
7303diff -Nura php-4.4.1/Zend/zend_execute_globals.h hardening-patch-4.4.1-0.4.6/Zend/zend_execute_globals.h
7304--- php-4.4.1/Zend/zend_execute_globals.h 2005-06-06 11:30:09.000000000 +0200
7305+++ hardening-patch-4.4.1-0.4.6/Zend/zend_execute_globals.h 2005-11-05 13:04:08.000000000 +0100
7306@@ -60,6 +60,8 @@
7307 object_info object;
7308 temp_variable *Ts;
7309 zend_bool original_in_execution;
7310+ zend_uint original_in_code_type;
7311+ zend_uint execute_depth;
7312 zend_op_array *op_array;
7313 struct _zend_execute_data *prev_execute_data;
7314 } zend_execute_data;
7315diff -Nura php-4.4.1/Zend/zend_extensions.c hardening-patch-4.4.1-0.4.6/Zend/zend_extensions.c
7316--- php-4.4.1/Zend/zend_extensions.c 2003-03-19 19:00:57.000000000 +0100
7317+++ hardening-patch-4.4.1-0.4.6/Zend/zend_extensions.c 2005-11-05 13:04:08.000000000 +0100
7318@@ -54,23 +54,44 @@
7319 return FAILURE;
7320 }
7321
7322+ /* check if module is compiled against Hardening-Patch */
7323+ if (extension_version_info->zend_extension_api_no < 1000000000) {
7324+ fprintf(stderr, "%s is not compiled with Hardening-Patch.\n"
7325+ "The Hardening-Patch version %d is installed.\n\n",
7326+ new_extension->name,
7327+ HARDENING_PATCH_ZEND_EXTENSION_API_NO);
7328+ DL_UNLOAD(handle);
7329+ return FAILURE;
7330+ }
7331+
7332+
7333+ /* check if module is compiled against correct Hardening-Patch version */
7334+ if (extension_version_info->zend_extension_api_no != HARDENING_PATCH_ZEND_EXTENSION_API_NO) {
7335+ fprintf(stderr, "%s requires Hardening-Patch version %d.\n"
7336+ "The Hardening-Patch version %d is installed.\n\n",
7337+ new_extension->name,
7338+ extension_version_info->zend_extension_api_no,
7339+ HARDENING_PATCH_ZEND_EXTENSION_API_NO);
7340+ DL_UNLOAD(handle);
7341+ return FAILURE;
7342+ }
7343
7344 /* allow extension to proclaim compatibility with any Zend version */
7345- if (extension_version_info->zend_extension_api_no != ZEND_EXTENSION_API_NO &&(!new_extension->api_no_check || new_extension->api_no_check(ZEND_EXTENSION_API_NO) != SUCCESS)) {
7346- if (extension_version_info->zend_extension_api_no > ZEND_EXTENSION_API_NO) {
7347+ if (extension_version_info->real_zend_extension_api_no != ZEND_EXTENSION_API_NO &&(!new_extension->api_no_check || new_extension->api_no_check(ZEND_EXTENSION_API_NO) != SUCCESS)) {
7348+ if (extension_version_info->real_zend_extension_api_no > ZEND_EXTENSION_API_NO) {
7349 fprintf(stderr, "%s requires Zend Engine API version %d.\n"
7350 "The Zend Engine API version %d which is installed, is outdated.\n\n",
7351 new_extension->name,
7352- extension_version_info->zend_extension_api_no,
7353+ extension_version_info->real_zend_extension_api_no,
7354 ZEND_EXTENSION_API_NO);
7355 DL_UNLOAD(handle);
7356 return FAILURE;
7357- } else if (extension_version_info->zend_extension_api_no < ZEND_EXTENSION_API_NO) {
7358+ } else if (extension_version_info->real_zend_extension_api_no < ZEND_EXTENSION_API_NO) {
7359 fprintf(stderr, "%s requires Zend Engine API version %d.\n"
7360 "The Zend Engine API version %d which is installed, is newer.\n"
7361 "Contact %s at %s for a later version of %s.\n\n",
7362 new_extension->name,
7363- extension_version_info->zend_extension_api_no,
7364+ extension_version_info->real_zend_extension_api_no,
7365 ZEND_EXTENSION_API_NO,
7366 new_extension->author,
7367 new_extension->URL,
7368diff -Nura php-4.4.1/Zend/zend_extensions.h hardening-patch-4.4.1-0.4.6/Zend/zend_extensions.h
7369--- php-4.4.1/Zend/zend_extensions.h 2005-06-06 11:44:59.000000000 +0200
7370+++ hardening-patch-4.4.1-0.4.6/Zend/zend_extensions.h 2005-11-05 13:04:08.000000000 +0100
7371@@ -23,6 +23,9 @@
7372
7373 #include "zend_compile.h"
7374
7375+/* Create own API version number for Hardening-Patch */
7376+
7377+#define HARDENING_PATCH_ZEND_EXTENSION_API_NO 1001050805
7378 #define ZEND_EXTENSION_API_NO 20050606
7379
7380 typedef struct _zend_extension_version_info {
7381@@ -30,6 +33,7 @@
7382 char *required_zend_version;
7383 unsigned char thread_safe;
7384 unsigned char debug;
7385+ int real_zend_extension_api_no;
7386 } zend_extension_version_info;
7387
7388
7389@@ -96,7 +100,7 @@
7390
7391
7392 #define ZEND_EXTENSION() \
7393- ZEND_EXT_API zend_extension_version_info extension_version_info = { ZEND_EXTENSION_API_NO, ZEND_VERSION, ZTS_V, ZEND_DEBUG }
7394+ ZEND_EXT_API zend_extension_version_info extension_version_info = { HARDENING_PATCH_ZEND_EXTENSION_API_NO, ZEND_VERSION, ZTS_V, ZEND_DEBUG, ZEND_EXTENSION_API_NO }
7395
7396 #define STANDARD_ZEND_EXTENSION_PROPERTIES NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, -1
7397 #define COMPAT_ZEND_EXTENSION_PROPERTIES NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, -1
7398diff -Nura php-4.4.1/Zend/zend_globals.h hardening-patch-4.4.1-0.4.6/Zend/zend_globals.h
7399--- php-4.4.1/Zend/zend_globals.h 2004-11-04 00:15:05.000000000 +0100
7400+++ hardening-patch-4.4.1-0.4.6/Zend/zend_globals.h 2005-11-05 13:04:08.000000000 +0100
7401@@ -163,6 +163,16 @@
7402
7403 int error_reporting;
7404 int orig_error_reporting;
7405+#if HARDENING_PATCH
7406+ int hphp_log_syslog;
7407+ int hphp_log_syslog_facility;
7408+ int hphp_log_syslog_priority;
7409+ int hphp_log_sapi;
7410+ int hphp_log_script;
7411+ char *hphp_log_scriptname;
7412+ zend_bool hphp_log_use_x_forwarded_for;
7413+ long hphp_executor_max_depth;
7414+#endif
7415 int exit_status;
7416
7417 zend_op_array *active_op_array;
7418@@ -176,6 +186,7 @@
7419 int ticks_count;
7420
7421 zend_bool in_execution;
7422+ zend_uint in_code_type;
7423 zend_bool bailout_set;
7424 zend_bool full_tables_cleanup;
7425
7426diff -Nura php-4.4.1/Zend/zend.h hardening-patch-4.4.1-0.4.6/Zend/zend.h
7427--- php-4.4.1/Zend/zend.h 2005-07-23 13:58:40.000000000 +0200
7428+++ hardening-patch-4.4.1-0.4.6/Zend/zend.h 2005-11-05 13:04:08.000000000 +0100
7429@@ -274,9 +274,10 @@
7430 struct _zval_struct {
7431 /* Variable information */
7432 zvalue_value value; /* value */
7433+ zend_uint refcount;
7434+ zend_ushort flags;
7435 zend_uchar type; /* active type */
7436 zend_uchar is_ref;
7437- zend_ushort refcount;
7438 };
7439
7440
7441@@ -337,6 +338,12 @@
7442 void (*ticks_function)(int ticks);
7443 void (*on_timeout)(int seconds TSRMLS_DC);
7444 zend_bool (*open_function)(const char *filename, struct _zend_file_handle *);
7445+#if HARDENING_PATCH
7446+ void (*security_log_function)(int loglevel, char *fmt, ...);
7447+#endif
7448+#if HARDENING_PATCH_INC_PROTECT
7449+ int (*is_valid_include)(zval *z);
7450+#endif
7451 } zend_utility_functions;
7452
7453
7454@@ -468,7 +475,16 @@
7455 extern ZEND_API void (*zend_ticks_function)(int ticks);
7456 extern ZEND_API void (*zend_error_cb)(int type, const char *error_filename, const uint error_lineno, const char *format, va_list args) ZEND_ATTRIBUTE_PTR_FORMAT(printf, 4, 0);
7457 extern void (*zend_on_timeout)(int seconds TSRMLS_DC);
7458+#if HARDENING_PATCH
7459+extern ZEND_API void (*zend_security_log)(int loglevel, char *fmt, ...);
7460+#endif
7461+#if HARDENING_PATCH_INC_PROTECT
7462+extern ZEND_API int (*zend_is_valid_include)(zval *z);
7463+#endif
7464
7465+#if HARDENING_PATCH_MM_PROTECT || HARDENING_PATCH_LL_PROTECT || HARDENING_PATCH_HASH_PROTECT
7466+ZEND_API unsigned int zend_canary(void);
7467+#endif
7468
7469 ZEND_API void zend_error(int type, const char *format, ...) ZEND_ATTRIBUTE_PTR_FORMAT(printf, 2, 3);
7470
7471@@ -575,6 +591,11 @@
7472
7473 #define ZEND_MAX_RESERVED_RESOURCES 4
7474
7475+#if HARDENING_PATCH
7476+#include "hardened_globals.h"
7477+#include "php_syslog.h"
7478+#endif
7479+
7480 #endif /* ZEND_H */
7481
7482 /*
7483diff -Nura php-4.4.1/Zend/zend_hash.c hardening-patch-4.4.1-0.4.6/Zend/zend_hash.c
7484--- php-4.4.1/Zend/zend_hash.c 2005-04-28 09:34:32.000000000 +0200
7485+++ hardening-patch-4.4.1-0.4.6/Zend/zend_hash.c 2005-11-05 13:04:08.000000000 +0100
7486@@ -26,6 +26,17 @@
7487 # include <stdlib.h>
7488 #endif
7489
7490+#if HARDENING_PATCH_HASH_PROTECT
7491+ unsigned int zend_hash_canary = 0x1234567;
7492+ zend_bool zend_hash_canary_inited = 0;
7493+#endif
7494+
7495+#define CHECK_HASH_CANARY(hash) \
7496+ if (zend_hash_canary != (hash)->canary) { \
7497+ zend_security_log(S_MEMORY, "Zend HashTable canary was overwritten"); \
7498+ exit(1); \
7499+ }
7500+
7501 #define HANDLE_NUMERIC(key, length, func) { \
7502 register char *tmp=key; \
7503 \
7504@@ -175,6 +186,9 @@
7505 {
7506 uint i = 3;
7507 Bucket **tmp;
7508+#if HARDENING_PATCH_HASH_PROTECT
7509+ TSRMLS_FETCH();
7510+#endif
7511
7512 SET_INCONSISTENT(HT_OK);
7513
7514@@ -184,6 +198,13 @@
7515
7516 ht->nTableSize = 1 << i;
7517 ht->nTableMask = ht->nTableSize - 1;
7518+#if HARDENING_PATCH_HASH_PROTECT
7519+ if (zend_hash_canary_inited==0) {
7520+ zend_hash_canary = zend_canary();
7521+ zend_hash_canary_inited = 1;
7522+ }
7523+ ht->canary = zend_hash_canary;
7524+#endif
7525 ht->pDestructor = pDestructor;
7526 ht->pListHead = NULL;
7527 ht->pListTail = NULL;
7528@@ -259,6 +280,9 @@
7529 }
7530 #endif
7531 if (ht->pDestructor) {
7532+#if HARDENING_PATCH_HASH_PROTECT
7533+ CHECK_HASH_CANARY(ht);
7534+#endif
7535 ht->pDestructor(p->pData);
7536 }
7537 UPDATE_DATA(ht, p, pData, nDataSize);
7538@@ -327,6 +351,9 @@
7539 }
7540 #endif
7541 if (ht->pDestructor) {
7542+#if HARDENING_PATCH_HASH_PROTECT
7543+ CHECK_HASH_CANARY(ht);
7544+#endif
7545 ht->pDestructor(p->pData);
7546 }
7547 UPDATE_DATA(ht, p, pData, nDataSize);
7548@@ -402,6 +429,9 @@
7549 }
7550 #endif
7551 if (ht->pDestructor) {
7552+#if HARDENING_PATCH_HASH_PROTECT
7553+ CHECK_HASH_CANARY(ht);
7554+#endif
7555 ht->pDestructor(p->pData);
7556 }
7557 UPDATE_DATA(ht, p, pData, nDataSize);
7558@@ -450,7 +480,7 @@
7559 IS_CONSISTENT(ht);
7560
7561 if ((ht->nTableSize << 1) > 0) { /* Let's double the table size */
7562- t = (Bucket **) perealloc_recoverable(ht->arBuckets, (ht->nTableSize << 1) * sizeof(Bucket *), ht->persistent);
7563+ t = (Bucket **) perealloc(ht->arBuckets, (ht->nTableSize << 1) * sizeof(Bucket *), ht->persistent);
7564 if (t) {
7565 HANDLE_BLOCK_INTERRUPTIONS();
7566 ht->arBuckets = t;
7567@@ -460,6 +490,7 @@
7568 HANDLE_UNBLOCK_INTERRUPTIONS();
7569 return SUCCESS;
7570 }
7571+ zend_error(E_ERROR, "zend_hash_do_resize - out of memory");
7572 return FAILURE;
7573 }
7574 return SUCCESS;
7575@@ -524,6 +555,9 @@
7576 ht->pInternalPointer = p->pListNext;
7577 }
7578 if (ht->pDestructor) {
7579+#if HARDENING_PATCH_HASH_PROTECT
7580+ CHECK_HASH_CANARY(ht);
7581+#endif
7582 ht->pDestructor(p->pData);
7583 }
7584 if (!p->pDataPtr) {
7585@@ -553,6 +587,9 @@
7586 q = p;
7587 p = p->pListNext;
7588 if (ht->pDestructor) {
7589+#if HARDENING_PATCH_HASH_PROTECT
7590+ CHECK_HASH_CANARY(ht);
7591+#endif
7592 ht->pDestructor(q->pData);
7593 }
7594 if (!q->pDataPtr && q->pData) {
7595@@ -579,6 +616,9 @@
7596 q = p;
7597 p = p->pListNext;
7598 if (ht->pDestructor) {
7599+#if HARDENING_PATCH_HASH_PROTECT
7600+ CHECK_HASH_CANARY(ht);
7601+#endif
7602 ht->pDestructor(q->pData);
7603 }
7604 if (!q->pDataPtr && q->pData) {
7605@@ -608,6 +648,9 @@
7606 HANDLE_BLOCK_INTERRUPTIONS();
7607
7608 if (ht->pDestructor) {
7609+#if HARDENING_PATCH_HASH_PROTECT
7610+ CHECK_HASH_CANARY(ht);
7611+#endif
7612 ht->pDestructor(p->pData);
7613 }
7614 if (!p->pDataPtr) {
7615diff -Nura php-4.4.1/Zend/zend_hash.h hardening-patch-4.4.1-0.4.6/Zend/zend_hash.h
7616--- php-4.4.1/Zend/zend_hash.h 2002-12-31 17:23:03.000000000 +0100
7617+++ hardening-patch-4.4.1-0.4.6/Zend/zend_hash.h 2005-11-05 13:04:08.000000000 +0100
7618@@ -54,6 +54,9 @@
7619 } Bucket;
7620
7621 typedef struct _hashtable {
7622+#if HARDENING_PATCH_HASH_PROTECT
7623+ unsigned int canary;
7624+#endif
7625 uint nTableSize;
7626 uint nTableMask;
7627 uint nNumOfElements;
7628diff -Nura php-4.4.1/Zend/zend_ini.h hardening-patch-4.4.1-0.4.6/Zend/zend_ini.h
7629--- php-4.4.1/Zend/zend_ini.h 2005-01-09 18:00:16.000000000 +0100
7630+++ hardening-patch-4.4.1-0.4.6/Zend/zend_ini.h 2005-11-05 13:04:08.000000000 +0100
7631@@ -174,6 +174,7 @@
7632 /* Standard message handlers */
7633 BEGIN_EXTERN_C()
7634 ZEND_API ZEND_INI_MH(OnUpdateBool);
7635+#define OnUpdateLong OnUpdateInt
7636 ZEND_API ZEND_INI_MH(OnUpdateInt);
7637 ZEND_API ZEND_INI_MH(OnUpdateReal);
7638 ZEND_API ZEND_INI_MH(OnUpdateString);
7639diff -Nura php-4.4.1/Zend/zend_language_scanner.l hardening-patch-4.4.1-0.4.6/Zend/zend_language_scanner.l
7640--- php-4.4.1/Zend/zend_language_scanner.l 2005-03-09 16:07:19.000000000 +0100
7641+++ hardening-patch-4.4.1-0.4.6/Zend/zend_language_scanner.l 2005-11-05 13:04:08.000000000 +0100
7642@@ -393,6 +393,13 @@
7643 compilation_successful=0;
7644 } else {
7645 init_op_array(op_array, ZEND_USER_FUNCTION, INITIAL_OP_ARRAY_SIZE TSRMLS_CC);
7646+#if HARDENING_PATCH
7647+ if (EG(in_code_type)==ZEND_EVAL_CODE) {
7648+ op_array->created_by_eval = 1;
7649+ } else {
7650+ op_array->created_by_eval = 0;
7651+ }
7652+#endif
7653 CG(in_compilation) = 1;
7654 CG(active_op_array) = op_array;
7655 compiler_result = zendparse(TSRMLS_C);
7656diff -Nura php-4.4.1/Zend/zend_language_scanner.c hardening-patch-4.4.1-0.4.6/Zend/zend_language_scanner.c
7657--- php-4.4.1/Zend/zend_language_scanner.c 2005-10-30 12:06:40.000000000 +0100
7658+++ hardening-patch-4.4.1-0.4.6/Zend/zend_language_scanner.c 2005-11-15 22:09:54.000000000 +0100
7659@@ -3121,6 +3121,13 @@
7660 compilation_successful=0;
7661 } else {
7662 init_op_array(op_array, ZEND_USER_FUNCTION, INITIAL_OP_ARRAY_SIZE TSRMLS_CC);
7663+#if HARDENING_PATCH
7664+ if (EG(in_code_type)==ZEND_EVAL_CODE) {
7665+ op_array->created_by_eval = 1;
7666+ } else {
7667+ op_array->created_by_eval = 0;
7668+ }
7669+#endif
7670 CG(in_compilation) = 1;
7671 CG(active_op_array) = op_array;
7672 compiler_result = zendparse(TSRMLS_C);
7673diff -Nura php-4.4.1/Zend/zend_llist.c hardening-patch-4.4.1-0.4.6/Zend/zend_llist.c
7674--- php-4.4.1/Zend/zend_llist.c 2002-12-31 17:23:04.000000000 +0100
7675+++ hardening-patch-4.4.1-0.4.6/Zend/zend_llist.c 2005-11-05 13:04:08.000000000 +0100
7676@@ -21,9 +21,34 @@
7677 #include "zend.h"
7678 #include "zend_llist.h"
7679 #include "zend_qsort.h"
7680+#include "zend_globals.h"
7681+
7682+#define CHECK_LIST_CANARY(list) \
7683+ if (HG(canary_3) != (list)->canary_h || HG(canary_4) != (list)->canary_t) { \
7684+ zend_security_log(S_MEMORY, "linked list canary was overwritten"); \
7685+ exit(1); \
7686+ }
7687+
7688+#define CHECK_LISTELEMENT_CANARY(elem) \
7689+ if (HG(canary_3) != (elem)->canary) { \
7690+ zend_security_log(S_MEMORY, "linked list element canary was overwritten"); \
7691+ exit(1); \
7692+ }
7693+
7694
7695 ZEND_API void zend_llist_init(zend_llist *l, size_t size, llist_dtor_func_t dtor, unsigned char persistent)
7696 {
7697+#if HARDENING_PATCH_LL_PROTECT
7698+ TSRMLS_FETCH();
7699+
7700+ if (!HG(ll_canary_inited)) {
7701+ HG(canary_3) = zend_canary();
7702+ HG(canary_4) = zend_canary();
7703+ HG(ll_canary_inited) = 1;
7704+ }
7705+ l->canary_h = HG(canary_3);
7706+ l->canary_t = HG(canary_4);
7707+#endif
7708 l->head = NULL;
7709 l->tail = NULL;
7710 l->count = 0;
7711@@ -37,6 +62,11 @@
7712 {
7713 zend_llist_element *tmp = pemalloc(sizeof(zend_llist_element)+l->size-1, l->persistent);
7714
7715+#if HARDENING_PATCH_LL_PROTECT
7716+ TSRMLS_FETCH();
7717+ CHECK_LIST_CANARY(l)
7718+ tmp->canary = HG(canary_3);
7719+#endif
7720 tmp->prev = l->tail;
7721 tmp->next = NULL;
7722 if (l->tail) {
7723@@ -55,6 +85,11 @@
7724 {
7725 zend_llist_element *tmp = pemalloc(sizeof(zend_llist_element)+l->size-1, l->persistent);
7726
7727+#if HARDENING_PATCH_LL_PROTECT
7728+ TSRMLS_FETCH();
7729+ CHECK_LIST_CANARY(l)
7730+ tmp->canary = HG(canary_3);
7731+#endif
7732 tmp->next = l->head;
7733 tmp->prev = NULL;
7734 if (l->head) {
7735@@ -91,10 +126,20 @@
7736 zend_llist_element *current=l->head;
7737 zend_llist_element *next;
7738
7739+#if HARDENING_PATCH_LL_PROTECT
7740+ TSRMLS_FETCH();
7741+ CHECK_LIST_CANARY(l)
7742+#endif
7743 while (current) {
7744+#if HARDENING_PATCH_LL_PROTECT
7745+ CHECK_LISTELEMENT_CANARY(current)
7746+#endif
7747 next = current->next;
7748 if (compare(current->data, element)) {
7749 DEL_LLIST_ELEMENT(current, l);
7750+#if HARDENING_PATCH_LL_PROTECT
7751+ current->canary = 0;
7752+#endif
7753 break;
7754 }
7755 current = next;
7756@@ -106,7 +151,14 @@
7757 {
7758 zend_llist_element *current=l->head, *next;
7759
7760+#if HARDENING_PATCH_LL_PROTECT
7761+ TSRMLS_FETCH();
7762+ CHECK_LIST_CANARY(l)
7763+#endif
7764 while (current) {
7765+#if HARDENING_PATCH_LL_PROTECT
7766+ CHECK_LISTELEMENT_CANARY(current)
7767+#endif
7768 next = current->next;
7769 if (l->dtor) {
7770 l->dtor(current->data);
7771@@ -131,7 +183,14 @@
7772 zend_llist_element *old_tail;
7773 void *data;
7774
7775+#if HARDENING_PATCH_LL_PROTECT
7776+ TSRMLS_FETCH();
7777+ CHECK_LIST_CANARY(l)
7778+#endif
7779 if ((old_tail = l->tail)) {
7780+#if HARDENING_PATCH_LL_PROTECT
7781+ CHECK_LISTELEMENT_CANARY(old_tail)
7782+#endif
7783 if (l->tail->prev) {
7784 l->tail->prev->next = NULL;
7785 }
7786@@ -157,9 +216,16 @@
7787 {
7788 zend_llist_element *ptr;
7789
7790+#if HARDENING_PATCH_LL_PROTECT
7791+ TSRMLS_FETCH();
7792+ CHECK_LIST_CANARY(src)
7793+#endif
7794 zend_llist_init(dst, src->size, src->dtor, src->persistent);
7795 ptr = src->head;
7796 while (ptr) {
7797+#if HARDENING_PATCH_LL_PROTECT
7798+ CHECK_LISTELEMENT_CANARY(ptr)
7799+#endif
7800 zend_llist_add_element(dst, ptr->data);
7801 ptr = ptr->next;
7802 }
7803@@ -170,11 +236,21 @@
7804 {
7805 zend_llist_element *element, *next;
7806
7807+#if HARDENING_PATCH_LL_PROTECT
7808+ TSRMLS_FETCH();
7809+ CHECK_LIST_CANARY(l)
7810+#endif
7811 element=l->head;
7812 while (element) {
7813+#if HARDENING_PATCH_LL_PROTECT
7814+ CHECK_LISTELEMENT_CANARY(element)
7815+#endif
7816 next = element->next;
7817 if (func(element->data)) {
7818 DEL_LLIST_ELEMENT(element, l);
7819+#if HARDENING_PATCH_LL_PROTECT
7820+ element->canary = 0;
7821+#endif
7822 }
7823 element = next;
7824 }
7825@@ -185,7 +261,13 @@
7826 {
7827 zend_llist_element *element;
7828
7829+#if HARDENING_PATCH_LL_PROTECT
7830+ CHECK_LIST_CANARY(l)
7831+#endif
7832 for (element=l->head; element; element=element->next) {
7833+#if HARDENING_PATCH_LL_PROTECT
7834+ CHECK_LISTELEMENT_CANARY(element)
7835+#endif
7836 func(element->data TSRMLS_CC);
7837 }
7838 }
7839@@ -197,6 +279,9 @@
7840 zend_llist_element **elements;
7841 zend_llist_element *element, **ptr;
7842
7843+#if HARDENING_PATCH_LL_PROTECT
7844+ CHECK_LIST_CANARY(l)
7845+#endif
7846 if (l->count <= 0) {
7847 return;
7848 }
7849@@ -206,6 +291,9 @@
7850 ptr = &elements[0];
7851
7852 for (element=l->head; element; element=element->next) {
7853+#if HARDENING_PATCH_LL_PROTECT
7854+ CHECK_LISTELEMENT_CANARY(element)
7855+#endif
7856 *ptr++ = element;
7857 }
7858
7859@@ -228,7 +316,13 @@
7860 {
7861 zend_llist_element *element;
7862
7863+#if HARDENING_PATCH_LL_PROTECT
7864+ CHECK_LIST_CANARY(l)
7865+#endif
7866 for (element=l->head; element; element=element->next) {
7867+#if HARDENING_PATCH_LL_PROTECT
7868+ CHECK_LISTELEMENT_CANARY(element)
7869+#endif
7870 func(element->data, arg TSRMLS_CC);
7871 }
7872 }
7873@@ -239,8 +333,14 @@
7874 zend_llist_element *element;
7875 va_list args;
7876
7877+#if HARDENING_PATCH_LL_PROTECT
7878+ CHECK_LIST_CANARY(l)
7879+#endif
7880 va_start(args, num_args);
7881 for (element=l->head; element; element=element->next) {
7882+#if HARDENING_PATCH_LL_PROTECT
7883+ CHECK_LISTELEMENT_CANARY(element)
7884+#endif
7885 func(element->data, num_args, args TSRMLS_CC);
7886 }
7887 va_end(args);
7888@@ -249,6 +349,10 @@
7889
7890 ZEND_API int zend_llist_count(zend_llist *l)
7891 {
7892+#if HARDENING_PATCH_LL_PROTECT
7893+ TSRMLS_FETCH();
7894+ CHECK_LIST_CANARY(l)
7895+#endif
7896 return l->count;
7897 }
7898
7899@@ -256,8 +360,15 @@
7900 {
7901 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
7902
7903+#if HARDENING_PATCH_LL_PROTECT
7904+ TSRMLS_FETCH();
7905+ CHECK_LIST_CANARY(l)
7906+#endif
7907 *current = l->head;
7908 if (*current) {
7909+#if HARDENING_PATCH_LL_PROTECT
7910+ CHECK_LISTELEMENT_CANARY(*current)
7911+#endif
7912 return (*current)->data;
7913 } else {
7914 return NULL;
7915@@ -269,8 +380,15 @@
7916 {
7917 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
7918
7919+#if HARDENING_PATCH_LL_PROTECT
7920+ TSRMLS_FETCH();
7921+ CHECK_LIST_CANARY(l)
7922+#endif
7923 *current = l->tail;
7924 if (*current) {
7925+#if HARDENING_PATCH_LL_PROTECT
7926+ CHECK_LISTELEMENT_CANARY(*current)
7927+#endif
7928 return (*current)->data;
7929 } else {
7930 return NULL;
7931@@ -282,9 +400,19 @@
7932 {
7933 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
7934
7935+#if HARDENING_PATCH_LL_PROTECT
7936+ TSRMLS_FETCH();
7937+ CHECK_LIST_CANARY(l)
7938+#endif
7939 if (*current) {
7940+#if HARDENING_PATCH_LL_PROTECT
7941+ CHECK_LISTELEMENT_CANARY(*current)
7942+#endif
7943 *current = (*current)->next;
7944 if (*current) {
7945+#if HARDENING_PATCH_LL_PROTECT
7946+ CHECK_LISTELEMENT_CANARY(*current)
7947+#endif
7948 return (*current)->data;
7949 }
7950 }
7951@@ -296,9 +424,19 @@
7952 {
7953 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
7954
7955+#if HARDENING_PATCH_LL_PROTECT
7956+ TSRMLS_FETCH();
7957+ CHECK_LIST_CANARY(l)
7958+#endif
7959 if (*current) {
7960+#if HARDENING_PATCH_LL_PROTECT
7961+ CHECK_LISTELEMENT_CANARY(*current)
7962+#endif
7963 *current = (*current)->prev;
7964 if (*current) {
7965+#if HARDENING_PATCH_LL_PROTECT
7966+ CHECK_LISTELEMENT_CANARY(*current)
7967+#endif
7968 return (*current)->data;
7969 }
7970 }
7971diff -Nura php-4.4.1/Zend/zend_llist.h hardening-patch-4.4.1-0.4.6/Zend/zend_llist.h
7972--- php-4.4.1/Zend/zend_llist.h 2002-12-31 17:23:04.000000000 +0100
7973+++ hardening-patch-4.4.1-0.4.6/Zend/zend_llist.h 2005-11-15 21:45:52.000000000 +0100
7974@@ -24,6 +24,9 @@
7975 #include <stdlib.h>
7976
7977 typedef struct _zend_llist_element {
7978+#if HARDENING_PATCH_LL_PROTECT
7979+ unsigned int canary, padding;
7980+#endif
7981 struct _zend_llist_element *next;
7982 struct _zend_llist_element *prev;
7983 char data[1]; /* Needs to always be last in the struct */
7984@@ -36,6 +39,9 @@
7985 typedef void (*llist_apply_func_t)(void * TSRMLS_DC);
7986
7987 typedef struct _zend_llist {
7988+#if HARDENING_PATCH_LL_PROTECT
7989+ unsigned int canary_h; /* head */
7990+#endif
7991 zend_llist_element *head;
7992 zend_llist_element *tail;
7993 size_t size;
7994@@ -43,6 +49,9 @@
7995 llist_dtor_func_t dtor;
7996 unsigned char persistent;
7997 zend_llist_element *traverse_ptr;
7998+#if HARDENING_PATCH_LL_PROTECT
7999+ unsigned int canary_t; /* tail */
8000+#endif
8001 } zend_llist;
8002
8003 typedef zend_llist_element* zend_llist_position;
8004diff -Nura php-4.4.1/Zend/zend_modules.h hardening-patch-4.4.1-0.4.6/Zend/zend_modules.h
8005--- php-4.4.1/Zend/zend_modules.h 2002-12-31 17:23:04.000000000 +0100
8006+++ hardening-patch-4.4.1-0.4.6/Zend/zend_modules.h 2005-11-15 21:46:49.000000000 +0100
8007@@ -34,6 +34,7 @@
8008 ZEND_API extern unsigned char second_arg_force_ref[];
8009 ZEND_API extern unsigned char third_arg_force_ref[];
8010
8011+#define HARDENING_PATCH_ZEND_MODULE_API_NO 1001051112
8012 #define ZEND_MODULE_API_NO 20020429
8013 #ifdef ZTS
8014 #define USING_ZTS 1
8015@@ -41,9 +42,9 @@
8016 #define USING_ZTS 0
8017 #endif
8018
8019-#define STANDARD_MODULE_HEADER sizeof(zend_module_entry), ZEND_MODULE_API_NO, ZEND_DEBUG, USING_ZTS
8020+#define STANDARD_MODULE_HEADER sizeof(zend_module_entry), HARDENING_PATCH_ZEND_MODULE_API_NO, ZEND_DEBUG, USING_ZTS
8021
8022-#define STANDARD_MODULE_PROPERTIES_EX 0, 0, 0, NULL, 0
8023+#define STANDARD_MODULE_PROPERTIES_EX 0, 0, 0, NULL, 0, ZEND_MODULE_API_NO
8024
8025 #define STANDARD_MODULE_PROPERTIES \
8026 NULL, NULL, STANDARD_MODULE_PROPERTIES_EX
8027@@ -75,6 +76,7 @@
8028 unsigned char type;
8029 void *handle;
8030 int module_number;
8031+ unsigned int real_zend_api;
8032 };
8033
8034
8035diff -Nura php-4.4.1/Zend/zend_opcode.c hardening-patch-4.4.1-0.4.6/Zend/zend_opcode.c
8036--- php-4.4.1/Zend/zend_opcode.c 2002-12-31 17:23:04.000000000 +0100
8037+++ hardening-patch-4.4.1-0.4.6/Zend/zend_opcode.c 2005-11-05 13:04:08.000000000 +0100
8038@@ -88,6 +88,9 @@
8039 op_array->done_pass_two = 0;
8040
8041 op_array->start_op = NULL;
8042+#if HARDENING_PATCH
8043+ op_array->created_by_eval = 0;
8044+#endif
8045
8046 zend_llist_apply_with_argument(&zend_extensions, (llist_apply_with_arg_func_t) zend_extension_op_array_ctor_handler, op_array TSRMLS_CC);
8047 }
8048diff -Nura php-4.4.1/Zend/zend_operators.c hardening-patch-4.4.1-0.4.6/Zend/zend_operators.c
8049--- php-4.4.1/Zend/zend_operators.c 2005-03-31 10:18:39.000000000 +0200
8050+++ hardening-patch-4.4.1-0.4.6/Zend/zend_operators.c 2005-11-05 13:04:08.000000000 +0100
8051@@ -1604,6 +1604,20 @@
8052 return (op->value.lval ? 1 : 0);
8053 }
8054
8055+ZEND_API char *zend_str_tolower_copy(char *dest, const char *source, unsigned int length)
8056+{
8057+ register unsigned char *str = (unsigned char*)source;
8058+ register unsigned char *result = (unsigned char*)dest;
8059+ register unsigned char *end = str + length;
8060+
8061+ while (str < end) {
8062+ *result++ = tolower((int)*str++);
8063+ }
8064+ *result = *end;
8065+
8066+ return dest;
8067+}
8068+
8069 ZEND_API void zend_str_tolower(char *str, unsigned int length)
8070 {
8071 register char *p=str, *end=p+length;
8072diff -Nura php-4.4.1/Zend/zend_operators.h hardening-patch-4.4.1-0.4.6/Zend/zend_operators.h
8073--- php-4.4.1/Zend/zend_operators.h 2005-03-31 10:18:40.000000000 +0200
8074+++ hardening-patch-4.4.1-0.4.6/Zend/zend_operators.h 2005-11-05 13:04:08.000000000 +0100
8075@@ -174,6 +174,14 @@
8076 #endif
8077
8078 ZEND_API void zend_str_tolower(char *str, unsigned int length);
8079+ZEND_API char *zend_str_tolower_copy(char *dest, const char *source, unsigned int length);
8080+
8081+static inline char *
8082+zend_str_tolower_dup(const char *source, unsigned int length)
8083+{
8084+ return zend_str_tolower_copy((char *)emalloc(length+1), source, length);
8085+}
8086+
8087 ZEND_API int zend_binary_zval_strcmp(zval *s1, zval *s2);
8088 ZEND_API int zend_binary_zval_strncmp(zval *s1, zval *s2, zval *s3);
8089 ZEND_API int zend_binary_zval_strcasecmp(zval *s1, zval *s2);