authorjvoisin2019-10-13 12:57:37 +0200
committerjvoisin2019-10-13 12:57:37 +0200
commit5fea1ebe59050ca0bc8de210e93e8fb4ae6cd8c8 (patch)
tree32a7da950a47305fdc5753a3eeae0b500c6b3a04 /0.4.9
parentad5a70c7aedd0a78de0915b6434a76a4976528c0 (diff)
Add more patches
Diffstat (limited to '0.4.9')
-rw-r--r--0.4.9/hardening-patch-4.4.2-0.4.9.patch8369
1 files changed, 8369 insertions, 0 deletions
diff --git a/0.4.9/hardening-patch-4.4.2-0.4.9.patch b/0.4.9/hardening-patch-4.4.2-0.4.9.patch
new file mode 100644
index 0000000..1a82e70
--- /dev/null
+++ b/0.4.9/hardening-patch-4.4.2-0.4.9.patch
@@ -0,0 +1,8369 @@
1diff -Nura php-4.4.2/acinclude.m4 hardening-patch-4.4.2-0.4.9/acinclude.m4
2--- php-4.4.2/acinclude.m4 2005-12-19 23:29:11.000000000 +0100
3+++ hardening-patch-4.4.2-0.4.9/acinclude.m4 2006-05-02 16:46:34.000000000 +0200
4@@ -1186,6 +1186,36 @@
5 fi
6 ])
7
8+dnl
9+dnl Check for broken realpath()
10+dnl
11+dnl realpath("/etc/hosts/../passwd",XXX) should not return
12+dnl "/etc/passwd"
13+dnl
14+AC_DEFUN([PHP_AC_BROKEN_REALPATH],[
15+ AC_CACHE_CHECK(whether realpath is broken, ac_cv_broken_realpath,[
16+ AC_TRY_RUN([
17+main() {
18+ char buf[4096+1];
19+ buf[0] = 0;
20+ realpath("/etc/hosts/../passwd", buf);
21+ exit(strcmp(buf, "/etc/passwd")==0);
22+}
23+ ],[
24+ ac_cv_broken_realpath=no
25+ ],[
26+ ac_cv_broken_realpath=yes
27+ ],[
28+ ac_cv_broken_realpath=no
29+ ])
30+ ])
31+ if test "$ac_cv_broken_realpath" = "yes"; then
32+ AC_DEFINE(PHP_BROKEN_REALPATH, 1, [Whether realpath is broken])
33+ else
34+ AC_DEFINE(PHP_BROKEN_REALPATH, 0, [Whether realpath is broken])
35+ fi
36+])
37+
38 dnl PHP_SHARED_MODULE(module-name, object-var, build-dir, cxx)
39 dnl
40 dnl Basically sets up the link-stage for building module-name
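Review bot: The cross-compiling branch defaults `ac_cv_broken_realpath=no`, so a build that cannot run the probe assumes the libc realpath() canonicalises `hosts/../passwd` correctly, which is the unsafe direction for a check that presumably selects a fallback path resolver when PHP_BROKEN_REALPATH is 1 (verify against main/). Defaulting that branch to `ac_cv_broken_realpath=yes` fails closed, and a cache-variable override remains available to builders who know their target. The probe also declares `main()` without a return type and includes neither `<stdlib.h>` nor `<string.h>`; on a strict compiler that is a compile failure, which AC_TRY_RUN reports as "broken" here, so add `#include <stdlib.h>`, `#include <string.h>` and `int main(void)` to keep the result meaningful.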
41diff -Nura php-4.4.2/configure hardening-patch-4.4.2-0.4.9/configure
42--- php-4.4.2/configure 2006-01-12 19:24:23.000000000 +0100
43+++ hardening-patch-4.4.2-0.4.9/configure 2006-05-02 16:46:34.000000000 +0200
44@@ -402,6 +402,16 @@
45 ac_default_prefix=/usr/local
46 # Any additions from configure.in:
47 ac_help="$ac_help
48+ --disable-hardening-patch-mm-protect Disable the Memory Manager protection."
49+ac_help="$ac_help
50+ --disable-hardening-patch-ll-protect Disable the Linked List protection."
51+ac_help="$ac_help
52+ --disable-hardening-patch-inc-protect Disable include/require protection."
53+ac_help="$ac_help
54+ --disable-hardening-patch-fmt-protect Disable format string protection."
55+ac_help="$ac_help
56+ --disable-hardening-patch-hash-protect Disable Zend HashTable DTOR protection."
57+ac_help="$ac_help
58
59 SAPI modules:
60 "
61@@ -854,6 +864,8 @@
62 ac_help="$ac_help
63 --disable-tokenizer Disable tokenizer support"
64 ac_help="$ac_help
65+ --disable-varfilter Disable Hardening-Patch's variable filter"
66+ac_help="$ac_help
67 --enable-wddx Enable WDDX support."
68 ac_help="$ac_help
69 --disable-xml Disable XML support using bundled expat lib"
70@@ -2942,6 +2954,157 @@
71
72
73
74+# Check whether --enable-hardening-patch-mm-protect or --disable-hardening-patch-mm-protect was given.
75+if test "${enable_hardening_patch_mm_protect+set}" = set; then
76+ enableval="$enable_hardening_patch_mm_protect"
77+
78+ DO_HARDENING_PATCH_MM_PROTECT=$enableval
79+
80+else
81+
82+ DO_HARDENING_PATCH_MM_PROTECT=yes
83+
84+fi
85+
86+
87+# Check whether --enable-hardening-patch-ll-protect or --disable-hardening-patch-ll-protect was given.
88+if test "${enable_hardening_patch_ll_protect+set}" = set; then
89+ enableval="$enable_hardening_patch_ll_protect"
90+
91+ DO_HARDENING_PATCH_LL_PROTECT=$enableval
92+
93+else
94+
95+ DO_HARDENING_PATCH_LL_PROTECT=yes
96+
97+fi
98+
99+
100+# Check whether --enable-hardening-patch-inc-protect or --disable-hardening-patch-inc-protect was given.
101+if test "${enable_hardening_patch_inc_protect+set}" = set; then
102+ enableval="$enable_hardening_patch_inc_protect"
103+
104+ DO_HARDENING_PATCH_INC_PROTECT=$enableval
105+
106+else
107+
108+ DO_HARDENING_PATCH_INC_PROTECT=yes
109+
110+fi
111+
112+
113+# Check whether --enable-hardening-patch-fmt-protect or --disable-hardening-patch-fmt-protect was given.
114+if test "${enable_hardening_patch_fmt_protect+set}" = set; then
115+ enableval="$enable_hardening_patch_fmt_protect"
116+
117+ DO_HARDENING_PATCH_FMT_PROTECT=$enableval
118+
119+else
120+
121+ DO_HARDENING_PATCH_FMT_PROTECT=yes
122+
123+fi
124+
125+
126+# Check whether --enable-hardening-patch-hash-protect or --disable-hardening-patch-hash-protect was given.
127+if test "${enable_hardening_patch_hash_protect+set}" = set; then
128+ enableval="$enable_hardening_patch_hash_protect"
129+
130+ DO_HARDENING_PATCH_HASH_PROTECT=$enableval
131+
132+else
133+
134+ DO_HARDENING_PATCH_HASH_PROTECT=yes
135+
136+fi
137+
138+
139+echo $ac_n "checking whether to protect the Zend Memory Manager""... $ac_c" 1>&6
140+echo "configure:2725: checking whether to protect the Zend Memory Manager" >&5
141+echo "$ac_t""$DO_HARDENING_PATCH_MM_PROTECT" 1>&6
142+
143+echo $ac_n "checking whether to protect the Zend Linked Lists""... $ac_c" 1>&6
144+echo "configure:2729: checking whether to protect the Zend Linked Lists" >&5
145+echo "$ac_t""$DO_HARDENING_PATCH_LL_PROTECT" 1>&6
146+
147+echo $ac_n "checking whether to protect include/require statements""... $ac_c" 1>&6
148+echo "configure:2733: checking whether to protect include/require statements" >&5
149+echo "$ac_t""$DO_HARDENING_PATCH_INC_PROTECT" 1>&6
150+
151+echo $ac_n "checking whether to protect PHP Format String functions""... $ac_c" 1>&6
152+echo "configure:2737: checking whether to protect PHP Format String functions" >&5
153+echo "$ac_t""$DO_HARDENING_PATCH_FMT_PROTECT" 1>&6
154+
155+echo $ac_n "checking whether to protect the Zend HashTable Destructors""... $ac_c" 1>&6
156+echo "configure:2737: checking whether to protect the Zend HashTable Destructors" >&5
157+echo "$ac_t""$DO_HARDENING_PATCH_HASH_PROTECT" 1>&6
158+
159+
160+cat >> confdefs.h <<\EOF
161+#define HARDENING_PATCH 1
162+EOF
163+
164+
165+
166+if test "$DO_HARDENING_PATCH_MM_PROTECT" = "yes"; then
167+ cat >> confdefs.h <<\EOF
168+#define HARDENING_PATCH_MM_PROTECT 1
169+EOF
170+
171+else
172+ cat >> confdefs.h <<\EOF
173+#define HARDENING_PATCH_MM_PROTECT 0
174+EOF
175+
176+fi
177+
178+if test "$DO_HARDENING_PATCH_LL_PROTECT" = "yes"; then
179+ cat >> confdefs.h <<\EOF
180+#define HARDENING_PATCH_LL_PROTECT 1
181+EOF
182+
183+else
184+ cat >> confdefs.h <<\EOF
185+#define HARDENING_PATCH_LL_PROTECT 0
186+EOF
187+
188+fi
189+
190+if test "$DO_HARDENING_PATCH_INC_PROTECT" = "yes"; then
191+ cat >> confdefs.h <<\EOF
192+#define HARDENING_PATCH_INC_PROTECT 1
193+EOF
194+
195+else
196+ cat >> confdefs.h <<\EOF
197+#define HARDENING_PATCH_INC_PROTECT 0
198+EOF
199+
200+fi
201+
202+if test "$DO_HARDENING_PATCH_FMT_PROTECT" = "yes"; then
203+ cat >> confdefs.h <<\EOF
204+#define HARDENING_PATCH_FMT_PROTECT 1
205+EOF
206+
207+else
208+ cat >> confdefs.h <<\EOF
209+#define HARDENING_PATCH_FMT_PROTECT 0
210+EOF
211+
212+fi
213+
214+if test "$DO_HARDENING_PATCH_HASH_PROTECT" = "yes"; then
215+ cat >> confdefs.h <<\EOF
216+#define HARDENING_PATCH_HASH_PROTECT 1
217+EOF
218+
219+else
220+ cat >> confdefs.h <<\EOF
221+#define HARDENING_PATCH_HASH_PROTECT 0
222+EOF
223+
224+fi
225
226
227
228@@ -16017,6 +16180,62 @@
229 fi
230
231
232+ echo $ac_n "checking whether realpath is broken""... $ac_c" 1>&6
233+echo "configure:14928: checking whether realpath is broken" >&5
234+if eval "test \"`echo '$''{'ac_cv_broken_realpath'+set}'`\" = set"; then
235+ echo $ac_n "(cached) $ac_c" 1>&6
236+else
237+
238+ if test "$cross_compiling" = yes; then
239+
240+ ac_cv_broken_realpath=no
241+
242+else
243+ cat > conftest.$ac_ext <<EOF
244+#line 14939 "configure"
245+#include "confdefs.h"
246+
247+main() {
248+ char buf[4096+1];
249+ buf[0] = 0;
250+ realpath("/etc/hosts/../passwd", buf);
251+ exit(strcmp(buf, "/etc/passwd")==0);
252+}
253+
254+EOF
255+if { (eval echo configure:14958: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
256+then
257+
258+ ac_cv_broken_realpath=no
259+
260+else
261+ echo "configure: failed program was:" >&5
262+ cat conftest.$ac_ext >&5
263+ rm -fr conftest*
264+
265+ ac_cv_broken_realpath=yes
266+
267+fi
268+rm -fr conftest*
269+fi
270+
271+
272+fi
273+
274+echo "$ac_t""$ac_cv_broken_realpath" 1>&6
275+ if test "$ac_cv_broken_realpath" = "yes"; then
276+ cat >> confdefs.h <<\EOF
277+#define PHP_BROKEN_REALPATH 1
278+EOF
279+
280+ else
281+ cat >> confdefs.h <<\EOF
282+#define PHP_BROKEN_REALPATH 0
283+EOF
284+
285+ fi
286+
287+
288 echo $ac_n "checking for declared timezone""... $ac_c" 1>&6
289 echo "configure:16022: checking for declared timezone" >&5
290 if eval "test \"`echo '$''{'ac_cv_declared_timezone'+set}'`\" = set"; then
291@@ -86718,7 +86937,7 @@
292 if test "$ac_cv_crypt_blowfish" = "yes"; then
293 ac_result=1
294 else
295- ac_result=0
296+ ac_result=1
297 fi
298 cat >> confdefs.h <<EOF
299 #define PHP_BLOWFISH_CRYPT $ac_result
300@@ -87420,7 +87639,7 @@
301 url_scanner.c var.c versioning.c assert.c strnatcmp.c levenshtein.c \
302 incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
303 http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
304- var_unserializer.c ftok.c aggregation.c sha1.c ; do
305+ var_unserializer.c ftok.c aggregation.c sha1.c sha256.c crypt_blowfish.c ; do
306
307 IFS=.
308 set $ac_src
309@@ -87475,7 +87694,7 @@
310 url_scanner.c var.c versioning.c assert.c strnatcmp.c levenshtein.c \
311 incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
312 http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
313- var_unserializer.c ftok.c aggregation.c sha1.c ; do
314+ var_unserializer.c ftok.c aggregation.c sha1.c sha256.c crypt_blowfish.c ; do
315
316 IFS=.
317 set $ac_src
318@@ -87601,7 +87820,7 @@
319 url_scanner.c var.c versioning.c assert.c strnatcmp.c levenshtein.c \
320 incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
321 http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
322- var_unserializer.c ftok.c aggregation.c sha1.c ; do
323+ var_unserializer.c ftok.c aggregation.c sha1.c sha256.c crypt_blowfish.c ; do
324
325 IFS=.
326 set $ac_src
327@@ -87653,7 +87872,7 @@
328 url_scanner.c var.c versioning.c assert.c strnatcmp.c levenshtein.c \
329 incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
330 http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
331- var_unserializer.c ftok.c aggregation.c sha1.c ; do
332+ var_unserializer.c ftok.c aggregation.c sha1.c sha256.c crypt_blowfish.c ; do
333
334 IFS=.
335 set $ac_src
336@@ -91124,6 +91343,265 @@
337 fi
338
339
340+echo $ac_n "checking whether to enable Hardening-Patch's variable filter""... $ac_c" 1>&6
341+echo "configure:82041: checking whether to enable Hardening-Patch's variable filter" >&5
342+# Check whether --enable-varfilter or --disable-varfilter was given.
343+if test "${enable_varfilter+set}" = set; then
344+ enableval="$enable_varfilter"
345+ PHP_VARFILTER=$enableval
346+else
347+
348+ PHP_VARFILTER=yes
349+
350+ if test "$PHP_ENABLE_ALL" && test "yes" = "yes"; then
351+ PHP_VARFILTER=$PHP_ENABLE_ALL
352+ fi
353+
354+fi
355+
356+
357+
358+ext_output="yes, shared"
359+ext_shared=yes
360+case $PHP_VARFILTER in
361+shared,*)
362+ PHP_VARFILTER=`echo "$PHP_VARFILTER"|sed 's/^shared,//'`
363+ ;;
364+shared)
365+ PHP_VARFILTER=yes
366+ ;;
367+no)
368+ ext_output=no
369+ ext_shared=no
370+ ;;
371+*)
372+ ext_output=yes
373+ ext_shared=no
374+ ;;
375+esac
376+
377+
378+
379+echo "$ac_t""$ext_output" 1>&6
380+
381+
382+
383+
384+if test "$PHP_VARFILTER" != "no"; then
385+ cat >> confdefs.h <<\EOF
386+#define HAVE_VARFILTER 1
387+EOF
388+
389+
390+ ext_builddir=ext/varfilter
391+ ext_srcdir=$abs_srcdir/ext/varfilter
392+
393+ ac_extra=
394+
395+ if test "$ext_shared" != "shared" && test "$ext_shared" != "yes" && test "" != "cli"; then
396+
397+
398+
399+ case ext/varfilter in
400+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
401+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
402+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
403+ esac
404+
405+
406+
407+ b_c_pre=$php_c_pre
408+ b_cxx_pre=$php_cxx_pre
409+ b_c_meta=$php_c_meta
410+ b_cxx_meta=$php_cxx_meta
411+ b_c_post=$php_c_post
412+ b_cxx_post=$php_cxx_post
413+ b_lo=$php_lo
414+
415+
416+ old_IFS=$IFS
417+ for ac_src in varfilter.c; do
418+
419+ IFS=.
420+ set $ac_src
421+ ac_obj=$1
422+ IFS=$old_IFS
423+
424+ PHP_GLOBAL_OBJS="$PHP_GLOBAL_OBJS $ac_bdir$ac_obj.lo"
425+
426+ case $ac_src in
427+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
428+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
429+ esac
430+
431+ cat >>Makefile.objects<<EOF
432+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
433+ $ac_comp
434+EOF
435+ done
436+
437+
438+ EXT_STATIC="$EXT_STATIC varfilter"
439+ if test "$ext_shared" != "nocli"; then
440+ EXT_CLI_STATIC="$EXT_CLI_STATIC varfilter"
441+ fi
442+ else
443+ if test "$ext_shared" = "shared" || test "$ext_shared" = "yes"; then
444+
445+ case ext/varfilter in
446+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
447+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
448+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
449+ esac
450+
451+
452+
453+ b_c_pre=$shared_c_pre
454+ b_cxx_pre=$shared_cxx_pre
455+ b_c_meta=$shared_c_meta
456+ b_cxx_meta=$shared_cxx_meta
457+ b_c_post=$shared_c_post
458+ b_cxx_post=$shared_cxx_post
459+ b_lo=$shared_lo
460+
461+
462+ old_IFS=$IFS
463+ for ac_src in varfilter.c; do
464+
465+ IFS=.
466+ set $ac_src
467+ ac_obj=$1
468+ IFS=$old_IFS
469+
470+ shared_objects_varfilter="$shared_objects_varfilter $ac_bdir$ac_obj.lo"
471+
472+ case $ac_src in
473+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
474+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
475+ esac
476+
477+ cat >>Makefile.objects<<EOF
478+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
479+ $ac_comp
480+EOF
481+ done
482+
483+
484+ install_modules="install-modules"
485+ PHP_MODULES="$PHP_MODULES \$(phplibdir)/varfilter.la"
486+
487+ PHP_VAR_SUBST="$PHP_VAR_SUBST shared_objects_varfilter"
488+
489+ cat >>Makefile.objects<<EOF
490+\$(phplibdir)/varfilter.la: $ext_builddir/varfilter.la
491+ \$(LIBTOOL) --mode=install cp $ext_builddir/varfilter.la \$(phplibdir)
492+
493+$ext_builddir/varfilter.la: \$(shared_objects_varfilter) \$(VARFILTER_SHARED_DEPENDENCIES)
494+ \$(LIBTOOL) --mode=link \$(CC) \$(COMMON_FLAGS) \$(CFLAGS_CLEAN) \$(EXTRA_CFLAGS) \$(LDFLAGS) -o \$@ -export-dynamic -avoid-version -prefer-pic -module -rpath \$(phplibdir) \$(EXTRA_LDFLAGS) \$(shared_objects_varfilter) \$(VARFILTER_SHARED_LIBADD)
495+
496+EOF
497+
498+ cat >> confdefs.h <<EOF
499+#define COMPILE_DL_VARFILTER 1
500+EOF
501+
502+ fi
503+ fi
504+
505+ if test "$ext_shared" != "shared" && test "$ext_shared" != "yes" && test "" = "cli"; then
506+ if test "$PHP_SAPI" = "cgi"; then
507+
508+
509+ case ext/varfilter in
510+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
511+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
512+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
513+ esac
514+
515+
516+
517+ b_c_pre=$php_c_pre
518+ b_cxx_pre=$php_cxx_pre
519+ b_c_meta=$php_c_meta
520+ b_cxx_meta=$php_cxx_meta
521+ b_c_post=$php_c_post
522+ b_cxx_post=$php_cxx_post
523+ b_lo=$php_lo
524+
525+
526+ old_IFS=$IFS
527+ for ac_src in varfilter.c; do
528+
529+ IFS=.
530+ set $ac_src
531+ ac_obj=$1
532+ IFS=$old_IFS
533+
534+ PHP_GLOBAL_OBJS="$PHP_GLOBAL_OBJS $ac_bdir$ac_obj.lo"
535+
536+ case $ac_src in
537+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
538+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
539+ esac
540+
541+ cat >>Makefile.objects<<EOF
542+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
543+ $ac_comp
544+EOF
545+ done
546+
547+
548+ EXT_STATIC="$EXT_STATIC varfilter"
549+ else
550+
551+
552+ case ext/varfilter in
553+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
554+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
555+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
556+ esac
557+
558+
559+
560+ b_c_pre=$php_c_pre
561+ b_cxx_pre=$php_cxx_pre
562+ b_c_meta=$php_c_meta
563+ b_cxx_meta=$php_cxx_meta
564+ b_c_post=$php_c_post
565+ b_cxx_post=$php_cxx_post
566+ b_lo=$php_lo
567+
568+
569+ old_IFS=$IFS
570+ for ac_src in varfilter.c; do
571+
572+ IFS=.
573+ set $ac_src
574+ ac_obj=$1
575+ IFS=$old_IFS
576+
577+ PHP_CLI_OBJS="$PHP_CLI_OBJS $ac_bdir$ac_obj.lo"
578+
579+ case $ac_src in
580+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
581+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
582+ esac
583+
584+ cat >>Makefile.objects<<EOF
585+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
586+ $ac_comp
587+EOF
588+ done
589+
590+
591+ fi
592+ EXT_CLI_STATIC="$EXT_CLI_STATIC varfilter"
593+ fi
594+
595+ BUILD_DIR="$BUILD_DIR $ext_builddir"
596+
597+
598+fi
599
600
601 echo $ac_n "checking whether to enable WDDX support""... $ac_c" 1>&6
602@@ -104088,7 +104566,7 @@
603 php_ini.c SAPI.c rfc1867.c php_content_types.c strlcpy.c \
604 strlcat.c mergesort.c reentrancy.c php_variables.c php_ticks.c \
605 streams.c network.c php_open_temporary_file.c php_logos.c \
606- output.c memory_streams.c user_streams.c; do
607+ output.c memory_streams.c user_streams.c hardening_patch.c; do
608
609 IFS=.
610 set $ac_src
611@@ -104273,7 +104751,7 @@
612 zend_opcode.c zend_operators.c zend_ptr_stack.c zend_stack.c \
613 zend_variables.c zend.c zend_API.c zend_extensions.c zend_hash.c \
614 zend_list.c zend_indent.c zend_builtin_functions.c zend_sprintf.c \
615- zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c; do
616+ zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c zend_canary.c; do
617
618 IFS=.
619 set $ac_src
620diff -Nura php-4.4.2/configure.in hardening-patch-4.4.2-0.4.9/configure.in
621--- php-4.4.2/configure.in 2006-01-12 18:52:29.000000000 +0100
622+++ hardening-patch-4.4.2-0.4.9/configure.in 2006-05-02 16:46:34.000000000 +0200
623@@ -247,7 +247,7 @@
624 sinclude(Zend/acinclude.m4)
625 sinclude(Zend/Zend.m4)
626 sinclude(TSRM/tsrm.m4)
627-
628+sinclude(main/hardening_patch.m4)
629
630
631 divert(2)
632@@ -621,6 +621,7 @@
633 AC_FUNC_ALLOCA
634 dnl PHP_AC_BROKEN_SPRINTF
635 dnl PHP_AC_BROKEN_SNPRINTF
636+PHP_AC_BROKEN_REALPATH
637 PHP_DECLARED_TIMEZONE
638 PHP_TIME_R_TYPE
639 PHP_READDIR_R_TYPE
640@@ -1260,7 +1261,7 @@
641 php_ini.c SAPI.c rfc1867.c php_content_types.c strlcpy.c \
642 strlcat.c mergesort.c reentrancy.c php_variables.c php_ticks.c \
643 streams.c network.c php_open_temporary_file.c php_logos.c \
644- output.c memory_streams.c user_streams.c)
645+ output.c memory_streams.c user_streams.c hardening_patch.c)
646 PHP_ADD_SOURCES(/main, internal_functions.c,, sapi)
647 case $host_alias in
648 *netware*)
649@@ -1281,7 +1282,7 @@
650 zend_opcode.c zend_operators.c zend_ptr_stack.c zend_stack.c \
651 zend_variables.c zend.c zend_API.c zend_extensions.c zend_hash.c \
652 zend_list.c zend_indent.c zend_builtin_functions.c zend_sprintf.c \
653- zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c)
654+ zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c zend_canary.c )
655
656 if test -r "$abs_srcdir/Zend/zend_objects.c"; then
657 PHP_ADD_SOURCES(Zend, zend_objects.c zend_object_handlers.c zend_objects_API.c zend_mm.c)
658diff -Nura php-4.4.2/ext/curl/curl.c hardening-patch-4.4.2-0.4.9/ext/curl/curl.c
659--- php-4.4.2/ext/curl/curl.c 2006-01-05 19:03:18.000000000 +0100
660+++ hardening-patch-4.4.2-0.4.9/ext/curl/curl.c 2006-05-02 16:46:34.000000000 +0200
661@@ -111,7 +111,7 @@
662
663 #define PHP_CURL_CHECK_OPEN_BASEDIR(str, len) \
664 if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \
665- strncasecmp(str, "file://", sizeof("file://") - 1) == 0) \
666+ strncasecmp(str, "file:", sizeof("file:") - 1) == 0) \
667 { \
668 php_url *tmp_url; \
669 \
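Review bot: Matching on `file:` instead of `file://` closes the `file:/etc/passwd` spelling, but the macro still only inspects the URL string passed to curl_setopt(); if CURLOPT_FOLLOWLOCATION is honoured under open_basedir/safe_mode elsewhere in this file (not visible in this hunk), a remote server can redirect libcurl to a `file:` URL and bypass the check entirely. The practical fix for this libcurl era is to refuse the option when the restriction is active, in the CURLOPT_FOLLOWLOCATION case: `if ((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "CURLOPT_FOLLOWLOCATION is not allowed when open_basedir or safe_mode is enabled"); RETURN_FALSE; }`. A comment on the macro, `/* prefix check on the raw URL; relies on file: being libcurl's only local-file scheme */`, would document the assumption. The macro body continues past the hunk.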
670diff -Nura php-4.4.2/ext/fbsql/php_fbsql.c hardening-patch-4.4.2-0.4.9/ext/fbsql/php_fbsql.c
671--- php-4.4.2/ext/fbsql/php_fbsql.c 2006-01-01 14:46:52.000000000 +0100
672+++ hardening-patch-4.4.2-0.4.9/ext/fbsql/php_fbsql.c 2006-05-02 16:46:34.000000000 +0200
673@@ -1797,8 +1797,24 @@
674 }
675 else if (fbcmdErrorsFound(md))
676 {
677+#if HARDENING_PATCH
678+ char* query_copy;
679+ int i;
680+#endif
681 FBCErrorMetaData* emd = fbcdcErrorMetaData(c, md);
682 char* emg = fbcemdAllErrorMessages(emd);
683+#if HARDENING_PATCH
684+ query_copy=estrdup(query_copy);
685+ for (i=0; query_copy[i]; i++) if (query_copy[i]<32) query_copy[i]='.';
686+ php_security_log(S_SQL, "fbsql error: %s - query: %s", emg, query_copy);
687+ efree(query_copy);
688+ if (HG(hphp_sql_bailout_on_error)) {
689+ free(emg);
690+ fbcemdRelease(emd);
691+ result = 0;
692+ zend_bailout();
693+ }
694+#endif
695 if (FB_SQL_G(generateWarnings))
696 {
697 if (emg)
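Review bot: `query_copy=estrdup(query_copy);` duplicates an uninitialised pointer, so the new logging path dereferences garbage (undefined behaviour, in practice a crash) on every fbsql error; it must duplicate the SQL text the enclosing function received, `query_copy = estrdup(<query parameter>);` — the hunk does not show that parameter's name, so check the signature (the function begins outside the hunk). Only the query copy is scrubbed of control characters while `emg` is logged raw, so a server error that echoes the offending fragment can still inject newlines into the security log; apply the same `< 32 → '.'` loop to a copy of `emg`. Freeing `emg` and releasing `emd` before zend_bailout() is correct, since the bailout longjmps past the normal cleanup.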
698diff -Nura php-4.4.2/ext/mbstring/mbstring.c hardening-patch-4.4.2-0.4.9/ext/mbstring/mbstring.c
699--- php-4.4.2/ext/mbstring/mbstring.c 2006-01-01 14:46:54.000000000 +0100
700+++ hardening-patch-4.4.2-0.4.9/ext/mbstring/mbstring.c 2006-05-02 16:46:34.000000000 +0200
701@@ -1488,6 +1488,7 @@
702 char *strtok_buf = NULL, **val_list;
703 zval *array_ptr = (zval *) arg;
704 int n, num, val_len, *len_list;
705+ unsigned int new_val_len;
706 enum mbfl_no_encoding from_encoding;
707 mbfl_string string, resvar, resval;
708 mbfl_encoding_detector *identd = NULL;
709@@ -1610,8 +1611,14 @@
710 val_len = len_list[n];
711 }
712 n++;
713- /* add variable to symbol table */
714- php_register_variable_safe(var, val, val_len, array_ptr TSRMLS_CC);
715+ /* we need val to be emalloc()ed */
716+ val = estrndup(val, val_len);
717+ if (sapi_module.input_filter(info->data_type, var, &val, val_len, &new_val_len TSRMLS_CC)) {
718+ /* add variable to symbol table */
719+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
720+ }
721+ efree(val);
722+
723 if (convd != NULL){
724 mbfl_string_clear(&resvar);
725 mbfl_string_clear(&resval);
726diff -Nura php-4.4.2/ext/mysql/php_mysql.c hardening-patch-4.4.2-0.4.9/ext/mysql/php_mysql.c
727--- php-4.4.2/ext/mysql/php_mysql.c 2006-01-01 14:46:55.000000000 +0100
728+++ hardening-patch-4.4.2-0.4.9/ext/mysql/php_mysql.c 2006-05-02 16:46:34.000000000 +0200
729@@ -1218,6 +1218,8 @@
730 {
731 php_mysql_conn *mysql;
732 MYSQL_RES *mysql_result;
733+ char *copy_query;
734+ int i;
735
736 ZEND_FETCH_RESOURCE2(mysql, php_mysql_conn *, mysql_link, link_id, "MySQL-Link", le_link, le_plink);
737
738@@ -1268,6 +1270,13 @@
739 php_error_docref("http://www.mysql.com/doc" TSRMLS_CC, E_WARNING, "%s", mysql_error(&mysql->conn));
740 }
741 }
742+ copy_query = estrdup(Z_STRVAL_PP(query));
743+ for (i=0; copy_query[i]; i++) if (copy_query[i] < 32) copy_query[i]='.';
744+ php_security_log(S_SQL, "MySQL error: %s - query: %s", mysql_error(&mysql->conn), copy_query);
745+ efree(copy_query);
746+ if (HG(hphp_sql_bailout_on_error)) {
747+ zend_bailout();
748+ }
749 RETURN_FALSE;
750 }
751 #else
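Review bot: The control-character scrub is applied only to the query copy, while `mysql_error(&mysql->conn)` goes to php_security_log() unfiltered; MySQL syntax errors quote the offending query fragment (`... near '...' at line N`), so an attacker-controlled query can still put newlines or terminal escapes into the security log through the error text. Scrub a copy of the error string the same way, or have php_security_log() sanitise all its arguments (its implementation is not visible here), and be aware that failed queries logged verbatim may carry secrets such as `IDENTIFIED BY '...'`. This block is duplicated verbatim in the next hunk; a `static char *scrub_copy(const char *s, int len)` helper would remove the duplication and make the policy one place to audit. The enclosing function begins outside the hunk.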
752@@ -1275,12 +1284,20 @@
753 /* check possible error */
754 if (MySG(trace_mode)){
755 if (mysql_errno(&mysql->conn)){
756- php_error_docref("http://www.mysql.com/doc" TSRMLS_CC, E_WARNING, mysql_error(&mysql->conn));
757+ php_error_docref("http://www.mysql.com/doc" TSRMLS_CC, E_WARNING, "%s", mysql_error(&mysql->conn));
758 }
759 }
760+ copy_query = estrdup(Z_STRVAL_PP(query));
761+ for (i=0; copy_query[i]; i++) if (copy_query[i] < 32) copy_query[i]='.';
762+ php_security_log(S_SQL, "MySQL error: %s - query: %s", mysql_error(&mysql->conn), copy_query);
763+ efree(copy_query);
764+ if (HG(hphp_sql_bailout_on_error)) {
765+ zend_bailout();
766+ }
767 RETURN_FALSE;
768 }
769 #endif
770+
771 if(use_store == MYSQL_USE_RESULT) {
772 mysql_result=mysql_use_result(&mysql->conn);
773 } else {
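Review bot: `estrdup(Z_STRVAL_PP(query))` stops at the first NUL byte, but PHP strings are binary-safe and this file executes the query with its explicit length (via mysql_real_query, if that is what the branch above calls — verify), so anything after an embedded `\0` is executed yet never reaches the security log, letting an attacker hide the injected tail. Use the length-aware form: `copy_query = estrndup(Z_STRVAL_PP(query), Z_STRLEN_PP(query));` and `for (i = 0; i < Z_STRLEN_PP(query); i++) if ((unsigned char)copy_query[i] < 32) copy_query[i] = '.';`. The unsigned cast is deliberate: the current signed compare also turns every byte >= 0x80 into `.` where char is signed, which destroys UTF-8 in the log (keep the signed compare only if stripping high bytes is intended). The `"%s"` fix to the E_WARNING call above is correct and closes a format-string hole; the enclosing function begins outside the hunk.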
774diff -Nura php-4.4.2/ext/pgsql/pgsql.c hardening-patch-4.4.2-0.4.9/ext/pgsql/pgsql.c
775--- php-4.4.2/ext/pgsql/pgsql.c 2006-01-01 14:46:56.000000000 +0100
776+++ hardening-patch-4.4.2-0.4.9/ext/pgsql/pgsql.c 2006-05-02 16:46:34.000000000 +0200
777@@ -1001,10 +1001,28 @@
778 case PGRES_EMPTY_QUERY:
779 case PGRES_BAD_RESPONSE:
780 case PGRES_NONFATAL_ERROR:
781- case PGRES_FATAL_ERROR:
782- PHP_PQ_ERROR("Query failed: %s", pgsql);
783- PQclear(pgsql_result);
784- RETURN_FALSE;
785+ case PGRES_FATAL_ERROR:
786+ {
787+#if HARDENING_PATCH
788+ int i;
789+ char *query_copy;
790+#endif
791+ char *msgbuf = _php_pgsql_trim_message(PQerrorMessage(pgsql), NULL);
792+ PQclear(pgsql_result);
793+#if HARDENING_PATCH
794+ query_copy = estrdup(Z_STRVAL_PP(query));
795+ for (i=0; query_copy[i]; i++) if (query_copy[i]<32) query_copy[i]='.';
796+ php_security_log(S_SQL, "PgSQL error: %s - query: %s", msgbuf, query_copy);
797+ efree(query_copy);
798+ if (HG(hphp_sql_bailout_on_error)) {
799+ efree(msgbuf);
800+ zend_bailout();
801+ }
802+#endif
803+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Query failed: %s", msgbuf);
804+ efree(msgbuf);
805+ RETURN_FALSE;
806+ }
807 break;
808 case PGRES_COMMAND_OK: /* successful command that did not return rows */
809 default:
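Review bot: `msgbuf` is logged unscrubbed while only the query copy has control characters replaced; PQerrorMessage() output for syntax errors is multi-line (a `LINE n: ...` echo of the attacker-controlled query plus a caret line), and _php_pgsql_trim_message() is not visible here, so unless it strips interior newlines the security log entry can be split by query content. Run the same `< 32 → '.'` loop over a copy of `msgbuf` before php_security_log(), or sanitise inside php_security_log() itself. The `break;` after the new block is unreachable because every path ends in RETURN_FALSE — harmless, but dropping it avoids a misleading read. The switch and the enclosing function begin outside the hunk.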
810diff -Nura php-4.4.2/ext/session/mod_files.c hardening-patch-4.4.2-0.4.9/ext/session/mod_files.c
811--- php-4.4.2/ext/session/mod_files.c 2006-01-01 14:46:56.000000000 +0100
812+++ hardening-patch-4.4.2-0.4.9/ext/session/mod_files.c 2006-05-02 16:48:05.000000000 +0200
813@@ -16,7 +16,7 @@
814 +----------------------------------------------------------------------+
815 */
816
817-/* $Id: mod_files.c,v 1.83.2.9.2.2 2006/01/01 13:46:56 sniper Exp $ */
818+/* $Id: mod_files.c,v 1.83.2.9.2.3 2006/04/17 23:29:37 iliaa Exp $ */
819
820 #include "php.h"
821
822@@ -364,10 +364,12 @@
823 if (!ps_files_path_create(buf, sizeof(buf), data, key))
824 return FAILURE;
825
826- ps_files_close(data);
827+ if (data->fd != -1) {
828+ ps_files_close(data);
829
830- if (VCWD_UNLINK(buf) == -1) {
831- return FAILURE;
832+ if (VCWD_UNLINK(buf) == -1) {
833+ return FAILURE;
834+ }
835 }
836
837 return SUCCESS;
838@@ -389,6 +391,34 @@
839 return SUCCESS;
840 }
841
842+PS_VALIDATE_SID_FUNC(files)
843+{
844+ char buf[MAXPATHLEN];
845+ int fd;
846+ PS_FILES_DATA;
847+
848+ if (!ps_files_valid_key(key)) {
849+ return FAILURE;
850+ }
851+
852+ if (!PS(use_strict_mode)) {
853+ return SUCCESS;
854+ }
855+
856+ if (!ps_files_path_create(buf, sizeof(buf), data, key)) {
857+ return FAILURE;
858+ }
859+
860+ fd = VCWD_OPEN_MODE(buf, O_RDWR | O_BINARY, 0600);
861+
862+ if (fd != -1) {
863+ close(fd);
864+ return SUCCESS;
865+ }
866+
867+ return FAILURE;
868+}
869+
870 /*
871 * Local variables:
872 * tab-width: 4
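Review bot: The validation opens the session file `O_RDWR` with a `0600` mode that is dead without `O_CREAT`, and the open follows symlinks in a save_path that is commonly shared and world-writable (/tmp), so merely validating an id opens whatever an attacker placed at that name; only existence is needed here, so `return VCWD_ACCESS(buf, F_OK) == 0 ? SUCCESS : FAILURE;` (or a stat) is both sufficient and safer. The check is inherently TOCTOU-prone — the file can vanish before ps_read — so the caller must still treat a later read failure as an invalid session rather than trusting this result. The early `return SUCCESS` when use_strict_mode is off accepts any well-formed id without an existence check, which is the intended non-strict behaviour but deserves a comment: `/* non-strict mode: any syntactically valid id is accepted, fixation possible */`.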
873diff -Nura php-4.4.2/ext/session/mod_mm.c hardening-patch-4.4.2-0.4.9/ext/session/mod_mm.c
874--- php-4.4.2/ext/session/mod_mm.c 2006-01-01 14:46:56.000000000 +0100
875+++ hardening-patch-4.4.2-0.4.9/ext/session/mod_mm.c 2006-05-02 16:46:34.000000000 +0200
876@@ -425,6 +425,42 @@
877 return SUCCESS;
878 }
879
880+PS_VALIDATE_SID_FUNC(mm)
881+{
882+ PS_MM_DATA;
883+ ps_sd *sd;
884+ const char *p;
885+ char c;
886+ int ret = SUCCESS;
887+
888+ for (p = key; (c = *p); p++) {
889+ /* valid characters are a..z,A..Z,0..9 */
890+ if (!((c >= 'a' && c <= 'z')
891+ || (c >= 'A' && c <= 'Z')
892+ || (c >= '0' && c <= '9')
893+ || c == ','
894+ || c == '-')) {
895+ return FAILURE;
896+ }
897+ }
898+
899+ if (!PS(use_strict_mode)) {
900+ return SUCCESS;
901+ }
902+
903+ mm_lock(data->mm, MM_LOCK_RD);
904+
905+ sd = ps_sd_lookup(data, key, 0);
906+ if (sd) {
907+ mm_unlock(data->mm);
908+ return SUCCESS;
909+ }
910+
911+ mm_unlock(data->mm);
912+
913+ return FAILURE;
914+}
915+
916 #endif
917
918 /*
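Review bot: An empty key passes the character loop untouched and, when use_strict_mode is off, is returned as SUCCESS, whereas the mod_user validator in this same patch rejects `len == 0`; add `if (p == key) { return FAILURE; }` after the loop so the backends agree. `ret` is initialised to SUCCESS and never used, and should be dropped. There is also no upper bound on key length here (the files backend presumably gets one from ps_files_valid_key()/MAXPATHLEN, not visible in this hunk); sharing one validator across the three modules instead of three hand-rolled loops would keep the accepted alphabet and length in a single auditable place.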
919diff -Nura php-4.4.2/ext/session/mod_user.c hardening-patch-4.4.2-0.4.9/ext/session/mod_user.c
920--- php-4.4.2/ext/session/mod_user.c 2006-01-01 14:46:56.000000000 +0100
921+++ hardening-patch-4.4.2-0.4.9/ext/session/mod_user.c 2006-05-02 16:46:34.000000000 +0200
922@@ -23,7 +23,7 @@
923 #include "mod_user.h"
924
925 ps_module ps_mod_user = {
926- PS_MOD(user)
927+ PS_MOD_SID(user)
928 };
929
930 #define SESS_ZVAL_LONG(val, a) \
931@@ -174,6 +174,83 @@
932 FINISH;
933 }
934
935+PS_CREATE_SID_FUNC(user)
936+{
937+ int i;
938+ char *val = NULL;
939+ zval *retval;
940+ ps_user *mdata = PS_GET_MOD_DATA();
941+
942+ if (!mdata)
943+ return estrndup("", 0);
944+
945+ if (PSF(create) == NULL || ZVAL_IS_NULL(PSF(create))) {
946+ return php_session_create_id(mod_data, newlen TSRMLS_CC);
947+ }
948+ retval = ps_call_handler(PSF(create), 0, NULL TSRMLS_CC);
949+
950+ if (retval) {
951+ if (Z_TYPE_P(retval) == IS_STRING) {
952+ val = estrndup(Z_STRVAL_P(retval), Z_STRLEN_P(retval));
953+ } else {
954+ val = estrndup("", 0);
955+ }
956+ zval_ptr_dtor(&retval);
957+ } else {
958+ val = estrndup("", 0);
959+ }
960+
961+ return val;
962+}
963+
964+static int ps_user_valid_key(const char *key TSRMLS_DC)
965+{
966+ size_t len;
967+ const char *p;
968+ char c;
969+ int ret = SUCCESS;
970+
971+ for (p = key; (c = *p); p++) {
972+ /* valid characters are a..z,A..Z,0..9 */
973+ if (!((c >= 'a' && c <= 'z')
974+ || (c >= 'A' && c <= 'Z')
975+ || (c >= '0' && c <= '9')
976+ || c == ','
977+ || c == '-')) {
978+ ret = FAILURE;
979+ break;
980+ }
981+ }
982+
983+ len = p - key;
984+
985+ if (len == 0)
986+ ret = FAILURE;
987+
988+ return ret;
989+}
990+
991+PS_VALIDATE_SID_FUNC(user)
992+{
993+ zval *args[1];
994+ STDVARS;
995+
996+ if (PSF(validate) == NULL || ZVAL_IS_NULL(PSF(validate))) {
997+ return ps_user_valid_key(key TSRMLS_CC);
998+ }
999+ SESS_ZVAL_STRING(key, args[0]);
1000+
1001+ retval = ps_call_handler(PSF(validate), 1, args TSRMLS_CC);
1002+
1003+ if (retval) {
1004+ convert_to_long(retval);
1005+ ret = Z_LVAL_P(retval) ? SUCCESS : FAILURE;
1006+ zval_ptr_dtor(&retval);
1007+ }
1008+
1009+ return ret;
1010+}
1011+
1012 /*
1013 * Local variables:
1014 * tab-width: 4
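Review bot: When the user-supplied create handler returns a non-string, or ps_call_handler() returns nothing, ps_create_sid_user() hands back an empty string that the session layer will then use as the session id; that should be reported (E_WARNING and fall back to `php_session_create_id(mod_data, newlen TSRMLS_CC)`, or return NULL) rather than silently producing an empty id. The `newlen` out-parameter is set only on the php_session_create_id() fallback, so a caller passing a non-NULL `newlen` reads an uninitialised length on the handler path; add `if (newlen) *newlen = Z_STRLEN_P(retval);` where the string is copied. In ps_validate_sid_user, registering a validate callback bypasses ps_user_valid_key() entirely, so a permissive callback re-admits arbitrary bytes in ids for handlers that store by key; run `ps_user_valid_key(key TSRMLS_CC)` first and consult the callback only if it passes, or document the contract. `int i` in ps_create_sid_user is unused.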
1015diff -Nura php-4.4.2/ext/session/mod_user.h hardening-patch-4.4.2-0.4.9/ext/session/mod_user.h
1016--- php-4.4.2/ext/session/mod_user.h 2006-01-01 14:46:56.000000000 +0100
1017+++ hardening-patch-4.4.2-0.4.9/ext/session/mod_user.h 2006-05-02 16:46:34.000000000 +0200
1018@@ -22,7 +22,7 @@
1019 #define MOD_USER_H
1020
1021 typedef union {
1022- zval *names[6];
1023+ zval *names[8];
1024 struct {
1025 zval *ps_open;
1026 zval *ps_close;
1027@@ -30,6 +30,8 @@
1028 zval *ps_write;
1029 zval *ps_destroy;
1030 zval *ps_gc;
1031+ zval *ps_create;
1032+ zval *ps_validate;
1033 } name;
1034 } ps_user;
1035
1036diff -Nura php-4.4.2/ext/session/php_session.h hardening-patch-4.4.2-0.4.9/ext/session/php_session.h
1037--- php-4.4.2/ext/session/php_session.h 2006-01-01 14:46:56.000000000 +0100
1038+++ hardening-patch-4.4.2-0.4.9/ext/session/php_session.h 2006-05-02 16:46:34.000000000 +0200
1039@@ -23,7 +23,7 @@
1040
1041 #include "ext/standard/php_var.h"
1042
1043-#define PHP_SESSION_API 20020330
1044+#define PHP_SESSION_API 20051121
1045
1046 #define PS_OPEN_ARGS void **mod_data, const char *save_path, const char *session_name TSRMLS_DC
1047 #define PS_CLOSE_ARGS void **mod_data TSRMLS_DC
1048@@ -32,6 +32,7 @@
1049 #define PS_DESTROY_ARGS void **mod_data, const char *key TSRMLS_DC
1050 #define PS_GC_ARGS void **mod_data, int maxlifetime, int *nrdels TSRMLS_DC
1051 #define PS_CREATE_SID_ARGS void **mod_data, int *newlen TSRMLS_DC
1052+#define PS_VALIDATE_SID_ARGS void **mod_data, const char *key TSRMLS_DC
1053
1054 /* default create id function */
1055 char *php_session_create_id(PS_CREATE_SID_ARGS);
1056@@ -45,6 +46,7 @@
1057 int (*s_destroy)(PS_DESTROY_ARGS);
1058 int (*s_gc)(PS_GC_ARGS);
1059 char *(*s_create_sid)(PS_CREATE_SID_ARGS);
1060+ int (*s_validate_sid)(PS_VALIDATE_SID_ARGS);
1061 } ps_module;
1062
1063 #define PS_GET_MOD_DATA() *mod_data
1064@@ -57,6 +59,7 @@
1065 #define PS_DESTROY_FUNC(x) int ps_delete_##x(PS_DESTROY_ARGS)
1066 #define PS_GC_FUNC(x) int ps_gc_##x(PS_GC_ARGS)
1067 #define PS_CREATE_SID_FUNC(x) char *ps_create_sid_##x(PS_CREATE_SID_ARGS)
1068+#define PS_VALIDATE_SID_FUNC(x) int ps_validate_sid_##x(PS_VALIDATE_SID_ARGS)
1069
1070 #define PS_FUNCS(x) \
1071 PS_OPEN_FUNC(x); \
1072@@ -65,11 +68,12 @@
1073 PS_WRITE_FUNC(x); \
1074 PS_DESTROY_FUNC(x); \
1075 PS_GC_FUNC(x); \
1076- PS_CREATE_SID_FUNC(x)
1077+ PS_CREATE_SID_FUNC(x); \
1078+ PS_VALIDATE_SID_FUNC(x)
1079
1080 #define PS_MOD(x) \
1081 #x, ps_open_##x, ps_close_##x, ps_read_##x, ps_write_##x, \
1082- ps_delete_##x, ps_gc_##x, php_session_create_id
1083+ ps_delete_##x, ps_gc_##x, php_session_create_id, ps_validate_sid_##x
1084
1085 /* SID enabled module handler definitions */
1086 #define PS_FUNCS_SID(x) \
1087@@ -79,11 +83,12 @@
1088 PS_WRITE_FUNC(x); \
1089 PS_DESTROY_FUNC(x); \
1090 PS_GC_FUNC(x); \
1091- PS_CREATE_SID_FUNC(x)
1092+ PS_CREATE_SID_FUNC(x); \
1093+ PS_VALIDATE_SID(x)
1094
1095 #define PS_MOD_SID(x) \
1096 #x, ps_open_##x, ps_close_##x, ps_read_##x, ps_write_##x, \
1097- ps_delete_##x, ps_gc_##x, ps_create_sid_##x
1098+ ps_delete_##x, ps_gc_##x, ps_create_sid_##x, ps_validate_sid_##x
1099
1100 typedef enum {
1101 php_session_disabled,
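Review bot: `PS_VALIDATE_SID(x)` on the new last line of PS_FUNCS_SID does not match the macro the patch defines, which is `PS_VALIDATE_SID_FUNC(x)` (hunk at `@@ -57,6 +59,7 @@`), and nothing in view defines a PS_VALIDATE_SID macro. Any module that expands PS_FUNCS_SID would then fail to compile, while PS_MOD_SID below already expects `ps_validate_sid_##x`; the line should read `PS_VALIDATE_SID_FUNC(x)`.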
1102@@ -120,6 +125,7 @@
1103 zend_bool use_only_cookies;
1104 zend_bool use_trans_sid; /* contains the INI value of whether to use trans-sid */
1105 zend_bool apply_trans_sid; /* whether or not to enable trans-sid for the current request */
1106+ zend_bool use_strict_mode; /* whether or not PHP accepts unknown session ids */
1107 int send_cookie;
1108 int define_sid;
1109 } php_ps_globals;
1110diff -Nura php-4.4.2/ext/session/session.c hardening-patch-4.4.2-0.4.9/ext/session/session.c
1111--- php-4.4.2/ext/session/session.c 2006-01-01 14:46:56.000000000 +0100
1112+++ hardening-patch-4.4.2-0.4.9/ext/session/session.c 2006-05-02 16:48:19.000000000 +0200
1113@@ -17,7 +17,7 @@
1114 +----------------------------------------------------------------------+
1115 */
1116
1117-/* $Id: session.c,v 1.336.2.53.2.4 2006/01/01 13:46:56 sniper Exp $ */
1118+/* $Id: session.c,v 1.336.2.53.2.5 2006/01/15 16:52:10 iliaa Exp $ */
1119
1120 #ifdef HAVE_CONFIG_H
1121 #include "config.h"
1122@@ -155,6 +155,7 @@
1123 STD_PHP_INI_BOOLEAN("session.cookie_secure", "", PHP_INI_ALL, OnUpdateBool, cookie_secure, php_ps_globals, ps_globals)
1124 STD_PHP_INI_BOOLEAN("session.use_cookies", "1", PHP_INI_ALL, OnUpdateBool, use_cookies, php_ps_globals, ps_globals)
1125 STD_PHP_INI_BOOLEAN("session.use_only_cookies", "0", PHP_INI_ALL, OnUpdateBool, use_only_cookies, php_ps_globals, ps_globals)
1126+ STD_PHP_INI_BOOLEAN("session.use_strict_mode", "1", PHP_INI_ALL, OnUpdateBool, use_strict_mode, php_ps_globals, ps_globals)
1127 STD_PHP_INI_ENTRY("session.referer_check", "", PHP_INI_ALL, OnUpdateString, extern_referer_chk, php_ps_globals, ps_globals)
1128 STD_PHP_INI_ENTRY("session.entropy_file", "", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals, ps_globals)
1129 STD_PHP_INI_ENTRY("session.entropy_length", "0", PHP_INI_ALL, OnUpdateInt, entropy_length, php_ps_globals, ps_globals)
1130@@ -626,6 +627,12 @@
1131 char *val;
1132 int vallen;
1133
1134+ /* check session name for invalid characters */
1135+ if (PS(id) && strpbrk(PS(id), "\r\n\t <>'\"\\")) {
1136+ efree(PS(id));
1137+ PS(id) = NULL;
1138+ }
1139+
1140 if (!PS(mod)) {
1141 php_error_docref(NULL TSRMLS_CC, E_ERROR, "No storage module chosen - failed to initialize session.");
1142 return;
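Review bot: The comment on the new block says `check session name`, but the code inspects `PS(id)`, the session identifier; `/* reject a session id that carries control, whitespace or markup characters */` describes what it does. This is a denylist of a few characters rather than a format check; the per-module s_validate_sid call added in the next hunk is what enforces an allowlist, so this block should not be read as the validation step. The enclosing function starts outside the hunk.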
1143@@ -637,6 +644,15 @@
1144 return;
1145 }
1146
1147+ /* If there is an ID, use session module to verify it */
1148+ if (PS(id)) {
1149+ if (PS(mod)->s_validate_sid(&PS(mod_data), PS(id) TSRMLS_CC) == FAILURE) {
1150+ efree(PS(id));
1151+ PS(id) = NULL;
1152+ PS(send_cookie) = 1;
1153+ }
1154+ }
1155+
1156 /* If there is no ID, use session module to create one */
1157 if (!PS(id))
1158 PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);
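Review bot: The new `PS(mod)->s_validate_sid(...)` call runs unconditionally, yet the INI entry `session.use_strict_mode` added in the hunk at `@@ -155,6 +155,7 @@` is not consulted anywhere in this hunk, so the tests' `session.use_strict_mode=0` only has an effect if every module validator checks PS(use_strict_mode) itself, which is not visible here. Gating it once at this call site, `if (PS(id) && PS(use_strict_mode)) {`, keeps the policy in one place and makes the flag meaningful for user handlers too. Setting `PS(send_cookie) = 1` on rejection is right, since the replacement id must reach the client. The enclosing function starts and ends outside the hunk.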
1159@@ -1256,22 +1272,31 @@
1160 }
1161 /* }}} */
1162
1163-/* {{{ proto void session_set_save_handler(string open, string close, string read, string write, string destroy, string gc)
1164+/* {{{ proto void session_set_save_handler(string open, string close, string read, string write, string destroy, string gc[, string create, string validate])
1165 Sets user-level functions */
1166 PHP_FUNCTION(session_set_save_handler)
1167 {
1168- zval **args[6];
1169- int i;
1170+ zval **args[8];
1171+ int i, numargs;
1172 ps_user *mdata;
1173 char *name;
1174
1175+ numargs = ZEND_NUM_ARGS();
1176+ args[6] = NULL;
1177+ args[7] = NULL;
1178+
1179+ if (numargs < 6 || numargs > 8 || zend_get_parameters_array_ex(numargs, args) == FAILURE)
1180+ WRONG_PARAM_COUNT;
1181 if (ZEND_NUM_ARGS() != 6 || zend_get_parameters_array_ex(6, args) == FAILURE)
1182 WRONG_PARAM_COUNT;
1183
1184 if (PS(session_status) != php_session_none)
1185 RETURN_FALSE;
1186
1187- for (i = 0; i < 6; i++) {
1188+ for (i = 0; i < 8; i++) {
1189+ if (i >= 6 && (args[i] == NULL || ZVAL_IS_NULL(*args[i]))) {
1190+ continue;
1191+ }
1192 if (!zend_is_callable(*args[i], 0, &name)) {
1193 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Argument %d is not a valid callback", i+1);
1194 efree(name);
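Review bot: The old argument check survives as a context line directly after the new one: `if (ZEND_NUM_ARGS() != 6 || zend_get_parameters_array_ex(6, args) == FAILURE) WRONG_PARAM_COUNT;` still rejects every call with 7 or 8 arguments, so the new create/validate callbacks can never be registered and the loop's `i >= 6` branch is unreachable. Those two lines should be deleted; the new `numargs` check already covers the 6-argument case and fetching the first six parameters a second time serves no purpose. The function continues past the hunk.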
1195@@ -1284,7 +1309,11 @@
1196
1197 mdata = emalloc(sizeof(*mdata));
1198
1199- for (i = 0; i < 6; i++) {
1200+ for (i = 0; i < 8; i++) {
1201+ if (i >= 6 && (args[i] == NULL || ZVAL_IS_NULL(*args[i]))) {
1202+ mdata->names[i] = NULL;
1203+ continue;
1204+ }
1205 ZVAL_ADDREF(*args[i]);
1206 mdata->names[i] = *args[i];
1207 }
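Review bot: `mdata->names[i] = NULL` for the optional slots means names[6] and names[7] may now be NULL, so every place that walks the names array (the release path when the handlers are replaced or the request ends, and ps_call_handler's callers in mod_user.c) must tolerate a NULL entry; mod_user.c's validate path checks `PSF(validate) == NULL` in this patch, but the teardown loop is not visible here and should be checked before this lands. A one-line comment above the loop, `/* slots 6 and 7 stay NULL when the optional create/validate callbacks are omitted */`, would make the invariant explicit for those readers.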
1208@@ -1345,8 +1374,20 @@
1209 Update the current session id with a newly generated one. */
1210 PHP_FUNCTION(session_regenerate_id)
1211 {
1212+ zend_bool del_ses = 0;
1213+
1214+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|b", &del_ses) == FAILURE) {
1215+ WRONG_PARAM_COUNT;
1216+ }
1217+
1218 if (PS(session_status) == php_session_active) {
1219- if (PS(id)) efree(PS(id));
1220+ if (PS(id)) {
1221+ if (del_ses && PS(mod)->s_destroy(&PS(mod_data), PS(id) TSRMLS_CC) == FAILURE) {
1222+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Session object destruction failed");
1223+ RETURN_FALSE;
1224+ }
1225+ efree(PS(id));
1226+ }
1227
1228 PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);
1229
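Review bot: On the failure path of the new `zend_parse_parameters(... "|b", &del_ses)` call, `WRONG_PARAM_COUNT` produces a second diagnostic: zend_parse_parameters has already raised a warning for the bad argument, so the conventional form here is a bare `return;` (or `RETURN_FALSE;`). The destroy-before-regenerate ordering itself is sound: the old record is dropped only when the caller asks for it, and a failed destroy leaves PS(id) untouched and returns false. The rest of the function is outside the hunk.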
1230diff -Nura php-4.4.2/ext/session/tests/014.phpt hardening-patch-4.4.2-0.4.9/ext/session/tests/014.phpt
1231--- php-4.4.2/ext/session/tests/014.phpt 2002-11-26 00:19:18.000000000 +0100
1232+++ hardening-patch-4.4.2-0.4.9/ext/session/tests/014.phpt 2006-05-02 16:46:34.000000000 +0200
1233@@ -5,6 +5,7 @@
1234 --INI--
1235 session.use_trans_sid=1
1236 session.use_cookies=0
1237+session.use_strict_mode=0
1238 session.cache_limiter=
1239 register_globals=1
1240 session.bug_compat_42=1
1241diff -Nura php-4.4.2/ext/session/tests/015.phpt hardening-patch-4.4.2-0.4.9/ext/session/tests/015.phpt
1242--- php-4.4.2/ext/session/tests/015.phpt 2002-11-26 00:19:19.000000000 +0100
1243+++ hardening-patch-4.4.2-0.4.9/ext/session/tests/015.phpt 2006-05-02 16:46:34.000000000 +0200
1244@@ -5,6 +5,7 @@
1245 --INI--
1246 session.use_trans_sid=1
1247 session.use_cookies=0
1248+session.use_strict_mode=0
1249 session.cache_limiter=
1250 arg_separator.output=&
1251 session.name=PHPSESSID
1252diff -Nura php-4.4.2/ext/session/tests/018.phpt hardening-patch-4.4.2-0.4.9/ext/session/tests/018.phpt
1253--- php-4.4.2/ext/session/tests/018.phpt 2002-11-26 00:19:19.000000000 +0100
1254+++ hardening-patch-4.4.2-0.4.9/ext/session/tests/018.phpt 2006-05-02 16:46:34.000000000 +0200
1255@@ -4,6 +4,7 @@
1256 <?php include('skipif.inc'); ?>
1257 --INI--
1258 session.use_cookies=0
1259+session.use_strict_mode=0
1260 session.cache_limiter=
1261 session.use_trans_sid=1
1262 session.name=PHPSESSID
1263diff -Nura php-4.4.2/ext/session/tests/020.phpt hardening-patch-4.4.2-0.4.9/ext/session/tests/020.phpt
1264--- php-4.4.2/ext/session/tests/020.phpt 2002-11-26 00:19:19.000000000 +0100
1265+++ hardening-patch-4.4.2-0.4.9/ext/session/tests/020.phpt 2006-05-02 16:46:34.000000000 +0200
1266@@ -4,6 +4,7 @@
1267 <?php include('skipif.inc'); ?>
1268 --INI--
1269 session.use_cookies=0
1270+session.use_strict_mode=0
1271 session.cache_limiter=
1272 session.use_trans_sid=1
1273 arg_separator.output=&amp;
1274diff -Nura php-4.4.2/ext/session/tests/021.phpt hardening-patch-4.4.2-0.4.9/ext/session/tests/021.phpt
1275--- php-4.4.2/ext/session/tests/021.phpt 2002-11-26 00:19:19.000000000 +0100
1276+++ hardening-patch-4.4.2-0.4.9/ext/session/tests/021.phpt 2006-05-02 16:46:34.000000000 +0200
1277@@ -4,6 +4,7 @@
1278 <?php include('skipif.inc'); ?>
1279 --INI--
1280 session.use_cookies=0
1281+session.use_strict_mode=0
1282 session.cache_limiter=
1283 session.use_trans_sid=1
1284 url_rewriter.tags="a=href,area=href,frame=src,input=src,form=,fieldset="
1285diff -Nura php-4.4.2/ext/standard/array.c hardening-patch-4.4.2-0.4.9/ext/standard/array.c
1286--- php-4.4.2/ext/standard/array.c 2006-01-01 14:46:57.000000000 +0100
1287+++ hardening-patch-4.4.2-0.4.9/ext/standard/array.c 2006-05-02 16:46:34.000000000 +0200
1288@@ -1162,6 +1162,32 @@
1289 }
1290 }
1291 }
1292+
1293+ if (var_name[0] == 'H') {
1294+ if ((strcmp(var_name, "HTTP_GET_VARS")==0)||
1295+ (strcmp(var_name, "HTTP_POST_VARS")==0)||
1296+ (strcmp(var_name, "HTTP_POST_FILES")==0)||
1297+ (strcmp(var_name, "HTTP_ENV_VARS")==0)||
1298+ (strcmp(var_name, "HTTP_SERVER_VARS")==0)||
1299+ (strcmp(var_name, "HTTP_SESSION_VARS")==0)||
1300+ (strcmp(var_name, "HTTP_COOKIE_VARS")==0)||
1301+ (strcmp(var_name, "HTTP_RAW_POST_DATA")==0)) {
1302+ return 0;
1303+ }
1304+ } else if (var_name[0] == '_') {
1305+ if ((strcmp(var_name, "_COOKIE")==0)||
1306+ (strcmp(var_name, "_ENV")==0)||
1307+ (strcmp(var_name, "_FILES")==0)||
1308+ (strcmp(var_name, "_GET")==0)||
1309+ (strcmp(var_name, "_POST")==0)||
1310+ (strcmp(var_name, "_REQUEST")==0)||
1311+ (strcmp(var_name, "_SESSION")==0)||
1312+ (strcmp(var_name, "_SERVER")==0)) {
1313+ return 0;
1314+ }
1315+ } else if (strcmp(var_name, "GLOBALS")==0) {
1316+ return 0;
1317+ }
1318
1319 return 1;
1320 }
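Review bot: The superglobal denylist added here is duplicated byte-for-byte in ext/standard/basic_functions.c (hunk at `@@ -3050,6 +3088,35 @@`), so the two will drift the first time a name is added to one of them. Keeping the names in one table-driven helper that both call sites use removes the duplication and the repeated strcmp chains; the first-character dispatch can go, since each comparison is already an exact match. The enclosing validator starts outside the hunk; the helper would need a declaration in a header both files include.
```c
/* Variable names that extract() and import_request_variables() must never overwrite. */
static const char *const php_protected_var_names[] = {
	"GLOBALS", "_COOKIE", "_ENV", "_FILES", "_GET", "_POST", "_REQUEST",
	"_SESSION", "_SERVER", "HTTP_GET_VARS", "HTTP_POST_VARS",
	"HTTP_POST_FILES", "HTTP_ENV_VARS", "HTTP_SERVER_VARS",
	"HTTP_SESSION_VARS", "HTTP_COOKIE_VARS", "HTTP_RAW_POST_DATA"
};

/* Returns 1 when var_name is one of the protected names, 0 otherwise. */
int php_is_protected_var_name(const char *var_name)
{
	size_t i;

	for (i = 0; i < sizeof(php_protected_var_names) / sizeof(php_protected_var_names[0]); i++) {
		if (strcmp(var_name, php_protected_var_names[i]) == 0) {
			return 1;
		}
	}
	return 0;
}

/* … unchanged: earlier character checks in the validator … */
	if (php_is_protected_var_name(var_name)) {
		return 0;
	}

	return 1;
}
```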
1321diff -Nura php-4.4.2/ext/standard/basic_functions.c hardening-patch-4.4.2-0.4.9/ext/standard/basic_functions.c
1322--- php-4.4.2/ext/standard/basic_functions.c 2006-01-01 14:46:57.000000000 +0100
1323+++ hardening-patch-4.4.2-0.4.9/ext/standard/basic_functions.c 2006-05-02 16:46:34.000000000 +0200
1324@@ -107,12 +107,14 @@
1325 typedef struct _php_shutdown_function_entry {
1326 zval **arguments;
1327 int arg_count;
1328+ zend_bool created_by_eval;
1329 } php_shutdown_function_entry;
1330
1331 typedef struct _user_tick_function_entry {
1332 zval **arguments;
1333 int arg_count;
1334 int calling;
1335+ zend_bool created_by_eval;
1336 } user_tick_function_entry;
1337
1338 /* some prototypes for local functions */
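Review bot: `created_by_eval` is declared unconditionally in both structs but is only ever assigned inside `#if HARDENING_PATCH` blocks (hunks at `@@ -2216,6 +2240,13 @@` and `@@ -2753,6 +2784,13 @@`), so in a build with HARDENING_PATCH off the field exists but is never written. That is harmless today because it is only read under the same guard, but the asymmetry is easy to break later. Either wrap the two field declarations in the same `#if HARDENING_PATCH`, or initialise them unconditionally at registration, e.g. `shutdown_function_entry.created_by_eval = 0;` before the guarded block.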
1339@@ -295,6 +297,8 @@
1340 PHP_FE(get_html_translation_table, NULL)
1341 PHP_FE(sha1, NULL)
1342 PHP_FE(sha1_file, NULL)
1343+ PHP_FE(sha256, NULL)
1344+ PHP_FE(sha256_file, NULL)
1345 PHP_NAMED_FE(md5,php_if_md5, NULL)
1346 PHP_NAMED_FE(md5_file,php_if_md5_file, NULL)
1347 PHP_NAMED_FE(crc32,php_if_crc32, NULL)
1348@@ -676,7 +680,7 @@
1349 PHP_FALIAS(socket_get_status, stream_get_meta_data, NULL)
1350
1351 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
1352- PHP_FE(realpath, NULL)
1353+ PHP_STATIC_FE("realpath", zif_real_path, NULL)
1354 #endif
1355
1356 #ifdef HAVE_FNMATCH
1357@@ -2096,6 +2100,13 @@
1358 {
1359 zval retval;
1360 char *function_name = NULL;
1361+#if HARDENING_PATCH
1362+ zend_uint orig_code_type = EG(in_code_type);
1363+
1364+ if (shutdown_function_entry->created_by_eval) {
1365+ EG(in_code_type) = ZEND_EVAL_CODE;
1366+ }
1367+#endif
1368
1369 if (!zend_is_callable(shutdown_function_entry->arguments[0], 0, &function_name)) {
1370 php_error(E_WARNING, "(Registered shutdown functions) Unable to call %s() - function does not exist", function_name);
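Review bot: The save/restore of `EG(in_code_type)` around the callback is not bailout-safe: if the user shutdown function hits a fatal error, zend_bailout longjmps past the restore in the hunk at `@@ -2111,6 +2122,9 @@`, and the tick-function pair (`@@ -2118,6 +2132,13 @@` / `@@ -2149,6 +2170,9 @@`) has the same shape. Whether that matters depends on in_code_type being reset when the executor is initialised for the next request, which is not visible here; if it is not, a later request would inherit the ZEND_EVAL_CODE restrictions. Wrapping the call in `zend_try`/`zend_catch` with the restore in both arms, or resetting the field at executor start, closes that gap. The enclosing function continues past the hunk.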
1371@@ -2111,6 +2122,9 @@
1372 if (function_name) {
1373 efree(function_name);
1374 }
1375+#if HARDENING_PATCH
1376+ EG(in_code_type) = orig_code_type;
1377+#endif
1378 return 0;
1379 }
1380
1381@@ -2118,6 +2132,13 @@
1382 {
1383 zval retval;
1384 zval *function = tick_fe->arguments[0];
1385+#if HARDENING_PATCH
1386+ zend_uint orig_code_type = EG(in_code_type);
1387+
1388+ if (tick_fe->created_by_eval) {
1389+ EG(in_code_type) = ZEND_EVAL_CODE;
1390+ }
1391+#endif
1392
1393 /* Prevent reentrant calls to the same user ticks function */
1394 if (! tick_fe->calling) {
1395@@ -2149,6 +2170,9 @@
1396
1397 tick_fe->calling = 0;
1398 }
1399+#if HARDENING_PATCH
1400+ EG(in_code_type) = orig_code_type;
1401+#endif
1402 }
1403
1404 static void run_user_tick_functions(int tick_count)
1405@@ -2216,6 +2240,13 @@
1406 if (zend_get_parameters_array(ht, shutdown_function_entry.arg_count, shutdown_function_entry.arguments) == FAILURE) {
1407 RETURN_FALSE;
1408 }
1409+#if HARDENING_PATCH
1410+ if (EG(in_code_type)==ZEND_EVAL_CODE) {
1411+ shutdown_function_entry.created_by_eval = 1;
1412+ } else {
1413+ shutdown_function_entry.created_by_eval = 0;
1414+ }
1415+#endif
1416
1417 /* Prevent entering of anything but valid callback (syntax check only!) */
1418 if (!zend_is_callable(shutdown_function_entry.arguments[0], 1, &function_name)) {
1419@@ -2753,6 +2784,13 @@
1420 }
1421
1422 tick_fe.arguments = (zval **) safe_emalloc(sizeof(zval *), tick_fe.arg_count, 0);
1423+#if HARDENING_PATCH
1424+ if (EG(in_code_type)==ZEND_EVAL_CODE) {
1425+ tick_fe.created_by_eval = 1;
1426+ } else {
1427+ tick_fe.created_by_eval = 0;
1428+ }
1429+#endif
1430
1431 if (zend_get_parameters_array(ht, tick_fe.arg_count, tick_fe.arguments) == FAILURE) {
1432 RETURN_FALSE;
1433@@ -3050,6 +3088,35 @@
1434 new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h);
1435 }
1436
1437+ if (new_key[0] == 'H') {
1438+ if ((strcmp(new_key, "HTTP_GET_VARS")==0)||
1439+ (strcmp(new_key, "HTTP_POST_VARS")==0)||
1440+ (strcmp(new_key, "HTTP_POST_FILES")==0)||
1441+ (strcmp(new_key, "HTTP_ENV_VARS")==0)||
1442+ (strcmp(new_key, "HTTP_SERVER_VARS")==0)||
1443+ (strcmp(new_key, "HTTP_SESSION_VARS")==0)||
1444+ (strcmp(new_key, "HTTP_COOKIE_VARS")==0)||
1445+ (strcmp(new_key, "HTTP_RAW_POST_DATA")==0)) {
1446+ efree(new_key);
1447+ return 0;
1448+ }
1449+ } else if (new_key[0] == '_') {
1450+ if ((strcmp(new_key, "_COOKIE")==0)||
1451+ (strcmp(new_key, "_ENV")==0)||
1452+ (strcmp(new_key, "_FILES")==0)||
1453+ (strcmp(new_key, "_GET")==0)||
1454+ (strcmp(new_key, "_POST")==0)||
1455+ (strcmp(new_key, "_REQUEST")==0)||
1456+ (strcmp(new_key, "_SESSION")==0)||
1457+ (strcmp(new_key, "_SERVER")==0)) {
1458+ efree(new_key);
1459+ return 0;
1460+ }
1461+ } else if (strcmp(new_key, "GLOBALS")==0) {
1462+ efree(new_key);
1463+ return 0;
1464+ }
1465+
1466 zend_hash_del(&EG(symbol_table), new_key, new_key_len);
1467 ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0);
1468
1469diff -Nura php-4.4.2/ext/standard/config.m4 hardening-patch-4.4.2-0.4.9/ext/standard/config.m4
1470--- php-4.4.2/ext/standard/config.m4 2004-12-30 08:02:18.000000000 +0100
1471+++ hardening-patch-4.4.2-0.4.9/ext/standard/config.m4 2006-05-02 16:46:34.000000000 +0200
1472@@ -203,7 +203,7 @@
1473 if test "$ac_cv_crypt_blowfish" = "yes"; then
1474 ac_result=1
1475 else
1476- ac_result=0
1477+ ac_result=1
1478 fi
1479 AC_DEFINE_UNQUOTED(PHP_BLOWFISH_CRYPT, $ac_result, [Whether the system supports BlowFish salt])
1480 ])
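Review bot: After this change both branches of `if test "$ac_cv_crypt_blowfish" = "yes"` assign `ac_result=1`, so the conditional is dead and PHP_BLOWFISH_CRYPT is unconditionally 1; presumably that is intended because the patch bundles crypt_blowfish.c (added to the sources in the next hunk), but a reader will take it for a typo. Replace the if/else with a single `ac_result=1` preceded by `dnl crypt_blowfish.c is bundled, so Blowfish salts are always available`, or keep the system test only as an informational message.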
1481@@ -419,6 +419,6 @@
1482 url_scanner.c var.c versioning.c assert.c strnatcmp.c levenshtein.c \
1483 incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
1484 http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
1485- var_unserializer.c ftok.c aggregation.c sha1.c )
1486+ var_unserializer.c ftok.c aggregation.c sha1.c sha256.c crypt_blowfish.c )
1487
1488 PHP_ADD_MAKEFILE_FRAGMENT
1489diff -Nura php-4.4.2/ext/standard/crypt_blowfish.c hardening-patch-4.4.2-0.4.9/ext/standard/crypt_blowfish.c
1490--- php-4.4.2/ext/standard/crypt_blowfish.c 1970-01-01 01:00:00.000000000 +0100
1491+++ hardening-patch-4.4.2-0.4.9/ext/standard/crypt_blowfish.c 2006-05-02 16:46:34.000000000 +0200
1492@@ -0,0 +1,748 @@
1493+/*
1494+ * This code comes from John the Ripper password cracker, with reentrant
1495+ * and crypt(3) interfaces added, but optimizations specific to password
1496+ * cracking removed.
1497+ *
1498+ * Written by Solar Designer <solar at openwall.com> in 1998-2002 and
1499+ * placed in the public domain.
1500+ *
1501+ * There's absolutely no warranty.
1502+ *
1503+ * It is my intent that you should be able to use this on your system,
1504+ * as a part of a software package, or anywhere else to improve security,
1505+ * ensure compatibility, or for any other purpose. I would appreciate
1506+ * it if you give credit where it is due and keep your modifications in
1507+ * the public domain as well, but I don't require that in order to let
1508+ * you place this code and any modifications you make under a license
1509+ * of your choice.
1510+ *
1511+ * This implementation is compatible with OpenBSD bcrypt.c (version 2a)
1512+ * by Niels Provos <provos at citi.umich.edu>, and uses some of his
1513+ * ideas. The password hashing algorithm was designed by David Mazieres
1514+ * <dm at lcs.mit.edu>.
1515+ *
1516+ * There's a paper on the algorithm that explains its design decisions:
1517+ *
1518+ * http://www.usenix.org/events/usenix99/provos.html
1519+ *
1520+ * Some of the tricks in BF_ROUND might be inspired by Eric Young's
1521+ * Blowfish library (I can't be sure if I would think of something if I
1522+ * hadn't seen his code).
1523+ */
1524+
1525+#include <string.h>
1526+
1527+#include <errno.h>
1528+#ifndef __set_errno
1529+#define __set_errno(val) errno = (val)
1530+#endif
1531+
1532+#undef __CONST
1533+#ifdef __GNUC__
1534+#define __CONST __const
1535+#else
1536+#define __CONST
1537+#endif
1538+
1539+#ifdef __i386__
1540+#define BF_ASM 0
1541+#define BF_SCALE 1
1542+#elif defined(__alpha__) || defined(__hppa__)
1543+#define BF_ASM 0
1544+#define BF_SCALE 1
1545+#else
1546+#define BF_ASM 0
1547+#define BF_SCALE 0
1548+#endif
1549+
1550+typedef unsigned int BF_word;
1551+
1552+/* Number of Blowfish rounds, this is also hardcoded into a few places */
1553+#define BF_N 16
1554+
1555+typedef BF_word BF_key[BF_N + 2];
1556+
1557+typedef struct {
1558+ BF_word S[4][0x100];
1559+ BF_key P;
1560+} BF_ctx;
1561+
1562+/*
1563+ * Magic IV for 64 Blowfish encryptions that we do at the end.
1564+ * The string is "OrpheanBeholderScryDoubt" on big-endian.
1565+ */
1566+static BF_word BF_magic_w[6] = {
1567+ 0x4F727068, 0x65616E42, 0x65686F6C,
1568+ 0x64657253, 0x63727944, 0x6F756274
1569+};
1570+
1571+/*
1572+ * P-box and S-box tables initialized with digits of Pi.
1573+ */
1574+static BF_ctx BF_init_state = {
1575+ {
1576+ {
1577+ 0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7,
1578+ 0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99,
1579+ 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16,
1580+ 0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e,
1581+ 0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee,
1582+ 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013,
1583+ 0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef,
1584+ 0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e,
1585+ 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60,
1586+ 0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440,
1587+ 0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce,
1588+ 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a,
1589+ 0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e,
1590+ 0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677,
1591+ 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193,
1592+ 0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032,
1593+ 0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88,
1594+ 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239,
1595+ 0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e,
1596+ 0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0,
1597+ 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3,
1598+ 0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98,
1599+ 0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88,
1600+ 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe,
1601+ 0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6,
1602+ 0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d,
1603+ 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b,
1604+ 0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7,
1605+ 0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba,
1606+ 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463,
1607+ 0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f,
1608+ 0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09,
1609+ 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3,
1610+ 0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb,
1611+ 0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279,
1612+ 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8,
1613+ 0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab,
1614+ 0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82,
1615+ 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db,
1616+ 0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573,
1617+ 0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0,
1618+ 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b,
1619+ 0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790,
1620+ 0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8,
1621+ 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4,
1622+ 0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0,
1623+ 0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7,
1624+ 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c,
1625+ 0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad,
1626+ 0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1,
1627+ 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299,
1628+ 0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9,
1629+ 0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477,
1630+ 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf,
1631+ 0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49,
1632+ 0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af,
1633+ 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa,
1634+ 0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5,
1635+ 0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41,
1636+ 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915,
1637+ 0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400,
1638+ 0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915,
1639+ 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664,
1640+ 0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a
1641+ }, {
1642+ 0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623,
1643+ 0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266,
1644+ 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1,
1645+ 0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e,
1646+ 0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6,
1647+ 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1,
1648+ 0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e,
1649+ 0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1,
1650+ 0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737,
1651+ 0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8,
1652+ 0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff,
1653+ 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd,
1654+ 0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701,
1655+ 0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7,
1656+ 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41,
1657+ 0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331,
1658+ 0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf,
1659+ 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af,
1660+ 0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e,
1661+ 0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87,
1662+ 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c,
1663+ 0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2,
1664+ 0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16,
1665+ 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd,
1666+ 0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b,
1667+ 0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509,
1668+ 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e,
1669+ 0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3,
1670+ 0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f,
1671+ 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a,
1672+ 0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4,
1673+ 0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960,
1674+ 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66,
1675+ 0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28,
1676+ 0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802,
1677+ 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84,
1678+ 0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510,
1679+ 0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf,
1680+ 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14,
1681+ 0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e,
1682+ 0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50,
1683+ 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7,
1684+ 0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8,
1685+ 0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281,
1686+ 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99,
1687+ 0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696,
1688+ 0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128,
1689+ 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73,
1690+ 0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0,
1691+ 0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0,
1692+ 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105,
1693+ 0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250,
1694+ 0xcf62a1f2, 0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3,
1695+ 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285,
1696+ 0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00,
1697+ 0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061,
1698+ 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb,
1699+ 0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e,
1700+ 0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735,
1701+ 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc,
1702+ 0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9,
1703+ 0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340,
1704+ 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20,
1705+ 0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7
1706+ }, {
1707+ 0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934,
1708+ 0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068,
1709+ 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af,
1710+ 0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840,
1711+ 0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45,
1712+ 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504,
1713+ 0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a,
1714+ 0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb,
1715+ 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee,
1716+ 0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6,
1717+ 0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42,
1718+ 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b,
1719+ 0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2,
1720+ 0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb,
1721+ 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527,
1722+ 0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b,
1723+ 0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33,
1724+ 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c,
1725+ 0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3,
1726+ 0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc,
1727+ 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17,
1728+ 0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564,
1729+ 0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b,
1730+ 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115,
1731+ 0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922,
1732+ 0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728,
1733+ 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0,
1734+ 0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e,
1735+ 0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37,
1736+ 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d,
1737+ 0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804,
1738+ 0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b,
1739+ 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3,
1740+ 0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb,
1741+ 0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d,
1742+ 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c,
1743+ 0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350,
1744+ 0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9,
1745+ 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a,
1746+ 0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe,
1747+ 0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d,
1748+ 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc,
1749+ 0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f,
1750+ 0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61,
1751+ 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2,
1752+ 0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9,
1753+ 0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2,
1754+ 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c,
1755+ 0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e,
1756+ 0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633,
1757+ 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10,
1758+ 0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169,
1759+ 0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52,
1760+ 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027,
1761+ 0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5,
1762+ 0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62,
1763+ 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634,
1764+ 0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76,
1765+ 0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24,
1766+ 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc,
1767+ 0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4,
1768+ 0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c,
1769+ 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837,
1770+ 0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0
1771+ }, {
1772+ 0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b,
1773+ 0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe,
1774+ 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b,
1775+ 0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4,
1776+ 0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8,
1777+ 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6,
1778+ 0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304,
1779+ 0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22,
1780+ 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4,
1781+ 0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6,
1782+ 0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9,
1783+ 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59,
1784+ 0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593,
1785+ 0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51,
1786+ 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28,
1787+ 0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c,
1788+ 0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b,
1789+ 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28,
1790+ 0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c,
1791+ 0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd,
1792+ 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a,
1793+ 0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319,
1794+ 0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb,
1795+ 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f,
1796+ 0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991,
1797+ 0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32,
1798+ 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680,
1799+ 0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166,
1800+ 0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae,
1801+ 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb,
1802+ 0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5,
1803+ 0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47,
1804+ 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370,
1805+ 0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d,
1806+ 0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84,
1807+ 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048,
1808+ 0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8,
1809+ 0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd,
1810+ 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9,
1811+ 0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7,
1812+ 0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38,
1813+ 0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f,
1814+ 0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c,
1815+ 0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 0x9b941525,
1816+ 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1,
1817+ 0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442,
1818+ 0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964,
1819+ 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e,
1820+ 0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8,
1821+ 0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d,
1822+ 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f,
1823+ 0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299,
1824+ 0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02,
1825+ 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc,
1826+ 0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614,
1827+ 0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a,
1828+ 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6,
1829+ 0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b,
1830+ 0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0,
1831+ 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060,
1832+ 0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e,
1833+ 0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9,
1834+ 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f,
1835+ 0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6
1836+ }
1837+ }, {
1838+ 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344,
1839+ 0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89,
1840+ 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c,
1841+ 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917,
1842+ 0x9216d5d9, 0x8979fb1b
1843+ }
1844+};
1845+
1846+static unsigned char BF_itoa64[64 + 1] =
1847+ "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
1848+
1849+static unsigned char BF_atoi64[0x60] = {
1850+ 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 0, 1,
1851+ 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 64, 64, 64, 64, 64,
1852+ 64, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
1853+ 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 64, 64, 64, 64, 64,
1854+ 64, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42,
1855+ 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 64, 64, 64, 64, 64
1856+};
1857+
1858+/*
1859+ * This may be optimized out if built with function inlining and no BF_ASM.
1860+ */
1861+static void clean(void *data, int size)
1862+{
1863+#if BF_ASM
1864+ extern void _BF_clean(void *data);
1865+#endif
1866+ memset(data, 0, size);
1867+#if BF_ASM
1868+ _BF_clean(data);
1869+#endif
1870+}
1871+
1872+#define BF_safe_atoi64(dst, src) \
1873+{ \
1874+ tmp = (unsigned char)(src); \
1875+ if (tmp == '$') break; \
1876+ if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \
1877+ tmp = BF_atoi64[tmp]; \
1878+ if (tmp > 63) return -1; \
1879+ (dst) = tmp; \
1880+}
1881+
1882+static int BF_decode(BF_word *dst, __CONST char *src, int size)
1883+{
1884+ unsigned char *dptr = (unsigned char *)dst;
1885+ unsigned char *end = dptr + size;
1886+ unsigned char *sptr = (unsigned char *)src;
1887+ unsigned int tmp, c1, c2, c3, c4;
1888+
1889+ do {
1890+ BF_safe_atoi64(c1, *sptr++);
1891+ BF_safe_atoi64(c2, *sptr++);
1892+ *dptr++ = (c1 << 2) | ((c2 & 0x30) >> 4);
1893+ if (dptr >= end) break;
1894+
1895+ BF_safe_atoi64(c3, *sptr++);
1896+ *dptr++ = ((c2 & 0x0F) << 4) | ((c3 & 0x3C) >> 2);
1897+ if (dptr >= end) break;
1898+
1899+ BF_safe_atoi64(c4, *sptr++);
1900+ *dptr++ = ((c3 & 0x03) << 6) | c4;
1901+ } while (dptr < end);
1902+
1903+ while (dptr < end)
1904+ *dptr++ = 0;
1905+
1906+ return 0;
1907+}
1908+
1909+static void BF_encode(char *dst, __CONST BF_word *src, int size)
1910+{
1911+ unsigned char *sptr = (unsigned char *)src;
1912+ unsigned char *end = sptr + size;
1913+ unsigned char *dptr = (unsigned char *)dst;
1914+ unsigned int c1, c2;
1915+
1916+ do {
1917+ c1 = *sptr++;
1918+ *dptr++ = BF_itoa64[c1 >> 2];
1919+ c1 = (c1 & 0x03) << 4;
1920+ if (sptr >= end) {
1921+ *dptr++ = BF_itoa64[c1];
1922+ break;
1923+ }
1924+
1925+ c2 = *sptr++;
1926+ c1 |= c2 >> 4;
1927+ *dptr++ = BF_itoa64[c1];
1928+ c1 = (c2 & 0x0f) << 2;
1929+ if (sptr >= end) {
1930+ *dptr++ = BF_itoa64[c1];
1931+ break;
1932+ }
1933+
1934+ c2 = *sptr++;
1935+ c1 |= c2 >> 6;
1936+ *dptr++ = BF_itoa64[c1];
1937+ *dptr++ = BF_itoa64[c2 & 0x3f];
1938+ } while (sptr < end);
1939+}
1940+
1941+static void BF_swap(BF_word *x, int count)
1942+{
1943+ static int endianness_check = 1;
1944+ char *is_little_endian = (char *)&endianness_check;
1945+ BF_word tmp;
1946+
1947+ if (*is_little_endian)
1948+ do {
1949+ tmp = *x;
1950+ tmp = (tmp << 16) | (tmp >> 16);
1951+ *x++ = ((tmp & 0x00FF00FF) << 8) | ((tmp >> 8) & 0x00FF00FF);
1952+ } while (--count);
1953+}
1954+
1955+#if BF_SCALE
1956+/* Architectures which can shift addresses left by 2 bits with no extra cost */
1957+#define BF_ROUND(L, R, N) \
1958+ tmp1 = L & 0xFF; \
1959+ tmp2 = L >> 8; \
1960+ tmp2 &= 0xFF; \
1961+ tmp3 = L >> 16; \
1962+ tmp3 &= 0xFF; \
1963+ tmp4 = L >> 24; \
1964+ tmp1 = data.ctx.S[3][tmp1]; \
1965+ tmp2 = data.ctx.S[2][tmp2]; \
1966+ tmp3 = data.ctx.S[1][tmp3]; \
1967+ tmp3 += data.ctx.S[0][tmp4]; \
1968+ tmp3 ^= tmp2; \
1969+ R ^= data.ctx.P[N + 1]; \
1970+ tmp3 += tmp1; \
1971+ R ^= tmp3;
1972+#else
1973+/* Architectures with no complicated addressing modes supported */
1974+#define BF_INDEX(S, i) \
1975+ (*((BF_word *)(((unsigned char *)S) + (i))))
1976+#define BF_ROUND(L, R, N) \
1977+ tmp1 = L & 0xFF; \
1978+ tmp1 <<= 2; \
1979+ tmp2 = L >> 6; \
1980+ tmp2 &= 0x3FC; \
1981+ tmp3 = L >> 14; \
1982+ tmp3 &= 0x3FC; \
1983+ tmp4 = L >> 22; \
1984+ tmp4 &= 0x3FC; \
1985+ tmp1 = BF_INDEX(data.ctx.S[3], tmp1); \
1986+ tmp2 = BF_INDEX(data.ctx.S[2], tmp2); \
1987+ tmp3 = BF_INDEX(data.ctx.S[1], tmp3); \
1988+ tmp3 += BF_INDEX(data.ctx.S[0], tmp4); \
1989+ tmp3 ^= tmp2; \
1990+ R ^= data.ctx.P[N + 1]; \
1991+ tmp3 += tmp1; \
1992+ R ^= tmp3;
1993+#endif
1994+
1995+/*
1996+ * Encrypt one block, BF_N is hardcoded here.
1997+ */
1998+#define BF_ENCRYPT \
1999+ L ^= data.ctx.P[0]; \
2000+ BF_ROUND(L, R, 0); \
2001+ BF_ROUND(R, L, 1); \
2002+ BF_ROUND(L, R, 2); \
2003+ BF_ROUND(R, L, 3); \
2004+ BF_ROUND(L, R, 4); \
2005+ BF_ROUND(R, L, 5); \
2006+ BF_ROUND(L, R, 6); \
2007+ BF_ROUND(R, L, 7); \
2008+ BF_ROUND(L, R, 8); \
2009+ BF_ROUND(R, L, 9); \
2010+ BF_ROUND(L, R, 10); \
2011+ BF_ROUND(R, L, 11); \
2012+ BF_ROUND(L, R, 12); \
2013+ BF_ROUND(R, L, 13); \
2014+ BF_ROUND(L, R, 14); \
2015+ BF_ROUND(R, L, 15); \
2016+ tmp4 = R; \
2017+ R = L; \
2018+ L = tmp4 ^ data.ctx.P[BF_N + 1];
2019+
2020+#if BF_ASM
2021+#define BF_body() \
2022+ _BF_body_r(&data.ctx);
2023+#else
2024+#define BF_body() \
2025+ L = R = 0; \
2026+ ptr = data.ctx.P; \
2027+ do { \
2028+ ptr += 2; \
2029+ BF_ENCRYPT; \
2030+ *(ptr - 2) = L; \
2031+ *(ptr - 1) = R; \
2032+ } while (ptr < &data.ctx.P[BF_N + 2]); \
2033+\
2034+ ptr = data.ctx.S[0]; \
2035+ do { \
2036+ ptr += 2; \
2037+ BF_ENCRYPT; \
2038+ *(ptr - 2) = L; \
2039+ *(ptr - 1) = R; \
2040+ } while (ptr < &data.ctx.S[3][0xFF]);
2041+#endif
2042+
2043+static void BF_set_key(__CONST char *key, BF_key expanded, BF_key initial)
2044+{
2045+ __CONST char *ptr = key;
2046+ int i, j;
2047+ BF_word tmp;
2048+
2049+ for (i = 0; i < BF_N + 2; i++) {
2050+ tmp = 0;
2051+ for (j = 0; j < 4; j++) {
2052+ tmp <<= 8;
2053+ tmp |= *ptr;
2054+
2055+ if (!*ptr) ptr = key; else ptr++;
2056+ }
2057+
2058+ expanded[i] = tmp;
2059+ initial[i] = BF_init_state.P[i] ^ tmp;
2060+ }
2061+}
2062+
2063+char *_crypt_blowfish_rn(__CONST char *key, __CONST char *setting,
2064+ char *output, int size)
2065+{
2066+#if BF_ASM
2067+ extern void _BF_body_r(BF_ctx *ctx);
2068+#endif
2069+ struct {
2070+ BF_ctx ctx;
2071+ BF_key expanded_key;
2072+ union {
2073+ BF_word salt[4];
2074+ BF_word output[6];
2075+ } binary;
2076+ } data;
2077+ BF_word L, R;
2078+ BF_word tmp1, tmp2, tmp3, tmp4;
2079+ BF_word *ptr;
2080+ BF_word count;
2081+ int i;
2082+
2083+ if (size < 7 + 22 + 31 + 1) {
2084+ __set_errno(ERANGE);
2085+ return NULL;
2086+ }
2087+
2088+ if (setting[0] != '$' ||
2089+ setting[1] != '2' ||
2090+ setting[2] != 'a' ||
2091+ setting[3] != '$' ||
2092+ setting[4] < '0' || setting[4] > '3' ||
2093+ setting[5] < '0' || setting[5] > '9' ||
2094+ setting[6] != '$') {
2095+ __set_errno(EINVAL);
2096+ return NULL;
2097+ }
2098+
2099+ count = (BF_word)1 << ((setting[4] - '0') * 10 + (setting[5] - '0'));
2100+ if (count < 16 || BF_decode(data.binary.salt, &setting[7], 16)) {
2101+ clean(data.binary.salt, sizeof(data.binary.salt));
2102+ __set_errno(EINVAL);
2103+ return NULL;
2104+ }
2105+
2106+ BF_swap(data.binary.salt, 4);
2107+
2108+ BF_set_key(key, data.expanded_key, data.ctx.P);
2109+
2110+ memcpy(data.ctx.S, BF_init_state.S, sizeof(data.ctx.S));
2111+
2112+ L = R = 0;
2113+ for (i = 0; i < BF_N + 2; i += 2) {
2114+ L ^= data.binary.salt[i & 2];
2115+ R ^= data.binary.salt[(i & 2) + 1];
2116+ BF_ENCRYPT;
2117+ data.ctx.P[i] = L;
2118+ data.ctx.P[i + 1] = R;
2119+ }
2120+
2121+ ptr = data.ctx.S[0];
2122+ do {
2123+ ptr += 4;
2124+ L ^= data.binary.salt[(BF_N + 2) & 3];
2125+ R ^= data.binary.salt[(BF_N + 3) & 3];
2126+ BF_ENCRYPT;
2127+ *(ptr - 4) = L;
2128+ *(ptr - 3) = R;
2129+
2130+ L ^= data.binary.salt[(BF_N + 4) & 3];
2131+ R ^= data.binary.salt[(BF_N + 5) & 3];
2132+ BF_ENCRYPT;
2133+ *(ptr - 2) = L;
2134+ *(ptr - 1) = R;
2135+ } while (ptr < &data.ctx.S[3][0xFF]);
2136+
2137+ do {
2138+ data.ctx.P[0] ^= data.expanded_key[0];
2139+ data.ctx.P[1] ^= data.expanded_key[1];
2140+ data.ctx.P[2] ^= data.expanded_key[2];
2141+ data.ctx.P[3] ^= data.expanded_key[3];
2142+ data.ctx.P[4] ^= data.expanded_key[4];
2143+ data.ctx.P[5] ^= data.expanded_key[5];
2144+ data.ctx.P[6] ^= data.expanded_key[6];
2145+ data.ctx.P[7] ^= data.expanded_key[7];
2146+ data.ctx.P[8] ^= data.expanded_key[8];
2147+ data.ctx.P[9] ^= data.expanded_key[9];
2148+ data.ctx.P[10] ^= data.expanded_key[10];
2149+ data.ctx.P[11] ^= data.expanded_key[11];
2150+ data.ctx.P[12] ^= data.expanded_key[12];
2151+ data.ctx.P[13] ^= data.expanded_key[13];
2152+ data.ctx.P[14] ^= data.expanded_key[14];
2153+ data.ctx.P[15] ^= data.expanded_key[15];
2154+ data.ctx.P[16] ^= data.expanded_key[16];
2155+ data.ctx.P[17] ^= data.expanded_key[17];
2156+
2157+ BF_body();
2158+
2159+ tmp1 = data.binary.salt[0];
2160+ tmp2 = data.binary.salt[1];
2161+ tmp3 = data.binary.salt[2];
2162+ tmp4 = data.binary.salt[3];
2163+ data.ctx.P[0] ^= tmp1;
2164+ data.ctx.P[1] ^= tmp2;
2165+ data.ctx.P[2] ^= tmp3;
2166+ data.ctx.P[3] ^= tmp4;
2167+ data.ctx.P[4] ^= tmp1;
2168+ data.ctx.P[5] ^= tmp2;
2169+ data.ctx.P[6] ^= tmp3;
2170+ data.ctx.P[7] ^= tmp4;
2171+ data.ctx.P[8] ^= tmp1;
2172+ data.ctx.P[9] ^= tmp2;
2173+ data.ctx.P[10] ^= tmp3;
2174+ data.ctx.P[11] ^= tmp4;
2175+ data.ctx.P[12] ^= tmp1;
2176+ data.ctx.P[13] ^= tmp2;
2177+ data.ctx.P[14] ^= tmp3;
2178+ data.ctx.P[15] ^= tmp4;
2179+ data.ctx.P[16] ^= tmp1;
2180+ data.ctx.P[17] ^= tmp2;
2181+
2182+ BF_body();
2183+ } while (--count);
2184+
2185+ for (i = 0; i < 6; i += 2) {
2186+ L = BF_magic_w[i];
2187+ R = BF_magic_w[i + 1];
2188+
2189+ count = 64;
2190+ do {
2191+ BF_ENCRYPT;
2192+ } while (--count);
2193+
2194+ data.binary.output[i] = L;
2195+ data.binary.output[i + 1] = R;
2196+ }
2197+
2198+ memcpy(output, setting, 7 + 22 - 1);
2199+ output[7 + 22 - 1] = BF_itoa64[(int)
2200+ BF_atoi64[(int)setting[7 + 22 - 1] - 0x20] & 0x30];
2201+
2202+/* This has to be bug-compatible with the original implementation, so
2203+ * only encode 23 of the 24 bytes. :-) */
2204+ BF_swap(data.binary.output, 6);
2205+ BF_encode(&output[7 + 22], data.binary.output, 23);
2206+ output[7 + 22 + 31] = '\0';
2207+
2208+/* Overwrite the most obvious sensitive data we have on the stack. Note
2209+ * that this does not guarantee there's no sensitive data left on the
2210+ * stack and/or in registers; I'm not aware of portable code that does. */
2211+ clean(&data, sizeof(data));
2212+
2213+ return output;
2214+}
2215+
2216+char *_crypt_gensalt_blowfish_rn(unsigned long count,
2217+ __CONST char *input, int size, char *output, int output_size)
2218+{
2219+ if (size < 16 || output_size < 7 + 22 + 1 ||
2220+ (count && (count < 4 || count > 31))) {
2221+ if (output_size > 0) output[0] = '\0';
2222+ __set_errno((output_size < 7 + 22 + 1) ? ERANGE : EINVAL);
2223+ return NULL;
2224+ }
2225+
2226+ if (!count) count = 5;
2227+
2228+ output[0] = '$';
2229+ output[1] = '2';
2230+ output[2] = 'a';
2231+ output[3] = '$';
2232+ output[4] = '0' + count / 10;
2233+ output[5] = '0' + count % 10;
2234+ output[6] = '$';
2235+
2236+ BF_encode(&output[7], (BF_word *)input, 16);
2237+ output[7 + 22] = '\0';
2238+
2239+ return output;
2240+}
2241diff -Nura php-4.4.2/ext/standard/crypt.c hardening-patch-4.4.2-0.4.9/ext/standard/crypt.c
2242--- php-4.4.2/ext/standard/crypt.c 2006-01-01 14:46:57.000000000 +0100
2243+++ hardening-patch-4.4.2-0.4.9/ext/standard/crypt.c 2006-05-02 16:46:34.000000000 +0200
2244@@ -100,6 +100,8 @@
2245 return SUCCESS;
2246 }
2247
2248+char *_crypt_blowfish_rn(char *key, char *setting, char *output, int size);
2249+char *_crypt_gensalt_blowfish_rn(unsigned long count, char *input, int size, char *output, int output_size);
2250
2251 static unsigned char itoa64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
2252
2253@@ -135,7 +137,14 @@
2254
2255 /* The automatic salt generation only covers standard DES and md5-crypt */
2256 if(!*salt) {
2257-#if PHP_MD5_CRYPT
2258+#if PHP_BLOWFISH_CRYPT
2259+ char randat[16];
2260+ int i;
2261+
2262+ for (i=0; i<16; i++) randat[i] = PHP_CRYPT_RAND;
2263+
2264+ _crypt_gensalt_blowfish_rn(5, randat, sizeof(randat), salt, sizeof(salt));
2265+#elif PHP_MD5_CRYPT
2266 strcpy(salt, "$1$");
2267 php_to64(&salt[3], PHP_CRYPT_RAND, 4);
2268 php_to64(&salt[7], PHP_CRYPT_RAND, 4);
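Review bot: The blowfish salt is filled byte-by-byte from `PHP_CRYPT_RAND`, which in the stock file appears to be the library PRNG rather than a cryptographically strong source, and only the low byte of each value is kept. A bcrypt salt should be drawn from the OS entropy source where one is available (`/dev/urandom` or the platform equivalent), falling back to `PHP_CRYPT_RAND` only when that fails; otherwise the salts are as predictable as the PRNG seed. The context comment above this block, "The automatic salt generation only covers standard DES and md5-crypt", is now stale and should mention blowfish, and the hard-coded cost `5` in the `_crypt_gensalt_blowfish_rn` call would be clearer as a named constant such as `#define PHP_BLOWFISH_DEFAULT_COST 5`.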
2269@@ -145,8 +154,24 @@
2270 salt[2] = '\0';
2271 #endif
2272 }
2273-
2274- RETVAL_STRING(crypt(str, salt), 1);
2275+
2276+ if (salt[0] == '$' &&
2277+ salt[1] == '2' &&
2278+ salt[2] == 'a' &&
2279+ salt[3] == '$' &&
2280+ salt[4] >= '0' && salt[4] <= '3' &&
2281+ salt[5] >= '0' && salt[5] <= '9' &&
2282+ salt[6] == '$') {
2283+
2284+ char output[PHP_MAX_SALT_LEN+1];
2285+
2286+ output[0] = 0;
2287+ _crypt_blowfish_rn(str, salt, output, sizeof(output));
2288+ RETVAL_STRING(output, 1);
2289+
2290+ } else {
2291+ RETVAL_STRING(crypt(str, salt), 1);
2292+ }
2293 }
2294 /* }}} */
2295 #endif
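Review bot: The return value of `_crypt_blowfish_rn` is ignored, so when it fails (malformed salt, a cost that decodes to fewer than 16 rounds, or `size` below its `7 + 22 + 31 + 1` minimum) `output` is still the empty string set just above and `crypt()` returns `""` instead of signalling an error. Check it explicitly: `if (!_crypt_blowfish_rn(str, salt, output, sizeof(output))) { RETURN_FALSE; }`. An empty-string result is a poor failure mode for callers that compare `crypt($pw, $stored) == $stored`, because an empty stored value would then compare equal. Whether `sizeof(output)` meets the 61-byte minimum depends on `PHP_MAX_SALT_LEN` being at least 60 when blowfish is enabled, which is not visible here; a comment next to the `output` declaration stating that requirement would help the next maintainer.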
2296diff -Nura php-4.4.2/ext/standard/dl.c hardening-patch-4.4.2-0.4.9/ext/standard/dl.c
2297--- php-4.4.2/ext/standard/dl.c 2006-01-01 14:46:57.000000000 +0100
2298+++ hardening-patch-4.4.2-0.4.9/ext/standard/dl.c 2006-05-02 16:46:34.000000000 +0200
2299@@ -160,8 +160,35 @@
2300 RETURN_FALSE;
2301 }
2302 module_entry = get_module();
2303+
2304+ /* check if Hardening-Patch is installed */
2305+ if (module_entry->zend_api < 1000000000) {
2306+ php_error_docref(NULL TSRMLS_CC, error_type,
2307+ "%s: Unable to initialize module\n"
2308+ "Module compiled without Hardening-Patch, module API=%d, debug=%d, thread-safety=%d\n"
2309+ "PHP compiled with Hardening-Patch=%d, module API=%d, debug=%d, thread-safety=%d\n"
2310+ "These options need to match\n",
2311+ module_entry->name, module_entry->zend_api, module_entry->zend_debug, module_entry->zts,
2312+ HARDENING_PATCH_ZEND_MODULE_API_NO, ZEND_MODULE_API_NO, ZEND_DEBUG, USING_ZTS);
2313+ DL_UNLOAD(handle);
2314+ RETURN_FALSE;
2315+ }
2316+
2317+ /* check if correct Hardening-Patch is installed */
2318+ if (module_entry->zend_api != HARDENING_PATCH_ZEND_MODULE_API_NO) {
2319+ php_error_docref(NULL TSRMLS_CC, error_type,
2320+ "%s: Unable to initialize module\n"
2321+ "Module compiled with Hardening-Patch=%d, module API=%d, debug=%d, thread-safety=%d\n"
2322+ "PHP compiled with Hardening-Patch=%d, module API=%d, debug=%d, thread-safety=%d\n"
2323+ "These options need to match\n",
2324+ module_entry->name, module_entry->zend_api, module_entry->real_zend_api, module_entry->zend_debug, module_entry->zts,
2325+ HARDENING_PATCH_ZEND_MODULE_API_NO, ZEND_MODULE_API_NO, ZEND_DEBUG, USING_ZTS);
2326+ DL_UNLOAD(handle);
2327+ RETURN_FALSE;
2328+ }
2329+
2330 if ((module_entry->zend_debug != ZEND_DEBUG) || (module_entry->zts != USING_ZTS)
2331- || (module_entry->zend_api != ZEND_MODULE_API_NO)) {
2332+ || (module_entry->real_zend_api != ZEND_MODULE_API_NO)) {
2333 /* Check for pre-4.1.0 module which has a slightly different module_entry structure :( */
2334 struct pre_4_1_0_module_entry {
2335 char *name;
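Review bot: The threshold `1000000000` in the first new check is a magic number: the reader has to infer that a patched build stores a large marker in `zend_api` and keeps the real API number in `real_zend_api`, a relationship I am deducing from the second check rather than from anything stated here. A comment on that line, `/* patched builds store HARDENING_PATCH_ZEND_MODULE_API_NO (>= 1000000000) in zend_api; the real API number is in real_zend_api */`, or a named constant compared against, would make the intent explicit. Both new checks read `module_entry->zend_api` before the pre-4.1.0 layout detection that follows, as the original condition also did, so a module with the old `module_entry` layout appears to get the first message rather than the dedicated one; that is acceptable but worth stating in the comment.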
2336@@ -195,7 +222,7 @@
2337 zts = ((struct pre_4_1_0_module_entry *)module_entry)->zts;
2338 } else {
2339 name = module_entry->name;
2340- zend_api = module_entry->zend_api;
2341+ zend_api = module_entry->real_zend_api;
2342 zend_debug = module_entry->zend_debug;
2343 zts = module_entry->zts;
2344 }
2345diff -Nura php-4.4.2/ext/standard/file.c hardening-patch-4.4.2-0.4.9/ext/standard/file.c
2346--- php-4.4.2/ext/standard/file.c 2006-01-01 14:46:57.000000000 +0100
2347+++ hardening-patch-4.4.2-0.4.9/ext/standard/file.c 2006-05-02 16:49:46.000000000 +0200
2348@@ -21,7 +21,7 @@
2349 +----------------------------------------------------------------------+
2350 */
2351
2352-/* $Id: file.c,v 1.279.2.70.2.3 2006/01/01 13:46:57 sniper Exp $ */
2353+/* $Id: file.c,v 1.279.2.70.2.7 2006/04/14 17:46:59 pollita Exp $ */
2354
2355 /* Synced with php 3.0 revision 1.218 1999-06-16 [ssb] */
2356
2357@@ -552,7 +552,7 @@
2358 pval **arg1, **arg2;
2359 char *d;
2360 char *opened_path;
2361- char p[64];
2362+ char *p;
2363 FILE *fp;
2364
2365 if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &arg1, &arg2) == FAILURE) {
2366@@ -566,7 +566,11 @@
2367 }
2368
2369 d = estrndup(Z_STRVAL_PP(arg1), Z_STRLEN_PP(arg1));
2370- strlcpy(p, Z_STRVAL_PP(arg2), sizeof(p));
2371+
2372+ p = php_basename(Z_STRVAL_PP(arg2), Z_STRLEN_PP(arg2), NULL, 0);
2373+ if (strlen(p) > 64) {
2374+ p[63] = '\0';
2375+ }
2376
2377 if ((fp = php_open_temporary_file(d, p, &opened_path TSRMLS_CC))) {
2378 fclose(fp);
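Review bot: The truncation boundary is inconsistent: `strlen(p) > 64` leaves a 64-character prefix intact but cuts anything longer down to 63 characters, so the effective limit depends on the input length. If the intent is to keep the prefix within the old 64-byte buffer, the test should be `if (strlen(p) > 63) { p[63] = '\0'; }`, ideally with the limit as a named constant. The enclosing function starts before this hunk and the matching `efree(p)` is added in the following hunk; I see no early return between the allocation and that free in the visible lines, but that path should be confirmed so `p` cannot leak.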
2379@@ -574,6 +578,7 @@
2380 } else {
2381 RETVAL_FALSE;
2382 }
2383+ efree(p);
2384 efree(d);
2385 }
2386 /* }}} */
2387@@ -819,7 +824,7 @@
2388
2389 /* If seconds is not set to null, build the timeval, else we wait indefinitely */
2390 if (sec != NULL) {
2391- convert_to_long_ex(&sec);
2392+ convert_to_long(sec);
2393
2394 if (usec > 999999) {
2395 tv.tv_sec = Z_LVAL_P(sec) + (usec / 1000000);
2396@@ -2196,7 +2201,7 @@
2397 safe_to_copy:
2398
2399 srcstream = php_stream_open_wrapper(src, "rb",
2400- STREAM_DISABLE_OPEN_BASEDIR | REPORT_ERRORS,
2401+ ENFORCE_SAFE_MODE | REPORT_ERRORS,
2402 NULL);
2403
2404 if (!srcstream)
2405@@ -2522,7 +2527,7 @@
2406 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
2407 /* {{{ proto string realpath(string path)
2408 Return the resolved path */
2409-PHP_FUNCTION(realpath)
2410+PHP_FUNCTION(real_path)
2411 {
2412 zval **path;
2413 char resolved_path_buff[MAXPATHLEN];
2414diff -Nura php-4.4.2/ext/standard/file.h hardening-patch-4.4.2-0.4.9/ext/standard/file.h
2415--- php-4.4.2/ext/standard/file.h 2006-01-01 14:46:57.000000000 +0100
2416+++ hardening-patch-4.4.2-0.4.9/ext/standard/file.h 2006-05-02 16:46:34.000000000 +0200
2417@@ -64,7 +64,7 @@
2418 PHP_FUNCTION(fd_set);
2419 PHP_FUNCTION(fd_isset);
2420 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
2421-PHP_FUNCTION(realpath);
2422+PHP_FUNCTION(real_path);
2423 #endif
2424 #ifdef HAVE_FNMATCH
2425 PHP_FUNCTION(fnmatch);
2426diff -Nura php-4.4.2/ext/standard/head.c hardening-patch-4.4.2-0.4.9/ext/standard/head.c
2427--- php-4.4.2/ext/standard/head.c 2006-01-01 14:46:57.000000000 +0100
2428+++ hardening-patch-4.4.2-0.4.9/ext/standard/head.c 2006-05-02 16:46:34.000000000 +0200
2429@@ -44,7 +44,7 @@
2430 if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|bl", &ctr.line,
2431 &ctr.line_len, &rep, &ctr.response_code) == FAILURE)
2432 return;
2433-
2434+
2435 sapi_header_op(rep ? SAPI_HEADER_REPLACE:SAPI_HEADER_ADD, &ctr TSRMLS_CC);
2436 }
2437 /* }}} */
2438diff -Nura php-4.4.2/ext/standard/html.c hardening-patch-4.4.2-0.4.9/ext/standard/html.c
2439--- php-4.4.2/ext/standard/html.c 2006-01-01 14:46:57.000000000 +0100
2440+++ hardening-patch-4.4.2-0.4.9/ext/standard/html.c 2006-05-02 16:49:55.000000000 +0200
2441@@ -18,7 +18,7 @@
2442 +----------------------------------------------------------------------+
2443 */
2444
2445-/* $Id: html.c,v 1.63.2.23.2.1 2006/01/01 13:46:57 sniper Exp $ */
2446+/* $Id: html.c,v 1.63.2.23.2.2 2006/02/25 21:33:06 rasmus Exp $ */
2447
2448 /*
2449 * HTML entity resources:
2450@@ -793,7 +793,7 @@
2451 enum entity_charset charset = determine_charset(hint_charset TSRMLS_CC);
2452 unsigned char replacement[15];
2453
2454- ret = estrdup(old);
2455+ ret = estrndup(old, oldlen);
2456 retlen = oldlen;
2457 if (!retlen) {
2458 goto empty_source;
2459diff -Nura php-4.4.2/ext/standard/info.c hardening-patch-4.4.2-0.4.9/ext/standard/info.c
2460--- php-4.4.2/ext/standard/info.c 2006-01-01 14:46:57.000000000 +0100
2461+++ hardening-patch-4.4.2-0.4.9/ext/standard/info.c 2006-05-02 16:53:57.000000000 +0200
2462@@ -58,6 +58,23 @@
2463
2464 PHPAPI extern char *php_ini_opened_path;
2465 PHPAPI extern char *php_ini_scanned_files;
2466+
2467+static int php_info_write_wrapper(const char *str, uint str_length)
2468+{
2469+ int new_len, written;
2470+ char *elem_esc;
2471+
2472+ TSRMLS_FETCH();
2473+
2474+ elem_esc = php_escape_html_entities((char *)str, str_length, &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
2475+
2476+ written = php_body_write(elem_esc, new_len TSRMLS_CC);
2477+
2478+ efree(elem_esc);
2479+
2480+ return written;
2481+}
2482+
2483
2484 /* {{{ _display_module_info
2485 */
2486@@ -133,23 +150,12 @@
2487 PUTS(" => ");
2488 }
2489 if (Z_TYPE_PP(tmp) == IS_ARRAY) {
2490- zval *tmp3;
2491- MAKE_STD_ZVAL(tmp3);
2492 if (!sapi_module.phpinfo_as_text) {
2493 PUTS("<pre>");
2494- }
2495- php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
2496- zend_print_zval_r(*tmp, 0);
2497- php_ob_get_buffer(tmp3 TSRMLS_CC);
2498- php_end_ob_buffer(0, 0 TSRMLS_CC);
2499-
2500- elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
2501- PUTS(elem_esc);
2502- efree(elem_esc);
2503- zval_ptr_dtor(&tmp3);
2504-
2505- if (!sapi_module.phpinfo_as_text) {
2506+ zend_print_zval_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0);
2507 PUTS("</pre>");
2508+ } else {
2509+ zend_print_zval_r(*tmp, 0 TSRMLS_CC);
2510 }
2511 } else if (Z_TYPE_PP(tmp) != IS_STRING) {
2512 tmp2 = **tmp;
2513@@ -408,7 +414,7 @@
2514
2515 if (flag & PHP_INFO_GENERAL) {
2516 char *zend_version = get_zend_version();
2517- char temp_api[9];
2518+ char temp_api[11];
2519
2520 php_uname = php_get_uname('a');
2521
2522@@ -430,11 +436,22 @@
2523 }
2524 }
2525
2526+#if HARDENING_PATCH
2527+ if (!sapi_module.phpinfo_as_text) {
2528+ php_printf("<h1 class=\"p\">PHP Version %s with <a href=\"http://www.hardened-php.net\">Hardening-Patch</a> %s</h1>\n", PHP_VERSION, HARDENING_PATCH_VERSION);
2529+ } else {
2530+ char temp_ver[40];
2531+
2532+ snprintf(temp_ver, sizeof(temp_ver), "%s/%s", PHP_VERSION, HARDENING_PATCH_VERSION);
2533+ php_info_print_table_row(2, "PHP/Hardening-Patch Version", temp_ver);
2534+ }
2535+#else
2536 if (!sapi_module.phpinfo_as_text) {
2537 php_printf("<h1 class=\"p\">PHP Version %s</h1>\n", PHP_VERSION);
2538 } else {
2539 php_info_print_table_row(2, "PHP Version", PHP_VERSION);
2540 }
2541+#endif
2542 php_info_print_box_end();
2543 php_info_print_table_start();
2544 php_info_print_table_row(2, "System", php_uname );
2545diff -Nura php-4.4.2/ext/standard/pack.c hardening-patch-4.4.2-0.4.9/ext/standard/pack.c
2546--- php-4.4.2/ext/standard/pack.c 2006-01-01 14:46:57.000000000 +0100
2547+++ hardening-patch-4.4.2-0.4.9/ext/standard/pack.c 2006-05-02 16:50:05.000000000 +0200
2548@@ -15,7 +15,7 @@
2549 | Author: Chris Schneider <cschneid@relog.ch> |
2550 +----------------------------------------------------------------------+
2551 */
2552-/* $Id: pack.c,v 1.40.2.7.2.4 2006/01/01 13:46:57 sniper Exp $ */
2553+/* $Id: pack.c,v 1.40.2.7.2.5 2006/01/26 15:47:31 iliaa Exp $ */
2554
2555 #include "php.h"
2556
2557@@ -693,7 +693,9 @@
2558 len = size * 2;
2559 }
2560
2561- len -= argb % 2;
2562+ if (argb > 0) {
2563+ len -= argb % 2;
2564+ }
2565
2566 buf = emalloc(len + 1);
2567
2568diff -Nura php-4.4.2/ext/standard/php_standard.h hardening-patch-4.4.2-0.4.9/ext/standard/php_standard.h
2569--- php-4.4.2/ext/standard/php_standard.h 2006-01-01 14:46:58.000000000 +0100
2570+++ hardening-patch-4.4.2-0.4.9/ext/standard/php_standard.h 2006-05-02 16:46:34.000000000 +0200
2571@@ -28,6 +28,7 @@
2572 #include "php_mail.h"
2573 #include "md5.h"
2574 #include "sha1.h"
2575+#include "sha256.h"
2576 #include "html.h"
2577 #include "exec.h"
2578 #include "file.h"
2579diff -Nura php-4.4.2/ext/standard/sha256.c hardening-patch-4.4.2-0.4.9/ext/standard/sha256.c
2580--- php-4.4.2/ext/standard/sha256.c 1970-01-01 01:00:00.000000000 +0100
2581+++ hardening-patch-4.4.2-0.4.9/ext/standard/sha256.c 2006-05-02 16:46:34.000000000 +0200
2582@@ -0,0 +1,398 @@
2583+/*
2584+ +----------------------------------------------------------------------+
2585+ | PHP Version 5 |
2586+ +----------------------------------------------------------------------+
2587+ | Copyright (c) 1997-2004 The PHP Group |
2588+ +----------------------------------------------------------------------+
2589+ | This source file is subject to version 3.0 of the PHP license, |
2590+ | that is bundled with this package in the file LICENSE, and is |
2591+ | available through the world-wide-web at the following url: |
2592+ | http://www.php.net/license/3_0.txt. |
2593+ | If you did not receive a copy of the PHP license and are unable to |
2594+ | obtain it through the world-wide-web, please send a note to |
2595+ | license@php.net so we can mail you a copy immediately. |
2596+ +----------------------------------------------------------------------+
2597+ | Author: Stefan Esser <sesser@php.net> |
2598+ +----------------------------------------------------------------------+
2599+*/
2600+
2601+/* $Id: sha256.c,v 1.9 2004/01/08 08:17:34 andi Exp $ */
2602+
2603+#include <stdio.h>
2604+#include "php.h"
2605+
2606+/* This code is heavily based on the PHP md5/sha1 implementations */
2607+
2608+#include "sha256.h"
2609+
2610+PHPAPI void make_sha256_digest(char *sha256str, unsigned char *digest)
2611+{
2612+ int i;
2613+
2614+ for (i = 0; i < 32; i++) {
2615+ sprintf(sha256str, "%02x", digest[i]);
2616+ sha256str += 2;
2617+ }
2618+
2619+ *sha256str = '\0';
2620+}
2621+
2622+/* {{{ proto string sha256(string str [, bool raw_output])
2623+ Calculate the sha256 hash of a string */
2624+PHP_FUNCTION(sha256)
2625+{
2626+ char *arg;
2627+ int arg_len;
2628+ zend_bool raw_output = 0;
2629+ char sha256str[65];
2630+ PHP_SHA256_CTX context;
2631+ unsigned char digest[32];
2632+
2633+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &arg, &arg_len, &raw_output) == FAILURE) {
2634+ return;
2635+ }
2636+
2637+ sha256str[0] = '\0';
2638+ PHP_SHA256Init(&context);
2639+ PHP_SHA256Update(&context, arg, arg_len);
2640+ PHP_SHA256Final(digest, &context);
2641+ if (raw_output) {
2642+ RETURN_STRINGL(digest, 32, 1);
2643+ } else {
2644+ make_sha256_digest(sha256str, digest);
2645+ RETVAL_STRING(sha256str, 1);
2646+ }
2647+
2648+}
2649+
2650+/* }}} */
2651+
2652+/* {{{ proto string sha256_file(string filename [, bool raw_output])
2653+ Calculate the sha256 hash of given filename */
2654+PHP_FUNCTION(sha256_file)
2655+{
2656+ char *arg;
2657+ int arg_len;
2658+ zend_bool raw_output = 0;
2659+ char sha256str[65];
2660+ unsigned char buf[1024];
2661+ unsigned char digest[32];
2662+ PHP_SHA256_CTX context;
2663+ int n;
2664+ FILE *fp;
2665+
2666+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &arg, &arg_len, &raw_output) == FAILURE) {
2667+ return;
2668+ }
2669+
2670+ if (PG(safe_mode) && (!php_checkuid(arg, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
2671+ RETURN_FALSE;
2672+ }
2673+
2674+ if (php_check_open_basedir(arg TSRMLS_CC)) {
2675+ RETURN_FALSE;
2676+ }
2677+
2678+ if ((fp = VCWD_FOPEN(arg, "rb")) == NULL) {
2679+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to open file");
2680+ RETURN_FALSE;
2681+ }
2682+
2683+ PHP_SHA256Init(&context);
2684+
2685+ while ((n = fread(buf, 1, sizeof(buf), fp)) > 0) {
2686+ PHP_SHA256Update(&context, buf, n);
2687+ }
2688+
2689+ PHP_SHA256Final(digest, &context);
2690+
2691+ if (ferror(fp)) {
2692+ fclose(fp);
2693+ RETURN_FALSE;
2694+ }
2695+
2696+ fclose(fp);
2697+
2698+ if (raw_output) {
2699+ RETURN_STRINGL(digest, 32, 1);
2700+ } else {
2701+ make_sha256_digest(sha256str, digest);
2702+ RETVAL_STRING(sha256str, 1);
2703+ }
2704+}
2705+/* }}} */
2706+
2707+
2708+static void SHA256Transform(php_uint32[8], const unsigned char[64]);
2709+static void SHA256Encode(unsigned char *, php_uint32 *, unsigned int);
2710+static void SHA256Decode(php_uint32 *, const unsigned char *, unsigned int);
2711+
2712+static unsigned char PADDING[64] =
2713+{
2714+ 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
2715+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
2716+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
2717+};
2718+
2719+/* F, G, H and I are basic SHA256 functions.
2720+ */
2721+#define F(x) (ROTATE_RIGHT(x,2) ^ ROTATE_RIGHT(x,13) ^ ROTATE_RIGHT(x,22))
2722+#define G(x, y, z) (((x) & (y)) | ((z) & ((y) | (x))))
2723+#define H(x) (ROTATE_RIGHT(x,6) ^ ROTATE_RIGHT(x,11) ^ ROTATE_RIGHT(x,25))
2724+#define I(x, y, z) (((x) & (y)) | ((~x) & z))
2725+
2726+/* ROTATE_RIGHT rotates x right n bits.
2727+ */
2728+#define ROTATE_RIGHT(x, n) (((x) >> (n)) | ((x) << (32-(n))))
2729+
2730+/* W[i]
2731+ */
2732+#define W(i) ( tmp1=ROTATE_RIGHT(x[(i-15)&15],7)^ROTATE_RIGHT(x[(i-15)&15],18)^(x[(i-15)&15] >> 3), \
2733+ tmp2=ROTATE_RIGHT(x[(i-2)&15],17)^ROTATE_RIGHT(x[(i-2)&15],19)^(x[(i-2)&15] >> 10), \
2734+ (x[i&15]=x[i&15] + tmp1 + x[(i-7)&15] + tmp2) )
2735+
2736+/* ROUND function of sha256
2737+ */
2738+
2739+#define ROUND(a,b,c,d,e,f,g,h,w,k) { \
2740+ t1 = (h) + H((e)) + I((e), (f), (g)) + (k) + (php_uint32)(w); \
2741+ (h) = F((a)) + G((a), (b), (c)) + t1; \
2742+ (d) += t1; \
2743+ }
2744+
2745+
2746+/* {{{ PHP_SHA256Init
2747+ * SHA256 initialization. Begins an SHA256 operation, writing a new context.
2748+ */
2749+PHPAPI void PHP_SHA256Init(PHP_SHA256_CTX * context)
2750+{
2751+ context->count[0] = context->count[1] = 0;
2752+ /* Load magic initialization constants.
2753+ */
2754+ context->state[0] = 0x6a09e667;
2755+ context->state[1] = 0xbb67ae85;
2756+ context->state[2] = 0x3c6ef372;
2757+ context->state[3] = 0xa54ff53a;
2758+ context->state[4] = 0x510e527f;
2759+ context->state[5] = 0x9b05688c;
2760+ context->state[6] = 0x1f83d9ab;
2761+ context->state[7] = 0x5be0cd19;
2762+}
2763+/* }}} */
2764+
2765+/* {{{ PHP_SHA256Update
2766+ SHA256 block update operation. Continues an SHA256 message-digest
2767+ operation, processing another message block, and updating the
2768+ context.
2769+ */
2770+PHPAPI void PHP_SHA256Update(PHP_SHA256_CTX * context, const unsigned char *input,
2771+ unsigned int inputLen)
2772+{
2773+ unsigned int i, index, partLen;
2774+
2775+ /* Compute number of bytes mod 64 */
2776+ index = (unsigned int) ((context->count[0] >> 3) & 0x3F);
2777+
2778+ /* Update number of bits */
2779+ if ((context->count[0] += ((php_uint32) inputLen << 3))
2780+ < ((php_uint32) inputLen << 3))
2781+ context->count[1]++;
2782+ context->count[1] += ((php_uint32) inputLen >> 29);
2783+
2784+ partLen = 64 - index;
2785+
2786+ /* Transform as many times as possible.
2787+ */
2788+ if (inputLen >= partLen) {
2789+ memcpy
2790+ ((unsigned char*) & context->buffer[index], (unsigned char*) input, partLen);
2791+ SHA256Transform(context->state, context->buffer);
2792+
2793+ for (i = partLen; i + 63 < inputLen; i += 64)
2794+ SHA256Transform(context->state, &input[i]);
2795+
2796+ index = 0;
2797+ } else
2798+ i = 0;
2799+
2800+ /* Buffer remaining input */
2801+ memcpy
2802+ ((unsigned char*) & context->buffer[index], (unsigned char*) & input[i],
2803+ inputLen - i);
2804+}
2805+/* }}} */
2806+
2807+/* {{{ PHP_SHA256Final
2808+ SHA256 finalization. Ends an SHA256 message-digest operation, writing the
2809+ the message digest and zeroizing the context.
2810+ */
2811+PHPAPI void PHP_SHA256Final(unsigned char digest[32], PHP_SHA256_CTX * context)
2812+{
2813+ unsigned char bits[8];
2814+ unsigned int index, padLen;
2815+
2816+ /* Save number of bits */
2817+ bits[7] = context->count[0] & 0xFF;
2818+ bits[6] = (context->count[0] >> 8) & 0xFF;
2819+ bits[5] = (context->count[0] >> 16) & 0xFF;
2820+ bits[4] = (context->count[0] >> 24) & 0xFF;
2821+ bits[3] = context->count[1] & 0xFF;
2822+ bits[2] = (context->count[1] >> 8) & 0xFF;
2823+ bits[1] = (context->count[1] >> 16) & 0xFF;
2824+ bits[0] = (context->count[1] >> 24) & 0xFF;
2825+
2826+ /* Pad out to 56 mod 64.
2827+ */
2828+ index = (unsigned int) ((context->count[0] >> 3) & 0x3f);
2829+ padLen = (index < 56) ? (56 - index) : (120 - index);
2830+ PHP_SHA256Update(context, PADDING, padLen);
2831+
2832+ /* Append length (before padding) */
2833+ PHP_SHA256Update(context, bits, 8);
2834+
2835+ /* Store state in digest */
2836+ SHA256Encode(digest, context->state, 32);
2837+
2838+ /* Zeroize sensitive information.
2839+ */
2840+ memset((unsigned char*) context, 0, sizeof(*context));
2841+}
2842+/* }}} */
2843+
2844+/* {{{ SHA256Transform
2845+ * SHA256 basic transformation. Transforms state based on block.
2846+ */
2847+static void SHA256Transform(state, block)
2848+php_uint32 state[8];
2849+const unsigned char block[64];
2850+{
2851+ php_uint32 a = state[0], b = state[1], c = state[2];
2852+ php_uint32 d = state[3], e = state[4], f = state[5];
2853+ php_uint32 g = state[6], h = state[7], x[16], tmp1, tmp2, t1;
2854+
2855+ SHA256Decode(x, block, 64);
2856+
2857+ ROUND(a, b, c, d, e, f, g, h, x[0], 0x428a2f98)
2858+ ROUND(h, a, b, c, d, e, f, g, x[1], 0x71374491)
2859+ ROUND(g, h, a, b, c, d, e, f, x[2], 0xb5c0fbcf)
2860+ ROUND(f, g, h, a, b, c, d, e, x[3], 0xe9b5dba5)
2861+ ROUND(e, f, g, h, a, b, c, d, x[4], 0x3956c25b)
2862+ ROUND(d, e, f, g, h, a, b, c, x[5], 0x59f111f1)
2863+ ROUND(c, d, e, f, g, h, a, b, x[6], 0x923f82a4)
2864+ ROUND(b, c, d, e, f, g, h, a, x[7], 0xab1c5ed5)
2865+ ROUND(a, b, c, d, e, f, g, h, x[8], 0xd807aa98)
2866+ ROUND(h, a, b, c, d, e, f, g, x[9], 0x12835b01)
2867+ ROUND(g, h, a, b, c, d, e, f, x[10], 0x243185be)
2868+ ROUND(f, g, h, a, b, c, d, e, x[11], 0x550c7dc3)
2869+ ROUND(e, f, g, h, a, b, c, d, x[12], 0x72be5d74)
2870+ ROUND(d, e, f, g, h, a, b, c, x[13], 0x80deb1fe)
2871+ ROUND(c, d, e, f, g, h, a, b, x[14], 0x9bdc06a7)
2872+ ROUND(b, c, d, e, f, g, h, a, x[15], 0xc19bf174)
2873+ ROUND(a, b, c, d, e, f, g, h, W(16), 0xe49b69c1)
2874+ ROUND(h, a, b, c, d, e, f, g, W(17), 0xefbe4786)
2875+ ROUND(g, h, a, b, c, d, e, f, W(18), 0x0fc19dc6)
2876+ ROUND(f, g, h, a, b, c, d, e, W(19), 0x240ca1cc)
2877+ ROUND(e, f, g, h, a, b, c, d, W(20), 0x2de92c6f)
2878+ ROUND(d, e, f, g, h, a, b, c, W(21), 0x4a7484aa)
2879+ ROUND(c, d, e, f, g, h, a, b, W(22), 0x5cb0a9dc)
2880+ ROUND(b, c, d, e, f, g, h, a, W(23), 0x76f988da)
2881+ ROUND(a, b, c, d, e, f, g, h, W(24), 0x983e5152)
2882+ ROUND(h, a, b, c, d, e, f, g, W(25), 0xa831c66d)
2883+ ROUND(g, h, a, b, c, d, e, f, W(26), 0xb00327c8)
2884+ ROUND(f, g, h, a, b, c, d, e, W(27), 0xbf597fc7)
2885+ ROUND(e, f, g, h, a, b, c, d, W(28), 0xc6e00bf3)
2886+ ROUND(d, e, f, g, h, a, b, c, W(29), 0xd5a79147)
2887+ ROUND(c, d, e, f, g, h, a, b, W(30), 0x06ca6351)
2888+ ROUND(b, c, d, e, f, g, h, a, W(31), 0x14292967)
2889+ ROUND(a, b, c, d, e, f, g, h, W(32), 0x27b70a85)
2890+ ROUND(h, a, b, c, d, e, f, g, W(33), 0x2e1b2138)
2891+ ROUND(g, h, a, b, c, d, e, f, W(34), 0x4d2c6dfc)
2892+ ROUND(f, g, h, a, b, c, d, e, W(35), 0x53380d13)
2893+ ROUND(e, f, g, h, a, b, c, d, W(36), 0x650a7354)
2894+ ROUND(d, e, f, g, h, a, b, c, W(37), 0x766a0abb)
2895+ ROUND(c, d, e, f, g, h, a, b, W(38), 0x81c2c92e)
2896+ ROUND(b, c, d, e, f, g, h, a, W(39), 0x92722c85)
2897+ ROUND(a, b, c, d, e, f, g, h, W(40), 0xa2bfe8a1)
2898+ ROUND(h, a, b, c, d, e, f, g, W(41), 0xa81a664b)
2899+ ROUND(g, h, a, b, c, d, e, f, W(42), 0xc24b8b70)
2900+ ROUND(f, g, h, a, b, c, d, e, W(43), 0xc76c51a3)
2901+ ROUND(e, f, g, h, a, b, c, d, W(44), 0xd192e819)
2902+ ROUND(d, e, f, g, h, a, b, c, W(45), 0xd6990624)
2903+ ROUND(c, d, e, f, g, h, a, b, W(46), 0xf40e3585)
2904+ ROUND(b, c, d, e, f, g, h, a, W(47), 0x106aa070)
2905+ ROUND(a, b, c, d, e, f, g, h, W(48), 0x19a4c116)
2906+ ROUND(h, a, b, c, d, e, f, g, W(49), 0x1e376c08)
2907+ ROUND(g, h, a, b, c, d, e, f, W(50), 0x2748774c)
2908+ ROUND(f, g, h, a, b, c, d, e, W(51), 0x34b0bcb5)
2909+ ROUND(e, f, g, h, a, b, c, d, W(52), 0x391c0cb3)
2910+ ROUND(d, e, f, g, h, a, b, c, W(53), 0x4ed8aa4a)
2911+ ROUND(c, d, e, f, g, h, a, b, W(54), 0x5b9cca4f)
2912+ ROUND(b, c, d, e, f, g, h, a, W(55), 0x682e6ff3)
2913+ ROUND(a, b, c, d, e, f, g, h, W(56), 0x748f82ee)
2914+ ROUND(h, a, b, c, d, e, f, g, W(57), 0x78a5636f)
2915+ ROUND(g, h, a, b, c, d, e, f, W(58), 0x84c87814)
2916+ ROUND(f, g, h, a, b, c, d, e, W(59), 0x8cc70208)
2917+ ROUND(e, f, g, h, a, b, c, d, W(60), 0x90befffa)
2918+ ROUND(d, e, f, g, h, a, b, c, W(61), 0xa4506ceb)
2919+ ROUND(c, d, e, f, g, h, a, b, W(62), 0xbef9a3f7)
2920+ ROUND(b, c, d, e, f, g, h, a, W(63), 0xc67178f2)
2921+
2922+ state[0] += a;
2923+ state[1] += b;
2924+ state[2] += c;
2925+ state[3] += d;
2926+ state[4] += e;
2927+ state[5] += f;
2928+ state[6] += g;
2929+ state[7] += h;
2930+
2931+ /* Zeroize sensitive information. */
2932+ memset((unsigned char*) x, 0, sizeof(x));
2933+}
2934+/* }}} */
2935+
2936+/* {{{ SHA256Encode
2937+ Encodes input (php_uint32) into output (unsigned char). Assumes len is
2938+ a multiple of 4.
2939+ */
2940+static void SHA256Encode(output, input, len)
2941+unsigned char *output;
2942+php_uint32 *input;
2943+unsigned int len;
2944+{
2945+ unsigned int i, j;
2946+
2947+ for (i = 0, j = 0; j < len; i++, j += 4) {
2948+ output[j] = (unsigned char) ((input[i] >> 24) & 0xff);
2949+ output[j + 1] = (unsigned char) ((input[i] >> 16) & 0xff);
2950+ output[j + 2] = (unsigned char) ((input[i] >> 8) & 0xff);
2951+ output[j + 3] = (unsigned char) (input[i] & 0xff);
2952+ }
2953+}
2954+/* }}} */
2955+
2956+/* {{{ SHA256Decode
2957+ Decodes input (unsigned char) into output (php_uint32). Assumes len is
2958+ a multiple of 4.
2959+ */
2960+static void SHA256Decode(output, input, len)
2961+php_uint32 *output;
2962+const unsigned char *input;
2963+unsigned int len;
2964+{
2965+ unsigned int i, j;
2966+
2967+ for (i = 0, j = 0; j < len; i++, j += 4)
2968+ output[i] = ((php_uint32) input[j + 3]) | (((php_uint32) input[j + 2]) << 8) |
2969+ (((php_uint32) input[j + 1]) << 16) | (((php_uint32) input[j]) << 24);
2970+}
2971+/* }}} */
2972+
2973+/*
2974+ * Local variables:
2975+ * tab-width: 4
2976+ * c-basic-offset: 4
2977+ * End:
2978+ * vim600: sw=4 ts=4 fdm=marker
2979+ * vim<600: sw=4 ts=4
2980+ */
2981diff -Nura php-4.4.2/ext/standard/sha256.h hardening-patch-4.4.2-0.4.9/ext/standard/sha256.h
2982--- php-4.4.2/ext/standard/sha256.h 1970-01-01 01:00:00.000000000 +0100
2983+++ hardening-patch-4.4.2-0.4.9/ext/standard/sha256.h 2006-05-02 16:46:34.000000000 +0200
2984@@ -0,0 +1,40 @@
2985+/*
2986+ +----------------------------------------------------------------------+
2987+ | PHP Version 5 |
2988+ +----------------------------------------------------------------------+
2989+ | Copyright (c) 1997-2004 The PHP Group |
2990+ +----------------------------------------------------------------------+
2991+ | This source file is subject to version 3.0 of the PHP license, |
2992+ | that is bundled with this package in the file LICENSE, and is |
2993+ | available through the world-wide-web at the following url: |
2994+ | http://www.php.net/license/3_0.txt. |
2995+ | If you did not receive a copy of the PHP license and are unable to |
2996+ | obtain it through the world-wide-web, please send a note to |
2997+ | license@php.net so we can mail you a copy immediately. |
2998+ +----------------------------------------------------------------------+
2999+ | Author: Stefan Esser <sesser@php.net> |
3000+ +----------------------------------------------------------------------+
3001+*/
3002+
3003+/* $Id: sha256.h,v 1.4 2004/01/08 17:32:52 sniper Exp $ */
3004+
3005+#ifndef SHA256_H
3006+#define SHA256_H
3007+
3008+#include "ext/standard/basic_functions.h"
3009+
3010+/* SHA1 context. */
3011+typedef struct {
3012+ php_uint32 state[8]; /* state (ABCD) */
3013+ php_uint32 count[2]; /* number of bits, modulo 2^64 (lsb first) */
3014+ unsigned char buffer[64]; /* input buffer */
3015+} PHP_SHA256_CTX;
3016+
3017+PHPAPI void PHP_SHA256Init(PHP_SHA256_CTX *);
3018+PHPAPI void PHP_SHA256Update(PHP_SHA256_CTX *, const unsigned char *, unsigned int);
3019+PHPAPI void PHP_SHA256Final(unsigned char[32], PHP_SHA256_CTX *);
3020+
3021+PHP_FUNCTION(sha256);
3022+PHP_FUNCTION(sha256_file);
3023+
3024+#endif
3025diff -Nura php-4.4.2/ext/standard/string.c hardening-patch-4.4.2-0.4.9/ext/standard/string.c
3026--- php-4.4.2/ext/standard/string.c 2006-01-01 14:46:58.000000000 +0100
3027+++ hardening-patch-4.4.2-0.4.9/ext/standard/string.c 2006-05-02 16:50:16.000000000 +0200
3028@@ -18,7 +18,7 @@
3029 +----------------------------------------------------------------------+
3030 */
3031
3032-/* $Id: string.c,v 1.333.2.52.2.3 2006/01/01 13:46:58 sniper Exp $ */
3033+/* $Id: string.c,v 1.333.2.52.2.4 2006/03/13 14:41:27 iliaa Exp $ */
3034
3035 /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
3036
3037@@ -672,15 +672,13 @@
3038 /* Multiple character line break or forced cut */
3039 if (linelength > 0) {
3040 chk = (int)(textlen/linelength + 1);
3041+ newtext = safe_emalloc(chk, breakcharlen, textlen + 1);
3042 alloced = textlen + chk * breakcharlen + 1;
3043 } else {
3044 chk = textlen;
3045+ newtext = safe_emalloc(textlen, (breakcharlen + 1), 1);
3046 alloced = textlen * (breakcharlen + 1) + 1;
3047 }
3048- if (alloced <= 0) {
3049- RETURN_FALSE;
3050- }
3051- newtext = emalloc(alloced);
3052
3053 /* now keep track of the actual new text length */
3054 newtextlen = 0;
3055diff -Nura php-4.4.2/ext/standard/syslog.c hardening-patch-4.4.2-0.4.9/ext/standard/syslog.c
3056--- php-4.4.2/ext/standard/syslog.c 2006-01-01 14:46:58.000000000 +0100
3057+++ hardening-patch-4.4.2-0.4.9/ext/standard/syslog.c 2006-05-02 16:46:34.000000000 +0200
3058@@ -42,6 +42,8 @@
3059 */
3060 PHP_MINIT_FUNCTION(syslog)
3061 {
3062+
3063+#if !HARDENING_PATCH
3064 /* error levels */
3065 REGISTER_LONG_CONSTANT("LOG_EMERG", LOG_EMERG, CONST_CS | CONST_PERSISTENT); /* system unusable */
3066 REGISTER_LONG_CONSTANT("LOG_ALERT", LOG_ALERT, CONST_CS | CONST_PERSISTENT); /* immediate action required */
3067@@ -97,7 +99,7 @@
3068 /* AIX doesn't have LOG_PERROR */
3069 REGISTER_LONG_CONSTANT("LOG_PERROR", LOG_PERROR, CONST_CS | CONST_PERSISTENT); /*log to stderr*/
3070 #endif
3071-
3072+#endif
3073 return SUCCESS;
3074 }
3075 /* }}} */
3076diff -Nura php-4.4.2/ext/standard/url.c hardening-patch-4.4.2-0.4.9/ext/standard/url.c
3077--- php-4.4.2/ext/standard/url.c 2006-01-01 14:46:58.000000000 +0100
3078+++ hardening-patch-4.4.2-0.4.9/ext/standard/url.c 2006-05-02 16:50:23.000000000 +0200
3079@@ -15,7 +15,7 @@
3080 | Author: Jim Winstead <jimw@php.net> |
3081 +----------------------------------------------------------------------+
3082 */
3083-/* $Id: url.c,v 1.58.2.21.2.2 2006/01/01 13:46:58 sniper Exp $ */
3084+/* $Id: url.c,v 1.58.2.21.2.3 2006/02/12 16:43:03 iliaa Exp $ */
3085
3086 #include <stdlib.h>
3087 #include <string.h>
3088@@ -137,7 +137,7 @@
3089 p++;
3090 }
3091
3092- if ((*p) == '\0' || *p == '/') {
3093+ if ((*p == '\0' || *p == '/') && (p - e) < 7) {
3094 goto parse_port;
3095 }
3096
3097diff -Nura php-4.4.2/ext/varfilter/config.m4 hardening-patch-4.4.2-0.4.9/ext/varfilter/config.m4
3098--- php-4.4.2/ext/varfilter/config.m4 1970-01-01 01:00:00.000000000 +0100
3099+++ hardening-patch-4.4.2-0.4.9/ext/varfilter/config.m4 2006-05-02 16:46:34.000000000 +0200
3100@@ -0,0 +1,11 @@
3101+dnl
3102+dnl $Id: config.m4,v 1.1 2004/11/14 13:27:16 ionic Exp $
3103+dnl
3104+
3105+PHP_ARG_ENABLE(varfilter, whether to enable Hardening-Patch's variable filter,
3106+[ --disable-varfilter Disable Hardening-Patch's variable filter], yes)
3107+
3108+if test "$PHP_VARFILTER" != "no"; then
3109+ AC_DEFINE(HAVE_VARFILTER, 1, [ ])
3110+ PHP_NEW_EXTENSION(varfilter, varfilter.c, $ext_shared)
3111+fi
3112diff -Nura php-4.4.2/ext/varfilter/CREDITS hardening-patch-4.4.2-0.4.9/ext/varfilter/CREDITS
3113--- php-4.4.2/ext/varfilter/CREDITS 1970-01-01 01:00:00.000000000 +0100
3114+++ hardening-patch-4.4.2-0.4.9/ext/varfilter/CREDITS 2006-05-02 16:46:34.000000000 +0200
3115@@ -0,0 +1,2 @@
3116+varfilter
3117+Stefan Esser
3118\ Kein Zeilenumbruch am Dateiende.
3119diff -Nura php-4.4.2/ext/varfilter/php_varfilter.h hardening-patch-4.4.2-0.4.9/ext/varfilter/php_varfilter.h
3120--- php-4.4.2/ext/varfilter/php_varfilter.h 1970-01-01 01:00:00.000000000 +0100
3121+++ hardening-patch-4.4.2-0.4.9/ext/varfilter/php_varfilter.h 2006-05-02 16:46:34.000000000 +0200
3122@@ -0,0 +1,144 @@
3123+/*
3124+ +----------------------------------------------------------------------+
3125+ | Hardened-PHP Project's varfilter extension |
3126+ +----------------------------------------------------------------------+
3127+ | Copyright (c) 2004-2005 Stefan Esser |
3128+ +----------------------------------------------------------------------+
3129+ | This source file is subject to version 2.02 of the PHP license, |
3130+ | that is bundled with this package in the file LICENSE, and is |
3131+ | available at through the world-wide-web at |
3132+ | http://www.php.net/license/2_02.txt. |
3133+ | If you did not receive a copy of the PHP license and are unable to |
3134+ | obtain it through the world-wide-web, please send a note to |
3135+ | license@php.net so we can mail you a copy immediately. |
3136+ +----------------------------------------------------------------------+
3137+ | Author: Stefan Esser <sesser@hardened-php.net> |
3138+ +----------------------------------------------------------------------+
3139+
3140+ $Id: php_varfilter.h,v 1.1 2004/11/14 13:27:16 ionic Exp $
3141+*/
3142+
3143+#ifndef PHP_VARFILTER_H
3144+#define PHP_VARFILTER_H
3145+
3146+extern zend_module_entry varfilter_module_entry;
3147+#define phpext_varfilter_ptr &varfilter_module_entry
3148+
3149+#ifdef PHP_WIN32
3150+#define PHP_VARFILTER_API __declspec(dllexport)
3151+#else
3152+#define PHP_VARFILTER_API
3153+#endif
3154+
3155+#ifdef ZTS
3156+#include "TSRM.h"
3157+#endif
3158+
3159+#include "SAPI.h"
3160+
3161+#include "php_variables.h"
3162+
3163+#ifdef ZEND_ENGINE_2
3164+#define HASH_HTTP_GET_VARS 0x2095733f
3165+#define HASH_HTTP_POST_VARS 0xbfee1265
3166+#define HASH_HTTP_COOKIE_VARS 0xaaca9d99
3167+#define HASH_HTTP_ENV_VARS 0x1fe186a8
3168+#define HASH_HTTP_SERVER_VARS 0xc987afd6
3169+#define HASH_HTTP_SESSION_VARS 0x7aba0d43
3170+#define HASH_HTTP_POST_FILES 0x98eb1ddc
3171+#define HASH_HTTP_RAW_POST_DATA 0xdd633fec
3172+#else
3173+#define HASH_HTTP_GET_VARS 0x8d8645bd
3174+#define HASH_HTTP_POST_VARS 0x7c699bf3
3175+#define HASH_HTTP_COOKIE_VARS 0x93ad0d6f
3176+#define HASH_HTTP_ENV_VARS 0x84da3016
3177+#define HASH_HTTP_SERVER_VARS 0x6dbf964e
3178+#define HASH_HTTP_SESSION_VARS 0x322906f5
3179+#define HASH_HTTP_POST_FILES 0xe4e4ce70
3180+#define HASH_HTTP_RAW_POST_DATA 0xe6137a0e
3181+#endif
3182+
3183+PHP_MINIT_FUNCTION(varfilter);
3184+PHP_MSHUTDOWN_FUNCTION(varfilter);
3185+PHP_RINIT_FUNCTION(varfilter);
3186+PHP_RSHUTDOWN_FUNCTION(varfilter);
3187+PHP_MINFO_FUNCTION(varfilter);
3188+
3189+
3190+ZEND_BEGIN_MODULE_GLOBALS(varfilter)
3191+/* request variables */
3192+ long max_request_variables;
3193+ long cur_request_variables;
3194+ long max_varname_length;
3195+ long max_totalname_length;
3196+ long max_value_length;
3197+ long max_array_depth;
3198+ long max_array_index_length;
3199+ zend_bool disallow_nul;
3200+/* cookie variables */
3201+ long max_cookie_vars;
3202+ long cur_cookie_vars;
3203+ long max_cookie_name_length;
3204+ long max_cookie_totalname_length;
3205+ long max_cookie_value_length;
3206+ long max_cookie_array_depth;
3207+ long max_cookie_array_index_length;
3208+ zend_bool disallow_cookie_nul;
3209+/* get variables */
3210+ long max_get_vars;
3211+ long cur_get_vars;
3212+ long max_get_name_length;
3213+ long max_get_totalname_length;
3214+ long max_get_value_length;
3215+ long max_get_array_depth;
3216+ long max_get_array_index_length;
3217+ zend_bool disallow_get_nul;
3218+/* post variables */
3219+ long max_post_vars;
3220+ long cur_post_vars;
3221+ long max_post_name_length;
3222+ long max_post_totalname_length;
3223+ long max_post_value_length;
3224+ long max_post_array_depth;
3225+ long max_post_array_index_length;
3226+ zend_bool disallow_post_nul;
3227+/* fileupload */
3228+ long max_uploads;
3229+ long cur_uploads;
3230+ zend_bool disallow_elf_files;
3231+ char *verification_script;
3232+
3233+ zend_bool no_more_variables;
3234+ zend_bool no_more_get_variables;
3235+ zend_bool no_more_post_variables;
3236+ zend_bool no_more_cookie_variables;
3237+ zend_bool no_more_uploads;
3238+
3239+ZEND_END_MODULE_GLOBALS(varfilter)
3240+
3241+
3242+#ifdef ZTS
3243+#define VARFILTER_G(v) TSRMG(varfilter_globals_id, zend_varfilter_globals *, v)
3244+#else
3245+#define VARFILTER_G(v) (varfilter_globals.v)
3246+#endif
3247+
3248+SAPI_INPUT_FILTER_FUNC(varfilter_input_filter);
3249+SAPI_UPLOAD_VARNAME_FILTER_FUNC(varfilter_upload_varname_filter);
3250+SAPI_PRE_UPLOAD_FILTER_FUNC(varfilter_pre_upload_filter);
3251+SAPI_UPLOAD_CONTENT_FILTER_FUNC(varfilter_upload_content_filter);
3252+SAPI_POST_UPLOAD_FILTER_FUNC(varfilter_post_upload_filter);
3253+SAPI_TREAT_DATA_FUNC(varfilter_treat_data);
3254+
3255+
3256+
3257+#endif /* PHP_VARFILTER_H */
3258+
3259+
3260+/*
3261+ * Local variables:
3262+ * tab-width: 4
3263+ * c-basic-offset: 4
3264+ * indent-tabs-mode: t
3265+ * End:
3266+ */
3267diff -Nura php-4.4.2/ext/varfilter/varfilter.c hardening-patch-4.4.2-0.4.9/ext/varfilter/varfilter.c
3268--- php-4.4.2/ext/varfilter/varfilter.c 1970-01-01 01:00:00.000000000 +0100
3269+++ hardening-patch-4.4.2-0.4.9/ext/varfilter/varfilter.c 2006-05-02 16:54:39.000000000 +0200
3270@@ -0,0 +1,915 @@
3271+/*
3272+ +----------------------------------------------------------------------+
3273+ | Hardened-PHP Project's varfilter extension |
3274+ +----------------------------------------------------------------------+
3275+ | Copyright (c) 2004-2005 Stefan Esser |
3276+ +----------------------------------------------------------------------+
3277+ | This source file is subject to version 2.02 of the PHP license, |
3278+ | that is bundled with this package in the file LICENSE, and is |
3279+ | available at through the world-wide-web at |
3280+ | http://www.php.net/license/2_02.txt. |
3281+ | If you did not receive a copy of the PHP license and are unable to |
3282+ | obtain it through the world-wide-web, please send a note to |
3283+ | license@php.net so we can mail you a copy immediately. |
3284+ +----------------------------------------------------------------------+
3285+ | Author: Stefan Esser <sesser@hardened-php.net> |
3286+ +----------------------------------------------------------------------+
3287+
3288+ $Id: varfilter.c,v 1.1 2004/11/14 13:27:16 ionic Exp $
3289+*/
3290+
3291+#ifdef HAVE_CONFIG_H
3292+#include "config.h"
3293+#endif
3294+
3295+#include "php.h"
3296+#include "php_ini.h"
3297+#include "ext/standard/info.h"
3298+#include "php_varfilter.h"
3299+#include "hardening_patch.h"
3300+
3301+ZEND_DECLARE_MODULE_GLOBALS(varfilter)
3302+
3303+/* True global resources - no need for thread safety here */
3304+static int le_varfilter;
3305+
3306+static void (*orig_register_server_variables)(zval *track_vars_array TSRMLS_DC) = NULL;
3307+static int (*orig_header_handler)(sapi_header_struct *sapi_header, sapi_headers_struct *sapi_headers TSRMLS_DC) = NULL;
3308+static zend_bool hooked = 0;
3309+
3310+/* {{{ varfilter_module_entry
3311+ */
3312+zend_module_entry varfilter_module_entry = {
3313+#if ZEND_MODULE_API_NO >= 20010901
3314+ STANDARD_MODULE_HEADER,
3315+#endif
3316+ "varfilter",
3317+ NULL,
3318+ PHP_MINIT(varfilter),
3319+ PHP_MSHUTDOWN(varfilter),
3320+ PHP_RINIT(varfilter), /* Replace with NULL if there's nothing to do at request start */
3321+ PHP_RSHUTDOWN(varfilter), /* Replace with NULL if there's nothing to do at request end */
3322+ PHP_MINFO(varfilter),
3323+#if ZEND_MODULE_API_NO >= 20010901
3324+ "0.4.9", /* Replace with version number for your extension */
3325+#endif
3326+ STANDARD_MODULE_PROPERTIES
3327+};
3328+/* }}} */
3329+
3330+#ifdef COMPILE_DL_VARFILTER
3331+ZEND_GET_MODULE(varfilter)
3332+#endif
3333+
3334+/* {{{ PHP_INI
3335+ */
3336+PHP_INI_BEGIN()
3337+ /* for backward compatibility */
3338+ STD_PHP_INI_ENTRY("varfilter.max_request_variables", "200", PHP_INI_PERDIR, OnUpdateLong, max_request_variables, zend_varfilter_globals, varfilter_globals)
3339+ STD_PHP_INI_ENTRY("varfilter.max_varname_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_varname_length, zend_varfilter_globals, varfilter_globals)
3340+ STD_PHP_INI_ENTRY("varfilter.max_value_length", "65000", PHP_INI_PERDIR, OnUpdateLong, max_value_length, zend_varfilter_globals, varfilter_globals)
3341+ STD_PHP_INI_ENTRY("varfilter.max_array_depth", "100", PHP_INI_PERDIR, OnUpdateLong, max_array_depth, zend_varfilter_globals, varfilter_globals)
3342+ STD_PHP_INI_ENTRY("varfilter.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_totalname_length, zend_varfilter_globals, varfilter_globals)
3343+ STD_PHP_INI_ENTRY("varfilter.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_array_index_length, zend_varfilter_globals, varfilter_globals)
3344+
3345+ STD_PHP_INI_ENTRY("hphp.request.max_vars", "200", PHP_INI_PERDIR, OnUpdateLong, max_request_variables, zend_varfilter_globals, varfilter_globals)
3346+ STD_PHP_INI_ENTRY("hphp.request.max_varname_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_varname_length, zend_varfilter_globals, varfilter_globals)
3347+ STD_PHP_INI_ENTRY("hphp.request.max_value_length", "65000", PHP_INI_PERDIR, OnUpdateLong, max_value_length, zend_varfilter_globals, varfilter_globals)
3348+ STD_PHP_INI_ENTRY("hphp.request.max_array_depth", "100", PHP_INI_PERDIR, OnUpdateLong, max_array_depth, zend_varfilter_globals, varfilter_globals)
3349+ STD_PHP_INI_ENTRY("hphp.request.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_totalname_length, zend_varfilter_globals, varfilter_globals)
3350+ STD_PHP_INI_ENTRY("hphp.request.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_array_index_length, zend_varfilter_globals, varfilter_globals)
3351+ STD_PHP_INI_ENTRY("hphp.request.disallow_nul", "1", PHP_INI_PERDIR, OnUpdateBool, disallow_nul, zend_varfilter_globals, varfilter_globals)
3352+
3353+ STD_PHP_INI_ENTRY("hphp.cookie.max_vars", "100", PHP_INI_PERDIR, OnUpdateLong, max_cookie_vars, zend_varfilter_globals, varfilter_globals)
3354+ STD_PHP_INI_ENTRY("hphp.cookie.max_name_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_cookie_name_length, zend_varfilter_globals, varfilter_globals)
3355+ STD_PHP_INI_ENTRY("hphp.cookie.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_cookie_totalname_length, zend_varfilter_globals, varfilter_globals)
3356+ STD_PHP_INI_ENTRY("hphp.cookie.max_value_length", "10000", PHP_INI_PERDIR, OnUpdateLong, max_cookie_value_length, zend_varfilter_globals, varfilter_globals)
3357+ STD_PHP_INI_ENTRY("hphp.cookie.max_array_depth", "100", PHP_INI_PERDIR, OnUpdateLong, max_cookie_array_depth, zend_varfilter_globals, varfilter_globals)
3358+ STD_PHP_INI_ENTRY("hphp.cookie.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_cookie_array_index_length, zend_varfilter_globals, varfilter_globals)
3359+ STD_PHP_INI_ENTRY("hphp.cookie.disallow_nul", "1", PHP_INI_PERDIR, OnUpdateBool, disallow_cookie_nul, zend_varfilter_globals, varfilter_globals)
3360+
3361+ STD_PHP_INI_ENTRY("hphp.get.max_vars", "100", PHP_INI_PERDIR, OnUpdateLong, max_get_vars, zend_varfilter_globals, varfilter_globals)
3362+ STD_PHP_INI_ENTRY("hphp.get.max_name_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_get_name_length, zend_varfilter_globals, varfilter_globals)
3363+ STD_PHP_INI_ENTRY("hphp.get.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_get_totalname_length, zend_varfilter_globals, varfilter_globals)
3364+ STD_PHP_INI_ENTRY("hphp.get.max_value_length", "512", PHP_INI_PERDIR, OnUpdateLong, max_get_value_length, zend_varfilter_globals, varfilter_globals)
3365+ STD_PHP_INI_ENTRY("hphp.get.max_array_depth", "50", PHP_INI_PERDIR, OnUpdateLong, max_get_array_depth, zend_varfilter_globals, varfilter_globals)
3366+ STD_PHP_INI_ENTRY("hphp.get.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_get_array_index_length, zend_varfilter_globals, varfilter_globals)
3367+ STD_PHP_INI_ENTRY("hphp.get.disallow_nul", "1", PHP_INI_PERDIR, OnUpdateBool, disallow_get_nul, zend_varfilter_globals, varfilter_globals)
3368+
3369+ STD_PHP_INI_ENTRY("hphp.post.max_vars", "200", PHP_INI_PERDIR, OnUpdateLong, max_post_vars, zend_varfilter_globals, varfilter_globals)
3370+ STD_PHP_INI_ENTRY("hphp.post.max_name_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_post_name_length, zend_varfilter_globals, varfilter_globals)
3371+ STD_PHP_INI_ENTRY("hphp.post.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_post_totalname_length, zend_varfilter_globals, varfilter_globals)
3372+ STD_PHP_INI_ENTRY("hphp.post.max_value_length", "65000", PHP_INI_PERDIR, OnUpdateLong, max_post_value_length, zend_varfilter_globals, varfilter_globals)
3373+ STD_PHP_INI_ENTRY("hphp.post.max_array_depth", "100", PHP_INI_PERDIR, OnUpdateLong, max_post_array_depth, zend_varfilter_globals, varfilter_globals)
3374+ STD_PHP_INI_ENTRY("hphp.post.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_post_array_index_length, zend_varfilter_globals, varfilter_globals)
3375+ STD_PHP_INI_ENTRY("hphp.post.disallow_nul", "1", PHP_INI_PERDIR, OnUpdateBool, disallow_post_nul, zend_varfilter_globals, varfilter_globals)
3376+
3377+ STD_PHP_INI_ENTRY("hphp.upload.max_uploads", "25", PHP_INI_PERDIR, OnUpdateLong, max_uploads, zend_varfilter_globals, varfilter_globals)
3378+ STD_PHP_INI_ENTRY("hphp.upload.disallow_elf_files", "1", PHP_INI_SYSTEM, OnUpdateBool, disallow_elf_files, zend_varfilter_globals, varfilter_globals)
3379+ STD_PHP_INI_ENTRY("hphp.upload.verification_script", NULL, PHP_INI_SYSTEM, OnUpdateString, verification_script, zend_varfilter_globals, varfilter_globals)
3380+
3381+
3382+PHP_INI_END()
3383+/* }}} */
3384+
3385+/* {{{ php_varfilter_init_globals
3386+ */
3387+static void php_varfilter_init_globals(zend_varfilter_globals *varfilter_globals)
3388+{
3389+ varfilter_globals->max_request_variables = 200;
3390+ varfilter_globals->max_varname_length = 64;
3391+ varfilter_globals->max_value_length = 10000;
3392+ varfilter_globals->max_array_depth = 100;
3393+ varfilter_globals->max_totalname_length = 256;
3394+ varfilter_globals->max_array_index_length = 64;
3395+ varfilter_globals->disallow_nul = 1;
3396+
3397+ varfilter_globals->max_cookie_vars = 100;
3398+ varfilter_globals->max_cookie_name_length = 64;
3399+ varfilter_globals->max_cookie_totalname_length = 256;
3400+ varfilter_globals->max_cookie_value_length = 10000;
3401+ varfilter_globals->max_cookie_array_depth = 100;
3402+ varfilter_globals->max_cookie_array_index_length = 64;
3403+ varfilter_globals->disallow_cookie_nul = 1;
3404+
3405+ varfilter_globals->max_get_vars = 100;
3406+ varfilter_globals->max_get_name_length = 64;
3407+ varfilter_globals->max_get_totalname_length = 256;
3408+ varfilter_globals->max_get_value_length = 512;
3409+ varfilter_globals->max_get_array_depth = 50;
3410+ varfilter_globals->max_get_array_index_length = 64;
3411+ varfilter_globals->disallow_get_nul = 1;
3412+
3413+ varfilter_globals->max_post_vars = 200;
3414+ varfilter_globals->max_post_name_length = 64;
3415+ varfilter_globals->max_post_totalname_length = 256;
3416+ varfilter_globals->max_post_value_length = 65000;
3417+ varfilter_globals->max_post_array_depth = 100;
3418+ varfilter_globals->max_post_array_index_length = 64;
3419+ varfilter_globals->disallow_post_nul = 1;
3420+
3421+ varfilter_globals->max_uploads = 25;
3422+ varfilter_globals->disallow_elf_files = 1;
3423+ varfilter_globals->verification_script = NULL;
3424+
3425+ varfilter_globals->no_more_variables = 0;
3426+ varfilter_globals->no_more_get_variables = 0;
3427+ varfilter_globals->no_more_post_variables = 0;
3428+ varfilter_globals->no_more_cookie_variables = 0;
3429+ varfilter_globals->no_more_uploads = 0;
3430+
3431+ varfilter_globals->cur_request_variables = 0;
3432+ varfilter_globals->cur_get_vars = 0;
3433+ varfilter_globals->cur_post_vars = 0;
3434+ varfilter_globals->cur_cookie_vars = 0;
3435+
3436+ varfilter_globals->cur_uploads = 0;
3437+
3438+}
3439+/* }}} */
3440+
3441+
3442+void varfilter_register_server_variables(zval *track_vars_array TSRMLS_DC)
3443+{
3444+ HashTable *svars;
3445+ int retval, failure=0;
3446+
3447+ orig_register_server_variables(track_vars_array TSRMLS_CC);
3448+
3449+ svars = Z_ARRVAL_P(track_vars_array);
3450+
3451+ retval = zend_hash_del_key_or_index(svars, "HTTP_GET_VARS", sizeof("HTTP_GET_VARS"), HASH_HTTP_GET_VARS, HASH_DEL_INDEX);
3452+ if (retval == SUCCESS) failure = 1;
3453+ retval = zend_hash_del_key_or_index(svars, "HTTP_POST_VARS", sizeof("HTTP_POST_VARS"), HASH_HTTP_POST_VARS, HASH_DEL_INDEX);
3454+ if (retval == SUCCESS) failure = 1;
3455+ retval = zend_hash_del_key_or_index(svars, "HTTP_COOKIE_VARS", sizeof("HTTP_COOKIE_VARS"), HASH_HTTP_COOKIE_VARS, HASH_DEL_INDEX);
3456+ if (retval == SUCCESS) failure = 1;
3457+ retval = zend_hash_del_key_or_index(svars, "HTTP_ENV_VARS", sizeof("HTTP_ENV_VARS"), HASH_HTTP_ENV_VARS, HASH_DEL_INDEX);
3458+ if (retval == SUCCESS) failure = 1;
3459+ retval = zend_hash_del_key_or_index(svars, "HTTP_SERVER_VARS", sizeof("HTTP_SERVER_VARS"), HASH_HTTP_SERVER_VARS, HASH_DEL_INDEX);
3460+ if (retval == SUCCESS) failure = 1;
3461+ retval = zend_hash_del_key_or_index(svars, "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS"), HASH_HTTP_SESSION_VARS, HASH_DEL_INDEX);
3462+ if (retval == SUCCESS) failure = 1;
3463+ retval = zend_hash_del_key_or_index(svars, "HTTP_POST_FILES", sizeof("HTTP_POST_FILES"), HASH_HTTP_POST_FILES, HASH_DEL_INDEX);
3464+ if (retval == SUCCESS) failure = 1;
3465+ retval = zend_hash_del_key_or_index(svars, "HTTP_RAW_POST_DATA", sizeof("HTTP_RAW_POST_DATA"), HASH_HTTP_RAW_POST_DATA, HASH_DEL_INDEX);
3466+ if (retval == SUCCESS) failure = 1;
3467+
3468+ if (failure) {
3469+ php_security_log(S_VARS, "Attacker tried to overwrite a superglobal through a HTTP header");
3470+ }
3471+}
3472+
3473+int varfilter_header_handler(sapi_header_struct *sapi_header, sapi_headers_struct *sapi_headers TSRMLS_DC)
3474+{
3475+ int retval = SAPI_HEADER_ADD, i;
3476+ char *tmp;
3477+
3478+ if (!HG(hphp_multiheader) && sapi_header && sapi_header->header) {
3479+
3480+ tmp = sapi_header->header;
3481+ for (i=0; i<sapi_header->header_len; i++, tmp++) {
3482+ if (tmp[0] == 0) {
3483+ char *fname = get_active_function_name(TSRMLS_C);
3484+
3485+ if (!fname) {
3486+ fname = "unknown";
3487+ }
3488+
3489+ php_security_log(S_MISC, "%s() - wanted to send a HTTP header with an ASCII NUL in it", fname);
3490+ sapi_header->header_len = i;
3491+ } else if (tmp[0] == '\n' && (i == sapi_header->header_len-1 || (tmp[1] != ' ' && tmp[1] != '\t'))) {
3492+ char *fname = get_active_function_name(TSRMLS_C);
3493+
3494+ if (!fname) {
3495+ fname = "unknown";
3496+ }
3497+
3498+ php_security_log(S_MISC, "%s() - wanted to send multiple HTTP headers at once", fname);
3499+ sapi_header->header_len = i;
3500+ tmp[0] = 0;
3501+ }
3502+ }
3503+ }
3504+
3505+ if (orig_header_handler) {
3506+ retval = orig_header_handler(sapi_header, sapi_headers TSRMLS_CC);
3507+ }
3508+
3509+ return retval;
3510+}
3511+
3512+/* {{{ PHP_MINIT_FUNCTION
3513+ */
3514+PHP_MINIT_FUNCTION(varfilter)
3515+{
3516+ ZEND_INIT_MODULE_GLOBALS(varfilter, php_varfilter_init_globals, NULL);
3517+ REGISTER_INI_ENTRIES();
3518+
3519+ if (!hooked) {
3520+ void *temp;
3521+ hooked = 1;
3522+
3523+ temp = (void *)sapi_module.register_server_variables;
3524+ if (temp != varfilter_register_server_variables) {
3525+ orig_register_server_variables = temp;
3526+ }
3527+ temp = (void *)sapi_module.header_handler;
3528+ if (temp != varfilter_header_handler) {
3529+ orig_header_handler = temp;
3530+ }
3531+ }
3532+
3533+ sapi_register_input_filter(varfilter_input_filter);
3534+ sapi_register_upload_varname_filter(varfilter_upload_varname_filter);
3535+ sapi_register_pre_upload_filter(varfilter_pre_upload_filter);
3536+ sapi_register_upload_content_filter(varfilter_upload_content_filter);
3537+ sapi_register_post_upload_filter(varfilter_post_upload_filter);
3538+
3539+ sapi_module.header_handler = varfilter_header_handler;
3540+ sapi_module.register_server_variables = varfilter_register_server_variables;
3541+
3542+
3543+ return SUCCESS;
3544+}
3545+/* }}} */
3546+
3547+/* {{{ PHP_MSHUTDOWN_FUNCTION
3548+ */
3549+PHP_MSHUTDOWN_FUNCTION(varfilter)
3550+{
3551+ UNREGISTER_INI_ENTRIES();
3552+
3553+ return SUCCESS;
3554+}
3555+/* }}} */
3556+
3557+/* Remove if there's nothing to do at request start */
3558+/* {{{ PHP_RINIT_FUNCTION
3559+ */
3560+PHP_RINIT_FUNCTION(varfilter)
3561+{
3562+ VARFILTER_G(cur_request_variables) = 0;
3563+ VARFILTER_G(cur_get_vars) = 0;
3564+ VARFILTER_G(cur_post_vars) = 0;
3565+ VARFILTER_G(cur_cookie_vars) = 0;
3566+
3567+ VARFILTER_G(cur_uploads) = 0;
3568+
3569+ VARFILTER_G(no_more_variables) = 0;
3570+ VARFILTER_G(no_more_get_variables) = 0;
3571+ VARFILTER_G(no_more_post_variables) = 0;
3572+ VARFILTER_G(no_more_cookie_variables) = 0;
3573+ VARFILTER_G(no_more_uploads) = 0;
3574+
3575+ return SUCCESS;
3576+}
3577+/* }}} */
3578+
3579+/* Remove if there's nothing to do at request end */
3580+/* {{{ PHP_RSHUTDOWN_FUNCTION
3581+ */
3582+PHP_RSHUTDOWN_FUNCTION(varfilter)
3583+{
3584+ return SUCCESS;
3585+}
3586+/* }}} */
3587+
3588+/* {{{ PHP_MINFO_FUNCTION
3589+ */
3590+PHP_MINFO_FUNCTION(varfilter)
3591+{
3592+ php_info_print_table_start();
3593+ php_info_print_table_header(2, "Hardening-Patch's variable filter support", "enabled");
3594+ php_info_print_table_end();
3595+
3596+ DISPLAY_INI_ENTRIES();
3597+}
3598+/* }}} */
3599+
3600+/* {{{ normalize_varname
3601+ */
3602+static void normalize_varname(char *varname)
3603+{
3604+ char *s=varname, *index=NULL, *indexend=NULL, *p;
3605+
3606+ /* overjump leading space */
3607+ while (*s == ' ') {
3608+ s++;
3609+ }
3610+
3611+ /* and remove it */
3612+ if (s != varname) {
3613+ memmove(varname, s, strlen(s)+1);
3614+ }
3615+
3616+ for (p=varname; *p && *p != '['; p++) {
3617+ switch(*p) {
3618+ case ' ':
3619+ case '.':
3620+ *p='_';
3621+ break;
3622+ }
3623+ }
3624+
3625+ /* find index */
3626+ index = strchr(varname, '[');
3627+ if (index) {
3628+ index++;
3629+ s=index;
3630+ } else {
3631+ return;
3632+ }
3633+
3634+ /* done? */
3635+ while (index) {
3636+
3637+ while (*index == ' ' || *index == '\r' || *index == '\n' || *index=='\t') {
3638+ index++;
3639+ }
3640+ indexend = strchr(index, ']');
3641+ indexend = indexend ? indexend + 1 : index + strlen(index);
3642+
3643+ if (s != index) {
3644+ memmove(s, index, strlen(index)+1);
3645+ s += indexend-index;
3646+ } else {
3647+ s = indexend;
3648+ }
3649+
3650+ if (*s == '[') {
3651+ s++;
3652+ index = s;
3653+ } else {
3654+ index = NULL;
3655+ }
3656+ }
3657+ *s++='\0';
3658+}
3659+/* }}} */
3660+
3661+/* {{{ SAPI_UPLOAD_VARNAME_FILTER_FUNC
3662+ */
3663+SAPI_UPLOAD_VARNAME_FILTER_FUNC(varfilter_upload_varname_filter)
3664+{
3665+ char *index, *prev_index = NULL, *var;
3666+ unsigned int var_len, total_len, depth = 0;
3667+
3668+ var = estrdup(varname);
3669+
3670+ /* Normalize the variable name */
3671+ normalize_varname(var);
3672+
3673+ /* Find length of variable name */
3674+ index = strchr(var, '[');
3675+ total_len = strlen(var);
3676+ var_len = index ? index-var : total_len;
3677+
3678+ /* Drop this variable if it exceeds the varname/total length limit */
3679+ if (VARFILTER_G(max_varname_length) && VARFILTER_G(max_varname_length) < var_len) {
3680+ php_security_log(S_FILES, "configured request variable name length limit exceeded - dropped %s", var);
3681+ goto return_failure;
3682+ }
3683+ if (VARFILTER_G(max_totalname_length) && VARFILTER_G(max_totalname_length) < total_len) {
3684+ php_security_log(S_FILES, "configured request variable total name length limit exceeded - dropped %s", var);
3685+ goto return_failure;
3686+ }
3687+ if (VARFILTER_G(max_post_name_length) && VARFILTER_G(max_post_name_length) < var_len) {
3688+ php_security_log(S_FILES, "configured POST variable name length limit exceeded - dropped %s", var);
3689+
3690+ goto return_failure;
3691+ }
3692+ if (VARFILTER_G(max_post_totalname_length) && VARFILTER_G(max_post_totalname_length) < var_len) {
3693+ php_security_log(S_FILES, "configured POST variable total name length limit exceeded - dropped %s", var);
3694+ goto return_failure;
3695+ }
3696+
3697+ /* Find out array depth */
3698+ while (index) {
3699+ unsigned int index_length;
3700+
3701+ depth++;
3702+ index = strchr(index+1, '[');
3703+
3704+ if (prev_index) {
3705+ index_length = index ? index - 1 - prev_index - 1: strlen(prev_index);
3706+
3707+ if (VARFILTER_G(max_array_index_length) && VARFILTER_G(max_array_index_length) < index_length) {
3708+ php_security_log(S_FILES, "configured request variable array index length limit exceeded - dropped %s", var);
3709+ goto return_failure;
3710+ }
3711+ if (VARFILTER_G(max_post_array_index_length) && VARFILTER_G(max_post_array_index_length) < index_length) {
3712+ php_security_log(S_FILES, "configured POST variable array index length limit exceeded - dropped %s", var);
3713+ goto return_failure;
3714+ }
3715+ prev_index = index;
3716+ }
3717+
3718+ }
3719+
3720+ /* Drop this variable if it exceeds the array depth limit */
3721+ if (VARFILTER_G(max_array_depth) && VARFILTER_G(max_array_depth) < depth) {
3722+ php_security_log(S_FILES, "configured request variable array depth limit exceeded - dropped %s", var);
3723+ goto return_failure;
3724+ }
3725+ if (VARFILTER_G(max_post_array_depth) && VARFILTER_G(max_post_array_depth) < depth) {
3726+ php_security_log(S_FILES, "configured POST variable array depth limit exceeded - dropped %s", var);
3727+ goto return_failure;
3728+ }
3729+
3730+
3731+ /* Drop this variable if it is one of GLOBALS, _GET, _POST, ... */
3732+ /* This is to protect several silly scripts that do globalizing themself */
3733+
3734+ switch (var_len) {
3735+ case 18:
3736+ if (memcmp(var, "HTTP_RAW_POST_DATA", 18)==0) goto protected_varname2;
3737+ break;
3738+ case 17:
3739+ if (memcmp(var, "HTTP_SESSION_VARS", 17)==0) goto protected_varname2;
3740+ break;
3741+ case 16:
3742+ if (memcmp(var, "HTTP_SERVER_VARS", 16)==0) goto protected_varname2;
3743+ if (memcmp(var, "HTTP_COOKIE_VARS", 16)==0) goto protected_varname2;
3744+ break;
3745+ case 15:
3746+ if (memcmp(var, "HTTP_POST_FILES", 15)==0) goto protected_varname2;
3747+ break;
3748+ case 14:
3749+ if (memcmp(var, "HTTP_POST_VARS", 14)==0) goto protected_varname2;
3750+ break;
3751+ case 13:
3752+ if (memcmp(var, "HTTP_GET_VARS", 13)==0) goto protected_varname2;
3753+ if (memcmp(var, "HTTP_ENV_VARS", 13)==0) goto protected_varname2;
3754+ break;
3755+ case 8:
3756+ if (memcmp(var, "_SESSION", 8)==0) goto protected_varname2;
3757+ if (memcmp(var, "_REQUEST", 8)==0) goto protected_varname2;
3758+ break;
3759+ case 7:
3760+ if (memcmp(var, "GLOBALS", 7)==0) goto protected_varname2;
3761+ if (memcmp(var, "_COOKIE", 7)==0) goto protected_varname2;
3762+ if (memcmp(var, "_SERVER", 7)==0) goto protected_varname2;
3763+ break;
3764+ case 6:
3765+ if (memcmp(var, "_FILES", 6)==0) goto protected_varname2;
3766+ break;
3767+ case 5:
3768+ if (memcmp(var, "_POST", 5)==0) goto protected_varname2;
3769+ break;
3770+ case 4:
3771+ if (memcmp(var, "_ENV", 4)==0) goto protected_varname2;
3772+ if (memcmp(var, "_GET", 4)==0) goto protected_varname2;
3773+ break;
3774+ }
3775+
3776+ efree(var);
3777+ return SUCCESS;
3778+protected_varname2:
3779+ php_security_log(S_FILES, "tried to register forbidden variable '%s' through FILE variables", var);
3780+return_failure:
3781+ efree(var);
3782+ return FAILURE;
3783+}
3784+/* }}} */
3785+
3786+/* {{{ SAPI_PRE_UPLOAD_FILTER_FUNC
3787+ */
3788+SAPI_PRE_UPLOAD_FILTER_FUNC(varfilter_pre_upload_filter)
3789+{
3790+ /* Drop if no more variables flag is set */
3791+ if (VARFILTER_G(no_more_uploads)) {
3792+ return FAILURE;
3793+ }
3794+ /* Drop this fileupload if the limit is reached */
3795+ if (VARFILTER_G(max_uploads) && VARFILTER_G(max_uploads) <= VARFILTER_G(cur_uploads)) {
3796+ php_security_log(S_FILES, "configured fileupload limit exceeded - file dropped");
3797+ VARFILTER_G(no_more_uploads) = 1;
3798+ return FAILURE;
3799+ }
3800+
3801+ return SUCCESS;
3802+}
3803+/* }}} */
3804+
3805+/* {{{ SAPI_UPLOAD_CONTENT_FILTER_FUNC
3806+ */
3807+SAPI_UPLOAD_CONTENT_FILTER_FUNC(varfilter_upload_content_filter)
3808+{
3809+
3810+ if (VARFILTER_G(disallow_elf_files)) {
3811+
3812+ if (offset == 0 && buffer_len > 10) {
3813+
3814+ if (buffer[0] == 0x7F && buffer[1] == 'E' && buffer[2] == 'L' && buffer[3] == 'F') {
3815+ php_security_log(S_FILES, "uploaded file is an ELF executable - file dropped");
3816+ return FAILURE;
3817+ }
3818+ }
3819+
3820+ }
3821+
3822+ return SUCCESS;
3823+}
3824+/* }}} */
3825+
3826+/* {{{ SAPI_POST_UPLOAD_FILTER_FUNC
3827+ */
3828+SAPI_POST_UPLOAD_FILTER_FUNC(varfilter_post_upload_filter)
3829+{
3830+ int retval = SUCCESS;
3831+
3832+ if (VARFILTER_G(verification_script)) {
3833+ char cmd[8192];
3834+ FILE *in;
3835+ int first=1;
3836+
3837+ ap_php_snprintf(cmd, sizeof(cmd), "%s %s", VARFILTER_G(verification_script), tmpfilename);
3838+
3839+ if ((in=VCWD_POPEN(cmd, "r"))==NULL) {
3840+ php_security_log(S_FILES, "unable to execute fileupload verification script %s - file dropped", VARFILTER_G(verification_script));
3841+ return FAILURE;
3842+ }
3843+
3844+ retval = FAILURE;
3845+
3846+ /* read and forget the result */
3847+ while (1) {
3848+ int readbytes = fread(cmd, 1, sizeof(cmd), in);
3849+ if (readbytes<=0) {
3850+ break;
3851+ }
3852+ if (first) {
3853+ retval = atoi(cmd) == 1 ? SUCCESS : FAILURE;
3854+ first = 0;
3855+ }
3856+ }
3857+ pclose(in);
3858+ }
3859+
3860+ if (retval != SUCCESS) {
3861+ php_security_log(S_FILES, "fileupload verification script disallows file - file dropped");
3862+ return FAILURE;
3863+ }
3864+
3865+ VARFILTER_G(cur_uploads)++;
3866+ return SUCCESS;
3867+}
3868+/* }}} */
3869+
3870+/* {{{ SAPI_INPUT_FILTER_FUNC
3871+ */
3872+SAPI_INPUT_FILTER_FUNC(varfilter_input_filter)
3873+{
3874+ char *index, *prev_index = NULL;
3875+ unsigned int var_len, total_len, depth = 0;
3876+
3877+ /* Drop this variable if the limit was reached */
3878+ switch (arg) {
3879+ case PARSE_GET:
3880+ if (VARFILTER_G(no_more_get_variables)) {
3881+ return 0;
3882+ }
3883+ break;
3884+ case PARSE_POST:
3885+ if (VARFILTER_G(no_more_post_variables)) {
3886+ return 0;
3887+ }
3888+ break;
3889+ case PARSE_COOKIE:
3890+ if (VARFILTER_G(no_more_cookie_variables)) {
3891+ return 0;
3892+ }
3893+ break;
3894+ default: /* we do not want to protect parse_str() and friends */
3895+ if (new_val_len) {
3896+ *new_val_len = val_len;
3897+ }
3898+ return 1;
3899+ }
3900+ if (VARFILTER_G(no_more_variables)) {
3901+ return 0;
3902+ }
3903+
3904+ /* Drop this variable if the limit is now reached */
3905+ if (VARFILTER_G(max_request_variables) && VARFILTER_G(max_request_variables) <= VARFILTER_G(cur_request_variables)) {
3906+ php_security_log(S_VARS, "configured request variable limit exceeded - dropped %s", var);
3907+ VARFILTER_G(no_more_variables) = 1;
3908+ return 0;
3909+ }
3910+ switch (arg) {
3911+ case PARSE_GET:
3912+ if (VARFILTER_G(max_get_vars) && VARFILTER_G(max_get_vars) <= VARFILTER_G(cur_get_vars)) {
3913+ php_security_log(S_VARS, "configured GET variable limit exceeded - dropped %s", var);
3914+ VARFILTER_G(no_more_get_variables) = 1;
3915+ return 0;
3916+ }
3917+ break;
3918+ case PARSE_COOKIE:
3919+ if (VARFILTER_G(max_cookie_vars) && VARFILTER_G(max_cookie_vars) <= VARFILTER_G(cur_cookie_vars)) {
3920+ php_security_log(S_VARS, "configured COOKIE variable limit exceeded - dropped %s", var);
3921+ VARFILTER_G(no_more_cookie_variables) = 1;
3922+ return 0;
3923+ }
3924+ break;
3925+ case PARSE_POST:
3926+ if (VARFILTER_G(max_post_vars) && VARFILTER_G(max_post_vars) <= VARFILTER_G(cur_post_vars)) {
3927+ php_security_log(S_VARS, "configured POST variable limit exceeded - dropped %s", var);
3928+ VARFILTER_G(no_more_post_variables) = 1;
3929+ return 0;
3930+ }
3931+ break;
3932+ }
3933+
3934+
3935+ /* Drop this variable if it exceeds the value length limit */
3936+ if (VARFILTER_G(max_value_length) && VARFILTER_G(max_value_length) < val_len) {
3937+ php_security_log(S_VARS, "configured request variable value length limit exceeded - dropped %s", var);
3938+ return 0;
3939+ }
3940+ switch (arg) {
3941+ case PARSE_GET:
3942+ if (VARFILTER_G(max_get_value_length) && VARFILTER_G(max_get_value_length) < val_len) {
3943+ php_security_log(S_VARS, "configured GET variable value length limit exceeded - dropped %s", var);
3944+ return 0;
3945+ }
3946+ break;
3947+ case PARSE_COOKIE:
3948+ if (VARFILTER_G(max_cookie_value_length) && VARFILTER_G(max_cookie_value_length) < val_len) {
3949+ php_security_log(S_VARS, "configured COOKIE variable value length limit exceeded - dropped %s", var);
3950+ return 0;
3951+ }
3952+ break;
3953+ case PARSE_POST:
3954+ if (VARFILTER_G(max_post_value_length) && VARFILTER_G(max_post_value_length) < val_len) {
3955+ php_security_log(S_VARS, "configured POST variable value length limit exceeded - dropped %s", var);
3956+ return 0;
3957+ }
3958+ break;
3959+ }
3960+
3961+ /* Normalize the variable name */
3962+ normalize_varname(var);
3963+
3964+ /* Find length of variable name */
3965+ index = strchr(var, '[');
3966+ total_len = strlen(var);
3967+ var_len = index ? index-var : total_len;
3968+
3969+ /* Drop this variable if it exceeds the varname/total length limit */
3970+ if (VARFILTER_G(max_varname_length) && VARFILTER_G(max_varname_length) < var_len) {
3971+ php_security_log(S_VARS, "configured request variable name length limit exceeded - dropped %s", var);
3972+ return 0;
3973+ }
3974+ if (VARFILTER_G(max_totalname_length) && VARFILTER_G(max_totalname_length) < total_len) {
3975+ php_security_log(S_VARS, "configured request variable total name length limit exceeded - dropped %s", var);
3976+ return 0;
3977+ }
3978+ switch (arg) {
3979+ case PARSE_GET:
3980+ if (VARFILTER_G(max_get_name_length) && VARFILTER_G(max_get_name_length) < var_len) {
3981+ php_security_log(S_VARS, "configured GET variable name length limit exceeded - dropped %s", var);
3982+ return 0;
3983+ }
3984+ if (VARFILTER_G(max_get_totalname_length) && VARFILTER_G(max_get_totalname_length) < var_len) {
3985+ php_security_log(S_VARS, "configured GET variable total name length limit exceeded - dropped %s", var);
3986+ return 0;
3987+ }
3988+ break;
3989+ case PARSE_COOKIE:
3990+ if (VARFILTER_G(max_cookie_name_length) && VARFILTER_G(max_cookie_name_length) < var_len) {
3991+ php_security_log(S_VARS, "configured COOKIE variable name length limit exceeded - dropped %s", var);
3992+ return 0;
3993+ }
3994+ if (VARFILTER_G(max_cookie_totalname_length) && VARFILTER_G(max_cookie_totalname_length) < var_len) {
3995+ php_security_log(S_VARS, "configured COOKIE variable total name length limit exceeded - dropped %s", var);
3996+ return 0;
3997+ }
3998+ break;
3999+ case PARSE_POST:
4000+ if (VARFILTER_G(max_post_name_length) && VARFILTER_G(max_post_name_length) < var_len) {
4001+ php_security_log(S_VARS, "configured POST variable name length limit exceeded - dropped %s", var);
4002+ return 0;
4003+ }
4004+ if (VARFILTER_G(max_post_totalname_length) && VARFILTER_G(max_post_totalname_length) < var_len) {
4005+ php_security_log(S_VARS, "configured POST variable total name length limit exceeded - dropped %s", var);
4006+ return 0;
4007+ }
4008+ break;
4009+ }
4010+
4011+ /* Find out array depth */
4012+ while (index) {
4013+ unsigned int index_length;
4014+
4015+ depth++;
4016+ index = strchr(index+1, '[');
4017+
4018+ if (prev_index) {
4019+ index_length = index ? index - 1 - prev_index - 1: strlen(prev_index);
4020+
4021+ if (VARFILTER_G(max_array_index_length) && VARFILTER_G(max_array_index_length) < index_length) {
4022+ php_security_log(S_VARS, "configured request variable array index length limit exceeded - dropped %s", var);
4023+ return 0;
4024+ }
4025+ switch (arg) {
4026+ case PARSE_GET:
4027+ if (VARFILTER_G(max_get_array_index_length) && VARFILTER_G(max_get_array_index_length) < index_length) {
4028+ php_security_log(S_VARS, "configured GET variable array index length limit exceeded - dropped %s", var);
4029+ return 0;
4030+ }
4031+ break;
4032+ case PARSE_COOKIE:
4033+ if (VARFILTER_G(max_cookie_array_index_length) && VARFILTER_G(max_cookie_array_index_length) < index_length) {
4034+ php_security_log(S_VARS, "configured COOKIE variable array index length limit exceeded - dropped %s", var);
4035+ return 0;
4036+ }
4037+ break;
4038+ case PARSE_POST:
4039+ if (VARFILTER_G(max_post_array_index_length) && VARFILTER_G(max_post_array_index_length) < index_length) {
4040+ php_security_log(S_VARS, "configured POST variable array index length limit exceeded - dropped %s", var);
4041+ return 0;
4042+ }
4043+ break;
4044+ }
4045+ prev_index = index;
4046+ }
4047+
4048+ }
4049+
4050+ /* Drop this variable if it exceeds the array depth limit */
4051+ if (VARFILTER_G(max_array_depth) && VARFILTER_G(max_array_depth) < depth) {
4052+ php_security_log(S_VARS, "configured request variable array depth limit exceeded - dropped %s", var);
4053+ return 0;
4054+ }
4055+ switch (arg) {
4056+ case PARSE_GET:
4057+ if (VARFILTER_G(max_get_array_depth) && VARFILTER_G(max_get_array_depth) < depth) {
4058+ php_security_log(S_VARS, "configured GET variable array depth limit exceeded - dropped %s", var);
4059+ return 0;
4060+ }
4061+ break;
4062+ case PARSE_COOKIE:
4063+ if (VARFILTER_G(max_cookie_array_depth) && VARFILTER_G(max_cookie_array_depth) < depth) {
4064+ php_security_log(S_VARS, "configured COOKIE variable array depth limit exceeded - dropped %s", var);
4065+ return 0;
4066+ }
4067+ break;
4068+ case PARSE_POST:
4069+ if (VARFILTER_G(max_post_array_depth) && VARFILTER_G(max_post_array_depth) < depth) {
4070+ php_security_log(S_VARS, "configured POST variable array depth limit exceeded - dropped %s", var);
4071+ return 0;
4072+ }
4073+ break;
4074+ }
4075+
4076+ /* Check if variable value is truncated by a \0 */
4077+
4078+ if (val && *val && val_len != strlen(*val)) {
4079+
4080+ if (VARFILTER_G(disallow_nul)) {
4081+ php_security_log(S_VARS, "ASCII-NUL chars not allowed within request variables - dropped %s", var);
4082+ return 0;
4083+ }
4084+ switch (arg) {
4085+ case PARSE_GET:
4086+ if (VARFILTER_G(disallow_get_nul)) {
4087+ php_security_log(S_VARS, "ASCII-NUL chars not allowed within GET variables - dropped %s", var);
4088+ return 0;
4089+ }
4090+ break;
4091+ case PARSE_COOKIE:
4092+ if (VARFILTER_G(disallow_cookie_nul)) {
4093+ php_security_log(S_VARS, "ASCII-NUL chars not allowed within COOKIE variables - dropped %s", var);
4094+ return 0;
4095+ }
4096+ break;
4097+ case PARSE_POST:
4098+ if (VARFILTER_G(disallow_post_nul)) {
4099+ php_security_log(S_VARS, "ASCII-NUL chars not allowed within POST variables - dropped %s", var);
4100+ return 0;
4101+ }
4102+ break;
4103+ }
4104+ }
4105+
4106+ /* Drop this variable if it is one of GLOBALS, _GET, _POST, ... */
4107+ /* This is to protect several silly scripts that do globalizing themself */
4108+
4109+ switch (var_len) {
4110+ case 18:
4111+ if (memcmp(var, "HTTP_RAW_POST_DATA", 18)==0) goto protected_varname;
4112+ break;
4113+ case 17:
4114+ if (memcmp(var, "HTTP_SESSION_VARS", 17)==0) goto protected_varname;
4115+ break;
4116+ case 16:
4117+ if (memcmp(var, "HTTP_SERVER_VARS", 16)==0) goto protected_varname;
4118+ if (memcmp(var, "HTTP_COOKIE_VARS", 16)==0) goto protected_varname;
4119+ break;
4120+ case 15:
4121+ if (memcmp(var, "HTTP_POST_FILES", 15)==0) goto protected_varname;
4122+ break;
4123+ case 14:
4124+ if (memcmp(var, "HTTP_POST_VARS", 14)==0) goto protected_varname;
4125+ break;
4126+ case 13:
4127+ if (memcmp(var, "HTTP_GET_VARS", 13)==0) goto protected_varname;
4128+ if (memcmp(var, "HTTP_ENV_VARS", 13)==0) goto protected_varname;
4129+ break;
4130+ case 8:
4131+ if (memcmp(var, "_SESSION", 8)==0) goto protected_varname;
4132+ if (memcmp(var, "_REQUEST", 8)==0) goto protected_varname;
4133+ break;
4134+ case 7:
4135+ if (memcmp(var, "GLOBALS", 7)==0) goto protected_varname;
4136+ if (memcmp(var, "_COOKIE", 7)==0) goto protected_varname;
4137+ if (memcmp(var, "_SERVER", 7)==0) goto protected_varname;
4138+ break;
4139+ case 6:
4140+ if (memcmp(var, "_FILES", 6)==0) goto protected_varname;
4141+ break;
4142+ case 5:
4143+ if (memcmp(var, "_POST", 5)==0) goto protected_varname;
4144+ break;
4145+ case 4:
4146+ if (memcmp(var, "_ENV", 4)==0) goto protected_varname;
4147+ if (memcmp(var, "_GET", 4)==0) goto protected_varname;
4148+ break;
4149+ }
4150+
4151+ /* Okay let PHP register this variable */
4152+ VARFILTER_G(cur_request_variables)++;
4153+ switch (arg) {
4154+ case PARSE_GET:
4155+ VARFILTER_G(cur_get_vars)++;
4156+ break;
4157+ case PARSE_COOKIE:
4158+ VARFILTER_G(cur_cookie_vars)++;
4159+ break;
4160+ case PARSE_POST:
4161+ VARFILTER_G(cur_post_vars)++;
4162+ break;
4163+ }
4164+
4165+ if (new_val_len) {
4166+ *new_val_len = val_len;
4167+ }
4168+
4169+ return 1;
4170+protected_varname:
4171+ php_security_log(S_VARS, "tried to register forbidden variable '%s' through %s variables", var, arg == PARSE_GET ? "GET" : arg == PARSE_POST ? "POST" : "COOKIE");
4172+ return 0;
4173+}
4174+/* }}} */
4175+
4176+/*
4177+ * Local variables:
4178+ * tab-width: 4
4179+ * c-basic-offset: 4
4180+ * End:
4181+ * vim600: noet sw=4 ts=4 fdm=marker
4182+ * vim<600: noet sw=4 ts=4
4183+ */
4184+
4185+
4186diff -Nura php-4.4.2/main/fopen_wrappers.c hardening-patch-4.4.2-0.4.9/main/fopen_wrappers.c
4187--- php-4.4.2/main/fopen_wrappers.c 2006-01-01 14:46:59.000000000 +0100
4188+++ hardening-patch-4.4.2-0.4.9/main/fopen_wrappers.c 2006-05-02 17:00:53.000000000 +0200
4189@@ -124,6 +124,12 @@
4190 }
4191 }
4192
4193+ if (resolved_name_len == resolved_basedir_len - 1) {
4194+ if (resolved_basedir[resolved_basedir_len - 1] == PHP_DIR_SEPARATOR) {
4195+ resolved_basedir_len--;
4196+ }
4197+ }
4198+
4199 /* Check the path */
4200 #ifdef PHP_WIN32
4201 if (strncasecmp(resolved_basedir, resolved_name, resolved_basedir_len) == 0) {
4202@@ -156,6 +162,21 @@
4203 char *pathbuf;
4204 char *ptr;
4205 char *end;
4206+ char path_copy[MAXPATHLEN];
4207+ int path_len;
4208+
4209+ /* Special case path ends with a trailing slash */
4210+ path_len = strlen(path);
4211+ if (path_len >= MAXPATHLEN) {
4212+ errno = EPERM; /* we deny permission to open it */
4213+ return -1;
4214+ }
4215+ if (path_len > 0 && path[path_len-1] == PHP_DIR_SEPARATOR) {
4216+ memcpy(path_copy, path, path_len+1);
4217+ while (path_len > 0 && path_copy[path_len-1] == PHP_DIR_SEPARATOR) path_len--;
4218+ path_copy[path_len] = '\0';
4219+ path = (const char *)&path_copy;
4220+ }
4221
4222 pathbuf = estrdup(PG(open_basedir));
4223
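Review bot: In the second hunk the strip loop `while (path_len > 0 && path_copy[path_len-1] == PHP_DIR_SEPARATOR) path_len--;` turns a path consisting only of separators (`/`) into the empty string before it reaches the open_basedir comparison that follows the hunk; if the root directory is meant to stay `/`, the bound should be `path_len > 1`, and what the callee does with an empty path should be confirmed. `path = (const char *)&path_copy;` takes the address of the whole array object and casts it; `path = path_copy;` yields the same pointer without the cast. The `path_len >= MAXPATHLEN` rejection is what keeps the later `memcpy(path_copy, path, path_len+1)` inside `path_copy`, which deserves a comment such as `/* path_len < MAXPATHLEN, so the NUL-terminated copy fits */` next to the memcpy, and the reason for answering over-long paths with `EPERM` rather than `ENAMETOOLONG` is worth stating there too. The enclosing function starts before the hunk and continues after it.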
4224diff -Nura php-4.4.2/main/hardened_globals.h hardening-patch-4.4.2-0.4.9/main/hardened_globals.h
4225--- php-4.4.2/main/hardened_globals.h 1970-01-01 01:00:00.000000000 +0100
4226+++ hardening-patch-4.4.2-0.4.9/main/hardened_globals.h 2006-05-02 16:46:34.000000000 +0200
4227@@ -0,0 +1,62 @@
4228+/*
4229+ +----------------------------------------------------------------------+
4230+ | Hardening-Patch for PHP |
4231+ +----------------------------------------------------------------------+
4232+ | Copyright (c) 2004-2005 Stefan Esser |
4233+ +----------------------------------------------------------------------+
4234+ | This source file is subject to version 2.02 of the PHP license, |
4235+ | that is bundled with this package in the file LICENSE, and is |
4236+ | available at through the world-wide-web at |
4237+ | http://www.php.net/license/2_02.txt. |
4238+ | If you did not receive a copy of the PHP license and are unable to |
4239+ | obtain it through the world-wide-web, please send a note to |
4240+ | license@php.net so we can mail you a copy immediately. |
4241+ +----------------------------------------------------------------------+
4242+ | Author: Stefan Esser <sesser@hardened-php.net> |
4243+ +----------------------------------------------------------------------+
4244+ */
4245+
4246+#ifndef HARDENED_GLOBALS_H
4247+#define HARDENED_GLOBALS_H
4248+
4249+typedef struct _hardened_globals hardened_globals_struct;
4250+
4251+#ifdef ZTS
4252+# define HG(v) TSRMG(hardened_globals_id, hardened_globals_struct *, v)
4253+extern int hardened_globals_id;
4254+#else
4255+# define HG(v) (hardened_globals.v)
4256+extern struct _hardened_globals hardened_globals;
4257+#endif
4258+
4259+
4260+struct _hardened_globals {
4261+#if HARDENING_PATCH_MM_PROTECT
4262+ unsigned int canary_1;
4263+ unsigned int canary_2;
4264+#endif
4265+#if HARDENING_PATCH_LL_PROTECT
4266+ unsigned int canary_3;
4267+ unsigned int canary_4;
4268+ unsigned int ll_canary_inited;
4269+#endif
4270+ zend_bool hphp_sql_bailout_on_error;
4271+ zend_bool hphp_multiheader;
4272+ HashTable *eval_whitelist;
4273+ HashTable *eval_blacklist;
4274+ HashTable *func_whitelist;
4275+ HashTable *func_blacklist;
4276+ HashTable *include_whitelist;
4277+ HashTable *include_blacklist;
4278+ unsigned int dummy;
4279+};
4280+
4281+
4282+#endif /* HARDENED_GLOBALS_H */
4283+
4284+/*
4285+ * Local variables:
4286+ * tab-width: 4
4287+ * c-basic-offset: 4
4288+ * End:
4289+ */
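Review bot: The canary members are compiled in only under `#if HARDENING_PATCH_MM_PROTECT` / `#if HARDENING_PATCH_LL_PROTECT`, but `hardened_clear_mm_canaries()` in the hardening_patch.c section that follows assigns `HG(canary_1)` and `HG(canary_2)` inside the plain `#if HARDENING_PATCH` region, so a build with memory-manager protection disabled presumably fails to compile unless configure forces both macros on together — worth confirming, and the struct deserves a comment stating that dependency. None of the members is documented: a short comment per group would help, in particular who allocates and destroys the six `HashTable *` lists (the visible constructor only `memset`s the struct to zero) and what `dummy` is for. A note that hardening_patch.c provides the `hardened_globals` / `hardened_globals_id` definitions declared `extern` here and that `hardened_startup()` performs the zero-initialisation would save the next reader a search.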
4290diff -Nura php-4.4.2/main/hardening_patch.c hardening-patch-4.4.2-0.4.9/main/hardening_patch.c
4291--- php-4.4.2/main/hardening_patch.c 1970-01-01 01:00:00.000000000 +0100
4292+++ hardening-patch-4.4.2-0.4.9/main/hardening_patch.c 2006-05-02 16:46:34.000000000 +0200
4293@@ -0,0 +1,430 @@
4294+/*
4295+ +----------------------------------------------------------------------+
4296+ | Hardening Patch for PHP |
4297+ +----------------------------------------------------------------------+
4298+ | Copyright (c) 2004-2005 Stefan Esser |
4299+ +----------------------------------------------------------------------+
4300+ | This source file is subject to version 2.02 of the PHP license, |
4301+ | that is bundled with this package in the file LICENSE, and is |
4302+ | available at through the world-wide-web at |
4303+ | http://www.php.net/license/2_02.txt. |
4304+ | If you did not receive a copy of the PHP license and are unable to |
4305+ | obtain it through the world-wide-web, please send a note to |
4306+ | license@php.net so we can mail you a copy immediately. |
4307+ +----------------------------------------------------------------------+
4308+ | Author: Stefan Esser <sesser@hardened-php.net> |
4309+ +----------------------------------------------------------------------+
4310+ */
4311+/* $Id: hardening_patch.c,v 1.2 2004/11/21 09:38:52 ionic Exp $ */
4312+
4313+#include "php.h"
4314+
4315+#include <stdio.h>
4316+#include <stdlib.h>
4317+
4318+#if HAVE_UNISTD_H
4319+#include <unistd.h>
4320+#endif
4321+#include "SAPI.h"
4322+#include "php_globals.h"
4323+
4324+#if HARDENING_PATCH
4325+
4326+#ifdef HAVE_SYS_SOCKET_H
4327+#include <sys/socket.h>
4328+#endif
4329+
4330+#if defined(PHP_WIN32) || defined(__riscos__) || defined(NETWARE)
4331+#undef AF_UNIX
4332+#endif
4333+
4334+#if defined(AF_UNIX)
4335+#include <sys/un.h>
4336+#endif
4337+
4338+#define SYSLOG_PATH "/dev/log"
4339+
4340+#include "snprintf.h"
4341+
4342+#include "hardening_patch.h"
4343+
4344+#ifdef ZTS
4345+#include "hardened_globals.h"
4346+int hardened_globals_id;
4347+#else
4348+struct _hardened_globals hardened_globals;
4349+#endif
4350+
4351+static void hardened_globals_ctor(hardened_globals_struct *hardened_globals TSRMLS_DC)
4352+{
4353+ memset(hardened_globals, 0, sizeof(*hardened_globals));
4354+}
4355+
4356+
4357+PHPAPI void hardened_startup()
4358+{
4359+#ifdef ZTS
4360+ ts_allocate_id(&hardened_globals_id, sizeof(hardened_globals_struct), (ts_allocate_ctor) hardened_globals_ctor, NULL);
4361+#else
4362+ hardened_globals_ctor(&hardened_globals TSRMLS_CC);
4363+#endif
4364+}
4365+
4366+PHPAPI void hardened_clear_mm_canaries(TSRMLS_D)
4367+{
4368+ HG(canary_1) = php_canary();
4369+ HG(canary_2) = php_canary();
4370+}
4371+
4372+char *loglevel2string(int loglevel)
4373+{
4374+ switch (loglevel) {
4375+ case S_FILES:
4376+ return "FILES";
4377+ case S_INCLUDE:
4378+ return "INCLUDE";
4379+ case S_MEMORY:
4380+ return "MEMORY";
4381+ case S_MISC:
4382+ return "MISC";
4383+ case S_SQL:
4384+ return "SQL";
4385+ case S_EXECUTOR:
4386+ return "EXECUTOR";
4387+ case S_VARS:
4388+ return "VARS";
4389+ default:
4390+ return "UNKNOWN";
4391+ }
4392+}
4393+
4394+PHPAPI void php_security_log(int loglevel, char *fmt, ...)
4395+{
4396+#if defined(AF_UNIX)
4397+ int s, r, i=0;
4398+ struct sockaddr_un saun;
4399+ char buf[4096+64];
4400+ char error[4096+100];
4401+ char *ip_address;
4402+ char *fname;
4403+ int lineno;
4404+ va_list ap;
4405+ TSRMLS_FETCH();
4406+
4407+ if (EG(hphp_log_use_x_forwarded_for)) {
4408+ ip_address = sapi_getenv("HTTP_X_FORWARDED_FOR", 20 TSRMLS_CC);
4409+ if (ip_address == NULL) {
4410+ ip_address = "X-FORWARDED-FOR not set";
4411+ }
4412+ } else {
4413+ ip_address = sapi_getenv("REMOTE_ADDR", 11 TSRMLS_CC);
4414+ if (ip_address == NULL) {
4415+ ip_address = "REMOTE_ADDR not set";
4416+ }
4417+ }
4418+
4419+
4420+ va_start(ap, fmt);
4421+ ap_php_vsnprintf(error, sizeof(error), fmt, ap);
4422+ va_end(ap);
4423+ while (error[i]) {
4424+ if (error[i] < 32) error[i] = '.';
4425+ i++;
4426+ }
4427+
4428+ if (zend_is_executing(TSRMLS_C)) {
4429+ lineno = zend_get_executed_lineno(TSRMLS_C);
4430+ fname = zend_get_executed_filename(TSRMLS_C);
4431+ ap_php_snprintf(buf, sizeof(buf), "ALERT - %s (attacker '%s', file '%s', line %u)", error, ip_address, fname, lineno);
4432+ } else {
4433+ fname = sapi_getenv("SCRIPT_FILENAME", 15 TSRMLS_CC);
4434+ if (fname==NULL) {
4435+ fname = "unknown";
4436+ }
4437+ ap_php_snprintf(buf, sizeof(buf), "ALERT - %s (attacker '%s', file '%s')", error, ip_address, fname);
4438+ }
4439+
4440+ /* Syslog-Logging disabled? */
4441+ if ((EG(hphp_log_syslog) & loglevel)==0) {
4442+ goto log_sapi;
4443+ }
4444+
4445+ ap_php_snprintf(error, sizeof(error), "<%u>hphp[%u]: %s\n", EG(hphp_log_syslog_facility)|EG(hphp_log_syslog_priority),getpid(),buf);
4446+
4447+ s = socket(AF_UNIX, SOCK_DGRAM, 0);
4448+ if (s == -1) {
4449+ goto log_sapi;
4450+ }
4451+
4452+ memset(&saun, 0, sizeof(saun));
4453+ saun.sun_family = AF_UNIX;
4454+ strcpy(saun.sun_path, SYSLOG_PATH);
4455+ /*saun.sun_len = sizeof(saun);*/
4456+
4457+ r = connect(s, (struct sockaddr *)&saun, sizeof(saun));
4458+ if (r) {
4459+ close(s);
4460+ s = socket(AF_UNIX, SOCK_STREAM, 0);
4461+ if (s == -1) {
4462+ goto log_sapi;
4463+ }
4464+
4465+ memset(&saun, 0, sizeof(saun));
4466+ saun.sun_family = AF_UNIX;
4467+ strcpy(saun.sun_path, SYSLOG_PATH);
4468+ /*saun.sun_len = sizeof(saun);*/
4469+
4470+ r = connect(s, (struct sockaddr *)&saun, sizeof(saun));
4471+ if (r) {
4472+ close(s);
4473+ goto log_sapi;
4474+ }
4475+ }
4476+ send(s, error, strlen(error), 0);
4477+
4478+ close(s);
4479+
4480+log_sapi:
4481+ /* SAPI Logging activated? */
4482+ if ((EG(hphp_log_sapi) & loglevel)!=0) {
4483+ sapi_module.log_message(buf);
4484+ }
4485+
4486+log_script:
4487+ /* script logging activaed? */
4488+ if (((EG(hphp_log_script) & loglevel)!=0) && EG(hphp_log_scriptname)!=NULL) {
4489+ char cmd[8192], *cmdpos, *bufpos;
4490+ FILE *in;
4491+ int space;
4492+
4493+ ap_php_snprintf(cmd, sizeof(cmd), "%s %s \'", EG(hphp_log_scriptname), loglevel2string(loglevel));
4494+ space = sizeof(cmd) - strlen(cmd);
4495+ cmdpos = cmd + strlen(cmd);
4496+ bufpos = buf;
4497+ if (space <= 1) return;
4498+ while (space > 2 && *bufpos) {
4499+ if (*bufpos == '\'') {
4500+ if (space<=5) break;
4501+ *cmdpos++ = '\'';
4502+ *cmdpos++ = '\\';
4503+ *cmdpos++ = '\'';
4504+ *cmdpos++ = '\'';
4505+ bufpos++;
4506+ space-=4;
4507+ } else {
4508+ *cmdpos++ = *bufpos++;
4509+ space--;
4510+ }
4511+ }
4512+ *cmdpos++ = '\'';
4513+ *cmdpos = 0;
4514+
4515+ if ((in=VCWD_POPEN(cmd, "r"))==NULL) {
4516+ php_security_log(S_INTERNAL, "Unable to execute logging shell script: %s", EG(hphp_log_scriptname));
4517+ return;
4518+ }
4519+ /* read and forget the result */
4520+ while (1) {
4521+ int readbytes = fread(cmd, 1, sizeof(cmd), in);
4522+ if (readbytes<=0) {
4523+ break;
4524+ }
4525+ }
4526+ pclose(in);
4527+ }
4528+
4529+#endif
4530+}
4531+#endif
4532+
4533+#if HARDENING_PATCH_MM_PROTECT || HARDENING_PATCH_LL_PROTECT || HARDENING_PATCH_HASH_PROTECT
4534+
4535+/* will be replaced later with more compatible method */
4536+PHPAPI unsigned int php_canary()
4537+{
4538+ time_t t;
4539+ unsigned int canary;
4540+ int fd;
4541+
4542+ fd = open("/dev/urandom", 0);
4543+ if (fd != -1) {
4544+ int r = read(fd, &canary, sizeof(canary));
4545+ close(fd);
4546+ if (r == sizeof(canary)) {
4547+ return (canary);
4548+ }
4549+ }
4550+ /* not good but we never want to do this */
4551+ time(&t);
4552+ canary = *(unsigned int *)&t + getpid() << 16;
4553+ return (canary);
4554+}
4555+#endif
4556+
4557+#if HARDENING_PATCH_INC_PROTECT
4558+
4559+PHPAPI int php_is_valid_include(zval *z)
4560+{
4561+ char *filename;
4562+ int len, i;
4563+ TSRMLS_FETCH();
4564+
4565+ /* must be of type string */
4566+ if (z->type != IS_STRING || z->value.str.val == NULL) {
4567+ return (0);
4568+ }
4569+
4570+ /* short cut */
4571+ filename = z->value.str.val;
4572+ len = z->value.str.len;
4573+
4574+ /* 1. must be shorter than MAXPATHLEN */
4575+ if (len > MAXPATHLEN) {
4576+ char *fname = estrndup(filename, len);
4577+ for (i=0; i < len; i++) if (fname[i] < 32) fname[i]='.';
4578+ php_security_log(S_INCLUDE, "Include filename ('%s') longer than MAXPATHLEN chars", fname);
4579+ efree(fname);
4580+ return (0);
4581+ }
4582+
4583+ /* 2. must not be cutted */
4584+ if (len != strlen(filename)) {
4585+ char *fname = estrndup(filename, len);
4586+ for (i=0; fname[i]; i++) if (fname[i] < 32) fname[i]='.';
4587+ php_security_log(S_INCLUDE, "Include filename truncated by a \\0 after '%s'", fname);
4588+ efree(fname);
4589+ return (0);
4590+ }
4591+
4592+ /* 3. when it is an URL first check black/whitelist if both are empty disallow all URLs */
4593+ if (strstr(filename, "://")) {
4594+ char *fname = estrndup(filename, len);
4595+ for (i=0; i < len; i++) if (fname[i] < 32) fname[i]='.';
4596+
4597+ /* no black or whitelist then disallow all */
4598+ if (HG(include_whitelist)==NULL && HG(include_blacklist)==NULL) {
4599+ php_security_log(S_INCLUDE, "Include filename ('%s') is an URL", fname);
4600+ efree(fname);
4601+ return (0);
4602+ }
4603+
4604+ /* whitelist is stronger than blacklist */
4605+ if (HG(include_whitelist)) {
4606+ char *s, *t, *h, *index;
4607+ uint indexlen;
4608+ ulong numindex;
4609+
4610+ s = filename;
4611+
4612+ do {
4613+ zend_bool isOk = 0;
4614+ int tlen;
4615+
4616+ t = h = strstr(s, "://");
4617+ if (h == NULL) break;
4618+
4619+
4620+ while (t > s && (isalnum(t[-1]) || t[-1]=='_')) {
4621+ t--;
4622+ }
4623+
4624+ tlen = strlen(t);
4625+
4626+ zend_hash_internal_pointer_reset(HG(include_whitelist));
4627+ do {
4628+ int r = zend_hash_get_current_key_ex(HG(include_whitelist), &index, &indexlen, &numindex, 0, NULL);
4629+
4630+ if (r==HASH_KEY_NON_EXISTANT) {
4631+ break;
4632+ }
4633+ if (r==HASH_KEY_IS_STRING) {
4634+ if (h-t <= indexlen-1 && tlen>=indexlen-1) {
4635+ if (strncmp(t, index, indexlen-1)==0) {
4636+ isOk = 1;
4637+ break;
4638+ }
4639+ }
4640+ }
4641+
4642+ zend_hash_move_forward(HG(include_whitelist));
4643+ } while (1);
4644+
4645+ /* not found in whitelist */
4646+ if (!isOk) {
4647+ php_security_log(S_INCLUDE, "Include filename ('%s') is an URL that is not allowed in whitelist", fname);
4648+ efree(fname);
4649+ return 0;
4650+ }
4651+
4652+ s = h + 3;
4653+ } while (1);
4654+ } else {
4655+ /* okay then handle the blacklist */
4656+ char *s, *t, *h, *index;
4657+ uint indexlen;
4658+ ulong numindex;
4659+
4660+ s = filename;
4661+
4662+ do {
4663+ int tlen;
4664+
4665+ t = h = strstr(s, "://");
4666+ if (h == NULL) break;
4667+
4668+
4669+ while (t > s) {
4670+ if (isalnum(t[-1]) || t[-1]=='_') t--;
4671+ }
4672+
4673+ tlen = strlen(t);
4674+
4675+ zend_hash_internal_pointer_reset(HG(include_blacklist));
4676+ do {
4677+ int r = zend_hash_get_current_key_ex(HG(include_blacklist), &index, &indexlen, &numindex, 0, NULL);
4678+
4679+ if (r==HASH_KEY_NON_EXISTANT) {
4680+ break;
4681+ }
4682+ if (r==HASH_KEY_IS_STRING) {
4683+ if (h-t <= indexlen-1 && tlen>=indexlen-1) {
4684+ if (strncmp(t, index, indexlen-1)==0) {
4685+ php_security_log(S_INCLUDE, "Include filename ('%s') is an URL that is forbidden by the blacklist", fname);
4686+ efree(fname);
4687+ return 0;
4688+ }
4689+ }
4690+ }
4691+
4692+ zend_hash_move_forward(HG(include_blacklist));
4693+ } while (1);
4694+
4695+ s = h + 3;
4696+ } while (1);
4697+ }
4698+
4699+ efree(fname);
4700+ }
4701+
4702+ /* 4. must not be an uploaded file */
4703+ if (SG(rfc1867_uploaded_files)) {
4704+ if (zend_hash_exists(SG(rfc1867_uploaded_files), (char *) filename, len+1)) {
4705+ php_security_log(S_INCLUDE, "Include filename is an uploaded file");
4706+ return (0);
4707+ }
4708+ }
4709+
4710+ /* passed all tests */
4711+ return (1);
4712+}
4713+
4714+#endif
4715+
4716+/*
4717+ * Local variables:
4718+ * tab-width: 4
4719+ * c-basic-offset: 4
4720+ * End:
4721+ * vim600: sw=4 ts=4 fdm=marker
4722+ * vim<600: sw=4 ts=4
4723+ */
4724diff -Nura php-4.4.2/main/hardening_patch.h hardening-patch-4.4.2-0.4.9/main/hardening_patch.h
4725--- php-4.4.2/main/hardening_patch.h 1970-01-01 01:00:00.000000000 +0100
4726+++ hardening-patch-4.4.2-0.4.9/main/hardening_patch.h 2006-05-02 16:54:23.000000000 +0200
4727@@ -0,0 +1,46 @@
4728+/*
4729+ +----------------------------------------------------------------------+
4730+ | Hardening Patch for PHP |
4731+ +----------------------------------------------------------------------+
4732+ | Copyright (c) 2004-2005 Stefan Esser |
4733+ +----------------------------------------------------------------------+
4734+ | This source file is subject to version 2.02 of the PHP license, |
4735+ | that is bundled with this package in the file LICENSE, and is |
4736+ | available at through the world-wide-web at |
4737+ | http://www.php.net/license/2_02.txt. |
4738+ | If you did not receive a copy of the PHP license and are unable to |
4739+ | obtain it through the world-wide-web, please send a note to |
4740+ | license@php.net so we can mail you a copy immediately. |
4741+ +----------------------------------------------------------------------+
4742+ | Author: Stefan Esser <sesser@hardened-php.net> |
4743+ +----------------------------------------------------------------------+
4744+ */
4745+
4746+#ifndef HARDENING_PATCH_H
4747+#define HARDENING_PATCH_H
4748+
4749+#include "zend.h"
4750+
4751+#if HARDENING_PATCH
4752+PHPAPI void php_security_log(int loglevel, char *fmt, ...);
4753+PHPAPI void hardened_startup();
4754+#define HARDENING_PATCH_VERSION "0.4.9"
4755+
4756+#endif
4757+
4758+#if HARDENING_PATCH_MM_PROTECT || HARDENING_PATCH_LL_PROTECT || HARDENING_PATCH_HASH_PROTECT
4759+PHPAPI unsigned int php_canary();
4760+#endif
4761+
4762+#if HARDENING_PATCH_INC_PROTECT
4763+PHPAPI int php_is_valid_include(zval *z);
4764+#endif
4765+
4766+#endif /* HARDENING_PATCH_H */
4767+
4768+/*
4769+ * Local variables:
4770+ * tab-width: 4
4771+ * c-basic-offset: 4
4772+ * End:
4773+ */
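Review bot: `php_security_log(int loglevel, char *fmt, ...)` is a printf-style logger (the .c file above hands `fmt` straight to `ap_php_vsnprintf`) but the prototype carries no format attribute, so a caller that passes a mismatched or non-literal format — precisely the bug class the FMT_PROTECT part of this patch targets — compiles without a warning. Declare it as `PHPAPI void php_security_log(int loglevel, char *fmt, ...) HPHP_PRINTF_ATTR(2, 3);` with `HPHP_PRINTF_ATTR` expanding to `__attribute__((format(printf, a, b)))` under `__GNUC__` and to nothing otherwise (or `ZEND_ATTRIBUTE_FORMAT` if this tree's zend.h already provides it); keep `char *fmt` rather than `const char *`, because main.c assigns the function to `zuf.security_log_function` and the pointer types must match. The two empty-parenthesis prototypes `hardened_startup()` and `php_canary()` should be `(void)` so the compiler rejects stray arguments; the definition of `php_canary` visible above would need the same change.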
4774diff -Nura php-4.4.2/main/hardening_patch.m4 hardening-patch-4.4.2-0.4.9/main/hardening_patch.m4
4775--- php-4.4.2/main/hardening_patch.m4 1970-01-01 01:00:00.000000000 +0100
4776+++ hardening-patch-4.4.2-0.4.9/main/hardening_patch.m4 2006-05-02 16:46:34.000000000 +0200
4777@@ -0,0 +1,95 @@
4778+dnl
4779+dnl $Id: hardening_patch.m4,v 1.1 2004/11/14 13:24:24 ionic Exp $
4780+dnl
4781+dnl This file contains Hardening Patch for PHP specific autoconf functions.
4782+dnl
4783+
4784+AC_ARG_ENABLE(hardening-patch-mm-protect,
4785+[ --disable-hardening-patch-mm-protect Disable the Memory Manager protection.],[
4786+ DO_HARDENING_PATCH_MM_PROTECT=$enableval
4787+],[
4788+ DO_HARDENING_PATCH_MM_PROTECT=yes
4789+])
4790+
4791+AC_ARG_ENABLE(hardening-patch-ll-protect,
4792+[ --disable-hardening-patch-ll-protect Disable the Linked List protection.],[
4793+ DO_HARDENING_PATCH_LL_PROTECT=$enableval
4794+],[
4795+ DO_HARDENING_PATCH_LL_PROTECT=yes
4796+])
4797+
4798+AC_ARG_ENABLE(hardening-patch-inc-protect,
4799+[ --disable-hardening-patch-inc-protect Disable include/require protection.],[
4800+ DO_HARDENING_PATCH_INC_PROTECT=$enableval
4801+],[
4802+ DO_HARDENING_PATCH_INC_PROTECT=yes
4803+])
4804+
4805+AC_ARG_ENABLE(hardening-patch-fmt-protect,
4806+[ --disable-hardening-patch-fmt-protect Disable format string protection.],[
4807+ DO_HARDENING_PATCH_FMT_PROTECT=$enableval
4808+],[
4809+ DO_HARDENING_PATCH_FMT_PROTECT=yes
4810+])
4811+
4812+AC_ARG_ENABLE(hardening-patch-hash-protect,
4813+[ --disable-hardening-patch-hash-protect Disable HashTable destructor protection.],[
4814+ DO_HARDENING_PATCH_HASH_PROTECT=$enableval
4815+],[
4816+ DO_HARDENING_PATCH_HASH_PROTECT=yes
4817+])
4818+
4819+AC_MSG_CHECKING(whether to protect the Zend Memory Manager)
4820+AC_MSG_RESULT($DO_HARDENING_PATCH_MM_PROTECT)
4821+
4822+AC_MSG_CHECKING(whether to protect the Zend Linked Lists)
4823+AC_MSG_RESULT($DO_HARDENING_PATCH_LL_PROTECT)
4824+
4825+AC_MSG_CHECKING(whether to protect include/require statements)
4826+AC_MSG_RESULT($DO_HARDENING_PATCH_INC_PROTECT)
4827+
4828+AC_MSG_CHECKING(whether to protect PHP Format String functions)
4829+AC_MSG_RESULT($DO_HARDENING_PATCH_FMT_PROTECT)
4830+
4831+AC_MSG_CHECKING(whether to protect the destructor of Zend HashTables)
4832+AC_MSG_RESULT($DO_HARDENING_PATCH_HASH_PROTECT)
4833+
4834+
4835+AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
4836+
4837+
4838+if test "$DO_HARDENING_PATCH_MM_PROTECT" = "yes"; then
4839+dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
4840+ AC_DEFINE(HARDENING_PATCH_MM_PROTECT, 1, [Memory Manager Protection])
4841+else
4842+ AC_DEFINE(HARDENING_PATCH_MM_PROTECT, 0, [Memory Manager Protection])
4843+fi
4844+
4845+if test "$DO_HARDENING_PATCH_LL_PROTECT" = "yes"; then
4846+dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
4847+ AC_DEFINE(HARDENING_PATCH_LL_PROTECT, 1, [Linked List Protection])
4848+else
4849+ AC_DEFINE(HARDENING_PATCH_LL_PROTECT, 0, [Linked List Protection])
4850+fi
4851+
4852+if test "$DO_HARDENING_PATCH_INC_PROTECT" = "yes"; then
4853+dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
4854+ AC_DEFINE(HARDENING_PATCH_INC_PROTECT, 1, [Include/Require Protection])
4855+else
4856+ AC_DEFINE(HARDENING_PATCH_INC_PROTECT, 0, [Include/Require Protection])
4857+fi
4858+
4859+if test "$DO_HARDENING_PATCH_FMT_PROTECT" = "yes"; then
4860+dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
4861+ AC_DEFINE(HARDENING_PATCH_FMT_PROTECT, 1, [Fmt String Protection])
4862+else
4863+ AC_DEFINE(HARDENING_PATCH_FMT_PROTECT, 0, [Fmt String Protection])
4864+fi
4865+
4866+if test "$DO_HARDENING_PATCH_HASH_PROTECT" = "yes"; then
4867+dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
4868+ AC_DEFINE(HARDENING_PATCH_HASH_PROTECT, 1, [HashTable DTOR Protection])
4869+else
4870+ AC_DEFINE(HARDENING_PATCH_HASH_PROTECT, 0, [HashTable DTOR Protection])
4871+fi
4872+
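Review bot: The `dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])` line commented out inside each of the five per-feature `if` blocks is dead code now that `HARDENING_PATCH` is defined unconditionally a few lines earlier; leaving five copies behind invites the next editor to wonder whether the master switch is meant to be per-feature, so drop them. Since every `--disable-hardening-patch-*` option defaults to yes and nothing turns the patch off as a whole, a one-line comment above the unconditional define, `dnl HARDENING_PATCH is always on once the patch is applied; only individual protections can be disabled`, would record that intent. Defining each `HARDENING_PATCH_*_PROTECT` to 0 rather than leaving it undefined is a good choice here because the C sources test them with `#if`, not `#ifdef`.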
4873diff -Nura php-4.4.2/main/main.c hardening-patch-4.4.2-0.4.9/main/main.c
4874--- php-4.4.2/main/main.c 2006-01-01 14:46:59.000000000 +0100
4875+++ hardening-patch-4.4.2-0.4.9/main/main.c 2006-05-02 16:46:34.000000000 +0200
4876@@ -92,6 +92,10 @@
4877 PHPAPI int core_globals_id;
4878 #endif
4879
4880+#if HARDENING_PATCH
4881+#include "hardened_globals.h"
4882+#endif
4883+
4884 #define ERROR_BUF_LEN 1024
4885
4886 typedef struct {
4887@@ -142,10 +146,33 @@
4888 */
4889 static PHP_INI_MH(OnChangeMemoryLimit)
4890 {
4891+#if HARDENING_PATCH
4892+ long orig_memory_limit;
4893+
4894+ if (entry->modified) {
4895+ orig_memory_limit = zend_atoi(entry->orig_value, entry->orig_value_length);
4896+ } else {
4897+ orig_memory_limit = 1<<30;
4898+ }
4899+ if (orig_memory_limit < 0 || orig_memory_limit > (1<<30)) {
4900+ orig_memory_limit = 1<<30;
4901+ }
4902+#endif
4903 if (new_value) {
4904 PG(memory_limit) = zend_atoi(new_value, new_value_length);
4905+#if HARDENING_PATCH
4906+ if (PG(memory_limit) > orig_memory_limit) {
4907+ PG(memory_limit) = orig_memory_limit;
4908+ php_security_log(S_MISC, "script tried to increase memory_limit above allowed value");
4909+ return FAILURE;
4910+ }
4911+#endif
4912 } else {
4913+#if HARDENING_PATCH
4914+ PG(memory_limit) = orig_memory_limit;
4915+#else
4916 PG(memory_limit) = 1<<30; /* effectively, no limit */
4917+#endif
4918 }
4919 return zend_set_memory_limit(PG(memory_limit));
4920 }
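Review bot: The cap in the `new_value` branch is only as strong as `orig_memory_limit`, and when `entry->modified` is false it falls back to 1<<30 instead of the value the administrator configured. As far as I recall, `zend_alter_ini_entry` calls `on_modify` before it marks the entry modified, so the first runtime `ini_set('memory_limit', ...)` of a request is checked against a 1 GiB ceiling and only a second raise is caught — the "script tried to increase memory_limit above allowed value" alert would never fire for the common single-call case; please confirm against zend_ini.c. Derive the baseline from `entry->value` when the entry is unmodified and, if this tree's `PHP_INI_MH` carries the `stage` argument, enforce only for `ZEND_INI_STAGE_RUNTIME`, so php.ini and per-directory values (which run through the same handler at startup/activation while `entry->value` still holds the compiled-in default) are not rejected. The reject path also overwrites `PG(memory_limit)` with the baseline without calling `zend_set_memory_limit`, which diverges from the limit actually in force whenever a script had earlier lowered it; computing the requested value into a local and assigning only on success avoids that.
```c
#if HARDENING_PATCH
	long orig_memory_limit;

	/* baseline = what the administrator configured: the saved original once a
	 * runtime change has happened, otherwise the entry's current value */
	if (entry->modified) {
		orig_memory_limit = zend_atoi(entry->orig_value, entry->orig_value_length);
	} else if (entry->value) {
		orig_memory_limit = zend_atoi(entry->value, entry->value_length);
	} else {
		orig_memory_limit = 1<<30;
	}
	if (orig_memory_limit < 0 || orig_memory_limit > (1<<30)) {
		orig_memory_limit = 1<<30;
	}
#endif
	if (new_value) {
		int requested = zend_atoi(new_value, new_value_length);
#if HARDENING_PATCH
		/* only a script-level ini_set() is capped; php.ini and per-dir values are admin-controlled */
		if (stage == ZEND_INI_STAGE_RUNTIME && requested > orig_memory_limit) {
			php_security_log(S_MISC, "script tried to increase memory_limit above allowed value");
			return FAILURE;	/* PG(memory_limit) and the Zend limit stay as they were */
		}
#endif
		PG(memory_limit) = requested;
	} else {
		/* … unchanged: reset to orig_memory_limit / 1<<30 … */
```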
4921@@ -1008,6 +1035,9 @@
4922
4923 zend_try {
4924 shutdown_memory_manager(CG(unclean_shutdown), 0 TSRMLS_CC);
4925+#if HARDENING_PATCH
4926+ hardened_clear_mm_canaries(TSRMLS_C);
4927+#endif
4928 } zend_end_try();
4929
4930 zend_try {
4931@@ -1098,6 +1128,10 @@
4932 tsrm_ls = ts_resource(0);
4933 #endif
4934
4935+#if HARDENING_PATCH
4936+ hardened_startup();
4937+#endif
4938+
4939 sapi_initialize_empty_request(TSRMLS_C);
4940 sapi_activate(TSRMLS_C);
4941
4942@@ -1110,6 +1144,12 @@
4943 php_output_startup();
4944 php_output_activate(TSRMLS_C);
4945
4946+#if HARDENING_PATCH_INC_PROTECT
4947+ zuf.is_valid_include = php_is_valid_include;
4948+#endif
4949+#if HARDENING_PATCH
4950+ zuf.security_log_function = php_security_log;
4951+#endif
4952 zuf.error_function = php_error_cb;
4953 zuf.printf_function = php_printf;
4954 zuf.write_function = php_body_write_wrapper;
4955@@ -1211,6 +1251,10 @@
4956 REGISTER_MAIN_STRINGL_CONSTANT("PHP_CONFIG_FILE_PATH", PHP_CONFIG_FILE_PATH, sizeof(PHP_CONFIG_FILE_PATH)-1, CONST_PERSISTENT | CONST_CS);
4957 REGISTER_MAIN_STRINGL_CONSTANT("PHP_CONFIG_FILE_SCAN_DIR", PHP_CONFIG_FILE_SCAN_DIR, sizeof(PHP_CONFIG_FILE_SCAN_DIR)-1, CONST_PERSISTENT | CONST_CS);
4958 REGISTER_MAIN_STRINGL_CONSTANT("PHP_SHLIB_SUFFIX", PHP_SHLIB_SUFFIX, sizeof(PHP_SHLIB_SUFFIX)-1, CONST_PERSISTENT | CONST_CS);
4959+#if HARDENING_PATCH
4960+ REGISTER_MAIN_LONG_CONSTANT("HARDENING_PATCH", 1, CONST_PERSISTENT | CONST_CS);
4961+ REGISTER_MAIN_STRINGL_CONSTANT("HARDENING_PATCH_VERSION", HARDENING_PATCH_VERSION, sizeof(HARDENING_PATCH_VERSION)-1, CONST_PERSISTENT | CONST_CS);
4962+#endif
4963 REGISTER_MAIN_STRINGL_CONSTANT("PHP_EOL", PHP_EOL, sizeof(PHP_EOL)-1, CONST_PERSISTENT | CONST_CS);
4964 REGISTER_MAIN_LONG_CONSTANT("PHP_INT_MAX", LONG_MAX, CONST_PERSISTENT | CONST_CS);
4965 REGISTER_MAIN_LONG_CONSTANT("PHP_INT_SIZE", sizeof(long), CONST_PERSISTENT | CONST_CS);
4966@@ -1318,7 +1362,7 @@
4967 */
4968 static inline void php_register_server_variables(TSRMLS_D)
4969 {
4970- zval *array_ptr=NULL;
4971+ zval *array_ptr=NULL, *vptr;
4972
4973 ALLOC_ZVAL(array_ptr);
4974 array_init(array_ptr);
4975diff -Nura php-4.4.2/main/php_config.h.in hardening-patch-4.4.2-0.4.9/main/php_config.h.in
4976--- php-4.4.2/main/php_config.h.in 2006-01-12 19:24:28.000000000 +0100
4977+++ hardening-patch-4.4.2-0.4.9/main/php_config.h.in 2006-05-02 16:46:34.000000000 +0200
4978@@ -865,6 +865,39 @@
4979 /* Enabling BIND8 compatibility for Panther */
4980 #undef BIND_8_COMPAT
4981
4982+/* Hardening-Patch */
4983+#undef HARDENING_PATCH
4984+
4985+/* Memory Manager Protection */
4986+#undef HARDENING_PATCH_MM_PROTECT
4987+
4988+/* Memory Manager Protection */
4989+#undef HARDENING_PATCH_MM_PROTECT
4990+
4991+/* Linked List Protection */
4992+#undef HARDENING_PATCH_LL_PROTECT
4993+
4994+/* Linked List Protection */
4995+#undef HARDENING_PATCH_LL_PROTECT
4996+
4997+/* Include/Require Protection */
4998+#undef HARDENING_PATCH_INC_PROTECT
4999+
5000+/* Include/Require Protection */
5001+#undef HARDENING_PATCH_INC_PROTECT
5002+
5003+/* Fmt String Protection */
5004+#undef HARDENING_PATCH_FMT_PROTECT
5005+
5006+/* Fmt String Protection */
5007+#undef HARDENING_PATCH_FMT_PROTECT
5008+
5009+/* HashTable DTOR Protection */
5010+#undef HARDENING_PATCH_HASH_PROTECT
5011+
5012+/* HashTable DTOR Protection */
5013+#undef HARDENING_PATCH_HASH_PROTECT
5014+
5015 /* Whether you have AOLserver */
5016 #undef HAVE_AOLSERVER
5017
5018@@ -1148,6 +1181,12 @@
5019 /* Define if you have the getaddrinfo function */
5020 #undef HAVE_GETADDRINFO
5021
5022+/* Whether realpath is broken */
5023+#undef PHP_BROKEN_REALPATH
5024+
5025+/* Whether realpath is broken */
5026+#undef PHP_BROKEN_REALPATH
5027+
5028 /* Whether system headers declare timezone */
5029 #undef HAVE_DECLARED_TIMEZONE
5030
5031diff -Nura php-4.4.2/main/php_content_types.c hardening-patch-4.4.2-0.4.9/main/php_content_types.c
5032--- php-4.4.2/main/php_content_types.c 2006-01-01 14:46:59.000000000 +0100
5033+++ hardening-patch-4.4.2-0.4.9/main/php_content_types.c 2006-05-02 16:46:34.000000000 +0200
5034@@ -77,6 +77,7 @@
5035 sapi_register_post_entries(php_post_entries);
5036 sapi_register_default_post_reader(php_default_post_reader);
5037 sapi_register_treat_data(php_default_treat_data);
5038+ sapi_register_input_filter(php_default_input_filter);
5039 return SUCCESS;
5040 }
5041 /* }}} */
5042diff -Nura php-4.4.2/main/php.h hardening-patch-4.4.2-0.4.9/main/php.h
5043--- php-4.4.2/main/php.h 2006-01-01 14:46:59.000000000 +0100
5044+++ hardening-patch-4.4.2-0.4.9/main/php.h 2006-05-02 16:46:34.000000000 +0200
5045@@ -35,11 +35,19 @@
5046 #include "zend_qsort.h"
5047 #include "php_compat.h"
5048
5049+
5050 #include "zend_API.h"
5051
5052 #undef sprintf
5053 #define sprintf php_sprintf
5054
5055+#if HARDENING_PATCH
5056+#if HAVE_REALPATH
5057+#undef realpath
5058+#define realpath php_realpath
5059+#endif
5060+#endif
5061+
5062 /* PHP's DEBUG value must match Zend's ZEND_DEBUG value */
5063 #undef PHP_DEBUG
5064 #define PHP_DEBUG ZEND_DEBUG
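Review bot: The `#define realpath php_realpath` is unconditional even though the patch adds a `PHP_BROKEN_REALPATH` configure result (visible in the php_config.h.in hunk further down), so every translation unit that includes php.h is routed through the wrapper regardless of whether libc's `realpath` is sound, and nothing in this header declares `php_realpath`, so a file that calls `realpath` without also including whatever header defines the wrapper gets an implicit declaration. Either gate the block on `PHP_BROKEN_REALPATH`, or — if the wrapper is meant as a general hardening layer rather than a workaround — keep it unconditional but declare it next to the macro, `PHPAPI char *php_realpath(const char *path, char *resolved);` (match the wrapper's real signature, which is outside this view), with a one-line comment saying why libc's version is bypassed. The macro also renames any `realpath` prototype in a system header included after this point in the same TU; I cannot see php.h's include order from here, so please check that `<stdlib.h>` is already in by this line.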
5065@@ -409,6 +417,10 @@
5066 #endif
5067 #endif /* !XtOffsetOf */
5068
5069+#if HARDENING_PATCH
5070+#include "hardening_patch.h"
5071+#endif
5072+
5073 #endif
5074
5075 /*
5076diff -Nura php-4.4.2/main/php_variables.c hardening-patch-4.4.2-0.4.9/main/php_variables.c
5077--- php-4.4.2/main/php_variables.c 2006-01-01 14:47:00.000000000 +0100
5078+++ hardening-patch-4.4.2-0.4.9/main/php_variables.c 2006-05-02 16:46:34.000000000 +0200
5079@@ -236,17 +236,28 @@
5080 while (var) {
5081 val = strchr(var, '=');
5082 if (val) { /* have a value */
5083- int val_len;
5084+ unsigned int val_len, new_val_len;
5085
5086 *val++ = '\0';
5087 php_url_decode(var, strlen(var));
5088 val_len = php_url_decode(val, strlen(val));
5089- php_register_variable_safe(var, val, val_len, array_ptr TSRMLS_CC);
5090+ val = estrndup(val, val_len);
5091+ if (sapi_module.input_filter(PARSE_POST, var, &val, val_len, &new_val_len TSRMLS_CC)) {
5092+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
5093+ }
5094+ efree(val);
5095 }
5096 var = php_strtok_r(NULL, "&", &strtok_buf);
5097 }
5098 }
5099
5100+SAPI_API SAPI_INPUT_FILTER_FUNC(php_default_input_filter)
5101+{
5102+ /* TODO: check .ini setting here and apply user-defined input filter */
5103+ *new_val_len = val_len;
5104+ return 1;
5105+}
5106+
5107 SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data)
5108 {
5109 char *res = NULL, *var, *val, *separator=NULL;
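Review bot: `sapi_module.input_filter` is dereferenced without a NULL check in the `if (val)` branch, whereas the rfc1867.c hunks of this same patch guard `upload_varname_filter`, `pre_upload_filter`, `upload_content_filter` and `post_upload_filter` before calling them; a SAPI whose startup never reaches the `sapi_register_input_filter(php_default_input_filter)` call added in php_content_types.c would crash on its first request variable. Guard it the same way, initialising the output length first: `new_val_len = val_len;` and `if (!sapi_module.input_filter || sapi_module.input_filter(PARSE_POST, var, &val, val_len, &new_val_len TSRMLS_CC)) {`. The `char **val` contract — whether a filter may replace the buffer it was given and who frees the old one — is what the `efree(val)` after the call depends on, and it deserves a comment on `php_default_input_filter`, whose body is still a TODO.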
5110@@ -324,15 +335,26 @@
5111 while (var) {
5112 val = strchr(var, '=');
5113 if (val) { /* have a value */
5114- int val_len;
5115+ unsigned int val_len, new_val_len;
5116
5117 *val++ = '\0';
5118 php_url_decode(var, strlen(var));
5119 val_len = php_url_decode(val, strlen(val));
5120- php_register_variable_safe(var, val, val_len, array_ptr TSRMLS_CC);
5121+ val = estrndup(val, val_len);
5122+ if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len TSRMLS_CC)) {
5123+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
5124+ }
5125+ efree(val);
5126 } else {
5127+ unsigned int val_len, new_val_len;
5128+
5129 php_url_decode(var, strlen(var));
5130- php_register_variable_safe(var, "", 0, array_ptr TSRMLS_CC);
5131+ val_len = 0;
5132+ val = estrndup("", 0);
5133+ if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len TSRMLS_CC)) {
5134+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
5135+ }
5136+ efree(val);
5137 }
5138 var = php_strtok_r(NULL, separator, &strtok_buf);
5139 }
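Review bot: The estrndup / `input_filter` / `php_register_variable_safe` / `efree` sequence now appears three times in this file (twice in this hunk, once in the POST path of the previous hunk), differing only in `arg` and the value, so any later fix — such as guarding the filter pointer — has to be made three times. A small static helper keeps the copies from drifting, and gives the `char **val` convention (the filter may swap the buffer, hence the owned copy) one place to be documented. The `else` branch's `estrndup("", 0)` is otherwise easy to "optimise" back to the literal, which would hand a filter a read-only string.
```c
/* Run one decoded request variable through the SAPI input filter and register
 * it if accepted.  The filter takes char **val and may swap the buffer, so it
 * is always handed an owned copy, which is released here. */
static void php_register_filtered_variable(int arg, char *var, char *val, unsigned int val_len, zval *array_ptr TSRMLS_DC)
{
	unsigned int new_val_len = val_len;
	char *copy = estrndup(val, val_len);

	if (sapi_module.input_filter(arg, var, &copy, val_len, &new_val_len TSRMLS_CC)) {
		php_register_variable_safe(var, copy, new_val_len, array_ptr TSRMLS_CC);
	}
	efree(copy);
}
/* … unchanged: php_default_treat_data up to the value split … */
			val_len = php_url_decode(val, strlen(val));
			php_register_filtered_variable(arg, var, val, val_len, array_ptr TSRMLS_CC);
		} else {
			php_url_decode(var, strlen(var));
			php_register_filtered_variable(arg, var, "", 0, array_ptr TSRMLS_CC);
		}
```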
5140diff -Nura php-4.4.2/main/rfc1867.c hardening-patch-4.4.2-0.4.9/main/rfc1867.c
5141--- php-4.4.2/main/rfc1867.c 2006-01-01 14:47:00.000000000 +0100
5142+++ hardening-patch-4.4.2-0.4.9/main/rfc1867.c 2006-05-02 16:46:34.000000000 +0200
5143@@ -128,6 +128,8 @@
5144 #define UPLOAD_ERROR_D 4 /* No file uploaded */
5145 #define UPLOAD_ERROR_E 6 /* Missing /tmp or similar directory */
5146 #define UPLOAD_ERROR_F 7 /* Failed to write file to disk */
5147+#define UPLOAD_ERROR_X 99 /* Filter forbids upload */
5148+
5149
5150 void php_rfc1867_register_constants(TSRMLS_D)
5151 {
5152@@ -138,6 +140,7 @@
5153 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_FILE", UPLOAD_ERROR_D, CONST_CS | CONST_PERSISTENT);
5154 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_TMP_DIR", UPLOAD_ERROR_E, CONST_CS | CONST_PERSISTENT);
5155 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_CANT_WRITE", UPLOAD_ERROR_F, CONST_CS | CONST_PERSISTENT);
5156+ REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_FILTER", UPLOAD_ERROR_X, CONST_CS | CONST_PERSISTENT);
5157 }
5158
5159 static void normalize_protected_variable(char *varname TSRMLS_DC)
5160@@ -849,6 +852,7 @@
5161 char buff[FILLUNIT];
5162 char *cd=NULL,*param=NULL,*filename=NULL, *tmp=NULL;
5163 int blen=0, wlen=0;
5164+ unsigned long offset;
5165
5166 zend_llist_clean(&header);
5167
5168@@ -897,21 +901,24 @@
5169 if (!filename && param) {
5170
5171 char *value = multipart_buffer_read_body(mbuff TSRMLS_CC);
5172+ unsigned int new_val_len; /* Dummy variable */
5173
5174 if (!value) {
5175 value = estrdup("");
5176 }
5177
5178+ if (sapi_module.input_filter(PARSE_POST, param, &value, strlen(value), &new_val_len TSRMLS_CC)) {
5179 #if HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING)
5180- if (php_mb_encoding_translation(TSRMLS_C)) {
5181- php_mb_gpc_stack_variable(param, value, &val_list, &len_list,
5182- &num_vars, &num_vars_max TSRMLS_CC);
5183- } else {
5184- safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
5185- }
5186+ if (php_mb_encoding_translation(TSRMLS_C)) {
5187+ php_mb_gpc_stack_variable(param, value, &val_list, &len_list,
5188+ &num_vars, &num_vars_max TSRMLS_CC);
5189+ } else {
5190+ safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
5191+ }
5192 #else
5193- safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
5194+ safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
5195 #endif
5196+ }
5197 if (!strcasecmp(param, "MAX_FILE_SIZE")) {
5198 max_file_size = atol(value);
5199 }
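Review bot: A value the input filter rejects is still consumed two lines later by the `MAX_FILE_SIZE` check (`max_file_size = atol(value);`), so a field the filter threw out can still lower the size cap applied to the uploads that follow in the same body; if that is not intended, move the `strcasecmp` inside the accepted branch. `new_val_len` is labelled a dummy and discarded, which silently requires every filter to leave a NUL-terminated string in `*value`, because both `safe_php_register_variable` and the `atol` read it as a C string — say so where the variable is declared, e.g. `/* length result ignored: the filter must leave a NUL-terminated string in value */`. The re-indentation of the unchanged mbstring branch inside the new `if` makes this hunk noisier than an early-out shape would; the enclosing loop continues outside the hunk.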
5200@@ -963,7 +970,11 @@
5201 tmp++;
5202 }
5203 }
5204-
5205+
5206+ if (sapi_module.upload_varname_filter && sapi_module.upload_varname_filter(param TSRMLS_CC)==FAILURE) {
5207+ skip_upload = 1;
5208+ }
5209+
5210 total_bytes = cancel_upload = 0;
5211
5212 if (!skip_upload) {
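Review bot: When `upload_varname_filter` rejects the field, the new code sets `skip_upload = 1` and records no error code, so unlike the pre/content/post filters added below (which report `UPLOAD_ERROR_X`) the script sees no `$_FILES` entry for that field at all and cannot tell "filtered" from "never sent". If the `skip_upload` path, which lies outside this hunk, already registers an error entry then this is fine; otherwise consider `cancel_upload = UPLOAD_ERROR_X;` in place of `skip_upload = 1;` so the field surfaces as `UPLOAD_ERR_FILTER`, provided the later code tolerates a cancelled upload with no temp file (the `UPLOAD_ERROR_E` special case near the end of the function suggests it does). A short comment on the call, `/* field name rejected by the SAPI: upload is not even started */`, would make the chosen semantics explicit either way.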
5213@@ -987,6 +998,11 @@
5214 cancel_upload = UPLOAD_ERROR_D;
5215 }
5216
5217+ if (sapi_module.pre_upload_filter && sapi_module.pre_upload_filter(param, filename TSRMLS_CC)==FAILURE) {
5218+ cancel_upload = UPLOAD_ERROR_X;
5219+ }
5220+
5221+ offset = 0;
5222 end = 0;
5223 while (!cancel_upload && (blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end TSRMLS_CC)))
5224 {
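Review bot: The `pre_upload_filter` check overwrites any `cancel_upload` reason set just before it — for instance the `UPLOAD_ERROR_D` assigned when no file name was given — so the script is told `UPLOAD_ERR_FILTER` instead of the real cause, and the filter is run for an upload that is already rejected. The post-upload filter added further down already guards with `!cancel_upload`; do the same here: `if (!cancel_upload && sapi_module.pre_upload_filter && sapi_module.pre_upload_filter(param, filename TSRMLS_CC)==FAILURE) {`. The enclosing function begins and ends outside this hunk.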
5225@@ -997,6 +1013,11 @@
5226 sapi_module.sapi_error(E_WARNING, "MAX_FILE_SIZE of %ld bytes exceeded - file [%s=%s] not saved", max_file_size, param, filename);
5227 cancel_upload = UPLOAD_ERROR_B;
5228 } else if (blen > 0) {
5229+
5230+ if (sapi_module.upload_content_filter && sapi_module.upload_content_filter(offset, buff, blen, &blen TSRMLS_CC)==FAILURE) {
5231+ cancel_upload = UPLOAD_ERROR_X;
5232+ }
5233+
5234 wlen = write(fd, buff, blen);
5235
5236 if (wlen < blen) {
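Review bot: A chunk the content filter rejects is still written to the temp file, because `cancel_upload = UPLOAD_ERROR_X` is only consulted at the top of the `while` and the `write(fd, buff, blen)` on the next line runs unconditionally; the file is presumably unlinked later with the rest of the cancelled upload, but rejected bytes should not reach disk at all. Add `continue;` after the assignment — the loop condition then ends the loop — which also mirrors how the `MAX_FILE_SIZE` branch above avoids the write. The filter may also rewrite `blen` through its last argument and nothing here stops it from returning a length larger than `sizeof(buff)`; a comment such as `/* filter may shorten, never grow, the chunk: blen must stay <= sizeof(buff) */` should pin that contract down.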
5237@@ -1004,6 +1025,7 @@
5238 cancel_upload = UPLOAD_ERROR_F;
5239 } else {
5240 total_bytes += wlen;
5241+ offset += wlen;
5242 }
5243 }
5244 }
5245@@ -1025,6 +1047,10 @@
5246 }
5247 #endif
5248
5249+ if (!cancel_upload && sapi_module.post_upload_filter && sapi_module.post_upload_filter(temp_filename TSRMLS_CC)==FAILURE) {
5250+ cancel_upload = UPLOAD_ERROR_X;
5251+ }
5252+
5253 if (cancel_upload) {
5254 if (temp_filename) {
5255 if (cancel_upload != UPLOAD_ERROR_E) { /* file creation failed */
5256diff -Nura php-4.4.2/main/SAPI.c hardening-patch-4.4.2-0.4.9/main/SAPI.c
5257--- php-4.4.2/main/SAPI.c 2006-01-01 14:46:59.000000000 +0100
5258+++ hardening-patch-4.4.2-0.4.9/main/SAPI.c 2006-05-02 16:46:34.000000000 +0200
5259@@ -854,6 +854,37 @@
5260 return SUCCESS;
5261 }
5262
5263+SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC))
5264+{
5265+ sapi_module.input_filter = input_filter;
5266+ return SUCCESS;
5267+}
5268+
5269+SAPI_API int sapi_register_upload_varname_filter(unsigned int (*upload_varname_filter)(char *varname TSRMLS_DC))
5270+{
5271+ sapi_module.upload_varname_filter = upload_varname_filter;
5272+ return SUCCESS;
5273+}
5274+
5275+SAPI_API int sapi_register_pre_upload_filter(unsigned int (*pre_upload_filter)(char *varname, char *filename TSRMLS_DC))
5276+{
5277+ sapi_module.pre_upload_filter = pre_upload_filter;
5278+ return SUCCESS;
5279+}
5280+
5281+SAPI_API int sapi_register_upload_content_filter(unsigned int (*upload_content_filter)(unsigned long offset, char *buffer, unsigned int buffer_len, unsigned int *new_buffer_len TSRMLS_DC))
5282+{
5283+ sapi_module.upload_content_filter = upload_content_filter;
5284+ return SUCCESS;
5285+}
5286+
5287+SAPI_API int sapi_register_post_upload_filter(unsigned int (*post_upload_filter)(char *tmpfilename TSRMLS_DC))
5288+{
5289+ sapi_module.post_upload_filter = post_upload_filter;
5290+ return SUCCESS;
5291+}
5292+
5293+
5294
5295 SAPI_API int sapi_flush(TSRMLS_D)
5296 {
5297diff -Nura php-4.4.2/main/SAPI.h hardening-patch-4.4.2-0.4.9/main/SAPI.h
5298--- php-4.4.2/main/SAPI.h 2006-01-01 14:46:59.000000000 +0100
5299+++ hardening-patch-4.4.2-0.4.9/main/SAPI.h 2006-05-02 16:46:34.000000000 +0200
5300@@ -101,9 +101,10 @@
5301 char *current_user;
5302 int current_user_length;
5303
5304- /* this is necessary for CLI module */
5305- int argc;
5306- char **argv;
5307+ /* this is necessary for CLI module */
5308+ int argc;
5309+ char **argv;
5310+
5311 } sapi_request_info;
5312
5313
5314@@ -177,6 +178,10 @@
5315 SAPI_API void sapi_unregister_post_entry(sapi_post_entry *post_entry);
5316 SAPI_API int sapi_register_default_post_reader(void (*default_post_reader)(TSRMLS_D));
5317 SAPI_API int sapi_register_treat_data(void (*treat_data)(int arg, char *str, zval *destArray TSRMLS_DC));
5318+SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC));
5319+SAPI_API int sapi_register_pre_upload_filter(unsigned int (*pre_upload_filter)(char *varname, char *filename TSRMLS_DC));
5320+SAPI_API int sapi_register_upload_content_filter(unsigned int (*upload_content_filter)(unsigned long offset, char *buffer, unsigned int buffer_len, unsigned int *new_buffer_len TSRMLS_DC));
5321+SAPI_API int sapi_register_post_upload_filter(unsigned int (*post_upload_filter)(char *tmpfilename TSRMLS_DC));
5322
5323 SAPI_API int sapi_flush(TSRMLS_D);
5324 SAPI_API struct stat *sapi_get_stat(TSRMLS_D);
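Review bot: `sapi_register_upload_varname_filter` is defined in the SAPI.c hunk of this patch and its hook is called from rfc1867.c, but this hunk adds prototypes for only the other four registration functions, so any SAPI or extension registering a varname filter compiles against an implicit declaration. Add `SAPI_API int sapi_register_upload_varname_filter(unsigned int (*upload_varname_filter)(char *varname TSRMLS_DC));` alongside the others. The group would also benefit from a one-line comment stating the contract the callers rely on, `/* a NULL hook means "accept"; input_filter is the exception and is always set by php_content_types.c */`, since php_variables.c calls `input_filter` unguarded while rfc1867.c guards the upload hooks.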
5325@@ -238,8 +243,16 @@
5326 int (*get_target_uid)(uid_t * TSRMLS_DC);
5327 int (*get_target_gid)(gid_t * TSRMLS_DC);
5328
5329+ unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC);
5330+
5331+ unsigned int (*upload_varname_filter)(char *varname TSRMLS_DC);
5332+ unsigned int (*pre_upload_filter)(char *varname, char *filename TSRMLS_DC);
5333+ unsigned int (*upload_content_filter)(unsigned long offset, char *buffer, unsigned int buffer_len, unsigned int *new_buffer_len TSRMLS_DC);
5334+ unsigned int (*post_upload_filter)(char *tmpfilename TSRMLS_DC);
5335+
5336 void (*ini_defaults)(HashTable *configuration_hash);
5337 int phpinfo_as_text;
5338+
5339 };
5340
5341
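Review bot: The five new function-pointer members are inserted into `sapi_module_struct` ahead of `ini_defaults` and `phpinfo_as_text` rather than appended, so every SAPI that fills the struct with a positional initializer (which I believe all in-tree SAPIs do, ending in `STANDARD_SAPI_MODULE_PROPERTIES`) must be rebuilt against this header, and a prebuilt third-party SAPI would have its `ini_defaults` slot read as `input_filter`. Appending the members after `phpinfo_as_text` keeps existing initializers and binaries valid, and the `NULL` they then inherit means "no hook", which is exactly what the guarded callers in rfc1867.c expect. Separately, the first SAPI.h hunk above is whitespace-only and could be dropped from the patch.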
5342@@ -262,16 +275,27 @@
5343
5344 #define SAPI_DEFAULT_MIMETYPE "text/html"
5345 #define SAPI_DEFAULT_CHARSET ""
5346+
5347+#if HARDENING_PATCH
5348+#define SAPI_PHP_VERSION_HEADER "X-Powered-By: PHP/" PHP_VERSION " with Hardening-Patch"
5349+#else
5350 #define SAPI_PHP_VERSION_HEADER "X-Powered-By: PHP/" PHP_VERSION
5351+#endif
5352
5353 #define SAPI_POST_READER_FUNC(post_reader) void post_reader(TSRMLS_D)
5354 #define SAPI_POST_HANDLER_FUNC(post_handler) void post_handler(char *content_type_dup, void *arg TSRMLS_DC)
5355
5356 #define SAPI_TREAT_DATA_FUNC(treat_data) void treat_data(int arg, char *str, zval* destArray TSRMLS_DC)
5357+#define SAPI_INPUT_FILTER_FUNC(input_filter) unsigned int input_filter(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC)
5358+#define SAPI_UPLOAD_VARNAME_FILTER_FUNC(upload_varname_filter) unsigned int upload_varname_filter(char *varname TSRMLS_DC)
5359+#define SAPI_PRE_UPLOAD_FILTER_FUNC(pre_upload_filter) unsigned int pre_upload_filter(char *varname, char *filename TSRMLS_DC)
5360+#define SAPI_UPLOAD_CONTENT_FILTER_FUNC(upload_content_filter) unsigned int upload_content_filter(unsigned long offset, char *buffer, unsigned int buffer_len, unsigned int *new_buffer_len TSRMLS_DC)
5361+#define SAPI_POST_UPLOAD_FILTER_FUNC(post_upload_filter) unsigned int post_upload_filter(char *tmpfilename TSRMLS_DC)
5362
5363 SAPI_API SAPI_POST_READER_FUNC(sapi_read_standard_form_data);
5364 SAPI_API SAPI_POST_READER_FUNC(php_default_post_reader);
5365 SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data);
5366+SAPI_API SAPI_INPUT_FILTER_FUNC(php_default_input_filter);
5367
5368 #define STANDARD_SAPI_MODULE_PROPERTIES
5369
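Review bot: Appending "with Hardening-Patch" to `SAPI_PHP_VERSION_HEADER` tells every remote client that this build carries the patch — and, via `PHP_VERSION`, which mitigations to expect — which is not something a hardening patch usually wants to advertise; administrators and scripts can already learn it from the `HARDENING_PATCH` and `HARDENING_PATCH_VERSION` constants registered in main.c. Assuming this header is still only emitted when `expose_php` is on (not visible here) the disclosure is opt-in, but I would keep the stock banner and drop the `#if HARDENING_PATCH` block, or make the suffix its own ini switch. The new `SAPI_*_FILTER_FUNC` macros mirror the struct members well, but the two hook families use different return conventions — `input_filter` is tested for a truthy "accept" in php_variables.c while the upload hooks are compared against `FAILURE` in rfc1867.c — and a comment above the macros, `/* input_filter: nonzero = accept; upload hooks: return FAILURE to reject */`, would stop filter authors guessing.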
5370diff -Nura php-4.4.2/main/snprintf.c hardening-patch-4.4.2-0.4.9/main/snprintf.c
5371--- php-4.4.2/main/snprintf.c 2006-01-01 14:47:00.000000000 +0100
5372+++ hardening-patch-4.4.2-0.4.9/main/snprintf.c 2006-05-02 16:46:34.000000000 +0200
5373@@ -1014,7 +1014,11 @@
5374
5375
5376 case 'n':
5377+#if HARDENING_PATCH_FMT_PROTECT
5378+ php_security_log(S_MISC, "'n' specifier within format string");
5379+#else
5380 *(va_arg(ap, int *)) = cc;
5381+#endif
5382 break;
5383
5384 /*
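Review bot: With `HARDENING_PATCH_FMT_PROTECT` the `'n'` case no longer pulls its `int *` argument out of `ap`, so any format with conversions after a `%n` now reads every following argument one slot too early — the protection turns a write-what-where into a silent argument misalignment, and with a mix of pointer and integer arguments that is still memory-unsafe. Consume the argument even while ignoring it: `(void) va_arg(ap, int *);` next to the `php_security_log` call, with a comment `/* keep the remaining arguments aligned */`. The same change is needed in spprintf.c, which carries an identical hunk.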
5385diff -Nura php-4.4.2/main/spprintf.c hardening-patch-4.4.2-0.4.9/main/spprintf.c
5386--- php-4.4.2/main/spprintf.c 2006-01-01 14:47:00.000000000 +0100
5387+++ hardening-patch-4.4.2-0.4.9/main/spprintf.c 2006-05-02 16:46:34.000000000 +0200
5388@@ -630,7 +630,11 @@
5389
5390
5391 case 'n':
5392+#if HARDENING_PATCH_FMT_PROTECT
5393+ php_security_log(S_MISC, "'n' specifier within format string");
5394+#else
5395 *(va_arg(ap, int *)) = xbuf->len;
5396+#endif
5397 break;
5398
5399 /*
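Review bot: Under `HARDENING_PATCH_FMT_PROTECT` the `'n'` case skips `va_arg(ap, int *)`, so for a format that has further conversions after `%n` every later argument is fetched one slot too early; disabling the write is right, but the argument must still be consumed or the protection merely replaces one memory-safety problem with another. Use `(void) va_arg(ap, int *);` alongside the `php_security_log` call and say why in a comment, `/* discard the pointer so the remaining arguments stay aligned */`. The log text "'n' specifier within format string" could also state that the write was suppressed, so an operator reading the alert knows no memory was modified.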
5400diff -Nura php-4.4.2/php.ini-dist hardening-patch-4.4.2-0.4.9/php.ini-dist
5401--- php-4.4.2/php.ini-dist 2005-12-30 18:19:43.000000000 +0100
5402+++ hardening-patch-4.4.2-0.4.9/php.ini-dist 2006-05-02 16:46:34.000000000 +0200
5403@@ -1114,6 +1114,209 @@
5404 ;exif.decode_jis_motorola = JIS
5405 ;exif.decode_jis_intel = JIS
5406
5407+[hardening-patch]
5408+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5409+; Hardening-Patch's logging ;
5410+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5411+
5412+;
5413+; hphp.log.syslog - Configures level for alerts reported through syslog
5414+; hphp.log.sapi - Configures level for alerts reported through SAPI errorlog
5415+; hphp.log.script - Configures level for alerts reported through external script
5416+;
5417+; hphp.log.syslog, hphp.log.sapi, hphp.log.script are bit-fields.
5418+; Or each number up to get desired Hardening-Patch's reporting level
5419+;
5420+; S_ALL - All alerts
5421+; S_MEMORY - All canary violations and the safe unlink protection use this class
5422+; S_VARS - All variable filters trigger this class
5423+; S_FILES - All violation of uploaded files filter use this class
5424+; S_INCLUDE - The protection against malicious include filenames use this class
5425+; S_SQL - Failed SQL queries in MySQL are logged with this class
5426+; S_EXECUTOR - The execution depth protection uses this logging class
5427+; S_MISC - All other log messages (f.e. format string protection) use this class
5428+;
5429+; Example:
5430+;
5431+; - Report all alerts (except memory alerts) to the SAPI errorlog,
5432+; memory alerts through syslog and SQL+Include alerts fo the script
5433+;
5434+;hphp.log.syslog = S_MEMORY
5435+;hphp.log.sapi = S_ALL & ~S_MEMORY
5436+;hphp.log.script = S_INCLUDE | S_SQL
5437+;
5438+; Syslog logging:
5439+;
5440+; - Facility configuration: one of the following facilities
5441+;
5442+; LOG_KERN, LOG_USER, LOG_MAIL, LOG_DAEMON
5443+; LOG_AUTH, LOG_SYSLOG, LOG_LPR, LOG_NEWS
5444+; LOG_UUCP, LOG_CRON, LOG_AUTHPRIV, LOG_LOCAL0
5445+; LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4
5446+; LOG_LOCAL5, LOG_LOCAL6, LOG_LOCAL7, LOG_PID
5447+; LOG_CONS, LOG_ODELAY, LOG_NDELAY, LOG_NOWAIT
5448+; LOG_PERROR
5449+;
5450+; - Priority configuration: one of the followinf priorities
5451+;
5452+; LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_WARNING
5453+; LOG_NOTICE, LOG_INFO, LOG_DEBUG, LOG_ERR
5454+;
5455+hphp.log.syslog.priority = LOG_ALERT
5456+hphp.log.syslog.facility = LOG_USER
5457+;
5458+; Script logging:
5459+;
5460+;hphp.log.script.name = /home/hphp/log_script
5461+;
5462+; Alert configuration:
5463+;
5464+; - Logged IP addresses from X-Forwarded-For instead of REMOTE_ADDR
5465+;
5466+;hphp.log.use-x-forwarded-for = On
5467+;
5468+
5469+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5470+; Hardening-Patch's Executor options ;
5471+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5472+
5473+; Execution depth limit
5474+;hphp.executor.max_depth = 8000
5475+
5476+; White-/blacklist for function calls during normal execution
5477+;hphp.executor.func.whitelist = ord,chr
5478+;hphp.executor.func.blacklist = system,shell_exec,popen,proc_open,exec,passthru
5479+
5480+; White-/blacklist for function calls during eval() execution
5481+;hphp.executor.eval.whitelist = ord,chr
5482+;hphp.executor.eval.blacklist = system,shell_exec,popen,proc_open,exec,passthru
5483+
5484+; White-/blacklist for URLs allowes in include filenames
5485+;
5486+; - When both options are not set all URLs are forbidden
5487+;
5488+; - When both options are set whitelist is taken and blacklist ignored
5489+;
5490+; - An entry in the lists is either a URL sheme like: http, https
5491+; or the beginning of an URL like: php://input
5492+;
5493+;hphp.executor.include.whitelist = cookietest
5494+;hphp.executor.include.blacklist = http, https, ftp, ftps, php://input, file
5495+
5496+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5497+; Hardening-Patch's REQUEST variable filters ;
5498+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5499+
5500+; Limits the number of REQUEST variables
5501+hphp.request.max_vars = 200
5502+
5503+; Limits the length of variable names (without indices)
5504+hphp.request.max_varname_length = 64
5505+
5506+; Limits the length of complete variable names (with indices)
5507+hphp.request.max_totalname_length = 256
5508+
5509+; Limits the length of array indices
5510+hphp.request.max_array_index_length = 64
5511+
5512+; Limits the depth of arrays
5513+hphp.request.max_array_depth = 100
5514+
5515+; Limits the length of variable values
5516+hphp.request.max_value_length = 65000
5517+
5518+; Disallow ASCII-NUL characters in input
5519+hphp.request.disallow_nul = 1
5520+
5521+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5522+; Hardening-Patch's COOKIE variable filters ;
5523+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5524+
5525+; Limits the number of COOKIE variables
5526+hphp.cookie.max_vars = 100
5527+
5528+; Limits the length of variable names (without indices)
5529+hphp.cookie.max_name_length = 64
5530+
5531+; Limits the length of complete variable names (with indices)
5532+hphp.cookie.max_totalname_length = 256
5533+
5534+; Limits the length of array indices
5535+hphp.cookie.max_array_index_length = 64
5536+
5537+; Limits the depth of arrays
5538+hphp.cookie.max_array_depth = 100
5539+
5540+; Limits the length of variable values
5541+hphp.cookie.max_value_length = 10000
5542+
5543+; Disallow ASCII-NUL characters in input
5544+hphp.cookie.disallow_nul = 1
5545+
5546+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5547+; Hardening-Patch's GET variable filters ;
5548+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5549+
5550+; Limits the number of COOKIE variables
5551+hphp.get.max_vars = 100
5552+
5553+; Limits the length of variable names (without indices)
5554+hphp.get.max_name_length = 64
5555+
5556+; Limits the length of complete variable names (with indices)
5557+hphp.get.max_totalname_length = 256
5558+
5559+; Limits the length of array indices
5560+hphp.get.max_array_index_length = 64
5561+
5562+; Limits the depth of arrays
5563+hphp.get.max_array_depth = 50
5564+
5565+; Limits the length of variable values
5566+hphp.get.max_value_length = 512
5567+
5568+; Disallow ASCII-NUL characters in input
5569+hphp.get.disallow_nul = 1
5570+
5571+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5572+; Hardening-Patch's POST variable filters ;
5573+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5574+
5575+; Limits the number of POST variables
5576+hphp.post.max_vars = 200
5577+
5578+; Limits the length of variable names (without indices)
5579+hphp.post.max_name_length = 64
5580+
5581+; Limits the length of complete variable names (with indices)
5582+hphp.post.max_totalname_length = 256
5583+
5584+; Limits the length of array indices
5585+hphp.post.max_array_index_length = 64
5586+
5587+; Limits the depth of arrays
5588+hphp.post.max_array_depth = 100
5589+
5590+; Limits the length of variable values
5591+hphp.post.max_value_length = 65000
5592+
5593+; Disallow ASCII-NUL characters in input
5594+hphp.post.disallow_nul = 1
5595+
5596+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5597+; Hardening-Patch's fileupload variable filters ;
5598+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5599+
5600+; Limits the number of uploadable files
5601+hphp.upload.max_uploads = 25
5602+
5603+; Filter out the upload of ELF executables
5604+hphp.upload.disallow_elf_files = On
5605+
5606+; External filterscript for upload verification
5607+;hphp.upload.verification_script = /home/hphp/verify_script
5608+
5609+
5610 ; Local Variables:
5611 ; tab-width: 4
5612 ; End:
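Review bot: The `hphp.log.use-x-forwarded-for` comment should say that the header is client-supplied and only trustworthy behind a proxy that overwrites it, e.g. `; - Only enable this behind a reverse proxy that sets the header itself; otherwise the logged address is chosen by the client`. The `; Limits the number of COOKIE variables` comment above `hphp.get.max_vars` in the GET section is a copy-paste leftover and should read `; Limits the number of GET variables`. The request block uses `hphp.request.max_varname_length` where every other block uses `max_name_length`; if the ini key really differs it deserves a comment, otherwise it looks like a typo. The php.ini-recommended hunk below repeats all of this.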
5613diff -Nura php-4.4.2/php.ini-recommended hardening-patch-4.4.2-0.4.9/php.ini-recommended
5614--- php-4.4.2/php.ini-recommended 2005-12-30 18:19:43.000000000 +0100
5615+++ hardening-patch-4.4.2-0.4.9/php.ini-recommended 2006-05-02 16:46:34.000000000 +0200
5616@@ -1112,6 +1112,209 @@
5617 ;exif.decode_jis_motorola = JIS
5618 ;exif.decode_jis_intel = JIS
5619
5620+[hardening-patch]
5621+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5622+; Hardening-Patch's logging ;
5623+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5624+
5625+;
5626+; hphp.log.syslog - Configures level for alerts reported through syslog
5627+; hphp.log.sapi - Configures level for alerts reported through SAPI errorlog
5628+; hphp.log.script - Configures level for alerts reported through external script
5629+;
5630+; hphp.log.syslog, hphp.log.sapi, hphp.log.script are bit-fields.
5631+; Or each number up to get desired Hardening-Patch's reporting level
5632+;
5633+; S_ALL - All alerts
5634+; S_MEMORY - All canary violations and the safe unlink protection use this class
5635+; S_VARS - All variable filters trigger this class
5636+; S_FILES - All violation of uploaded files filter use this class
5637+; S_INCLUDE - The protection against malicious include filenames use this class
5638+; S_SQL - Failed SQL queries in MySQL are logged with this class
5639+; S_EXECUTOR - The execution depth protection uses this logging class
5640+; S_MISC - All other log messages (f.e. format string protection) use this class
5641+;
5642+; Example:
5643+;
5644+; - Report all alerts (except memory alerts) to the SAPI errorlog,
5645+; memory alerts through syslog and SQL+Include alerts fo the script
5646+;
5647+;hphp.log.syslog = S_MEMORY
5648+;hphp.log.sapi = S_ALL & ~S_MEMORY
5649+;hphp.log.script = S_INCLUDE | S_SQL
5650+;
5651+; Syslog logging:
5652+;
5653+; - Facility configuration: one of the following facilities
5654+;
5655+; LOG_KERN, LOG_USER, LOG_MAIL, LOG_DAEMON
5656+; LOG_AUTH, LOG_SYSLOG, LOG_LPR, LOG_NEWS
5657+; LOG_UUCP, LOG_CRON, LOG_AUTHPRIV, LOG_LOCAL0
5658+; LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4
5659+; LOG_LOCAL5, LOG_LOCAL6, LOG_LOCAL7, LOG_PID
5660+; LOG_CONS, LOG_ODELAY, LOG_NDELAY, LOG_NOWAIT
5661+; LOG_PERROR
5662+;
5663+; - Priority configuration: one of the followinf priorities
5664+;
5665+; LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_WARNING
5666+; LOG_NOTICE, LOG_INFO, LOG_DEBUG, LOG_ERR
5667+;
5668+hphp.log.syslog.priority = LOG_ALERT
5669+hphp.log.syslog.facility = LOG_USER
5670+;
5671+; Script logging:
5672+;
5673+;hphp.log.script.name = /home/hphp/log_script
5674+;
5675+; Alert configuration:
5676+;
5677+; - Logged IP addresses from X-Forwarded-For instead of REMOTE_ADDR
5678+;
5679+;hphp.log.use-x-forwarded-for = On
5680+;
5681+
5682+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5683+; Hardening-Patch's Executor options ;
5684+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5685+
5686+; Execution depth limit
5687+;hphp.executor.max_depth = 8000
5688+
5689+; White-/blacklist for function calls during normal execution
5690+;hphp.executor.func.whitelist = ord,chr
5691+;hphp.executor.func.blacklist = system,shell_exec,popen,proc_open,exec,passthru
5692+
5693+; White-/blacklist for function calls during eval() execution
5694+;hphp.executor.eval.whitelist = ord,chr
5695+;hphp.executor.eval.blacklist = system,shell_exec,popen,proc_open,exec,passthru
5696+
5697+; White-/blacklist for URLs allowes in include filenames
5698+;
5699+; - When both options are not set all URLs are forbidden
5700+;
5701+; - When both options are set whitelist is taken and blacklist ignored
5702+;
5703+; - An entry in the lists is either a URL sheme like: http, https
5704+; or the beginning of an URL like: php://input
5705+;
5706+;hphp.executor.include.whitelist = cookietest
5707+;hphp.executor.include.blacklist = http, https, ftp, ftps, php://input, file
5708+
5709+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5710+; Hardening-Patch's REQUEST variable filters ;
5711+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5712+
5713+; Limits the number of REQUEST variables
5714+hphp.request.max_vars = 200
5715+
5716+; Limits the length of variable names (without indices)
5717+hphp.request.max_varname_length = 64
5718+
5719+; Limits the length of complete variable names (with indices)
5720+hphp.request.max_totalname_length = 256
5721+
5722+; Limits the length of array indices
5723+hphp.request.max_array_index_length = 64
5724+
5725+; Limits the depth of arrays
5726+hphp.request.max_array_depth = 100
5727+
5728+; Limits the length of variable values
5729+hphp.request.max_value_length = 65000
5730+
5731+; Disallow ASCII-NUL characters in input
5732+hphp.request.disallow_nul = 1
5733+
5734+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5735+; Hardening-Patch's COOKIE variable filters ;
5736+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5737+
5738+; Limits the number of COOKIE variables
5739+hphp.cookie.max_vars = 100
5740+
5741+; Limits the length of variable names (without indices)
5742+hphp.cookie.max_name_length = 64
5743+
5744+; Limits the length of complete variable names (with indices)
5745+hphp.cookie.max_totalname_length = 256
5746+
5747+; Limits the length of array indices
5748+hphp.cookie.max_array_index_length = 64
5749+
5750+; Limits the depth of arrays
5751+hphp.cookie.max_array_depth = 100
5752+
5753+; Limits the length of variable values
5754+hphp.cookie.max_value_length = 10000
5755+
5756+; Disallow ASCII-NUL characters in input
5757+hphp.cookie.disallow_nul = 1
5758+
5759+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5760+; Hardening-Patch's GET variable filters ;
5761+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5762+
5763+; Limits the number of COOKIE variables
5764+hphp.get.max_vars = 100
5765+
5766+; Limits the length of variable names (without indices)
5767+hphp.get.max_name_length = 64
5768+
5769+; Limits the length of complete variable names (with indices)
5770+hphp.get.max_totalname_length = 256
5771+
5772+; Limits the length of array indices
5773+hphp.get.max_array_index_length = 64
5774+
5775+; Limits the depth of arrays
5776+hphp.get.max_array_depth = 50
5777+
5778+; Limits the length of variable values
5779+hphp.get.max_value_length = 512
5780+
5781+; Disallow ASCII-NUL characters in input
5782+hphp.get.disallow_nul = 1
5783+
5784+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5785+; Hardening-Patch's POST variable filters ;
5786+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5787+
5788+; Limits the number of POST variables
5789+hphp.post.max_vars = 200
5790+
5791+; Limits the length of variable names (without indices)
5792+hphp.post.max_name_length = 64
5793+
5794+; Limits the length of complete variable names (with indices)
5795+hphp.post.max_totalname_length = 256
5796+
5797+; Limits the length of array indices
5798+hphp.post.max_array_index_length = 64
5799+
5800+; Limits the depth of arrays
5801+hphp.post.max_array_depth = 100
5802+
5803+; Limits the length of variable values
5804+hphp.post.max_value_length = 65000
5805+
5806+; Disallow ASCII-NUL characters in input
5807+hphp.post.disallow_nul = 1
5808+
5809+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5810+; Hardening-Patch's fileupload variable filters ;
5811+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5812+
5813+; Limits the number of uploadable files
5814+hphp.upload.max_uploads = 25
5815+
5816+; Filter out the upload of ELF executables
5817+hphp.upload.disallow_elf_files = On
5818+
5819+; External filterscript for upload verification
5820+;hphp.upload.verification_script = /home/hphp/verify_script
5821+
5822+
5823 ; Local Variables:
5824 ; tab-width: 4
5825 ; End:
5826diff -Nura php-4.4.2/README.input_filter hardening-patch-4.4.2-0.4.9/README.input_filter
5827--- php-4.4.2/README.input_filter 1970-01-01 01:00:00.000000000 +0100
5828+++ hardening-patch-4.4.2-0.4.9/README.input_filter 2006-05-02 16:46:34.000000000 +0200
5829@@ -0,0 +1,193 @@
5830+Input Filter Support ported from PHP 5
5831+--------------------------------------
5832+
5833+XSS (Cross Site Scripting) hacks are becoming more and more prevalent,
5834+and can be quite difficult to prevent. Whenever you accept user data
5835+and somehow display this data back to users, you are likely vulnerable
5836+to XSS hacks.
5837+
5838+The Input Filter support in PHP 5 is aimed at providing the framework
5839+through which a company-wide or site-wide security policy can be
5840+enforced. It is implemented as a SAPI hook and is called from the
5841+treat_data and post handler functions. To implement your own security
5842+policy you will need to write a standard PHP extension.
5843+
5844+A simple implementation might look like the following. This stores the
5845+original raw user data and adds a my_get_raw() function while the normal
5846+$_POST, $_GET and $_COOKIE arrays are only populated with stripped
5847+data. In this simple example all I am doing is calling strip_tags() on
5848+the data. If register_globals is turned on, the default globals that
5849+are created will be stripped ($foo) while a $RAW_foo is created with the
5850+original user input.
5851+
5852+ZEND_BEGIN_MODULE_GLOBALS(my_input_filter)
5853+ zval *post_array;
5854+ zval *get_array;
5855+ zval *cookie_array;
5856+ZEND_END_MODULE_GLOBALS(my_input_filter)
5857+
5858+#ifdef ZTS
5859+#define IF_G(v) TSRMG(my_input_filter_globals_id, zend_my_input_filter_globals *, v)
5860+#else
5861+#define IF_G(v) (my_input_filter_globals.v)
5862+#endif
5863+
5864+ZEND_DECLARE_MODULE_GLOBALS(my_input_filter)
5865+
5866+function_entry my_input_filter_functions[] = {
5867+ PHP_FE(my_get_raw, NULL)
5868+ {NULL, NULL, NULL}
5869+};
5870+
5871+zend_module_entry my_input_filter_module_entry = {
5872+ STANDARD_MODULE_HEADER,
5873+ "my_input_filter",
5874+ my_input_filter_functions,
5875+ PHP_MINIT(my_input_filter),
5876+ PHP_MSHUTDOWN(my_input_filter),
5877+ NULL,
5878+ PHP_RSHUTDOWN(my_input_filter),
5879+ PHP_MINFO(my_input_filter),
5880+ "0.1",
5881+ STANDARD_MODULE_PROPERTIES
5882+};
5883+
5884+PHP_MINIT_FUNCTION(my_input_filter)
5885+{
5886+ ZEND_INIT_MODULE_GLOBALS(my_input_filter, php_my_input_filter_init_globals, NULL);
5887+
5888+ REGISTER_LONG_CONSTANT("POST", PARSE_POST, CONST_CS | CONST_PERSISTENT);
5889+ REGISTER_LONG_CONSTANT("GET", PARSE_GET, CONST_CS | CONST_PERSISTENT);
5890+ REGISTER_LONG_CONSTANT("COOKIE", PARSE_COOKIE, CONST_CS | CONST_PERSISTENT);
5891+
5892+ sapi_register_input_filter(my_sapi_input_filter);
5893+ return SUCCESS;
5894+}
5895+
5896+PHP_RSHUTDOWN_FUNCTION(my_input_filter)
5897+{
5898+ if(IF_G(get_array)) {
5899+ zval_ptr_dtor(&IF_G(get_array));
5900+ IF_G(get_array) = NULL;
5901+ }
5902+ if(IF_G(post_array)) {
5903+ zval_ptr_dtor(&IF_G(post_array));
5904+ IF_G(post_array) = NULL;
5905+ }
5906+ if(IF_G(cookie_array)) {
5907+ zval_ptr_dtor(&IF_G(cookie_array));
5908+ IF_G(cookie_array) = NULL;
5909+ }
5910+ return SUCCESS;
5911+}
5912+
5913+PHP_MINFO_FUNCTION(my_input_filter)
5914+{
5915+ php_info_print_table_start();
5916+ php_info_print_table_row( 2, "My Input Filter Support", "enabled" );
5917+ php_info_print_table_row( 2, "Revision", "$Revision: 1.1 $");
5918+ php_info_print_table_end();
5919+}
5920+
5921+/* The filter handler. If you return 1 from it, then PHP also registers the
5922+ * (modified) variable. Returning 0 prevents PHP from registering the variable;
5923+ * you can use this if your filter already registers the variable under a
5924+ * different name, or if you just don't want the variable registered at all. */
5925+SAPI_INPUT_FILTER_FUNC(my_sapi_input_filter)
5926+{
5927+ zval new_var;
5928+ zval *array_ptr = NULL;
5929+ char *raw_var;
5930+ int var_len;
5931+
5932+ assert(*val != NULL);
5933+
5934+ switch(arg) {
5935+ case PARSE_GET:
5936+ if(!IF_G(get_array)) {
5937+ ALLOC_ZVAL(array_ptr);
5938+ array_init(array_ptr);
5939+ INIT_PZVAL(array_ptr);
5940+ }
5941+ IF_G(get_array) = array_ptr;
5942+ break;
5943+ case PARSE_POST:
5944+ if(!IF_G(post_array)) {
5945+ ALLOC_ZVAL(array_ptr);
5946+ array_init(array_ptr);
5947+ INIT_PZVAL(array_ptr);
5948+ }
5949+ IF_G(post_array) = array_ptr;
5950+ break;
5951+ case PARSE_COOKIE:
5952+ if(!IF_G(cookie_array)) {
5953+ ALLOC_ZVAL(array_ptr);
5954+ array_init(array_ptr);
5955+ INIT_PZVAL(array_ptr);
5956+ }
5957+ IF_G(cookie_array) = array_ptr;
5958+ break;
5959+ }
5960+ Z_STRLEN(new_var) = val_len;
5961+ Z_STRVAL(new_var) = estrndup(*val, val_len);
5962+ Z_TYPE(new_var) = IS_STRING;
5963+
5964+ var_len = strlen(var);
5965+ raw_var = emalloc(var_len+5); /* RAW_ and a \0 */
5966+ strcpy(raw_var, "RAW_");
5967+ strlcat(raw_var,var,var_len+5);
5968+
5969+ php_register_variable_ex(raw_var, &new_var, array_ptr TSRMLS_DC);
5970+
5971+ php_strip_tags(*val, val_len, NULL, NULL, 0);
5972+
5973+ *new_val_len = strlen(*val);
5974+ return 1;
5975+}
5976+
5977+PHP_FUNCTION(my_get_raw)
5978+{
5979+ long arg;
5980+ char *var;
5981+ int var_len;
5982+ zval **tmp;
5983+ zval *array_ptr = NULL;
5984+ HashTable *hash_ptr;
5985+ char *raw_var;
5986+
5987+ if(zend_parse_parameters(2 TSRMLS_CC, "ls", &arg, &var, &var_len) == FAILURE) {
5988+ return;
5989+ }
5990+
5991+ switch(arg) {
5992+ case PARSE_GET:
5993+ array_ptr = IF_G(get_array);
5994+ break;
5995+ case PARSE_POST:
5996+ array_ptr = IF_G(post_array);
5997+ break;
5998+ case PARSE_COOKIE:
5999+ array_ptr = IF_G(post_array);
6000+ break;
6001+ }
6002+
6003+ if(!array_ptr) RETURN_FALSE;
6004+
6005+ /*
6006+ * I'm changing the variable name here because when running with register_globals on,
6007+ * the variable will end up in the global symbol table
6008+ */
6009+ raw_var = emalloc(var_len+5); /* RAW_ and a \0 */
6010+ strcpy(raw_var, "RAW_");
6011+ strlcat(raw_var,var,var_len+5);
6012+ hash_ptr = HASH_OF(array_ptr);
6013+
6014+ if(zend_hash_find(hash_ptr, raw_var, var_len+5, (void **)&tmp) == SUCCESS) {
6015+ *return_value = **tmp;
6016+ zval_copy_ctor(return_value);
6017+ } else {
6018+ RETVAL_FALSE;
6019+ }
6020+ efree(raw_var);
6021+}
6022+
6023diff -Nura php-4.4.2/run-tests.php hardening-patch-4.4.2-0.4.9/run-tests.php
6024--- php-4.4.2/run-tests.php 2006-01-01 14:46:48.000000000 +0100
6025+++ hardening-patch-4.4.2-0.4.9/run-tests.php 2006-05-02 16:46:34.000000000 +0200
6026@@ -152,6 +152,10 @@
6027 'error_reporting=2047',
6028 'display_errors=1',
6029 'log_errors=0',
6030+ 'hphp.executor.include.whitelist=cookietest',
6031+ 'hphp.log.syslog=0',
6032+ 'hphp.log.sapi=0',
6033+ 'hphp.log.script=0',
6034 'html_errors=0',
6035 'track_errors=1',
6036 'report_memleaks=1',
6037diff -Nura php-4.4.2/sapi/apache/mod_php4.c hardening-patch-4.4.2-0.4.9/sapi/apache/mod_php4.c
6038--- php-4.4.2/sapi/apache/mod_php4.c 2006-01-01 14:47:01.000000000 +0100
6039+++ hardening-patch-4.4.2-0.4.9/sapi/apache/mod_php4.c 2006-05-02 16:46:34.000000000 +0200
6040@@ -452,7 +452,7 @@
6041 sapi_apache_get_fd,
6042 sapi_apache_force_http_10,
6043 sapi_apache_get_target_uid,
6044- sapi_apache_get_target_gid
6045+ sapi_apache_get_target_gid,
6046 };
6047 /* }}} */
6048
6049@@ -898,7 +898,11 @@
6050 {
6051 TSRMLS_FETCH();
6052 if (PG(expose_php)) {
6053+#if HARDENING_PATCH
6054+ ap_add_version_component("PHP/" PHP_VERSION " with Hardening-Patch");
6055+#else
6056 ap_add_version_component("PHP/" PHP_VERSION);
6057+#endif
6058 }
6059 }
6060 #endif
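Review bot: The added `with Hardening-Patch` token makes the Server header announce that this build carries the patch whenever `expose_php` is on, a fingerprint most deployments of a hardening patch would rather not advertise; consider leaving the banner unchanged or gating the suffix on its own ini switch, and document that `expose_php = Off` suppresses it. The apache2filter and apache2handler hunks below add the same token. The enclosing function starts outside the hunk.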
6061diff -Nura php-4.4.2/sapi/apache2filter/sapi_apache2.c hardening-patch-4.4.2-0.4.9/sapi/apache2filter/sapi_apache2.c
6062--- php-4.4.2/sapi/apache2filter/sapi_apache2.c 2006-01-01 14:47:01.000000000 +0100
6063+++ hardening-patch-4.4.2-0.4.9/sapi/apache2filter/sapi_apache2.c 2006-05-02 16:46:34.000000000 +0200
6064@@ -562,7 +562,11 @@
6065 {
6066 TSRMLS_FETCH();
6067 if (PG(expose_php)) {
6068+#if HARDENING_PATCH
6069+ ap_add_version_component(p, "PHP/" PHP_VERSION " with Hardening-Patch");
6070+#else
6071 ap_add_version_component(p, "PHP/" PHP_VERSION);
6072+#endif
6073 }
6074 }
6075
6076diff -Nura php-4.4.2/sapi/apache2handler/sapi_apache2.c hardening-patch-4.4.2-0.4.9/sapi/apache2handler/sapi_apache2.c
6077--- php-4.4.2/sapi/apache2handler/sapi_apache2.c 2006-01-01 14:47:01.000000000 +0100
6078+++ hardening-patch-4.4.2-0.4.9/sapi/apache2handler/sapi_apache2.c 2006-05-02 16:46:34.000000000 +0200
6079@@ -340,7 +340,11 @@
6080 {
6081 TSRMLS_FETCH();
6082 if (PG(expose_php)) {
6083+#if HARDENING_PATCH
6084+ ap_add_version_component(p, "PHP/" PHP_VERSION " with Hardening-Patch");
6085+#else
6086 ap_add_version_component(p, "PHP/" PHP_VERSION);
6087+#endif
6088 }
6089 }
6090
6091diff -Nura php-4.4.2/sapi/cgi/cgi_main.c hardening-patch-4.4.2-0.4.9/sapi/cgi/cgi_main.c
6092--- php-4.4.2/sapi/cgi/cgi_main.c 2006-01-01 14:47:01.000000000 +0100
6093+++ hardening-patch-4.4.2-0.4.9/sapi/cgi/cgi_main.c 2006-05-02 16:46:34.000000000 +0200
6094@@ -1432,11 +1432,19 @@
6095 SG(headers_sent) = 1;
6096 SG(request_info).no_headers = 1;
6097 }
6098+#if HARDENING_PATCH
6099+#if ZEND_DEBUG
6100+ php_printf("PHP %s with Hardening-Patch %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENING_PATCH_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
6101+#else
6102+ php_printf("PHP %s with Hardening-Patch %s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENING_PATCH_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
6103+#endif
6104+#else
6105 #if ZEND_DEBUG
6106 php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2006 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
6107 #else
6108 php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2006 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
6109 #endif
6110+#endif
6111 php_end_ob_buffers(1 TSRMLS_CC);
6112 exit(0);
6113 break;
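Review bot: The Hardening-Patch banner strings print `Copyright (c) 1997-2004 The PHP Group` while the unpatched branch directly below prints `1997-2006`, so the patched build regresses the year; the two `php_printf` lines inside the `#if HARDENING_PATCH` block should carry the same `1997-2006` text as the lines they replace. The php_cli.c hunk below has the identical stale text. The enclosing `switch` case starts outside the hunk.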
6114diff -Nura php-4.4.2/sapi/cli/php_cli.c hardening-patch-4.4.2-0.4.9/sapi/cli/php_cli.c
6115--- php-4.4.2/sapi/cli/php_cli.c 2006-01-01 14:47:01.000000000 +0100
6116+++ hardening-patch-4.4.2-0.4.9/sapi/cli/php_cli.c 2006-05-02 16:46:34.000000000 +0200
6117@@ -654,11 +654,19 @@
6118 if (php_request_startup(TSRMLS_C)==FAILURE) {
6119 goto err;
6120 }
6121+#if HARDENING_PATCH
6122+#if ZEND_DEBUG
6123+ php_printf("PHP %s with Hardening-Patch %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENING_PATCH_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
6124+#else
6125+ php_printf("PHP %s with Hardening-Patch %s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENING_PATCH_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
6126+#endif
6127+#else
6128 #if ZEND_DEBUG
6129 php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2006 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
6130 #else
6131 php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2006 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
6132 #endif
6133+#endif
6134 php_end_ob_buffers(1 TSRMLS_CC);
6135 exit_status=0;
6136 goto out;
6137diff -Nura php-4.4.2/TSRM/TSRM.h hardening-patch-4.4.2-0.4.9/TSRM/TSRM.h
6138--- php-4.4.2/TSRM/TSRM.h 2005-07-26 15:34:52.000000000 +0200
6139+++ hardening-patch-4.4.2-0.4.9/TSRM/TSRM.h 2006-05-02 16:46:34.000000000 +0200
6140@@ -33,6 +33,13 @@
6141 # define TSRM_API
6142 #endif
6143
6144+#if HARDENING_PATCH
6145+# if HAVE_REALPATH
6146+# undef realpath
6147+# define realpath php_realpath
6148+# endif
6149+#endif
6150+
6151 /* Only compile multi-threading functions if we're in ZTS mode */
6152 #ifdef ZTS
6153
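Review bot: Redefining `realpath` here affects every translation unit that includes TSRM.h, but the prototype for `php_realpath` is only added to tsrm_virtual_cwd.h (hunk further down), so a file that includes TSRM.h without that header and calls realpath now gets an implicit declaration of `php_realpath`; placing the `CWD_API char *php_realpath(const char *path, char *resolved);` declaration next to this macro closes that gap. glibc's realpath also accepts a NULL `resolved` buffer and allocates the result, which php_realpath does not support; any caller relying on that (none visible in this chunk) would now dereference NULL, so a comment such as `/* php_realpath requires a caller-supplied buffer of PATH_MAX bytes */` belongs beside the define.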
6154@@ -84,6 +91,7 @@
6155
6156 #define THREAD_HASH_OF(thr,ts) (unsigned long)thr%(unsigned long)ts
6157
6158+
6159 #ifdef __cplusplus
6160 extern "C" {
6161 #endif
6162diff -Nura php-4.4.2/TSRM/tsrm_virtual_cwd.c hardening-patch-4.4.2-0.4.9/TSRM/tsrm_virtual_cwd.c
6163--- php-4.4.2/TSRM/tsrm_virtual_cwd.c 2006-01-01 14:46:48.000000000 +0100
6164+++ hardening-patch-4.4.2-0.4.9/TSRM/tsrm_virtual_cwd.c 2006-05-02 16:46:34.000000000 +0200
6165@@ -179,6 +179,165 @@
6166 return p;
6167 }
6168
6169+#if HARDENING_PATCH
6170+CWD_API char *php_realpath(const char *path, char *resolved)
6171+{
6172+ struct stat sb;
6173+ char *p, *q, *s;
6174+ size_t left_len, resolved_len;
6175+ unsigned symlinks;
6176+ int serrno, slen;
6177+ int is_dir = 1;
6178+ char left[PATH_MAX], next_token[PATH_MAX], symlink[PATH_MAX];
6179+
6180+ serrno = errno;
6181+ symlinks = 0;
6182+ if (path[0] == '/') {
6183+ resolved[0] = '/';
6184+ resolved[1] = '\0';
6185+ if (path[1] == '\0')
6186+ return (resolved);
6187+ resolved_len = 1;
6188+ left_len = strlcpy(left, path + 1, sizeof(left));
6189+ } else {
6190+ if (getcwd(resolved, PATH_MAX) == NULL) {
6191+ strlcpy(resolved, ".", PATH_MAX);
6192+ return (NULL);
6193+ }
6194+ resolved_len = strlen(resolved);
6195+ left_len = strlcpy(left, path, sizeof(left));
6196+ }
6197+ if (left_len >= sizeof(left) || resolved_len >= PATH_MAX) {
6198+ errno = ENAMETOOLONG;
6199+ return (NULL);
6200+ }
6201+
6202+ /*
6203+ * Iterate over path components in `left'.
6204+ */
6205+ while (left_len != 0) {
6206+ /*
6207+ * Extract the next path component and adjust `left'
6208+ * and its length.
6209+ */
6210+ p = strchr(left, '/');
6211+ s = p ? p : left + left_len;
6212+ if (s - left >= sizeof(next_token)) {
6213+ errno = ENAMETOOLONG;
6214+ return (NULL);
6215+ }
6216+ memcpy(next_token, left, s - left);
6217+ next_token[s - left] = '\0';
6218+ left_len -= s - left;
6219+ if (p != NULL)
6220+ memmove(left, s + 1, left_len + 1);
6221+ if (resolved[resolved_len - 1] != '/') {
6222+ if (resolved_len + 1 >= PATH_MAX) {
6223+ errno = ENAMETOOLONG;
6224+ return (NULL);
6225+ }
6226+ resolved[resolved_len++] = '/';
6227+ resolved[resolved_len] = '\0';
6228+ }
6229+ if (next_token[0] == '\0')
6230+ continue;
6231+ else if (strcmp(next_token, ".") == 0)
6232+ continue;
6233+ else if (strcmp(next_token, "..") == 0) {
6234+ /*
6235+ * Strip the last path component except when we have
6236+ * single "/"
6237+ */
6238+ if (!is_dir) {
6239+ errno = ENOENT;
6240+ return (NULL);
6241+ }
6242+ if (resolved_len > 1) {
6243+ resolved[resolved_len - 1] = '\0';
6244+ q = strrchr(resolved, '/');
6245+ *q = '\0';
6246+ resolved_len = q - resolved;
6247+ }
6248+ continue;
6249+ }
6250+
6251+ /*
6252+ * Append the next path component and lstat() it. If
6253+ * lstat() fails we still can return successfully if
6254+ * there are no more path components left.
6255+ */
6256+ resolved_len = strlcat(resolved, next_token, PATH_MAX);
6257+ if (resolved_len >= PATH_MAX) {
6258+ errno = ENAMETOOLONG;
6259+ return (NULL);
6260+ }
6261+ if (lstat(resolved, &sb) != 0) {
6262+ if (errno == ENOENT && p == NULL) {
6263+ errno = serrno;
6264+ return (resolved);
6265+ }
6266+ return (NULL);
6267+ }
6268+ if (S_ISLNK(sb.st_mode)) {
6269+ if (symlinks++ > MAXSYMLINKS) {
6270+ errno = ELOOP;
6271+ return (NULL);
6272+ }
6273+ slen = readlink(resolved, symlink, sizeof(symlink) - 1);
6274+ if (slen < 0)
6275+ return (NULL);
6276+ symlink[slen] = '\0';
6277+ if (symlink[0] == '/') {
6278+ resolved[1] = 0;
6279+ resolved_len = 1;
6280+ } else if (resolved_len > 1) {
6281+ /* Strip the last path component. */
6282+ resolved[resolved_len - 1] = '\0';
6283+ q = strrchr(resolved, '/');
6284+ *q = '\0';
6285+ resolved_len = q - resolved;
6286+ }
6287+
6288+ /*
6289+ * If there are any path components left, then
6290+ * append them to symlink. The result is placed
6291+ * in `left'.
6292+ */
6293+ if (p != NULL) {
6294+ if (symlink[slen - 1] != '/') {
6295+ if (slen + 1 >= sizeof(symlink)) {
6296+ errno = ENAMETOOLONG;
6297+ return (NULL);
6298+ }
6299+ symlink[slen] = '/';
6300+ symlink[slen + 1] = 0;
6301+ }
6302+ left_len = strlcat(symlink, left, sizeof(left));
6303+ if (left_len >= sizeof(left)) {
6304+ errno = ENAMETOOLONG;
6305+ return (NULL);
6306+ }
6307+ }
6308+ left_len = strlcpy(left, symlink, sizeof(left));
6309+ } else {
6310+ if (S_ISDIR(sb.st_mode)) {
6311+ is_dir = 1;
6312+ } else {
6313+ is_dir = 0;
6314+ }
6315+ }
6316+ }
6317+
6318+ /*
6319+ * Remove trailing slash except when the resolved pathname
6320+ * is a single "/".
6321+ */
6322+ if (resolved_len > 1 && resolved[resolved_len - 1] == '/')
6323+ resolved[resolved_len - 1] = '\0';
6324+ return (resolved);
6325+}
6326+#endif
6327+
6328 CWD_API void virtual_cwd_startup(void)
6329 {
6330 char cwd[MAXPATHLEN];
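Review bot: Both "strip the last path component" blocks drop the `+ 1` after `strrchr(resolved, '/')`, so after `..` or a relative symlink the separator is removed as well; at the root this leaves `resolved` empty with `resolved_len == 0`, `php_realpath("/a/..", buf)` returns `""` instead of `"/"`, and the next iteration's `resolved[resolved_len - 1]` test reads `resolved[-1]`. Using `q = strrchr(resolved, '/') + 1;` in the `..` branch and in the symlink branch keeps the trailing `/` that the loop head expects. Separately, when `readlink()` returns 0 (an empty link target, possible on some filesystems) the `symlink[slen - 1]` test indexes before the buffer; treating `slen == 0` like a failed readlink avoids it. The `is_dir` check that rejects `..` after a non-directory is the behavioural fix this function exists for and deserves a one-line comment on the `int is_dir = 1;` declaration.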
6331@@ -300,8 +459,11 @@
6332
6333 if (path_length == 0)
6334 return (0);
6335- if (path_length >= MAXPATHLEN)
6336+ if (path_length >= MAXPATHLEN) {
6337+ state->cwd[0] = 0;
6338+ state->cwd_length = 0;
6339 return (1);
6340+ }
6341
6342 #if !defined(TSRM_WIN32) && !defined(NETWARE)
6343 /* cwd_length can be 0 when getcwd() fails.
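Review bot: On the too-long and realpath-failure paths the new code clears `state->cwd` before returning 1, which mutates the caller's state in place; if a caller passes its live cwd (the enclosing function starts outside the hunk, so callers are not visible here) a failed lookup leaves it with an empty virtual cwd instead of the previous directory. Callers should work on a copy and commit only on success, or this function should restore the old value before returning; at minimum the contract deserves a comment such as `/* on failure state->cwd is reset to "" and must not be reused by the caller */`. The same reset is added in the three hunks that follow in this file.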
6344@@ -313,8 +475,9 @@
6345 path = resolved_path;
6346 path_length = strlen(path);
6347 } else {
6348- /* disable for now
6349- return 1; */
6350+ state->cwd[0] = 0;
6351+ state->cwd_length = 0;
6352+ return 1;
6353 }
6354 }
6355 } else { /* Concat current directory with relative path and then run realpath() on it */
6356@@ -323,6 +486,8 @@
6357
6358 ptr = tmp = (char *) malloc(state->cwd_length+path_length+sizeof("/"));
6359 if (!tmp) {
6360+ state->cwd[0] = 0;
6361+ state->cwd_length = 0;
6362 return 1;
6363 }
6364 memcpy(ptr, state->cwd, state->cwd_length);
6365@@ -332,6 +497,8 @@
6366 ptr += path_length;
6367 *ptr = '\0';
6368 if (strlen(tmp) >= MAXPATHLEN) {
6369+ state->cwd[0] = 0;
6370+ state->cwd_length = 0;
6371 free(tmp);
6372 return 1;
6373 }
6374@@ -340,9 +507,10 @@
6375 path = resolved_path;
6376 path_length = strlen(path);
6377 } else {
6378- /* disable for now
6379+ state->cwd[0] = 0;
6380+ state->cwd_length = 0;
6381 free(tmp);
6382- return 1; */
6383+ return 1;
6384 }
6385 }
6386 free(tmp);
6387diff -Nura php-4.4.2/TSRM/tsrm_virtual_cwd.h hardening-patch-4.4.2-0.4.9/TSRM/tsrm_virtual_cwd.h
6388--- php-4.4.2/TSRM/tsrm_virtual_cwd.h 2006-01-01 14:46:49.000000000 +0100
6389+++ hardening-patch-4.4.2-0.4.9/TSRM/tsrm_virtual_cwd.h 2006-05-02 16:46:34.000000000 +0200
6390@@ -128,6 +128,22 @@
6391
6392 typedef int (*verify_path_func)(const cwd_state *);
6393
6394+#ifndef HAVE_STRLCPY
6395+CWD_API size_t php_strlcpy(char *dst, const char *src, size_t siz);
6396+#undef strlcpy
6397+#define strlcpy php_strlcpy
6398+#endif
6399+
6400+#ifndef HAVE_STRLCAT
6401+CWD_API size_t php_strlcat(char *dst, const char *src, size_t siz);
6402+#undef strlcat
6403+#define strlcat php_strlcat
6404+#endif
6405+
6406+
6407+#if HARDENING_PATCH
6408+CWD_API char *php_realpath(const char *path, char *resolved);
6409+#endif
6410 CWD_API void virtual_cwd_startup(void);
6411 CWD_API void virtual_cwd_shutdown(void);
6412 CWD_API char *virtual_getcwd_ex(size_t *length TSRMLS_DC);
6413diff -Nura php-4.4.2/Zend/zend_alloc.c hardening-patch-4.4.2-0.4.9/Zend/zend_alloc.c
6414--- php-4.4.2/Zend/zend_alloc.c 2006-01-01 14:46:49.000000000 +0100
6415+++ hardening-patch-4.4.2-0.4.9/Zend/zend_alloc.c 2006-05-02 16:46:34.000000000 +0200
6416@@ -56,6 +56,11 @@
6417 # define END_MAGIC_SIZE 0
6418 #endif
6419
6420+#if HARDENING_PATCH_MM_PROTECT
6421+# define CANARY_SIZE sizeof(unsigned int)
6422+#else
6423+# define CANARY_SIZE 0
6424+#endif
6425
6426 # if MEMORY_LIMIT
6427 # if ZEND_DEBUG
6428@@ -96,9 +101,17 @@
6429 if (p==AG(head)) { \
6430 AG(head) = p->pNext; \
6431 } else { \
6432+ if (p != p->pLast->pNext) { \
6433+ zend_security_log(S_MEMORY, "linked list corrupt on efree() - heap corruption detected"); \
6434+ exit(1); \
6435+ } \
6436 p->pLast->pNext = p->pNext; \
6437 } \
6438 if (p->pNext) { \
6439+ if (p != p->pNext->pLast) { \
6440+ zend_security_log(S_MEMORY, "linked list corrupt on efree() - heap corruption detected"); \
6441+ exit(1); \
6442+ } \
6443 p->pNext->pLast = p->pLast; \
6444 }
6445
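Review bot: The new list-consistency checks in REMOVE_POINTER_FROM_LIST dereference `p->pLast` before validating it, so a corrupted header whose `pLast` is NULL faults on the load instead of reaching `zend_security_log`, and the detection then leaves no log line behind. Guarding that case is cheap: `if (!p->pLast || p != p->pLast->pNext) { \`; the `pNext` branch is already protected by the surrounding `if (p->pNext)` and a NULL `p->pNext->pLast` simply fails the comparison. A garbage non-NULL pointer still faults, which cannot be avoided here, so a short comment that the check is best-effort would set expectations for whoever reads the log.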
6446@@ -130,6 +143,12 @@
6447 DECLARE_CACHE_VARS();
6448 TSRMLS_FETCH();
6449
6450+#if HARDENING_PATCH_MM_PROTECT
6451+ if (size > LONG_MAX - sizeof(zend_mem_header) - MEM_HEADER_PADDING - END_MAGIC_SIZE - CANARY_SIZE) {
6452+ zend_security_log(S_MEMORY, "emalloc() - requested size would result in integer overflow");
6453+ exit(1);
6454+ }
6455+#endif
6456 CALCULATE_REAL_SIZE_AND_CACHE_INDEX(size);
6457
6458 if (!ZEND_DISABLE_MEMORY_CACHE && (CACHE_INDEX < MAX_CACHED_MEMORY) && (AG(cache_count)[CACHE_INDEX] > 0)) {
6459@@ -147,6 +166,10 @@
6460 AG(cache_stats)[CACHE_INDEX][1]++;
6461 memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
6462 #endif
6463+#if HARDENING_PATCH_MM_PROTECT
6464+ p->canary = HG(canary_1);
6465+ memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
6466+#endif
6467 p->cached = 0;
6468 p->size = size;
6469 return (void *)((char *)p + sizeof(zend_mem_header) + MEM_HEADER_PADDING);
6470@@ -162,7 +185,7 @@
6471 AG(allocated_memory_peak) = AG(allocated_memory);
6472 }
6473 #endif
6474- p = (zend_mem_header *) ZEND_DO_MALLOC(sizeof(zend_mem_header) + MEM_HEADER_PADDING + SIZE + END_MAGIC_SIZE);
6475+ p = (zend_mem_header *) ZEND_DO_MALLOC(sizeof(zend_mem_header) + MEM_HEADER_PADDING + SIZE + END_MAGIC_SIZE + CANARY_SIZE);
6476 }
6477
6478 HANDLE_BLOCK_INTERRUPTIONS();
6479@@ -192,7 +215,10 @@
6480 # endif
6481 memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
6482 #endif
6483-
6484+#if HARDENING_PATCH_MM_PROTECT
6485+ p->canary = HG(canary_1);
6486+ memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
6487+#endif
6488 HANDLE_UNBLOCK_INTERRUPTIONS();
6489 return (void *)((char *)p + sizeof(zend_mem_header) + MEM_HEADER_PADDING);
6490 }
6491@@ -219,17 +245,36 @@
6492 return emalloc_rel(lval + offset);
6493 }
6494 }
6495-
6496+
6497+#if HARDENING_PATCH
6498+ zend_security_log(S_MEMORY, "Possible integer overflow catched by safe_emalloc()");
6499+#endif
6500 zend_error(E_ERROR, "Possible integer overflow in memory allocation (%ld * %ld + %ld)", nmemb, size, offset);
6501 return 0;
6502 }
6503
6504 ZEND_API void _efree(void *ptr ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
6505 {
6506+#if HARDENING_PATCH_MM_PROTECT
6507+ unsigned int canary_2;
6508+#endif
6509 zend_mem_header *p = (zend_mem_header *) ((char *)ptr - sizeof(zend_mem_header) - MEM_HEADER_PADDING);
6510 DECLARE_CACHE_VARS();
6511 TSRMLS_FETCH();
6512
6513+#if HARDENING_PATCH_MM_PROTECT
6514+ if (p->canary != HG(canary_1)) goto efree_canary_mismatch;
6515+ memcpy(&canary_2, (((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE), CANARY_SIZE);
6516+ if (canary_2 != HG(canary_2)) {
6517+efree_canary_mismatch:
6518+ zend_security_log(S_MEMORY, "canary mismatch on efree() - heap overflow or double efree detected");
6519+ exit(1);
6520+ }
6521+ /* to catch double efree()s */
6522+ memset((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE), 0, CANARY_SIZE);
6523+ p->canary = 0;
6524+#endif
6525+
6526 #if defined(ZTS) && TSRM_DEBUG
6527 if (p->thread_id != tsrm_thread_id()) {
6528 tsrm_error(TSRM_ERROR_LEVEL_ERROR, "Memory block allocated at %s:(%d) on thread %x freed at %s:(%d) on thread %x, ignoring",
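Review bot: The order of the two canary checks in _efree is deliberate but undocumented: the trailer canary is located via `p->size`, which is only trustworthy once the header canary has matched, and a reader who "tidies" this into a single `||` condition would turn a detected corruption into an out-of-bounds read; a comment such as `/* check the header canary first: p->size is only trusted after it matches */` above the first check protects that. The `efree_canary_mismatch:` label sits inside the `if` body, so the `goto` jumps into a block — legal, but a small `static void` helper that logs and exits would read more plainly (the same shape appears in _erealloc in the @@ -304,6 +355,16 @@ hunk). The new message in safe_emalloc, `"Possible integer overflow catched by safe_emalloc()"`, should read `caught`; the ecalloc message in the next hunk has the same typo. _efree continues past the end of this hunk.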
6529@@ -274,6 +319,9 @@
6530 size_t _size = nmemb * size;
6531
6532 if (nmemb && (_size/nmemb!=size)) {
6533+#if HARDENING_PATCH
6534+ zend_security_log(S_MEMORY, "Possible integer overflow catched by ecalloc()");
6535+#endif
6536 fprintf(stderr,"FATAL: ecalloc(): Unable to allocate %ld * %ld bytes\n", (long) nmemb, (long) size);
6537 #if ZEND_DEBUG && HAVE_KILL && HAVE_GETPID
6538 kill(getpid(), SIGSEGV);
6539@@ -293,6 +341,9 @@
6540
6541 ZEND_API void *_erealloc(void *ptr, size_t size, int allow_failure ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
6542 {
6543+#if HARDENING_PATCH_MM_PROTECT
6544+ unsigned int canary_2;
6545+#endif
6546 zend_mem_header *p;
6547 zend_mem_header *orig;
6548 DECLARE_CACHE_VARS();
6549@@ -304,6 +355,16 @@
6550
6551 p = orig = (zend_mem_header *) ((char *)ptr-sizeof(zend_mem_header)-MEM_HEADER_PADDING);
6552
6553+#if HARDENING_PATCH_MM_PROTECT
6554+ if (p->canary != HG(canary_1)) goto erealloc_canary_mismatch;
6555+ memcpy(&canary_2, (((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE), CANARY_SIZE);
6556+ if (canary_2 != HG(canary_2)) {
6557+erealloc_canary_mismatch:
6558+ zend_security_log(S_MEMORY, "canary mismatch on erealloc() - heap overflow detected");
6559+ exit(1);
6560+ }
6561+#endif
6562+
6563 #if defined(ZTS) && TSRM_DEBUG
6564 if (p->thread_id != tsrm_thread_id()) {
6565 void *new_p;
6566@@ -327,7 +388,7 @@
6567 }
6568 #endif
6569 REMOVE_POINTER_FROM_LIST(p);
6570- p = (zend_mem_header *) ZEND_DO_REALLOC(p, sizeof(zend_mem_header)+MEM_HEADER_PADDING+SIZE+END_MAGIC_SIZE);
6571+ p = (zend_mem_header *) ZEND_DO_REALLOC(p, sizeof(zend_mem_header)+MEM_HEADER_PADDING+SIZE+END_MAGIC_SIZE+CANARY_SIZE);
6572 if (!p) {
6573 if (!allow_failure) {
6574 fprintf(stderr,"FATAL: erealloc(): Unable to allocate %ld bytes\n", (long) size);
6575@@ -349,6 +410,9 @@
6576 memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
6577 #endif
6578
6579+#if HARDENING_PATCH_MM_PROTECT
6580+ memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
6581+#endif
6582 p->size = size;
6583
6584 HANDLE_UNBLOCK_INTERRUPTIONS();
6585@@ -423,6 +487,10 @@
6586 {
6587 AG(head) = NULL;
6588
6589+#if HARDENING_PATCH_MM_PROTECT
6590+ HG(canary_1) = zend_canary();
6591+ HG(canary_2) = zend_canary();
6592+#endif
6593 #if MEMORY_LIMIT
6594 AG(memory_limit) = 1<<30; /* ridiculous limit, effectively no limit */
6595 AG(allocated_memory) = 0;
6596diff -Nura php-4.4.2/Zend/zend_alloc.h hardening-patch-4.4.2-0.4.9/Zend/zend_alloc.h
6597--- php-4.4.2/Zend/zend_alloc.h 2006-01-01 14:46:49.000000000 +0100
6598+++ hardening-patch-4.4.2-0.4.9/Zend/zend_alloc.h 2006-05-02 16:46:34.000000000 +0200
6599@@ -32,6 +32,9 @@
6600 #define MEM_BLOCK_CACHED_MAGIC 0xFB8277DCL
6601
6602 typedef struct _zend_mem_header {
6603+#if HARDENING_PATCH_MM_PROTECT
6604+ unsigned int canary;
6605+#endif
6606 #if ZEND_DEBUG
6607 long magic;
6608 char *filename;
6609diff -Nura php-4.4.2/Zend/zend_builtin_functions.c hardening-patch-4.4.2-0.4.9/Zend/zend_builtin_functions.c
6610--- php-4.4.2/Zend/zend_builtin_functions.c 2006-01-01 14:46:49.000000000 +0100
6611+++ hardening-patch-4.4.2-0.4.9/Zend/zend_builtin_functions.c 2006-05-02 16:46:34.000000000 +0200
6612@@ -49,6 +49,9 @@
6613 static ZEND_FUNCTION(crash);
6614 #endif
6615 #endif
6616+#if HARDENING_PATCH_MM_PROTECT_DEBUG
6617+static ZEND_FUNCTION(heap_overflow);
6618+#endif
6619 static ZEND_FUNCTION(get_included_files);
6620 static ZEND_FUNCTION(is_subclass_of);
6621 static ZEND_FUNCTION(is_a);
6622@@ -101,6 +104,9 @@
6623 ZEND_FE(crash, NULL)
6624 #endif
6625 #endif
6626+#if HARDENING_PATCH_MM_PROTECT_DEBUG
6627+ ZEND_FE(heap_overflow, NULL)
6628+#endif
6629 ZEND_FE(get_included_files, NULL)
6630 ZEND_FALIAS(get_required_files, get_included_files, NULL)
6631 ZEND_FE(is_subclass_of, NULL)
6632@@ -805,6 +811,19 @@
6633
6634 #endif /* ZEND_DEBUG */
6635
6636+
6637+#if HARDENING_PATCH_MM_PROTECT_DEBUG
6638+ZEND_FUNCTION(heap_overflow)
6639+{
6640+ char *nowhere = emalloc(10);
6641+
6642+ memcpy(nowhere, "something1234567890", sizeof("something1234567890"));
6643+
6644+ efree(nowhere);
6645+}
6646+#endif
6647+
6648+
6649 /* {{{ proto array get_included_files(void)
6650 Returns an array with the file names that were include_once()'d */
6651 ZEND_FUNCTION(get_included_files)
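Review bot: `ZEND_FUNCTION(heap_overflow)` has no comment explaining that the 20-byte `memcpy` into a 10-byte `emalloc` block is a deliberate self-test of the trailer canary checked in `_efree`, nor the `/* {{{ proto ... */` header every other function in this file carries, so a reader skimming the file sees an unexplained out-of-bounds write. Suggest `/* {{{ proto void heap_overflow(void)` followed by `Debug helper: deliberately overruns a small emalloc() block so the MM_PROTECT canary check in efree() fires; built only with HARDENING_PATCH_MM_PROTECT_DEBUG */`. Since the function is exported to userland, it should stay behind that debug-only macro and never reach a production build.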
6652diff -Nura php-4.4.2/Zend/zend.c hardening-patch-4.4.2-0.4.9/Zend/zend.c
6653--- php-4.4.2/Zend/zend.c 2006-01-01 14:46:49.000000000 +0100
6654+++ hardening-patch-4.4.2-0.4.9/Zend/zend.c 2006-05-02 16:46:34.000000000 +0200
6655@@ -53,6 +53,12 @@
6656 ZEND_API void (*zend_unblock_interruptions)(void);
6657 ZEND_API void (*zend_ticks_function)(int ticks);
6658 ZEND_API void (*zend_error_cb)(int type, const char *error_filename, const uint error_lineno, const char *format, va_list args);
6659+#if HARDENING_PATCH
6660+ZEND_API void (*zend_security_log)(int loglevel, char *fmt, ...);
6661+#endif
6662+#if HARDENING_PATCH_INC_PROTECT
6663+ZEND_API int (*zend_is_valid_include)(zval *z);
6664+#endif
6665
6666 void (*zend_on_timeout)(int seconds TSRMLS_DC);
6667
6668@@ -70,9 +76,390 @@
6669 return SUCCESS;
6670 }
6671
6672+#if HARDENING_PATCH
6673+static ZEND_INI_MH(OnUpdateHPHP_log_syslog)
6674+{
6675+ if (!new_value) {
6676+ EG(hphp_log_syslog) = S_ALL & ~S_SQL | S_MEMORY | S_INTERNAL;
6677+ } else {
6678+ EG(hphp_log_syslog) = atoi(new_value) | S_MEMORY | S_INTERNAL;
6679+ }
6680+ return SUCCESS;
6681+}
6682+static ZEND_INI_MH(OnUpdateHPHP_log_syslog_facility)
6683+{
6684+ if (!new_value) {
6685+ EG(hphp_log_syslog_facility) = LOG_USER;
6686+ } else {
6687+ EG(hphp_log_syslog_facility) = atoi(new_value);
6688+ }
6689+ return SUCCESS;
6690+}
6691+static ZEND_INI_MH(OnUpdateHPHP_log_syslog_priority)
6692+{
6693+ if (!new_value) {
6694+ EG(hphp_log_syslog_priority) = LOG_ALERT;
6695+ } else {
6696+ EG(hphp_log_syslog_priority) = atoi(new_value);
6697+ }
6698+ return SUCCESS;
6699+}
6700+static ZEND_INI_MH(OnUpdateHPHP_log_sapi)
6701+{
6702+ if (!new_value) {
6703+ EG(hphp_log_sapi) = S_ALL & ~S_SQL | S_INTERNAL;
6704+ } else {
6705+ EG(hphp_log_sapi) = atoi(new_value) | S_INTERNAL;
6706+ }
6707+ return SUCCESS;
6708+}
6709+static ZEND_INI_MH(OnUpdateHPHP_log_script)
6710+{
6711+ if (!new_value) {
6712+ EG(hphp_log_script) = S_ALL & (~S_MEMORY) & (~S_INTERNAL);
6713+ } else {
6714+ EG(hphp_log_script) = atoi(new_value) & (~S_MEMORY) & (~S_INTERNAL);
6715+ }
6716+ return SUCCESS;
6717+}
6718+static ZEND_INI_MH(OnUpdateHPHP_log_scriptname)
6719+{
6720+ if (EG(hphp_log_scriptname)) {
6721+ pefree(EG(hphp_log_scriptname),1);
6722+ }
6723+ EG(hphp_log_scriptname) = NULL;
6724+ if (new_value) {
6725+ EG(hphp_log_scriptname) = pestrdup(new_value,1);
6726+ }
6727+ return SUCCESS;
6728+}
6729+
6730+static ZEND_INI_MH(OnUpdateHPHP_include_whitelist)
6731+{
6732+ char *s = NULL, *e, *val;
6733+ unsigned long dummy = 1;
6734+
6735+ if (!new_value) {
6736+include_whitelist_destroy:
6737+ if (HG(include_whitelist)) {
6738+ zend_hash_destroy(HG(include_whitelist));
6739+ pefree(HG(include_whitelist),1);
6740+ }
6741+ HG(include_whitelist) = NULL;
6742+ return SUCCESS;
6743+ }
6744+ if (!(*new_value)) {
6745+ goto include_whitelist_destroy;
6746+ }
6747+
6748+ HG(include_whitelist) = pemalloc(sizeof(HashTable), 1);
6749+ zend_hash_init(HG(include_whitelist), 5, NULL, NULL, 1);
6750+
6751+ val = zend_str_tolower_dup(new_value, strlen(new_value));
6752+ e = val;
6753+
6754+ while (*e) {
6755+ switch (*e) {
6756+ case ' ':
6757+ case ',':
6758+ if (s) {
6759+ *e = '\0';
6760+ zend_hash_add(HG(include_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6761+ s = NULL;
6762+ }
6763+ break;
6764+ default:
6765+ if (!s) {
6766+ s = e;
6767+ }
6768+ break;
6769+ }
6770+ e++;
6771+ }
6772+ if (s) {
6773+ zend_hash_add(HG(include_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6774+ }
6775+ efree(val);
6776+
6777+ return SUCCESS;
6778+}
6779+
6780+static ZEND_INI_MH(OnUpdateHPHP_include_blacklist)
6781+{
6782+ char *s = NULL, *e, *val;
6783+ unsigned long dummy = 1;
6784+
6785+ if (!new_value) {
6786+include_blacklist_destroy:
6787+ if (HG(include_blacklist)) {
6788+ zend_hash_destroy(HG(include_blacklist));
6789+ pefree(HG(include_blacklist),1);
6790+ }
6791+ HG(include_blacklist) = NULL;
6792+ return SUCCESS;
6793+ }
6794+ if (!(*new_value)) {
6795+ goto include_blacklist_destroy;
6796+ }
6797+
6798+ HG(include_blacklist) = pemalloc(sizeof(HashTable), 1);
6799+ zend_hash_init(HG(include_blacklist), 5, NULL, NULL, 1);
6800+
6801+ val = zend_str_tolower_dup(new_value, strlen(new_value));
6802+ e = val;
6803+
6804+ while (*e) {
6805+ switch (*e) {
6806+ case ' ':
6807+ case ',':
6808+ if (s) {
6809+ *e = '\0';
6810+ zend_hash_add(HG(include_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6811+ s = NULL;
6812+ }
6813+ break;
6814+ default:
6815+ if (!s) {
6816+ s = e;
6817+ }
6818+ break;
6819+ }
6820+ e++;
6821+ }
6822+ if (s) {
6823+ zend_hash_add(HG(include_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6824+ }
6825+ efree(val);
6826+
6827+ return SUCCESS;
6828+}
6829+
6830+static ZEND_INI_MH(OnUpdateHPHP_eval_whitelist)
6831+{
6832+ char *s = NULL, *e, *val;
6833+ unsigned long dummy = 1;
6834+
6835+ if (!new_value) {
6836+eval_whitelist_destroy:
6837+ if (HG(eval_whitelist)) {
6838+ zend_hash_destroy(HG(eval_whitelist));
6839+ pefree(HG(eval_whitelist),1);
6840+ }
6841+ HG(eval_whitelist) = NULL;
6842+ return SUCCESS;
6843+ }
6844+ if (!(*new_value)) {
6845+ goto eval_whitelist_destroy;
6846+ }
6847+
6848+ HG(eval_whitelist) = pemalloc(sizeof(HashTable), 1);
6849+ zend_hash_init(HG(eval_whitelist), 5, NULL, NULL, 1);
6850+
6851+ val = zend_str_tolower_dup(new_value, strlen(new_value));
6852+ e = val;
6853+
6854+ while (*e) {
6855+ switch (*e) {
6856+ case ' ':
6857+ case ',':
6858+ if (s) {
6859+ *e = '\0';
6860+ zend_hash_add(HG(eval_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6861+ s = NULL;
6862+ }
6863+ break;
6864+ default:
6865+ if (!s) {
6866+ s = e;
6867+ }
6868+ break;
6869+ }
6870+ e++;
6871+ }
6872+ if (s) {
6873+ zend_hash_add(HG(eval_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6874+ }
6875+ efree(val);
6876+
6877+ return SUCCESS;
6878+}
6879+
6880+static ZEND_INI_MH(OnUpdateHPHP_eval_blacklist)
6881+{
6882+ char *s = NULL, *e, *val;
6883+ unsigned long dummy = 1;
6884+
6885+ if (!new_value) {
6886+eval_blacklist_destroy:
6887+ if (HG(eval_blacklist)) {
6888+ zend_hash_destroy(HG(eval_blacklist));
6889+ pefree(HG(eval_blacklist), 1);
6890+ }
6891+ HG(eval_blacklist) = NULL;
6892+ return SUCCESS;
6893+ }
6894+ if (!(*new_value)) {
6895+ goto eval_blacklist_destroy;
6896+ }
6897+
6898+ HG(eval_blacklist) = pemalloc(sizeof(HashTable), 1);
6899+ zend_hash_init(HG(eval_blacklist), 5, NULL, NULL, 1);
6900+
6901+ val = zend_str_tolower_dup(new_value, strlen(new_value));
6902+ e = val;
6903+
6904+ while (*e) {
6905+ switch (*e) {
6906+ case ' ':
6907+ case ',':
6908+ if (s) {
6909+ *e = '\0';
6910+ zend_hash_add(HG(eval_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6911+ s = NULL;
6912+ }
6913+ break;
6914+ default:
6915+ if (!s) {
6916+ s = e;
6917+ }
6918+ break;
6919+ }
6920+ e++;
6921+ }
6922+ if (s) {
6923+ zend_hash_add(HG(eval_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6924+ }
6925+ efree(val);
6926+
6927+
6928+ return SUCCESS;
6929+}
6930+
6931+static ZEND_INI_MH(OnUpdateHPHP_func_whitelist)
6932+{
6933+ char *s = NULL, *e, *val;
6934+ unsigned long dummy = 1;
6935+
6936+ if (!new_value) {
6937+func_whitelist_destroy:
6938+ if (HG(func_whitelist)) {
6939+ zend_hash_destroy(HG(func_whitelist));
6940+ pefree(HG(func_whitelist),1);
6941+ }
6942+ HG(func_whitelist) = NULL;
6943+ return SUCCESS;
6944+ }
6945+ if (!(*new_value)) {
6946+ goto func_whitelist_destroy;
6947+ }
6948+
6949+ HG(func_whitelist) = pemalloc(sizeof(HashTable), 1);
6950+ zend_hash_init(HG(func_whitelist), 5, NULL, NULL, 1);
6951+
6952+ val = zend_str_tolower_dup(new_value, strlen(new_value));
6953+ e = val;
6954+
6955+ while (*e) {
6956+ switch (*e) {
6957+ case ' ':
6958+ case ',':
6959+ if (s) {
6960+ *e = '\0';
6961+ zend_hash_add(HG(func_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6962+ s = NULL;
6963+ }
6964+ break;
6965+ default:
6966+ if (!s) {
6967+ s = e;
6968+ }
6969+ break;
6970+ }
6971+ e++;
6972+ }
6973+ if (s) {
6974+ zend_hash_add(HG(func_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6975+ }
6976+ efree(val);
6977+
6978+ return SUCCESS;
6979+}
6980+
6981+static ZEND_INI_MH(OnUpdateHPHP_func_blacklist)
6982+{
6983+ char *s = NULL, *e, *val;
6984+ unsigned long dummy = 1;
6985+
6986+ if (!new_value) {
6987+func_blacklist_destroy:
6988+ if (HG(func_blacklist)) {
6989+ zend_hash_destroy(HG(func_blacklist));
6990+ pefree(HG(func_blacklist),1);
6991+ }
6992+ HG(func_blacklist) = NULL;
6993+ return SUCCESS;
6994+ }
6995+ if (!(*new_value)) {
6996+ goto func_blacklist_destroy;
6997+ }
6998+
6999+ HG(func_blacklist) = pemalloc(sizeof(HashTable), 1);
7000+ zend_hash_init(HG(func_blacklist), 5, NULL, NULL, 1);
7001+
7002+ val = zend_str_tolower_dup(new_value, strlen(new_value));
7003+ e = val;
7004+
7005+ while (*e) {
7006+ switch (*e) {
7007+ case ' ':
7008+ case ',':
7009+ if (s) {
7010+ *e = '\0';
7011+ zend_hash_add(HG(func_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
7012+ s = NULL;
7013+ }
7014+ break;
7015+ default:
7016+ if (!s) {
7017+ s = e;
7018+ }
7019+ break;
7020+ }
7021+ e++;
7022+ }
7023+ if (s) {
7024+ zend_hash_add(HG(func_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
7025+ }
7026+ efree(val);
7027+
7028+
7029+ return SUCCESS;
7030+}
7031+
7032+#endif
7033
7034 ZEND_INI_BEGIN()
7035 ZEND_INI_ENTRY("error_reporting", NULL, ZEND_INI_ALL, OnUpdateErrorReporting)
7036+#if HARDENING_PATCH
7037+ ZEND_INI_ENTRY("hphp.log.syslog", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_syslog)
7038+ ZEND_INI_ENTRY("hphp.log.syslog.facility", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_syslog_facility)
7039+ ZEND_INI_ENTRY("hphp.log.syslog.priority", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_syslog_priority)
7040+ ZEND_INI_ENTRY("hphp.log.sapi", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_sapi)
7041+ ZEND_INI_ENTRY("hphp.log.script", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_script)
7042+ ZEND_INI_ENTRY("hphp.log.script.name", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_scriptname)
7043+ STD_ZEND_INI_BOOLEAN("hphp.log.use-x-forwarded-for", "0", ZEND_INI_SYSTEM, OnUpdateBool, hphp_log_use_x_forwarded_for, zend_executor_globals, executor_globals)
7044+
7045+ ZEND_INI_ENTRY("hphp.executor.include.whitelist", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_include_whitelist)
7046+ ZEND_INI_ENTRY("hphp.executor.include.blacklist", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_include_blacklist)
7047+ ZEND_INI_ENTRY("hphp.executor.eval.whitelist", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateHPHP_eval_whitelist)
7048+ ZEND_INI_ENTRY("hphp.executor.eval.blacklist", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateHPHP_eval_blacklist)
7049+ ZEND_INI_ENTRY("hphp.executor.func.whitelist", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateHPHP_func_whitelist)
7050+ ZEND_INI_ENTRY("hphp.executor.func.blacklist", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateHPHP_func_blacklist)
7051+
7052+ STD_ZEND_INI_ENTRY("hphp.executor.max_depth", "0", ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateLong, hphp_executor_max_depth, zend_executor_globals, executor_globals)
7053+ STD_ZEND_INI_BOOLEAN("hphp.sql.bailout_on_error", "0", ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateBool, hphp_sql_bailout_on_error, hardened_globals_struct, hardened_globals)
7054+ STD_ZEND_INI_BOOLEAN("hphp.multiheader", "0", ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateBool, hphp_multiheader, hardened_globals_struct, hardened_globals)
7055+#endif
7056 ZEND_INI_END()
7057
7058
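Review bot: Each of the six list handlers (OnUpdateHPHP_include_whitelist through OnUpdateHPHP_func_blacklist) allocates a fresh persistent HashTable with `pemalloc` whenever `new_value` is non-empty but only destroys the previous table on the NULL/empty path, so every non-empty re-assignment leaks the old table; for the four entries registered with `ZEND_INI_PERDIR` that is a persistent leak on every request that carries a per-directory value, and if the INI layer also invokes the handler on restore (not visible here) a second one. The six bodies are identical apart from the `HG()` field, so the fix belongs in one shared static helper that releases the old table unconditionally before parsing; each handler then becomes a one-line call. `OnUpdateHPHP_log_syslog` and `OnUpdateHPHP_log_sapi` mix `&` and `|` without parentheses (`S_ALL & ~S_SQL | S_MEMORY`), which parses as intended but is a standard warning trigger; `(S_ALL & ~S_SQL) | S_MEMORY | S_INTERNAL` says it explicitly. The `atoi()` calls on INI values accept trailing junk silently; `strtol` with an end-pointer check would reject malformed settings instead of half-applying them.
```c
/* Replace *table with a fresh persistent table built from a comma/space
 * separated, case-folded name list. The previous table is always released
 * first; a NULL or empty value leaves *table NULL. */
static void hphp_update_name_table(HashTable **table, char *new_value)
{
	char *s = NULL, *e, *val;
	unsigned long dummy = 1;

	if (*table) {
		zend_hash_destroy(*table);
		pefree(*table, 1);
		*table = NULL;
	}
	if (!new_value || !*new_value) {
		return;
	}

	*table = pemalloc(sizeof(HashTable), 1);
	zend_hash_init(*table, 5, NULL, NULL, 1);

	val = zend_str_tolower_dup(new_value, strlen(new_value));
	for (e = val; *e; e++) {
		if (*e == ' ' || *e == ',') {
			if (s) {
				*e = '\0';
				zend_hash_add(*table, s, e - s + 1, &dummy, sizeof(unsigned long), NULL);
				s = NULL;
			}
		} else if (!s) {
			s = e;
		}
	}
	if (s) {
		zend_hash_add(*table, s, e - s + 1, &dummy, sizeof(unsigned long), NULL);
	}
	efree(val);
}

static ZEND_INI_MH(OnUpdateHPHP_include_whitelist)
{
	hphp_update_name_table(&HG(include_whitelist), new_value); /* assumes HG() yields an lvalue */
	return SUCCESS;
}
/* … the other five handlers become the same one-line call on their own HG() field … */
/* … unchanged: OnUpdateHPHP_log_* handlers and the ZEND_INI_BEGIN table … */
```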
7059@@ -354,8 +741,12 @@
7060 zend_init_rsrc_plist(TSRMLS_C);
7061 EG(lambda_count)=0;
7062 EG(user_error_handler) = NULL;
7063+ EG(in_code_type) = 0;
7064 EG(in_execution) = 0;
7065 EG(current_execute_data) = NULL;
7066+#if HARDENING_PATCH
7067+ EG(hphp_log_scriptname) = NULL;
7068+#endif
7069 }
7070
7071
7072@@ -420,6 +811,14 @@
7073 extern zend_scanner_globals language_scanner_globals;
7074 #endif
7075
7076+ /* Set up Hardening-Patch utility functions first */
7077+#if HARDENING_PATCH
7078+ zend_security_log = utility_functions->security_log_function;
7079+#endif
7080+#if HARDENING_PATCH_INC_PROTECT
7081+ zend_is_valid_include = utility_functions->is_valid_include;
7082+#endif
7083+
7084 #ifdef ZTS
7085 ts_allocate_id(&alloc_globals_id, sizeof(zend_alloc_globals), (ts_allocate_ctor) alloc_globals_ctor, (ts_allocate_dtor) alloc_globals_dtor);
7086 #else
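Review bot: `zend_security_log` and `zend_is_valid_include` are copied from `utility_functions` without a NULL check, so a SAPI or embedding host that leaves `security_log_function` unset turns every `zend_security_log()` call — including the ones on the heap-corruption paths in zend_alloc.c — into an indirect call through NULL. Whether every SAPI touched by this patch fills in the field I cannot tell from this hunk; a fallback such as `if (!zend_security_log) zend_security_log = hphp_security_log_noop;` (a static no-op varargs function) keeps the engine usable, or an explicit startup failure makes the omission loud. The enclosing startup function continues outside the hunk.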
7087@@ -619,6 +1018,7 @@
7088 }
7089 CG(unclean_shutdown) = 1;
7090 CG(in_compilation) = EG(in_execution) = 0;
7091+ EG(in_code_type) = 0;
7092 EG(current_execute_data) = NULL;
7093 longjmp(EG(bailout), FAILURE);
7094 }
7095diff -Nura php-4.4.2/Zend/zend_canary.c hardening-patch-4.4.2-0.4.9/Zend/zend_canary.c
7096--- php-4.4.2/Zend/zend_canary.c 1970-01-01 01:00:00.000000000 +0100
7097+++ hardening-patch-4.4.2-0.4.9/Zend/zend_canary.c 2006-05-02 16:46:34.000000000 +0200
7098@@ -0,0 +1,58 @@
7099+/*
7100+ +----------------------------------------------------------------------+
7101+ | Hardening-Patch for PHP |
7102+ +----------------------------------------------------------------------+
7103+ | Copyright (c) 2004-2005 Stefan Esser |
7104+ +----------------------------------------------------------------------+
7105+ | This source file is subject to version 2.02 of the PHP license, |
7106+ | that is bundled with this package in the file LICENSE, and is |
7107+ | available at through the world-wide-web at |
7108+ | http://www.php.net/license/2_02.txt. |
7109+ | If you did not receive a copy of the PHP license and are unable to |
7110+ | obtain it through the world-wide-web, please send a note to |
7111+ | license@php.net so we can mail you a copy immediately. |
7112+ +----------------------------------------------------------------------+
7113+ | Author: Stefan Esser <sesser@hardened-php.net> |
7114+ +----------------------------------------------------------------------+
7115+ */
7116+/* $Id: zend_canary.c,v 1.1 2004/11/26 12:45:41 ionic Exp $ */
7117+
7118+#include "zend.h"
7119+
7120+#include <stdio.h>
7121+#include <stdlib.h>
7122+
7123+
7124+#if HARDENING_PATCH_MM_PROTECT || HARDENING_PATCH_LL_PROTECT || HARDENING_PATCH_HASH_PROTECT
7125+
7126+/* will be replaced later with more compatible method */
7127+ZEND_API unsigned int zend_canary()
7128+{
7129+ time_t t;
7130+ unsigned int canary;
7131+ int fd;
7132+
7133+ fd = open("/dev/urandom", 0);
7134+ if (fd != -1) {
7135+ int r = read(fd, &canary, sizeof(canary));
7136+ close(fd);
7137+ if (r == sizeof(canary)) {
7138+ return (canary);
7139+ }
7140+ }
7141+ /* not good but we never want to do this */
7142+ time(&t);
7143+ canary = *(unsigned int *)&t + getpid() << 16;
7144+ return (canary);
7145+}
7146+#endif
7147+
7148+
7149+/*
7150+ * Local variables:
7151+ * tab-width: 4
7152+ * c-basic-offset: 4
7153+ * End:
7154+ * vim600: sw=4 ts=4 fdm=marker
7155+ * vim<600: sw=4 ts=4
7156+ */
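Review bot: The fallback `canary = *(unsigned int *)&t + getpid() << 16;` is mis-parenthesised: `+` binds tighter than `<<`, so it evaluates as `(t + getpid()) << 16` and the low 16 bits of the canary are always zero, leaving a value that is both low-entropy and largely predictable from the clock; `canary = (unsigned int)t ^ ((unsigned int)getpid() << 16);` uses every bit and also drops the strict-aliasing cast through `time_t`. `open("/dev/urandom", 0)` relies on `O_RDONLY` being 0 and should spell the flag out, and a short or interrupted `read()` currently falls straight through to the weak path instead of retrying. The definition `zend_canary()` should be `zend_canary(void)` to give it a real prototype, and since the file only includes <stdio.h> and <stdlib.h>, `open`/`read`/`close`/`getpid`/`time` depend on whatever zend.h happens to pull in — <fcntl.h>, <unistd.h> and <time.h> belong here explicitly.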
7157diff -Nura php-4.4.2/Zend/zend_compile.c hardening-patch-4.4.2-0.4.9/Zend/zend_compile.c
7158--- php-4.4.2/Zend/zend_compile.c 2006-01-01 14:46:49.000000000 +0100
7159+++ hardening-patch-4.4.2-0.4.9/Zend/zend_compile.c 2006-05-02 16:46:34.000000000 +0200
7160@@ -768,6 +768,13 @@
7161 op_array.function_name = name;
7162 op_array.arg_types = NULL;
7163 op_array.return_reference = return_reference;
7164+#if HARDENING_PATCH
7165+ if (EG(in_code_type)==ZEND_EVAL_CODE) {
7166+ op_array.created_by_eval = 1;
7167+ } else {
7168+ op_array.created_by_eval = 0;
7169+ }
7170+#endif
7171
7172 if (is_method) {
7173 if (zend_hash_add(&CG(active_class_entry)->function_table, name, name_len+1, &op_array, sizeof(zend_op_array), (void **) &CG(active_op_array)) == FAILURE) {
7174diff -Nura php-4.4.2/Zend/zend_compile.h hardening-patch-4.4.2-0.4.9/Zend/zend_compile.h
7175--- php-4.4.2/Zend/zend_compile.h 2006-01-01 14:46:49.000000000 +0100
7176+++ hardening-patch-4.4.2-0.4.9/Zend/zend_compile.h 2006-05-02 16:46:34.000000000 +0200
7177@@ -106,6 +106,9 @@
7178 char *filename;
7179
7180 void *reserved[ZEND_MAX_RESERVED_RESOURCES];
7181+#if HARDENING_PATCH
7182+ zend_bool created_by_eval;
7183+#endif
7184 };
7185
7186
7187@@ -549,6 +552,7 @@
7188 #define ZEND_USER_FUNCTION 2
7189 #define ZEND_OVERLOADED_FUNCTION 3
7190 #define ZEND_EVAL_CODE 4
7191+#define ZEND_SANDBOX_CODE 6
7192
7193 #define ZEND_INTERNAL_CLASS 1
7194 #define ZEND_USER_CLASS 2
7195diff -Nura php-4.4.2/Zend/zend_constants.c hardening-patch-4.4.2-0.4.9/Zend/zend_constants.c
7196--- php-4.4.2/Zend/zend_constants.c 2006-01-01 14:46:49.000000000 +0100
7197+++ hardening-patch-4.4.2-0.4.9/Zend/zend_constants.c 2006-05-02 16:46:34.000000000 +0200
7198@@ -111,6 +111,73 @@
7199 REGISTER_MAIN_LONG_CONSTANT("E_USER_NOTICE", E_USER_NOTICE, CONST_PERSISTENT | CONST_CS);
7200
7201 REGISTER_MAIN_LONG_CONSTANT("E_ALL", E_ALL, CONST_PERSISTENT | CONST_CS);
7202+#if HARDENING_PATCH
7203+ REGISTER_MAIN_LONG_CONSTANT("S_MEMORY", S_MEMORY, CONST_PERSISTENT | CONST_CS);
7204+ REGISTER_MAIN_LONG_CONSTANT("S_VARS", S_VARS, CONST_PERSISTENT | CONST_CS);
7205+ REGISTER_MAIN_LONG_CONSTANT("S_FILES", S_FILES, CONST_PERSISTENT | CONST_CS);
7206+ REGISTER_MAIN_LONG_CONSTANT("S_INCLUDE", S_INCLUDE, CONST_PERSISTENT | CONST_CS);
7207+ REGISTER_MAIN_LONG_CONSTANT("S_SQL", S_SQL, CONST_PERSISTENT | CONST_CS);
7208+ REGISTER_MAIN_LONG_CONSTANT("S_EXECUTOR", S_EXECUTOR, CONST_PERSISTENT | CONST_CS);
7209+ REGISTER_MAIN_LONG_CONSTANT("S_MISC", S_MISC, CONST_PERSISTENT | CONST_CS);
7210+ REGISTER_MAIN_LONG_CONSTANT("S_INTERNAL", S_INTERNAL, CONST_PERSISTENT | CONST_CS);
7211+ REGISTER_MAIN_LONG_CONSTANT("S_ALL", S_ALL, CONST_PERSISTENT | CONST_CS);
7212+
7213+ /* error levels */
7214+ REGISTER_MAIN_LONG_CONSTANT("LOG_EMERG", LOG_EMERG, CONST_CS | CONST_PERSISTENT); /* system unusable */
7215+ REGISTER_MAIN_LONG_CONSTANT("LOG_ALERT", LOG_ALERT, CONST_CS | CONST_PERSISTENT); /* immediate action required */
7216+ REGISTER_MAIN_LONG_CONSTANT("LOG_CRIT", LOG_CRIT, CONST_CS | CONST_PERSISTENT); /* critical conditions */
7217+ REGISTER_MAIN_LONG_CONSTANT("LOG_ERR", LOG_ERR, CONST_CS | CONST_PERSISTENT);
7218+ REGISTER_MAIN_LONG_CONSTANT("LOG_WARNING", LOG_WARNING, CONST_CS | CONST_PERSISTENT);
7219+ REGISTER_MAIN_LONG_CONSTANT("LOG_NOTICE", LOG_NOTICE, CONST_CS | CONST_PERSISTENT);
7220+ REGISTER_MAIN_LONG_CONSTANT("LOG_INFO", LOG_INFO, CONST_CS | CONST_PERSISTENT);
7221+ REGISTER_MAIN_LONG_CONSTANT("LOG_DEBUG", LOG_DEBUG, CONST_CS | CONST_PERSISTENT);
7222+ /* facility: type of program logging the message */
7223+ REGISTER_MAIN_LONG_CONSTANT("LOG_KERN", LOG_KERN, CONST_CS | CONST_PERSISTENT);
7224+ REGISTER_MAIN_LONG_CONSTANT("LOG_USER", LOG_USER, CONST_CS | CONST_PERSISTENT); /* generic user level */
7225+ REGISTER_MAIN_LONG_CONSTANT("LOG_MAIL", LOG_MAIL, CONST_CS | CONST_PERSISTENT); /* log to email */
7226+ REGISTER_MAIN_LONG_CONSTANT("LOG_DAEMON", LOG_DAEMON, CONST_CS | CONST_PERSISTENT); /* other system daemons */
7227+ REGISTER_MAIN_LONG_CONSTANT("LOG_AUTH", LOG_AUTH, CONST_CS | CONST_PERSISTENT);
7228+ REGISTER_MAIN_LONG_CONSTANT("LOG_SYSLOG", LOG_SYSLOG, CONST_CS | CONST_PERSISTENT);
7229+ REGISTER_MAIN_LONG_CONSTANT("LOG_LPR", LOG_LPR, CONST_CS | CONST_PERSISTENT);
7230+#ifdef LOG_NEWS
7231+ /* No LOG_NEWS on HP-UX */
7232+ REGISTER_MAIN_LONG_CONSTANT("LOG_NEWS", LOG_NEWS, CONST_CS | CONST_PERSISTENT); /* usenet new */
7233+#endif
7234+#ifdef LOG_UUCP
7235+ /* No LOG_UUCP on HP-UX */
7236+ REGISTER_MAIN_LONG_CONSTANT("LOG_UUCP", LOG_UUCP, CONST_CS | CONST_PERSISTENT);
7237+#endif
7238+#ifdef LOG_CRON
7239+ /* apparently some systems don't have this one */
7240+ REGISTER_MAIN_LONG_CONSTANT("LOG_CRON", LOG_CRON, CONST_CS | CONST_PERSISTENT);
7241+#endif
7242+#ifdef LOG_AUTHPRIV
7243+ /* AIX doesn't have LOG_AUTHPRIV */
7244+ REGISTER_MAIN_LONG_CONSTANT("LOG_AUTHPRIV", LOG_AUTHPRIV, CONST_CS | CONST_PERSISTENT);
7245+#endif
7246+#if !defined(PHP_WIN32) && !defined(NETWARE)
7247+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL0", LOG_LOCAL0, CONST_CS | CONST_PERSISTENT);
7248+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL1", LOG_LOCAL1, CONST_CS | CONST_PERSISTENT);
7249+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL2", LOG_LOCAL2, CONST_CS | CONST_PERSISTENT);
7250+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL3", LOG_LOCAL3, CONST_CS | CONST_PERSISTENT);
7251+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL4", LOG_LOCAL4, CONST_CS | CONST_PERSISTENT);
7252+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL5", LOG_LOCAL5, CONST_CS | CONST_PERSISTENT);
7253+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL6", LOG_LOCAL6, CONST_CS | CONST_PERSISTENT);
7254+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL7", LOG_LOCAL7, CONST_CS | CONST_PERSISTENT);
7255+#endif
7256+ /* options */
7257+ REGISTER_MAIN_LONG_CONSTANT("LOG_PID", LOG_PID, CONST_CS | CONST_PERSISTENT);
7258+ REGISTER_MAIN_LONG_CONSTANT("LOG_CONS", LOG_CONS, CONST_CS | CONST_PERSISTENT);
7259+ REGISTER_MAIN_LONG_CONSTANT("LOG_ODELAY", LOG_ODELAY, CONST_CS | CONST_PERSISTENT);
7260+ REGISTER_MAIN_LONG_CONSTANT("LOG_NDELAY", LOG_NDELAY, CONST_CS | CONST_PERSISTENT);
7261+#ifdef LOG_NOWAIT
7262+ REGISTER_MAIN_LONG_CONSTANT("LOG_NOWAIT", LOG_NOWAIT, CONST_CS | CONST_PERSISTENT);
7263+#endif
7264+#ifdef LOG_PERROR
7265+ /* AIX doesn't have LOG_PERROR */
7266+ REGISTER_MAIN_LONG_CONSTANT("LOG_PERROR", LOG_PERROR, CONST_CS | CONST_PERSISTENT); /*log to stderr*/
7267+#endif
7268+#endif
7269
7270 /* true/false constants */
7271 {
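Review bot: Registering the `LOG_*` syslog constants from the engine duplicates, under the same names, the registration that ext/standard's syslog module performs when it is compiled in; as far as I recall `zend_register_constant` refuses the second definition with an "already defined" notice at every startup, so the two sets need reconciling (register here only when the extension is absent, or drop this block) — which one wins I cannot confirm from this hunk. The `S_*` constants are the genuinely new part and would benefit from a one-line comment, `/* log-class bitmasks understood by the hphp.log.* settings */`. The registration function continues outside the hunk.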
7272diff -Nura php-4.4.2/Zend/zend_errors.h hardening-patch-4.4.2-0.4.9/Zend/zend_errors.h
7273--- php-4.4.2/Zend/zend_errors.h 2006-01-01 14:46:49.000000000 +0100
7274+++ hardening-patch-4.4.2-0.4.9/Zend/zend_errors.h 2006-05-02 16:46:34.000000000 +0200
7275@@ -36,5 +36,17 @@
7276 #define E_ALL (E_ERROR | E_WARNING | E_PARSE | E_NOTICE | E_CORE_ERROR | E_CORE_WARNING | E_COMPILE_ERROR | E_COMPILE_WARNING | E_USER_ERROR | E_USER_WARNING | E_USER_NOTICE)
7277 #define E_CORE (E_CORE_ERROR | E_CORE_WARNING)
7278
7279+#if HARDENING_PATCH
7280+#define S_MEMORY (1<<0L)
7281+#define S_VARS (1<<1L)
7282+#define S_FILES (1<<2L)
7283+#define S_INCLUDE (1<<3L)
7284+#define S_SQL (1<<4L)
7285+#define S_EXECUTOR (1<<5L)
7286+#define S_MISC (1<<30L)
7287+#define S_INTERNAL (1<<29L)
7288+#define S_ALL (S_MEMORY | S_VARS | S_INCLUDE | S_FILES | S_MISC | S_SQL | S_EXECUTOR)
7289+#endif
7290+
7291 #endif /* ZEND_ERRORS_H */
7292
7293diff -Nura php-4.4.2/Zend/zend_execute_API.c hardening-patch-4.4.2-0.4.9/Zend/zend_execute_API.c
7294--- php-4.4.2/Zend/zend_execute_API.c 2006-01-01 14:46:49.000000000 +0100
7295+++ hardening-patch-4.4.2-0.4.9/Zend/zend_execute_API.c 2006-05-02 16:46:34.000000000 +0200
7296@@ -142,6 +142,7 @@
7297 EG(class_table) = CG(class_table);
7298
7299 EG(in_execution) = 0;
7300+ EG(in_code_type) = 0;
7301
7302 zend_ptr_stack_init(&EG(argument_stack));
7303
7304@@ -431,12 +432,14 @@
7305 zend_execute_data execute_data;
7306
7307 /* Initialize execute_data */
7308+ memset(&execute_data, 0, sizeof(execute_data));
7309 EX(fbc) = NULL;
7310 EX(object).ptr = NULL;
7311 EX(ce) = NULL;
7312 EX(Ts) = NULL;
7313 EX(op_array) = NULL;
7314 EX(opline) = NULL;
7315+ EX(execute_depth) = 0;
7316
7317 *retval_ptr_ptr = NULL;
7318
7319@@ -494,6 +497,39 @@
7320 zval_dtor(&function_name_copy);
7321 return FAILURE;
7322 }
7323+#if HARDENING_PATCH
7324+ if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION) {
7325+ if (EG(in_code_type) == ZEND_EVAL_CODE) {
7326+ if (HG(eval_whitelist) != NULL) {
7327+ if (!zend_hash_exists(HG(eval_whitelist), function_name_copy.value.str.val, function_name_copy.value.str.len+1)) {
7328+ zend_security_log(S_EXECUTOR, "function outside of eval whitelist called: %s()", function_name_copy.value.str.val);
7329+ zval_dtor(&function_name_copy);
7330+ zend_bailout();
7331+ }
7332+ } else if (HG(eval_blacklist) != NULL) {
7333+ if (zend_hash_exists(HG(eval_blacklist), function_name_copy.value.str.val, function_name_copy.value.str.len+1)) {
7334+ zend_security_log(S_EXECUTOR, "function within eval blacklist called: %s()", function_name_copy.value.str.val);
7335+ zval_dtor(&function_name_copy);
7336+ zend_bailout();
7337+ }
7338+ }
7339+ }
7340+
7341+ if (HG(func_whitelist) != NULL) {
7342+ if (!zend_hash_exists(HG(func_whitelist), function_name_copy.value.str.val, function_name_copy.value.str.len+1)) {
7343+ zend_security_log(S_EXECUTOR, "function outside of whitelist called: %s()", function_name_copy.value.str.val);
7344+ zval_dtor(&function_name_copy);
7345+ zend_bailout();
7346+ }
7347+ } else if (HG(func_blacklist) != NULL) {
7348+ if (zend_hash_exists(HG(func_blacklist), function_name_copy.value.str.val, function_name_copy.value.str.len+1)) {
7349+ zend_security_log(S_EXECUTOR, "function within blacklist called: %s()", function_name_copy.value.str.val);
7350+ zval_dtor(&function_name_copy);
7351+ zend_bailout();
7352+ }
7353+ }
7354+ }
7355+#endif
7356 zval_dtor(&function_name_copy);
7357
7358 for (i=0; i<param_count; i++) {
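Review bot: The whitelist/blacklist block added here is repeated almost verbatim in two hunks of zend_execute.c (the ones ending at `overloaded_function_call_cont:` and at the `FREE_OP(EX(Ts), &EX(opline)->op1, EG(free_op1));` line), and the three copies do not agree on scope: this one and the third gate on `function->type == ZEND_INTERNAL_FUNCTION`, while the second gates on `active_function_table == EG(function_table)`, which also covers user-defined global functions. Factoring the checks into one helper that returns SUCCESS/FAILURE for a name and length, called as `if (zend_check_function_lists(function_name_copy.value.str.val, function_name_copy.value.str.len+1 TSRMLS_CC) == FAILURE) { zval_dtor(&function_name_copy); zend_bailout(); }`, would keep the policy identical on every call path and make any difference a deliberate choice. The name compared here is presumably the lowercased copy the preceding lookup uses, so list entries must be lowercase; the ini documentation should say so. zend_call_function's body continues outside this hunk.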
7359@@ -606,8 +642,7 @@
7360 return SUCCESS;
7361 }
7362
7363-
7364-ZEND_API int zend_eval_string(char *str, zval *retval_ptr, char *string_name TSRMLS_DC)
7365+ZEND_API int zend_eval_string_ex(char *str, zval *retval_ptr, char *string_name, int type TSRMLS_DC)
7366 {
7367 zval pv;
7368 zend_op_array *new_op_array;
7369@@ -640,6 +675,7 @@
7370 zval **original_return_value_ptr_ptr = EG(return_value_ptr_ptr);
7371 zend_op **original_opline_ptr = EG(opline_ptr);
7372
7373+ new_op_array->type = type;
7374 EG(return_value_ptr_ptr) = &local_retval_ptr;
7375 EG(active_op_array) = new_op_array;
7376 EG(no_extensions)=1;
7377@@ -673,6 +709,10 @@
7378 return retval;
7379 }
7380
7381+ZEND_API int zend_eval_string(char *str, zval *retval_ptr, char *string_name TSRMLS_DC)
7382+{
7383+ return (zend_eval_string_ex(str, retval_ptr, string_name, ZEND_EVAL_CODE TSRMLS_CC));
7384+}
7385
7386 void execute_new_code(TSRMLS_D)
7387 {
7388diff -Nura php-4.4.2/Zend/zend_execute.c hardening-patch-4.4.2-0.4.9/Zend/zend_execute.c
7389--- php-4.4.2/Zend/zend_execute.c 2006-01-01 14:46:49.000000000 +0100
7390+++ hardening-patch-4.4.2-0.4.9/Zend/zend_execute.c 2006-05-02 16:46:34.000000000 +0200
7391@@ -1042,6 +1042,7 @@
7392 zend_execute_data execute_data;
7393
7394 /* Initialize execute_data */
7395+ memset(&execute_data, 0, sizeof(execute_data));
7396 EX(fbc) = NULL;
7397 EX(ce) = NULL;
7398 EX(object).ptr = NULL;
7399@@ -1053,9 +1054,21 @@
7400 }
7401 EX(prev_execute_data) = EG(current_execute_data);
7402 EX(original_in_execution)=EG(in_execution);
7403+ EX(original_in_code_type)=EG(in_code_type);
7404
7405 EG(current_execute_data) = &execute_data;
7406
7407+#if HARDENING_PATCH
7408+ EX(execute_depth) = 0;
7409+
7410+ if ((op_array->type == ZEND_EVAL_CODE || op_array->created_by_eval) && EG(in_code_type) != ZEND_SANDBOX_CODE) {
7411+ EG(in_code_type) = ZEND_EVAL_CODE;
7412+ } else if (op_array->type == ZEND_SANDBOX_CODE) {
7413+ EG(in_code_type) = ZEND_SANDBOX_CODE;
7414+ op_array->type = ZEND_EVAL_CODE;
7415+ }
7416+#endif
7417+
7418 EG(in_execution) = 1;
7419 if (op_array->start_op) {
7420 EX(opline) = op_array->start_op;
7421@@ -1087,6 +1100,19 @@
7422 }
7423 }
7424
7425+#if HARDENING_PATCH
7426+ if (EX(prev_execute_data) == NULL) {
7427+ EX(execute_depth) = 0;
7428+ } else {
7429+ EX(execute_depth) = EX(prev_execute_data)->execute_depth + 1;
7430+ }
7431+
7432+ if (EG(hphp_executor_max_depth) > 0 && EX(execute_depth) > EG(hphp_executor_max_depth)) {
7433+ zend_security_log(S_EXECUTOR, "Maximum execution depth of %u violated", EG(hphp_executor_max_depth));
7434+ zend_bailout();
7435+ }
7436+#endif
7437+
7438 while (1) {
7439 #ifdef ZEND_WIN32
7440 if (EG(timed_out)) {
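Review bot: The format string in `zend_security_log(S_EXECUTOR, "Maximum execution depth of %u violated", EG(hphp_executor_max_depth));` does not match its argument: `hphp_executor_max_depth` is declared `long` in the zend_globals.h hunk, so `%u` is undefined behaviour on LP64 targets; use `%ld`. Nothing warns about this because the `zend_security_log` pointer declared in the zend.h hunk carries no format attribute, unlike `zend_error` a few lines below it; declaring it `extern ZEND_API void (*zend_security_log)(int loglevel, const char *fmt, ...) ZEND_ATTRIBUTE_PTR_FORMAT(printf, 2, 3);` would let the compiler catch this class of mismatch at every call site. The enclosing execute() body starts and ends outside this hunk.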
7441@@ -1634,6 +1660,36 @@
7442 if (zend_hash_find(active_function_table, function_name->value.str.val, function_name->value.str.len+1, (void **) &function)==FAILURE) {
7443 zend_error(E_ERROR, "Call to undefined function: %s()", function_name->value.str.val);
7444 }
7445+#if HARDENING_PATCH
7446+ if (active_function_table == EG(function_table)) {
7447+ if (EG(in_code_type) == ZEND_EVAL_CODE) {
7448+ if (HG(eval_whitelist) != NULL) {
7449+ if (!zend_hash_exists(HG(eval_whitelist), function_name->value.str.val, function_name->value.str.len+1)) {
7450+ zend_security_log(S_EXECUTOR, "function outside of eval whitelist called: %s()", function_name->value.str.val);
7451+ zend_bailout();
7452+ }
7453+ } else if (HG(eval_blacklist) != NULL) {
7454+ if (zend_hash_exists(HG(eval_blacklist), function_name->value.str.val, function_name->value.str.len+1)) {
7455+ zend_security_log(S_EXECUTOR, "function within eval blacklist called: %s()", function_name->value.str.val);
7456+ zend_bailout();
7457+ }
7458+ }
7459+ }
7460+
7461+ if (HG(func_whitelist) != NULL) {
7462+ if (!zend_hash_exists(HG(func_whitelist), function_name->value.str.val, function_name->value.str.len+1)) {
7463+ zend_security_log(S_EXECUTOR, "function outside of whitelist called: %s()", function_name->value.str.val);
7464+ zend_bailout();
7465+ }
7466+ } else if (HG(func_blacklist) != NULL) {
7467+ if (zend_hash_exists(HG(func_blacklist), function_name->value.str.val, function_name->value.str.len+1)) {
7468+ zend_security_log(S_EXECUTOR, "function within blacklist called: %s()", function_name->value.str.val);
7469+ zend_bailout();
7470+ }
7471+ }
7472+ }
7473+#endif
7474+
7475 zval_dtor(&tmp);
7476 EX(fbc) = function;
7477 overloaded_function_call_cont:
7478@@ -1649,6 +1705,35 @@
7479 if (zend_hash_find(EG(function_table), fname->value.str.val, fname->value.str.len+1, (void **) &EX(function_state).function)==FAILURE) {
7480 zend_error(E_ERROR, "Unknown function: %s()", fname->value.str.val);
7481 }
7482+#if HARDENING_PATCH
7483+ if (EX(function_state).function->type==ZEND_INTERNAL_FUNCTION) {
7484+ if (EG(in_code_type) == ZEND_EVAL_CODE) {
7485+ if (HG(eval_whitelist) != NULL) {
7486+ if (!zend_hash_exists(HG(eval_whitelist), fname->value.str.val, fname->value.str.len+1)) {
7487+ zend_security_log(S_EXECUTOR, "function outside of eval whitelist called: %s()", fname->value.str.val);
7488+ zend_bailout();
7489+ }
7490+ } else if (HG(eval_blacklist) != NULL) {
7491+ if (zend_hash_exists(HG(eval_blacklist), fname->value.str.val, fname->value.str.len+1)) {
7492+ zend_security_log(S_EXECUTOR, "function within eval blacklist called: %s()", fname->value.str.val);
7493+ zend_bailout();
7494+ }
7495+ }
7496+ }
7497+
7498+ if (HG(func_whitelist) != NULL) {
7499+ if (!zend_hash_exists(HG(func_whitelist), fname->value.str.val, fname->value.str.len+1)) {
7500+ zend_security_log(S_EXECUTOR, "function outside of whitelist called: %s()", fname->value.str.val);
7501+ zend_bailout();
7502+ }
7503+ } else if (HG(func_blacklist) != NULL) {
7504+ if (zend_hash_exists(HG(func_blacklist), fname->value.str.val, fname->value.str.len+1)) {
7505+ zend_security_log(S_EXECUTOR, "function within blacklist called: %s()", fname->value.str.val);
7506+ zend_bailout();
7507+ }
7508+ }
7509+ }
7510+#endif
7511 FREE_OP(EX(Ts), &EX(opline)->op1, EG(free_op1));
7512 zend_ptr_stack_n_push(&EG(arg_types_stack), 2, EX(object).ptr, EX(ce));
7513 EX(object).ptr = NULL;
7514@@ -1821,6 +1906,7 @@
7515 efree(EX(Ts));
7516 }
7517 EG(in_execution) = EX(original_in_execution);
7518+ EG(in_code_type) = EX(original_in_code_type);
7519 EG(current_execute_data) = EX(prev_execute_data);
7520 return;
7521 }
7522@@ -2210,7 +2296,12 @@
7523 int dummy = 1;
7524 zend_file_handle file_handle = {0};
7525
7526+#if HARDENING_PATCH_INC_PROTECT
7527+ if (zend_is_valid_include(inc_filename)
7528+ && zend_open(inc_filename->value.str.val, &file_handle) == SUCCESS
7529+#else
7530 if (zend_open(inc_filename->value.str.val, &file_handle) == SUCCESS
7531+#endif
7532 && ZEND_IS_VALID_FILE_HANDLE(&file_handle)) {
7533
7534 file_handle.filename = inc_filename->value.str.val;
7535@@ -2239,6 +2330,11 @@
7536 break;
7537 case ZEND_INCLUDE:
7538 case ZEND_REQUIRE:
7539+#if HARDENING_PATCH_INC_PROTECT
7540+ if (!zend_is_valid_include(inc_filename)) {
7541+ break;
7542+ }
7543+#endif
7544 new_op_array = compile_filename(EX(opline)->op2.u.constant.value.lval, inc_filename TSRMLS_CC);
7545 break;
7546 case ZEND_EVAL: {
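Review bot: For `ZEND_INCLUDE`/`ZEND_REQUIRE` the added `break` skips `compile_filename()` and leaves `new_op_array` as it was, so a rejected `require` lets the calling script carry on instead of ending the request the way an unopenable `require` does, unless `zend_is_valid_include()` (defined outside this page) bails out itself. If that helper only logs and returns 0, the require case should either call `zend_bailout()` or fall through to the normal failed-require message path so the two failure modes stay consistent. Whichever is intended, a comment such as `/* rejected include: the validator has already logged it; require must still be fatal */` would document the contract for the next reader. The surrounding switch begins outside this hunk.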
7547diff -Nura php-4.4.2/Zend/zend_execute_globals.h hardening-patch-4.4.2-0.4.9/Zend/zend_execute_globals.h
7548--- php-4.4.2/Zend/zend_execute_globals.h 2006-01-01 14:46:49.000000000 +0100
7549+++ hardening-patch-4.4.2-0.4.9/Zend/zend_execute_globals.h 2006-05-02 16:46:34.000000000 +0200
7550@@ -60,6 +60,8 @@
7551 object_info object;
7552 temp_variable *Ts;
7553 zend_bool original_in_execution;
7554+ zend_uint original_in_code_type;
7555+ zend_uint execute_depth;
7556 zend_op_array *op_array;
7557 struct _zend_execute_data *prev_execute_data;
7558 } zend_execute_data;
7559diff -Nura php-4.4.2/Zend/zend_extensions.c hardening-patch-4.4.2-0.4.9/Zend/zend_extensions.c
7560--- php-4.4.2/Zend/zend_extensions.c 2006-01-01 14:46:49.000000000 +0100
7561+++ hardening-patch-4.4.2-0.4.9/Zend/zend_extensions.c 2006-05-02 16:46:34.000000000 +0200
7562@@ -54,23 +54,44 @@
7563 return FAILURE;
7564 }
7565
7566+ /* check if module is compiled against Hardening-Patch */
7567+ if (extension_version_info->zend_extension_api_no < 1000000000) {
7568+ fprintf(stderr, "%s is not compiled with Hardening-Patch.\n"
7569+ "The Hardening-Patch version %d is installed.\n\n",
7570+ new_extension->name,
7571+ HARDENING_PATCH_ZEND_EXTENSION_API_NO);
7572+ DL_UNLOAD(handle);
7573+ return FAILURE;
7574+ }
7575+
7576+
7577+ /* check if module is compiled against correct Hardening-Patch version */
7578+ if (extension_version_info->zend_extension_api_no != HARDENING_PATCH_ZEND_EXTENSION_API_NO) {
7579+ fprintf(stderr, "%s requires Hardening-Patch version %d.\n"
7580+ "The Hardening-Patch version %d is installed.\n\n",
7581+ new_extension->name,
7582+ extension_version_info->zend_extension_api_no,
7583+ HARDENING_PATCH_ZEND_EXTENSION_API_NO);
7584+ DL_UNLOAD(handle);
7585+ return FAILURE;
7586+ }
7587
7588 /* allow extension to proclaim compatibility with any Zend version */
7589- if (extension_version_info->zend_extension_api_no != ZEND_EXTENSION_API_NO &&(!new_extension->api_no_check || new_extension->api_no_check(ZEND_EXTENSION_API_NO) != SUCCESS)) {
7590- if (extension_version_info->zend_extension_api_no > ZEND_EXTENSION_API_NO) {
7591+ if (extension_version_info->real_zend_extension_api_no != ZEND_EXTENSION_API_NO &&(!new_extension->api_no_check || new_extension->api_no_check(ZEND_EXTENSION_API_NO) != SUCCESS)) {
7592+ if (extension_version_info->real_zend_extension_api_no > ZEND_EXTENSION_API_NO) {
7593 fprintf(stderr, "%s requires Zend Engine API version %d.\n"
7594 "The Zend Engine API version %d which is installed, is outdated.\n\n",
7595 new_extension->name,
7596- extension_version_info->zend_extension_api_no,
7597+ extension_version_info->real_zend_extension_api_no,
7598 ZEND_EXTENSION_API_NO);
7599 DL_UNLOAD(handle);
7600 return FAILURE;
7601- } else if (extension_version_info->zend_extension_api_no < ZEND_EXTENSION_API_NO) {
7602+ } else if (extension_version_info->real_zend_extension_api_no < ZEND_EXTENSION_API_NO) {
7603 fprintf(stderr, "%s requires Zend Engine API version %d.\n"
7604 "The Zend Engine API version %d which is installed, is newer.\n"
7605 "Contact %s at %s for a later version of %s.\n\n",
7606 new_extension->name,
7607- extension_version_info->zend_extension_api_no,
7608+ extension_version_info->real_zend_extension_api_no,
7609 ZEND_EXTENSION_API_NO,
7610 new_extension->author,
7611 new_extension->URL,
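Review bot: The threshold in `if (extension_version_info->zend_extension_api_no < 1000000000)` is a magic number that only makes sense next to `HARDENING_PATCH_ZEND_EXTENSION_API_NO 1001050805` in the zend_extensions.h hunk; a named constant beside that definition, `#define HARDENING_PATCH_ZEND_EXTENSION_API_MIN 1000000000 /* stock date-style Zend API numbers are far below this */`, would make the intent readable. The check rejects every extension not rebuilt against the patch, which is presumably deliberate given the zval layout change in the zend.h hunk, but the message could tell operators what to do about it, e.g. append `"Rebuild the extension against the patched headers.\n"`. The enclosing function starts and ends outside this hunk.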
7612diff -Nura php-4.4.2/Zend/zend_extensions.h hardening-patch-4.4.2-0.4.9/Zend/zend_extensions.h
7613--- php-4.4.2/Zend/zend_extensions.h 2006-01-01 14:46:49.000000000 +0100
7614+++ hardening-patch-4.4.2-0.4.9/Zend/zend_extensions.h 2006-05-02 16:46:34.000000000 +0200
7615@@ -23,6 +23,9 @@
7616
7617 #include "zend_compile.h"
7618
7619+/* Create own API version number for Hardening-Patch */
7620+
7621+#define HARDENING_PATCH_ZEND_EXTENSION_API_NO 1001050805
7622 #define ZEND_EXTENSION_API_NO 20050606
7623
7624 typedef struct _zend_extension_version_info {
7625@@ -30,6 +33,7 @@
7626 char *required_zend_version;
7627 unsigned char thread_safe;
7628 unsigned char debug;
7629+ int real_zend_extension_api_no;
7630 } zend_extension_version_info;
7631
7632
7633@@ -96,7 +100,7 @@
7634
7635
7636 #define ZEND_EXTENSION() \
7637- ZEND_EXT_API zend_extension_version_info extension_version_info = { ZEND_EXTENSION_API_NO, ZEND_VERSION, ZTS_V, ZEND_DEBUG }
7638+ ZEND_EXT_API zend_extension_version_info extension_version_info = { HARDENING_PATCH_ZEND_EXTENSION_API_NO, ZEND_VERSION, ZTS_V, ZEND_DEBUG, ZEND_EXTENSION_API_NO }
7639
7640 #define STANDARD_ZEND_EXTENSION_PROPERTIES NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, -1
7641 #define COMPAT_ZEND_EXTENSION_PROPERTIES NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, -1
7642diff -Nura php-4.4.2/Zend/zend_globals.h hardening-patch-4.4.2-0.4.9/Zend/zend_globals.h
7643--- php-4.4.2/Zend/zend_globals.h 2006-01-01 14:46:49.000000000 +0100
7644+++ hardening-patch-4.4.2-0.4.9/Zend/zend_globals.h 2006-05-02 16:46:34.000000000 +0200
7645@@ -163,6 +163,16 @@
7646
7647 int error_reporting;
7648 int orig_error_reporting;
7649+#if HARDENING_PATCH
7650+ int hphp_log_syslog;
7651+ int hphp_log_syslog_facility;
7652+ int hphp_log_syslog_priority;
7653+ int hphp_log_sapi;
7654+ int hphp_log_script;
7655+ char *hphp_log_scriptname;
7656+ zend_bool hphp_log_use_x_forwarded_for;
7657+ long hphp_executor_max_depth;
7658+#endif
7659 int exit_status;
7660
7661 zend_op_array *active_op_array;
7662@@ -176,6 +186,7 @@
7663 int ticks_count;
7664
7665 zend_bool in_execution;
7666+ zend_uint in_code_type;
7667 zend_bool bailout_set;
7668 zend_bool full_tables_cleanup;
7669
7670diff -Nura php-4.4.2/Zend/zend.h hardening-patch-4.4.2-0.4.9/Zend/zend.h
7671--- php-4.4.2/Zend/zend.h 2006-01-01 14:46:49.000000000 +0100
7672+++ hardening-patch-4.4.2-0.4.9/Zend/zend.h 2006-05-02 16:46:34.000000000 +0200
7673@@ -274,9 +274,10 @@
7674 struct _zval_struct {
7675 /* Variable information */
7676 zvalue_value value; /* value */
7677+ zend_uint refcount;
7678+ zend_ushort flags;
7679 zend_uchar type; /* active type */
7680 zend_uchar is_ref;
7681- zend_ushort refcount;
7682 };
7683
7684
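Review bot: The reordering of `struct _zval_struct` is undocumented: `refcount` is widened from `zend_ushort` to `zend_uint` and a `flags` field is introduced, which changes the layout every compiled extension depends on. A short comment on the new members would record why, e.g. `zend_uint refcount; /* widened from 16 bits, presumably so a heavily shared value cannot wrap its count; see HARDENING_PATCH_ZEND_EXTENSION_API_NO for the ABI gate */` — the motive is inferred from the patch, so confirm the wording against its notes. `flags` gets no use on this page, so its meaning should be stated next to it or it should be marked reserved.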
7685@@ -337,6 +338,12 @@
7686 void (*ticks_function)(int ticks);
7687 void (*on_timeout)(int seconds TSRMLS_DC);
7688 zend_bool (*open_function)(const char *filename, struct _zend_file_handle *);
7689+#if HARDENING_PATCH
7690+ void (*security_log_function)(int loglevel, char *fmt, ...);
7691+#endif
7692+#if HARDENING_PATCH_INC_PROTECT
7693+ int (*is_valid_include)(zval *z);
7694+#endif
7695 } zend_utility_functions;
7696
7697
7698@@ -468,7 +475,16 @@
7699 extern ZEND_API void (*zend_ticks_function)(int ticks);
7700 extern ZEND_API void (*zend_error_cb)(int type, const char *error_filename, const uint error_lineno, const char *format, va_list args) ZEND_ATTRIBUTE_PTR_FORMAT(printf, 4, 0);
7701 extern void (*zend_on_timeout)(int seconds TSRMLS_DC);
7702+#if HARDENING_PATCH
7703+extern ZEND_API void (*zend_security_log)(int loglevel, char *fmt, ...);
7704+#endif
7705+#if HARDENING_PATCH_INC_PROTECT
7706+extern ZEND_API int (*zend_is_valid_include)(zval *z);
7707+#endif
7708
7709+#if HARDENING_PATCH_MM_PROTECT || HARDENING_PATCH_LL_PROTECT || HARDENING_PATCH_HASH_PROTECT
7710+ZEND_API unsigned int zend_canary(void);
7711+#endif
7712
7713 ZEND_API void zend_error(int type, const char *format, ...) ZEND_ATTRIBUTE_PTR_FORMAT(printf, 2, 3);
7714
7715@@ -575,6 +591,11 @@
7716
7717 #define ZEND_MAX_RESERVED_RESOURCES 4
7718
7719+#if HARDENING_PATCH
7720+#include "hardened_globals.h"
7721+#include "php_syslog.h"
7722+#endif
7723+
7724 #endif /* ZEND_H */
7725
7726 /*
7727diff -Nura php-4.4.2/Zend/zend_hash.c hardening-patch-4.4.2-0.4.9/Zend/zend_hash.c
7728--- php-4.4.2/Zend/zend_hash.c 2006-01-01 14:46:49.000000000 +0100
7729+++ hardening-patch-4.4.2-0.4.9/Zend/zend_hash.c 2006-05-02 16:47:25.000000000 +0200
7730@@ -26,6 +26,17 @@
7731 # include <stdlib.h>
7732 #endif
7733
7734+#if HARDENING_PATCH_HASH_PROTECT
7735+ unsigned int zend_hash_canary = 0x1234567;
7736+ zend_bool zend_hash_canary_inited = 0;
7737+#endif
7738+
7739+#define CHECK_HASH_CANARY(hash) \
7740+ if (zend_hash_canary != (hash)->canary) { \
7741+ zend_security_log(S_MEMORY, "Zend HashTable canary was overwritten"); \
7742+ exit(1); \
7743+ }
7744+
7745 #define HANDLE_NUMERIC(key, length, func) { \
7746 register char *tmp=key; \
7747 \
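Review bot: `CHECK_HASH_CANARY(hash)` expands to a bare `if` statement rather than a `do { ... } while (0)` block, so an invocation under an unbraced `if`/`else` would bind the `else` to the macro's own `if`; the `;`-terminated call sites on this page are fine, but the macro should be wrapped. Every use on this page also sits immediately before an `ht->pDestructor` call, so tables without a destructor and the lookup/insert paths are never verified; if that coverage is intentional, a comment such as `/* verified only before user-supplied destructors run, where a corrupted table is most dangerous */` would stop the next reader from assuming broader protection. `zend_hash_canary` is further initialised lazily on the first `_zend_hash_init` without synchronisation, which is fine if that always happens during single-threaded startup and is worth a comment saying so.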
7748@@ -175,6 +186,9 @@
7749 {
7750 uint i = 3;
7751 Bucket **tmp;
7752+#if HARDENING_PATCH_HASH_PROTECT
7753+ TSRMLS_FETCH();
7754+#endif
7755
7756 SET_INCONSISTENT(HT_OK);
7757
7758@@ -184,6 +198,13 @@
7759
7760 ht->nTableSize = 1 << i;
7761 ht->nTableMask = ht->nTableSize - 1;
7762+#if HARDENING_PATCH_HASH_PROTECT
7763+ if (zend_hash_canary_inited==0) {
7764+ zend_hash_canary = zend_canary();
7765+ zend_hash_canary_inited = 1;
7766+ }
7767+ ht->canary = zend_hash_canary;
7768+#endif
7769 ht->pDestructor = pDestructor;
7770 ht->pListHead = NULL;
7771 ht->pListTail = NULL;
7772@@ -259,6 +280,9 @@
7773 }
7774 #endif
7775 if (ht->pDestructor) {
7776+#if HARDENING_PATCH_HASH_PROTECT
7777+ CHECK_HASH_CANARY(ht);
7778+#endif
7779 ht->pDestructor(p->pData);
7780 }
7781 UPDATE_DATA(ht, p, pData, nDataSize);
7782@@ -327,6 +351,9 @@
7783 }
7784 #endif
7785 if (ht->pDestructor) {
7786+#if HARDENING_PATCH_HASH_PROTECT
7787+ CHECK_HASH_CANARY(ht);
7788+#endif
7789 ht->pDestructor(p->pData);
7790 }
7791 UPDATE_DATA(ht, p, pData, nDataSize);
7792@@ -402,6 +429,9 @@
7793 }
7794 #endif
7795 if (ht->pDestructor) {
7796+#if HARDENING_PATCH_HASH_PROTECT
7797+ CHECK_HASH_CANARY(ht);
7798+#endif
7799 ht->pDestructor(p->pData);
7800 }
7801 UPDATE_DATA(ht, p, pData, nDataSize);
7802@@ -450,7 +480,7 @@
7803 IS_CONSISTENT(ht);
7804
7805 if ((ht->nTableSize << 1) > 0) { /* Let's double the table size */
7806- t = (Bucket **) perealloc_recoverable(ht->arBuckets, (ht->nTableSize << 1) * sizeof(Bucket *), ht->persistent);
7807+ t = (Bucket **) perealloc(ht->arBuckets, (ht->nTableSize << 1) * sizeof(Bucket *), ht->persistent);
7808 if (t) {
7809 HANDLE_BLOCK_INTERRUPTIONS();
7810 ht->arBuckets = t;
7811@@ -460,6 +490,7 @@
7812 HANDLE_UNBLOCK_INTERRUPTIONS();
7813 return SUCCESS;
7814 }
7815+ zend_error(E_ERROR, "zend_hash_do_resize - out of memory");
7816 return FAILURE;
7817 }
7818 return SUCCESS;
7819@@ -491,15 +522,17 @@
7820 IS_CONSISTENT(ht);
7821
7822 if (flag == HASH_DEL_KEY) {
7823- HANDLE_NUMERIC(arKey, nKeyLength, zend_hash_del_key_or_index(ht, arKey, nKeyLength, idx, HASH_DEL_INDEX));
7824+ HANDLE_NUMERIC(arKey, nKeyLength, zend_hash_del_key_or_index(ht, NULL, 0, idx, HASH_DEL_INDEX));
7825 h = zend_inline_hash_func(arKey, nKeyLength);
7826 }
7827 nIndex = h & ht->nTableMask;
7828
7829 p = ht->arBuckets[nIndex];
7830 while (p != NULL) {
7831- if ((p->h == h) && ((p->nKeyLength == 0) || /* Numeric index */
7832- ((p->nKeyLength == nKeyLength) && (!memcmp(p->arKey, arKey, nKeyLength))))) {
7833+ if ((p->h == h)
7834+ && (p->nKeyLength == nKeyLength)
7835+ && ((p->nKeyLength == 0) /* Numeric index (short circuits the memcmp() check) */
7836+ || !memcmp(p->arKey, arKey, nKeyLength))) { /* String index */
7837 HANDLE_BLOCK_INTERRUPTIONS();
7838 if (p == ht->arBuckets[nIndex]) {
7839 ht->arBuckets[nIndex] = p->pNext;
7840@@ -524,6 +557,9 @@
7841 ht->pInternalPointer = p->pListNext;
7842 }
7843 if (ht->pDestructor) {
7844+#if HARDENING_PATCH_HASH_PROTECT
7845+ CHECK_HASH_CANARY(ht);
7846+#endif
7847 ht->pDestructor(p->pData);
7848 }
7849 if (!p->pDataPtr) {
7850@@ -553,6 +589,9 @@
7851 q = p;
7852 p = p->pListNext;
7853 if (ht->pDestructor) {
7854+#if HARDENING_PATCH_HASH_PROTECT
7855+ CHECK_HASH_CANARY(ht);
7856+#endif
7857 ht->pDestructor(q->pData);
7858 }
7859 if (!q->pDataPtr && q->pData) {
7860@@ -579,6 +618,9 @@
7861 q = p;
7862 p = p->pListNext;
7863 if (ht->pDestructor) {
7864+#if HARDENING_PATCH_HASH_PROTECT
7865+ CHECK_HASH_CANARY(ht);
7866+#endif
7867 ht->pDestructor(q->pData);
7868 }
7869 if (!q->pDataPtr && q->pData) {
7870@@ -608,6 +650,9 @@
7871 HANDLE_BLOCK_INTERRUPTIONS();
7872
7873 if (ht->pDestructor) {
7874+#if HARDENING_PATCH_HASH_PROTECT
7875+ CHECK_HASH_CANARY(ht);
7876+#endif
7877 ht->pDestructor(p->pData);
7878 }
7879 if (!p->pDataPtr) {
7880diff -Nura php-4.4.2/Zend/zend_hash.h hardening-patch-4.4.2-0.4.9/Zend/zend_hash.h
7881--- php-4.4.2/Zend/zend_hash.h 2006-01-01 14:46:49.000000000 +0100
7882+++ hardening-patch-4.4.2-0.4.9/Zend/zend_hash.h 2006-05-02 16:46:34.000000000 +0200
7883@@ -54,6 +54,9 @@
7884 } Bucket;
7885
7886 typedef struct _hashtable {
7887+#if HARDENING_PATCH_HASH_PROTECT
7888+ unsigned int canary;
7889+#endif
7890 uint nTableSize;
7891 uint nTableMask;
7892 uint nNumOfElements;
7893diff -Nura php-4.4.2/Zend/zend_ini.h hardening-patch-4.4.2-0.4.9/Zend/zend_ini.h
7894--- php-4.4.2/Zend/zend_ini.h 2005-01-09 18:00:16.000000000 +0100
7895+++ hardening-patch-4.4.2-0.4.9/Zend/zend_ini.h 2006-05-02 16:46:34.000000000 +0200
7896@@ -174,6 +174,7 @@
7897 /* Standard message handlers */
7898 BEGIN_EXTERN_C()
7899 ZEND_API ZEND_INI_MH(OnUpdateBool);
7900+#define OnUpdateLong OnUpdateInt
7901 ZEND_API ZEND_INI_MH(OnUpdateInt);
7902 ZEND_API ZEND_INI_MH(OnUpdateReal);
7903 ZEND_API ZEND_INI_MH(OnUpdateString);
7904diff -Nura php-4.4.2/Zend/zend_language_scanner.l hardening-patch-4.4.2-0.4.9/Zend/zend_language_scanner.l
7905--- php-4.4.2/Zend/zend_language_scanner.l 2006-01-01 14:46:49.000000000 +0100
7906+++ hardening-patch-4.4.2-0.4.9/Zend/zend_language_scanner.l 2006-05-02 16:46:34.000000000 +0200
7907@@ -393,6 +393,13 @@
7908 compilation_successful=0;
7909 } else {
7910 init_op_array(op_array, ZEND_USER_FUNCTION, INITIAL_OP_ARRAY_SIZE TSRMLS_CC);
7911+#if HARDENING_PATCH
7912+ if (EG(in_code_type)==ZEND_EVAL_CODE) {
7913+ op_array->created_by_eval = 1;
7914+ } else {
7915+ op_array->created_by_eval = 0;
7916+ }
7917+#endif
7918 CG(in_compilation) = 1;
7919 CG(active_op_array) = op_array;
7920 compiler_result = zendparse(TSRMLS_C);
7921diff -Nura php-4.4.2/Zend/zend_language_scanner.c hardening-patch-4.4.2-0.4.9/Zend/zend_language_scanner.c
7922--- php-4.4.2/Zend/zend_language_scanner.c 2006-01-12 19:24:28.000000000 +0100
7923+++ hardening-patch-4.4.2-0.4.9/Zend/zend_language_scanner.c 2006-05-02 16:46:34.000000000 +0200
7924@@ -3036,6 +3036,13 @@
7925 compilation_successful=0;
7926 } else {
7927 init_op_array(op_array, ZEND_USER_FUNCTION, INITIAL_OP_ARRAY_SIZE TSRMLS_CC);
7928+#if HARDENING_PATCH
7929+ if (EG(in_code_type)==ZEND_EVAL_CODE) {
7930+ op_array->created_by_eval = 1;
7931+ } else {
7932+ op_array->created_by_eval = 0;
7933+ }
7934+#endif
7935 CG(in_compilation) = 1;
7936 CG(active_op_array) = op_array;
7937 compiler_result = zendparse(TSRMLS_C);
7938diff -Nura php-4.4.2/Zend/zend_llist.c hardening-patch-4.4.2-0.4.9/Zend/zend_llist.c
7939--- php-4.4.2/Zend/zend_llist.c 2006-01-01 14:46:49.000000000 +0100
7940+++ hardening-patch-4.4.2-0.4.9/Zend/zend_llist.c 2006-05-02 16:46:34.000000000 +0200
7941@@ -21,9 +21,49 @@
7942 #include "zend.h"
7943 #include "zend_llist.h"
7944 #include "zend_qsort.h"
7945+#include "zend_globals.h"
7946+
7947+#if HARDENING_PATCH_LL_PROTECT
7948+ unsigned int zend_llist_canary_1 = 0x1234567;
7949+ unsigned int zend_llist_canary_2 = 0x1553425;
7950+ zend_bool zend_llist_canary_inited = 0;
7951+#endif
7952+
7953+#define CHECK_LIST_CANARY(list) \
7954+ if (((list)->persistent && (zend_llist_canary_1 != (list)->canary_h || zend_llist_canary_2 != (list)->canary_t)) \
7955+ ||(!(list)->persistent && (HG(canary_3) != (list)->canary_h || HG(canary_4) != (list)->canary_t))) { \
7956+ zend_security_log(S_MEMORY, "linked list canary was overwritten"); \
7957+ exit(1); \
7958+ }
7959+
7960+#define CHECK_LISTELEMENT_CANARY(elem, list) \
7961+ if (((list)->persistent && zend_llist_canary_1 != (elem)->canary)||(!(list)->persistent && HG(canary_3) != (elem)->canary)) { \
7962+ zend_security_log(S_MEMORY, "linked list element canary was overwritten"); \
7963+ exit(1); \
7964+ }
7965+
7966
7967 ZEND_API void zend_llist_init(zend_llist *l, size_t size, llist_dtor_func_t dtor, unsigned char persistent)
7968 {
7969+#if HARDENING_PATCH_LL_PROTECT
7970+ TSRMLS_FETCH();
7971+
7972+ if (persistent) {
7973+ if (!zend_llist_canary_inited) {
7974+ /* do not change order to ensure thread safety */
7975+ zend_llist_canary_1 = zend_canary();
7976+ zend_llist_canary_2 = zend_canary();
7977+ zend_llist_canary_inited = 1;
7978+ }
7979+ } else
7980+ if (!HG(ll_canary_inited)) {
7981+ HG(canary_3) = zend_canary();
7982+ HG(canary_4) = zend_canary();
7983+ HG(ll_canary_inited) = 1;
7984+ }
7985+ l->canary_h = persistent ? zend_llist_canary_1 : HG(canary_3);
7986+ l->canary_t = persistent ? zend_llist_canary_2 : HG(canary_4);
7987+#endif
7988 l->head = NULL;
7989 l->tail = NULL;
7990 l->count = 0;
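Review bot: The comment `/* do not change order to ensure thread safety */` promises more than the code delivers: two threads entering `zend_llist_init` for a persistent list before `zend_llist_canary_inited` is set can both call `zend_canary()`, and a list stamped with the first pair of values would then fail `CHECK_LIST_CANARY` and `exit(1)`. If persistent lists are only ever initialised during single-threaded module startup, say that in place of the thread-safety claim, `/* persistent canaries are assigned once during startup, before any worker thread exists */`; otherwise the initialisation needs a lock or should happen at startup rather than on first use. As with `CHECK_HASH_CANARY` in zend_hash.c, both macros here are bare `if` statements and should be `do { ... } while (0)` wrapped, especially since the call sites omit the trailing `;`.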
7991@@ -37,6 +77,11 @@
7992 {
7993 zend_llist_element *tmp = pemalloc(sizeof(zend_llist_element)+l->size-1, l->persistent);
7994
7995+#if HARDENING_PATCH_LL_PROTECT
7996+ TSRMLS_FETCH();
7997+ CHECK_LIST_CANARY(l)
7998+ tmp->canary = l->persistent ? zend_llist_canary_1 : HG(canary_3);
7999+#endif
8000 tmp->prev = l->tail;
8001 tmp->next = NULL;
8002 if (l->tail) {
8003@@ -55,6 +100,11 @@
8004 {
8005 zend_llist_element *tmp = pemalloc(sizeof(zend_llist_element)+l->size-1, l->persistent);
8006
8007+#if HARDENING_PATCH_LL_PROTECT
8008+ TSRMLS_FETCH();
8009+ CHECK_LIST_CANARY(l)
8010+ tmp->canary = l->persistent ? zend_llist_canary_1 : HG(canary_3);
8011+#endif
8012 tmp->next = l->head;
8013 tmp->prev = NULL;
8014 if (l->head) {
8015@@ -91,10 +141,20 @@
8016 zend_llist_element *current=l->head;
8017 zend_llist_element *next;
8018
8019+#if HARDENING_PATCH_LL_PROTECT
8020+ TSRMLS_FETCH();
8021+ CHECK_LIST_CANARY(l)
8022+#endif
8023 while (current) {
8024+#if HARDENING_PATCH_LL_PROTECT
8025+ CHECK_LISTELEMENT_CANARY(current, l)
8026+#endif
8027 next = current->next;
8028 if (compare(current->data, element)) {
8029 DEL_LLIST_ELEMENT(current, l);
8030+#if HARDENING_PATCH_LL_PROTECT
8031+ current->canary = 0;
8032+#endif
8033 break;
8034 }
8035 current = next;
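Review bot: `current->canary = 0;` executes after `DEL_LLIST_ELEMENT(current, l)`, and if that macro releases the element with `pefree()` as its upstream definition does (it is not on this page, so confirm), the store is a write after free that scribbles on an allocator-owned block — the opposite of what the canary is meant to catch. The same pattern appears in the `zend_llist_apply_with_del` hunk (`element->canary = 0;` after `DEL_LLIST_ELEMENT(element, l);`). Clearing the canary before the delete macro, `current->canary = 0; DEL_LLIST_ELEMENT(current, l);`, keeps the intent without touching freed memory; alternatively drop the clear, since the element is no longer reachable through the list once unlinked.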
8036@@ -106,7 +166,14 @@
8037 {
8038 zend_llist_element *current=l->head, *next;
8039
8040+#if HARDENING_PATCH_LL_PROTECT
8041+ TSRMLS_FETCH();
8042+ CHECK_LIST_CANARY(l)
8043+#endif
8044 while (current) {
8045+#if HARDENING_PATCH_LL_PROTECT
8046+ CHECK_LISTELEMENT_CANARY(current, l)
8047+#endif
8048 next = current->next;
8049 if (l->dtor) {
8050 l->dtor(current->data);
8051@@ -131,7 +198,14 @@
8052 zend_llist_element *old_tail;
8053 void *data;
8054
8055+#if HARDENING_PATCH_LL_PROTECT
8056+ TSRMLS_FETCH();
8057+ CHECK_LIST_CANARY(l)
8058+#endif
8059 if ((old_tail = l->tail)) {
8060+#if HARDENING_PATCH_LL_PROTECT
8061+ CHECK_LISTELEMENT_CANARY(old_tail, l)
8062+#endif
8063 if (l->tail->prev) {
8064 l->tail->prev->next = NULL;
8065 }
8066@@ -157,9 +231,16 @@
8067 {
8068 zend_llist_element *ptr;
8069
8070+#if HARDENING_PATCH_LL_PROTECT
8071+ TSRMLS_FETCH();
8072+ CHECK_LIST_CANARY(src)
8073+#endif
8074 zend_llist_init(dst, src->size, src->dtor, src->persistent);
8075 ptr = src->head;
8076 while (ptr) {
8077+#if HARDENING_PATCH_LL_PROTECT
8078+ CHECK_LISTELEMENT_CANARY(ptr, src)
8079+#endif
8080 zend_llist_add_element(dst, ptr->data);
8081 ptr = ptr->next;
8082 }
8083@@ -170,11 +251,21 @@
8084 {
8085 zend_llist_element *element, *next;
8086
8087+#if HARDENING_PATCH_LL_PROTECT
8088+ TSRMLS_FETCH();
8089+ CHECK_LIST_CANARY(l)
8090+#endif
8091 element=l->head;
8092 while (element) {
8093+#if HARDENING_PATCH_LL_PROTECT
8094+ CHECK_LISTELEMENT_CANARY(element, l)
8095+#endif
8096 next = element->next;
8097 if (func(element->data)) {
8098 DEL_LLIST_ELEMENT(element, l);
8099+#if HARDENING_PATCH_LL_PROTECT
8100+ element->canary = 0;
8101+#endif
8102 }
8103 element = next;
8104 }
8105@@ -185,7 +276,13 @@
8106 {
8107 zend_llist_element *element;
8108
8109+#if HARDENING_PATCH_LL_PROTECT
8110+ CHECK_LIST_CANARY(l)
8111+#endif
8112 for (element=l->head; element; element=element->next) {
8113+#if HARDENING_PATCH_LL_PROTECT
8114+ CHECK_LISTELEMENT_CANARY(element, l)
8115+#endif
8116 func(element->data TSRMLS_CC);
8117 }
8118 }
8119@@ -197,6 +294,9 @@
8120 zend_llist_element **elements;
8121 zend_llist_element *element, **ptr;
8122
8123+#if HARDENING_PATCH_LL_PROTECT
8124+ CHECK_LIST_CANARY(l)
8125+#endif
8126 if (l->count <= 0) {
8127 return;
8128 }
8129@@ -206,6 +306,9 @@
8130 ptr = &elements[0];
8131
8132 for (element=l->head; element; element=element->next) {
8133+#if HARDENING_PATCH_LL_PROTECT
8134+ CHECK_LISTELEMENT_CANARY(element, l)
8135+#endif
8136 *ptr++ = element;
8137 }
8138
8139@@ -228,7 +331,13 @@
8140 {
8141 zend_llist_element *element;
8142
8143+#if HARDENING_PATCH_LL_PROTECT
8144+ CHECK_LIST_CANARY(l)
8145+#endif
8146 for (element=l->head; element; element=element->next) {
8147+#if HARDENING_PATCH_LL_PROTECT
8148+ CHECK_LISTELEMENT_CANARY(element, l)
8149+#endif
8150 func(element->data, arg TSRMLS_CC);
8151 }
8152 }
8153@@ -239,8 +348,14 @@
8154 zend_llist_element *element;
8155 va_list args;
8156
8157+#if HARDENING_PATCH_LL_PROTECT
8158+ CHECK_LIST_CANARY(l)
8159+#endif
8160 va_start(args, num_args);
8161 for (element=l->head; element; element=element->next) {
8162+#if HARDENING_PATCH_LL_PROTECT
8163+ CHECK_LISTELEMENT_CANARY(element, l)
8164+#endif
8165 func(element->data, num_args, args TSRMLS_CC);
8166 }
8167 va_end(args);
8168@@ -249,6 +364,10 @@
8169
8170 ZEND_API int zend_llist_count(zend_llist *l)
8171 {
8172+#if HARDENING_PATCH_LL_PROTECT
8173+ TSRMLS_FETCH();
8174+ CHECK_LIST_CANARY(l)
8175+#endif
8176 return l->count;
8177 }
8178
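Review bot: `TSRMLS_FETCH()` is introduced into zend_llist_count here, and into the get_first/get_last/get_next/get_prev hunks that follow, apparently only so the canary macros can run; in ZTS builds that is a thread-local-storage lookup on every call to accessors that previously did a single field read. The cost may well be acceptable for an opt-in hardening feature, but a comment should say why the fetch exists, e.g. `/* tsrm_ls is needed only by CHECK_LIST_CANARY's error path */` — confirm against the macro definition, which is outside this hunk. If the macros do not actually reference tsrm_ls, the fetch can be dropped from all five functions.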
8179@@ -256,8 +375,15 @@
8180 {
8181 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
8182
8183+#if HARDENING_PATCH_LL_PROTECT
8184+ TSRMLS_FETCH();
8185+ CHECK_LIST_CANARY(l)
8186+#endif
8187 *current = l->head;
8188 if (*current) {
8189+#if HARDENING_PATCH_LL_PROTECT
8190+ CHECK_LISTELEMENT_CANARY(*current, l)
8191+#endif
8192 return (*current)->data;
8193 } else {
8194 return NULL;
8195@@ -269,8 +395,15 @@
8196 {
8197 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
8198
8199+#if HARDENING_PATCH_LL_PROTECT
8200+ TSRMLS_FETCH();
8201+ CHECK_LIST_CANARY(l)
8202+#endif
8203 *current = l->tail;
8204 if (*current) {
8205+#if HARDENING_PATCH_LL_PROTECT
8206+ CHECK_LISTELEMENT_CANARY(*current, l)
8207+#endif
8208 return (*current)->data;
8209 } else {
8210 return NULL;
8211@@ -282,9 +415,19 @@
8212 {
8213 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
8214
8215+#if HARDENING_PATCH_LL_PROTECT
8216+ TSRMLS_FETCH();
8217+ CHECK_LIST_CANARY(l)
8218+#endif
8219 if (*current) {
8220+#if HARDENING_PATCH_LL_PROTECT
8221+ CHECK_LISTELEMENT_CANARY(*current, l)
8222+#endif
8223 *current = (*current)->next;
8224 if (*current) {
8225+#if HARDENING_PATCH_LL_PROTECT
8226+ CHECK_LISTELEMENT_CANARY(*current, l)
8227+#endif
8228 return (*current)->data;
8229 }
8230 }
8231@@ -296,9 +439,19 @@
8232 {
8233 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
8234
8235+#if HARDENING_PATCH_LL_PROTECT
8236+ TSRMLS_FETCH();
8237+ CHECK_LIST_CANARY(l)
8238+#endif
8239 if (*current) {
8240+#if HARDENING_PATCH_LL_PROTECT
8241+ CHECK_LISTELEMENT_CANARY(*current, l)
8242+#endif
8243 *current = (*current)->prev;
8244 if (*current) {
8245+#if HARDENING_PATCH_LL_PROTECT
8246+ CHECK_LISTELEMENT_CANARY(*current, l)
8247+#endif
8248 return (*current)->data;
8249 }
8250 }
8251diff -Nura php-4.4.2/Zend/zend_llist.h hardening-patch-4.4.2-0.4.9/Zend/zend_llist.h
8252--- php-4.4.2/Zend/zend_llist.h 2006-01-01 14:46:49.000000000 +0100
8253+++ hardening-patch-4.4.2-0.4.9/Zend/zend_llist.h 2006-05-02 16:46:34.000000000 +0200
8254@@ -24,6 +24,9 @@
8255 #include <stdlib.h>
8256
8257 typedef struct _zend_llist_element {
8258+#if HARDENING_PATCH_LL_PROTECT
8259+ unsigned int canary, padding;
8260+#endif
8261 struct _zend_llist_element *next;
8262 struct _zend_llist_element *prev;
8263 char data[1]; /* Needs to always be last in the struct */
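Review bot: `unsigned int canary, padding;` adds a second field whose purpose is not stated anywhere (presumably to keep the element header the same size and `next`/`prev`/`data[]` at the same alignment on 32- and 64-bit targets); a later editor may delete it as dead, so spell it out: `unsigned int canary, padding; /* padding keeps next/prev and data[] aligned identically on 32/64-bit */`. The same applies to `canary_h` and `canary_t` in the two zend_llist.h hunks that follow: `/* head */` and `/* tail */` do not convey that they are placed first and last deliberately so that a linear overwrite entering the struct from either side hits a canary before it reaches the pointers. Where the canary values come from and which function initialises them is outside these hunks, and a pointer to that (e.g. `/* set in zend_llist_init, verified by CHECK_LIST_CANARY */`) would help the next reader.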
8264@@ -36,6 +39,9 @@
8265 typedef void (*llist_apply_func_t)(void * TSRMLS_DC);
8266
8267 typedef struct _zend_llist {
8268+#if HARDENING_PATCH_LL_PROTECT
8269+ unsigned int canary_h; /* head */
8270+#endif
8271 zend_llist_element *head;
8272 zend_llist_element *tail;
8273 size_t size;
8274@@ -43,6 +49,9 @@
8275 llist_dtor_func_t dtor;
8276 unsigned char persistent;
8277 zend_llist_element *traverse_ptr;
8278+#if HARDENING_PATCH_LL_PROTECT
8279+ unsigned int canary_t; /* tail */
8280+#endif
8281 } zend_llist;
8282
8283 typedef zend_llist_element* zend_llist_position;
8284diff -Nura php-4.4.2/Zend/zend_modules.h hardening-patch-4.4.2-0.4.9/Zend/zend_modules.h
8285--- php-4.4.2/Zend/zend_modules.h 2006-01-01 14:46:49.000000000 +0100
8286+++ hardening-patch-4.4.2-0.4.9/Zend/zend_modules.h 2006-05-02 16:46:34.000000000 +0200
8287@@ -34,6 +34,7 @@
8288 ZEND_API extern unsigned char second_arg_force_ref[];
8289 ZEND_API extern unsigned char third_arg_force_ref[];
8290
8291+#define HARDENING_PATCH_ZEND_MODULE_API_NO 1001051112
8292 #define ZEND_MODULE_API_NO 20020429
8293 #ifdef ZTS
8294 #define USING_ZTS 1
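Review bot: `#define HARDENING_PATCH_ZEND_MODULE_API_NO 1001051112` is a bare magic number with no comment, yet together with the STANDARD_MODULE_HEADER / STANDARD_MODULE_PROPERTIES_EX swap in the next hunk and the `real_zend_api` field in the one after it, it is the mechanism that distinguishes extensions compiled against the patched headers from extensions compiled against stock PHP. Since the header's API number is what the loader compares, an extension built against unpatched headers presumably fails the module API check while the stock number still travels in `real_zend_api`; the loader side is not in these hunks, so confirm. Suggested comment on the define: `/* Substituted for ZEND_MODULE_API_NO in STANDARD_MODULE_HEADER so extensions built against unpatched headers are rejected at load time; the stock number is carried in zend_module_entry.real_zend_api. */`. Extensions that fill zend_module_entry by hand instead of via STANDARD_MODULE_PROPERTIES_EX will leave `real_zend_api` unset (zero for a static entry), and whatever reads it should treat zero as "unknown" rather than as a valid API number.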
8295@@ -41,9 +42,9 @@
8296 #define USING_ZTS 0
8297 #endif
8298
8299-#define STANDARD_MODULE_HEADER sizeof(zend_module_entry), ZEND_MODULE_API_NO, ZEND_DEBUG, USING_ZTS
8300+#define STANDARD_MODULE_HEADER sizeof(zend_module_entry), HARDENING_PATCH_ZEND_MODULE_API_NO, ZEND_DEBUG, USING_ZTS
8301
8302-#define STANDARD_MODULE_PROPERTIES_EX 0, 0, 0, NULL, 0
8303+#define STANDARD_MODULE_PROPERTIES_EX 0, 0, 0, NULL, 0, ZEND_MODULE_API_NO
8304
8305 #define STANDARD_MODULE_PROPERTIES \
8306 NULL, NULL, STANDARD_MODULE_PROPERTIES_EX
8307@@ -75,6 +76,7 @@
8308 unsigned char type;
8309 void *handle;
8310 int module_number;
8311+ unsigned int real_zend_api;
8312 };
8313
8314
8315diff -Nura php-4.4.2/Zend/zend_opcode.c hardening-patch-4.4.2-0.4.9/Zend/zend_opcode.c
8316--- php-4.4.2/Zend/zend_opcode.c 2006-01-01 14:46:49.000000000 +0100
8317+++ hardening-patch-4.4.2-0.4.9/Zend/zend_opcode.c 2006-05-02 16:46:34.000000000 +0200
8318@@ -88,6 +88,9 @@
8319 op_array->done_pass_two = 0;
8320
8321 op_array->start_op = NULL;
8322+#if HARDENING_PATCH
8323+ op_array->created_by_eval = 0;
8324+#endif
8325
8326 zend_llist_apply_with_argument(&zend_extensions, (llist_apply_with_arg_func_t) zend_extension_op_array_ctor_handler, op_array TSRMLS_CC);
8327 }
8328diff -Nura php-4.4.2/Zend/zend_operators.c hardening-patch-4.4.2-0.4.9/Zend/zend_operators.c
8329--- php-4.4.2/Zend/zend_operators.c 2006-01-01 14:46:49.000000000 +0100
8330+++ hardening-patch-4.4.2-0.4.9/Zend/zend_operators.c 2006-05-02 16:46:34.000000000 +0200
8331@@ -1604,6 +1604,20 @@
8332 return (op->value.lval ? 1 : 0);
8333 }
8334
8335+ZEND_API char *zend_str_tolower_copy(char *dest, const char *source, unsigned int length)
8336+{
8337+ register unsigned char *str = (unsigned char*)source;
8338+ register unsigned char *result = (unsigned char*)dest;
8339+ register unsigned char *end = str + length;
8340+
8341+ while (str < end) {
8342+ *result++ = tolower((int)*str++);
8343+ }
8344+ *result = *end;
8345+
8346+ return dest;
8347+}
8348+
8349 ZEND_API void zend_str_tolower(char *str, unsigned int length)
8350 {
8351 register char *p=str, *end=p+length;
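Review bot: `*result = *end;` reads `source[length]` — one byte past the `length` the caller vouched for — and copies it as the terminator, so zend_str_tolower_copy silently requires `length + 1` readable bytes in `source` and writable bytes in `dest`, and a non-NUL-terminated slice yields an unterminated `dest`. Writing `*result = '\0';` gives the same result for proper C strings and never reads beyond `length`. `tolower()` is also locale-dependent, which matters if this is used to canonicalise identifiers such as function or class names (an ASCII-only lowering avoids surprises under locales like tr_TR); whether that is the intended use is not visible here. The function has no header comment; suggest `/* Lowercases length bytes of source into dest and NUL-terminates it; dest must hold length + 1 bytes. Returns dest. */`.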
8352diff -Nura php-4.4.2/Zend/zend_operators.h hardening-patch-4.4.2-0.4.9/Zend/zend_operators.h
8353--- php-4.4.2/Zend/zend_operators.h 2006-01-01 14:46:49.000000000 +0100
8354+++ hardening-patch-4.4.2-0.4.9/Zend/zend_operators.h 2006-05-02 16:46:34.000000000 +0200
8355@@ -174,6 +174,14 @@
8356 #endif
8357
8358 ZEND_API void zend_str_tolower(char *str, unsigned int length);
8359+ZEND_API char *zend_str_tolower_copy(char *dest, const char *source, unsigned int length);
8360+
8361+static inline char *
8362+zend_str_tolower_dup(const char *source, unsigned int length)
8363+{
8364+ return zend_str_tolower_copy((char *)emalloc(length+1), source, length);
8365+}
8366+
8367 ZEND_API int zend_binary_zval_strcmp(zval *s1, zval *s2);
8368 ZEND_API int zend_binary_zval_strncmp(zval *s1, zval *s2, zval *s3);
8369 ZEND_API int zend_binary_zval_strcasecmp(zval *s1, zval *s2);
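Review bot: `zend_str_tolower_dup` hands the caller an emalloc()'d buffer without any comment saying so, and `length+1` on an `unsigned int` wraps to 0 when `length == UINT_MAX`, at which point `emalloc(0)` succeeds and zend_str_tolower_copy writes `length` bytes past it. The wrap is unreachable for ordinary PHP string lengths, but a documented precondition (or a one-line guard) is cheap. Suggested comment above the function: `/* Returns a new emalloc()'d, NUL-terminated lowercase copy of source[0..length); the caller owns it and must efree() it. length must be < UINT_MAX. */`.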