Diffstat (limited to '0.2.7/hardened-php-5.0.4-0.2.7.patch')
-rw-r--r--0.2.7/hardened-php-5.0.4-0.2.7.patch3100
1 files changed, 3100 insertions, 0 deletions
diff --git a/0.2.7/hardened-php-5.0.4-0.2.7.patch b/0.2.7/hardened-php-5.0.4-0.2.7.patch
new file mode 100644
index 0000000..2b1372a
--- /dev/null
+++ b/0.2.7/hardened-php-5.0.4-0.2.7.patch
@@ -0,0 +1,3100 @@
1diff -Nur php-5.0.4/TSRM/TSRM.h hardened-php-5.0.4-0.2.7/TSRM/TSRM.h
2--- php-5.0.4/TSRM/TSRM.h 2005-03-11 12:12:07.000000000 +0100
3+++ hardened-php-5.0.4-0.2.7/TSRM/TSRM.h 2005-04-07 02:04:38.000000000 +0200
4@@ -33,6 +33,13 @@
5 # define TSRM_API
6 #endif
7
8+#if HARDENED_PHP
9+# if HAVE_REALPATH
10+# undef realpath
11+# define realpath php_realpath
12+# endif
13+#endif
14+
15 /* Only compile multi-threading functions if we're in ZTS mode */
16 #ifdef ZTS
17
18@@ -88,6 +95,7 @@
19
20 #define THREAD_HASH_OF(thr,ts) (unsigned long)thr%(unsigned long)ts
21
22+
23 #ifdef __cplusplus
24 extern "C" {
25 #endif
26diff -Nur php-5.0.4/TSRM/tsrm_virtual_cwd.c hardened-php-5.0.4-0.2.7/TSRM/tsrm_virtual_cwd.c
27--- php-5.0.4/TSRM/tsrm_virtual_cwd.c 2005-03-11 12:09:42.000000000 +0100
28+++ hardened-php-5.0.4-0.2.7/TSRM/tsrm_virtual_cwd.c 2005-04-07 02:04:38.000000000 +0200
29@@ -197,6 +197,165 @@
30 return p;
31 }
32
33+#if HARDENED_PHP
34+CWD_API char *php_realpath(const char *path, char *resolved)
35+{
36+ struct stat sb;
37+ char *p, *q, *s;
38+ size_t left_len, resolved_len;
39+ unsigned symlinks;
40+ int serrno, slen;
41+ int is_dir = 1;
42+ char left[PATH_MAX], next_token[PATH_MAX], symlink[PATH_MAX];
43+
44+ serrno = errno;
45+ symlinks = 0;
46+ if (path[0] == '/') {
47+ resolved[0] = '/';
48+ resolved[1] = '\0';
49+ if (path[1] == '\0')
50+ return (resolved);
51+ resolved_len = 1;
52+ left_len = strlcpy(left, path + 1, sizeof(left));
53+ } else {
54+ if (getcwd(resolved, PATH_MAX) == NULL) {
55+ strlcpy(resolved, ".", PATH_MAX);
56+ return (NULL);
57+ }
58+ resolved_len = strlen(resolved);
59+ left_len = strlcpy(left, path, sizeof(left));
60+ }
61+ if (left_len >= sizeof(left) || resolved_len >= PATH_MAX) {
62+ errno = ENAMETOOLONG;
63+ return (NULL);
64+ }
65+
66+ /*
67+ * Iterate over path components in `left'.
68+ */
69+ while (left_len != 0) {
70+ /*
71+ * Extract the next path component and adjust `left'
72+ * and its length.
73+ */
74+ p = strchr(left, '/');
75+ s = p ? p : left + left_len;
76+ if (s - left >= sizeof(next_token)) {
77+ errno = ENAMETOOLONG;
78+ return (NULL);
79+ }
80+ memcpy(next_token, left, s - left);
81+ next_token[s - left] = '\0';
82+ left_len -= s - left;
83+ if (p != NULL)
84+ memmove(left, s + 1, left_len + 1);
85+ if (resolved[resolved_len - 1] != '/') {
86+ if (resolved_len + 1 >= PATH_MAX) {
87+ errno = ENAMETOOLONG;
88+ return (NULL);
89+ }
90+ resolved[resolved_len++] = '/';
91+ resolved[resolved_len] = '\0';
92+ }
93+ if (next_token[0] == '\0')
94+ continue;
95+ else if (strcmp(next_token, ".") == 0)
96+ continue;
97+ else if (strcmp(next_token, "..") == 0) {
98+ /*
99+ * Strip the last path component except when we have
100+ * single "/"
101+ */
102+ if (!is_dir) {
103+ errno = ENOENT;
104+ return (NULL);
105+ }
106+ if (resolved_len > 1) {
107+ resolved[resolved_len - 1] = '\0';
108+ q = strrchr(resolved, '/');
109+ *q = '\0';
110+ resolved_len = q - resolved;
111+ }
112+ continue;
113+ }
114+
115+ /*
116+ * Append the next path component and lstat() it. If
117+ * lstat() fails we still can return successfully if
118+ * there are no more path components left.
119+ */
120+ resolved_len = strlcat(resolved, next_token, PATH_MAX);
121+ if (resolved_len >= PATH_MAX) {
122+ errno = ENAMETOOLONG;
123+ return (NULL);
124+ }
125+ if (lstat(resolved, &sb) != 0) {
126+ if (errno == ENOENT && p == NULL) {
127+ errno = serrno;
128+ return (resolved);
129+ }
130+ return (NULL);
131+ }
132+ if (S_ISLNK(sb.st_mode)) {
133+ if (symlinks++ > MAXSYMLINKS) {
134+ errno = ELOOP;
135+ return (NULL);
136+ }
137+ slen = readlink(resolved, symlink, sizeof(symlink) - 1);
138+ if (slen < 0)
139+ return (NULL);
140+ symlink[slen] = '\0';
141+ if (symlink[0] == '/') {
142+ resolved[1] = 0;
143+ resolved_len = 1;
144+ } else if (resolved_len > 1) {
145+ /* Strip the last path component. */
146+ resolved[resolved_len - 1] = '\0';
147+ q = strrchr(resolved, '/');
148+ *q = '\0';
149+ resolved_len = q - resolved;
150+ }
151+
152+ /*
153+ * If there are any path components left, then
154+ * append them to symlink. The result is placed
155+ * in `left'.
156+ */
157+ if (p != NULL) {
158+ if (symlink[slen - 1] != '/') {
159+ if (slen + 1 >= sizeof(symlink)) {
160+ errno = ENAMETOOLONG;
161+ return (NULL);
162+ }
163+ symlink[slen] = '/';
164+ symlink[slen + 1] = 0;
165+ }
166+ left_len = strlcat(symlink, left, sizeof(left));
167+ if (left_len >= sizeof(left)) {
168+ errno = ENAMETOOLONG;
169+ return (NULL);
170+ }
171+ }
172+ left_len = strlcpy(left, symlink, sizeof(left));
173+ } else {
174+ if (S_ISDIR(sb.st_mode)) {
175+ is_dir = 1;
176+ } else {
177+ is_dir = 0;
178+ }
179+ }
180+ }
181+
182+ /*
183+ * Remove trailing slash except when the resolved pathname
184+ * is a single "/".
185+ */
186+ if (resolved_len > 1 && resolved[resolved_len - 1] == '/')
187+ resolved[resolved_len - 1] = '\0';
188+ return (resolved);
189+}
190+#endif
191+
192 CWD_API void virtual_cwd_startup(void)
193 {
194 char cwd[MAXPATHLEN];
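Review bot: `symlink[slen - 1]` inside the `if (p != NULL)` branch indexes one byte before the buffer when readlink() returns 0, which a zero-length symlink target can produce, because the preceding check only rejects `slen < 0`. Reject the empty case up front, `if (slen <= 0) { if (slen == 0) errno = ENOENT; return (NULL); }`, so that `symlink[slen - 1]` and the later `slen + 1` arithmetic always see slen >= 1. Separately, the `!is_dir` rejection of `..` after a non-directory component sets `errno = ENOENT`; ENOTDIR is the conventional value and is what callers comparing errno would expect. The function appears to be a transplant of the BSD realpath(3) algorithm, and its lstat()/readlink() sequence is inherently racy against a concurrently modified tree, so it canonicalises paths but should not be relied on as a security boundary by itself.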
195@@ -321,8 +480,7 @@
196 path = resolved_path;
197 path_length = strlen(path);
198 } else {
199- /* disable for now
200- return 1; */
201+ return 1;
202 }
203 }
204 } else { /* Concat current directory with relative path and then run realpath() on it */
205@@ -348,9 +506,8 @@
206 path = resolved_path;
207 path_length = strlen(path);
208 } else {
209- /* disable for now
210 free(tmp);
211- return 1; */
212+ return 1;
213 }
214 }
215 free(tmp);
216diff -Nur php-5.0.4/TSRM/tsrm_virtual_cwd.h hardened-php-5.0.4-0.2.7/TSRM/tsrm_virtual_cwd.h
217--- php-5.0.4/TSRM/tsrm_virtual_cwd.h 2005-03-11 12:07:17.000000000 +0100
218+++ hardened-php-5.0.4-0.2.7/TSRM/tsrm_virtual_cwd.h 2005-04-07 02:04:38.000000000 +0200
219@@ -128,6 +128,22 @@
220
221 typedef int (*verify_path_func)(const cwd_state *);
222
223+#ifndef HAVE_STRLCPY
224+CWD_API size_t php_strlcpy(char *dst, const char *src, size_t siz);
225+#undef strlcpy
226+#define strlcpy php_strlcpy
227+#endif
228+
229+#ifndef HAVE_STRLCAT
230+CWD_API size_t php_strlcat(char *dst, const char *src, size_t siz);
231+#undef strlcat
232+#define strlcat php_strlcat
233+#endif
234+
235+
236+#if HARDENED_PHP
237+CWD_API char *php_realpath(const char *path, char *resolved);
238+#endif
239 CWD_API void virtual_cwd_startup(void);
240 CWD_API void virtual_cwd_shutdown(void);
241 CWD_API char *virtual_getcwd_ex(size_t *length TSRMLS_DC);
242diff -Nur php-5.0.4/Zend/zend.c hardened-php-5.0.4-0.2.7/Zend/zend.c
243--- php-5.0.4/Zend/zend.c 2005-03-16 00:47:12.000000000 +0100
244+++ hardened-php-5.0.4-0.2.7/Zend/zend.c 2005-04-07 02:04:38.000000000 +0200
245@@ -54,6 +54,12 @@
246 ZEND_API void (*zend_unblock_interruptions)(void);
247 ZEND_API void (*zend_ticks_function)(int ticks);
248 ZEND_API void (*zend_error_cb)(int type, const char *error_filename, const uint error_lineno, const char *format, va_list args);
249+#if HARDENED_PHP
250+ZEND_API void (*zend_security_log)(char *str);
251+#endif
252+#if HARDENED_PHP_INC_PROTECT
253+ZEND_API int (*zend_is_valid_include)(zval *z);
254+#endif
255 int (*zend_vspprintf)(char **pbuf, size_t max_len, const char *format, va_list ap);
256
257 void (*zend_on_timeout)(int seconds TSRMLS_DC);
258@@ -545,6 +551,14 @@
259 extern zend_scanner_globals language_scanner_globals;
260 #endif
261
262+ /* Set up Hardened-PHP utility functions first */
263+#if HARDENED_PHP
264+ zend_security_log = utility_functions->security_log_function;
265+#endif
266+#if HARDENED_PHP_INC_PROTECT
267+ zend_is_valid_include = utility_functions->is_valid_include;
268+#endif
269+
270 #ifdef ZTS
271 ts_allocate_id(&alloc_globals_id, sizeof(zend_alloc_globals), (ts_allocate_ctor) alloc_globals_ctor, (ts_allocate_dtor) alloc_globals_dtor);
272 #else
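Review bot: `zend_security_log` is copied from `utility_functions->security_log_function` without a NULL check, yet every canary-mismatch path in the allocator, hash and list code calls it unconditionally before `exit(1)`, so a SAPI built with HARDENED_PHP that leaves the field unset would fault on a NULL function pointer exactly when heap corruption has been detected. Install a fallback when the field is NULL, e.g. a static function that writes the message to stderr, or guard the call sites. The same applies to `zend_is_valid_include`, which zend_execute.c invokes on every include/require. Whether main.c always populates both fields is not visible in this chunk.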
273diff -Nur php-5.0.4/Zend/zend.h hardened-php-5.0.4-0.2.7/Zend/zend.h
274--- php-5.0.4/Zend/zend.h 2005-03-10 12:30:44.000000000 +0100
275+++ hardened-php-5.0.4-0.2.7/Zend/zend.h 2005-04-07 02:04:38.000000000 +0200
276@@ -359,6 +359,12 @@
277 void (*on_timeout)(int seconds TSRMLS_DC);
278 int (*stream_open_function)(const char *filename, zend_file_handle *handle TSRMLS_DC);
279 int (*vspprintf_function)(char **pbuf, size_t max_len, const char *format, va_list ap);
280+#if HARDENED_PHP
281+ void (*security_log_function)(char *str);
282+#endif
283+#if HARDENED_PHP_INC_PROTECT
284+ int (*is_valid_include)(zval *z);
285+#endif
286 } zend_utility_functions;
287
288
289@@ -496,6 +502,16 @@
290 extern void (*zend_on_timeout)(int seconds TSRMLS_DC);
291 extern ZEND_API int (*zend_stream_open_function)(const char *filename, zend_file_handle *handle TSRMLS_DC);
292 extern int (*zend_vspprintf)(char **pbuf, size_t max_len, const char *format, va_list ap);
293+#if HARDENED_PHP
294+extern ZEND_API void (*zend_security_log)(char *str);
295+#endif
296+#if HARDENED_PHP_INC_PROTECT
297+extern ZEND_API int (*zend_is_valid_include)(zval *z);
298+#endif
299+
300+#if HARDENED_PHP_MM_PROTECT || HARDENED_PHP_LL_PROTECT || HARDENED_PHP_HASH_PROTECT
301+ZEND_API unsigned int zend_canary(void);
302+#endif
303
304
305 ZEND_API void zend_error(int type, const char *format, ...) ZEND_ATTRIBUTE_FORMAT(printf, 2, 3);
306@@ -620,6 +636,10 @@
307 #define ZEND_MAX_RESERVED_RESOURCES 4
308
309
310+#if HARDENED_PHP
311+#include "hardened_globals.h"
312+#endif
313+
314 #endif /* ZEND_H */
315
316 /*
317diff -Nur php-5.0.4/Zend/zend_API.h hardened-php-5.0.4-0.2.7/Zend/zend_API.h
318--- php-5.0.4/Zend/zend_API.h 2005-01-22 13:29:13.000000000 +0100
319+++ hardened-php-5.0.4-0.2.7/Zend/zend_API.h 2005-04-07 02:04:38.000000000 +0200
320@@ -47,6 +47,7 @@
321 #define ZEND_METHOD(classname, name) ZEND_NAMED_FUNCTION(ZEND_FN(classname##_##name))
322
323 #define ZEND_FENTRY(zend_name, name, arg_info, flags) { #zend_name, name, arg_info, (zend_uint) (sizeof(arg_info)/sizeof(struct _zend_arg_info)-1), flags },
324+#define ZEND_STATIC_FE(zend_name, name, arg_info) { zend_name, name, arg_info, (zend_uint) (sizeof(arg_info)/sizeof(struct _zend_arg_info)-1), 0 },
325
326 #define ZEND_NAMED_FE(zend_name, name, arg_info) ZEND_FENTRY(zend_name, name, arg_info, 0)
327 #define ZEND_FE(name, arg_info) ZEND_FENTRY(name, ZEND_FN(name), arg_info, 0)
328diff -Nur php-5.0.4/Zend/zend_alloc.c hardened-php-5.0.4-0.2.7/Zend/zend_alloc.c
329--- php-5.0.4/Zend/zend_alloc.c 2004-08-27 18:49:54.000000000 +0200
330+++ hardened-php-5.0.4-0.2.7/Zend/zend_alloc.c 2005-04-07 02:12:14.000000000 +0200
331@@ -64,6 +64,11 @@
332 # define END_MAGIC_SIZE 0
333 #endif
334
335+#if HARDENED_PHP_MM_PROTECT
336+# define CANARY_SIZE sizeof(unsigned int)
337+#else
338+# define CANARY_SIZE 0
339+#endif
340
341 # if MEMORY_LIMIT
342 # if ZEND_DEBUG
343@@ -104,9 +109,17 @@
344 if (p==AG(head)) { \
345 AG(head) = p->pNext; \
346 } else { \
347+ if (p != p->pLast->pNext) { \
348+ zend_security_log("linked list corrupt on efree() - heap corruption detected"); \
349+ exit(1); \
350+ } \
351 p->pLast->pNext = p->pNext; \
352 } \
353 if (p->pNext) { \
354+ if (p != p->pNext->pLast) { \
355+ zend_security_log("linked list corrupt on efree() - heap corruption detected"); \
356+ exit(1); \
357+ } \
358 p->pNext->pLast = p->pLast; \
359 }
360 #else
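Review bot: the new consistency checks in REMOVE_POINTER_FROM_LIST terminate with `exit(1)` after heap corruption has been detected, but exit() runs atexit handlers, stdio flushing and destructors that themselves use the now known-corrupt heap, so the teardown can still be steered by whoever caused the corruption. Prefer `_exit(1)` or `abort()` here and in the other canary-mismatch paths of this patch; abort() additionally leaves a core for forensics. The check itself is the classic safe-unlinking test and is correct as written.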
361@@ -145,6 +158,12 @@
362 DECLARE_CACHE_VARS();
363 TSRMLS_FETCH();
364
365+#if HARDENED_PHP_MM_PROTECT
366+ if (size > LONG_MAX - sizeof(zend_mem_header) - MEM_HEADER_PADDING - END_MAGIC_SIZE - CANARY_SIZE) {
367+ zend_security_log("emalloc() - requested size would result in integer overflow");
368+ exit(1);
369+ }
370+#endif
371 CALCULATE_REAL_SIZE_AND_CACHE_INDEX(size);
372
373 #if !ZEND_DISABLE_MEMORY_CACHE
374@@ -163,6 +182,10 @@
375 AG(cache_stats)[CACHE_INDEX][1]++;
376 memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
377 #endif
378+#if HARDENED_PHP_MM_PROTECT
379+ p->canary = HG(canary_1);
380+ memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
381+#endif
382 p->cached = 0;
383 p->size = size;
384 return (void *)((char *)p + sizeof(zend_mem_header) + MEM_HEADER_PADDING);
385@@ -179,7 +202,7 @@
386 AG(allocated_memory_peak) = AG(allocated_memory);
387 }
388 #endif
389- p = (zend_mem_header *) ZEND_DO_MALLOC(sizeof(zend_mem_header) + MEM_HEADER_PADDING + SIZE + END_MAGIC_SIZE);
390+ p = (zend_mem_header *) ZEND_DO_MALLOC(sizeof(zend_mem_header) + MEM_HEADER_PADDING + SIZE + END_MAGIC_SIZE + CANARY_SIZE);
391 #if !ZEND_DISABLE_MEMORY_CACHE
392 }
393 #endif
394@@ -211,7 +234,10 @@
395 # endif
396 memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
397 #endif
398-
399+#if HARDENED_PHP_MM_PROTECT
400+ p->canary = HG(canary_1);
401+ memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
402+#endif
403 HANDLE_UNBLOCK_INTERRUPTIONS();
404 return (void *)((char *)p + sizeof(zend_mem_header) + MEM_HEADER_PADDING);
405 }
406@@ -239,6 +265,10 @@
407 }
408 }
409
410+
411+#if HARDENED_PHP
412+ zend_security_log("Possible integer overflow catched by safe_emalloc()");
413+#endif
414 zend_error(E_ERROR, "Possible integer overflow in memory allocation (%zd * %zd + %zd)", nmemb, size, offset);
415 return 0;
416 }
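Review bot: the log string `Possible integer overflow catched by safe_emalloc()` should read `caught`; the same wording appears in the _ecalloc hunk below. These messages feed the security log that operators will grep and alert on, so fix the spelling before the string is copied further. Logging before zend_error(E_ERROR) is otherwise the right place for it.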
417@@ -247,9 +277,22 @@
418
419 ZEND_API void _efree(void *ptr ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
420 {
421+#if HARDENED_PHP_MM_PROTECT
422+ unsigned int *canary_2;
423+#endif
424 zend_mem_header *p = (zend_mem_header *) ((char *)ptr - sizeof(zend_mem_header) - MEM_HEADER_PADDING);
425 DECLARE_CACHE_VARS();
426 TSRMLS_FETCH();
427+
428+#if HARDENED_PHP_MM_PROTECT
429+ canary_2 = (unsigned int *)(((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE);
430+ if (p->canary != HG(canary_1) || *canary_2 != HG(canary_2)) {
431+ zend_security_log("canary mismatch on efree() - heap overflow or double efree detected");
432+ exit(1);
433+ }
434+ /* to catch double efree()s */
435+ *canary_2 = p->canary = 0;
436+#endif
437
438 #if defined(ZTS) && TSRM_DEBUG
439 if (p->thread_id != tsrm_thread_id()) {
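Review bot: `*canary_2` in the mismatch test, and the later `*canary_2 = p->canary = 0`, dereference an `unsigned int` at `p->size + END_MAGIC_SIZE` bytes past the user pointer, an offset of arbitrary alignment, so on strict-alignment targets (SPARC, older ARM) this is a SIGBUS; the write side in _emalloc already uses memcpy for exactly that reason. Read it into a local with `memcpy(&c2, (char *) p + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE, sizeof c2);` and clear it with memset, keeping `p->canary` as the first operand of the `||` so a corrupted `p->size` is never used to form the address. The zeroing only catches a double efree() while the block is still in the cache; once it has been handed out again the second free hits a live canary and succeeds silently, which is worth stating in the `/* to catch double efree()s */` comment.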
440@@ -291,23 +334,35 @@
441
442 ZEND_API void *_ecalloc(size_t nmemb, size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
443 {
444- void *p;
445- int final_size = size*nmemb;
446+ char *p;
447+ size_t _size = nmemb * size;
448+
449+ if (nmemb && (_size/nmemb!=size)) {
450+#if HARDENED_PHP
451+ zend_security_log("Possible integer overflow catched by ecalloc()");
452+#endif
453+ fprintf(stderr,"FATAL: ecalloc(): Unable to allocate %ld * %ld bytes\n", (long) nmemb, (long) size);
454+#if ZEND_DEBUG && HAVE_KILL && HAVE_GETPID
455+ kill(getpid(), SIGSEGV);
456+#else
457+ exit(1);
458+#endif
459+ }
460
461- HANDLE_BLOCK_INTERRUPTIONS();
462- p = _emalloc(final_size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
463- if (!p) {
464- HANDLE_UNBLOCK_INTERRUPTIONS();
465- return (void *) p;
466+ p = (char *) _emalloc(_size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
467+ if (p) {
468+ memset(p, 0, _size);
469 }
470- memset(p, 0, final_size);
471- HANDLE_UNBLOCK_INTERRUPTIONS();
472- return p;
473+
474+ return ((void *)p);
475 }
476
477
478 ZEND_API void *_erealloc(void *ptr, size_t size, int allow_failure ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
479 {
480+#if HARDENED_PHP_MM_PROTECT
481+ unsigned int canary_2;
482+#endif
483 zend_mem_header *p;
484 zend_mem_header *orig;
485 DECLARE_CACHE_VARS();
486@@ -319,6 +374,14 @@
487
488 p = orig = (zend_mem_header *) ((char *)ptr-sizeof(zend_mem_header)-MEM_HEADER_PADDING);
489
490+#if HARDENED_PHP_MM_PROTECT
491+ canary_2 = *(unsigned int *)(((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE);
492+ if (p->canary != HG(canary_1) || canary_2 != HG(canary_2)) {
493+ zend_security_log("canary mismatch on erealloc() - heap overflow detected");
494+ exit(1);
495+ }
496+#endif
497+
498 #if defined(ZTS) && TSRM_DEBUG
499 if (p->thread_id != tsrm_thread_id()) {
500 void *new_p;
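Review bot: the trailing canary is read into `canary_2` before `p->canary` is examined, so a corrupted header with an attacker-chosen `p->size` is dereferenced first; _efree gets this right by testing `p->canary` before `*canary_2`. Make it a pointer and let `||` short-circuit: `canary_2 = (unsigned int *)(((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE);` and `if (p->canary != HG(canary_1) || *canary_2 != HG(canary_2))`, with the declaration changed to `unsigned int *canary_2;` in the previous hunk, or read via memcpy after the header check to also avoid the misaligned access. The enclosing _erealloc body starts before this hunk.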
501@@ -342,7 +405,7 @@
502 }
503 #endif
504 REMOVE_POINTER_FROM_LIST(p);
505- p = (zend_mem_header *) ZEND_DO_REALLOC(p, sizeof(zend_mem_header)+MEM_HEADER_PADDING+SIZE+END_MAGIC_SIZE);
506+ p = (zend_mem_header *) ZEND_DO_REALLOC(p, sizeof(zend_mem_header)+MEM_HEADER_PADDING+SIZE+END_MAGIC_SIZE+CANARY_SIZE);
507 if (!p) {
508 if (!allow_failure) {
509 fprintf(stderr,"FATAL: erealloc(): Unable to allocate %ld bytes\n", (long) size);
510@@ -364,6 +427,9 @@
511 memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
512 #endif
513
514+#if HARDENED_PHP_MM_PROTECT
515+ memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
516+#endif
517 p->size = size;
518
519 HANDLE_UNBLOCK_INTERRUPTIONS();
520@@ -439,6 +505,10 @@
521 {
522 AG(head) = NULL;
523
524+#if HARDENED_PHP_MM_PROTECT
525+ HG(canary_1) = zend_canary();
526+ HG(canary_2) = zend_canary();
527+#endif
528 #if MEMORY_LIMIT
529 AG(memory_limit) = 1<<30; /* ridiculous limit, effectively no limit */
530 AG(allocated_memory) = 0;
531diff -Nur php-5.0.4/Zend/zend_alloc.h hardened-php-5.0.4-0.2.7/Zend/zend_alloc.h
532--- php-5.0.4/Zend/zend_alloc.h 2004-08-11 08:13:12.000000000 +0200
533+++ hardened-php-5.0.4-0.2.7/Zend/zend_alloc.h 2005-04-07 02:04:38.000000000 +0200
534@@ -35,6 +35,9 @@
535 #define MEM_BLOCK_CACHED_MAGIC 0xFB8277DCL
536
537 typedef struct _zend_mem_header {
538+#if HARDENED_PHP_MM_PROTECT
539+ unsigned int canary;
540+#endif
541 #if ZEND_DEBUG
542 long magic;
543 char *filename;
544diff -Nur php-5.0.4/Zend/zend_builtin_functions.c hardened-php-5.0.4-0.2.7/Zend/zend_builtin_functions.c
545--- php-5.0.4/Zend/zend_builtin_functions.c 2005-03-14 10:13:14.000000000 +0100
546+++ hardened-php-5.0.4-0.2.7/Zend/zend_builtin_functions.c 2005-04-07 02:04:38.000000000 +0200
547@@ -52,6 +52,9 @@
548 static ZEND_FUNCTION(crash);
549 #endif
550 #endif
551+#if HARDENED_PHP_MM_PROTECT_DEBUG
552+static ZEND_FUNCTION(heap_overflow);
553+#endif
554 static ZEND_FUNCTION(get_included_files);
555 static ZEND_FUNCTION(is_subclass_of);
556 static ZEND_FUNCTION(is_a);
557@@ -111,6 +114,9 @@
558 ZEND_FE(crash, NULL)
559 #endif
560 #endif
561+#if HARDENED_PHP_MM_PROTECT_DEBUG
562+ ZEND_FE(heap_overflow, NULL)
563+#endif
564 ZEND_FE(get_included_files, NULL)
565 ZEND_FALIAS(get_required_files, get_included_files, NULL)
566 ZEND_FE(is_subclass_of, NULL)
567@@ -999,6 +1005,19 @@
568
569 #endif /* ZEND_DEBUG */
570
571+
572+#if HARDENED_PHP_MM_PROTECT_DEBUG
573+ZEND_FUNCTION(heap_overflow)
574+{
575+ char *nowhere = emalloc(10);
576+
577+ memcpy(nowhere, "something1234567890", sizeof("something1234567890"));
578+
579+ efree(nowhere);
580+}
581+#endif
582+
583+
584 /* {{{ proto array get_included_files(void)
585 Returns an array with the file names that were include_once()'d */
586 ZEND_FUNCTION(get_included_files)
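Review bot: `heap_overflow()` copies 20 bytes into a 10-byte emalloc() block on purpose and is registered as a PHP-callable function, so a build with HARDENED_PHP_MM_PROTECT_DEBUG defined lets any script deliberately corrupt the heap; nothing in the hunk says this. Add above the function `/* DEBUG ONLY: intentionally overflows a heap block to exercise the canary check in _efree(); never define HARDENED_PHP_MM_PROTECT_DEBUG in a production build. */` and make sure the configure side (not visible here) cannot enable it by default.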
587diff -Nur php-5.0.4/Zend/zend_canary.c hardened-php-5.0.4-0.2.7/Zend/zend_canary.c
588--- php-5.0.4/Zend/zend_canary.c 1970-01-01 01:00:00.000000000 +0100
589+++ hardened-php-5.0.4-0.2.7/Zend/zend_canary.c 2005-04-07 02:04:38.000000000 +0200
590@@ -0,0 +1,58 @@
591+/*
592+ +----------------------------------------------------------------------+
593+ | Hardened-PHP |
594+ +----------------------------------------------------------------------+
595+ | Copyright (c) 2004 Stefan Esser |
596+ +----------------------------------------------------------------------+
597+ | This source file is subject to version 2.02 of the PHP license, |
598+ | that is bundled with this package in the file LICENSE, and is |
599+ | available at through the world-wide-web at |
600+ | http://www.php.net/license/2_02.txt. |
601+ | If you did not receive a copy of the PHP license and are unable to |
602+ | obtain it through the world-wide-web, please send a note to |
603+ | license@php.net so we can mail you a copy immediately. |
604+ +----------------------------------------------------------------------+
605+ | Author: Stefan Esser <sesser@php.net> |
606+ +----------------------------------------------------------------------+
607+ */
608+/* $Id: zend_canary.c,v 1.1 2004/11/26 12:45:41 ionic Exp $ */
609+
610+#include "zend.h"
611+
612+#include <stdio.h>
613+#include <stdlib.h>
614+
615+
616+#if HARDENED_PHP_MM_PROTECT || HARDENED_PHP_LL_PROTECT || HARDENED_PHP_HASH_PROTECT
617+
618+/* will be replaced later with more compatible method */
619+ZEND_API unsigned int zend_canary()
620+{
621+ time_t t;
622+ unsigned int canary;
623+ int fd;
624+
625+ fd = open("/dev/urandom", 0);
626+ if (fd != -1) {
627+ int r = read(fd, &canary, sizeof(canary));
628+ close(fd);
629+ if (r == sizeof(canary)) {
630+ return (canary);
631+ }
632+ }
633+ /* not good but we never want to do this */
634+ time(&t);
635+ canary = *(unsigned int *)&t + getpid() << 16;
636+ return (canary);
637+}
638+#endif
639+
640+
641+/*
642+ * Local variables:
643+ * tab-width: 4
644+ * c-basic-offset: 4
645+ * End:
646+ * vim600: sw=4 ts=4 fdm=marker
647+ * vim<600: sw=4 ts=4
648+ */
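Review bot: the fallback `canary = *(unsigned int *)&t + getpid() << 16;` parses as `(t + getpid()) << 16` because `+` binds tighter than `<<`, leaving the low 16 bits of the canary always zero and the rest derivable from the clock and pid; `canary = (unsigned int) t ^ ((unsigned int) getpid() << 16);` is presumably what was intended, and the type-punning cast of `time_t` should go with it. The urandom path passes `0` instead of `O_RDONLY` and treats a short read or EINTR as total failure rather than retrying, so the weak fallback is reached more often than necessary. `zend_canary()` is defined with an empty parameter list while zend.h declares it `(void)`; make the definition `(void)` as well. The headers these calls need (<fcntl.h>, <unistd.h>, <time.h>) are not included here and may or may not arrive via zend.h.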
649diff -Nur php-5.0.4/Zend/zend_execute.c hardened-php-5.0.4-0.2.7/Zend/zend_execute.c
650--- php-5.0.4/Zend/zend_execute.c 2005-03-21 17:22:10.000000000 +0100
651+++ hardened-php-5.0.4-0.2.7/Zend/zend_execute.c 2005-04-07 02:04:38.000000000 +0200
652@@ -3523,7 +3523,12 @@
653 int dummy = 1;
654 zend_file_handle file_handle;
655
656+#if HARDENED_PHP_INC_PROTECT
657+ if (zend_is_valid_include(inc_filename)
658+ && (SUCCESS == zend_stream_open(inc_filename->value.str.val, &file_handle TSRMLS_CC))) {
659+#else
660 if (SUCCESS == zend_stream_open(inc_filename->value.str.val, &file_handle TSRMLS_CC)) {
661+#endif
662
663 if (!file_handle.opened_path) {
664 file_handle.opened_path = estrndup(inc_filename->value.str.val, inc_filename->value.str.len);
665@@ -3548,6 +3553,11 @@
666 break;
667 case ZEND_INCLUDE:
668 case ZEND_REQUIRE:
669+#if HARDENED_PHP_INC_PROTECT
670+ if (!zend_is_valid_include(inc_filename)) {
671+ break;
672+ }
673+#endif
674 new_op_array = compile_filename(opline->op2.u.constant.value.lval, inc_filename TSRMLS_CC);
675 break;
676 case ZEND_EVAL: {
677diff -Nur php-5.0.4/Zend/zend_extensions.h hardened-php-5.0.4-0.2.7/Zend/zend_extensions.h
678--- php-5.0.4/Zend/zend_extensions.h 2004-11-25 21:26:48.000000000 +0100
679+++ hardened-php-5.0.4-0.2.7/Zend/zend_extensions.h 2005-04-07 02:04:38.000000000 +0200
680@@ -24,10 +24,11 @@
681
682 #include "zend_compile.h"
683
684-/* The first number is the engine version and the rest is the date.
685+/* The first number is a flag saying that Hardened-PHP is used
686+ * the second number is the engine version and the rest is the date.
687 * This way engine 2 API no. is always greater than engine 1 API no..
688 */
689-#define ZEND_EXTENSION_API_NO 220040412
690+#define ZEND_EXTENSION_API_NO 1220040412
691
692 typedef struct _zend_extension_version_info {
693 int zend_extension_api_no;
694diff -Nur php-5.0.4/Zend/zend_hash.c hardened-php-5.0.4-0.2.7/Zend/zend_hash.c
695--- php-5.0.4/Zend/zend_hash.c 2004-07-10 09:45:49.000000000 +0200
696+++ hardened-php-5.0.4-0.2.7/Zend/zend_hash.c 2005-04-07 02:06:13.000000000 +0200
697@@ -21,6 +21,18 @@
698
699 #include "zend.h"
700
701+#if HARDENED_PHP_HASH_PROTECT
702+ unsigned int zend_hash_canary = 0x1234567;
703+ zend_bool zend_hash_canary_inited = 0;
704+#endif
705+
706+#define CHECK_HASH_CANARY(hash) \
707+ if (zend_hash_canary != (hash)->canary) { \
708+ zend_security_log("Zend HashTable canary was overwritten"); \
709+ exit(1); \
710+ }
711+
712+
713 #define CONNECT_TO_BUCKET_DLLIST(element, list_head) \
714 (element)->pNext = (list_head); \
715 (element)->pLast = NULL; \
716@@ -138,6 +150,9 @@
717 {
718 uint i = 3;
719 Bucket **tmp;
720+#if HARDENED_PHP_HASH_PROTECT
721+ TSRMLS_FETCH();
722+#endif
723
724 SET_INCONSISTENT(HT_OK);
725
726@@ -147,6 +162,13 @@
727
728 ht->nTableSize = 1 << i;
729 ht->nTableMask = ht->nTableSize - 1;
730+#if HARDENED_PHP_HASH_PROTECT
731+ if (zend_hash_canary_inited==0) {
732+ zend_hash_canary = zend_canary();
733+ zend_hash_canary_inited = 1;
734+ }
735+ ht->canary = zend_hash_canary;
736+#endif
737 ht->pDestructor = pDestructor;
738 ht->arBuckets = NULL;
739 ht->pListHead = NULL;
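Review bot: `zend_hash_canary` and `zend_hash_canary_inited` are plain process globals initialised lazily here with no locking, so under ZTS two threads creating their first hashtable concurrently can each call zend_canary(), and a table stamped with the first value then fails CHECK_HASH_CANARY against the second and exit()s the server. Seed the canary once at startup (e.g. alongside `HG(canary_1)` in start_memory_manager) or keep it in the per-thread HG globals the llist code already uses. The `TSRMLS_FETCH()` added to _zend_hash_init in the previous hunk is then unused; as it stands nothing in this function reads TSRM state.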
740@@ -226,6 +248,9 @@
741 }
742 #endif
743 if (ht->pDestructor) {
744+#if HARDENED_PHP_HASH_PROTECT
745+ CHECK_HASH_CANARY(ht);
746+#endif
747 ht->pDestructor(p->pData);
748 }
749 UPDATE_DATA(ht, p, pData, nDataSize);
750@@ -291,6 +316,9 @@
751 }
752 #endif
753 if (ht->pDestructor) {
754+#if HARDENED_PHP_HASH_PROTECT
755+ CHECK_HASH_CANARY(ht);
756+#endif
757 ht->pDestructor(p->pData);
758 }
759 UPDATE_DATA(ht, p, pData, nDataSize);
760@@ -366,6 +394,9 @@
761 }
762 #endif
763 if (ht->pDestructor) {
764+#if HARDENED_PHP_HASH_PROTECT
765+ CHECK_HASH_CANARY(ht);
766+#endif
767 ht->pDestructor(p->pData);
768 }
769 UPDATE_DATA(ht, p, pData, nDataSize);
770@@ -414,7 +445,7 @@
771 IS_CONSISTENT(ht);
772
773 if ((ht->nTableSize << 1) > 0) { /* Let's double the table size */
774- t = (Bucket **) perealloc_recoverable(ht->arBuckets, (ht->nTableSize << 1) * sizeof(Bucket *), ht->persistent);
775+ t = (Bucket **) perealloc(ht->arBuckets, (ht->nTableSize << 1) * sizeof(Bucket *), ht->persistent);
776 if (t) {
777 HANDLE_BLOCK_INTERRUPTIONS();
778 ht->arBuckets = t;
779@@ -424,6 +455,7 @@
780 HANDLE_UNBLOCK_INTERRUPTIONS();
781 return SUCCESS;
782 }
783+ zend_error(E_ERROR, "zend_hash_do_resize - out of memory");
784 return FAILURE;
785 }
786 return SUCCESS;
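Review bot: switching `perealloc_recoverable` to `perealloc` in the previous hunk makes the `if (t)` fallthrough unreachable, because the non-recoverable _erealloc path prints FATAL and exits on failure (visible in the zend_alloc.c hunk above), so the added `zend_error(E_ERROR, "zend_hash_do_resize - out of memory")` never runs. Either keep `perealloc_recoverable` and let the new zend_error be the handling, or drop the dead branch; as written the two contradict each other. If the intent was to stop a failed resize leaving arBuckets half-updated, a comment saying so would help.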
787@@ -487,6 +519,9 @@
788 ht->pInternalPointer = p->pListNext;
789 }
790 if (ht->pDestructor) {
791+#if HARDENED_PHP_HASH_PROTECT
792+ CHECK_HASH_CANARY(ht);
793+#endif
794 ht->pDestructor(p->pData);
795 }
796 if (!p->pDataPtr) {
797@@ -516,6 +551,9 @@
798 q = p;
799 p = p->pListNext;
800 if (ht->pDestructor) {
801+#if HARDENED_PHP_HASH_PROTECT
802+ CHECK_HASH_CANARY(ht);
803+#endif
804 ht->pDestructor(q->pData);
805 }
806 if (!q->pDataPtr && q->pData) {
807@@ -542,6 +580,9 @@
808 q = p;
809 p = p->pListNext;
810 if (ht->pDestructor) {
811+#if HARDENED_PHP_HASH_PROTECT
812+ CHECK_HASH_CANARY(ht);
813+#endif
814 ht->pDestructor(q->pData);
815 }
816 if (!q->pDataPtr && q->pData) {
817@@ -571,6 +612,9 @@
818 HANDLE_BLOCK_INTERRUPTIONS();
819
820 if (ht->pDestructor) {
821+#if HARDENED_PHP_HASH_PROTECT
822+ CHECK_HASH_CANARY(ht);
823+#endif
824 ht->pDestructor(p->pData);
825 }
826 if (!p->pDataPtr) {
827diff -Nur php-5.0.4/Zend/zend_hash.h hardened-php-5.0.4-0.2.7/Zend/zend_hash.h
828--- php-5.0.4/Zend/zend_hash.h 2004-01-08 18:31:47.000000000 +0100
829+++ hardened-php-5.0.4-0.2.7/Zend/zend_hash.h 2005-04-07 02:04:38.000000000 +0200
830@@ -58,6 +58,9 @@
831 } Bucket;
832
833 typedef struct _hashtable {
834+#if HARDENED_PHP_HASH_PROTECT
835+ unsigned int canary;
836+#endif
837 uint nTableSize;
838 uint nTableMask;
839 uint nNumOfElements;
840diff -Nur php-5.0.4/Zend/zend_llist.c hardened-php-5.0.4-0.2.7/Zend/zend_llist.c
841--- php-5.0.4/Zend/zend_llist.c 2004-01-08 18:31:47.000000000 +0100
842+++ hardened-php-5.0.4-0.2.7/Zend/zend_llist.c 2005-04-07 02:04:38.000000000 +0200
843@@ -22,9 +22,34 @@
844 #include "zend.h"
845 #include "zend_llist.h"
846 #include "zend_qsort.h"
847+#include "zend_globals.h"
848+
849+#define CHECK_LIST_CANARY(list) \
850+ if (HG(canary_3) != (list)->canary_h || HG(canary_4) != (list)->canary_t) { \
851+ zend_security_log("linked list canary was overwritten"); \
852+ exit(1); \
853+ }
854+
855+#define CHECK_LISTELEMENT_CANARY(elem) \
856+ if (HG(canary_3) != (elem)->canary) { \
857+ zend_security_log("linked list element canary was overwritten"); \
858+ exit(1); \
859+ }
860+
861
862 ZEND_API void zend_llist_init(zend_llist *l, size_t size, llist_dtor_func_t dtor, unsigned char persistent)
863 {
864+#if HARDENED_PHP_LL_PROTECT
865+ TSRMLS_FETCH();
866+
867+ if (!HG(ll_canary_inited)) {
868+ HG(canary_3) = zend_canary();
869+ HG(canary_4) = zend_canary();
870+ HG(ll_canary_inited) = 1;
871+ }
872+ l->canary_h = HG(canary_3);
873+ l->canary_t = HG(canary_4);
874+#endif
875 l->head = NULL;
876 l->tail = NULL;
877 l->count = 0;
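Review bot: CHECK_LIST_CANARY and CHECK_LISTELEMENT_CANARY expand to a bare `if`, are invoked without a trailing semicolon throughout this file, and would silently bind to a following `else`; wrap both bodies in `do { ... } while (0)` and call them as statements with `;`. Both macros read `HG(...)`, which needs TSRM state in scope, so every ZTS caller lacking `TSRMLS_DC` depends on the `TSRMLS_FETCH()` this patch adds, something worth a one-line comment above the macros. `#include "zend_globals.h"` is added unconditionally rather than under HARDENED_PHP_LL_PROTECT.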
878@@ -38,6 +63,11 @@
879 {
880 zend_llist_element *tmp = pemalloc(sizeof(zend_llist_element)+l->size-1, l->persistent);
881
882+#if HARDENED_PHP_LL_PROTECT
883+ TSRMLS_FETCH();
884+ CHECK_LIST_CANARY(l)
885+ tmp->canary = HG(canary_3);
886+#endif
887 tmp->prev = l->tail;
888 tmp->next = NULL;
889 if (l->tail) {
890@@ -56,6 +86,11 @@
891 {
892 zend_llist_element *tmp = pemalloc(sizeof(zend_llist_element)+l->size-1, l->persistent);
893
894+#if HARDENED_PHP_LL_PROTECT
895+ TSRMLS_FETCH();
896+ CHECK_LIST_CANARY(l)
897+ tmp->canary = HG(canary_3);
898+#endif
899 tmp->next = l->head;
900 tmp->prev = NULL;
901 if (l->head) {
902@@ -93,10 +128,20 @@
903 zend_llist_element *current=l->head;
904 zend_llist_element *next;
905
906+#if HARDENED_PHP_LL_PROTECT
907+ TSRMLS_FETCH();
908+ CHECK_LIST_CANARY(l)
909+#endif
910 while (current) {
911+#if HARDENED_PHP_LL_PROTECT
912+ CHECK_LISTELEMENT_CANARY(current)
913+#endif
914 next = current->next;
915 if (compare(current->data, element)) {
916 DEL_LLIST_ELEMENT(current, l);
917+#if HARDENED_PHP_LL_PROTECT
918+ current->canary = 0;
919+#endif
920 break;
921 }
922 current = next;
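Review bot: `current->canary = 0;` after `DEL_LLIST_ELEMENT(current, l)` writes into memory the macro has already released, because DEL_LLIST_ELEMENT in stock 5.0.x ends with `pefree((current), (l)->persistent)`; under MM_PROTECT that block's own canary has just been cleared, and the store is a use-after-free either way. Clear the canary before unlinking: move the `current->canary = 0;` line, with its `#if`, above the `DEL_LLIST_ELEMENT(current, l);` call. The macro definition is outside this hunk, so confirm it still frees in this tree.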
923@@ -108,7 +153,14 @@
924 {
925 zend_llist_element *current=l->head, *next;
926
927+#if HARDENED_PHP_LL_PROTECT
928+ TSRMLS_FETCH();
929+ CHECK_LIST_CANARY(l)
930+#endif
931 while (current) {
932+#if HARDENED_PHP_LL_PROTECT
933+ CHECK_LISTELEMENT_CANARY(current)
934+#endif
935 next = current->next;
936 if (l->dtor) {
937 l->dtor(current->data);
938@@ -133,7 +185,14 @@
939 zend_llist_element *old_tail;
940 void *data;
941
942+#if HARDENED_PHP_LL_PROTECT
943+ TSRMLS_FETCH();
944+ CHECK_LIST_CANARY(l)
945+#endif
946 if ((old_tail = l->tail)) {
947+#if HARDENED_PHP_LL_PROTECT
948+ CHECK_LISTELEMENT_CANARY(old_tail)
949+#endif
950 if (l->tail->prev) {
951 l->tail->prev->next = NULL;
952 }
953@@ -159,9 +218,16 @@
954 {
955 zend_llist_element *ptr;
956
957+#if HARDENED_PHP_LL_PROTECT
958+ TSRMLS_FETCH();
959+ CHECK_LIST_CANARY(src)
960+#endif
961 zend_llist_init(dst, src->size, src->dtor, src->persistent);
962 ptr = src->head;
963 while (ptr) {
964+#if HARDENED_PHP_LL_PROTECT
965+ CHECK_LISTELEMENT_CANARY(ptr)
966+#endif
967 zend_llist_add_element(dst, ptr->data);
968 ptr = ptr->next;
969 }
970@@ -172,11 +238,21 @@
971 {
972 zend_llist_element *element, *next;
973
974+#if HARDENED_PHP_LL_PROTECT
975+ TSRMLS_FETCH();
976+ CHECK_LIST_CANARY(l)
977+#endif
978 element=l->head;
979 while (element) {
980+#if HARDENED_PHP_LL_PROTECT
981+ CHECK_LISTELEMENT_CANARY(element)
982+#endif
983 next = element->next;
984 if (func(element->data)) {
985 DEL_LLIST_ELEMENT(element, l);
986+#if HARDENED_PHP_LL_PROTECT
987+ element->canary = 0;
988+#endif
989 }
990 element = next;
991 }
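Review bot: `element->canary = 0;` after `DEL_LLIST_ELEMENT(element, l)` has the same use-after-free as zend_llist_del_element, since DEL_LLIST_ELEMENT in stock 5.0.x pefree()s the element before returning. Move the `element->canary = 0;` line, with its `#if`, above the `DEL_LLIST_ELEMENT(element, l);` call so the marker is written while the element is still live. The macro definition is outside this hunk, so confirm it still frees in this tree.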
992@@ -187,7 +263,13 @@
993 {
994 zend_llist_element *element;
995
996+#if HARDENED_PHP_LL_PROTECT
997+ CHECK_LIST_CANARY(l)
998+#endif
999 for (element=l->head; element; element=element->next) {
1000+#if HARDENED_PHP_LL_PROTECT
1001+ CHECK_LISTELEMENT_CANARY(element)
1002+#endif
1003 func(element->data TSRMLS_CC);
1004 }
1005 }
1006@@ -199,6 +281,9 @@
1007 zend_llist_element **elements;
1008 zend_llist_element *element, **ptr;
1009
1010+#if HARDENED_PHP_LL_PROTECT
1011+ CHECK_LIST_CANARY(l)
1012+#endif
1013 if (l->count <= 0) {
1014 return;
1015 }
1016@@ -208,6 +293,9 @@
1017 ptr = &elements[0];
1018
1019 for (element=l->head; element; element=element->next) {
1020+#if HARDENED_PHP_LL_PROTECT
1021+ CHECK_LISTELEMENT_CANARY(element)
1022+#endif
1023 *ptr++ = element;
1024 }
1025
1026@@ -230,7 +318,13 @@
1027 {
1028 zend_llist_element *element;
1029
1030+#if HARDENED_PHP_LL_PROTECT
1031+ CHECK_LIST_CANARY(l)
1032+#endif
1033 for (element=l->head; element; element=element->next) {
1034+#if HARDENED_PHP_LL_PROTECT
1035+ CHECK_LISTELEMENT_CANARY(element)
1036+#endif
1037 func(element->data, arg TSRMLS_CC);
1038 }
1039 }
1040@@ -241,8 +335,14 @@
1041 zend_llist_element *element;
1042 va_list args;
1043
1044+#if HARDENED_PHP_LL_PROTECT
1045+ CHECK_LIST_CANARY(l)
1046+#endif
1047 va_start(args, num_args);
1048 for (element=l->head; element; element=element->next) {
1049+#if HARDENED_PHP_LL_PROTECT
1050+ CHECK_LISTELEMENT_CANARY(element)
1051+#endif
1052 func(element->data, num_args, args TSRMLS_CC);
1053 }
1054 va_end(args);
1055@@ -251,6 +351,10 @@
1056
1057 ZEND_API int zend_llist_count(zend_llist *l)
1058 {
1059+#if HARDENED_PHP_LL_PROTECT
1060+ TSRMLS_FETCH();
1061+ CHECK_LIST_CANARY(l)
1062+#endif
1063 return l->count;
1064 }
1065
1066@@ -259,8 +363,15 @@
1067 {
1068 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
1069
1070+#if HARDENED_PHP_LL_PROTECT
1071+ TSRMLS_FETCH();
1072+ CHECK_LIST_CANARY(l)
1073+#endif
1074 *current = l->head;
1075 if (*current) {
1076+#if HARDENED_PHP_LL_PROTECT
1077+ CHECK_LISTELEMENT_CANARY(*current)
1078+#endif
1079 return (*current)->data;
1080 } else {
1081 return NULL;
1082@@ -272,8 +383,15 @@
1083 {
1084 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
1085
1086+#if HARDENED_PHP_LL_PROTECT
1087+ TSRMLS_FETCH();
1088+ CHECK_LIST_CANARY(l)
1089+#endif
1090 *current = l->tail;
1091 if (*current) {
1092+#if HARDENED_PHP_LL_PROTECT
1093+ CHECK_LISTELEMENT_CANARY(*current)
1094+#endif
1095 return (*current)->data;
1096 } else {
1097 return NULL;
1098@@ -285,9 +403,19 @@
1099 {
1100 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
1101
1102+#if HARDENED_PHP_LL_PROTECT
1103+ TSRMLS_FETCH();
1104+ CHECK_LIST_CANARY(l)
1105+#endif
1106 if (*current) {
1107+#if HARDENED_PHP_LL_PROTECT
1108+ CHECK_LISTELEMENT_CANARY(*current)
1109+#endif
1110 *current = (*current)->next;
1111 if (*current) {
1112+#if HARDENED_PHP_LL_PROTECT
1113+ CHECK_LISTELEMENT_CANARY(*current)
1114+#endif
1115 return (*current)->data;
1116 }
1117 }
1118@@ -299,9 +427,19 @@
1119 {
1120 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
1121
1122+#if HARDENED_PHP_LL_PROTECT
1123+ TSRMLS_FETCH();
1124+ CHECK_LIST_CANARY(l)
1125+#endif
1126 if (*current) {
1127+#if HARDENED_PHP_LL_PROTECT
1128+ CHECK_LISTELEMENT_CANARY(*current)
1129+#endif
1130 *current = (*current)->prev;
1131 if (*current) {
1132+#if HARDENED_PHP_LL_PROTECT
1133+ CHECK_LISTELEMENT_CANARY(*current)
1134+#endif
1135 return (*current)->data;
1136 }
1137 }
1138diff -Nur php-5.0.4/Zend/zend_llist.h hardened-php-5.0.4-0.2.7/Zend/zend_llist.h
1139--- php-5.0.4/Zend/zend_llist.h 2004-01-08 18:31:47.000000000 +0100
1140+++ hardened-php-5.0.4-0.2.7/Zend/zend_llist.h 2005-04-07 02:04:38.000000000 +0200
1141@@ -23,6 +23,9 @@
1142 #define ZEND_LLIST_H
1143
1144 typedef struct _zend_llist_element {
1145+#if HARDENED_PHP_LL_PROTECT
1146+ unsigned int canary;
1147+#endif
1148 struct _zend_llist_element *next;
1149 struct _zend_llist_element *prev;
1150 char data[1]; /* Needs to always be last in the struct */
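Review bot: The new `canary` member carries no comment saying what checks it or what it can detect. As the first member it catches a linear overflow running into the element from the preceding heap chunk before `next`/`prev` are reached; an overflow inside the element's own `data[]` (which the existing comment keeps last) runs forward into whatever allocation follows and is only noticed if that happens to be another canaried object, and a targeted non-linear write bypasses it entirely. Suggest `unsigned int canary; /* HARDENED_PHP_LL_PROTECT: verified by CHECK_LISTELEMENT_CANARY before next/prev are dereferenced; detects linear overflows from the preceding chunk only */`. On LP64 the 4-byte field is followed by padding before `next`, which does not weaken the check for contiguous overwrites but is worth knowing if the canary is ever widened.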
1151@@ -35,6 +38,9 @@
1152 typedef void (*llist_apply_func_t)(void * TSRMLS_DC);
1153
1154 typedef struct _zend_llist {
1155+#if HARDENED_PHP_LL_PROTECT
1156+ unsigned int canary_h; /* head */
1157+#endif
1158 zend_llist_element *head;
1159 zend_llist_element *tail;
1160 size_t count;
1161@@ -42,6 +48,9 @@
1162 llist_dtor_func_t dtor;
1163 unsigned char persistent;
1164 zend_llist_element *traverse_ptr;
1165+#if HARDENED_PHP_LL_PROTECT
1166+ unsigned int canary_t; /* tail */
1167+#endif
1168 } zend_llist;
1169
1170 typedef zend_llist_element* zend_llist_position;
1171diff -Nur php-5.0.4/Zend/zend_modules.h hardened-php-5.0.4-0.2.7/Zend/zend_modules.h
1172--- php-5.0.4/Zend/zend_modules.h 2005-03-16 00:47:12.000000000 +0100
1173+++ hardened-php-5.0.4-0.2.7/Zend/zend_modules.h 2005-04-07 02:04:38.000000000 +0200
1174@@ -38,7 +38,7 @@
1175 extern struct _zend_arg_info fourth_arg_force_ref[5];
1176 extern struct _zend_arg_info all_args_by_ref[1];
1177
1178-#define ZEND_MODULE_API_NO 20041030
1179+#define ZEND_MODULE_API_NO 1020041030
1180 #ifdef ZTS
1181 #define USING_ZTS 1
1182 #else
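Review bot: `ZEND_MODULE_API_NO 1020041030` is what stops extensions built against stock PHP 5.0.4 from loading into an engine whose zend_llist layout has shifted by the canary fields, but nothing on the line says so, and a later sync with upstream could silently restore the old value and reintroduce the layout mismatch. Suggest `#define ZEND_MODULE_API_NO 1020041030 /* Hardened-PHP: Zend struct layouts differ from stock PHP; deliberately rejects modules built against it */`. The value needs one more digit to print than upstream's, which the info.c buffer change elsewhere in this patch appears to account for.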
1183diff -Nur php-5.0.4/acinclude.m4 hardened-php-5.0.4-0.2.7/acinclude.m4
1184--- php-5.0.4/acinclude.m4 2005-01-25 14:02:45.000000000 +0100
1185+++ hardened-php-5.0.4-0.2.7/acinclude.m4 2005-04-07 02:04:39.000000000 +0200
1186@@ -1169,6 +1169,36 @@
1187 fi
1188 ])
1189
1190+dnl
1191+dnl Check for broken realpath()
1192+dnl
1193+dnl realpath("/etc/hosts/../passwd",XXX) should not return
1194+dnl "/etc/passwd"
1195+dnl
1196+AC_DEFUN([PHP_AC_BROKEN_REALPATH],[
1197+ AC_CACHE_CHECK(whether realpath is broken, ac_cv_broken_realpath,[
1198+ AC_TRY_RUN([
1199+main() {
1200+ char buf[4096+1];
1201+ buf[0] = 0;
1202+ realpath("/etc/hosts/../passwd", buf);
1203+ exit(strcmp(buf, "/etc/passwd")==0);
1204+}
1205+ ],[
1206+ ac_cv_broken_realpath=no
1207+ ],[
1208+ ac_cv_broken_realpath=yes
1209+ ],[
1210+ ac_cv_broken_realpath=no
1211+ ])
1212+ ])
1213+ if test "$ac_cv_broken_realpath" = "yes"; then
1214+ AC_DEFINE(PHP_BROKEN_REALPATH, 1, [Whether realpath is broken])
1215+ else
1216+ AC_DEFINE(PHP_BROKEN_REALPATH, 0, [Whether realpath is broken])
1217+ fi
1218+])
1219+
1220 dnl PHP_SHARED_MODULE(module-name, object-var, build-dir, cxx)
1221 dnl
1222 dnl Basically sets up the link-stage for building module-name
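Review bot: The probe program declares `main()` with no return type and calls realpath(), strcmp() and exit() without any `#include`, so a compiler that rejects implicit declarations fails to build it and AC_TRY_RUN then takes the failure branch, recording realpath as broken without having measured anything. The verdict also rests on buffer contents alone: a correct realpath() must return NULL (ENOTDIR) for "/etc/hosts/../passwd", so the return value is the more reliable signal, and the whole probe depends on /etc/hosts existing on the build host, which should be stated in the dnl comment. The cross-compiling default of `no` trusts the target libc; for a hardening option the conservative default is to assume it is broken, presuming PHP_BROKEN_REALPATH selects the bundled replacement (its consumer is outside this hunk). The generated configure copy of this check would need the same update.
```m4
  AC_TRY_RUN([
#include <stdlib.h>
#include <string.h>
int main(void) {
  char buf[4096+1];
  buf[0] = 0;
  /* a correct realpath() fails with ENOTDIR here; "broken" means it succeeds and yields /etc/passwd */
  exit(realpath("/etc/hosts/../passwd", buf) != NULL && strcmp(buf, "/etc/passwd")==0);
}
  ],[
    ac_cv_broken_realpath=no
  ],[
    ac_cv_broken_realpath=yes
  ],[
    ac_cv_broken_realpath=yes
  ])
```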
1223diff -Nur php-5.0.4/configure hardened-php-5.0.4-0.2.7/configure
1224--- php-5.0.4/configure 2005-04-03 11:42:50.000000000 +0200
1225+++ hardened-php-5.0.4-0.2.7/configure 2005-04-07 02:04:39.000000000 +0200
1226@@ -401,6 +401,16 @@
1227 ac_default_prefix=/usr/local
1228 # Any additions from configure.in:
1229 ac_help="$ac_help
1230+ --disable-hardened-php-mm-protect Disable the Memory Manager protection."
1231+ac_help="$ac_help
1232+ --disable-hardened-php-ll-protect Disable the Linked List protection."
1233+ac_help="$ac_help
1234+ --disable-hardened-php-inc-protect Disable include/require protection."
1235+ac_help="$ac_help
1236+ --disable-hardened-php-fmt-protect Disable format string protection."
1237+ac_help="$ac_help
1238+ --disable-hardened-php-hash-protect Disable Zend HashTable DTOR protection."
1239+ac_help="$ac_help
1240
1241 SAPI modules:
1242 "
1243@@ -857,6 +867,8 @@
1244 ac_help="$ac_help
1245 --disable-tokenizer Disable tokenizer support"
1246 ac_help="$ac_help
1247+ --disable-varfilter Disable Hardened-PHP's variable filter"
1248+ac_help="$ac_help
1249 --enable-wddx Enable WDDX support."
1250 ac_help="$ac_help
1251 --disable-xml Disable XML support."
1252@@ -2749,6 +2761,157 @@
1253
1254
1255
1256+# Check whether --enable-hardened-php-mm-protect or --disable-hardened-php-mm-protect was given.
1257+if test "${enable_hardened_php_mm_protect+set}" = set; then
1258+ enableval="$enable_hardened_php_mm_protect"
1259+
1260+ DO_HARDENED_PHP_MM_PROTECT=$enableval
1261+
1262+else
1263+
1264+ DO_HARDENED_PHP_MM_PROTECT=yes
1265+
1266+fi
1267+
1268+
1269+# Check whether --enable-hardened-php-ll-protect or --disable-hardened-php-ll-protect was given.
1270+if test "${enable_hardened_php_ll_protect+set}" = set; then
1271+ enableval="$enable_hardened_php_ll_protect"
1272+
1273+ DO_HARDENED_PHP_LL_PROTECT=$enableval
1274+
1275+else
1276+
1277+ DO_HARDENED_PHP_LL_PROTECT=yes
1278+
1279+fi
1280+
1281+
1282+# Check whether --enable-hardened-php-inc-protect or --disable-hardened-php-inc-protect was given.
1283+if test "${enable_hardened_php_inc_protect+set}" = set; then
1284+ enableval="$enable_hardened_php_inc_protect"
1285+
1286+ DO_HARDENED_PHP_INC_PROTECT=$enableval
1287+
1288+else
1289+
1290+ DO_HARDENED_PHP_INC_PROTECT=yes
1291+
1292+fi
1293+
1294+
1295+# Check whether --enable-hardened-php-fmt-protect or --disable-hardened-php-fmt-protect was given.
1296+if test "${enable_hardened_php_fmt_protect+set}" = set; then
1297+ enableval="$enable_hardened_php_fmt_protect"
1298+
1299+ DO_HARDENED_PHP_FMT_PROTECT=$enableval
1300+
1301+else
1302+
1303+ DO_HARDENED_PHP_FMT_PROTECT=yes
1304+
1305+fi
1306+
1307+
1308+# Check whether --enable-hardened-php-hash-protect or --disable-hardened-php-hash-protect was given.
1309+if test "${enable_hardened_php_hash_protect+set}" = set; then
1310+ enableval="$enable_hardened_php_hash_protect"
1311+
1312+ DO_HARDENED_PHP_HASH_PROTECT=$enableval
1313+
1314+else
1315+
1316+ DO_HARDENED_PHP_HASH_PROTECT=yes
1317+
1318+fi
1319+
1320+
1321+echo $ac_n "checking whether to protect the Zend Memory Manager""... $ac_c" 1>&6
1322+echo "configure:2725: checking whether to protect the Zend Memory Manager" >&5
1323+echo "$ac_t""$DO_HARDENED_PHP_MM_PROTECT" 1>&6
1324+
1325+echo $ac_n "checking whether to protect the Zend Linked Lists""... $ac_c" 1>&6
1326+echo "configure:2729: checking whether to protect the Zend Linked Lists" >&5
1327+echo "$ac_t""$DO_HARDENED_PHP_LL_PROTECT" 1>&6
1328+
1329+echo $ac_n "checking whether to protect include/require statements""... $ac_c" 1>&6
1330+echo "configure:2733: checking whether to protect include/require statements" >&5
1331+echo "$ac_t""$DO_HARDENED_PHP_INC_PROTECT" 1>&6
1332+
1333+echo $ac_n "checking whether to protect PHP Format String functions""... $ac_c" 1>&6
1334+echo "configure:2737: checking whether to protect PHP Format String functions" >&5
1335+echo "$ac_t""$DO_HARDENED_PHP_FMT_PROTECT" 1>&6
1336+
1337+echo $ac_n "checking whether to protect the Zend HashTable Destructors""... $ac_c" 1>&6
1338+echo "configure:2737: checking whether to protect the Zend HashTable Destructors" >&5
1339+echo "$ac_t""$DO_HARDENED_PHP_HASH_PROTECT" 1>&6
1340+
1341+
1342+cat >> confdefs.h <<\EOF
1343+#define HARDENED_PHP 1
1344+EOF
1345+
1346+
1347+
1348+if test "$DO_HARDENED_PHP_MM_PROTECT" = "yes"; then
1349+ cat >> confdefs.h <<\EOF
1350+#define HARDENED_PHP_MM_PROTECT 1
1351+EOF
1352+
1353+else
1354+ cat >> confdefs.h <<\EOF
1355+#define HARDENED_PHP_MM_PROTECT 0
1356+EOF
1357+
1358+fi
1359+
1360+if test "$DO_HARDENED_PHP_LL_PROTECT" = "yes"; then
1361+ cat >> confdefs.h <<\EOF
1362+#define HARDENED_PHP_LL_PROTECT 1
1363+EOF
1364+
1365+else
1366+ cat >> confdefs.h <<\EOF
1367+#define HARDENED_PHP_LL_PROTECT 0
1368+EOF
1369+
1370+fi
1371+
1372+if test "$DO_HARDENED_PHP_INC_PROTECT" = "yes"; then
1373+ cat >> confdefs.h <<\EOF
1374+#define HARDENED_PHP_INC_PROTECT 1
1375+EOF
1376+
1377+else
1378+ cat >> confdefs.h <<\EOF
1379+#define HARDENED_PHP_INC_PROTECT 0
1380+EOF
1381+
1382+fi
1383+
1384+if test "$DO_HARDENED_PHP_FMT_PROTECT" = "yes"; then
1385+ cat >> confdefs.h <<\EOF
1386+#define HARDENED_PHP_FMT_PROTECT 1
1387+EOF
1388+
1389+else
1390+ cat >> confdefs.h <<\EOF
1391+#define HARDENED_PHP_FMT_PROTECT 0
1392+EOF
1393+
1394+fi
1395+
1396+if test "$DO_HARDENED_PHP_HASH_PROTECT" = "yes"; then
1397+ cat >> confdefs.h <<\EOF
1398+#define HARDENED_PHP_HASH_PROTECT 1
1399+EOF
1400+
1401+else
1402+ cat >> confdefs.h <<\EOF
1403+#define HARDENED_PHP_HASH_PROTECT 0
1404+EOF
1405+
1406+fi
1407
1408
1409
1410@@ -17390,6 +17553,62 @@
1411 fi
1412
1413
1414+ echo $ac_n "checking whether realpath is broken""... $ac_c" 1>&6
1415+echo "configure:14928: checking whether realpath is broken" >&5
1416+if eval "test \"`echo '$''{'ac_cv_broken_realpath'+set}'`\" = set"; then
1417+ echo $ac_n "(cached) $ac_c" 1>&6
1418+else
1419+
1420+ if test "$cross_compiling" = yes; then
1421+
1422+ ac_cv_broken_realpath=no
1423+
1424+else
1425+ cat > conftest.$ac_ext <<EOF
1426+#line 14939 "configure"
1427+#include "confdefs.h"
1428+
1429+main() {
1430+ char buf[4096+1];
1431+ buf[0] = 0;
1432+ realpath("/etc/hosts/../passwd", buf);
1433+ exit(strcmp(buf, "/etc/passwd")==0);
1434+}
1435+
1436+EOF
1437+if { (eval echo configure:14958: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
1438+then
1439+
1440+ ac_cv_broken_realpath=no
1441+
1442+else
1443+ echo "configure: failed program was:" >&5
1444+ cat conftest.$ac_ext >&5
1445+ rm -fr conftest*
1446+
1447+ ac_cv_broken_realpath=yes
1448+
1449+fi
1450+rm -fr conftest*
1451+fi
1452+
1453+
1454+fi
1455+
1456+echo "$ac_t""$ac_cv_broken_realpath" 1>&6
1457+ if test "$ac_cv_broken_realpath" = "yes"; then
1458+ cat >> confdefs.h <<\EOF
1459+#define PHP_BROKEN_REALPATH 1
1460+EOF
1461+
1462+ else
1463+ cat >> confdefs.h <<\EOF
1464+#define PHP_BROKEN_REALPATH 0
1465+EOF
1466+
1467+ fi
1468+
1469+
1470 echo $ac_n "checking for declared timezone""... $ac_c" 1>&6
1471 echo "configure:17395: checking for declared timezone" >&5
1472 if eval "test \"`echo '$''{'ac_cv_declared_timezone'+set}'`\" = set"; then
1473@@ -86878,6 +87097,265 @@
1474 fi
1475
1476
1477+echo $ac_n "checking whether to enable Hardened-PHP's variable filter""... $ac_c" 1>&6
1478+echo "configure:82041: checking whether to enable Hardened-PHP's variable filter" >&5
1479+# Check whether --enable-varfilter or --disable-varfilter was given.
1480+if test "${enable_varfilter+set}" = set; then
1481+ enableval="$enable_varfilter"
1482+ PHP_VARFILTER=$enableval
1483+else
1484+
1485+ PHP_VARFILTER=yes
1486+
1487+ if test "$PHP_ENABLE_ALL" && test "yes" = "yes"; then
1488+ PHP_VARFILTER=$PHP_ENABLE_ALL
1489+ fi
1490+
1491+fi
1492+
1493+
1494+
1495+ext_output="yes, shared"
1496+ext_shared=yes
1497+case $PHP_VARFILTER in
1498+shared,*)
1499+ PHP_VARFILTER=`echo "$PHP_VARFILTER"|sed 's/^shared,//'`
1500+ ;;
1501+shared)
1502+ PHP_VARFILTER=yes
1503+ ;;
1504+no)
1505+ ext_output=no
1506+ ext_shared=no
1507+ ;;
1508+*)
1509+ ext_output=yes
1510+ ext_shared=no
1511+ ;;
1512+esac
1513+
1514+
1515+
1516+echo "$ac_t""$ext_output" 1>&6
1517+
1518+
1519+
1520+
1521+if test "$PHP_VARFILTER" != "no"; then
1522+ cat >> confdefs.h <<\EOF
1523+#define HAVE_VARFILTER 1
1524+EOF
1525+
1526+
1527+ ext_builddir=ext/varfilter
1528+ ext_srcdir=$abs_srcdir/ext/varfilter
1529+
1530+ ac_extra=
1531+
1532+ if test "$ext_shared" != "shared" && test "$ext_shared" != "yes" && test "" != "cli"; then
1533+
1534+
1535+
1536+ case ext/varfilter in
1537+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
1538+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
1539+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
1540+ esac
1541+
1542+
1543+
1544+ b_c_pre=$php_c_pre
1545+ b_cxx_pre=$php_cxx_pre
1546+ b_c_meta=$php_c_meta
1547+ b_cxx_meta=$php_cxx_meta
1548+ b_c_post=$php_c_post
1549+ b_cxx_post=$php_cxx_post
1550+ b_lo=$php_lo
1551+
1552+
1553+ old_IFS=$IFS
1554+ for ac_src in varfilter.c; do
1555+
1556+ IFS=.
1557+ set $ac_src
1558+ ac_obj=$1
1559+ IFS=$old_IFS
1560+
1561+ PHP_GLOBAL_OBJS="$PHP_GLOBAL_OBJS $ac_bdir$ac_obj.lo"
1562+
1563+ case $ac_src in
1564+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
1565+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
1566+ esac
1567+
1568+ cat >>Makefile.objects<<EOF
1569+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
1570+ $ac_comp
1571+EOF
1572+ done
1573+
1574+
1575+ EXT_STATIC="$EXT_STATIC varfilter"
1576+ if test "$ext_shared" != "nocli"; then
1577+ EXT_CLI_STATIC="$EXT_CLI_STATIC varfilter"
1578+ fi
1579+ else
1580+ if test "$ext_shared" = "shared" || test "$ext_shared" = "yes"; then
1581+
1582+ case ext/varfilter in
1583+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
1584+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
1585+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
1586+ esac
1587+
1588+
1589+
1590+ b_c_pre=$shared_c_pre
1591+ b_cxx_pre=$shared_cxx_pre
1592+ b_c_meta=$shared_c_meta
1593+ b_cxx_meta=$shared_cxx_meta
1594+ b_c_post=$shared_c_post
1595+ b_cxx_post=$shared_cxx_post
1596+ b_lo=$shared_lo
1597+
1598+
1599+ old_IFS=$IFS
1600+ for ac_src in varfilter.c; do
1601+
1602+ IFS=.
1603+ set $ac_src
1604+ ac_obj=$1
1605+ IFS=$old_IFS
1606+
1607+ shared_objects_varfilter="$shared_objects_varfilter $ac_bdir$ac_obj.lo"
1608+
1609+ case $ac_src in
1610+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
1611+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
1612+ esac
1613+
1614+ cat >>Makefile.objects<<EOF
1615+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
1616+ $ac_comp
1617+EOF
1618+ done
1619+
1620+
1621+ install_modules="install-modules"
1622+ PHP_MODULES="$PHP_MODULES \$(phplibdir)/varfilter.la"
1623+
1624+ PHP_VAR_SUBST="$PHP_VAR_SUBST shared_objects_varfilter"
1625+
1626+ cat >>Makefile.objects<<EOF
1627+\$(phplibdir)/varfilter.la: $ext_builddir/varfilter.la
1628+ \$(LIBTOOL) --mode=install cp $ext_builddir/varfilter.la \$(phplibdir)
1629+
1630+$ext_builddir/varfilter.la: \$(shared_objects_varfilter) \$(VARFILTER_SHARED_DEPENDENCIES)
1631+ \$(LIBTOOL) --mode=link \$(CC) \$(COMMON_FLAGS) \$(CFLAGS_CLEAN) \$(EXTRA_CFLAGS) \$(LDFLAGS) -o \$@ -export-dynamic -avoid-version -prefer-pic -module -rpath \$(phplibdir) \$(EXTRA_LDFLAGS) \$(shared_objects_varfilter) \$(VARFILTER_SHARED_LIBADD)
1632+
1633+EOF
1634+
1635+ cat >> confdefs.h <<EOF
1636+#define COMPILE_DL_VARFILTER 1
1637+EOF
1638+
1639+ fi
1640+ fi
1641+
1642+ if test "$ext_shared" != "shared" && test "$ext_shared" != "yes" && test "" = "cli"; then
1643+ if test "$PHP_SAPI" = "cgi"; then
1644+
1645+
1646+ case ext/varfilter in
1647+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
1648+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
1649+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
1650+ esac
1651+
1652+
1653+
1654+ b_c_pre=$php_c_pre
1655+ b_cxx_pre=$php_cxx_pre
1656+ b_c_meta=$php_c_meta
1657+ b_cxx_meta=$php_cxx_meta
1658+ b_c_post=$php_c_post
1659+ b_cxx_post=$php_cxx_post
1660+ b_lo=$php_lo
1661+
1662+
1663+ old_IFS=$IFS
1664+ for ac_src in varfilter.c; do
1665+
1666+ IFS=.
1667+ set $ac_src
1668+ ac_obj=$1
1669+ IFS=$old_IFS
1670+
1671+ PHP_GLOBAL_OBJS="$PHP_GLOBAL_OBJS $ac_bdir$ac_obj.lo"
1672+
1673+ case $ac_src in
1674+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
1675+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
1676+ esac
1677+
1678+ cat >>Makefile.objects<<EOF
1679+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
1680+ $ac_comp
1681+EOF
1682+ done
1683+
1684+
1685+ EXT_STATIC="$EXT_STATIC varfilter"
1686+ else
1687+
1688+
1689+ case ext/varfilter in
1690+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
1691+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
1692+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
1693+ esac
1694+
1695+
1696+
1697+ b_c_pre=$php_c_pre
1698+ b_cxx_pre=$php_cxx_pre
1699+ b_c_meta=$php_c_meta
1700+ b_cxx_meta=$php_cxx_meta
1701+ b_c_post=$php_c_post
1702+ b_cxx_post=$php_cxx_post
1703+ b_lo=$php_lo
1704+
1705+
1706+ old_IFS=$IFS
1707+ for ac_src in varfilter.c; do
1708+
1709+ IFS=.
1710+ set $ac_src
1711+ ac_obj=$1
1712+ IFS=$old_IFS
1713+
1714+ PHP_CLI_OBJS="$PHP_CLI_OBJS $ac_bdir$ac_obj.lo"
1715+
1716+ case $ac_src in
1717+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
1718+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
1719+ esac
1720+
1721+ cat >>Makefile.objects<<EOF
1722+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
1723+ $ac_comp
1724+EOF
1725+ done
1726+
1727+
1728+ fi
1729+ EXT_CLI_STATIC="$EXT_CLI_STATIC varfilter"
1730+ fi
1731+
1732+ BUILD_DIR="$BUILD_DIR $ext_builddir"
1733+
1734+
1735+fi
1736
1737
1738 echo $ac_n "checking whether to enable WDDX support""... $ac_c" 1>&6
1739@@ -97351,7 +97829,7 @@
1740 php_ini.c SAPI.c rfc1867.c php_content_types.c strlcpy.c \
1741 strlcat.c mergesort.c reentrancy.c php_variables.c php_ticks.c \
1742 network.c php_open_temporary_file.c php_logos.c \
1743- output.c ; do
1744+ output.c hardened_php.c ; do
1745
1746 IFS=.
1747 set $ac_src
1748@@ -97579,7 +98057,7 @@
1749 zend_variables.c zend.c zend_API.c zend_extensions.c zend_hash.c \
1750 zend_list.c zend_indent.c zend_builtin_functions.c zend_sprintf.c \
1751 zend_ini.c zend_qsort.c zend_multibyte.c zend_ts_hash.c zend_stream.c \
1752- zend_iterators.c zend_interfaces.c zend_exceptions.c zend_strtod.c; do
1753+ zend_iterators.c zend_interfaces.c zend_exceptions.c zend_strtod.c zend_canary.c; do
1754
1755 IFS=.
1756 set $ac_src
1757diff -Nur php-5.0.4/configure.in hardened-php-5.0.4-0.2.7/configure.in
1758--- php-5.0.4/configure.in 2005-03-30 23:43:12.000000000 +0200
1759+++ hardened-php-5.0.4-0.2.7/configure.in 2005-04-07 02:04:39.000000000 +0200
1760@@ -235,7 +235,7 @@
1761 sinclude(Zend/acinclude.m4)
1762 sinclude(Zend/Zend.m4)
1763 sinclude(TSRM/tsrm.m4)
1764-
1765+sinclude(main/hardened_php.m4)
1766
1767
1768 divert(2)
1769@@ -620,6 +620,7 @@
1770 AC_FUNC_ALLOCA
1771 dnl PHP_AC_BROKEN_SPRINTF
1772 dnl PHP_AC_BROKEN_SNPRINTF
1773+PHP_AC_BROKEN_REALPATH
1774 PHP_DECLARED_TIMEZONE
1775 PHP_TIME_R_TYPE
1776 PHP_READDIR_R_TYPE
1777@@ -1262,7 +1263,7 @@
1778 php_ini.c SAPI.c rfc1867.c php_content_types.c strlcpy.c \
1779 strlcat.c mergesort.c reentrancy.c php_variables.c php_ticks.c \
1780 network.c php_open_temporary_file.c php_logos.c \
1781- output.c )
1782+ output.c hardened_php.c )
1783
1784 PHP_ADD_SOURCES(main/streams, streams.c cast.c memory.c filter.c \
1785 plain_wrapper.c userspace.c transports.c xp_socket.c mmap.c)
1786@@ -1280,7 +1281,7 @@
1787 zend_variables.c zend.c zend_API.c zend_extensions.c zend_hash.c \
1788 zend_list.c zend_indent.c zend_builtin_functions.c zend_sprintf.c \
1789 zend_ini.c zend_qsort.c zend_multibyte.c zend_ts_hash.c zend_stream.c \
1790- zend_iterators.c zend_interfaces.c zend_exceptions.c zend_strtod.c)
1791+ zend_iterators.c zend_interfaces.c zend_exceptions.c zend_strtod.c zend_canary.c )
1792
1793 if test -r "$abs_srcdir/Zend/zend_objects.c"; then
1794 PHP_ADD_SOURCES(Zend, zend_objects.c zend_object_handlers.c zend_objects_API.c zend_mm.c \
1795diff -Nur php-5.0.4/ext/standard/array.c hardened-php-5.0.4-0.2.7/ext/standard/array.c
1796--- php-5.0.4/ext/standard/array.c 2005-03-12 11:12:49.000000000 +0100
1797+++ hardened-php-5.0.4-0.2.7/ext/standard/array.c 2005-04-07 02:04:39.000000000 +0200
1798@@ -1255,6 +1255,31 @@
1799 }
1800 }
1801 }
1802+
1803+ if (var_name[0] == 'H') {
1804+ if ((strcmp(var_name, "HTTP_GET_VARS")==0)||
1805+ (strcmp(var_name, "HTTP_POST_VARS")==0)||
1806+ (strcmp(var_name, "HTTP_POST_FILES")==0)||
1807+ (strcmp(var_name, "HTTP_ENV_VARS")==0)||
1808+ (strcmp(var_name, "HTTP_SERVER_VARS")==0)||
1809+ (strcmp(var_name, "HTTP_SESSION_VARS")==0)||
1810+ (strcmp(var_name, "HTTP_COOKIE_VARS")==0)) {
1811+ return 0;
1812+ }
1813+ } else if (var_name[0] == '_') {
1814+ if ((strcmp(var_name, "_COOKIE")==0)||
1815+ (strcmp(var_name, "_ENV")==0)||
1816+ (strcmp(var_name, "_FILES")==0)||
1817+ (strcmp(var_name, "_GET")==0)||
1818+ (strcmp(var_name, "_POST")==0)||
1819+ (strcmp(var_name, "_REQUEST")==0)||
1820+ (strcmp(var_name, "_SESSION")==0)||
1821+ (strcmp(var_name, "_SERVER")==0)) {
1822+ return 0;
1823+ }
1824+ } else if (strcmp(var_name, "GLOBALS")==0) {
1825+ return 0;
1826+ }
1827
1828 return 1;
1829 }
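Review bot: The added denylist hard-codes the superglobal names a second time (the same strcmp chain appears in the basic_functions.c change in this patch), so the two copies will drift the first time a name is added or a new superglobal appears; one shared predicate in main/hardened_php.c, which this patch adds to the build, would keep both call sites rejecting the same set. Being a denylist it covers only what is enumerated — `this` is absent, and whether that matters depends on which callers rely on this validator; its name and start are outside the hunk, so I cannot confirm from here that it gates extract(). At minimum a comment above `if (var_name[0] == 'H') {` should state the intent: `/* refuse to (re)define superglobals and $GLOBALS; keep in sync with the prefixed-import filter in basic_functions.c */`.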
1830diff -Nur php-5.0.4/ext/standard/basic_functions.c hardened-php-5.0.4-0.2.7/ext/standard/basic_functions.c
1831--- php-5.0.4/ext/standard/basic_functions.c 2005-03-10 13:10:57.000000000 +0100
1832+++ hardened-php-5.0.4-0.2.7/ext/standard/basic_functions.c 2005-04-07 02:04:39.000000000 +0200
1833@@ -617,7 +617,7 @@
1834 PHP_FALIAS(socket_get_status, stream_get_meta_data, NULL)
1835
1836 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
1837- PHP_FE(realpath, NULL)
1838+ PHP_STATIC_FE("realpath", zif_real_path, NULL)
1839 #endif
1840
1841 #ifdef HAVE_FNMATCH
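Review bot: The switch from `PHP_FE(realpath, NULL)` to `PHP_STATIC_FE("realpath", zif_real_path, NULL)` is unexplained in the hunk; it appears to be needed because this patch turns `realpath` into a macro for php_realpath in TSRM.h, which would otherwise be expanded inside PHP_FE and register the userland function under the wrong name and symbol. A one-line comment saves the next reader from re-deriving that: `/* realpath is a macro for php_realpath under HARDENED_PHP; register the userland function explicitly so the macro cannot rename it */`. The matching rename of the implementation to real_path is in file.c/file.h.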
1842@@ -3124,6 +3124,34 @@
1843 memcpy(new_key, prefix, prefix_len);
1844 memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
1845
1846+ if (new_key[0] == 'H') {
1847+ if ((strcmp(new_key, "HTTP_GET_VARS")==0)||
1848+ (strcmp(new_key, "HTTP_POST_VARS")==0)||
1849+ (strcmp(new_key, "HTTP_POST_FILES")==0)||
1850+ (strcmp(new_key, "HTTP_ENV_VARS")==0)||
1851+ (strcmp(new_key, "HTTP_SERVER_VARS")==0)||
1852+ (strcmp(new_key, "HTTP_SESSION_VARS")==0)||
1853+ (strcmp(new_key, "HTTP_COOKIE_VARS")==0)) {
1854+ efree(new_key);
1855+ return 0;
1856+ }
1857+ } else if (new_key[0] == '_') {
1858+ if ((strcmp(new_key, "_COOKIE")==0)||
1859+ (strcmp(new_key, "_ENV")==0)||
1860+ (strcmp(new_key, "_FILES")==0)||
1861+ (strcmp(new_key, "_GET")==0)||
1862+ (strcmp(new_key, "_POST")==0)||
1863+ (strcmp(new_key, "_REQUEST")==0)||
1864+ (strcmp(new_key, "_SESSION")==0)||
1865+ (strcmp(new_key, "_SERVER")==0)) {
1866+ efree(new_key);
1867+ return 0;
1868+ }
1869+ } else if (strcmp(new_key, "GLOBALS")==0) {
1870+ efree(new_key);
1871+ return 0;
1872+ }
1873+
1874 zend_hash_del(&EG(symbol_table), new_key, new_key_len);
1875 ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0);
1876
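Review bot: The strcmp chain on `new_key` assumes the buffer is NUL-terminated, which holds only if the `hash_key->nKeyLength` copied just above includes the terminator (the allocation is outside the hunk); either compare against `new_key_len` with strncmp or state the assumption in a comment so the check survives a change in key-length convention. The list itself duplicates the one added to ext/standard/array.c in this patch — factor it into a shared helper in main/hardened_php.c (added to the build here) so both call sites reject the same names. Because the check runs after the prefix is prepended, a prefix of `_` with a key of `GET` correctly lands on `_GET` and is rejected, which is worth a comment since it is the case a reader will wonder about. The enclosing function's signature is outside the hunk.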
1877diff -Nur php-5.0.4/ext/standard/file.c hardened-php-5.0.4-0.2.7/ext/standard/file.c
1878--- php-5.0.4/ext/standard/file.c 2005-03-27 17:53:30.000000000 +0200
1879+++ hardened-php-5.0.4-0.2.7/ext/standard/file.c 2005-04-07 02:04:39.000000000 +0200
1880@@ -2044,7 +2044,7 @@
1881 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
1882 /* {{{ proto string realpath(string path)
1883 Return the resolved path */
1884-PHP_FUNCTION(realpath)
1885+PHP_FUNCTION(real_path)
1886 {
1887 zval **path;
1888 char resolved_path_buff[MAXPATHLEN];
1889diff -Nur php-5.0.4/ext/standard/file.h hardened-php-5.0.4-0.2.7/ext/standard/file.h
1890--- php-5.0.4/ext/standard/file.h 2004-06-21 23:08:05.000000000 +0200
1891+++ hardened-php-5.0.4-0.2.7/ext/standard/file.h 2005-04-07 02:04:39.000000000 +0200
1892@@ -60,7 +60,7 @@
1893 PHP_FUNCTION(fd_set);
1894 PHP_FUNCTION(fd_isset);
1895 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
1896-PHP_FUNCTION(realpath);
1897+PHP_FUNCTION(real_path);
1898 PHP_FUNCTION(fnmatch);
1899 #endif
1900 PHP_NAMED_FUNCTION(php_if_ftruncate);
1901diff -Nur php-5.0.4/ext/standard/info.c hardened-php-5.0.4-0.2.7/ext/standard/info.c
1902--- php-5.0.4/ext/standard/info.c 2004-05-02 15:23:30.000000000 +0200
1903+++ hardened-php-5.0.4-0.2.7/ext/standard/info.c 2005-04-07 02:04:39.000000000 +0200
1904@@ -394,7 +394,7 @@
1905
1906 if (flag & PHP_INFO_GENERAL) {
1907 char *zend_version = get_zend_version();
1908- char temp_api[10];
1909+ char temp_api[11];
1910 char *logo_guid;
1911
1912 php_uname = php_get_uname('a');
1913@@ -415,11 +415,22 @@
1914 PUTS("\" alt=\"PHP Logo\" /></a>");
1915 }
1916
1917+#if HARDENED_PHP
1918+ if (!sapi_module.phpinfo_as_text) {
1919+ php_printf("<h1 class=\"p\">Hardened-PHP Version %s/%s</h1>\n", PHP_VERSION, HARDENED_PHP_VERSION);
1920+ } else {
1921+ char temp_ver[40];
1922+
1923+ snprintf(temp_ver, sizeof(temp_ver), "%s/%s", PHP_VERSION, HARDENED_PHP_VERSION);
1924+ php_info_print_table_row(2, "Hardened-PHP Version", temp_ver);
1925+ }
1926+#else
1927 if (!sapi_module.phpinfo_as_text) {
1928 php_printf("<h1 class=\"p\">PHP Version %s</h1>\n", PHP_VERSION);
1929 } else {
1930 php_info_print_table_row(2, "PHP Version", PHP_VERSION);
1931- }
1932+ }
1933+#endif
1934 php_info_print_box_end();
1935 php_info_print_table_start();
1936 php_info_print_table_row(2, "System", php_uname );
1937diff -Nur php-5.0.4/ext/varfilter/CREDITS hardened-php-5.0.4-0.2.7/ext/varfilter/CREDITS
1938--- php-5.0.4/ext/varfilter/CREDITS 1970-01-01 01:00:00.000000000 +0100
1939+++ hardened-php-5.0.4-0.2.7/ext/varfilter/CREDITS 2005-04-07 02:04:39.000000000 +0200
1940@@ -0,0 +1,2 @@
1941+varfilter
1942+Stefan Esser
1943\ No newline at end of file
1944diff -Nur php-5.0.4/ext/varfilter/config.m4 hardened-php-5.0.4-0.2.7/ext/varfilter/config.m4
1945--- php-5.0.4/ext/varfilter/config.m4 1970-01-01 01:00:00.000000000 +0100
1946+++ hardened-php-5.0.4-0.2.7/ext/varfilter/config.m4 2005-04-07 02:04:39.000000000 +0200
1947@@ -0,0 +1,11 @@
1948+dnl
1949+dnl $Id: config.m4,v 1.1 2004/11/14 13:27:16 ionic Exp $
1950+dnl
1951+
1952+PHP_ARG_ENABLE(varfilter, whether to enable Hardened-PHP's variable filter,
1953+[ --disable-varfilter Disable Hardened-PHP's variable filter], yes)
1954+
1955+if test "$PHP_VARFILTER" != "no"; then
1956+ AC_DEFINE(HAVE_VARFILTER, 1, [ ])
1957+ PHP_NEW_EXTENSION(varfilter, varfilter.c, $ext_shared)
1958+fi
1959diff -Nur php-5.0.4/ext/varfilter/php_varfilter.h hardened-php-5.0.4-0.2.7/ext/varfilter/php_varfilter.h
1960--- php-5.0.4/ext/varfilter/php_varfilter.h 1970-01-01 01:00:00.000000000 +0100
1961+++ hardened-php-5.0.4-0.2.7/ext/varfilter/php_varfilter.h 2005-04-07 02:04:39.000000000 +0200
1962@@ -0,0 +1,72 @@
1963+/*
1964+ +----------------------------------------------------------------------+
1965+ | PHP Version 4 |
1966+ +----------------------------------------------------------------------+
1967+ | Copyright (c) 1997-2003 The PHP Group |
1968+ +----------------------------------------------------------------------+
1969+ | This source file is subject to version 2.02 of the PHP license, |
1970+ | that is bundled with this package in the file LICENSE, and is |
1971+ | available at through the world-wide-web at |
1972+ | http://www.php.net/license/2_02.txt. |
1973+ | If you did not receive a copy of the PHP license and are unable to |
1974+ | obtain it through the world-wide-web, please send a note to |
1975+ | license@php.net so we can mail you a copy immediately. |
1976+ +----------------------------------------------------------------------+
1977+ | Author: Stefan Esser |
1978+ +----------------------------------------------------------------------+
1979+
1980+ $Id: php_varfilter.h,v 1.1 2004/11/14 13:27:16 ionic Exp $
1981+*/
1982+
1983+#ifndef PHP_VARFILTER_H
1984+#define PHP_VARFILTER_H
1985+
1986+extern zend_module_entry varfilter_module_entry;
1987+#define phpext_varfilter_ptr &varfilter_module_entry
1988+
1989+#ifdef PHP_WIN32
1990+#define PHP_VARFILTER_API __declspec(dllexport)
1991+#else
1992+#define PHP_VARFILTER_API
1993+#endif
1994+
1995+#ifdef ZTS
1996+#include "TSRM.h"
1997+#endif
1998+
1999+#include "SAPI.h"
2000+
2001+PHP_MINIT_FUNCTION(varfilter);
2002+PHP_MSHUTDOWN_FUNCTION(varfilter);
2003+PHP_RINIT_FUNCTION(varfilter);
2004+PHP_RSHUTDOWN_FUNCTION(varfilter);
2005+PHP_MINFO_FUNCTION(varfilter);
2006+
2007+
2008+ZEND_BEGIN_MODULE_GLOBALS(varfilter)
2009+ long max_request_variables;
2010+ long cur_request_variables;
2011+ long max_varname_length;
2012+ long max_value_length;
2013+ long max_array_depth;
2014+ZEND_END_MODULE_GLOBALS(varfilter)
2015+
2016+
2017+#ifdef ZTS
2018+#define VARFILTER_G(v) TSRMG(varfilter_globals_id, zend_varfilter_globals *, v)
2019+#else
2020+#define VARFILTER_G(v) (varfilter_globals.v)
2021+#endif
2022+
2023+SAPI_INPUT_FILTER_FUNC(varfilter_input_filter);
2024+
2025+#endif /* PHP_VARFILTER_H */
2026+
2027+
2028+/*
2029+ * Local variables:
2030+ * tab-width: 4
2031+ * c-basic-offset: 4
2032+ * indent-tabs-mode: t
2033+ * End:
2034+ */
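Review bot: The five module globals are undocumented: `cur_request_variables` looks like per-request state that must be reset in RINIT (declared here, defined outside this file), while the `max_*` fields read as limits presumably enforced by the `varfilter_input_filter` declared below, and nothing says what happens when one is exceeded (drop the variable or abort the request). Suggest one-line comments on each, e.g. `long max_request_variables; /* limit on input variables accepted per request, presumably INI-settable */` and `long cur_request_variables; /* per-request counter, reset at RINIT */`, adding the exceed behaviour once confirmed from varfilter.c. The license block still reads "PHP Version 4" and "1997-2003" in a PHP 5.0.4 patch.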
2035diff -Nur php-5.0.4/ext/varfilter/varfilter.c hardened-php-5.0.4-0.2.7/ext/varfilter/varfilter.c
2036--- php-5.0.4/ext/varfilter/varfilter.c 1970-01-01 01:00:00.000000000 +0100
2037+++ hardened-php-5.0.4-0.2.7/ext/varfilter/varfilter.c 2005-04-07 02:04:39.000000000 +0200
2038@@ -0,0 +1,196 @@
2039+/*
2040+ +----------------------------------------------------------------------+
2041+ | PHP Version 4 |
2042+ +----------------------------------------------------------------------+
2043+ | Copyright (c) 1997-2003 The PHP Group |
2044+ +----------------------------------------------------------------------+
2045+ | This source file is subject to version 2.02 of the PHP license, |
2046+ | that is bundled with this package in the file LICENSE, and is |
2047+ | available at through the world-wide-web at |
2048+ | http://www.php.net/license/2_02.txt. |
2049+ | If you did not receive a copy of the PHP license and are unable to |
2050+ | obtain it through the world-wide-web, please send a note to |
2051+ | license@php.net so we can mail you a copy immediately. |
2052+ +----------------------------------------------------------------------+
2053+ | Author: |
2054+ +----------------------------------------------------------------------+
2055+
2056+ $Id: varfilter.c,v 1.1 2004/11/14 13:27:16 ionic Exp $
2057+*/
2058+
2059+#ifdef HAVE_CONFIG_H
2060+#include "config.h"
2061+#endif
2062+
2063+#include "php.h"
2064+#include "php_ini.h"
2065+#include "ext/standard/info.h"
2066+#include "php_varfilter.h"
2067+#include "hardened_php.h"
2068+
2069+ZEND_DECLARE_MODULE_GLOBALS(varfilter)
2070+
2071+/* True global resources - no need for thread safety here */
2072+static int le_varfilter;
2073+
2074+/* {{{ varfilter_module_entry
2075+ */
2076+zend_module_entry varfilter_module_entry = {
2077+#if ZEND_MODULE_API_NO >= 20010901
2078+ STANDARD_MODULE_HEADER,
2079+#endif
2080+ "varfilter",
2081+ NULL,
2082+ PHP_MINIT(varfilter),
2083+ PHP_MSHUTDOWN(varfilter),
2084+ PHP_RINIT(varfilter), /* Replace with NULL if there's nothing to do at request start */
2085+ PHP_RSHUTDOWN(varfilter), /* Replace with NULL if there's nothing to do at request end */
2086+ PHP_MINFO(varfilter),
2087+#if ZEND_MODULE_API_NO >= 20010901
2088+ "0.2.0", /* Replace with version number for your extension */
2089+#endif
2090+ STANDARD_MODULE_PROPERTIES
2091+};
2092+/* }}} */
2093+
2094+#ifdef COMPILE_DL_VARFILTER
2095+ZEND_GET_MODULE(varfilter)
2096+#endif
2097+
2098+/* {{{ PHP_INI
2099+ */
2100+PHP_INI_BEGIN()
2101+ STD_PHP_INI_ENTRY("varfilter.max_request_variables", "200", PHP_INI_SYSTEM, OnUpdateLong, max_request_variables, zend_varfilter_globals, varfilter_globals)
2102+ STD_PHP_INI_ENTRY("varfilter.max_varname_length", "64", PHP_INI_SYSTEM, OnUpdateLong, max_varname_length, zend_varfilter_globals, varfilter_globals)
2103+ STD_PHP_INI_ENTRY("varfilter.max_value_length", "10000", PHP_INI_SYSTEM, OnUpdateLong, max_value_length, zend_varfilter_globals, varfilter_globals)
2104+ STD_PHP_INI_ENTRY("varfilter.max_array_depth", "100", PHP_INI_SYSTEM, OnUpdateLong, max_array_depth, zend_varfilter_globals, varfilter_globals)
2105+PHP_INI_END()
2106+/* }}} */
2107+
2108+/* {{{ php_varfilter_init_globals
2109+ */
2110+static void php_varfilter_init_globals(zend_varfilter_globals *varfilter_globals)
2111+{
2112+ varfilter_globals->max_request_variables = 200;
2113+ varfilter_globals->cur_request_variables = 0;
2114+ varfilter_globals->max_varname_length = 64;
2115+ varfilter_globals->max_value_length = 10000;
2116+ varfilter_globals->max_array_depth = 100;
2117+}
2118+/* }}} */
2119+
2120+/* {{{ PHP_MINIT_FUNCTION
2121+ */
2122+PHP_MINIT_FUNCTION(varfilter)
2123+{
2124+ ZEND_INIT_MODULE_GLOBALS(varfilter, php_varfilter_init_globals, NULL);
2125+ REGISTER_INI_ENTRIES();
2126+
2127+ sapi_register_input_filter(varfilter_input_filter);
2128+ return SUCCESS;
2129+}
2130+/* }}} */
2131+
2132+/* {{{ PHP_MSHUTDOWN_FUNCTION
2133+ */
2134+PHP_MSHUTDOWN_FUNCTION(varfilter)
2135+{
2136+ UNREGISTER_INI_ENTRIES();
2137+
2138+ return SUCCESS;
2139+}
2140+/* }}} */
2141+
2142+/* Remove if there's nothing to do at request start */
2143+/* {{{ PHP_RINIT_FUNCTION
2144+ */
2145+PHP_RINIT_FUNCTION(varfilter)
2146+{
2147+ VARFILTER_G(cur_request_variables) = 0;
2148+
2149+ return SUCCESS;
2150+}
2151+/* }}} */
2152+
2153+/* Remove if there's nothing to do at request end */
2154+/* {{{ PHP_RSHUTDOWN_FUNCTION
2155+ */
2156+PHP_RSHUTDOWN_FUNCTION(varfilter)
2157+{
2158+ return SUCCESS;
2159+}
2160+/* }}} */
2161+
2162+/* {{{ PHP_MINFO_FUNCTION
2163+ */
2164+PHP_MINFO_FUNCTION(varfilter)
2165+{
2166+ php_info_print_table_start();
2167+ php_info_print_table_header(2, "Hardened-PHP's variable filter support", "enabled");
2168+ php_info_print_table_end();
2169+
2170+ DISPLAY_INI_ENTRIES();
2171+}
2172+/* }}} */
2173+
2174+/* {{{ SAPI_INPUT_FILTER_FUNC
2175+ */
2176+SAPI_INPUT_FILTER_FUNC(varfilter_input_filter)
2177+{
2178+ char *index;
2179+ unsigned int var_len, depth = 0;
2180+
2181+ /* Drop this variable if the limit is reached */
2182+ if (VARFILTER_G(max_request_variables) == VARFILTER_G(cur_request_variables)) {
2183+ php_security_log("tried to register too many variables");
2184+ return 0;
2185+ }
2186+
2187+ /* Drop this variable if it exceeds the value length limit */
2188+ if (VARFILTER_G(max_value_length) < val_len) {
2189+ php_security_log("tried to register a variable with a too long value");
2190+ return 0;
2191+ }
2192+
2193+ /* Find length of variable name */
2194+ index = strchr(var, '[');
2195+ var_len = index ? index-var : strlen(var);
2196+
2197+ /* Drop this variable if it exceeds the varname length limit */
2198+ if (VARFILTER_G(max_varname_length) < var_len) {
2199+ php_security_log("tried to register a variable with a too long variable name");
2200+ return 0;
2201+ }
2202+
2203+ /* Find out array depth */
2204+ while (index) {
2205+ depth++;
2206+ index = strchr(index+1, '[');
2207+ }
2208+
2209+ /* Drop this variable if it exceeds the array depth limit */
2210+ if (VARFILTER_G(max_array_depth) < depth) {
2211+ php_security_log("tried to register a too deep array variable");
2212+ return 0;
2213+ }
2214+
2215+ /* Okay let PHP register this variable */
2216+ VARFILTER_G(cur_request_variables)++;
2217+
2218+ if (new_val_len) {
2219+ *new_val_len = val_len;
2220+ }
2221+
2222+ return 1;
2223+}
2224+/* }}} */
2225+
2226+
2227+/*
2228+ * Local variables:
2229+ * tab-width: 4
2230+ * c-basic-offset: 4
2231+ * End:
2232+ * vim600: noet sw=4 ts=4 fdm=marker
2233+ * vim<600: noet sw=4 ts=4
2234+ */
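Review bot: In varfilter_input_filter the request-variable limit is checked with `==` (`VARFILTER_G(max_request_variables) == VARFILTER_G(cur_request_variables)`), so a `varfilter.max_request_variables` of 0 or a negative value never matches and the limit silently disappears; `>=` keeps the check meaningful for any configured value. The three limit comparisons also pit a `long` against an `unsigned int` (`val_len`, `var_len`, `depth`), which on ILP32 builds converts a negative limit to a huge unsigned value; casting the limit or rejecting non-positive limits in the INI handler avoids that. `var_len` stops at the first `[`, so `max_varname_length` bounds only the base name while the key segments after it stay unbounded — worth documenting at the `/* Find length of variable name */` comment or extending to the whole name. The unused `static int le_varfilter` can be dropped.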
2235diff -Nur php-5.0.4/main/SAPI.c hardened-php-5.0.4-0.2.7/main/SAPI.c
2236--- php-5.0.4/main/SAPI.c 2005-02-22 15:46:15.000000000 +0100
2237+++ hardened-php-5.0.4-0.2.7/main/SAPI.c 2005-04-07 02:04:39.000000000 +0200
2238@@ -821,6 +821,12 @@
2239 zend_hash_del(&known_post_content_types, post_entry->content_type, post_entry->content_type_len+1);
2240 }
2241
2242+SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC))
2243+{
2244+ sapi_module.input_filter = input_filter;
2245+ return SUCCESS;
2246+}
2247+
2248
2249 SAPI_API int sapi_register_default_post_reader(void (*default_post_reader)(TSRMLS_D))
2250 {
2251@@ -835,11 +841,6 @@
2252 return SUCCESS;
2253 }
2254
2255-SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC))
2256-{
2257- sapi_module.input_filter = input_filter;
2258- return SUCCESS;
2259-}
2260
2261 SAPI_API int sapi_flush(TSRMLS_D)
2262 {
2263diff -Nur php-5.0.4/main/SAPI.h hardened-php-5.0.4-0.2.7/main/SAPI.h
2264--- php-5.0.4/main/SAPI.h 2004-01-08 18:33:04.000000000 +0100
2265+++ hardened-php-5.0.4-0.2.7/main/SAPI.h 2005-04-07 02:04:39.000000000 +0200
2266@@ -103,9 +103,14 @@
2267 char *current_user;
2268 int current_user_length;
2269
2270- /* this is necessary for CLI module */
2271- int argc;
2272- char **argv;
2273+ /* this is necessary for CLI module */
2274+ int argc;
2275+ char **argv;
2276+
2277+#if HARDENED_PHP
2278+ /* this is necessary for IP logging */
2279+ char ip_address[64];
2280+#endif
2281 } sapi_request_info;
2282
2283
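Review bot: Adding `char ip_address[64]` to `sapi_request_info` under `#if HARDENED_PHP` changes the layout of a struct that SAPI modules and extensions embed or dereference, so a module built against headers with a different `HARDENED_PHP` setting reads shifted fields without any compile-time hint; the member should at least be documented as an ABI change, e.g. `/* NOTE: changes sapi_request_info layout; rebuild all SAPI modules and extensions */`. Nothing in the visible part of the patch fills `ip_address`, and php_security_log in main/hardened_php.c fetches `REMOTE_ADDR` through sapi_getenv instead, so the "necessary for IP logging" comment may describe an intent rather than current use — either wire it up or drop the field. The re-indentation of the otherwise untouched `argc`/`argv` lines adds whitespace noise to the hunk.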
2284@@ -270,7 +275,11 @@
2285
2286 #define SAPI_DEFAULT_MIMETYPE "text/html"
2287 #define SAPI_DEFAULT_CHARSET ""
2288+#if HARDENED_PHP
2289+#define SAPI_PHP_VERSION_HEADER "X-Powered-By: Hardened-PHP/" PHP_VERSION
2290+#else
2291 #define SAPI_PHP_VERSION_HEADER "X-Powered-By: PHP/" PHP_VERSION
2292+#endif
2293
2294 #define SAPI_POST_READER_FUNC(post_reader) void post_reader(TSRMLS_D)
2295 #define SAPI_POST_HANDLER_FUNC(post_handler) void post_handler(char *content_type_dup, void *arg TSRMLS_DC)
2296diff -Nur php-5.0.4/main/fopen_wrappers.c hardened-php-5.0.4-0.2.7/main/fopen_wrappers.c
2297--- php-5.0.4/main/fopen_wrappers.c 2005-03-11 07:55:22.000000000 +0100
2298+++ hardened-php-5.0.4-0.2.7/main/fopen_wrappers.c 2005-04-07 02:05:49.000000000 +0200
2299@@ -163,6 +163,21 @@
2300 char *pathbuf;
2301 char *ptr;
2302 char *end;
2303+ char path_copy[MAXPATHLEN];
2304+ int path_len;
2305+
2306+ /* Special case path ends with a trailing slash */
2307+ path_len = strlen(path);
2308+ if (path_len >= MAXPATHLEN) {
2309+ errno = EPERM; /* we deny permission to open it */
2310+ return -1;
2311+ }
2312+ if (path_len > 0 && path[path_len-1] == PHP_DIR_SEPARATOR) {
2313+ memcpy(path_copy, path, path_len+1);
2314+ while (path_len > 0 && path_copy[path_len-1] == PHP_DIR_SEPARATOR) path_len--;
2315+ path_copy[path_len] = '\0';
2316+ path = (const char *)&path_copy;
2317+ }
2318
2319 pathbuf = estrdup(PG(open_basedir));
2320
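Review bot: The trailing-separator loop strips every separator, so a `path` of `/` (or `///`) becomes the empty string before the open_basedir comparison, which is no longer the object the caller asked about; keeping one separator for a root path, `while (path_len > 1 && path_copy[path_len-1] == PHP_DIR_SEPARATOR) path_len--;`, preserves it. `path = (const char *)&path_copy;` takes the address of the whole array rather than its first element — `path = path_copy;` says the same without the cast. `path_len` is an `int` holding a `strlen` result; `size_t` matches the `MAXPATHLEN` comparison and avoids a sign conversion. The enclosing function starts outside the hunk.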
2321diff -Nur php-5.0.4/main/hardened_globals.h hardened-php-5.0.4-0.2.7/main/hardened_globals.h
2322--- php-5.0.4/main/hardened_globals.h 1970-01-01 01:00:00.000000000 +0100
2323+++ hardened-php-5.0.4-0.2.7/main/hardened_globals.h 2005-04-07 02:04:39.000000000 +0200
2324@@ -0,0 +1,54 @@
2325+/*
2326+ +----------------------------------------------------------------------+
2327+ | Hardened-PHP |
2328+ +----------------------------------------------------------------------+
2329+ | Copyright (c) 2004 Stefan Esser |
2330+ +----------------------------------------------------------------------+
2331+ | This source file is subject to version 2.02 of the PHP license, |
2332+ | that is bundled with this package in the file LICENSE, and is |
2333+ | available at through the world-wide-web at |
2334+ | http://www.php.net/license/2_02.txt. |
2335+ | If you did not receive a copy of the PHP license and are unable to |
2336+ | obtain it through the world-wide-web, please send a note to |
2337+ | license@php.net so we can mail you a copy immediately. |
2338+ +----------------------------------------------------------------------+
2339+ | Author: Stefan Esser <sesser@php.net> |
2340+ +----------------------------------------------------------------------+
2341+ */
2342+
2343+#ifndef HARDENED_GLOBALS_H
2344+#define HARDENED_GLOBALS_H
2345+
2346+typedef struct _hardened_globals hardened_globals_struct;
2347+
2348+#ifdef ZTS
2349+# define HG(v) TSRMG(hardened_globals_id, hardened_globals_struct *, v)
2350+extern int hardened_globals_id;
2351+#else
2352+# define HG(v) (hardened_globals.v)
2353+extern struct _hardened_globals hardened_globals;
2354+#endif
2355+
2356+
2357+struct _hardened_globals {
2358+#if HARDENED_PHP_MM_PROTECT
2359+ unsigned int canary_1;
2360+ unsigned int canary_2;
2361+#endif
2362+#if HARDENED_PHP_LL_PROTECT
2363+ unsigned int canary_3;
2364+ unsigned int canary_4;
2365+ unsigned int ll_canary_inited;
2366+#endif
2367+ unsigned int dummy;
2368+};
2369+
2370+
2371+#endif /* HARDENED_GLOBALS_H */
2372+
2373+/*
2374+ * Local variables:
2375+ * tab-width: 4
2376+ * c-basic-offset: 4
2377+ * End:
2378+ */
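Review bot: The members of `struct _hardened_globals` and the `HG()` accessor carry no comments, and this header is what other files include, so a short comment per group would help: which protection owns `canary_1`/`canary_2` versus `canary_3`/`canary_4` (the `#if` blocks imply MM and LL respectively), what `ll_canary_inited` gates, and that `dummy` is presumably only there to keep the struct non-empty when every protection is compiled out — `/* placeholder so the struct is never empty */`. Where the canaries are seeded is not visible from this header; a pointer to the initialising code would save the reader a search.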
2379diff -Nur php-5.0.4/main/hardened_php.c hardened-php-5.0.4-0.2.7/main/hardened_php.c
2380--- php-5.0.4/main/hardened_php.c 1970-01-01 01:00:00.000000000 +0100
2381+++ hardened-php-5.0.4-0.2.7/main/hardened_php.c 2005-04-07 02:04:39.000000000 +0200
2382@@ -0,0 +1,205 @@
2383+/*
2384+ +----------------------------------------------------------------------+
2385+ | Hardened-PHP |
2386+ +----------------------------------------------------------------------+
2387+ | Copyright (c) 2004 Stefan Esser |
2388+ +----------------------------------------------------------------------+
2389+ | This source file is subject to version 2.02 of the PHP license, |
2390+ | that is bundled with this package in the file LICENSE, and is |
2391+ | available at through the world-wide-web at |
2392+ | http://www.php.net/license/2_02.txt. |
2393+ | If you did not receive a copy of the PHP license and are unable to |
2394+ | obtain it through the world-wide-web, please send a note to |
2395+ | license@php.net so we can mail you a copy immediately. |
2396+ +----------------------------------------------------------------------+
2397+ | Author: Stefan Esser <sesser@php.net> |
2398+ +----------------------------------------------------------------------+
2399+ */
2400+/* $Id: hardened_php.c,v 1.2 2004/11/21 09:38:52 ionic Exp $ */
2401+
2402+#include "php.h"
2403+
2404+#include <stdio.h>
2405+#include <stdlib.h>
2406+
2407+#if HAVE_UNISTD_H
2408+#include <unistd.h>
2409+#endif
2410+#include "SAPI.h"
2411+#include "php_globals.h"
2412+
2413+#if HARDENED_PHP
2414+
2415+#ifdef HAVE_SYS_SOCKET_H
2416+#include <sys/socket.h>
2417+#endif
2418+
2419+#if defined(PHP_WIN32) || defined(__riscos__) || defined(NETWARE)
2420+#undef AF_UNIX
2421+#endif
2422+
2423+#if defined(AF_UNIX)
2424+#include <sys/un.h>
2425+#endif
2426+
2427+#define SYSLOG_PATH "/dev/log"
2428+
2429+#include "snprintf.h"
2430+
2431+#ifdef ZTS
2432+#include "hardened_globals.h"
2433+int hardened_globals_id;
2434+#else
2435+struct _hardened_globals hardened_globals;
2436+#endif
2437+
2438+static void hardened_globals_ctor(hardened_globals_struct *hardened_globals TSRMLS_DC)
2439+{
2440+ memset(hardened_globals, 0, sizeof(*hardened_globals));
2441+}
2442+
2443+PHPAPI void hardened_startup()
2444+{
2445+#ifdef ZTS
2446+ ts_allocate_id(&hardened_globals_id, sizeof(hardened_globals_struct), (ts_allocate_ctor) hardened_globals_ctor, NULL);
2447+#else
2448+ hardened_globals_ctor(&hardened_globals TSRMLS_CC);
2449+#endif
2450+}
2451+
2452+PHPAPI void php_security_log(char *str)
2453+{
2454+#if defined(AF_UNIX)
2455+ int s, r;
2456+ struct sockaddr_un saun;
2457+ char buf[1024];
2458+ char *ip_address;
2459+ char *fname;
2460+ TSRMLS_FETCH();
2461+
2462+ ip_address = sapi_getenv("REMOTE_ADDR", 11 TSRMLS_CC);
2463+ if (ip_address == NULL) {
2464+ ip_address = "REMOTE_ADDR not set";
2465+ }
2466+
2467+ fname = sapi_getenv("SCRIPT_FILENAME", 15 TSRMLS_CC);
2468+
2469+ ap_php_snprintf(buf, 1024, "php security-alert: %s (attacker '%s', file '%s')\n", str, ip_address, fname);
2470+
2471+ s = socket(AF_UNIX, SOCK_DGRAM, 0);
2472+ if (s == -1) {
2473+ return;
2474+ }
2475+
2476+ memset(&saun, 0, sizeof(saun));
2477+ saun.sun_family = AF_UNIX;
2478+ strcpy(saun.sun_path, SYSLOG_PATH);
2479+ /*saun.sun_len = sizeof(saun);*/
2480+
2481+ r = connect(s, (struct sockaddr *)&saun, sizeof(saun));
2482+ if (r) {
2483+ close(s);
2484+ s = socket(AF_UNIX, SOCK_STREAM, 0);
2485+ if (s == -1) {
2486+ return;
2487+ }
2488+
2489+ memset(&saun, 0, sizeof(saun));
2490+ saun.sun_family = AF_UNIX;
2491+ strcpy(saun.sun_path, SYSLOG_PATH);
2492+ /*saun.sun_len = sizeof(saun);*/
2493+
2494+ r = connect(s, (struct sockaddr *)&saun, sizeof(saun));
2495+ if (r) {
2496+ close(s);
2497+ return;
2498+ }
2499+ }
2500+ send(s, buf, strlen(buf), 0);
2501+
2502+ close(s);
2503+#endif
2504+}
2505+#endif
2506+
2507+#if HARDENED_PHP_MM_PROTECT || HARDENED_PHP_LL_PROTECT || HARDENED_PHP_HASH_PROTECT
2508+
2509+/* will be replaced later with more compatible method */
2510+PHPAPI unsigned int php_canary()
2511+{
2512+ time_t t;
2513+ unsigned int canary;
2514+ int fd;
2515+
2516+ fd = open("/dev/urandom", 0);
2517+ if (fd != -1) {
2518+ int r = read(fd, &canary, sizeof(canary));
2519+ close(fd);
2520+ if (r == sizeof(canary)) {
2521+ return (canary);
2522+ }
2523+ }
2524+ /* not good but we never want to do this */
2525+ time(&t);
2526+ canary = *(unsigned int *)&t + getpid() << 16;
2527+ return (canary);
2528+}
2529+#endif
2530+
2531+#if HARDENED_PHP_INC_PROTECT
2532+
2533+PHPAPI int php_is_valid_include(zval *z)
2534+{
2535+ char *filename;
2536+ int len;
2537+ TSRMLS_FETCH();
2538+
2539+ /* must be of type string */
2540+ if (z->type != IS_STRING || z->value.str.val == NULL) {
2541+ return (0);
2542+ }
2543+
2544+ /* short cut */
2545+ filename = z->value.str.val;
2546+ len = z->value.str.len;
2547+
2548+ /* 1. must be shorter than MAXPATHLEN */
2549+ if (len > MAXPATHLEN) {
2550+ php_security_log("Include filename longer than MAXPATHLEN chars");
2551+ return (0);
2552+ }
2553+
2554+ /* 2. must not be cutted */
2555+ if (len != strlen(filename)) {
2556+ php_security_log("Include filename has a \\0 cut");
2557+ return (0);
2558+ }
2559+
2560+ /* 3. must not be a URL */
2561+ if (strstr(filename, "://")) {
2562+ php_security_log("Include filename is an URL");
2563+ return (0);
2564+ }
2565+
2566+ /* 4. must not be an uploaded file */
2567+ if (SG(rfc1867_uploaded_files)) {
2568+ if (zend_hash_exists(SG(rfc1867_uploaded_files), (char *) filename, len+1)) {
2569+ php_security_log("Include filename is an uploaded file");
2570+ return (0);
2571+ }
2572+ }
2573+
2574+ /* passed all tests */
2575+ return (1);
2576+}
2577+
2578+#endif
2579+
2580+/*
2581+ * Local variables:
2582+ * tab-width: 4
2583+ * c-basic-offset: 4
2584+ * End:
2585+ * vim600: sw=4 ts=4 fdm=marker
2586+ * vim<600: sw=4 ts=4
2587+ */
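Review bot: In php_canary the fallback `canary = *(unsigned int *)&t + getpid() << 16;` evaluates as `(t + getpid()) << 16` because `+` binds tighter than `<<`, so the low 16 bits of every fallback canary are zero, and the cast type-puns `time_t` through an `unsigned int *`; `canary = (unsigned int)t ^ ((unsigned int)getpid() << 16);` keeps all bits and avoids the aliasing. In php_security_log the two `sapi_getenv` results are never released; if sapi_getenv hands back an estrdup'd copy, as stock PHP 5 SAPI.c does, each alert leaks them for the rest of the request. If sapi_getenv also passes its value through `sapi_module.input_filter`, an alert raised from varfilter_input_filter's variable-count branch re-enters the same limit check and recurses without bound — worth verifying against main/SAPI.c before shipping. `fname` may be NULL and is passed straight to `%s`; substituting a fixed string as is done for `ip_address` keeps the log line well-defined.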
2588diff -Nur php-5.0.4/main/hardened_php.h hardened-php-5.0.4-0.2.7/main/hardened_php.h
2589--- php-5.0.4/main/hardened_php.h 1970-01-01 01:00:00.000000000 +0100
2590+++ hardened-php-5.0.4-0.2.7/main/hardened_php.h 2005-04-07 02:05:01.000000000 +0200
2591@@ -0,0 +1,45 @@
2592+/*
2593+ +----------------------------------------------------------------------+
2594+ | Hardened-PHP |
2595+ +----------------------------------------------------------------------+
2596+ | Copyright (c) 2004 Stefan Esser |
2597+ +----------------------------------------------------------------------+
2598+ | This source file is subject to version 2.02 of the PHP license, |
2599+ | that is bundled with this package in the file LICENSE, and is |
2600+ | available at through the world-wide-web at |
2601+ | http://www.php.net/license/2_02.txt. |
2602+ | If you did not receive a copy of the PHP license and are unable to |
2603+ | obtain it through the world-wide-web, please send a note to |
2604+ | license@php.net so we can mail you a copy immediately. |
2605+ +----------------------------------------------------------------------+
2606+ | Author: Stefan Esser <sesser@php.net> |
2607+ +----------------------------------------------------------------------+
2608+ */
2609+
2610+#ifndef HARDENED_PHP_H
2611+#define HARDENED_PHP_H
2612+
2613+#include "zend.h"
2614+
2615+#if HARDENED_PHP
2616+PHPAPI void php_security_log(char *str);
2617+PHPAPI void hardened_startup();
2618+#define HARDENED_PHP_VERSION "0.2.7"
2619+#endif
2620+
2621+#if HARDENED_PHP_MM_PROTECT || HARDENED_PHP_LL_PROTECT || HARDENED_PHP_HASH_PROTECT
2622+PHPAPI unsigned int php_canary();
2623+#endif
2624+
2625+#if HARDENED_PHP_INC_PROTECT
2626+PHPAPI int php_is_valid_include(zval *z);
2627+#endif
2628+
2629+#endif /* HARDENED_PHP_H */
2630+
2631+/*
2632+ * Local variables:
2633+ * tab-width: 4
2634+ * c-basic-offset: 4
2635+ * End:
2636+ */
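Review bot: `PHPAPI void hardened_startup();` and `PHPAPI unsigned int php_canary();` use empty parentheses, which in C declare a function without a prototype and disable argument checking; `hardened_startup(void)` and `php_canary(void)` match the definitions in main/hardened_php.c. `php_security_log(char *str)` only reads `str`, so `const char *str` lets callers pass string literals cleanly. The exported prototypes carry no comment; a one-liner each (that php_canary returns a random value for use as a canary, that php_is_valid_include returns 1 for an acceptable include path and 0 otherwise, and which log sink php_security_log writes to) would help SAPI and extension authors.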
2637diff -Nur php-5.0.4/main/hardened_php.m4 hardened-php-5.0.4-0.2.7/main/hardened_php.m4
2638--- php-5.0.4/main/hardened_php.m4 1970-01-01 01:00:00.000000000 +0100
2639+++ hardened-php-5.0.4-0.2.7/main/hardened_php.m4 2005-04-07 02:04:39.000000000 +0200
2640@@ -0,0 +1,95 @@
2641+dnl
2642+dnl $Id: hardened_php.m4,v 1.1 2004/11/14 13:24:24 ionic Exp $
2643+dnl
2644+dnl This file contains Hardened-PHP specific autoconf functions.
2645+dnl
2646+
2647+AC_ARG_ENABLE(hardened-php-mm-protect,
2648+[ --disable-hardened-php-mm-protect Disable the Memory Manager protection.],[
2649+ DO_HARDENED_PHP_MM_PROTECT=$enableval
2650+],[
2651+ DO_HARDENED_PHP_MM_PROTECT=yes
2652+])
2653+
2654+AC_ARG_ENABLE(hardened-php-ll-protect,
2655+[ --disable-hardened-php-ll-protect Disable the Linked List protection.],[
2656+ DO_HARDENED_PHP_LL_PROTECT=$enableval
2657+],[
2658+ DO_HARDENED_PHP_LL_PROTECT=yes
2659+])
2660+
2661+AC_ARG_ENABLE(hardened-php-inc-protect,
2662+[ --disable-hardened-php-inc-protect Disable include/require protection.],[
2663+ DO_HARDENED_PHP_INC_PROTECT=$enableval
2664+],[
2665+ DO_HARDENED_PHP_INC_PROTECT=yes
2666+])
2667+
2668+AC_ARG_ENABLE(hardened-php-fmt-protect,
2669+[ --disable-hardened-php-fmt-protect Disable format string protection.],[
2670+ DO_HARDENED_PHP_FMT_PROTECT=$enableval
2671+],[
2672+ DO_HARDENED_PHP_FMT_PROTECT=yes
2673+])
2674+
2675+AC_ARG_ENABLE(hardened-php-hash-protect,
2676+[ --disable-hardened-php-hash-protect Disable HashTable destructor protection.],[
2677+ DO_HARDENED_PHP_HASH_PROTECT=$enableval
2678+],[
2679+ DO_HARDENED_PHP_HASH_PROTECT=yes
2680+])
2681+
2682+AC_MSG_CHECKING(whether to protect the Zend Memory Manager)
2683+AC_MSG_RESULT($DO_HARDENED_PHP_MM_PROTECT)
2684+
2685+AC_MSG_CHECKING(whether to protect the Zend Linked Lists)
2686+AC_MSG_RESULT($DO_HARDENED_PHP_LL_PROTECT)
2687+
2688+AC_MSG_CHECKING(whether to protect include/require statements)
2689+AC_MSG_RESULT($DO_HARDENED_PHP_INC_PROTECT)
2690+
2691+AC_MSG_CHECKING(whether to protect PHP Format String functions)
2692+AC_MSG_RESULT($DO_HARDENED_PHP_FMT_PROTECT)
2693+
2694+AC_MSG_CHECKING(whether to protect the destructor of Zend HashTables)
2695+AC_MSG_RESULT($DO_HARDENED_PHP_HASH_PROTECT)
2696+
2697+
2698+AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
2699+
2700+
2701+if test "$DO_HARDENED_PHP_MM_PROTECT" = "yes"; then
2702+dnl AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
2703+ AC_DEFINE(HARDENED_PHP_MM_PROTECT, 1, [Memory Manager Protection])
2704+else
2705+ AC_DEFINE(HARDENED_PHP_MM_PROTECT, 0, [Memory Manager Protection])
2706+fi
2707+
2708+if test "$DO_HARDENED_PHP_LL_PROTECT" = "yes"; then
2709+dnl AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
2710+ AC_DEFINE(HARDENED_PHP_LL_PROTECT, 1, [Linked List Protection])
2711+else
2712+ AC_DEFINE(HARDENED_PHP_LL_PROTECT, 0, [Linked List Protection])
2713+fi
2714+
2715+if test "$DO_HARDENED_PHP_INC_PROTECT" = "yes"; then
2716+dnl AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
2717+ AC_DEFINE(HARDENED_PHP_INC_PROTECT, 1, [Include/Require Protection])
2718+else
2719+ AC_DEFINE(HARDENED_PHP_INC_PROTECT, 0, [Include/Require Protection])
2720+fi
2721+
2722+if test "$DO_HARDENED_PHP_FMT_PROTECT" = "yes"; then
2723+dnl AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
2724+ AC_DEFINE(HARDENED_PHP_FMT_PROTECT, 1, [Fmt String Protection])
2725+else
2726+ AC_DEFINE(HARDENED_PHP_FMT_PROTECT, 0, [Fmt String Protection])
2727+fi
2728+
2729+if test "$DO_HARDENED_PHP_HASH_PROTECT" = "yes"; then
2730+dnl AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])
2731+ AC_DEFINE(HARDENED_PHP_HASH_PROTECT, 1, [HashTable DTOR Protection])
2732+else
2733+ AC_DEFINE(HARDENED_PHP_HASH_PROTECT, 0, [HashTable DTOR Protection])
2734+fi
2735+
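Review bot: `AC_DEFINE(HARDENED_PHP, 1, [Hardened-PHP])` is emitted unconditionally and then repeated as a `dnl`-commented leftover inside each of the five `if` blocks; removing those five dead lines makes the single definition point obvious. Each protection is also defined in both branches (`1` and `0`), which is why autoheader emits every `#undef` twice in main/php_config.h.in; defining only in the yes-branch and testing with `#if` (where an undefined macro evaluates to 0) gives the same behaviour with one template entry each.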
2736diff -Nur php-5.0.4/main/main.c hardened-php-5.0.4-0.2.7/main/main.c
2737--- php-5.0.4/main/main.c 2005-03-24 02:11:35.000000000 +0100
2738+++ hardened-php-5.0.4-0.2.7/main/main.c 2005-04-07 02:04:39.000000000 +0200
2739@@ -92,6 +92,10 @@
2740
2741 #include "SAPI.h"
2742 #include "rfc1867.h"
2743+#if HARDENED_PHP
2744+#include "hardened_globals.h"
2745+#endif
2746+
2747 /* }}} */
2748
2749 #ifndef ZTS
2750@@ -116,10 +120,33 @@
2751 */
2752 static PHP_INI_MH(OnChangeMemoryLimit)
2753 {
2754+#if HARDENED_PHP
2755+ long orig_memory_limit;
2756+
2757+ if (entry->modified) {
2758+ orig_memory_limit = zend_atoi(entry->orig_value, entry->orig_value_length);
2759+ } else {
2760+ orig_memory_limit = 1<<30;
2761+ }
2762+ if (orig_memory_limit < 0 || orig_memory_limit > (1<<30)) {
2763+ orig_memory_limit = 1<<30;
2764+ }
2765+#endif
2766 if (new_value) {
2767 PG(memory_limit) = zend_atoi(new_value, new_value_length);
2768+#if HARDENED_PHP
2769+ if (PG(memory_limit) > orig_memory_limit) {
2770+ PG(memory_limit) = orig_memory_limit;
2771+ php_security_log("script tried to increase memory_limit above allowed value");
2772+ return FAILURE;
2773+ }
2774+#endif
2775 } else {
2776+#if HARDENED_PHP
2777+ PG(memory_limit) = orig_memory_limit;
2778+#else
2779 PG(memory_limit) = 1<<30; /* effectively, no limit */
2780+#endif
2781 }
2782 return zend_set_memory_limit(PG(memory_limit));
2783 }
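Review bot: When `entry->modified` is 0 the cap is hard-coded to `1<<30` instead of being taken from the entry's current value, so — assuming this handler runs before the engine records the change in `modified` — the first runtime `ini_set('memory_limit', …)` of a request may raise the limit up to 1 GB and only later calls are held to the original; using `entry->value`/`entry->value_length` as the cap in that branch closes the gap. The cap should probably be keyed on the `stage` argument (`ZEND_INI_STAGE_RUNTIME`) so php.ini and per-directory values remain free to set any limit. On the rejection path `PG(memory_limit)` is overwritten with `orig_memory_limit` but `zend_set_memory_limit` is skipped, so the allocator's limit and `PG(memory_limit)` can disagree until the next change. The handler's parameters (`new_value`, `stage`) come from the PHP_INI_MH macro outside the hunk.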
2784@@ -1313,6 +1340,10 @@
2785 tsrm_ls = ts_resource(0);
2786 #endif
2787
2788+#if HARDENED_PHP
2789+ hardened_startup();
2790+#endif
2791+
2792 module_shutdown = 0;
2793 module_startup = 1;
2794 sapi_initialize_empty_request(TSRMLS_C);
2795@@ -1326,6 +1357,12 @@
2796
2797 php_output_startup();
2798
2799+#if HARDENED_PHP_INC_PROTECT
2800+ zuf.is_valid_include = php_is_valid_include;
2801+#endif
2802+#if HARDENED_PHP
2803+ zuf.security_log_function = php_security_log;
2804+#endif
2805 zuf.error_function = php_error_cb;
2806 zuf.printf_function = php_printf;
2807 zuf.write_function = php_body_write_wrapper;
2808@@ -1429,6 +1466,10 @@
2809 REGISTER_MAIN_STRINGL_CONSTANT("PHP_CONFIG_FILE_PATH", PHP_CONFIG_FILE_PATH, sizeof(PHP_CONFIG_FILE_PATH)-1, CONST_PERSISTENT | CONST_CS);
2810 REGISTER_MAIN_STRINGL_CONSTANT("PHP_CONFIG_FILE_SCAN_DIR", PHP_CONFIG_FILE_SCAN_DIR, sizeof(PHP_CONFIG_FILE_SCAN_DIR)-1, CONST_PERSISTENT | CONST_CS);
2811 REGISTER_MAIN_STRINGL_CONSTANT("PHP_SHLIB_SUFFIX", PHP_SHLIB_SUFFIX, sizeof(PHP_SHLIB_SUFFIX)-1, CONST_PERSISTENT | CONST_CS);
2812+#if HARDENED_PHP
2813+ REGISTER_MAIN_LONG_CONSTANT("HARDENED_PHP", 1, CONST_PERSISTENT | CONST_CS);
2814+ REGISTER_MAIN_STRINGL_CONSTANT("HARDENED_PHP_VERSION", HARDENED_PHP_VERSION, sizeof(HARDENED_PHP_VERSION)-1, CONST_PERSISTENT | CONST_CS);
2815+#endif
2816 REGISTER_MAIN_STRINGL_CONSTANT("PHP_EOL", PHP_EOL, sizeof(PHP_EOL)-1, CONST_PERSISTENT | CONST_CS);
2817 php_output_register_constants(TSRMLS_C);
2818 php_rfc1867_register_constants(TSRMLS_C);
2819diff -Nur php-5.0.4/main/php.h hardened-php-5.0.4-0.2.7/main/php.h
2820--- php-5.0.4/main/php.h 2005-03-14 10:41:39.000000000 +0100
2821+++ hardened-php-5.0.4-0.2.7/main/php.h 2005-04-07 02:04:39.000000000 +0200
2822@@ -35,11 +35,19 @@
2823 #include "zend_qsort.h"
2824 #include "php_compat.h"
2825
2826+
2827 #include "zend_API.h"
2828
2829 #undef sprintf
2830 #define sprintf php_sprintf
2831
2832+#if HARDENED_PHP
2833+#if HAVE_REALPATH
2834+#undef realpath
2835+#define realpath php_realpath
2836+#endif
2837+#endif
2838+
2839 /* PHP's DEBUG value must match Zend's ZEND_DEBUG value */
2840 #undef PHP_DEBUG
2841 #define PHP_DEBUG ZEND_DEBUG
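Review bot: `#define realpath php_realpath` in php.h rebinds a libc function for every extension that includes this header, and the patch appears to install the same redirection in TSRM/TSRM.h, so it now lives in two places that can drift; one definition with a comment explaining why is enough. Any caller using the glibc allocation form `realpath(path, NULL)` or a buffer smaller than `PATH_MAX` now reaches php_realpath with a contract it may not meet — if php_realpath requires a caller-supplied `PATH_MAX` buffer, say so next to the macro, e.g. `/* realpath() is replaced by php_realpath(); resolved must point to a PATH_MAX buffer */`. The guard is `#if HAVE_REALPATH`, so on platforms without a system realpath the replacement is never installed; if php_realpath is meant to be the implementation everywhere, the guard should be dropped or inverted.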
2842@@ -341,6 +349,7 @@
2843 #define PHP_FUNCTION ZEND_FUNCTION
2844 #define PHP_METHOD ZEND_METHOD
2845
2846+#define PHP_STATIC_FE ZEND_STATIC_FE
2847 #define PHP_NAMED_FE ZEND_NAMED_FE
2848 #define PHP_FE ZEND_FE
2849 #define PHP_FALIAS ZEND_FALIAS
2850@@ -446,6 +455,10 @@
2851 #endif
2852 #endif /* !XtOffsetOf */
2853
2854+#if HARDENED_PHP
2855+#include "hardened_php.h"
2856+#endif
2857+
2858 #endif
2859
2860 /*
2861diff -Nur php-5.0.4/main/php_config.h.in hardened-php-5.0.4-0.2.7/main/php_config.h.in
2862--- php-5.0.4/main/php_config.h.in 2005-04-03 11:42:53.000000000 +0200
2863+++ hardened-php-5.0.4-0.2.7/main/php_config.h.in 2005-04-07 02:04:39.000000000 +0200
2864@@ -746,6 +746,39 @@
2865 /* hardcode for each of the cross compiler host */
2866 #undef PHP_UNAME
2867
2868+/* Hardened-PHP */
2869+#undef HARDENED_PHP
2870+
2871+/* Memory Manager Protection */
2872+#undef HARDENED_PHP_MM_PROTECT
2873+
2874+/* Memory Manager Protection */
2875+#undef HARDENED_PHP_MM_PROTECT
2876+
2877+/* Linked List Protection */
2878+#undef HARDENED_PHP_LL_PROTECT
2879+
2880+/* Linked List Protection */
2881+#undef HARDENED_PHP_LL_PROTECT
2882+
2883+/* Include/Require Protection */
2884+#undef HARDENED_PHP_INC_PROTECT
2885+
2886+/* Include/Require Protection */
2887+#undef HARDENED_PHP_INC_PROTECT
2888+
2889+/* Fmt String Protection */
2890+#undef HARDENED_PHP_FMT_PROTECT
2891+
2892+/* Fmt String Protection */
2893+#undef HARDENED_PHP_FMT_PROTECT
2894+
2895+/* HashTable DTOR Protection */
2896+#undef HARDENED_PHP_HASH_PROTECT
2897+
2898+/* HashTable DTOR Protection */
2899+#undef HARDENED_PHP_HASH_PROTECT
2900+
2901 /* Whether you have AOLserver */
2902 #undef HAVE_AOLSERVER
2903
2904@@ -1077,6 +1110,12 @@
2905 /* Define if you have the getaddrinfo function */
2906 #undef HAVE_GETADDRINFO
2907
2908+/* Whether realpath is broken */
2909+#undef PHP_BROKEN_REALPATH
2910+
2911+/* Whether realpath is broken */
2912+#undef PHP_BROKEN_REALPATH
2913+
2914 /* Whether system headers declare timezone */
2915 #undef HAVE_DECLARED_TIMEZONE
2916
2917diff -Nur php-5.0.4/main/snprintf.c hardened-php-5.0.4-0.2.7/main/snprintf.c
2918--- php-5.0.4/main/snprintf.c 2004-11-16 00:14:40.000000000 +0100
2919+++ hardened-php-5.0.4-0.2.7/main/snprintf.c 2005-04-07 02:04:39.000000000 +0200
2920@@ -1013,7 +1013,11 @@
2921
2922
2923 case 'n':
2924+#if HARDENED_PHP_FMT_PROTECT
2925+ php_security_log("'n' specifier within format string");
2926+#else
2927 *(va_arg(ap, int *)) = cc;
2928+#endif
2929 break;
2930
2931 /*
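Review bot: With HARDENED_PHP_FMT_PROTECT the `'n'` case logs and breaks but no longer consumes the `int *` argument from `ap`, so for a legitimate caller every conversion after `%n` reads the wrong vararg (the pointer is picked up as the next `%d`/`%s`), which is undefined behaviour of a different kind; consuming and discarding the argument, `(void) va_arg(ap, int *);`, keeps the argument list aligned while still never writing through it. The same applies to the mirrored hunk in main/spprintf.c. Whether the formatter should stop after a rejected `%n` rather than continue is a policy choice worth a comment at the case label; the enclosing conversion loop runs outside the hunk.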
2932diff -Nur php-5.0.4/main/spprintf.c hardened-php-5.0.4-0.2.7/main/spprintf.c
2933--- php-5.0.4/main/spprintf.c 2004-04-16 01:04:49.000000000 +0200
2934+++ hardened-php-5.0.4-0.2.7/main/spprintf.c 2005-04-07 02:04:39.000000000 +0200
2935@@ -630,7 +630,11 @@
2936
2937
2938 case 'n':
2939+#if HARDENED_PHP_FMT_PROTECT
2940+ php_security_log("'n' specifier within format string");
2941+#else
2942 *(va_arg(ap, int *)) = xbuf->len;
2943+#endif
2944 break;
2945
2946 /*
2947diff -Nur php-5.0.4/php.ini-dist hardened-php-5.0.4-0.2.7/php.ini-dist
2948--- php-5.0.4/php.ini-dist 2005-03-01 01:25:09.000000000 +0100
2949+++ hardened-php-5.0.4-0.2.7/php.ini-dist 2005-04-07 02:04:39.000000000 +0200
2950@@ -1187,6 +1187,23 @@
2951 ; instead of original one.
2952 soap.wsdl_cache_ttl=86400
2953
2954+[varfilter]
2955+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
2956+; Hardened-PHP's variable filter
2957+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
2958+
2959+; Maximum number of input variables per request
2960+varfilter.max_request_variables = 200
2961+
2962+; Maximum characters in input variable names
2963+varfilter.max_varname_length = 64
2964+
2965+; Maximum length of input variable values
2966+varfilter.max_value_length = 10000
2967+
2968+; Maximum depth of input variable arrays
2969+varfilter.max_array_depth = 100
2970+
2971 ; Local Variables:
2972 ; tab-width: 4
2973 ; End:
2974diff -Nur php-5.0.4/php.ini-recommended hardened-php-5.0.4-0.2.7/php.ini-recommended
2975--- php-5.0.4/php.ini-recommended 2005-03-01 01:25:09.000000000 +0100
2976+++ hardened-php-5.0.4-0.2.7/php.ini-recommended 2005-04-07 02:04:39.000000000 +0200
2977@@ -1245,6 +1245,23 @@
2978 ; instead of original one.
2979 soap.wsdl_cache_ttl=86400
2980
2981+[varfilter]
2982+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
2983+; Hardened-PHP's variable filter
2984+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
2985+
2986+; Maximum number of input variables per request
2987+varfilter.max_request_variables = 200
2988+
2989+; Maximum characters in input variable names
2990+varfilter.max_varname_length = 64
2991+
2992+; Maximum length of input variable values
2993+varfilter.max_value_length = 10000
2994+
2995+; Maximum depth of input variable arrays
2996+varfilter.max_array_depth = 100
2997+
2998 ; Local Variables:
2999 ; tab-width: 4
3000 ; End:
3001diff -Nur php-5.0.4/sapi/apache/mod_php5.c hardened-php-5.0.4-0.2.7/sapi/apache/mod_php5.c
3002--- php-5.0.4/sapi/apache/mod_php5.c 2004-07-14 11:43:26.000000000 +0200
3003+++ hardened-php-5.0.4-0.2.7/sapi/apache/mod_php5.c 2005-04-07 02:04:39.000000000 +0200
3004@@ -447,7 +447,7 @@
3005 sapi_apache_get_fd,
3006 sapi_apache_force_http_10,
3007 sapi_apache_get_target_uid,
3008- sapi_apache_get_target_gid
3009+ sapi_apache_get_target_gid,
3010 };
3011 /* }}} */
3012
3013@@ -899,7 +899,11 @@
3014 {
3015 TSRMLS_FETCH();
3016 if (PG(expose_php)) {
3017+#if HARDENED_PHP
3018+ ap_add_version_component("Hardened-PHP/" PHP_VERSION);
3019+#else
3020 ap_add_version_component("PHP/" PHP_VERSION);
3021+#endif
3022 }
3023 }
3024 #endif
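Review bot: The Server-header component added under `#if HARDENED_PHP` reports only `PHP_VERSION`, whereas the cgi_main.c and php_cli.c hunks further down format the banner as `%s/%s` with `HARDENED_PHP_VERSION` as well, so the two ways this build identifies itself disagree; the apache2filter and apache2handler hunks have the same omission. If the patch revision is meant to be visible and `HARDENED_PHP_VERSION` is a string-literal macro (it is passed to `%s` in those hunks), the line becomes `ap_add_version_component("Hardened-PHP/" PHP_VERSION "/" HARDENED_PHP_VERSION);`; if it is not meant to be visible, the CLI/CGI banners are the ones to trim. Either way a short comment on the `#if` branch, e.g. `/* emitted only when expose_php is on; also discloses that the hardening patch is applied */`, would help operators judge the `expose_php` setting. The enclosing function starts and ends outside the hunk.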
3025diff -Nur php-5.0.4/sapi/apache2filter/sapi_apache2.c hardened-php-5.0.4-0.2.7/sapi/apache2filter/sapi_apache2.c
3026--- php-5.0.4/sapi/apache2filter/sapi_apache2.c 2005-01-07 07:28:24.000000000 +0100
3027+++ hardened-php-5.0.4-0.2.7/sapi/apache2filter/sapi_apache2.c 2005-04-07 02:04:39.000000000 +0200
3028@@ -572,7 +572,11 @@
3029 {
3030 TSRMLS_FETCH();
3031 if (PG(expose_php)) {
3032+#if HARDENED_PHP
3033+ ap_add_version_component(p, "Hardened-PHP/" PHP_VERSION);
3034+#else
3035 ap_add_version_component(p, "PHP/" PHP_VERSION);
3036+#endif
3037 }
3038 }
3039
3040diff -Nur php-5.0.4/sapi/apache2handler/sapi_apache2.c hardened-php-5.0.4-0.2.7/sapi/apache2handler/sapi_apache2.c
3041--- php-5.0.4/sapi/apache2handler/sapi_apache2.c 2005-03-10 12:23:57.000000000 +0100
3042+++ hardened-php-5.0.4-0.2.7/sapi/apache2handler/sapi_apache2.c 2005-04-07 02:04:39.000000000 +0200
3043@@ -340,7 +340,11 @@
3044 {
3045 TSRMLS_FETCH();
3046 if (PG(expose_php)) {
3047+#if HARDENED_PHP
3048+ ap_add_version_component(p, "Hardened-PHP/" PHP_VERSION);
3049+#else
3050 ap_add_version_component(p, "PHP/" PHP_VERSION);
3051+#endif
3052 }
3053 }
3054
3055diff -Nur php-5.0.4/sapi/cgi/cgi_main.c hardened-php-5.0.4-0.2.7/sapi/cgi/cgi_main.c
3056--- php-5.0.4/sapi/cgi/cgi_main.c 2005-02-11 03:06:48.000000000 +0100
3057+++ hardened-php-5.0.4-0.2.7/sapi/cgi/cgi_main.c 2005-04-07 02:04:39.000000000 +0200
3058@@ -1414,11 +1414,19 @@
3059 SG(headers_sent) = 1;
3060 SG(request_info).no_headers = 1;
3061 }
3062+#if HARDENED_PHP
3063+#if ZEND_DEBUG
3064+ php_printf("Hardened-PHP %s/%s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENED_PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
3065+#else
3066+ php_printf("Hardened-PHP %s/%s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENED_PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
3067+#endif
3068+#else
3069 #if ZEND_DEBUG
3070 php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
3071 #else
3072 php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
3073 #endif
3074+#endif
3075 php_end_ob_buffers(1 TSRMLS_CC);
3076 exit(1);
3077 break;
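Review bot: The `-v` banner now exists as four near-identical `php_printf` calls selected by nested `#if HARDENED_PHP` / `#if ZEND_DEBUG`, differing only in the product prefix, the extra `HARDENED_PHP_VERSION` argument and the `(DEBUG)` suffix, and the php_cli.c hunk repeats the same quadrupling. Factoring the varying parts into macros defined once at file scope leaves one format string per SAPI and keeps the CLI and CGI banners identical by construction instead of by copy. The enclosing `switch` case starts and ends outside the hunk.
```c
/* … defined once at file scope, next to the other HARDENED_PHP conditionals … */
#if HARDENED_PHP
# define BANNER_PRODUCT      "Hardened-PHP %s/%s"
# define BANNER_VERSION_ARGS PHP_VERSION, HARDENED_PHP_VERSION
#else
# define BANNER_PRODUCT      "PHP %s"
# define BANNER_VERSION_ARGS PHP_VERSION
#endif
#if ZEND_DEBUG
# define BANNER_DEBUG " (DEBUG)"
#else
# define BANNER_DEBUG ""
#endif

/* … unchanged: headers_sent / no_headers setup … */
			php_printf(BANNER_PRODUCT " (%s) (built: %s %s)" BANNER_DEBUG "\nCopyright (c) 1997-2004 The PHP Group\n%s",
			           BANNER_VERSION_ARGS, sapi_module.name, __DATE__, __TIME__, get_zend_version());
/* … unchanged: php_end_ob_buffers / exit … */
```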
3078diff -Nur php-5.0.4/sapi/cli/php_cli.c hardened-php-5.0.4-0.2.7/sapi/cli/php_cli.c
3079--- php-5.0.4/sapi/cli/php_cli.c 2005-03-22 16:09:20.000000000 +0100
3080+++ hardened-php-5.0.4-0.2.7/sapi/cli/php_cli.c 2005-04-07 02:04:39.000000000 +0200
3081@@ -694,11 +694,19 @@
3082 if (php_request_startup(TSRMLS_C)==FAILURE) {
3083 goto err;
3084 }
3085+#if HARDENED_PHP
3086+#if ZEND_DEBUG
3087+ php_printf("Hardened-PHP %s/%s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENED_PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
3088+#else
3089+ php_printf("Hardened-PHP %s/%s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENED_PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
3090+#endif
3091+#else
3092 #if ZEND_DEBUG
3093 php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
3094 #else
3095 php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
3096 #endif
3097+#endif
3098 php_end_ob_buffers(1 TSRMLS_CC);
3099 exit_status=1;
3100 goto out;