Diffstat (limited to '0.4.10/hardening-patch-4.4.2-0.4.10.patch')
-rw-r--r--0.4.10/hardening-patch-4.4.2-0.4.10.patch8393
1 files changed, 8393 insertions, 0 deletions
diff --git a/0.4.10/hardening-patch-4.4.2-0.4.10.patch b/0.4.10/hardening-patch-4.4.2-0.4.10.patch
new file mode 100644
index 0000000..ddeca58
--- /dev/null
+++ b/0.4.10/hardening-patch-4.4.2-0.4.10.patch
@@ -0,0 +1,8393 @@
1diff -Nura php-4.4.2/acinclude.m4 hardening-patch-4.4.2-0.4.10/acinclude.m4
2--- php-4.4.2/acinclude.m4 2005-12-19 23:29:11.000000000 +0100
3+++ hardening-patch-4.4.2-0.4.10/acinclude.m4 2006-05-11 10:36:02.000000000 +0200
4@@ -1186,6 +1186,36 @@
5 fi
6 ])
7
8+dnl
9+dnl Check for broken realpath()
10+dnl
11+dnl realpath("/etc/hosts/../passwd",XXX) should not return
12+dnl "/etc/passwd"
13+dnl
14+AC_DEFUN([PHP_AC_BROKEN_REALPATH],[
15+ AC_CACHE_CHECK(whether realpath is broken, ac_cv_broken_realpath,[
16+ AC_TRY_RUN([
17+main() {
18+ char buf[4096+1];
19+ buf[0] = 0;
20+ realpath("/etc/hosts/../passwd", buf);
21+ exit(strcmp(buf, "/etc/passwd")==0);
22+}
23+ ],[
24+ ac_cv_broken_realpath=no
25+ ],[
26+ ac_cv_broken_realpath=yes
27+ ],[
28+ ac_cv_broken_realpath=no
29+ ])
30+ ])
31+ if test "$ac_cv_broken_realpath" = "yes"; then
32+ AC_DEFINE(PHP_BROKEN_REALPATH, 1, [Whether realpath is broken])
33+ else
34+ AC_DEFINE(PHP_BROKEN_REALPATH, 0, [Whether realpath is broken])
35+ fi
36+])
37+
38 dnl PHP_SHARED_MODULE(module-name, object-var, build-dir, cxx)
39 dnl
40 dnl Basically sets up the link-stage for building module-name
41diff -Nura php-4.4.2/Changelog.hphp hardening-patch-4.4.2-0.4.10/Changelog.hphp
42--- php-4.4.2/Changelog.hphp 1970-01-01 01:00:00.000000000 +0100
43+++ hardening-patch-4.4.2-0.4.10/Changelog.hphp 2006-05-11 10:42:30.000000000 +0200
44@@ -0,0 +1,11 @@
45+Changelog of the Hardening-Patch
46+--------------------------------
47+
48+0.4.10 - 11. May 2006
49+
50+ PHP4:
51+ [+] info.c: backport from 5.1.4 contained TSRMLS macro that had to be removed
52+
53+ PHP4+5:
54+ [+] fopen_wrappers.c: fix for a trailing slash problem with open_basedir
55+
56diff -Nura php-4.4.2/configure hardening-patch-4.4.2-0.4.10/configure
57--- php-4.4.2/configure 2006-01-12 19:24:23.000000000 +0100
58+++ hardening-patch-4.4.2-0.4.10/configure 2006-05-11 10:36:02.000000000 +0200
59@@ -402,6 +402,16 @@
60 ac_default_prefix=/usr/local
61 # Any additions from configure.in:
62 ac_help="$ac_help
63+ --disable-hardening-patch-mm-protect Disable the Memory Manager protection."
64+ac_help="$ac_help
65+ --disable-hardening-patch-ll-protect Disable the Linked List protection."
66+ac_help="$ac_help
67+ --disable-hardening-patch-inc-protect Disable include/require protection."
68+ac_help="$ac_help
69+ --disable-hardening-patch-fmt-protect Disable format string protection."
70+ac_help="$ac_help
71+ --disable-hardening-patch-hash-protect Disable Zend HashTable DTOR protection."
72+ac_help="$ac_help
73
74 SAPI modules:
75 "
76@@ -854,6 +864,8 @@
77 ac_help="$ac_help
78 --disable-tokenizer Disable tokenizer support"
79 ac_help="$ac_help
80+ --disable-varfilter Disable Hardening-Patch's variable filter"
81+ac_help="$ac_help
82 --enable-wddx Enable WDDX support."
83 ac_help="$ac_help
84 --disable-xml Disable XML support using bundled expat lib"
85@@ -2942,6 +2954,157 @@
86
87
88
89+# Check whether --enable-hardening-patch-mm-protect or --disable-hardening-patch-mm-protect was given.
90+if test "${enable_hardening_patch_mm_protect+set}" = set; then
91+ enableval="$enable_hardening_patch_mm_protect"
92+
93+ DO_HARDENING_PATCH_MM_PROTECT=$enableval
94+
95+else
96+
97+ DO_HARDENING_PATCH_MM_PROTECT=yes
98+
99+fi
100+
101+
102+# Check whether --enable-hardening-patch-ll-protect or --disable-hardening-patch-ll-protect was given.
103+if test "${enable_hardening_patch_ll_protect+set}" = set; then
104+ enableval="$enable_hardening_patch_ll_protect"
105+
106+ DO_HARDENING_PATCH_LL_PROTECT=$enableval
107+
108+else
109+
110+ DO_HARDENING_PATCH_LL_PROTECT=yes
111+
112+fi
113+
114+
115+# Check whether --enable-hardening-patch-inc-protect or --disable-hardening-patch-inc-protect was given.
116+if test "${enable_hardening_patch_inc_protect+set}" = set; then
117+ enableval="$enable_hardening_patch_inc_protect"
118+
119+ DO_HARDENING_PATCH_INC_PROTECT=$enableval
120+
121+else
122+
123+ DO_HARDENING_PATCH_INC_PROTECT=yes
124+
125+fi
126+
127+
128+# Check whether --enable-hardening-patch-fmt-protect or --disable-hardening-patch-fmt-protect was given.
129+if test "${enable_hardening_patch_fmt_protect+set}" = set; then
130+ enableval="$enable_hardening_patch_fmt_protect"
131+
132+ DO_HARDENING_PATCH_FMT_PROTECT=$enableval
133+
134+else
135+
136+ DO_HARDENING_PATCH_FMT_PROTECT=yes
137+
138+fi
139+
140+
141+# Check whether --enable-hardening-patch-hash-protect or --disable-hardening-patch-hash-protect was given.
142+if test "${enable_hardening_patch_hash_protect+set}" = set; then
143+ enableval="$enable_hardening_patch_hash_protect"
144+
145+ DO_HARDENING_PATCH_HASH_PROTECT=$enableval
146+
147+else
148+
149+ DO_HARDENING_PATCH_HASH_PROTECT=yes
150+
151+fi
152+
153+
154+echo $ac_n "checking whether to protect the Zend Memory Manager""... $ac_c" 1>&6
155+echo "configure:2725: checking whether to protect the Zend Memory Manager" >&5
156+echo "$ac_t""$DO_HARDENING_PATCH_MM_PROTECT" 1>&6
157+
158+echo $ac_n "checking whether to protect the Zend Linked Lists""... $ac_c" 1>&6
159+echo "configure:2729: checking whether to protect the Zend Linked Lists" >&5
160+echo "$ac_t""$DO_HARDENING_PATCH_LL_PROTECT" 1>&6
161+
162+echo $ac_n "checking whether to protect include/require statements""... $ac_c" 1>&6
163+echo "configure:2733: checking whether to protect include/require statements" >&5
164+echo "$ac_t""$DO_HARDENING_PATCH_INC_PROTECT" 1>&6
165+
166+echo $ac_n "checking whether to protect PHP Format String functions""... $ac_c" 1>&6
167+echo "configure:2737: checking whether to protect PHP Format String functions" >&5
168+echo "$ac_t""$DO_HARDENING_PATCH_FMT_PROTECT" 1>&6
169+
170+echo $ac_n "checking whether to protect the Zend HashTable Destructors""... $ac_c" 1>&6
171+echo "configure:2737: checking whether to protect the Zend HashTable Destructors" >&5
172+echo "$ac_t""$DO_HARDENING_PATCH_HASH_PROTECT" 1>&6
173+
174+
175+cat >> confdefs.h <<\EOF
176+#define HARDENING_PATCH 1
177+EOF
178+
179+
180+
181+if test "$DO_HARDENING_PATCH_MM_PROTECT" = "yes"; then
182+ cat >> confdefs.h <<\EOF
183+#define HARDENING_PATCH_MM_PROTECT 1
184+EOF
185+
186+else
187+ cat >> confdefs.h <<\EOF
188+#define HARDENING_PATCH_MM_PROTECT 0
189+EOF
190+
191+fi
192+
193+if test "$DO_HARDENING_PATCH_LL_PROTECT" = "yes"; then
194+ cat >> confdefs.h <<\EOF
195+#define HARDENING_PATCH_LL_PROTECT 1
196+EOF
197+
198+else
199+ cat >> confdefs.h <<\EOF
200+#define HARDENING_PATCH_LL_PROTECT 0
201+EOF
202+
203+fi
204+
205+if test "$DO_HARDENING_PATCH_INC_PROTECT" = "yes"; then
206+ cat >> confdefs.h <<\EOF
207+#define HARDENING_PATCH_INC_PROTECT 1
208+EOF
209+
210+else
211+ cat >> confdefs.h <<\EOF
212+#define HARDENING_PATCH_INC_PROTECT 0
213+EOF
214+
215+fi
216+
217+if test "$DO_HARDENING_PATCH_FMT_PROTECT" = "yes"; then
218+ cat >> confdefs.h <<\EOF
219+#define HARDENING_PATCH_FMT_PROTECT 1
220+EOF
221+
222+else
223+ cat >> confdefs.h <<\EOF
224+#define HARDENING_PATCH_FMT_PROTECT 0
225+EOF
226+
227+fi
228+
229+if test "$DO_HARDENING_PATCH_HASH_PROTECT" = "yes"; then
230+ cat >> confdefs.h <<\EOF
231+#define HARDENING_PATCH_HASH_PROTECT 1
232+EOF
233+
234+else
235+ cat >> confdefs.h <<\EOF
236+#define HARDENING_PATCH_HASH_PROTECT 0
237+EOF
238+
239+fi
240
241
242
243@@ -16017,6 +16180,62 @@
244 fi
245
246
247+ echo $ac_n "checking whether realpath is broken""... $ac_c" 1>&6
248+echo "configure:14928: checking whether realpath is broken" >&5
249+if eval "test \"`echo '$''{'ac_cv_broken_realpath'+set}'`\" = set"; then
250+ echo $ac_n "(cached) $ac_c" 1>&6
251+else
252+
253+ if test "$cross_compiling" = yes; then
254+
255+ ac_cv_broken_realpath=no
256+
257+else
258+ cat > conftest.$ac_ext <<EOF
259+#line 14939 "configure"
260+#include "confdefs.h"
261+
262+main() {
263+ char buf[4096+1];
264+ buf[0] = 0;
265+ realpath("/etc/hosts/../passwd", buf);
266+ exit(strcmp(buf, "/etc/passwd")==0);
267+}
268+
269+EOF
270+if { (eval echo configure:14958: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
271+then
272+
273+ ac_cv_broken_realpath=no
274+
275+else
276+ echo "configure: failed program was:" >&5
277+ cat conftest.$ac_ext >&5
278+ rm -fr conftest*
279+
280+ ac_cv_broken_realpath=yes
281+
282+fi
283+rm -fr conftest*
284+fi
285+
286+
287+fi
288+
289+echo "$ac_t""$ac_cv_broken_realpath" 1>&6
290+ if test "$ac_cv_broken_realpath" = "yes"; then
291+ cat >> confdefs.h <<\EOF
292+#define PHP_BROKEN_REALPATH 1
293+EOF
294+
295+ else
296+ cat >> confdefs.h <<\EOF
297+#define PHP_BROKEN_REALPATH 0
298+EOF
299+
300+ fi
301+
302+
303 echo $ac_n "checking for declared timezone""... $ac_c" 1>&6
304 echo "configure:16022: checking for declared timezone" >&5
305 if eval "test \"`echo '$''{'ac_cv_declared_timezone'+set}'`\" = set"; then
306@@ -86718,7 +86937,7 @@
307 if test "$ac_cv_crypt_blowfish" = "yes"; then
308 ac_result=1
309 else
310- ac_result=0
311+ ac_result=1
312 fi
313 cat >> confdefs.h <<EOF
314 #define PHP_BLOWFISH_CRYPT $ac_result
315@@ -87420,7 +87639,7 @@
316 url_scanner.c var.c versioning.c assert.c strnatcmp.c levenshtein.c \
317 incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
318 http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
319- var_unserializer.c ftok.c aggregation.c sha1.c ; do
320+ var_unserializer.c ftok.c aggregation.c sha1.c sha256.c crypt_blowfish.c ; do
321
322 IFS=.
323 set $ac_src
324@@ -87475,7 +87694,7 @@
325 url_scanner.c var.c versioning.c assert.c strnatcmp.c levenshtein.c \
326 incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
327 http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
328- var_unserializer.c ftok.c aggregation.c sha1.c ; do
329+ var_unserializer.c ftok.c aggregation.c sha1.c sha256.c crypt_blowfish.c ; do
330
331 IFS=.
332 set $ac_src
333@@ -87601,7 +87820,7 @@
334 url_scanner.c var.c versioning.c assert.c strnatcmp.c levenshtein.c \
335 incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
336 http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
337- var_unserializer.c ftok.c aggregation.c sha1.c ; do
338+ var_unserializer.c ftok.c aggregation.c sha1.c sha256.c crypt_blowfish.c ; do
339
340 IFS=.
341 set $ac_src
342@@ -87653,7 +87872,7 @@
343 url_scanner.c var.c versioning.c assert.c strnatcmp.c levenshtein.c \
344 incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
345 http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
346- var_unserializer.c ftok.c aggregation.c sha1.c ; do
347+ var_unserializer.c ftok.c aggregation.c sha1.c sha256.c crypt_blowfish.c ; do
348
349 IFS=.
350 set $ac_src
351@@ -91124,6 +91343,265 @@
352 fi
353
354
355+echo $ac_n "checking whether to enable Hardening-Patch's variable filter""... $ac_c" 1>&6
356+echo "configure:82041: checking whether to enable Hardening-Patch's variable filter" >&5
357+# Check whether --enable-varfilter or --disable-varfilter was given.
358+if test "${enable_varfilter+set}" = set; then
359+ enableval="$enable_varfilter"
360+ PHP_VARFILTER=$enableval
361+else
362+
363+ PHP_VARFILTER=yes
364+
365+ if test "$PHP_ENABLE_ALL" && test "yes" = "yes"; then
366+ PHP_VARFILTER=$PHP_ENABLE_ALL
367+ fi
368+
369+fi
370+
371+
372+
373+ext_output="yes, shared"
374+ext_shared=yes
375+case $PHP_VARFILTER in
376+shared,*)
377+ PHP_VARFILTER=`echo "$PHP_VARFILTER"|sed 's/^shared,//'`
378+ ;;
379+shared)
380+ PHP_VARFILTER=yes
381+ ;;
382+no)
383+ ext_output=no
384+ ext_shared=no
385+ ;;
386+*)
387+ ext_output=yes
388+ ext_shared=no
389+ ;;
390+esac
391+
392+
393+
394+echo "$ac_t""$ext_output" 1>&6
395+
396+
397+
398+
399+if test "$PHP_VARFILTER" != "no"; then
400+ cat >> confdefs.h <<\EOF
401+#define HAVE_VARFILTER 1
402+EOF
403+
404+
405+ ext_builddir=ext/varfilter
406+ ext_srcdir=$abs_srcdir/ext/varfilter
407+
408+ ac_extra=
409+
410+ if test "$ext_shared" != "shared" && test "$ext_shared" != "yes" && test "" != "cli"; then
411+
412+
413+
414+ case ext/varfilter in
415+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
416+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
417+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
418+ esac
419+
420+
421+
422+ b_c_pre=$php_c_pre
423+ b_cxx_pre=$php_cxx_pre
424+ b_c_meta=$php_c_meta
425+ b_cxx_meta=$php_cxx_meta
426+ b_c_post=$php_c_post
427+ b_cxx_post=$php_cxx_post
428+ b_lo=$php_lo
429+
430+
431+ old_IFS=$IFS
432+ for ac_src in varfilter.c; do
433+
434+ IFS=.
435+ set $ac_src
436+ ac_obj=$1
437+ IFS=$old_IFS
438+
439+ PHP_GLOBAL_OBJS="$PHP_GLOBAL_OBJS $ac_bdir$ac_obj.lo"
440+
441+ case $ac_src in
442+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
443+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
444+ esac
445+
446+ cat >>Makefile.objects<<EOF
447+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
448+ $ac_comp
449+EOF
450+ done
451+
452+
453+ EXT_STATIC="$EXT_STATIC varfilter"
454+ if test "$ext_shared" != "nocli"; then
455+ EXT_CLI_STATIC="$EXT_CLI_STATIC varfilter"
456+ fi
457+ else
458+ if test "$ext_shared" = "shared" || test "$ext_shared" = "yes"; then
459+
460+ case ext/varfilter in
461+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
462+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
463+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
464+ esac
465+
466+
467+
468+ b_c_pre=$shared_c_pre
469+ b_cxx_pre=$shared_cxx_pre
470+ b_c_meta=$shared_c_meta
471+ b_cxx_meta=$shared_cxx_meta
472+ b_c_post=$shared_c_post
473+ b_cxx_post=$shared_cxx_post
474+ b_lo=$shared_lo
475+
476+
477+ old_IFS=$IFS
478+ for ac_src in varfilter.c; do
479+
480+ IFS=.
481+ set $ac_src
482+ ac_obj=$1
483+ IFS=$old_IFS
484+
485+ shared_objects_varfilter="$shared_objects_varfilter $ac_bdir$ac_obj.lo"
486+
487+ case $ac_src in
488+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
489+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
490+ esac
491+
492+ cat >>Makefile.objects<<EOF
493+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
494+ $ac_comp
495+EOF
496+ done
497+
498+
499+ install_modules="install-modules"
500+ PHP_MODULES="$PHP_MODULES \$(phplibdir)/varfilter.la"
501+
502+ PHP_VAR_SUBST="$PHP_VAR_SUBST shared_objects_varfilter"
503+
504+ cat >>Makefile.objects<<EOF
505+\$(phplibdir)/varfilter.la: $ext_builddir/varfilter.la
506+ \$(LIBTOOL) --mode=install cp $ext_builddir/varfilter.la \$(phplibdir)
507+
508+$ext_builddir/varfilter.la: \$(shared_objects_varfilter) \$(VARFILTER_SHARED_DEPENDENCIES)
509+ \$(LIBTOOL) --mode=link \$(CC) \$(COMMON_FLAGS) \$(CFLAGS_CLEAN) \$(EXTRA_CFLAGS) \$(LDFLAGS) -o \$@ -export-dynamic -avoid-version -prefer-pic -module -rpath \$(phplibdir) \$(EXTRA_LDFLAGS) \$(shared_objects_varfilter) \$(VARFILTER_SHARED_LIBADD)
510+
511+EOF
512+
513+ cat >> confdefs.h <<EOF
514+#define COMPILE_DL_VARFILTER 1
515+EOF
516+
517+ fi
518+ fi
519+
520+ if test "$ext_shared" != "shared" && test "$ext_shared" != "yes" && test "" = "cli"; then
521+ if test "$PHP_SAPI" = "cgi"; then
522+
523+
524+ case ext/varfilter in
525+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
526+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
527+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
528+ esac
529+
530+
531+
532+ b_c_pre=$php_c_pre
533+ b_cxx_pre=$php_cxx_pre
534+ b_c_meta=$php_c_meta
535+ b_cxx_meta=$php_cxx_meta
536+ b_c_post=$php_c_post
537+ b_cxx_post=$php_cxx_post
538+ b_lo=$php_lo
539+
540+
541+ old_IFS=$IFS
542+ for ac_src in varfilter.c; do
543+
544+ IFS=.
545+ set $ac_src
546+ ac_obj=$1
547+ IFS=$old_IFS
548+
549+ PHP_GLOBAL_OBJS="$PHP_GLOBAL_OBJS $ac_bdir$ac_obj.lo"
550+
551+ case $ac_src in
552+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
553+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
554+ esac
555+
556+ cat >>Makefile.objects<<EOF
557+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
558+ $ac_comp
559+EOF
560+ done
561+
562+
563+ EXT_STATIC="$EXT_STATIC varfilter"
564+ else
565+
566+
567+ case ext/varfilter in
568+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
569+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
570+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
571+ esac
572+
573+
574+
575+ b_c_pre=$php_c_pre
576+ b_cxx_pre=$php_cxx_pre
577+ b_c_meta=$php_c_meta
578+ b_cxx_meta=$php_cxx_meta
579+ b_c_post=$php_c_post
580+ b_cxx_post=$php_cxx_post
581+ b_lo=$php_lo
582+
583+
584+ old_IFS=$IFS
585+ for ac_src in varfilter.c; do
586+
587+ IFS=.
588+ set $ac_src
589+ ac_obj=$1
590+ IFS=$old_IFS
591+
592+ PHP_CLI_OBJS="$PHP_CLI_OBJS $ac_bdir$ac_obj.lo"
593+
594+ case $ac_src in
595+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
596+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
597+ esac
598+
599+ cat >>Makefile.objects<<EOF
600+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
601+ $ac_comp
602+EOF
603+ done
604+
605+
606+ fi
607+ EXT_CLI_STATIC="$EXT_CLI_STATIC varfilter"
608+ fi
609+
610+ BUILD_DIR="$BUILD_DIR $ext_builddir"
611+
612+
613+fi
614
615
616 echo $ac_n "checking whether to enable WDDX support""... $ac_c" 1>&6
617@@ -104088,7 +104566,7 @@
618 php_ini.c SAPI.c rfc1867.c php_content_types.c strlcpy.c \
619 strlcat.c mergesort.c reentrancy.c php_variables.c php_ticks.c \
620 streams.c network.c php_open_temporary_file.c php_logos.c \
621- output.c memory_streams.c user_streams.c; do
622+ output.c memory_streams.c user_streams.c hardening_patch.c; do
623
624 IFS=.
625 set $ac_src
626@@ -104273,7 +104751,7 @@
627 zend_opcode.c zend_operators.c zend_ptr_stack.c zend_stack.c \
628 zend_variables.c zend.c zend_API.c zend_extensions.c zend_hash.c \
629 zend_list.c zend_indent.c zend_builtin_functions.c zend_sprintf.c \
630- zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c; do
631+ zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c zend_canary.c; do
632
633 IFS=.
634 set $ac_src
635diff -Nura php-4.4.2/configure.in hardening-patch-4.4.2-0.4.10/configure.in
636--- php-4.4.2/configure.in 2006-01-12 18:52:29.000000000 +0100
637+++ hardening-patch-4.4.2-0.4.10/configure.in 2006-05-11 10:36:02.000000000 +0200
638@@ -247,7 +247,7 @@
639 sinclude(Zend/acinclude.m4)
640 sinclude(Zend/Zend.m4)
641 sinclude(TSRM/tsrm.m4)
642-
643+sinclude(main/hardening_patch.m4)
644
645
646 divert(2)
647@@ -621,6 +621,7 @@
648 AC_FUNC_ALLOCA
649 dnl PHP_AC_BROKEN_SPRINTF
650 dnl PHP_AC_BROKEN_SNPRINTF
651+PHP_AC_BROKEN_REALPATH
652 PHP_DECLARED_TIMEZONE
653 PHP_TIME_R_TYPE
654 PHP_READDIR_R_TYPE
655@@ -1260,7 +1261,7 @@
656 php_ini.c SAPI.c rfc1867.c php_content_types.c strlcpy.c \
657 strlcat.c mergesort.c reentrancy.c php_variables.c php_ticks.c \
658 streams.c network.c php_open_temporary_file.c php_logos.c \
659- output.c memory_streams.c user_streams.c)
660+ output.c memory_streams.c user_streams.c hardening_patch.c)
661 PHP_ADD_SOURCES(/main, internal_functions.c,, sapi)
662 case $host_alias in
663 *netware*)
664@@ -1281,7 +1282,7 @@
665 zend_opcode.c zend_operators.c zend_ptr_stack.c zend_stack.c \
666 zend_variables.c zend.c zend_API.c zend_extensions.c zend_hash.c \
667 zend_list.c zend_indent.c zend_builtin_functions.c zend_sprintf.c \
668- zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c)
669+ zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c zend_canary.c )
670
671 if test -r "$abs_srcdir/Zend/zend_objects.c"; then
672 PHP_ADD_SOURCES(Zend, zend_objects.c zend_object_handlers.c zend_objects_API.c zend_mm.c)
673diff -Nura php-4.4.2/ext/curl/curl.c hardening-patch-4.4.2-0.4.10/ext/curl/curl.c
674--- php-4.4.2/ext/curl/curl.c 2006-01-05 19:03:18.000000000 +0100
675+++ hardening-patch-4.4.2-0.4.10/ext/curl/curl.c 2006-05-11 10:36:02.000000000 +0200
676@@ -111,7 +111,7 @@
677
678 #define PHP_CURL_CHECK_OPEN_BASEDIR(str, len) \
679 if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \
680- strncasecmp(str, "file://", sizeof("file://") - 1) == 0) \
681+ strncasecmp(str, "file:", sizeof("file:") - 1) == 0) \
682 { \
683 php_url *tmp_url; \
684 \
685diff -Nura php-4.4.2/ext/fbsql/php_fbsql.c hardening-patch-4.4.2-0.4.10/ext/fbsql/php_fbsql.c
686--- php-4.4.2/ext/fbsql/php_fbsql.c 2006-01-01 14:46:52.000000000 +0100
687+++ hardening-patch-4.4.2-0.4.10/ext/fbsql/php_fbsql.c 2006-05-11 10:36:02.000000000 +0200
688@@ -1797,8 +1797,24 @@
689 }
690 else if (fbcmdErrorsFound(md))
691 {
692+#if HARDENING_PATCH
693+ char* query_copy;
694+ int i;
695+#endif
696 FBCErrorMetaData* emd = fbcdcErrorMetaData(c, md);
697 char* emg = fbcemdAllErrorMessages(emd);
698+#if HARDENING_PATCH
699+ query_copy=estrdup(query_copy);
700+ for (i=0; query_copy[i]; i++) if (query_copy[i]<32) query_copy[i]='.';
701+ php_security_log(S_SQL, "fbsql error: %s - query: %s", emg, query_copy);
702+ efree(query_copy);
703+ if (HG(hphp_sql_bailout_on_error)) {
704+ free(emg);
705+ fbcemdRelease(emd);
706+ result = 0;
707+ zend_bailout();
708+ }
709+#endif
710 if (FB_SQL_G(generateWarnings))
711 {
712 if (emg)
713diff -Nura php-4.4.2/ext/mbstring/mbstring.c hardening-patch-4.4.2-0.4.10/ext/mbstring/mbstring.c
714--- php-4.4.2/ext/mbstring/mbstring.c 2006-01-01 14:46:54.000000000 +0100
715+++ hardening-patch-4.4.2-0.4.10/ext/mbstring/mbstring.c 2006-05-11 10:36:02.000000000 +0200
716@@ -1488,6 +1488,7 @@
717 char *strtok_buf = NULL, **val_list;
718 zval *array_ptr = (zval *) arg;
719 int n, num, val_len, *len_list;
720+ unsigned int new_val_len;
721 enum mbfl_no_encoding from_encoding;
722 mbfl_string string, resvar, resval;
723 mbfl_encoding_detector *identd = NULL;
724@@ -1610,8 +1611,14 @@
725 val_len = len_list[n];
726 }
727 n++;
728- /* add variable to symbol table */
729- php_register_variable_safe(var, val, val_len, array_ptr TSRMLS_CC);
730+ /* we need val to be emalloc()ed */
731+ val = estrndup(val, val_len);
732+ if (sapi_module.input_filter(info->data_type, var, &val, val_len, &new_val_len TSRMLS_CC)) {
733+ /* add variable to symbol table */
734+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
735+ }
736+ efree(val);
737+
738 if (convd != NULL){
739 mbfl_string_clear(&resvar);
740 mbfl_string_clear(&resval);
741diff -Nura php-4.4.2/ext/mysql/php_mysql.c hardening-patch-4.4.2-0.4.10/ext/mysql/php_mysql.c
742--- php-4.4.2/ext/mysql/php_mysql.c 2006-01-01 14:46:55.000000000 +0100
743+++ hardening-patch-4.4.2-0.4.10/ext/mysql/php_mysql.c 2006-05-11 10:36:02.000000000 +0200
744@@ -1218,6 +1218,8 @@
745 {
746 php_mysql_conn *mysql;
747 MYSQL_RES *mysql_result;
748+ char *copy_query;
749+ int i;
750
751 ZEND_FETCH_RESOURCE2(mysql, php_mysql_conn *, mysql_link, link_id, "MySQL-Link", le_link, le_plink);
752
753@@ -1268,6 +1270,13 @@
754 php_error_docref("http://www.mysql.com/doc" TSRMLS_CC, E_WARNING, "%s", mysql_error(&mysql->conn));
755 }
756 }
757+ copy_query = estrdup(Z_STRVAL_PP(query));
758+ for (i=0; copy_query[i]; i++) if (copy_query[i] < 32) copy_query[i]='.';
759+ php_security_log(S_SQL, "MySQL error: %s - query: %s", mysql_error(&mysql->conn), copy_query);
760+ efree(copy_query);
761+ if (HG(hphp_sql_bailout_on_error)) {
762+ zend_bailout();
763+ }
764 RETURN_FALSE;
765 }
766 #else
767@@ -1275,12 +1284,20 @@
768 /* check possible error */
769 if (MySG(trace_mode)){
770 if (mysql_errno(&mysql->conn)){
771- php_error_docref("http://www.mysql.com/doc" TSRMLS_CC, E_WARNING, mysql_error(&mysql->conn));
772+ php_error_docref("http://www.mysql.com/doc" TSRMLS_CC, E_WARNING, "%s", mysql_error(&mysql->conn));
773 }
774 }
775+ copy_query = estrdup(Z_STRVAL_PP(query));
776+ for (i=0; copy_query[i]; i++) if (copy_query[i] < 32) copy_query[i]='.';
777+ php_security_log(S_SQL, "MySQL error: %s - query: %s", mysql_error(&mysql->conn), copy_query);
778+ efree(copy_query);
779+ if (HG(hphp_sql_bailout_on_error)) {
780+ zend_bailout();
781+ }
782 RETURN_FALSE;
783 }
784 #endif
785+
786 if(use_store == MYSQL_USE_RESULT) {
787 mysql_result=mysql_use_result(&mysql->conn);
788 } else {
789diff -Nura php-4.4.2/ext/pgsql/pgsql.c hardening-patch-4.4.2-0.4.10/ext/pgsql/pgsql.c
790--- php-4.4.2/ext/pgsql/pgsql.c 2006-01-01 14:46:56.000000000 +0100
791+++ hardening-patch-4.4.2-0.4.10/ext/pgsql/pgsql.c 2006-05-11 10:36:02.000000000 +0200
792@@ -1001,10 +1001,28 @@
793 case PGRES_EMPTY_QUERY:
794 case PGRES_BAD_RESPONSE:
795 case PGRES_NONFATAL_ERROR:
796- case PGRES_FATAL_ERROR:
797- PHP_PQ_ERROR("Query failed: %s", pgsql);
798- PQclear(pgsql_result);
799- RETURN_FALSE;
800+ case PGRES_FATAL_ERROR:
801+ {
802+#if HARDENING_PATCH
803+ int i;
804+ char *query_copy;
805+#endif
806+ char *msgbuf = _php_pgsql_trim_message(PQerrorMessage(pgsql), NULL);
807+ PQclear(pgsql_result);
808+#if HARDENING_PATCH
809+ query_copy = estrdup(Z_STRVAL_PP(query));
810+ for (i=0; query_copy[i]; i++) if (query_copy[i]<32) query_copy[i]='.';
811+ php_security_log(S_SQL, "PgSQL error: %s - query: %s", msgbuf, query_copy);
812+ efree(query_copy);
813+ if (HG(hphp_sql_bailout_on_error)) {
814+ efree(msgbuf);
815+ zend_bailout();
816+ }
817+#endif
818+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Query failed: %s", msgbuf);
819+ efree(msgbuf);
820+ RETURN_FALSE;
821+ }
822 break;
823 case PGRES_COMMAND_OK: /* successful command that did not return rows */
824 default:
825diff -Nura php-4.4.2/ext/session/mod_files.c hardening-patch-4.4.2-0.4.10/ext/session/mod_files.c
826--- php-4.4.2/ext/session/mod_files.c 2006-01-01 14:46:56.000000000 +0100
827+++ hardening-patch-4.4.2-0.4.10/ext/session/mod_files.c 2006-05-11 10:36:02.000000000 +0200
828@@ -16,7 +16,7 @@
829 +----------------------------------------------------------------------+
830 */
831
832-/* $Id: mod_files.c,v 1.83.2.9.2.2 2006/01/01 13:46:56 sniper Exp $ */
833+/* $Id: mod_files.c,v 1.83.2.9.2.3 2006/04/17 23:29:37 iliaa Exp $ */
834
835 #include "php.h"
836
837@@ -364,10 +364,12 @@
838 if (!ps_files_path_create(buf, sizeof(buf), data, key))
839 return FAILURE;
840
841- ps_files_close(data);
842+ if (data->fd != -1) {
843+ ps_files_close(data);
844
845- if (VCWD_UNLINK(buf) == -1) {
846- return FAILURE;
847+ if (VCWD_UNLINK(buf) == -1) {
848+ return FAILURE;
849+ }
850 }
851
852 return SUCCESS;
853@@ -389,6 +391,34 @@
854 return SUCCESS;
855 }
856
857+PS_VALIDATE_SID_FUNC(files)
858+{
859+ char buf[MAXPATHLEN];
860+ int fd;
861+ PS_FILES_DATA;
862+
863+ if (!ps_files_valid_key(key)) {
864+ return FAILURE;
865+ }
866+
867+ if (!PS(use_strict_mode)) {
868+ return SUCCESS;
869+ }
870+
871+ if (!ps_files_path_create(buf, sizeof(buf), data, key)) {
872+ return FAILURE;
873+ }
874+
875+ fd = VCWD_OPEN_MODE(buf, O_RDWR | O_BINARY, 0600);
876+
877+ if (fd != -1) {
878+ close(fd);
879+ return SUCCESS;
880+ }
881+
882+ return FAILURE;
883+}
884+
885 /*
886 * Local variables:
887 * tab-width: 4
888diff -Nura php-4.4.2/ext/session/mod_mm.c hardening-patch-4.4.2-0.4.10/ext/session/mod_mm.c
889--- php-4.4.2/ext/session/mod_mm.c 2006-01-01 14:46:56.000000000 +0100
890+++ hardening-patch-4.4.2-0.4.10/ext/session/mod_mm.c 2006-05-11 10:36:02.000000000 +0200
891@@ -425,6 +425,42 @@
892 return SUCCESS;
893 }
894
895+PS_VALIDATE_SID_FUNC(mm)
896+{
897+ PS_MM_DATA;
898+ ps_sd *sd;
899+ const char *p;
900+ char c;
901+ int ret = SUCCESS;
902+
903+ for (p = key; (c = *p); p++) {
904+ /* valid characters are a..z,A..Z,0..9 */
905+ if (!((c >= 'a' && c <= 'z')
906+ || (c >= 'A' && c <= 'Z')
907+ || (c >= '0' && c <= '9')
908+ || c == ','
909+ || c == '-')) {
910+ return FAILURE;
911+ }
912+ }
913+
914+ if (!PS(use_strict_mode)) {
915+ return SUCCESS;
916+ }
917+
918+ mm_lock(data->mm, MM_LOCK_RD);
919+
920+ sd = ps_sd_lookup(data, key, 0);
921+ if (sd) {
922+ mm_unlock(data->mm);
923+ return SUCCESS;
924+ }
925+
926+ mm_unlock(data->mm);
927+
928+ return FAILURE;
929+}
930+
931 #endif
932
933 /*
934diff -Nura php-4.4.2/ext/session/mod_user.c hardening-patch-4.4.2-0.4.10/ext/session/mod_user.c
935--- php-4.4.2/ext/session/mod_user.c 2006-01-01 14:46:56.000000000 +0100
936+++ hardening-patch-4.4.2-0.4.10/ext/session/mod_user.c 2006-05-11 10:36:02.000000000 +0200
937@@ -23,7 +23,7 @@
938 #include "mod_user.h"
939
940 ps_module ps_mod_user = {
941- PS_MOD(user)
942+ PS_MOD_SID(user)
943 };
944
945 #define SESS_ZVAL_LONG(val, a) \
946@@ -174,6 +174,83 @@
947 FINISH;
948 }
949
950+PS_CREATE_SID_FUNC(user)
951+{
952+ int i;
953+ char *val = NULL;
954+ zval *retval;
955+ ps_user *mdata = PS_GET_MOD_DATA();
956+
957+ if (!mdata)
958+ return estrndup("", 0);
959+
960+ if (PSF(create) == NULL || ZVAL_IS_NULL(PSF(create))) {
961+ return php_session_create_id(mod_data, newlen TSRMLS_CC);
962+ }
963+ retval = ps_call_handler(PSF(create), 0, NULL TSRMLS_CC);
964+
965+ if (retval) {
966+ if (Z_TYPE_P(retval) == IS_STRING) {
967+ val = estrndup(Z_STRVAL_P(retval), Z_STRLEN_P(retval));
968+ } else {
969+ val = estrndup("", 0);
970+ }
971+ zval_ptr_dtor(&retval);
972+ } else {
973+ val = estrndup("", 0);
974+ }
975+
976+ return val;
977+}
978+
979+static int ps_user_valid_key(const char *key TSRMLS_DC)
980+{
981+ size_t len;
982+ const char *p;
983+ char c;
984+ int ret = SUCCESS;
985+
986+ for (p = key; (c = *p); p++) {
987+ /* valid characters are a..z,A..Z,0..9 */
988+ if (!((c >= 'a' && c <= 'z')
989+ || (c >= 'A' && c <= 'Z')
990+ || (c >= '0' && c <= '9')
991+ || c == ','
992+ || c == '-')) {
993+ ret = FAILURE;
994+ break;
995+ }
996+ }
997+
998+ len = p - key;
999+
1000+ if (len == 0)
1001+ ret = FAILURE;
1002+
1003+ return ret;
1004+}
1005+
1006+PS_VALIDATE_SID_FUNC(user)
1007+{
1008+ zval *args[1];
1009+ STDVARS;
1010+
1011+ if (PSF(validate) == NULL || ZVAL_IS_NULL(PSF(validate))) {
1012+ return ps_user_valid_key(key TSRMLS_CC);
1013+ }
1014+ SESS_ZVAL_STRING(key, args[0]);
1015+
1016+ retval = ps_call_handler(PSF(validate), 1, args TSRMLS_CC);
1017+
1018+ if (retval) {
1019+ convert_to_long(retval);
1020+ ret = Z_LVAL_P(retval) ? SUCCESS : FAILURE;
1021+ zval_ptr_dtor(&retval);
1022+ }
1023+
1024+ return ret;
1025+}
1026+
1027 /*
1028 * Local variables:
1029 * tab-width: 4
1030diff -Nura php-4.4.2/ext/session/mod_user.h hardening-patch-4.4.2-0.4.10/ext/session/mod_user.h
1031--- php-4.4.2/ext/session/mod_user.h 2006-01-01 14:46:56.000000000 +0100
1032+++ hardening-patch-4.4.2-0.4.10/ext/session/mod_user.h 2006-05-11 10:36:02.000000000 +0200
1033@@ -22,7 +22,7 @@
1034 #define MOD_USER_H
1035
1036 typedef union {
1037- zval *names[6];
1038+ zval *names[8];
1039 struct {
1040 zval *ps_open;
1041 zval *ps_close;
1042@@ -30,6 +30,8 @@
1043 zval *ps_write;
1044 zval *ps_destroy;
1045 zval *ps_gc;
1046+ zval *ps_create;
1047+ zval *ps_validate;
1048 } name;
1049 } ps_user;
1050
1051diff -Nura php-4.4.2/ext/session/php_session.h hardening-patch-4.4.2-0.4.10/ext/session/php_session.h
1052--- php-4.4.2/ext/session/php_session.h 2006-01-01 14:46:56.000000000 +0100
1053+++ hardening-patch-4.4.2-0.4.10/ext/session/php_session.h 2006-05-11 10:36:02.000000000 +0200
1054@@ -23,7 +23,7 @@
1055
1056 #include "ext/standard/php_var.h"
1057
1058-#define PHP_SESSION_API 20020330
1059+#define PHP_SESSION_API 20051121
1060
1061 #define PS_OPEN_ARGS void **mod_data, const char *save_path, const char *session_name TSRMLS_DC
1062 #define PS_CLOSE_ARGS void **mod_data TSRMLS_DC
1063@@ -32,6 +32,7 @@
1064 #define PS_DESTROY_ARGS void **mod_data, const char *key TSRMLS_DC
1065 #define PS_GC_ARGS void **mod_data, int maxlifetime, int *nrdels TSRMLS_DC
1066 #define PS_CREATE_SID_ARGS void **mod_data, int *newlen TSRMLS_DC
1067+#define PS_VALIDATE_SID_ARGS void **mod_data, const char *key TSRMLS_DC
1068
1069 /* default create id function */
1070 char *php_session_create_id(PS_CREATE_SID_ARGS);
1071@@ -45,6 +46,7 @@
1072 int (*s_destroy)(PS_DESTROY_ARGS);
1073 int (*s_gc)(PS_GC_ARGS);
1074 char *(*s_create_sid)(PS_CREATE_SID_ARGS);
1075+ int (*s_validate_sid)(PS_VALIDATE_SID_ARGS);
1076 } ps_module;
1077
1078 #define PS_GET_MOD_DATA() *mod_data
1079@@ -57,6 +59,7 @@
1080 #define PS_DESTROY_FUNC(x) int ps_delete_##x(PS_DESTROY_ARGS)
1081 #define PS_GC_FUNC(x) int ps_gc_##x(PS_GC_ARGS)
1082 #define PS_CREATE_SID_FUNC(x) char *ps_create_sid_##x(PS_CREATE_SID_ARGS)
1083+#define PS_VALIDATE_SID_FUNC(x) int ps_validate_sid_##x(PS_VALIDATE_SID_ARGS)
1084
1085 #define PS_FUNCS(x) \
1086 PS_OPEN_FUNC(x); \
1087@@ -65,11 +68,12 @@
1088 PS_WRITE_FUNC(x); \
1089 PS_DESTROY_FUNC(x); \
1090 PS_GC_FUNC(x); \
1091- PS_CREATE_SID_FUNC(x)
1092+ PS_CREATE_SID_FUNC(x); \
1093+ PS_VALIDATE_SID_FUNC(x)
1094
1095 #define PS_MOD(x) \
1096 #x, ps_open_##x, ps_close_##x, ps_read_##x, ps_write_##x, \
1097- ps_delete_##x, ps_gc_##x, php_session_create_id
1098+ ps_delete_##x, ps_gc_##x, php_session_create_id, ps_validate_sid_##x
1099
1100 /* SID enabled module handler definitions */
1101 #define PS_FUNCS_SID(x) \
1102@@ -79,11 +83,12 @@
1103 PS_WRITE_FUNC(x); \
1104 PS_DESTROY_FUNC(x); \
1105 PS_GC_FUNC(x); \
1106- PS_CREATE_SID_FUNC(x)
1107+ PS_CREATE_SID_FUNC(x); \
1108+ PS_VALIDATE_SID(x)
1109
1110 #define PS_MOD_SID(x) \
1111 #x, ps_open_##x, ps_close_##x, ps_read_##x, ps_write_##x, \
1112- ps_delete_##x, ps_gc_##x, ps_create_sid_##x
1113+ ps_delete_##x, ps_gc_##x, ps_create_sid_##x, ps_validate_sid_##x
1114
1115 typedef enum {
1116 php_session_disabled,
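Review bot: `PS_FUNCS_SID(x)` now expands to `PS_VALIDATE_SID(x)`, but the macro defined in the earlier hunk of this file is `PS_VALIDATE_SID_FUNC(x)` — no `PS_VALIDATE_SID` is defined anywhere in the visible patch, so any module declared with `PS_FUNCS_SID` fails to compile, while `PS_MOD_SID(x)` on the same hunk already references `ps_validate_sid_##x`. The line should read `PS_VALIDATE_SID_FUNC(x)`, matching `PS_FUNCS(x)` above. Whether any in-tree module uses `PS_FUNCS_SID` cannot be seen from this chunk, which may be why the build did not catch it.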
1117@@ -120,6 +125,7 @@
1118 zend_bool use_only_cookies;
1119 zend_bool use_trans_sid; /* contains the INI value of whether to use trans-sid */
1120 zend_bool apply_trans_sid; /* whether or not to enable trans-sid for the current request */
1121+ zend_bool use_strict_mode; /* whether or not PHP accepts unknown session ids */
1122 int send_cookie;
1123 int define_sid;
1124 } php_ps_globals;
1125diff -Nura php-4.4.2/ext/session/session.c hardening-patch-4.4.2-0.4.10/ext/session/session.c
1126--- php-4.4.2/ext/session/session.c 2006-01-01 14:46:56.000000000 +0100
1127+++ hardening-patch-4.4.2-0.4.10/ext/session/session.c 2006-05-11 10:36:02.000000000 +0200
1128@@ -17,7 +17,7 @@
1129 +----------------------------------------------------------------------+
1130 */
1131
1132-/* $Id: session.c,v 1.336.2.53.2.4 2006/01/01 13:46:56 sniper Exp $ */
1133+/* $Id: session.c,v 1.336.2.53.2.5 2006/01/15 16:52:10 iliaa Exp $ */
1134
1135 #ifdef HAVE_CONFIG_H
1136 #include "config.h"
1137@@ -155,6 +155,7 @@
1138 STD_PHP_INI_BOOLEAN("session.cookie_secure", "", PHP_INI_ALL, OnUpdateBool, cookie_secure, php_ps_globals, ps_globals)
1139 STD_PHP_INI_BOOLEAN("session.use_cookies", "1", PHP_INI_ALL, OnUpdateBool, use_cookies, php_ps_globals, ps_globals)
1140 STD_PHP_INI_BOOLEAN("session.use_only_cookies", "0", PHP_INI_ALL, OnUpdateBool, use_only_cookies, php_ps_globals, ps_globals)
1141+ STD_PHP_INI_BOOLEAN("session.use_strict_mode", "1", PHP_INI_ALL, OnUpdateBool, use_strict_mode, php_ps_globals, ps_globals)
1142 STD_PHP_INI_ENTRY("session.referer_check", "", PHP_INI_ALL, OnUpdateString, extern_referer_chk, php_ps_globals, ps_globals)
1143 STD_PHP_INI_ENTRY("session.entropy_file", "", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals, ps_globals)
1144 STD_PHP_INI_ENTRY("session.entropy_length", "0", PHP_INI_ALL, OnUpdateInt, entropy_length, php_ps_globals, ps_globals)
1145@@ -626,6 +627,12 @@
1146 char *val;
1147 int vallen;
1148
1149+ /* check session name for invalid characters */
1150+ if (PS(id) && strpbrk(PS(id), "\r\n\t <>'\"\\")) {
1151+ efree(PS(id));
1152+ PS(id) = NULL;
1153+ }
1154+
1155 if (!PS(mod)) {
1156 php_error_docref(NULL TSRMLS_CC, E_ERROR, "No storage module chosen - failed to initialize session.");
1157 return;
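Review bot: The comment on the new block says it checks the session name, but the code inspects `PS(id)` — the client-supplied session id — and discards it when it contains one of the listed characters; the comment should say so, e.g. `/* drop a client-supplied session id containing characters unsafe for cookies/URLs */`. This is a blacklist applied before the module's `s_validate_sid` whitelist in the next hunk, so it is at most defence in depth; an id that survives it can still contain other non-alphanumerics (`;`, `%`, `/`) and relies on the module check to reject them. Unlike the rejection path in the following hunk, `PS(send_cookie)` is not set here, so a request carrying a junk cookie id gets a fresh id without a new Set-Cookie unless code outside this hunk forces one — worth confirming.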
1158@@ -637,6 +644,15 @@
1159 return;
1160 }
1161
1162+ /* If there is an ID, use session module to verify it */
1163+ if (PS(id)) {
1164+ if (PS(mod)->s_validate_sid(&PS(mod_data), PS(id) TSRMLS_CC) == FAILURE) {
1165+ efree(PS(id));
1166+ PS(id) = NULL;
1167+ PS(send_cookie) = 1;
1168+ }
1169+ }
1170+
1171 /* If there is no ID, use session module to create one */
1172 if (!PS(id))
1173 PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);
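Review bot: The new `s_validate_sid` call is unconditional: the `session.use_strict_mode` INI flag added earlier in this file is not consulted here, and `PS(mod)->s_validate_sid` is dereferenced without a NULL check. If the INI flag is meant to control rejection of unknown ids (the test files in this patch switch it off for the trans-sid cases), the gate belongs here, e.g. `if (PS(id) && PS(use_strict_mode) && PS(mod)->s_validate_sid && PS(mod)->s_validate_sid(&PS(mod_data), PS(id) TSRMLS_CC) == FAILURE) {` — unless each module's validator reads the flag itself, which cannot be seen from this chunk. The NULL check also protects against a third-party module built against the old `ps_module` layout, though the `PHP_SESSION_API` bump in php_session.h should refuse to load such a module.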
1174@@ -1256,22 +1272,31 @@
1175 }
1176 /* }}} */
1177
1178-/* {{{ proto void session_set_save_handler(string open, string close, string read, string write, string destroy, string gc)
1179+/* {{{ proto void session_set_save_handler(string open, string close, string read, string write, string destroy, string gc[, string create, string validate])
1180 Sets user-level functions */
1181 PHP_FUNCTION(session_set_save_handler)
1182 {
1183- zval **args[6];
1184- int i;
1185+ zval **args[8];
1186+ int i, numargs;
1187 ps_user *mdata;
1188 char *name;
1189
1190+ numargs = ZEND_NUM_ARGS();
1191+ args[6] = NULL;
1192+ args[7] = NULL;
1193+
1194+ if (numargs < 6 || numargs > 8 || zend_get_parameters_array_ex(numargs, args) == FAILURE)
1195+ WRONG_PARAM_COUNT;
1196 if (ZEND_NUM_ARGS() != 6 || zend_get_parameters_array_ex(6, args) == FAILURE)
1197 WRONG_PARAM_COUNT;
1198
1199 if (PS(session_status) != php_session_none)
1200 RETURN_FALSE;
1201
1202- for (i = 0; i < 6; i++) {
1203+ for (i = 0; i < 8; i++) {
1204+ if (i >= 6 && (args[i] == NULL || ZVAL_IS_NULL(*args[i]))) {
1205+ continue;
1206+ }
1207 if (!zend_is_callable(*args[i], 0, &name)) {
1208 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Argument %d is not a valid callback", i+1);
1209 efree(name);
1210@@ -1284,7 +1309,11 @@
1211
1212 mdata = emalloc(sizeof(*mdata));
1213
1214- for (i = 0; i < 6; i++) {
1215+ for (i = 0; i < 8; i++) {
1216+ if (i >= 6 && (args[i] == NULL || ZVAL_IS_NULL(*args[i]))) {
1217+ mdata->names[i] = NULL;
1218+ continue;
1219+ }
1220 ZVAL_ADDREF(*args[i]);
1221 mdata->names[i] = *args[i];
1222 }
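Review bot: The original six-argument check is still present as context two lines below the new one (`if (ZEND_NUM_ARGS() != 6 || zend_get_parameters_array_ex(6, args) == FAILURE) WRONG_PARAM_COUNT;`), so a call with the new seventh or eighth callback still fails with WRONG_PARAM_COUNT before the optional handlers are ever stored, and a six-argument call parses its parameters twice. Those two context lines must become `-` lines for the `[, string create, string validate]` extension in the proto comment to work at all. The rest of the hunk is consistent with that intent: `names[8]` in mod_user.h, NULL stored for absent entries, and the NULL check on `PSF(validate)` in mod_user.c.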
1223@@ -1345,8 +1374,20 @@
1224 Update the current session id with a newly generated one. */
1225 PHP_FUNCTION(session_regenerate_id)
1226 {
1227+ zend_bool del_ses = 0;
1228+
1229+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|b", &del_ses) == FAILURE) {
1230+ WRONG_PARAM_COUNT;
1231+ }
1232+
1233 if (PS(session_status) == php_session_active) {
1234- if (PS(id)) efree(PS(id));
1235+ if (PS(id)) {
1236+ if (del_ses && PS(mod)->s_destroy(&PS(mod_data), PS(id) TSRMLS_CC) == FAILURE) {
1237+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Session object destruction failed");
1238+ RETURN_FALSE;
1239+ }
1240+ efree(PS(id));
1241+ }
1242
1243 PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);
1244
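Review bot: After a `zend_parse_parameters` failure the function falls back to `WRONG_PARAM_COUNT`, which reports an argument-count error even when the count was fine and the single argument simply was not coercible to bool; the usual idiom is `return;` (zpp has already raised its own warning) or `RETURN_FALSE;` to match the function's bool return. The `proto` comment for this function sits above the hunk and presumably still needs the new optional parameter, something like `proto bool session_regenerate_id([bool delete_old_session])`. When `del_ses` is set and `s_destroy` succeeds, the old id's data is gone before the new id is created, which is the intended fixation defence; a destroy failure leaves the old id in place, which is reasonable.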
1245diff -Nura php-4.4.2/ext/session/tests/014.phpt hardening-patch-4.4.2-0.4.10/ext/session/tests/014.phpt
1246--- php-4.4.2/ext/session/tests/014.phpt 2002-11-26 00:19:18.000000000 +0100
1247+++ hardening-patch-4.4.2-0.4.10/ext/session/tests/014.phpt 2006-05-11 10:36:02.000000000 +0200
1248@@ -5,6 +5,7 @@
1249 --INI--
1250 session.use_trans_sid=1
1251 session.use_cookies=0
1252+session.use_strict_mode=0
1253 session.cache_limiter=
1254 register_globals=1
1255 session.bug_compat_42=1
1256diff -Nura php-4.4.2/ext/session/tests/015.phpt hardening-patch-4.4.2-0.4.10/ext/session/tests/015.phpt
1257--- php-4.4.2/ext/session/tests/015.phpt 2002-11-26 00:19:19.000000000 +0100
1258+++ hardening-patch-4.4.2-0.4.10/ext/session/tests/015.phpt 2006-05-11 10:36:02.000000000 +0200
1259@@ -5,6 +5,7 @@
1260 --INI--
1261 session.use_trans_sid=1
1262 session.use_cookies=0
1263+session.use_strict_mode=0
1264 session.cache_limiter=
1265 arg_separator.output=&
1266 session.name=PHPSESSID
1267diff -Nura php-4.4.2/ext/session/tests/018.phpt hardening-patch-4.4.2-0.4.10/ext/session/tests/018.phpt
1268--- php-4.4.2/ext/session/tests/018.phpt 2002-11-26 00:19:19.000000000 +0100
1269+++ hardening-patch-4.4.2-0.4.10/ext/session/tests/018.phpt 2006-05-11 10:36:02.000000000 +0200
1270@@ -4,6 +4,7 @@
1271 <?php include('skipif.inc'); ?>
1272 --INI--
1273 session.use_cookies=0
1274+session.use_strict_mode=0
1275 session.cache_limiter=
1276 session.use_trans_sid=1
1277 session.name=PHPSESSID
1278diff -Nura php-4.4.2/ext/session/tests/020.phpt hardening-patch-4.4.2-0.4.10/ext/session/tests/020.phpt
1279--- php-4.4.2/ext/session/tests/020.phpt 2002-11-26 00:19:19.000000000 +0100
1280+++ hardening-patch-4.4.2-0.4.10/ext/session/tests/020.phpt 2006-05-11 10:36:02.000000000 +0200
1281@@ -4,6 +4,7 @@
1282 <?php include('skipif.inc'); ?>
1283 --INI--
1284 session.use_cookies=0
1285+session.use_strict_mode=0
1286 session.cache_limiter=
1287 session.use_trans_sid=1
1288 arg_separator.output=&amp;
1289diff -Nura php-4.4.2/ext/session/tests/021.phpt hardening-patch-4.4.2-0.4.10/ext/session/tests/021.phpt
1290--- php-4.4.2/ext/session/tests/021.phpt 2002-11-26 00:19:19.000000000 +0100
1291+++ hardening-patch-4.4.2-0.4.10/ext/session/tests/021.phpt 2006-05-11 10:36:02.000000000 +0200
1292@@ -4,6 +4,7 @@
1293 <?php include('skipif.inc'); ?>
1294 --INI--
1295 session.use_cookies=0
1296+session.use_strict_mode=0
1297 session.cache_limiter=
1298 session.use_trans_sid=1
1299 url_rewriter.tags="a=href,area=href,frame=src,input=src,form=,fieldset="
1300diff -Nura php-4.4.2/ext/standard/array.c hardening-patch-4.4.2-0.4.10/ext/standard/array.c
1301--- php-4.4.2/ext/standard/array.c 2006-01-01 14:46:57.000000000 +0100
1302+++ hardening-patch-4.4.2-0.4.10/ext/standard/array.c 2006-05-11 10:36:02.000000000 +0200
1303@@ -1162,6 +1162,32 @@
1304 }
1305 }
1306 }
1307+
1308+ if (var_name[0] == 'H') {
1309+ if ((strcmp(var_name, "HTTP_GET_VARS")==0)||
1310+ (strcmp(var_name, "HTTP_POST_VARS")==0)||
1311+ (strcmp(var_name, "HTTP_POST_FILES")==0)||
1312+ (strcmp(var_name, "HTTP_ENV_VARS")==0)||
1313+ (strcmp(var_name, "HTTP_SERVER_VARS")==0)||
1314+ (strcmp(var_name, "HTTP_SESSION_VARS")==0)||
1315+ (strcmp(var_name, "HTTP_COOKIE_VARS")==0)||
1316+ (strcmp(var_name, "HTTP_RAW_POST_DATA")==0)) {
1317+ return 0;
1318+ }
1319+ } else if (var_name[0] == '_') {
1320+ if ((strcmp(var_name, "_COOKIE")==0)||
1321+ (strcmp(var_name, "_ENV")==0)||
1322+ (strcmp(var_name, "_FILES")==0)||
1323+ (strcmp(var_name, "_GET")==0)||
1324+ (strcmp(var_name, "_POST")==0)||
1325+ (strcmp(var_name, "_REQUEST")==0)||
1326+ (strcmp(var_name, "_SESSION")==0)||
1327+ (strcmp(var_name, "_SERVER")==0)) {
1328+ return 0;
1329+ }
1330+ } else if (strcmp(var_name, "GLOBALS")==0) {
1331+ return 0;
1332+ }
1333
1334 return 1;
1335 }
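Review bot: The seventeen-name protected list added here is duplicated verbatim in the `import_request_variables` callback later in this patch (basic_functions.c), as three `strcmp` chains keyed on the first character; two hand-maintained copies will drift the next time a superglobal is added. Replace the chains with a loop over a single file-scope table, exported so the other copy can call it, as sketched below (the loop variable goes with the function's other locals, which are outside the hunk). The first-character dispatch buys nothing measurable and the table form makes the protected set reviewable at a glance; the enclosing function's beginning lies outside the hunk.
```c
/* file scope: names extract() must never create or overwrite */
static const char *const php_protected_var_names[] = {
	"HTTP_GET_VARS", "HTTP_POST_VARS", "HTTP_POST_FILES", "HTTP_ENV_VARS",
	"HTTP_SERVER_VARS", "HTTP_SESSION_VARS", "HTTP_COOKIE_VARS", "HTTP_RAW_POST_DATA",
	"_COOKIE", "_ENV", "_FILES", "_GET", "_POST", "_REQUEST", "_SESSION", "_SERVER",
	"GLOBALS", NULL
};

/* … unchanged: character checks earlier in the function … */
	/* pn is declared with the function's other locals */
	for (pn = php_protected_var_names; *pn; pn++) {
		if (strcmp(var_name, *pn) == 0) {
			return 0;
		}
	}

	return 1;
```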
1336diff -Nura php-4.4.2/ext/standard/basic_functions.c hardening-patch-4.4.2-0.4.10/ext/standard/basic_functions.c
1337--- php-4.4.2/ext/standard/basic_functions.c 2006-01-01 14:46:57.000000000 +0100
1338+++ hardening-patch-4.4.2-0.4.10/ext/standard/basic_functions.c 2006-05-11 10:36:02.000000000 +0200
1339@@ -107,12 +107,14 @@
1340 typedef struct _php_shutdown_function_entry {
1341 zval **arguments;
1342 int arg_count;
1343+ zend_bool created_by_eval;
1344 } php_shutdown_function_entry;
1345
1346 typedef struct _user_tick_function_entry {
1347 zval **arguments;
1348 int arg_count;
1349 int calling;
1350+ zend_bool created_by_eval;
1351 } user_tick_function_entry;
1352
1353 /* some prototypes for local functions */
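Review bot: The two new `created_by_eval` members are declared unconditionally, while every read and write of them elsewhere in this file is wrapped in `#if HARDENING_PATCH`; in a build without that macro the members are never initialized, which is harmless only because they are also never read. Either put the declarations under the same `#if HARDENING_PATCH` guard or initialize the field unconditionally (e.g. `shutdown_function_entry.created_by_eval = 0;` before the guarded block in `register_shutdown_function`) so the structs are always fully initialized. A one-line comment on the member — `/* set when registered from eval()'d code; restored into EG(in_code_type) when called */` — would also explain why it exists.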
1354@@ -295,6 +297,8 @@
1355 PHP_FE(get_html_translation_table, NULL)
1356 PHP_FE(sha1, NULL)
1357 PHP_FE(sha1_file, NULL)
1358+ PHP_FE(sha256, NULL)
1359+ PHP_FE(sha256_file, NULL)
1360 PHP_NAMED_FE(md5,php_if_md5, NULL)
1361 PHP_NAMED_FE(md5_file,php_if_md5_file, NULL)
1362 PHP_NAMED_FE(crc32,php_if_crc32, NULL)
1363@@ -676,7 +680,7 @@
1364 PHP_FALIAS(socket_get_status, stream_get_meta_data, NULL)
1365
1366 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
1367- PHP_FE(realpath, NULL)
1368+ PHP_STATIC_FE("realpath", zif_real_path, NULL)
1369 #endif
1370
1371 #ifdef HAVE_FNMATCH
1372@@ -2096,6 +2100,13 @@
1373 {
1374 zval retval;
1375 char *function_name = NULL;
1376+#if HARDENING_PATCH
1377+ zend_uint orig_code_type = EG(in_code_type);
1378+
1379+ if (shutdown_function_entry->created_by_eval) {
1380+ EG(in_code_type) = ZEND_EVAL_CODE;
1381+ }
1382+#endif
1383
1384 if (!zend_is_callable(shutdown_function_entry->arguments[0], 0, &function_name)) {
1385 php_error(E_WARNING, "(Registered shutdown functions) Unable to call %s() - function does not exist", function_name);
1386@@ -2111,6 +2122,9 @@
1387 if (function_name) {
1388 efree(function_name);
1389 }
1390+#if HARDENING_PATCH
1391+ EG(in_code_type) = orig_code_type;
1392+#endif
1393 return 0;
1394 }
1395
1396@@ -2118,6 +2132,13 @@
1397 {
1398 zval retval;
1399 zval *function = tick_fe->arguments[0];
1400+#if HARDENING_PATCH
1401+ zend_uint orig_code_type = EG(in_code_type);
1402+
1403+ if (tick_fe->created_by_eval) {
1404+ EG(in_code_type) = ZEND_EVAL_CODE;
1405+ }
1406+#endif
1407
1408 /* Prevent reentrant calls to the same user ticks function */
1409 if (! tick_fe->calling) {
1410@@ -2149,6 +2170,9 @@
1411
1412 tick_fe->calling = 0;
1413 }
1414+#if HARDENING_PATCH
1415+ EG(in_code_type) = orig_code_type;
1416+#endif
1417 }
1418
1419 static void run_user_tick_functions(int tick_count)
1420@@ -2216,6 +2240,13 @@
1421 if (zend_get_parameters_array(ht, shutdown_function_entry.arg_count, shutdown_function_entry.arguments) == FAILURE) {
1422 RETURN_FALSE;
1423 }
1424+#if HARDENING_PATCH
1425+ if (EG(in_code_type)==ZEND_EVAL_CODE) {
1426+ shutdown_function_entry.created_by_eval = 1;
1427+ } else {
1428+ shutdown_function_entry.created_by_eval = 0;
1429+ }
1430+#endif
1431
1432 /* Prevent entering of anything but valid callback (syntax check only!) */
1433 if (!zend_is_callable(shutdown_function_entry.arguments[0], 1, &function_name)) {
1434@@ -2753,6 +2784,13 @@
1435 }
1436
1437 tick_fe.arguments = (zval **) safe_emalloc(sizeof(zval *), tick_fe.arg_count, 0);
1438+#if HARDENING_PATCH
1439+ if (EG(in_code_type)==ZEND_EVAL_CODE) {
1440+ tick_fe.created_by_eval = 1;
1441+ } else {
1442+ tick_fe.created_by_eval = 0;
1443+ }
1444+#endif
1445
1446 if (zend_get_parameters_array(ht, tick_fe.arg_count, tick_fe.arguments) == FAILURE) {
1447 RETURN_FALSE;
1448@@ -3050,6 +3088,35 @@
1449 new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h);
1450 }
1451
1452+ if (new_key[0] == 'H') {
1453+ if ((strcmp(new_key, "HTTP_GET_VARS")==0)||
1454+ (strcmp(new_key, "HTTP_POST_VARS")==0)||
1455+ (strcmp(new_key, "HTTP_POST_FILES")==0)||
1456+ (strcmp(new_key, "HTTP_ENV_VARS")==0)||
1457+ (strcmp(new_key, "HTTP_SERVER_VARS")==0)||
1458+ (strcmp(new_key, "HTTP_SESSION_VARS")==0)||
1459+ (strcmp(new_key, "HTTP_COOKIE_VARS")==0)||
1460+ (strcmp(new_key, "HTTP_RAW_POST_DATA")==0)) {
1461+ efree(new_key);
1462+ return 0;
1463+ }
1464+ } else if (new_key[0] == '_') {
1465+ if ((strcmp(new_key, "_COOKIE")==0)||
1466+ (strcmp(new_key, "_ENV")==0)||
1467+ (strcmp(new_key, "_FILES")==0)||
1468+ (strcmp(new_key, "_GET")==0)||
1469+ (strcmp(new_key, "_POST")==0)||
1470+ (strcmp(new_key, "_REQUEST")==0)||
1471+ (strcmp(new_key, "_SESSION")==0)||
1472+ (strcmp(new_key, "_SERVER")==0)) {
1473+ efree(new_key);
1474+ return 0;
1475+ }
1476+ } else if (strcmp(new_key, "GLOBALS")==0) {
1477+ efree(new_key);
1478+ return 0;
1479+ }
1480+
1481 zend_hash_del(&EG(symbol_table), new_key, new_key_len);
1482 ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0);
1483
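Review bot: The protected-name check inserted before `zend_hash_del` repeats, name for name, the list this patch adds to `extract()` in array.c, with `efree(new_key)` duplicated on each of three rejection paths; a shared helper (a loop over one static table of names) would give one place to maintain and collapse this to `if (php_is_protected_var_name(new_key)) { efree(new_key); return 0; }`. Rejecting silently also leaves the script unaware that a request variable was dropped; an `E_NOTICE` via `php_error_docref` on this path would make a sudden missing variable diagnosable. The enclosing callback starts outside the hunk, so the prefix handling that produces `new_key` cannot be checked from here.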
1484diff -Nura php-4.4.2/ext/standard/config.m4 hardening-patch-4.4.2-0.4.10/ext/standard/config.m4
1485--- php-4.4.2/ext/standard/config.m4 2004-12-30 08:02:18.000000000 +0100
1486+++ hardening-patch-4.4.2-0.4.10/ext/standard/config.m4 2006-05-11 10:36:02.000000000 +0200
1487@@ -203,7 +203,7 @@
1488 if test "$ac_cv_crypt_blowfish" = "yes"; then
1489 ac_result=1
1490 else
1491- ac_result=0
1492+ ac_result=1
1493 fi
1494 AC_DEFINE_UNQUOTED(PHP_BLOWFISH_CRYPT, $ac_result, [Whether the system supports BlowFish salt])
1495 ])
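Review bot: Both branches of the `if test "$ac_cv_crypt_blowfish"` now assign `ac_result=1`, so the blowfish `crypt()` probe whose result is tested here (it runs above the hunk) is dead code and `PHP_BLOWFISH_CRYPT` unconditionally claims support. That is presumably intentional because the patch adds a bundled `crypt_blowfish.c` to the build, but the define no longer distinguishes "system crypt() supports $2a$" from "bundled implementation is used"; a comment at this line stating that, or a second define recording whether the system probe passed, would keep a later maintainer from re-enabling the probe and silently losing blowfish on systems without native support.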
1496@@ -419,6 +419,6 @@
1497 url_scanner.c var.c versioning.c assert.c strnatcmp.c levenshtein.c \
1498 incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
1499 http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
1500- var_unserializer.c ftok.c aggregation.c sha1.c )
1501+ var_unserializer.c ftok.c aggregation.c sha1.c sha256.c crypt_blowfish.c )
1502
1503 PHP_ADD_MAKEFILE_FRAGMENT
1504diff -Nura php-4.4.2/ext/standard/crypt_blowfish.c hardening-patch-4.4.2-0.4.10/ext/standard/crypt_blowfish.c
1505--- php-4.4.2/ext/standard/crypt_blowfish.c 1970-01-01 01:00:00.000000000 +0100
1506+++ hardening-patch-4.4.2-0.4.10/ext/standard/crypt_blowfish.c 2006-05-11 10:36:02.000000000 +0200
1507@@ -0,0 +1,748 @@
1508+/*
1509+ * This code comes from John the Ripper password cracker, with reentrant
1510+ * and crypt(3) interfaces added, but optimizations specific to password
1511+ * cracking removed.
1512+ *
1513+ * Written by Solar Designer <solar at openwall.com> in 1998-2002 and
1514+ * placed in the public domain.
1515+ *
1516+ * There's absolutely no warranty.
1517+ *
1518+ * It is my intent that you should be able to use this on your system,
1519+ * as a part of a software package, or anywhere else to improve security,
1520+ * ensure compatibility, or for any other purpose. I would appreciate
1521+ * it if you give credit where it is due and keep your modifications in
1522+ * the public domain as well, but I don't require that in order to let
1523+ * you place this code and any modifications you make under a license
1524+ * of your choice.
1525+ *
1526+ * This implementation is compatible with OpenBSD bcrypt.c (version 2a)
1527+ * by Niels Provos <provos at citi.umich.edu>, and uses some of his
1528+ * ideas. The password hashing algorithm was designed by David Mazieres
1529+ * <dm at lcs.mit.edu>.
1530+ *
1531+ * There's a paper on the algorithm that explains its design decisions:
1532+ *
1533+ * http://www.usenix.org/events/usenix99/provos.html
1534+ *
1535+ * Some of the tricks in BF_ROUND might be inspired by Eric Young's
1536+ * Blowfish library (I can't be sure if I would think of something if I
1537+ * hadn't seen his code).
1538+ */
1539+
1540+#include <string.h>
1541+
1542+#include <errno.h>
1543+#ifndef __set_errno
1544+#define __set_errno(val) errno = (val)
1545+#endif
1546+
1547+#undef __CONST
1548+#ifdef __GNUC__
1549+#define __CONST __const
1550+#else
1551+#define __CONST
1552+#endif
1553+
1554+#ifdef __i386__
1555+#define BF_ASM 0
1556+#define BF_SCALE 1
1557+#elif defined(__alpha__) || defined(__hppa__)
1558+#define BF_ASM 0
1559+#define BF_SCALE 1
1560+#else
1561+#define BF_ASM 0
1562+#define BF_SCALE 0
1563+#endif
1564+
1565+typedef unsigned int BF_word;
1566+
1567+/* Number of Blowfish rounds, this is also hardcoded into a few places */
1568+#define BF_N 16
1569+
1570+typedef BF_word BF_key[BF_N + 2];
1571+
1572+typedef struct {
1573+ BF_word S[4][0x100];
1574+ BF_key P;
1575+} BF_ctx;
1576+
1577+/*
1578+ * Magic IV for 64 Blowfish encryptions that we do at the end.
1579+ * The string is "OrpheanBeholderScryDoubt" on big-endian.
1580+ */
1581+static BF_word BF_magic_w[6] = {
1582+ 0x4F727068, 0x65616E42, 0x65686F6C,
1583+ 0x64657253, 0x63727944, 0x6F756274
1584+};
1585+
1586+/*
1587+ * P-box and S-box tables initialized with digits of Pi.
1588+ */
1589+static BF_ctx BF_init_state = {
1590+ {
1591+ {
1592+ 0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7,
1593+ 0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99,
1594+ 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16,
1595+ 0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e,
1596+ 0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee,
1597+ 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013,
1598+ 0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef,
1599+ 0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e,
1600+ 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60,
1601+ 0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440,
1602+ 0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce,
1603+ 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a,
1604+ 0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e,
1605+ 0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677,
1606+ 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193,
1607+ 0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032,
1608+ 0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88,
1609+ 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239,
1610+ 0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e,
1611+ 0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0,
1612+ 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3,
1613+ 0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98,
1614+ 0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88,
1615+ 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe,
1616+ 0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6,
1617+ 0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d,
1618+ 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b,
1619+ 0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7,
1620+ 0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba,
1621+ 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463,
1622+ 0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f,
1623+ 0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09,
1624+ 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3,
1625+ 0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb,
1626+ 0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279,
1627+ 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8,
1628+ 0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab,
1629+ 0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82,
1630+ 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db,
1631+ 0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573,
1632+ 0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0,
1633+ 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b,
1634+ 0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790,
1635+ 0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8,
1636+ 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4,
1637+ 0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0,
1638+ 0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7,
1639+ 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c,
1640+ 0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad,
1641+ 0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1,
1642+ 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299,
1643+ 0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9,
1644+ 0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477,
1645+ 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf,
1646+ 0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49,
1647+ 0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af,
1648+ 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa,
1649+ 0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5,
1650+ 0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41,
1651+ 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915,
1652+ 0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400,
1653+ 0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915,
1654+ 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664,
1655+ 0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a
1656+ }, {
1657+ 0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623,
1658+ 0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266,
1659+ 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1,
1660+ 0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e,
1661+ 0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6,
1662+ 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1,
1663+ 0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e,
1664+ 0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1,
1665+ 0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737,
1666+ 0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8,
1667+ 0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff,
1668+ 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd,
1669+ 0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701,
1670+ 0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7,
1671+ 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41,
1672+ 0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331,
1673+ 0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf,
1674+ 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af,
1675+ 0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e,
1676+ 0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87,
1677+ 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c,
1678+ 0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2,
1679+ 0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16,
1680+ 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd,
1681+ 0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b,
1682+ 0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509,
1683+ 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e,
1684+ 0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3,
1685+ 0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f,
1686+ 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a,
1687+ 0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4,
1688+ 0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960,
1689+ 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66,
1690+ 0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28,
1691+ 0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802,
1692+ 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84,
1693+ 0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510,
1694+ 0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf,
1695+ 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14,
1696+ 0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e,
1697+ 0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50,
1698+ 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7,
1699+ 0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8,
1700+ 0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281,
1701+ 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99,
1702+ 0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696,
1703+ 0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128,
1704+ 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73,
1705+ 0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0,
1706+ 0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0,
1707+ 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105,
1708+ 0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250,
1709+ 0xcf62a1f2, 0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3,
1710+ 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285,
1711+ 0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00,
1712+ 0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061,
1713+ 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb,
1714+ 0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e,
1715+ 0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735,
1716+ 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc,
1717+ 0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9,
1718+ 0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340,
1719+ 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20,
1720+ 0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7
1721+ }, {
1722+ 0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934,
1723+ 0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068,
1724+ 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af,
1725+ 0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840,
1726+ 0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45,
1727+ 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504,
1728+ 0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a,
1729+ 0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb,
1730+ 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee,
1731+ 0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6,
1732+ 0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42,
1733+ 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b,
1734+ 0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2,
1735+ 0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb,
1736+ 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527,
1737+ 0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b,
1738+ 0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33,
1739+ 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c,
1740+ 0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3,
1741+ 0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc,
1742+ 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17,
1743+ 0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564,
1744+ 0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b,
1745+ 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115,
1746+ 0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922,
1747+ 0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728,
1748+ 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0,
1749+ 0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e,
1750+ 0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37,
1751+ 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d,
1752+ 0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804,
1753+ 0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b,
1754+ 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3,
1755+ 0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb,
1756+ 0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d,
1757+ 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c,
1758+ 0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350,
1759+ 0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9,
1760+ 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a,
1761+ 0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe,
1762+ 0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d,
1763+ 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc,
1764+ 0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f,
1765+ 0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61,
1766+ 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2,
1767+ 0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9,
1768+ 0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2,
1769+ 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c,
1770+ 0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e,
1771+ 0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633,
1772+ 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10,
1773+ 0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169,
1774+ 0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52,
1775+ 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027,
1776+ 0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5,
1777+ 0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62,
1778+ 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634,
1779+ 0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76,
1780+ 0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24,
1781+ 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc,
1782+ 0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4,
1783+ 0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c,
1784+ 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837,
1785+ 0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0
1786+ }, {
1787+ 0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b,
1788+ 0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe,
1789+ 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b,
1790+ 0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4,
1791+ 0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8,
1792+ 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6,
1793+ 0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304,
1794+ 0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22,
1795+ 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4,
1796+ 0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6,
1797+ 0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9,
1798+ 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59,
1799+ 0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593,
1800+ 0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51,
1801+ 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28,
1802+ 0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c,
1803+ 0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b,
1804+ 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28,
1805+ 0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c,
1806+ 0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd,
1807+ 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a,
1808+ 0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319,
1809+ 0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb,
1810+ 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f,
1811+ 0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991,
1812+ 0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32,
1813+ 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680,
1814+ 0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166,
1815+ 0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae,
1816+ 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb,
1817+ 0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5,
1818+ 0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47,
1819+ 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370,
1820+ 0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d,
1821+ 0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84,
1822+ 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048,
1823+ 0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8,
1824+ 0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd,
1825+ 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9,
1826+ 0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7,
1827+ 0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38,
1828+ 0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f,
1829+ 0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c,
1830+ 0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 0x9b941525,
1831+ 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1,
1832+ 0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442,
1833+ 0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964,
1834+ 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e,
1835+ 0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8,
1836+ 0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d,
1837+ 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f,
1838+ 0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299,
1839+ 0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02,
1840+ 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc,
1841+ 0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614,
1842+ 0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a,
1843+ 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6,
1844+ 0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b,
1845+ 0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0,
1846+ 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060,
1847+ 0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e,
1848+ 0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9,
1849+ 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f,
1850+ 0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6
1851+ }
1852+ }, {
1853+ 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344,
1854+ 0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89,
1855+ 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c,
1856+ 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917,
1857+ 0x9216d5d9, 0x8979fb1b
1858+ }
1859+};
1860+
1861+static unsigned char BF_itoa64[64 + 1] =
1862+ "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
1863+
1864+static unsigned char BF_atoi64[0x60] = {
1865+ 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 0, 1,
1866+ 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 64, 64, 64, 64, 64,
1867+ 64, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
1868+ 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 64, 64, 64, 64, 64,
1869+ 64, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42,
1870+ 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 64, 64, 64, 64, 64
1871+};
1872+
1873+/*
1874+ * This may be optimized out if built with function inlining and no BF_ASM.
1875+ */
1876+static void clean(void *data, int size)
1877+{
1878+#if BF_ASM
1879+ extern void _BF_clean(void *data);
1880+#endif
1881+ memset(data, 0, size);
1882+#if BF_ASM
1883+ _BF_clean(data);
1884+#endif
1885+}
1886+
1887+#define BF_safe_atoi64(dst, src) \
1888+{ \
1889+ tmp = (unsigned char)(src); \
1890+ if (tmp == '$') break; \
1891+ if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \
1892+ tmp = BF_atoi64[tmp]; \
1893+ if (tmp > 63) return -1; \
1894+ (dst) = tmp; \
1895+}
1896+
1897+static int BF_decode(BF_word *dst, __CONST char *src, int size)
1898+{
1899+ unsigned char *dptr = (unsigned char *)dst;
1900+ unsigned char *end = dptr + size;
1901+ unsigned char *sptr = (unsigned char *)src;
1902+ unsigned int tmp, c1, c2, c3, c4;
1903+
1904+ do {
1905+ BF_safe_atoi64(c1, *sptr++);
1906+ BF_safe_atoi64(c2, *sptr++);
1907+ *dptr++ = (c1 << 2) | ((c2 & 0x30) >> 4);
1908+ if (dptr >= end) break;
1909+
1910+ BF_safe_atoi64(c3, *sptr++);
1911+ *dptr++ = ((c2 & 0x0F) << 4) | ((c3 & 0x3C) >> 2);
1912+ if (dptr >= end) break;
1913+
1914+ BF_safe_atoi64(c4, *sptr++);
1915+ *dptr++ = ((c3 & 0x03) << 6) | c4;
1916+ } while (dptr < end);
1917+
1918+ while (dptr < end)
1919+ *dptr++ = 0;
1920+
1921+ return 0;
1922+}
1923+
1924+static void BF_encode(char *dst, __CONST BF_word *src, int size)
1925+{
1926+ unsigned char *sptr = (unsigned char *)src;
1927+ unsigned char *end = sptr + size;
1928+ unsigned char *dptr = (unsigned char *)dst;
1929+ unsigned int c1, c2;
1930+
1931+ do {
1932+ c1 = *sptr++;
1933+ *dptr++ = BF_itoa64[c1 >> 2];
1934+ c1 = (c1 & 0x03) << 4;
1935+ if (sptr >= end) {
1936+ *dptr++ = BF_itoa64[c1];
1937+ break;
1938+ }
1939+
1940+ c2 = *sptr++;
1941+ c1 |= c2 >> 4;
1942+ *dptr++ = BF_itoa64[c1];
1943+ c1 = (c2 & 0x0f) << 2;
1944+ if (sptr >= end) {
1945+ *dptr++ = BF_itoa64[c1];
1946+ break;
1947+ }
1948+
1949+ c2 = *sptr++;
1950+ c1 |= c2 >> 6;
1951+ *dptr++ = BF_itoa64[c1];
1952+ *dptr++ = BF_itoa64[c2 & 0x3f];
1953+ } while (sptr < end);
1954+}
1955+
1956+static void BF_swap(BF_word *x, int count)
1957+{
1958+ static int endianness_check = 1;
1959+ char *is_little_endian = (char *)&endianness_check;
1960+ BF_word tmp;
1961+
1962+ if (*is_little_endian)
1963+ do {
1964+ tmp = *x;
1965+ tmp = (tmp << 16) | (tmp >> 16);
1966+ *x++ = ((tmp & 0x00FF00FF) << 8) | ((tmp >> 8) & 0x00FF00FF);
1967+ } while (--count);
1968+}
1969+
1970+#if BF_SCALE
1971+/* Architectures which can shift addresses left by 2 bits with no extra cost */
1972+#define BF_ROUND(L, R, N) \
1973+ tmp1 = L & 0xFF; \
1974+ tmp2 = L >> 8; \
1975+ tmp2 &= 0xFF; \
1976+ tmp3 = L >> 16; \
1977+ tmp3 &= 0xFF; \
1978+ tmp4 = L >> 24; \
1979+ tmp1 = data.ctx.S[3][tmp1]; \
1980+ tmp2 = data.ctx.S[2][tmp2]; \
1981+ tmp3 = data.ctx.S[1][tmp3]; \
1982+ tmp3 += data.ctx.S[0][tmp4]; \
1983+ tmp3 ^= tmp2; \
1984+ R ^= data.ctx.P[N + 1]; \
1985+ tmp3 += tmp1; \
1986+ R ^= tmp3;
1987+#else
1988+/* Architectures with no complicated addressing modes supported */
1989+#define BF_INDEX(S, i) \
1990+ (*((BF_word *)(((unsigned char *)S) + (i))))
1991+#define BF_ROUND(L, R, N) \
1992+ tmp1 = L & 0xFF; \
1993+ tmp1 <<= 2; \
1994+ tmp2 = L >> 6; \
1995+ tmp2 &= 0x3FC; \
1996+ tmp3 = L >> 14; \
1997+ tmp3 &= 0x3FC; \
1998+ tmp4 = L >> 22; \
1999+ tmp4 &= 0x3FC; \
2000+ tmp1 = BF_INDEX(data.ctx.S[3], tmp1); \
2001+ tmp2 = BF_INDEX(data.ctx.S[2], tmp2); \
2002+ tmp3 = BF_INDEX(data.ctx.S[1], tmp3); \
2003+ tmp3 += BF_INDEX(data.ctx.S[0], tmp4); \
2004+ tmp3 ^= tmp2; \
2005+ R ^= data.ctx.P[N + 1]; \
2006+ tmp3 += tmp1; \
2007+ R ^= tmp3;
2008+#endif
2009+
2010+/*
2011+ * Encrypt one block, BF_N is hardcoded here.
2012+ */
2013+#define BF_ENCRYPT \
2014+ L ^= data.ctx.P[0]; \
2015+ BF_ROUND(L, R, 0); \
2016+ BF_ROUND(R, L, 1); \
2017+ BF_ROUND(L, R, 2); \
2018+ BF_ROUND(R, L, 3); \
2019+ BF_ROUND(L, R, 4); \
2020+ BF_ROUND(R, L, 5); \
2021+ BF_ROUND(L, R, 6); \
2022+ BF_ROUND(R, L, 7); \
2023+ BF_ROUND(L, R, 8); \
2024+ BF_ROUND(R, L, 9); \
2025+ BF_ROUND(L, R, 10); \
2026+ BF_ROUND(R, L, 11); \
2027+ BF_ROUND(L, R, 12); \
2028+ BF_ROUND(R, L, 13); \
2029+ BF_ROUND(L, R, 14); \
2030+ BF_ROUND(R, L, 15); \
2031+ tmp4 = R; \
2032+ R = L; \
2033+ L = tmp4 ^ data.ctx.P[BF_N + 1];
2034+
2035+#if BF_ASM
2036+#define BF_body() \
2037+ _BF_body_r(&data.ctx);
2038+#else
2039+#define BF_body() \
2040+ L = R = 0; \
2041+ ptr = data.ctx.P; \
2042+ do { \
2043+ ptr += 2; \
2044+ BF_ENCRYPT; \
2045+ *(ptr - 2) = L; \
2046+ *(ptr - 1) = R; \
2047+ } while (ptr < &data.ctx.P[BF_N + 2]); \
2048+\
2049+ ptr = data.ctx.S[0]; \
2050+ do { \
2051+ ptr += 2; \
2052+ BF_ENCRYPT; \
2053+ *(ptr - 2) = L; \
2054+ *(ptr - 1) = R; \
2055+ } while (ptr < &data.ctx.S[3][0xFF]);
2056+#endif
2057+
2058+static void BF_set_key(__CONST char *key, BF_key expanded, BF_key initial)
2059+{
2060+ __CONST char *ptr = key;
2061+ int i, j;
2062+ BF_word tmp;
2063+
2064+ for (i = 0; i < BF_N + 2; i++) {
2065+ tmp = 0;
2066+ for (j = 0; j < 4; j++) {
2067+ tmp <<= 8;
2068+ tmp |= *ptr;
2069+
2070+ if (!*ptr) ptr = key; else ptr++;
2071+ }
2072+
2073+ expanded[i] = tmp;
2074+ initial[i] = BF_init_state.P[i] ^ tmp;
2075+ }
2076+}
2077+
2078+char *_crypt_blowfish_rn(__CONST char *key, __CONST char *setting,
2079+ char *output, int size)
2080+{
2081+#if BF_ASM
2082+ extern void _BF_body_r(BF_ctx *ctx);
2083+#endif
2084+ struct {
2085+ BF_ctx ctx;
2086+ BF_key expanded_key;
2087+ union {
2088+ BF_word salt[4];
2089+ BF_word output[6];
2090+ } binary;
2091+ } data;
2092+ BF_word L, R;
2093+ BF_word tmp1, tmp2, tmp3, tmp4;
2094+ BF_word *ptr;
2095+ BF_word count;
2096+ int i;
2097+
2098+ if (size < 7 + 22 + 31 + 1) {
2099+ __set_errno(ERANGE);
2100+ return NULL;
2101+ }
2102+
2103+ if (setting[0] != '$' ||
2104+ setting[1] != '2' ||
2105+ setting[2] != 'a' ||
2106+ setting[3] != '$' ||
2107+ setting[4] < '0' || setting[4] > '3' ||
2108+ setting[5] < '0' || setting[5] > '9' ||
2109+ setting[6] != '$') {
2110+ __set_errno(EINVAL);
2111+ return NULL;
2112+ }
2113+
2114+ count = (BF_word)1 << ((setting[4] - '0') * 10 + (setting[5] - '0'));
2115+ if (count < 16 || BF_decode(data.binary.salt, &setting[7], 16)) {
2116+ clean(data.binary.salt, sizeof(data.binary.salt));
2117+ __set_errno(EINVAL);
2118+ return NULL;
2119+ }
2120+
2121+ BF_swap(data.binary.salt, 4);
2122+
2123+ BF_set_key(key, data.expanded_key, data.ctx.P);
2124+
2125+ memcpy(data.ctx.S, BF_init_state.S, sizeof(data.ctx.S));
2126+
2127+ L = R = 0;
2128+ for (i = 0; i < BF_N + 2; i += 2) {
2129+ L ^= data.binary.salt[i & 2];
2130+ R ^= data.binary.salt[(i & 2) + 1];
2131+ BF_ENCRYPT;
2132+ data.ctx.P[i] = L;
2133+ data.ctx.P[i + 1] = R;
2134+ }
2135+
2136+ ptr = data.ctx.S[0];
2137+ do {
2138+ ptr += 4;
2139+ L ^= data.binary.salt[(BF_N + 2) & 3];
2140+ R ^= data.binary.salt[(BF_N + 3) & 3];
2141+ BF_ENCRYPT;
2142+ *(ptr - 4) = L;
2143+ *(ptr - 3) = R;
2144+
2145+ L ^= data.binary.salt[(BF_N + 4) & 3];
2146+ R ^= data.binary.salt[(BF_N + 5) & 3];
2147+ BF_ENCRYPT;
2148+ *(ptr - 2) = L;
2149+ *(ptr - 1) = R;
2150+ } while (ptr < &data.ctx.S[3][0xFF]);
2151+
2152+ do {
2153+ data.ctx.P[0] ^= data.expanded_key[0];
2154+ data.ctx.P[1] ^= data.expanded_key[1];
2155+ data.ctx.P[2] ^= data.expanded_key[2];
2156+ data.ctx.P[3] ^= data.expanded_key[3];
2157+ data.ctx.P[4] ^= data.expanded_key[4];
2158+ data.ctx.P[5] ^= data.expanded_key[5];
2159+ data.ctx.P[6] ^= data.expanded_key[6];
2160+ data.ctx.P[7] ^= data.expanded_key[7];
2161+ data.ctx.P[8] ^= data.expanded_key[8];
2162+ data.ctx.P[9] ^= data.expanded_key[9];
2163+ data.ctx.P[10] ^= data.expanded_key[10];
2164+ data.ctx.P[11] ^= data.expanded_key[11];
2165+ data.ctx.P[12] ^= data.expanded_key[12];
2166+ data.ctx.P[13] ^= data.expanded_key[13];
2167+ data.ctx.P[14] ^= data.expanded_key[14];
2168+ data.ctx.P[15] ^= data.expanded_key[15];
2169+ data.ctx.P[16] ^= data.expanded_key[16];
2170+ data.ctx.P[17] ^= data.expanded_key[17];
2171+
2172+ BF_body();
2173+
2174+ tmp1 = data.binary.salt[0];
2175+ tmp2 = data.binary.salt[1];
2176+ tmp3 = data.binary.salt[2];
2177+ tmp4 = data.binary.salt[3];
2178+ data.ctx.P[0] ^= tmp1;
2179+ data.ctx.P[1] ^= tmp2;
2180+ data.ctx.P[2] ^= tmp3;
2181+ data.ctx.P[3] ^= tmp4;
2182+ data.ctx.P[4] ^= tmp1;
2183+ data.ctx.P[5] ^= tmp2;
2184+ data.ctx.P[6] ^= tmp3;
2185+ data.ctx.P[7] ^= tmp4;
2186+ data.ctx.P[8] ^= tmp1;
2187+ data.ctx.P[9] ^= tmp2;
2188+ data.ctx.P[10] ^= tmp3;
2189+ data.ctx.P[11] ^= tmp4;
2190+ data.ctx.P[12] ^= tmp1;
2191+ data.ctx.P[13] ^= tmp2;
2192+ data.ctx.P[14] ^= tmp3;
2193+ data.ctx.P[15] ^= tmp4;
2194+ data.ctx.P[16] ^= tmp1;
2195+ data.ctx.P[17] ^= tmp2;
2196+
2197+ BF_body();
2198+ } while (--count);
2199+
2200+ for (i = 0; i < 6; i += 2) {
2201+ L = BF_magic_w[i];
2202+ R = BF_magic_w[i + 1];
2203+
2204+ count = 64;
2205+ do {
2206+ BF_ENCRYPT;
2207+ } while (--count);
2208+
2209+ data.binary.output[i] = L;
2210+ data.binary.output[i + 1] = R;
2211+ }
2212+
2213+ memcpy(output, setting, 7 + 22 - 1);
2214+ output[7 + 22 - 1] = BF_itoa64[(int)
2215+ BF_atoi64[(int)setting[7 + 22 - 1] - 0x20] & 0x30];
2216+
2217+/* This has to be bug-compatible with the original implementation, so
2218+ * only encode 23 of the 24 bytes. :-) */
2219+ BF_swap(data.binary.output, 6);
2220+ BF_encode(&output[7 + 22], data.binary.output, 23);
2221+ output[7 + 22 + 31] = '\0';
2222+
2223+/* Overwrite the most obvious sensitive data we have on the stack. Note
2224+ * that this does not guarantee there's no sensitive data left on the
2225+ * stack and/or in registers; I'm not aware of portable code that does. */
2226+ clean(&data, sizeof(data));
2227+
2228+ return output;
2229+}
2230+
2231+char *_crypt_gensalt_blowfish_rn(unsigned long count,
2232+ __CONST char *input, int size, char *output, int output_size)
2233+{
2234+ if (size < 16 || output_size < 7 + 22 + 1 ||
2235+ (count && (count < 4 || count > 31))) {
2236+ if (output_size > 0) output[0] = '\0';
2237+ __set_errno((output_size < 7 + 22 + 1) ? ERANGE : EINVAL);
2238+ return NULL;
2239+ }
2240+
2241+ if (!count) count = 5;
2242+
2243+ output[0] = '$';
2244+ output[1] = '2';
2245+ output[2] = 'a';
2246+ output[3] = '$';
2247+ output[4] = '0' + count / 10;
2248+ output[5] = '0' + count % 10;
2249+ output[6] = '$';
2250+
2251+ BF_encode(&output[7], (BF_word *)input, 16);
2252+ output[7 + 22] = '\0';
2253+
2254+ return output;
2255+}
2256diff -Nura php-4.4.2/ext/standard/crypt.c hardening-patch-4.4.2-0.4.10/ext/standard/crypt.c
2257--- php-4.4.2/ext/standard/crypt.c 2006-01-01 14:46:57.000000000 +0100
2258+++ hardening-patch-4.4.2-0.4.10/ext/standard/crypt.c 2006-05-11 10:36:02.000000000 +0200
2259@@ -100,6 +100,8 @@
2260 return SUCCESS;
2261 }
2262
2263+char *_crypt_blowfish_rn(char *key, char *setting, char *output, int size);
2264+char *_crypt_gensalt_blowfish_rn(unsigned long count, char *input, int size, char *output, int output_size);
2265
2266 static unsigned char itoa64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
2267
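Review bot: The two prototypes added here do not match the definitions in crypt_blowfish.c, which declare `key`, `setting` and `input` as `__CONST char *`; where `__CONST` expands to `const`, a plain `char *` declaration in this translation unit names an incompatible type for the same external function, and the compiler cannot catch that across files. Declaring them as `char *_crypt_blowfish_rn(const char *key, const char *setting, char *output, int size);` and `char *_crypt_gensalt_blowfish_rn(unsigned long count, const char *input, int size, char *output, int output_size);` in a header included by both files would let the compiler check them.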
2268@@ -135,7 +137,14 @@
2269
2270 /* The automatic salt generation only covers standard DES and md5-crypt */
2271 if(!*salt) {
2272-#if PHP_MD5_CRYPT
2273+#if PHP_BLOWFISH_CRYPT
2274+ char randat[16];
2275+ int i;
2276+
2277+ for (i=0; i<16; i++) randat[i] = PHP_CRYPT_RAND;
2278+
2279+ _crypt_gensalt_blowfish_rn(5, randat, sizeof(randat), salt, sizeof(salt));
2280+#elif PHP_MD5_CRYPT
2281 strcpy(salt, "$1$");
2282 php_to64(&salt[3], PHP_CRYPT_RAND, 4);
2283 php_to64(&salt[7], PHP_CRYPT_RAND, 4);
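Review bot: The context comment above this hunk, `/* The automatic salt generation only covers standard DES and md5-crypt */`, is now wrong: with PHP_BLOWFISH_CRYPT set the generated salt is a `$2a$05$` bcrypt setting, so it should read `/* Automatic salt generation prefers blowfish, then md5-crypt, then standard DES */`. Separately, `randat[i] = PHP_CRYPT_RAND` keeps only the low byte of each value, so the 16 salt bytes carry 128 bits only if PHP_CRYPT_RAND yields at least 8 independent bits per call from a suitably seeded generator; its definition is not in this hunk, and a predictable salt weakens the resulting hash, so that is worth confirming. The return value of `_crypt_gensalt_blowfish_rn` is also ignored; on failure it leaves an empty salt and the code below falls through to the system crypt() with it, so `if (!_crypt_gensalt_blowfish_rn(5, randat, sizeof(randat), salt, sizeof(salt))) { RETURN_FALSE; }` would make that failure visible.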
2284@@ -145,8 +154,24 @@
2285 salt[2] = '\0';
2286 #endif
2287 }
2288-
2289- RETVAL_STRING(crypt(str, salt), 1);
2290+
2291+ if (salt[0] == '$' &&
2292+ salt[1] == '2' &&
2293+ salt[2] == 'a' &&
2294+ salt[3] == '$' &&
2295+ salt[4] >= '0' && salt[4] <= '3' &&
2296+ salt[5] >= '0' && salt[5] <= '9' &&
2297+ salt[6] == '$') {
2298+
2299+ char output[PHP_MAX_SALT_LEN+1];
2300+
2301+ output[0] = 0;
2302+ _crypt_blowfish_rn(str, salt, output, sizeof(output));
2303+ RETVAL_STRING(output, 1);
2304+
2305+ } else {
2306+ RETVAL_STRING(crypt(str, salt), 1);
2307+ }
2308 }
2309 /* }}} */
2310 #endif
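Review bot: The return value of `_crypt_blowfish_rn` is discarded, so when it fails (NULL with EINVAL for a salt whose cost is below 4 or whose base64 part is malformed, NULL with ERANGE when `size` is below 61) this branch returns the empty string left by `output[0] = 0` instead of signalling an error, and a caller comparing the result with a stored hash cannot tell. Checking it, `if (!_crypt_blowfish_rn(str, salt, output, sizeof(output))) { RETURN_FALSE; }`, preferably with a warning, is the minimal fix; whether `PHP_MAX_SALT_LEN+1` is at least 61 is not visible here and is worth confirming, since otherwise every call would fail this way. The gate also admits cost digits up to `39`, while `_crypt_blowfish_rn` computes `1 << cost`, which is undefined for 32..39 if BF_word is 32 bits, and a cost of 31 makes one crypt() call run 2^31 key-expansion iterations; if the salt can originate from user input, bounding the cost here or checking errno after the call limits that exposure.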
2311diff -Nura php-4.4.2/ext/standard/dl.c hardening-patch-4.4.2-0.4.10/ext/standard/dl.c
2312--- php-4.4.2/ext/standard/dl.c 2006-01-01 14:46:57.000000000 +0100
2313+++ hardening-patch-4.4.2-0.4.10/ext/standard/dl.c 2006-05-11 10:36:02.000000000 +0200
2314@@ -160,8 +160,35 @@
2315 RETURN_FALSE;
2316 }
2317 module_entry = get_module();
2318+
2319+ /* check if Hardening-Patch is installed */
2320+ if (module_entry->zend_api < 1000000000) {
2321+ php_error_docref(NULL TSRMLS_CC, error_type,
2322+ "%s: Unable to initialize module\n"
2323+ "Module compiled without Hardening-Patch, module API=%d, debug=%d, thread-safety=%d\n"
2324+ "PHP compiled with Hardening-Patch=%d, module API=%d, debug=%d, thread-safety=%d\n"
2325+ "These options need to match\n",
2326+ module_entry->name, module_entry->zend_api, module_entry->zend_debug, module_entry->zts,
2327+ HARDENING_PATCH_ZEND_MODULE_API_NO, ZEND_MODULE_API_NO, ZEND_DEBUG, USING_ZTS);
2328+ DL_UNLOAD(handle);
2329+ RETURN_FALSE;
2330+ }
2331+
2332+ /* check if correct Hardening-Patch is installed */
2333+ if (module_entry->zend_api != HARDENING_PATCH_ZEND_MODULE_API_NO) {
2334+ php_error_docref(NULL TSRMLS_CC, error_type,
2335+ "%s: Unable to initialize module\n"
2336+ "Module compiled with Hardening-Patch=%d, module API=%d, debug=%d, thread-safety=%d\n"
2337+ "PHP compiled with Hardening-Patch=%d, module API=%d, debug=%d, thread-safety=%d\n"
2338+ "These options need to match\n",
2339+ module_entry->name, module_entry->zend_api, module_entry->real_zend_api, module_entry->zend_debug, module_entry->zts,
2340+ HARDENING_PATCH_ZEND_MODULE_API_NO, ZEND_MODULE_API_NO, ZEND_DEBUG, USING_ZTS);
2341+ DL_UNLOAD(handle);
2342+ RETURN_FALSE;
2343+ }
2344+
2345 if ((module_entry->zend_debug != ZEND_DEBUG) || (module_entry->zts != USING_ZTS)
2346- || (module_entry->zend_api != ZEND_MODULE_API_NO)) {
2347+ || (module_entry->real_zend_api != ZEND_MODULE_API_NO)) {
2348 /* Check for pre-4.1.0 module which has a slightly different module_entry structure :( */
2349 struct pre_4_1_0_module_entry {
2350 char *name;
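Review bot: The two new checks run before the pre-4.1.0 layout handling that follows them and read `zend_api` at the current struct offset for every module; for a module built against the older `pre_4_1_0_module_entry` layout that slot likely holds something else, so such a module is reported as "compiled without Hardening-Patch" with meaningless API/debug/zts numbers and the dedicated pre-4.1.0 diagnostic below becomes unreachable. If that fallback is still meant to work, the new checks belong after the layout detection. The field overloading is also undocumented: a comment such as `/* on patched modules zend_api carries the Hardening-Patch API number and real_zend_api the Zend one */` above the first check would help, and where `real_zend_api` is populated is not in this hunk.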
2351@@ -195,7 +222,7 @@
2352 zts = ((struct pre_4_1_0_module_entry *)module_entry)->zts;
2353 } else {
2354 name = module_entry->name;
2355- zend_api = module_entry->zend_api;
2356+ zend_api = module_entry->real_zend_api;
2357 zend_debug = module_entry->zend_debug;
2358 zts = module_entry->zts;
2359 }
2360diff -Nura php-4.4.2/ext/standard/file.c hardening-patch-4.4.2-0.4.10/ext/standard/file.c
2361--- php-4.4.2/ext/standard/file.c 2006-01-01 14:46:57.000000000 +0100
2362+++ hardening-patch-4.4.2-0.4.10/ext/standard/file.c 2006-05-11 10:36:02.000000000 +0200
2363@@ -21,7 +21,7 @@
2364 +----------------------------------------------------------------------+
2365 */
2366
2367-/* $Id: file.c,v 1.279.2.70.2.3 2006/01/01 13:46:57 sniper Exp $ */
2368+/* $Id: file.c,v 1.279.2.70.2.7 2006/04/14 17:46:59 pollita Exp $ */
2369
2370 /* Synced with php 3.0 revision 1.218 1999-06-16 [ssb] */
2371
2372@@ -552,7 +552,7 @@
2373 pval **arg1, **arg2;
2374 char *d;
2375 char *opened_path;
2376- char p[64];
2377+ char *p;
2378 FILE *fp;
2379
2380 if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &arg1, &arg2) == FAILURE) {
2381@@ -566,7 +566,11 @@
2382 }
2383
2384 d = estrndup(Z_STRVAL_PP(arg1), Z_STRLEN_PP(arg1));
2385- strlcpy(p, Z_STRVAL_PP(arg2), sizeof(p));
2386+
2387+ p = php_basename(Z_STRVAL_PP(arg2), Z_STRLEN_PP(arg2), NULL, 0);
2388+ if (strlen(p) > 64) {
2389+ p[63] = '\0';
2390+ }
2391
2392 if ((fp = php_open_temporary_file(d, p, &opened_path TSRMLS_CC))) {
2393 fclose(fp);
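Review bot: The truncation bound is inconsistent with the index it writes: `strlen(p) > 64` leaves a 64-character prefix untouched, while the removed `char p[64]` with `strlcpy` capped it at 63, and a 65-character name is cut to 63. Using `if (strlen(p) > 63) { p[63] = '\0'; }` (or a named limit) makes the cap match the old behaviour and the index. A short comment on why the prefix is limited, e.g. `/* keep the prefix within the bound the old fixed buffer imposed */`, would also help, since nothing here says what consumes the length. The `php_basename` result is not checked for NULL; if it always returns an allocated string, as this use assumes, that is fine, but it is not visible in this hunk.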
2394@@ -574,6 +578,7 @@
2395 } else {
2396 RETVAL_FALSE;
2397 }
2398+ efree(p);
2399 efree(d);
2400 }
2401 /* }}} */
2402@@ -819,7 +824,7 @@
2403
2404 /* If seconds is not set to null, build the timeval, else we wait indefinitely */
2405 if (sec != NULL) {
2406- convert_to_long_ex(&sec);
2407+ convert_to_long(sec);
2408
2409 if (usec > 999999) {
2410 tv.tv_sec = Z_LVAL_P(sec) + (usec / 1000000);
2411@@ -2196,7 +2201,7 @@
2412 safe_to_copy:
2413
2414 srcstream = php_stream_open_wrapper(src, "rb",
2415- STREAM_DISABLE_OPEN_BASEDIR | REPORT_ERRORS,
2416+ ENFORCE_SAFE_MODE | REPORT_ERRORS,
2417 NULL);
2418
2419 if (!srcstream)
2420@@ -2522,7 +2527,7 @@
2421 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
2422 /* {{{ proto string realpath(string path)
2423 Return the resolved path */
2424-PHP_FUNCTION(realpath)
2425+PHP_FUNCTION(real_path)
2426 {
2427 zval **path;
2428 char resolved_path_buff[MAXPATHLEN];
2429diff -Nura php-4.4.2/ext/standard/file.h hardening-patch-4.4.2-0.4.10/ext/standard/file.h
2430--- php-4.4.2/ext/standard/file.h 2006-01-01 14:46:57.000000000 +0100
2431+++ hardening-patch-4.4.2-0.4.10/ext/standard/file.h 2006-05-11 10:36:02.000000000 +0200
2432@@ -64,7 +64,7 @@
2433 PHP_FUNCTION(fd_set);
2434 PHP_FUNCTION(fd_isset);
2435 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
2436-PHP_FUNCTION(realpath);
2437+PHP_FUNCTION(real_path);
2438 #endif
2439 #ifdef HAVE_FNMATCH
2440 PHP_FUNCTION(fnmatch);
2441diff -Nura php-4.4.2/ext/standard/head.c hardening-patch-4.4.2-0.4.10/ext/standard/head.c
2442--- php-4.4.2/ext/standard/head.c 2006-01-01 14:46:57.000000000 +0100
2443+++ hardening-patch-4.4.2-0.4.10/ext/standard/head.c 2006-05-11 10:36:02.000000000 +0200
2444@@ -44,7 +44,7 @@
2445 if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|bl", &ctr.line,
2446 &ctr.line_len, &rep, &ctr.response_code) == FAILURE)
2447 return;
2448-
2449+
2450 sapi_header_op(rep ? SAPI_HEADER_REPLACE:SAPI_HEADER_ADD, &ctr TSRMLS_CC);
2451 }
2452 /* }}} */
2453diff -Nura php-4.4.2/ext/standard/html.c hardening-patch-4.4.2-0.4.10/ext/standard/html.c
2454--- php-4.4.2/ext/standard/html.c 2006-01-01 14:46:57.000000000 +0100
2455+++ hardening-patch-4.4.2-0.4.10/ext/standard/html.c 2006-05-11 10:36:02.000000000 +0200
2456@@ -18,7 +18,7 @@
2457 +----------------------------------------------------------------------+
2458 */
2459
2460-/* $Id: html.c,v 1.63.2.23.2.1 2006/01/01 13:46:57 sniper Exp $ */
2461+/* $Id: html.c,v 1.63.2.23.2.2 2006/02/25 21:33:06 rasmus Exp $ */
2462
2463 /*
2464 * HTML entity resources:
2465@@ -793,7 +793,7 @@
2466 enum entity_charset charset = determine_charset(hint_charset TSRMLS_CC);
2467 unsigned char replacement[15];
2468
2469- ret = estrdup(old);
2470+ ret = estrndup(old, oldlen);
2471 retlen = oldlen;
2472 if (!retlen) {
2473 goto empty_source;
2474diff -Nura php-4.4.2/ext/standard/info.c hardening-patch-4.4.2-0.4.10/ext/standard/info.c
2475--- php-4.4.2/ext/standard/info.c 2006-01-01 14:46:57.000000000 +0100
2476+++ hardening-patch-4.4.2-0.4.10/ext/standard/info.c 2006-05-11 10:38:59.000000000 +0200
2477@@ -58,6 +58,23 @@
2478
2479 PHPAPI extern char *php_ini_opened_path;
2480 PHPAPI extern char *php_ini_scanned_files;
2481+
2482+static int php_info_write_wrapper(const char *str, uint str_length)
2483+{
2484+ int new_len, written;
2485+ char *elem_esc;
2486+
2487+ TSRMLS_FETCH();
2488+
2489+ elem_esc = php_escape_html_entities((char *)str, str_length, &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
2490+
2491+ written = php_body_write(elem_esc, new_len TSRMLS_CC);
2492+
2493+ efree(elem_esc);
2494+
2495+ return written;
2496+}
2497+
2498
2499 /* {{{ _display_module_info
2500 */
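Review bot: `php_info_write_wrapper` has no comment saying that it exists to HTML-escape everything `zend_print_zval_ex` emits, and its return value is the byte count of the escaped text rather than of `str`, so a caller that compares the return with `str_length` would see a mismatch whenever escaping expanded the text (whether zend_print_zval_ex does so is not visible here). Suggest a header comment: `/* zend_write_func_t that HTML-escapes its input before writing; returns the number of escaped bytes written, which may exceed str_length */`. If the caller does check the count, returning `str_length` on a full write of `elem_esc` would be the alternative.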
2501@@ -133,23 +150,12 @@
2502 PUTS(" => ");
2503 }
2504 if (Z_TYPE_PP(tmp) == IS_ARRAY) {
2505- zval *tmp3;
2506- MAKE_STD_ZVAL(tmp3);
2507 if (!sapi_module.phpinfo_as_text) {
2508 PUTS("<pre>");
2509- }
2510- php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
2511- zend_print_zval_r(*tmp, 0);
2512- php_ob_get_buffer(tmp3 TSRMLS_CC);
2513- php_end_ob_buffer(0, 0 TSRMLS_CC);
2514-
2515- elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
2516- PUTS(elem_esc);
2517- efree(elem_esc);
2518- zval_ptr_dtor(&tmp3);
2519-
2520- if (!sapi_module.phpinfo_as_text) {
2521+ zend_print_zval_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0);
2522 PUTS("</pre>");
2523+ } else {
2524+ zend_print_zval_r(*tmp, 0);
2525 }
2526 } else if (Z_TYPE_PP(tmp) != IS_STRING) {
2527 tmp2 = **tmp;
2528@@ -408,7 +414,7 @@
2529
2530 if (flag & PHP_INFO_GENERAL) {
2531 char *zend_version = get_zend_version();
2532- char temp_api[9];
2533+ char temp_api[11];
2534
2535 php_uname = php_get_uname('a');
2536
2537@@ -430,11 +436,22 @@
2538 }
2539 }
2540
2541+#if HARDENING_PATCH
2542+ if (!sapi_module.phpinfo_as_text) {
2543+ php_printf("<h1 class=\"p\">PHP Version %s with <a href=\"http://www.hardened-php.net\">Hardening-Patch</a> %s</h1>\n", PHP_VERSION, HARDENING_PATCH_VERSION);
2544+ } else {
2545+ char temp_ver[40];
2546+
2547+ snprintf(temp_ver, sizeof(temp_ver), "%s/%s", PHP_VERSION, HARDENING_PATCH_VERSION);
2548+ php_info_print_table_row(2, "PHP/Hardening-Patch Version", temp_ver);
2549+ }
2550+#else
2551 if (!sapi_module.phpinfo_as_text) {
2552 php_printf("<h1 class=\"p\">PHP Version %s</h1>\n", PHP_VERSION);
2553 } else {
2554 php_info_print_table_row(2, "PHP Version", PHP_VERSION);
2555 }
2556+#endif
2557 php_info_print_box_end();
2558 php_info_print_table_start();
2559 php_info_print_table_row(2, "System", php_uname );
2560diff -Nura php-4.4.2/ext/standard/pack.c hardening-patch-4.4.2-0.4.10/ext/standard/pack.c
2561--- php-4.4.2/ext/standard/pack.c 2006-01-01 14:46:57.000000000 +0100
2562+++ hardening-patch-4.4.2-0.4.10/ext/standard/pack.c 2006-05-11 10:36:02.000000000 +0200
2563@@ -15,7 +15,7 @@
2564 | Author: Chris Schneider <cschneid@relog.ch> |
2565 +----------------------------------------------------------------------+
2566 */
2567-/* $Id: pack.c,v 1.40.2.7.2.4 2006/01/01 13:46:57 sniper Exp $ */
2568+/* $Id: pack.c,v 1.40.2.7.2.5 2006/01/26 15:47:31 iliaa Exp $ */
2569
2570 #include "php.h"
2571
2572@@ -693,7 +693,9 @@
2573 len = size * 2;
2574 }
2575
2576- len -= argb % 2;
2577+ if (argb > 0) {
2578+ len -= argb % 2;
2579+ }
2580
2581 buf = emalloc(len + 1);
2582
2583diff -Nura php-4.4.2/ext/standard/php_standard.h hardening-patch-4.4.2-0.4.10/ext/standard/php_standard.h
2584--- php-4.4.2/ext/standard/php_standard.h 2006-01-01 14:46:58.000000000 +0100
2585+++ hardening-patch-4.4.2-0.4.10/ext/standard/php_standard.h 2006-05-11 10:36:02.000000000 +0200
2586@@ -28,6 +28,7 @@
2587 #include "php_mail.h"
2588 #include "md5.h"
2589 #include "sha1.h"
2590+#include "sha256.h"
2591 #include "html.h"
2592 #include "exec.h"
2593 #include "file.h"
2594diff -Nura php-4.4.2/ext/standard/sha256.c hardening-patch-4.4.2-0.4.10/ext/standard/sha256.c
2595--- php-4.4.2/ext/standard/sha256.c 1970-01-01 01:00:00.000000000 +0100
2596+++ hardening-patch-4.4.2-0.4.10/ext/standard/sha256.c 2006-05-11 10:36:02.000000000 +0200
2597@@ -0,0 +1,398 @@
2598+/*
2599+ +----------------------------------------------------------------------+
2600+ | PHP Version 5 |
2601+ +----------------------------------------------------------------------+
2602+ | Copyright (c) 1997-2004 The PHP Group |
2603+ +----------------------------------------------------------------------+
2604+ | This source file is subject to version 3.0 of the PHP license, |
2605+ | that is bundled with this package in the file LICENSE, and is |
2606+ | available through the world-wide-web at the following url: |
2607+ | http://www.php.net/license/3_0.txt. |
2608+ | If you did not receive a copy of the PHP license and are unable to |
2609+ | obtain it through the world-wide-web, please send a note to |
2610+ | license@php.net so we can mail you a copy immediately. |
2611+ +----------------------------------------------------------------------+
2612+ | Author: Stefan Esser <sesser@php.net> |
2613+ +----------------------------------------------------------------------+
2614+*/
2615+
2616+/* $Id: sha256.c,v 1.9 2004/01/08 08:17:34 andi Exp $ */
2617+
2618+#include <stdio.h>
2619+#include "php.h"
2620+
2621+/* This code is heavily based on the PHP md5/sha1 implementations */
2622+
2623+#include "sha256.h"
2624+
2625+PHPAPI void make_sha256_digest(char *sha256str, unsigned char *digest)
2626+{
2627+ int i;
2628+
2629+ for (i = 0; i < 32; i++) {
2630+ sprintf(sha256str, "%02x", digest[i]);
2631+ sha256str += 2;
2632+ }
2633+
2634+ *sha256str = '\0';
2635+}
2636+
2637+/* {{{ proto string sha256(string str [, bool raw_output])
2638+ Calculate the sha256 hash of a string */
2639+PHP_FUNCTION(sha256)
2640+{
2641+ char *arg;
2642+ int arg_len;
2643+ zend_bool raw_output = 0;
2644+ char sha256str[65];
2645+ PHP_SHA256_CTX context;
2646+ unsigned char digest[32];
2647+
2648+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &arg, &arg_len, &raw_output) == FAILURE) {
2649+ return;
2650+ }
2651+
2652+ sha256str[0] = '\0';
2653+ PHP_SHA256Init(&context);
2654+ PHP_SHA256Update(&context, arg, arg_len);
2655+ PHP_SHA256Final(digest, &context);
2656+ if (raw_output) {
2657+ RETURN_STRINGL(digest, 32, 1);
2658+ } else {
2659+ make_sha256_digest(sha256str, digest);
2660+ RETVAL_STRING(sha256str, 1);
2661+ }
2662+
2663+}
2664+
2665+/* }}} */
2666+
2667+/* {{{ proto string sha256_file(string filename [, bool raw_output])
2668+ Calculate the sha256 hash of given filename */
2669+PHP_FUNCTION(sha256_file)
2670+{
2671+ char *arg;
2672+ int arg_len;
2673+ zend_bool raw_output = 0;
2674+ char sha256str[65];
2675+ unsigned char buf[1024];
2676+ unsigned char digest[32];
2677+ PHP_SHA256_CTX context;
2678+ int n;
2679+ FILE *fp;
2680+
2681+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &arg, &arg_len, &raw_output) == FAILURE) {
2682+ return;
2683+ }
2684+
2685+ if (PG(safe_mode) && (!php_checkuid(arg, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
2686+ RETURN_FALSE;
2687+ }
2688+
2689+ if (php_check_open_basedir(arg TSRMLS_CC)) {
2690+ RETURN_FALSE;
2691+ }
2692+
2693+ if ((fp = VCWD_FOPEN(arg, "rb")) == NULL) {
2694+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to open file");
2695+ RETURN_FALSE;
2696+ }
2697+
2698+ PHP_SHA256Init(&context);
2699+
2700+ while ((n = fread(buf, 1, sizeof(buf), fp)) > 0) {
2701+ PHP_SHA256Update(&context, buf, n);
2702+ }
2703+
2704+ PHP_SHA256Final(digest, &context);
2705+
2706+ if (ferror(fp)) {
2707+ fclose(fp);
2708+ RETURN_FALSE;
2709+ }
2710+
2711+ fclose(fp);
2712+
2713+ if (raw_output) {
2714+ RETURN_STRINGL(digest, 32, 1);
2715+ } else {
2716+ make_sha256_digest(sha256str, digest);
2717+ RETVAL_STRING(sha256str, 1);
2718+ }
2719+}
2720+/* }}} */
2721+
2722+
2723+static void SHA256Transform(php_uint32[8], const unsigned char[64]);
2724+static void SHA256Encode(unsigned char *, php_uint32 *, unsigned int);
2725+static void SHA256Decode(php_uint32 *, const unsigned char *, unsigned int);
2726+
2727+static unsigned char PADDING[64] =
2728+{
2729+ 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
2730+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
2731+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
2732+};
2733+
2734+/* F, G, H and I are basic SHA256 functions.
2735+ */
2736+#define F(x) (ROTATE_RIGHT(x,2) ^ ROTATE_RIGHT(x,13) ^ ROTATE_RIGHT(x,22))
2737+#define G(x, y, z) (((x) & (y)) | ((z) & ((y) | (x))))
2738+#define H(x) (ROTATE_RIGHT(x,6) ^ ROTATE_RIGHT(x,11) ^ ROTATE_RIGHT(x,25))
2739+#define I(x, y, z) (((x) & (y)) | ((~x) & z))
2740+
2741+/* ROTATE_RIGHT rotates x right n bits.
2742+ */
2743+#define ROTATE_RIGHT(x, n) (((x) >> (n)) | ((x) << (32-(n))))
2744+
2745+/* W[i]
2746+ */
2747+#define W(i) ( tmp1=ROTATE_RIGHT(x[(i-15)&15],7)^ROTATE_RIGHT(x[(i-15)&15],18)^(x[(i-15)&15] >> 3), \
2748+ tmp2=ROTATE_RIGHT(x[(i-2)&15],17)^ROTATE_RIGHT(x[(i-2)&15],19)^(x[(i-2)&15] >> 10), \
2749+ (x[i&15]=x[i&15] + tmp1 + x[(i-7)&15] + tmp2) )
2750+
2751+/* ROUND function of sha256
2752+ */
2753+
2754+#define ROUND(a,b,c,d,e,f,g,h,w,k) { \
2755+ t1 = (h) + H((e)) + I((e), (f), (g)) + (k) + (php_uint32)(w); \
2756+ (h) = F((a)) + G((a), (b), (c)) + t1; \
2757+ (d) += t1; \
2758+ }
2759+
2760+
2761+/* {{{ PHP_SHA256Init
2762+ * SHA256 initialization. Begins an SHA256 operation, writing a new context.
2763+ */
2764+PHPAPI void PHP_SHA256Init(PHP_SHA256_CTX * context)
2765+{
2766+ context->count[0] = context->count[1] = 0;
2767+ /* Load magic initialization constants.
2768+ */
2769+ context->state[0] = 0x6a09e667;
2770+ context->state[1] = 0xbb67ae85;
2771+ context->state[2] = 0x3c6ef372;
2772+ context->state[3] = 0xa54ff53a;
2773+ context->state[4] = 0x510e527f;
2774+ context->state[5] = 0x9b05688c;
2775+ context->state[6] = 0x1f83d9ab;
2776+ context->state[7] = 0x5be0cd19;
2777+}
2778+/* }}} */
2779+
2780+/* {{{ PHP_SHA256Update
2781+ SHA256 block update operation. Continues an SHA256 message-digest
2782+ operation, processing another message block, and updating the
2783+ context.
2784+ */
2785+PHPAPI void PHP_SHA256Update(PHP_SHA256_CTX * context, const unsigned char *input,
2786+ unsigned int inputLen)
2787+{
2788+ unsigned int i, index, partLen;
2789+
2790+ /* Compute number of bytes mod 64 */
2791+ index = (unsigned int) ((context->count[0] >> 3) & 0x3F);
2792+
2793+ /* Update number of bits */
2794+ if ((context->count[0] += ((php_uint32) inputLen << 3))
2795+ < ((php_uint32) inputLen << 3))
2796+ context->count[1]++;
2797+ context->count[1] += ((php_uint32) inputLen >> 29);
2798+
2799+ partLen = 64 - index;
2800+
2801+ /* Transform as many times as possible.
2802+ */
2803+ if (inputLen >= partLen) {
2804+ memcpy
2805+ ((unsigned char*) & context->buffer[index], (unsigned char*) input, partLen);
2806+ SHA256Transform(context->state, context->buffer);
2807+
2808+ for (i = partLen; i + 63 < inputLen; i += 64)
2809+ SHA256Transform(context->state, &input[i]);
2810+
2811+ index = 0;
2812+ } else
2813+ i = 0;
2814+
2815+ /* Buffer remaining input */
2816+ memcpy
2817+ ((unsigned char*) & context->buffer[index], (unsigned char*) & input[i],
2818+ inputLen - i);
2819+}
2820+/* }}} */
2821+
2822+/* {{{ PHP_SHA256Final
2823+ SHA256 finalization. Ends an SHA256 message-digest operation, writing the
2824+ the message digest and zeroizing the context.
2825+ */
2826+PHPAPI void PHP_SHA256Final(unsigned char digest[32], PHP_SHA256_CTX * context)
2827+{
2828+ unsigned char bits[8];
2829+ unsigned int index, padLen;
2830+
2831+ /* Save number of bits */
2832+ bits[7] = context->count[0] & 0xFF;
2833+ bits[6] = (context->count[0] >> 8) & 0xFF;
2834+ bits[5] = (context->count[0] >> 16) & 0xFF;
2835+ bits[4] = (context->count[0] >> 24) & 0xFF;
2836+ bits[3] = context->count[1] & 0xFF;
2837+ bits[2] = (context->count[1] >> 8) & 0xFF;
2838+ bits[1] = (context->count[1] >> 16) & 0xFF;
2839+ bits[0] = (context->count[1] >> 24) & 0xFF;
2840+
2841+ /* Pad out to 56 mod 64.
2842+ */
2843+ index = (unsigned int) ((context->count[0] >> 3) & 0x3f);
2844+ padLen = (index < 56) ? (56 - index) : (120 - index);
2845+ PHP_SHA256Update(context, PADDING, padLen);
2846+
2847+ /* Append length (before padding) */
2848+ PHP_SHA256Update(context, bits, 8);
2849+
2850+ /* Store state in digest */
2851+ SHA256Encode(digest, context->state, 32);
2852+
2853+ /* Zeroize sensitive information.
2854+ */
2855+ memset((unsigned char*) context, 0, sizeof(*context));
2856+}
2857+/* }}} */
2858+
2859+/* {{{ SHA256Transform
2860+ * SHA256 basic transformation. Transforms state based on block.
2861+ */
2862+static void SHA256Transform(state, block)
2863+php_uint32 state[8];
2864+const unsigned char block[64];
2865+{
2866+ php_uint32 a = state[0], b = state[1], c = state[2];
2867+ php_uint32 d = state[3], e = state[4], f = state[5];
2868+ php_uint32 g = state[6], h = state[7], x[16], tmp1, tmp2, t1;
2869+
2870+ SHA256Decode(x, block, 64);
2871+
2872+ ROUND(a, b, c, d, e, f, g, h, x[0], 0x428a2f98)
2873+ ROUND(h, a, b, c, d, e, f, g, x[1], 0x71374491)
2874+ ROUND(g, h, a, b, c, d, e, f, x[2], 0xb5c0fbcf)
2875+ ROUND(f, g, h, a, b, c, d, e, x[3], 0xe9b5dba5)
2876+ ROUND(e, f, g, h, a, b, c, d, x[4], 0x3956c25b)
2877+ ROUND(d, e, f, g, h, a, b, c, x[5], 0x59f111f1)
2878+ ROUND(c, d, e, f, g, h, a, b, x[6], 0x923f82a4)
2879+ ROUND(b, c, d, e, f, g, h, a, x[7], 0xab1c5ed5)
2880+ ROUND(a, b, c, d, e, f, g, h, x[8], 0xd807aa98)
2881+ ROUND(h, a, b, c, d, e, f, g, x[9], 0x12835b01)
2882+ ROUND(g, h, a, b, c, d, e, f, x[10], 0x243185be)
2883+ ROUND(f, g, h, a, b, c, d, e, x[11], 0x550c7dc3)
2884+ ROUND(e, f, g, h, a, b, c, d, x[12], 0x72be5d74)
2885+ ROUND(d, e, f, g, h, a, b, c, x[13], 0x80deb1fe)
2886+ ROUND(c, d, e, f, g, h, a, b, x[14], 0x9bdc06a7)
2887+ ROUND(b, c, d, e, f, g, h, a, x[15], 0xc19bf174)
2888+ ROUND(a, b, c, d, e, f, g, h, W(16), 0xe49b69c1)
2889+ ROUND(h, a, b, c, d, e, f, g, W(17), 0xefbe4786)
2890+ ROUND(g, h, a, b, c, d, e, f, W(18), 0x0fc19dc6)
2891+ ROUND(f, g, h, a, b, c, d, e, W(19), 0x240ca1cc)
2892+ ROUND(e, f, g, h, a, b, c, d, W(20), 0x2de92c6f)
2893+ ROUND(d, e, f, g, h, a, b, c, W(21), 0x4a7484aa)
2894+ ROUND(c, d, e, f, g, h, a, b, W(22), 0x5cb0a9dc)
2895+ ROUND(b, c, d, e, f, g, h, a, W(23), 0x76f988da)
2896+ ROUND(a, b, c, d, e, f, g, h, W(24), 0x983e5152)
2897+ ROUND(h, a, b, c, d, e, f, g, W(25), 0xa831c66d)
2898+ ROUND(g, h, a, b, c, d, e, f, W(26), 0xb00327c8)
2899+ ROUND(f, g, h, a, b, c, d, e, W(27), 0xbf597fc7)
2900+ ROUND(e, f, g, h, a, b, c, d, W(28), 0xc6e00bf3)
2901+ ROUND(d, e, f, g, h, a, b, c, W(29), 0xd5a79147)
2902+ ROUND(c, d, e, f, g, h, a, b, W(30), 0x06ca6351)
2903+ ROUND(b, c, d, e, f, g, h, a, W(31), 0x14292967)
2904+ ROUND(a, b, c, d, e, f, g, h, W(32), 0x27b70a85)
2905+ ROUND(h, a, b, c, d, e, f, g, W(33), 0x2e1b2138)
2906+ ROUND(g, h, a, b, c, d, e, f, W(34), 0x4d2c6dfc)
2907+ ROUND(f, g, h, a, b, c, d, e, W(35), 0x53380d13)
2908+ ROUND(e, f, g, h, a, b, c, d, W(36), 0x650a7354)
2909+ ROUND(d, e, f, g, h, a, b, c, W(37), 0x766a0abb)
2910+ ROUND(c, d, e, f, g, h, a, b, W(38), 0x81c2c92e)
2911+ ROUND(b, c, d, e, f, g, h, a, W(39), 0x92722c85)
2912+ ROUND(a, b, c, d, e, f, g, h, W(40), 0xa2bfe8a1)
2913+ ROUND(h, a, b, c, d, e, f, g, W(41), 0xa81a664b)
2914+ ROUND(g, h, a, b, c, d, e, f, W(42), 0xc24b8b70)
2915+ ROUND(f, g, h, a, b, c, d, e, W(43), 0xc76c51a3)
2916+ ROUND(e, f, g, h, a, b, c, d, W(44), 0xd192e819)
2917+ ROUND(d, e, f, g, h, a, b, c, W(45), 0xd6990624)
2918+ ROUND(c, d, e, f, g, h, a, b, W(46), 0xf40e3585)
2919+ ROUND(b, c, d, e, f, g, h, a, W(47), 0x106aa070)
2920+ ROUND(a, b, c, d, e, f, g, h, W(48), 0x19a4c116)
2921+ ROUND(h, a, b, c, d, e, f, g, W(49), 0x1e376c08)
2922+ ROUND(g, h, a, b, c, d, e, f, W(50), 0x2748774c)
2923+ ROUND(f, g, h, a, b, c, d, e, W(51), 0x34b0bcb5)
2924+ ROUND(e, f, g, h, a, b, c, d, W(52), 0x391c0cb3)
2925+ ROUND(d, e, f, g, h, a, b, c, W(53), 0x4ed8aa4a)
2926+ ROUND(c, d, e, f, g, h, a, b, W(54), 0x5b9cca4f)
2927+ ROUND(b, c, d, e, f, g, h, a, W(55), 0x682e6ff3)
2928+ ROUND(a, b, c, d, e, f, g, h, W(56), 0x748f82ee)
2929+ ROUND(h, a, b, c, d, e, f, g, W(57), 0x78a5636f)
2930+ ROUND(g, h, a, b, c, d, e, f, W(58), 0x84c87814)
2931+ ROUND(f, g, h, a, b, c, d, e, W(59), 0x8cc70208)
2932+ ROUND(e, f, g, h, a, b, c, d, W(60), 0x90befffa)
2933+ ROUND(d, e, f, g, h, a, b, c, W(61), 0xa4506ceb)
2934+ ROUND(c, d, e, f, g, h, a, b, W(62), 0xbef9a3f7)
2935+ ROUND(b, c, d, e, f, g, h, a, W(63), 0xc67178f2)
2936+
2937+ state[0] += a;
2938+ state[1] += b;
2939+ state[2] += c;
2940+ state[3] += d;
2941+ state[4] += e;
2942+ state[5] += f;
2943+ state[6] += g;
2944+ state[7] += h;
2945+
2946+ /* Zeroize sensitive information. */
2947+ memset((unsigned char*) x, 0, sizeof(x));
2948+}
2949+/* }}} */
2950+
2951+/* {{{ SHA256Encode
2952+ Encodes input (php_uint32) into output (unsigned char). Assumes len is
2953+ a multiple of 4.
2954+ */
2955+static void SHA256Encode(output, input, len)
2956+unsigned char *output;
2957+php_uint32 *input;
2958+unsigned int len;
2959+{
2960+ unsigned int i, j;
2961+
2962+ for (i = 0, j = 0; j < len; i++, j += 4) {
2963+ output[j] = (unsigned char) ((input[i] >> 24) & 0xff);
2964+ output[j + 1] = (unsigned char) ((input[i] >> 16) & 0xff);
2965+ output[j + 2] = (unsigned char) ((input[i] >> 8) & 0xff);
2966+ output[j + 3] = (unsigned char) (input[i] & 0xff);
2967+ }
2968+}
2969+/* }}} */
2970+
2971+/* {{{ SHA256Decode
2972+ Decodes input (unsigned char) into output (php_uint32). Assumes len is
2973+ a multiple of 4.
2974+ */
2975+static void SHA256Decode(output, input, len)
2976+php_uint32 *output;
2977+const unsigned char *input;
2978+unsigned int len;
2979+{
2980+ unsigned int i, j;
2981+
2982+ for (i = 0, j = 0; j < len; i++, j += 4)
2983+ output[i] = ((php_uint32) input[j + 3]) | (((php_uint32) input[j + 2]) << 8) |
2984+ (((php_uint32) input[j + 1]) << 16) | (((php_uint32) input[j]) << 24);
2985+}
2986+/* }}} */
2987+
2988+/*
2989+ * Local variables:
2990+ * tab-width: 4
2991+ * c-basic-offset: 4
2992+ * End:
2993+ * vim600: sw=4 ts=4 fdm=marker
2994+ * vim<600: sw=4 ts=4
2995+ */
2996diff -Nura php-4.4.2/ext/standard/sha256.h hardening-patch-4.4.2-0.4.10/ext/standard/sha256.h
2997--- php-4.4.2/ext/standard/sha256.h 1970-01-01 01:00:00.000000000 +0100
2998+++ hardening-patch-4.4.2-0.4.10/ext/standard/sha256.h 2006-05-11 10:36:02.000000000 +0200
2999@@ -0,0 +1,40 @@
3000+/*
3001+ +----------------------------------------------------------------------+
3002+ | PHP Version 5 |
3003+ +----------------------------------------------------------------------+
3004+ | Copyright (c) 1997-2004 The PHP Group |
3005+ +----------------------------------------------------------------------+
3006+ | This source file is subject to version 3.0 of the PHP license, |
3007+ | that is bundled with this package in the file LICENSE, and is |
3008+ | available through the world-wide-web at the following url: |
3009+ | http://www.php.net/license/3_0.txt. |
3010+ | If you did not receive a copy of the PHP license and are unable to |
3011+ | obtain it through the world-wide-web, please send a note to |
3012+ | license@php.net so we can mail you a copy immediately. |
3013+ +----------------------------------------------------------------------+
3014+ | Author: Stefan Esser <sesser@php.net> |
3015+ +----------------------------------------------------------------------+
3016+*/
3017+
3018+/* $Id: sha256.h,v 1.4 2004/01/08 17:32:52 sniper Exp $ */
3019+
3020+#ifndef SHA256_H
3021+#define SHA256_H
3022+
3023+#include "ext/standard/basic_functions.h"
3024+
3025+/* SHA1 context. */
3026+typedef struct {
3027+ php_uint32 state[8]; /* state (ABCD) */
3028+ php_uint32 count[2]; /* number of bits, modulo 2^64 (lsb first) */
3029+ unsigned char buffer[64]; /* input buffer */
3030+} PHP_SHA256_CTX;
3031+
3032+PHPAPI void PHP_SHA256Init(PHP_SHA256_CTX *);
3033+PHPAPI void PHP_SHA256Update(PHP_SHA256_CTX *, const unsigned char *, unsigned int);
3034+PHPAPI void PHP_SHA256Final(unsigned char[32], PHP_SHA256_CTX *);
3035+
3036+PHP_FUNCTION(sha256);
3037+PHP_FUNCTION(sha256_file);
3038+
3039+#endif
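Review bot: The context struct is introduced by `/* SHA1 context. */` and its first field by `/* state (ABCD) */`, comments that describe the four-word MD5/SHA-1 layouts this file was presumably adapted from, while the struct declares eight 32-bit state words and is typedef'd `PHP_SHA256_CTX`; change them to `/* SHA256 context. */` and `/* state (A..H) */` so the 8-element array does not read as a copy-paste mistake. The banner says `PHP Version 5` in a patch against php-4.4.2, which looks inherited as well and is worth tidying in the same pass. The `count[2]` comment ("number of bits, modulo 2^64 (lsb first)") does match how `PHP_SHA256Update` carries `count[0]` into `count[1]` in the sha256.c section above, so that one can stay.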
3040diff -Nura php-4.4.2/ext/standard/string.c hardening-patch-4.4.2-0.4.10/ext/standard/string.c
3041--- php-4.4.2/ext/standard/string.c 2006-01-01 14:46:58.000000000 +0100
3042+++ hardening-patch-4.4.2-0.4.10/ext/standard/string.c 2006-05-11 10:36:02.000000000 +0200
3043@@ -18,7 +18,7 @@
3044 +----------------------------------------------------------------------+
3045 */
3046
3047-/* $Id: string.c,v 1.333.2.52.2.3 2006/01/01 13:46:58 sniper Exp $ */
3048+/* $Id: string.c,v 1.333.2.52.2.4 2006/03/13 14:41:27 iliaa Exp $ */
3049
3050 /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
3051
3052@@ -672,15 +672,13 @@
3053 /* Multiple character line break or forced cut */
3054 if (linelength > 0) {
3055 chk = (int)(textlen/linelength + 1);
3056+ newtext = safe_emalloc(chk, breakcharlen, textlen + 1);
3057 alloced = textlen + chk * breakcharlen + 1;
3058 } else {
3059 chk = textlen;
3060+ newtext = safe_emalloc(textlen, (breakcharlen + 1), 1);
3061 alloced = textlen * (breakcharlen + 1) + 1;
3062 }
3063- if (alloced <= 0) {
3064- RETURN_FALSE;
3065- }
3066- newtext = emalloc(alloced);
3067
3068 /* now keep track of the actual new text length */
3069 newtextlen = 0;
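Review bot: Dropping the `if (alloced <= 0) RETURN_FALSE;` guard removes the only check on `alloced` itself, while the new `safe_emalloc` calls validate only the allocation size; the `alloced = textlen + chk * breakcharlen + 1` and `alloced = textlen * (breakcharlen + 1) + 1` lines that remain still do unchecked arithmetic. If `alloced` is an `int` (its declaration is outside this hunk), on LP64 a size that `safe_emalloc` accepts as `size_t` can still overflow `alloced`, and any later use of it as a bound would then be wrong; memory_limit probably rejects such requests first, but that is not what the removed check guarded. Either compute `alloced` in `size_t` or keep a guard after the allocation, e.g. `if (alloced <= 0) { efree(newtext); RETURN_FALSE; }`. The enclosing function starts and ends outside the hunk.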
3070diff -Nura php-4.4.2/ext/standard/syslog.c hardening-patch-4.4.2-0.4.10/ext/standard/syslog.c
3071--- php-4.4.2/ext/standard/syslog.c 2006-01-01 14:46:58.000000000 +0100
3072+++ hardening-patch-4.4.2-0.4.10/ext/standard/syslog.c 2006-05-11 10:36:02.000000000 +0200
3073@@ -42,6 +42,8 @@
3074 */
3075 PHP_MINIT_FUNCTION(syslog)
3076 {
3077+
3078+#if !HARDENING_PATCH
3079 /* error levels */
3080 REGISTER_LONG_CONSTANT("LOG_EMERG", LOG_EMERG, CONST_CS | CONST_PERSISTENT); /* system unusable */
3081 REGISTER_LONG_CONSTANT("LOG_ALERT", LOG_ALERT, CONST_CS | CONST_PERSISTENT); /* immediate action required */
3082@@ -97,7 +99,7 @@
3083 /* AIX doesn't have LOG_PERROR */
3084 REGISTER_LONG_CONSTANT("LOG_PERROR", LOG_PERROR, CONST_CS | CONST_PERSISTENT); /*log to stderr*/
3085 #endif
3086-
3087+#endif
3088 return SUCCESS;
3089 }
3090 /* }}} */
3091diff -Nura php-4.4.2/ext/standard/url.c hardening-patch-4.4.2-0.4.10/ext/standard/url.c
3092--- php-4.4.2/ext/standard/url.c 2006-01-01 14:46:58.000000000 +0100
3093+++ hardening-patch-4.4.2-0.4.10/ext/standard/url.c 2006-05-11 10:36:02.000000000 +0200
3094@@ -15,7 +15,7 @@
3095 | Author: Jim Winstead <jimw@php.net> |
3096 +----------------------------------------------------------------------+
3097 */
3098-/* $Id: url.c,v 1.58.2.21.2.2 2006/01/01 13:46:58 sniper Exp $ */
3099+/* $Id: url.c,v 1.58.2.21.2.3 2006/02/12 16:43:03 iliaa Exp $ */
3100
3101 #include <stdlib.h>
3102 #include <string.h>
3103@@ -137,7 +137,7 @@
3104 p++;
3105 }
3106
3107- if ((*p) == '\0' || *p == '/') {
3108+ if ((*p == '\0' || *p == '/') && (p - e) < 7) {
3109 goto parse_port;
3110 }
3111
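Review bot: The new `(p - e) < 7` bound is an unexplained magic number on the one line that decides whether a digit run is treated as a port. A valid port has at most five digits, so `< 7` still admits six-digit runs and relies on a range check after `parse_port:` that is outside this hunk; put a comment on the condition such as `/* a port is at most 5 digits; a longer digit run cannot be a port */`, and if six digits is deliberate (e.g. to tolerate a leading zero) the comment should say so, otherwise the limit will be read as a typo. `e` is assigned outside the hunk and the enclosing function starts and ends outside it as well.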
3112diff -Nura php-4.4.2/ext/varfilter/config.m4 hardening-patch-4.4.2-0.4.10/ext/varfilter/config.m4
3113--- php-4.4.2/ext/varfilter/config.m4 1970-01-01 01:00:00.000000000 +0100
3114+++ hardening-patch-4.4.2-0.4.10/ext/varfilter/config.m4 2006-05-11 10:36:02.000000000 +0200
3115@@ -0,0 +1,11 @@
3116+dnl
3117+dnl $Id: config.m4,v 1.1 2004/11/14 13:27:16 ionic Exp $
3118+dnl
3119+
3120+PHP_ARG_ENABLE(varfilter, whether to enable Hardening-Patch's variable filter,
3121+[ --disable-varfilter Disable Hardening-Patch's variable filter], yes)
3122+
3123+if test "$PHP_VARFILTER" != "no"; then
3124+ AC_DEFINE(HAVE_VARFILTER, 1, [ ])
3125+ PHP_NEW_EXTENSION(varfilter, varfilter.c, $ext_shared)
3126+fi
3127diff -Nura php-4.4.2/ext/varfilter/CREDITS hardening-patch-4.4.2-0.4.10/ext/varfilter/CREDITS
3128--- php-4.4.2/ext/varfilter/CREDITS 1970-01-01 01:00:00.000000000 +0100
3129+++ hardening-patch-4.4.2-0.4.10/ext/varfilter/CREDITS 2006-05-11 10:36:02.000000000 +0200
3130@@ -0,0 +1,2 @@
3131+varfilter
3132+Stefan Esser
3133\ Kein Zeilenumbruch am Dateiende.
3134diff -Nura php-4.4.2/ext/varfilter/php_varfilter.h hardening-patch-4.4.2-0.4.10/ext/varfilter/php_varfilter.h
3135--- php-4.4.2/ext/varfilter/php_varfilter.h 1970-01-01 01:00:00.000000000 +0100
3136+++ hardening-patch-4.4.2-0.4.10/ext/varfilter/php_varfilter.h 2006-05-11 10:36:02.000000000 +0200
3137@@ -0,0 +1,144 @@
3138+/*
3139+ +----------------------------------------------------------------------+
3140+ | Hardened-PHP Project's varfilter extension |
3141+ +----------------------------------------------------------------------+
3142+ | Copyright (c) 2004-2005 Stefan Esser |
3143+ +----------------------------------------------------------------------+
3144+ | This source file is subject to version 2.02 of the PHP license, |
3145+ | that is bundled with this package in the file LICENSE, and is |
3146+ | available at through the world-wide-web at |
3147+ | http://www.php.net/license/2_02.txt. |
3148+ | If you did not receive a copy of the PHP license and are unable to |
3149+ | obtain it through the world-wide-web, please send a note to |
3150+ | license@php.net so we can mail you a copy immediately. |
3151+ +----------------------------------------------------------------------+
3152+ | Author: Stefan Esser <sesser@hardened-php.net> |
3153+ +----------------------------------------------------------------------+
3154+
3155+ $Id: php_varfilter.h,v 1.1 2004/11/14 13:27:16 ionic Exp $
3156+*/
3157+
3158+#ifndef PHP_VARFILTER_H
3159+#define PHP_VARFILTER_H
3160+
3161+extern zend_module_entry varfilter_module_entry;
3162+#define phpext_varfilter_ptr &varfilter_module_entry
3163+
3164+#ifdef PHP_WIN32
3165+#define PHP_VARFILTER_API __declspec(dllexport)
3166+#else
3167+#define PHP_VARFILTER_API
3168+#endif
3169+
3170+#ifdef ZTS
3171+#include "TSRM.h"
3172+#endif
3173+
3174+#include "SAPI.h"
3175+
3176+#include "php_variables.h"
3177+
3178+#ifdef ZEND_ENGINE_2
3179+#define HASH_HTTP_GET_VARS 0x2095733f
3180+#define HASH_HTTP_POST_VARS 0xbfee1265
3181+#define HASH_HTTP_COOKIE_VARS 0xaaca9d99
3182+#define HASH_HTTP_ENV_VARS 0x1fe186a8
3183+#define HASH_HTTP_SERVER_VARS 0xc987afd6
3184+#define HASH_HTTP_SESSION_VARS 0x7aba0d43
3185+#define HASH_HTTP_POST_FILES 0x98eb1ddc
3186+#define HASH_HTTP_RAW_POST_DATA 0xdd633fec
3187+#else
3188+#define HASH_HTTP_GET_VARS 0x8d8645bd
3189+#define HASH_HTTP_POST_VARS 0x7c699bf3
3190+#define HASH_HTTP_COOKIE_VARS 0x93ad0d6f
3191+#define HASH_HTTP_ENV_VARS 0x84da3016
3192+#define HASH_HTTP_SERVER_VARS 0x6dbf964e
3193+#define HASH_HTTP_SESSION_VARS 0x322906f5
3194+#define HASH_HTTP_POST_FILES 0xe4e4ce70
3195+#define HASH_HTTP_RAW_POST_DATA 0xe6137a0e
3196+#endif
3197+
3198+PHP_MINIT_FUNCTION(varfilter);
3199+PHP_MSHUTDOWN_FUNCTION(varfilter);
3200+PHP_RINIT_FUNCTION(varfilter);
3201+PHP_RSHUTDOWN_FUNCTION(varfilter);
3202+PHP_MINFO_FUNCTION(varfilter);
3203+
3204+
3205+ZEND_BEGIN_MODULE_GLOBALS(varfilter)
3206+/* request variables */
3207+ long max_request_variables;
3208+ long cur_request_variables;
3209+ long max_varname_length;
3210+ long max_totalname_length;
3211+ long max_value_length;
3212+ long max_array_depth;
3213+ long max_array_index_length;
3214+ zend_bool disallow_nul;
3215+/* cookie variables */
3216+ long max_cookie_vars;
3217+ long cur_cookie_vars;
3218+ long max_cookie_name_length;
3219+ long max_cookie_totalname_length;
3220+ long max_cookie_value_length;
3221+ long max_cookie_array_depth;
3222+ long max_cookie_array_index_length;
3223+ zend_bool disallow_cookie_nul;
3224+/* get variables */
3225+ long max_get_vars;
3226+ long cur_get_vars;
3227+ long max_get_name_length;
3228+ long max_get_totalname_length;
3229+ long max_get_value_length;
3230+ long max_get_array_depth;
3231+ long max_get_array_index_length;
3232+ zend_bool disallow_get_nul;
3233+/* post variables */
3234+ long max_post_vars;
3235+ long cur_post_vars;
3236+ long max_post_name_length;
3237+ long max_post_totalname_length;
3238+ long max_post_value_length;
3239+ long max_post_array_depth;
3240+ long max_post_array_index_length;
3241+ zend_bool disallow_post_nul;
3242+/* fileupload */
3243+ long max_uploads;
3244+ long cur_uploads;
3245+ zend_bool disallow_elf_files;
3246+ char *verification_script;
3247+
3248+ zend_bool no_more_variables;
3249+ zend_bool no_more_get_variables;
3250+ zend_bool no_more_post_variables;
3251+ zend_bool no_more_cookie_variables;
3252+ zend_bool no_more_uploads;
3253+
3254+ZEND_END_MODULE_GLOBALS(varfilter)
3255+
3256+
3257+#ifdef ZTS
3258+#define VARFILTER_G(v) TSRMG(varfilter_globals_id, zend_varfilter_globals *, v)
3259+#else
3260+#define VARFILTER_G(v) (varfilter_globals.v)
3261+#endif
3262+
3263+SAPI_INPUT_FILTER_FUNC(varfilter_input_filter);
3264+SAPI_UPLOAD_VARNAME_FILTER_FUNC(varfilter_upload_varname_filter);
3265+SAPI_PRE_UPLOAD_FILTER_FUNC(varfilter_pre_upload_filter);
3266+SAPI_UPLOAD_CONTENT_FILTER_FUNC(varfilter_upload_content_filter);
3267+SAPI_POST_UPLOAD_FILTER_FUNC(varfilter_post_upload_filter);
3268+SAPI_TREAT_DATA_FUNC(varfilter_treat_data);
3269+
3270+
3271+
3272+#endif /* PHP_VARFILTER_H */
3273+
3274+
3275+/*
3276+ * Local variables:
3277+ * tab-width: 4
3278+ * c-basic-offset: 4
3279+ * indent-tabs-mode: t
3280+ * End:
3281+ */
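Review bot: The `HASH_HTTP_*` constants are bare hexadecimal literals with nothing saying how they were produced; judging by their use as the `h` argument of `zend_hash_del_key_or_index(..., HASH_DEL_INDEX)` in varfilter.c further down, they are presumably precomputed Zend string hashes of the superglobal names, with the `ZEND_ENGINE_2` branch covering the engine's different hash function. If the engine's hash ever differs from the one used to generate them, the lookups silently stop matching and the superglobal-overwrite check in `varfilter_register_server_variables` degrades to a no-op with no error, which is the worst failure mode for a security filter. Add a comment above the first `#define` naming the generating function and engine version, and have MINIT compare each constant against `zend_hash_func(name, sizeof(name))` at startup so a mismatch is reported instead of ignored.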
3282diff -Nura php-4.4.2/ext/varfilter/varfilter.c hardening-patch-4.4.2-0.4.10/ext/varfilter/varfilter.c
3283--- php-4.4.2/ext/varfilter/varfilter.c 1970-01-01 01:00:00.000000000 +0100
3284+++ hardening-patch-4.4.2-0.4.10/ext/varfilter/varfilter.c 2006-05-11 10:37:14.000000000 +0200
3285@@ -0,0 +1,915 @@
3286+/*
3287+ +----------------------------------------------------------------------+
3288+ | Hardened-PHP Project's varfilter extension |
3289+ +----------------------------------------------------------------------+
3290+ | Copyright (c) 2004-2005 Stefan Esser |
3291+ +----------------------------------------------------------------------+
3292+ | This source file is subject to version 2.02 of the PHP license, |
3293+ | that is bundled with this package in the file LICENSE, and is |
3294+ | available at through the world-wide-web at |
3295+ | http://www.php.net/license/2_02.txt. |
3296+ | If you did not receive a copy of the PHP license and are unable to |
3297+ | obtain it through the world-wide-web, please send a note to |
3298+ | license@php.net so we can mail you a copy immediately. |
3299+ +----------------------------------------------------------------------+
3300+ | Author: Stefan Esser <sesser@hardened-php.net> |
3301+ +----------------------------------------------------------------------+
3302+
3303+ $Id: varfilter.c,v 1.1 2004/11/14 13:27:16 ionic Exp $
3304+*/
3305+
3306+#ifdef HAVE_CONFIG_H
3307+#include "config.h"
3308+#endif
3309+
3310+#include "php.h"
3311+#include "php_ini.h"
3312+#include "ext/standard/info.h"
3313+#include "php_varfilter.h"
3314+#include "hardening_patch.h"
3315+
3316+ZEND_DECLARE_MODULE_GLOBALS(varfilter)
3317+
3318+/* True global resources - no need for thread safety here */
3319+static int le_varfilter;
3320+
3321+static void (*orig_register_server_variables)(zval *track_vars_array TSRMLS_DC) = NULL;
3322+static int (*orig_header_handler)(sapi_header_struct *sapi_header, sapi_headers_struct *sapi_headers TSRMLS_DC) = NULL;
3323+static zend_bool hooked = 0;
3324+
3325+/* {{{ varfilter_module_entry
3326+ */
3327+zend_module_entry varfilter_module_entry = {
3328+#if ZEND_MODULE_API_NO >= 20010901
3329+ STANDARD_MODULE_HEADER,
3330+#endif
3331+ "varfilter",
3332+ NULL,
3333+ PHP_MINIT(varfilter),
3334+ PHP_MSHUTDOWN(varfilter),
3335+ PHP_RINIT(varfilter), /* Replace with NULL if there's nothing to do at request start */
3336+ PHP_RSHUTDOWN(varfilter), /* Replace with NULL if there's nothing to do at request end */
3337+ PHP_MINFO(varfilter),
3338+#if ZEND_MODULE_API_NO >= 20010901
3339+ "0.4.10", /* Replace with version number for your extension */
3340+#endif
3341+ STANDARD_MODULE_PROPERTIES
3342+};
3343+/* }}} */
3344+
3345+#ifdef COMPILE_DL_VARFILTER
3346+ZEND_GET_MODULE(varfilter)
3347+#endif
3348+
3349+/* {{{ PHP_INI
3350+ */
3351+PHP_INI_BEGIN()
3352+ /* for backward compatibility */
3353+ STD_PHP_INI_ENTRY("varfilter.max_request_variables", "200", PHP_INI_PERDIR, OnUpdateLong, max_request_variables, zend_varfilter_globals, varfilter_globals)
3354+ STD_PHP_INI_ENTRY("varfilter.max_varname_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_varname_length, zend_varfilter_globals, varfilter_globals)
3355+ STD_PHP_INI_ENTRY("varfilter.max_value_length", "65000", PHP_INI_PERDIR, OnUpdateLong, max_value_length, zend_varfilter_globals, varfilter_globals)
3356+ STD_PHP_INI_ENTRY("varfilter.max_array_depth", "100", PHP_INI_PERDIR, OnUpdateLong, max_array_depth, zend_varfilter_globals, varfilter_globals)
3357+ STD_PHP_INI_ENTRY("varfilter.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_totalname_length, zend_varfilter_globals, varfilter_globals)
3358+ STD_PHP_INI_ENTRY("varfilter.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_array_index_length, zend_varfilter_globals, varfilter_globals)
3359+
3360+ STD_PHP_INI_ENTRY("hphp.request.max_vars", "200", PHP_INI_PERDIR, OnUpdateLong, max_request_variables, zend_varfilter_globals, varfilter_globals)
3361+ STD_PHP_INI_ENTRY("hphp.request.max_varname_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_varname_length, zend_varfilter_globals, varfilter_globals)
3362+ STD_PHP_INI_ENTRY("hphp.request.max_value_length", "65000", PHP_INI_PERDIR, OnUpdateLong, max_value_length, zend_varfilter_globals, varfilter_globals)
3363+ STD_PHP_INI_ENTRY("hphp.request.max_array_depth", "100", PHP_INI_PERDIR, OnUpdateLong, max_array_depth, zend_varfilter_globals, varfilter_globals)
3364+ STD_PHP_INI_ENTRY("hphp.request.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_totalname_length, zend_varfilter_globals, varfilter_globals)
3365+ STD_PHP_INI_ENTRY("hphp.request.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_array_index_length, zend_varfilter_globals, varfilter_globals)
3366+ STD_PHP_INI_ENTRY("hphp.request.disallow_nul", "1", PHP_INI_PERDIR, OnUpdateBool, disallow_nul, zend_varfilter_globals, varfilter_globals)
3367+
3368+ STD_PHP_INI_ENTRY("hphp.cookie.max_vars", "100", PHP_INI_PERDIR, OnUpdateLong, max_cookie_vars, zend_varfilter_globals, varfilter_globals)
3369+ STD_PHP_INI_ENTRY("hphp.cookie.max_name_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_cookie_name_length, zend_varfilter_globals, varfilter_globals)
3370+ STD_PHP_INI_ENTRY("hphp.cookie.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_cookie_totalname_length, zend_varfilter_globals, varfilter_globals)
3371+ STD_PHP_INI_ENTRY("hphp.cookie.max_value_length", "10000", PHP_INI_PERDIR, OnUpdateLong, max_cookie_value_length, zend_varfilter_globals, varfilter_globals)
3372+ STD_PHP_INI_ENTRY("hphp.cookie.max_array_depth", "100", PHP_INI_PERDIR, OnUpdateLong, max_cookie_array_depth, zend_varfilter_globals, varfilter_globals)
3373+ STD_PHP_INI_ENTRY("hphp.cookie.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_cookie_array_index_length, zend_varfilter_globals, varfilter_globals)
3374+ STD_PHP_INI_ENTRY("hphp.cookie.disallow_nul", "1", PHP_INI_PERDIR, OnUpdateBool, disallow_cookie_nul, zend_varfilter_globals, varfilter_globals)
3375+
3376+ STD_PHP_INI_ENTRY("hphp.get.max_vars", "100", PHP_INI_PERDIR, OnUpdateLong, max_get_vars, zend_varfilter_globals, varfilter_globals)
3377+ STD_PHP_INI_ENTRY("hphp.get.max_name_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_get_name_length, zend_varfilter_globals, varfilter_globals)
3378+ STD_PHP_INI_ENTRY("hphp.get.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_get_totalname_length, zend_varfilter_globals, varfilter_globals)
3379+ STD_PHP_INI_ENTRY("hphp.get.max_value_length", "512", PHP_INI_PERDIR, OnUpdateLong, max_get_value_length, zend_varfilter_globals, varfilter_globals)
3380+ STD_PHP_INI_ENTRY("hphp.get.max_array_depth", "50", PHP_INI_PERDIR, OnUpdateLong, max_get_array_depth, zend_varfilter_globals, varfilter_globals)
3381+ STD_PHP_INI_ENTRY("hphp.get.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_get_array_index_length, zend_varfilter_globals, varfilter_globals)
3382+ STD_PHP_INI_ENTRY("hphp.get.disallow_nul", "1", PHP_INI_PERDIR, OnUpdateBool, disallow_get_nul, zend_varfilter_globals, varfilter_globals)
3383+
3384+ STD_PHP_INI_ENTRY("hphp.post.max_vars", "200", PHP_INI_PERDIR, OnUpdateLong, max_post_vars, zend_varfilter_globals, varfilter_globals)
3385+ STD_PHP_INI_ENTRY("hphp.post.max_name_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_post_name_length, zend_varfilter_globals, varfilter_globals)
3386+ STD_PHP_INI_ENTRY("hphp.post.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_post_totalname_length, zend_varfilter_globals, varfilter_globals)
3387+ STD_PHP_INI_ENTRY("hphp.post.max_value_length", "65000", PHP_INI_PERDIR, OnUpdateLong, max_post_value_length, zend_varfilter_globals, varfilter_globals)
3388+ STD_PHP_INI_ENTRY("hphp.post.max_array_depth", "100", PHP_INI_PERDIR, OnUpdateLong, max_post_array_depth, zend_varfilter_globals, varfilter_globals)
3389+ STD_PHP_INI_ENTRY("hphp.post.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_post_array_index_length, zend_varfilter_globals, varfilter_globals)
3390+ STD_PHP_INI_ENTRY("hphp.post.disallow_nul", "1", PHP_INI_PERDIR, OnUpdateBool, disallow_post_nul, zend_varfilter_globals, varfilter_globals)
3391+
3392+ STD_PHP_INI_ENTRY("hphp.upload.max_uploads", "25", PHP_INI_PERDIR, OnUpdateLong, max_uploads, zend_varfilter_globals, varfilter_globals)
3393+ STD_PHP_INI_ENTRY("hphp.upload.disallow_elf_files", "1", PHP_INI_SYSTEM, OnUpdateBool, disallow_elf_files, zend_varfilter_globals, varfilter_globals)
3394+ STD_PHP_INI_ENTRY("hphp.upload.verification_script", NULL, PHP_INI_SYSTEM, OnUpdateString, verification_script, zend_varfilter_globals, varfilter_globals)
3395+
3396+
3397+PHP_INI_END()
3398+/* }}} */
3399+
3400+/* {{{ php_varfilter_init_globals
3401+ */
3402+static void php_varfilter_init_globals(zend_varfilter_globals *varfilter_globals)
3403+{
3404+ varfilter_globals->max_request_variables = 200;
3405+ varfilter_globals->max_varname_length = 64;
3406+ varfilter_globals->max_value_length = 10000;
3407+ varfilter_globals->max_array_depth = 100;
3408+ varfilter_globals->max_totalname_length = 256;
3409+ varfilter_globals->max_array_index_length = 64;
3410+ varfilter_globals->disallow_nul = 1;
3411+
3412+ varfilter_globals->max_cookie_vars = 100;
3413+ varfilter_globals->max_cookie_name_length = 64;
3414+ varfilter_globals->max_cookie_totalname_length = 256;
3415+ varfilter_globals->max_cookie_value_length = 10000;
3416+ varfilter_globals->max_cookie_array_depth = 100;
3417+ varfilter_globals->max_cookie_array_index_length = 64;
3418+ varfilter_globals->disallow_cookie_nul = 1;
3419+
3420+ varfilter_globals->max_get_vars = 100;
3421+ varfilter_globals->max_get_name_length = 64;
3422+ varfilter_globals->max_get_totalname_length = 256;
3423+ varfilter_globals->max_get_value_length = 512;
3424+ varfilter_globals->max_get_array_depth = 50;
3425+ varfilter_globals->max_get_array_index_length = 64;
3426+ varfilter_globals->disallow_get_nul = 1;
3427+
3428+ varfilter_globals->max_post_vars = 200;
3429+ varfilter_globals->max_post_name_length = 64;
3430+ varfilter_globals->max_post_totalname_length = 256;
3431+ varfilter_globals->max_post_value_length = 65000;
3432+ varfilter_globals->max_post_array_depth = 100;
3433+ varfilter_globals->max_post_array_index_length = 64;
3434+ varfilter_globals->disallow_post_nul = 1;
3435+
3436+ varfilter_globals->max_uploads = 25;
3437+ varfilter_globals->disallow_elf_files = 1;
3438+ varfilter_globals->verification_script = NULL;
3439+
3440+ varfilter_globals->no_more_variables = 0;
3441+ varfilter_globals->no_more_get_variables = 0;
3442+ varfilter_globals->no_more_post_variables = 0;
3443+ varfilter_globals->no_more_cookie_variables = 0;
3444+ varfilter_globals->no_more_uploads = 0;
3445+
3446+ varfilter_globals->cur_request_variables = 0;
3447+ varfilter_globals->cur_get_vars = 0;
3448+ varfilter_globals->cur_post_vars = 0;
3449+ varfilter_globals->cur_cookie_vars = 0;
3450+
3451+ varfilter_globals->cur_uploads = 0;
3452+
3453+}
3454+/* }}} */
3455+
3456+
3457+void varfilter_register_server_variables(zval *track_vars_array TSRMLS_DC)
3458+{
3459+ HashTable *svars;
3460+ int retval, failure=0;
3461+
3462+ orig_register_server_variables(track_vars_array TSRMLS_CC);
3463+
3464+ svars = Z_ARRVAL_P(track_vars_array);
3465+
3466+ retval = zend_hash_del_key_or_index(svars, "HTTP_GET_VARS", sizeof("HTTP_GET_VARS"), HASH_HTTP_GET_VARS, HASH_DEL_INDEX);
3467+ if (retval == SUCCESS) failure = 1;
3468+ retval = zend_hash_del_key_or_index(svars, "HTTP_POST_VARS", sizeof("HTTP_POST_VARS"), HASH_HTTP_POST_VARS, HASH_DEL_INDEX);
3469+ if (retval == SUCCESS) failure = 1;
3470+ retval = zend_hash_del_key_or_index(svars, "HTTP_COOKIE_VARS", sizeof("HTTP_COOKIE_VARS"), HASH_HTTP_COOKIE_VARS, HASH_DEL_INDEX);
3471+ if (retval == SUCCESS) failure = 1;
3472+ retval = zend_hash_del_key_or_index(svars, "HTTP_ENV_VARS", sizeof("HTTP_ENV_VARS"), HASH_HTTP_ENV_VARS, HASH_DEL_INDEX);
3473+ if (retval == SUCCESS) failure = 1;
3474+ retval = zend_hash_del_key_or_index(svars, "HTTP_SERVER_VARS", sizeof("HTTP_SERVER_VARS"), HASH_HTTP_SERVER_VARS, HASH_DEL_INDEX);
3475+ if (retval == SUCCESS) failure = 1;
3476+ retval = zend_hash_del_key_or_index(svars, "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS"), HASH_HTTP_SESSION_VARS, HASH_DEL_INDEX);
3477+ if (retval == SUCCESS) failure = 1;
3478+ retval = zend_hash_del_key_or_index(svars, "HTTP_POST_FILES", sizeof("HTTP_POST_FILES"), HASH_HTTP_POST_FILES, HASH_DEL_INDEX);
3479+ if (retval == SUCCESS) failure = 1;
3480+ retval = zend_hash_del_key_or_index(svars, "HTTP_RAW_POST_DATA", sizeof("HTTP_RAW_POST_DATA"), HASH_HTTP_RAW_POST_DATA, HASH_DEL_INDEX);
3481+ if (retval == SUCCESS) failure = 1;
3482+
3483+ if (failure) {
3484+ php_security_log(S_VARS, "Attacker tried to overwrite a superglobal through a HTTP header");
3485+ }
3486+}
3487+
3488+int varfilter_header_handler(sapi_header_struct *sapi_header, sapi_headers_struct *sapi_headers TSRMLS_DC)
3489+{
3490+ int retval = SAPI_HEADER_ADD, i;
3491+ char *tmp;
3492+
3493+ if (!HG(hphp_multiheader) && sapi_header && sapi_header->header) {
3494+
3495+ tmp = sapi_header->header;
3496+ for (i=0; i<sapi_header->header_len; i++, tmp++) {
3497+ if (tmp[0] == 0) {
3498+ char *fname = get_active_function_name(TSRMLS_C);
3499+
3500+ if (!fname) {
3501+ fname = "unknown";
3502+ }
3503+
3504+ php_security_log(S_MISC, "%s() - wanted to send a HTTP header with an ASCII NUL in it", fname);
3505+ sapi_header->header_len = i;
3506+ } else if (tmp[0] == '\n' && (i == sapi_header->header_len-1 || (tmp[1] != ' ' && tmp[1] != '\t'))) {
3507+ char *fname = get_active_function_name(TSRMLS_C);
3508+
3509+ if (!fname) {
3510+ fname = "unknown";
3511+ }
3512+
3513+ php_security_log(S_MISC, "%s() - wanted to send multiple HTTP headers at once", fname);
3514+ sapi_header->header_len = i;
3515+ tmp[0] = 0;
3516+ }
3517+ }
3518+ }
3519+
3520+ if (orig_header_handler) {
3521+ retval = orig_header_handler(sapi_header, sapi_headers TSRMLS_CC);
3522+ }
3523+
3524+ return retval;
3525+}
3526+
3527+/* {{{ PHP_MINIT_FUNCTION
3528+ */
3529+PHP_MINIT_FUNCTION(varfilter)
3530+{
3531+ ZEND_INIT_MODULE_GLOBALS(varfilter, php_varfilter_init_globals, NULL);
3532+ REGISTER_INI_ENTRIES();
3533+
3534+ if (!hooked) {
3535+ void *temp;
3536+ hooked = 1;
3537+
3538+ temp = (void *)sapi_module.register_server_variables;
3539+ if (temp != varfilter_register_server_variables) {
3540+ orig_register_server_variables = temp;
3541+ }
3542+ temp = (void *)sapi_module.header_handler;
3543+ if (temp != varfilter_header_handler) {
3544+ orig_header_handler = temp;
3545+ }
3546+ }
3547+
3548+ sapi_register_input_filter(varfilter_input_filter);
3549+ sapi_register_upload_varname_filter(varfilter_upload_varname_filter);
3550+ sapi_register_pre_upload_filter(varfilter_pre_upload_filter);
3551+ sapi_register_upload_content_filter(varfilter_upload_content_filter);
3552+ sapi_register_post_upload_filter(varfilter_post_upload_filter);
3553+
3554+ sapi_module.header_handler = varfilter_header_handler;
3555+ sapi_module.register_server_variables = varfilter_register_server_variables;
3556+
3557+
3558+ return SUCCESS;
3559+}
3560+/* }}} */
3561+
3562+/* {{{ PHP_MSHUTDOWN_FUNCTION
3563+ */
3564+PHP_MSHUTDOWN_FUNCTION(varfilter)
3565+{
3566+ UNREGISTER_INI_ENTRIES();
3567+
3568+ return SUCCESS;
3569+}
3570+/* }}} */
3571+
3572+/* Remove if there's nothing to do at request start */
3573+/* {{{ PHP_RINIT_FUNCTION
3574+ */
3575+PHP_RINIT_FUNCTION(varfilter)
3576+{
3577+ VARFILTER_G(cur_request_variables) = 0;
3578+ VARFILTER_G(cur_get_vars) = 0;
3579+ VARFILTER_G(cur_post_vars) = 0;
3580+ VARFILTER_G(cur_cookie_vars) = 0;
3581+
3582+ VARFILTER_G(cur_uploads) = 0;
3583+
3584+ VARFILTER_G(no_more_variables) = 0;
3585+ VARFILTER_G(no_more_get_variables) = 0;
3586+ VARFILTER_G(no_more_post_variables) = 0;
3587+ VARFILTER_G(no_more_cookie_variables) = 0;
3588+ VARFILTER_G(no_more_uploads) = 0;
3589+
3590+ return SUCCESS;
3591+}
3592+/* }}} */
3593+
3594+/* Remove if there's nothing to do at request end */
3595+/* {{{ PHP_RSHUTDOWN_FUNCTION
3596+ */
3597+PHP_RSHUTDOWN_FUNCTION(varfilter)
3598+{
3599+ return SUCCESS;
3600+}
3601+/* }}} */
3602+
3603+/* {{{ PHP_MINFO_FUNCTION
3604+ */
3605+PHP_MINFO_FUNCTION(varfilter)
3606+{
3607+ php_info_print_table_start();
3608+ php_info_print_table_header(2, "Hardening-Patch's variable filter support", "enabled");
3609+ php_info_print_table_end();
3610+
3611+ DISPLAY_INI_ENTRIES();
3612+}
3613+/* }}} */
3614+
3615+/* {{{ normalize_varname
3616+ */
3617+static void normalize_varname(char *varname)
3618+{
3619+ char *s=varname, *index=NULL, *indexend=NULL, *p;
3620+
3621+ /* overjump leading space */
3622+ while (*s == ' ') {
3623+ s++;
3624+ }
3625+
3626+ /* and remove it */
3627+ if (s != varname) {
3628+ memmove(varname, s, strlen(s)+1);
3629+ }
3630+
3631+ for (p=varname; *p && *p != '['; p++) {
3632+ switch(*p) {
3633+ case ' ':
3634+ case '.':
3635+ *p='_';
3636+ break;
3637+ }
3638+ }
3639+
3640+ /* find index */
3641+ index = strchr(varname, '[');
3642+ if (index) {
3643+ index++;
3644+ s=index;
3645+ } else {
3646+ return;
3647+ }
3648+
3649+ /* done? */
3650+ while (index) {
3651+
3652+ while (*index == ' ' || *index == '\r' || *index == '\n' || *index=='\t') {
3653+ index++;
3654+ }
3655+ indexend = strchr(index, ']');
3656+ indexend = indexend ? indexend + 1 : index + strlen(index);
3657+
3658+ if (s != index) {
3659+ memmove(s, index, strlen(index)+1);
3660+ s += indexend-index;
3661+ } else {
3662+ s = indexend;
3663+ }
3664+
3665+ if (*s == '[') {
3666+ s++;
3667+ index = s;
3668+ } else {
3669+ index = NULL;
3670+ }
3671+ }
3672+ *s++='\0';
3673+}
3674+/* }}} */
3675+
3676+/* {{{ SAPI_UPLOAD_VARNAME_FILTER_FUNC
3677+ */
3678+SAPI_UPLOAD_VARNAME_FILTER_FUNC(varfilter_upload_varname_filter)
3679+{
3680+ char *index, *prev_index = NULL, *var;
3681+ unsigned int var_len, total_len, depth = 0;
3682+
3683+ var = estrdup(varname);
3684+
3685+ /* Normalize the variable name */
3686+ normalize_varname(var);
3687+
3688+ /* Find length of variable name */
3689+ index = strchr(var, '[');
3690+ total_len = strlen(var);
3691+ var_len = index ? index-var : total_len;
3692+
3693+ /* Drop this variable if it exceeds the varname/total length limit */
3694+ if (VARFILTER_G(max_varname_length) && VARFILTER_G(max_varname_length) < var_len) {
3695+ php_security_log(S_FILES, "configured request variable name length limit exceeded - dropped %s", var);
3696+ goto return_failure;
3697+ }
3698+ if (VARFILTER_G(max_totalname_length) && VARFILTER_G(max_totalname_length) < total_len) {
3699+ php_security_log(S_FILES, "configured request variable total name length limit exceeded - dropped %s", var);
3700+ goto return_failure;
3701+ }
3702+ if (VARFILTER_G(max_post_name_length) && VARFILTER_G(max_post_name_length) < var_len) {
3703+ php_security_log(S_FILES, "configured POST variable name length limit exceeded - dropped %s", var);
3704+
3705+ goto return_failure;
3706+ }
3707+ if (VARFILTER_G(max_post_totalname_length) && VARFILTER_G(max_post_totalname_length) < var_len) {
3708+ php_security_log(S_FILES, "configured POST variable total name length limit exceeded - dropped %s", var);
3709+ goto return_failure;
3710+ }
3711+
3712+ /* Find out array depth */
3713+ while (index) {
3714+ unsigned int index_length;
3715+
3716+ depth++;
3717+ index = strchr(index+1, '[');
3718+
3719+ if (prev_index) {
3720+ index_length = index ? index - 1 - prev_index - 1: strlen(prev_index);
3721+
3722+ if (VARFILTER_G(max_array_index_length) && VARFILTER_G(max_array_index_length) < index_length) {
3723+ php_security_log(S_FILES, "configured request variable array index length limit exceeded - dropped %s", var);
3724+ goto return_failure;
3725+ }
3726+ if (VARFILTER_G(max_post_array_index_length) && VARFILTER_G(max_post_array_index_length) < index_length) {
3727+ php_security_log(S_FILES, "configured POST variable array index length limit exceeded - dropped %s", var);
3728+ goto return_failure;
3729+ }
3730+ prev_index = index;
3731+ }
3732+
3733+ }
3734+
3735+ /* Drop this variable if it exceeds the array depth limit */
3736+ if (VARFILTER_G(max_array_depth) && VARFILTER_G(max_array_depth) < depth) {
3737+ php_security_log(S_FILES, "configured request variable array depth limit exceeded - dropped %s", var);
3738+ goto return_failure;
3739+ }
3740+ if (VARFILTER_G(max_post_array_depth) && VARFILTER_G(max_post_array_depth) < depth) {
3741+ php_security_log(S_FILES, "configured POST variable array depth limit exceeded - dropped %s", var);
3742+ goto return_failure;
3743+ }
3744+
3745+
3746+ /* Drop this variable if it is one of GLOBALS, _GET, _POST, ... */
3747+ /* This is to protect several silly scripts that do globalizing themself */
3748+
3749+ switch (var_len) {
3750+ case 18:
3751+ if (memcmp(var, "HTTP_RAW_POST_DATA", 18)==0) goto protected_varname2;
3752+ break;
3753+ case 17:
3754+ if (memcmp(var, "HTTP_SESSION_VARS", 17)==0) goto protected_varname2;
3755+ break;
3756+ case 16:
3757+ if (memcmp(var, "HTTP_SERVER_VARS", 16)==0) goto protected_varname2;
3758+ if (memcmp(var, "HTTP_COOKIE_VARS", 16)==0) goto protected_varname2;
3759+ break;
3760+ case 15:
3761+ if (memcmp(var, "HTTP_POST_FILES", 15)==0) goto protected_varname2;
3762+ break;
3763+ case 14:
3764+ if (memcmp(var, "HTTP_POST_VARS", 14)==0) goto protected_varname2;
3765+ break;
3766+ case 13:
3767+ if (memcmp(var, "HTTP_GET_VARS", 13)==0) goto protected_varname2;
3768+ if (memcmp(var, "HTTP_ENV_VARS", 13)==0) goto protected_varname2;
3769+ break;
3770+ case 8:
3771+ if (memcmp(var, "_SESSION", 8)==0) goto protected_varname2;
3772+ if (memcmp(var, "_REQUEST", 8)==0) goto protected_varname2;
3773+ break;
3774+ case 7:
3775+ if (memcmp(var, "GLOBALS", 7)==0) goto protected_varname2;
3776+ if (memcmp(var, "_COOKIE", 7)==0) goto protected_varname2;
3777+ if (memcmp(var, "_SERVER", 7)==0) goto protected_varname2;
3778+ break;
3779+ case 6:
3780+ if (memcmp(var, "_FILES", 6)==0) goto protected_varname2;
3781+ break;
3782+ case 5:
3783+ if (memcmp(var, "_POST", 5)==0) goto protected_varname2;
3784+ break;
3785+ case 4:
3786+ if (memcmp(var, "_ENV", 4)==0) goto protected_varname2;
3787+ if (memcmp(var, "_GET", 4)==0) goto protected_varname2;
3788+ break;
3789+ }
3790+
3791+ efree(var);
3792+ return SUCCESS;
3793+protected_varname2:
3794+ php_security_log(S_FILES, "tried to register forbidden variable '%s' through FILE variables", var);
3795+return_failure:
3796+ efree(var);
3797+ return FAILURE;
3798+}
3799+/* }}} */
3800+
3801+/* {{{ SAPI_PRE_UPLOAD_FILTER_FUNC
3802+ */
3803+SAPI_PRE_UPLOAD_FILTER_FUNC(varfilter_pre_upload_filter)
3804+{
3805+ /* Drop if no more variables flag is set */
3806+ if (VARFILTER_G(no_more_uploads)) {
3807+ return FAILURE;
3808+ }
3809+ /* Drop this fileupload if the limit is reached */
3810+ if (VARFILTER_G(max_uploads) && VARFILTER_G(max_uploads) <= VARFILTER_G(cur_uploads)) {
3811+ php_security_log(S_FILES, "configured fileupload limit exceeded - file dropped");
3812+ VARFILTER_G(no_more_uploads) = 1;
3813+ return FAILURE;
3814+ }
3815+
3816+ return SUCCESS;
3817+}
3818+/* }}} */
3819+
3820+/* {{{ SAPI_UPLOAD_CONTENT_FILTER_FUNC
3821+ */
3822+SAPI_UPLOAD_CONTENT_FILTER_FUNC(varfilter_upload_content_filter)
3823+{
3824+
3825+ if (VARFILTER_G(disallow_elf_files)) {
3826+
3827+ if (offset == 0 && buffer_len > 10) {
3828+
3829+ if (buffer[0] == 0x7F && buffer[1] == 'E' && buffer[2] == 'L' && buffer[3] == 'F') {
3830+ php_security_log(S_FILES, "uploaded file is an ELF executable - file dropped");
3831+ return FAILURE;
3832+ }
3833+ }
3834+
3835+ }
3836+
3837+ return SUCCESS;
3838+}
3839+/* }}} */
3840+
3841+/* {{{ SAPI_POST_UPLOAD_FILTER_FUNC
3842+ */
3843+SAPI_POST_UPLOAD_FILTER_FUNC(varfilter_post_upload_filter)
3844+{
3845+ int retval = SUCCESS;
3846+
3847+ if (VARFILTER_G(verification_script)) {
3848+ char cmd[8192];
3849+ FILE *in;
3850+ int first=1;
3851+
3852+ ap_php_snprintf(cmd, sizeof(cmd), "%s %s", VARFILTER_G(verification_script), tmpfilename);
3853+
3854+ if ((in=VCWD_POPEN(cmd, "r"))==NULL) {
3855+ php_security_log(S_FILES, "unable to execute fileupload verification script %s - file dropped", VARFILTER_G(verification_script));
3856+ return FAILURE;
3857+ }
3858+
3859+ retval = FAILURE;
3860+
3861+ /* read and forget the result */
3862+ while (1) {
3863+ int readbytes = fread(cmd, 1, sizeof(cmd), in);
3864+ if (readbytes<=0) {
3865+ break;
3866+ }
3867+ if (first) {
3868+ retval = atoi(cmd) == 1 ? SUCCESS : FAILURE;
3869+ first = 0;
3870+ }
3871+ }
3872+ pclose(in);
3873+ }
3874+
3875+ if (retval != SUCCESS) {
3876+ php_security_log(S_FILES, "fileupload verification script disallows file - file dropped");
3877+ return FAILURE;
3878+ }
3879+
3880+ VARFILTER_G(cur_uploads)++;
3881+ return SUCCESS;
3882+}
3883+/* }}} */
3884+
3885+/* {{{ SAPI_INPUT_FILTER_FUNC
3886+ */
3887+SAPI_INPUT_FILTER_FUNC(varfilter_input_filter)
3888+{
3889+ char *index, *prev_index = NULL;
3890+ unsigned int var_len, total_len, depth = 0;
3891+
3892+ /* Drop this variable if the limit was reached */
3893+ switch (arg) {
3894+ case PARSE_GET:
3895+ if (VARFILTER_G(no_more_get_variables)) {
3896+ return 0;
3897+ }
3898+ break;
3899+ case PARSE_POST:
3900+ if (VARFILTER_G(no_more_post_variables)) {
3901+ return 0;
3902+ }
3903+ break;
3904+ case PARSE_COOKIE:
3905+ if (VARFILTER_G(no_more_cookie_variables)) {
3906+ return 0;
3907+ }
3908+ break;
3909+ default: /* we do not want to protect parse_str() and friends */
3910+ if (new_val_len) {
3911+ *new_val_len = val_len;
3912+ }
3913+ return 1;
3914+ }
3915+ if (VARFILTER_G(no_more_variables)) {
3916+ return 0;
3917+ }
3918+
3919+ /* Drop this variable if the limit is now reached */
3920+ if (VARFILTER_G(max_request_variables) && VARFILTER_G(max_request_variables) <= VARFILTER_G(cur_request_variables)) {
3921+ php_security_log(S_VARS, "configured request variable limit exceeded - dropped %s", var);
3922+ VARFILTER_G(no_more_variables) = 1;
3923+ return 0;
3924+ }
3925+ switch (arg) {
3926+ case PARSE_GET:
3927+ if (VARFILTER_G(max_get_vars) && VARFILTER_G(max_get_vars) <= VARFILTER_G(cur_get_vars)) {
3928+ php_security_log(S_VARS, "configured GET variable limit exceeded - dropped %s", var);
3929+ VARFILTER_G(no_more_get_variables) = 1;
3930+ return 0;
3931+ }
3932+ break;
3933+ case PARSE_COOKIE:
3934+ if (VARFILTER_G(max_cookie_vars) && VARFILTER_G(max_cookie_vars) <= VARFILTER_G(cur_cookie_vars)) {
3935+ php_security_log(S_VARS, "configured COOKIE variable limit exceeded - dropped %s", var);
3936+ VARFILTER_G(no_more_cookie_variables) = 1;
3937+ return 0;
3938+ }
3939+ break;
3940+ case PARSE_POST:
3941+ if (VARFILTER_G(max_post_vars) && VARFILTER_G(max_post_vars) <= VARFILTER_G(cur_post_vars)) {
3942+ php_security_log(S_VARS, "configured POST variable limit exceeded - dropped %s", var);
3943+ VARFILTER_G(no_more_post_variables) = 1;
3944+ return 0;
3945+ }
3946+ break;
3947+ }
3948+
3949+
3950+ /* Drop this variable if it exceeds the value length limit */
3951+ if (VARFILTER_G(max_value_length) && VARFILTER_G(max_value_length) < val_len) {
3952+ php_security_log(S_VARS, "configured request variable value length limit exceeded - dropped %s", var);
3953+ return 0;
3954+ }
3955+ switch (arg) {
3956+ case PARSE_GET:
3957+ if (VARFILTER_G(max_get_value_length) && VARFILTER_G(max_get_value_length) < val_len) {
3958+ php_security_log(S_VARS, "configured GET variable value length limit exceeded - dropped %s", var);
3959+ return 0;
3960+ }
3961+ break;
3962+ case PARSE_COOKIE:
3963+ if (VARFILTER_G(max_cookie_value_length) && VARFILTER_G(max_cookie_value_length) < val_len) {
3964+ php_security_log(S_VARS, "configured COOKIE variable value length limit exceeded - dropped %s", var);
3965+ return 0;
3966+ }
3967+ break;
3968+ case PARSE_POST:
3969+ if (VARFILTER_G(max_post_value_length) && VARFILTER_G(max_post_value_length) < val_len) {
3970+ php_security_log(S_VARS, "configured POST variable value length limit exceeded - dropped %s", var);
3971+ return 0;
3972+ }
3973+ break;
3974+ }
3975+
3976+ /* Normalize the variable name */
3977+ normalize_varname(var);
3978+
3979+ /* Find length of variable name */
3980+ index = strchr(var, '[');
3981+ total_len = strlen(var);
3982+ var_len = index ? index-var : total_len;
3983+
3984+ /* Drop this variable if it exceeds the varname/total length limit */
3985+ if (VARFILTER_G(max_varname_length) && VARFILTER_G(max_varname_length) < var_len) {
3986+ php_security_log(S_VARS, "configured request variable name length limit exceeded - dropped %s", var);
3987+ return 0;
3988+ }
3989+ if (VARFILTER_G(max_totalname_length) && VARFILTER_G(max_totalname_length) < total_len) {
3990+ php_security_log(S_VARS, "configured request variable total name length limit exceeded - dropped %s", var);
3991+ return 0;
3992+ }
3993+ switch (arg) {
3994+ case PARSE_GET:
3995+ if (VARFILTER_G(max_get_name_length) && VARFILTER_G(max_get_name_length) < var_len) {
3996+ php_security_log(S_VARS, "configured GET variable name length limit exceeded - dropped %s", var);
3997+ return 0;
3998+ }
3999+ if (VARFILTER_G(max_get_totalname_length) && VARFILTER_G(max_get_totalname_length) < var_len) {
4000+ php_security_log(S_VARS, "configured GET variable total name length limit exceeded - dropped %s", var);
4001+ return 0;
4002+ }
4003+ break;
4004+ case PARSE_COOKIE:
4005+ if (VARFILTER_G(max_cookie_name_length) && VARFILTER_G(max_cookie_name_length) < var_len) {
4006+ php_security_log(S_VARS, "configured COOKIE variable name length limit exceeded - dropped %s", var);
4007+ return 0;
4008+ }
4009+ if (VARFILTER_G(max_cookie_totalname_length) && VARFILTER_G(max_cookie_totalname_length) < var_len) {
4010+ php_security_log(S_VARS, "configured COOKIE variable total name length limit exceeded - dropped %s", var);
4011+ return 0;
4012+ }
4013+ break;
4014+ case PARSE_POST:
4015+ if (VARFILTER_G(max_post_name_length) && VARFILTER_G(max_post_name_length) < var_len) {
4016+ php_security_log(S_VARS, "configured POST variable name length limit exceeded - dropped %s", var);
4017+ return 0;
4018+ }
4019+ if (VARFILTER_G(max_post_totalname_length) && VARFILTER_G(max_post_totalname_length) < var_len) {
4020+ php_security_log(S_VARS, "configured POST variable total name length limit exceeded - dropped %s", var);
4021+ return 0;
4022+ }
4023+ break;
4024+ }
4025+
4026+ /* Find out array depth */
4027+ while (index) {
4028+ unsigned int index_length;
4029+
4030+ depth++;
4031+ index = strchr(index+1, '[');
4032+
4033+ if (prev_index) {
4034+ index_length = index ? index - 1 - prev_index - 1: strlen(prev_index);
4035+
4036+ if (VARFILTER_G(max_array_index_length) && VARFILTER_G(max_array_index_length) < index_length) {
4037+ php_security_log(S_VARS, "configured request variable array index length limit exceeded - dropped %s", var);
4038+ return 0;
4039+ }
4040+ switch (arg) {
4041+ case PARSE_GET:
4042+ if (VARFILTER_G(max_get_array_index_length) && VARFILTER_G(max_get_array_index_length) < index_length) {
4043+ php_security_log(S_VARS, "configured GET variable array index length limit exceeded - dropped %s", var);
4044+ return 0;
4045+ }
4046+ break;
4047+ case PARSE_COOKIE:
4048+ if (VARFILTER_G(max_cookie_array_index_length) && VARFILTER_G(max_cookie_array_index_length) < index_length) {
4049+ php_security_log(S_VARS, "configured COOKIE variable array index length limit exceeded - dropped %s", var);
4050+ return 0;
4051+ }
4052+ break;
4053+ case PARSE_POST:
4054+ if (VARFILTER_G(max_post_array_index_length) && VARFILTER_G(max_post_array_index_length) < index_length) {
4055+ php_security_log(S_VARS, "configured POST variable array index length limit exceeded - dropped %s", var);
4056+ return 0;
4057+ }
4058+ break;
4059+ }
4060+ prev_index = index;
4061+ }
4062+
4063+ }
4064+
4065+ /* Drop this variable if it exceeds the array depth limit */
4066+ if (VARFILTER_G(max_array_depth) && VARFILTER_G(max_array_depth) < depth) {
4067+ php_security_log(S_VARS, "configured request variable array depth limit exceeded - dropped %s", var);
4068+ return 0;
4069+ }
4070+ switch (arg) {
4071+ case PARSE_GET:
4072+ if (VARFILTER_G(max_get_array_depth) && VARFILTER_G(max_get_array_depth) < depth) {
4073+ php_security_log(S_VARS, "configured GET variable array depth limit exceeded - dropped %s", var);
4074+ return 0;
4075+ }
4076+ break;
4077+ case PARSE_COOKIE:
4078+ if (VARFILTER_G(max_cookie_array_depth) && VARFILTER_G(max_cookie_array_depth) < depth) {
4079+ php_security_log(S_VARS, "configured COOKIE variable array depth limit exceeded - dropped %s", var);
4080+ return 0;
4081+ }
4082+ break;
4083+ case PARSE_POST:
4084+ if (VARFILTER_G(max_post_array_depth) && VARFILTER_G(max_post_array_depth) < depth) {
4085+ php_security_log(S_VARS, "configured POST variable array depth limit exceeded - dropped %s", var);
4086+ return 0;
4087+ }
4088+ break;
4089+ }
4090+
4091+ /* Check if variable value is truncated by a \0 */
4092+
4093+ if (val && *val && val_len != strlen(*val)) {
4094+
4095+ if (VARFILTER_G(disallow_nul)) {
4096+ php_security_log(S_VARS, "ASCII-NUL chars not allowed within request variables - dropped %s", var);
4097+ return 0;
4098+ }
4099+ switch (arg) {
4100+ case PARSE_GET:
4101+ if (VARFILTER_G(disallow_get_nul)) {
4102+ php_security_log(S_VARS, "ASCII-NUL chars not allowed within GET variables - dropped %s", var);
4103+ return 0;
4104+ }
4105+ break;
4106+ case PARSE_COOKIE:
4107+ if (VARFILTER_G(disallow_cookie_nul)) {
4108+ php_security_log(S_VARS, "ASCII-NUL chars not allowed within COOKIE variables - dropped %s", var);
4109+ return 0;
4110+ }
4111+ break;
4112+ case PARSE_POST:
4113+ if (VARFILTER_G(disallow_post_nul)) {
4114+ php_security_log(S_VARS, "ASCII-NUL chars not allowed within POST variables - dropped %s", var);
4115+ return 0;
4116+ }
4117+ break;
4118+ }
4119+ }
4120+
4121+ /* Drop this variable if it is one of GLOBALS, _GET, _POST, ... */
4122+ /* This is to protect several silly scripts that do globalizing themself */
4123+
4124+ switch (var_len) {
4125+ case 18:
4126+ if (memcmp(var, "HTTP_RAW_POST_DATA", 18)==0) goto protected_varname;
4127+ break;
4128+ case 17:
4129+ if (memcmp(var, "HTTP_SESSION_VARS", 17)==0) goto protected_varname;
4130+ break;
4131+ case 16:
4132+ if (memcmp(var, "HTTP_SERVER_VARS", 16)==0) goto protected_varname;
4133+ if (memcmp(var, "HTTP_COOKIE_VARS", 16)==0) goto protected_varname;
4134+ break;
4135+ case 15:
4136+ if (memcmp(var, "HTTP_POST_FILES", 15)==0) goto protected_varname;
4137+ break;
4138+ case 14:
4139+ if (memcmp(var, "HTTP_POST_VARS", 14)==0) goto protected_varname;
4140+ break;
4141+ case 13:
4142+ if (memcmp(var, "HTTP_GET_VARS", 13)==0) goto protected_varname;
4143+ if (memcmp(var, "HTTP_ENV_VARS", 13)==0) goto protected_varname;
4144+ break;
4145+ case 8:
4146+ if (memcmp(var, "_SESSION", 8)==0) goto protected_varname;
4147+ if (memcmp(var, "_REQUEST", 8)==0) goto protected_varname;
4148+ break;
4149+ case 7:
4150+ if (memcmp(var, "GLOBALS", 7)==0) goto protected_varname;
4151+ if (memcmp(var, "_COOKIE", 7)==0) goto protected_varname;
4152+ if (memcmp(var, "_SERVER", 7)==0) goto protected_varname;
4153+ break;
4154+ case 6:
4155+ if (memcmp(var, "_FILES", 6)==0) goto protected_varname;
4156+ break;
4157+ case 5:
4158+ if (memcmp(var, "_POST", 5)==0) goto protected_varname;
4159+ break;
4160+ case 4:
4161+ if (memcmp(var, "_ENV", 4)==0) goto protected_varname;
4162+ if (memcmp(var, "_GET", 4)==0) goto protected_varname;
4163+ break;
4164+ }
4165+
4166+ /* Okay let PHP register this variable */
4167+ VARFILTER_G(cur_request_variables)++;
4168+ switch (arg) {
4169+ case PARSE_GET:
4170+ VARFILTER_G(cur_get_vars)++;
4171+ break;
4172+ case PARSE_COOKIE:
4173+ VARFILTER_G(cur_cookie_vars)++;
4174+ break;
4175+ case PARSE_POST:
4176+ VARFILTER_G(cur_post_vars)++;
4177+ break;
4178+ }
4179+
4180+ if (new_val_len) {
4181+ *new_val_len = val_len;
4182+ }
4183+
4184+ return 1;
4185+protected_varname:
4186+ php_security_log(S_VARS, "tried to register forbidden variable '%s' through %s variables", var, arg == PARSE_GET ? "GET" : arg == PARSE_POST ? "POST" : "COOKIE");
4187+ return 0;
4188+}
4189+/* }}} */
4190+
4191+/*
4192+ * Local variables:
4193+ * tab-width: 4
4194+ * c-basic-offset: 4
4195+ * End:
4196+ * vim600: noet sw=4 ts=4 fdm=marker
4197+ * vim<600: noet sw=4 ts=4
4198+ */
4199+
4200+
4201diff -Nura php-4.4.2/main/fopen_wrappers.c hardening-patch-4.4.2-0.4.10/main/fopen_wrappers.c
4202--- php-4.4.2/main/fopen_wrappers.c 2006-01-01 14:46:59.000000000 +0100
4203+++ hardening-patch-4.4.2-0.4.10/main/fopen_wrappers.c 2006-05-11 10:37:40.000000000 +0200
4204@@ -116,14 +116,20 @@
4205 }
4206 }
4207
4208+ resolved_name_len = strlen(resolved_name);
4209 if (path[strlen(path)-1] == PHP_DIR_SEPARATOR) {
4210- resolved_name_len = strlen(resolved_name);
4211 if (resolved_name[resolved_name_len - 1] != PHP_DIR_SEPARATOR) {
4212 resolved_name[resolved_name_len] = PHP_DIR_SEPARATOR;
4213 resolved_name[++resolved_name_len] = '\0';
4214 }
4215 }
4216
4217+ if (resolved_name_len == resolved_basedir_len - 1) {
4218+ if (resolved_basedir[resolved_basedir_len - 1] == PHP_DIR_SEPARATOR) {
4219+ resolved_basedir_len--;
4220+ }
4221+ }
4222+
4223 /* Check the path */
4224 #ifdef PHP_WIN32
4225 if (strncasecmp(resolved_basedir, resolved_name, resolved_basedir_len) == 0) {
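Review bot: The new length adjustment (`if (resolved_name_len == resolved_basedir_len - 1) ...`) carries no comment saying which case it handles, and the prefix comparison that follows does not make it obvious. From the lengths involved it appears to let an open_basedir entry written with a trailing separator (`/var/www/`) also cover the directory itself when it resolves to `/var/www`, which is one character shorter; I would state that above the block: `/* a basedir given as "dir/" must also match "dir" itself: drop its trailing separator when the resolved path is exactly one char shorter */`. php_check_specific_open_basedir begins before this hunk and its verdict is computed after it, so whether resolved_basedir_len can ever be 0 at this point (which would make the `- 1` negative) cannot be confirmed from here and is worth a glance.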
4226@@ -156,6 +162,21 @@
4227 char *pathbuf;
4228 char *ptr;
4229 char *end;
4230+ char path_copy[MAXPATHLEN];
4231+ int path_len;
4232+
4233+ /* Special case path ends with a trailing slash */
4234+ path_len = strlen(path);
4235+ if (path_len >= MAXPATHLEN) {
4236+ errno = EPERM; /* we deny permission to open it */
4237+ return -1;
4238+ }
4239+ if (path_len > 0 && path[path_len-1] == PHP_DIR_SEPARATOR) {
4240+ memcpy(path_copy, path, path_len+1);
4241+ while (path_len > 0 && path_copy[path_len-1] == PHP_DIR_SEPARATOR) path_len--;
4242+ path_copy[path_len] = '\0';
4243+ path = (const char *)&path_copy;
4244+ }
4245
4246 pathbuf = estrdup(PG(open_basedir));
4247
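Review bot: The stripping loop `while (path_len > 0 && path_copy[path_len-1] == PHP_DIR_SEPARATOR) path_len--;` removes every trailing separator, so a path of `/` (or `///`) is passed on as the empty string; the callee php_check_specific_open_basedir evaluates `path[strlen(path)-1]` (visible as context in the previous hunk), which indexes before the buffer for an empty string unless the earlier expand_filepath step rejects it first — that step is outside this hunk, so I cannot confirm it does. Keeping one separator removes the dependency and keeps `/` checkable against an open_basedir of `/`: `while (path_len > 1 && path_copy[path_len-1] == PHP_DIR_SEPARATOR) path_len--;`. As a smaller point, `path = (const char *)&path_copy;` takes the address of the whole array (type `char (*)[MAXPATHLEN]`) and casts it away; `path = path_copy;` expresses the same thing without the cast. The body of php_check_open_basedir continues past the end of this hunk.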
4248diff -Nura php-4.4.2/main/hardened_globals.h hardening-patch-4.4.2-0.4.10/main/hardened_globals.h
4249--- php-4.4.2/main/hardened_globals.h 1970-01-01 01:00:00.000000000 +0100
4250+++ hardening-patch-4.4.2-0.4.10/main/hardened_globals.h 2006-05-11 10:36:02.000000000 +0200
4251@@ -0,0 +1,62 @@
4252+/*
4253+ +----------------------------------------------------------------------+
4254+ | Hardening-Patch for PHP |
4255+ +----------------------------------------------------------------------+
4256+ | Copyright (c) 2004-2005 Stefan Esser |
4257+ +----------------------------------------------------------------------+
4258+ | This source file is subject to version 2.02 of the PHP license, |
4259+ | that is bundled with this package in the file LICENSE, and is |
4260+ | available at through the world-wide-web at |
4261+ | http://www.php.net/license/2_02.txt. |
4262+ | If you did not receive a copy of the PHP license and are unable to |
4263+ | obtain it through the world-wide-web, please send a note to |
4264+ | license@php.net so we can mail you a copy immediately. |
4265+ +----------------------------------------------------------------------+
4266+ | Author: Stefan Esser <sesser@hardened-php.net> |
4267+ +----------------------------------------------------------------------+
4268+ */
4269+
4270+#ifndef HARDENED_GLOBALS_H
4271+#define HARDENED_GLOBALS_H
4272+
4273+typedef struct _hardened_globals hardened_globals_struct;
4274+
4275+#ifdef ZTS
4276+# define HG(v) TSRMG(hardened_globals_id, hardened_globals_struct *, v)
4277+extern int hardened_globals_id;
4278+#else
4279+# define HG(v) (hardened_globals.v)
4280+extern struct _hardened_globals hardened_globals;
4281+#endif
4282+
4283+
4284+struct _hardened_globals {
4285+#if HARDENING_PATCH_MM_PROTECT
4286+ unsigned int canary_1;
4287+ unsigned int canary_2;
4288+#endif
4289+#if HARDENING_PATCH_LL_PROTECT
4290+ unsigned int canary_3;
4291+ unsigned int canary_4;
4292+ unsigned int ll_canary_inited;
4293+#endif
4294+ zend_bool hphp_sql_bailout_on_error;
4295+ zend_bool hphp_multiheader;
4296+ HashTable *eval_whitelist;
4297+ HashTable *eval_blacklist;
4298+ HashTable *func_whitelist;
4299+ HashTable *func_blacklist;
4300+ HashTable *include_whitelist;
4301+ HashTable *include_blacklist;
4302+ unsigned int dummy;
4303+};
4304+
4305+
4306+#endif /* HARDENED_GLOBALS_H */
4307+
4308+/*
4309+ * Local variables:
4310+ * tab-width: 4
4311+ * c-basic-offset: 4
4312+ * End:
4313+ */
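Review bot: hardened_globals.h uses `zend_bool`, `HashTable` and `TSRMG` but includes nothing, so it compiles only when php.h (or the Zend/TSRM headers) has already been included by every translation unit that pulls it in; hardening_patch.c below happens to include "php.h" first, but the header should not depend on that ordering, and an `#include "php.h"` (or the narrower Zend/TSRM headers) at the top would make it self-contained. The canary fields are also undocumented: hardening_patch.c shows canary_1 and canary_2 being seeded from php_canary() in hardened_clear_mm_canaries(), so a comment such as `/* guard words for the memory-manager protection, (re)seeded by hardened_clear_mm_canaries() */` is grounded, while canary_3/canary_4/ll_canary_inited have no visible use here and presumably serve the linked-list protection — worth a hedged comment rather than none. The trailing `unsigned int dummy;` has no visible purpose either; if it is a placeholder or padding, say so in a comment so nobody removes it without checking.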
4314diff -Nura php-4.4.2/main/hardening_patch.c hardening-patch-4.4.2-0.4.10/main/hardening_patch.c
4315--- php-4.4.2/main/hardening_patch.c 1970-01-01 01:00:00.000000000 +0100
4316+++ hardening-patch-4.4.2-0.4.10/main/hardening_patch.c 2006-05-11 10:36:02.000000000 +0200
4317@@ -0,0 +1,430 @@
4318+/*
4319+ +----------------------------------------------------------------------+
4320+ | Hardening Patch for PHP |
4321+ +----------------------------------------------------------------------+
4322+ | Copyright (c) 2004-2005 Stefan Esser |
4323+ +----------------------------------------------------------------------+
4324+ | This source file is subject to version 2.02 of the PHP license, |
4325+ | that is bundled with this package in the file LICENSE, and is |
4326+ | available at through the world-wide-web at |
4327+ | http://www.php.net/license/2_02.txt. |
4328+ | If you did not receive a copy of the PHP license and are unable to |
4329+ | obtain it through the world-wide-web, please send a note to |
4330+ | license@php.net so we can mail you a copy immediately. |
4331+ +----------------------------------------------------------------------+
4332+ | Author: Stefan Esser <sesser@hardened-php.net> |
4333+ +----------------------------------------------------------------------+
4334+ */
4335+/* $Id: hardening_patch.c,v 1.2 2004/11/21 09:38:52 ionic Exp $ */
4336+
4337+#include "php.h"
4338+
4339+#include <stdio.h>
4340+#include <stdlib.h>
4341+
4342+#if HAVE_UNISTD_H
4343+#include <unistd.h>
4344+#endif
4345+#include "SAPI.h"
4346+#include "php_globals.h"
4347+
4348+#if HARDENING_PATCH
4349+
4350+#ifdef HAVE_SYS_SOCKET_H
4351+#include <sys/socket.h>
4352+#endif
4353+
4354+#if defined(PHP_WIN32) || defined(__riscos__) || defined(NETWARE)
4355+#undef AF_UNIX
4356+#endif
4357+
4358+#if defined(AF_UNIX)
4359+#include <sys/un.h>
4360+#endif
4361+
4362+#define SYSLOG_PATH "/dev/log"
4363+
4364+#include "snprintf.h"
4365+
4366+#include "hardening_patch.h"
4367+
4368+#ifdef ZTS
4369+#include "hardened_globals.h"
4370+int hardened_globals_id;
4371+#else
4372+struct _hardened_globals hardened_globals;
4373+#endif
4374+
4375+static void hardened_globals_ctor(hardened_globals_struct *hardened_globals TSRMLS_DC)
4376+{
4377+ memset(hardened_globals, 0, sizeof(*hardened_globals));
4378+}
4379+
4380+
4381+PHPAPI void hardened_startup()
4382+{
4383+#ifdef ZTS
4384+ ts_allocate_id(&hardened_globals_id, sizeof(hardened_globals_struct), (ts_allocate_ctor) hardened_globals_ctor, NULL);
4385+#else
4386+ hardened_globals_ctor(&hardened_globals TSRMLS_CC);
4387+#endif
4388+}
4389+
4390+PHPAPI void hardened_clear_mm_canaries(TSRMLS_D)
4391+{
4392+ HG(canary_1) = php_canary();
4393+ HG(canary_2) = php_canary();
4394+}
4395+
4396+char *loglevel2string(int loglevel)
4397+{
4398+ switch (loglevel) {
4399+ case S_FILES:
4400+ return "FILES";
4401+ case S_INCLUDE:
4402+ return "INCLUDE";
4403+ case S_MEMORY:
4404+ return "MEMORY";
4405+ case S_MISC:
4406+ return "MISC";
4407+ case S_SQL:
4408+ return "SQL";
4409+ case S_EXECUTOR:
4410+ return "EXECUTOR";
4411+ case S_VARS:
4412+ return "VARS";
4413+ default:
4414+ return "UNKNOWN";
4415+ }
4416+}
4417+
4418+PHPAPI void php_security_log(int loglevel, char *fmt, ...)
4419+{
4420+#if defined(AF_UNIX)
4421+ int s, r, i=0;
4422+ struct sockaddr_un saun;
4423+ char buf[4096+64];
4424+ char error[4096+100];
4425+ char *ip_address;
4426+ char *fname;
4427+ int lineno;
4428+ va_list ap;
4429+ TSRMLS_FETCH();
4430+
4431+ if (EG(hphp_log_use_x_forwarded_for)) {
4432+ ip_address = sapi_getenv("HTTP_X_FORWARDED_FOR", 20 TSRMLS_CC);
4433+ if (ip_address == NULL) {
4434+ ip_address = "X-FORWARDED-FOR not set";
4435+ }
4436+ } else {
4437+ ip_address = sapi_getenv("REMOTE_ADDR", 11 TSRMLS_CC);
4438+ if (ip_address == NULL) {
4439+ ip_address = "REMOTE_ADDR not set";
4440+ }
4441+ }
4442+
4443+
4444+ va_start(ap, fmt);
4445+ ap_php_vsnprintf(error, sizeof(error), fmt, ap);
4446+ va_end(ap);
4447+ while (error[i]) {
4448+ if (error[i] < 32) error[i] = '.';
4449+ i++;
4450+ }
4451+
4452+ if (zend_is_executing(TSRMLS_C)) {
4453+ lineno = zend_get_executed_lineno(TSRMLS_C);
4454+ fname = zend_get_executed_filename(TSRMLS_C);
4455+ ap_php_snprintf(buf, sizeof(buf), "ALERT - %s (attacker '%s', file '%s', line %u)", error, ip_address, fname, lineno);
4456+ } else {
4457+ fname = sapi_getenv("SCRIPT_FILENAME", 15 TSRMLS_CC);
4458+ if (fname==NULL) {
4459+ fname = "unknown";
4460+ }
4461+ ap_php_snprintf(buf, sizeof(buf), "ALERT - %s (attacker '%s', file '%s')", error, ip_address, fname);
4462+ }
4463+
4464+ /* Syslog-Logging disabled? */
4465+ if ((EG(hphp_log_syslog) & loglevel)==0) {
4466+ goto log_sapi;
4467+ }
4468+
4469+ ap_php_snprintf(error, sizeof(error), "<%u>hphp[%u]: %s\n", EG(hphp_log_syslog_facility)|EG(hphp_log_syslog_priority),getpid(),buf);
4470+
4471+ s = socket(AF_UNIX, SOCK_DGRAM, 0);
4472+ if (s == -1) {
4473+ goto log_sapi;
4474+ }
4475+
4476+ memset(&saun, 0, sizeof(saun));
4477+ saun.sun_family = AF_UNIX;
4478+ strcpy(saun.sun_path, SYSLOG_PATH);
4479+ /*saun.sun_len = sizeof(saun);*/
4480+
4481+ r = connect(s, (struct sockaddr *)&saun, sizeof(saun));
4482+ if (r) {
4483+ close(s);
4484+ s = socket(AF_UNIX, SOCK_STREAM, 0);
4485+ if (s == -1) {
4486+ goto log_sapi;
4487+ }
4488+
4489+ memset(&saun, 0, sizeof(saun));
4490+ saun.sun_family = AF_UNIX;
4491+ strcpy(saun.sun_path, SYSLOG_PATH);
4492+ /*saun.sun_len = sizeof(saun);*/
4493+
4494+ r = connect(s, (struct sockaddr *)&saun, sizeof(saun));
4495+ if (r) {
4496+ close(s);
4497+ goto log_sapi;
4498+ }
4499+ }
4500+ send(s, error, strlen(error), 0);
4501+
4502+ close(s);
4503+
4504+log_sapi:
4505+ /* SAPI Logging activated? */
4506+ if ((EG(hphp_log_sapi) & loglevel)!=0) {
4507+ sapi_module.log_message(buf);
4508+ }
4509+
4510+log_script:
4511+ /* script logging activaed? */
4512+ if (((EG(hphp_log_script) & loglevel)!=0) && EG(hphp_log_scriptname)!=NULL) {
4513+ char cmd[8192], *cmdpos, *bufpos;
4514+ FILE *in;
4515+ int space;
4516+
4517+ ap_php_snprintf(cmd, sizeof(cmd), "%s %s \'", EG(hphp_log_scriptname), loglevel2string(loglevel));
4518+ space = sizeof(cmd) - strlen(cmd);
4519+ cmdpos = cmd + strlen(cmd);
4520+ bufpos = buf;
4521+ if (space <= 1) return;
4522+ while (space > 2 && *bufpos) {
4523+ if (*bufpos == '\'') {
4524+ if (space<=5) break;
4525+ *cmdpos++ = '\'';
4526+ *cmdpos++ = '\\';
4527+ *cmdpos++ = '\'';
4528+ *cmdpos++ = '\'';
4529+ bufpos++;
4530+ space-=4;
4531+ } else {
4532+ *cmdpos++ = *bufpos++;
4533+ space--;
4534+ }
4535+ }
4536+ *cmdpos++ = '\'';
4537+ *cmdpos = 0;
4538+
4539+ if ((in=VCWD_POPEN(cmd, "r"))==NULL) {
4540+ php_security_log(S_INTERNAL, "Unable to execute logging shell script: %s", EG(hphp_log_scriptname));
4541+ return;
4542+ }
4543+ /* read and forget the result */
4544+ while (1) {
4545+ int readbytes = fread(cmd, 1, sizeof(cmd), in);
4546+ if (readbytes<=0) {
4547+ break;
4548+ }
4549+ }
4550+ pclose(in);
4551+ }
4552+
4553+#endif
4554+}
4555+#endif
4556+
4557+#if HARDENING_PATCH_MM_PROTECT || HARDENING_PATCH_LL_PROTECT || HARDENING_PATCH_HASH_PROTECT
4558+
4559+/* will be replaced later with more compatible method */
4560+PHPAPI unsigned int php_canary()
4561+{
4562+ time_t t;
4563+ unsigned int canary;
4564+ int fd;
4565+
4566+ fd = open("/dev/urandom", 0);
4567+ if (fd != -1) {
4568+ int r = read(fd, &canary, sizeof(canary));
4569+ close(fd);
4570+ if (r == sizeof(canary)) {
4571+ return (canary);
4572+ }
4573+ }
4574+ /* not good but we never want to do this */
4575+ time(&t);
4576+ canary = *(unsigned int *)&t + getpid() << 16;
4577+ return (canary);
4578+}
4579+#endif
4580+
4581+#if HARDENING_PATCH_INC_PROTECT
4582+
4583+PHPAPI int php_is_valid_include(zval *z)
4584+{
4585+ char *filename;
4586+ int len, i;
4587+ TSRMLS_FETCH();
4588+
4589+ /* must be of type string */
4590+ if (z->type != IS_STRING || z->value.str.val == NULL) {
4591+ return (0);
4592+ }
4593+
4594+ /* short cut */
4595+ filename = z->value.str.val;
4596+ len = z->value.str.len;
4597+
4598+ /* 1. must be shorter than MAXPATHLEN */
4599+ if (len > MAXPATHLEN) {
4600+ char *fname = estrndup(filename, len);
4601+ for (i=0; i < len; i++) if (fname[i] < 32) fname[i]='.';
4602+ php_security_log(S_INCLUDE, "Include filename ('%s') longer than MAXPATHLEN chars", fname);
4603+ efree(fname);
4604+ return (0);
4605+ }
4606+
4607+ /* 2. must not be cutted */
4608+ if (len != strlen(filename)) {
4609+ char *fname = estrndup(filename, len);
4610+ for (i=0; fname[i]; i++) if (fname[i] < 32) fname[i]='.';
4611+ php_security_log(S_INCLUDE, "Include filename truncated by a \\0 after '%s'", fname);
4612+ efree(fname);
4613+ return (0);
4614+ }
4615+
4616+ /* 3. when it is an URL first check black/whitelist if both are empty disallow all URLs */
4617+ if (strstr(filename, "://")) {
4618+ char *fname = estrndup(filename, len);
4619+ for (i=0; i < len; i++) if (fname[i] < 32) fname[i]='.';
4620+
4621+ /* no black or whitelist then disallow all */
4622+ if (HG(include_whitelist)==NULL && HG(include_blacklist)==NULL) {
4623+ php_security_log(S_INCLUDE, "Include filename ('%s') is an URL", fname);
4624+ efree(fname);
4625+ return (0);
4626+ }
4627+
4628+ /* whitelist is stronger than blacklist */
4629+ if (HG(include_whitelist)) {
4630+ char *s, *t, *h, *index;
4631+ uint indexlen;
4632+ ulong numindex;
4633+
4634+ s = filename;
4635+
4636+ do {
4637+ zend_bool isOk = 0;
4638+ int tlen;
4639+
4640+ t = h = strstr(s, "://");
4641+ if (h == NULL) break;
4642+
4643+
4644+ while (t > s && (isalnum(t[-1]) || t[-1]=='_')) {
4645+ t--;
4646+ }
4647+
4648+ tlen = strlen(t);
4649+
4650+ zend_hash_internal_pointer_reset(HG(include_whitelist));
4651+ do {
4652+ int r = zend_hash_get_current_key_ex(HG(include_whitelist), &index, &indexlen, &numindex, 0, NULL);
4653+
4654+ if (r==HASH_KEY_NON_EXISTANT) {
4655+ break;
4656+ }
4657+ if (r==HASH_KEY_IS_STRING) {
4658+ if (h-t <= indexlen-1 && tlen>=indexlen-1) {
4659+ if (strncmp(t, index, indexlen-1)==0) {
4660+ isOk = 1;
4661+ break;
4662+ }
4663+ }
4664+ }
4665+
4666+ zend_hash_move_forward(HG(include_whitelist));
4667+ } while (1);
4668+
4669+ /* not found in whitelist */
4670+ if (!isOk) {
4671+ php_security_log(S_INCLUDE, "Include filename ('%s') is an URL that is not allowed in whitelist", fname);
4672+ efree(fname);
4673+ return 0;
4674+ }
4675+
4676+ s = h + 3;
4677+ } while (1);
4678+ } else {
4679+ /* okay then handle the blacklist */
4680+ char *s, *t, *h, *index;
4681+ uint indexlen;
4682+ ulong numindex;
4683+
4684+ s = filename;
4685+
4686+ do {
4687+ int tlen;
4688+
4689+ t = h = strstr(s, "://");
4690+ if (h == NULL) break;
4691+
4692+
4693+ while (t > s) {
4694+ if (isalnum(t[-1]) || t[-1]=='_') t--;
4695+ }
4696+
4697+ tlen = strlen(t);
4698+
4699+ zend_hash_internal_pointer_reset(HG(include_blacklist));
4700+ do {
4701+ int r = zend_hash_get_current_key_ex(HG(include_blacklist), &index, &indexlen, &numindex, 0, NULL);
4702+
4703+ if (r==HASH_KEY_NON_EXISTANT) {
4704+ break;
4705+ }
4706+ if (r==HASH_KEY_IS_STRING) {
4707+ if (h-t <= indexlen-1 && tlen>=indexlen-1) {
4708+ if (strncmp(t, index, indexlen-1)==0) {
4709+ php_security_log(S_INCLUDE, "Include filename ('%s') is an URL that is forbidden by the blacklist", fname);
4710+ efree(fname);
4711+ return 0;
4712+ }
4713+ }
4714+ }
4715+
4716+ zend_hash_move_forward(HG(include_blacklist));
4717+ } while (1);
4718+
4719+ s = h + 3;
4720+ } while (1);
4721+ }
4722+
4723+ efree(fname);
4724+ }
4725+
4726+ /* 4. must not be an uploaded file */
4727+ if (SG(rfc1867_uploaded_files)) {
4728+ if (zend_hash_exists(SG(rfc1867_uploaded_files), (char *) filename, len+1)) {
4729+ php_security_log(S_INCLUDE, "Include filename is an uploaded file");
4730+ return (0);
4731+ }
4732+ }
4733+
4734+ /* passed all tests */
4735+ return (1);
4736+}
4737+
4738+#endif
4739+
4740+/*
4741+ * Local variables:
4742+ * tab-width: 4
4743+ * c-basic-offset: 4
4744+ * End:
4745+ * vim600: sw=4 ts=4 fdm=marker
4746+ * vim<600: sw=4 ts=4
4747+ */
4748diff -Nura php-4.4.2/main/hardening_patch.h hardening-patch-4.4.2-0.4.10/main/hardening_patch.h
4749--- php-4.4.2/main/hardening_patch.h 1970-01-01 01:00:00.000000000 +0100
4750+++ hardening-patch-4.4.2-0.4.10/main/hardening_patch.h 2006-05-11 10:37:28.000000000 +0200
4751@@ -0,0 +1,46 @@
4752+/*
4753+ +----------------------------------------------------------------------+
4754+ | Hardening Patch for PHP |
4755+ +----------------------------------------------------------------------+
4756+ | Copyright (c) 2004-2005 Stefan Esser |
4757+ +----------------------------------------------------------------------+
4758+ | This source file is subject to version 2.02 of the PHP license, |
4759+ | that is bundled with this package in the file LICENSE, and is |
4760+ | available at through the world-wide-web at |
4761+ | http://www.php.net/license/2_02.txt. |
4762+ | If you did not receive a copy of the PHP license and are unable to |
4763+ | obtain it through the world-wide-web, please send a note to |
4764+ | license@php.net so we can mail you a copy immediately. |
4765+ +----------------------------------------------------------------------+
4766+ | Author: Stefan Esser <sesser@hardened-php.net> |
4767+ +----------------------------------------------------------------------+
4768+ */
4769+
4770+#ifndef HARDENING_PATCH_H
4771+#define HARDENING_PATCH_H
4772+
4773+#include "zend.h"
4774+
4775+#if HARDENING_PATCH
4776+PHPAPI void php_security_log(int loglevel, char *fmt, ...);
4777+PHPAPI void hardened_startup();
4778+#define HARDENING_PATCH_VERSION "0.4.10"
4779+
4780+#endif
4781+
4782+#if HARDENING_PATCH_MM_PROTECT || HARDENING_PATCH_LL_PROTECT || HARDENING_PATCH_HASH_PROTECT
4783+PHPAPI unsigned int php_canary();
4784+#endif
4785+
4786+#if HARDENING_PATCH_INC_PROTECT
4787+PHPAPI int php_is_valid_include(zval *z);
4788+#endif
4789+
4790+#endif /* HARDENING_PATCH_H */
4791+
4792+/*
4793+ * Local variables:
4794+ * tab-width: 4
4795+ * c-basic-offset: 4
4796+ * End:
4797+ */
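Review bot: `PHPAPI void hardened_startup();` and `PHPAPI unsigned int php_canary();` are old-style non-prototype declarations, so the compiler cannot check their call sites (hardened_startup() is called from the main.c hunk); write them as `hardened_startup(void)` and `php_canary(void)`. `php_security_log(int loglevel, char *fmt, ...)` takes a non-const format and carries no format attribute, so a caller that passes a non-literal format string gets no diagnostic, which matters for a function whose arguments routinely carry attacker-influenced text. Consider `const char *fmt` plus `__attribute__((format(printf, 2, 3)))` where the compiler supports it. The definition in hardening_patch.c (not fully within this view) would need the same signature change.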
4798diff -Nura php-4.4.2/main/hardening_patch.m4 hardening-patch-4.4.2-0.4.10/main/hardening_patch.m4
4799--- php-4.4.2/main/hardening_patch.m4 1970-01-01 01:00:00.000000000 +0100
4800+++ hardening-patch-4.4.2-0.4.10/main/hardening_patch.m4 2006-05-11 10:36:02.000000000 +0200
4801@@ -0,0 +1,95 @@
4802+dnl
4803+dnl $Id: hardening_patch.m4,v 1.1 2004/11/14 13:24:24 ionic Exp $
4804+dnl
4805+dnl This file contains Hardening Patch for PHP specific autoconf functions.
4806+dnl
4807+
4808+AC_ARG_ENABLE(hardening-patch-mm-protect,
4809+[ --disable-hardening-patch-mm-protect Disable the Memory Manager protection.],[
4810+ DO_HARDENING_PATCH_MM_PROTECT=$enableval
4811+],[
4812+ DO_HARDENING_PATCH_MM_PROTECT=yes
4813+])
4814+
4815+AC_ARG_ENABLE(hardening-patch-ll-protect,
4816+[ --disable-hardening-patch-ll-protect Disable the Linked List protection.],[
4817+ DO_HARDENING_PATCH_LL_PROTECT=$enableval
4818+],[
4819+ DO_HARDENING_PATCH_LL_PROTECT=yes
4820+])
4821+
4822+AC_ARG_ENABLE(hardening-patch-inc-protect,
4823+[ --disable-hardening-patch-inc-protect Disable include/require protection.],[
4824+ DO_HARDENING_PATCH_INC_PROTECT=$enableval
4825+],[
4826+ DO_HARDENING_PATCH_INC_PROTECT=yes
4827+])
4828+
4829+AC_ARG_ENABLE(hardening-patch-fmt-protect,
4830+[ --disable-hardening-patch-fmt-protect Disable format string protection.],[
4831+ DO_HARDENING_PATCH_FMT_PROTECT=$enableval
4832+],[
4833+ DO_HARDENING_PATCH_FMT_PROTECT=yes
4834+])
4835+
4836+AC_ARG_ENABLE(hardening-patch-hash-protect,
4837+[ --disable-hardening-patch-hash-protect Disable HashTable destructor protection.],[
4838+ DO_HARDENING_PATCH_HASH_PROTECT=$enableval
4839+],[
4840+ DO_HARDENING_PATCH_HASH_PROTECT=yes
4841+])
4842+
4843+AC_MSG_CHECKING(whether to protect the Zend Memory Manager)
4844+AC_MSG_RESULT($DO_HARDENING_PATCH_MM_PROTECT)
4845+
4846+AC_MSG_CHECKING(whether to protect the Zend Linked Lists)
4847+AC_MSG_RESULT($DO_HARDENING_PATCH_LL_PROTECT)
4848+
4849+AC_MSG_CHECKING(whether to protect include/require statements)
4850+AC_MSG_RESULT($DO_HARDENING_PATCH_INC_PROTECT)
4851+
4852+AC_MSG_CHECKING(whether to protect PHP Format String functions)
4853+AC_MSG_RESULT($DO_HARDENING_PATCH_FMT_PROTECT)
4854+
4855+AC_MSG_CHECKING(whether to protect the destructor of Zend HashTables)
4856+AC_MSG_RESULT($DO_HARDENING_PATCH_HASH_PROTECT)
4857+
4858+
4859+AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
4860+
4861+
4862+if test "$DO_HARDENING_PATCH_MM_PROTECT" = "yes"; then
4863+dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
4864+ AC_DEFINE(HARDENING_PATCH_MM_PROTECT, 1, [Memory Manager Protection])
4865+else
4866+ AC_DEFINE(HARDENING_PATCH_MM_PROTECT, 0, [Memory Manager Protection])
4867+fi
4868+
4869+if test "$DO_HARDENING_PATCH_LL_PROTECT" = "yes"; then
4870+dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
4871+ AC_DEFINE(HARDENING_PATCH_LL_PROTECT, 1, [Linked List Protection])
4872+else
4873+ AC_DEFINE(HARDENING_PATCH_LL_PROTECT, 0, [Linked List Protection])
4874+fi
4875+
4876+if test "$DO_HARDENING_PATCH_INC_PROTECT" = "yes"; then
4877+dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
4878+ AC_DEFINE(HARDENING_PATCH_INC_PROTECT, 1, [Include/Require Protection])
4879+else
4880+ AC_DEFINE(HARDENING_PATCH_INC_PROTECT, 0, [Include/Require Protection])
4881+fi
4882+
4883+if test "$DO_HARDENING_PATCH_FMT_PROTECT" = "yes"; then
4884+dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
4885+ AC_DEFINE(HARDENING_PATCH_FMT_PROTECT, 1, [Fmt String Protection])
4886+else
4887+ AC_DEFINE(HARDENING_PATCH_FMT_PROTECT, 0, [Fmt String Protection])
4888+fi
4889+
4890+if test "$DO_HARDENING_PATCH_HASH_PROTECT" = "yes"; then
4891+dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
4892+ AC_DEFINE(HARDENING_PATCH_HASH_PROTECT, 1, [HashTable DTOR Protection])
4893+else
4894+ AC_DEFINE(HARDENING_PATCH_HASH_PROTECT, 0, [HashTable DTOR Protection])
4895+fi
4896+
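Review bot: Each feature macro is defined by two separate `AC_DEFINE` calls (one per branch of the `if`), which makes autoheader emit every `#undef` twice in the php_config.h.in hunk below; a single `AC_DEFINE_UNQUOTED(HARDENING_PATCH_MM_PROTECT, $val, [...])` after computing `val=1`/`val=0` from the yes/no test would give one template entry per macro. The five commented-out `dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])` lines inside the branches are dead text now that the unconditional `AC_DEFINE(HARDENING_PATCH, ...)` exists above them and can be dropped.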
4897diff -Nura php-4.4.2/main/main.c hardening-patch-4.4.2-0.4.10/main/main.c
4898--- php-4.4.2/main/main.c 2006-01-01 14:46:59.000000000 +0100
4899+++ hardening-patch-4.4.2-0.4.10/main/main.c 2006-05-11 10:36:02.000000000 +0200
4900@@ -92,6 +92,10 @@
4901 PHPAPI int core_globals_id;
4902 #endif
4903
4904+#if HARDENING_PATCH
4905+#include "hardened_globals.h"
4906+#endif
4907+
4908 #define ERROR_BUF_LEN 1024
4909
4910 typedef struct {
4911@@ -142,10 +146,33 @@
4912 */
4913 static PHP_INI_MH(OnChangeMemoryLimit)
4914 {
4915+#if HARDENING_PATCH
4916+ long orig_memory_limit;
4917+
4918+ if (entry->modified) {
4919+ orig_memory_limit = zend_atoi(entry->orig_value, entry->orig_value_length);
4920+ } else {
4921+ orig_memory_limit = 1<<30;
4922+ }
4923+ if (orig_memory_limit < 0 || orig_memory_limit > (1<<30)) {
4924+ orig_memory_limit = 1<<30;
4925+ }
4926+#endif
4927 if (new_value) {
4928 PG(memory_limit) = zend_atoi(new_value, new_value_length);
4929+#if HARDENING_PATCH
4930+ if (PG(memory_limit) > orig_memory_limit) {
4931+ PG(memory_limit) = orig_memory_limit;
4932+ php_security_log(S_MISC, "script tried to increase memory_limit above allowed value");
4933+ return FAILURE;
4934+ }
4935+#endif
4936 } else {
4937+#if HARDENING_PATCH
4938+ PG(memory_limit) = orig_memory_limit;
4939+#else
4940 PG(memory_limit) = 1<<30; /* effectively, no limit */
4941+#endif
4942 }
4943 return zend_set_memory_limit(PG(memory_limit));
4944 }
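Review bot: The fallback `orig_memory_limit = 1<<30` taken when `entry->modified` is not set means the cap is only enforced once the entry has already been changed; if the engine marks the entry modified only after this handler returns SUCCESS (which the hunk does not show, so this needs confirming), the first runtime change of memory_limit is not capped at all. At that point the pre-change value is still in `entry->value`/`entry->value_length`, so the fallback could parse that instead of assuming "no limit". On the FAILURE path `PG(memory_limit)` is reset to the original but `zend_set_memory_limit()` is not re-called, which is only harmless if the two values were already in sync; returning through the final `return zend_set_memory_limit(...)` after logging would keep them consistent.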
4945@@ -1008,6 +1035,9 @@
4946
4947 zend_try {
4948 shutdown_memory_manager(CG(unclean_shutdown), 0 TSRMLS_CC);
4949+#if HARDENING_PATCH
4950+ hardened_clear_mm_canaries(TSRMLS_C);
4951+#endif
4952 } zend_end_try();
4953
4954 zend_try {
4955@@ -1098,6 +1128,10 @@
4956 tsrm_ls = ts_resource(0);
4957 #endif
4958
4959+#if HARDENING_PATCH
4960+ hardened_startup();
4961+#endif
4962+
4963 sapi_initialize_empty_request(TSRMLS_C);
4964 sapi_activate(TSRMLS_C);
4965
4966@@ -1110,6 +1144,12 @@
4967 php_output_startup();
4968 php_output_activate(TSRMLS_C);
4969
4970+#if HARDENING_PATCH_INC_PROTECT
4971+ zuf.is_valid_include = php_is_valid_include;
4972+#endif
4973+#if HARDENING_PATCH
4974+ zuf.security_log_function = php_security_log;
4975+#endif
4976 zuf.error_function = php_error_cb;
4977 zuf.printf_function = php_printf;
4978 zuf.write_function = php_body_write_wrapper;
4979@@ -1211,6 +1251,10 @@
4980 REGISTER_MAIN_STRINGL_CONSTANT("PHP_CONFIG_FILE_PATH", PHP_CONFIG_FILE_PATH, sizeof(PHP_CONFIG_FILE_PATH)-1, CONST_PERSISTENT | CONST_CS);
4981 REGISTER_MAIN_STRINGL_CONSTANT("PHP_CONFIG_FILE_SCAN_DIR", PHP_CONFIG_FILE_SCAN_DIR, sizeof(PHP_CONFIG_FILE_SCAN_DIR)-1, CONST_PERSISTENT | CONST_CS);
4982 REGISTER_MAIN_STRINGL_CONSTANT("PHP_SHLIB_SUFFIX", PHP_SHLIB_SUFFIX, sizeof(PHP_SHLIB_SUFFIX)-1, CONST_PERSISTENT | CONST_CS);
4983+#if HARDENING_PATCH
4984+ REGISTER_MAIN_LONG_CONSTANT("HARDENING_PATCH", 1, CONST_PERSISTENT | CONST_CS);
4985+ REGISTER_MAIN_STRINGL_CONSTANT("HARDENING_PATCH_VERSION", HARDENING_PATCH_VERSION, sizeof(HARDENING_PATCH_VERSION)-1, CONST_PERSISTENT | CONST_CS);
4986+#endif
4987 REGISTER_MAIN_STRINGL_CONSTANT("PHP_EOL", PHP_EOL, sizeof(PHP_EOL)-1, CONST_PERSISTENT | CONST_CS);
4988 REGISTER_MAIN_LONG_CONSTANT("PHP_INT_MAX", LONG_MAX, CONST_PERSISTENT | CONST_CS);
4989 REGISTER_MAIN_LONG_CONSTANT("PHP_INT_SIZE", sizeof(long), CONST_PERSISTENT | CONST_CS);
4990@@ -1318,7 +1362,7 @@
4991 */
4992 static inline void php_register_server_variables(TSRMLS_D)
4993 {
4994- zval *array_ptr=NULL;
4995+ zval *array_ptr=NULL, *vptr;
4996
4997 ALLOC_ZVAL(array_ptr);
4998 array_init(array_ptr);
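Review bot: `vptr` is added to the declaration but no line of this hunk assigns or reads it, and no further hunk for php_register_server_variables appears in this diff, so it looks like an unused variable left over from an earlier revision (an `-Wunused-variable` warning at best); if nothing uses it, revert the change to `zval *array_ptr=NULL;`. The function body continues outside the hunk.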
4999diff -Nura php-4.4.2/main/php_config.h.in hardening-patch-4.4.2-0.4.10/main/php_config.h.in
5000--- php-4.4.2/main/php_config.h.in 2006-01-12 19:24:28.000000000 +0100
5001+++ hardening-patch-4.4.2-0.4.10/main/php_config.h.in 2006-05-11 10:36:02.000000000 +0200
5002@@ -865,6 +865,39 @@
5003 /* Enabling BIND8 compatibility for Panther */
5004 #undef BIND_8_COMPAT
5005
5006+/* Hardening-Patch */
5007+#undef HARDENING_PATCH
5008+
5009+/* Memory Manager Protection */
5010+#undef HARDENING_PATCH_MM_PROTECT
5011+
5012+/* Memory Manager Protection */
5013+#undef HARDENING_PATCH_MM_PROTECT
5014+
5015+/* Linked List Protection */
5016+#undef HARDENING_PATCH_LL_PROTECT
5017+
5018+/* Linked List Protection */
5019+#undef HARDENING_PATCH_LL_PROTECT
5020+
5021+/* Include/Require Protection */
5022+#undef HARDENING_PATCH_INC_PROTECT
5023+
5024+/* Include/Require Protection */
5025+#undef HARDENING_PATCH_INC_PROTECT
5026+
5027+/* Fmt String Protection */
5028+#undef HARDENING_PATCH_FMT_PROTECT
5029+
5030+/* Fmt String Protection */
5031+#undef HARDENING_PATCH_FMT_PROTECT
5032+
5033+/* HashTable DTOR Protection */
5034+#undef HARDENING_PATCH_HASH_PROTECT
5035+
5036+/* HashTable DTOR Protection */
5037+#undef HARDENING_PATCH_HASH_PROTECT
5038+
5039 /* Whether you have AOLserver */
5040 #undef HAVE_AOLSERVER
5041
5042@@ -1148,6 +1181,12 @@
5043 /* Define if you have the getaddrinfo function */
5044 #undef HAVE_GETADDRINFO
5045
5046+/* Whether realpath is broken */
5047+#undef PHP_BROKEN_REALPATH
5048+
5049+/* Whether realpath is broken */
5050+#undef PHP_BROKEN_REALPATH
5051+
5052 /* Whether system headers declare timezone */
5053 #undef HAVE_DECLARED_TIMEZONE
5054
5055diff -Nura php-4.4.2/main/php_content_types.c hardening-patch-4.4.2-0.4.10/main/php_content_types.c
5056--- php-4.4.2/main/php_content_types.c 2006-01-01 14:46:59.000000000 +0100
5057+++ hardening-patch-4.4.2-0.4.10/main/php_content_types.c 2006-05-11 10:36:02.000000000 +0200
5058@@ -77,6 +77,7 @@
5059 sapi_register_post_entries(php_post_entries);
5060 sapi_register_default_post_reader(php_default_post_reader);
5061 sapi_register_treat_data(php_default_treat_data);
5062+ sapi_register_input_filter(php_default_input_filter);
5063 return SUCCESS;
5064 }
5065 /* }}} */
5066diff -Nura php-4.4.2/main/php.h hardening-patch-4.4.2-0.4.10/main/php.h
5067--- php-4.4.2/main/php.h 2006-01-01 14:46:59.000000000 +0100
5068+++ hardening-patch-4.4.2-0.4.10/main/php.h 2006-05-11 10:36:02.000000000 +0200
5069@@ -35,11 +35,19 @@
5070 #include "zend_qsort.h"
5071 #include "php_compat.h"
5072
5073+
5074 #include "zend_API.h"
5075
5076 #undef sprintf
5077 #define sprintf php_sprintf
5078
5079+#if HARDENING_PATCH
5080+#if HAVE_REALPATH
5081+#undef realpath
5082+#define realpath php_realpath
5083+#endif
5084+#endif
5085+
5086 /* PHP's DEBUG value must match Zend's ZEND_DEBUG value */
5087 #undef PHP_DEBUG
5088 #define PHP_DEBUG ZEND_DEBUG
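Review bot: `#define realpath php_realpath` renames every token `realpath` in every translation unit that includes php.h, including any declaration of realpath in a header included after this point, so a later system or extension header that declares realpath would end up declaring `php_realpath` with the libc prototype. No prototype for `php_realpath` is visible in this hunk; unless it is declared before the first use (presumably in hardening_patch.h, which I cannot confirm from here), calls become implicit declarations. A comment naming where php_realpath is declared, e.g. `/* php_realpath: see main/hardening_patch.c; replaces libc realpath where it mishandles "..". */`, would make the redirection discoverable.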
5089@@ -409,6 +417,10 @@
5090 #endif
5091 #endif /* !XtOffsetOf */
5092
5093+#if HARDENING_PATCH
5094+#include "hardening_patch.h"
5095+#endif
5096+
5097 #endif
5098
5099 /*
5100diff -Nura php-4.4.2/main/php_variables.c hardening-patch-4.4.2-0.4.10/main/php_variables.c
5101--- php-4.4.2/main/php_variables.c 2006-01-01 14:47:00.000000000 +0100
5102+++ hardening-patch-4.4.2-0.4.10/main/php_variables.c 2006-05-11 10:36:02.000000000 +0200
5103@@ -236,17 +236,28 @@
5104 while (var) {
5105 val = strchr(var, '=');
5106 if (val) { /* have a value */
5107- int val_len;
5108+ unsigned int val_len, new_val_len;
5109
5110 *val++ = '\0';
5111 php_url_decode(var, strlen(var));
5112 val_len = php_url_decode(val, strlen(val));
5113- php_register_variable_safe(var, val, val_len, array_ptr TSRMLS_CC);
5114+ val = estrndup(val, val_len);
5115+ if (sapi_module.input_filter(PARSE_POST, var, &val, val_len, &new_val_len TSRMLS_CC)) {
5116+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
5117+ }
5118+ efree(val);
5119 }
5120 var = php_strtok_r(NULL, "&", &strtok_buf);
5121 }
5122 }
5123
5124+SAPI_API SAPI_INPUT_FILTER_FUNC(php_default_input_filter)
5125+{
5126+ /* TODO: check .ini setting here and apply user-defined input filter */
5127+ *new_val_len = val_len;
5128+ return 1;
5129+}
5130+
5131 SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data)
5132 {
5133 char *res = NULL, *var, *val, *separator=NULL;
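Review bot: `sapi_module.input_filter` is called through the pointer without a NULL check, whereas every upload filter pointer in the rfc1867.c hunks is tested before the call; the default is installed only by php_startup_sapi_content_types (php_content_types.c hunk), so a SAPI whose startup path bypasses that registration would dereference NULL here, and a guard `if (!sapi_module.input_filter || sapi_module.input_filter(...))` keeps the two call styles consistent. The filter receives `char **val` and may replace the buffer, yet nothing documents the ownership rule implied by the `efree(val)` that follows: a replacement must be emalloc'd and the filter must free the estrndup'd original. A one-line comment on SAPI_INPUT_FILTER_FUNC in SAPI.h stating that contract would help SAPI authors. The same pattern appears in the second php_variables.c hunk and in the rfc1867.c POST-variable hunk.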
5134@@ -324,15 +335,26 @@
5135 while (var) {
5136 val = strchr(var, '=');
5137 if (val) { /* have a value */
5138- int val_len;
5139+ unsigned int val_len, new_val_len;
5140
5141 *val++ = '\0';
5142 php_url_decode(var, strlen(var));
5143 val_len = php_url_decode(val, strlen(val));
5144- php_register_variable_safe(var, val, val_len, array_ptr TSRMLS_CC);
5145+ val = estrndup(val, val_len);
5146+ if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len TSRMLS_CC)) {
5147+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
5148+ }
5149+ efree(val);
5150 } else {
5151+ unsigned int val_len, new_val_len;
5152+
5153 php_url_decode(var, strlen(var));
5154- php_register_variable_safe(var, "", 0, array_ptr TSRMLS_CC);
5155+ val_len = 0;
5156+ val = estrndup("", 0);
5157+ if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len TSRMLS_CC)) {
5158+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
5159+ }
5160+ efree(val);
5161 }
5162 var = php_strtok_r(NULL, separator, &strtok_buf);
5163 }
5164diff -Nura php-4.4.2/main/rfc1867.c hardening-patch-4.4.2-0.4.10/main/rfc1867.c
5165--- php-4.4.2/main/rfc1867.c 2006-01-01 14:47:00.000000000 +0100
5166+++ hardening-patch-4.4.2-0.4.10/main/rfc1867.c 2006-05-11 10:36:02.000000000 +0200
5167@@ -128,6 +128,8 @@
5168 #define UPLOAD_ERROR_D 4 /* No file uploaded */
5169 #define UPLOAD_ERROR_E 6 /* Missing /tmp or similar directory */
5170 #define UPLOAD_ERROR_F 7 /* Failed to write file to disk */
5171+#define UPLOAD_ERROR_X 99 /* Filter forbids upload */
5172+
5173
5174 void php_rfc1867_register_constants(TSRMLS_D)
5175 {
5176@@ -138,6 +140,7 @@
5177 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_FILE", UPLOAD_ERROR_D, CONST_CS | CONST_PERSISTENT);
5178 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_TMP_DIR", UPLOAD_ERROR_E, CONST_CS | CONST_PERSISTENT);
5179 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_CANT_WRITE", UPLOAD_ERROR_F, CONST_CS | CONST_PERSISTENT);
5180+ REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_FILTER", UPLOAD_ERROR_X, CONST_CS | CONST_PERSISTENT);
5181 }
5182
5183 static void normalize_protected_variable(char *varname TSRMLS_DC)
5184@@ -849,6 +852,7 @@
5185 char buff[FILLUNIT];
5186 char *cd=NULL,*param=NULL,*filename=NULL, *tmp=NULL;
5187 int blen=0, wlen=0;
5188+ unsigned long offset;
5189
5190 zend_llist_clean(&header);
5191
5192@@ -897,21 +901,24 @@
5193 if (!filename && param) {
5194
5195 char *value = multipart_buffer_read_body(mbuff TSRMLS_CC);
5196+ unsigned int new_val_len; /* Dummy variable */
5197
5198 if (!value) {
5199 value = estrdup("");
5200 }
5201
5202+ if (sapi_module.input_filter(PARSE_POST, param, &value, strlen(value), &new_val_len TSRMLS_CC)) {
5203 #if HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING)
5204- if (php_mb_encoding_translation(TSRMLS_C)) {
5205- php_mb_gpc_stack_variable(param, value, &val_list, &len_list,
5206- &num_vars, &num_vars_max TSRMLS_CC);
5207- } else {
5208- safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
5209- }
5210+ if (php_mb_encoding_translation(TSRMLS_C)) {
5211+ php_mb_gpc_stack_variable(param, value, &val_list, &len_list,
5212+ &num_vars, &num_vars_max TSRMLS_CC);
5213+ } else {
5214+ safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
5215+ }
5216 #else
5217- safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
5218+ safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
5219 #endif
5220+ }
5221 if (!strcasecmp(param, "MAX_FILE_SIZE")) {
5222 max_file_size = atol(value);
5223 }
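Review bot: `MAX_FILE_SIZE` is still read from `value` by the `strcasecmp` below even when the input filter returned 0 and the variable was not registered, so a field the filter rejected still sets `max_file_size`; moving that `if` inside the filter block keeps the filter decision consistent. `new_val_len` is declared as a dummy and ignored, so a filter that shortens the value and reports a new length still has the full NUL-terminated string registered by `safe_php_register_variable`; if a filter is allowed to rewrite the value, the registration should use the reported length. `strlen(value)` is also what is passed as the length, so if the multipart body can contain an embedded NUL (not determinable from the hunk) the filter never sees the bytes after it.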
5224@@ -963,7 +970,11 @@
5225 tmp++;
5226 }
5227 }
5228-
5229+
5230+ if (sapi_module.upload_varname_filter && sapi_module.upload_varname_filter(param TSRMLS_CC)==FAILURE) {
5231+ skip_upload = 1;
5232+ }
5233+
5234 total_bytes = cancel_upload = 0;
5235
5236 if (!skip_upload) {
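Review bot: A varname rejected by `upload_varname_filter` sets `skip_upload = 1`, which drops the part without recording any error code, while a rejection by `pre_upload_filter` in the next hunk reports `UPLOAD_ERROR_X` so the script can see `UPLOAD_ERR_FILTER`; the two filters therefore surface differently to the application. If the silent drop is intentional for invalid variable names, a comment such as `/* rejected varname: drop the part silently, like an invalid array name */` should say so; otherwise the rejection should be reported the same way as the other filters.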
5237@@ -987,6 +998,11 @@
5238 cancel_upload = UPLOAD_ERROR_D;
5239 }
5240
5241+ if (sapi_module.pre_upload_filter && sapi_module.pre_upload_filter(param, filename TSRMLS_CC)==FAILURE) {
5242+ cancel_upload = UPLOAD_ERROR_X;
5243+ }
5244+
5245+ offset = 0;
5246 end = 0;
5247 while (!cancel_upload && (blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end TSRMLS_CC)))
5248 {
5249@@ -997,6 +1013,11 @@
5250 sapi_module.sapi_error(E_WARNING, "MAX_FILE_SIZE of %ld bytes exceeded - file [%s=%s] not saved", max_file_size, param, filename);
5251 cancel_upload = UPLOAD_ERROR_B;
5252 } else if (blen > 0) {
5253+
5254+ if (sapi_module.upload_content_filter && sapi_module.upload_content_filter(offset, buff, blen, &blen TSRMLS_CC)==FAILURE) {
5255+ cancel_upload = UPLOAD_ERROR_X;
5256+ }
5257+
5258 wlen = write(fd, buff, blen);
5259
5260 if (wlen < blen) {
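Review bot: `&blen` is an `int *` (`blen` is declared `int` in the earlier rfc1867.c hunk) but the last parameter of `upload_content_filter` is `unsigned int *new_buffer_len` per the SAPI.h hunk, so this is an incompatible pointer type that compilers warn about and that writes through the pointer as a different type; declare `blen` as `unsigned int`, or pass a local `unsigned int new_blen` and assign it back. When the filter returns FAILURE the chunk is still handed to `write()` before the loop condition stops the upload, so rejected content reaches the temp file even though the cancel path presumably removes it; a `break;` after setting `cancel_upload`, or wrapping the write in an `else`, avoids that.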
5261@@ -1004,6 +1025,7 @@
5262 cancel_upload = UPLOAD_ERROR_F;
5263 } else {
5264 total_bytes += wlen;
5265+ offset += wlen;
5266 }
5267 }
5268 }
5269@@ -1025,6 +1047,10 @@
5270 }
5271 #endif
5272
5273+ if (!cancel_upload && sapi_module.post_upload_filter && sapi_module.post_upload_filter(temp_filename TSRMLS_CC)==FAILURE) {
5274+ cancel_upload = UPLOAD_ERROR_X;
5275+ }
5276+
5277 if (cancel_upload) {
5278 if (temp_filename) {
5279 if (cancel_upload != UPLOAD_ERROR_E) { /* file creation failed */
5280diff -Nura php-4.4.2/main/SAPI.c hardening-patch-4.4.2-0.4.10/main/SAPI.c
5281--- php-4.4.2/main/SAPI.c 2006-01-01 14:46:59.000000000 +0100
5282+++ hardening-patch-4.4.2-0.4.10/main/SAPI.c 2006-05-11 10:36:02.000000000 +0200
5283@@ -854,6 +854,37 @@
5284 return SUCCESS;
5285 }
5286
5287+SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC))
5288+{
5289+ sapi_module.input_filter = input_filter;
5290+ return SUCCESS;
5291+}
5292+
5293+SAPI_API int sapi_register_upload_varname_filter(unsigned int (*upload_varname_filter)(char *varname TSRMLS_DC))
5294+{
5295+ sapi_module.upload_varname_filter = upload_varname_filter;
5296+ return SUCCESS;
5297+}
5298+
5299+SAPI_API int sapi_register_pre_upload_filter(unsigned int (*pre_upload_filter)(char *varname, char *filename TSRMLS_DC))
5300+{
5301+ sapi_module.pre_upload_filter = pre_upload_filter;
5302+ return SUCCESS;
5303+}
5304+
5305+SAPI_API int sapi_register_upload_content_filter(unsigned int (*upload_content_filter)(unsigned long offset, char *buffer, unsigned int buffer_len, unsigned int *new_buffer_len TSRMLS_DC))
5306+{
5307+ sapi_module.upload_content_filter = upload_content_filter;
5308+ return SUCCESS;
5309+}
5310+
5311+SAPI_API int sapi_register_post_upload_filter(unsigned int (*post_upload_filter)(char *tmpfilename TSRMLS_DC))
5312+{
5313+ sapi_module.post_upload_filter = post_upload_filter;
5314+ return SUCCESS;
5315+}
5316+
5317+
5318
5319 SAPI_API int sapi_flush(TSRMLS_D)
5320 {
5321diff -Nura php-4.4.2/main/SAPI.h hardening-patch-4.4.2-0.4.10/main/SAPI.h
5322--- php-4.4.2/main/SAPI.h 2006-01-01 14:46:59.000000000 +0100
5323+++ hardening-patch-4.4.2-0.4.10/main/SAPI.h 2006-05-11 10:36:02.000000000 +0200
5324@@ -101,9 +101,10 @@
5325 char *current_user;
5326 int current_user_length;
5327
5328- /* this is necessary for CLI module */
5329- int argc;
5330- char **argv;
5331+ /* this is necessary for CLI module */
5332+ int argc;
5333+ char **argv;
5334+
5335 } sapi_request_info;
5336
5337
5338@@ -177,6 +178,10 @@
5339 SAPI_API void sapi_unregister_post_entry(sapi_post_entry *post_entry);
5340 SAPI_API int sapi_register_default_post_reader(void (*default_post_reader)(TSRMLS_D));
5341 SAPI_API int sapi_register_treat_data(void (*treat_data)(int arg, char *str, zval *destArray TSRMLS_DC));
5342+SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC));
5343+SAPI_API int sapi_register_pre_upload_filter(unsigned int (*pre_upload_filter)(char *varname, char *filename TSRMLS_DC));
5344+SAPI_API int sapi_register_upload_content_filter(unsigned int (*upload_content_filter)(unsigned long offset, char *buffer, unsigned int buffer_len, unsigned int *new_buffer_len TSRMLS_DC));
5345+SAPI_API int sapi_register_post_upload_filter(unsigned int (*post_upload_filter)(char *tmpfilename TSRMLS_DC));
5346
5347 SAPI_API int sapi_flush(TSRMLS_D);
5348 SAPI_API struct stat *sapi_get_stat(TSRMLS_D);
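Review bot: `sapi_register_upload_varname_filter` is defined in the SAPI.c hunk but has no prototype here, while the other four registration functions do, so any SAPI calling it compiles against an implicit declaration; add `SAPI_API int sapi_register_upload_varname_filter(unsigned int (*upload_varname_filter)(char *varname TSRMLS_DC));` next to the others. The five registration functions also accept NULL without complaint, which is fine for "unregister" semantics but should be stated in a short comment since the rfc1867.c callers rely on NULL meaning "no filter".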
5349@@ -238,8 +243,16 @@
5350 int (*get_target_uid)(uid_t * TSRMLS_DC);
5351 int (*get_target_gid)(gid_t * TSRMLS_DC);
5352
5353+ unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC);
5354+
5355+ unsigned int (*upload_varname_filter)(char *varname TSRMLS_DC);
5356+ unsigned int (*pre_upload_filter)(char *varname, char *filename TSRMLS_DC);
5357+ unsigned int (*upload_content_filter)(unsigned long offset, char *buffer, unsigned int buffer_len, unsigned int *new_buffer_len TSRMLS_DC);
5358+ unsigned int (*post_upload_filter)(char *tmpfilename TSRMLS_DC);
5359+
5360 void (*ini_defaults)(HashTable *configuration_hash);
5361 int phpinfo_as_text;
5362+
5363 };
5364
5365
5366@@ -262,16 +275,27 @@
5367
5368 #define SAPI_DEFAULT_MIMETYPE "text/html"
5369 #define SAPI_DEFAULT_CHARSET ""
5370+
5371+#if HARDENING_PATCH
5372+#define SAPI_PHP_VERSION_HEADER "X-Powered-By: PHP/" PHP_VERSION " with Hardening-Patch"
5373+#else
5374 #define SAPI_PHP_VERSION_HEADER "X-Powered-By: PHP/" PHP_VERSION
5375+#endif
5376
5377 #define SAPI_POST_READER_FUNC(post_reader) void post_reader(TSRMLS_D)
5378 #define SAPI_POST_HANDLER_FUNC(post_handler) void post_handler(char *content_type_dup, void *arg TSRMLS_DC)
5379
5380 #define SAPI_TREAT_DATA_FUNC(treat_data) void treat_data(int arg, char *str, zval* destArray TSRMLS_DC)
5381+#define SAPI_INPUT_FILTER_FUNC(input_filter) unsigned int input_filter(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC)
5382+#define SAPI_UPLOAD_VARNAME_FILTER_FUNC(upload_varname_filter) unsigned int upload_varname_filter(char *varname TSRMLS_DC)
5383+#define SAPI_PRE_UPLOAD_FILTER_FUNC(pre_upload_filter) unsigned int pre_upload_filter(char *varname, char *filename TSRMLS_DC)
5384+#define SAPI_UPLOAD_CONTENT_FILTER_FUNC(upload_content_filter) unsigned int upload_content_filter(unsigned long offset, char *buffer, unsigned int buffer_len, unsigned int *new_buffer_len TSRMLS_DC)
5385+#define SAPI_POST_UPLOAD_FILTER_FUNC(post_upload_filter) unsigned int post_upload_filter(char *tmpfilename TSRMLS_DC)
5386
5387 SAPI_API SAPI_POST_READER_FUNC(sapi_read_standard_form_data);
5388 SAPI_API SAPI_POST_READER_FUNC(php_default_post_reader);
5389 SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data);
5390+SAPI_API SAPI_INPUT_FILTER_FUNC(php_default_input_filter);
5391
5392 #define STANDARD_SAPI_MODULE_PROPERTIES
5393
5394diff -Nura php-4.4.2/main/snprintf.c hardening-patch-4.4.2-0.4.10/main/snprintf.c
5395--- php-4.4.2/main/snprintf.c 2006-01-01 14:47:00.000000000 +0100
5396+++ hardening-patch-4.4.2-0.4.10/main/snprintf.c 2006-05-11 10:36:02.000000000 +0200
5397@@ -1014,7 +1014,11 @@
5398
5399
5400 case 'n':
5401+#if HARDENING_PATCH_FMT_PROTECT
5402+ php_security_log(S_MISC, "'n' specifier within format string");
5403+#else
5404 *(va_arg(ap, int *)) = cc;
5405+#endif
5406 break;
5407
5408 /*
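Review bot: After logging, the `'n'` case reaches `break` and formatting continues, but the `int *` argument that `%n` would have consumed is no longer taken from `ap`, so every later conversion in the same call reads a shifted argument, which is undefined behaviour for a legitimate internal caller of `%n` and leaves the output of the remaining format unreliable in the injected case. Stopping the conversion after the alert (terminate the output and leave the loop) is the safer response, since the presence of `%n` is already treated as an attack. The same applies to the spprintf.c hunk.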
5409diff -Nura php-4.4.2/main/spprintf.c hardening-patch-4.4.2-0.4.10/main/spprintf.c
5410--- php-4.4.2/main/spprintf.c 2006-01-01 14:47:00.000000000 +0100
5411+++ hardening-patch-4.4.2-0.4.10/main/spprintf.c 2006-05-11 10:36:02.000000000 +0200
5412@@ -630,7 +630,11 @@
5413
5414
5415 case 'n':
5416+#if HARDENING_PATCH_FMT_PROTECT
5417+ php_security_log(S_MISC, "'n' specifier within format string");
5418+#else
5419 *(va_arg(ap, int *)) = xbuf->len;
5420+#endif
5421 break;
5422
5423 /*
5424diff -Nura php-4.4.2/php.ini-dist hardening-patch-4.4.2-0.4.10/php.ini-dist
5425--- php-4.4.2/php.ini-dist 2005-12-30 18:19:43.000000000 +0100
5426+++ hardening-patch-4.4.2-0.4.10/php.ini-dist 2006-05-11 10:36:02.000000000 +0200
5427@@ -1114,6 +1114,209 @@
5428 ;exif.decode_jis_motorola = JIS
5429 ;exif.decode_jis_intel = JIS
5430
5431+[hardening-patch]
5432+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5433+; Hardening-Patch's logging ;
5434+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5435+
5436+;
5437+; hphp.log.syslog - Configures level for alerts reported through syslog
5438+; hphp.log.sapi - Configures level for alerts reported through SAPI errorlog
5439+; hphp.log.script - Configures level for alerts reported through external script
5440+;
5441+; hphp.log.syslog, hphp.log.sapi, hphp.log.script are bit-fields.
5442+; Or each number up to get desired Hardening-Patch's reporting level
5443+;
5444+; S_ALL - All alerts
5445+; S_MEMORY - All canary violations and the safe unlink protection use this class
5446+; S_VARS - All variable filters trigger this class
5447+; S_FILES - All violation of uploaded files filter use this class
5448+; S_INCLUDE - The protection against malicious include filenames use this class
5449+; S_SQL - Failed SQL queries in MySQL are logged with this class
5450+; S_EXECUTOR - The execution depth protection uses this logging class
5451+; S_MISC - All other log messages (f.e. format string protection) use this class
5452+;
5453+; Example:
5454+;
5455+; - Report all alerts (except memory alerts) to the SAPI errorlog,
5456+; memory alerts through syslog and SQL+Include alerts fo the script
5457+;
5458+;hphp.log.syslog = S_MEMORY
5459+;hphp.log.sapi = S_ALL & ~S_MEMORY
5460+;hphp.log.script = S_INCLUDE | S_SQL
5461+;
5462+; Syslog logging:
5463+;
5464+; - Facility configuration: one of the following facilities
5465+;
5466+; LOG_KERN, LOG_USER, LOG_MAIL, LOG_DAEMON
5467+; LOG_AUTH, LOG_SYSLOG, LOG_LPR, LOG_NEWS
5468+; LOG_UUCP, LOG_CRON, LOG_AUTHPRIV, LOG_LOCAL0
5469+; LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4
5470+; LOG_LOCAL5, LOG_LOCAL6, LOG_LOCAL7, LOG_PID
5471+; LOG_CONS, LOG_ODELAY, LOG_NDELAY, LOG_NOWAIT
5472+; LOG_PERROR
5473+;
5474+; - Priority configuration: one of the followinf priorities
5475+;
5476+; LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_WARNING
5477+; LOG_NOTICE, LOG_INFO, LOG_DEBUG, LOG_ERR
5478+;
5479+hphp.log.syslog.priority = LOG_ALERT
5480+hphp.log.syslog.facility = LOG_USER
5481+;
5482+; Script logging:
5483+;
5484+;hphp.log.script.name = /home/hphp/log_script
5485+;
5486+; Alert configuration:
5487+;
5488+; - Logged IP addresses from X-Forwarded-For instead of REMOTE_ADDR
5489+;
5490+;hphp.log.use-x-forwarded-for = On
5491+;
5492+
5493+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5494+; Hardening-Patch's Executor options ;
5495+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5496+
5497+; Execution depth limit
5498+;hphp.executor.max_depth = 8000
5499+
5500+; White-/blacklist for function calls during normal execution
5501+;hphp.executor.func.whitelist = ord,chr
5502+;hphp.executor.func.blacklist = system,shell_exec,popen,proc_open,exec,passthru
5503+
5504+; White-/blacklist for function calls during eval() execution
5505+;hphp.executor.eval.whitelist = ord,chr
5506+;hphp.executor.eval.blacklist = system,shell_exec,popen,proc_open,exec,passthru
5507+
5508+; White-/blacklist for URLs allowes in include filenames
5509+;
5510+; - When both options are not set all URLs are forbidden
5511+;
5512+; - When both options are set whitelist is taken and blacklist ignored
5513+;
5514+; - An entry in the lists is either a URL sheme like: http, https
5515+; or the beginning of an URL like: php://input
5516+;
5517+;hphp.executor.include.whitelist = cookietest
5518+;hphp.executor.include.blacklist = http, https, ftp, ftps, php://input, file
5519+
5520+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5521+; Hardening-Patch's REQUEST variable filters ;
5522+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5523+
5524+; Limits the number of REQUEST variables
5525+hphp.request.max_vars = 200
5526+
5527+; Limits the length of variable names (without indices)
5528+hphp.request.max_varname_length = 64
5529+
5530+; Limits the length of complete variable names (with indices)
5531+hphp.request.max_totalname_length = 256
5532+
5533+; Limits the length of array indices
5534+hphp.request.max_array_index_length = 64
5535+
5536+; Limits the depth of arrays
5537+hphp.request.max_array_depth = 100
5538+
5539+; Limits the length of variable values
5540+hphp.request.max_value_length = 65000
5541+
5542+; Disallow ASCII-NUL characters in input
5543+hphp.request.disallow_nul = 1
5544+
5545+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5546+; Hardening-Patch's COOKIE variable filters ;
5547+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5548+
5549+; Limits the number of COOKIE variables
5550+hphp.cookie.max_vars = 100
5551+
5552+; Limits the length of variable names (without indices)
5553+hphp.cookie.max_name_length = 64
5554+
5555+; Limits the length of complete variable names (with indices)
5556+hphp.cookie.max_totalname_length = 256
5557+
5558+; Limits the length of array indices
5559+hphp.cookie.max_array_index_length = 64
5560+
5561+; Limits the depth of arrays
5562+hphp.cookie.max_array_depth = 100
5563+
5564+; Limits the length of variable values
5565+hphp.cookie.max_value_length = 10000
5566+
5567+; Disallow ASCII-NUL characters in input
5568+hphp.cookie.disallow_nul = 1
5569+
5570+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5571+; Hardening-Patch's GET variable filters ;
5572+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5573+
5574+; Limits the number of COOKIE variables
5575+hphp.get.max_vars = 100
5576+
5577+; Limits the length of variable names (without indices)
5578+hphp.get.max_name_length = 64
5579+
5580+; Limits the length of complete variable names (with indices)
5581+hphp.get.max_totalname_length = 256
5582+
5583+; Limits the length of array indices
5584+hphp.get.max_array_index_length = 64
5585+
5586+; Limits the depth of arrays
5587+hphp.get.max_array_depth = 50
5588+
5589+; Limits the length of variable values
5590+hphp.get.max_value_length = 512
5591+
5592+; Disallow ASCII-NUL characters in input
5593+hphp.get.disallow_nul = 1
5594+
5595+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5596+; Hardening-Patch's POST variable filters ;
5597+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5598+
5599+; Limits the number of POST variables
5600+hphp.post.max_vars = 200
5601+
5602+; Limits the length of variable names (without indices)
5603+hphp.post.max_name_length = 64
5604+
5605+; Limits the length of complete variable names (with indices)
5606+hphp.post.max_totalname_length = 256
5607+
5608+; Limits the length of array indices
5609+hphp.post.max_array_index_length = 64
5610+
5611+; Limits the depth of arrays
5612+hphp.post.max_array_depth = 100
5613+
5614+; Limits the length of variable values
5615+hphp.post.max_value_length = 65000
5616+
5617+; Disallow ASCII-NUL characters in input
5618+hphp.post.disallow_nul = 1
5619+
5620+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5621+; Hardening-Patch's fileupload variable filters ;
5622+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5623+
5624+; Limits the number of uploadable files
5625+hphp.upload.max_uploads = 25
5626+
5627+; Filter out the upload of ELF executables
5628+hphp.upload.disallow_elf_files = On
5629+
5630+; External filterscript for upload verification
5631+;hphp.upload.verification_script = /home/hphp/verify_script
5632+
5633+
5634 ; Local Variables:
5635 ; tab-width: 4
5636 ; End:
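Review bot: The comment above `hphp.get.max_vars` reads "Limits the number of COOKIE variables" where it should say GET, and the REQUEST section names its key `hphp.request.max_varname_length` while the COOKIE, GET and POST sections use `*.max_name_length`, which makes one of them easy to misconfigure; the identical block in the php.ini-recommended hunk below has the same issues. The `hphp.log.use-x-forwarded-for` comment should state that the X-Forwarded-For value comes from the client, so the logged address is only meaningful when a trusted reverse proxy in front of PHP sets it, e.g. `; Only enable behind a trusted proxy that overwrites X-Forwarded-For; the header is client-supplied`. Spelling in the comments: "fo the script", "followinf", "allowes", "sheme".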
5637diff -Nura php-4.4.2/php.ini-recommended hardening-patch-4.4.2-0.4.10/php.ini-recommended
5638--- php-4.4.2/php.ini-recommended 2005-12-30 18:19:43.000000000 +0100
5639+++ hardening-patch-4.4.2-0.4.10/php.ini-recommended 2006-05-11 10:36:02.000000000 +0200
5640@@ -1112,6 +1112,209 @@
5641 ;exif.decode_jis_motorola = JIS
5642 ;exif.decode_jis_intel = JIS
5643
5644+[hardening-patch]
5645+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5646+; Hardening-Patch's logging ;
5647+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5648+
5649+;
5650+; hphp.log.syslog - Configures level for alerts reported through syslog
5651+; hphp.log.sapi - Configures level for alerts reported through SAPI errorlog
5652+; hphp.log.script - Configures level for alerts reported through external script
5653+;
5654+; hphp.log.syslog, hphp.log.sapi, hphp.log.script are bit-fields.
5655+; Or each number up to get desired Hardening-Patch's reporting level
5656+;
5657+; S_ALL - All alerts
5658+; S_MEMORY - All canary violations and the safe unlink protection use this class
5659+; S_VARS - All variable filters trigger this class
5660+; S_FILES - All violation of uploaded files filter use this class
5661+; S_INCLUDE - The protection against malicious include filenames use this class
5662+; S_SQL - Failed SQL queries in MySQL are logged with this class
5663+; S_EXECUTOR - The execution depth protection uses this logging class
5664+; S_MISC - All other log messages (f.e. format string protection) use this class
5665+;
5666+; Example:
5667+;
5668+; - Report all alerts (except memory alerts) to the SAPI errorlog,
5669+; memory alerts through syslog and SQL+Include alerts fo the script
5670+;
5671+;hphp.log.syslog = S_MEMORY
5672+;hphp.log.sapi = S_ALL & ~S_MEMORY
5673+;hphp.log.script = S_INCLUDE | S_SQL
5674+;
5675+; Syslog logging:
5676+;
5677+; - Facility configuration: one of the following facilities
5678+;
5679+; LOG_KERN, LOG_USER, LOG_MAIL, LOG_DAEMON
5680+; LOG_AUTH, LOG_SYSLOG, LOG_LPR, LOG_NEWS
5681+; LOG_UUCP, LOG_CRON, LOG_AUTHPRIV, LOG_LOCAL0
5682+; LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4
5683+; LOG_LOCAL5, LOG_LOCAL6, LOG_LOCAL7, LOG_PID
5684+; LOG_CONS, LOG_ODELAY, LOG_NDELAY, LOG_NOWAIT
5685+; LOG_PERROR
5686+;
5687+; - Priority configuration: one of the followinf priorities
5688+;
5689+; LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_WARNING
5690+; LOG_NOTICE, LOG_INFO, LOG_DEBUG, LOG_ERR
5691+;
5692+hphp.log.syslog.priority = LOG_ALERT
5693+hphp.log.syslog.facility = LOG_USER
5694+;
5695+; Script logging:
5696+;
5697+;hphp.log.script.name = /home/hphp/log_script
5698+;
5699+; Alert configuration:
5700+;
5701+; - Logged IP addresses from X-Forwarded-For instead of REMOTE_ADDR
5702+;
5703+;hphp.log.use-x-forwarded-for = On
5704+;
5705+
5706+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5707+; Hardening-Patch's Executor options ;
5708+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5709+
5710+; Execution depth limit
5711+;hphp.executor.max_depth = 8000
5712+
5713+; White-/blacklist for function calls during normal execution
5714+;hphp.executor.func.whitelist = ord,chr
5715+;hphp.executor.func.blacklist = system,shell_exec,popen,proc_open,exec,passthru
5716+
5717+; White-/blacklist for function calls during eval() execution
5718+;hphp.executor.eval.whitelist = ord,chr
5719+;hphp.executor.eval.blacklist = system,shell_exec,popen,proc_open,exec,passthru
5720+
5721+; White-/blacklist for URLs allowes in include filenames
5722+;
5723+; - When both options are not set all URLs are forbidden
5724+;
5725+; - When both options are set whitelist is taken and blacklist ignored
5726+;
5727+; - An entry in the lists is either a URL sheme like: http, https
5728+; or the beginning of an URL like: php://input
5729+;
5730+;hphp.executor.include.whitelist = cookietest
5731+;hphp.executor.include.blacklist = http, https, ftp, ftps, php://input, file
5732+
5733+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5734+; Hardening-Patch's REQUEST variable filters ;
5735+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5736+
5737+; Limits the number of REQUEST variables
5738+hphp.request.max_vars = 200
5739+
5740+; Limits the length of variable names (without indices)
5741+hphp.request.max_varname_length = 64
5742+
5743+; Limits the length of complete variable names (with indices)
5744+hphp.request.max_totalname_length = 256
5745+
5746+; Limits the length of array indices
5747+hphp.request.max_array_index_length = 64
5748+
5749+; Limits the depth of arrays
5750+hphp.request.max_array_depth = 100
5751+
5752+; Limits the length of variable values
5753+hphp.request.max_value_length = 65000
5754+
5755+; Disallow ASCII-NUL characters in input
5756+hphp.request.disallow_nul = 1
5757+
5758+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5759+; Hardening-Patch's COOKIE variable filters ;
5760+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5761+
5762+; Limits the number of COOKIE variables
5763+hphp.cookie.max_vars = 100
5764+
5765+; Limits the length of variable names (without indices)
5766+hphp.cookie.max_name_length = 64
5767+
5768+; Limits the length of complete variable names (with indices)
5769+hphp.cookie.max_totalname_length = 256
5770+
5771+; Limits the length of array indices
5772+hphp.cookie.max_array_index_length = 64
5773+
5774+; Limits the depth of arrays
5775+hphp.cookie.max_array_depth = 100
5776+
5777+; Limits the length of variable values
5778+hphp.cookie.max_value_length = 10000
5779+
5780+; Disallow ASCII-NUL characters in input
5781+hphp.cookie.disallow_nul = 1
5782+
5783+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5784+; Hardening-Patch's GET variable filters ;
5785+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5786+
5787+; Limits the number of COOKIE variables
5788+hphp.get.max_vars = 100
5789+
5790+; Limits the length of variable names (without indices)
5791+hphp.get.max_name_length = 64
5792+
5793+; Limits the length of complete variable names (with indices)
5794+hphp.get.max_totalname_length = 256
5795+
5796+; Limits the length of array indices
5797+hphp.get.max_array_index_length = 64
5798+
5799+; Limits the depth of arrays
5800+hphp.get.max_array_depth = 50
5801+
5802+; Limits the length of variable values
5803+hphp.get.max_value_length = 512
5804+
5805+; Disallow ASCII-NUL characters in input
5806+hphp.get.disallow_nul = 1
5807+
5808+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5809+; Hardening-Patch's POST variable filters ;
5810+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5811+
5812+; Limits the number of POST variables
5813+hphp.post.max_vars = 200
5814+
5815+; Limits the length of variable names (without indices)
5816+hphp.post.max_name_length = 64
5817+
5818+; Limits the length of complete variable names (with indices)
5819+hphp.post.max_totalname_length = 256
5820+
5821+; Limits the length of array indices
5822+hphp.post.max_array_index_length = 64
5823+
5824+; Limits the depth of arrays
5825+hphp.post.max_array_depth = 100
5826+
5827+; Limits the length of variable values
5828+hphp.post.max_value_length = 65000
5829+
5830+; Disallow ASCII-NUL characters in input
5831+hphp.post.disallow_nul = 1
5832+
5833+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5834+; Hardening-Patch's fileupload variable filters ;
5835+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5836+
5837+; Limits the number of uploadable files
5838+hphp.upload.max_uploads = 25
5839+
5840+; Filter out the upload of ELF executables
5841+hphp.upload.disallow_elf_files = On
5842+
5843+; External filterscript for upload verification
5844+;hphp.upload.verification_script = /home/hphp/verify_script
5845+
5846+
5847 ; Local Variables:
5848 ; tab-width: 4
5849 ; End:
5850diff -Nura php-4.4.2/README.input_filter hardening-patch-4.4.2-0.4.10/README.input_filter
5851--- php-4.4.2/README.input_filter 1970-01-01 01:00:00.000000000 +0100
5852+++ hardening-patch-4.4.2-0.4.10/README.input_filter 2006-05-11 10:36:02.000000000 +0200
5853@@ -0,0 +1,193 @@
5854+Input Filter Support ported from PHP 5
5855+--------------------------------------
5856+
5857+XSS (Cross Site Scripting) hacks are becoming more and more prevalent,
5858+and can be quite difficult to prevent. Whenever you accept user data
5859+and somehow display this data back to users, you are likely vulnerable
5860+to XSS hacks.
5861+
5862+The Input Filter support in PHP 5 is aimed at providing the framework
5863+through which a company-wide or site-wide security policy can be
5864+enforced. It is implemented as a SAPI hook and is called from the
5865+treat_data and post handler functions. To implement your own security
5866+policy you will need to write a standard PHP extension.
5867+
5868+A simple implementation might look like the following. This stores the
5869+original raw user data and adds a my_get_raw() function while the normal
5870+$_POST, $_GET and $_COOKIE arrays are only populated with stripped
5871+data. In this simple example all I am doing is calling strip_tags() on
5872+the data. If register_globals is turned on, the default globals that
5873+are created will be stripped ($foo) while a $RAW_foo is created with the
5874+original user input.
5875+
5876+ZEND_BEGIN_MODULE_GLOBALS(my_input_filter)
5877+ zval *post_array;
5878+ zval *get_array;
5879+ zval *cookie_array;
5880+ZEND_END_MODULE_GLOBALS(my_input_filter)
5881+
5882+#ifdef ZTS
5883+#define IF_G(v) TSRMG(my_input_filter_globals_id, zend_my_input_filter_globals *, v)
5884+#else
5885+#define IF_G(v) (my_input_filter_globals.v)
5886+#endif
5887+
5888+ZEND_DECLARE_MODULE_GLOBALS(my_input_filter)
5889+
5890+function_entry my_input_filter_functions[] = {
5891+ PHP_FE(my_get_raw, NULL)
5892+ {NULL, NULL, NULL}
5893+};
5894+
5895+zend_module_entry my_input_filter_module_entry = {
5896+ STANDARD_MODULE_HEADER,
5897+ "my_input_filter",
5898+ my_input_filter_functions,
5899+ PHP_MINIT(my_input_filter),
5900+ PHP_MSHUTDOWN(my_input_filter),
5901+ NULL,
5902+ PHP_RSHUTDOWN(my_input_filter),
5903+ PHP_MINFO(my_input_filter),
5904+ "0.1",
5905+ STANDARD_MODULE_PROPERTIES
5906+};
5907+
5908+PHP_MINIT_FUNCTION(my_input_filter)
5909+{
5910+ ZEND_INIT_MODULE_GLOBALS(my_input_filter, php_my_input_filter_init_globals, NULL);
5911+
5912+ REGISTER_LONG_CONSTANT("POST", PARSE_POST, CONST_CS | CONST_PERSISTENT);
5913+ REGISTER_LONG_CONSTANT("GET", PARSE_GET, CONST_CS | CONST_PERSISTENT);
5914+ REGISTER_LONG_CONSTANT("COOKIE", PARSE_COOKIE, CONST_CS | CONST_PERSISTENT);
5915+
5916+ sapi_register_input_filter(my_sapi_input_filter);
5917+ return SUCCESS;
5918+}
5919+
5920+PHP_RSHUTDOWN_FUNCTION(my_input_filter)
5921+{
5922+ if(IF_G(get_array)) {
5923+ zval_ptr_dtor(&IF_G(get_array));
5924+ IF_G(get_array) = NULL;
5925+ }
5926+ if(IF_G(post_array)) {
5927+ zval_ptr_dtor(&IF_G(post_array));
5928+ IF_G(post_array) = NULL;
5929+ }
5930+ if(IF_G(cookie_array)) {
5931+ zval_ptr_dtor(&IF_G(cookie_array));
5932+ IF_G(cookie_array) = NULL;
5933+ }
5934+ return SUCCESS;
5935+}
5936+
5937+PHP_MINFO_FUNCTION(my_input_filter)
5938+{
5939+ php_info_print_table_start();
5940+ php_info_print_table_row( 2, "My Input Filter Support", "enabled" );
5941+ php_info_print_table_row( 2, "Revision", "$Revision: 1.1 $");
5942+ php_info_print_table_end();
5943+}
5944+
5945+/* The filter handler. If you return 1 from it, then PHP also registers the
5946+ * (modified) variable. Returning 0 prevents PHP from registering the variable;
5947+ * you can use this if your filter already registers the variable under a
5948+ * different name, or if you just don't want the variable registered at all. */
5949+SAPI_INPUT_FILTER_FUNC(my_sapi_input_filter)
5950+{
5951+ zval new_var;
5952+ zval *array_ptr = NULL;
5953+ char *raw_var;
5954+ int var_len;
5955+
5956+ assert(*val != NULL);
5957+
5958+ switch(arg) {
5959+ case PARSE_GET:
5960+ if(!IF_G(get_array)) {
5961+ ALLOC_ZVAL(array_ptr);
5962+ array_init(array_ptr);
5963+ INIT_PZVAL(array_ptr);
5964+ }
5965+ IF_G(get_array) = array_ptr;
5966+ break;
5967+ case PARSE_POST:
5968+ if(!IF_G(post_array)) {
5969+ ALLOC_ZVAL(array_ptr);
5970+ array_init(array_ptr);
5971+ INIT_PZVAL(array_ptr);
5972+ }
5973+ IF_G(post_array) = array_ptr;
5974+ break;
5975+ case PARSE_COOKIE:
5976+ if(!IF_G(cookie_array)) {
5977+ ALLOC_ZVAL(array_ptr);
5978+ array_init(array_ptr);
5979+ INIT_PZVAL(array_ptr);
5980+ }
5981+ IF_G(cookie_array) = array_ptr;
5982+ break;
5983+ }
5984+ Z_STRLEN(new_var) = val_len;
5985+ Z_STRVAL(new_var) = estrndup(*val, val_len);
5986+ Z_TYPE(new_var) = IS_STRING;
5987+
5988+ var_len = strlen(var);
5989+ raw_var = emalloc(var_len+5); /* RAW_ and a \0 */
5990+ strcpy(raw_var, "RAW_");
5991+ strlcat(raw_var,var,var_len+5);
5992+
5993+ php_register_variable_ex(raw_var, &new_var, array_ptr TSRMLS_DC);
5994+
5995+ php_strip_tags(*val, val_len, NULL, NULL, 0);
5996+
5997+ *new_val_len = strlen(*val);
5998+ return 1;
5999+}
6000+
6001+PHP_FUNCTION(my_get_raw)
6002+{
6003+ long arg;
6004+ char *var;
6005+ int var_len;
6006+ zval **tmp;
6007+ zval *array_ptr = NULL;
6008+ HashTable *hash_ptr;
6009+ char *raw_var;
6010+
6011+ if(zend_parse_parameters(2 TSRMLS_CC, "ls", &arg, &var, &var_len) == FAILURE) {
6012+ return;
6013+ }
6014+
6015+ switch(arg) {
6016+ case PARSE_GET:
6017+ array_ptr = IF_G(get_array);
6018+ break;
6019+ case PARSE_POST:
6020+ array_ptr = IF_G(post_array);
6021+ break;
6022+ case PARSE_COOKIE:
6023+ array_ptr = IF_G(post_array);
6024+ break;
6025+ }
6026+
6027+ if(!array_ptr) RETURN_FALSE;
6028+
6029+ /*
6030+ * I'm changing the variable name here because when running with register_globals on,
6031+ * the variable will end up in the global symbol table
6032+ */
6033+ raw_var = emalloc(var_len+5); /* RAW_ and a \0 */
6034+ strcpy(raw_var, "RAW_");
6035+ strlcat(raw_var,var,var_len+5);
6036+ hash_ptr = HASH_OF(array_ptr);
6037+
6038+ if(zend_hash_find(hash_ptr, raw_var, var_len+5, (void **)&tmp) == SUCCESS) {
6039+ *return_value = **tmp;
6040+ zval_copy_ctor(return_value);
6041+ } else {
6042+ RETVAL_FALSE;
6043+ }
6044+ efree(raw_var);
6045+}
6046+
6047diff -Nura php-4.4.2/run-tests.php hardening-patch-4.4.2-0.4.10/run-tests.php
6048--- php-4.4.2/run-tests.php 2006-01-01 14:46:48.000000000 +0100
6049+++ hardening-patch-4.4.2-0.4.10/run-tests.php 2006-05-11 10:36:02.000000000 +0200
6050@@ -152,6 +152,10 @@
6051 'error_reporting=2047',
6052 'display_errors=1',
6053 'log_errors=0',
6054+ 'hphp.executor.include.whitelist=cookietest',
6055+ 'hphp.log.syslog=0',
6056+ 'hphp.log.sapi=0',
6057+ 'hphp.log.script=0',
6058 'html_errors=0',
6059 'track_errors=1',
6060 'report_memleaks=1',
6061diff -Nura php-4.4.2/sapi/apache/mod_php4.c hardening-patch-4.4.2-0.4.10/sapi/apache/mod_php4.c
6062--- php-4.4.2/sapi/apache/mod_php4.c 2006-01-01 14:47:01.000000000 +0100
6063+++ hardening-patch-4.4.2-0.4.10/sapi/apache/mod_php4.c 2006-05-11 10:36:02.000000000 +0200
6064@@ -452,7 +452,7 @@
6065 sapi_apache_get_fd,
6066 sapi_apache_force_http_10,
6067 sapi_apache_get_target_uid,
6068- sapi_apache_get_target_gid
6069+ sapi_apache_get_target_gid,
6070 };
6071 /* }}} */
6072
6073@@ -898,7 +898,11 @@
6074 {
6075 TSRMLS_FETCH();
6076 if (PG(expose_php)) {
6077+#if HARDENING_PATCH
6078+ ap_add_version_component("PHP/" PHP_VERSION " with Hardening-Patch");
6079+#else
6080 ap_add_version_component("PHP/" PHP_VERSION);
6081+#endif
6082 }
6083 }
6084 #endif
6085diff -Nura php-4.4.2/sapi/apache2filter/sapi_apache2.c hardening-patch-4.4.2-0.4.10/sapi/apache2filter/sapi_apache2.c
6086--- php-4.4.2/sapi/apache2filter/sapi_apache2.c 2006-01-01 14:47:01.000000000 +0100
6087+++ hardening-patch-4.4.2-0.4.10/sapi/apache2filter/sapi_apache2.c 2006-05-11 10:36:02.000000000 +0200
6088@@ -562,7 +562,11 @@
6089 {
6090 TSRMLS_FETCH();
6091 if (PG(expose_php)) {
6092+#if HARDENING_PATCH
6093+ ap_add_version_component(p, "PHP/" PHP_VERSION " with Hardening-Patch");
6094+#else
6095 ap_add_version_component(p, "PHP/" PHP_VERSION);
6096+#endif
6097 }
6098 }
6099
6100diff -Nura php-4.4.2/sapi/apache2handler/sapi_apache2.c hardening-patch-4.4.2-0.4.10/sapi/apache2handler/sapi_apache2.c
6101--- php-4.4.2/sapi/apache2handler/sapi_apache2.c 2006-01-01 14:47:01.000000000 +0100
6102+++ hardening-patch-4.4.2-0.4.10/sapi/apache2handler/sapi_apache2.c 2006-05-11 10:36:02.000000000 +0200
6103@@ -340,7 +340,11 @@
6104 {
6105 TSRMLS_FETCH();
6106 if (PG(expose_php)) {
6107+#if HARDENING_PATCH
6108+ ap_add_version_component(p, "PHP/" PHP_VERSION " with Hardening-Patch");
6109+#else
6110 ap_add_version_component(p, "PHP/" PHP_VERSION);
6111+#endif
6112 }
6113 }
6114
6115diff -Nura php-4.4.2/sapi/cgi/cgi_main.c hardening-patch-4.4.2-0.4.10/sapi/cgi/cgi_main.c
6116--- php-4.4.2/sapi/cgi/cgi_main.c 2006-01-01 14:47:01.000000000 +0100
6117+++ hardening-patch-4.4.2-0.4.10/sapi/cgi/cgi_main.c 2006-05-11 10:36:02.000000000 +0200
6118@@ -1432,11 +1432,19 @@
6119 SG(headers_sent) = 1;
6120 SG(request_info).no_headers = 1;
6121 }
6122+#if HARDENING_PATCH
6123+#if ZEND_DEBUG
6124+ php_printf("PHP %s with Hardening-Patch %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENING_PATCH_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
6125+#else
6126+ php_printf("PHP %s with Hardening-Patch %s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENING_PATCH_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
6127+#endif
6128+#else
6129 #if ZEND_DEBUG
6130 php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2006 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
6131 #else
6132 php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2006 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
6133 #endif
6134+#endif
6135 php_end_ob_buffers(1 TSRMLS_CC);
6136 exit(0);
6137 break;
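Review bot: The hardened banner prints `Copyright (c) 1997-2004 The PHP Group` while the unpatched branch directly below prints `1997-2006`, so the year regresses whenever HARDENING_PATCH is on; the php_cli.c hunk further down carries the same stale string. Rather than four near-identical format strings, one string with a conditional suffix would keep the version line, the year and the DEBUG marker in a single place. The enclosing switch case continues outside the hunk.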
6138diff -Nura php-4.4.2/sapi/cli/php_cli.c hardening-patch-4.4.2-0.4.10/sapi/cli/php_cli.c
6139--- php-4.4.2/sapi/cli/php_cli.c 2006-01-01 14:47:01.000000000 +0100
6140+++ hardening-patch-4.4.2-0.4.10/sapi/cli/php_cli.c 2006-05-11 10:36:02.000000000 +0200
6141@@ -654,11 +654,19 @@
6142 if (php_request_startup(TSRMLS_C)==FAILURE) {
6143 goto err;
6144 }
6145+#if HARDENING_PATCH
6146+#if ZEND_DEBUG
6147+ php_printf("PHP %s with Hardening-Patch %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENING_PATCH_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
6148+#else
6149+ php_printf("PHP %s with Hardening-Patch %s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENING_PATCH_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
6150+#endif
6151+#else
6152 #if ZEND_DEBUG
6153 php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2006 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
6154 #else
6155 php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2006 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
6156 #endif
6157+#endif
6158 php_end_ob_buffers(1 TSRMLS_CC);
6159 exit_status=0;
6160 goto out;
6161diff -Nura php-4.4.2/TSRM/TSRM.h hardening-patch-4.4.2-0.4.10/TSRM/TSRM.h
6162--- php-4.4.2/TSRM/TSRM.h 2005-07-26 15:34:52.000000000 +0200
6163+++ hardening-patch-4.4.2-0.4.10/TSRM/TSRM.h 2006-05-11 10:36:02.000000000 +0200
6164@@ -33,6 +33,13 @@
6165 # define TSRM_API
6166 #endif
6167
6168+#if HARDENING_PATCH
6169+# if HAVE_REALPATH
6170+# undef realpath
6171+# define realpath php_realpath
6172+# endif
6173+#endif
6174+
6175 /* Only compile multi-threading functions if we're in ZTS mode */
6176 #ifdef ZTS
6177
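Review bot: `#define realpath php_realpath` is placed in a header that every translation unit includes, so it also rewrites the identifier in any system header or extension source included after TSRM.h; a later `<stdlib.h>` declaration of `realpath` would then become a declaration of php_realpath and, if its prototype or attributes differ, conflict with the real one. A comment stating this intent and the include-order requirement would help, e.g. `/* Route all realpath() callers to php_realpath(); must precede any header that declares realpath */`. It is not visible here where php_realpath is declared relative to this macro, so confirm the prototype is in scope before the first use.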
6178@@ -84,6 +91,7 @@
6179
6180 #define THREAD_HASH_OF(thr,ts) (unsigned long)thr%(unsigned long)ts
6181
6182+
6183 #ifdef __cplusplus
6184 extern "C" {
6185 #endif
6186diff -Nura php-4.4.2/TSRM/tsrm_virtual_cwd.c hardening-patch-4.4.2-0.4.10/TSRM/tsrm_virtual_cwd.c
6187--- php-4.4.2/TSRM/tsrm_virtual_cwd.c 2006-01-01 14:46:48.000000000 +0100
6188+++ hardening-patch-4.4.2-0.4.10/TSRM/tsrm_virtual_cwd.c 2006-05-11 10:36:02.000000000 +0200
6189@@ -179,6 +179,165 @@
6190 return p;
6191 }
6192
6193+#if HARDENING_PATCH
6194+CWD_API char *php_realpath(const char *path, char *resolved)
6195+{
6196+ struct stat sb;
6197+ char *p, *q, *s;
6198+ size_t left_len, resolved_len;
6199+ unsigned symlinks;
6200+ int serrno, slen;
6201+ int is_dir = 1;
6202+ char left[PATH_MAX], next_token[PATH_MAX], symlink[PATH_MAX];
6203+
6204+ serrno = errno;
6205+ symlinks = 0;
6206+ if (path[0] == '/') {
6207+ resolved[0] = '/';
6208+ resolved[1] = '\0';
6209+ if (path[1] == '\0')
6210+ return (resolved);
6211+ resolved_len = 1;
6212+ left_len = strlcpy(left, path + 1, sizeof(left));
6213+ } else {
6214+ if (getcwd(resolved, PATH_MAX) == NULL) {
6215+ strlcpy(resolved, ".", PATH_MAX);
6216+ return (NULL);
6217+ }
6218+ resolved_len = strlen(resolved);
6219+ left_len = strlcpy(left, path, sizeof(left));
6220+ }
6221+ if (left_len >= sizeof(left) || resolved_len >= PATH_MAX) {
6222+ errno = ENAMETOOLONG;
6223+ return (NULL);
6224+ }
6225+
6226+ /*
6227+ * Iterate over path components in `left'.
6228+ */
6229+ while (left_len != 0) {
6230+ /*
6231+ * Extract the next path component and adjust `left'
6232+ * and its length.
6233+ */
6234+ p = strchr(left, '/');
6235+ s = p ? p : left + left_len;
6236+ if (s - left >= sizeof(next_token)) {
6237+ errno = ENAMETOOLONG;
6238+ return (NULL);
6239+ }
6240+ memcpy(next_token, left, s - left);
6241+ next_token[s - left] = '\0';
6242+ left_len -= s - left;
6243+ if (p != NULL)
6244+ memmove(left, s + 1, left_len + 1);
6245+ if (resolved[resolved_len - 1] != '/') {
6246+ if (resolved_len + 1 >= PATH_MAX) {
6247+ errno = ENAMETOOLONG;
6248+ return (NULL);
6249+ }
6250+ resolved[resolved_len++] = '/';
6251+ resolved[resolved_len] = '\0';
6252+ }
6253+ if (next_token[0] == '\0')
6254+ continue;
6255+ else if (strcmp(next_token, ".") == 0)
6256+ continue;
6257+ else if (strcmp(next_token, "..") == 0) {
6258+ /*
6259+ * Strip the last path component except when we have
6260+ * single "/"
6261+ */
6262+ if (!is_dir) {
6263+ errno = ENOENT;
6264+ return (NULL);
6265+ }
6266+ if (resolved_len > 1) {
6267+ resolved[resolved_len - 1] = '\0';
6268+ q = strrchr(resolved, '/');
6269+ *q = '\0';
6270+ resolved_len = q - resolved;
6271+ }
6272+ continue;
6273+ }
6274+
6275+ /*
6276+ * Append the next path component and lstat() it. If
6277+ * lstat() fails we still can return successfully if
6278+ * there are no more path components left.
6279+ */
6280+ resolved_len = strlcat(resolved, next_token, PATH_MAX);
6281+ if (resolved_len >= PATH_MAX) {
6282+ errno = ENAMETOOLONG;
6283+ return (NULL);
6284+ }
6285+ if (lstat(resolved, &sb) != 0) {
6286+ if (errno == ENOENT && p == NULL) {
6287+ errno = serrno;
6288+ return (resolved);
6289+ }
6290+ return (NULL);
6291+ }
6292+ if (S_ISLNK(sb.st_mode)) {
6293+ if (symlinks++ > MAXSYMLINKS) {
6294+ errno = ELOOP;
6295+ return (NULL);
6296+ }
6297+ slen = readlink(resolved, symlink, sizeof(symlink) - 1);
6298+ if (slen < 0)
6299+ return (NULL);
6300+ symlink[slen] = '\0';
6301+ if (symlink[0] == '/') {
6302+ resolved[1] = 0;
6303+ resolved_len = 1;
6304+ } else if (resolved_len > 1) {
6305+ /* Strip the last path component. */
6306+ resolved[resolved_len - 1] = '\0';
6307+ q = strrchr(resolved, '/');
6308+ *q = '\0';
6309+ resolved_len = q - resolved;
6310+ }
6311+
6312+ /*
6313+ * If there are any path components left, then
6314+ * append them to symlink. The result is placed
6315+ * in `left'.
6316+ */
6317+ if (p != NULL) {
6318+ if (symlink[slen - 1] != '/') {
6319+ if (slen + 1 >= sizeof(symlink)) {
6320+ errno = ENAMETOOLONG;
6321+ return (NULL);
6322+ }
6323+ symlink[slen] = '/';
6324+ symlink[slen + 1] = 0;
6325+ }
6326+ left_len = strlcat(symlink, left, sizeof(left));
6327+ if (left_len >= sizeof(left)) {
6328+ errno = ENAMETOOLONG;
6329+ return (NULL);
6330+ }
6331+ }
6332+ left_len = strlcpy(left, symlink, sizeof(left));
6333+ } else {
6334+ if (S_ISDIR(sb.st_mode)) {
6335+ is_dir = 1;
6336+ } else {
6337+ is_dir = 0;
6338+ }
6339+ }
6340+ }
6341+
6342+ /*
6343+ * Remove trailing slash except when the resolved pathname
6344+ * is a single "/".
6345+ */
6346+ if (resolved_len > 1 && resolved[resolved_len - 1] == '/')
6347+ resolved[resolved_len - 1] = '\0';
6348+ return (resolved);
6349+}
6350+#endif
6351+
6352 CWD_API void virtual_cwd_startup(void)
6353 {
6354 char cwd[MAXPATHLEN];
6355@@ -300,8 +459,11 @@
6356
6357 if (path_length == 0)
6358 return (0);
6359- if (path_length >= MAXPATHLEN)
6360+ if (path_length >= MAXPATHLEN) {
6361+ state->cwd[0] = 0;
6362+ state->cwd_length = 0;
6363 return (1);
6364+ }
6365
6366 #if !defined(TSRM_WIN32) && !defined(NETWARE)
6367 /* cwd_length can be 0 when getcwd() fails.
6368@@ -313,8 +475,9 @@
6369 path = resolved_path;
6370 path_length = strlen(path);
6371 } else {
6372- /* disable for now
6373- return 1; */
6374+ state->cwd[0] = 0;
6375+ state->cwd_length = 0;
6376+ return 1;
6377 }
6378 }
6379 } else { /* Concat current directory with relative path and then run realpath() on it */
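Review bot: The new failure branches zero `state->cwd` and `state->cwd_length` before every `return 1`, which silently changes the contract for callers that pass a live state in: a virtual_chdir() to a path realpath() cannot resolve would, if it hands `&CWDG(cwd)` straight to this function as stock PHP 4 does, leave the process's virtual cwd empty instead of unchanged. If the wipe is deliberate so that callers which ignore the return value (expand_filepath-style users) can never fall back to the unresolved path, that deserves a comment at the function head, e.g. `/* On failure state->cwd is emptied on purpose: an unresolvable path must never be used as-is by a caller that ignores the return value (open_basedir/safe_mode checks depend on this). */`. The enclosing function begins and ends outside this hunk, so I cannot see whether its callers copy the state first.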
6380@@ -323,6 +486,8 @@
6381
6382 ptr = tmp = (char *) malloc(state->cwd_length+path_length+sizeof("/"));
6383 if (!tmp) {
6384+ state->cwd[0] = 0;
6385+ state->cwd_length = 0;
6386 return 1;
6387 }
6388 memcpy(ptr, state->cwd, state->cwd_length);
6389@@ -332,6 +497,8 @@
6390 ptr += path_length;
6391 *ptr = '\0';
6392 if (strlen(tmp) >= MAXPATHLEN) {
6393+ state->cwd[0] = 0;
6394+ state->cwd_length = 0;
6395 free(tmp);
6396 return 1;
6397 }
6398@@ -340,9 +507,10 @@
6399 path = resolved_path;
6400 path_length = strlen(path);
6401 } else {
6402- /* disable for now
6403+ state->cwd[0] = 0;
6404+ state->cwd_length = 0;
6405 free(tmp);
6406- return 1; */
6407+ return 1;
6408 }
6409 }
6410 free(tmp);
6411diff -Nura php-4.4.2/TSRM/tsrm_virtual_cwd.h hardening-patch-4.4.2-0.4.10/TSRM/tsrm_virtual_cwd.h
6412--- php-4.4.2/TSRM/tsrm_virtual_cwd.h 2006-01-01 14:46:49.000000000 +0100
6413+++ hardening-patch-4.4.2-0.4.10/TSRM/tsrm_virtual_cwd.h 2006-05-11 10:36:02.000000000 +0200
6414@@ -128,6 +128,22 @@
6415
6416 typedef int (*verify_path_func)(const cwd_state *);
6417
6418+#ifndef HAVE_STRLCPY
6419+CWD_API size_t php_strlcpy(char *dst, const char *src, size_t siz);
6420+#undef strlcpy
6421+#define strlcpy php_strlcpy
6422+#endif
6423+
6424+#ifndef HAVE_STRLCAT
6425+CWD_API size_t php_strlcat(char *dst, const char *src, size_t siz);
6426+#undef strlcat
6427+#define strlcat php_strlcat
6428+#endif
6429+
6430+
6431+#if HARDENING_PATCH
6432+CWD_API char *php_realpath(const char *path, char *resolved);
6433+#endif
6434 CWD_API void virtual_cwd_startup(void);
6435 CWD_API void virtual_cwd_shutdown(void);
6436 CWD_API char *virtual_getcwd_ex(size_t *length TSRMLS_DC);
6437diff -Nura php-4.4.2/Zend/zend_alloc.c hardening-patch-4.4.2-0.4.10/Zend/zend_alloc.c
6438--- php-4.4.2/Zend/zend_alloc.c 2006-01-01 14:46:49.000000000 +0100
6439+++ hardening-patch-4.4.2-0.4.10/Zend/zend_alloc.c 2006-05-11 10:36:02.000000000 +0200
6440@@ -56,6 +56,11 @@
6441 # define END_MAGIC_SIZE 0
6442 #endif
6443
6444+#if HARDENING_PATCH_MM_PROTECT
6445+# define CANARY_SIZE sizeof(unsigned int)
6446+#else
6447+# define CANARY_SIZE 0
6448+#endif
6449
6450 # if MEMORY_LIMIT
6451 # if ZEND_DEBUG
6452@@ -96,9 +101,17 @@
6453 if (p==AG(head)) { \
6454 AG(head) = p->pNext; \
6455 } else { \
6456+ if (p != p->pLast->pNext) { \
6457+ zend_security_log(S_MEMORY, "linked list corrupt on efree() - heap corruption detected"); \
6458+ exit(1); \
6459+ } \
6460 p->pLast->pNext = p->pNext; \
6461 } \
6462 if (p->pNext) { \
6463+ if (p != p->pNext->pLast) { \
6464+ zend_security_log(S_MEMORY, "linked list corrupt on efree() - heap corruption detected"); \
6465+ exit(1); \
6466+ } \
6467 p->pNext->pLast = p->pLast; \
6468 }
6469
6470@@ -130,6 +143,12 @@
6471 DECLARE_CACHE_VARS();
6472 TSRMLS_FETCH();
6473
6474+#if HARDENING_PATCH_MM_PROTECT
6475+ if (size > LONG_MAX - sizeof(zend_mem_header) - MEM_HEADER_PADDING - END_MAGIC_SIZE - CANARY_SIZE) {
6476+ zend_security_log(S_MEMORY, "emalloc() - requested size would result in integer overflow");
6477+ exit(1);
6478+ }
6479+#endif
6480 CALCULATE_REAL_SIZE_AND_CACHE_INDEX(size);
6481
6482 if (!ZEND_DISABLE_MEMORY_CACHE && (CACHE_INDEX < MAX_CACHED_MEMORY) && (AG(cache_count)[CACHE_INDEX] > 0)) {
6483@@ -147,6 +166,10 @@
6484 AG(cache_stats)[CACHE_INDEX][1]++;
6485 memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
6486 #endif
6487+#if HARDENING_PATCH_MM_PROTECT
6488+ p->canary = HG(canary_1);
6489+ memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
6490+#endif
6491 p->cached = 0;
6492 p->size = size;
6493 return (void *)((char *)p + sizeof(zend_mem_header) + MEM_HEADER_PADDING);
6494@@ -162,7 +185,7 @@
6495 AG(allocated_memory_peak) = AG(allocated_memory);
6496 }
6497 #endif
6498- p = (zend_mem_header *) ZEND_DO_MALLOC(sizeof(zend_mem_header) + MEM_HEADER_PADDING + SIZE + END_MAGIC_SIZE);
6499+ p = (zend_mem_header *) ZEND_DO_MALLOC(sizeof(zend_mem_header) + MEM_HEADER_PADDING + SIZE + END_MAGIC_SIZE + CANARY_SIZE);
6500 }
6501
6502 HANDLE_BLOCK_INTERRUPTIONS();
6503@@ -192,7 +215,10 @@
6504 # endif
6505 memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
6506 #endif
6507-
6508+#if HARDENING_PATCH_MM_PROTECT
6509+ p->canary = HG(canary_1);
6510+ memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
6511+#endif
6512 HANDLE_UNBLOCK_INTERRUPTIONS();
6513 return (void *)((char *)p + sizeof(zend_mem_header) + MEM_HEADER_PADDING);
6514 }
6515@@ -219,17 +245,36 @@
6516 return emalloc_rel(lval + offset);
6517 }
6518 }
6519-
6520+
6521+#if HARDENING_PATCH
6522+ zend_security_log(S_MEMORY, "Possible integer overflow catched by safe_emalloc()");
6523+#endif
6524 zend_error(E_ERROR, "Possible integer overflow in memory allocation (%ld * %ld + %ld)", nmemb, size, offset);
6525 return 0;
6526 }
6527
6528 ZEND_API void _efree(void *ptr ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
6529 {
6530+#if HARDENING_PATCH_MM_PROTECT
6531+ unsigned int canary_2;
6532+#endif
6533 zend_mem_header *p = (zend_mem_header *) ((char *)ptr - sizeof(zend_mem_header) - MEM_HEADER_PADDING);
6534 DECLARE_CACHE_VARS();
6535 TSRMLS_FETCH();
6536
6537+#if HARDENING_PATCH_MM_PROTECT
6538+ if (p->canary != HG(canary_1)) goto efree_canary_mismatch;
6539+ memcpy(&canary_2, (((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE), CANARY_SIZE);
6540+ if (canary_2 != HG(canary_2)) {
6541+efree_canary_mismatch:
6542+ zend_security_log(S_MEMORY, "canary mismatch on efree() - heap overflow or double efree detected");
6543+ exit(1);
6544+ }
6545+ /* to catch double efree()s */
6546+ memset((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE), 0, CANARY_SIZE);
6547+ p->canary = 0;
6548+#endif
6549+
6550 #if defined(ZTS) && TSRM_DEBUG
6551 if (p->thread_id != tsrm_thread_id()) {
6552 tsrm_error(TSRM_ERROR_LEVEL_ERROR, "Memory block allocated at %s:(%d) on thread %x freed at %s:(%d) on thread %x, ignoring",
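Review bot: On a canary mismatch _efree() calls `exit(1)`, which runs atexit() handlers and stdio flushing on a heap that was just proven corrupt and, in a threaded SAPI, takes every in-flight request down with it; `abort()` after the zend_security_log() call is the usual choice and also yields a core dump for forensics, so change `exit(1);` to `abort();` on the mismatch path. The trailing-canary read is located through `p->size`, a header field that an overflow from the preceding block can have rewritten, so a smashed size can fault inside the memcpy before anything is logged; the header-canary check that precedes it only covers the first field of the header. The "catched" in the safe_emalloc() message should read "caught". _efree() continues outside this hunk.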
6553@@ -274,6 +319,9 @@
6554 size_t _size = nmemb * size;
6555
6556 if (nmemb && (_size/nmemb!=size)) {
6557+#if HARDENING_PATCH
6558+ zend_security_log(S_MEMORY, "Possible integer overflow catched by ecalloc()");
6559+#endif
6560 fprintf(stderr,"FATAL: ecalloc(): Unable to allocate %ld * %ld bytes\n", (long) nmemb, (long) size);
6561 #if ZEND_DEBUG && HAVE_KILL && HAVE_GETPID
6562 kill(getpid(), SIGSEGV);
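Review bot: The new log string reads `"Possible integer overflow catched by ecalloc()"`; since this text is what lands in syslog and what operators will grep for, make it `"Possible integer overflow caught by ecalloc()"` (the safe_emalloc() message a few hunks up has the same typo). The log call is correctly placed before the fprintf/kill path that follows, so nothing else changes here.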
6563@@ -293,6 +341,9 @@
6564
6565 ZEND_API void *_erealloc(void *ptr, size_t size, int allow_failure ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
6566 {
6567+#if HARDENING_PATCH_MM_PROTECT
6568+ unsigned int canary_2;
6569+#endif
6570 zend_mem_header *p;
6571 zend_mem_header *orig;
6572 DECLARE_CACHE_VARS();
6573@@ -304,6 +355,16 @@
6574
6575 p = orig = (zend_mem_header *) ((char *)ptr-sizeof(zend_mem_header)-MEM_HEADER_PADDING);
6576
6577+#if HARDENING_PATCH_MM_PROTECT
6578+ if (p->canary != HG(canary_1)) goto erealloc_canary_mismatch;
6579+ memcpy(&canary_2, (((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE), CANARY_SIZE);
6580+ if (canary_2 != HG(canary_2)) {
6581+erealloc_canary_mismatch:
6582+ zend_security_log(S_MEMORY, "canary mismatch on erealloc() - heap overflow detected");
6583+ exit(1);
6584+ }
6585+#endif
6586+
6587 #if defined(ZTS) && TSRM_DEBUG
6588 if (p->thread_id != tsrm_thread_id()) {
6589 void *new_p;
6590@@ -327,7 +388,7 @@
6591 }
6592 #endif
6593 REMOVE_POINTER_FROM_LIST(p);
6594- p = (zend_mem_header *) ZEND_DO_REALLOC(p, sizeof(zend_mem_header)+MEM_HEADER_PADDING+SIZE+END_MAGIC_SIZE);
6595+ p = (zend_mem_header *) ZEND_DO_REALLOC(p, sizeof(zend_mem_header)+MEM_HEADER_PADDING+SIZE+END_MAGIC_SIZE+CANARY_SIZE);
6596 if (!p) {
6597 if (!allow_failure) {
6598 fprintf(stderr,"FATAL: erealloc(): Unable to allocate %ld bytes\n", (long) size);
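Review bot: The widened request `sizeof(zend_mem_header)+MEM_HEADER_PADDING+SIZE+END_MAGIC_SIZE+CANARY_SIZE` gets no counterpart of the overflow guard this patch adds to _emalloc(), so a `size` near the top of the address space can wrap the sum to a small value and realloc() a block shorter than the `p->size` that the canary and copy logic will later trust. Unless it sits in the unchanged lines 299–303 that the hunks skip, _erealloc() needs the same check before the size is rounded: `if (size > LONG_MAX - sizeof(zend_mem_header) - MEM_HEADER_PADDING - END_MAGIC_SIZE - CANARY_SIZE) { zend_security_log(S_MEMORY, "erealloc() - requested size would result in integer overflow"); exit(1); }`. The function starts outside this hunk.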
6599@@ -349,6 +410,9 @@
6600 memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
6601 #endif
6602
6603+#if HARDENING_PATCH_MM_PROTECT
6604+ memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
6605+#endif
6606 p->size = size;
6607
6608 HANDLE_UNBLOCK_INTERRUPTIONS();
6609@@ -423,6 +487,10 @@
6610 {
6611 AG(head) = NULL;
6612
6613+#if HARDENING_PATCH_MM_PROTECT
6614+ HG(canary_1) = zend_canary();
6615+ HG(canary_2) = zend_canary();
6616+#endif
6617 #if MEMORY_LIMIT
6618 AG(memory_limit) = 1<<30; /* ridiculous limit, effectively no limit */
6619 AG(allocated_memory) = 0;
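Review bot: `HG(canary_1)` and `HG(canary_2)` are drawn once in the alloc-globals constructor, which in a non-ZTS prefork SAPI runs in the parent before it forks, so every worker child inherits the same two values for the lifetime of the server and a canary disclosed from one child (through any read-past-end bug) defeats the check in all of them. Consider re-drawing both from the SAPI's child-init or request-startup hook, and at minimum record the limitation here: `/* NOTE: canaries are process-wide and inherited across fork(); re-seed them in the SAPI child-init hook. */`. Whether this constructor really runs pre-fork depends on the SAPI, which is outside this chunk.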
6620diff -Nura php-4.4.2/Zend/zend_alloc.h hardening-patch-4.4.2-0.4.10/Zend/zend_alloc.h
6621--- php-4.4.2/Zend/zend_alloc.h 2006-01-01 14:46:49.000000000 +0100
6622+++ hardening-patch-4.4.2-0.4.10/Zend/zend_alloc.h 2006-05-11 10:36:02.000000000 +0200
6623@@ -32,6 +32,9 @@
6624 #define MEM_BLOCK_CACHED_MAGIC 0xFB8277DCL
6625
6626 typedef struct _zend_mem_header {
6627+#if HARDENING_PATCH_MM_PROTECT
6628+ unsigned int canary;
6629+#endif
6630 #if ZEND_DEBUG
6631 long magic;
6632 char *filename;
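Review bot: Inserting `canary` as the first member shifts every other offset in zend_mem_header, so any binary built against unpatched headers that walks the block list (a debugging extension, or a ZTS SAPI that reads `thread_id`) reads the wrong fields; unless there is a reason the canary must precede `magic`, appending it as the last member keeps the existing layout for such consumers. Either way the layout change should be stated where it is made: `/* HARDENING_PATCH: changes zend_mem_header layout relative to stock PHP 4.4; rebuild anything that inspects the header. */`. I cannot see from this hunk whether anything outside zend_alloc.c touches the header.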
6633diff -Nura php-4.4.2/Zend/zend_builtin_functions.c hardening-patch-4.4.2-0.4.10/Zend/zend_builtin_functions.c
6634--- php-4.4.2/Zend/zend_builtin_functions.c 2006-01-01 14:46:49.000000000 +0100
6635+++ hardening-patch-4.4.2-0.4.10/Zend/zend_builtin_functions.c 2006-05-11 10:36:02.000000000 +0200
6636@@ -49,6 +49,9 @@
6637 static ZEND_FUNCTION(crash);
6638 #endif
6639 #endif
6640+#if HARDENING_PATCH_MM_PROTECT_DEBUG
6641+static ZEND_FUNCTION(heap_overflow);
6642+#endif
6643 static ZEND_FUNCTION(get_included_files);
6644 static ZEND_FUNCTION(is_subclass_of);
6645 static ZEND_FUNCTION(is_a);
6646@@ -101,6 +104,9 @@
6647 ZEND_FE(crash, NULL)
6648 #endif
6649 #endif
6650+#if HARDENING_PATCH_MM_PROTECT_DEBUG
6651+ ZEND_FE(heap_overflow, NULL)
6652+#endif
6653 ZEND_FE(get_included_files, NULL)
6654 ZEND_FALIAS(get_required_files, get_included_files, NULL)
6655 ZEND_FE(is_subclass_of, NULL)
6656@@ -805,6 +811,19 @@
6657
6658 #endif /* ZEND_DEBUG */
6659
6660+
6661+#if HARDENING_PATCH_MM_PROTECT_DEBUG
6662+ZEND_FUNCTION(heap_overflow)
6663+{
6664+ char *nowhere = emalloc(10);
6665+
6666+ memcpy(nowhere, "something1234567890", sizeof("something1234567890"));
6667+
6668+ efree(nowhere);
6669+}
6670+#endif
6671+
6672+
6673 /* {{{ proto array get_included_files(void)
6674 Returns an array with the file names that were include_once()'d */
6675 ZEND_FUNCTION(get_included_files)
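Review bot: heap_overflow() carries no comment saying that the 20-byte memcpy into a 10-byte emalloc() is intentional and that the function exists only to prove the trailing-canary check in efree() fires; add `/* Debug-only self-test: deliberately overruns a 10-byte block by 10 bytes so efree()'s canary check must log and terminate. Never build with HARDENING_PATCH_MM_PROTECT_DEBUG on a production server - any script can call this to kill the worker. */` above it. Because the overrun runs past the end magic and the 4-byte canary into whatever the system allocator placed next, the process may die inside the allocator before efree() is reached on some builds, which is acceptable for a self-test but worth stating.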
6676diff -Nura php-4.4.2/Zend/zend.c hardening-patch-4.4.2-0.4.10/Zend/zend.c
6677--- php-4.4.2/Zend/zend.c 2006-01-01 14:46:49.000000000 +0100
6678+++ hardening-patch-4.4.2-0.4.10/Zend/zend.c 2006-05-11 10:36:02.000000000 +0200
6679@@ -53,6 +53,12 @@
6680 ZEND_API void (*zend_unblock_interruptions)(void);
6681 ZEND_API void (*zend_ticks_function)(int ticks);
6682 ZEND_API void (*zend_error_cb)(int type, const char *error_filename, const uint error_lineno, const char *format, va_list args);
6683+#if HARDENING_PATCH
6684+ZEND_API void (*zend_security_log)(int loglevel, char *fmt, ...);
6685+#endif
6686+#if HARDENING_PATCH_INC_PROTECT
6687+ZEND_API int (*zend_is_valid_include)(zval *z);
6688+#endif
6689
6690 void (*zend_on_timeout)(int seconds TSRMLS_DC);
6691
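Review bot: `zend_security_log` is declared as a printf-style pointer `(int loglevel, char *fmt, ...)` with no format attribute, so the compiler cannot catch a call site that passes attacker-influenced text (a filename, variable name or SQL fragment) as `fmt` rather than as an argument - in a security logger that is a format-string bug waiting to happen. If this tree's zend.h provides ZEND_ATTRIBUTE_FORMAT, declare it as `ZEND_API void (*zend_security_log)(int loglevel, const char *fmt, ...) ZEND_ATTRIBUTE_FORMAT(printf, 2, 3);` and have every implementation route dynamic data through `"%s"`. The calls visible in this patch all pass string literals, so this hardens the contract rather than fixes a bug I can point at.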
6692@@ -70,9 +76,390 @@
6693 return SUCCESS;
6694 }
6695
6696+#if HARDENING_PATCH
6697+static ZEND_INI_MH(OnUpdateHPHP_log_syslog)
6698+{
6699+ if (!new_value) {
6700+ EG(hphp_log_syslog) = S_ALL & ~S_SQL | S_MEMORY | S_INTERNAL;
6701+ } else {
6702+ EG(hphp_log_syslog) = atoi(new_value) | S_MEMORY | S_INTERNAL;
6703+ }
6704+ return SUCCESS;
6705+}
6706+static ZEND_INI_MH(OnUpdateHPHP_log_syslog_facility)
6707+{
6708+ if (!new_value) {
6709+ EG(hphp_log_syslog_facility) = LOG_USER;
6710+ } else {
6711+ EG(hphp_log_syslog_facility) = atoi(new_value);
6712+ }
6713+ return SUCCESS;
6714+}
6715+static ZEND_INI_MH(OnUpdateHPHP_log_syslog_priority)
6716+{
6717+ if (!new_value) {
6718+ EG(hphp_log_syslog_priority) = LOG_ALERT;
6719+ } else {
6720+ EG(hphp_log_syslog_priority) = atoi(new_value);
6721+ }
6722+ return SUCCESS;
6723+}
6724+static ZEND_INI_MH(OnUpdateHPHP_log_sapi)
6725+{
6726+ if (!new_value) {
6727+ EG(hphp_log_sapi) = S_ALL & ~S_SQL | S_INTERNAL;
6728+ } else {
6729+ EG(hphp_log_sapi) = atoi(new_value) | S_INTERNAL;
6730+ }
6731+ return SUCCESS;
6732+}
6733+static ZEND_INI_MH(OnUpdateHPHP_log_script)
6734+{
6735+ if (!new_value) {
6736+ EG(hphp_log_script) = S_ALL & (~S_MEMORY) & (~S_INTERNAL);
6737+ } else {
6738+ EG(hphp_log_script) = atoi(new_value) & (~S_MEMORY) & (~S_INTERNAL);
6739+ }
6740+ return SUCCESS;
6741+}
6742+static ZEND_INI_MH(OnUpdateHPHP_log_scriptname)
6743+{
6744+ if (EG(hphp_log_scriptname)) {
6745+ pefree(EG(hphp_log_scriptname),1);
6746+ }
6747+ EG(hphp_log_scriptname) = NULL;
6748+ if (new_value) {
6749+ EG(hphp_log_scriptname) = pestrdup(new_value,1);
6750+ }
6751+ return SUCCESS;
6752+}
6753+
6754+static ZEND_INI_MH(OnUpdateHPHP_include_whitelist)
6755+{
6756+ char *s = NULL, *e, *val;
6757+ unsigned long dummy = 1;
6758+
6759+ if (!new_value) {
6760+include_whitelist_destroy:
6761+ if (HG(include_whitelist)) {
6762+ zend_hash_destroy(HG(include_whitelist));
6763+ pefree(HG(include_whitelist),1);
6764+ }
6765+ HG(include_whitelist) = NULL;
6766+ return SUCCESS;
6767+ }
6768+ if (!(*new_value)) {
6769+ goto include_whitelist_destroy;
6770+ }
6771+
6772+ HG(include_whitelist) = pemalloc(sizeof(HashTable), 1);
6773+ zend_hash_init(HG(include_whitelist), 5, NULL, NULL, 1);
6774+
6775+ val = zend_str_tolower_dup(new_value, strlen(new_value));
6776+ e = val;
6777+
6778+ while (*e) {
6779+ switch (*e) {
6780+ case ' ':
6781+ case ',':
6782+ if (s) {
6783+ *e = '\0';
6784+ zend_hash_add(HG(include_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6785+ s = NULL;
6786+ }
6787+ break;
6788+ default:
6789+ if (!s) {
6790+ s = e;
6791+ }
6792+ break;
6793+ }
6794+ e++;
6795+ }
6796+ if (s) {
6797+ zend_hash_add(HG(include_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6798+ }
6799+ efree(val);
6800+
6801+ return SUCCESS;
6802+}
6803+
6804+static ZEND_INI_MH(OnUpdateHPHP_include_blacklist)
6805+{
6806+ char *s = NULL, *e, *val;
6807+ unsigned long dummy = 1;
6808+
6809+ if (!new_value) {
6810+include_blacklist_destroy:
6811+ if (HG(include_blacklist)) {
6812+ zend_hash_destroy(HG(include_blacklist));
6813+ pefree(HG(include_blacklist),1);
6814+ }
6815+ HG(include_blacklist) = NULL;
6816+ return SUCCESS;
6817+ }
6818+ if (!(*new_value)) {
6819+ goto include_blacklist_destroy;
6820+ }
6821+
6822+ HG(include_blacklist) = pemalloc(sizeof(HashTable), 1);
6823+ zend_hash_init(HG(include_blacklist), 5, NULL, NULL, 1);
6824+
6825+ val = zend_str_tolower_dup(new_value, strlen(new_value));
6826+ e = val;
6827+
6828+ while (*e) {
6829+ switch (*e) {
6830+ case ' ':
6831+ case ',':
6832+ if (s) {
6833+ *e = '\0';
6834+ zend_hash_add(HG(include_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6835+ s = NULL;
6836+ }
6837+ break;
6838+ default:
6839+ if (!s) {
6840+ s = e;
6841+ }
6842+ break;
6843+ }
6844+ e++;
6845+ }
6846+ if (s) {
6847+ zend_hash_add(HG(include_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6848+ }
6849+ efree(val);
6850+
6851+ return SUCCESS;
6852+}
6853+
6854+static ZEND_INI_MH(OnUpdateHPHP_eval_whitelist)
6855+{
6856+ char *s = NULL, *e, *val;
6857+ unsigned long dummy = 1;
6858+
6859+ if (!new_value) {
6860+eval_whitelist_destroy:
6861+ if (HG(eval_whitelist)) {
6862+ zend_hash_destroy(HG(eval_whitelist));
6863+ pefree(HG(eval_whitelist),1);
6864+ }
6865+ HG(eval_whitelist) = NULL;
6866+ return SUCCESS;
6867+ }
6868+ if (!(*new_value)) {
6869+ goto eval_whitelist_destroy;
6870+ }
6871+
6872+ HG(eval_whitelist) = pemalloc(sizeof(HashTable), 1);
6873+ zend_hash_init(HG(eval_whitelist), 5, NULL, NULL, 1);
6874+
6875+ val = zend_str_tolower_dup(new_value, strlen(new_value));
6876+ e = val;
6877+
6878+ while (*e) {
6879+ switch (*e) {
6880+ case ' ':
6881+ case ',':
6882+ if (s) {
6883+ *e = '\0';
6884+ zend_hash_add(HG(eval_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6885+ s = NULL;
6886+ }
6887+ break;
6888+ default:
6889+ if (!s) {
6890+ s = e;
6891+ }
6892+ break;
6893+ }
6894+ e++;
6895+ }
6896+ if (s) {
6897+ zend_hash_add(HG(eval_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6898+ }
6899+ efree(val);
6900+
6901+ return SUCCESS;
6902+}
6903+
6904+static ZEND_INI_MH(OnUpdateHPHP_eval_blacklist)
6905+{
6906+ char *s = NULL, *e, *val;
6907+ unsigned long dummy = 1;
6908+
6909+ if (!new_value) {
6910+eval_blacklist_destroy:
6911+ if (HG(eval_blacklist)) {
6912+ zend_hash_destroy(HG(eval_blacklist));
6913+ pefree(HG(eval_blacklist), 1);
6914+ }
6915+ HG(eval_blacklist) = NULL;
6916+ return SUCCESS;
6917+ }
6918+ if (!(*new_value)) {
6919+ goto eval_blacklist_destroy;
6920+ }
6921+
6922+ HG(eval_blacklist) = pemalloc(sizeof(HashTable), 1);
6923+ zend_hash_init(HG(eval_blacklist), 5, NULL, NULL, 1);
6924+
6925+ val = zend_str_tolower_dup(new_value, strlen(new_value));
6926+ e = val;
6927+
6928+ while (*e) {
6929+ switch (*e) {
6930+ case ' ':
6931+ case ',':
6932+ if (s) {
6933+ *e = '\0';
6934+ zend_hash_add(HG(eval_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6935+ s = NULL;
6936+ }
6937+ break;
6938+ default:
6939+ if (!s) {
6940+ s = e;
6941+ }
6942+ break;
6943+ }
6944+ e++;
6945+ }
6946+ if (s) {
6947+ zend_hash_add(HG(eval_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6948+ }
6949+ efree(val);
6950+
6951+
6952+ return SUCCESS;
6953+}
6954+
6955+static ZEND_INI_MH(OnUpdateHPHP_func_whitelist)
6956+{
6957+ char *s = NULL, *e, *val;
6958+ unsigned long dummy = 1;
6959+
6960+ if (!new_value) {
6961+func_whitelist_destroy:
6962+ if (HG(func_whitelist)) {
6963+ zend_hash_destroy(HG(func_whitelist));
6964+ pefree(HG(func_whitelist),1);
6965+ }
6966+ HG(func_whitelist) = NULL;
6967+ return SUCCESS;
6968+ }
6969+ if (!(*new_value)) {
6970+ goto func_whitelist_destroy;
6971+ }
6972+
6973+ HG(func_whitelist) = pemalloc(sizeof(HashTable), 1);
6974+ zend_hash_init(HG(func_whitelist), 5, NULL, NULL, 1);
6975+
6976+ val = zend_str_tolower_dup(new_value, strlen(new_value));
6977+ e = val;
6978+
6979+ while (*e) {
6980+ switch (*e) {
6981+ case ' ':
6982+ case ',':
6983+ if (s) {
6984+ *e = '\0';
6985+ zend_hash_add(HG(func_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6986+ s = NULL;
6987+ }
6988+ break;
6989+ default:
6990+ if (!s) {
6991+ s = e;
6992+ }
6993+ break;
6994+ }
6995+ e++;
6996+ }
6997+ if (s) {
6998+ zend_hash_add(HG(func_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
6999+ }
7000+ efree(val);
7001+
7002+ return SUCCESS;
7003+}
7004+
7005+static ZEND_INI_MH(OnUpdateHPHP_func_blacklist)
7006+{
7007+ char *s = NULL, *e, *val;
7008+ unsigned long dummy = 1;
7009+
7010+ if (!new_value) {
7011+func_blacklist_destroy:
7012+ if (HG(func_blacklist)) {
7013+ zend_hash_destroy(HG(func_blacklist));
7014+ pefree(HG(func_blacklist),1);
7015+ }
7016+ HG(func_blacklist) = NULL;
7017+ return SUCCESS;
7018+ }
7019+ if (!(*new_value)) {
7020+ goto func_blacklist_destroy;
7021+ }
7022+
7023+ HG(func_blacklist) = pemalloc(sizeof(HashTable), 1);
7024+ zend_hash_init(HG(func_blacklist), 5, NULL, NULL, 1);
7025+
7026+ val = zend_str_tolower_dup(new_value, strlen(new_value));
7027+ e = val;
7028+
7029+ while (*e) {
7030+ switch (*e) {
7031+ case ' ':
7032+ case ',':
7033+ if (s) {
7034+ *e = '\0';
7035+ zend_hash_add(HG(func_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
7036+ s = NULL;
7037+ }
7038+ break;
7039+ default:
7040+ if (!s) {
7041+ s = e;
7042+ }
7043+ break;
7044+ }
7045+ e++;
7046+ }
7047+ if (s) {
7048+ zend_hash_add(HG(func_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
7049+ }
7050+ efree(val);
7051+
7052+
7053+ return SUCCESS;
7054+}
7055+
7056+#endif
7057
7058 ZEND_INI_BEGIN()
7059 ZEND_INI_ENTRY("error_reporting", NULL, ZEND_INI_ALL, OnUpdateErrorReporting)
7060+#if HARDENING_PATCH
7061+ ZEND_INI_ENTRY("hphp.log.syslog", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_syslog)
7062+ ZEND_INI_ENTRY("hphp.log.syslog.facility", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_syslog_facility)
7063+ ZEND_INI_ENTRY("hphp.log.syslog.priority", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_syslog_priority)
7064+ ZEND_INI_ENTRY("hphp.log.sapi", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_sapi)
7065+ ZEND_INI_ENTRY("hphp.log.script", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_script)
7066+ ZEND_INI_ENTRY("hphp.log.script.name", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_scriptname)
7067+ STD_ZEND_INI_BOOLEAN("hphp.log.use-x-forwarded-for", "0", ZEND_INI_SYSTEM, OnUpdateBool, hphp_log_use_x_forwarded_for, zend_executor_globals, executor_globals)
7068+
7069+ ZEND_INI_ENTRY("hphp.executor.include.whitelist", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_include_whitelist)
7070+ ZEND_INI_ENTRY("hphp.executor.include.blacklist", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_include_blacklist)
7071+ ZEND_INI_ENTRY("hphp.executor.eval.whitelist", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateHPHP_eval_whitelist)
7072+ ZEND_INI_ENTRY("hphp.executor.eval.blacklist", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateHPHP_eval_blacklist)
7073+ ZEND_INI_ENTRY("hphp.executor.func.whitelist", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateHPHP_func_whitelist)
7074+ ZEND_INI_ENTRY("hphp.executor.func.blacklist", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateHPHP_func_blacklist)
7075+
7076+ STD_ZEND_INI_ENTRY("hphp.executor.max_depth", "0", ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateLong, hphp_executor_max_depth, zend_executor_globals, executor_globals)
7077+ STD_ZEND_INI_BOOLEAN("hphp.sql.bailout_on_error", "0", ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateBool, hphp_sql_bailout_on_error, hardened_globals_struct, hardened_globals)
7078+ STD_ZEND_INI_BOOLEAN("hphp.multiheader", "0", ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateBool, hphp_multiheader, hardened_globals_struct, hardened_globals)
7079+#endif
7080 ZEND_INI_END()
7081
7082
7083@@ -354,8 +741,12 @@
7084 zend_init_rsrc_plist(TSRMLS_C);
7085 EG(lambda_count)=0;
7086 EG(user_error_handler) = NULL;
7087+ EG(in_code_type) = 0;
7088 EG(in_execution) = 0;
7089 EG(current_execute_data) = NULL;
7090+#if HARDENING_PATCH
7091+ EG(hphp_log_scriptname) = NULL;
7092+#endif
7093 }
7094
7095
7096@@ -420,6 +811,14 @@
7097 extern zend_scanner_globals language_scanner_globals;
7098 #endif
7099
7100+ /* Set up Hardening-Patch utility functions first */
7101+#if HARDENING_PATCH
7102+ zend_security_log = utility_functions->security_log_function;
7103+#endif
7104+#if HARDENING_PATCH_INC_PROTECT
7105+ zend_is_valid_include = utility_functions->is_valid_include;
7106+#endif
7107+
7108 #ifdef ZTS
7109 ts_allocate_id(&alloc_globals_id, sizeof(zend_alloc_globals), (ts_allocate_ctor) alloc_globals_ctor, (ts_allocate_dtor) alloc_globals_dtor);
7110 #else
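Review bot: `zend_security_log = utility_functions->security_log_function;` is stored without a NULL check, so a SAPI or embedding host that fills in zend_utility_functions without the new field (anything built from unpatched sources, or any that zero-initialises the struct) turns the first zend_security_log() call - including the heap-corruption paths in zend_alloc.c - into a call through a NULL pointer instead of a log line. Fall back to a built-in stderr logger: `zend_security_log = utility_functions->security_log_function ? utility_functions->security_log_function : zend_default_security_log;` with a small static default defined in this file, and give `zend_is_valid_include` the same treatment so that a NULL there means an explicit allow or deny rather than a crash. The enclosing zend_startup() continues outside this hunk.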
7111@@ -619,6 +1018,7 @@
7112 }
7113 CG(unclean_shutdown) = 1;
7114 CG(in_compilation) = EG(in_execution) = 0;
7115+ EG(in_code_type) = 0;
7116 EG(current_execute_data) = NULL;
7117 longjmp(EG(bailout), FAILURE);
7118 }
7119diff -Nura php-4.4.2/Zend/zend_canary.c hardening-patch-4.4.2-0.4.10/Zend/zend_canary.c
7120--- php-4.4.2/Zend/zend_canary.c 1970-01-01 01:00:00.000000000 +0100
7121+++ hardening-patch-4.4.2-0.4.10/Zend/zend_canary.c 2006-05-11 10:36:02.000000000 +0200
7122@@ -0,0 +1,58 @@
7123+/*
7124+ +----------------------------------------------------------------------+
7125+ | Hardening-Patch for PHP |
7126+ +----------------------------------------------------------------------+
7127+ | Copyright (c) 2004-2005 Stefan Esser |
7128+ +----------------------------------------------------------------------+
7129+ | This source file is subject to version 2.02 of the PHP license, |
7130+ | that is bundled with this package in the file LICENSE, and is |
7131+ | available at through the world-wide-web at |
7132+ | http://www.php.net/license/2_02.txt. |
7133+ | If you did not receive a copy of the PHP license and are unable to |
7134+ | obtain it through the world-wide-web, please send a note to |
7135+ | license@php.net so we can mail you a copy immediately. |
7136+ +----------------------------------------------------------------------+
7137+ | Author: Stefan Esser <sesser@hardened-php.net> |
7138+ +----------------------------------------------------------------------+
7139+ */
7140+/* $Id: zend_canary.c,v 1.1 2004/11/26 12:45:41 ionic Exp $ */
7141+
7142+#include "zend.h"
7143+
7144+#include <stdio.h>
7145+#include <stdlib.h>
7146+
7147+
7148+#if HARDENING_PATCH_MM_PROTECT || HARDENING_PATCH_LL_PROTECT || HARDENING_PATCH_HASH_PROTECT
7149+
7150+/* will be replaced later with more compatible method */
7151+ZEND_API unsigned int zend_canary()
7152+{
7153+ time_t t;
7154+ unsigned int canary;
7155+ int fd;
7156+
7157+ fd = open("/dev/urandom", 0);
7158+ if (fd != -1) {
7159+ int r = read(fd, &canary, sizeof(canary));
7160+ close(fd);
7161+ if (r == sizeof(canary)) {
7162+ return (canary);
7163+ }
7164+ }
7165+ /* not good but we never want to do this */
7166+ time(&t);
7167+ canary = *(unsigned int *)&t + getpid() << 16;
7168+ return (canary);
7169+}
7170+#endif
7171+
7172+
7173+/*
7174+ * Local variables:
7175+ * tab-width: 4
7176+ * c-basic-offset: 4
7177+ * End:
7178+ * vim600: sw=4 ts=4 fdm=marker
7179+ * vim<600: sw=4 ts=4
7180+ */
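Review bot: The /dev/urandom path treats a single short or EINTR-interrupted read() as failure and silently drops to the `time + pid<<16` fallback, which a local attacker can reproduce within a few guesses; the fallback is also written as `*(unsigned int *)&t`, a strict-aliasing pun on time_t, with `getpid() << 16` bound tighter than the `+`, which may not be the mix the author intended. Loop until the full value has been read, fall back only when the device is genuinely unavailable, pass `O_RDONLY` rather than the literal `0`, and include `<fcntl.h>`, `<unistd.h>` and `<errno.h>` explicitly instead of relying on zend.h for the prototypes. The file is new and complete in this hunk; the rewritten read path is below.
```c
ZEND_API unsigned int zend_canary()
{
	time_t t;
	unsigned int canary;
	int fd;

	fd = open("/dev/urandom", O_RDONLY);
	if (fd != -1) {
		size_t got = 0;
		while (got < sizeof(canary)) {
			ssize_t r = read(fd, ((char *)&canary) + got, sizeof(canary) - got);
			if (r < 0 && errno == EINTR) {
				continue;
			}
			if (r <= 0) {
				break;
			}
			got += (size_t)r;
		}
		close(fd);
		if (got == sizeof(canary)) {
			return canary;
		}
	}
	/* … unchanged: time/pid fallback (weak; only reached when /dev/urandom is unusable) … */
}
```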
7181diff -Nura php-4.4.2/Zend/zend_compile.c hardening-patch-4.4.2-0.4.10/Zend/zend_compile.c
7182--- php-4.4.2/Zend/zend_compile.c 2006-01-01 14:46:49.000000000 +0100
7183+++ hardening-patch-4.4.2-0.4.10/Zend/zend_compile.c 2006-05-11 10:36:02.000000000 +0200
7184@@ -768,6 +768,13 @@
7185 op_array.function_name = name;
7186 op_array.arg_types = NULL;
7187 op_array.return_reference = return_reference;
7188+#if HARDENING_PATCH
7189+ if (EG(in_code_type)==ZEND_EVAL_CODE) {
7190+ op_array.created_by_eval = 1;
7191+ } else {
7192+ op_array.created_by_eval = 0;
7193+ }
7194+#endif
7195
7196 if (is_method) {
7197 if (zend_hash_add(&CG(active_class_entry)->function_table, name, name_len+1, &op_array, sizeof(zend_op_array), (void **) &CG(active_op_array)) == FAILURE) {
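Review bot: `created_by_eval` is set only when `EG(in_code_type)==ZEND_EVAL_CODE`, so code compiled while in_code_type holds the new ZEND_SANDBOX_CODE value (added in the zend_compile.h hunk) gets `created_by_eval = 0`; if sandboxed code is meant to face the same eval restrictions, the test should read `if (EG(in_code_type)==ZEND_EVAL_CODE || EG(in_code_type)==ZEND_SANDBOX_CODE) {`. Because the flag is taken from executor state at compile time, a file include()d from inside eval'd code is presumably compiled with in_code_type still at ZEND_EVAL_CODE unless the executor resets it around the include, which would tag every function in that file as eval-created; whether that is intended deserves a comment above the `#if`. The enclosing function starts outside this hunk.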
7198diff -Nura php-4.4.2/Zend/zend_compile.h hardening-patch-4.4.2-0.4.10/Zend/zend_compile.h
7199--- php-4.4.2/Zend/zend_compile.h 2006-01-01 14:46:49.000000000 +0100
7200+++ hardening-patch-4.4.2-0.4.10/Zend/zend_compile.h 2006-05-11 10:36:02.000000000 +0200
7201@@ -106,6 +106,9 @@
7202 char *filename;
7203
7204 void *reserved[ZEND_MAX_RESERVED_RESOURCES];
7205+#if HARDENING_PATCH
7206+ zend_bool created_by_eval;
7207+#endif
7208 };
7209
7210
7211@@ -549,6 +552,7 @@
7212 #define ZEND_USER_FUNCTION 2
7213 #define ZEND_OVERLOADED_FUNCTION 3
7214 #define ZEND_EVAL_CODE 4
7215+#define ZEND_SANDBOX_CODE 6
7216
7217 #define ZEND_INTERNAL_CLASS 1
7218 #define ZEND_USER_CLASS 2
7219diff -Nura php-4.4.2/Zend/zend_constants.c hardening-patch-4.4.2-0.4.10/Zend/zend_constants.c
7220--- php-4.4.2/Zend/zend_constants.c 2006-01-01 14:46:49.000000000 +0100
7221+++ hardening-patch-4.4.2-0.4.10/Zend/zend_constants.c 2006-05-11 10:36:02.000000000 +0200
7222@@ -111,6 +111,73 @@
7223 REGISTER_MAIN_LONG_CONSTANT("E_USER_NOTICE", E_USER_NOTICE, CONST_PERSISTENT | CONST_CS);
7224
7225 REGISTER_MAIN_LONG_CONSTANT("E_ALL", E_ALL, CONST_PERSISTENT | CONST_CS);
7226+#if HARDENING_PATCH
7227+ REGISTER_MAIN_LONG_CONSTANT("S_MEMORY", S_MEMORY, CONST_PERSISTENT | CONST_CS);
7228+ REGISTER_MAIN_LONG_CONSTANT("S_VARS", S_VARS, CONST_PERSISTENT | CONST_CS);
7229+ REGISTER_MAIN_LONG_CONSTANT("S_FILES", S_FILES, CONST_PERSISTENT | CONST_CS);
7230+ REGISTER_MAIN_LONG_CONSTANT("S_INCLUDE", S_INCLUDE, CONST_PERSISTENT | CONST_CS);
7231+ REGISTER_MAIN_LONG_CONSTANT("S_SQL", S_SQL, CONST_PERSISTENT | CONST_CS);
7232+ REGISTER_MAIN_LONG_CONSTANT("S_EXECUTOR", S_EXECUTOR, CONST_PERSISTENT | CONST_CS);
7233+ REGISTER_MAIN_LONG_CONSTANT("S_MISC", S_MISC, CONST_PERSISTENT | CONST_CS);
7234+ REGISTER_MAIN_LONG_CONSTANT("S_INTERNAL", S_INTERNAL, CONST_PERSISTENT | CONST_CS);
7235+ REGISTER_MAIN_LONG_CONSTANT("S_ALL", S_ALL, CONST_PERSISTENT | CONST_CS);
7236+
7237+ /* error levels */
7238+ REGISTER_MAIN_LONG_CONSTANT("LOG_EMERG", LOG_EMERG, CONST_CS | CONST_PERSISTENT); /* system unusable */
7239+ REGISTER_MAIN_LONG_CONSTANT("LOG_ALERT", LOG_ALERT, CONST_CS | CONST_PERSISTENT); /* immediate action required */
7240+ REGISTER_MAIN_LONG_CONSTANT("LOG_CRIT", LOG_CRIT, CONST_CS | CONST_PERSISTENT); /* critical conditions */
7241+ REGISTER_MAIN_LONG_CONSTANT("LOG_ERR", LOG_ERR, CONST_CS | CONST_PERSISTENT);
7242+ REGISTER_MAIN_LONG_CONSTANT("LOG_WARNING", LOG_WARNING, CONST_CS | CONST_PERSISTENT);
7243+ REGISTER_MAIN_LONG_CONSTANT("LOG_NOTICE", LOG_NOTICE, CONST_CS | CONST_PERSISTENT);
7244+ REGISTER_MAIN_LONG_CONSTANT("LOG_INFO", LOG_INFO, CONST_CS | CONST_PERSISTENT);
7245+ REGISTER_MAIN_LONG_CONSTANT("LOG_DEBUG", LOG_DEBUG, CONST_CS | CONST_PERSISTENT);
7246+ /* facility: type of program logging the message */
7247+ REGISTER_MAIN_LONG_CONSTANT("LOG_KERN", LOG_KERN, CONST_CS | CONST_PERSISTENT);
7248+ REGISTER_MAIN_LONG_CONSTANT("LOG_USER", LOG_USER, CONST_CS | CONST_PERSISTENT); /* generic user level */
7249+ REGISTER_MAIN_LONG_CONSTANT("LOG_MAIL", LOG_MAIL, CONST_CS | CONST_PERSISTENT); /* log to email */
7250+ REGISTER_MAIN_LONG_CONSTANT("LOG_DAEMON", LOG_DAEMON, CONST_CS | CONST_PERSISTENT); /* other system daemons */
7251+ REGISTER_MAIN_LONG_CONSTANT("LOG_AUTH", LOG_AUTH, CONST_CS | CONST_PERSISTENT);
7252+ REGISTER_MAIN_LONG_CONSTANT("LOG_SYSLOG", LOG_SYSLOG, CONST_CS | CONST_PERSISTENT);
7253+ REGISTER_MAIN_LONG_CONSTANT("LOG_LPR", LOG_LPR, CONST_CS | CONST_PERSISTENT);
7254+#ifdef LOG_NEWS
7255+ /* No LOG_NEWS on HP-UX */
7256+ REGISTER_MAIN_LONG_CONSTANT("LOG_NEWS", LOG_NEWS, CONST_CS | CONST_PERSISTENT); /* usenet new */
7257+#endif
7258+#ifdef LOG_UUCP
7259+ /* No LOG_UUCP on HP-UX */
7260+ REGISTER_MAIN_LONG_CONSTANT("LOG_UUCP", LOG_UUCP, CONST_CS | CONST_PERSISTENT);
7261+#endif
7262+#ifdef LOG_CRON
7263+ /* apparently some systems don't have this one */
7264+ REGISTER_MAIN_LONG_CONSTANT("LOG_CRON", LOG_CRON, CONST_CS | CONST_PERSISTENT);
7265+#endif
7266+#ifdef LOG_AUTHPRIV
7267+ /* AIX doesn't have LOG_AUTHPRIV */
7268+ REGISTER_MAIN_LONG_CONSTANT("LOG_AUTHPRIV", LOG_AUTHPRIV, CONST_CS | CONST_PERSISTENT);
7269+#endif
7270+#if !defined(PHP_WIN32) && !defined(NETWARE)
7271+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL0", LOG_LOCAL0, CONST_CS | CONST_PERSISTENT);
7272+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL1", LOG_LOCAL1, CONST_CS | CONST_PERSISTENT);
7273+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL2", LOG_LOCAL2, CONST_CS | CONST_PERSISTENT);
7274+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL3", LOG_LOCAL3, CONST_CS | CONST_PERSISTENT);
7275+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL4", LOG_LOCAL4, CONST_CS | CONST_PERSISTENT);
7276+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL5", LOG_LOCAL5, CONST_CS | CONST_PERSISTENT);
7277+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL6", LOG_LOCAL6, CONST_CS | CONST_PERSISTENT);
7278+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL7", LOG_LOCAL7, CONST_CS | CONST_PERSISTENT);
7279+#endif
7280+ /* options */
7281+ REGISTER_MAIN_LONG_CONSTANT("LOG_PID", LOG_PID, CONST_CS | CONST_PERSISTENT);
7282+ REGISTER_MAIN_LONG_CONSTANT("LOG_CONS", LOG_CONS, CONST_CS | CONST_PERSISTENT);
7283+ REGISTER_MAIN_LONG_CONSTANT("LOG_ODELAY", LOG_ODELAY, CONST_CS | CONST_PERSISTENT);
7284+ REGISTER_MAIN_LONG_CONSTANT("LOG_NDELAY", LOG_NDELAY, CONST_CS | CONST_PERSISTENT);
7285+#ifdef LOG_NOWAIT
7286+ REGISTER_MAIN_LONG_CONSTANT("LOG_NOWAIT", LOG_NOWAIT, CONST_CS | CONST_PERSISTENT);
7287+#endif
7288+#ifdef LOG_PERROR
7289+ /* AIX doesn't have LOG_PERROR */
7290+ REGISTER_MAIN_LONG_CONSTANT("LOG_PERROR", LOG_PERROR, CONST_CS | CONST_PERSISTENT); /*log to stderr*/
7291+#endif
7292+#endif
7293
7294 /* true/false constants */
7295 {
7296diff -Nura php-4.4.2/Zend/zend_errors.h hardening-patch-4.4.2-0.4.10/Zend/zend_errors.h
7297--- php-4.4.2/Zend/zend_errors.h 2006-01-01 14:46:49.000000000 +0100
7298+++ hardening-patch-4.4.2-0.4.10/Zend/zend_errors.h 2006-05-11 10:36:02.000000000 +0200
7299@@ -36,5 +36,17 @@
7300 #define E_ALL (E_ERROR | E_WARNING | E_PARSE | E_NOTICE | E_CORE_ERROR | E_CORE_WARNING | E_COMPILE_ERROR | E_COMPILE_WARNING | E_USER_ERROR | E_USER_WARNING | E_USER_NOTICE)
7301 #define E_CORE (E_CORE_ERROR | E_CORE_WARNING)
7302
7303+#if HARDENING_PATCH
7304+#define S_MEMORY (1<<0L)
7305+#define S_VARS (1<<1L)
7306+#define S_FILES (1<<2L)
7307+#define S_INCLUDE (1<<3L)
7308+#define S_SQL (1<<4L)
7309+#define S_EXECUTOR (1<<5L)
7310+#define S_MISC (1<<30L)
7311+#define S_INTERNAL (1<<29L)
7312+#define S_ALL (S_MEMORY | S_VARS | S_INCLUDE | S_FILES | S_MISC | S_SQL | S_EXECUTOR)
7313+#endif
7314+
7315 #endif /* ZEND_ERRORS_H */
7316
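Review bot: S_ALL at L7327 omits S_INTERNAL, and nothing says whether that is intended (for instance so that internal diagnostics are never subject to a user-configurable S_ALL mask); a comment such as `/* S_INTERNAL is intentionally not part of S_ALL */` next to the definition would settle it. Separately, the `L` suffix in `(1<<0L)` … `(1<<30L)` sits on the shift count and does not widen the result — the expressions are plain `int`, which is fine for bit 30 but is presumably not what the suffix was meant to express; `(1<<30)` says the same thing.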
7317diff -Nura php-4.4.2/Zend/zend_execute_API.c hardening-patch-4.4.2-0.4.10/Zend/zend_execute_API.c
7318--- php-4.4.2/Zend/zend_execute_API.c 2006-01-01 14:46:49.000000000 +0100
7319+++ hardening-patch-4.4.2-0.4.10/Zend/zend_execute_API.c 2006-05-11 10:36:02.000000000 +0200
7320@@ -142,6 +142,7 @@
7321 EG(class_table) = CG(class_table);
7322
7323 EG(in_execution) = 0;
7324+ EG(in_code_type) = 0;
7325
7326 zend_ptr_stack_init(&EG(argument_stack));
7327
7328@@ -431,12 +432,14 @@
7329 zend_execute_data execute_data;
7330
7331 /* Initialize execute_data */
7332+ memset(&execute_data, 0, sizeof(execute_data));
7333 EX(fbc) = NULL;
7334 EX(object).ptr = NULL;
7335 EX(ce) = NULL;
7336 EX(Ts) = NULL;
7337 EX(op_array) = NULL;
7338 EX(opline) = NULL;
7339+ EX(execute_depth) = 0;
7340
7341 *retval_ptr_ptr = NULL;
7342
7343@@ -494,6 +497,39 @@
7344 zval_dtor(&function_name_copy);
7345 return FAILURE;
7346 }
7347+#if HARDENING_PATCH
7348+ if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION) {
7349+ if (EG(in_code_type) == ZEND_EVAL_CODE) {
7350+ if (HG(eval_whitelist) != NULL) {
7351+ if (!zend_hash_exists(HG(eval_whitelist), function_name_copy.value.str.val, function_name_copy.value.str.len+1)) {
7352+ zend_security_log(S_EXECUTOR, "function outside of eval whitelist called: %s()", function_name_copy.value.str.val);
7353+ zval_dtor(&function_name_copy);
7354+ zend_bailout();
7355+ }
7356+ } else if (HG(eval_blacklist) != NULL) {
7357+ if (zend_hash_exists(HG(eval_blacklist), function_name_copy.value.str.val, function_name_copy.value.str.len+1)) {
7358+ zend_security_log(S_EXECUTOR, "function within eval blacklist called: %s()", function_name_copy.value.str.val);
7359+ zval_dtor(&function_name_copy);
7360+ zend_bailout();
7361+ }
7362+ }
7363+ }
7364+
7365+ if (HG(func_whitelist) != NULL) {
7366+ if (!zend_hash_exists(HG(func_whitelist), function_name_copy.value.str.val, function_name_copy.value.str.len+1)) {
7367+ zend_security_log(S_EXECUTOR, "function outside of whitelist called: %s()", function_name_copy.value.str.val);
7368+ zval_dtor(&function_name_copy);
7369+ zend_bailout();
7370+ }
7371+ } else if (HG(func_blacklist) != NULL) {
7372+ if (zend_hash_exists(HG(func_blacklist), function_name_copy.value.str.val, function_name_copy.value.str.len+1)) {
7373+ zend_security_log(S_EXECUTOR, "function within blacklist called: %s()", function_name_copy.value.str.val);
7374+ zval_dtor(&function_name_copy);
7375+ zend_bailout();
7376+ }
7377+ }
7378+ }
7379+#endif
7380 zval_dtor(&function_name_copy);
7381
7382 for (i=0; i<param_count; i++) {
7383@@ -606,8 +642,7 @@
7384 return SUCCESS;
7385 }
7386
7387-
7388-ZEND_API int zend_eval_string(char *str, zval *retval_ptr, char *string_name TSRMLS_DC)
7389+ZEND_API int zend_eval_string_ex(char *str, zval *retval_ptr, char *string_name, int type TSRMLS_DC)
7390 {
7391 zval pv;
7392 zend_op_array *new_op_array;
7393@@ -640,6 +675,7 @@
7394 zval **original_return_value_ptr_ptr = EG(return_value_ptr_ptr);
7395 zend_op **original_opline_ptr = EG(opline_ptr);
7396
7397+ new_op_array->type = type;
7398 EG(return_value_ptr_ptr) = &local_retval_ptr;
7399 EG(active_op_array) = new_op_array;
7400 EG(no_extensions)=1;
7401@@ -673,6 +709,10 @@
7402 return retval;
7403 }
7404
7405+ZEND_API int zend_eval_string(char *str, zval *retval_ptr, char *string_name TSRMLS_DC)
7406+{
7407+ return (zend_eval_string_ex(str, retval_ptr, string_name, ZEND_EVAL_CODE TSRMLS_CC));
7408+}
7409
7410 void execute_new_code(TSRMLS_D)
7411 {
7412diff -Nura php-4.4.2/Zend/zend_execute.c hardening-patch-4.4.2-0.4.10/Zend/zend_execute.c
7413--- php-4.4.2/Zend/zend_execute.c 2006-01-01 14:46:49.000000000 +0100
7414+++ hardening-patch-4.4.2-0.4.10/Zend/zend_execute.c 2006-05-11 10:36:02.000000000 +0200
7415@@ -1042,6 +1042,7 @@
7416 zend_execute_data execute_data;
7417
7418 /* Initialize execute_data */
7419+ memset(&execute_data, 0, sizeof(execute_data));
7420 EX(fbc) = NULL;
7421 EX(ce) = NULL;
7422 EX(object).ptr = NULL;
7423@@ -1053,9 +1054,21 @@
7424 }
7425 EX(prev_execute_data) = EG(current_execute_data);
7426 EX(original_in_execution)=EG(in_execution);
7427+ EX(original_in_code_type)=EG(in_code_type);
7428
7429 EG(current_execute_data) = &execute_data;
7430
7431+#if HARDENING_PATCH
7432+ EX(execute_depth) = 0;
7433+
7434+ if ((op_array->type == ZEND_EVAL_CODE || op_array->created_by_eval) && EG(in_code_type) != ZEND_SANDBOX_CODE) {
7435+ EG(in_code_type) = ZEND_EVAL_CODE;
7436+ } else if (op_array->type == ZEND_SANDBOX_CODE) {
7437+ EG(in_code_type) = ZEND_SANDBOX_CODE;
7438+ op_array->type = ZEND_EVAL_CODE;
7439+ }
7440+#endif
7441+
7442 EG(in_execution) = 1;
7443 if (op_array->start_op) {
7444 EX(opline) = op_array->start_op;
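Review bot: `op_array->type = ZEND_EVAL_CODE;` at L7453 rewrites the op_array itself, not just EG(in_code_type), so if the same sandbox op_array were ever executed a second time it would match the first branch at L7449 and be classified as eval code rather than sandbox code. If sandbox op_arrays are guaranteed single-use this is harmless, but that guarantee is not visible here; a comment stating it, e.g. `/* sandbox op_arrays are executed exactly once, so downgrading the type afterwards is safe */`, would make the intent checkable, and otherwise leave `op_array->type` untouched and rely on EG(in_code_type) alone. execute() starts and ends outside the hunk; the matching restore of in_code_type is at L7557.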
7445@@ -1087,6 +1100,19 @@
7446 }
7447 }
7448
7449+#if HARDENING_PATCH
7450+ if (EX(prev_execute_data) == NULL) {
7451+ EX(execute_depth) = 0;
7452+ } else {
7453+ EX(execute_depth) = EX(prev_execute_data)->execute_depth + 1;
7454+ }
7455+
7456+ if (EG(hphp_executor_max_depth) > 0 && EX(execute_depth) > EG(hphp_executor_max_depth)) {
7457+ zend_security_log(S_EXECUTOR, "Maximum execution depth of %u violated", EG(hphp_executor_max_depth));
7458+ zend_bailout();
7459+ }
7460+#endif
7461+
7462 while (1) {
7463 #ifdef ZEND_WIN32
7464 if (EG(timed_out)) {
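Review bot: The log call at L7472 passes `EG(hphp_executor_max_depth)`, declared `long` at L7696, to a `%u` conversion; on LP64 platforms that is a type mismatch with undefined behaviour and a wrong value in the log line. Use `"Maximum execution depth of %ld violated", EG(hphp_executor_max_depth)`. The mismatch goes unnoticed because zend_security_log is declared without a printf format attribute (L7742).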
7465@@ -1634,6 +1660,36 @@
7466 if (zend_hash_find(active_function_table, function_name->value.str.val, function_name->value.str.len+1, (void **) &function)==FAILURE) {
7467 zend_error(E_ERROR, "Call to undefined function: %s()", function_name->value.str.val);
7468 }
7469+#if HARDENING_PATCH
7470+ if (active_function_table == EG(function_table)) {
7471+ if (EG(in_code_type) == ZEND_EVAL_CODE) {
7472+ if (HG(eval_whitelist) != NULL) {
7473+ if (!zend_hash_exists(HG(eval_whitelist), function_name->value.str.val, function_name->value.str.len+1)) {
7474+ zend_security_log(S_EXECUTOR, "function outside of eval whitelist called: %s()", function_name->value.str.val);
7475+ zend_bailout();
7476+ }
7477+ } else if (HG(eval_blacklist) != NULL) {
7478+ if (zend_hash_exists(HG(eval_blacklist), function_name->value.str.val, function_name->value.str.len+1)) {
7479+ zend_security_log(S_EXECUTOR, "function within eval blacklist called: %s()", function_name->value.str.val);
7480+ zend_bailout();
7481+ }
7482+ }
7483+ }
7484+
7485+ if (HG(func_whitelist) != NULL) {
7486+ if (!zend_hash_exists(HG(func_whitelist), function_name->value.str.val, function_name->value.str.len+1)) {
7487+ zend_security_log(S_EXECUTOR, "function outside of whitelist called: %s()", function_name->value.str.val);
7488+ zend_bailout();
7489+ }
7490+ } else if (HG(func_blacklist) != NULL) {
7491+ if (zend_hash_exists(HG(func_blacklist), function_name->value.str.val, function_name->value.str.len+1)) {
7492+ zend_security_log(S_EXECUTOR, "function within blacklist called: %s()", function_name->value.str.val);
7493+ zend_bailout();
7494+ }
7495+ }
7496+ }
7497+#endif
7498+
7499 zval_dtor(&tmp);
7500 EX(fbc) = function;
7501 overloaded_function_call_cont:
7502@@ -1649,6 +1705,35 @@
7503 if (zend_hash_find(EG(function_table), fname->value.str.val, fname->value.str.len+1, (void **) &EX(function_state).function)==FAILURE) {
7504 zend_error(E_ERROR, "Unknown function: %s()", fname->value.str.val);
7505 }
7506+#if HARDENING_PATCH
7507+ if (EX(function_state).function->type==ZEND_INTERNAL_FUNCTION) {
7508+ if (EG(in_code_type) == ZEND_EVAL_CODE) {
7509+ if (HG(eval_whitelist) != NULL) {
7510+ if (!zend_hash_exists(HG(eval_whitelist), fname->value.str.val, fname->value.str.len+1)) {
7511+ zend_security_log(S_EXECUTOR, "function outside of eval whitelist called: %s()", fname->value.str.val);
7512+ zend_bailout();
7513+ }
7514+ } else if (HG(eval_blacklist) != NULL) {
7515+ if (zend_hash_exists(HG(eval_blacklist), fname->value.str.val, fname->value.str.len+1)) {
7516+ zend_security_log(S_EXECUTOR, "function within eval blacklist called: %s()", fname->value.str.val);
7517+ zend_bailout();
7518+ }
7519+ }
7520+ }
7521+
7522+ if (HG(func_whitelist) != NULL) {
7523+ if (!zend_hash_exists(HG(func_whitelist), fname->value.str.val, fname->value.str.len+1)) {
7524+ zend_security_log(S_EXECUTOR, "function outside of whitelist called: %s()", fname->value.str.val);
7525+ zend_bailout();
7526+ }
7527+ } else if (HG(func_blacklist) != NULL) {
7528+ if (zend_hash_exists(HG(func_blacklist), fname->value.str.val, fname->value.str.len+1)) {
7529+ zend_security_log(S_EXECUTOR, "function within blacklist called: %s()", fname->value.str.val);
7530+ zend_bailout();
7531+ }
7532+ }
7533+ }
7534+#endif
7535 FREE_OP(EX(Ts), &EX(opline)->op1, EG(free_op1));
7536 zend_ptr_stack_n_push(&EG(arg_types_stack), 2, EX(object).ptr, EX(ce));
7537 EX(object).ptr = NULL;
7538@@ -1821,6 +1906,7 @@
7539 efree(EX(Ts));
7540 }
7541 EG(in_execution) = EX(original_in_execution);
7542+ EG(in_code_type) = EX(original_in_code_type);
7543 EG(current_execute_data) = EX(prev_execute_data);
7544 return;
7545 }
7546@@ -2210,7 +2296,12 @@
7547 int dummy = 1;
7548 zend_file_handle file_handle = {0};
7549
7550+#if HARDENING_PATCH_INC_PROTECT
7551+ if (zend_is_valid_include(inc_filename)
7552+ && zend_open(inc_filename->value.str.val, &file_handle) == SUCCESS
7553+#else
7554 if (zend_open(inc_filename->value.str.val, &file_handle) == SUCCESS
7555+#endif
7556 && ZEND_IS_VALID_FILE_HANDLE(&file_handle)) {
7557
7558 file_handle.filename = inc_filename->value.str.val;
7559@@ -2239,6 +2330,11 @@
7560 break;
7561 case ZEND_INCLUDE:
7562 case ZEND_REQUIRE:
7563+#if HARDENING_PATCH_INC_PROTECT
7564+ if (!zend_is_valid_include(inc_filename)) {
7565+ break;
7566+ }
7567+#endif
7568 new_op_array = compile_filename(EX(opline)->op2.u.constant.value.lval, inc_filename TSRMLS_CC);
7569 break;
7570 case ZEND_EVAL: {
7571diff -Nura php-4.4.2/Zend/zend_execute_globals.h hardening-patch-4.4.2-0.4.10/Zend/zend_execute_globals.h
7572--- php-4.4.2/Zend/zend_execute_globals.h 2006-01-01 14:46:49.000000000 +0100
7573+++ hardening-patch-4.4.2-0.4.10/Zend/zend_execute_globals.h 2006-05-11 10:36:02.000000000 +0200
7574@@ -60,6 +60,8 @@
7575 object_info object;
7576 temp_variable *Ts;
7577 zend_bool original_in_execution;
7578+ zend_uint original_in_code_type;
7579+ zend_uint execute_depth;
7580 zend_op_array *op_array;
7581 struct _zend_execute_data *prev_execute_data;
7582 } zend_execute_data;
7583diff -Nura php-4.4.2/Zend/zend_extensions.c hardening-patch-4.4.2-0.4.10/Zend/zend_extensions.c
7584--- php-4.4.2/Zend/zend_extensions.c 2006-01-01 14:46:49.000000000 +0100
7585+++ hardening-patch-4.4.2-0.4.10/Zend/zend_extensions.c 2006-05-11 10:36:02.000000000 +0200
7586@@ -54,23 +54,44 @@
7587 return FAILURE;
7588 }
7589
7590+ /* check if module is compiled against Hardening-Patch */
7591+ if (extension_version_info->zend_extension_api_no < 1000000000) {
7592+ fprintf(stderr, "%s is not compiled with Hardening-Patch.\n"
7593+ "The Hardening-Patch version %d is installed.\n\n",
7594+ new_extension->name,
7595+ HARDENING_PATCH_ZEND_EXTENSION_API_NO);
7596+ DL_UNLOAD(handle);
7597+ return FAILURE;
7598+ }
7599+
7600+
7601+ /* check if module is compiled against correct Hardening-Patch version */
7602+ if (extension_version_info->zend_extension_api_no != HARDENING_PATCH_ZEND_EXTENSION_API_NO) {
7603+ fprintf(stderr, "%s requires Hardening-Patch version %d.\n"
7604+ "The Hardening-Patch version %d is installed.\n\n",
7605+ new_extension->name,
7606+ extension_version_info->zend_extension_api_no,
7607+ HARDENING_PATCH_ZEND_EXTENSION_API_NO);
7608+ DL_UNLOAD(handle);
7609+ return FAILURE;
7610+ }
7611
7612 /* allow extension to proclaim compatibility with any Zend version */
7613- if (extension_version_info->zend_extension_api_no != ZEND_EXTENSION_API_NO &&(!new_extension->api_no_check || new_extension->api_no_check(ZEND_EXTENSION_API_NO) != SUCCESS)) {
7614- if (extension_version_info->zend_extension_api_no > ZEND_EXTENSION_API_NO) {
7615+ if (extension_version_info->real_zend_extension_api_no != ZEND_EXTENSION_API_NO &&(!new_extension->api_no_check || new_extension->api_no_check(ZEND_EXTENSION_API_NO) != SUCCESS)) {
7616+ if (extension_version_info->real_zend_extension_api_no > ZEND_EXTENSION_API_NO) {
7617 fprintf(stderr, "%s requires Zend Engine API version %d.\n"
7618 "The Zend Engine API version %d which is installed, is outdated.\n\n",
7619 new_extension->name,
7620- extension_version_info->zend_extension_api_no,
7621+ extension_version_info->real_zend_extension_api_no,
7622 ZEND_EXTENSION_API_NO);
7623 DL_UNLOAD(handle);
7624 return FAILURE;
7625- } else if (extension_version_info->zend_extension_api_no < ZEND_EXTENSION_API_NO) {
7626+ } else if (extension_version_info->real_zend_extension_api_no < ZEND_EXTENSION_API_NO) {
7627 fprintf(stderr, "%s requires Zend Engine API version %d.\n"
7628 "The Zend Engine API version %d which is installed, is newer.\n"
7629 "Contact %s at %s for a later version of %s.\n\n",
7630 new_extension->name,
7631- extension_version_info->zend_extension_api_no,
7632+ extension_version_info->real_zend_extension_api_no,
7633 ZEND_EXTENSION_API_NO,
7634 new_extension->author,
7635 new_extension->URL,
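Review bot: The literal `1000000000` at L7606 is the only thing standing between the loader and an out-of-bounds read: an extension built against the unpatched zend_extensions.h has a version-info struct without the `real_zend_extension_api_no` member added at L7668, so the read of `extension_version_info->real_zend_extension_api_no` at L7630 is only safe because the earlier check rejects every pre-patch API number first. Give the threshold a name next to the API number at L7660, e.g. `#define HARDENING_PATCH_MIN_EXT_API_NO 1000000000`, and say why the order matters: `/* must run before any access to real_zend_extension_api_no: unpatched extensions do not have that field */`. The enclosing function starts outside the hunk.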
7636diff -Nura php-4.4.2/Zend/zend_extensions.h hardening-patch-4.4.2-0.4.10/Zend/zend_extensions.h
7637--- php-4.4.2/Zend/zend_extensions.h 2006-01-01 14:46:49.000000000 +0100
7638+++ hardening-patch-4.4.2-0.4.10/Zend/zend_extensions.h 2006-05-11 10:36:02.000000000 +0200
7639@@ -23,6 +23,9 @@
7640
7641 #include "zend_compile.h"
7642
7643+/* Create own API version number for Hardening-Patch */
7644+
7645+#define HARDENING_PATCH_ZEND_EXTENSION_API_NO 1001050805
7646 #define ZEND_EXTENSION_API_NO 20050606
7647
7648 typedef struct _zend_extension_version_info {
7649@@ -30,6 +33,7 @@
7650 char *required_zend_version;
7651 unsigned char thread_safe;
7652 unsigned char debug;
7653+ int real_zend_extension_api_no;
7654 } zend_extension_version_info;
7655
7656
7657@@ -96,7 +100,7 @@
7658
7659
7660 #define ZEND_EXTENSION() \
7661- ZEND_EXT_API zend_extension_version_info extension_version_info = { ZEND_EXTENSION_API_NO, ZEND_VERSION, ZTS_V, ZEND_DEBUG }
7662+ ZEND_EXT_API zend_extension_version_info extension_version_info = { HARDENING_PATCH_ZEND_EXTENSION_API_NO, ZEND_VERSION, ZTS_V, ZEND_DEBUG, ZEND_EXTENSION_API_NO }
7663
7664 #define STANDARD_ZEND_EXTENSION_PROPERTIES NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, -1
7665 #define COMPAT_ZEND_EXTENSION_PROPERTIES NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, -1
7666diff -Nura php-4.4.2/Zend/zend_globals.h hardening-patch-4.4.2-0.4.10/Zend/zend_globals.h
7667--- php-4.4.2/Zend/zend_globals.h 2006-01-01 14:46:49.000000000 +0100
7668+++ hardening-patch-4.4.2-0.4.10/Zend/zend_globals.h 2006-05-11 10:36:02.000000000 +0200
7669@@ -163,6 +163,16 @@
7670
7671 int error_reporting;
7672 int orig_error_reporting;
7673+#if HARDENING_PATCH
7674+ int hphp_log_syslog;
7675+ int hphp_log_syslog_facility;
7676+ int hphp_log_syslog_priority;
7677+ int hphp_log_sapi;
7678+ int hphp_log_script;
7679+ char *hphp_log_scriptname;
7680+ zend_bool hphp_log_use_x_forwarded_for;
7681+ long hphp_executor_max_depth;
7682+#endif
7683 int exit_status;
7684
7685 zend_op_array *active_op_array;
7686@@ -176,6 +186,7 @@
7687 int ticks_count;
7688
7689 zend_bool in_execution;
7690+ zend_uint in_code_type;
7691 zend_bool bailout_set;
7692 zend_bool full_tables_cleanup;
7693
7694diff -Nura php-4.4.2/Zend/zend.h hardening-patch-4.4.2-0.4.10/Zend/zend.h
7695--- php-4.4.2/Zend/zend.h 2006-01-01 14:46:49.000000000 +0100
7696+++ hardening-patch-4.4.2-0.4.10/Zend/zend.h 2006-05-11 10:36:02.000000000 +0200
7697@@ -274,9 +274,10 @@
7698 struct _zval_struct {
7699 /* Variable information */
7700 zvalue_value value; /* value */
7701+ zend_uint refcount;
7702+ zend_ushort flags;
7703 zend_uchar type; /* active type */
7704 zend_uchar is_ref;
7705- zend_ushort refcount;
7706 };
7707
7708
7709@@ -337,6 +338,12 @@
7710 void (*ticks_function)(int ticks);
7711 void (*on_timeout)(int seconds TSRMLS_DC);
7712 zend_bool (*open_function)(const char *filename, struct _zend_file_handle *);
7713+#if HARDENING_PATCH
7714+ void (*security_log_function)(int loglevel, char *fmt, ...);
7715+#endif
7716+#if HARDENING_PATCH_INC_PROTECT
7717+ int (*is_valid_include)(zval *z);
7718+#endif
7719 } zend_utility_functions;
7720
7721
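Review bot: Both new variadic logging declarations — `security_log_function` at L7729 and `zend_security_log` at L7742 — take `char *fmt` and carry no format attribute, unlike `zend_error_cb` at L7739 which uses ZEND_ATTRIBUTE_PTR_FORMAT. Declaring them as `void (*zend_security_log)(int loglevel, const char *fmt, ...) ZEND_ATTRIBUTE_PTR_FORMAT(printf, 2, 3)` lets the compiler check every call site; the `%u`-with-`long` call at L7472 is exactly the kind of mismatch it would have caught.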
7722@@ -468,7 +475,16 @@
7723 extern ZEND_API void (*zend_ticks_function)(int ticks);
7724 extern ZEND_API void (*zend_error_cb)(int type, const char *error_filename, const uint error_lineno, const char *format, va_list args) ZEND_ATTRIBUTE_PTR_FORMAT(printf, 4, 0);
7725 extern void (*zend_on_timeout)(int seconds TSRMLS_DC);
7726+#if HARDENING_PATCH
7727+extern ZEND_API void (*zend_security_log)(int loglevel, char *fmt, ...);
7728+#endif
7729+#if HARDENING_PATCH_INC_PROTECT
7730+extern ZEND_API int (*zend_is_valid_include)(zval *z);
7731+#endif
7732
7733+#if HARDENING_PATCH_MM_PROTECT || HARDENING_PATCH_LL_PROTECT || HARDENING_PATCH_HASH_PROTECT
7734+ZEND_API unsigned int zend_canary(void);
7735+#endif
7736
7737 ZEND_API void zend_error(int type, const char *format, ...) ZEND_ATTRIBUTE_PTR_FORMAT(printf, 2, 3);
7738
7739@@ -575,6 +591,11 @@
7740
7741 #define ZEND_MAX_RESERVED_RESOURCES 4
7742
7743+#if HARDENING_PATCH
7744+#include "hardened_globals.h"
7745+#include "php_syslog.h"
7746+#endif
7747+
7748 #endif /* ZEND_H */
7749
7750 /*
7751diff -Nura php-4.4.2/Zend/zend_hash.c hardening-patch-4.4.2-0.4.10/Zend/zend_hash.c
7752--- php-4.4.2/Zend/zend_hash.c 2006-01-01 14:46:49.000000000 +0100
7753+++ hardening-patch-4.4.2-0.4.10/Zend/zend_hash.c 2006-05-11 10:36:02.000000000 +0200
7754@@ -26,6 +26,17 @@
7755 # include <stdlib.h>
7756 #endif
7757
7758+#if HARDENING_PATCH_HASH_PROTECT
7759+ unsigned int zend_hash_canary = 0x1234567;
7760+ zend_bool zend_hash_canary_inited = 0;
7761+#endif
7762+
7763+#define CHECK_HASH_CANARY(hash) \
7764+ if (zend_hash_canary != (hash)->canary) { \
7765+ zend_security_log(S_MEMORY, "Zend HashTable canary was overwritten"); \
7766+ exit(1); \
7767+ }
7768+
7769 #define HANDLE_NUMERIC(key, length, func) { \
7770 register char *tmp=key; \
7771 \
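Review bot: CHECK_HASH_CANARY at L7778–L7782 expands to a bare `if` statement, so `CHECK_HASH_CANARY(ht);` followed by an `else` would bind unexpectedly and the macro cannot be used safely in single-statement positions; wrap the body in `do { ... } while (0)`. The same applies to CHECK_LIST_CANARY and CHECK_LISTELEMENT_CANARY at L7992–L8003, which are additionally invoked without a trailing semicolon (for example L8036), so those call sites need a `;` once the macro becomes a statement. `exit(1)` in the failure branch terminates the whole process — in a threaded SAPI every in-flight request with it — which looks like intended fail-closed behaviour but deserves a one-line comment on the macro saying so.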
7772@@ -175,6 +186,9 @@
7773 {
7774 uint i = 3;
7775 Bucket **tmp;
7776+#if HARDENING_PATCH_HASH_PROTECT
7777+ TSRMLS_FETCH();
7778+#endif
7779
7780 SET_INCONSISTENT(HT_OK);
7781
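Review bot: The `TSRMLS_FETCH()` added at L7792 is not used by anything else the patch adds to zend_hash_init — the canary setup at L7802–L7806 only touches the global canary variables and calls `zend_canary()`, declared as a plain `void`-argument function at L7749. In a ZTS build that fetch is a `ts_resource_ex()` call on every hash-table initialisation for an unused local; drop it unless zend_canary() turns out to need tsrm_ls (confirm against its definition, which is not in this chunk).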
7782@@ -184,6 +198,13 @@
7783
7784 ht->nTableSize = 1 << i;
7785 ht->nTableMask = ht->nTableSize - 1;
7786+#if HARDENING_PATCH_HASH_PROTECT
7787+ if (zend_hash_canary_inited==0) {
7788+ zend_hash_canary = zend_canary();
7789+ zend_hash_canary_inited = 1;
7790+ }
7791+ ht->canary = zend_hash_canary;
7792+#endif
7793 ht->pDestructor = pDestructor;
7794 ht->pListHead = NULL;
7795 ht->pListTail = NULL;
7796@@ -259,6 +280,9 @@
7797 }
7798 #endif
7799 if (ht->pDestructor) {
7800+#if HARDENING_PATCH_HASH_PROTECT
7801+ CHECK_HASH_CANARY(ht);
7802+#endif
7803 ht->pDestructor(p->pData);
7804 }
7805 UPDATE_DATA(ht, p, pData, nDataSize);
7806@@ -327,6 +351,9 @@
7807 }
7808 #endif
7809 if (ht->pDestructor) {
7810+#if HARDENING_PATCH_HASH_PROTECT
7811+ CHECK_HASH_CANARY(ht);
7812+#endif
7813 ht->pDestructor(p->pData);
7814 }
7815 UPDATE_DATA(ht, p, pData, nDataSize);
7816@@ -402,6 +429,9 @@
7817 }
7818 #endif
7819 if (ht->pDestructor) {
7820+#if HARDENING_PATCH_HASH_PROTECT
7821+ CHECK_HASH_CANARY(ht);
7822+#endif
7823 ht->pDestructor(p->pData);
7824 }
7825 UPDATE_DATA(ht, p, pData, nDataSize);
7826@@ -450,7 +480,7 @@
7827 IS_CONSISTENT(ht);
7828
7829 if ((ht->nTableSize << 1) > 0) { /* Let's double the table size */
7830- t = (Bucket **) perealloc_recoverable(ht->arBuckets, (ht->nTableSize << 1) * sizeof(Bucket *), ht->persistent);
7831+ t = (Bucket **) perealloc(ht->arBuckets, (ht->nTableSize << 1) * sizeof(Bucket *), ht->persistent);
7832 if (t) {
7833 HANDLE_BLOCK_INTERRUPTIONS();
7834 ht->arBuckets = t;
7835@@ -460,6 +490,7 @@
7836 HANDLE_UNBLOCK_INTERRUPTIONS();
7837 return SUCCESS;
7838 }
7839+ zend_error(E_ERROR, "zend_hash_do_resize - out of memory");
7840 return FAILURE;
7841 }
7842 return SUCCESS;
7843@@ -491,15 +522,17 @@
7844 IS_CONSISTENT(ht);
7845
7846 if (flag == HASH_DEL_KEY) {
7847- HANDLE_NUMERIC(arKey, nKeyLength, zend_hash_del_key_or_index(ht, arKey, nKeyLength, idx, HASH_DEL_INDEX));
7848+ HANDLE_NUMERIC(arKey, nKeyLength, zend_hash_del_key_or_index(ht, NULL, 0, idx, HASH_DEL_INDEX));
7849 h = zend_inline_hash_func(arKey, nKeyLength);
7850 }
7851 nIndex = h & ht->nTableMask;
7852
7853 p = ht->arBuckets[nIndex];
7854 while (p != NULL) {
7855- if ((p->h == h) && ((p->nKeyLength == 0) || /* Numeric index */
7856- ((p->nKeyLength == nKeyLength) && (!memcmp(p->arKey, arKey, nKeyLength))))) {
7857+ if ((p->h == h)
7858+ && (p->nKeyLength == nKeyLength)
7859+ && ((p->nKeyLength == 0) /* Numeric index (short circuits the memcmp() check) */
7860+ || !memcmp(p->arKey, arKey, nKeyLength))) { /* String index */
7861 HANDLE_BLOCK_INTERRUPTIONS();
7862 if (p == ht->arBuckets[nIndex]) {
7863 ht->arBuckets[nIndex] = p->pNext;
7864@@ -524,6 +557,9 @@
7865 ht->pInternalPointer = p->pListNext;
7866 }
7867 if (ht->pDestructor) {
7868+#if HARDENING_PATCH_HASH_PROTECT
7869+ CHECK_HASH_CANARY(ht);
7870+#endif
7871 ht->pDestructor(p->pData);
7872 }
7873 if (!p->pDataPtr) {
7874@@ -553,6 +589,9 @@
7875 q = p;
7876 p = p->pListNext;
7877 if (ht->pDestructor) {
7878+#if HARDENING_PATCH_HASH_PROTECT
7879+ CHECK_HASH_CANARY(ht);
7880+#endif
7881 ht->pDestructor(q->pData);
7882 }
7883 if (!q->pDataPtr && q->pData) {
7884@@ -579,6 +618,9 @@
7885 q = p;
7886 p = p->pListNext;
7887 if (ht->pDestructor) {
7888+#if HARDENING_PATCH_HASH_PROTECT
7889+ CHECK_HASH_CANARY(ht);
7890+#endif
7891 ht->pDestructor(q->pData);
7892 }
7893 if (!q->pDataPtr && q->pData) {
7894@@ -608,6 +650,9 @@
7895 HANDLE_BLOCK_INTERRUPTIONS();
7896
7897 if (ht->pDestructor) {
7898+#if HARDENING_PATCH_HASH_PROTECT
7899+ CHECK_HASH_CANARY(ht);
7900+#endif
7901 ht->pDestructor(p->pData);
7902 }
7903 if (!p->pDataPtr) {
7904diff -Nura php-4.4.2/Zend/zend_hash.h hardening-patch-4.4.2-0.4.10/Zend/zend_hash.h
7905--- php-4.4.2/Zend/zend_hash.h 2006-01-01 14:46:49.000000000 +0100
7906+++ hardening-patch-4.4.2-0.4.10/Zend/zend_hash.h 2006-05-11 10:36:02.000000000 +0200
7907@@ -54,6 +54,9 @@
7908 } Bucket;
7909
7910 typedef struct _hashtable {
7911+#if HARDENING_PATCH_HASH_PROTECT
7912+ unsigned int canary;
7913+#endif
7914 uint nTableSize;
7915 uint nTableMask;
7916 uint nNumOfElements;
7917diff -Nura php-4.4.2/Zend/zend_ini.h hardening-patch-4.4.2-0.4.10/Zend/zend_ini.h
7918--- php-4.4.2/Zend/zend_ini.h 2005-01-09 18:00:16.000000000 +0100
7919+++ hardening-patch-4.4.2-0.4.10/Zend/zend_ini.h 2006-05-11 10:36:02.000000000 +0200
7920@@ -174,6 +174,7 @@
7921 /* Standard message handlers */
7922 BEGIN_EXTERN_C()
7923 ZEND_API ZEND_INI_MH(OnUpdateBool);
7924+#define OnUpdateLong OnUpdateInt
7925 ZEND_API ZEND_INI_MH(OnUpdateInt);
7926 ZEND_API ZEND_INI_MH(OnUpdateReal);
7927 ZEND_API ZEND_INI_MH(OnUpdateString);
7928diff -Nura php-4.4.2/Zend/zend_language_scanner.l hardening-patch-4.4.2-0.4.10/Zend/zend_language_scanner.l
7929--- php-4.4.2/Zend/zend_language_scanner.l 2006-01-01 14:46:49.000000000 +0100
7930+++ hardening-patch-4.4.2-0.4.10/Zend/zend_language_scanner.l 2006-05-11 10:36:02.000000000 +0200
7931@@ -393,6 +393,13 @@
7932 compilation_successful=0;
7933 } else {
7934 init_op_array(op_array, ZEND_USER_FUNCTION, INITIAL_OP_ARRAY_SIZE TSRMLS_CC);
7935+#if HARDENING_PATCH
7936+ if (EG(in_code_type)==ZEND_EVAL_CODE) {
7937+ op_array->created_by_eval = 1;
7938+ } else {
7939+ op_array->created_by_eval = 0;
7940+ }
7941+#endif
7942 CG(in_compilation) = 1;
7943 CG(active_op_array) = op_array;
7944 compiler_result = zendparse(TSRMLS_C);
7945diff -Nura php-4.4.2/Zend/zend_language_scanner.c hardening-patch-4.4.2-0.4.10/Zend/zend_language_scanner.c
7946--- php-4.4.2/Zend/zend_language_scanner.c 2006-01-12 19:24:28.000000000 +0100
7947+++ hardening-patch-4.4.2-0.4.10/Zend/zend_language_scanner.c 2006-05-11 10:36:02.000000000 +0200
7948@@ -3036,6 +3036,13 @@
7949 compilation_successful=0;
7950 } else {
7951 init_op_array(op_array, ZEND_USER_FUNCTION, INITIAL_OP_ARRAY_SIZE TSRMLS_CC);
7952+#if HARDENING_PATCH
7953+ if (EG(in_code_type)==ZEND_EVAL_CODE) {
7954+ op_array->created_by_eval = 1;
7955+ } else {
7956+ op_array->created_by_eval = 0;
7957+ }
7958+#endif
7959 CG(in_compilation) = 1;
7960 CG(active_op_array) = op_array;
7961 compiler_result = zendparse(TSRMLS_C);
7962diff -Nura php-4.4.2/Zend/zend_llist.c hardening-patch-4.4.2-0.4.10/Zend/zend_llist.c
7963--- php-4.4.2/Zend/zend_llist.c 2006-01-01 14:46:49.000000000 +0100
7964+++ hardening-patch-4.4.2-0.4.10/Zend/zend_llist.c 2006-05-11 10:36:02.000000000 +0200
7965@@ -21,9 +21,49 @@
7966 #include "zend.h"
7967 #include "zend_llist.h"
7968 #include "zend_qsort.h"
7969+#include "zend_globals.h"
7970+
7971+#if HARDENING_PATCH_LL_PROTECT
7972+ unsigned int zend_llist_canary_1 = 0x1234567;
7973+ unsigned int zend_llist_canary_2 = 0x1553425;
7974+ zend_bool zend_llist_canary_inited = 0;
7975+#endif
7976+
7977+#define CHECK_LIST_CANARY(list) \
7978+ if (((list)->persistent && (zend_llist_canary_1 != (list)->canary_h || zend_llist_canary_2 != (list)->canary_t)) \
7979+ ||(!(list)->persistent && (HG(canary_3) != (list)->canary_h || HG(canary_4) != (list)->canary_t))) { \
7980+ zend_security_log(S_MEMORY, "linked list canary was overwritten"); \
7981+ exit(1); \
7982+ }
7983+
7984+#define CHECK_LISTELEMENT_CANARY(elem, list) \
7985+ if (((list)->persistent && zend_llist_canary_1 != (elem)->canary)||(!(list)->persistent && HG(canary_3) != (elem)->canary)) { \
7986+ zend_security_log(S_MEMORY, "linked list element canary was overwritten"); \
7987+ exit(1); \
7988+ }
7989+
7990
7991 ZEND_API void zend_llist_init(zend_llist *l, size_t size, llist_dtor_func_t dtor, unsigned char persistent)
7992 {
7993+#if HARDENING_PATCH_LL_PROTECT
7994+ TSRMLS_FETCH();
7995+
7996+ if (persistent) {
7997+ if (!zend_llist_canary_inited) {
7998+ /* do not change order to ensure thread safety */
7999+ zend_llist_canary_1 = zend_canary();
8000+ zend_llist_canary_2 = zend_canary();
8001+ zend_llist_canary_inited = 1;
8002+ }
8003+ } else
8004+ if (!HG(ll_canary_inited)) {
8005+ HG(canary_3) = zend_canary();
8006+ HG(canary_4) = zend_canary();
8007+ HG(ll_canary_inited) = 1;
8008+ }
8009+ l->canary_h = persistent ? zend_llist_canary_1 : HG(canary_3);
8010+ l->canary_t = persistent ? zend_llist_canary_2 : HG(canary_4);
8011+#endif
8012 l->head = NULL;
8013 l->tail = NULL;
8014 l->count = 0;
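Review bot: The comment `/* do not change order to ensure thread safety */` at L8013 overstates what the code guarantees: two threads can both pass the `!zend_llist_canary_inited` test at L8012 before either sets the flag, each then calls `zend_canary()` twice, and a list stamped at L8024 with the first thread's value can later be checked against the second thread's value and fail CHECK_LIST_CANARY — which is an `exit(1)`, i.e. a self-inflicted outage rather than a detected overwrite. Initialise the persistent canaries once during engine startup, before worker threads exist, or under a lock, and reword the comment to state what the ordering actually protects. The `} else` / `if (...)` split across L8018–L8019 reads as an else-if and would be clearer written as one.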
8015@@ -37,6 +77,11 @@
8016 {
8017 zend_llist_element *tmp = pemalloc(sizeof(zend_llist_element)+l->size-1, l->persistent);
8018
8019+#if HARDENING_PATCH_LL_PROTECT
8020+ TSRMLS_FETCH();
8021+ CHECK_LIST_CANARY(l)
8022+ tmp->canary = l->persistent ? zend_llist_canary_1 : HG(canary_3);
8023+#endif
8024 tmp->prev = l->tail;
8025 tmp->next = NULL;
8026 if (l->tail) {
8027@@ -55,6 +100,11 @@
8028 {
8029 zend_llist_element *tmp = pemalloc(sizeof(zend_llist_element)+l->size-1, l->persistent);
8030
8031+#if HARDENING_PATCH_LL_PROTECT
8032+ TSRMLS_FETCH();
8033+ CHECK_LIST_CANARY(l)
8034+ tmp->canary = l->persistent ? zend_llist_canary_1 : HG(canary_3);
8035+#endif
8036 tmp->next = l->head;
8037 tmp->prev = NULL;
8038 if (l->head) {
8039@@ -91,10 +141,20 @@
8040 zend_llist_element *current=l->head;
8041 zend_llist_element *next;
8042
8043+#if HARDENING_PATCH_LL_PROTECT
8044+ TSRMLS_FETCH();
8045+ CHECK_LIST_CANARY(l)
8046+#endif
8047 while (current) {
8048+#if HARDENING_PATCH_LL_PROTECT
8049+ CHECK_LISTELEMENT_CANARY(current, l)
8050+#endif
8051 next = current->next;
8052 if (compare(current->data, element)) {
8053 DEL_LLIST_ELEMENT(current, l);
8054+#if HARDENING_PATCH_LL_PROTECT
8055+ current->canary = 0;
8056+#endif
8057 break;
8058 }
8059 current = next;
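Review bot: `current->canary = 0;` at L8070 runs after `DEL_LLIST_ELEMENT(current, l)` at L8068; if that macro releases the element (the upstream definition ends with a `pefree` of it, though the macro is not shown in this chunk), this is a write to freed memory, and the same pattern appears at L8137–L8140. Clearing the canary is useful, but it has to happen before the element is freed: move the assignment to just above the `DEL_LLIST_ELEMENT` line in both places.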
8060@@ -106,7 +166,14 @@
8061 {
8062 zend_llist_element *current=l->head, *next;
8063
8064+#if HARDENING_PATCH_LL_PROTECT
8065+ TSRMLS_FETCH();
8066+ CHECK_LIST_CANARY(l)
8067+#endif
8068 while (current) {
8069+#if HARDENING_PATCH_LL_PROTECT
8070+ CHECK_LISTELEMENT_CANARY(current, l)
8071+#endif
8072 next = current->next;
8073 if (l->dtor) {
8074 l->dtor(current->data);
8075@@ -131,7 +198,14 @@
8076 zend_llist_element *old_tail;
8077 void *data;
8078
8079+#if HARDENING_PATCH_LL_PROTECT
8080+ TSRMLS_FETCH();
8081+ CHECK_LIST_CANARY(l)
8082+#endif
8083 if ((old_tail = l->tail)) {
8084+#if HARDENING_PATCH_LL_PROTECT
8085+ CHECK_LISTELEMENT_CANARY(old_tail, l)
8086+#endif
8087 if (l->tail->prev) {
8088 l->tail->prev->next = NULL;
8089 }
8090@@ -157,9 +231,16 @@
8091 {
8092 zend_llist_element *ptr;
8093
8094+#if HARDENING_PATCH_LL_PROTECT
8095+ TSRMLS_FETCH();
8096+ CHECK_LIST_CANARY(src)
8097+#endif
8098 zend_llist_init(dst, src->size, src->dtor, src->persistent);
8099 ptr = src->head;
8100 while (ptr) {
8101+#if HARDENING_PATCH_LL_PROTECT
8102+ CHECK_LISTELEMENT_CANARY(ptr, src)
8103+#endif
8104 zend_llist_add_element(dst, ptr->data);
8105 ptr = ptr->next;
8106 }
8107@@ -170,11 +251,21 @@
8108 {
8109 zend_llist_element *element, *next;
8110
8111+#if HARDENING_PATCH_LL_PROTECT
8112+ TSRMLS_FETCH();
8113+ CHECK_LIST_CANARY(l)
8114+#endif
8115 element=l->head;
8116 while (element) {
8117+#if HARDENING_PATCH_LL_PROTECT
8118+ CHECK_LISTELEMENT_CANARY(element, l)
8119+#endif
8120 next = element->next;
8121 if (func(element->data)) {
8122 DEL_LLIST_ELEMENT(element, l);
8123+#if HARDENING_PATCH_LL_PROTECT
8124+ element->canary = 0;
8125+#endif
8126 }
8127 element = next;
8128 }
8129@@ -185,7 +276,13 @@
8130 {
8131 zend_llist_element *element;
8132
8133+#if HARDENING_PATCH_LL_PROTECT
8134+ CHECK_LIST_CANARY(l)
8135+#endif
8136 for (element=l->head; element; element=element->next) {
8137+#if HARDENING_PATCH_LL_PROTECT
8138+ CHECK_LISTELEMENT_CANARY(element, l)
8139+#endif
8140 func(element->data TSRMLS_CC);
8141 }
8142 }
8143@@ -197,6 +294,9 @@
8144 zend_llist_element **elements;
8145 zend_llist_element *element, **ptr;
8146
8147+#if HARDENING_PATCH_LL_PROTECT
8148+ CHECK_LIST_CANARY(l)
8149+#endif
8150 if (l->count <= 0) {
8151 return;
8152 }
8153@@ -206,6 +306,9 @@
8154 ptr = &elements[0];
8155
8156 for (element=l->head; element; element=element->next) {
8157+#if HARDENING_PATCH_LL_PROTECT
8158+ CHECK_LISTELEMENT_CANARY(element, l)
8159+#endif
8160 *ptr++ = element;
8161 }
8162
8163@@ -228,7 +331,13 @@
8164 {
8165 zend_llist_element *element;
8166
8167+#if HARDENING_PATCH_LL_PROTECT
8168+ CHECK_LIST_CANARY(l)
8169+#endif
8170 for (element=l->head; element; element=element->next) {
8171+#if HARDENING_PATCH_LL_PROTECT
8172+ CHECK_LISTELEMENT_CANARY(element, l)
8173+#endif
8174 func(element->data, arg TSRMLS_CC);
8175 }
8176 }
8177@@ -239,8 +348,14 @@
8178 zend_llist_element *element;
8179 va_list args;
8180
8181+#if HARDENING_PATCH_LL_PROTECT
8182+ CHECK_LIST_CANARY(l)
8183+#endif
8184 va_start(args, num_args);
8185 for (element=l->head; element; element=element->next) {
8186+#if HARDENING_PATCH_LL_PROTECT
8187+ CHECK_LISTELEMENT_CANARY(element, l)
8188+#endif
8189 func(element->data, num_args, args TSRMLS_CC);
8190 }
8191 va_end(args);
8192@@ -249,6 +364,10 @@
8193
8194 ZEND_API int zend_llist_count(zend_llist *l)
8195 {
8196+#if HARDENING_PATCH_LL_PROTECT
8197+ TSRMLS_FETCH();
8198+ CHECK_LIST_CANARY(l)
8199+#endif
8200 return l->count;
8201 }
8202
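Review bot: `zend_llist_count` was a single-load accessor, and with this hunk every call in a ZTS build pays a `TSRMLS_FETCH()` thread-local lookup before the canary check; the same pattern is added to zend_llist_get_first_ex, get_last_ex, get_next_ex and get_prev_ex in the four hunks that follow. If CHECK_LIST_CANARY needs tsrm_ls only on its failure path, the fetch could be moved into the macro's error branch so the non-failing path stays as cheap as before. The macro body is not visible here, so this is an assumption to confirm against its definition.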
8203@@ -256,8 +375,15 @@
8204 {
8205 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
8206
8207+#if HARDENING_PATCH_LL_PROTECT
8208+ TSRMLS_FETCH();
8209+ CHECK_LIST_CANARY(l)
8210+#endif
8211 *current = l->head;
8212 if (*current) {
8213+#if HARDENING_PATCH_LL_PROTECT
8214+ CHECK_LISTELEMENT_CANARY(*current, l)
8215+#endif
8216 return (*current)->data;
8217 } else {
8218 return NULL;
8219@@ -269,8 +395,15 @@
8220 {
8221 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
8222
8223+#if HARDENING_PATCH_LL_PROTECT
8224+ TSRMLS_FETCH();
8225+ CHECK_LIST_CANARY(l)
8226+#endif
8227 *current = l->tail;
8228 if (*current) {
8229+#if HARDENING_PATCH_LL_PROTECT
8230+ CHECK_LISTELEMENT_CANARY(*current, l)
8231+#endif
8232 return (*current)->data;
8233 } else {
8234 return NULL;
8235@@ -282,9 +415,19 @@
8236 {
8237 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
8238
8239+#if HARDENING_PATCH_LL_PROTECT
8240+ TSRMLS_FETCH();
8241+ CHECK_LIST_CANARY(l)
8242+#endif
8243 if (*current) {
8244+#if HARDENING_PATCH_LL_PROTECT
8245+ CHECK_LISTELEMENT_CANARY(*current, l)
8246+#endif
8247 *current = (*current)->next;
8248 if (*current) {
8249+#if HARDENING_PATCH_LL_PROTECT
8250+ CHECK_LISTELEMENT_CANARY(*current, l)
8251+#endif
8252 return (*current)->data;
8253 }
8254 }
8255@@ -296,9 +439,19 @@
8256 {
8257 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
8258
8259+#if HARDENING_PATCH_LL_PROTECT
8260+ TSRMLS_FETCH();
8261+ CHECK_LIST_CANARY(l)
8262+#endif
8263 if (*current) {
8264+#if HARDENING_PATCH_LL_PROTECT
8265+ CHECK_LISTELEMENT_CANARY(*current, l)
8266+#endif
8267 *current = (*current)->prev;
8268 if (*current) {
8269+#if HARDENING_PATCH_LL_PROTECT
8270+ CHECK_LISTELEMENT_CANARY(*current, l)
8271+#endif
8272 return (*current)->data;
8273 }
8274 }
8275diff -Nura php-4.4.2/Zend/zend_llist.h hardening-patch-4.4.2-0.4.10/Zend/zend_llist.h
8276--- php-4.4.2/Zend/zend_llist.h 2006-01-01 14:46:49.000000000 +0100
8277+++ hardening-patch-4.4.2-0.4.10/Zend/zend_llist.h 2006-05-11 10:36:02.000000000 +0200
8278@@ -24,6 +24,9 @@
8279 #include <stdlib.h>
8280
8281 typedef struct _zend_llist_element {
8282+#if HARDENING_PATCH_LL_PROTECT
8283+ unsigned int canary, padding;
8284+#endif
8285 struct _zend_llist_element *next;
8286 struct _zend_llist_element *prev;
8287 char data[1]; /* Needs to always be last in the struct */
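Review bot: The new `canary, padding` pair in zend_llist_element carries no comment, unlike `canary_h` and `canary_t` in the two hunks below. Since the pair sits in front of `next`/`prev`, the second word presumably exists to keep the pointers and the `data` offset 8-byte aligned on LP64 targets rather than relying on compiler-inserted padding — confirm; a comment such as `unsigned int canary, padding; /* canary must stay first; padding keeps next/prev/data aligned on 64-bit */` would record that. Because this grows every element and shifts `data`, any extension built against the unpatched layout is affected, which is presumably what the changed module API number in Zend/zend_modules.h is for.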
8288@@ -36,6 +39,9 @@
8289 typedef void (*llist_apply_func_t)(void * TSRMLS_DC);
8290
8291 typedef struct _zend_llist {
8292+#if HARDENING_PATCH_LL_PROTECT
8293+ unsigned int canary_h; /* head */
8294+#endif
8295 zend_llist_element *head;
8296 zend_llist_element *tail;
8297 size_t size;
8298@@ -43,6 +49,9 @@
8299 llist_dtor_func_t dtor;
8300 unsigned char persistent;
8301 zend_llist_element *traverse_ptr;
8302+#if HARDENING_PATCH_LL_PROTECT
8303+ unsigned int canary_t; /* tail */
8304+#endif
8305 } zend_llist;
8306
8307 typedef zend_llist_element* zend_llist_position;
8308diff -Nura php-4.4.2/Zend/zend_modules.h hardening-patch-4.4.2-0.4.10/Zend/zend_modules.h
8309--- php-4.4.2/Zend/zend_modules.h 2006-01-01 14:46:49.000000000 +0100
8310+++ hardening-patch-4.4.2-0.4.10/Zend/zend_modules.h 2006-05-11 10:36:02.000000000 +0200
8311@@ -34,6 +34,7 @@
8312 ZEND_API extern unsigned char second_arg_force_ref[];
8313 ZEND_API extern unsigned char third_arg_force_ref[];
8314
8315+#define HARDENING_PATCH_ZEND_MODULE_API_NO 1001051112
8316 #define ZEND_MODULE_API_NO 20020429
8317 #ifdef ZTS
8318 #define USING_ZTS 1
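Review bot: HARDENING_PATCH_ZEND_MODULE_API_NO is a single fixed constant, so a module built with HARDENING_PATCH_LL_PROTECT enabled carries the same API number as one built with it disabled, although zend_llist and zend_llist_element (Zend/zend_llist.h in this patch) change layout with that option; the load-time comparison that STANDARD_MODULE_HEADER in the next hunk feeds cannot catch that mismatch, assuming the loader compares this value (the comparison code is outside this view). Encoding the option in the header the way ZEND_DEBUG and USING_ZTS already are would close that gap. The literal 1001051112 also deserves a comment on its derivation, e.g. `/* deliberately != ZEND_MODULE_API_NO so extensions built against unpatched headers are refused */`.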
8319@@ -41,9 +42,9 @@
8320 #define USING_ZTS 0
8321 #endif
8322
8323-#define STANDARD_MODULE_HEADER sizeof(zend_module_entry), ZEND_MODULE_API_NO, ZEND_DEBUG, USING_ZTS
8324+#define STANDARD_MODULE_HEADER sizeof(zend_module_entry), HARDENING_PATCH_ZEND_MODULE_API_NO, ZEND_DEBUG, USING_ZTS
8325
8326-#define STANDARD_MODULE_PROPERTIES_EX 0, 0, 0, NULL, 0
8327+#define STANDARD_MODULE_PROPERTIES_EX 0, 0, 0, NULL, 0, ZEND_MODULE_API_NO
8328
8329 #define STANDARD_MODULE_PROPERTIES \
8330 NULL, NULL, STANDARD_MODULE_PROPERTIES_EX
8331@@ -75,6 +76,7 @@
8332 unsigned char type;
8333 void *handle;
8334 int module_number;
8335+ unsigned int real_zend_api;
8336 };
8337
8338
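Review bot: `real_zend_api` is appended as the last member of zend_module_entry and is populated by the trailing `ZEND_MODULE_API_NO` that the previous hunk adds to STANDARD_MODULE_PROPERTIES_EX, so its position is load-bearing but undocumented. A comment such as `unsigned int real_zend_api; /* ZEND_MODULE_API_NO the extension was compiled against; must remain last: filled positionally by STANDARD_MODULE_PROPERTIES_EX */` would record that. The enclosing struct begins outside this hunk.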
8339diff -Nura php-4.4.2/Zend/zend_opcode.c hardening-patch-4.4.2-0.4.10/Zend/zend_opcode.c
8340--- php-4.4.2/Zend/zend_opcode.c 2006-01-01 14:46:49.000000000 +0100
8341+++ hardening-patch-4.4.2-0.4.10/Zend/zend_opcode.c 2006-05-11 10:36:02.000000000 +0200
8342@@ -88,6 +88,9 @@
8343 op_array->done_pass_two = 0;
8344
8345 op_array->start_op = NULL;
8346+#if HARDENING_PATCH
8347+ op_array->created_by_eval = 0;
8348+#endif
8349
8350 zend_llist_apply_with_argument(&zend_extensions, (llist_apply_with_arg_func_t) zend_extension_op_array_ctor_handler, op_array TSRMLS_CC);
8351 }
8352diff -Nura php-4.4.2/Zend/zend_operators.c hardening-patch-4.4.2-0.4.10/Zend/zend_operators.c
8353--- php-4.4.2/Zend/zend_operators.c 2006-01-01 14:46:49.000000000 +0100
8354+++ hardening-patch-4.4.2-0.4.10/Zend/zend_operators.c 2006-05-11 10:36:02.000000000 +0200
8355@@ -1604,6 +1604,20 @@
8356 return (op->value.lval ? 1 : 0);
8357 }
8358
8359+ZEND_API char *zend_str_tolower_copy(char *dest, const char *source, unsigned int length)
8360+{
8361+ register unsigned char *str = (unsigned char*)source;
8362+ register unsigned char *result = (unsigned char*)dest;
8363+ register unsigned char *end = str + length;
8364+
8365+ while (str < end) {
8366+ *result++ = tolower((int)*str++);
8367+ }
8368+ *result = *end;
8369+
8370+ return dest;
8371+}
8372+
8373 ZEND_API void zend_str_tolower(char *str, unsigned int length)
8374 {
8375 register char *p=str, *end=p+length;
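Review bot: `*result = *end;` in the new zend_str_tolower_copy reads `source[length]`, one byte past the range the `length` argument describes, and copies whatever is there into `dest[length]`; the helper zend_str_tolower_dup in Zend/zend_operators.h allocates `length+1` bytes precisely so that a terminator fits, so the terminator should be written explicitly rather than copied from the input: `*result = '\0';`. With that change the function only reads `length` bytes of `source` and works on non-NUL-terminated slices too. Note also that `tolower()` is locale-dependent, so results differ under locales whose case rules diverge from ASCII; if this is used to fold identifiers, an ASCII-only fold would be more predictable.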
8376diff -Nura php-4.4.2/Zend/zend_operators.h hardening-patch-4.4.2-0.4.10/Zend/zend_operators.h
8377--- php-4.4.2/Zend/zend_operators.h 2006-01-01 14:46:49.000000000 +0100
8378+++ hardening-patch-4.4.2-0.4.10/Zend/zend_operators.h 2006-05-11 10:36:02.000000000 +0200
8379@@ -174,6 +174,14 @@
8380 #endif
8381
8382 ZEND_API void zend_str_tolower(char *str, unsigned int length);
8383+ZEND_API char *zend_str_tolower_copy(char *dest, const char *source, unsigned int length);
8384+
8385+static inline char *
8386+zend_str_tolower_dup(const char *source, unsigned int length)
8387+{
8388+ return zend_str_tolower_copy((char *)emalloc(length+1), source, length);
8389+}
8390+
8391 ZEND_API int zend_binary_zval_strcmp(zval *s1, zval *s2);
8392 ZEND_API int zend_binary_zval_strncmp(zval *s1, zval *s2, zval *s3);
8393 ZEND_API int zend_binary_zval_strcasecmp(zval *s1, zval *s2);
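Review bot: zend_str_tolower_dup returns a freshly emalloc'd buffer that the caller owns, but neither declaration says so; a comment on the inline such as `/* Returns a lower-cased, NUL-terminated copy of source[0..length) in a new emalloc'd buffer of length+1 bytes; caller must efree() it */` would make the ownership explicit. `emalloc(length+1)` with an `unsigned int length` also wraps to a zero-byte allocation when length is UINT_MAX, after which the copy writes `length` bytes into it; PHP 4 string lengths are `int`, so this is probably unreachable from script data, but a guard like `if (length == UINT_MAX) return NULL;` (with the callers checking) or a comment noting the assumption would document the bound.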