Diffstat (limited to '0.4.15/hardening-patch-4.4.3-0.4.15.patch')
-rw-r--r--0.4.15/hardening-patch-4.4.3-0.4.15.patch8957
1 files changed, 8957 insertions, 0 deletions
diff --git a/0.4.15/hardening-patch-4.4.3-0.4.15.patch b/0.4.15/hardening-patch-4.4.3-0.4.15.patch
new file mode 100644
index 0000000..017b2a0
--- /dev/null
+++ b/0.4.15/hardening-patch-4.4.3-0.4.15.patch
@@ -0,0 +1,8957 @@
1diff -Nura php-4.4.3/Changelog.hphp hardening-patch-4.4.3-0.4.15/Changelog.hphp
2--- php-4.4.3/Changelog.hphp 1970-01-01 01:00:00.000000000 +0100
3+++ hardening-patch-4.4.3-0.4.15/Changelog.hphp 2006-09-07 19:32:48.000000000 +0200
4@@ -0,0 +1,61 @@
5+Changelog of the Hardening-Patch
6+--------------------------------
7+
8+0.4.15 - 07. September 2006
9+
10+ PHP4:
11+ [+] Fix for potential DOS in handling of include blacklists
12+
13+ PHP4+5:
14+ [+] Backported a fix for open_basedir problems with insanse PHP scripts
15+ [+] Added a fix for ini_restore() PHP security vulnerability
16+
17+0.4.14 - 11. August 2006
18+
19+ PHP4:
20+ [+] Remove unecessary call to AC_BROKEN_REALPATH
21+
22+ PHP5:
23+ [+] Fix Remote URL Include Protection - Thanks to: Bart Vanbrabant
24+
25+ PHP4+5:
26+ [+] Added a few PHP security fixes / see changelog.secfix for details
27+ [+] Fixed the memory_limit protection for systems with different perdir memory_limits
28+ [+] Fixed a possible memory corruption when foreach() is used with wrong arguments
29+
30+0.4.13 - 07. August 2006
31+
32+ PHP4+5:
33+ [+] Added a fix for a compile problem on solaris due to missing strcasestr()
34+
35+0.4.12 - 19. July 2006
36+
37+ PHP4:
38+ [+] Added fixes from sf4 security patch / see changelog.secfix for details
39+
40+ PHP5:
41+ [+] Added fixes from sf5 security patch / see changelog.secfix for details
42+
43+ PHP4+5:
44+ [+] Added anti mail spam feature
45+ [+] Speedup of zend_hash canary (clear/destroy)
46+ [+] Added a fix for a DOS in the handling of URL blacklists
47+
48+0.4.11 - 13. May 2006
49+
50+ PHP5:
51+ [+] tsrm_virtual_cwd.c: close open_basedir, safe_mode hole introduced by realpath() cache
52+ [+] install-pear-nozlib.phar: bundle in full package download of 5.1.4
53+
54+ PHP4+5:
55+ [+] tsrm_virtual_cwd.c: realpath() hotfix to solve problems with non existing directories
56+
57+
58+0.4.10 - 11. May 2006
59+
60+ PHP4:
61+ [+] info.c: backport from 5.1.4 contained TSRMLS macro that had to be removed
62+
63+ PHP4+5:
64+ [+] fopen_wrappers.c: fix for a trailing slash problem with open_basedir
65+
66diff -Nura php-4.4.3/Changelog.secfix hardening-patch-4.4.3-0.4.15/Changelog.secfix
67--- php-4.4.3/Changelog.secfix 1970-01-01 01:00:00.000000000 +0100
68+++ hardening-patch-4.4.3-0.4.15/Changelog.secfix 2006-09-05 20:30:44.000000000 +0200
69@@ -0,0 +1,17 @@
70+Changelog of PHP 4.4.3 Security Fixes
71+
72+Release 2 - 11. August 2006
73+
74+ [+] Added IMAP open_basedir/safe_mode check
75+ [+] Added a upstream fix for previous ext/session fixes
76+ [+] Added upstream fix to ext/socket
77+ [+] Added sscanf() security fix
78+ [+] Added fixes for handling of corrupt .gif files to gdlib
79+
80+Release 1 - 4. August 2006
81+
82+ [+] Added a fix to disable CURLOPT_FOLLOWLOCATION while in safe_mode()/open_basedir
83+ [+] Added a *working* wordwrap() fix
84+ [+] Added code to make memory_limit work on 64bit systems
85+ [+] Added a fix for an integer overflow in str_repeat()
86+
87diff -Nura php-4.4.3/configure hardening-patch-4.4.3-0.4.15/configure
88--- php-4.4.3/configure 2006-08-01 09:39:10.000000000 +0200
89+++ hardening-patch-4.4.3-0.4.15/configure 2006-09-05 20:30:44.000000000 +0200
90@@ -402,6 +402,16 @@
91 ac_default_prefix=/usr/local
92 # Any additions from configure.in:
93 ac_help="$ac_help
94+ --disable-hardening-patch-mm-protect Disable the Memory Manager protection."
95+ac_help="$ac_help
96+ --disable-hardening-patch-ll-protect Disable the Linked List protection."
97+ac_help="$ac_help
98+ --disable-hardening-patch-inc-protect Disable include/require protection."
99+ac_help="$ac_help
100+ --disable-hardening-patch-fmt-protect Disable format string protection."
101+ac_help="$ac_help
102+ --disable-hardening-patch-hash-protect Disable Zend HashTable DTOR protection."
103+ac_help="$ac_help
104
105 SAPI modules:
106 "
107@@ -854,6 +864,8 @@
108 ac_help="$ac_help
109 --disable-tokenizer Disable tokenizer support"
110 ac_help="$ac_help
111+ --disable-varfilter Disable Hardening-Patch's variable filter"
112+ac_help="$ac_help
113 --enable-wddx Enable WDDX support."
114 ac_help="$ac_help
115 --disable-xml Disable XML support using bundled expat lib"
116@@ -2942,6 +2954,157 @@
117
118
119
120+# Check whether --enable-hardening-patch-mm-protect or --disable-hardening-patch-mm-protect was given.
121+if test "${enable_hardening_patch_mm_protect+set}" = set; then
122+ enableval="$enable_hardening_patch_mm_protect"
123+
124+ DO_HARDENING_PATCH_MM_PROTECT=$enableval
125+
126+else
127+
128+ DO_HARDENING_PATCH_MM_PROTECT=yes
129+
130+fi
131+
132+
133+# Check whether --enable-hardening-patch-ll-protect or --disable-hardening-patch-ll-protect was given.
134+if test "${enable_hardening_patch_ll_protect+set}" = set; then
135+ enableval="$enable_hardening_patch_ll_protect"
136+
137+ DO_HARDENING_PATCH_LL_PROTECT=$enableval
138+
139+else
140+
141+ DO_HARDENING_PATCH_LL_PROTECT=yes
142+
143+fi
144+
145+
146+# Check whether --enable-hardening-patch-inc-protect or --disable-hardening-patch-inc-protect was given.
147+if test "${enable_hardening_patch_inc_protect+set}" = set; then
148+ enableval="$enable_hardening_patch_inc_protect"
149+
150+ DO_HARDENING_PATCH_INC_PROTECT=$enableval
151+
152+else
153+
154+ DO_HARDENING_PATCH_INC_PROTECT=yes
155+
156+fi
157+
158+
159+# Check whether --enable-hardening-patch-fmt-protect or --disable-hardening-patch-fmt-protect was given.
160+if test "${enable_hardening_patch_fmt_protect+set}" = set; then
161+ enableval="$enable_hardening_patch_fmt_protect"
162+
163+ DO_HARDENING_PATCH_FMT_PROTECT=$enableval
164+
165+else
166+
167+ DO_HARDENING_PATCH_FMT_PROTECT=yes
168+
169+fi
170+
171+
172+# Check whether --enable-hardening-patch-hash-protect or --disable-hardening-patch-hash-protect was given.
173+if test "${enable_hardening_patch_hash_protect+set}" = set; then
174+ enableval="$enable_hardening_patch_hash_protect"
175+
176+ DO_HARDENING_PATCH_HASH_PROTECT=$enableval
177+
178+else
179+
180+ DO_HARDENING_PATCH_HASH_PROTECT=yes
181+
182+fi
183+
184+
185+echo $ac_n "checking whether to protect the Zend Memory Manager""... $ac_c" 1>&6
186+echo "configure:2725: checking whether to protect the Zend Memory Manager" >&5
187+echo "$ac_t""$DO_HARDENING_PATCH_MM_PROTECT" 1>&6
188+
189+echo $ac_n "checking whether to protect the Zend Linked Lists""... $ac_c" 1>&6
190+echo "configure:2729: checking whether to protect the Zend Linked Lists" >&5
191+echo "$ac_t""$DO_HARDENING_PATCH_LL_PROTECT" 1>&6
192+
193+echo $ac_n "checking whether to protect include/require statements""... $ac_c" 1>&6
194+echo "configure:2733: checking whether to protect include/require statements" >&5
195+echo "$ac_t""$DO_HARDENING_PATCH_INC_PROTECT" 1>&6
196+
197+echo $ac_n "checking whether to protect PHP Format String functions""... $ac_c" 1>&6
198+echo "configure:2737: checking whether to protect PHP Format String functions" >&5
199+echo "$ac_t""$DO_HARDENING_PATCH_FMT_PROTECT" 1>&6
200+
201+echo $ac_n "checking whether to protect the Zend HashTable Destructors""... $ac_c" 1>&6
202+echo "configure:2737: checking whether to protect the Zend HashTable Destructors" >&5
203+echo "$ac_t""$DO_HARDENING_PATCH_HASH_PROTECT" 1>&6
204+
205+
206+cat >> confdefs.h <<\EOF
207+#define HARDENING_PATCH 1
208+EOF
209+
210+
211+
212+if test "$DO_HARDENING_PATCH_MM_PROTECT" = "yes"; then
213+ cat >> confdefs.h <<\EOF
214+#define HARDENING_PATCH_MM_PROTECT 1
215+EOF
216+
217+else
218+ cat >> confdefs.h <<\EOF
219+#define HARDENING_PATCH_MM_PROTECT 0
220+EOF
221+
222+fi
223+
224+if test "$DO_HARDENING_PATCH_LL_PROTECT" = "yes"; then
225+ cat >> confdefs.h <<\EOF
226+#define HARDENING_PATCH_LL_PROTECT 1
227+EOF
228+
229+else
230+ cat >> confdefs.h <<\EOF
231+#define HARDENING_PATCH_LL_PROTECT 0
232+EOF
233+
234+fi
235+
236+if test "$DO_HARDENING_PATCH_INC_PROTECT" = "yes"; then
237+ cat >> confdefs.h <<\EOF
238+#define HARDENING_PATCH_INC_PROTECT 1
239+EOF
240+
241+else
242+ cat >> confdefs.h <<\EOF
243+#define HARDENING_PATCH_INC_PROTECT 0
244+EOF
245+
246+fi
247+
248+if test "$DO_HARDENING_PATCH_FMT_PROTECT" = "yes"; then
249+ cat >> confdefs.h <<\EOF
250+#define HARDENING_PATCH_FMT_PROTECT 1
251+EOF
252+
253+else
254+ cat >> confdefs.h <<\EOF
255+#define HARDENING_PATCH_FMT_PROTECT 0
256+EOF
257+
258+fi
259+
260+if test "$DO_HARDENING_PATCH_HASH_PROTECT" = "yes"; then
261+ cat >> confdefs.h <<\EOF
262+#define HARDENING_PATCH_HASH_PROTECT 1
263+EOF
264+
265+else
266+ cat >> confdefs.h <<\EOF
267+#define HARDENING_PATCH_HASH_PROTECT 0
268+EOF
269+
270+fi
271
272
273
274@@ -16017,6 +16180,62 @@
275 fi
276
277
278+ echo $ac_n "checking whether realpath is broken""... $ac_c" 1>&6
279+echo "configure:14928: checking whether realpath is broken" >&5
280+if eval "test \"`echo '$''{'ac_cv_broken_realpath'+set}'`\" = set"; then
281+ echo $ac_n "(cached) $ac_c" 1>&6
282+else
283+
284+ if test "$cross_compiling" = yes; then
285+
286+ ac_cv_broken_realpath=no
287+
288+else
289+ cat > conftest.$ac_ext <<EOF
290+#line 14939 "configure"
291+#include "confdefs.h"
292+
293+main() {
294+ char buf[4096+1];
295+ buf[0] = 0;
296+ realpath("/etc/hosts/../passwd", buf);
297+ exit(strcmp(buf, "/etc/passwd")==0);
298+}
299+
300+EOF
301+if { (eval echo configure:14958: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
302+then
303+
304+ ac_cv_broken_realpath=no
305+
306+else
307+ echo "configure: failed program was:" >&5
308+ cat conftest.$ac_ext >&5
309+ rm -fr conftest*
310+
311+ ac_cv_broken_realpath=yes
312+
313+fi
314+rm -fr conftest*
315+fi
316+
317+
318+fi
319+
320+echo "$ac_t""$ac_cv_broken_realpath" 1>&6
321+ if test "$ac_cv_broken_realpath" = "yes"; then
322+ cat >> confdefs.h <<\EOF
323+#define PHP_BROKEN_REALPATH 1
324+EOF
325+
326+ else
327+ cat >> confdefs.h <<\EOF
328+#define PHP_BROKEN_REALPATH 0
329+EOF
330+
331+ fi
332+
333+
334 echo $ac_n "checking for declared timezone""... $ac_c" 1>&6
335 echo "configure:16022: checking for declared timezone" >&5
336 if eval "test \"`echo '$''{'ac_cv_declared_timezone'+set}'`\" = set"; then
337@@ -86718,7 +86937,7 @@
338 if test "$ac_cv_crypt_blowfish" = "yes"; then
339 ac_result=1
340 else
341- ac_result=0
342+ ac_result=1
343 fi
344 cat >> confdefs.h <<EOF
345 #define PHP_BLOWFISH_CRYPT $ac_result
346@@ -87420,7 +87639,7 @@
347 url_scanner.c var.c versioning.c assert.c strnatcmp.c levenshtein.c \
348 incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
349 http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
350- var_unserializer.c ftok.c aggregation.c sha1.c ; do
351+ var_unserializer.c ftok.c aggregation.c sha1.c sha256.c crypt_blowfish.c ; do
352
353 IFS=.
354 set $ac_src
355@@ -87475,7 +87694,7 @@
356 url_scanner.c var.c versioning.c assert.c strnatcmp.c levenshtein.c \
357 incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
358 http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
359- var_unserializer.c ftok.c aggregation.c sha1.c ; do
360+ var_unserializer.c ftok.c aggregation.c sha1.c sha256.c crypt_blowfish.c ; do
361
362 IFS=.
363 set $ac_src
364@@ -87601,7 +87820,7 @@
365 url_scanner.c var.c versioning.c assert.c strnatcmp.c levenshtein.c \
366 incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
367 http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
368- var_unserializer.c ftok.c aggregation.c sha1.c ; do
369+ var_unserializer.c ftok.c aggregation.c sha1.c sha256.c crypt_blowfish.c ; do
370
371 IFS=.
372 set $ac_src
373@@ -87653,7 +87872,7 @@
374 url_scanner.c var.c versioning.c assert.c strnatcmp.c levenshtein.c \
375 incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
376 http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
377- var_unserializer.c ftok.c aggregation.c sha1.c ; do
378+ var_unserializer.c ftok.c aggregation.c sha1.c sha256.c crypt_blowfish.c ; do
379
380 IFS=.
381 set $ac_src
382@@ -91124,6 +91343,265 @@
383 fi
384
385
386+echo $ac_n "checking whether to enable Hardening-Patch's variable filter""... $ac_c" 1>&6
387+echo "configure:82041: checking whether to enable Hardening-Patch's variable filter" >&5
388+# Check whether --enable-varfilter or --disable-varfilter was given.
389+if test "${enable_varfilter+set}" = set; then
390+ enableval="$enable_varfilter"
391+ PHP_VARFILTER=$enableval
392+else
393+
394+ PHP_VARFILTER=yes
395+
396+ if test "$PHP_ENABLE_ALL" && test "yes" = "yes"; then
397+ PHP_VARFILTER=$PHP_ENABLE_ALL
398+ fi
399+
400+fi
401+
402+
403+
404+ext_output="yes, shared"
405+ext_shared=yes
406+case $PHP_VARFILTER in
407+shared,*)
408+ PHP_VARFILTER=`echo "$PHP_VARFILTER"|sed 's/^shared,//'`
409+ ;;
410+shared)
411+ PHP_VARFILTER=yes
412+ ;;
413+no)
414+ ext_output=no
415+ ext_shared=no
416+ ;;
417+*)
418+ ext_output=yes
419+ ext_shared=no
420+ ;;
421+esac
422+
423+
424+
425+echo "$ac_t""$ext_output" 1>&6
426+
427+
428+
429+
430+if test "$PHP_VARFILTER" != "no"; then
431+ cat >> confdefs.h <<\EOF
432+#define HAVE_VARFILTER 1
433+EOF
434+
435+
436+ ext_builddir=ext/varfilter
437+ ext_srcdir=$abs_srcdir/ext/varfilter
438+
439+ ac_extra=
440+
441+ if test "$ext_shared" != "shared" && test "$ext_shared" != "yes" && test "" != "cli"; then
442+
443+
444+
445+ case ext/varfilter in
446+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
447+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
448+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
449+ esac
450+
451+
452+
453+ b_c_pre=$php_c_pre
454+ b_cxx_pre=$php_cxx_pre
455+ b_c_meta=$php_c_meta
456+ b_cxx_meta=$php_cxx_meta
457+ b_c_post=$php_c_post
458+ b_cxx_post=$php_cxx_post
459+ b_lo=$php_lo
460+
461+
462+ old_IFS=$IFS
463+ for ac_src in varfilter.c; do
464+
465+ IFS=.
466+ set $ac_src
467+ ac_obj=$1
468+ IFS=$old_IFS
469+
470+ PHP_GLOBAL_OBJS="$PHP_GLOBAL_OBJS $ac_bdir$ac_obj.lo"
471+
472+ case $ac_src in
473+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
474+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
475+ esac
476+
477+ cat >>Makefile.objects<<EOF
478+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
479+ $ac_comp
480+EOF
481+ done
482+
483+
484+ EXT_STATIC="$EXT_STATIC varfilter"
485+ if test "$ext_shared" != "nocli"; then
486+ EXT_CLI_STATIC="$EXT_CLI_STATIC varfilter"
487+ fi
488+ else
489+ if test "$ext_shared" = "shared" || test "$ext_shared" = "yes"; then
490+
491+ case ext/varfilter in
492+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
493+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
494+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
495+ esac
496+
497+
498+
499+ b_c_pre=$shared_c_pre
500+ b_cxx_pre=$shared_cxx_pre
501+ b_c_meta=$shared_c_meta
502+ b_cxx_meta=$shared_cxx_meta
503+ b_c_post=$shared_c_post
504+ b_cxx_post=$shared_cxx_post
505+ b_lo=$shared_lo
506+
507+
508+ old_IFS=$IFS
509+ for ac_src in varfilter.c; do
510+
511+ IFS=.
512+ set $ac_src
513+ ac_obj=$1
514+ IFS=$old_IFS
515+
516+ shared_objects_varfilter="$shared_objects_varfilter $ac_bdir$ac_obj.lo"
517+
518+ case $ac_src in
519+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
520+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
521+ esac
522+
523+ cat >>Makefile.objects<<EOF
524+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
525+ $ac_comp
526+EOF
527+ done
528+
529+
530+ install_modules="install-modules"
531+ PHP_MODULES="$PHP_MODULES \$(phplibdir)/varfilter.la"
532+
533+ PHP_VAR_SUBST="$PHP_VAR_SUBST shared_objects_varfilter"
534+
535+ cat >>Makefile.objects<<EOF
536+\$(phplibdir)/varfilter.la: $ext_builddir/varfilter.la
537+ \$(LIBTOOL) --mode=install cp $ext_builddir/varfilter.la \$(phplibdir)
538+
539+$ext_builddir/varfilter.la: \$(shared_objects_varfilter) \$(VARFILTER_SHARED_DEPENDENCIES)
540+ \$(LIBTOOL) --mode=link \$(CC) \$(COMMON_FLAGS) \$(CFLAGS_CLEAN) \$(EXTRA_CFLAGS) \$(LDFLAGS) -o \$@ -export-dynamic -avoid-version -prefer-pic -module -rpath \$(phplibdir) \$(EXTRA_LDFLAGS) \$(shared_objects_varfilter) \$(VARFILTER_SHARED_LIBADD)
541+
542+EOF
543+
544+ cat >> confdefs.h <<EOF
545+#define COMPILE_DL_VARFILTER 1
546+EOF
547+
548+ fi
549+ fi
550+
551+ if test "$ext_shared" != "shared" && test "$ext_shared" != "yes" && test "" = "cli"; then
552+ if test "$PHP_SAPI" = "cgi"; then
553+
554+
555+ case ext/varfilter in
556+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
557+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
558+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
559+ esac
560+
561+
562+
563+ b_c_pre=$php_c_pre
564+ b_cxx_pre=$php_cxx_pre
565+ b_c_meta=$php_c_meta
566+ b_cxx_meta=$php_cxx_meta
567+ b_c_post=$php_c_post
568+ b_cxx_post=$php_cxx_post
569+ b_lo=$php_lo
570+
571+
572+ old_IFS=$IFS
573+ for ac_src in varfilter.c; do
574+
575+ IFS=.
576+ set $ac_src
577+ ac_obj=$1
578+ IFS=$old_IFS
579+
580+ PHP_GLOBAL_OBJS="$PHP_GLOBAL_OBJS $ac_bdir$ac_obj.lo"
581+
582+ case $ac_src in
583+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
584+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
585+ esac
586+
587+ cat >>Makefile.objects<<EOF
588+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
589+ $ac_comp
590+EOF
591+ done
592+
593+
594+ EXT_STATIC="$EXT_STATIC varfilter"
595+ else
596+
597+
598+ case ext/varfilter in
599+ "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
600+ /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
601+ *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
602+ esac
603+
604+
605+
606+ b_c_pre=$php_c_pre
607+ b_cxx_pre=$php_cxx_pre
608+ b_c_meta=$php_c_meta
609+ b_cxx_meta=$php_cxx_meta
610+ b_c_post=$php_c_post
611+ b_cxx_post=$php_cxx_post
612+ b_lo=$php_lo
613+
614+
615+ old_IFS=$IFS
616+ for ac_src in varfilter.c; do
617+
618+ IFS=.
619+ set $ac_src
620+ ac_obj=$1
621+ IFS=$old_IFS
622+
623+ PHP_CLI_OBJS="$PHP_CLI_OBJS $ac_bdir$ac_obj.lo"
624+
625+ case $ac_src in
626+ *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
627+ *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
628+ esac
629+
630+ cat >>Makefile.objects<<EOF
631+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
632+ $ac_comp
633+EOF
634+ done
635+
636+
637+ fi
638+ EXT_CLI_STATIC="$EXT_CLI_STATIC varfilter"
639+ fi
640+
641+ BUILD_DIR="$BUILD_DIR $ext_builddir"
642+
643+
644+fi
645
646
647 echo $ac_n "checking whether to enable WDDX support""... $ac_c" 1>&6
648@@ -104088,7 +104566,7 @@
649 php_ini.c SAPI.c rfc1867.c php_content_types.c strlcpy.c \
650 strlcat.c mergesort.c reentrancy.c php_variables.c php_ticks.c \
651 streams.c network.c php_open_temporary_file.c php_logos.c \
652- output.c memory_streams.c user_streams.c; do
653+ output.c memory_streams.c user_streams.c hardening_patch.c; do
654
655 IFS=.
656 set $ac_src
657@@ -104273,7 +104751,7 @@
658 zend_opcode.c zend_operators.c zend_ptr_stack.c zend_stack.c \
659 zend_variables.c zend.c zend_API.c zend_extensions.c zend_hash.c \
660 zend_list.c zend_indent.c zend_builtin_functions.c zend_sprintf.c \
661- zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c; do
662+ zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c zend_canary.c; do
663
664 IFS=.
665 set $ac_src
666diff -Nura php-4.4.3/configure.in hardening-patch-4.4.3-0.4.15/configure.in
667--- php-4.4.3/configure.in 2006-07-31 17:04:53.000000000 +0200
668+++ hardening-patch-4.4.3-0.4.15/configure.in 2006-09-05 20:30:44.000000000 +0200
669@@ -247,7 +247,7 @@
670 sinclude(Zend/acinclude.m4)
671 sinclude(Zend/Zend.m4)
672 sinclude(TSRM/tsrm.m4)
673-
674+sinclude(main/hardening_patch.m4)
675
676
677 divert(2)
678@@ -621,6 +621,7 @@
679 AC_FUNC_ALLOCA
680 dnl PHP_AC_BROKEN_SPRINTF
681 dnl PHP_AC_BROKEN_SNPRINTF
682+dnl PHP_AC_BROKEN_REALPATH
683 PHP_DECLARED_TIMEZONE
684 PHP_TIME_R_TYPE
685 PHP_READDIR_R_TYPE
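Review bot: `dnl PHP_AC_BROKEN_REALPATH` comments the macro out here, yet the generated configure carried in this same patch (its hunk at @@ -16017) still contains the realpath probe and writes `#define PHP_BROKEN_REALPATH` into confdefs.h, so anyone who re-runs buildconf gets a configure without that define. Either drop the probe from configure as well (the 0.4.14 changelog entry calls the check unnecessary) or keep the macro invocation, but the two files should agree. If PHP_BROKEN_REALPATH is consumed elsewhere in the tree — not visible here — a regenerated build would silently lose it.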
686@@ -1260,7 +1261,7 @@
687 php_ini.c SAPI.c rfc1867.c php_content_types.c strlcpy.c \
688 strlcat.c mergesort.c reentrancy.c php_variables.c php_ticks.c \
689 streams.c network.c php_open_temporary_file.c php_logos.c \
690- output.c memory_streams.c user_streams.c)
691+ output.c memory_streams.c user_streams.c hardening_patch.c)
692 PHP_ADD_SOURCES(/main, internal_functions.c,, sapi)
693 case $host_alias in
694 *netware*)
695@@ -1281,7 +1282,7 @@
696 zend_opcode.c zend_operators.c zend_ptr_stack.c zend_stack.c \
697 zend_variables.c zend.c zend_API.c zend_extensions.c zend_hash.c \
698 zend_list.c zend_indent.c zend_builtin_functions.c zend_sprintf.c \
699- zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c)
700+ zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c zend_canary.c )
701
702 if test -r "$abs_srcdir/Zend/zend_objects.c"; then
703 PHP_ADD_SOURCES(Zend, zend_objects.c zend_object_handlers.c zend_objects_API.c zend_mm.c)
704diff -Nura php-4.4.3/ext/curl/curl.c hardening-patch-4.4.3-0.4.15/ext/curl/curl.c
705--- php-4.4.3/ext/curl/curl.c 2006-05-21 20:48:50.000000000 +0200
706+++ hardening-patch-4.4.3-0.4.15/ext/curl/curl.c 2006-09-05 20:30:44.000000000 +0200
707@@ -924,7 +924,6 @@
708 case CURLOPT_FTPLISTONLY:
709 case CURLOPT_FTPAPPEND:
710 case CURLOPT_NETRC:
711- case CURLOPT_FOLLOWLOCATION:
712 case CURLOPT_PUT:
713 #if CURLOPT_MUTE != 0
714 case CURLOPT_MUTE:
715@@ -961,6 +960,16 @@
716 convert_to_long_ex(zvalue);
717 error = curl_easy_setopt(ch->cp, option, Z_LVAL_PP(zvalue));
718 break;
719+ case CURLOPT_FOLLOWLOCATION:
720+ convert_to_long_ex(zvalue);
721+ if ((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) {
722+ if (Z_LVAL_PP(zvalue) != 0) {
723+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "CURLOPT_FOLLOWLOCATION cannot be activated when in safe_mode or an open_basedir is set");
724+ RETURN_FALSE;
725+ }
726+ }
727+ error = curl_easy_setopt(ch->cp, option, Z_LVAL_PP(zvalue));
728+ break;
729 case CURLOPT_URL:
730 case CURLOPT_PROXY:
731 case CURLOPT_USERPWD:
732diff -Nura php-4.4.3/ext/curl/curlstreams.c hardening-patch-4.4.3-0.4.15/ext/curl/curlstreams.c
733--- php-4.4.3/ext/curl/curlstreams.c 2006-01-01 14:46:50.000000000 +0100
734+++ hardening-patch-4.4.3-0.4.15/ext/curl/curlstreams.c 2006-09-05 20:30:44.000000000 +0200
735@@ -297,7 +297,11 @@
736 curl_easy_setopt(curlstream->curl, CURLOPT_WRITEHEADER, stream);
737
738 /* currently buggy (bug is in curl) */
739- curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1);
740+ if ((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) {
741+ curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 0);
742+ } else {
743+ curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1);
744+ }
745
746 curl_easy_setopt(curlstream->curl, CURLOPT_ERRORBUFFER, curlstream->errstr);
747 curl_easy_setopt(curlstream->curl, CURLOPT_VERBOSE, 0);
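Review bot: The retained comment `/* currently buggy (bug is in curl) */` now sits above the new safe_mode/open_basedir branch and no longer explains it; replace it with something like `/* a followed redirect is not subject to the safe_mode/open_basedir checks applied to the original URL, so do not follow when either is active */` (the motivation is inferred from the matching warning text in curl.c's CURLOPT_FOLLOWLOCATION case). Unlike that curl.c case, which warns and returns false, this hunk downgrades silently: the caller gets a stream that simply stops at the first redirect with nothing logged, which is hard to diagnose; consider emitting a notice or at least stating the behaviour in the comment. The enclosing function starts and ends outside the hunk.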
748diff -Nura php-4.4.3/ext/fbsql/php_fbsql.c hardening-patch-4.4.3-0.4.15/ext/fbsql/php_fbsql.c
749--- php-4.4.3/ext/fbsql/php_fbsql.c 2006-01-01 14:46:52.000000000 +0100
750+++ hardening-patch-4.4.3-0.4.15/ext/fbsql/php_fbsql.c 2006-09-05 20:30:44.000000000 +0200
751@@ -1797,8 +1797,24 @@
752 }
753 else if (fbcmdErrorsFound(md))
754 {
755+#if HARDENING_PATCH
756+ char* query_copy;
757+ int i;
758+#endif
759 FBCErrorMetaData* emd = fbcdcErrorMetaData(c, md);
760 char* emg = fbcemdAllErrorMessages(emd);
761+#if HARDENING_PATCH
762+ query_copy=estrdup(query_copy);
763+ for (i=0; query_copy[i]; i++) if (query_copy[i]<32) query_copy[i]='.';
764+ php_security_log(S_SQL, "fbsql error: %s - query: %s", emg, query_copy);
765+ efree(query_copy);
766+ if (HG(hphp_sql_bailout_on_error)) {
767+ free(emg);
768+ fbcemdRelease(emd);
769+ result = 0;
770+ zend_bailout();
771+ }
772+#endif
773 if (FB_SQL_G(generateWarnings))
774 {
775 if (emg)
776diff -Nura php-4.4.3/ext/gd/libgd/gd_gif_in.c hardening-patch-4.4.3-0.4.15/ext/gd/libgd/gd_gif_in.c
777--- php-4.4.3/ext/gd/libgd/gd_gif_in.c 2006-05-08 16:04:39.000000000 +0200
778+++ hardening-patch-4.4.3-0.4.15/ext/gd/libgd/gd_gif_in.c 2006-09-05 20:30:44.000000000 +0200
779@@ -216,6 +216,12 @@
780 if (!im) {
781 return 0;
782 }
783+
784+ if (!im->colorsTotal) {
785+ gdImageDestroy(im);
786+ return 0;
787+ }
788+
789 /* Check for open colors at the end, so
790 we can reduce colorsTotal and ultimately
791 BitsPerPixel */
792@@ -506,6 +512,19 @@
793 int v;
794 int xpos = 0, ypos = 0, pass = 0;
795 int i;
796+
797+ /*
798+ ** Initialize the Compression routines
799+ */
800+ if (! ReadOK(fd,&c,1)) {
801+ return;
802+ }
803+
804+ if (c > MAX_LWZ_BITS) {
805+ return;
806+ }
807+
808+
809 /* Stash the color map into the image */
810 for (i=0; (i<gdMaxColors); i++) {
811 im->red[i] = cmap[CM_RED][i];
812@@ -515,12 +534,7 @@
813 }
814 /* Many (perhaps most) of these colors will remain marked open. */
815 im->colorsTotal = gdMaxColors;
816- /*
817- ** Initialize the Compression routines
818- */
819- if (! ReadOK(fd,&c,1)) {
820- return;
821- }
822+
823 if (LWZReadByte(fd, TRUE, c) < 0) {
824 return;
825 }
826diff -Nura php-4.4.3/ext/gd/tests/bug38112.gif hardening-patch-4.4.3-0.4.15/ext/gd/tests/bug38112.gif
827--- php-4.4.3/ext/gd/tests/bug38112.gif 1970-01-01 01:00:00.000000000 +0100
828+++ hardening-patch-4.4.3-0.4.15/ext/gd/tests/bug38112.gif 2006-09-05 20:30:44.000000000 +0200
829@@ -0,0 +1,140 @@
830+GIF89a‚
831+ CEcKMk‡‹¸SUmŽ‘µ˜š¶hiu€"A3}‚±“˜Å;<E¤¥® &RF!(Z17bCF[JMc‡‹«KM] 4!&FŸ¤Â„†“xz…®°¼]i¥ˆ–Ü_fŠBEU©°ÑRUeVW\ôõú$,L;Ce6=\17R=C[8=S{~‹FGKæçë 69Fs '@$+EMUtW`FLc©×ovŽ )MTkEK^.r=,4K=CTU]sw]am139•¤ÔÙ踻ÄÐÑÔ4'5Y,3ELSdEKZ'K  $86B^3;M&*3U\l?Mh\dtÁÆÐ]_c:X)ESl«½ß·ÆàÇÑã %3KEKU<CMLS]hp|=K^%3E-;L7GZ3ARpx‚ESbN[jT\e„Œ• ‘–›Ýâçfhjêíð×ÚÝMZf>KV6=C%=O*>N.BR,:EKbp6JVq·Õ~«¹–š›ïóô(Òæ ‡““#%%@CC†ŠŠ’––öûûúþþóööòúøvzv’–’˜šþþúXVHtsm›š•nmi–•‘bR.æâÚ•ƒf¤ž•‹yd<4,„y»µ¯ÇÅÃ{zy2'sfZž’‡ÞÓÊ®¦ XTQc]Z}mg&{vu•Šˆ‹††þúúuttþþþúúú–––†††ÿÿÿ!ÿ NETSCAPE2.0
832+ CEcKMk‡‹¸SUmŽ‘µ˜š¶hiu€"A3}‚±“˜Å;<E¤¥® &RF!(Z17bCF[JMc‡‹«KM] 4!&FŸ¤Â„†“xz…®°¼]i¥ˆ–Ü_fŠBEU©°ÑRUeVW\ôõú$,L;Ce6=\17R=C[8=S{~‹FGKæçë 69Fs '@$+EMUtW`FLc©×ovŽ )MTkEK^.r=,4K=CTU]sw]am139•¤ÔÙ踻ÄÐÑÔ4'5Y,3ELSdEKZ'K  $86B^3;M&*3U\l?Mh\dtÁÆÐ]_c:X)ESl«½ß·ÆàÇÑã %3KEKU<CMLS]hp|=K^%3E-;L7GZ3ARpx‚ESbN[jT\e„Œ• ‘–›Ýâçfhjêíð×ÚÝMZf>KV6=C%=O*>N.BR,:EKbp6JVq·Õ~«¹–š›ïóô(Òæ ‡““#%%@CC†ŠŠ’––öûûúþþóööòúøvzv’–’˜šþþúXVHtsm›š•nmi–•‘bR.æâÚ•ƒf¤ž•‹yd<4,„y»µ¯ÇÅÃ{zy2'sfZž’‡ÞÓÊ®¦ XTQc]Z}mg&{vu•Šˆ‹††þúúuttþþþúúú–––†††ÿÿÿÿŒ©ËÍû¡‰qÝ]ïès¿†âH6Uà¡É~ý¡–»ÿðîF7•úÎ÷JšèýÒØ»Ì|[¿Ärú¦Ôê¢ÚüE–wЫÿ*4;çïW(´ÆºjÎ
833+“¬ùÈ–Ö¨ƒ_Ë×ÎxëÖšhyvVyë”xc-%Ba­â×kç(¨XÉÆö˜FÆ(½­äìÉÙyèvÛâä¹ï™‹ aÝë¸Ï‘@‰æHÛÙœøZk«¨hÚŠ'ÝMªåé °Í)Zùk[ùÖÒâ0K¡«ëÑÝíŒÂ\Gø%êÔy,l [6%F¼Ðà2Å >Ǿ…“UIŸ?6N¨ƒòîÀ>MÿhîØº…CŒ¥J„
834+ÔJªmÚ¶iI’eÊ‘%~­!T‰"2¶ZU
835+禅^Ú@ë¥â¢-ÌBAYÊV©Y›Ü0âÅKTÊFÏX¹Ls†‘…)râ§R+0l-¹BãV%’âUråÜ Jmy@ƒÌÒ-QYÅàŦ©mŒµ¼œ1%ΤO¥jvr3hm!1`0WêD©ÜJµj­%‚ÐTÚð¨o4­½QéÉ™%)0 *â‚Æ‹%LüÔTt9s­WKäÈ™#‡‰˜D›(QšÑ§ÓÜ_•NG‘ƒ¡PHx#{
836+1ŒHe{™¥„"Ë¥Z\¾UúÓ+M²fÑÿü#HP„B„
837+ª¨BÇ}ð1wV¡$øã.è˜[zsüÕJ'²Ì
838+@pÅ&±$² €èx …ø±Ùd¸Æ\ݵ@HÜy§øD5æýéC…ÜòŠ*sY‚¨„²Ž:æøÎ
839+ÿ a‡u¢c%l‰!F!¢Z­ŽÅЪrÎ9BýÜÉž<L0 $odˆëX¬âF!| A%tt°À<ÞHƒ‹Ì
840+!ž‰ñE³ÿÀÒG}A‡³pký)ŠlˆˆÄžzZÉYân,A~ûð*Ÿ·nYÂÇ( ׌Çƨ‡*°Ð1‡&rÈéÆ\gûÅ…¬bÉ*¡T²S%Ð~Z‰P©•Ë}ÇDÐÃhðÀk´;`»¯ôñB½¡õA¯kF.g- ¿²G!¯X‚íõ–à`‰ D¯›ÈD+Öô8P¸A\Üã˜À0
841+";_Þõ†BÈÄeIƒ-œàµ‚ŠZ8A6 ÀMgv
842+eÂ!È0/Jÿðál¡!@štÏuìAø€ÐCj< ˆ Ð
843+ñ`G¥*
844+’p"T–Ufö ·%¯ÿ–o,Ù
845+¤:>=#^db¥Î ˆ©"V¼xq?eê·+ï¶“NC¯H€KØ
846+Üôl"ö°?¬a ‚@A°€…OK*æ¸G:ôÁˆK!œÆŽÍÆŠ'‹8HøB‹]íÀ×)¶ÆžD´?
847+.h¼$"y>¸9 E§û·«.cMÂü«[F/×W ÷b×®WƤmÀ3Æ3ž5 üP»sžsPé(ßÄ TH©;áîcœ©æÞyQr Ä'`1dS(m({fýÏýr¢K MeÆ„Èí éD°šê <¸b÷|lÀ]½ xOzÒséÅÐUHmŒÿü—¼äˆÈ~Éû0K—t›
848+-pwn¾§I4öU u##fàl@¤ ³À
849+K×oa×oͲ¦—ØGù—W±ç0ÕqHG Å H`w•^™·€Dcç5
850+hF_Ec2wƒK"Rà‰ÀƒÙg ìæ\oÇ— yÀ“}MV®°
851+t@ˆ D°‹€2€h`Hÿoñ¦l_bÜ€öð ð}@šb10…±0 Ã`ˆˆH |^]µCZ¶ `¸S“Ø 
852+ƒ ò%  P,’Òl Œ 8 ¿Ôœ€
853+¤@
854+qG
855+Ñ@|0 #]}P‹·˜‹»ç|s[\ø‹f‰a¨!pŇ€TAœ T@œPZ°àW˜ƒÉf{¤Gˆ` ° 
856+ˆ 
857
858+ÚÀ‹>à:ý ”¿× s¿%’Åx ‚ø0Ùÿç”' …3cSyˆp•'™
859+évYÐÖaéoð78”ý yšd”0’LÙá zäû·B-I qàz=C™
860+)0‰3ÆÀf\ÙªÀ„@–çâ@Œé˜½™ À–¸"o9 з l臙
861+) „'þô:©IÔ
862+œ`TNyS°x™£
863+W)<bŸÿšã—<ƒET0P­ÇX$_|ЈààÙ1â©‘©I2g> e
864+£=ß5
865+¨ç"¨8kC©¢¨fʨ1àf 9, zð©NZ!¤jBó©XD¬¦UQZ&ÀžÚ¤nx1o0^j'«jpþ”
866+™@«°P„.`“jF`©+`®æÚz=sªëZ¡JÊ|ëê|ð¬v‚
867+±ë*póz›Ðº;à;0  ´øÿÊ=þÙ
868+é!Ç ! 9­7‡0E@,P [+¶æJ40®&0±& ¶+
869+¶_ë¸çÊ& ¹I¨³ p»»rÛx
870+ä«3ðÀzP @Š0o°оî;º÷¿wµd° ° !`»*0˜€¸:³{«·Z³’ê³F°³¿Q¾z€ÃLÁ
871+.° 4`»û¿E
872+8\üÀE€¤ ¼oÀ?¼ÁBÜÁøêÁ‰ƒåS
873+ €E æë
874+wÀÇxÐ ¶pˆ
875+Šà
876+®@ ‡Œà8<9ŒÃzpÆ<Ü
877+æ Á@Ìn< Ó
878+3œ ¹&àcP
879+®PÈ´À®°ÈŒ Ë
880+²¼Ê
881+QÐ ~” ¬˜
882+32#Èæ%Þë°
883+cࡤ
884+àû³\0À- ½€¦ ß¡]ß=žðÜPÿ à)€Î^àúàÝÍÆ¶=â-.á»».À ]x 
885+¦Pöpõ Ôù€ƒ(à©@å¤Pu
886+‡çèÿ0ïÀlï êxþ@í@
887+X úmâ©
888+^ÛÄqP鸪Epák
889+æÐŒŸ†à g’)€ :
890+McŒó5Ÿ aŸ ΀ l0xð á>ÿ ?æÙ ôOVG¿ñ¨ c<^°>ðN` ›-@ð `_¢R
891+UiðDìbübŸ
892+¢° Њ¼Ðùáðö¡/÷\múbô’ T ÷]0#UÐ(aÉ0
893+¨Ì
894+„Ä$RD ÷"µäH«;˜ÏÐlºéª³Ž‡Ì8×
895+<Š‹-dC!¯½âsˆ½ á† œQ3.‘?Èœ!…‰Zq.3è¤0£FërÈñHøé¦AÂfŽ™á ¹à"Ã5òj·ø°@>>Ȩ§NÜBÅ!sñ7þ›Q@ ¼î,~ÀG o‚cÈC\pá‡CŠÀð†'¬ £/ÁÛ%_"¤RLDñvDBÎK7
896+7ÞŠ‚ã·S°m#ƒH¸ªÂOIü˜CŒ]y¥‘º3ÌØåRcor†KXO„$ÕškD¼ó +zk#øäË€œ.ÎÉ‚"´ 7×]ÿ{tL)þ[ÐG-Š…w -8E¨^ÆÛ‚‹t@!½0Ò#Å‘¬d ùȉ#a"!"‰$¨ðC7ÐÒéþ …ÁŒ5îB f†¤—…N’ uÔ&P~¢ 4 ex|ñ%”ÃÚ+ÖƒNEì[¨"WŽ[(–øçéhAL‹væè9T0‚…»‹¸°¼§ŸPaÏG#,?·ÿ~¹ r&ƒ,Ra$\2Ñ™ç
897+özs-Sêq™Øb!äÐ… ½–IÒÃ,?±Ã[:¢Cóæ.½`nÀ¡ˆ`à æ@ b@Ϙ¡Àž6JiJyÎ38¡€Äº7XæÍØt¤ \‘KÿS â´†+ÈЇKðA›PEäp”P,s{¾ñ =³eO|^¨š°¼¦"²i†;¸BÂJ#A9˜}TchXÄ1q‰x€ŠD$þ‚JŠno{§ˆDðé‚K\ÂI2BQõ 
898+?”Bf -,6?”VS§‘@/B…5ü=V@Ãor
899+¸œŽu™m€D ö0 %^‚ vsžáÏ;DˆRjºa k ±ª¸F/vŠS´>Ü“/XÁŒ5?M+ èH#lá¨pHá
900+Hhî¤wu 3;X+
901+,%+
902+ðR‚  ë…#ôà |Ä»ÂRRK-,¤Ê.@8’Ks7HPp hœÚLÀ/C ;ñ|SÏ,Á  \¢J†Î@©Ö^Ô0‚ =QCÇ&³5/1V„vD @
903+ã„âÏ=Ð0ó=ßÄãŽG¸‘¿~Â˳‚ÿ"J±d¸[
904+Ä¥'Là¬O~:唑 eðBiˆA,Ε¾?¸aK€a
905+Ø=4—XY6“1ž’£¤†½yŠ&,á oHT™
906+ÒÀÕ®.pã“?§yÐg¨ñ‡cÆ,n
907+@LbÁPÜ+™À„‹2aÿU<²@Λál•«Íxé:ÖA
908+@
909+Y”L-¢0m–ÀsrÓ&ò
910+bôÜàg?Ó(Žº;ãîæ0‡ žñ n$êR§z6ärzË"1\ßA&ЃL×¼ | ²ÀÍÎGd¨¼¼P8ñ
911+ív¼°2ôe¦Æ%¢ ~Ñu€À+seÍÖ„|Xaô
912+W
913+0ΧA§çwe|wˆ<DŠø\‡Ö Éÿr”±†?ø€à+pWƒdN?V‡‡8yX|£Sp—TIç€*Pâà Q–wÒÇwÂxÊ0xóVÅ pQ ¼àƒ„n
914+h`EË`•ˆ„|%|5Bpx8eÀfÊH^åÏè„ 
915+ËU
916+`PÔ Ù
917+`u§ÕðX¡‡w
918+ ºð™´š<ðM•Q©—øéÝÅŸÔY[Ö‰i°
919+ð›@
920+ë` $
921+„Pʉ òJ¯nà>Š#‰Rª¥zªcPýj?ƒZ“ ` ZúVÿàp×i
922+ã0˳œ´û°Žœ›w7 ¿û ñ³ÁEÀÇ]Êx•»“VP&œÊfÌÊa
923+0 t̆ý°Z¡¢@1]‰Œˆ ÀÕé„Óó[Ñ}K} †ü@½
924+€iìÑný¸Â`Š*¬'ÝÀË` (gñeWÝf`ˆ’0ØÉëÎûÖËŒº@Ïgí
925+« ù€uWÙáê͘ˆ‘Ê ÓP˜,œx-
926+Æ€Æ
927+$p
928+o FO°4±
929+´ üÝß­°4Èà³qÝ©­ÕÚíÅݽ¼‰­µã-4åMè00¹p
930+,Ðk¯á¯à ©p
931+žà ‚ð© ¡
932
933+ÿÝ
934+
935+0 Ïð ¥€xÁ´ Í °PJÃðNH*ÿPÙt qÑ
936+ðèÈ0Ý€æj>Ø\ÍÚ­ u çóÜî
937+Ž@ ˜à劮 ŒÞ_Œ^ 6Ž]i~ÝžÌÇò;¿`œŽÑíp Î,
938+R° j° Ÿð Ýþ ›0^¬ð h€4ƒ
939+y°
940+ÉÀ@
941+›ÿþïÄÐþn%°ÙÀ ÉÀé˜ ÿ훀Rð H°š@8¥°¿À L
942
943+%PÊð ‹ðí[° k ¿„ã
944+BLÀ±ŒÐS? ^xø¡!
945+dPžã_]é0ÏïO%Udð£ƒöõpÉp
946+j°ñP€ú‹P&¬à÷ À y 
947+QßËàYˆï…¼ 
948+L0аõ¿ßõx]- _•ÏQd =½ºŸÊÀ
949+!
950+ÆJ.«3rÏ Tɲ̘4É F'OŸH Fl”©S¨¾y¸ä@¹`ÁÒ­ShŒ,W¸,¹‚õDYDB¨`9úIÓ4F§Z™8[vÿìK)WÖi³ïÌIaŠ C„pbâÅ‘2mçî[ÔÇYÆÙ›g«7¿’±1& yȸúE6TPcÅ´bÝ)öíñ1*I^ÜŠ\îžù;°ðž´Œÿp˜kÚ ç›z³ ÎéFœgÌyXt t
951+fˆ¢ 5>á‚ÄqÆa|ùe‹ @B
952+)Ö¸cšK\øc pÅÚj=øE 9¬(b‡–øšiÕá|õGtcU×)=m8c‡æYc†ºÈÁ>ù¤?ذd
953+$\>¸PKr€eP& 4¬5ºWLÐ!v(ûÿ`êx?0®6Wä‘ë,¹À=Qfˆy
954+¡wB
955+ÉaŠM61 $¶¢`.ÑÃŽH`©¥äH烌 øØàv
956+‰›L~£8 >ÊfÅ?å¸#  …ÆúÁ{8hD#ì€d|ˆ„%"Á¹;Xâ‚C«B0~€ üÀŠ Ä…1*Ül,…5깊ð‡ÆP†ºà_løYX¡yà¡rÀ*pÂz™à'ö
957+X„@&°¢mÈXà0€v·»—èŒ`”à ‡gFâÜIrŠ;FÀ‡#$ày<D›çº
958+T¸Cô0ËYfA‰—° ¼0rV¼Á¾ €H²%{¹ä%u2Æ2r2@ºø$‘lèøÿc6àár ²ÁY[ˆB8ù$tátl¤+h ^úò—?ø@"ª ©!™5²nbR„LÂЙơ†,t1 P& ³°&6 X6Ü´,õ*À°ðEç|1T¡DHEúƒAØ€VøCãpI}ꓟ/DÆ?*P†#®8®¹… œ­{DÄ"!ÁH¸"ÞóžÁŠŽöa"…jIÝ …?Hm~`Ô'o&ÁÏHÈô?(ÜaSœêÔ<5ìÇ<â€
959+YX…$ʺâ q%ú
960+¯ ;9"
961+¨@E;÷_Àâ´˜pB.œ0d"¿!Š ÿoë°RÂÆOÀ¨Ânß+â+†¦ÁM1¡\sœk¨k˜*ÑGظsÈ®‡€‰7äâ oÄœðf2 9¥öÜA–ŒÏ/è¹
962+6xo9¨\墘ر(Vñ#¬Ðå€ÆÕ b=`!-sý` X$x͹h D½9¿ v–í’óü…<ÇaU€„B
963+^DÍ=>-.à
964+Qz K(ëä=/y°UHÐñ“MÚZ(†>^ŠÛÁ‚<hó€c`|3o®!nP ˜Û 6.p®jÿà \bÐöb„8Wãfy¶Dñ^sÆÐhIJÚm/Ë» š®+¦À,WN·¹Ï8Áî O| ŠøCJ=×!wVðB+€‚¡Š#ÅЇN±Æ­ ý~YÓ9°Ä¦-`4+QÆ›†ö€á–{‚êVwÃËcŽLÐ|/äEÏsñãWèZ°G  o)Tw‰t¤Âì°Òž¹\Ø´iN;7¸ánèDßÝ`†%$¼èE/ͱ /¸w
965+H }[Á)œBÍbƒê«>"ò¿G0*tÀP„‡CE°§8hƒQ¨9xÿZ(Z¨µ#
966+~H†[ÀYК¢2xÂÓØ`P?À;
967+ÂP…eZ£…V
968+‰XQP… ²ƒŽŒ‚Þ³‚*HJdÊ?!¨´r(†‰¤ÉÈ©qãDŠ˜² ø ¥ˆeü‰8\…n
969+
970\ Kein Zeilenumbruch am Dateiende.
971diff -Nura php-4.4.3/ext/gd/tests/bug38112.phpt hardening-patch-4.4.3-0.4.15/ext/gd/tests/bug38112.phpt
972--- php-4.4.3/ext/gd/tests/bug38112.phpt 1970-01-01 01:00:00.000000000 +0100
973+++ hardening-patch-4.4.3-0.4.15/ext/gd/tests/bug38112.phpt 2006-09-05 20:30:44.000000000 +0200
974@@ -0,0 +1,17 @@
975+--TEST--
976+Bug #38112 (GIF Invalid Code size ).
977+--SKIPIF--
978+<?php
979+ if (!extension_loaded('gd')) {
980+ die("skip gd extension not available\n");
981+ }
982+ if (!GD_BUNDLED) {
983+ die('skip external GD libraries may fail');
984+ }
985+?>
986+--FILE--
987+<?php
988+$im = imagecreatefromgif(dirname(__FILE__) . '/bug38112.gif');
989+?>
990+--EXPECTF--
991+Warning: imagecreatefromgif() [%s]: '%sbug38112.gif' is not a valid GIF file in %sbug38112.php on line %d
992diff -Nura php-4.4.3/ext/imap/php_imap.c hardening-patch-4.4.3-0.4.15/ext/imap/php_imap.c
993--- php-4.4.3/ext/imap/php_imap.c 2006-01-05 01:50:19.000000000 +0100
994+++ hardening-patch-4.4.3-0.4.15/ext/imap/php_imap.c 2006-09-05 20:30:44.000000000 +0200
995@@ -26,7 +26,7 @@
996 | PHP 4.0 updates: Zeev Suraski <zeev@zend.com> |
997 +----------------------------------------------------------------------+
998 */
999-/* $Id: php_imap.c,v 1.142.2.44.2.4 2006/01/05 00:50:19 iliaa Exp $ */
1000+/* $Id: php_imap.c,v 1.142.2.44.2.5 2006/08/04 20:32:44 iliaa Exp $ */
1001
1002 #define IMAP41
1003
1004@@ -731,6 +731,13 @@
1005 efree(IMAPG(imap_password));
1006 }
1007
1008+ /* local filename, need to perform open_basedir and safe_mode checks */
1009+ if (Z_STRVAL_PP(mailbox)[0] != '{' &&
1010+ (php_check_open_basedir(Z_STRVAL_PP(mailbox) TSRMLS_CC) ||
1011+ (PG(safe_mode) && !php_checkuid(Z_STRVAL_PP(mailbox), NULL, CHECKUID_CHECK_FILE_AND_DIR)))) {
1012+ RETURN_FALSE;
1013+ }
1014+
1015 IMAPG(imap_user) = estrndup(Z_STRVAL_PP(user), Z_STRLEN_PP(user));
1016 IMAPG(imap_password) = estrndup(Z_STRVAL_PP(passwd), Z_STRLEN_PP(passwd));
1017
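Review bot: The early `RETURN_FALSE` added here sits after the `efree(IMAPG(imap_password))` visible at the top of the hunk and before the `estrndup()` assignments below it, so if the frees just above do not also reset the globals to NULL (their condition is outside the hunk), a rejected local mailbox leaves IMAPG(imap_user) and IMAPG(imap_password) dangling for the next imap_open() call or for module shutdown. Moving the open_basedir/safe_mode check above the free block, or clearing both globals before returning (`IMAPG(imap_user) = IMAPG(imap_password) = NULL;`), closes that window. The enclosing function starts outside the hunk.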
1018diff -Nura php-4.4.3/ext/mbstring/mbstring.c hardening-patch-4.4.3-0.4.15/ext/mbstring/mbstring.c
1019--- php-4.4.3/ext/mbstring/mbstring.c 2006-04-03 15:04:13.000000000 +0200
1020+++ hardening-patch-4.4.3-0.4.15/ext/mbstring/mbstring.c 2006-09-05 20:30:44.000000000 +0200
1021@@ -1500,6 +1500,7 @@
1022 char *strtok_buf = NULL, **val_list;
1023 zval *array_ptr = (zval *) arg;
1024 int n, num, val_len, *len_list;
1025+ unsigned int new_val_len;
1026 enum mbfl_no_encoding from_encoding;
1027 mbfl_string string, resvar, resval;
1028 mbfl_encoding_detector *identd = NULL;
1029@@ -1622,8 +1623,14 @@
1030 val_len = len_list[n];
1031 }
1032 n++;
1033- /* add variable to symbol table */
1034- php_register_variable_safe(var, val, val_len, array_ptr TSRMLS_CC);
1035+ /* we need val to be emalloc()ed */
1036+ val = estrndup(val, val_len);
1037+ if (sapi_module.input_filter(info->data_type, var, &val, val_len, &new_val_len TSRMLS_CC)) {
1038+ /* add variable to symbol table */
1039+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
1040+ }
1041+ efree(val);
1042+
1043 if (convd != NULL){
1044 mbfl_string_clear(&resvar);
1045 mbfl_string_clear(&resval);
1046diff -Nura php-4.4.3/ext/mysql/php_mysql.c hardening-patch-4.4.3-0.4.15/ext/mysql/php_mysql.c
1047--- php-4.4.3/ext/mysql/php_mysql.c 2006-01-01 14:46:55.000000000 +0100
1048+++ hardening-patch-4.4.3-0.4.15/ext/mysql/php_mysql.c 2006-09-05 20:30:44.000000000 +0200
1049@@ -1218,6 +1218,8 @@
1050 {
1051 php_mysql_conn *mysql;
1052 MYSQL_RES *mysql_result;
1053+ char *copy_query;
1054+ int i;
1055
1056 ZEND_FETCH_RESOURCE2(mysql, php_mysql_conn *, mysql_link, link_id, "MySQL-Link", le_link, le_plink);
1057
1058@@ -1268,6 +1270,13 @@
1059 php_error_docref("http://www.mysql.com/doc" TSRMLS_CC, E_WARNING, "%s", mysql_error(&mysql->conn));
1060 }
1061 }
1062+ copy_query = estrdup(Z_STRVAL_PP(query));
1063+ for (i=0; copy_query[i]; i++) if (copy_query[i] < 32) copy_query[i]='.';
1064+ php_security_log(S_SQL, "MySQL error: %s - query: %s", mysql_error(&mysql->conn), copy_query);
1065+ efree(copy_query);
1066+ if (HG(hphp_sql_bailout_on_error)) {
1067+ zend_bailout();
1068+ }
1069 RETURN_FALSE;
1070 }
1071 #else
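Review bot: Only the copied query is scrubbed of control characters before `php_security_log()`; the `mysql_error()` string is logged as-is, and server error messages commonly echo a fragment of the offending statement, so a query carrying a newline can still split one log entry into several through that argument. The same holds for the second copy of this block in the hunk at @@ -1275 and for `msgbuf` in the pgsql.c hunk. Note also that `copy_query[i] < 32` on a platform with signed `char` replaces every byte >= 0x80 as well and never touches 0x7F; `(unsigned char)copy_query[i] < 32 || copy_query[i] == 127` states the intent. Since the scrub/log/bailout sequence now appears three times, a small static helper taking the error message and the query would keep the three in step. Full statements written to the log may also carry credentials or personal data embedded in SQL literals, which deserves a comment next to the log call.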
1072@@ -1275,12 +1284,20 @@
1073 /* check possible error */
1074 if (MySG(trace_mode)){
1075 if (mysql_errno(&mysql->conn)){
1076- php_error_docref("http://www.mysql.com/doc" TSRMLS_CC, E_WARNING, mysql_error(&mysql->conn));
1077+ php_error_docref("http://www.mysql.com/doc" TSRMLS_CC, E_WARNING, "%s", mysql_error(&mysql->conn));
1078 }
1079 }
1080+ copy_query = estrdup(Z_STRVAL_PP(query));
1081+ for (i=0; copy_query[i]; i++) if (copy_query[i] < 32) copy_query[i]='.';
1082+ php_security_log(S_SQL, "MySQL error: %s - query: %s", mysql_error(&mysql->conn), copy_query);
1083+ efree(copy_query);
1084+ if (HG(hphp_sql_bailout_on_error)) {
1085+ zend_bailout();
1086+ }
1087 RETURN_FALSE;
1088 }
1089 #endif
1090+
1091 if(use_store == MYSQL_USE_RESULT) {
1092 mysql_result=mysql_use_result(&mysql->conn);
1093 } else {
1094diff -Nura php-4.4.3/ext/pgsql/pgsql.c hardening-patch-4.4.3-0.4.15/ext/pgsql/pgsql.c
1095--- php-4.4.3/ext/pgsql/pgsql.c 2006-01-01 14:46:56.000000000 +0100
1096+++ hardening-patch-4.4.3-0.4.15/ext/pgsql/pgsql.c 2006-09-05 20:30:44.000000000 +0200
1097@@ -1001,10 +1001,28 @@
1098 case PGRES_EMPTY_QUERY:
1099 case PGRES_BAD_RESPONSE:
1100 case PGRES_NONFATAL_ERROR:
1101- case PGRES_FATAL_ERROR:
1102- PHP_PQ_ERROR("Query failed: %s", pgsql);
1103- PQclear(pgsql_result);
1104- RETURN_FALSE;
1105+ case PGRES_FATAL_ERROR:
1106+ {
1107+#if HARDENING_PATCH
1108+ int i;
1109+ char *query_copy;
1110+#endif
1111+ char *msgbuf = _php_pgsql_trim_message(PQerrorMessage(pgsql), NULL);
1112+ PQclear(pgsql_result);
1113+#if HARDENING_PATCH
1114+ query_copy = estrdup(Z_STRVAL_PP(query));
1115+ for (i=0; query_copy[i]; i++) if (query_copy[i]<32) query_copy[i]='.';
1116+ php_security_log(S_SQL, "PgSQL error: %s - query: %s", msgbuf, query_copy);
1117+ efree(query_copy);
1118+ if (HG(hphp_sql_bailout_on_error)) {
1119+ efree(msgbuf);
1120+ zend_bailout();
1121+ }
1122+#endif
1123+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Query failed: %s", msgbuf);
1124+ efree(msgbuf);
1125+ RETURN_FALSE;
1126+ }
1127 break;
1128 case PGRES_COMMAND_OK: /* successful command that did not return rows */
1129 default:
1130diff -Nura php-4.4.3/ext/session/mod_files.c hardening-patch-4.4.3-0.4.15/ext/session/mod_files.c
1131--- php-4.4.3/ext/session/mod_files.c 2006-04-18 01:29:37.000000000 +0200
1132+++ hardening-patch-4.4.3-0.4.15/ext/session/mod_files.c 2006-09-05 20:30:44.000000000 +0200
1133@@ -16,7 +16,7 @@
1134 +----------------------------------------------------------------------+
1135 */
1136
1137-/* $Id: mod_files.c,v 1.83.2.9.2.3 2006/04/17 23:29:37 iliaa Exp $ */
1138+/* $Id: mod_files.c,v 1.83.2.9.2.4 2006/08/08 14:57:04 iliaa Exp $ */
1139
1140 #include "php.h"
1141
1142@@ -368,7 +368,12 @@
1143 ps_files_close(data);
1144
1145 if (VCWD_UNLINK(buf) == -1) {
1146- return FAILURE;
1147+ /* This is a little safety check for instances when we are dealing with a regenerated session
1148+ * that was not yet written to disk
1149+ */
1150+ if (!VCWD_ACCESS(buf, F_OK)) {
1151+ return FAILURE;
1152+ }
1153 }
1154 }
1155
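Review bot: The added `VCWD_ACCESS(buf, F_OK)` re-probes the filesystem to decide whether the failed unlink matters; assuming VCWD_UNLINK leaves errno from unlink(2) intact, `if (errno != ENOENT) { return FAILURE; }` expresses the same rule without the second call and without the small window in which another request could create or remove the file between the two. The comment above the check should then state that a missing file is treated as already destroyed. The enclosing function starts outside the hunk.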
1156@@ -391,6 +396,34 @@
1157 return SUCCESS;
1158 }
1159
1160+PS_VALIDATE_SID_FUNC(files)
1161+{
1162+ char buf[MAXPATHLEN];
1163+ int fd;
1164+ PS_FILES_DATA;
1165+
1166+ if (!ps_files_valid_key(key)) {
1167+ return FAILURE;
1168+ }
1169+
1170+ if (!PS(use_strict_mode)) {
1171+ return SUCCESS;
1172+ }
1173+
1174+ if (!ps_files_path_create(buf, sizeof(buf), data, key)) {
1175+ return FAILURE;
1176+ }
1177+
1178+ fd = VCWD_OPEN_MODE(buf, O_RDWR | O_BINARY, 0600);
1179+
1180+ if (fd != -1) {
1181+ close(fd);
1182+ return SUCCESS;
1183+ }
1184+
1185+ return FAILURE;
1186+}
1187+
1188 /*
1189 * Local variables:
1190 * tab-width: 4
1191diff -Nura php-4.4.3/ext/session/mod_mm.c hardening-patch-4.4.3-0.4.15/ext/session/mod_mm.c
1192--- php-4.4.3/ext/session/mod_mm.c 2006-01-01 14:46:56.000000000 +0100
1193+++ hardening-patch-4.4.3-0.4.15/ext/session/mod_mm.c 2006-09-05 20:30:44.000000000 +0200
1194@@ -425,6 +425,42 @@
1195 return SUCCESS;
1196 }
1197
1198+PS_VALIDATE_SID_FUNC(mm)
1199+{
1200+ PS_MM_DATA;
1201+ ps_sd *sd;
1202+ const char *p;
1203+ char c;
1204+ int ret = SUCCESS;
1205+
1206+ for (p = key; (c = *p); p++) {
1207+ /* valid characters are a..z,A..Z,0..9 */
1208+ if (!((c >= 'a' && c <= 'z')
1209+ || (c >= 'A' && c <= 'Z')
1210+ || (c >= '0' && c <= '9')
1211+ || c == ','
1212+ || c == '-')) {
1213+ return FAILURE;
1214+ }
1215+ }
1216+
1217+ if (!PS(use_strict_mode)) {
1218+ return SUCCESS;
1219+ }
1220+
1221+ mm_lock(data->mm, MM_LOCK_RD);
1222+
1223+ sd = ps_sd_lookup(data, key, 0);
1224+ if (sd) {
1225+ mm_unlock(data->mm);
1226+ return SUCCESS;
1227+ }
1228+
1229+ mm_unlock(data->mm);
1230+
1231+ return FAILURE;
1232+}
1233+
1234 #endif
1235
1236 /*
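Review bot: `int ret = SUCCESS;` on the fourth line of ps_validate_sid_mm is never read, and the character loop accepts an empty key (its body never runs), so with session.use_strict_mode off an empty session id is reported valid, whereas ps_user_valid_key() in the mod_user.c hunk rejects `len == 0`. Dropping `ret` and adding `if (p == key) { return FAILURE; }` after the loop brings the two modules in line. The loop comment says "valid characters are a..z,A..Z,0..9" while the condition also admits ',' and '-'; the same mismatched comment is in ps_user_valid_key().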
1237diff -Nura php-4.4.3/ext/session/mod_user.c hardening-patch-4.4.3-0.4.15/ext/session/mod_user.c
1238--- php-4.4.3/ext/session/mod_user.c 2006-01-01 14:46:56.000000000 +0100
1239+++ hardening-patch-4.4.3-0.4.15/ext/session/mod_user.c 2006-09-05 20:30:44.000000000 +0200
1240@@ -23,7 +23,7 @@
1241 #include "mod_user.h"
1242
1243 ps_module ps_mod_user = {
1244- PS_MOD(user)
1245+ PS_MOD_SID(user)
1246 };
1247
1248 #define SESS_ZVAL_LONG(val, a) \
1249@@ -174,6 +174,83 @@
1250 FINISH;
1251 }
1252
1253+PS_CREATE_SID_FUNC(user)
1254+{
1255+ int i;
1256+ char *val = NULL;
1257+ zval *retval;
1258+ ps_user *mdata = PS_GET_MOD_DATA();
1259+
1260+ if (!mdata)
1261+ return estrndup("", 0);
1262+
1263+ if (PSF(create) == NULL || ZVAL_IS_NULL(PSF(create))) {
1264+ return php_session_create_id(mod_data, newlen TSRMLS_CC);
1265+ }
1266+ retval = ps_call_handler(PSF(create), 0, NULL TSRMLS_CC);
1267+
1268+ if (retval) {
1269+ if (Z_TYPE_P(retval) == IS_STRING) {
1270+ val = estrndup(Z_STRVAL_P(retval), Z_STRLEN_P(retval));
1271+ } else {
1272+ val = estrndup("", 0);
1273+ }
1274+ zval_ptr_dtor(&retval);
1275+ } else {
1276+ val = estrndup("", 0);
1277+ }
1278+
1279+ return val;
1280+}
1281+
1282+static int ps_user_valid_key(const char *key TSRMLS_DC)
1283+{
1284+ size_t len;
1285+ const char *p;
1286+ char c;
1287+ int ret = SUCCESS;
1288+
1289+ for (p = key; (c = *p); p++) {
1290+ /* valid characters are a..z,A..Z,0..9 */
1291+ if (!((c >= 'a' && c <= 'z')
1292+ || (c >= 'A' && c <= 'Z')
1293+ || (c >= '0' && c <= '9')
1294+ || c == ','
1295+ || c == '-')) {
1296+ ret = FAILURE;
1297+ break;
1298+ }
1299+ }
1300+
1301+ len = p - key;
1302+
1303+ if (len == 0)
1304+ ret = FAILURE;
1305+
1306+ return ret;
1307+}
1308+
1309+PS_VALIDATE_SID_FUNC(user)
1310+{
1311+ zval *args[1];
1312+ STDVARS;
1313+
1314+ if (PSF(validate) == NULL || ZVAL_IS_NULL(PSF(validate))) {
1315+ return ps_user_valid_key(key TSRMLS_CC);
1316+ }
1317+ SESS_ZVAL_STRING(key, args[0]);
1318+
1319+ retval = ps_call_handler(PSF(validate), 1, args TSRMLS_CC);
1320+
1321+ if (retval) {
1322+ convert_to_long(retval);
1323+ ret = Z_LVAL_P(retval) ? SUCCESS : FAILURE;
1324+ zval_ptr_dtor(&retval);
1325+ }
1326+
1327+ return ret;
1328+}
1329+
1330 /*
1331 * Local variables:
1332 * tab-width: 4
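Review bot: When a user-level validate callback is installed, ps_validate_sid_user passes the raw session id straight to it and ps_user_valid_key() is never applied, so the built-in restriction to [a-zA-Z0-9,-] holds only for scripts that did not register a callback; running `if (ps_user_valid_key(key TSRMLS_CC) == FAILURE) { return FAILURE; }` unconditionally before the callback keeps the script-level check additive rather than a replacement. In ps_create_sid_user the callback path returns `val` without writing `*newlen`, while the `php_session_create_id()` fallback presumably does, so a caller passing a non-NULL newlen would read an uninitialised length; set it from Z_STRLEN_P(retval) (and to 0 for the empty-string fallbacks). Returning `estrndup("", 0)` when mdata is NULL or the callback yields a non-string also hands the session layer an empty id with no diagnostic; a warning there would make a misconfigured handler visible.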
1333diff -Nura php-4.4.3/ext/session/mod_user.h hardening-patch-4.4.3-0.4.15/ext/session/mod_user.h
1334--- php-4.4.3/ext/session/mod_user.h 2006-01-01 14:46:56.000000000 +0100
1335+++ hardening-patch-4.4.3-0.4.15/ext/session/mod_user.h 2006-09-05 20:30:44.000000000 +0200
1336@@ -22,7 +22,7 @@
1337 #define MOD_USER_H
1338
1339 typedef union {
1340- zval *names[6];
1341+ zval *names[8];
1342 struct {
1343 zval *ps_open;
1344 zval *ps_close;
1345@@ -30,6 +30,8 @@
1346 zval *ps_write;
1347 zval *ps_destroy;
1348 zval *ps_gc;
1349+ zval *ps_create;
1350+ zval *ps_validate;
1351 } name;
1352 } ps_user;
1353
1354diff -Nura php-4.4.3/ext/session/php_session.h hardening-patch-4.4.3-0.4.15/ext/session/php_session.h
1355--- php-4.4.3/ext/session/php_session.h 2006-01-01 14:46:56.000000000 +0100
1356+++ hardening-patch-4.4.3-0.4.15/ext/session/php_session.h 2006-09-05 20:30:44.000000000 +0200
1357@@ -23,7 +23,7 @@
1358
1359 #include "ext/standard/php_var.h"
1360
1361-#define PHP_SESSION_API 20020330
1362+#define PHP_SESSION_API 20051121
1363
1364 #define PS_OPEN_ARGS void **mod_data, const char *save_path, const char *session_name TSRMLS_DC
1365 #define PS_CLOSE_ARGS void **mod_data TSRMLS_DC
1366@@ -32,6 +32,7 @@
1367 #define PS_DESTROY_ARGS void **mod_data, const char *key TSRMLS_DC
1368 #define PS_GC_ARGS void **mod_data, int maxlifetime, int *nrdels TSRMLS_DC
1369 #define PS_CREATE_SID_ARGS void **mod_data, int *newlen TSRMLS_DC
1370+#define PS_VALIDATE_SID_ARGS void **mod_data, const char *key TSRMLS_DC
1371
1372 /* default create id function */
1373 char *php_session_create_id(PS_CREATE_SID_ARGS);
1374@@ -45,6 +46,7 @@
1375 int (*s_destroy)(PS_DESTROY_ARGS);
1376 int (*s_gc)(PS_GC_ARGS);
1377 char *(*s_create_sid)(PS_CREATE_SID_ARGS);
1378+ int (*s_validate_sid)(PS_VALIDATE_SID_ARGS);
1379 } ps_module;
1380
1381 #define PS_GET_MOD_DATA() *mod_data
1382@@ -57,6 +59,7 @@
1383 #define PS_DESTROY_FUNC(x) int ps_delete_##x(PS_DESTROY_ARGS)
1384 #define PS_GC_FUNC(x) int ps_gc_##x(PS_GC_ARGS)
1385 #define PS_CREATE_SID_FUNC(x) char *ps_create_sid_##x(PS_CREATE_SID_ARGS)
1386+#define PS_VALIDATE_SID_FUNC(x) int ps_validate_sid_##x(PS_VALIDATE_SID_ARGS)
1387
1388 #define PS_FUNCS(x) \
1389 PS_OPEN_FUNC(x); \
1390@@ -65,11 +68,12 @@
1391 PS_WRITE_FUNC(x); \
1392 PS_DESTROY_FUNC(x); \
1393 PS_GC_FUNC(x); \
1394- PS_CREATE_SID_FUNC(x)
1395+ PS_CREATE_SID_FUNC(x); \
1396+ PS_VALIDATE_SID_FUNC(x)
1397
1398 #define PS_MOD(x) \
1399 #x, ps_open_##x, ps_close_##x, ps_read_##x, ps_write_##x, \
1400- ps_delete_##x, ps_gc_##x, php_session_create_id
1401+ ps_delete_##x, ps_gc_##x, php_session_create_id, ps_validate_sid_##x
1402
1403 /* SID enabled module handler definitions */
1404 #define PS_FUNCS_SID(x) \
1405@@ -79,11 +83,12 @@
1406 PS_WRITE_FUNC(x); \
1407 PS_DESTROY_FUNC(x); \
1408 PS_GC_FUNC(x); \
1409- PS_CREATE_SID_FUNC(x)
1410+ PS_CREATE_SID_FUNC(x); \
1411+ PS_VALIDATE_SID(x)
1412
1413 #define PS_MOD_SID(x) \
1414 #x, ps_open_##x, ps_close_##x, ps_read_##x, ps_write_##x, \
1415- ps_delete_##x, ps_gc_##x, ps_create_sid_##x
1416+ ps_delete_##x, ps_gc_##x, ps_create_sid_##x, ps_validate_sid_##x
1417
1418 typedef enum {
1419 php_session_disabled,
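Review bot: `PS_VALIDATE_SID(x)` at the end of the rewritten PS_FUNCS_SID macro does not match the macro introduced in the earlier hunk of this file, which is `PS_VALIDATE_SID_FUNC(x)`; unless PS_VALIDATE_SID is defined somewhere outside this patch, any module declared through PS_FUNCS_SID will not compile. The line should read `PS_VALIDATE_SID_FUNC(x)` to mirror the PS_FUNCS definition above.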
1420@@ -120,6 +125,7 @@
1421 zend_bool use_only_cookies;
1422 zend_bool use_trans_sid; /* contains the INI value of whether to use trans-sid */
1423 zend_bool apply_trans_sid; /* whether or not to enable trans-sid for the current request */
1424+ zend_bool use_strict_mode; /* whether or not PHP accepts unknown session ids */
1425 int send_cookie;
1426 int define_sid;
1427 } php_ps_globals;
1428diff -Nura php-4.4.3/ext/session/session.c hardening-patch-4.4.3-0.4.15/ext/session/session.c
1429--- php-4.4.3/ext/session/session.c 2006-05-19 00:16:27.000000000 +0200
1430+++ hardening-patch-4.4.3-0.4.15/ext/session/session.c 2006-09-05 20:30:44.000000000 +0200
1431@@ -17,7 +17,7 @@
1432 +----------------------------------------------------------------------+
1433 */
1434
1435-/* $Id: session.c,v 1.336.2.53.2.6 2006/05/18 22:16:27 helly Exp $ */
1436+/* $Id: session.c,v 1.336.2.53.2.7 2006/08/01 08:33:13 tony2001 Exp $ */
1437
1438 #ifdef HAVE_CONFIG_H
1439 #include "config.h"
1440@@ -155,6 +155,7 @@
1441 STD_PHP_INI_BOOLEAN("session.cookie_secure", "", PHP_INI_ALL, OnUpdateBool, cookie_secure, php_ps_globals, ps_globals)
1442 STD_PHP_INI_BOOLEAN("session.use_cookies", "1", PHP_INI_ALL, OnUpdateBool, use_cookies, php_ps_globals, ps_globals)
1443 STD_PHP_INI_BOOLEAN("session.use_only_cookies", "0", PHP_INI_ALL, OnUpdateBool, use_only_cookies, php_ps_globals, ps_globals)
1444+ STD_PHP_INI_BOOLEAN("session.use_strict_mode", "1", PHP_INI_ALL, OnUpdateBool, use_strict_mode, php_ps_globals, ps_globals)
1445 STD_PHP_INI_ENTRY("session.referer_check", "", PHP_INI_ALL, OnUpdateString, extern_referer_chk, php_ps_globals, ps_globals)
1446 STD_PHP_INI_ENTRY("session.entropy_file", "", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals, ps_globals)
1447 STD_PHP_INI_ENTRY("session.entropy_length", "0", PHP_INI_ALL, OnUpdateInt, entropy_length, php_ps_globals, ps_globals)
1448@@ -643,6 +644,15 @@
1449 return;
1450 }
1451
1452+ /* If there is an ID, use session module to verify it */
1453+ if (PS(id)) {
1454+ if (PS(mod)->s_validate_sid(&PS(mod_data), PS(id) TSRMLS_CC) == FAILURE) {
1455+ efree(PS(id));
1456+ PS(id) = NULL;
1457+ PS(send_cookie) = 1;
1458+ }
1459+ }
1460+
1461 /* If there is no ID, use session module to create one */
1462 if (!PS(id))
1463 PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);
1464@@ -1262,22 +1272,31 @@
1465 }
1466 /* }}} */
1467
1468-/* {{{ proto void session_set_save_handler(string open, string close, string read, string write, string destroy, string gc)
1469+/* {{{ proto void session_set_save_handler(string open, string close, string read, string write, string destroy, string gc[, string create, string validate])
1470 Sets user-level functions */
1471 PHP_FUNCTION(session_set_save_handler)
1472 {
1473- zval **args[6];
1474- int i;
1475+ zval **args[8];
1476+ int i, numargs;
1477 ps_user *mdata;
1478 char *name;
1479
1480+ numargs = ZEND_NUM_ARGS();
1481+ args[6] = NULL;
1482+ args[7] = NULL;
1483+
1484+ if (numargs < 6 || numargs > 8 || zend_get_parameters_array_ex(numargs, args) == FAILURE)
1485+ WRONG_PARAM_COUNT;
1486 if (ZEND_NUM_ARGS() != 6 || zend_get_parameters_array_ex(6, args) == FAILURE)
1487 WRONG_PARAM_COUNT;
1488
1489 if (PS(session_status) != php_session_none)
1490 RETURN_FALSE;
1491
1492- for (i = 0; i < 6; i++) {
1493+ for (i = 0; i < 8; i++) {
1494+ if (i >= 6 && (args[i] == NULL || ZVAL_IS_NULL(*args[i]))) {
1495+ continue;
1496+ }
1497 if (!zend_is_callable(*args[i], 0, &name)) {
1498 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Argument %d is not a valid callback", i+1);
1499 efree(name);
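Review bot: The pre-existing six-argument guard, `if (ZEND_NUM_ARGS() != 6 || zend_get_parameters_array_ex(6, args) == FAILURE) WRONG_PARAM_COUNT;`, is still in place immediately after the new `numargs` check, so a call with seven or eight arguments passes the new check and is then rejected by the old one; the optional create/validate callbacks this hunk introduces can never actually be registered. Those two lines have to be removed. With them gone the `args[6] = args[7] = NULL` initialisation plus `zend_get_parameters_array_ex(numargs, args)` is sound, since the loop below tests for NULL before dereferencing.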
1500@@ -1290,7 +1309,11 @@
1501
1502 mdata = emalloc(sizeof(*mdata));
1503
1504- for (i = 0; i < 6; i++) {
1505+ for (i = 0; i < 8; i++) {
1506+ if (i >= 6 && (args[i] == NULL || ZVAL_IS_NULL(*args[i]))) {
1507+ mdata->names[i] = NULL;
1508+ continue;
1509+ }
1510 ZVAL_ADDREF(*args[i]);
1511 mdata->names[i] = *args[i];
1512 }
1513@@ -1351,12 +1374,25 @@
1514 Update the current session id with a newly generated one. */
1515 PHP_FUNCTION(session_regenerate_id)
1516 {
1517+ zend_bool del_ses = 0;
1518+
1519+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|b", &del_ses) == FAILURE) {
1520+ WRONG_PARAM_COUNT;
1521+ }
1522+
1523 if (SG(headers_sent)) {
1524 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot regenerate session id - headers already sent");
1525 RETURN_FALSE;
1526 }
1527- if (PS(session_status) == php_session_active) {
1528- if (PS(id)) efree(PS(id));
1529+
1530+ if (PS(session_status) == php_session_active) {
1531+ if (PS(id)) {
1532+ if (del_ses && PS(mod)->s_destroy(&PS(mod_data), PS(id) TSRMLS_CC) == FAILURE) {
1533+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Session object destruction failed");
1534+ RETURN_FALSE;
1535+ }
1536+ efree(PS(id));
1537+ }
1538
1539 PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);
1540
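Review bot: Falling into `WRONG_PARAM_COUNT` after `zend_parse_parameters()` fails raises a second, generic warning on top of the specific one the parser already emitted; the usual form in that branch is `return;` (or `RETURN_FALSE;`). The destroy-before-free ordering for the optional argument is otherwise correct, since the active id is kept when destruction fails.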
1541@@ -1405,8 +1441,8 @@
1542 WRONG_PARAM_COUNT;
1543
1544 if (ac == 1) {
1545- convert_to_long_ex(p_cache_expire);
1546- PS(cache_expire) = Z_LVAL_PP(p_cache_expire);
1547+ convert_to_string_ex(p_cache_expire);
1548+ zend_alter_ini_entry("session.cache_expire", sizeof("session.cache_expire"), Z_STRVAL_PP(p_cache_expire), Z_STRLEN_PP(p_cache_expire), ZEND_INI_USER, ZEND_INI_STAGE_RUNTIME);
1549 }
1550
1551 RETVAL_LONG(old);
1552diff -Nura php-4.4.3/ext/session/tests/014.phpt hardening-patch-4.4.3-0.4.15/ext/session/tests/014.phpt
1553--- php-4.4.3/ext/session/tests/014.phpt 2002-11-26 00:19:18.000000000 +0100
1554+++ hardening-patch-4.4.3-0.4.15/ext/session/tests/014.phpt 2006-09-05 20:30:44.000000000 +0200
1555@@ -5,6 +5,7 @@
1556 --INI--
1557 session.use_trans_sid=1
1558 session.use_cookies=0
1559+session.use_strict_mode=0
1560 session.cache_limiter=
1561 register_globals=1
1562 session.bug_compat_42=1
1563diff -Nura php-4.4.3/ext/session/tests/015.phpt hardening-patch-4.4.3-0.4.15/ext/session/tests/015.phpt
1564--- php-4.4.3/ext/session/tests/015.phpt 2002-11-26 00:19:19.000000000 +0100
1565+++ hardening-patch-4.4.3-0.4.15/ext/session/tests/015.phpt 2006-09-05 20:30:44.000000000 +0200
1566@@ -5,6 +5,7 @@
1567 --INI--
1568 session.use_trans_sid=1
1569 session.use_cookies=0
1570+session.use_strict_mode=0
1571 session.cache_limiter=
1572 arg_separator.output=&
1573 session.name=PHPSESSID
1574diff -Nura php-4.4.3/ext/session/tests/018.phpt hardening-patch-4.4.3-0.4.15/ext/session/tests/018.phpt
1575--- php-4.4.3/ext/session/tests/018.phpt 2002-11-26 00:19:19.000000000 +0100
1576+++ hardening-patch-4.4.3-0.4.15/ext/session/tests/018.phpt 2006-09-05 20:30:44.000000000 +0200
1577@@ -4,6 +4,7 @@
1578 <?php include('skipif.inc'); ?>
1579 --INI--
1580 session.use_cookies=0
1581+session.use_strict_mode=0
1582 session.cache_limiter=
1583 session.use_trans_sid=1
1584 session.name=PHPSESSID
1585diff -Nura php-4.4.3/ext/session/tests/020.phpt hardening-patch-4.4.3-0.4.15/ext/session/tests/020.phpt
1586--- php-4.4.3/ext/session/tests/020.phpt 2002-11-26 00:19:19.000000000 +0100
1587+++ hardening-patch-4.4.3-0.4.15/ext/session/tests/020.phpt 2006-09-05 20:30:44.000000000 +0200
1588@@ -4,6 +4,7 @@
1589 <?php include('skipif.inc'); ?>
1590 --INI--
1591 session.use_cookies=0
1592+session.use_strict_mode=0
1593 session.cache_limiter=
1594 session.use_trans_sid=1
1595 arg_separator.output=&amp;
1596diff -Nura php-4.4.3/ext/session/tests/021.phpt hardening-patch-4.4.3-0.4.15/ext/session/tests/021.phpt
1597--- php-4.4.3/ext/session/tests/021.phpt 2002-11-26 00:19:19.000000000 +0100
1598+++ hardening-patch-4.4.3-0.4.15/ext/session/tests/021.phpt 2006-09-05 20:30:44.000000000 +0200
1599@@ -4,6 +4,7 @@
1600 <?php include('skipif.inc'); ?>
1601 --INI--
1602 session.use_cookies=0
1603+session.use_strict_mode=0
1604 session.cache_limiter=
1605 session.use_trans_sid=1
1606 url_rewriter.tags="a=href,area=href,frame=src,input=src,form=,fieldset="
1607diff -Nura php-4.4.3/ext/session/tests/bug38377.phpt hardening-patch-4.4.3-0.4.15/ext/session/tests/bug38377.phpt
1608--- php-4.4.3/ext/session/tests/bug38377.phpt 1970-01-01 01:00:00.000000000 +0100
1609+++ hardening-patch-4.4.3-0.4.15/ext/session/tests/bug38377.phpt 2006-09-05 20:30:44.000000000 +0200
1610@@ -0,0 +1,13 @@
1611+--TEST--
1612+bug #38377 (session_destroy() gives warning after session_regenerate_id())
1613+--SKIPIF--
1614+<?php include('skipif.inc'); ?>
1615+--FILE--
1616+<?php
1617+session_start();
1618+session_regenerate_id();
1619+session_destroy();
1620+echo "Done\n";
1621+?>
1622+--EXPECT--
1623+Done
1624diff -Nura php-4.4.3/ext/sockets/sockets.c hardening-patch-4.4.3-0.4.15/ext/sockets/sockets.c
1625--- php-4.4.3/ext/sockets/sockets.c 2006-01-01 14:46:56.000000000 +0100
1626+++ hardening-patch-4.4.3-0.4.15/ext/sockets/sockets.c 2006-09-05 20:30:44.000000000 +0200
1627@@ -19,7 +19,7 @@
1628 +----------------------------------------------------------------------+
1629 */
1630
1631-/* $Id: sockets.c,v 1.125.2.29.2.3 2006/01/01 13:46:56 sniper Exp $ */
1632+/* $Id: sockets.c,v 1.125.2.29.2.6 2006/08/01 12:04:14 tony2001 Exp $ */
1633
1634 #ifdef HAVE_CONFIG_H
1635 #include "config.h"
1636@@ -515,6 +515,7 @@
1637 int php_sock_array_to_fd_set(zval *sock_array, fd_set *fds, SOCKET *max_fd TSRMLS_DC) {
1638 zval **element;
1639 php_socket *php_sock;
1640+ int num = 0;
1641
1642 if (Z_TYPE_P(sock_array) != IS_ARRAY) return 0;
1643
1644@@ -529,9 +530,10 @@
1645 if (php_sock->bsd_socket > *max_fd) {
1646 *max_fd = php_sock->bsd_socket;
1647 }
1648+ num++;
1649 }
1650
1651- return 1;
1652+ return num ? 1 : 0;
1653 }
1654
1655 int php_sock_array_from_fd_set(zval *sock_array, fd_set *fds TSRMLS_DC) {
1656@@ -539,6 +541,8 @@
1657 zval **dest_element;
1658 php_socket *php_sock;
1659 HashTable *new_hash;
1660+ int num = 0;
1661+
1662 if (Z_TYPE_P(sock_array) != IS_ARRAY) return 0;
1663
1664 ALLOC_HASHTABLE(new_hash);
1665@@ -555,6 +559,7 @@
1666 zend_hash_next_index_insert(new_hash, (void *)element, sizeof(zval *), (void **)&dest_element);
1667 if (dest_element) zval_add_ref(dest_element);
1668 }
1669+ num++;
1670 }
1671
1672 /* Destroy old array, add new one */
1673@@ -564,7 +569,7 @@
1674 zend_hash_internal_pointer_reset(new_hash);
1675 Z_ARRVAL_P(sock_array) = new_hash;
1676
1677- return 1;
1678+ return num ? 1 : 0;
1679 }
1680
1681
1682diff -Nura php-4.4.3/ext/standard/array.c hardening-patch-4.4.3-0.4.15/ext/standard/array.c
1683--- php-4.4.3/ext/standard/array.c 2006-01-01 14:46:57.000000000 +0100
1684+++ hardening-patch-4.4.3-0.4.15/ext/standard/array.c 2006-09-05 20:30:44.000000000 +0200
1685@@ -1162,6 +1162,32 @@
1686 }
1687 }
1688 }
1689+
1690+ if (var_name[0] == 'H') {
1691+ if ((strcmp(var_name, "HTTP_GET_VARS")==0)||
1692+ (strcmp(var_name, "HTTP_POST_VARS")==0)||
1693+ (strcmp(var_name, "HTTP_POST_FILES")==0)||
1694+ (strcmp(var_name, "HTTP_ENV_VARS")==0)||
1695+ (strcmp(var_name, "HTTP_SERVER_VARS")==0)||
1696+ (strcmp(var_name, "HTTP_SESSION_VARS")==0)||
1697+ (strcmp(var_name, "HTTP_COOKIE_VARS")==0)||
1698+ (strcmp(var_name, "HTTP_RAW_POST_DATA")==0)) {
1699+ return 0;
1700+ }
1701+ } else if (var_name[0] == '_') {
1702+ if ((strcmp(var_name, "_COOKIE")==0)||
1703+ (strcmp(var_name, "_ENV")==0)||
1704+ (strcmp(var_name, "_FILES")==0)||
1705+ (strcmp(var_name, "_GET")==0)||
1706+ (strcmp(var_name, "_POST")==0)||
1707+ (strcmp(var_name, "_REQUEST")==0)||
1708+ (strcmp(var_name, "_SESSION")==0)||
1709+ (strcmp(var_name, "_SERVER")==0)) {
1710+ return 0;
1711+ }
1712+ } else if (strcmp(var_name, "GLOBALS")==0) {
1713+ return 0;
1714+ }
1715
1716 return 1;
1717 }
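Review bot: The list of protected names added here is duplicated verbatim in the basic_functions.c hunk at @@ -3057, with only the `efree(new_key)` differing; two hand-maintained lists of superglobal names will drift the first time one of them is amended. A single shared helper, e.g. `int php_varname_is_protected(const char *name)` defined once in basic_functions.c and declared in its header, lets both call sites return 0 through one definition. A comment above the block stating why these symbols must never be overwritten from extract()/import_request_variables() would also help the next reader. The enclosing function starts outside the hunk.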
1718diff -Nura php-4.4.3/ext/standard/basic_functions.c hardening-patch-4.4.3-0.4.15/ext/standard/basic_functions.c
1719--- php-4.4.3/ext/standard/basic_functions.c 2006-06-29 00:09:09.000000000 +0200
1720+++ hardening-patch-4.4.3-0.4.15/ext/standard/basic_functions.c 2006-09-07 19:35:02.000000000 +0200
1721@@ -107,12 +107,14 @@
1722 typedef struct _php_shutdown_function_entry {
1723 zval **arguments;
1724 int arg_count;
1725+ zend_bool created_by_eval;
1726 } php_shutdown_function_entry;
1727
1728 typedef struct _user_tick_function_entry {
1729 zval **arguments;
1730 int arg_count;
1731 int calling;
1732+ zend_bool created_by_eval;
1733 } user_tick_function_entry;
1734
1735 /* some prototypes for local functions */
1736@@ -295,6 +297,8 @@
1737 PHP_FE(get_html_translation_table, NULL)
1738 PHP_FE(sha1, NULL)
1739 PHP_FE(sha1_file, NULL)
1740+ PHP_FE(sha256, NULL)
1741+ PHP_FE(sha256_file, NULL)
1742 PHP_NAMED_FE(md5,php_if_md5, NULL)
1743 PHP_NAMED_FE(md5_file,php_if_md5_file, NULL)
1744 PHP_NAMED_FE(crc32,php_if_crc32, NULL)
1745@@ -676,7 +680,7 @@
1746 PHP_FALIAS(socket_get_status, stream_get_meta_data, NULL)
1747
1748 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
1749- PHP_FE(realpath, NULL)
1750+ PHP_STATIC_FE("realpath", zif_real_path, NULL)
1751 #endif
1752
1753 #ifdef HAVE_FNMATCH
1754@@ -2101,6 +2105,13 @@
1755 {
1756 zval retval;
1757 char *function_name = NULL;
1758+#if HARDENING_PATCH
1759+ zend_uint orig_code_type = EG(in_code_type);
1760+
1761+ if (shutdown_function_entry->created_by_eval) {
1762+ EG(in_code_type) = ZEND_EVAL_CODE;
1763+ }
1764+#endif
1765
1766 if (!zend_is_callable(shutdown_function_entry->arguments[0], 0, &function_name)) {
1767 php_error(E_WARNING, "(Registered shutdown functions) Unable to call %s() - function does not exist", function_name);
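Review bot: The save/restore of EG(in_code_type) around the shutdown callback (the restore is in the next hunk, just before `return 0`) is not bailout-safe: if the callback calls exit() or hits a fatal error, control leaves through zend_bailout() and the restore never runs, so — assuming the caller's zend_try/zend_catch keeps iterating, which is outside this hunk — every later shutdown function would execute as ZEND_EVAL_CODE and be subject to whatever restrictions the patch ties to that flag. The same applies to the tick-function pair in the hunks at @@ -2123 and @@ -2154. Restoring `EG(in_code_type)` in the callers after their zend_end_try, or assigning it fresh from `created_by_eval` on every iteration instead of saving and restoring, removes the dependency on a normal return.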
1768@@ -2116,6 +2127,9 @@
1769 if (function_name) {
1770 efree(function_name);
1771 }
1772+#if HARDENING_PATCH
1773+ EG(in_code_type) = orig_code_type;
1774+#endif
1775 return 0;
1776 }
1777
1778@@ -2123,6 +2137,13 @@
1779 {
1780 zval retval;
1781 zval *function = tick_fe->arguments[0];
1782+#if HARDENING_PATCH
1783+ zend_uint orig_code_type = EG(in_code_type);
1784+
1785+ if (tick_fe->created_by_eval) {
1786+ EG(in_code_type) = ZEND_EVAL_CODE;
1787+ }
1788+#endif
1789
1790 /* Prevent reentrant calls to the same user ticks function */
1791 if (! tick_fe->calling) {
1792@@ -2154,6 +2175,9 @@
1793
1794 tick_fe->calling = 0;
1795 }
1796+#if HARDENING_PATCH
1797+ EG(in_code_type) = orig_code_type;
1798+#endif
1799 }
1800
1801 static void run_user_tick_functions(int tick_count)
1802@@ -2222,6 +2246,13 @@
1803 efree(shutdown_function_entry.arguments);
1804 RETURN_FALSE;
1805 }
1806+#if HARDENING_PATCH
1807+ if (EG(in_code_type)==ZEND_EVAL_CODE) {
1808+ shutdown_function_entry.created_by_eval = 1;
1809+ } else {
1810+ shutdown_function_entry.created_by_eval = 0;
1811+ }
1812+#endif
1813
1814 /* Prevent entering of anything but valid callback (syntax check only!) */
1815 if (!zend_is_callable(shutdown_function_entry.arguments[0], 1, &function_name)) {
1816@@ -2503,6 +2534,15 @@
1817
1818 convert_to_string_ex(varname);
1819
1820+ /* checks that ensure the user does not overwrite certain ini settings when safe_mode is enabled */
1821+ if (PG(safe_mode)) {
1822+ if (!strncmp("max_execution_time", Z_STRVAL_PP(varname), sizeof("max_execution_time")) ||
1823+ !strncmp("memory_limit", Z_STRVAL_PP(varname), sizeof("memory_limit")) ||
1824+ !strncmp("child_terminate", Z_STRVAL_PP(varname), sizeof("child_terminate"))) {
1825+ RETURN_FALSE;
1826+ }
1827+ }
1828+
1829 zend_restore_ini_entry(Z_STRVAL_PP(varname), Z_STRLEN_PP(varname)+1, PHP_INI_STAGE_RUNTIME);
1830 }
1831 /* }}} */
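Review bot: The new guard only runs when PG(safe_mode) is set, so with safe_mode off a script can still `ini_restore()` other per-directory protections (open_basedir is the obvious one) back to the main php.ini value; if that case is handled inside zend_restore_ini_entry() or by the entry's on_modify handler, a one-line comment saying so would spare the next reader the question, and if it is not, open_basedir belongs in an unconditional list. `!strncmp("max_execution_time", Z_STRVAL_PP(varname), sizeof("max_execution_time"))` compares the terminating NUL as well, which makes it an `strcmp()` in disguise; writing `strcmp(...) == 0` says what is meant. The enclosing function starts outside the hunk.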
1832@@ -2759,6 +2799,13 @@
1833 }
1834
1835 tick_fe.arguments = (zval **) safe_emalloc(sizeof(zval *), tick_fe.arg_count, 0);
1836+#if HARDENING_PATCH
1837+ if (EG(in_code_type)==ZEND_EVAL_CODE) {
1838+ tick_fe.created_by_eval = 1;
1839+ } else {
1840+ tick_fe.created_by_eval = 0;
1841+ }
1842+#endif
1843
1844 if (zend_get_parameters_array(ht, tick_fe.arg_count, tick_fe.arguments) == FAILURE) {
1845 efree(tick_fe.arguments);
1846@@ -3057,6 +3104,35 @@
1847 new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h);
1848 }
1849
1850+ if (new_key[0] == 'H') {
1851+ if ((strcmp(new_key, "HTTP_GET_VARS")==0)||
1852+ (strcmp(new_key, "HTTP_POST_VARS")==0)||
1853+ (strcmp(new_key, "HTTP_POST_FILES")==0)||
1854+ (strcmp(new_key, "HTTP_ENV_VARS")==0)||
1855+ (strcmp(new_key, "HTTP_SERVER_VARS")==0)||
1856+ (strcmp(new_key, "HTTP_SESSION_VARS")==0)||
1857+ (strcmp(new_key, "HTTP_COOKIE_VARS")==0)||
1858+ (strcmp(new_key, "HTTP_RAW_POST_DATA")==0)) {
1859+ efree(new_key);
1860+ return 0;
1861+ }
1862+ } else if (new_key[0] == '_') {
1863+ if ((strcmp(new_key, "_COOKIE")==0)||
1864+ (strcmp(new_key, "_ENV")==0)||
1865+ (strcmp(new_key, "_FILES")==0)||
1866+ (strcmp(new_key, "_GET")==0)||
1867+ (strcmp(new_key, "_POST")==0)||
1868+ (strcmp(new_key, "_REQUEST")==0)||
1869+ (strcmp(new_key, "_SESSION")==0)||
1870+ (strcmp(new_key, "_SERVER")==0)) {
1871+ efree(new_key);
1872+ return 0;
1873+ }
1874+ } else if (strcmp(new_key, "GLOBALS")==0) {
1875+ efree(new_key);
1876+ return 0;
1877+ }
1878+
1879 zend_hash_del(&EG(symbol_table), new_key, new_key_len);
1880 ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0);
1881
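Review bot: The protected-name check is a hand-maintained chain of seventeen strcmp calls split over three branches on the first character; a single static table walked in a loop is easier to audit and to extend when another superglobal is added, and the first-character dispatch buys nothing measurable here. It also needs a comment stating the intent — `/* refuse to let extract() overwrite superglobals, their legacy HTTP_*_VARS aliases or GLOBALS */` — so the list is not mistaken for an exhaustive reserved-name check. The early `return 0` paths `efree(new_key)`; that is right for the `spprintf` path visible just above, but the branch that builds `new_key` for string keys is above the hunk, and if it ever aliases the hash key instead of allocating, these returns free memory they do not own — worth confirming. The enclosing function starts and ends outside the hunk.
```c
/* Names extract() must never overwrite: superglobals, their legacy HTTP_*_VARS aliases and GLOBALS. */
static const char *const extract_protected_names[] = {
	"HTTP_GET_VARS", "HTTP_POST_VARS", "HTTP_POST_FILES", "HTTP_ENV_VARS",
	"HTTP_SERVER_VARS", "HTTP_SESSION_VARS", "HTTP_COOKIE_VARS", "HTTP_RAW_POST_DATA",
	"_COOKIE", "_ENV", "_FILES", "_GET", "_POST", "_REQUEST", "_SESSION", "_SERVER",
	"GLOBALS",
	NULL
};

/* … unchanged: key prefixing via spprintf … */
	{
		const char *const *name;

		for (name = extract_protected_names; *name; name++) {
			if (strcmp(new_key, *name) == 0) {
				efree(new_key);
				return 0;
			}
		}
	}

	zend_hash_del(&EG(symbol_table), new_key, new_key_len);
```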
1882diff -Nura php-4.4.3/ext/standard/config.m4 hardening-patch-4.4.3-0.4.15/ext/standard/config.m4
1883--- php-4.4.3/ext/standard/config.m4 2004-12-30 08:02:18.000000000 +0100
1884+++ hardening-patch-4.4.3-0.4.15/ext/standard/config.m4 2006-09-05 20:30:45.000000000 +0200
1885@@ -203,7 +203,7 @@
1886 if test "$ac_cv_crypt_blowfish" = "yes"; then
1887 ac_result=1
1888 else
1889- ac_result=0
1890+ ac_result=1
1891 fi
1892 AC_DEFINE_UNQUOTED(PHP_BLOWFISH_CRYPT, $ac_result, [Whether the system supports BlowFish salt])
1893 ])
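Review bot: With `ac_result=1` in both branches, the `if test "$ac_cv_crypt_blowfish" = "yes"` test no longer affects anything, and the AC_DEFINE description `[Whether the system supports BlowFish salt]` is now untrue because PHP_BLOWFISH_CRYPT effectively means "use the bundled crypt_blowfish.c" regardless of what the system crypt(3) offers. Replace the dead conditional with a single `ac_result=1` and reword the description, e.g. `[Whether the bundled Blowfish crypt implementation is used]`, so the next reader does not assume the system library is being probed.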
1894@@ -419,6 +419,6 @@
1895 url_scanner.c var.c versioning.c assert.c strnatcmp.c levenshtein.c \
1896 incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
1897 http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
1898- var_unserializer.c ftok.c aggregation.c sha1.c )
1899+ var_unserializer.c ftok.c aggregation.c sha1.c sha256.c crypt_blowfish.c )
1900
1901 PHP_ADD_MAKEFILE_FRAGMENT
1902diff -Nura php-4.4.3/ext/standard/crypt_blowfish.c hardening-patch-4.4.3-0.4.15/ext/standard/crypt_blowfish.c
1903--- php-4.4.3/ext/standard/crypt_blowfish.c 1970-01-01 01:00:00.000000000 +0100
1904+++ hardening-patch-4.4.3-0.4.15/ext/standard/crypt_blowfish.c 2006-09-05 20:30:45.000000000 +0200
1905@@ -0,0 +1,748 @@
1906+/*
1907+ * This code comes from John the Ripper password cracker, with reentrant
1908+ * and crypt(3) interfaces added, but optimizations specific to password
1909+ * cracking removed.
1910+ *
1911+ * Written by Solar Designer <solar at openwall.com> in 1998-2002 and
1912+ * placed in the public domain.
1913+ *
1914+ * There's absolutely no warranty.
1915+ *
1916+ * It is my intent that you should be able to use this on your system,
1917+ * as a part of a software package, or anywhere else to improve security,
1918+ * ensure compatibility, or for any other purpose. I would appreciate
1919+ * it if you give credit where it is due and keep your modifications in
1920+ * the public domain as well, but I don't require that in order to let
1921+ * you place this code and any modifications you make under a license
1922+ * of your choice.
1923+ *
1924+ * This implementation is compatible with OpenBSD bcrypt.c (version 2a)
1925+ * by Niels Provos <provos at citi.umich.edu>, and uses some of his
1926+ * ideas. The password hashing algorithm was designed by David Mazieres
1927+ * <dm at lcs.mit.edu>.
1928+ *
1929+ * There's a paper on the algorithm that explains its design decisions:
1930+ *
1931+ * http://www.usenix.org/events/usenix99/provos.html
1932+ *
1933+ * Some of the tricks in BF_ROUND might be inspired by Eric Young's
1934+ * Blowfish library (I can't be sure if I would think of something if I
1935+ * hadn't seen his code).
1936+ */
1937+
1938+#include <string.h>
1939+
1940+#include <errno.h>
1941+#ifndef __set_errno
1942+#define __set_errno(val) errno = (val)
1943+#endif
1944+
1945+#undef __CONST
1946+#ifdef __GNUC__
1947+#define __CONST __const
1948+#else
1949+#define __CONST
1950+#endif
1951+
1952+#ifdef __i386__
1953+#define BF_ASM 0
1954+#define BF_SCALE 1
1955+#elif defined(__alpha__) || defined(__hppa__)
1956+#define BF_ASM 0
1957+#define BF_SCALE 1
1958+#else
1959+#define BF_ASM 0
1960+#define BF_SCALE 0
1961+#endif
1962+
1963+typedef unsigned int BF_word;
1964+
1965+/* Number of Blowfish rounds, this is also hardcoded into a few places */
1966+#define BF_N 16
1967+
1968+typedef BF_word BF_key[BF_N + 2];
1969+
1970+typedef struct {
1971+ BF_word S[4][0x100];
1972+ BF_key P;
1973+} BF_ctx;
1974+
1975+/*
1976+ * Magic IV for 64 Blowfish encryptions that we do at the end.
1977+ * The string is "OrpheanBeholderScryDoubt" on big-endian.
1978+ */
1979+static BF_word BF_magic_w[6] = {
1980+ 0x4F727068, 0x65616E42, 0x65686F6C,
1981+ 0x64657253, 0x63727944, 0x6F756274
1982+};
1983+
1984+/*
1985+ * P-box and S-box tables initialized with digits of Pi.
1986+ */
1987+static BF_ctx BF_init_state = {
1988+ {
1989+ {
1990+ 0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7,
1991+ 0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99,
1992+ 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16,
1993+ 0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e,
1994+ 0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee,
1995+ 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013,
1996+ 0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef,
1997+ 0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e,
1998+ 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60,
1999+ 0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440,
2000+ 0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce,
2001+ 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a,
2002+ 0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e,
2003+ 0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677,
2004+ 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193,
2005+ 0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032,
2006+ 0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88,
2007+ 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239,
2008+ 0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e,
2009+ 0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0,
2010+ 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3,
2011+ 0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98,
2012+ 0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88,
2013+ 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe,
2014+ 0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6,
2015+ 0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d,
2016+ 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b,
2017+ 0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7,
2018+ 0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba,
2019+ 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463,
2020+ 0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f,
2021+ 0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09,
2022+ 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3,
2023+ 0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb,
2024+ 0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279,
2025+ 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8,
2026+ 0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab,
2027+ 0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82,
2028+ 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db,
2029+ 0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573,
2030+ 0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0,
2031+ 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b,
2032+ 0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790,
2033+ 0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8,
2034+ 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4,
2035+ 0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0,
2036+ 0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7,
2037+ 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c,
2038+ 0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad,
2039+ 0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1,
2040+ 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299,
2041+ 0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9,
2042+ 0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477,
2043+ 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf,
2044+ 0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49,
2045+ 0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af,
2046+ 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa,
2047+ 0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5,
2048+ 0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41,
2049+ 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915,
2050+ 0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400,
2051+ 0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915,
2052+ 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664,
2053+ 0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a
2054+ }, {
2055+ 0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623,
2056+ 0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266,
2057+ 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1,
2058+ 0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e,
2059+ 0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6,
2060+ 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1,
2061+ 0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e,
2062+ 0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1,
2063+ 0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737,
2064+ 0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8,
2065+ 0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff,
2066+ 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd,
2067+ 0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701,
2068+ 0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7,
2069+ 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41,
2070+ 0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331,
2071+ 0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf,
2072+ 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af,
2073+ 0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e,
2074+ 0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87,
2075+ 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c,
2076+ 0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2,
2077+ 0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16,
2078+ 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd,
2079+ 0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b,
2080+ 0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509,
2081+ 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e,
2082+ 0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3,
2083+ 0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f,
2084+ 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a,
2085+ 0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4,
2086+ 0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960,
2087+ 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66,
2088+ 0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28,
2089+ 0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802,
2090+ 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84,
2091+ 0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510,
2092+ 0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf,
2093+ 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14,
2094+ 0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e,
2095+ 0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50,
2096+ 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7,
2097+ 0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8,
2098+ 0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281,
2099+ 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99,
2100+ 0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696,
2101+ 0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128,
2102+ 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73,
2103+ 0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0,
2104+ 0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0,
2105+ 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105,
2106+ 0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250,
2107+ 0xcf62a1f2, 0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3,
2108+ 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285,
2109+ 0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00,
2110+ 0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061,
2111+ 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb,
2112+ 0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e,
2113+ 0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735,
2114+ 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc,
2115+ 0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9,
2116+ 0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340,
2117+ 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20,
2118+ 0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7
2119+ }, {
2120+ 0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934,
2121+ 0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068,
2122+ 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af,
2123+ 0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840,
2124+ 0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45,
2125+ 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504,
2126+ 0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a,
2127+ 0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb,
2128+ 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee,
2129+ 0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6,
2130+ 0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42,
2131+ 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b,
2132+ 0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2,
2133+ 0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb,
2134+ 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527,
2135+ 0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b,
2136+ 0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33,
2137+ 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c,
2138+ 0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3,
2139+ 0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc,
2140+ 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17,
2141+ 0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564,
2142+ 0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b,
2143+ 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115,
2144+ 0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922,
2145+ 0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728,
2146+ 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0,
2147+ 0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e,
2148+ 0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37,
2149+ 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d,
2150+ 0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804,
2151+ 0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b,
2152+ 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3,
2153+ 0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb,
2154+ 0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d,
2155+ 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c,
2156+ 0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350,
2157+ 0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9,
2158+ 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a,
2159+ 0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe,
2160+ 0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d,
2161+ 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc,
2162+ 0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f,
2163+ 0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61,
2164+ 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2,
2165+ 0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9,
2166+ 0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2,
2167+ 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c,
2168+ 0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e,
2169+ 0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633,
2170+ 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10,
2171+ 0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169,
2172+ 0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52,
2173+ 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027,
2174+ 0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5,
2175+ 0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62,
2176+ 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634,
2177+ 0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76,
2178+ 0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24,
2179+ 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc,
2180+ 0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4,
2181+ 0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c,
2182+ 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837,
2183+ 0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0
2184+ }, {
2185+ 0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b,
2186+ 0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe,
2187+ 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b,
2188+ 0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4,
2189+ 0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8,
2190+ 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6,
2191+ 0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304,
2192+ 0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22,
2193+ 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4,
2194+ 0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6,
2195+ 0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9,
2196+ 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59,
2197+ 0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593,
2198+ 0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51,
2199+ 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28,
2200+ 0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c,
2201+ 0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b,
2202+ 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28,
2203+ 0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c,
2204+ 0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd,
2205+ 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a,
2206+ 0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319,
2207+ 0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb,
2208+ 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f,
2209+ 0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991,
2210+ 0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32,
2211+ 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680,
2212+ 0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166,
2213+ 0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae,
2214+ 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb,
2215+ 0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5,
2216+ 0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47,
2217+ 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370,
2218+ 0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d,
2219+ 0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84,
2220+ 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048,
2221+ 0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8,
2222+ 0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd,
2223+ 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9,
2224+ 0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7,
2225+ 0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38,
2226+ 0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f,
2227+ 0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c,
2228+ 0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 0x9b941525,
2229+ 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1,
2230+ 0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442,
2231+ 0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964,
2232+ 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e,
2233+ 0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8,
2234+ 0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d,
2235+ 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f,
2236+ 0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299,
2237+ 0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02,
2238+ 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc,
2239+ 0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614,
2240+ 0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a,
2241+ 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6,
2242+ 0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b,
2243+ 0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0,
2244+ 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060,
2245+ 0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e,
2246+ 0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9,
2247+ 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f,
2248+ 0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6
2249+ }
2250+ }, {
2251+ 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344,
2252+ 0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89,
2253+ 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c,
2254+ 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917,
2255+ 0x9216d5d9, 0x8979fb1b
2256+ }
2257+};
2258+
2259+static unsigned char BF_itoa64[64 + 1] =
2260+ "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
2261+
2262+static unsigned char BF_atoi64[0x60] = {
2263+ 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 0, 1,
2264+ 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 64, 64, 64, 64, 64,
2265+ 64, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
2266+ 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 64, 64, 64, 64, 64,
2267+ 64, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42,
2268+ 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 64, 64, 64, 64, 64
2269+};
2270+
2271+/*
2272+ * This may be optimized out if built with function inlining and no BF_ASM.
2273+ */
2274+static void clean(void *data, int size)
2275+{
2276+#if BF_ASM
2277+ extern void _BF_clean(void *data);
2278+#endif
2279+ memset(data, 0, size);
2280+#if BF_ASM
2281+ _BF_clean(data);
2282+#endif
2283+}
2284+
2285+#define BF_safe_atoi64(dst, src) \
2286+{ \
2287+ tmp = (unsigned char)(src); \
2288+ if (tmp == '$') break; \
2289+ if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \
2290+ tmp = BF_atoi64[tmp]; \
2291+ if (tmp > 63) return -1; \
2292+ (dst) = tmp; \
2293+}
2294+
2295+static int BF_decode(BF_word *dst, __CONST char *src, int size)
2296+{
2297+ unsigned char *dptr = (unsigned char *)dst;
2298+ unsigned char *end = dptr + size;
2299+ unsigned char *sptr = (unsigned char *)src;
2300+ unsigned int tmp, c1, c2, c3, c4;
2301+
2302+ do {
2303+ BF_safe_atoi64(c1, *sptr++);
2304+ BF_safe_atoi64(c2, *sptr++);
2305+ *dptr++ = (c1 << 2) | ((c2 & 0x30) >> 4);
2306+ if (dptr >= end) break;
2307+
2308+ BF_safe_atoi64(c3, *sptr++);
2309+ *dptr++ = ((c2 & 0x0F) << 4) | ((c3 & 0x3C) >> 2);
2310+ if (dptr >= end) break;
2311+
2312+ BF_safe_atoi64(c4, *sptr++);
2313+ *dptr++ = ((c3 & 0x03) << 6) | c4;
2314+ } while (dptr < end);
2315+
2316+ while (dptr < end)
2317+ *dptr++ = 0;
2318+
2319+ return 0;
2320+}
2321+
2322+static void BF_encode(char *dst, __CONST BF_word *src, int size)
2323+{
2324+ unsigned char *sptr = (unsigned char *)src;
2325+ unsigned char *end = sptr + size;
2326+ unsigned char *dptr = (unsigned char *)dst;
2327+ unsigned int c1, c2;
2328+
2329+ do {
2330+ c1 = *sptr++;
2331+ *dptr++ = BF_itoa64[c1 >> 2];
2332+ c1 = (c1 & 0x03) << 4;
2333+ if (sptr >= end) {
2334+ *dptr++ = BF_itoa64[c1];
2335+ break;
2336+ }
2337+
2338+ c2 = *sptr++;
2339+ c1 |= c2 >> 4;
2340+ *dptr++ = BF_itoa64[c1];
2341+ c1 = (c2 & 0x0f) << 2;
2342+ if (sptr >= end) {
2343+ *dptr++ = BF_itoa64[c1];
2344+ break;
2345+ }
2346+
2347+ c2 = *sptr++;
2348+ c1 |= c2 >> 6;
2349+ *dptr++ = BF_itoa64[c1];
2350+ *dptr++ = BF_itoa64[c2 & 0x3f];
2351+ } while (sptr < end);
2352+}
2353+
2354+static void BF_swap(BF_word *x, int count)
2355+{
2356+ static int endianness_check = 1;
2357+ char *is_little_endian = (char *)&endianness_check;
2358+ BF_word tmp;
2359+
2360+ if (*is_little_endian)
2361+ do {
2362+ tmp = *x;
2363+ tmp = (tmp << 16) | (tmp >> 16);
2364+ *x++ = ((tmp & 0x00FF00FF) << 8) | ((tmp >> 8) & 0x00FF00FF);
2365+ } while (--count);
2366+}
2367+
2368+#if BF_SCALE
2369+/* Architectures which can shift addresses left by 2 bits with no extra cost */
2370+#define BF_ROUND(L, R, N) \
2371+ tmp1 = L & 0xFF; \
2372+ tmp2 = L >> 8; \
2373+ tmp2 &= 0xFF; \
2374+ tmp3 = L >> 16; \
2375+ tmp3 &= 0xFF; \
2376+ tmp4 = L >> 24; \
2377+ tmp1 = data.ctx.S[3][tmp1]; \
2378+ tmp2 = data.ctx.S[2][tmp2]; \
2379+ tmp3 = data.ctx.S[1][tmp3]; \
2380+ tmp3 += data.ctx.S[0][tmp4]; \
2381+ tmp3 ^= tmp2; \
2382+ R ^= data.ctx.P[N + 1]; \
2383+ tmp3 += tmp1; \
2384+ R ^= tmp3;
2385+#else
2386+/* Architectures with no complicated addressing modes supported */
2387+#define BF_INDEX(S, i) \
2388+ (*((BF_word *)(((unsigned char *)S) + (i))))
2389+#define BF_ROUND(L, R, N) \
2390+ tmp1 = L & 0xFF; \
2391+ tmp1 <<= 2; \
2392+ tmp2 = L >> 6; \
2393+ tmp2 &= 0x3FC; \
2394+ tmp3 = L >> 14; \
2395+ tmp3 &= 0x3FC; \
2396+ tmp4 = L >> 22; \
2397+ tmp4 &= 0x3FC; \
2398+ tmp1 = BF_INDEX(data.ctx.S[3], tmp1); \
2399+ tmp2 = BF_INDEX(data.ctx.S[2], tmp2); \
2400+ tmp3 = BF_INDEX(data.ctx.S[1], tmp3); \
2401+ tmp3 += BF_INDEX(data.ctx.S[0], tmp4); \
2402+ tmp3 ^= tmp2; \
2403+ R ^= data.ctx.P[N + 1]; \
2404+ tmp3 += tmp1; \
2405+ R ^= tmp3;
2406+#endif
2407+
2408+/*
2409+ * Encrypt one block, BF_N is hardcoded here.
2410+ */
2411+#define BF_ENCRYPT \
2412+ L ^= data.ctx.P[0]; \
2413+ BF_ROUND(L, R, 0); \
2414+ BF_ROUND(R, L, 1); \
2415+ BF_ROUND(L, R, 2); \
2416+ BF_ROUND(R, L, 3); \
2417+ BF_ROUND(L, R, 4); \
2418+ BF_ROUND(R, L, 5); \
2419+ BF_ROUND(L, R, 6); \
2420+ BF_ROUND(R, L, 7); \
2421+ BF_ROUND(L, R, 8); \
2422+ BF_ROUND(R, L, 9); \
2423+ BF_ROUND(L, R, 10); \
2424+ BF_ROUND(R, L, 11); \
2425+ BF_ROUND(L, R, 12); \
2426+ BF_ROUND(R, L, 13); \
2427+ BF_ROUND(L, R, 14); \
2428+ BF_ROUND(R, L, 15); \
2429+ tmp4 = R; \
2430+ R = L; \
2431+ L = tmp4 ^ data.ctx.P[BF_N + 1];
2432+
2433+#if BF_ASM
2434+#define BF_body() \
2435+ _BF_body_r(&data.ctx);
2436+#else
2437+#define BF_body() \
2438+ L = R = 0; \
2439+ ptr = data.ctx.P; \
2440+ do { \
2441+ ptr += 2; \
2442+ BF_ENCRYPT; \
2443+ *(ptr - 2) = L; \
2444+ *(ptr - 1) = R; \
2445+ } while (ptr < &data.ctx.P[BF_N + 2]); \
2446+\
2447+ ptr = data.ctx.S[0]; \
2448+ do { \
2449+ ptr += 2; \
2450+ BF_ENCRYPT; \
2451+ *(ptr - 2) = L; \
2452+ *(ptr - 1) = R; \
2453+ } while (ptr < &data.ctx.S[3][0xFF]);
2454+#endif
2455+
2456+static void BF_set_key(__CONST char *key, BF_key expanded, BF_key initial)
2457+{
2458+ __CONST char *ptr = key;
2459+ int i, j;
2460+ BF_word tmp;
2461+
2462+ for (i = 0; i < BF_N + 2; i++) {
2463+ tmp = 0;
2464+ for (j = 0; j < 4; j++) {
2465+ tmp <<= 8;
2466+ tmp |= *ptr;
2467+
2468+ if (!*ptr) ptr = key; else ptr++;
2469+ }
2470+
2471+ expanded[i] = tmp;
2472+ initial[i] = BF_init_state.P[i] ^ tmp;
2473+ }
2474+}
2475+
2476+char *_crypt_blowfish_rn(__CONST char *key, __CONST char *setting,
2477+ char *output, int size)
2478+{
2479+#if BF_ASM
2480+ extern void _BF_body_r(BF_ctx *ctx);
2481+#endif
2482+ struct {
2483+ BF_ctx ctx;
2484+ BF_key expanded_key;
2485+ union {
2486+ BF_word salt[4];
2487+ BF_word output[6];
2488+ } binary;
2489+ } data;
2490+ BF_word L, R;
2491+ BF_word tmp1, tmp2, tmp3, tmp4;
2492+ BF_word *ptr;
2493+ BF_word count;
2494+ int i;
2495+
2496+ if (size < 7 + 22 + 31 + 1) {
2497+ __set_errno(ERANGE);
2498+ return NULL;
2499+ }
2500+
2501+ if (setting[0] != '$' ||
2502+ setting[1] != '2' ||
2503+ setting[2] != 'a' ||
2504+ setting[3] != '$' ||
2505+ setting[4] < '0' || setting[4] > '3' ||
2506+ setting[5] < '0' || setting[5] > '9' ||
2507+ setting[6] != '$') {
2508+ __set_errno(EINVAL);
2509+ return NULL;
2510+ }
2511+
2512+ count = (BF_word)1 << ((setting[4] - '0') * 10 + (setting[5] - '0'));
2513+ if (count < 16 || BF_decode(data.binary.salt, &setting[7], 16)) {
2514+ clean(data.binary.salt, sizeof(data.binary.salt));
2515+ __set_errno(EINVAL);
2516+ return NULL;
2517+ }
2518+
2519+ BF_swap(data.binary.salt, 4);
2520+
2521+ BF_set_key(key, data.expanded_key, data.ctx.P);
2522+
2523+ memcpy(data.ctx.S, BF_init_state.S, sizeof(data.ctx.S));
2524+
2525+ L = R = 0;
2526+ for (i = 0; i < BF_N + 2; i += 2) {
2527+ L ^= data.binary.salt[i & 2];
2528+ R ^= data.binary.salt[(i & 2) + 1];
2529+ BF_ENCRYPT;
2530+ data.ctx.P[i] = L;
2531+ data.ctx.P[i + 1] = R;
2532+ }
2533+
2534+ ptr = data.ctx.S[0];
2535+ do {
2536+ ptr += 4;
2537+ L ^= data.binary.salt[(BF_N + 2) & 3];
2538+ R ^= data.binary.salt[(BF_N + 3) & 3];
2539+ BF_ENCRYPT;
2540+ *(ptr - 4) = L;
2541+ *(ptr - 3) = R;
2542+
2543+ L ^= data.binary.salt[(BF_N + 4) & 3];
2544+ R ^= data.binary.salt[(BF_N + 5) & 3];
2545+ BF_ENCRYPT;
2546+ *(ptr - 2) = L;
2547+ *(ptr - 1) = R;
2548+ } while (ptr < &data.ctx.S[3][0xFF]);
2549+
2550+ do {
2551+ data.ctx.P[0] ^= data.expanded_key[0];
2552+ data.ctx.P[1] ^= data.expanded_key[1];
2553+ data.ctx.P[2] ^= data.expanded_key[2];
2554+ data.ctx.P[3] ^= data.expanded_key[3];
2555+ data.ctx.P[4] ^= data.expanded_key[4];
2556+ data.ctx.P[5] ^= data.expanded_key[5];
2557+ data.ctx.P[6] ^= data.expanded_key[6];
2558+ data.ctx.P[7] ^= data.expanded_key[7];
2559+ data.ctx.P[8] ^= data.expanded_key[8];
2560+ data.ctx.P[9] ^= data.expanded_key[9];
2561+ data.ctx.P[10] ^= data.expanded_key[10];
2562+ data.ctx.P[11] ^= data.expanded_key[11];
2563+ data.ctx.P[12] ^= data.expanded_key[12];
2564+ data.ctx.P[13] ^= data.expanded_key[13];
2565+ data.ctx.P[14] ^= data.expanded_key[14];
2566+ data.ctx.P[15] ^= data.expanded_key[15];
2567+ data.ctx.P[16] ^= data.expanded_key[16];
2568+ data.ctx.P[17] ^= data.expanded_key[17];
2569+
2570+ BF_body();
2571+
2572+ tmp1 = data.binary.salt[0];
2573+ tmp2 = data.binary.salt[1];
2574+ tmp3 = data.binary.salt[2];
2575+ tmp4 = data.binary.salt[3];
2576+ data.ctx.P[0] ^= tmp1;
2577+ data.ctx.P[1] ^= tmp2;
2578+ data.ctx.P[2] ^= tmp3;
2579+ data.ctx.P[3] ^= tmp4;
2580+ data.ctx.P[4] ^= tmp1;
2581+ data.ctx.P[5] ^= tmp2;
2582+ data.ctx.P[6] ^= tmp3;
2583+ data.ctx.P[7] ^= tmp4;
2584+ data.ctx.P[8] ^= tmp1;
2585+ data.ctx.P[9] ^= tmp2;
2586+ data.ctx.P[10] ^= tmp3;
2587+ data.ctx.P[11] ^= tmp4;
2588+ data.ctx.P[12] ^= tmp1;
2589+ data.ctx.P[13] ^= tmp2;
2590+ data.ctx.P[14] ^= tmp3;
2591+ data.ctx.P[15] ^= tmp4;
2592+ data.ctx.P[16] ^= tmp1;
2593+ data.ctx.P[17] ^= tmp2;
2594+
2595+ BF_body();
2596+ } while (--count);
2597+
2598+ for (i = 0; i < 6; i += 2) {
2599+ L = BF_magic_w[i];
2600+ R = BF_magic_w[i + 1];
2601+
2602+ count = 64;
2603+ do {
2604+ BF_ENCRYPT;
2605+ } while (--count);
2606+
2607+ data.binary.output[i] = L;
2608+ data.binary.output[i + 1] = R;
2609+ }
2610+
2611+ memcpy(output, setting, 7 + 22 - 1);
2612+ output[7 + 22 - 1] = BF_itoa64[(int)
2613+ BF_atoi64[(int)setting[7 + 22 - 1] - 0x20] & 0x30];
2614+
2615+/* This has to be bug-compatible with the original implementation, so
2616+ * only encode 23 of the 24 bytes. :-) */
2617+ BF_swap(data.binary.output, 6);
2618+ BF_encode(&output[7 + 22], data.binary.output, 23);
2619+ output[7 + 22 + 31] = '\0';
2620+
2621+/* Overwrite the most obvious sensitive data we have on the stack. Note
2622+ * that this does not guarantee there's no sensitive data left on the
2623+ * stack and/or in registers; I'm not aware of portable code that does. */
2624+ clean(&data, sizeof(data));
2625+
2626+ return output;
2627+}
2628+
2629+char *_crypt_gensalt_blowfish_rn(unsigned long count,
2630+ __CONST char *input, int size, char *output, int output_size)
2631+{
2632+ if (size < 16 || output_size < 7 + 22 + 1 ||
2633+ (count && (count < 4 || count > 31))) {
2634+ if (output_size > 0) output[0] = '\0';
2635+ __set_errno((output_size < 7 + 22 + 1) ? ERANGE : EINVAL);
2636+ return NULL;
2637+ }
2638+
2639+ if (!count) count = 5;
2640+
2641+ output[0] = '$';
2642+ output[1] = '2';
2643+ output[2] = 'a';
2644+ output[3] = '$';
2645+ output[4] = '0' + count / 10;
2646+ output[5] = '0' + count % 10;
2647+ output[6] = '$';
2648+
2649+ BF_encode(&output[7], (BF_word *)input, 16);
2650+ output[7 + 22] = '\0';
2651+
2652+ return output;
2653+}
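Review bot: BF_set_key sign-extends password bytes above 0x7F: `tmp |= *ptr;` reads through a `__CONST char *`, and plain char is signed on most targets, so a byte such as 0xC3 ORs 0xFFFFFFC3 into the key word and overwrites the bytes already shifted in; the line should be `tmp |= (unsigned char)*ptr;`. Because that changes the hashes produced for non-ASCII passwords, hashes already stored by this build would stop verifying for such inputs, so the fix needs a documented migration (the crypt_blowfish upstream later signalled the corrected key schedule with a distinct setting prefix rather than silently changing `$2a$`). Separately, _crypt_blowfish_rn accepts cost digits 00–39 but computes `count = (BF_word)1 << cost`, and a shift of 32 or more on a 32-bit BF_word is undefined behaviour; since `setting` comes straight from the PHP-level salt argument, reject costs above 31 in the validation chain with `(setting[4] == '3' && setting[5] > '1') ||`. _crypt_gensalt_blowfish_rn already limits generated costs to 4–31, so only caller-supplied settings reach that path.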
2654diff -Nura php-4.4.3/ext/standard/crypt.c hardening-patch-4.4.3-0.4.15/ext/standard/crypt.c
2655--- php-4.4.3/ext/standard/crypt.c 2006-01-01 14:46:57.000000000 +0100
2656+++ hardening-patch-4.4.3-0.4.15/ext/standard/crypt.c 2006-09-05 20:30:45.000000000 +0200
2657@@ -100,6 +100,8 @@
2658 return SUCCESS;
2659 }
2660
2661+char *_crypt_blowfish_rn(char *key, char *setting, char *output, int size);
2662+char *_crypt_gensalt_blowfish_rn(unsigned long count, char *input, int size, char *output, int output_size);
2663
2664 static unsigned char itoa64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
2665
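Review bot: The prototypes added here declare `key`, `setting` and `input` as plain `char *`, while the definitions in crypt_blowfish.c use `__CONST char *` (which the file expands to `__const`, GCC's spelling of `const`), so the two translation units see incompatible function types — something C does not permit even when the calling convention happens to match. Declare them as `char *_crypt_blowfish_rn(const char *key, const char *setting, char *output, int size);` and `char *_crypt_gensalt_blowfish_rn(unsigned long count, const char *input, int size, char *output, int output_size);`, and ideally move both into a header that crypt_blowfish.c also includes so the compiler checks the match.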
2666@@ -135,7 +137,14 @@
2667
2668 /* The automatic salt generation only covers standard DES and md5-crypt */
2669 if(!*salt) {
2670-#if PHP_MD5_CRYPT
2671+#if PHP_BLOWFISH_CRYPT
2672+ char randat[16];
2673+ int i;
2674+
2675+ for (i=0; i<16; i++) randat[i] = PHP_CRYPT_RAND;
2676+
2677+ _crypt_gensalt_blowfish_rn(5, randat, sizeof(randat), salt, sizeof(salt));
2678+#elif PHP_MD5_CRYPT
2679 strcpy(salt, "$1$");
2680 php_to64(&salt[3], PHP_CRYPT_RAND, 4);
2681 php_to64(&salt[7], PHP_CRYPT_RAND, 4);
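Review bot: The return value of `_crypt_gensalt_blowfish_rn(5, randat, sizeof(randat), salt, sizeof(salt))` is discarded; when it fails it writes an empty string into `salt`, the `$2a$` check further down then fails, and the system crypt() is called with an empty salt, whose result is platform-defined — the error is silently turned into a different hash. It fails only when `salt` is shorter than 30 bytes, which depends on the declaration above the hunk, but the check costs one line: `if (!_crypt_gensalt_blowfish_rn(5, randat, sizeof(randat), salt, sizeof(salt))) RETURN_FALSE;`. `sizeof(salt)` is only right if `salt` is declared as an array in the part of the function above the hunk; if it is a pointer this passes the pointer size. The hard-coded cost `5` deserves a named constant with a comment, since it is the work factor a defender will want to raise over time, and the salt bytes come from PHP_CRYPT_RAND, whose entropy source is not visible here — if that is the engine's general-purpose PRNG rather than an OS entropy source, the 16 salt bytes are predictable, which weakens bcrypt's per-hash salting and is worth confirming.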
2682@@ -145,8 +154,24 @@
2683 salt[2] = '\0';
2684 #endif
2685 }
2686-
2687- RETVAL_STRING(crypt(str, salt), 1);
2688+
2689+ if (salt[0] == '$' &&
2690+ salt[1] == '2' &&
2691+ salt[2] == 'a' &&
2692+ salt[3] == '$' &&
2693+ salt[4] >= '0' && salt[4] <= '3' &&
2694+ salt[5] >= '0' && salt[5] <= '9' &&
2695+ salt[6] == '$') {
2696+
2697+ char output[PHP_MAX_SALT_LEN+1];
2698+
2699+ output[0] = 0;
2700+ _crypt_blowfish_rn(str, salt, output, sizeof(output));
2701+ RETVAL_STRING(output, 1);
2702+
2703+ } else {
2704+ RETVAL_STRING(crypt(str, salt), 1);
2705+ }
2706 }
2707 /* }}} */
2708 #endif
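Review bot: The result of `_crypt_blowfish_rn(str, salt, output, sizeof(output))` is ignored; when it returns NULL (salt with characters outside the bcrypt alphabet, cost below 4, or an `output` buffer shorter than the 61 bytes it requires) `output` is still the empty string set on the line before, so crypt() returns "" as though it were a hash. A caller that stores or compares that value cannot tell it from a failure; check the pointer, e.g. `if (!_crypt_blowfish_rn(str, salt, output, sizeof(output))) RETURN_FALSE;`, or at least raise a warning before returning. Whether `PHP_MAX_SALT_LEN+1` is at least 61 cannot be checked from here; if it is smaller every bcrypt call fails with ERANGE and this branch always returns "", so sizing `output` explicitly for the 7+22+31+1 bytes bcrypt produces (with a comment) would make the requirement visible. The prefix test duplicates the one inside _crypt_blowfish_rn, which is fine for dispatch but should say so in a comment so the two are kept in step.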
2709diff -Nura php-4.4.3/ext/standard/dl.c hardening-patch-4.4.3-0.4.15/ext/standard/dl.c
2710--- php-4.4.3/ext/standard/dl.c 2006-01-01 14:46:57.000000000 +0100
2711+++ hardening-patch-4.4.3-0.4.15/ext/standard/dl.c 2006-09-05 20:30:45.000000000 +0200
2712@@ -160,8 +160,35 @@
2713 RETURN_FALSE;
2714 }
2715 module_entry = get_module();
2716+
2717+ /* check if Hardening-Patch is installed */
2718+ if (module_entry->zend_api < 1000000000) {
2719+ php_error_docref(NULL TSRMLS_CC, error_type,
2720+ "%s: Unable to initialize module\n"
2721+ "Module compiled without Hardening-Patch, module API=%d, debug=%d, thread-safety=%d\n"
2722+ "PHP compiled with Hardening-Patch=%d, module API=%d, debug=%d, thread-safety=%d\n"
2723+ "These options need to match\n",
2724+ module_entry->name, module_entry->zend_api, module_entry->zend_debug, module_entry->zts,
2725+ HARDENING_PATCH_ZEND_MODULE_API_NO, ZEND_MODULE_API_NO, ZEND_DEBUG, USING_ZTS);
2726+ DL_UNLOAD(handle);
2727+ RETURN_FALSE;
2728+ }
2729+
2730+ /* check if correct Hardening-Patch is installed */
2731+ if (module_entry->zend_api != HARDENING_PATCH_ZEND_MODULE_API_NO) {
2732+ php_error_docref(NULL TSRMLS_CC, error_type,
2733+ "%s: Unable to initialize module\n"
2734+ "Module compiled with Hardening-Patch=%d, module API=%d, debug=%d, thread-safety=%d\n"
2735+ "PHP compiled with Hardening-Patch=%d, module API=%d, debug=%d, thread-safety=%d\n"
2736+ "These options need to match\n",
2737+ module_entry->name, module_entry->zend_api, module_entry->real_zend_api, module_entry->zend_debug, module_entry->zts,
2738+ HARDENING_PATCH_ZEND_MODULE_API_NO, ZEND_MODULE_API_NO, ZEND_DEBUG, USING_ZTS);
2739+ DL_UNLOAD(handle);
2740+ RETURN_FALSE;
2741+ }
2742+
2743 if ((module_entry->zend_debug != ZEND_DEBUG) || (module_entry->zts != USING_ZTS)
2744- || (module_entry->zend_api != ZEND_MODULE_API_NO)) {
2745+ || (module_entry->real_zend_api != ZEND_MODULE_API_NO)) {
2746 /* Check for pre-4.1.0 module which has a slightly different module_entry structure :( */
2747 struct pre_4_1_0_module_entry {
2748 char *name;
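Review bot: The bare `1000000000` in `module_entry->zend_api < 1000000000` is a magic threshold that duplicates knowledge of how `HARDENING_PATCH_ZEND_MODULE_API_NO` is encoded; give it a name beside that define, e.g. `#define HARDENING_PATCH_API_MIN 1000000000`, and compare against it so the two cannot drift apart. Both new checks also run before the pre-4.1.0 detection in the original `if` that follows, so a legacy module whose entry has the older layout now has its first fields read as `zend_api`/`zend_debug`/`zts` and is reported as "compiled without Hardening-Patch" instead of as an old module; if that is intended, a comment saying so would help the next reader. The rest of dl()'s body runs past the hunk.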
2749@@ -195,7 +222,7 @@
2750 zts = ((struct pre_4_1_0_module_entry *)module_entry)->zts;
2751 } else {
2752 name = module_entry->name;
2753- zend_api = module_entry->zend_api;
2754+ zend_api = module_entry->real_zend_api;
2755 zend_debug = module_entry->zend_debug;
2756 zts = module_entry->zts;
2757 }
2758diff -Nura php-4.4.3/ext/standard/file.c hardening-patch-4.4.3-0.4.15/ext/standard/file.c
2759--- php-4.4.3/ext/standard/file.c 2006-04-14 19:46:59.000000000 +0200
2760+++ hardening-patch-4.4.3-0.4.15/ext/standard/file.c 2006-09-05 20:30:45.000000000 +0200
2761@@ -2527,7 +2527,7 @@
2762 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
2763 /* {{{ proto string realpath(string path)
2764 Return the resolved path */
2765-PHP_FUNCTION(realpath)
2766+PHP_FUNCTION(real_path)
2767 {
2768 zval **path;
2769 char resolved_path_buff[MAXPATHLEN];
2770diff -Nura php-4.4.3/ext/standard/file.h hardening-patch-4.4.3-0.4.15/ext/standard/file.h
2771--- php-4.4.3/ext/standard/file.h 2006-01-01 14:46:57.000000000 +0100
2772+++ hardening-patch-4.4.3-0.4.15/ext/standard/file.h 2006-09-05 20:30:45.000000000 +0200
2773@@ -64,7 +64,7 @@
2774 PHP_FUNCTION(fd_set);
2775 PHP_FUNCTION(fd_isset);
2776 #if (!defined(__BEOS__) && !defined(NETWARE) && HAVE_REALPATH) || defined(ZTS)
2777-PHP_FUNCTION(realpath);
2778+PHP_FUNCTION(real_path);
2779 #endif
2780 #ifdef HAVE_FNMATCH
2781 PHP_FUNCTION(fnmatch);
2782diff -Nura php-4.4.3/ext/standard/head.c hardening-patch-4.4.3-0.4.15/ext/standard/head.c
2783--- php-4.4.3/ext/standard/head.c 2006-01-01 14:46:57.000000000 +0100
2784+++ hardening-patch-4.4.3-0.4.15/ext/standard/head.c 2006-09-05 20:30:45.000000000 +0200
2785@@ -44,7 +44,7 @@
2786 if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|bl", &ctr.line,
2787 &ctr.line_len, &rep, &ctr.response_code) == FAILURE)
2788 return;
2789-
2790+
2791 sapi_header_op(rep ? SAPI_HEADER_REPLACE:SAPI_HEADER_ADD, &ctr TSRMLS_CC);
2792 }
2793 /* }}} */
2794diff -Nura php-4.4.3/ext/standard/mail.c hardening-patch-4.4.3-0.4.15/ext/standard/mail.c
2795--- php-4.4.3/ext/standard/mail.c 2006-01-01 14:46:57.000000000 +0100
2796+++ hardening-patch-4.4.3-0.4.15/ext/standard/mail.c 2006-09-05 20:30:45.000000000 +0200
2797@@ -78,6 +78,25 @@
2798 }
2799 /* }}} */
2800
2801+/* {{{ hphp_strcasestr */
2802+char *hphp_strcasestr(char *haystack, char *needle)
2803+{
2804+ unsigned char *t, *h, *n;
2805+
2806+ h = (unsigned char *) haystack;
2807+conts:
2808+ while (*h) {
2809+ n = (unsigned char *) needle;
2810+ for (t=h++; *n && *h; t++, n++) {
2811+ if (toupper(*t) != toupper(*n)) goto conts;
2812+ }
2813+ return ((char*)h-1);
2814+ }
2815+
2816+ return (NULL);
2817+}
2818+/* }}} */
2819+
2820 /* {{{ proto int mail(string to, string subject, string message [, string additional_headers [, string additional_parameters]])
2821 Send an email message */
2822 PHP_FUNCTION(mail)
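Review bot: `hphp_strcasestr()` reports a false match at the last character of any haystack: the inner `for` guards on `*h`, which after `t=h++` is the character following the candidate start, so when the candidate is the final character the body never runs and `return ((char*)h-1)` fires with nothing compared (needle `"\nto:"` against `"Subject: hi"` yields a pointer to the trailing `i`). The same guard also lets the loop stop at end-of-haystack with needle characters still unmatched. Guard on the candidate and require the needle to be exhausted: `for (t=h++; *n && *t; t++, n++) {` and, after the loop, `if (*n) goto conts;` before the return. As written, every mail() call that passes non-empty headers under `hphp_mailprotect > 1` is rejected as a To: injection by the `hphp_strcasestr(headers, "\nto:")` test in the next hunk.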
2823@@ -103,6 +122,44 @@
2824 return;
2825 }
2826
2827+ if (HG(hphp_mailprotect) > 0) {
2828+ if (headers_len > 0 && headers && (strstr(headers,"\n\n") || strstr(headers,"\r\n\r\n")) ) {
2829+ php_security_log(S_MAIL, "mail() - double newline in headers, possible injection, mail dropped");
2830+ RETURN_FALSE;
2831+ }
2832+
2833+ /* check for spam attempts with buggy webforms */
2834+ if (to_len > 0 && to && (strchr(to, '\n') != NULL || strchr(to, '\r') != NULL)) {
2835+ php_security_log(S_MAIL, "mail() - newline in to header, possible injection, mail dropped");
2836+ RETURN_FALSE;
2837+ }
2838+
2839+ if (subject_len > 0 && subject && (strchr(subject, '\n') != NULL || strchr(subject, '\r') != NULL)) {
2840+ php_security_log(S_MAIL, "mail() - newline subject header, possible injection, mail dropped");
2841+ RETURN_FALSE;
2842+ }
2843+
2844+ if (HG(hphp_mailprotect) > 1) {
2845+ /* search for to, cc or bcc headers */
2846+ if (headers_len > 0 && headers != NULL) {
2847+ if (strncasecmp(headers, "to:", sizeof("to:") - 1) == 0 || hphp_strcasestr(headers, "\nto:")) {
2848+ php_security_log(S_MAIL, "mail() - To: headers aren't allowed in the headers parameter.");
2849+ RETURN_FALSE;
2850+ }
2851+
2852+ if (strncasecmp(headers, "cc:", sizeof("cc:") - 1) == 0 || hphp_strcasestr(headers, "\ncc:")) {
2853+ php_security_log(S_MAIL, "mail() - CC: headers aren't allowed in the headers parameter.");
2854+ RETURN_FALSE;
2855+ }
2856+
2857+ if (strncasecmp(headers, "bcc:", sizeof("bcc:") - 1) == 0 || hphp_strcasestr(headers, "\nbcc:")) {
2858+ php_security_log(S_MAIL, "mail() - BCC: headers aren't allowed in the headers parameter.");
2859+ RETURN_FALSE;
2860+ }
2861+ }
2862+ }
2863+ }
2864+
2865 if (to_len > 0) {
2866 to_r = estrndup(to, to_len);
2867 for (; to_len; to_len--) {
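Review bot: The header-block terminator check `strstr(headers,"\n\n") || strstr(headers,"\r\n\r\n")` misses mixed sequences such as `"\n\r\n"` or `"\r\n\n"`, which also end the header section for MTAs that accept either line ending, so a body injection built from them passes level 1 without being logged. Extend the test, e.g. `|| strstr(headers,"\n\r\n") || strstr(headers,"\r\n\n")`, or scan for any two consecutive CR/LF bytes. The level-2 searches only look for `"\nto:"`, `"\ncc:"` and `"\nbcc:"`, so a header introduced by a bare `\r` is not seen; whether the local sendmail treats a bare CR as a line break varies, so at least a comment recording that assumption belongs here. mail()'s body continues beyond the hunk.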
2868diff -Nura php-4.4.3/ext/standard/php_standard.h hardening-patch-4.4.3-0.4.15/ext/standard/php_standard.h
2869--- php-4.4.3/ext/standard/php_standard.h 2006-01-01 14:46:58.000000000 +0100
2870+++ hardening-patch-4.4.3-0.4.15/ext/standard/php_standard.h 2006-09-05 20:30:45.000000000 +0200
2871@@ -28,6 +28,7 @@
2872 #include "php_mail.h"
2873 #include "md5.h"
2874 #include "sha1.h"
2875+#include "sha256.h"
2876 #include "html.h"
2877 #include "exec.h"
2878 #include "file.h"
2879diff -Nura php-4.4.3/ext/standard/scanf.c hardening-patch-4.4.3-0.4.15/ext/standard/scanf.c
2880--- php-4.4.3/ext/standard/scanf.c 2006-01-01 14:46:58.000000000 +0100
2881+++ hardening-patch-4.4.3-0.4.15/ext/standard/scanf.c 2006-09-05 20:30:45.000000000 +0200
2882@@ -16,7 +16,7 @@
2883 +----------------------------------------------------------------------+
2884 */
2885
2886-/* $Id: scanf.c,v 1.16.4.9.2.1 2006/01/01 13:46:58 sniper Exp $ */
2887+/* $Id: scanf.c,v 1.16.4.9.2.2 2006/08/04 11:59:50 tony2001 Exp $ */
2888
2889 /*
2890 scanf.c --
2891@@ -732,7 +732,7 @@
2892 if (*end == '$') {
2893 format = end+1;
2894 ch = format++;
2895- objIndex = varStart + value;
2896+ objIndex = varStart + value - 1;
2897 }
2898 }
2899
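Review bot: `objIndex = varStart + value - 1` maps a positional index of 0 to `args[varStart - 1]`, one slot before the first variable, and the `objIndex >= argCount` guards added further down in this file only protect the upper end. That is safe only if the format validation pass that runs before this point rejects `%0$`; that pass is outside the hunk, so either confirm it or reject `value < 1` here as well. A comment such as `/* %n$ is 1-based; 0 must already have been rejected by format validation */` on this line would record the assumption. The enclosing function starts and ends outside the hunk.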
2900@@ -762,8 +762,10 @@
2901 switch (*ch) {
2902 case 'n':
2903 if (!(flags & SCAN_SUPPRESS)) {
2904- if (numVars) {
2905- current = args[objIndex++];
2906+ if (numVars && objIndex >= argCount) {
2907+ break;
2908+ } else if (numVars) {
2909+ current = args[objIndex++];
2910 zval_dtor( *current );
2911 ZVAL_LONG( *current, (long)(string - baseString) );
2912 } else {
2913@@ -883,8 +885,10 @@
2914 }
2915 }
2916 if (!(flags & SCAN_SUPPRESS)) {
2917- if (numVars) {
2918- current = args[objIndex++];
2919+ if (numVars && objIndex >= argCount) {
2920+ break;
2921+ } else if (numVars) {
2922+ current = args[objIndex++];
2923 zval_dtor( *current );
2924 ZVAL_STRINGL( *current, string, end-string, 1);
2925 } else {
2926@@ -922,7 +926,9 @@
2927 goto done;
2928 }
2929 if (!(flags & SCAN_SUPPRESS)) {
2930- if (numVars) {
2931+ if (numVars && objIndex >= argCount) {
2932+ break;
2933+ } else if (numVars) {
2934 current = args[objIndex++];
2935 zval_dtor( *current );
2936 ZVAL_STRINGL( *current, string, end-string, 1);
2937@@ -1079,8 +1085,10 @@
2938 value = (int) (*fn)(buf, NULL, base);
2939 if ((flags & SCAN_UNSIGNED) && (value < 0)) {
2940 sprintf(buf, "%u", value); /* INTL: ISO digit */
2941- if (numVars) {
2942- /* change passed value type to string */
2943+ if (numVars && objIndex >= argCount) {
2944+ break;
2945+ } else if (numVars) {
2946+ /* change passed value type to string */
2947 current = args[objIndex++];
2948 convert_to_string( *current );
2949 ZVAL_STRING( *current, buf, 1 );
2950@@ -1088,7 +1096,9 @@
2951 add_index_string(*return_value, objIndex++, buf, 1);
2952 }
2953 } else {
2954- if (numVars) {
2955+ if (numVars && objIndex >= argCount) {
2956+ break;
2957+ } else if (numVars) {
2958 current = args[objIndex++];
2959 convert_to_long( *current );
2960 Z_LVAL(**current) = value;
2961@@ -1196,7 +1206,9 @@
2962 double dvalue;
2963 *end = '\0';
2964 dvalue = zend_strtod(buf, NULL);
2965- if (numVars) {
2966+ if (numVars && objIndex >= argCount) {
2967+ break;
2968+ } else if (numVars) {
2969 current = args[objIndex++];
2970 convert_to_double( *current );
2971 Z_DVAL_PP( current ) = dvalue;
2972diff -Nura php-4.4.3/ext/standard/sha256.c hardening-patch-4.4.3-0.4.15/ext/standard/sha256.c
2973--- php-4.4.3/ext/standard/sha256.c 1970-01-01 01:00:00.000000000 +0100
2974+++ hardening-patch-4.4.3-0.4.15/ext/standard/sha256.c 2006-09-05 20:30:45.000000000 +0200
2975@@ -0,0 +1,398 @@
2976+/*
2977+ +----------------------------------------------------------------------+
2978+ | PHP Version 5 |
2979+ +----------------------------------------------------------------------+
2980+ | Copyright (c) 1997-2004 The PHP Group |
2981+ +----------------------------------------------------------------------+
2982+ | This source file is subject to version 3.0 of the PHP license, |
2983+ | that is bundled with this package in the file LICENSE, and is |
2984+ | available through the world-wide-web at the following url: |
2985+ | http://www.php.net/license/3_0.txt. |
2986+ | If you did not receive a copy of the PHP license and are unable to |
2987+ | obtain it through the world-wide-web, please send a note to |
2988+ | license@php.net so we can mail you a copy immediately. |
2989+ +----------------------------------------------------------------------+
2990+ | Author: Stefan Esser <sesser@php.net> |
2991+ +----------------------------------------------------------------------+
2992+*/
2993+
2994+/* $Id: sha256.c,v 1.9 2004/01/08 08:17:34 andi Exp $ */
2995+
2996+#include <stdio.h>
2997+#include "php.h"
2998+
2999+/* This code is heavily based on the PHP md5/sha1 implementations */
3000+
3001+#include "sha256.h"
3002+
3003+PHPAPI void make_sha256_digest(char *sha256str, unsigned char *digest)
3004+{
3005+ int i;
3006+
3007+ for (i = 0; i < 32; i++) {
3008+ sprintf(sha256str, "%02x", digest[i]);
3009+ sha256str += 2;
3010+ }
3011+
3012+ *sha256str = '\0';
3013+}
3014+
3015+/* {{{ proto string sha256(string str [, bool raw_output])
3016+ Calculate the sha256 hash of a string */
3017+PHP_FUNCTION(sha256)
3018+{
3019+ char *arg;
3020+ int arg_len;
3021+ zend_bool raw_output = 0;
3022+ char sha256str[65];
3023+ PHP_SHA256_CTX context;
3024+ unsigned char digest[32];
3025+
3026+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &arg, &arg_len, &raw_output) == FAILURE) {
3027+ return;
3028+ }
3029+
3030+ sha256str[0] = '\0';
3031+ PHP_SHA256Init(&context);
3032+ PHP_SHA256Update(&context, arg, arg_len);
3033+ PHP_SHA256Final(digest, &context);
3034+ if (raw_output) {
3035+ RETURN_STRINGL(digest, 32, 1);
3036+ } else {
3037+ make_sha256_digest(sha256str, digest);
3038+ RETVAL_STRING(sha256str, 1);
3039+ }
3040+
3041+}
3042+
3043+/* }}} */
3044+
3045+/* {{{ proto string sha256_file(string filename [, bool raw_output])
3046+ Calculate the sha256 hash of given filename */
3047+PHP_FUNCTION(sha256_file)
3048+{
3049+ char *arg;
3050+ int arg_len;
3051+ zend_bool raw_output = 0;
3052+ char sha256str[65];
3053+ unsigned char buf[1024];
3054+ unsigned char digest[32];
3055+ PHP_SHA256_CTX context;
3056+ int n;
3057+ FILE *fp;
3058+
3059+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &arg, &arg_len, &raw_output) == FAILURE) {
3060+ return;
3061+ }
3062+
3063+ if (PG(safe_mode) && (!php_checkuid(arg, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
3064+ RETURN_FALSE;
3065+ }
3066+
3067+ if (php_check_open_basedir(arg TSRMLS_CC)) {
3068+ RETURN_FALSE;
3069+ }
3070+
3071+ if ((fp = VCWD_FOPEN(arg, "rb")) == NULL) {
3072+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to open file");
3073+ RETURN_FALSE;
3074+ }
3075+
3076+ PHP_SHA256Init(&context);
3077+
3078+ while ((n = fread(buf, 1, sizeof(buf), fp)) > 0) {
3079+ PHP_SHA256Update(&context, buf, n);
3080+ }
3081+
3082+ PHP_SHA256Final(digest, &context);
3083+
3084+ if (ferror(fp)) {
3085+ fclose(fp);
3086+ RETURN_FALSE;
3087+ }
3088+
3089+ fclose(fp);
3090+
3091+ if (raw_output) {
3092+ RETURN_STRINGL(digest, 32, 1);
3093+ } else {
3094+ make_sha256_digest(sha256str, digest);
3095+ RETVAL_STRING(sha256str, 1);
3096+ }
3097+}
3098+/* }}} */
3099+
3100+
3101+static void SHA256Transform(php_uint32[8], const unsigned char[64]);
3102+static void SHA256Encode(unsigned char *, php_uint32 *, unsigned int);
3103+static void SHA256Decode(php_uint32 *, const unsigned char *, unsigned int);
3104+
3105+static unsigned char PADDING[64] =
3106+{
3107+ 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
3108+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
3109+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
3110+};
3111+
3112+/* F, G, H and I are basic SHA256 functions.
3113+ */
3114+#define F(x) (ROTATE_RIGHT(x,2) ^ ROTATE_RIGHT(x,13) ^ ROTATE_RIGHT(x,22))
3115+#define G(x, y, z) (((x) & (y)) | ((z) & ((y) | (x))))
3116+#define H(x) (ROTATE_RIGHT(x,6) ^ ROTATE_RIGHT(x,11) ^ ROTATE_RIGHT(x,25))
3117+#define I(x, y, z) (((x) & (y)) | ((~x) & z))
3118+
3119+/* ROTATE_RIGHT rotates x right n bits.
3120+ */
3121+#define ROTATE_RIGHT(x, n) (((x) >> (n)) | ((x) << (32-(n))))
3122+
3123+/* W[i]
3124+ */
3125+#define W(i) ( tmp1=ROTATE_RIGHT(x[(i-15)&15],7)^ROTATE_RIGHT(x[(i-15)&15],18)^(x[(i-15)&15] >> 3), \
3126+ tmp2=ROTATE_RIGHT(x[(i-2)&15],17)^ROTATE_RIGHT(x[(i-2)&15],19)^(x[(i-2)&15] >> 10), \
3127+ (x[i&15]=x[i&15] + tmp1 + x[(i-7)&15] + tmp2) )
3128+
3129+/* ROUND function of sha256
3130+ */
3131+
3132+#define ROUND(a,b,c,d,e,f,g,h,w,k) { \
3133+ t1 = (h) + H((e)) + I((e), (f), (g)) + (k) + (php_uint32)(w); \
3134+ (h) = F((a)) + G((a), (b), (c)) + t1; \
3135+ (d) += t1; \
3136+ }
3137+
3138+
3139+/* {{{ PHP_SHA256Init
3140+ * SHA256 initialization. Begins an SHA256 operation, writing a new context.
3141+ */
3142+PHPAPI void PHP_SHA256Init(PHP_SHA256_CTX * context)
3143+{
3144+ context->count[0] = context->count[1] = 0;
3145+ /* Load magic initialization constants.
3146+ */
3147+ context->state[0] = 0x6a09e667;
3148+ context->state[1] = 0xbb67ae85;
3149+ context->state[2] = 0x3c6ef372;
3150+ context->state[3] = 0xa54ff53a;
3151+ context->state[4] = 0x510e527f;
3152+ context->state[5] = 0x9b05688c;
3153+ context->state[6] = 0x1f83d9ab;
3154+ context->state[7] = 0x5be0cd19;
3155+}
3156+/* }}} */
3157+
3158+/* {{{ PHP_SHA256Update
3159+ SHA256 block update operation. Continues an SHA256 message-digest
3160+ operation, processing another message block, and updating the
3161+ context.
3162+ */
3163+PHPAPI void PHP_SHA256Update(PHP_SHA256_CTX * context, const unsigned char *input,
3164+ unsigned int inputLen)
3165+{
3166+ unsigned int i, index, partLen;
3167+
3168+ /* Compute number of bytes mod 64 */
3169+ index = (unsigned int) ((context->count[0] >> 3) & 0x3F);
3170+
3171+ /* Update number of bits */
3172+ if ((context->count[0] += ((php_uint32) inputLen << 3))
3173+ < ((php_uint32) inputLen << 3))
3174+ context->count[1]++;
3175+ context->count[1] += ((php_uint32) inputLen >> 29);
3176+
3177+ partLen = 64 - index;
3178+
3179+ /* Transform as many times as possible.
3180+ */
3181+ if (inputLen >= partLen) {
3182+ memcpy
3183+ ((unsigned char*) & context->buffer[index], (unsigned char*) input, partLen);
3184+ SHA256Transform(context->state, context->buffer);
3185+
3186+ for (i = partLen; i + 63 < inputLen; i += 64)
3187+ SHA256Transform(context->state, &input[i]);
3188+
3189+ index = 0;
3190+ } else
3191+ i = 0;
3192+
3193+ /* Buffer remaining input */
3194+ memcpy
3195+ ((unsigned char*) & context->buffer[index], (unsigned char*) & input[i],
3196+ inputLen - i);
3197+}
3198+/* }}} */
3199+
3200+/* {{{ PHP_SHA256Final
3201+ SHA256 finalization. Ends an SHA256 message-digest operation, writing the
3202+ the message digest and zeroizing the context.
3203+ */
3204+PHPAPI void PHP_SHA256Final(unsigned char digest[32], PHP_SHA256_CTX * context)
3205+{
3206+ unsigned char bits[8];
3207+ unsigned int index, padLen;
3208+
3209+ /* Save number of bits */
3210+ bits[7] = context->count[0] & 0xFF;
3211+ bits[6] = (context->count[0] >> 8) & 0xFF;
3212+ bits[5] = (context->count[0] >> 16) & 0xFF;
3213+ bits[4] = (context->count[0] >> 24) & 0xFF;
3214+ bits[3] = context->count[1] & 0xFF;
3215+ bits[2] = (context->count[1] >> 8) & 0xFF;
3216+ bits[1] = (context->count[1] >> 16) & 0xFF;
3217+ bits[0] = (context->count[1] >> 24) & 0xFF;
3218+
3219+ /* Pad out to 56 mod 64.
3220+ */
3221+ index = (unsigned int) ((context->count[0] >> 3) & 0x3f);
3222+ padLen = (index < 56) ? (56 - index) : (120 - index);
3223+ PHP_SHA256Update(context, PADDING, padLen);
3224+
3225+ /* Append length (before padding) */
3226+ PHP_SHA256Update(context, bits, 8);
3227+
3228+ /* Store state in digest */
3229+ SHA256Encode(digest, context->state, 32);
3230+
3231+ /* Zeroize sensitive information.
3232+ */
3233+ memset((unsigned char*) context, 0, sizeof(*context));
3234+}
3235+/* }}} */
3236+
3237+/* {{{ SHA256Transform
3238+ * SHA256 basic transformation. Transforms state based on block.
3239+ */
3240+static void SHA256Transform(state, block)
3241+php_uint32 state[8];
3242+const unsigned char block[64];
3243+{
3244+ php_uint32 a = state[0], b = state[1], c = state[2];
3245+ php_uint32 d = state[3], e = state[4], f = state[5];
3246+ php_uint32 g = state[6], h = state[7], x[16], tmp1, tmp2, t1;
3247+
3248+ SHA256Decode(x, block, 64);
3249+
3250+ ROUND(a, b, c, d, e, f, g, h, x[0], 0x428a2f98)
3251+ ROUND(h, a, b, c, d, e, f, g, x[1], 0x71374491)
3252+ ROUND(g, h, a, b, c, d, e, f, x[2], 0xb5c0fbcf)
3253+ ROUND(f, g, h, a, b, c, d, e, x[3], 0xe9b5dba5)
3254+ ROUND(e, f, g, h, a, b, c, d, x[4], 0x3956c25b)
3255+ ROUND(d, e, f, g, h, a, b, c, x[5], 0x59f111f1)
3256+ ROUND(c, d, e, f, g, h, a, b, x[6], 0x923f82a4)
3257+ ROUND(b, c, d, e, f, g, h, a, x[7], 0xab1c5ed5)
3258+ ROUND(a, b, c, d, e, f, g, h, x[8], 0xd807aa98)
3259+ ROUND(h, a, b, c, d, e, f, g, x[9], 0x12835b01)
3260+ ROUND(g, h, a, b, c, d, e, f, x[10], 0x243185be)
3261+ ROUND(f, g, h, a, b, c, d, e, x[11], 0x550c7dc3)
3262+ ROUND(e, f, g, h, a, b, c, d, x[12], 0x72be5d74)
3263+ ROUND(d, e, f, g, h, a, b, c, x[13], 0x80deb1fe)
3264+ ROUND(c, d, e, f, g, h, a, b, x[14], 0x9bdc06a7)
3265+ ROUND(b, c, d, e, f, g, h, a, x[15], 0xc19bf174)
3266+ ROUND(a, b, c, d, e, f, g, h, W(16), 0xe49b69c1)
3267+ ROUND(h, a, b, c, d, e, f, g, W(17), 0xefbe4786)
3268+ ROUND(g, h, a, b, c, d, e, f, W(18), 0x0fc19dc6)
3269+ ROUND(f, g, h, a, b, c, d, e, W(19), 0x240ca1cc)
3270+ ROUND(e, f, g, h, a, b, c, d, W(20), 0x2de92c6f)
3271+ ROUND(d, e, f, g, h, a, b, c, W(21), 0x4a7484aa)
3272+ ROUND(c, d, e, f, g, h, a, b, W(22), 0x5cb0a9dc)
3273+ ROUND(b, c, d, e, f, g, h, a, W(23), 0x76f988da)
3274+ ROUND(a, b, c, d, e, f, g, h, W(24), 0x983e5152)
3275+ ROUND(h, a, b, c, d, e, f, g, W(25), 0xa831c66d)
3276+ ROUND(g, h, a, b, c, d, e, f, W(26), 0xb00327c8)
3277+ ROUND(f, g, h, a, b, c, d, e, W(27), 0xbf597fc7)
3278+ ROUND(e, f, g, h, a, b, c, d, W(28), 0xc6e00bf3)
3279+ ROUND(d, e, f, g, h, a, b, c, W(29), 0xd5a79147)
3280+ ROUND(c, d, e, f, g, h, a, b, W(30), 0x06ca6351)
3281+ ROUND(b, c, d, e, f, g, h, a, W(31), 0x14292967)
3282+ ROUND(a, b, c, d, e, f, g, h, W(32), 0x27b70a85)
3283+ ROUND(h, a, b, c, d, e, f, g, W(33), 0x2e1b2138)
3284+ ROUND(g, h, a, b, c, d, e, f, W(34), 0x4d2c6dfc)
3285+ ROUND(f, g, h, a, b, c, d, e, W(35), 0x53380d13)
3286+ ROUND(e, f, g, h, a, b, c, d, W(36), 0x650a7354)
3287+ ROUND(d, e, f, g, h, a, b, c, W(37), 0x766a0abb)
3288+ ROUND(c, d, e, f, g, h, a, b, W(38), 0x81c2c92e)
3289+ ROUND(b, c, d, e, f, g, h, a, W(39), 0x92722c85)
3290+ ROUND(a, b, c, d, e, f, g, h, W(40), 0xa2bfe8a1)
3291+ ROUND(h, a, b, c, d, e, f, g, W(41), 0xa81a664b)
3292+ ROUND(g, h, a, b, c, d, e, f, W(42), 0xc24b8b70)
3293+ ROUND(f, g, h, a, b, c, d, e, W(43), 0xc76c51a3)
3294+ ROUND(e, f, g, h, a, b, c, d, W(44), 0xd192e819)
3295+ ROUND(d, e, f, g, h, a, b, c, W(45), 0xd6990624)
3296+ ROUND(c, d, e, f, g, h, a, b, W(46), 0xf40e3585)
3297+ ROUND(b, c, d, e, f, g, h, a, W(47), 0x106aa070)
3298+ ROUND(a, b, c, d, e, f, g, h, W(48), 0x19a4c116)
3299+ ROUND(h, a, b, c, d, e, f, g, W(49), 0x1e376c08)
3300+ ROUND(g, h, a, b, c, d, e, f, W(50), 0x2748774c)
3301+ ROUND(f, g, h, a, b, c, d, e, W(51), 0x34b0bcb5)
3302+ ROUND(e, f, g, h, a, b, c, d, W(52), 0x391c0cb3)
3303+ ROUND(d, e, f, g, h, a, b, c, W(53), 0x4ed8aa4a)
3304+ ROUND(c, d, e, f, g, h, a, b, W(54), 0x5b9cca4f)
3305+ ROUND(b, c, d, e, f, g, h, a, W(55), 0x682e6ff3)
3306+ ROUND(a, b, c, d, e, f, g, h, W(56), 0x748f82ee)
3307+ ROUND(h, a, b, c, d, e, f, g, W(57), 0x78a5636f)
3308+ ROUND(g, h, a, b, c, d, e, f, W(58), 0x84c87814)
3309+ ROUND(f, g, h, a, b, c, d, e, W(59), 0x8cc70208)
3310+ ROUND(e, f, g, h, a, b, c, d, W(60), 0x90befffa)
3311+ ROUND(d, e, f, g, h, a, b, c, W(61), 0xa4506ceb)
3312+ ROUND(c, d, e, f, g, h, a, b, W(62), 0xbef9a3f7)
3313+ ROUND(b, c, d, e, f, g, h, a, W(63), 0xc67178f2)
3314+
3315+ state[0] += a;
3316+ state[1] += b;
3317+ state[2] += c;
3318+ state[3] += d;
3319+ state[4] += e;
3320+ state[5] += f;
3321+ state[6] += g;
3322+ state[7] += h;
3323+
3324+ /* Zeroize sensitive information. */
3325+ memset((unsigned char*) x, 0, sizeof(x));
3326+}
3327+/* }}} */
3328+
3329+/* {{{ SHA256Encode
3330+ Encodes input (php_uint32) into output (unsigned char). Assumes len is
3331+ a multiple of 4.
3332+ */
3333+static void SHA256Encode(output, input, len)
3334+unsigned char *output;
3335+php_uint32 *input;
3336+unsigned int len;
3337+{
3338+ unsigned int i, j;
3339+
3340+ for (i = 0, j = 0; j < len; i++, j += 4) {
3341+ output[j] = (unsigned char) ((input[i] >> 24) & 0xff);
3342+ output[j + 1] = (unsigned char) ((input[i] >> 16) & 0xff);
3343+ output[j + 2] = (unsigned char) ((input[i] >> 8) & 0xff);
3344+ output[j + 3] = (unsigned char) (input[i] & 0xff);
3345+ }
3346+}
3347+/* }}} */
3348+
3349+/* {{{ SHA256Decode
3350+ Decodes input (unsigned char) into output (php_uint32). Assumes len is
3351+ a multiple of 4.
3352+ */
3353+static void SHA256Decode(output, input, len)
3354+php_uint32 *output;
3355+const unsigned char *input;
3356+unsigned int len;
3357+{
3358+ unsigned int i, j;
3359+
3360+ for (i = 0, j = 0; j < len; i++, j += 4)
3361+ output[i] = ((php_uint32) input[j + 3]) | (((php_uint32) input[j + 2]) << 8) |
3362+ (((php_uint32) input[j + 1]) << 16) | (((php_uint32) input[j]) << 24);
3363+}
3364+/* }}} */
3365+
3366+/*
3367+ * Local variables:
3368+ * tab-width: 4
3369+ * c-basic-offset: 4
3370+ * End:
3371+ * vim600: sw=4 ts=4 fdm=marker
3372+ * vim<600: sw=4 ts=4
3373+ */
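Review bot: No .phpt accompanies the new sha256()/sha256_file() functions, and a transcription slip in the hand-written K table or W() schedule would go unnoticed; pin the FIPS 180-2 vectors `sha256("abc") === "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"` and `sha256("") === "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"`, plus a multi-block input, in a test next to the md5/sha1 ones. `PHP_SHA256Update(&context, arg, arg_len)` passes `char *` where the prototype takes `const unsigned char *`, which warns under -Wpointer-sign; cast at the call site, as sha256_file's `unsigned char buf[1024]` already avoids. The file banner still reads "PHP Version 5" with sha1.c's `$Id: sha256.c,v 1.9 2004/01/08 08:17:34 andi` line in a PHP 4 tree, which is stale copy-paste worth replacing.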
3374diff -Nura php-4.4.3/ext/standard/sha256.h hardening-patch-4.4.3-0.4.15/ext/standard/sha256.h
3375--- php-4.4.3/ext/standard/sha256.h 1970-01-01 01:00:00.000000000 +0100
3376+++ hardening-patch-4.4.3-0.4.15/ext/standard/sha256.h 2006-09-05 20:30:45.000000000 +0200
3377@@ -0,0 +1,40 @@
3378+/*
3379+ +----------------------------------------------------------------------+
3380+ | PHP Version 5 |
3381+ +----------------------------------------------------------------------+
3382+ | Copyright (c) 1997-2004 The PHP Group |
3383+ +----------------------------------------------------------------------+
3384+ | This source file is subject to version 3.0 of the PHP license, |
3385+ | that is bundled with this package in the file LICENSE, and is |
3386+ | available through the world-wide-web at the following url: |
3387+ | http://www.php.net/license/3_0.txt. |
3388+ | If you did not receive a copy of the PHP license and are unable to |
3389+ | obtain it through the world-wide-web, please send a note to |
3390+ | license@php.net so we can mail you a copy immediately. |
3391+ +----------------------------------------------------------------------+
3392+ | Author: Stefan Esser <sesser@php.net> |
3393+ +----------------------------------------------------------------------+
3394+*/
3395+
3396+/* $Id: sha256.h,v 1.4 2004/01/08 17:32:52 sniper Exp $ */
3397+
3398+#ifndef SHA256_H
3399+#define SHA256_H
3400+
3401+#include "ext/standard/basic_functions.h"
3402+
3403+/* SHA1 context. */
3404+typedef struct {
3405+ php_uint32 state[8]; /* state (ABCD) */
3406+ php_uint32 count[2]; /* number of bits, modulo 2^64 (lsb first) */
3407+ unsigned char buffer[64]; /* input buffer */
3408+} PHP_SHA256_CTX;
3409+
3410+PHPAPI void PHP_SHA256Init(PHP_SHA256_CTX *);
3411+PHPAPI void PHP_SHA256Update(PHP_SHA256_CTX *, const unsigned char *, unsigned int);
3412+PHPAPI void PHP_SHA256Final(unsigned char[32], PHP_SHA256_CTX *);
3413+
3414+PHP_FUNCTION(sha256);
3415+PHP_FUNCTION(sha256_file);
3416+
3417+#endif
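Review bot: The struct comment `/* SHA1 context. */` with `state (ABCD)` was copied from sha1.h and is wrong for an 8-word SHA-256 state; replace it with `/* SHA-256 context: eight 32-bit state words, 64-bit message bit count (low word first), and the pending 64-byte block. */`. The header also omits `make_sha256_digest()`, which sha256.c defines as `PHPAPI`; add `PHPAPI void make_sha256_digest(char *sha256str, unsigned char *digest);` next to the other prototypes so other translation units get a real declaration instead of an implicit one.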
3418diff -Nura php-4.4.3/ext/standard/string.c hardening-patch-4.4.3-0.4.15/ext/standard/string.c
3419--- php-4.4.3/ext/standard/string.c 2006-05-19 12:20:44.000000000 +0200
3420+++ hardening-patch-4.4.3-0.4.15/ext/standard/string.c 2006-09-05 20:30:45.000000000 +0200
3421@@ -628,7 +628,8 @@
3422 {
3423 const char *text, *breakchar = "\n";
3424 char *newtext;
3425- int textlen, breakcharlen = 1, newtextlen, alloced, chk;
3426+ int textlen, breakcharlen = 1, newtextlen, chk;
3427+ size_t alloced;
3428 long current = 0, laststart = 0, lastspace = 0;
3429 long linelength = 75;
3430 zend_bool docut = 0;
3431@@ -3518,7 +3519,7 @@
3432 zval **input_str; /* Input string */
3433 zval **mult; /* Multiplier */
3434 char *result; /* Resulting string */
3435- int result_len; /* Length of the resulting string */
3436+ size_t result_len; /* Length of the resulting string */
3437
3438 if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &input_str, &mult) == FAILURE) {
3439 WRONG_PARAM_COUNT;
3440@@ -3543,11 +3544,7 @@
3441
3442 /* Initialize the result string */
3443 result_len = Z_STRLEN_PP(input_str) * Z_LVAL_PP(mult);
3444- if (result_len < 1) {
3445- php_error_docref(NULL TSRMLS_CC, E_WARNING, "You may not create strings longer than 2147483647 bytes");
3446- RETURN_FALSE;
3447- }
3448- result = (char *)emalloc(result_len + 1);
3449+ result = (char *)safe_emalloc(Z_STRLEN_PP(input_str), Z_LVAL_PP(mult), 1);
3450
3451 /* Heavy optimization for situations where input string is 1 byte long */
3452 if (Z_STRLEN_PP(input_str) == 1) {
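Review bot: The replacement allocation relies on `safe_emalloc()` bailing out fatally on `len * mult` overflow, because `result_len` on the line above is still computed with an unchecked multiply and is reused for the copy loop and terminator further down; if this build's `safe_emalloc()` ever returned NULL instead, `result` would be written unchecked. Make the dependency explicit with a one-line comment: `/* safe_emalloc() bails out on len*mult overflow, so the old result_len < 1 heuristic is no longer needed */`. str_repeat's body continues past the hunk.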
3453diff -Nura php-4.4.3/ext/standard/syslog.c hardening-patch-4.4.3-0.4.15/ext/standard/syslog.c
3454--- php-4.4.3/ext/standard/syslog.c 2006-01-01 14:46:58.000000000 +0100
3455+++ hardening-patch-4.4.3-0.4.15/ext/standard/syslog.c 2006-09-05 20:30:45.000000000 +0200
3456@@ -42,6 +42,8 @@
3457 */
3458 PHP_MINIT_FUNCTION(syslog)
3459 {
3460+
3461+#if !HARDENING_PATCH
3462 /* error levels */
3463 REGISTER_LONG_CONSTANT("LOG_EMERG", LOG_EMERG, CONST_CS | CONST_PERSISTENT); /* system unusable */
3464 REGISTER_LONG_CONSTANT("LOG_ALERT", LOG_ALERT, CONST_CS | CONST_PERSISTENT); /* immediate action required */
3465@@ -97,7 +99,7 @@
3466 /* AIX doesn't have LOG_PERROR */
3467 REGISTER_LONG_CONSTANT("LOG_PERROR", LOG_PERROR, CONST_CS | CONST_PERSISTENT); /*log to stderr*/
3468 #endif
3469-
3470+#endif
3471 return SUCCESS;
3472 }
3473 /* }}} */
3474diff -Nura php-4.4.3/ext/standard/tests/strings/bug38322.phpt hardening-patch-4.4.3-0.4.15/ext/standard/tests/strings/bug38322.phpt
3475--- php-4.4.3/ext/standard/tests/strings/bug38322.phpt 1970-01-01 01:00:00.000000000 +0100
3476+++ hardening-patch-4.4.3-0.4.15/ext/standard/tests/strings/bug38322.phpt 2006-09-05 20:30:45.000000000 +0200
3477@@ -0,0 +1,13 @@
3478+--TEST--
3479+Bug #38322 (reading past array in sscanf() leads to segfault/arbitary code execution)
3480+--FILE--
3481+<?php
3482+
3483+$str = "a b c d e";
3484+var_dump(sscanf("a ",'%1$s',$str));
3485+
3486+echo "Done\n";
3487+?>
3488+--EXPECTF--
3489+int(1)
3490+Done
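Review bot: The test only exercises `%1$s` with exactly one variable, which is precisely the case the new `objIndex >= argCount` guards catch; it does not cover an index beyond several supplied variables, nor index 0, which `objIndex = varStart + value - 1` maps below the first variable. Add cases such as `var_dump(sscanf("a b", '%2$s', $a));` and `var_dump(sscanf("a", '%0$s', $a));` with their expected output so both ends of the index range are pinned by the regression test.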
3491diff -Nura php-4.4.3/ext/varfilter/config.m4 hardening-patch-4.4.3-0.4.15/ext/varfilter/config.m4
3492--- php-4.4.3/ext/varfilter/config.m4 1970-01-01 01:00:00.000000000 +0100
3493+++ hardening-patch-4.4.3-0.4.15/ext/varfilter/config.m4 2006-09-05 20:30:45.000000000 +0200
3494@@ -0,0 +1,11 @@
3495+dnl
3496+dnl $Id: config.m4,v 1.1 2004/11/14 13:27:16 ionic Exp $
3497+dnl
3498+
3499+PHP_ARG_ENABLE(varfilter, whether to enable Hardening-Patch's variable filter,
3500+[ --disable-varfilter Disable Hardening-Patch's variable filter], yes)
3501+
3502+if test "$PHP_VARFILTER" != "no"; then
3503+ AC_DEFINE(HAVE_VARFILTER, 1, [ ])
3504+ PHP_NEW_EXTENSION(varfilter, varfilter.c, $ext_shared)
3505+fi
3506diff -Nura php-4.4.3/ext/varfilter/CREDITS hardening-patch-4.4.3-0.4.15/ext/varfilter/CREDITS
3507--- php-4.4.3/ext/varfilter/CREDITS 1970-01-01 01:00:00.000000000 +0100
3508+++ hardening-patch-4.4.3-0.4.15/ext/varfilter/CREDITS 2006-09-05 20:30:45.000000000 +0200
3509@@ -0,0 +1,2 @@
3510+varfilter
3511+Stefan Esser
3512\ Kein Zeilenumbruch am Dateiende.
3513diff -Nura php-4.4.3/ext/varfilter/php_varfilter.h hardening-patch-4.4.3-0.4.15/ext/varfilter/php_varfilter.h
3514--- php-4.4.3/ext/varfilter/php_varfilter.h 1970-01-01 01:00:00.000000000 +0100
3515+++ hardening-patch-4.4.3-0.4.15/ext/varfilter/php_varfilter.h 2006-09-05 20:30:45.000000000 +0200
3516@@ -0,0 +1,144 @@
3517+/*
3518+ +----------------------------------------------------------------------+
3519+ | Hardened-PHP Project's varfilter extension |
3520+ +----------------------------------------------------------------------+
3521+ | Copyright (c) 2004-2005 Stefan Esser |
3522+ +----------------------------------------------------------------------+
3523+ | This source file is subject to version 2.02 of the PHP license, |
3524+ | that is bundled with this package in the file LICENSE, and is |
3525+ | available at through the world-wide-web at |
3526+ | http://www.php.net/license/2_02.txt. |
3527+ | If you did not receive a copy of the PHP license and are unable to |
3528+ | obtain it through the world-wide-web, please send a note to |
3529+ | license@php.net so we can mail you a copy immediately. |
3530+ +----------------------------------------------------------------------+
3531+ | Author: Stefan Esser <sesser@hardened-php.net> |
3532+ +----------------------------------------------------------------------+
3533+
3534+ $Id: php_varfilter.h,v 1.1 2004/11/14 13:27:16 ionic Exp $
3535+*/
3536+
3537+#ifndef PHP_VARFILTER_H
3538+#define PHP_VARFILTER_H
3539+
3540+extern zend_module_entry varfilter_module_entry;
3541+#define phpext_varfilter_ptr &varfilter_module_entry
3542+
3543+#ifdef PHP_WIN32
3544+#define PHP_VARFILTER_API __declspec(dllexport)
3545+#else
3546+#define PHP_VARFILTER_API
3547+#endif
3548+
3549+#ifdef ZTS
3550+#include "TSRM.h"
3551+#endif
3552+
3553+#include "SAPI.h"
3554+
3555+#include "php_variables.h"
3556+
3557+#ifdef ZEND_ENGINE_2
3558+#define HASH_HTTP_GET_VARS 0x2095733f
3559+#define HASH_HTTP_POST_VARS 0xbfee1265
3560+#define HASH_HTTP_COOKIE_VARS 0xaaca9d99
3561+#define HASH_HTTP_ENV_VARS 0x1fe186a8
3562+#define HASH_HTTP_SERVER_VARS 0xc987afd6
3563+#define HASH_HTTP_SESSION_VARS 0x7aba0d43
3564+#define HASH_HTTP_POST_FILES 0x98eb1ddc
3565+#define HASH_HTTP_RAW_POST_DATA 0xdd633fec
3566+#else
3567+#define HASH_HTTP_GET_VARS 0x8d8645bd
3568+#define HASH_HTTP_POST_VARS 0x7c699bf3
3569+#define HASH_HTTP_COOKIE_VARS 0x93ad0d6f
3570+#define HASH_HTTP_ENV_VARS 0x84da3016
3571+#define HASH_HTTP_SERVER_VARS 0x6dbf964e
3572+#define HASH_HTTP_SESSION_VARS 0x322906f5
3573+#define HASH_HTTP_POST_FILES 0xe4e4ce70
3574+#define HASH_HTTP_RAW_POST_DATA 0xe6137a0e
3575+#endif
3576+
3577+PHP_MINIT_FUNCTION(varfilter);
3578+PHP_MSHUTDOWN_FUNCTION(varfilter);
3579+PHP_RINIT_FUNCTION(varfilter);
3580+PHP_RSHUTDOWN_FUNCTION(varfilter);
3581+PHP_MINFO_FUNCTION(varfilter);
3582+
3583+
3584+ZEND_BEGIN_MODULE_GLOBALS(varfilter)
3585+/* request variables */
3586+ long max_request_variables;
3587+ long cur_request_variables;
3588+ long max_varname_length;
3589+ long max_totalname_length;
3590+ long max_value_length;
3591+ long max_array_depth;
3592+ long max_array_index_length;
3593+ zend_bool disallow_nul;
3594+/* cookie variables */
3595+ long max_cookie_vars;
3596+ long cur_cookie_vars;
3597+ long max_cookie_name_length;
3598+ long max_cookie_totalname_length;
3599+ long max_cookie_value_length;
3600+ long max_cookie_array_depth;
3601+ long max_cookie_array_index_length;
3602+ zend_bool disallow_cookie_nul;
3603+/* get variables */
3604+ long max_get_vars;
3605+ long cur_get_vars;
3606+ long max_get_name_length;
3607+ long max_get_totalname_length;
3608+ long max_get_value_length;
3609+ long max_get_array_depth;
3610+ long max_get_array_index_length;
3611+ zend_bool disallow_get_nul;
3612+/* post variables */
3613+ long max_post_vars;
3614+ long cur_post_vars;
3615+ long max_post_name_length;
3616+ long max_post_totalname_length;
3617+ long max_post_value_length;
3618+ long max_post_array_depth;
3619+ long max_post_array_index_length;
3620+ zend_bool disallow_post_nul;
3621+/* fileupload */
3622+ long max_uploads;
3623+ long cur_uploads;
3624+ zend_bool disallow_elf_files;
3625+ char *verification_script;
3626+
3627+ zend_bool no_more_variables;
3628+ zend_bool no_more_get_variables;
3629+ zend_bool no_more_post_variables;
3630+ zend_bool no_more_cookie_variables;
3631+ zend_bool no_more_uploads;
3632+
3633+ZEND_END_MODULE_GLOBALS(varfilter)
3634+
3635+
3636+#ifdef ZTS
3637+#define VARFILTER_G(v) TSRMG(varfilter_globals_id, zend_varfilter_globals *, v)
3638+#else
3639+#define VARFILTER_G(v) (varfilter_globals.v)
3640+#endif
3641+
3642+SAPI_INPUT_FILTER_FUNC(varfilter_input_filter);
3643+SAPI_UPLOAD_VARNAME_FILTER_FUNC(varfilter_upload_varname_filter);
3644+SAPI_PRE_UPLOAD_FILTER_FUNC(varfilter_pre_upload_filter);
3645+SAPI_UPLOAD_CONTENT_FILTER_FUNC(varfilter_upload_content_filter);
3646+SAPI_POST_UPLOAD_FILTER_FUNC(varfilter_post_upload_filter);
3647+SAPI_TREAT_DATA_FUNC(varfilter_treat_data);
3648+
3649+
3650+
3651+#endif /* PHP_VARFILTER_H */
3652+
3653+
3654+/*
3655+ * Local variables:
3656+ * tab-width: 4
3657+ * c-basic-offset: 4
3658+ * indent-tabs-mode: t
3659+ * End:
3660+ */
3661diff -Nura php-4.4.3/ext/varfilter/varfilter.c hardening-patch-4.4.3-0.4.15/ext/varfilter/varfilter.c
3662--- php-4.4.3/ext/varfilter/varfilter.c 1970-01-01 01:00:00.000000000 +0100
3663+++ hardening-patch-4.4.3-0.4.15/ext/varfilter/varfilter.c 2006-09-07 18:50:05.000000000 +0200
3664@@ -0,0 +1,915 @@
3665+/*
3666+ +----------------------------------------------------------------------+
3667+ | Hardened-PHP Project's varfilter extension |
3668+ +----------------------------------------------------------------------+
3669+ | Copyright (c) 2004-2005 Stefan Esser |
3670+ +----------------------------------------------------------------------+
3671+ | This source file is subject to version 2.02 of the PHP license, |
3672+ | that is bundled with this package in the file LICENSE, and is |
3673+ | available at through the world-wide-web at |
3674+ | http://www.php.net/license/2_02.txt. |
3675+ | If you did not receive a copy of the PHP license and are unable to |
3676+ | obtain it through the world-wide-web, please send a note to |
3677+ | license@php.net so we can mail you a copy immediately. |
3678+ +----------------------------------------------------------------------+
3679+ | Author: Stefan Esser <sesser@hardened-php.net> |
3680+ +----------------------------------------------------------------------+
3681+
3682+ $Id: varfilter.c,v 1.1 2004/11/14 13:27:16 ionic Exp $
3683+*/
3684+
3685+#ifdef HAVE_CONFIG_H
3686+#include "config.h"
3687+#endif
3688+
3689+#include "php.h"
3690+#include "php_ini.h"
3691+#include "ext/standard/info.h"
3692+#include "php_varfilter.h"
3693+#include "hardening_patch.h"
3694+
3695+ZEND_DECLARE_MODULE_GLOBALS(varfilter)
3696+
3697+/* True global resources - no need for thread safety here */
3698+static int le_varfilter;
3699+
3700+static void (*orig_register_server_variables)(zval *track_vars_array TSRMLS_DC) = NULL;
3701+static int (*orig_header_handler)(sapi_header_struct *sapi_header, sapi_headers_struct *sapi_headers TSRMLS_DC) = NULL;
3702+static zend_bool hooked = 0;
3703+
3704+/* {{{ varfilter_module_entry
3705+ */
3706+zend_module_entry varfilter_module_entry = {
3707+#if ZEND_MODULE_API_NO >= 20010901
3708+ STANDARD_MODULE_HEADER,
3709+#endif
3710+ "varfilter",
3711+ NULL,
3712+ PHP_MINIT(varfilter),
3713+ PHP_MSHUTDOWN(varfilter),
3714+ PHP_RINIT(varfilter), /* Replace with NULL if there's nothing to do at request start */
3715+ PHP_RSHUTDOWN(varfilter), /* Replace with NULL if there's nothing to do at request end */
3716+ PHP_MINFO(varfilter),
3717+#if ZEND_MODULE_API_NO >= 20010901
3718+ "0.4.15", /* Replace with version number for your extension */
3719+#endif
3720+ STANDARD_MODULE_PROPERTIES
3721+};
3722+/* }}} */
3723+
3724+#ifdef COMPILE_DL_VARFILTER
3725+ZEND_GET_MODULE(varfilter)
3726+#endif
3727+
3728+/* {{{ PHP_INI
3729+ */
3730+PHP_INI_BEGIN()
3731+ /* for backward compatibility */
3732+ STD_PHP_INI_ENTRY("varfilter.max_request_variables", "200", PHP_INI_PERDIR, OnUpdateLong, max_request_variables, zend_varfilter_globals, varfilter_globals)
3733+ STD_PHP_INI_ENTRY("varfilter.max_varname_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_varname_length, zend_varfilter_globals, varfilter_globals)
3734+ STD_PHP_INI_ENTRY("varfilter.max_value_length", "65000", PHP_INI_PERDIR, OnUpdateLong, max_value_length, zend_varfilter_globals, varfilter_globals)
3735+ STD_PHP_INI_ENTRY("varfilter.max_array_depth", "100", PHP_INI_PERDIR, OnUpdateLong, max_array_depth, zend_varfilter_globals, varfilter_globals)
3736+ STD_PHP_INI_ENTRY("varfilter.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_totalname_length, zend_varfilter_globals, varfilter_globals)
3737+ STD_PHP_INI_ENTRY("varfilter.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_array_index_length, zend_varfilter_globals, varfilter_globals)
3738+
3739+ STD_PHP_INI_ENTRY("hphp.request.max_vars", "200", PHP_INI_PERDIR, OnUpdateLong, max_request_variables, zend_varfilter_globals, varfilter_globals)
3740+ STD_PHP_INI_ENTRY("hphp.request.max_varname_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_varname_length, zend_varfilter_globals, varfilter_globals)
3741+ STD_PHP_INI_ENTRY("hphp.request.max_value_length", "65000", PHP_INI_PERDIR, OnUpdateLong, max_value_length, zend_varfilter_globals, varfilter_globals)
3742+ STD_PHP_INI_ENTRY("hphp.request.max_array_depth", "100", PHP_INI_PERDIR, OnUpdateLong, max_array_depth, zend_varfilter_globals, varfilter_globals)
3743+ STD_PHP_INI_ENTRY("hphp.request.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_totalname_length, zend_varfilter_globals, varfilter_globals)
3744+ STD_PHP_INI_ENTRY("hphp.request.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_array_index_length, zend_varfilter_globals, varfilter_globals)
3745+ STD_PHP_INI_ENTRY("hphp.request.disallow_nul", "1", PHP_INI_PERDIR, OnUpdateBool, disallow_nul, zend_varfilter_globals, varfilter_globals)
3746+
3747+ STD_PHP_INI_ENTRY("hphp.cookie.max_vars", "100", PHP_INI_PERDIR, OnUpdateLong, max_cookie_vars, zend_varfilter_globals, varfilter_globals)
3748+ STD_PHP_INI_ENTRY("hphp.cookie.max_name_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_cookie_name_length, zend_varfilter_globals, varfilter_globals)
3749+ STD_PHP_INI_ENTRY("hphp.cookie.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_cookie_totalname_length, zend_varfilter_globals, varfilter_globals)
3750+ STD_PHP_INI_ENTRY("hphp.cookie.max_value_length", "10000", PHP_INI_PERDIR, OnUpdateLong, max_cookie_value_length, zend_varfilter_globals, varfilter_globals)
3751+ STD_PHP_INI_ENTRY("hphp.cookie.max_array_depth", "100", PHP_INI_PERDIR, OnUpdateLong, max_cookie_array_depth, zend_varfilter_globals, varfilter_globals)
3752+ STD_PHP_INI_ENTRY("hphp.cookie.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_cookie_array_index_length, zend_varfilter_globals, varfilter_globals)
3753+ STD_PHP_INI_ENTRY("hphp.cookie.disallow_nul", "1", PHP_INI_PERDIR, OnUpdateBool, disallow_cookie_nul, zend_varfilter_globals, varfilter_globals)
3754+
3755+ STD_PHP_INI_ENTRY("hphp.get.max_vars", "100", PHP_INI_PERDIR, OnUpdateLong, max_get_vars, zend_varfilter_globals, varfilter_globals)
3756+ STD_PHP_INI_ENTRY("hphp.get.max_name_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_get_name_length, zend_varfilter_globals, varfilter_globals)
3757+ STD_PHP_INI_ENTRY("hphp.get.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_get_totalname_length, zend_varfilter_globals, varfilter_globals)
3758+ STD_PHP_INI_ENTRY("hphp.get.max_value_length", "512", PHP_INI_PERDIR, OnUpdateLong, max_get_value_length, zend_varfilter_globals, varfilter_globals)
3759+ STD_PHP_INI_ENTRY("hphp.get.max_array_depth", "50", PHP_INI_PERDIR, OnUpdateLong, max_get_array_depth, zend_varfilter_globals, varfilter_globals)
3760+ STD_PHP_INI_ENTRY("hphp.get.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_get_array_index_length, zend_varfilter_globals, varfilter_globals)
3761+ STD_PHP_INI_ENTRY("hphp.get.disallow_nul", "1", PHP_INI_PERDIR, OnUpdateBool, disallow_get_nul, zend_varfilter_globals, varfilter_globals)
3762+
3763+ STD_PHP_INI_ENTRY("hphp.post.max_vars", "200", PHP_INI_PERDIR, OnUpdateLong, max_post_vars, zend_varfilter_globals, varfilter_globals)
3764+ STD_PHP_INI_ENTRY("hphp.post.max_name_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_post_name_length, zend_varfilter_globals, varfilter_globals)
3765+ STD_PHP_INI_ENTRY("hphp.post.max_totalname_length", "256", PHP_INI_PERDIR, OnUpdateLong, max_post_totalname_length, zend_varfilter_globals, varfilter_globals)
3766+ STD_PHP_INI_ENTRY("hphp.post.max_value_length", "65000", PHP_INI_PERDIR, OnUpdateLong, max_post_value_length, zend_varfilter_globals, varfilter_globals)
3767+ STD_PHP_INI_ENTRY("hphp.post.max_array_depth", "100", PHP_INI_PERDIR, OnUpdateLong, max_post_array_depth, zend_varfilter_globals, varfilter_globals)
3768+ STD_PHP_INI_ENTRY("hphp.post.max_array_index_length", "64", PHP_INI_PERDIR, OnUpdateLong, max_post_array_index_length, zend_varfilter_globals, varfilter_globals)
3769+ STD_PHP_INI_ENTRY("hphp.post.disallow_nul", "1", PHP_INI_PERDIR, OnUpdateBool, disallow_post_nul, zend_varfilter_globals, varfilter_globals)
3770+
3771+ STD_PHP_INI_ENTRY("hphp.upload.max_uploads", "25", PHP_INI_PERDIR, OnUpdateLong, max_uploads, zend_varfilter_globals, varfilter_globals)
3772+ STD_PHP_INI_ENTRY("hphp.upload.disallow_elf_files", "1", PHP_INI_SYSTEM, OnUpdateBool, disallow_elf_files, zend_varfilter_globals, varfilter_globals)
3773+ STD_PHP_INI_ENTRY("hphp.upload.verification_script", NULL, PHP_INI_SYSTEM, OnUpdateString, verification_script, zend_varfilter_globals, varfilter_globals)
3774+
3775+
3776+PHP_INI_END()
3777+/* }}} */
3778+
3779+/* {{{ php_varfilter_init_globals
3780+ */
3781+static void php_varfilter_init_globals(zend_varfilter_globals *varfilter_globals)
3782+{
3783+ varfilter_globals->max_request_variables = 200;
3784+ varfilter_globals->max_varname_length = 64;
3785+ varfilter_globals->max_value_length = 10000;
3786+ varfilter_globals->max_array_depth = 100;
3787+ varfilter_globals->max_totalname_length = 256;
3788+ varfilter_globals->max_array_index_length = 64;
3789+ varfilter_globals->disallow_nul = 1;
3790+
3791+ varfilter_globals->max_cookie_vars = 100;
3792+ varfilter_globals->max_cookie_name_length = 64;
3793+ varfilter_globals->max_cookie_totalname_length = 256;
3794+ varfilter_globals->max_cookie_value_length = 10000;
3795+ varfilter_globals->max_cookie_array_depth = 100;
3796+ varfilter_globals->max_cookie_array_index_length = 64;
3797+ varfilter_globals->disallow_cookie_nul = 1;
3798+
3799+ varfilter_globals->max_get_vars = 100;
3800+ varfilter_globals->max_get_name_length = 64;
3801+ varfilter_globals->max_get_totalname_length = 256;
3802+ varfilter_globals->max_get_value_length = 512;
3803+ varfilter_globals->max_get_array_depth = 50;
3804+ varfilter_globals->max_get_array_index_length = 64;
3805+ varfilter_globals->disallow_get_nul = 1;
3806+
3807+ varfilter_globals->max_post_vars = 200;
3808+ varfilter_globals->max_post_name_length = 64;
3809+ varfilter_globals->max_post_totalname_length = 256;
3810+ varfilter_globals->max_post_value_length = 65000;
3811+ varfilter_globals->max_post_array_depth = 100;
3812+ varfilter_globals->max_post_array_index_length = 64;
3813+ varfilter_globals->disallow_post_nul = 1;
3814+
3815+ varfilter_globals->max_uploads = 25;
3816+ varfilter_globals->disallow_elf_files = 1;
3817+ varfilter_globals->verification_script = NULL;
3818+
3819+ varfilter_globals->no_more_variables = 0;
3820+ varfilter_globals->no_more_get_variables = 0;
3821+ varfilter_globals->no_more_post_variables = 0;
3822+ varfilter_globals->no_more_cookie_variables = 0;
3823+ varfilter_globals->no_more_uploads = 0;
3824+
3825+ varfilter_globals->cur_request_variables = 0;
3826+ varfilter_globals->cur_get_vars = 0;
3827+ varfilter_globals->cur_post_vars = 0;
3828+ varfilter_globals->cur_cookie_vars = 0;
3829+
3830+ varfilter_globals->cur_uploads = 0;
3831+
3832+}
3833+/* }}} */
3834+
3835+
3836+void varfilter_register_server_variables(zval *track_vars_array TSRMLS_DC)
3837+{
3838+ HashTable *svars;
3839+ int retval, failure=0;
3840+
3841+ orig_register_server_variables(track_vars_array TSRMLS_CC);
3842+
3843+ svars = Z_ARRVAL_P(track_vars_array);
3844+
3845+ retval = zend_hash_del_key_or_index(svars, "HTTP_GET_VARS", sizeof("HTTP_GET_VARS"), HASH_HTTP_GET_VARS, HASH_DEL_INDEX);
3846+ if (retval == SUCCESS) failure = 1;
3847+ retval = zend_hash_del_key_or_index(svars, "HTTP_POST_VARS", sizeof("HTTP_POST_VARS"), HASH_HTTP_POST_VARS, HASH_DEL_INDEX);
3848+ if (retval == SUCCESS) failure = 1;
3849+ retval = zend_hash_del_key_or_index(svars, "HTTP_COOKIE_VARS", sizeof("HTTP_COOKIE_VARS"), HASH_HTTP_COOKIE_VARS, HASH_DEL_INDEX);
3850+ if (retval == SUCCESS) failure = 1;
3851+ retval = zend_hash_del_key_or_index(svars, "HTTP_ENV_VARS", sizeof("HTTP_ENV_VARS"), HASH_HTTP_ENV_VARS, HASH_DEL_INDEX);
3852+ if (retval == SUCCESS) failure = 1;
3853+ retval = zend_hash_del_key_or_index(svars, "HTTP_SERVER_VARS", sizeof("HTTP_SERVER_VARS"), HASH_HTTP_SERVER_VARS, HASH_DEL_INDEX);
3854+ if (retval == SUCCESS) failure = 1;
3855+ retval = zend_hash_del_key_or_index(svars, "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS"), HASH_HTTP_SESSION_VARS, HASH_DEL_INDEX);
3856+ if (retval == SUCCESS) failure = 1;
3857+ retval = zend_hash_del_key_or_index(svars, "HTTP_POST_FILES", sizeof("HTTP_POST_FILES"), HASH_HTTP_POST_FILES, HASH_DEL_INDEX);
3858+ if (retval == SUCCESS) failure = 1;
3859+ retval = zend_hash_del_key_or_index(svars, "HTTP_RAW_POST_DATA", sizeof("HTTP_RAW_POST_DATA"), HASH_HTTP_RAW_POST_DATA, HASH_DEL_INDEX);
3860+ if (retval == SUCCESS) failure = 1;
3861+
3862+ if (failure) {
3863+ php_security_log(S_VARS, "Attacker tried to overwrite a superglobal through a HTTP header");
3864+ }
3865+}
3866+
3867+int varfilter_header_handler(sapi_header_struct *sapi_header, sapi_headers_struct *sapi_headers TSRMLS_DC)
3868+{
3869+ int retval = SAPI_HEADER_ADD, i;
3870+ char *tmp;
3871+
3872+ if (!HG(hphp_multiheader) && sapi_header && sapi_header->header) {
3873+
3874+ tmp = sapi_header->header;
3875+ for (i=0; i<sapi_header->header_len; i++, tmp++) {
3876+ if (tmp[0] == 0) {
3877+ char *fname = get_active_function_name(TSRMLS_C);
3878+
3879+ if (!fname) {
3880+ fname = "unknown";
3881+ }
3882+
3883+ php_security_log(S_MISC, "%s() - wanted to send a HTTP header with an ASCII NUL in it", fname);
3884+ sapi_header->header_len = i;
3885+ } else if (tmp[0] == '\n' && (i == sapi_header->header_len-1 || (tmp[1] != ' ' && tmp[1] != '\t'))) {
3886+ char *fname = get_active_function_name(TSRMLS_C);
3887+
3888+ if (!fname) {
3889+ fname = "unknown";
3890+ }
3891+
3892+ php_security_log(S_MISC, "%s() - wanted to send multiple HTTP headers at once", fname);
3893+ sapi_header->header_len = i;
3894+ tmp[0] = 0;
3895+ }
3896+ }
3897+ }
3898+
3899+ if (orig_header_handler) {
3900+ retval = orig_header_handler(sapi_header, sapi_headers TSRMLS_CC);
3901+ }
3902+
3903+ return retval;
3904+}
3905+
3906+/* {{{ PHP_MINIT_FUNCTION
3907+ */
3908+PHP_MINIT_FUNCTION(varfilter)
3909+{
3910+ ZEND_INIT_MODULE_GLOBALS(varfilter, php_varfilter_init_globals, NULL);
3911+ REGISTER_INI_ENTRIES();
3912+
3913+ if (!hooked) {
3914+ void *temp;
3915+ hooked = 1;
3916+
3917+ temp = (void *)sapi_module.register_server_variables;
3918+ if (temp != varfilter_register_server_variables) {
3919+ orig_register_server_variables = temp;
3920+ }
3921+ temp = (void *)sapi_module.header_handler;
3922+ if (temp != varfilter_header_handler) {
3923+ orig_header_handler = temp;
3924+ }
3925+ }
3926+
3927+ sapi_register_input_filter(varfilter_input_filter);
3928+ sapi_register_upload_varname_filter(varfilter_upload_varname_filter);
3929+ sapi_register_pre_upload_filter(varfilter_pre_upload_filter);
3930+ sapi_register_upload_content_filter(varfilter_upload_content_filter);
3931+ sapi_register_post_upload_filter(varfilter_post_upload_filter);
3932+
3933+ sapi_module.header_handler = varfilter_header_handler;
3934+ sapi_module.register_server_variables = varfilter_register_server_variables;
3935+
3936+
3937+ return SUCCESS;
3938+}
3939+/* }}} */
3940+
3941+/* {{{ PHP_MSHUTDOWN_FUNCTION
3942+ */
3943+PHP_MSHUTDOWN_FUNCTION(varfilter)
3944+{
3945+ UNREGISTER_INI_ENTRIES();
3946+
3947+ return SUCCESS;
3948+}
3949+/* }}} */
3950+
3951+/* Remove if there's nothing to do at request start */
3952+/* {{{ PHP_RINIT_FUNCTION
3953+ */
3954+PHP_RINIT_FUNCTION(varfilter)
3955+{
3956+ VARFILTER_G(cur_request_variables) = 0;
3957+ VARFILTER_G(cur_get_vars) = 0;
3958+ VARFILTER_G(cur_post_vars) = 0;
3959+ VARFILTER_G(cur_cookie_vars) = 0;
3960+
3961+ VARFILTER_G(cur_uploads) = 0;
3962+
3963+ VARFILTER_G(no_more_variables) = 0;
3964+ VARFILTER_G(no_more_get_variables) = 0;
3965+ VARFILTER_G(no_more_post_variables) = 0;
3966+ VARFILTER_G(no_more_cookie_variables) = 0;
3967+ VARFILTER_G(no_more_uploads) = 0;
3968+
3969+ return SUCCESS;
3970+}
3971+/* }}} */
3972+
3973+/* Remove if there's nothing to do at request end */
3974+/* {{{ PHP_RSHUTDOWN_FUNCTION
3975+ */
3976+PHP_RSHUTDOWN_FUNCTION(varfilter)
3977+{
3978+ return SUCCESS;
3979+}
3980+/* }}} */
3981+
3982+/* {{{ PHP_MINFO_FUNCTION
3983+ */
3984+PHP_MINFO_FUNCTION(varfilter)
3985+{
3986+ php_info_print_table_start();
3987+ php_info_print_table_header(2, "Hardening-Patch's variable filter support", "enabled");
3988+ php_info_print_table_end();
3989+
3990+ DISPLAY_INI_ENTRIES();
3991+}
3992+/* }}} */
3993+
3994+/* {{{ normalize_varname
3995+ */
3996+static void normalize_varname(char *varname)
3997+{
3998+ char *s=varname, *index=NULL, *indexend=NULL, *p;
3999+
4000+ /* overjump leading space */
4001+ while (*s == ' ') {
4002+ s++;
4003+ }
4004+
4005+ /* and remove it */
4006+ if (s != varname) {
4007+ memmove(varname, s, strlen(s)+1);
4008+ }
4009+
4010+ for (p=varname; *p && *p != '['; p++) {
4011+ switch(*p) {
4012+ case ' ':
4013+ case '.':
4014+ *p='_';
4015+ break;
4016+ }
4017+ }
4018+
4019+ /* find index */
4020+ index = strchr(varname, '[');
4021+ if (index) {
4022+ index++;
4023+ s=index;
4024+ } else {
4025+ return;
4026+ }
4027+
4028+ /* done? */
4029+ while (index) {
4030+
4031+ while (*index == ' ' || *index == '\r' || *index == '\n' || *index=='\t') {
4032+ index++;
4033+ }
4034+ indexend = strchr(index, ']');
4035+ indexend = indexend ? indexend + 1 : index + strlen(index);
4036+
4037+ if (s != index) {
4038+ memmove(s, index, strlen(index)+1);
4039+ s += indexend-index;
4040+ } else {
4041+ s = indexend;
4042+ }
4043+
4044+ if (*s == '[') {
4045+ s++;
4046+ index = s;
4047+ } else {
4048+ index = NULL;
4049+ }
4050+ }
4051+ *s++='\0';
4052+}
4053+/* }}} */
4054+
4055+/* {{{ SAPI_UPLOAD_VARNAME_FILTER_FUNC
4056+ */
4057+SAPI_UPLOAD_VARNAME_FILTER_FUNC(varfilter_upload_varname_filter)
4058+{
4059+ char *index, *prev_index = NULL, *var;
4060+ unsigned int var_len, total_len, depth = 0;
4061+
4062+ var = estrdup(varname);
4063+
4064+ /* Normalize the variable name */
4065+ normalize_varname(var);
4066+
4067+ /* Find length of variable name */
4068+ index = strchr(var, '[');
4069+ total_len = strlen(var);
4070+ var_len = index ? index-var : total_len;
4071+
4072+ /* Drop this variable if it exceeds the varname/total length limit */
4073+ if (VARFILTER_G(max_varname_length) && VARFILTER_G(max_varname_length) < var_len) {
4074+ php_security_log(S_FILES, "configured request variable name length limit exceeded - dropped %s", var);
4075+ goto return_failure;
4076+ }
4077+ if (VARFILTER_G(max_totalname_length) && VARFILTER_G(max_totalname_length) < total_len) {
4078+ php_security_log(S_FILES, "configured request variable total name length limit exceeded - dropped %s", var);
4079+ goto return_failure;
4080+ }
4081+ if (VARFILTER_G(max_post_name_length) && VARFILTER_G(max_post_name_length) < var_len) {
4082+ php_security_log(S_FILES, "configured POST variable name length limit exceeded - dropped %s", var);
4083+
4084+ goto return_failure;
4085+ }
4086+ if (VARFILTER_G(max_post_totalname_length) && VARFILTER_G(max_post_totalname_length) < var_len) {
4087+ php_security_log(S_FILES, "configured POST variable total name length limit exceeded - dropped %s", var);
4088+ goto return_failure;
4089+ }
4090+
4091+ /* Find out array depth */
4092+ while (index) {
4093+ unsigned int index_length;
4094+
4095+ depth++;
4096+ index = strchr(index+1, '[');
4097+
4098+ if (prev_index) {
4099+ index_length = index ? index - 1 - prev_index - 1: strlen(prev_index);
4100+
4101+ if (VARFILTER_G(max_array_index_length) && VARFILTER_G(max_array_index_length) < index_length) {
4102+ php_security_log(S_FILES, "configured request variable array index length limit exceeded - dropped %s", var);
4103+ goto return_failure;
4104+ }
4105+ if (VARFILTER_G(max_post_array_index_length) && VARFILTER_G(max_post_array_index_length) < index_length) {
4106+ php_security_log(S_FILES, "configured POST variable array index length limit exceeded - dropped %s", var);
4107+ goto return_failure;
4108+ }
4109+ prev_index = index;
4110+ }
4111+
4112+ }
4113+
4114+ /* Drop this variable if it exceeds the array depth limit */
4115+ if (VARFILTER_G(max_array_depth) && VARFILTER_G(max_array_depth) < depth) {
4116+ php_security_log(S_FILES, "configured request variable array depth limit exceeded - dropped %s", var);
4117+ goto return_failure;
4118+ }
4119+ if (VARFILTER_G(max_post_array_depth) && VARFILTER_G(max_post_array_depth) < depth) {
4120+ php_security_log(S_FILES, "configured POST variable array depth limit exceeded - dropped %s", var);
4121+ goto return_failure;
4122+ }
4123+
4124+
4125+ /* Drop this variable if it is one of GLOBALS, _GET, _POST, ... */
4126+ /* This is to protect several silly scripts that do globalizing themself */
4127+
4128+ switch (var_len) {
4129+ case 18:
4130+ if (memcmp(var, "HTTP_RAW_POST_DATA", 18)==0) goto protected_varname2;
4131+ break;
4132+ case 17:
4133+ if (memcmp(var, "HTTP_SESSION_VARS", 17)==0) goto protected_varname2;
4134+ break;
4135+ case 16:
4136+ if (memcmp(var, "HTTP_SERVER_VARS", 16)==0) goto protected_varname2;
4137+ if (memcmp(var, "HTTP_COOKIE_VARS", 16)==0) goto protected_varname2;
4138+ break;
4139+ case 15:
4140+ if (memcmp(var, "HTTP_POST_FILES", 15)==0) goto protected_varname2;
4141+ break;
4142+ case 14:
4143+ if (memcmp(var, "HTTP_POST_VARS", 14)==0) goto protected_varname2;
4144+ break;
4145+ case 13:
4146+ if (memcmp(var, "HTTP_GET_VARS", 13)==0) goto protected_varname2;
4147+ if (memcmp(var, "HTTP_ENV_VARS", 13)==0) goto protected_varname2;
4148+ break;
4149+ case 8:
4150+ if (memcmp(var, "_SESSION", 8)==0) goto protected_varname2;
4151+ if (memcmp(var, "_REQUEST", 8)==0) goto protected_varname2;
4152+ break;
4153+ case 7:
4154+ if (memcmp(var, "GLOBALS", 7)==0) goto protected_varname2;
4155+ if (memcmp(var, "_COOKIE", 7)==0) goto protected_varname2;
4156+ if (memcmp(var, "_SERVER", 7)==0) goto protected_varname2;
4157+ break;
4158+ case 6:
4159+ if (memcmp(var, "_FILES", 6)==0) goto protected_varname2;
4160+ break;
4161+ case 5:
4162+ if (memcmp(var, "_POST", 5)==0) goto protected_varname2;
4163+ break;
4164+ case 4:
4165+ if (memcmp(var, "_ENV", 4)==0) goto protected_varname2;
4166+ if (memcmp(var, "_GET", 4)==0) goto protected_varname2;
4167+ break;
4168+ }
4169+
4170+ efree(var);
4171+ return SUCCESS;
4172+protected_varname2:
4173+ php_security_log(S_FILES, "tried to register forbidden variable '%s' through FILE variables", var);
4174+return_failure:
4175+ efree(var);
4176+ return FAILURE;
4177+}
4178+/* }}} */
4179+
4180+/* {{{ SAPI_PRE_UPLOAD_FILTER_FUNC
4181+ */
4182+SAPI_PRE_UPLOAD_FILTER_FUNC(varfilter_pre_upload_filter)
4183+{
4184+ /* Drop if no more variables flag is set */
4185+ if (VARFILTER_G(no_more_uploads)) {
4186+ return FAILURE;
4187+ }
4188+ /* Drop this fileupload if the limit is reached */
4189+ if (VARFILTER_G(max_uploads) && VARFILTER_G(max_uploads) <= VARFILTER_G(cur_uploads)) {
4190+ php_security_log(S_FILES, "configured fileupload limit exceeded - file dropped");
4191+ VARFILTER_G(no_more_uploads) = 1;
4192+ return FAILURE;
4193+ }
4194+
4195+ return SUCCESS;
4196+}
4197+/* }}} */
4198+
4199+/* {{{ SAPI_UPLOAD_CONTENT_FILTER_FUNC
4200+ */
4201+SAPI_UPLOAD_CONTENT_FILTER_FUNC(varfilter_upload_content_filter)
4202+{
4203+
4204+ if (VARFILTER_G(disallow_elf_files)) {
4205+
4206+ if (offset == 0 && buffer_len > 10) {
4207+
4208+ if (buffer[0] == 0x7F && buffer[1] == 'E' && buffer[2] == 'L' && buffer[3] == 'F') {
4209+ php_security_log(S_FILES, "uploaded file is an ELF executable - file dropped");
4210+ return FAILURE;
4211+ }
4212+ }
4213+
4214+ }
4215+
4216+ return SUCCESS;
4217+}
4218+/* }}} */
4219+
4220+/* {{{ SAPI_POST_UPLOAD_FILTER_FUNC
4221+ */
4222+SAPI_POST_UPLOAD_FILTER_FUNC(varfilter_post_upload_filter)
4223+{
4224+ int retval = SUCCESS;
4225+
4226+ if (VARFILTER_G(verification_script)) {
4227+ char cmd[8192];
4228+ FILE *in;
4229+ int first=1;
4230+
4231+ ap_php_snprintf(cmd, sizeof(cmd), "%s %s", VARFILTER_G(verification_script), tmpfilename);
4232+
4233+ if ((in=VCWD_POPEN(cmd, "r"))==NULL) {
4234+ php_security_log(S_FILES, "unable to execute fileupload verification script %s - file dropped", VARFILTER_G(verification_script));
4235+ return FAILURE;
4236+ }
4237+
4238+ retval = FAILURE;
4239+
4240+ /* read and forget the result */
4241+ while (1) {
4242+ int readbytes = fread(cmd, 1, sizeof(cmd), in);
4243+ if (readbytes<=0) {
4244+ break;
4245+ }
4246+ if (first) {
4247+ retval = atoi(cmd) == 1 ? SUCCESS : FAILURE;
4248+ first = 0;
4249+ }
4250+ }
4251+ pclose(in);
4252+ }
4253+
4254+ if (retval != SUCCESS) {
4255+ php_security_log(S_FILES, "fileupload verification script disallows file - file dropped");
4256+ return FAILURE;
4257+ }
4258+
4259+ VARFILTER_G(cur_uploads)++;
4260+ return SUCCESS;
4261+}
4262+/* }}} */
4263+
4264+/* {{{ SAPI_INPUT_FILTER_FUNC
4265+ */
4266+SAPI_INPUT_FILTER_FUNC(varfilter_input_filter)
4267+{
4268+ char *index, *prev_index = NULL;
4269+ unsigned int var_len, total_len, depth = 0;
4270+
4271+ /* Drop this variable if the limit was reached */
4272+ switch (arg) {
4273+ case PARSE_GET:
4274+ if (VARFILTER_G(no_more_get_variables)) {
4275+ return 0;
4276+ }
4277+ break;
4278+ case PARSE_POST:
4279+ if (VARFILTER_G(no_more_post_variables)) {
4280+ return 0;
4281+ }
4282+ break;
4283+ case PARSE_COOKIE:
4284+ if (VARFILTER_G(no_more_cookie_variables)) {
4285+ return 0;
4286+ }
4287+ break;
4288+ default: /* we do not want to protect parse_str() and friends */
4289+ if (new_val_len) {
4290+ *new_val_len = val_len;
4291+ }
4292+ return 1;
4293+ }
4294+ if (VARFILTER_G(no_more_variables)) {
4295+ return 0;
4296+ }
4297+
4298+ /* Drop this variable if the limit is now reached */
4299+ if (VARFILTER_G(max_request_variables) && VARFILTER_G(max_request_variables) <= VARFILTER_G(cur_request_variables)) {
4300+ php_security_log(S_VARS, "configured request variable limit exceeded - dropped %s", var);
4301+ VARFILTER_G(no_more_variables) = 1;
4302+ return 0;
4303+ }
4304+ switch (arg) {
4305+ case PARSE_GET:
4306+ if (VARFILTER_G(max_get_vars) && VARFILTER_G(max_get_vars) <= VARFILTER_G(cur_get_vars)) {
4307+ php_security_log(S_VARS, "configured GET variable limit exceeded - dropped %s", var);
4308+ VARFILTER_G(no_more_get_variables) = 1;
4309+ return 0;
4310+ }
4311+ break;
4312+ case PARSE_COOKIE:
4313+ if (VARFILTER_G(max_cookie_vars) && VARFILTER_G(max_cookie_vars) <= VARFILTER_G(cur_cookie_vars)) {
4314+ php_security_log(S_VARS, "configured COOKIE variable limit exceeded - dropped %s", var);
4315+ VARFILTER_G(no_more_cookie_variables) = 1;
4316+ return 0;
4317+ }
4318+ break;
4319+ case PARSE_POST:
4320+ if (VARFILTER_G(max_post_vars) && VARFILTER_G(max_post_vars) <= VARFILTER_G(cur_post_vars)) {
4321+ php_security_log(S_VARS, "configured POST variable limit exceeded - dropped %s", var);
4322+ VARFILTER_G(no_more_post_variables) = 1;
4323+ return 0;
4324+ }
4325+ break;
4326+ }
4327+
4328+
4329+ /* Drop this variable if it exceeds the value length limit */
4330+ if (VARFILTER_G(max_value_length) && VARFILTER_G(max_value_length) < val_len) {
4331+ php_security_log(S_VARS, "configured request variable value length limit exceeded - dropped %s", var);
4332+ return 0;
4333+ }
4334+ switch (arg) {
4335+ case PARSE_GET:
4336+ if (VARFILTER_G(max_get_value_length) && VARFILTER_G(max_get_value_length) < val_len) {
4337+ php_security_log(S_VARS, "configured GET variable value length limit exceeded - dropped %s", var);
4338+ return 0;
4339+ }
4340+ break;
4341+ case PARSE_COOKIE:
4342+ if (VARFILTER_G(max_cookie_value_length) && VARFILTER_G(max_cookie_value_length) < val_len) {
4343+ php_security_log(S_VARS, "configured COOKIE variable value length limit exceeded - dropped %s", var);
4344+ return 0;
4345+ }
4346+ break;
4347+ case PARSE_POST:
4348+ if (VARFILTER_G(max_post_value_length) && VARFILTER_G(max_post_value_length) < val_len) {
4349+ php_security_log(S_VARS, "configured POST variable value length limit exceeded - dropped %s", var);
4350+ return 0;
4351+ }
4352+ break;
4353+ }
4354+
4355+ /* Normalize the variable name */
4356+ normalize_varname(var);
4357+
4358+ /* Find length of variable name */
4359+ index = strchr(var, '[');
4360+ total_len = strlen(var);
4361+ var_len = index ? index-var : total_len;
4362+
4363+ /* Drop this variable if it exceeds the varname/total length limit */
4364+ if (VARFILTER_G(max_varname_length) && VARFILTER_G(max_varname_length) < var_len) {
4365+ php_security_log(S_VARS, "configured request variable name length limit exceeded - dropped %s", var);
4366+ return 0;
4367+ }
4368+ if (VARFILTER_G(max_totalname_length) && VARFILTER_G(max_totalname_length) < total_len) {
4369+ php_security_log(S_VARS, "configured request variable total name length limit exceeded - dropped %s", var);
4370+ return 0;
4371+ }
4372+ switch (arg) {
4373+ case PARSE_GET:
4374+ if (VARFILTER_G(max_get_name_length) && VARFILTER_G(max_get_name_length) < var_len) {
4375+ php_security_log(S_VARS, "configured GET variable name length limit exceeded - dropped %s", var);
4376+ return 0;
4377+ }
4378+ if (VARFILTER_G(max_get_totalname_length) && VARFILTER_G(max_get_totalname_length) < var_len) {
4379+ php_security_log(S_VARS, "configured GET variable total name length limit exceeded - dropped %s", var);
4380+ return 0;
4381+ }
4382+ break;
4383+ case PARSE_COOKIE:
4384+ if (VARFILTER_G(max_cookie_name_length) && VARFILTER_G(max_cookie_name_length) < var_len) {
4385+ php_security_log(S_VARS, "configured COOKIE variable name length limit exceeded - dropped %s", var);
4386+ return 0;
4387+ }
4388+ if (VARFILTER_G(max_cookie_totalname_length) && VARFILTER_G(max_cookie_totalname_length) < var_len) {
4389+ php_security_log(S_VARS, "configured COOKIE variable total name length limit exceeded - dropped %s", var);
4390+ return 0;
4391+ }
4392+ break;
4393+ case PARSE_POST:
4394+ if (VARFILTER_G(max_post_name_length) && VARFILTER_G(max_post_name_length) < var_len) {
4395+ php_security_log(S_VARS, "configured POST variable name length limit exceeded - dropped %s", var);
4396+ return 0;
4397+ }
4398+ if (VARFILTER_G(max_post_totalname_length) && VARFILTER_G(max_post_totalname_length) < var_len) {
4399+ php_security_log(S_VARS, "configured POST variable total name length limit exceeded - dropped %s", var);
4400+ return 0;
4401+ }
4402+ break;
4403+ }
4404+
4405+ /* Find out array depth */
4406+ while (index) {
4407+ unsigned int index_length;
4408+
4409+ depth++;
4410+ index = strchr(index+1, '[');
4411+
4412+ if (prev_index) {
4413+ index_length = index ? index - 1 - prev_index - 1: strlen(prev_index);
4414+
4415+ if (VARFILTER_G(max_array_index_length) && VARFILTER_G(max_array_index_length) < index_length) {
4416+ php_security_log(S_VARS, "configured request variable array index length limit exceeded - dropped %s", var);
4417+ return 0;
4418+ }
4419+ switch (arg) {
4420+ case PARSE_GET:
4421+ if (VARFILTER_G(max_get_array_index_length) && VARFILTER_G(max_get_array_index_length) < index_length) {
4422+ php_security_log(S_VARS, "configured GET variable array index length limit exceeded - dropped %s", var);
4423+ return 0;
4424+ }
4425+ break;
4426+ case PARSE_COOKIE:
4427+ if (VARFILTER_G(max_cookie_array_index_length) && VARFILTER_G(max_cookie_array_index_length) < index_length) {
4428+ php_security_log(S_VARS, "configured COOKIE variable array index length limit exceeded - dropped %s", var);
4429+ return 0;
4430+ }
4431+ break;
4432+ case PARSE_POST:
4433+ if (VARFILTER_G(max_post_array_index_length) && VARFILTER_G(max_post_array_index_length) < index_length) {
4434+ php_security_log(S_VARS, "configured POST variable array index length limit exceeded - dropped %s", var);
4435+ return 0;
4436+ }
4437+ break;
4438+ }
4439+ prev_index = index;
4440+ }
4441+
4442+ }
4443+
4444+ /* Drop this variable if it exceeds the array depth limit */
4445+ if (VARFILTER_G(max_array_depth) && VARFILTER_G(max_array_depth) < depth) {
4446+ php_security_log(S_VARS, "configured request variable array depth limit exceeded - dropped %s", var);
4447+ return 0;
4448+ }
4449+ switch (arg) {
4450+ case PARSE_GET:
4451+ if (VARFILTER_G(max_get_array_depth) && VARFILTER_G(max_get_array_depth) < depth) {
4452+ php_security_log(S_VARS, "configured GET variable array depth limit exceeded - dropped %s", var);
4453+ return 0;
4454+ }
4455+ break;
4456+ case PARSE_COOKIE:
4457+ if (VARFILTER_G(max_cookie_array_depth) && VARFILTER_G(max_cookie_array_depth) < depth) {
4458+ php_security_log(S_VARS, "configured COOKIE variable array depth limit exceeded - dropped %s", var);
4459+ return 0;
4460+ }
4461+ break;
4462+ case PARSE_POST:
4463+ if (VARFILTER_G(max_post_array_depth) && VARFILTER_G(max_post_array_depth) < depth) {
4464+ php_security_log(S_VARS, "configured POST variable array depth limit exceeded - dropped %s", var);
4465+ return 0;
4466+ }
4467+ break;
4468+ }
4469+
4470+ /* Check if variable value is truncated by a \0 */
4471+
4472+ if (val && *val && val_len != strlen(*val)) {
4473+
4474+ if (VARFILTER_G(disallow_nul)) {
4475+ php_security_log(S_VARS, "ASCII-NUL chars not allowed within request variables - dropped %s", var);
4476+ return 0;
4477+ }
4478+ switch (arg) {
4479+ case PARSE_GET:
4480+ if (VARFILTER_G(disallow_get_nul)) {
4481+ php_security_log(S_VARS, "ASCII-NUL chars not allowed within GET variables - dropped %s", var);
4482+ return 0;
4483+ }
4484+ break;
4485+ case PARSE_COOKIE:
4486+ if (VARFILTER_G(disallow_cookie_nul)) {
4487+ php_security_log(S_VARS, "ASCII-NUL chars not allowed within COOKIE variables - dropped %s", var);
4488+ return 0;
4489+ }
4490+ break;
4491+ case PARSE_POST:
4492+ if (VARFILTER_G(disallow_post_nul)) {
4493+ php_security_log(S_VARS, "ASCII-NUL chars not allowed within POST variables - dropped %s", var);
4494+ return 0;
4495+ }
4496+ break;
4497+ }
4498+ }
4499+
4500+ /* Drop this variable if it is one of GLOBALS, _GET, _POST, ... */
4501+ /* This is to protect several silly scripts that do globalizing themself */
4502+
4503+ switch (var_len) {
4504+ case 18:
4505+ if (memcmp(var, "HTTP_RAW_POST_DATA", 18)==0) goto protected_varname;
4506+ break;
4507+ case 17:
4508+ if (memcmp(var, "HTTP_SESSION_VARS", 17)==0) goto protected_varname;
4509+ break;
4510+ case 16:
4511+ if (memcmp(var, "HTTP_SERVER_VARS", 16)==0) goto protected_varname;
4512+ if (memcmp(var, "HTTP_COOKIE_VARS", 16)==0) goto protected_varname;
4513+ break;
4514+ case 15:
4515+ if (memcmp(var, "HTTP_POST_FILES", 15)==0) goto protected_varname;
4516+ break;
4517+ case 14:
4518+ if (memcmp(var, "HTTP_POST_VARS", 14)==0) goto protected_varname;
4519+ break;
4520+ case 13:
4521+ if (memcmp(var, "HTTP_GET_VARS", 13)==0) goto protected_varname;
4522+ if (memcmp(var, "HTTP_ENV_VARS", 13)==0) goto protected_varname;
4523+ break;
4524+ case 8:
4525+ if (memcmp(var, "_SESSION", 8)==0) goto protected_varname;
4526+ if (memcmp(var, "_REQUEST", 8)==0) goto protected_varname;
4527+ break;
4528+ case 7:
4529+ if (memcmp(var, "GLOBALS", 7)==0) goto protected_varname;
4530+ if (memcmp(var, "_COOKIE", 7)==0) goto protected_varname;
4531+ if (memcmp(var, "_SERVER", 7)==0) goto protected_varname;
4532+ break;
4533+ case 6:
4534+ if (memcmp(var, "_FILES", 6)==0) goto protected_varname;
4535+ break;
4536+ case 5:
4537+ if (memcmp(var, "_POST", 5)==0) goto protected_varname;
4538+ break;
4539+ case 4:
4540+ if (memcmp(var, "_ENV", 4)==0) goto protected_varname;
4541+ if (memcmp(var, "_GET", 4)==0) goto protected_varname;
4542+ break;
4543+ }
4544+
4545+ /* Okay let PHP register this variable */
4546+ VARFILTER_G(cur_request_variables)++;
4547+ switch (arg) {
4548+ case PARSE_GET:
4549+ VARFILTER_G(cur_get_vars)++;
4550+ break;
4551+ case PARSE_COOKIE:
4552+ VARFILTER_G(cur_cookie_vars)++;
4553+ break;
4554+ case PARSE_POST:
4555+ VARFILTER_G(cur_post_vars)++;
4556+ break;
4557+ }
4558+
4559+ if (new_val_len) {
4560+ *new_val_len = val_len;
4561+ }
4562+
4563+ return 1;
4564+protected_varname:
4565+ php_security_log(S_VARS, "tried to register forbidden variable '%s' through %s variables", var, arg == PARSE_GET ? "GET" : arg == PARSE_POST ? "POST" : "COOKIE");
4566+ return 0;
4567+}
4568+/* }}} */
4569+
4570+/*
4571+ * Local variables:
4572+ * tab-width: 4
4573+ * c-basic-offset: 4
4574+ * End:
4575+ * vim600: noet sw=4 ts=4 fdm=marker
4576+ * vim<600: noet sw=4 ts=4
4577+ */
4578+
4579+
4580diff -Nura php-4.4.3/main/fopen_wrappers.c hardening-patch-4.4.3-0.4.15/main/fopen_wrappers.c
4581--- php-4.4.3/main/fopen_wrappers.c 2006-01-01 14:46:59.000000000 +0100
4582+++ hardening-patch-4.4.3-0.4.15/main/fopen_wrappers.c 2006-09-07 18:53:34.000000000 +0200
4583@@ -106,7 +106,10 @@
4584 }
4585
4586 /* Resolve the real path into resolved_name */
4587- if ((expand_filepath(path, resolved_name TSRMLS_CC) != NULL) && (expand_filepath(local_open_basedir, resolved_basedir TSRMLS_CC) != NULL)) {
4588+ if (expand_filepath(path, resolved_name TSRMLS_CC) == NULL) {
4589+ return -2;
4590+ }
4591+ if (expand_filepath(local_open_basedir, resolved_basedir TSRMLS_CC) != NULL) {
4592 /* Handler for basedirs that end with a / */
4593 resolved_basedir_len = strlen(resolved_basedir);
4594 if (basedir[strlen(basedir) - 1] == PHP_DIR_SEPARATOR) {
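Review bot: php_check_specific_open_basedir now has four distinct return values (0 inside the basedir, -1 outside, -2 when `path` cannot be resolved, -3 when the basedir entry cannot be resolved) but nothing documents them, and only the caller changed in `@@ -156,22 +165,44 @@` tells -2 apart from the rest. The function's opening comment lies outside this hunk; a line such as `/* Returns 0 if path lies inside basedir, -1 if outside, -2 if path cannot be resolved (caller denies), -3 if basedir cannot be resolved (caller skips this entry) */` belongs there. The comment `/* Unable to resolve the real path, return -1 */` kept in `@@ -137,7 +146,7 @@` is now stale, since that branch returns -3.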
4595@@ -116,14 +119,20 @@
4596 }
4597 }
4598
4599+ resolved_name_len = strlen(resolved_name);
4600 if (path[strlen(path)-1] == PHP_DIR_SEPARATOR) {
4601- resolved_name_len = strlen(resolved_name);
4602 if (resolved_name[resolved_name_len - 1] != PHP_DIR_SEPARATOR) {
4603 resolved_name[resolved_name_len] = PHP_DIR_SEPARATOR;
4604 resolved_name[++resolved_name_len] = '\0';
4605 }
4606 }
4607
4608+ if (resolved_name_len == resolved_basedir_len - 1) {
4609+ if (resolved_basedir[resolved_basedir_len - 1] == PHP_DIR_SEPARATOR) {
4610+ resolved_basedir_len--;
4611+ }
4612+ }
4613+
4614 /* Check the path */
4615 #ifdef PHP_WIN32
4616 if (strncasecmp(resolved_basedir, resolved_name, resolved_basedir_len) == 0) {
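Review bot: The new equal-length block before the prefix compare has no comment, and its intent is not obvious: it covers the case where the resolved path is the basedir directory itself while the resolved basedir still carries a trailing separator, and shortens the compared length so the strncmp/strncasecmp below accepts it. A comment such as `/* path is the basedir itself without the trailing separator: compare without it */` above `if (resolved_name_len == resolved_basedir_len - 1)` would make that readable. The hoisted `resolved_name_len = strlen(resolved_name);` is what makes the check possible when `path` has no trailing separator, which is worth one clause in the same comment. The enclosing function starts and ends outside this hunk.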
4617@@ -137,7 +146,7 @@
4618 }
4619 } else {
4620 /* Unable to resolve the real path, return -1 */
4621- return -1;
4622+ return -3;
4623 }
4624 }
4625 /* }}} */
4626@@ -156,22 +165,44 @@
4627 char *pathbuf;
4628 char *ptr;
4629 char *end;
4630+ char path_copy[MAXPATHLEN];
4631+ int path_len;
4632+
4633+ /* Special case path ends with a trailing slash */
4634+ path_len = strlen(path);
4635+ if (path_len >= MAXPATHLEN) {
4636+ errno = EPERM; /* we deny permission to open it */
4637+ return -1;
4638+ }
4639+ if (path_len > 0 && path[path_len-1] == PHP_DIR_SEPARATOR) {
4640+ memcpy(path_copy, path, path_len+1);
4641+ while (path_len > 0 && path_copy[path_len-1] == PHP_DIR_SEPARATOR) path_len--;
4642+ path_copy[path_len] = '\0';
4643+ path = (const char *)&path_copy;
4644+ }
4645
4646 pathbuf = estrdup(PG(open_basedir));
4647
4648 ptr = pathbuf;
4649
4650 while (ptr && *ptr) {
4651+ int res;
4652 end = strchr(ptr, DEFAULT_DIR_SEPARATOR);
4653 if (end != NULL) {
4654 *end = '\0';
4655 end++;
4656 }
4657
4658- if (php_check_specific_open_basedir(ptr, path TSRMLS_CC) == 0) {
4659+ res = php_check_specific_open_basedir(ptr, path TSRMLS_CC);
4660+ if (res == 0) {
4661 efree(pathbuf);
4662 return 0;
4663 }
4664+ if (res == -2) {
4665+ efree(pathbuf);
4666+ errno = EPERM;
4667+ return -1;
4668+ }
4669
4670 ptr = end;
4671 }
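Review bot: The trailing-separator stripping can reduce `path_len` to 0 — for the path `/` (or any run of separators) `path_copy` becomes the empty string — and php_check_specific_open_basedir then evaluates `path[strlen(path)-1]`, which indexes one byte before the buffer unless expand_filepath() rejects an empty path first (it is not visible here, so I cannot confirm that it does). Keeping at least one separator avoids relying on that: `while (path_len > 1 && path_copy[path_len-1] == PHP_DIR_SEPARATOR) path_len--;`. The cast `path = (const char *)&path_copy;` takes the address of the array and converts an `char (*)[MAXPATHLEN]`; plain `path = path_copy;` is what is meant. The `path_len >= MAXPATHLEN` rejection is correct for the `memcpy(path_copy, path, path_len+1)` that follows, and deserves a comment saying it sizes the copy rather than being an open_basedir policy decision.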
4672diff -Nura php-4.4.3/main/hardened_globals.h hardening-patch-4.4.3-0.4.15/main/hardened_globals.h
4673--- php-4.4.3/main/hardened_globals.h 1970-01-01 01:00:00.000000000 +0100
4674+++ hardening-patch-4.4.3-0.4.15/main/hardened_globals.h 2006-09-05 20:30:45.000000000 +0200
4675@@ -0,0 +1,64 @@
4676+/*
4677+ +----------------------------------------------------------------------+
4678+ | Hardening-Patch for PHP |
4679+ +----------------------------------------------------------------------+
4680+ | Copyright (c) 2004-2005 Stefan Esser |
4681+ +----------------------------------------------------------------------+
4682+ | This source file is subject to version 2.02 of the PHP license, |
4683+ | that is bundled with this package in the file LICENSE, and is |
4684+ | available at through the world-wide-web at |
4685+ | http://www.php.net/license/2_02.txt. |
4686+ | If you did not receive a copy of the PHP license and are unable to |
4687+ | obtain it through the world-wide-web, please send a note to |
4688+ | license@php.net so we can mail you a copy immediately. |
4689+ +----------------------------------------------------------------------+
4690+ | Author: Stefan Esser <sesser@hardened-php.net> |
4691+ +----------------------------------------------------------------------+
4692+ */
4693+
4694+#ifndef HARDENED_GLOBALS_H
4695+#define HARDENED_GLOBALS_H
4696+
4697+typedef struct _hardened_globals hardened_globals_struct;
4698+
4699+#ifdef ZTS
4700+# define HG(v) TSRMG(hardened_globals_id, hardened_globals_struct *, v)
4701+extern int hardened_globals_id;
4702+#else
4703+# define HG(v) (hardened_globals.v)
4704+extern struct _hardened_globals hardened_globals;
4705+#endif
4706+
4707+
4708+struct _hardened_globals {
4709+#if HARDENING_PATCH_MM_PROTECT
4710+ unsigned int canary_1;
4711+ unsigned int canary_2;
4712+#endif
4713+#if HARDENING_PATCH_LL_PROTECT
4714+ unsigned int canary_3;
4715+ unsigned int canary_4;
4716+ unsigned int ll_canary_inited;
4717+#endif
4718+ zend_bool hphp_sql_bailout_on_error;
4719+ zend_bool hphp_multiheader;
4720+ unsigned long hphp_mailprotect;
4721+ long hard_memory_limit;
4722+ HashTable *eval_whitelist;
4723+ HashTable *eval_blacklist;
4724+ HashTable *func_whitelist;
4725+ HashTable *func_blacklist;
4726+ HashTable *include_whitelist;
4727+ HashTable *include_blacklist;
4728+ unsigned int dummy;
4729+};
4730+
4731+
4732+#endif /* HARDENED_GLOBALS_H */
4733+
4734+/*
4735+ * Local variables:
4736+ * tab-width: 4
4737+ * c-basic-offset: 4
4738+ * End:
4739+ */
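Review bot: `struct _hardened_globals` has no comments on its members, and the trailing `unsigned int dummy;` is unexplained, so a reader cannot tell what pads or placeholds it. A one-line comment per group would suffice: the canary pairs guarded by the two `#if` blocks, the ini-derived flags, the hard memory ceiling, and the six white/blacklist `HashTable *` fields. For the last group, the convention visible in php_is_valid_include() in hardening_patch.c — a NULL pointer means the list is not configured, and both include lists NULL means all URL includes are refused — belongs in this header next to the fields, e.g. `/* NULL = list not configured; see php_is_valid_include() */`.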
4740diff -Nura php-4.4.3/main/hardening_patch.c hardening-patch-4.4.3-0.4.15/main/hardening_patch.c
4741--- php-4.4.3/main/hardening_patch.c 1970-01-01 01:00:00.000000000 +0100
4742+++ hardening-patch-4.4.3-0.4.15/main/hardening_patch.c 2006-09-07 18:48:07.000000000 +0200
4743@@ -0,0 +1,430 @@
4744+/*
4745+ +----------------------------------------------------------------------+
4746+ | Hardening Patch for PHP |
4747+ +----------------------------------------------------------------------+
4748+ | Copyright (c) 2004-2005 Stefan Esser |
4749+ +----------------------------------------------------------------------+
4750+ | This source file is subject to version 2.02 of the PHP license, |
4751+ | that is bundled with this package in the file LICENSE, and is |
4752+ | available at through the world-wide-web at |
4753+ | http://www.php.net/license/2_02.txt. |
4754+ | If you did not receive a copy of the PHP license and are unable to |
4755+ | obtain it through the world-wide-web, please send a note to |
4756+ | license@php.net so we can mail you a copy immediately. |
4757+ +----------------------------------------------------------------------+
4758+ | Author: Stefan Esser <sesser@hardened-php.net> |
4759+ +----------------------------------------------------------------------+
4760+ */
4761+/* $Id: hardening_patch.c,v 1.2 2004/11/21 09:38:52 ionic Exp $ */
4762+
4763+#include "php.h"
4764+
4765+#include <stdio.h>
4766+#include <stdlib.h>
4767+
4768+#if HAVE_UNISTD_H
4769+#include <unistd.h>
4770+#endif
4771+#include "SAPI.h"
4772+#include "php_globals.h"
4773+
4774+#if HARDENING_PATCH
4775+
4776+#ifdef HAVE_SYS_SOCKET_H
4777+#include <sys/socket.h>
4778+#endif
4779+
4780+#if defined(PHP_WIN32) || defined(__riscos__) || defined(NETWARE)
4781+#undef AF_UNIX
4782+#endif
4783+
4784+#if defined(AF_UNIX)
4785+#include <sys/un.h>
4786+#endif
4787+
4788+#define SYSLOG_PATH "/dev/log"
4789+
4790+#include "snprintf.h"
4791+
4792+#include "hardening_patch.h"
4793+
4794+#ifdef ZTS
4795+#include "hardened_globals.h"
4796+int hardened_globals_id;
4797+#else
4798+struct _hardened_globals hardened_globals;
4799+#endif
4800+
4801+static void hardened_globals_ctor(hardened_globals_struct *hardened_globals TSRMLS_DC)
4802+{
4803+ memset(hardened_globals, 0, sizeof(*hardened_globals));
4804+}
4805+
4806+
4807+PHPAPI void hardened_startup()
4808+{
4809+#ifdef ZTS
4810+ ts_allocate_id(&hardened_globals_id, sizeof(hardened_globals_struct), (ts_allocate_ctor) hardened_globals_ctor, NULL);
4811+#else
4812+ hardened_globals_ctor(&hardened_globals TSRMLS_CC);
4813+#endif
4814+}
4815+
4816+PHPAPI void hardened_clear_mm_canaries(TSRMLS_D)
4817+{
4818+ HG(canary_1) = php_canary();
4819+ HG(canary_2) = php_canary();
4820+}
4821+
4822+char *loglevel2string(int loglevel)
4823+{
4824+ switch (loglevel) {
4825+ case S_FILES:
4826+ return "FILES";
4827+ case S_INCLUDE:
4828+ return "INCLUDE";
4829+ case S_MEMORY:
4830+ return "MEMORY";
4831+ case S_MISC:
4832+ return "MISC";
4833+ case S_SQL:
4834+ return "SQL";
4835+ case S_EXECUTOR:
4836+ return "EXECUTOR";
4837+ case S_VARS:
4838+ return "VARS";
4839+ default:
4840+ return "UNKNOWN";
4841+ }
4842+}
4843+
4844+PHPAPI void php_security_log(int loglevel, char *fmt, ...)
4845+{
4846+#if defined(AF_UNIX)
4847+ int s, r, i=0;
4848+ struct sockaddr_un saun;
4849+ char buf[4096+64];
4850+ char error[4096+100];
4851+ char *ip_address;
4852+ char *fname;
4853+ int lineno;
4854+ va_list ap;
4855+ TSRMLS_FETCH();
4856+
4857+ if (EG(hphp_log_use_x_forwarded_for)) {
4858+ ip_address = sapi_getenv("HTTP_X_FORWARDED_FOR", 20 TSRMLS_CC);
4859+ if (ip_address == NULL) {
4860+ ip_address = "X-FORWARDED-FOR not set";
4861+ }
4862+ } else {
4863+ ip_address = sapi_getenv("REMOTE_ADDR", 11 TSRMLS_CC);
4864+ if (ip_address == NULL) {
4865+ ip_address = "REMOTE_ADDR not set";
4866+ }
4867+ }
4868+
4869+
4870+ va_start(ap, fmt);
4871+ ap_php_vsnprintf(error, sizeof(error), fmt, ap);
4872+ va_end(ap);
4873+ while (error[i]) {
4874+ if (error[i] < 32) error[i] = '.';
4875+ i++;
4876+ }
4877+
4878+ if (zend_is_executing(TSRMLS_C)) {
4879+ lineno = zend_get_executed_lineno(TSRMLS_C);
4880+ fname = zend_get_executed_filename(TSRMLS_C);
4881+ ap_php_snprintf(buf, sizeof(buf), "ALERT - %s (attacker '%s', file '%s', line %u)", error, ip_address, fname, lineno);
4882+ } else {
4883+ fname = sapi_getenv("SCRIPT_FILENAME", 15 TSRMLS_CC);
4884+ if (fname==NULL) {
4885+ fname = "unknown";
4886+ }
4887+ ap_php_snprintf(buf, sizeof(buf), "ALERT - %s (attacker '%s', file '%s')", error, ip_address, fname);
4888+ }
4889+
4890+ /* Syslog-Logging disabled? */
4891+ if ((EG(hphp_log_syslog) & loglevel)==0) {
4892+ goto log_sapi;
4893+ }
4894+
4895+ ap_php_snprintf(error, sizeof(error), "<%u>hphp[%u]: %s\n", EG(hphp_log_syslog_facility)|EG(hphp_log_syslog_priority),getpid(),buf);
4896+
4897+ s = socket(AF_UNIX, SOCK_DGRAM, 0);
4898+ if (s == -1) {
4899+ goto log_sapi;
4900+ }
4901+
4902+ memset(&saun, 0, sizeof(saun));
4903+ saun.sun_family = AF_UNIX;
4904+ strcpy(saun.sun_path, SYSLOG_PATH);
4905+ /*saun.sun_len = sizeof(saun);*/
4906+
4907+ r = connect(s, (struct sockaddr *)&saun, sizeof(saun));
4908+ if (r) {
4909+ close(s);
4910+ s = socket(AF_UNIX, SOCK_STREAM, 0);
4911+ if (s == -1) {
4912+ goto log_sapi;
4913+ }
4914+
4915+ memset(&saun, 0, sizeof(saun));
4916+ saun.sun_family = AF_UNIX;
4917+ strcpy(saun.sun_path, SYSLOG_PATH);
4918+ /*saun.sun_len = sizeof(saun);*/
4919+
4920+ r = connect(s, (struct sockaddr *)&saun, sizeof(saun));
4921+ if (r) {
4922+ close(s);
4923+ goto log_sapi;
4924+ }
4925+ }
4926+ send(s, error, strlen(error), 0);
4927+
4928+ close(s);
4929+
4930+log_sapi:
4931+ /* SAPI Logging activated? */
4932+ if ((EG(hphp_log_sapi) & loglevel)!=0) {
4933+ sapi_module.log_message(buf);
4934+ }
4935+
4936+log_script:
4937+ /* script logging activaed? */
4938+ if (((EG(hphp_log_script) & loglevel)!=0) && EG(hphp_log_scriptname)!=NULL) {
4939+ char cmd[8192], *cmdpos, *bufpos;
4940+ FILE *in;
4941+ int space;
4942+
4943+ ap_php_snprintf(cmd, sizeof(cmd), "%s %s \'", EG(hphp_log_scriptname), loglevel2string(loglevel));
4944+ space = sizeof(cmd) - strlen(cmd);
4945+ cmdpos = cmd + strlen(cmd);
4946+ bufpos = buf;
4947+ if (space <= 1) return;
4948+ while (space > 2 && *bufpos) {
4949+ if (*bufpos == '\'') {
4950+ if (space<=5) break;
4951+ *cmdpos++ = '\'';
4952+ *cmdpos++ = '\\';
4953+ *cmdpos++ = '\'';
4954+ *cmdpos++ = '\'';
4955+ bufpos++;
4956+ space-=4;
4957+ } else {
4958+ *cmdpos++ = *bufpos++;
4959+ space--;
4960+ }
4961+ }
4962+ *cmdpos++ = '\'';
4963+ *cmdpos = 0;
4964+
4965+ if ((in=VCWD_POPEN(cmd, "r"))==NULL) {
4966+ php_security_log(S_INTERNAL, "Unable to execute logging shell script: %s", EG(hphp_log_scriptname));
4967+ return;
4968+ }
4969+ /* read and forget the result */
4970+ while (1) {
4971+ int readbytes = fread(cmd, 1, sizeof(cmd), in);
4972+ if (readbytes<=0) {
4973+ break;
4974+ }
4975+ }
4976+ pclose(in);
4977+ }
4978+
4979+#endif
4980+}
4981+#endif
4982+
4983+#if HARDENING_PATCH_MM_PROTECT || HARDENING_PATCH_LL_PROTECT || HARDENING_PATCH_HASH_PROTECT
4984+
4985+/* will be replaced later with more compatible method */
4986+PHPAPI unsigned int php_canary()
4987+{
4988+ time_t t;
4989+ unsigned int canary;
4990+ int fd;
4991+
4992+ fd = open("/dev/urandom", 0);
4993+ if (fd != -1) {
4994+ int r = read(fd, &canary, sizeof(canary));
4995+ close(fd);
4996+ if (r == sizeof(canary)) {
4997+ return (canary);
4998+ }
4999+ }
5000+ /* not good but we never want to do this */
5001+ time(&t);
5002+ canary = *(unsigned int *)&t + getpid() << 16;
5003+ return (canary);
5004+}
5005+#endif
5006+
5007+#if HARDENING_PATCH_INC_PROTECT
5008+
5009+PHPAPI int php_is_valid_include(zval *z)
5010+{
5011+ char *filename;
5012+ int len, i;
5013+ TSRMLS_FETCH();
5014+
5015+ /* must be of type string */
5016+ if (z->type != IS_STRING || z->value.str.val == NULL) {
5017+ return (0);
5018+ }
5019+
5020+ /* short cut */
5021+ filename = z->value.str.val;
5022+ len = z->value.str.len;
5023+
5024+ /* 1. must be shorter than MAXPATHLEN */
5025+ if (len > MAXPATHLEN) {
5026+ char *fname = estrndup(filename, len);
5027+ for (i=0; i < len; i++) if (fname[i] < 32) fname[i]='.';
5028+ php_security_log(S_INCLUDE, "Include filename ('%s') longer than MAXPATHLEN chars", fname);
5029+ efree(fname);
5030+ return (0);
5031+ }
5032+
5033+ /* 2. must not be cutted */
5034+ if (len != strlen(filename)) {
5035+ char *fname = estrndup(filename, len);
5036+ for (i=0; fname[i]; i++) if (fname[i] < 32) fname[i]='.';
5037+ php_security_log(S_INCLUDE, "Include filename truncated by a \\0 after '%s'", fname);
5038+ efree(fname);
5039+ return (0);
5040+ }
5041+
5042+ /* 3. when it is an URL first check black/whitelist if both are empty disallow all URLs */
5043+ if (strstr(filename, "://")) {
5044+ char *fname = estrndup(filename, len);
5045+ for (i=0; i < len; i++) if (fname[i] < 32) fname[i]='.';
5046+
5047+ /* no black or whitelist then disallow all */
5048+ if (HG(include_whitelist)==NULL && HG(include_blacklist)==NULL) {
5049+ php_security_log(S_INCLUDE, "Include filename ('%s') is an URL", fname);
5050+ efree(fname);
5051+ return (0);
5052+ }
5053+
5054+ /* whitelist is stronger than blacklist */
5055+ if (HG(include_whitelist)) {
5056+ char *s, *t, *h, *index;
5057+ uint indexlen;
5058+ ulong numindex;
5059+
5060+ s = filename;
5061+
5062+ do {
5063+ zend_bool isOk = 0;
5064+ int tlen;
5065+
5066+ t = h = strstr(s, "://");
5067+ if (h == NULL) break;
5068+
5069+
5070+ while (t > s && (isalnum(t[-1]) || t[-1]=='_')) {
5071+ t--;
5072+ }
5073+
5074+ tlen = strlen(t);
5075+
5076+ zend_hash_internal_pointer_reset(HG(include_whitelist));
5077+ do {
5078+ int r = zend_hash_get_current_key_ex(HG(include_whitelist), &index, &indexlen, &numindex, 0, NULL);
5079+
5080+ if (r==HASH_KEY_NON_EXISTANT) {
5081+ break;
5082+ }
5083+ if (r==HASH_KEY_IS_STRING) {
5084+ if (h-t <= indexlen-1 && tlen>=indexlen-1) {
5085+ if (strncmp(t, index, indexlen-1)==0) {
5086+ isOk = 1;
5087+ break;
5088+ }
5089+ }
5090+ }
5091+
5092+ zend_hash_move_forward(HG(include_whitelist));
5093+ } while (1);
5094+
5095+ /* not found in whitelist */
5096+ if (!isOk) {
5097+ php_security_log(S_INCLUDE, "Include filename ('%s') is an URL that is not allowed in whitelist", fname);
5098+ efree(fname);
5099+ return 0;
5100+ }
5101+
5102+ s = h + 3;
5103+ } while (1);
5104+ } else {
5105+ /* okay then handle the blacklist */
5106+ char *s, *t, *h, *index;
5107+ uint indexlen;
5108+ ulong numindex;
5109+
5110+ s = filename;
5111+
5112+ do {
5113+ int tlen;
5114+
5115+ t = h = strstr(s, "://");
5116+ if (h == NULL) break;
5117+
5118+
5119+ while (t > s && (isalnum(t[-1]) || t[-1]=='_')) {
5120+ t--;
5121+ }
5122+
5123+ tlen = strlen(t);
5124+
5125+ zend_hash_internal_pointer_reset(HG(include_blacklist));
5126+ do {
5127+ int r = zend_hash_get_current_key_ex(HG(include_blacklist), &index, &indexlen, &numindex, 0, NULL);
5128+
5129+ if (r==HASH_KEY_NON_EXISTANT) {
5130+ break;
5131+ }
5132+ if (r==HASH_KEY_IS_STRING) {
5133+ if (h-t <= indexlen-1 && tlen>=indexlen-1) {
5134+ if (strncmp(t, index, indexlen-1)==0) {
5135+ php_security_log(S_INCLUDE, "Include filename ('%s') is an URL that is forbidden by the blacklist", fname);
5136+ efree(fname);
5137+ return 0;
5138+ }
5139+ }
5140+ }
5141+
5142+ zend_hash_move_forward(HG(include_blacklist));
5143+ } while (1);
5144+
5145+ s = h + 3;
5146+ } while (1);
5147+ }
5148+
5149+ efree(fname);
5150+ }
5151+
5152+ /* 4. must not be an uploaded file */
5153+ if (SG(rfc1867_uploaded_files)) {
5154+ if (zend_hash_exists(SG(rfc1867_uploaded_files), (char *) filename, len+1)) {
5155+ php_security_log(S_INCLUDE, "Include filename is an uploaded file");
5156+ return (0);
5157+ }
5158+ }
5159+
5160+ /* passed all tests */
5161+ return (1);
5162+}
5163+
5164+#endif
5165+
5166+/*
5167+ * Local variables:
5168+ * tab-width: 4
5169+ * c-basic-offset: 4
5170+ * End:
5171+ * vim600: sw=4 ts=4 fdm=marker
5172+ * vim<600: sw=4 ts=4
5173+ */
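Review bot: The fallback canary in php_canary() has an operator-precedence defect: `+` binds tighter than `<<`, so `*(unsigned int *)&t + getpid() << 16` evaluates as `(t + pid) << 16` and leaves the low 16 bits of the canary zero whenever /dev/urandom cannot be opened; the cast also type-puns a `time_t` through an `unsigned int` pointer. `canary = (unsigned int)t ^ ((unsigned int)getpid() << 16);` avoids both. In php_security_log() the control-character scrub runs over `error` before `ip_address` and `fname` are formatted into `buf`, so those two fields — one of them taken from the X-Forwarded-For header when that option is on — reach syslog and the SAPI log unscrubbed if the SAPI passes control characters through; moving the loop to run over `buf` after the two ap_php_snprintf calls, `for (i = 0; buf[i]; i++) if (buf[i] < 32) buf[i] = '.';`, covers all three fields. The `php_security_log(S_INTERNAL, …)` call on VCWD_POPEN failure recurses without bound if S_INTERNAL is itself part of the hphp_log_script mask (its value is not visible here), so the script branch should guard against re-entry. The `log_script:` label is never jumped to and draws an unused-label warning.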
5174diff -Nura php-4.4.3/main/hardening_patch.h hardening-patch-4.4.3-0.4.15/main/hardening_patch.h
5175--- php-4.4.3/main/hardening_patch.h 1970-01-01 01:00:00.000000000 +0100
5176+++ hardening-patch-4.4.3-0.4.15/main/hardening_patch.h 2006-09-07 18:50:14.000000000 +0200
5177@@ -0,0 +1,46 @@
5178+/*
5179+ +----------------------------------------------------------------------+
5180+ | Hardening Patch for PHP |
5181+ +----------------------------------------------------------------------+
5182+ | Copyright (c) 2004-2005 Stefan Esser |
5183+ +----------------------------------------------------------------------+
5184+ | This source file is subject to version 2.02 of the PHP license, |
5185+ | that is bundled with this package in the file LICENSE, and is |
5186+ | available at through the world-wide-web at |
5187+ | http://www.php.net/license/2_02.txt. |
5188+ | If you did not receive a copy of the PHP license and are unable to |
5189+ | obtain it through the world-wide-web, please send a note to |
5190+ | license@php.net so we can mail you a copy immediately. |
5191+ +----------------------------------------------------------------------+
5192+ | Author: Stefan Esser <sesser@hardened-php.net> |
5193+ +----------------------------------------------------------------------+
5194+ */
5195+
5196+#ifndef HARDENING_PATCH_H
5197+#define HARDENING_PATCH_H
5198+
5199+#include "zend.h"
5200+
5201+#if HARDENING_PATCH
5202+PHPAPI void php_security_log(int loglevel, char *fmt, ...);
5203+PHPAPI void hardened_startup();
5204+#define HARDENING_PATCH_VERSION "0.4.15"
5205+
5206+#endif
5207+
5208+#if HARDENING_PATCH_MM_PROTECT || HARDENING_PATCH_LL_PROTECT || HARDENING_PATCH_HASH_PROTECT
5209+PHPAPI unsigned int php_canary();
5210+#endif
5211+
5212+#if HARDENING_PATCH_INC_PROTECT
5213+PHPAPI int php_is_valid_include(zval *z);
5214+#endif
5215+
5216+#endif /* HARDENING_PATCH_H */
5217+
5218+/*
5219+ * Local variables:
5220+ * tab-width: 4
5221+ * c-basic-offset: 4
5222+ * End:
5223+ */
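Review bot: hardened_clear_mm_canaries() and loglevel2string() are defined with external linkage in hardening_patch.c but not declared here, yet the main.c request-shutdown hunk (`@@ -1008,6 +1034,9 @@`) calls `hardened_clear_mm_canaries(TSRMLS_C)`; unless a declaration exists in a header not shown, that call relies on an implicit declaration. Adding `PHPAPI void hardened_clear_mm_canaries(TSRMLS_D);` inside the `#if HARDENING_PATCH` block fixes it, and loglevel2string() could simply become `static` in the .c file. The prototypes `hardened_startup()` and `php_canary()` use empty parentheses, which in C means an unspecified argument list; `(void)` is what is intended. `php_security_log` takes `char *fmt` where `const char *fmt` would let literal-only call sites compile without warnings.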
5224diff -Nura php-4.4.3/main/hardening_patch.m4 hardening-patch-4.4.3-0.4.15/main/hardening_patch.m4
5225--- php-4.4.3/main/hardening_patch.m4 1970-01-01 01:00:00.000000000 +0100
5226+++ hardening-patch-4.4.3-0.4.15/main/hardening_patch.m4 2006-09-05 20:30:45.000000000 +0200
5227@@ -0,0 +1,95 @@
5228+dnl
5229+dnl $Id: hardening_patch.m4,v 1.1 2004/11/14 13:24:24 ionic Exp $
5230+dnl
5231+dnl This file contains Hardening Patch for PHP specific autoconf functions.
5232+dnl
5233+
5234+AC_ARG_ENABLE(hardening-patch-mm-protect,
5235+[ --disable-hardening-patch-mm-protect Disable the Memory Manager protection.],[
5236+ DO_HARDENING_PATCH_MM_PROTECT=$enableval
5237+],[
5238+ DO_HARDENING_PATCH_MM_PROTECT=yes
5239+])
5240+
5241+AC_ARG_ENABLE(hardening-patch-ll-protect,
5242+[ --disable-hardening-patch-ll-protect Disable the Linked List protection.],[
5243+ DO_HARDENING_PATCH_LL_PROTECT=$enableval
5244+],[
5245+ DO_HARDENING_PATCH_LL_PROTECT=yes
5246+])
5247+
5248+AC_ARG_ENABLE(hardening-patch-inc-protect,
5249+[ --disable-hardening-patch-inc-protect Disable include/require protection.],[
5250+ DO_HARDENING_PATCH_INC_PROTECT=$enableval
5251+],[
5252+ DO_HARDENING_PATCH_INC_PROTECT=yes
5253+])
5254+
5255+AC_ARG_ENABLE(hardening-patch-fmt-protect,
5256+[ --disable-hardening-patch-fmt-protect Disable format string protection.],[
5257+ DO_HARDENING_PATCH_FMT_PROTECT=$enableval
5258+],[
5259+ DO_HARDENING_PATCH_FMT_PROTECT=yes
5260+])
5261+
5262+AC_ARG_ENABLE(hardening-patch-hash-protect,
5263+[ --disable-hardening-patch-hash-protect Disable HashTable destructor protection.],[
5264+ DO_HARDENING_PATCH_HASH_PROTECT=$enableval
5265+],[
5266+ DO_HARDENING_PATCH_HASH_PROTECT=yes
5267+])
5268+
5269+AC_MSG_CHECKING(whether to protect the Zend Memory Manager)
5270+AC_MSG_RESULT($DO_HARDENING_PATCH_MM_PROTECT)
5271+
5272+AC_MSG_CHECKING(whether to protect the Zend Linked Lists)
5273+AC_MSG_RESULT($DO_HARDENING_PATCH_LL_PROTECT)
5274+
5275+AC_MSG_CHECKING(whether to protect include/require statements)
5276+AC_MSG_RESULT($DO_HARDENING_PATCH_INC_PROTECT)
5277+
5278+AC_MSG_CHECKING(whether to protect PHP Format String functions)
5279+AC_MSG_RESULT($DO_HARDENING_PATCH_FMT_PROTECT)
5280+
5281+AC_MSG_CHECKING(whether to protect the destructor of Zend HashTables)
5282+AC_MSG_RESULT($DO_HARDENING_PATCH_HASH_PROTECT)
5283+
5284+
5285+AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
5286+
5287+
5288+if test "$DO_HARDENING_PATCH_MM_PROTECT" = "yes"; then
5289+dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
5290+ AC_DEFINE(HARDENING_PATCH_MM_PROTECT, 1, [Memory Manager Protection])
5291+else
5292+ AC_DEFINE(HARDENING_PATCH_MM_PROTECT, 0, [Memory Manager Protection])
5293+fi
5294+
5295+if test "$DO_HARDENING_PATCH_LL_PROTECT" = "yes"; then
5296+dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
5297+ AC_DEFINE(HARDENING_PATCH_LL_PROTECT, 1, [Linked List Protection])
5298+else
5299+ AC_DEFINE(HARDENING_PATCH_LL_PROTECT, 0, [Linked List Protection])
5300+fi
5301+
5302+if test "$DO_HARDENING_PATCH_INC_PROTECT" = "yes"; then
5303+dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
5304+ AC_DEFINE(HARDENING_PATCH_INC_PROTECT, 1, [Include/Require Protection])
5305+else
5306+ AC_DEFINE(HARDENING_PATCH_INC_PROTECT, 0, [Include/Require Protection])
5307+fi
5308+
5309+if test "$DO_HARDENING_PATCH_FMT_PROTECT" = "yes"; then
5310+dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
5311+ AC_DEFINE(HARDENING_PATCH_FMT_PROTECT, 1, [Fmt String Protection])
5312+else
5313+ AC_DEFINE(HARDENING_PATCH_FMT_PROTECT, 0, [Fmt String Protection])
5314+fi
5315+
5316+if test "$DO_HARDENING_PATCH_HASH_PROTECT" = "yes"; then
5317+dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])
5318+ AC_DEFINE(HARDENING_PATCH_HASH_PROTECT, 1, [HashTable DTOR Protection])
5319+else
5320+ AC_DEFINE(HARDENING_PATCH_HASH_PROTECT, 0, [HashTable DTOR Protection])
5321+fi
5322+
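Review bot: The five `dnl AC_DEFINE(HARDENING_PATCH, 1, [Hardening Patch])` lines inside the `if test … = "yes"` blocks are dead, because the same define is issued unconditionally just above them; leaving them in suggests HARDENING_PATCH might depend on one of the sub-options. Dropping them, and putting a one-line `dnl HARDENING_PATCH is always defined once this file is included; the *_PROTECT macros are the opt-outs` above the unconditional AC_DEFINE, states the actual rule. The fmt-protect option defines HARDENING_PATCH_FMT_PROTECT, but none of the C files in this section consult it, so a comment naming where it is used would help the next reader.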
5323diff -Nura php-4.4.3/main/main.c hardening-patch-4.4.3-0.4.15/main/main.c
5324--- php-4.4.3/main/main.c 2006-05-19 00:36:14.000000000 +0200
5325+++ hardening-patch-4.4.3-0.4.15/main/main.c 2006-09-05 20:30:45.000000000 +0200
5326@@ -92,6 +92,10 @@
5327 PHPAPI int core_globals_id;
5328 #endif
5329
5330+#if HARDENING_PATCH
5331+#include "hardened_globals.h"
5332+#endif
5333+
5334 #define ERROR_BUF_LEN 1024
5335
5336 typedef struct {
5337@@ -142,17 +146,39 @@
5338 */
5339 static PHP_INI_MH(OnChangeMemoryLimit)
5340 {
5341+#if HARDENING_PATCH
5342+ long hard_memory_limit = 1<<30;
5343+
5344+ if (stage == ZEND_INI_STAGE_RUNTIME) {
5345+ if (HG(hard_memory_limit) == 0) {
5346+ HG(hard_memory_limit) = PG(memory_limit);
5347+ }
5348+ hard_memory_limit = HG(hard_memory_limit);
5349+ } else {
5350+ HG(hard_memory_limit) = 0;
5351+ }
5352+#endif
5353 if (new_value) {
5354 PG(memory_limit) = zend_atoi(new_value, new_value_length);
5355+#if HARDENING_PATCH
5356+ if (PG(memory_limit) > hard_memory_limit) {
5357+ PG(memory_limit) = hard_memory_limit;
5358+ php_security_log(S_MISC, "script tried to increase memory_limit above allowed value");
5359+ return FAILURE;
5360+ }
5361+#endif
5362 } else {
5363+#if HARDENING_PATCH
5364+ PG(memory_limit) = hard_memory_limit;
5365+#else
5366 PG(memory_limit) = 1<<30; /* effectively, no limit */
5367+#endif
5368 }
5369 return zend_set_memory_limit(PG(memory_limit));
5370 }
5371 /* }}} */
5372 #endif
5373
5374-
5375 /* {{{ php_disable_functions
5376 */
5377 static void php_disable_functions(TSRMLS_D)
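Review bot: On the rejection branch of OnChangeMemoryLimit, `PG(memory_limit)` is overwritten with `hard_memory_limit` and the handler returns FAILURE without reaching zend_set_memory_limit(), so the recorded limit and the limit the allocator enforces can diverge: a script that first lowers memory_limit at runtime and then tries to raise it above the ceiling ends with PG(memory_limit) equal to the ceiling while Zend still enforces the lowered value. Saving the previous value, `long old_limit = PG(memory_limit);`, and restoring it with `PG(memory_limit) = old_limit;` before `return FAILURE;` keeps the two consistent. The `1<<30` sentinel now appears both in the new initializer and in the existing else branch and deserves a named constant. The snapshot rule — the first runtime change records the current PG(memory_limit) as the ceiling, and any non-runtime change clears it so per-directory values take effect — is the core of the protection and should be stated in a comment above the first `#if HARDENING_PATCH` block.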
5378@@ -1008,6 +1034,9 @@
5379
5380 zend_try {
5381 shutdown_memory_manager(CG(unclean_shutdown), 0 TSRMLS_CC);
5382+#if HARDENING_PATCH
5383+ hardened_clear_mm_canaries(TSRMLS_C);
5384+#endif
5385 } zend_end_try();
5386
5387 zend_try {
5388@@ -1098,6 +1127,10 @@
5389 tsrm_ls = ts_resource(0);
5390 #endif
5391
5392+#if HARDENING_PATCH
5393+ hardened_startup();
5394+#endif
5395+
5396 sapi_initialize_empty_request(TSRMLS_C);
5397 sapi_activate(TSRMLS_C);
5398
5399@@ -1109,6 +1142,12 @@
5400
5401 php_output_startup();
5402
5403+#if HARDENING_PATCH_INC_PROTECT
5404+ zuf.is_valid_include = php_is_valid_include;
5405+#endif
5406+#if HARDENING_PATCH
5407+ zuf.security_log_function = php_security_log;
5408+#endif
5409 zuf.error_function = php_error_cb;
5410 zuf.printf_function = php_printf;
5411 zuf.write_function = php_body_write_wrapper;
5412@@ -1210,6 +1249,10 @@
5413 REGISTER_MAIN_STRINGL_CONSTANT("PHP_CONFIG_FILE_PATH", PHP_CONFIG_FILE_PATH, sizeof(PHP_CONFIG_FILE_PATH)-1, CONST_PERSISTENT | CONST_CS);
5414 REGISTER_MAIN_STRINGL_CONSTANT("PHP_CONFIG_FILE_SCAN_DIR", PHP_CONFIG_FILE_SCAN_DIR, sizeof(PHP_CONFIG_FILE_SCAN_DIR)-1, CONST_PERSISTENT | CONST_CS);
5415 REGISTER_MAIN_STRINGL_CONSTANT("PHP_SHLIB_SUFFIX", PHP_SHLIB_SUFFIX, sizeof(PHP_SHLIB_SUFFIX)-1, CONST_PERSISTENT | CONST_CS);
5416+#if HARDENING_PATCH
5417+ REGISTER_MAIN_LONG_CONSTANT("HARDENING_PATCH", 1, CONST_PERSISTENT | CONST_CS);
5418+ REGISTER_MAIN_STRINGL_CONSTANT("HARDENING_PATCH_VERSION", HARDENING_PATCH_VERSION, sizeof(HARDENING_PATCH_VERSION)-1, CONST_PERSISTENT | CONST_CS);
5419+#endif
5420 REGISTER_MAIN_STRINGL_CONSTANT("PHP_EOL", PHP_EOL, sizeof(PHP_EOL)-1, CONST_PERSISTENT | CONST_CS);
5421 REGISTER_MAIN_LONG_CONSTANT("PHP_INT_MAX", LONG_MAX, CONST_PERSISTENT | CONST_CS);
5422 REGISTER_MAIN_LONG_CONSTANT("PHP_INT_SIZE", sizeof(long), CONST_PERSISTENT | CONST_CS);
5423@@ -1317,7 +1360,7 @@
5424 */
5425 static inline void php_register_server_variables(TSRMLS_D)
5426 {
5427- zval *array_ptr=NULL;
5428+ zval *array_ptr=NULL, *vptr;
5429
5430 ALLOC_ZVAL(array_ptr);
5431 array_init(array_ptr);
5432diff -Nura php-4.4.3/main/php_config.h.in hardening-patch-4.4.3-0.4.15/main/php_config.h.in
5433--- php-4.4.3/main/php_config.h.in 2006-08-01 09:39:13.000000000 +0200
5434+++ hardening-patch-4.4.3-0.4.15/main/php_config.h.in 2006-09-05 20:30:45.000000000 +0200
5435@@ -1,4 +1,4 @@
5436-/* main/php_config.h.in. Generated automatically from configure.in by autoheader. */
5437+/* main/php_config.h.in. Generated automatically from configure.in by autoheader 2.13. */
5438 /* Leave this file alone */
5439 #define ZEND_API
5440 #define ZEND_DLEXPORT
5441@@ -865,6 +865,39 @@
5442 /* Enabling BIND8 compatibility for Panther */
5443 #undef BIND_8_COMPAT
5444
5445+/* Hardening-Patch */
5446+#undef HARDENING_PATCH
5447+
5448+/* Memory Manager Protection */
5449+#undef HARDENING_PATCH_MM_PROTECT
5450+
5451+/* Memory Manager Protection */
5452+#undef HARDENING_PATCH_MM_PROTECT
5453+
5454+/* Linked List Protection */
5455+#undef HARDENING_PATCH_LL_PROTECT
5456+
5457+/* Linked List Protection */
5458+#undef HARDENING_PATCH_LL_PROTECT
5459+
5460+/* Include/Require Protection */
5461+#undef HARDENING_PATCH_INC_PROTECT
5462+
5463+/* Include/Require Protection */
5464+#undef HARDENING_PATCH_INC_PROTECT
5465+
5466+/* Fmt String Protection */
5467+#undef HARDENING_PATCH_FMT_PROTECT
5468+
5469+/* Fmt String Protection */
5470+#undef HARDENING_PATCH_FMT_PROTECT
5471+
5472+/* HashTable DTOR Protection */
5473+#undef HARDENING_PATCH_HASH_PROTECT
5474+
5475+/* HashTable DTOR Protection */
5476+#undef HARDENING_PATCH_HASH_PROTECT
5477+
5478 /* Whether you have AOLserver */
5479 #undef HAVE_AOLSERVER
5480
5481@@ -1148,6 +1181,12 @@
5482 /* Define if you have the getaddrinfo function */
5483 #undef HAVE_GETADDRINFO
5484
5485+/* Whether realpath is broken */
5486+#undef PHP_BROKEN_REALPATH
5487+
5488+/* Whether realpath is broken */
5489+#undef PHP_BROKEN_REALPATH
5490+
5491 /* Whether system headers declare timezone */
5492 #undef HAVE_DECLARED_TIMEZONE
5493
5494diff -Nura php-4.4.3/main/php_content_types.c hardening-patch-4.4.3-0.4.15/main/php_content_types.c
5495--- php-4.4.3/main/php_content_types.c 2006-01-01 14:46:59.000000000 +0100
5496+++ hardening-patch-4.4.3-0.4.15/main/php_content_types.c 2006-09-05 20:30:45.000000000 +0200
5497@@ -77,6 +77,7 @@
5498 sapi_register_post_entries(php_post_entries);
5499 sapi_register_default_post_reader(php_default_post_reader);
5500 sapi_register_treat_data(php_default_treat_data);
5501+ sapi_register_input_filter(php_default_input_filter);
5502 return SUCCESS;
5503 }
5504 /* }}} */
5505diff -Nura php-4.4.3/main/php.h hardening-patch-4.4.3-0.4.15/main/php.h
5506--- php-4.4.3/main/php.h 2006-01-01 14:46:59.000000000 +0100
5507+++ hardening-patch-4.4.3-0.4.15/main/php.h 2006-09-05 20:30:45.000000000 +0200
5508@@ -35,11 +35,19 @@
5509 #include "zend_qsort.h"
5510 #include "php_compat.h"
5511
5512+
5513 #include "zend_API.h"
5514
5515 #undef sprintf
5516 #define sprintf php_sprintf
5517
5518+#if HARDENING_PATCH
5519+#if HAVE_REALPATH
5520+#undef realpath
5521+#define realpath php_realpath
5522+#endif
5523+#endif
5524+
5525 /* PHP's DEBUG value must match Zend's ZEND_DEBUG value */
5526 #undef PHP_DEBUG
5527 #define PHP_DEBUG ZEND_DEBUG
5528@@ -409,6 +417,10 @@
5529 #endif
5530 #endif /* !XtOffsetOf */
5531
5532+#if HARDENING_PATCH
5533+#include "hardening_patch.h"
5534+#endif
5535+
5536 #endif
5537
5538 /*
5539diff -Nura php-4.4.3/main/php_variables.c hardening-patch-4.4.3-0.4.15/main/php_variables.c
5540--- php-4.4.3/main/php_variables.c 2006-02-13 13:19:10.000000000 +0100
5541+++ hardening-patch-4.4.3-0.4.15/main/php_variables.c 2006-09-05 20:30:45.000000000 +0200
5542@@ -238,17 +238,28 @@
5543 while (var) {
5544 val = strchr(var, '=');
5545 if (val) { /* have a value */
5546- int val_len;
5547+ unsigned int val_len, new_val_len;
5548
5549 *val++ = '\0';
5550 php_url_decode(var, strlen(var));
5551 val_len = php_url_decode(val, strlen(val));
5552- php_register_variable_safe(var, val, val_len, array_ptr TSRMLS_CC);
5553+ val = estrndup(val, val_len);
5554+ if (sapi_module.input_filter(PARSE_POST, var, &val, val_len, &new_val_len TSRMLS_CC)) {
5555+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
5556+ }
5557+ efree(val);
5558 }
5559 var = php_strtok_r(NULL, "&", &strtok_buf);
5560 }
5561 }
5562
5563+SAPI_API SAPI_INPUT_FILTER_FUNC(php_default_input_filter)
5564+{
5565+ /* TODO: check .ini setting here and apply user-defined input filter */
5566+ *new_val_len = val_len;
5567+ return 1;
5568+}
5569+
5570 SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data)
5571 {
5572 char *res = NULL, *var, *val, *separator=NULL;
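Review bot: The `input_filter` contract introduced here is undocumented: the caller passes `&val` and then unconditionally `efree(val)`s, so a filter that replaces `*val` must presumably return an emalloc'd buffer (and release the original itself), and `*new_val_len` must stay within whatever buffer it hands back. `php_default_input_filter` is the natural place to state this; a comment such as `/* A filter may replace *val, but the replacement must come from emalloc() because the caller frees *val; *new_val_len must not exceed the (new) value's length. Return 0 to drop the variable entirely. */` would cover it. The same calling pattern recurs in the php_default_treat_data hunk below and in the rfc1867.c hunk, so one comment here serves all three. The post handler this first hunk patches starts before the hunk.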
5573@@ -326,15 +337,26 @@
5574 while (var) {
5575 val = strchr(var, '=');
5576 if (val) { /* have a value */
5577- int val_len;
5578+ unsigned int val_len, new_val_len;
5579
5580 *val++ = '\0';
5581 php_url_decode(var, strlen(var));
5582 val_len = php_url_decode(val, strlen(val));
5583- php_register_variable_safe(var, val, val_len, array_ptr TSRMLS_CC);
5584+ val = estrndup(val, val_len);
5585+ if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len TSRMLS_CC)) {
5586+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
5587+ }
5588+ efree(val);
5589 } else {
5590+ unsigned int val_len, new_val_len;
5591+
5592 php_url_decode(var, strlen(var));
5593- php_register_variable_safe(var, "", 0, array_ptr TSRMLS_CC);
5594+ val_len = 0;
5595+ val = estrndup("", 0);
5596+ if (sapi_module.input_filter(arg, var, &val, val_len, &new_val_len TSRMLS_CC)) {
5597+ php_register_variable_safe(var, val, new_val_len, array_ptr TSRMLS_CC);
5598+ }
5599+ efree(val);
5600 }
5601 var = php_strtok_r(NULL, separator, &strtok_buf);
5602 }
5603diff -Nura php-4.4.3/main/php_version.h hardening-patch-4.4.3-0.4.15/main/php_version.h
5604--- php-4.4.3/main/php_version.h 2006-07-31 17:04:54.000000000 +0200
5605+++ hardening-patch-4.4.3-0.4.15/main/php_version.h 2006-09-05 20:30:45.000000000 +0200
5606@@ -2,6 +2,6 @@
5607 /* edit configure.in to change version number */
5608 #define PHP_MAJOR_VERSION 4
5609 #define PHP_MINOR_VERSION 4
5610-#define PHP_RELEASE_VERSION 3
5611-#define PHP_EXTRA_VERSION ""
5612-#define PHP_VERSION "4.4.3"
5613+#define PHP_RELEASE_VERSION 4
5614+#define PHP_EXTRA_VERSION "-dev"
5615+#define PHP_VERSION "4.4.4-dev"
5616diff -Nura php-4.4.3/main/rfc1867.c hardening-patch-4.4.3-0.4.15/main/rfc1867.c
5617--- php-4.4.3/main/rfc1867.c 2006-01-01 14:47:00.000000000 +0100
5618+++ hardening-patch-4.4.3-0.4.15/main/rfc1867.c 2006-09-05 20:30:45.000000000 +0200
5619@@ -128,6 +128,8 @@
5620 #define UPLOAD_ERROR_D 4 /* No file uploaded */
5621 #define UPLOAD_ERROR_E 6 /* Missing /tmp or similar directory */
5622 #define UPLOAD_ERROR_F 7 /* Failed to write file to disk */
5623+#define UPLOAD_ERROR_X 99 /* Filter forbids upload */
5624+
5625
5626 void php_rfc1867_register_constants(TSRMLS_D)
5627 {
5628@@ -138,6 +140,7 @@
5629 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_FILE", UPLOAD_ERROR_D, CONST_CS | CONST_PERSISTENT);
5630 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_TMP_DIR", UPLOAD_ERROR_E, CONST_CS | CONST_PERSISTENT);
5631 REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_CANT_WRITE", UPLOAD_ERROR_F, CONST_CS | CONST_PERSISTENT);
5632+ REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_FILTER", UPLOAD_ERROR_X, CONST_CS | CONST_PERSISTENT);
5633 }
5634
5635 static void normalize_protected_variable(char *varname TSRMLS_DC)
5636@@ -849,6 +852,7 @@
5637 char buff[FILLUNIT];
5638 char *cd=NULL,*param=NULL,*filename=NULL, *tmp=NULL;
5639 int blen=0, wlen=0;
5640+ unsigned long offset;
5641
5642 zend_llist_clean(&header);
5643
5644@@ -897,21 +901,24 @@
5645 if (!filename && param) {
5646
5647 char *value = multipart_buffer_read_body(mbuff TSRMLS_CC);
5648+ unsigned int new_val_len; /* Dummy variable */
5649
5650 if (!value) {
5651 value = estrdup("");
5652 }
5653
5654+ if (sapi_module.input_filter(PARSE_POST, param, &value, strlen(value), &new_val_len TSRMLS_CC)) {
5655 #if HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING)
5656- if (php_mb_encoding_translation(TSRMLS_C)) {
5657- php_mb_gpc_stack_variable(param, value, &val_list, &len_list,
5658- &num_vars, &num_vars_max TSRMLS_CC);
5659- } else {
5660- safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
5661- }
5662+ if (php_mb_encoding_translation(TSRMLS_C)) {
5663+ php_mb_gpc_stack_variable(param, value, &val_list, &len_list,
5664+ &num_vars, &num_vars_max TSRMLS_CC);
5665+ } else {
5666+ safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
5667+ }
5668 #else
5669- safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
5670+ safe_php_register_variable(param, value, array_ptr, 0 TSRMLS_CC);
5671 #endif
5672+ }
5673 if (!strcasecmp(param, "MAX_FILE_SIZE")) {
5674 max_file_size = atol(value);
5675 }
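Review bot: `new_val_len` is declared as a dummy and then discarded, so a filter that shortens the value by lowering `*new_val_len`, which is what the php_variables.c call sites honour, has no effect on multipart/form-data fields: the full `value` is still registered and fed to `atol()` for MAX_FILE_SIZE. Either apply it after a successful filter call, `value[new_val_len] = '\0';` (in bounds as long as `new_val_len <= strlen(value)`), or add a comment stating that multipart fields are only accepted or rejected, never truncated. Passing `strlen(value)` as the length also means a field containing a NUL byte is filtered only up to that byte; if that is deliberate, say so next to the `/* Dummy variable */` comment. The enclosing function starts and ends outside this hunk.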
5676@@ -963,7 +970,11 @@
5677 tmp++;
5678 }
5679 }
5680-
5681+
5682+ if (sapi_module.upload_varname_filter && sapi_module.upload_varname_filter(param TSRMLS_CC)==FAILURE) {
5683+ skip_upload = 1;
5684+ }
5685+
5686 total_bytes = cancel_upload = 0;
5687
5688 if (!skip_upload) {
5689@@ -987,6 +998,11 @@
5690 cancel_upload = UPLOAD_ERROR_D;
5691 }
5692
5693+ if (sapi_module.pre_upload_filter && sapi_module.pre_upload_filter(param, filename TSRMLS_CC)==FAILURE) {
5694+ cancel_upload = UPLOAD_ERROR_X;
5695+ }
5696+
5697+ offset = 0;
5698 end = 0;
5699 while (!cancel_upload && (blen = multipart_buffer_read(mbuff, buff, sizeof(buff), &end TSRMLS_CC)))
5700 {
5701@@ -997,6 +1013,11 @@
5702 sapi_module.sapi_error(E_WARNING, "MAX_FILE_SIZE of %ld bytes exceeded - file [%s=%s] not saved", max_file_size, param, filename);
5703 cancel_upload = UPLOAD_ERROR_B;
5704 } else if (blen > 0) {
5705+
5706+ if (sapi_module.upload_content_filter && sapi_module.upload_content_filter(offset, buff, blen, &blen TSRMLS_CC)==FAILURE) {
5707+ cancel_upload = UPLOAD_ERROR_X;
5708+ }
5709+
5710 wlen = write(fd, buff, blen);
5711
5712 if (wlen < blen) {
5713@@ -1004,6 +1025,7 @@
5714 cancel_upload = UPLOAD_ERROR_F;
5715 } else {
5716 total_bytes += wlen;
5717+ offset += wlen;
5718 }
5719 }
5720 }
5721@@ -1025,6 +1047,10 @@
5722 }
5723 #endif
5724
5725+ if (!cancel_upload && sapi_module.post_upload_filter && sapi_module.post_upload_filter(temp_filename TSRMLS_CC)==FAILURE) {
5726+ cancel_upload = UPLOAD_ERROR_X;
5727+ }
5728+
5729 if (cancel_upload) {
5730 if (temp_filename) {
5731 if (cancel_upload != UPLOAD_ERROR_E) { /* file creation failed */
5732diff -Nura php-4.4.3/main/SAPI.c hardening-patch-4.4.3-0.4.15/main/SAPI.c
5733--- php-4.4.3/main/SAPI.c 2006-01-01 14:46:59.000000000 +0100
5734+++ hardening-patch-4.4.3-0.4.15/main/SAPI.c 2006-09-05 20:30:45.000000000 +0200
5735@@ -854,6 +854,37 @@
5736 return SUCCESS;
5737 }
5738
5739+SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC))
5740+{
5741+ sapi_module.input_filter = input_filter;
5742+ return SUCCESS;
5743+}
5744+
5745+SAPI_API int sapi_register_upload_varname_filter(unsigned int (*upload_varname_filter)(char *varname TSRMLS_DC))
5746+{
5747+ sapi_module.upload_varname_filter = upload_varname_filter;
5748+ return SUCCESS;
5749+}
5750+
5751+SAPI_API int sapi_register_pre_upload_filter(unsigned int (*pre_upload_filter)(char *varname, char *filename TSRMLS_DC))
5752+{
5753+ sapi_module.pre_upload_filter = pre_upload_filter;
5754+ return SUCCESS;
5755+}
5756+
5757+SAPI_API int sapi_register_upload_content_filter(unsigned int (*upload_content_filter)(unsigned long offset, char *buffer, unsigned int buffer_len, unsigned int *new_buffer_len TSRMLS_DC))
5758+{
5759+ sapi_module.upload_content_filter = upload_content_filter;
5760+ return SUCCESS;
5761+}
5762+
5763+SAPI_API int sapi_register_post_upload_filter(unsigned int (*post_upload_filter)(char *tmpfilename TSRMLS_DC))
5764+{
5765+ sapi_module.post_upload_filter = post_upload_filter;
5766+ return SUCCESS;
5767+}
5768+
5769+
5770
5771 SAPI_API int sapi_flush(TSRMLS_D)
5772 {
5773diff -Nura php-4.4.3/main/SAPI.h hardening-patch-4.4.3-0.4.15/main/SAPI.h
5774--- php-4.4.3/main/SAPI.h 2006-01-01 14:46:59.000000000 +0100
5775+++ hardening-patch-4.4.3-0.4.15/main/SAPI.h 2006-09-05 20:30:45.000000000 +0200
5776@@ -101,9 +101,10 @@
5777 char *current_user;
5778 int current_user_length;
5779
5780- /* this is necessary for CLI module */
5781- int argc;
5782- char **argv;
5783+ /* this is necessary for CLI module */
5784+ int argc;
5785+ char **argv;
5786+
5787 } sapi_request_info;
5788
5789
5790@@ -177,6 +178,10 @@
5791 SAPI_API void sapi_unregister_post_entry(sapi_post_entry *post_entry);
5792 SAPI_API int sapi_register_default_post_reader(void (*default_post_reader)(TSRMLS_D));
5793 SAPI_API int sapi_register_treat_data(void (*treat_data)(int arg, char *str, zval *destArray TSRMLS_DC));
5794+SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC));
5795+SAPI_API int sapi_register_pre_upload_filter(unsigned int (*pre_upload_filter)(char *varname, char *filename TSRMLS_DC));
5796+SAPI_API int sapi_register_upload_content_filter(unsigned int (*upload_content_filter)(unsigned long offset, char *buffer, unsigned int buffer_len, unsigned int *new_buffer_len TSRMLS_DC));
5797+SAPI_API int sapi_register_post_upload_filter(unsigned int (*post_upload_filter)(char *tmpfilename TSRMLS_DC));
5798
5799 SAPI_API int sapi_flush(TSRMLS_D);
5800 SAPI_API struct stat *sapi_get_stat(TSRMLS_D);
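Review bot: `sapi_register_upload_varname_filter` is defined in the SAPI.c hunk above but is missing from this group of prototypes, so a SAPI that wants to install a varname filter would have to rely on an implicit declaration. Add `SAPI_API int sapi_register_upload_varname_filter(unsigned int (*upload_varname_filter)(char *varname TSRMLS_DC));` alongside the other four registration functions.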
5801@@ -238,8 +243,16 @@
5802 int (*get_target_uid)(uid_t * TSRMLS_DC);
5803 int (*get_target_gid)(gid_t * TSRMLS_DC);
5804
5805+ unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC);
5806+
5807+ unsigned int (*upload_varname_filter)(char *varname TSRMLS_DC);
5808+ unsigned int (*pre_upload_filter)(char *varname, char *filename TSRMLS_DC);
5809+ unsigned int (*upload_content_filter)(unsigned long offset, char *buffer, unsigned int buffer_len, unsigned int *new_buffer_len TSRMLS_DC);
5810+ unsigned int (*post_upload_filter)(char *tmpfilename TSRMLS_DC);
5811+
5812 void (*ini_defaults)(HashTable *configuration_hash);
5813 int phpinfo_as_text;
5814+
5815 };
5816
5817
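Review bot: The five new function-pointer members are inserted into the module struct ahead of `ini_defaults` and `phpinfo_as_text` rather than appended after them; any SAPI that initializes its module struct positionally and supplies those two trailing members would now have its `ini_defaults` pointer land in `input_filter`, which php_variables.c calls without a NULL check. The sapi/ directories are not in this chunk, so the patch may already adjust them, but appending the new members at the end of the struct removes that dependency entirely. `input_filter` also differs from the four upload filters, which rfc1867.c guards with `sapi_module.xxx && ...`; either add the same guard or a comment on the member, `/* always set: php_content_types.c installs php_default_input_filter at startup */`, so the unguarded call is visibly intentional.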
5818@@ -262,16 +275,27 @@
5819
5820 #define SAPI_DEFAULT_MIMETYPE "text/html"
5821 #define SAPI_DEFAULT_CHARSET ""
5822+
5823+#if HARDENING_PATCH
5824+#define SAPI_PHP_VERSION_HEADER "X-Powered-By: PHP/" PHP_VERSION " with Hardening-Patch"
5825+#else
5826 #define SAPI_PHP_VERSION_HEADER "X-Powered-By: PHP/" PHP_VERSION
5827+#endif
5828
5829 #define SAPI_POST_READER_FUNC(post_reader) void post_reader(TSRMLS_D)
5830 #define SAPI_POST_HANDLER_FUNC(post_handler) void post_handler(char *content_type_dup, void *arg TSRMLS_DC)
5831
5832 #define SAPI_TREAT_DATA_FUNC(treat_data) void treat_data(int arg, char *str, zval* destArray TSRMLS_DC)
5833+#define SAPI_INPUT_FILTER_FUNC(input_filter) unsigned int input_filter(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC)
5834+#define SAPI_UPLOAD_VARNAME_FILTER_FUNC(upload_varname_filter) unsigned int upload_varname_filter(char *varname TSRMLS_DC)
5835+#define SAPI_PRE_UPLOAD_FILTER_FUNC(pre_upload_filter) unsigned int pre_upload_filter(char *varname, char *filename TSRMLS_DC)
5836+#define SAPI_UPLOAD_CONTENT_FILTER_FUNC(upload_content_filter) unsigned int upload_content_filter(unsigned long offset, char *buffer, unsigned int buffer_len, unsigned int *new_buffer_len TSRMLS_DC)
5837+#define SAPI_POST_UPLOAD_FILTER_FUNC(post_upload_filter) unsigned int post_upload_filter(char *tmpfilename TSRMLS_DC)
5838
5839 SAPI_API SAPI_POST_READER_FUNC(sapi_read_standard_form_data);
5840 SAPI_API SAPI_POST_READER_FUNC(php_default_post_reader);
5841 SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data);
5842+SAPI_API SAPI_INPUT_FILTER_FUNC(php_default_input_filter);
5843
5844 #define STANDARD_SAPI_MODULE_PROPERTIES
5845
5846diff -Nura php-4.4.3/main/snprintf.c hardening-patch-4.4.3-0.4.15/main/snprintf.c
5847--- php-4.4.3/main/snprintf.c 2006-01-01 14:47:00.000000000 +0100
5848+++ hardening-patch-4.4.3-0.4.15/main/snprintf.c 2006-09-05 20:30:45.000000000 +0200
5849@@ -1014,7 +1014,11 @@
5850
5851
5852 case 'n':
5853+#if HARDENING_PATCH_FMT_PROTECT
5854+ php_security_log(S_MISC, "'n' specifier within format string");
5855+#else
5856 *(va_arg(ap, int *)) = cc;
5857+#endif
5858 break;
5859
5860 /*
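Review bot: Under HARDENING_PATCH_FMT_PROTECT the `'n'` case no longer pulls its `int *` argument off `ap`, so for any internal caller that legitimately passes a `%n` argument every later conversion reads the wrong vararg. Pair the log call with consuming the slot, `(void) va_arg(ap, int *);`, so the remaining arguments stay aligned while nothing is written through the pointer. The identical change in the spprintf.c hunk below has the same issue.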
5861diff -Nura php-4.4.3/main/spprintf.c hardening-patch-4.4.3-0.4.15/main/spprintf.c
5862--- php-4.4.3/main/spprintf.c 2006-01-01 14:47:00.000000000 +0100
5863+++ hardening-patch-4.4.3-0.4.15/main/spprintf.c 2006-09-05 20:30:45.000000000 +0200
5864@@ -630,7 +630,11 @@
5865
5866
5867 case 'n':
5868+#if HARDENING_PATCH_FMT_PROTECT
5869+ php_security_log(S_MISC, "'n' specifier within format string");
5870+#else
5871 *(va_arg(ap, int *)) = xbuf->len;
5872+#endif
5873 break;
5874
5875 /*
5876diff -Nura php-4.4.3/php.ini-dist hardening-patch-4.4.3-0.4.15/php.ini-dist
5877--- php-4.4.3/php.ini-dist 2005-12-30 18:19:43.000000000 +0100
5878+++ hardening-patch-4.4.3-0.4.15/php.ini-dist 2006-09-05 20:30:45.000000000 +0200
5879@@ -1114,6 +1114,209 @@
5880 ;exif.decode_jis_motorola = JIS
5881 ;exif.decode_jis_intel = JIS
5882
5883+[hardening-patch]
5884+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5885+; Hardening-Patch's logging ;
5886+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5887+
5888+;
5889+; hphp.log.syslog - Configures level for alerts reported through syslog
5890+; hphp.log.sapi - Configures level for alerts reported through SAPI errorlog
5891+; hphp.log.script - Configures level for alerts reported through external script
5892+;
5893+; hphp.log.syslog, hphp.log.sapi, hphp.log.script are bit-fields.
5894+; Or each number up to get desired Hardening-Patch's reporting level
5895+;
5896+; S_ALL - All alerts
5897+; S_MEMORY - All canary violations and the safe unlink protection use this class
5898+; S_VARS - All variable filters trigger this class
5899+; S_FILES - All violation of uploaded files filter use this class
5900+; S_INCLUDE - The protection against malicious include filenames use this class
5901+; S_SQL - Failed SQL queries in MySQL are logged with this class
5902+; S_EXECUTOR - The execution depth protection uses this logging class
5903+; S_MISC - All other log messages (f.e. format string protection) use this class
5904+;
5905+; Example:
5906+;
5907+; - Report all alerts (except memory alerts) to the SAPI errorlog,
5908+; memory alerts through syslog and SQL+Include alerts fo the script
5909+;
5910+;hphp.log.syslog = S_MEMORY
5911+;hphp.log.sapi = S_ALL & ~S_MEMORY
5912+;hphp.log.script = S_INCLUDE | S_SQL
5913+;
5914+; Syslog logging:
5915+;
5916+; - Facility configuration: one of the following facilities
5917+;
5918+; LOG_KERN, LOG_USER, LOG_MAIL, LOG_DAEMON
5919+; LOG_AUTH, LOG_SYSLOG, LOG_LPR, LOG_NEWS
5920+; LOG_UUCP, LOG_CRON, LOG_AUTHPRIV, LOG_LOCAL0
5921+; LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4
5922+; LOG_LOCAL5, LOG_LOCAL6, LOG_LOCAL7, LOG_PID
5923+; LOG_CONS, LOG_ODELAY, LOG_NDELAY, LOG_NOWAIT
5924+; LOG_PERROR
5925+;
5926+; - Priority configuration: one of the followinf priorities
5927+;
5928+; LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_WARNING
5929+; LOG_NOTICE, LOG_INFO, LOG_DEBUG, LOG_ERR
5930+;
5931+hphp.log.syslog.priority = LOG_ALERT
5932+hphp.log.syslog.facility = LOG_USER
5933+;
5934+; Script logging:
5935+;
5936+;hphp.log.script.name = /home/hphp/log_script
5937+;
5938+; Alert configuration:
5939+;
5940+; - Logged IP addresses from X-Forwarded-For instead of REMOTE_ADDR
5941+;
5942+;hphp.log.use-x-forwarded-for = On
5943+;
5944+
5945+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5946+; Hardening-Patch's Executor options ;
5947+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5948+
5949+; Execution depth limit
5950+;hphp.executor.max_depth = 8000
5951+
5952+; White-/blacklist for function calls during normal execution
5953+;hphp.executor.func.whitelist = ord,chr
5954+;hphp.executor.func.blacklist = system,shell_exec,popen,proc_open,exec,passthru
5955+
5956+; White-/blacklist for function calls during eval() execution
5957+;hphp.executor.eval.whitelist = ord,chr
5958+;hphp.executor.eval.blacklist = system,shell_exec,popen,proc_open,exec,passthru
5959+
5960+; White-/blacklist for URLs allowes in include filenames
5961+;
5962+; - When both options are not set all URLs are forbidden
5963+;
5964+; - When both options are set whitelist is taken and blacklist ignored
5965+;
5966+; - An entry in the lists is either a URL sheme like: http, https
5967+; or the beginning of an URL like: php://input
5968+;
5969+;hphp.executor.include.whitelist = cookietest
5970+;hphp.executor.include.blacklist = http, https, ftp, ftps, php://input, file
5971+
5972+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5973+; Hardening-Patch's REQUEST variable filters ;
5974+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5975+
5976+; Limits the number of REQUEST variables
5977+hphp.request.max_vars = 200
5978+
5979+; Limits the length of variable names (without indices)
5980+hphp.request.max_varname_length = 64
5981+
5982+; Limits the length of complete variable names (with indices)
5983+hphp.request.max_totalname_length = 256
5984+
5985+; Limits the length of array indices
5986+hphp.request.max_array_index_length = 64
5987+
5988+; Limits the depth of arrays
5989+hphp.request.max_array_depth = 100
5990+
5991+; Limits the length of variable values
5992+hphp.request.max_value_length = 65000
5993+
5994+; Disallow ASCII-NUL characters in input
5995+hphp.request.disallow_nul = 1
5996+
5997+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
5998+; Hardening-Patch's COOKIE variable filters ;
5999+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
6000+
6001+; Limits the number of COOKIE variables
6002+hphp.cookie.max_vars = 100
6003+
6004+; Limits the length of variable names (without indices)
6005+hphp.cookie.max_name_length = 64
6006+
6007+; Limits the length of complete variable names (with indices)
6008+hphp.cookie.max_totalname_length = 256
6009+
6010+; Limits the length of array indices
6011+hphp.cookie.max_array_index_length = 64
6012+
6013+; Limits the depth of arrays
6014+hphp.cookie.max_array_depth = 100
6015+
6016+; Limits the length of variable values
6017+hphp.cookie.max_value_length = 10000
6018+
6019+; Disallow ASCII-NUL characters in input
6020+hphp.cookie.disallow_nul = 1
6021+
6022+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
6023+; Hardening-Patch's GET variable filters ;
6024+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
6025+
6026+; Limits the number of COOKIE variables
6027+hphp.get.max_vars = 100
6028+
6029+; Limits the length of variable names (without indices)
6030+hphp.get.max_name_length = 64
6031+
6032+; Limits the length of complete variable names (with indices)
6033+hphp.get.max_totalname_length = 256
6034+
6035+; Limits the length of array indices
6036+hphp.get.max_array_index_length = 64
6037+
6038+; Limits the depth of arrays
6039+hphp.get.max_array_depth = 50
6040+
6041+; Limits the length of variable values
6042+hphp.get.max_value_length = 512
6043+
6044+; Disallow ASCII-NUL characters in input
6045+hphp.get.disallow_nul = 1
6046+
6047+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
6048+; Hardening-Patch's POST variable filters ;
6049+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
6050+
6051+; Limits the number of POST variables
6052+hphp.post.max_vars = 200
6053+
6054+; Limits the length of variable names (without indices)
6055+hphp.post.max_name_length = 64
6056+
6057+; Limits the length of complete variable names (with indices)
6058+hphp.post.max_totalname_length = 256
6059+
6060+; Limits the length of array indices
6061+hphp.post.max_array_index_length = 64
6062+
6063+; Limits the depth of arrays
6064+hphp.post.max_array_depth = 100
6065+
6066+; Limits the length of variable values
6067+hphp.post.max_value_length = 65000
6068+
6069+; Disallow ASCII-NUL characters in input
6070+hphp.post.disallow_nul = 1
6071+
6072+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
6073+; Hardening-Patch's fileupload variable filters ;
6074+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
6075+
6076+; Limits the number of uploadable files
6077+hphp.upload.max_uploads = 25
6078+
6079+; Filter out the upload of ELF executables
6080+hphp.upload.disallow_elf_files = On
6081+
6082+; External filterscript for upload verification
6083+;hphp.upload.verification_script = /home/hphp/verify_script
6084+
6085+
6086 ; Local Variables:
6087 ; tab-width: 4
6088 ; End:
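Review bot: Several comment lines in the new [hardening-patch] block carry typos that will be copied into every installation: `followinf` should read `following`, `sheme` should read `scheme`, `allowes` should read `allowed`, `alerts fo the script` should read `alerts to the script`, and the GET section's first comment says `Limits the number of COOKIE variables` where GET is meant. The `hphp.log.use-x-forwarded-for` option also deserves a caveat, since X-Forwarded-For is client-supplied unless a proxy the operator controls overwrites it; a line such as `; Only enable this behind a trusted reverse proxy, otherwise the logged address is whatever the client sent` keeps alerts from being attributed to spoofed addresses. The same text appears in the php.ini-recommended hunk below.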
6089diff -Nura php-4.4.3/php.ini-recommended hardening-patch-4.4.3-0.4.15/php.ini-recommended
6090--- php-4.4.3/php.ini-recommended 2005-12-30 18:19:43.000000000 +0100
6091+++ hardening-patch-4.4.3-0.4.15/php.ini-recommended 2006-09-05 20:30:45.000000000 +0200
6092@@ -1112,6 +1112,209 @@
6093 ;exif.decode_jis_motorola = JIS
6094 ;exif.decode_jis_intel = JIS
6095
6096+[hardening-patch]
6097+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
6098+; Hardening-Patch's logging ;
6099+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
6100+
6101+;
6102+; hphp.log.syslog - Configures level for alerts reported through syslog
6103+; hphp.log.sapi - Configures level for alerts reported through SAPI errorlog
6104+; hphp.log.script - Configures level for alerts reported through external script
6105+;
6106+; hphp.log.syslog, hphp.log.sapi, hphp.log.script are bit-fields.
6107+; Or each number up to get desired Hardening-Patch's reporting level
6108+;
6109+; S_ALL - All alerts
6110+; S_MEMORY - All canary violations and the safe unlink protection use this class
6111+; S_VARS - All variable filters trigger this class
6112+; S_FILES - All violation of uploaded files filter use this class
6113+; S_INCLUDE - The protection against malicious include filenames use this class
6114+; S_SQL - Failed SQL queries in MySQL are logged with this class
6115+; S_EXECUTOR - The execution depth protection uses this logging class
6116+; S_MISC - All other log messages (f.e. format string protection) use this class
6117+;
6118+; Example:
6119+;
6120+; - Report all alerts (except memory alerts) to the SAPI errorlog,
6121+; memory alerts through syslog and SQL+Include alerts fo the script
6122+;
6123+;hphp.log.syslog = S_MEMORY
6124+;hphp.log.sapi = S_ALL & ~S_MEMORY
6125+;hphp.log.script = S_INCLUDE | S_SQL
6126+;
6127+; Syslog logging:
6128+;
6129+; - Facility configuration: one of the following facilities
6130+;
6131+; LOG_KERN, LOG_USER, LOG_MAIL, LOG_DAEMON
6132+; LOG_AUTH, LOG_SYSLOG, LOG_LPR, LOG_NEWS
6133+; LOG_UUCP, LOG_CRON, LOG_AUTHPRIV, LOG_LOCAL0
6134+; LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4
6135+; LOG_LOCAL5, LOG_LOCAL6, LOG_LOCAL7, LOG_PID
6136+; LOG_CONS, LOG_ODELAY, LOG_NDELAY, LOG_NOWAIT
6137+; LOG_PERROR
6138+;
6139+; - Priority configuration: one of the followinf priorities
6140+;
6141+; LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_WARNING
6142+; LOG_NOTICE, LOG_INFO, LOG_DEBUG, LOG_ERR
6143+;
6144+hphp.log.syslog.priority = LOG_ALERT
6145+hphp.log.syslog.facility = LOG_USER
6146+;
6147+; Script logging:
6148+;
6149+;hphp.log.script.name = /home/hphp/log_script
6150+;
6151+; Alert configuration:
6152+;
6153+; - Logged IP addresses from X-Forwarded-For instead of REMOTE_ADDR
6154+;
6155+;hphp.log.use-x-forwarded-for = On
6156+;
6157+
6158+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
6159+; Hardening-Patch's Executor options ;
6160+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
6161+
6162+; Execution depth limit
6163+;hphp.executor.max_depth = 8000
6164+
6165+; White-/blacklist for function calls during normal execution
6166+;hphp.executor.func.whitelist = ord,chr
6167+;hphp.executor.func.blacklist = system,shell_exec,popen,proc_open,exec,passthru
6168+
6169+; White-/blacklist for function calls during eval() execution
6170+;hphp.executor.eval.whitelist = ord,chr
6171+;hphp.executor.eval.blacklist = system,shell_exec,popen,proc_open,exec,passthru
6172+
6173+; White-/blacklist for URLs allowes in include filenames
6174+;
6175+; - When both options are not set all URLs are forbidden
6176+;
6177+; - When both options are set whitelist is taken and blacklist ignored
6178+;
6179+; - An entry in the lists is either a URL sheme like: http, https
6180+; or the beginning of an URL like: php://input
6181+;
6182+;hphp.executor.include.whitelist = cookietest
6183+;hphp.executor.include.blacklist = http, https, ftp, ftps, php://input, file
6184+
6185+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
6186+; Hardening-Patch's REQUEST variable filters ;
6187+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
6188+
6189+; Limits the number of REQUEST variables
6190+hphp.request.max_vars = 200
6191+
6192+; Limits the length of variable names (without indices)
6193+hphp.request.max_varname_length = 64
6194+
6195+; Limits the length of complete variable names (with indices)
6196+hphp.request.max_totalname_length = 256
6197+
6198+; Limits the length of array indices
6199+hphp.request.max_array_index_length = 64
6200+
6201+; Limits the depth of arrays
6202+hphp.request.max_array_depth = 100
6203+
6204+; Limits the length of variable values
6205+hphp.request.max_value_length = 65000
6206+
6207+; Disallow ASCII-NUL characters in input
6208+hphp.request.disallow_nul = 1
6209+
6210+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
6211+; Hardening-Patch's COOKIE variable filters ;
6212+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
6213+
6214+; Limits the number of COOKIE variables
6215+hphp.cookie.max_vars = 100
6216+
6217+; Limits the length of variable names (without indices)
6218+hphp.cookie.max_name_length = 64
6219+
6220+; Limits the length of complete variable names (with indices)
6221+hphp.cookie.max_totalname_length = 256
6222+
6223+; Limits the length of array indices
6224+hphp.cookie.max_array_index_length = 64
6225+
6226+; Limits the depth of arrays
6227+hphp.cookie.max_array_depth = 100
6228+
6229+; Limits the length of variable values
6230+hphp.cookie.max_value_length = 10000
6231+
6232+; Disallow ASCII-NUL characters in input
6233+hphp.cookie.disallow_nul = 1
6234+
6235+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
6236+; Hardening-Patch's GET variable filters ;
6237+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
6238+
6239+; Limits the number of COOKIE variables
6240+hphp.get.max_vars = 100
6241+
6242+; Limits the length of variable names (without indices)
6243+hphp.get.max_name_length = 64
6244+
6245+; Limits the length of complete variable names (with indices)
6246+hphp.get.max_totalname_length = 256
6247+
6248+; Limits the length of array indices
6249+hphp.get.max_array_index_length = 64
6250+
6251+; Limits the depth of arrays
6252+hphp.get.max_array_depth = 50
6253+
6254+; Limits the length of variable values
6255+hphp.get.max_value_length = 512
6256+
6257+; Disallow ASCII-NUL characters in input
6258+hphp.get.disallow_nul = 1
6259+
6260+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
6261+; Hardening-Patch's POST variable filters ;
6262+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
6263+
6264+; Limits the number of POST variables
6265+hphp.post.max_vars = 200
6266+
6267+; Limits the length of variable names (without indices)
6268+hphp.post.max_name_length = 64
6269+
6270+; Limits the length of complete variable names (with indices)
6271+hphp.post.max_totalname_length = 256
6272+
6273+; Limits the length of array indices
6274+hphp.post.max_array_index_length = 64
6275+
6276+; Limits the depth of arrays
6277+hphp.post.max_array_depth = 100
6278+
6279+; Limits the length of variable values
6280+hphp.post.max_value_length = 65000
6281+
6282+; Disallow ASCII-NUL characters in input
6283+hphp.post.disallow_nul = 1
6284+
6285+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
6286+; Hardening-Patch's fileupload variable filters ;
6287+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
6288+
6289+; Limits the number of uploadable files
6290+hphp.upload.max_uploads = 25
6291+
6292+; Filter out the upload of ELF executables
6293+hphp.upload.disallow_elf_files = On
6294+
6295+; External filterscript for upload verification
6296+;hphp.upload.verification_script = /home/hphp/verify_script
6297+
6298+
6299 ; Local Variables:
6300 ; tab-width: 4
6301 ; End:
6302diff -Nura php-4.4.3/README.input_filter hardening-patch-4.4.3-0.4.15/README.input_filter
6303--- php-4.4.3/README.input_filter 1970-01-01 01:00:00.000000000 +0100
6304+++ hardening-patch-4.4.3-0.4.15/README.input_filter 2006-09-05 20:30:45.000000000 +0200
6305@@ -0,0 +1,193 @@
6306+Input Filter Support ported from PHP 5
6307+--------------------------------------
6308+
6309+XSS (Cross Site Scripting) hacks are becoming more and more prevalent,
6310+and can be quite difficult to prevent. Whenever you accept user data
6311+and somehow display this data back to users, you are likely vulnerable
6312+to XSS hacks.
6313+
6314+The Input Filter support in PHP 5 is aimed at providing the framework
6315+through which a company-wide or site-wide security policy can be
6316+enforced. It is implemented as a SAPI hook and is called from the
6317+treat_data and post handler functions. To implement your own security
6318+policy you will need to write a standard PHP extension.
6319+
6320+A simple implementation might look like the following. This stores the
6321+original raw user data and adds a my_get_raw() function while the normal
6322+$_POST, $_GET and $_COOKIE arrays are only populated with stripped
6323+data. In this simple example all I am doing is calling strip_tags() on
6324+the data. If register_globals is turned on, the default globals that
6325+are created will be stripped ($foo) while a $RAW_foo is created with the
6326+original user input.
6327+
6328+ZEND_BEGIN_MODULE_GLOBALS(my_input_filter)
6329+ zval *post_array;
6330+ zval *get_array;
6331+ zval *cookie_array;
6332+ZEND_END_MODULE_GLOBALS(my_input_filter)
6333+
6334+#ifdef ZTS
6335+#define IF_G(v) TSRMG(my_input_filter_globals_id, zend_my_input_filter_globals *, v)
6336+#else
6337+#define IF_G(v) (my_input_filter_globals.v)
6338+#endif
6339+
6340+ZEND_DECLARE_MODULE_GLOBALS(my_input_filter)
6341+
6342+function_entry my_input_filter_functions[] = {
6343+ PHP_FE(my_get_raw, NULL)
6344+ {NULL, NULL, NULL}
6345+};
6346+
6347+zend_module_entry my_input_filter_module_entry = {
6348+ STANDARD_MODULE_HEADER,
6349+ "my_input_filter",
6350+ my_input_filter_functions,
6351+ PHP_MINIT(my_input_filter),
6352+ PHP_MSHUTDOWN(my_input_filter),
6353+ NULL,
6354+ PHP_RSHUTDOWN(my_input_filter),
6355+ PHP_MINFO(my_input_filter),
6356+ "0.1",
6357+ STANDARD_MODULE_PROPERTIES
6358+};
6359+
6360+PHP_MINIT_FUNCTION(my_input_filter)
6361+{
6362+ ZEND_INIT_MODULE_GLOBALS(my_input_filter, php_my_input_filter_init_globals, NULL);
6363+
6364+ REGISTER_LONG_CONSTANT("POST", PARSE_POST, CONST_CS | CONST_PERSISTENT);
6365+ REGISTER_LONG_CONSTANT("GET", PARSE_GET, CONST_CS | CONST_PERSISTENT);
6366+ REGISTER_LONG_CONSTANT("COOKIE", PARSE_COOKIE, CONST_CS | CONST_PERSISTENT);
6367+
6368+ sapi_register_input_filter(my_sapi_input_filter);
6369+ return SUCCESS;
6370+}
6371+
6372+PHP_RSHUTDOWN_FUNCTION(my_input_filter)
6373+{
6374+ if(IF_G(get_array)) {
6375+ zval_ptr_dtor(&IF_G(get_array));
6376+ IF_G(get_array) = NULL;
6377+ }
6378+ if(IF_G(post_array)) {
6379+ zval_ptr_dtor(&IF_G(post_array));
6380+ IF_G(post_array) = NULL;
6381+ }
6382+ if(IF_G(cookie_array)) {
6383+ zval_ptr_dtor(&IF_G(cookie_array));
6384+ IF_G(cookie_array) = NULL;
6385+ }
6386+ return SUCCESS;
6387+}
6388+
6389+PHP_MINFO_FUNCTION(my_input_filter)
6390+{
6391+ php_info_print_table_start();
6392+ php_info_print_table_row( 2, "My Input Filter Support", "enabled" );
6393+ php_info_print_table_row( 2, "Revision", "$Revision: 1.1 $");
6394+ php_info_print_table_end();
6395+}
6396+
6397+/* The filter handler. If you return 1 from it, then PHP also registers the
6398+ * (modified) variable. Returning 0 prevents PHP from registering the variable;
6399+ * you can use this if your filter already registers the variable under a
6400+ * different name, or if you just don't want the variable registered at all. */
6401+SAPI_INPUT_FILTER_FUNC(my_sapi_input_filter)
6402+{
6403+ zval new_var;
6404+ zval *array_ptr = NULL;
6405+ char *raw_var;
6406+ int var_len;
6407+
6408+ assert(*val != NULL);
6409+
6410+ switch(arg) {
6411+ case PARSE_GET:
6412+ if(!IF_G(get_array)) {
6413+ ALLOC_ZVAL(array_ptr);
6414+ array_init(array_ptr);
6415+ INIT_PZVAL(array_ptr);
6416+ }
6417+ IF_G(get_array) = array_ptr;
6418+ break;
6419+ case PARSE_POST:
6420+ if(!IF_G(post_array)) {
6421+ ALLOC_ZVAL(array_ptr);
6422+ array_init(array_ptr);
6423+ INIT_PZVAL(array_ptr);
6424+ }
6425+ IF_G(post_array) = array_ptr;
6426+ break;
6427+ case PARSE_COOKIE:
6428+ if(!IF_G(cookie_array)) {
6429+ ALLOC_ZVAL(array_ptr);
6430+ array_init(array_ptr);
6431+ INIT_PZVAL(array_ptr);
6432+ }
6433+ IF_G(cookie_array) = array_ptr;
6434+ break;
6435+ }
6436+ Z_STRLEN(new_var) = val_len;
6437+ Z_STRVAL(new_var) = estrndup(*val, val_len);
6438+ Z_TYPE(new_var) = IS_STRING;
6439+
6440+ var_len = strlen(var);
6441+ raw_var = emalloc(var_len+5); /* RAW_ and a \0 */
6442+ strcpy(raw_var, "RAW_");
6443+ strlcat(raw_var,var,var_len+5);
6444+
6445+ php_register_variable_ex(raw_var, &new_var, array_ptr TSRMLS_DC);
6446+
6447+ php_strip_tags(*val, val_len, NULL, NULL, 0);
6448+
6449+ *new_val_len = strlen(*val);
6450+ return 1;
6451+}
6452+
6453+PHP_FUNCTION(my_get_raw)
6454+{
6455+ long arg;
6456+ char *var;
6457+ int var_len;
6458+ zval **tmp;
6459+ zval *array_ptr = NULL;
6460+ HashTable *hash_ptr;
6461+ char *raw_var;
6462+
6463+ if(zend_parse_parameters(2 TSRMLS_CC, "ls", &arg, &var, &var_len) == FAILURE) {
6464+ return;
6465+ }
6466+
6467+ switch(arg) {
6468+ case PARSE_GET:
6469+ array_ptr = IF_G(get_array);
6470+ break;
6471+ case PARSE_POST:
6472+ array_ptr = IF_G(post_array);
6473+ break;
6474+ case PARSE_COOKIE:
6475+ array_ptr = IF_G(post_array);
6476+ break;
6477+ }
6478+
6479+ if(!array_ptr) RETURN_FALSE;
6480+
6481+ /*
6482+ * I'm changing the variable name here because when running with register_globals on,
6483+ * the variable will end up in the global symbol table
6484+ */
6485+ raw_var = emalloc(var_len+5); /* RAW_ and a \0 */
6486+ strcpy(raw_var, "RAW_");
6487+ strlcat(raw_var,var,var_len+5);
6488+ hash_ptr = HASH_OF(array_ptr);
6489+
6490+ if(zend_hash_find(hash_ptr, raw_var, var_len+5, (void **)&tmp) == SUCCESS) {
6491+ *return_value = **tmp;
6492+ zval_copy_ctor(return_value);
6493+ } else {
6494+ RETVAL_FALSE;
6495+ }
6496+ efree(raw_var);
6497+}
6498+
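Review bot: my_get_raw() returns POST data when asked for COOKIE data: the `case PARSE_COOKIE:` arm at L6489-L6491 reads `IF_G(post_array)` and should read `array_ptr = IF_G(cookie_array);`. The filter hook has a related slip: once the per-request array exists, `array_ptr` stays NULL and the unconditional `IF_G(get_array) = array_ptr;` at L6432 (and its POST/COOKIE twins at L6440 and L6448) overwrites the stored array with NULL, leaking it and handing a NULL container to php_register_variable_ex() for every variable after the first; move the assignment inside the `if` and follow it with `array_ptr = IF_G(get_array);`. `raw_var` allocated at L6456 is never efree()d, one leak per request variable, and the `/* RAW_ and a \0 */` arithmetic is duplicated in my_get_raw(). Since this sample is presented as the template for a site-wide input policy, anything copied from it inherits these bugs.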
6499diff -Nura php-4.4.3/run-tests.php hardening-patch-4.4.3-0.4.15/run-tests.php
6500--- php-4.4.3/run-tests.php 2006-01-18 18:59:41.000000000 +0100
6501+++ hardening-patch-4.4.3-0.4.15/run-tests.php 2006-09-05 20:30:45.000000000 +0200
6502@@ -152,6 +152,10 @@
6503 'error_reporting=2047',
6504 'display_errors=1',
6505 'log_errors=0',
6506+ 'hphp.executor.include.whitelist=cookietest',
6507+ 'hphp.log.syslog=0',
6508+ 'hphp.log.sapi=0',
6509+ 'hphp.log.script=0',
6510 'html_errors=0',
6511 'track_errors=1',
6512 'report_memleaks=1',
6513diff -Nura php-4.4.3/sapi/apache/mod_php4.c hardening-patch-4.4.3-0.4.15/sapi/apache/mod_php4.c
6514--- php-4.4.3/sapi/apache/mod_php4.c 2006-05-13 23:42:14.000000000 +0200
6515+++ hardening-patch-4.4.3-0.4.15/sapi/apache/mod_php4.c 2006-09-05 20:30:45.000000000 +0200
6516@@ -451,7 +451,7 @@
6517 sapi_apache_get_fd,
6518 sapi_apache_force_http_10,
6519 sapi_apache_get_target_uid,
6520- sapi_apache_get_target_gid
6521+ sapi_apache_get_target_gid,
6522 };
6523 /* }}} */
6524
6525@@ -897,7 +897,11 @@
6526 {
6527 TSRMLS_FETCH();
6528 if (PG(expose_php)) {
6529+#if HARDENING_PATCH
6530+ ap_add_version_component("PHP/" PHP_VERSION " with Hardening-Patch");
6531+#else
6532 ap_add_version_component("PHP/" PHP_VERSION);
6533+#endif
6534 }
6535 }
6536 #endif
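Review bot: The banner at L6545 advertises the hardening patch in the Apache Server header, which lets a scanner fingerprint patched hosts (and, by absence, unpatched ones) for free; the vanilla string at L6547 already identifies PHP and nothing in this hunk needs the extra token. If the token is kept, say next to it what switches it off: `/* emitted only when expose_php=On; a hardened install should run with expose_php=Off */`. The same banner is added to both apache2 SAPIs below, so whichever decision is taken should be applied to all three.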
6537diff -Nura php-4.4.3/sapi/apache2filter/sapi_apache2.c hardening-patch-4.4.3-0.4.15/sapi/apache2filter/sapi_apache2.c
6538--- php-4.4.3/sapi/apache2filter/sapi_apache2.c 2006-01-01 14:47:01.000000000 +0100
6539+++ hardening-patch-4.4.3-0.4.15/sapi/apache2filter/sapi_apache2.c 2006-09-05 20:30:45.000000000 +0200
6540@@ -562,7 +562,11 @@
6541 {
6542 TSRMLS_FETCH();
6543 if (PG(expose_php)) {
6544+#if HARDENING_PATCH
6545+ ap_add_version_component(p, "PHP/" PHP_VERSION " with Hardening-Patch");
6546+#else
6547 ap_add_version_component(p, "PHP/" PHP_VERSION);
6548+#endif
6549 }
6550 }
6551
6552diff -Nura php-4.4.3/sapi/apache2handler/sapi_apache2.c hardening-patch-4.4.3-0.4.15/sapi/apache2handler/sapi_apache2.c
6553--- php-4.4.3/sapi/apache2handler/sapi_apache2.c 2006-01-01 14:47:01.000000000 +0100
6554+++ hardening-patch-4.4.3-0.4.15/sapi/apache2handler/sapi_apache2.c 2006-09-05 20:30:45.000000000 +0200
6555@@ -340,7 +340,11 @@
6556 {
6557 TSRMLS_FETCH();
6558 if (PG(expose_php)) {
6559+#if HARDENING_PATCH
6560+ ap_add_version_component(p, "PHP/" PHP_VERSION " with Hardening-Patch");
6561+#else
6562 ap_add_version_component(p, "PHP/" PHP_VERSION);
6563+#endif
6564 }
6565 }
6566
6567diff -Nura php-4.4.3/sapi/cgi/cgi_main.c hardening-patch-4.4.3-0.4.15/sapi/cgi/cgi_main.c
6568--- php-4.4.3/sapi/cgi/cgi_main.c 2006-02-22 16:11:53.000000000 +0100
6569+++ hardening-patch-4.4.3-0.4.15/sapi/cgi/cgi_main.c 2006-09-05 20:30:46.000000000 +0200
6570@@ -1435,11 +1435,19 @@
6571 SG(headers_sent) = 1;
6572 SG(request_info).no_headers = 1;
6573 }
6574+#if HARDENING_PATCH
6575+#if ZEND_DEBUG
6576+ php_printf("PHP %s with Hardening-Patch %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENING_PATCH_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
6577+#else
6578+ php_printf("PHP %s with Hardening-Patch %s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENING_PATCH_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
6579+#endif
6580+#else
6581 #if ZEND_DEBUG
6582 php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2006 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
6583 #else
6584 php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2006 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
6585 #endif
6586+#endif
6587 php_end_ob_buffers(1 TSRMLS_CC);
6588 exit(0);
6589 break;
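Review bot: The hardening branch at L6591 and L6593 prints `Copyright (c) 1997-2004 The PHP Group` while the vanilla branch it replaces at L6597 and L6599 says 1997-2006, so `php -v` on a patched build regresses the notice by two years; the copied strings should end `Copyright (c) 1997-2006 The PHP Group\n%s`. Duplicating both whole format strings for one extra token is what let this drift happen; a single format string with a macro-selected `" with Hardening-Patch %s"` fragment and argument list would keep the two branches in step.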
6590diff -Nura php-4.4.3/sapi/cli/php_cli.c hardening-patch-4.4.3-0.4.15/sapi/cli/php_cli.c
6591--- php-4.4.3/sapi/cli/php_cli.c 2006-05-18 22:33:46.000000000 +0200
6592+++ hardening-patch-4.4.3-0.4.15/sapi/cli/php_cli.c 2006-09-05 20:30:46.000000000 +0200
6593@@ -656,11 +656,19 @@
6594 if (php_request_startup(TSRMLS_C)==FAILURE) {
6595 goto err;
6596 }
6597+#if HARDENING_PATCH
6598+#if ZEND_DEBUG
6599+ php_printf("PHP %s with Hardening-Patch %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENING_PATCH_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
6600+#else
6601+ php_printf("PHP %s with Hardening-Patch %s (%s) (built: %s %s)\nCopyright (c) 1997-2004 The PHP Group\n%s", PHP_VERSION, HARDENING_PATCH_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
6602+#endif
6603+#else
6604 #if ZEND_DEBUG
6605 php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2006 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
6606 #else
6607 php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2006 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version());
6608 #endif
6609+#endif
6610 php_end_ob_buffers(1 TSRMLS_CC);
6611 exit_status=0;
6612 goto out;
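Review bot: Same stale copyright as in cgi_main.c: L6614 and L6616 print `1997-2004` where the replaced lines L6620 and L6622 print `1997-2006`; the hardened strings should carry `Copyright (c) 1997-2006 The PHP Group\n%s`. The CLI and CGI banners are now four near-identical format strings; sharing one fragment between them would stop the next drift.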
6613diff -Nura php-4.4.3/tests/lang/bug35239.phpt hardening-patch-4.4.3-0.4.15/tests/lang/bug35239.phpt
6614--- php-4.4.3/tests/lang/bug35239.phpt 2006-05-19 13:17:53.000000000 +0200
6615+++ hardening-patch-4.4.3-0.4.15/tests/lang/bug35239.phpt 2006-09-05 20:30:46.000000000 +0200
6616@@ -10,16 +10,16 @@
6617 $a->x0->y0 = 'b';
6618 var_dump($a);
6619 $a->x0->y1 = "ok\n";
6620-echo $a->x0;
6621+var_dump($a->x0);
6622 ?>
6623 --EXPECT--
6624-object(stdClass)#1 (1) {
6625+object(stdClass)(1) {
6626 ["x0"]=>
6627- &object(stdClass)#2 (3) {
6628+ &object(stdClass)(3) {
6629 ["y0"]=>
6630 string(1) "b"
6631 ["y1"]=>
6632- &object(stdClass)#2 (3) {
6633+ &object(stdClass)(3) {
6634 ["y0"]=>
6635 string(1) "b"
6636 ["y1"]=>
6637@@ -28,7 +28,7 @@
6638 *RECURSION*
6639 }
6640 ["y2"]=>
6641- &object(stdClass)#2 (3) {
6642+ &object(stdClass)(3) {
6643 ["y0"]=>
6644 string(1) "b"
6645 ["y1"]=>
6646@@ -38,4 +38,4 @@
6647 }
6648 }
6649 }
6650-ok
6651+string(2) "ok"
6652diff -Nura php-4.4.3/TSRM/TSRM.h hardening-patch-4.4.3-0.4.15/TSRM/TSRM.h
6653--- php-4.4.3/TSRM/TSRM.h 2005-07-26 15:34:52.000000000 +0200
6654+++ hardening-patch-4.4.3-0.4.15/TSRM/TSRM.h 2006-09-05 20:30:46.000000000 +0200
6655@@ -33,6 +33,13 @@
6656 # define TSRM_API
6657 #endif
6658
6659+#if HARDENING_PATCH
6660+# if HAVE_REALPATH
6661+# undef realpath
6662+# define realpath php_realpath
6663+# endif
6664+#endif
6665+
6666 /* Only compile multi-threading functions if we're in ZTS mode */
6667 #ifdef ZTS
6668
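Review bot: The `#define realpath php_realpath` at L6677 rewrites every realpath() call in any translation unit that includes this header, extensions included, but php_realpath writes into `resolved` unconditionally (L6713 and the getcwd() at L6720), so a caller that passes NULL, which glibc and POSIX.1-2008 accept and answer with an allocated buffer, now dereferences NULL instead. Either handle that case in php_realpath or state the narrower contract beside the macro: `/* php_realpath() needs a caller-supplied PATH_MAX buffer; resolved == NULL is not supported */`. The redirection is conditioned on HAVE_REALPATH while the prototype in tsrm_virtual_cwd.h is not, so a build without a system realpath() gets the function but keeps calling whatever it had before, presumably intended, but worth a line saying so.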
6669@@ -84,6 +91,7 @@
6670
6671 #define THREAD_HASH_OF(thr,ts) (unsigned long)thr%(unsigned long)ts
6672
6673+
6674 #ifdef __cplusplus
6675 extern "C" {
6676 #endif
6677diff -Nura php-4.4.3/TSRM/tsrm_virtual_cwd.c hardening-patch-4.4.3-0.4.15/TSRM/tsrm_virtual_cwd.c
6678--- php-4.4.3/TSRM/tsrm_virtual_cwd.c 2006-01-01 14:46:48.000000000 +0100
6679+++ hardening-patch-4.4.3-0.4.15/TSRM/tsrm_virtual_cwd.c 2006-09-05 20:30:46.000000000 +0200
6680@@ -179,6 +179,178 @@
6681 return p;
6682 }
6683
6684+#if HARDENING_PATCH
6685+CWD_API char *php_realpath(const char *path, char *resolved)
6686+{
6687+ struct stat sb;
6688+ char *p, *q, *s;
6689+ size_t left_len, resolved_len;
6690+ unsigned symlinks;
6691+ int serrno, slen;
6692+ int is_dir = 1;
6693+ char left[PATH_MAX], next_token[PATH_MAX], symlink[PATH_MAX];
6694+
6695+ serrno = errno;
6696+ symlinks = 0;
6697+ if (path[0] == '/') {
6698+ resolved[0] = '/';
6699+ resolved[1] = '\0';
6700+ if (path[1] == '\0')
6701+ return (resolved);
6702+ resolved_len = 1;
6703+ left_len = strlcpy(left, path + 1, sizeof(left));
6704+ } else {
6705+ if (getcwd(resolved, PATH_MAX) == NULL) {
6706+ strlcpy(resolved, ".", PATH_MAX);
6707+ return (NULL);
6708+ }
6709+ resolved_len = strlen(resolved);
6710+ left_len = strlcpy(left, path, sizeof(left));
6711+ }
6712+ if (left_len >= sizeof(left) || resolved_len >= PATH_MAX) {
6713+ errno = ENAMETOOLONG;
6714+ return (NULL);
6715+ }
6716+
6717+ /*
6718+ * Iterate over path components in `left'.
6719+ */
6720+ while (left_len != 0) {
6721+ /*
6722+ * Extract the next path component and adjust `left'
6723+ * and its length.
6724+ */
6725+ p = strchr(left, '/');
6726+ s = p ? p : left + left_len;
6727+ if (s - left >= sizeof(next_token)) {
6728+ errno = ENAMETOOLONG;
6729+ return (NULL);
6730+ }
6731+ memcpy(next_token, left, s - left);
6732+ next_token[s - left] = '\0';
6733+ left_len -= s - left;
6734+ if (p != NULL)
6735+ memmove(left, s + 1, left_len + 1);
6736+ if (resolved[resolved_len - 1] != '/') {
6737+ if (resolved_len + 1 >= PATH_MAX) {
6738+ errno = ENAMETOOLONG;
6739+ return (NULL);
6740+ }
6741+ resolved[resolved_len++] = '/';
6742+ resolved[resolved_len] = '\0';
6743+ }
6744+ if (next_token[0] == '\0')
6745+ continue;
6746+ else if (strcmp(next_token, ".") == 0)
6747+ continue;
6748+ else if (strcmp(next_token, "..") == 0) {
6749+ /*
6750+ * Strip the last path component except when we have
6751+ * single "/"
6752+ */
6753+ if (!is_dir) {
6754+ errno = ENOENT;
6755+ return (NULL);
6756+ }
6757+ if (resolved_len > 1) {
6758+ resolved[resolved_len - 1] = '\0';
6759+ q = strrchr(resolved, '/');
6760+ *q = '\0';
6761+ resolved_len = q - resolved;
6762+ }
6763+ continue;
6764+ }
6765+
6766+ /*
6767+ * Append the next path component and lstat() it. If
6768+ * lstat() fails we still can return successfully if
6769+ * there are no more path components left.
6770+ */
6771+ resolved_len = strlcat(resolved, next_token, PATH_MAX);
6772+ if (resolved_len >= PATH_MAX) {
6773+ errno = ENAMETOOLONG;
6774+ return (NULL);
6775+ }
6776+ if (lstat(resolved, &sb) != 0) {
6777+ if (errno == ENOENT) {
6778+ if (p == NULL) {
6779+ errno = serrno;
6780+ return (resolved);
6781+ } else
6782+ /* dirty hack to support a vanilla PHP feature */
6783+ if (strstr(left, "/.") == NULL && strstr(left, "./") == NULL) {
6784+ resolved_len = strlcat(resolved, "/", PATH_MAX);
6785+ resolved_len = strlcat(resolved, left, PATH_MAX);
6786+ if (resolved_len >= PATH_MAX) {
6787+ errno = ENAMETOOLONG;
6788+ return (NULL);
6789+ }
6790+ errno = serrno;
6791+ return (resolved);
6792+ }
6793+ }
6794+ return (NULL);
6795+ }
6796+ if (S_ISLNK(sb.st_mode)) {
6797+ if (symlinks++ > MAXSYMLINKS) {
6798+ errno = ELOOP;
6799+ return (NULL);
6800+ }
6801+ slen = readlink(resolved, symlink, sizeof(symlink) - 1);
6802+ if (slen < 0)
6803+ return (NULL);
6804+ symlink[slen] = '\0';
6805+ if (symlink[0] == '/') {
6806+ resolved[1] = 0;
6807+ resolved_len = 1;
6808+ } else if (resolved_len > 1) {
6809+ /* Strip the last path component. */
6810+ resolved[resolved_len - 1] = '\0';
6811+ q = strrchr(resolved, '/');
6812+ *q = '\0';
6813+ resolved_len = q - resolved;
6814+ }
6815+
6816+ /*
6817+ * If there are any path components left, then
6818+ * append them to symlink. The result is placed
6819+ * in `left'.
6820+ */
6821+ if (p != NULL) {
6822+ if (symlink[slen - 1] != '/') {
6823+ if (slen + 1 >= sizeof(symlink)) {
6824+ errno = ENAMETOOLONG;
6825+ return (NULL);
6826+ }
6827+ symlink[slen] = '/';
6828+ symlink[slen + 1] = 0;
6829+ }
6830+ left_len = strlcat(symlink, left, sizeof(left));
6831+ if (left_len >= sizeof(left)) {
6832+ errno = ENAMETOOLONG;
6833+ return (NULL);
6834+ }
6835+ }
6836+ left_len = strlcpy(left, symlink, sizeof(left));
6837+ } else {
6838+ if (S_ISDIR(sb.st_mode)) {
6839+ is_dir = 1;
6840+ } else {
6841+ is_dir = 0;
6842+ }
6843+ }
6844+ }
6845+
6846+ /*
6847+ * Remove trailing slash except when the resolved pathname
6848+ * is a single "/".
6849+ */
6850+ if (resolved_len > 1 && resolved[resolved_len - 1] == '/')
6851+ resolved[resolved_len - 1] = '\0';
6852+ return (resolved);
6853+}
6854+#endif
6855+
6856 CWD_API void virtual_cwd_startup(void)
6857 {
6858 char cwd[MAXPATHLEN];
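Review bot: A zero-length symlink target is not rejected: readlink() at L6816 returns 0, `symlink[0]` becomes NUL, and when components remain the test `symlink[slen - 1]` at L6837 reads `symlink[-1]`, one byte below the stack buffer; replace the check at L6817 with `if (slen <= 0) { if (slen == 0) errno = EINVAL; return (NULL); }` (Linux refuses to create empty symlinks, but other platforms this patch targets may not). The "dirty hack" at L6798 is a weak proxy for "no `.` or `..` segment remains": `strstr(left, "/.")` rejects any hidden file such as `missing_dir/.htaccess`, `"./"` rejects a directory whose name ends in a dot, and a remainder that is exactly `..` or `.` passes; walking the remainder with the same per-token `strcmp` used above would make the open_basedir result predictable. This is an lstat()-per-component walk and therefore inherently racy against concurrent renames, which callers doing open_basedir checks should be told in a header comment.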
6859@@ -300,8 +472,11 @@
6860
6861 if (path_length == 0)
6862 return (0);
6863- if (path_length >= MAXPATHLEN)
6864+ if (path_length >= MAXPATHLEN) {
6865+ state->cwd[0] = 0;
6866+ state->cwd_length = 0;
6867 return (1);
6868+ }
6869
6870 #if !defined(TSRM_WIN32) && !defined(NETWARE)
6871 /* cwd_length can be 0 when getcwd() fails.
6872@@ -313,8 +488,9 @@
6873 path = resolved_path;
6874 path_length = strlen(path);
6875 } else {
6876- /* disable for now
6877- return 1; */
6878+ state->cwd[0] = 0;
6879+ state->cwd_length = 0;
6880+ return 1;
6881 }
6882 }
6883 } else { /* Concat current directory with relative path and then run realpath() on it */
6884@@ -323,6 +499,8 @@
6885
6886 ptr = tmp = (char *) malloc(state->cwd_length+path_length+sizeof("/"));
6887 if (!tmp) {
6888+ state->cwd[0] = 0;
6889+ state->cwd_length = 0;
6890 return 1;
6891 }
6892 memcpy(ptr, state->cwd, state->cwd_length);
6893@@ -332,6 +510,8 @@
6894 ptr += path_length;
6895 *ptr = '\0';
6896 if (strlen(tmp) >= MAXPATHLEN) {
6897+ state->cwd[0] = 0;
6898+ state->cwd_length = 0;
6899 free(tmp);
6900 return 1;
6901 }
6902@@ -340,9 +520,10 @@
6903 path = resolved_path;
6904 path_length = strlen(path);
6905 } else {
6906- /* disable for now
6907+ state->cwd[0] = 0;
6908+ state->cwd_length = 0;
6909 free(tmp);
6910- return 1; */
6911+ return 1;
6912 }
6913 }
6914 free(tmp);
6915diff -Nura php-4.4.3/TSRM/tsrm_virtual_cwd.h hardening-patch-4.4.3-0.4.15/TSRM/tsrm_virtual_cwd.h
6916--- php-4.4.3/TSRM/tsrm_virtual_cwd.h 2006-01-01 14:46:49.000000000 +0100
6917+++ hardening-patch-4.4.3-0.4.15/TSRM/tsrm_virtual_cwd.h 2006-09-05 20:30:46.000000000 +0200
6918@@ -128,6 +128,22 @@
6919
6920 typedef int (*verify_path_func)(const cwd_state *);
6921
6922+#ifndef HAVE_STRLCPY
6923+CWD_API size_t php_strlcpy(char *dst, const char *src, size_t siz);
6924+#undef strlcpy
6925+#define strlcpy php_strlcpy
6926+#endif
6927+
6928+#ifndef HAVE_STRLCAT
6929+CWD_API size_t php_strlcat(char *dst, const char *src, size_t siz);
6930+#undef strlcat
6931+#define strlcat php_strlcat
6932+#endif
6933+
6934+
6935+#if HARDENING_PATCH
6936+CWD_API char *php_realpath(const char *path, char *resolved);
6937+#endif
6938 CWD_API void virtual_cwd_startup(void);
6939 CWD_API void virtual_cwd_shutdown(void);
6940 CWD_API char *virtual_getcwd_ex(size_t *length TSRMLS_DC);
6941diff -Nura php-4.4.3/Zend/zend_alloc.c hardening-patch-4.4.3-0.4.15/Zend/zend_alloc.c
6942--- php-4.4.3/Zend/zend_alloc.c 2006-01-01 14:46:49.000000000 +0100
6943+++ hardening-patch-4.4.3-0.4.15/Zend/zend_alloc.c 2006-09-05 20:30:46.000000000 +0200
6944@@ -56,6 +56,11 @@
6945 # define END_MAGIC_SIZE 0
6946 #endif
6947
6948+#if HARDENING_PATCH_MM_PROTECT
6949+# define CANARY_SIZE sizeof(unsigned int)
6950+#else
6951+# define CANARY_SIZE 0
6952+#endif
6953
6954 # if MEMORY_LIMIT
6955 # if ZEND_DEBUG
6956@@ -64,7 +69,15 @@
6957 #define CHECK_MEMORY_LIMIT(s, rs) _CHECK_MEMORY_LIMIT(s, rs, NULL, 0)
6958 # endif
6959
6960-#define _CHECK_MEMORY_LIMIT(s, rs, file, lineno) { AG(allocated_memory) += rs;\
6961+#define _CHECK_MEMORY_LIMIT(s, rs, file, lineno) { if ((ssize_t)(rs) > (ssize_t)(INT_MAX - AG(allocated_memory))) { \
6962+ if (file) { \
6963+ fprintf(stderr, "Integer overflow in memory_limit check detected at %s:%d\n", file, lineno); \
6964+ } else { \
6965+ fprintf(stderr, "Integer overflow in memory_limit check detected\n"); \
6966+ } \
6967+ exit(1); \
6968+ } \
6969+ AG(allocated_memory) += rs;\
6970 if (AG(memory_limit)<AG(allocated_memory)) {\
6971 int php_mem_limit = AG(memory_limit); \
6972 AG(allocated_memory) -= rs; \
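Review bot: The new overflow trap at L6976-L6983 reports only to stderr before exit(1), whereas every other hardening trap in this file goes through zend_security_log(S_MEMORY, …) (L6993, L7026), so an attacker-driven memory_limit overflow never reaches the syslog/SAPI log channels; add `zend_security_log(S_MEMORY, "Integer overflow in memory_limit check detected");` ahead of the fprintf. The comparison `(ssize_t)(rs) > (ssize_t)(INT_MAX - AG(allocated_memory))` depends on the declared type of `allocated_memory`, which is not visible here: if it is unsigned and ever exceeds INT_MAX, the subtraction wraps and on 64-bit casts to a large positive ssize_t, silently disabling the trap. The check itself keeps the counter below INT_MAX, so a comment pinning that invariant, `/* invariant: allocated_memory <= INT_MAX, maintained by this check */`, would make the reasoning auditable.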
6973@@ -96,9 +109,17 @@
6974 if (p==AG(head)) { \
6975 AG(head) = p->pNext; \
6976 } else { \
6977+ if (p != p->pLast->pNext) { \
6978+ zend_security_log(S_MEMORY, "linked list corrupt on efree() - heap corruption detected"); \
6979+ exit(1); \
6980+ } \
6981 p->pLast->pNext = p->pNext; \
6982 } \
6983 if (p->pNext) { \
6984+ if (p != p->pNext->pLast) { \
6985+ zend_security_log(S_MEMORY, "linked list corrupt on efree() - heap corruption detected"); \
6986+ exit(1); \
6987+ } \
6988 p->pNext->pLast = p->pLast; \
6989 }
6990
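Review bot: The two new consistency checks log "linked list corrupt on efree()" but the macro is also expanded from _erealloc() (L7156, L7167), so corruption found on reallocation is reported as an efree() event; name the macro instead, `"linked list corrupt in REMOVE_POINTER_FROM_LIST() - heap corruption detected"`. Unlike the safe_emalloc()/ecalloc() sites further down, these zend_security_log() calls are not wrapped in `#if HARDENING_PATCH`, so the file stops building if that macro is ever 0; presumably it is always set once the patch is applied, but the guarding should be consistent. If `p->pLast` itself has been corrupted to NULL the check dereferences it and the worker dies with SIGSEGV rather than the logged exit, which is acceptable but deserves a one-line comment.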
6991@@ -111,7 +132,7 @@
6992 p->pLast = (zend_mem_header *) NULL;
6993
6994 #define DECLARE_CACHE_VARS() \
6995- unsigned int real_size; \
6996+ size_t real_size; \
6997 unsigned int cache_index
6998
6999 #define REAL_SIZE(size) ((size+7) & ~0x7)
7000@@ -126,12 +147,22 @@
7001
7002 ZEND_API void *_emalloc(size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
7003 {
7004- zend_mem_header *p;
7005+ zend_mem_header *p = NULL;
7006 DECLARE_CACHE_VARS();
7007 TSRMLS_FETCH();
7008
7009+#if HARDENING_PATCH_MM_PROTECT
7010+ if (size > LONG_MAX - sizeof(zend_mem_header) - MEM_HEADER_PADDING - END_MAGIC_SIZE - CANARY_SIZE) {
7011+ zend_security_log(S_MEMORY, "emalloc() - requested size would result in integer overflow");
7012+ exit(1);
7013+ }
7014+#endif
7015 CALCULATE_REAL_SIZE_AND_CACHE_INDEX(size);
7016
7017+ if (size > INT_MAX || SIZE < size) {
7018+ goto emalloc_error;
7019+ }
7020+
7021 if (!ZEND_DISABLE_MEMORY_CACHE && (CACHE_INDEX < MAX_CACHED_MEMORY) && (AG(cache_count)[CACHE_INDEX] > 0)) {
7022 p = AG(cache)[CACHE_INDEX][--AG(cache_count)[CACHE_INDEX]];
7023 #if ZEND_DEBUG
7024@@ -147,6 +178,10 @@
7025 AG(cache_stats)[CACHE_INDEX][1]++;
7026 memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
7027 #endif
7028+#if HARDENING_PATCH_MM_PROTECT
7029+ p->canary = HG(canary_1);
7030+ memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
7031+#endif
7032 p->cached = 0;
7033 p->size = size;
7034 return (void *)((char *)p + sizeof(zend_mem_header) + MEM_HEADER_PADDING);
7035@@ -162,9 +197,11 @@
7036 AG(allocated_memory_peak) = AG(allocated_memory);
7037 }
7038 #endif
7039- p = (zend_mem_header *) ZEND_DO_MALLOC(sizeof(zend_mem_header) + MEM_HEADER_PADDING + SIZE + END_MAGIC_SIZE);
7040+ p = (zend_mem_header *) ZEND_DO_MALLOC(sizeof(zend_mem_header) + MEM_HEADER_PADDING + SIZE + END_MAGIC_SIZE + CANARY_SIZE);
7041 }
7042
7043+emalloc_error:
7044+
7045 HANDLE_BLOCK_INTERRUPTIONS();
7046
7047 if (!p) {
7048@@ -192,7 +229,10 @@
7049 # endif
7050 memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
7051 #endif
7052-
7053+#if HARDENING_PATCH_MM_PROTECT
7054+ p->canary = HG(canary_1);
7055+ memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
7056+#endif
7057 HANDLE_UNBLOCK_INTERRUPTIONS();
7058 return (void *)((char *)p + sizeof(zend_mem_header) + MEM_HEADER_PADDING);
7059 }
7060@@ -219,17 +259,36 @@
7061 return emalloc_rel(lval + offset);
7062 }
7063 }
7064-
7065+
7066+#if HARDENING_PATCH
7067+ zend_security_log(S_MEMORY, "Possible integer overflow catched by safe_emalloc()");
7068+#endif
7069 zend_error(E_ERROR, "Possible integer overflow in memory allocation (%ld * %ld + %ld)", nmemb, size, offset);
7070 return 0;
7071 }
7072
7073 ZEND_API void _efree(void *ptr ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
7074 {
7075+#if HARDENING_PATCH_MM_PROTECT
7076+ unsigned int canary_2;
7077+#endif
7078 zend_mem_header *p = (zend_mem_header *) ((char *)ptr - sizeof(zend_mem_header) - MEM_HEADER_PADDING);
7079 DECLARE_CACHE_VARS();
7080 TSRMLS_FETCH();
7081
7082+#if HARDENING_PATCH_MM_PROTECT
7083+ if (p->canary != HG(canary_1)) goto efree_canary_mismatch;
7084+ memcpy(&canary_2, (((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE), CANARY_SIZE);
7085+ if (canary_2 != HG(canary_2)) {
7086+efree_canary_mismatch:
7087+ zend_security_log(S_MEMORY, "canary mismatch on efree() - heap overflow or double efree detected");
7088+ exit(1);
7089+ }
7090+ /* to catch double efree()s */
7091+ memset((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE), 0, CANARY_SIZE);
7092+ p->canary = 0;
7093+#endif
7094+
7095 #if defined(ZTS) && TSRM_DEBUG
7096 if (p->thread_id != tsrm_thread_id()) {
7097 tsrm_error(TSRM_ERROR_LEVEL_ERROR, "Memory block allocated at %s:(%d) on thread %x freed at %s:(%d) on thread %x, ignoring",
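Review bot: `goto efree_canary_mismatch` at L7098 jumps from outside into the body of the `if` at L7100, which is legal C but obscures that both canary tests share one failure path and trips readers and static analysers alike; a single condition does the same job, `if (p->canary != HG(canary_1) || (memcpy(&canary_2, END_CANARY_PTR(p), CANARY_SIZE), canary_2 != HG(canary_2))) {`, with the offset folded into a local macro since the `(char *)p + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE` arithmetic is now spelled out in _emalloc, _efree and _erealloc. The zeroing at L7106-L7107 uses 0 as the "already freed" marker, which only works if a live canary is never 0; that is decided where the canaries are drawn, so a comment here, `/* 0 marks a freed block; zend_canary() must never produce it */`, ties the two sites together.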
7098@@ -274,6 +333,9 @@
7099 size_t _size = nmemb * size;
7100
7101 if (nmemb && (_size/nmemb!=size)) {
7102+#if HARDENING_PATCH
7103+ zend_security_log(S_MEMORY, "Possible integer overflow catched by ecalloc()");
7104+#endif
7105 fprintf(stderr,"FATAL: ecalloc(): Unable to allocate %ld * %ld bytes\n", (long) nmemb, (long) size);
7106 #if ZEND_DEBUG && HAVE_KILL && HAVE_GETPID
7107 kill(getpid(), SIGSEGV);
7108@@ -293,6 +355,9 @@
7109
7110 ZEND_API void *_erealloc(void *ptr, size_t size, int allow_failure ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
7111 {
7112+#if HARDENING_PATCH_MM_PROTECT
7113+ unsigned int canary_2;
7114+#endif
7115 zend_mem_header *p;
7116 zend_mem_header *orig;
7117 DECLARE_CACHE_VARS();
7118@@ -304,6 +369,16 @@
7119
7120 p = orig = (zend_mem_header *) ((char *)ptr-sizeof(zend_mem_header)-MEM_HEADER_PADDING);
7121
7122+#if HARDENING_PATCH_MM_PROTECT
7123+ if (p->canary != HG(canary_1)) goto erealloc_canary_mismatch;
7124+ memcpy(&canary_2, (((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + p->size + END_MAGIC_SIZE), CANARY_SIZE);
7125+ if (canary_2 != HG(canary_2)) {
7126+erealloc_canary_mismatch:
7127+ zend_security_log(S_MEMORY, "canary mismatch on erealloc() - heap overflow detected");
7128+ exit(1);
7129+ }
7130+#endif
7131+
7132 #if defined(ZTS) && TSRM_DEBUG
7133 if (p->thread_id != tsrm_thread_id()) {
7134 void *new_p;
7135@@ -320,6 +395,13 @@
7136 CALCULATE_REAL_SIZE_AND_CACHE_INDEX(size);
7137
7138 HANDLE_BLOCK_INTERRUPTIONS();
7139+
7140+ if (size > INT_MAX || SIZE < size) {
7141+ REMOVE_POINTER_FROM_LIST(p);
7142+ p = NULL;
7143+ goto erealloc_error;
7144+ }
7145+
7146 #if MEMORY_LIMIT
7147 CHECK_MEMORY_LIMIT(size - p->size, SIZE - REAL_SIZE(p->size));
7148 if (AG(allocated_memory) > AG(allocated_memory_peak)) {
7149@@ -327,7 +409,8 @@
7150 }
7151 #endif
7152 REMOVE_POINTER_FROM_LIST(p);
7153- p = (zend_mem_header *) ZEND_DO_REALLOC(p, sizeof(zend_mem_header)+MEM_HEADER_PADDING+SIZE+END_MAGIC_SIZE);
7154+ p = (zend_mem_header *) ZEND_DO_REALLOC(p, sizeof(zend_mem_header)+MEM_HEADER_PADDING+SIZE+END_MAGIC_SIZE+CANARY_SIZE);
7155+erealloc_error:
7156 if (!p) {
7157 if (!allow_failure) {
7158 fprintf(stderr,"FATAL: erealloc(): Unable to allocate %ld bytes\n", (long) size);
7159@@ -349,6 +432,9 @@
7160 memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size), &mem_block_end_magic, sizeof(long));
7161 #endif
7162
7163+#if HARDENING_PATCH_MM_PROTECT
7164+ memcpy((((char *) p) + sizeof(zend_mem_header) + MEM_HEADER_PADDING + size + END_MAGIC_SIZE), &HG(canary_2), CANARY_SIZE);
7165+#endif
7166 p->size = size;
7167
7168 HANDLE_UNBLOCK_INTERRUPTIONS();
7169@@ -423,6 +509,10 @@
7170 {
7171 AG(head) = NULL;
7172
7173+#if HARDENING_PATCH_MM_PROTECT
7174+ HG(canary_1) = zend_canary();
7175+ HG(canary_2) = zend_canary();
7176+#endif
7177 #if MEMORY_LIMIT
7178 AG(memory_limit) = 1<<30; /* ridiculous limit, effectively no limit */
7179 AG(allocated_memory) = 0;
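Review bot: `HG(canary_1) = zend_canary();` at L7189 does not exclude 0, yet _efree() overwrites `p->canary` with 0 as its double-free marker, so a process whose canary comes up 0 would accept every double efree() silently; draw until non-zero, `do { HG(canary_1) = zend_canary(); } while (HG(canary_1) == 0);`, and the same for canary_2, whose end-of-block copy is also memset to 0 on free. zend_canary() is not visible here, so if it already guarantees a non-zero result a comment saying so is enough. Both values are drawn once at memory-manager startup and shared by every block, so a single header disclosure reveals them for the rest of the process; that is the normal trade-off for a 32-bit canary and should be stated in a comment rather than left implicit.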
7180diff -Nura php-4.4.3/Zend/zend_alloc.h hardening-patch-4.4.3-0.4.15/Zend/zend_alloc.h
7181--- php-4.4.3/Zend/zend_alloc.h 2006-01-01 14:46:49.000000000 +0100
7182+++ hardening-patch-4.4.3-0.4.15/Zend/zend_alloc.h 2006-09-05 20:30:46.000000000 +0200
7183@@ -32,6 +32,9 @@
7184 #define MEM_BLOCK_CACHED_MAGIC 0xFB8277DCL
7185
7186 typedef struct _zend_mem_header {
7187+#if HARDENING_PATCH_MM_PROTECT
7188+ unsigned int canary;
7189+#endif
7190 #if ZEND_DEBUG
7191 long magic;
7192 char *filename;
7193diff -Nura php-4.4.3/Zend/zend_builtin_functions.c hardening-patch-4.4.3-0.4.15/Zend/zend_builtin_functions.c
7194--- php-4.4.3/Zend/zend_builtin_functions.c 2006-01-01 14:46:49.000000000 +0100
7195+++ hardening-patch-4.4.3-0.4.15/Zend/zend_builtin_functions.c 2006-09-05 20:30:46.000000000 +0200
7196@@ -49,6 +49,9 @@
7197 static ZEND_FUNCTION(crash);
7198 #endif
7199 #endif
7200+#if HARDENING_PATCH_MM_PROTECT_DEBUG
7201+static ZEND_FUNCTION(heap_overflow);
7202+#endif
7203 static ZEND_FUNCTION(get_included_files);
7204 static ZEND_FUNCTION(is_subclass_of);
7205 static ZEND_FUNCTION(is_a);
7206@@ -101,6 +104,9 @@
7207 ZEND_FE(crash, NULL)
7208 #endif
7209 #endif
7210+#if HARDENING_PATCH_MM_PROTECT_DEBUG
7211+ ZEND_FE(heap_overflow, NULL)
7212+#endif
7213 ZEND_FE(get_included_files, NULL)
7214 ZEND_FALIAS(get_required_files, get_included_files, NULL)
7215 ZEND_FE(is_subclass_of, NULL)
7216@@ -805,6 +811,19 @@
7217
7218 #endif /* ZEND_DEBUG */
7219
7220+
7221+#if HARDENING_PATCH_MM_PROTECT_DEBUG
7222+ZEND_FUNCTION(heap_overflow)
7223+{
7224+ char *nowhere = emalloc(10);
7225+
7226+ memcpy(nowhere, "something1234567890", sizeof("something1234567890"));
7227+
7228+ efree(nowhere);
7229+}
7230+#endif
7231+
7232+
7233 /* {{{ proto array get_included_files(void)
7234 Returns an array with the file names that were include_once()'d */
7235 ZEND_FUNCTION(get_included_files)
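Review bot: `heap_overflow()` at 7222-7229 is registered as an ordinary script-callable function (see the ZEND_FE entry in the hunk above), so on any build with HARDENING_PATCH_MM_PROTECT_DEBUG set every script can corrupt the heap by calling it; the macro name says debug, but nothing in the code states that it must never be defined for a production build. The copy writes `sizeof("something1234567890")` (20 bytes) into a 10-byte block, which is the point of the exercise, and the function returns without touching return_value. A comment such as `/* Test hook only: deliberately overruns a 10-byte block so the trailing canary is clobbered. Never enable MM_PROTECT_DEBUG in production. */` would make the intent explicit to the next maintainer.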
7236diff -Nura php-4.4.3/Zend/zend.c hardening-patch-4.4.3-0.4.15/Zend/zend.c
7237--- php-4.4.3/Zend/zend.c 2006-01-01 14:46:49.000000000 +0100
7238+++ hardening-patch-4.4.3-0.4.15/Zend/zend.c 2006-09-05 20:30:46.000000000 +0200
7239@@ -53,6 +53,12 @@
7240 ZEND_API void (*zend_unblock_interruptions)(void);
7241 ZEND_API void (*zend_ticks_function)(int ticks);
7242 ZEND_API void (*zend_error_cb)(int type, const char *error_filename, const uint error_lineno, const char *format, va_list args);
7243+#if HARDENING_PATCH
7244+ZEND_API void (*zend_security_log)(int loglevel, char *fmt, ...);
7245+#endif
7246+#if HARDENING_PATCH_INC_PROTECT
7247+ZEND_API int (*zend_is_valid_include)(zval *z);
7248+#endif
7249
7250 void (*zend_on_timeout)(int seconds TSRMLS_DC);
7251
7252@@ -70,9 +76,391 @@
7253 return SUCCESS;
7254 }
7255
7256+#if HARDENING_PATCH
7257+static ZEND_INI_MH(OnUpdateHPHP_log_syslog)
7258+{
7259+ if (!new_value) {
7260+ EG(hphp_log_syslog) = S_ALL & ~S_SQL | S_MEMORY | S_INTERNAL;
7261+ } else {
7262+ EG(hphp_log_syslog) = atoi(new_value) | S_MEMORY | S_INTERNAL;
7263+ }
7264+ return SUCCESS;
7265+}
7266+static ZEND_INI_MH(OnUpdateHPHP_log_syslog_facility)
7267+{
7268+ if (!new_value) {
7269+ EG(hphp_log_syslog_facility) = LOG_USER;
7270+ } else {
7271+ EG(hphp_log_syslog_facility) = atoi(new_value);
7272+ }
7273+ return SUCCESS;
7274+}
7275+static ZEND_INI_MH(OnUpdateHPHP_log_syslog_priority)
7276+{
7277+ if (!new_value) {
7278+ EG(hphp_log_syslog_priority) = LOG_ALERT;
7279+ } else {
7280+ EG(hphp_log_syslog_priority) = atoi(new_value);
7281+ }
7282+ return SUCCESS;
7283+}
7284+static ZEND_INI_MH(OnUpdateHPHP_log_sapi)
7285+{
7286+ if (!new_value) {
7287+ EG(hphp_log_sapi) = S_ALL & ~S_SQL | S_INTERNAL;
7288+ } else {
7289+ EG(hphp_log_sapi) = atoi(new_value) | S_INTERNAL;
7290+ }
7291+ return SUCCESS;
7292+}
7293+static ZEND_INI_MH(OnUpdateHPHP_log_script)
7294+{
7295+ if (!new_value) {
7296+ EG(hphp_log_script) = S_ALL & (~S_MEMORY) & (~S_INTERNAL);
7297+ } else {
7298+ EG(hphp_log_script) = atoi(new_value) & (~S_MEMORY) & (~S_INTERNAL);
7299+ }
7300+ return SUCCESS;
7301+}
7302+static ZEND_INI_MH(OnUpdateHPHP_log_scriptname)
7303+{
7304+ if (EG(hphp_log_scriptname)) {
7305+ pefree(EG(hphp_log_scriptname),1);
7306+ }
7307+ EG(hphp_log_scriptname) = NULL;
7308+ if (new_value) {
7309+ EG(hphp_log_scriptname) = pestrdup(new_value,1);
7310+ }
7311+ return SUCCESS;
7312+}
7313+
7314+static ZEND_INI_MH(OnUpdateHPHP_include_whitelist)
7315+{
7316+ char *s = NULL, *e, *val;
7317+ unsigned long dummy = 1;
7318+
7319+ if (!new_value) {
7320+include_whitelist_destroy:
7321+ if (HG(include_whitelist)) {
7322+ zend_hash_destroy(HG(include_whitelist));
7323+ pefree(HG(include_whitelist),1);
7324+ }
7325+ HG(include_whitelist) = NULL;
7326+ return SUCCESS;
7327+ }
7328+ if (!(*new_value)) {
7329+ goto include_whitelist_destroy;
7330+ }
7331+
7332+ HG(include_whitelist) = pemalloc(sizeof(HashTable), 1);
7333+ zend_hash_init(HG(include_whitelist), 5, NULL, NULL, 1);
7334+
7335+ val = zend_str_tolower_dup(new_value, strlen(new_value));
7336+ e = val;
7337+
7338+ while (*e) {
7339+ switch (*e) {
7340+ case ' ':
7341+ case ',':
7342+ if (s) {
7343+ *e = '\0';
7344+ zend_hash_add(HG(include_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
7345+ s = NULL;
7346+ }
7347+ break;
7348+ default:
7349+ if (!s) {
7350+ s = e;
7351+ }
7352+ break;
7353+ }
7354+ e++;
7355+ }
7356+ if (s) {
7357+ zend_hash_add(HG(include_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
7358+ }
7359+ efree(val);
7360+
7361+ return SUCCESS;
7362+}
7363+
7364+static ZEND_INI_MH(OnUpdateHPHP_include_blacklist)
7365+{
7366+ char *s = NULL, *e, *val;
7367+ unsigned long dummy = 1;
7368+
7369+ if (!new_value) {
7370+include_blacklist_destroy:
7371+ if (HG(include_blacklist)) {
7372+ zend_hash_destroy(HG(include_blacklist));
7373+ pefree(HG(include_blacklist),1);
7374+ }
7375+ HG(include_blacklist) = NULL;
7376+ return SUCCESS;
7377+ }
7378+ if (!(*new_value)) {
7379+ goto include_blacklist_destroy;
7380+ }
7381+
7382+ HG(include_blacklist) = pemalloc(sizeof(HashTable), 1);
7383+ zend_hash_init(HG(include_blacklist), 5, NULL, NULL, 1);
7384+
7385+ val = zend_str_tolower_dup(new_value, strlen(new_value));
7386+ e = val;
7387+
7388+ while (*e) {
7389+ switch (*e) {
7390+ case ' ':
7391+ case ',':
7392+ if (s) {
7393+ *e = '\0';
7394+ zend_hash_add(HG(include_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
7395+ s = NULL;
7396+ }
7397+ break;
7398+ default:
7399+ if (!s) {
7400+ s = e;
7401+ }
7402+ break;
7403+ }
7404+ e++;
7405+ }
7406+ if (s) {
7407+ zend_hash_add(HG(include_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
7408+ }
7409+ efree(val);
7410+
7411+ return SUCCESS;
7412+}
7413+
7414+static ZEND_INI_MH(OnUpdateHPHP_eval_whitelist)
7415+{
7416+ char *s = NULL, *e, *val;
7417+ unsigned long dummy = 1;
7418+
7419+ if (!new_value) {
7420+eval_whitelist_destroy:
7421+ if (HG(eval_whitelist)) {
7422+ zend_hash_destroy(HG(eval_whitelist));
7423+ pefree(HG(eval_whitelist),1);
7424+ }
7425+ HG(eval_whitelist) = NULL;
7426+ return SUCCESS;
7427+ }
7428+ if (!(*new_value)) {
7429+ goto eval_whitelist_destroy;
7430+ }
7431+
7432+ HG(eval_whitelist) = pemalloc(sizeof(HashTable), 1);
7433+ zend_hash_init(HG(eval_whitelist), 5, NULL, NULL, 1);
7434+
7435+ val = zend_str_tolower_dup(new_value, strlen(new_value));
7436+ e = val;
7437+
7438+ while (*e) {
7439+ switch (*e) {
7440+ case ' ':
7441+ case ',':
7442+ if (s) {
7443+ *e = '\0';
7444+ zend_hash_add(HG(eval_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
7445+ s = NULL;
7446+ }
7447+ break;
7448+ default:
7449+ if (!s) {
7450+ s = e;
7451+ }
7452+ break;
7453+ }
7454+ e++;
7455+ }
7456+ if (s) {
7457+ zend_hash_add(HG(eval_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
7458+ }
7459+ efree(val);
7460+
7461+ return SUCCESS;
7462+}
7463+
7464+static ZEND_INI_MH(OnUpdateHPHP_eval_blacklist)
7465+{
7466+ char *s = NULL, *e, *val;
7467+ unsigned long dummy = 1;
7468+
7469+ if (!new_value) {
7470+eval_blacklist_destroy:
7471+ if (HG(eval_blacklist)) {
7472+ zend_hash_destroy(HG(eval_blacklist));
7473+ pefree(HG(eval_blacklist), 1);
7474+ }
7475+ HG(eval_blacklist) = NULL;
7476+ return SUCCESS;
7477+ }
7478+ if (!(*new_value)) {
7479+ goto eval_blacklist_destroy;
7480+ }
7481+
7482+ HG(eval_blacklist) = pemalloc(sizeof(HashTable), 1);
7483+ zend_hash_init(HG(eval_blacklist), 5, NULL, NULL, 1);
7484+
7485+ val = zend_str_tolower_dup(new_value, strlen(new_value));
7486+ e = val;
7487+
7488+ while (*e) {
7489+ switch (*e) {
7490+ case ' ':
7491+ case ',':
7492+ if (s) {
7493+ *e = '\0';
7494+ zend_hash_add(HG(eval_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
7495+ s = NULL;
7496+ }
7497+ break;
7498+ default:
7499+ if (!s) {
7500+ s = e;
7501+ }
7502+ break;
7503+ }
7504+ e++;
7505+ }
7506+ if (s) {
7507+ zend_hash_add(HG(eval_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
7508+ }
7509+ efree(val);
7510+
7511+
7512+ return SUCCESS;
7513+}
7514+
7515+static ZEND_INI_MH(OnUpdateHPHP_func_whitelist)
7516+{
7517+ char *s = NULL, *e, *val;
7518+ unsigned long dummy = 1;
7519+
7520+ if (!new_value) {
7521+func_whitelist_destroy:
7522+ if (HG(func_whitelist)) {
7523+ zend_hash_destroy(HG(func_whitelist));
7524+ pefree(HG(func_whitelist),1);
7525+ }
7526+ HG(func_whitelist) = NULL;
7527+ return SUCCESS;
7528+ }
7529+ if (!(*new_value)) {
7530+ goto func_whitelist_destroy;
7531+ }
7532+
7533+ HG(func_whitelist) = pemalloc(sizeof(HashTable), 1);
7534+ zend_hash_init(HG(func_whitelist), 5, NULL, NULL, 1);
7535+
7536+ val = zend_str_tolower_dup(new_value, strlen(new_value));
7537+ e = val;
7538+
7539+ while (*e) {
7540+ switch (*e) {
7541+ case ' ':
7542+ case ',':
7543+ if (s) {
7544+ *e = '\0';
7545+ zend_hash_add(HG(func_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
7546+ s = NULL;
7547+ }
7548+ break;
7549+ default:
7550+ if (!s) {
7551+ s = e;
7552+ }
7553+ break;
7554+ }
7555+ e++;
7556+ }
7557+ if (s) {
7558+ zend_hash_add(HG(func_whitelist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
7559+ }
7560+ efree(val);
7561+
7562+ return SUCCESS;
7563+}
7564+
7565+static ZEND_INI_MH(OnUpdateHPHP_func_blacklist)
7566+{
7567+ char *s = NULL, *e, *val;
7568+ unsigned long dummy = 1;
7569+
7570+ if (!new_value) {
7571+func_blacklist_destroy:
7572+ if (HG(func_blacklist)) {
7573+ zend_hash_destroy(HG(func_blacklist));
7574+ pefree(HG(func_blacklist),1);
7575+ }
7576+ HG(func_blacklist) = NULL;
7577+ return SUCCESS;
7578+ }
7579+ if (!(*new_value)) {
7580+ goto func_blacklist_destroy;
7581+ }
7582+
7583+ HG(func_blacklist) = pemalloc(sizeof(HashTable), 1);
7584+ zend_hash_init(HG(func_blacklist), 5, NULL, NULL, 1);
7585+
7586+ val = zend_str_tolower_dup(new_value, strlen(new_value));
7587+ e = val;
7588+
7589+ while (*e) {
7590+ switch (*e) {
7591+ case ' ':
7592+ case ',':
7593+ if (s) {
7594+ *e = '\0';
7595+ zend_hash_add(HG(func_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
7596+ s = NULL;
7597+ }
7598+ break;
7599+ default:
7600+ if (!s) {
7601+ s = e;
7602+ }
7603+ break;
7604+ }
7605+ e++;
7606+ }
7607+ if (s) {
7608+ zend_hash_add(HG(func_blacklist), s, e-s+1, &dummy, sizeof(unsigned long), NULL);
7609+ }
7610+ efree(val);
7611+
7612+
7613+ return SUCCESS;
7614+}
7615+
7616+#endif
7617
7618 ZEND_INI_BEGIN()
7619 ZEND_INI_ENTRY("error_reporting", NULL, ZEND_INI_ALL, OnUpdateErrorReporting)
7620+#if HARDENING_PATCH
7621+ ZEND_INI_ENTRY("hphp.log.syslog", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_syslog)
7622+ ZEND_INI_ENTRY("hphp.log.syslog.facility", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_syslog_facility)
7623+ ZEND_INI_ENTRY("hphp.log.syslog.priority", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_syslog_priority)
7624+ ZEND_INI_ENTRY("hphp.log.sapi", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_sapi)
7625+ ZEND_INI_ENTRY("hphp.log.script", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_script)
7626+ ZEND_INI_ENTRY("hphp.log.script.name", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_log_scriptname)
7627+ STD_ZEND_INI_BOOLEAN("hphp.log.use-x-forwarded-for", "0", ZEND_INI_SYSTEM, OnUpdateBool, hphp_log_use_x_forwarded_for, zend_executor_globals, executor_globals)
7628+
7629+ ZEND_INI_ENTRY("hphp.executor.include.whitelist", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_include_whitelist)
7630+ ZEND_INI_ENTRY("hphp.executor.include.blacklist", NULL, ZEND_INI_SYSTEM, OnUpdateHPHP_include_blacklist)
7631+ ZEND_INI_ENTRY("hphp.executor.eval.whitelist", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateHPHP_eval_whitelist)
7632+ ZEND_INI_ENTRY("hphp.executor.eval.blacklist", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateHPHP_eval_blacklist)
7633+ ZEND_INI_ENTRY("hphp.executor.func.whitelist", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateHPHP_func_whitelist)
7634+ ZEND_INI_ENTRY("hphp.executor.func.blacklist", NULL, ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateHPHP_func_blacklist)
7635+
7636+ STD_ZEND_INI_ENTRY("hphp.executor.max_depth", "0", ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateLong, hphp_executor_max_depth, zend_executor_globals, executor_globals)
7637+ STD_ZEND_INI_BOOLEAN("hphp.sql.bailout_on_error", "0", ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateBool, hphp_sql_bailout_on_error, hardened_globals_struct, hardened_globals)
7638+ STD_ZEND_INI_BOOLEAN("hphp.multiheader", "0", ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateBool, hphp_multiheader, hardened_globals_struct, hardened_globals)
7639+ STD_ZEND_INI_ENTRY("hphp.mail.protect", "0", ZEND_INI_PERDIR|ZEND_INI_SYSTEM, OnUpdateLong, hphp_mailprotect, hardened_globals_struct, hardened_globals)
7640+#endif
7641 ZEND_INI_END()
7642
7643
7644@@ -354,8 +742,12 @@
7645 zend_init_rsrc_plist(TSRMLS_C);
7646 EG(lambda_count)=0;
7647 EG(user_error_handler) = NULL;
7648+ EG(in_code_type) = 0;
7649 EG(in_execution) = 0;
7650 EG(current_execute_data) = NULL;
7651+#if HARDENING_PATCH
7652+ EG(hphp_log_scriptname) = NULL;
7653+#endif
7654 }
7655
7656
7657@@ -420,6 +812,14 @@
7658 extern zend_scanner_globals language_scanner_globals;
7659 #endif
7660
7661+ /* Set up Hardening-Patch utility functions first */
7662+#if HARDENING_PATCH
7663+ zend_security_log = utility_functions->security_log_function;
7664+#endif
7665+#if HARDENING_PATCH_INC_PROTECT
7666+ zend_is_valid_include = utility_functions->is_valid_include;
7667+#endif
7668+
7669 #ifdef ZTS
7670 ts_allocate_id(&alloc_globals_id, sizeof(zend_alloc_globals), (ts_allocate_ctor) alloc_globals_ctor, (ts_allocate_dtor) alloc_globals_dtor);
7671 #else
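Review bot: The pointers copied at 7663 and 7666 are called without a NULL check by the executor (the include opcode calls zend_is_valid_include directly), so a SAPI whose utility_functions does not fill in security_log_function or is_valid_include would crash on the first log or include instead of failing closed. A startup check such as `if (!zend_security_log || !zend_is_valid_include) { /* abort startup: SAPI was built without the Hardening-Patch hooks */ }` placed right after the assignments would turn that into a clear message. Whether zend_error is usable this early in zend_startup is not visible here, so a plain fprintf(stderr)/exit may be the appropriate action; the enclosing function continues outside the hunk.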
7672@@ -619,6 +1019,7 @@
7673 }
7674 CG(unclean_shutdown) = 1;
7675 CG(in_compilation) = EG(in_execution) = 0;
7676+ EG(in_code_type) = 0;
7677 EG(current_execute_data) = NULL;
7678 longjmp(EG(bailout), FAILURE);
7679 }
7680diff -Nura php-4.4.3/Zend/zend_canary.c hardening-patch-4.4.3-0.4.15/Zend/zend_canary.c
7681--- php-4.4.3/Zend/zend_canary.c 1970-01-01 01:00:00.000000000 +0100
7682+++ hardening-patch-4.4.3-0.4.15/Zend/zend_canary.c 2006-09-05 20:30:46.000000000 +0200
7683@@ -0,0 +1,58 @@
7684+/*
7685+ +----------------------------------------------------------------------+
7686+ | Hardening-Patch for PHP |
7687+ +----------------------------------------------------------------------+
7688+ | Copyright (c) 2004-2005 Stefan Esser |
7689+ +----------------------------------------------------------------------+
7690+ | This source file is subject to version 2.02 of the PHP license, |
7691+ | that is bundled with this package in the file LICENSE, and is |
7692+ | available at through the world-wide-web at |
7693+ | http://www.php.net/license/2_02.txt. |
7694+ | If you did not receive a copy of the PHP license and are unable to |
7695+ | obtain it through the world-wide-web, please send a note to |
7696+ | license@php.net so we can mail you a copy immediately. |
7697+ +----------------------------------------------------------------------+
7698+ | Author: Stefan Esser <sesser@hardened-php.net> |
7699+ +----------------------------------------------------------------------+
7700+ */
7701+/* $Id: zend_canary.c,v 1.1 2004/11/26 12:45:41 ionic Exp $ */
7702+
7703+#include "zend.h"
7704+
7705+#include <stdio.h>
7706+#include <stdlib.h>
7707+
7708+
7709+#if HARDENING_PATCH_MM_PROTECT || HARDENING_PATCH_LL_PROTECT || HARDENING_PATCH_HASH_PROTECT
7710+
7711+/* will be replaced later with more compatible method */
7712+ZEND_API unsigned int zend_canary()
7713+{
7714+ time_t t;
7715+ unsigned int canary;
7716+ int fd;
7717+
7718+ fd = open("/dev/urandom", 0);
7719+ if (fd != -1) {
7720+ int r = read(fd, &canary, sizeof(canary));
7721+ close(fd);
7722+ if (r == sizeof(canary)) {
7723+ return (canary);
7724+ }
7725+ }
7726+ /* not good but we never want to do this */
7727+ time(&t);
7728+ canary = *(unsigned int *)&t + getpid() << 16;
7729+ return (canary);
7730+}
7731+#endif
7732+
7733+
7734+/*
7735+ * Local variables:
7736+ * tab-width: 4
7737+ * c-basic-offset: 4
7738+ * End:
7739+ * vim600: sw=4 ts=4 fdm=marker
7740+ * vim<600: sw=4 ts=4
7741+ */
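Review bot: The fallback at 7728, `canary = *(unsigned int *)&t + getpid() << 16;`, parses as `(t + pid) << 16` because `+` binds tighter than `<<`, so the low 16 bits of the canary are always zero and the high bits of the sum are shifted away; with time and pid being predictable anyway this leaves the fallback with very little entropy. A clearer combination is `canary = (unsigned int) t ^ ((unsigned int) getpid() << 16);`, and the path should record that /dev/urandom could not be read, since the `/* not good but we never want to do this */` comment is otherwise the only trace that the weak path was taken. `open("/dev/urandom", 0)` should spell out `O_RDONLY`, and the file includes neither <fcntl.h> nor <unistd.h> nor <time.h> for open/read/close/getpid/time, relying on zend.h to pull them in; the `*(unsigned int *)&t` read of a time_t is also an aliasing cast that a plain `(unsigned int) t` conversion avoids.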
7742diff -Nura php-4.4.3/Zend/zend_compile.c hardening-patch-4.4.3-0.4.15/Zend/zend_compile.c
7743--- php-4.4.3/Zend/zend_compile.c 2006-02-23 19:07:16.000000000 +0100
7744+++ hardening-patch-4.4.3-0.4.15/Zend/zend_compile.c 2006-09-05 20:30:46.000000000 +0200
7745@@ -768,6 +768,13 @@
7746 op_array.function_name = name;
7747 op_array.arg_types = NULL;
7748 op_array.return_reference = return_reference;
7749+#if HARDENING_PATCH
7750+ if (EG(in_code_type)==ZEND_EVAL_CODE) {
7751+ op_array.created_by_eval = 1;
7752+ } else {
7753+ op_array.created_by_eval = 0;
7754+ }
7755+#endif
7756
7757 if (is_method) {
7758 if (zend_hash_add(&CG(active_class_entry)->function_table, name, name_len+1, &op_array, sizeof(zend_op_array), (void **) &CG(active_op_array)) == FAILURE) {
7759diff -Nura php-4.4.3/Zend/zend_compile.h hardening-patch-4.4.3-0.4.15/Zend/zend_compile.h
7760--- php-4.4.3/Zend/zend_compile.h 2006-01-01 14:46:49.000000000 +0100
7761+++ hardening-patch-4.4.3-0.4.15/Zend/zend_compile.h 2006-09-05 20:30:46.000000000 +0200
7762@@ -106,6 +106,9 @@
7763 char *filename;
7764
7765 void *reserved[ZEND_MAX_RESERVED_RESOURCES];
7766+#if HARDENING_PATCH
7767+ zend_bool created_by_eval;
7768+#endif
7769 };
7770
7771
7772@@ -549,6 +552,7 @@
7773 #define ZEND_USER_FUNCTION 2
7774 #define ZEND_OVERLOADED_FUNCTION 3
7775 #define ZEND_EVAL_CODE 4
7776+#define ZEND_SANDBOX_CODE 6
7777
7778 #define ZEND_INTERNAL_CLASS 1
7779 #define ZEND_USER_CLASS 2
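Review bot: `#define ZEND_SANDBOX_CODE 6` at 7776 skips 5 without explanation, and execute() later rewrites a sandbox op_array's type back to ZEND_EVAL_CODE after recording the sandbox state in EG(in_code_type), so a reader of this header cannot tell the value is transient. A comment such as `/* transient: execute() records it in EG(in_code_type) and stores ZEND_EVAL_CODE in op_array->type */` plus a word on why 5 is avoided would help.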
7780diff -Nura php-4.4.3/Zend/zend_constants.c hardening-patch-4.4.3-0.4.15/Zend/zend_constants.c
7781--- php-4.4.3/Zend/zend_constants.c 2006-01-01 14:46:49.000000000 +0100
7782+++ hardening-patch-4.4.3-0.4.15/Zend/zend_constants.c 2006-09-05 20:30:46.000000000 +0200
7783@@ -111,6 +111,74 @@
7784 REGISTER_MAIN_LONG_CONSTANT("E_USER_NOTICE", E_USER_NOTICE, CONST_PERSISTENT | CONST_CS);
7785
7786 REGISTER_MAIN_LONG_CONSTANT("E_ALL", E_ALL, CONST_PERSISTENT | CONST_CS);
7787+#if HARDENING_PATCH
7788+ REGISTER_MAIN_LONG_CONSTANT("S_MEMORY", S_MEMORY, CONST_PERSISTENT | CONST_CS);
7789+ REGISTER_MAIN_LONG_CONSTANT("S_VARS", S_VARS, CONST_PERSISTENT | CONST_CS);
7790+ REGISTER_MAIN_LONG_CONSTANT("S_FILES", S_FILES, CONST_PERSISTENT | CONST_CS);
7791+ REGISTER_MAIN_LONG_CONSTANT("S_INCLUDE", S_INCLUDE, CONST_PERSISTENT | CONST_CS);
7792+ REGISTER_MAIN_LONG_CONSTANT("S_SQL", S_SQL, CONST_PERSISTENT | CONST_CS);
7793+ REGISTER_MAIN_LONG_CONSTANT("S_EXECUTOR", S_EXECUTOR, CONST_PERSISTENT | CONST_CS);
7794+ REGISTER_MAIN_LONG_CONSTANT("S_MAIL", S_MAIL, CONST_PERSISTENT | CONST_CS);
7795+ REGISTER_MAIN_LONG_CONSTANT("S_MISC", S_MISC, CONST_PERSISTENT | CONST_CS);
7796+ REGISTER_MAIN_LONG_CONSTANT("S_INTERNAL", S_INTERNAL, CONST_PERSISTENT | CONST_CS);
7797+ REGISTER_MAIN_LONG_CONSTANT("S_ALL", S_ALL, CONST_PERSISTENT | CONST_CS);
7798+
7799+ /* error levels */
7800+ REGISTER_MAIN_LONG_CONSTANT("LOG_EMERG", LOG_EMERG, CONST_CS | CONST_PERSISTENT); /* system unusable */
7801+ REGISTER_MAIN_LONG_CONSTANT("LOG_ALERT", LOG_ALERT, CONST_CS | CONST_PERSISTENT); /* immediate action required */
7802+ REGISTER_MAIN_LONG_CONSTANT("LOG_CRIT", LOG_CRIT, CONST_CS | CONST_PERSISTENT); /* critical conditions */
7803+ REGISTER_MAIN_LONG_CONSTANT("LOG_ERR", LOG_ERR, CONST_CS | CONST_PERSISTENT);
7804+ REGISTER_MAIN_LONG_CONSTANT("LOG_WARNING", LOG_WARNING, CONST_CS | CONST_PERSISTENT);
7805+ REGISTER_MAIN_LONG_CONSTANT("LOG_NOTICE", LOG_NOTICE, CONST_CS | CONST_PERSISTENT);
7806+ REGISTER_MAIN_LONG_CONSTANT("LOG_INFO", LOG_INFO, CONST_CS | CONST_PERSISTENT);
7807+ REGISTER_MAIN_LONG_CONSTANT("LOG_DEBUG", LOG_DEBUG, CONST_CS | CONST_PERSISTENT);
7808+ /* facility: type of program logging the message */
7809+ REGISTER_MAIN_LONG_CONSTANT("LOG_KERN", LOG_KERN, CONST_CS | CONST_PERSISTENT);
7810+ REGISTER_MAIN_LONG_CONSTANT("LOG_USER", LOG_USER, CONST_CS | CONST_PERSISTENT); /* generic user level */
7811+ REGISTER_MAIN_LONG_CONSTANT("LOG_MAIL", LOG_MAIL, CONST_CS | CONST_PERSISTENT); /* log to email */
7812+ REGISTER_MAIN_LONG_CONSTANT("LOG_DAEMON", LOG_DAEMON, CONST_CS | CONST_PERSISTENT); /* other system daemons */
7813+ REGISTER_MAIN_LONG_CONSTANT("LOG_AUTH", LOG_AUTH, CONST_CS | CONST_PERSISTENT);
7814+ REGISTER_MAIN_LONG_CONSTANT("LOG_SYSLOG", LOG_SYSLOG, CONST_CS | CONST_PERSISTENT);
7815+ REGISTER_MAIN_LONG_CONSTANT("LOG_LPR", LOG_LPR, CONST_CS | CONST_PERSISTENT);
7816+#ifdef LOG_NEWS
7817+ /* No LOG_NEWS on HP-UX */
7818+ REGISTER_MAIN_LONG_CONSTANT("LOG_NEWS", LOG_NEWS, CONST_CS | CONST_PERSISTENT); /* usenet new */
7819+#endif
7820+#ifdef LOG_UUCP
7821+ /* No LOG_UUCP on HP-UX */
7822+ REGISTER_MAIN_LONG_CONSTANT("LOG_UUCP", LOG_UUCP, CONST_CS | CONST_PERSISTENT);
7823+#endif
7824+#ifdef LOG_CRON
7825+ /* apparently some systems don't have this one */
7826+ REGISTER_MAIN_LONG_CONSTANT("LOG_CRON", LOG_CRON, CONST_CS | CONST_PERSISTENT);
7827+#endif
7828+#ifdef LOG_AUTHPRIV
7829+ /* AIX doesn't have LOG_AUTHPRIV */
7830+ REGISTER_MAIN_LONG_CONSTANT("LOG_AUTHPRIV", LOG_AUTHPRIV, CONST_CS | CONST_PERSISTENT);
7831+#endif
7832+#if !defined(PHP_WIN32) && !defined(NETWARE)
7833+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL0", LOG_LOCAL0, CONST_CS | CONST_PERSISTENT);
7834+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL1", LOG_LOCAL1, CONST_CS | CONST_PERSISTENT);
7835+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL2", LOG_LOCAL2, CONST_CS | CONST_PERSISTENT);
7836+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL3", LOG_LOCAL3, CONST_CS | CONST_PERSISTENT);
7837+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL4", LOG_LOCAL4, CONST_CS | CONST_PERSISTENT);
7838+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL5", LOG_LOCAL5, CONST_CS | CONST_PERSISTENT);
7839+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL6", LOG_LOCAL6, CONST_CS | CONST_PERSISTENT);
7840+ REGISTER_MAIN_LONG_CONSTANT("LOG_LOCAL7", LOG_LOCAL7, CONST_CS | CONST_PERSISTENT);
7841+#endif
7842+ /* options */
7843+ REGISTER_MAIN_LONG_CONSTANT("LOG_PID", LOG_PID, CONST_CS | CONST_PERSISTENT);
7844+ REGISTER_MAIN_LONG_CONSTANT("LOG_CONS", LOG_CONS, CONST_CS | CONST_PERSISTENT);
7845+ REGISTER_MAIN_LONG_CONSTANT("LOG_ODELAY", LOG_ODELAY, CONST_CS | CONST_PERSISTENT);
7846+ REGISTER_MAIN_LONG_CONSTANT("LOG_NDELAY", LOG_NDELAY, CONST_CS | CONST_PERSISTENT);
7847+#ifdef LOG_NOWAIT
7848+ REGISTER_MAIN_LONG_CONSTANT("LOG_NOWAIT", LOG_NOWAIT, CONST_CS | CONST_PERSISTENT);
7849+#endif
7850+#ifdef LOG_PERROR
7851+ /* AIX doesn't have LOG_PERROR */
7852+ REGISTER_MAIN_LONG_CONSTANT("LOG_PERROR", LOG_PERROR, CONST_CS | CONST_PERSISTENT); /*log to stderr*/
7853+#endif
7854+#endif
7855
7856 /* true/false constants */
7857 {
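Review bot: The LOG_* registrations at 7800-7853 duplicate, comment for comment, the block that ext/standard/syslog.c registers in its MINIT on non-Windows builds; unless this patch removes that copy elsewhere (not visible here), the second registration of each name fails and zend_register_constant reports "Constant ... already defined" at startup. Either keep only the S_* constants here, or guard the LOG_* block with the same HAVE_SYSLOG_H condition ext/standard uses so exactly one copy is registered. A one-line comment explaining why core needs these names (the hphp.log.syslog.* INI entries take numeric values that scripts may want to spell symbolically, presumably) would also help the next reader.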
7858diff -Nura php-4.4.3/Zend/zend_errors.h hardening-patch-4.4.3-0.4.15/Zend/zend_errors.h
7859--- php-4.4.3/Zend/zend_errors.h 2006-01-01 14:46:49.000000000 +0100
7860+++ hardening-patch-4.4.3-0.4.15/Zend/zend_errors.h 2006-09-05 20:30:46.000000000 +0200
7861@@ -36,5 +36,18 @@
7862 #define E_ALL (E_ERROR | E_WARNING | E_PARSE | E_NOTICE | E_CORE_ERROR | E_CORE_WARNING | E_COMPILE_ERROR | E_COMPILE_WARNING | E_USER_ERROR | E_USER_WARNING | E_USER_NOTICE)
7863 #define E_CORE (E_CORE_ERROR | E_CORE_WARNING)
7864
7865+#if HARDENING_PATCH
7866+#define S_MEMORY (1<<0L)
7867+#define S_VARS (1<<1L)
7868+#define S_FILES (1<<2L)
7869+#define S_INCLUDE (1<<3L)
7870+#define S_SQL (1<<4L)
7871+#define S_EXECUTOR (1<<5L)
7872+#define S_MAIL (1<<6L)
7873+#define S_MISC (1<<30L)
7874+#define S_INTERNAL (1<<29L)
7875+#define S_ALL (S_MEMORY | S_VARS | S_INCLUDE | S_FILES | S_MAIL | S_MISC | S_SQL | S_EXECUTOR)
7876+#endif
7877+
7878 #endif /* ZEND_ERRORS_H */
7879
7880diff -Nura php-4.4.3/Zend/zend_execute_API.c hardening-patch-4.4.3-0.4.15/Zend/zend_execute_API.c
7881--- php-4.4.3/Zend/zend_execute_API.c 2006-01-01 14:46:49.000000000 +0100
7882+++ hardening-patch-4.4.3-0.4.15/Zend/zend_execute_API.c 2006-09-05 20:30:46.000000000 +0200
7883@@ -142,6 +142,7 @@
7884 EG(class_table) = CG(class_table);
7885
7886 EG(in_execution) = 0;
7887+ EG(in_code_type) = 0;
7888
7889 zend_ptr_stack_init(&EG(argument_stack));
7890
7891@@ -431,12 +432,14 @@
7892 zend_execute_data execute_data;
7893
7894 /* Initialize execute_data */
7895+ memset(&execute_data, 0, sizeof(execute_data));
7896 EX(fbc) = NULL;
7897 EX(object).ptr = NULL;
7898 EX(ce) = NULL;
7899 EX(Ts) = NULL;
7900 EX(op_array) = NULL;
7901 EX(opline) = NULL;
7902+ EX(execute_depth) = 0;
7903
7904 *retval_ptr_ptr = NULL;
7905
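Review bot: After `memset(&execute_data, 0, sizeof(execute_data))` at 7895 the field-by-field NULL/0 assignments that follow, including the new `EX(execute_depth) = 0;` at 7902, are redundant; keep the memset and drop them, or drop the memset. Note that 7902 sits outside any `#if HARDENING_PATCH` guard while the same assignment in zend_execute.c (8010) is guarded, so if execute_depth is declared under that guard this file no longer builds with the patch disabled. The enclosing call_user_function_ex begins before the hunk.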
7906@@ -494,6 +497,39 @@
7907 zval_dtor(&function_name_copy);
7908 return FAILURE;
7909 }
7910+#if HARDENING_PATCH
7911+ if (EX(function_state).function->type == ZEND_INTERNAL_FUNCTION) {
7912+ if (EG(in_code_type) == ZEND_EVAL_CODE) {
7913+ if (HG(eval_whitelist) != NULL) {
7914+ if (!zend_hash_exists(HG(eval_whitelist), function_name_copy.value.str.val, function_name_copy.value.str.len+1)) {
7915+ zend_security_log(S_EXECUTOR, "function outside of eval whitelist called: %s()", function_name_copy.value.str.val);
7916+ zval_dtor(&function_name_copy);
7917+ zend_bailout();
7918+ }
7919+ } else if (HG(eval_blacklist) != NULL) {
7920+ if (zend_hash_exists(HG(eval_blacklist), function_name_copy.value.str.val, function_name_copy.value.str.len+1)) {
7921+ zend_security_log(S_EXECUTOR, "function within eval blacklist called: %s()", function_name_copy.value.str.val);
7922+ zval_dtor(&function_name_copy);
7923+ zend_bailout();
7924+ }
7925+ }
7926+ }
7927+
7928+ if (HG(func_whitelist) != NULL) {
7929+ if (!zend_hash_exists(HG(func_whitelist), function_name_copy.value.str.val, function_name_copy.value.str.len+1)) {
7930+ zend_security_log(S_EXECUTOR, "function outside of whitelist called: %s()", function_name_copy.value.str.val);
7931+ zval_dtor(&function_name_copy);
7932+ zend_bailout();
7933+ }
7934+ } else if (HG(func_blacklist) != NULL) {
7935+ if (zend_hash_exists(HG(func_blacklist), function_name_copy.value.str.val, function_name_copy.value.str.len+1)) {
7936+ zend_security_log(S_EXECUTOR, "function within blacklist called: %s()", function_name_copy.value.str.val);
7937+ zval_dtor(&function_name_copy);
7938+ zend_bailout();
7939+ }
7940+ }
7941+ }
7942+#endif
7943 zval_dtor(&function_name_copy);
7944
7945 for (i=0; i<param_count; i++) {
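Review bot: The whitelist/blacklist block at 7911-7941 is repeated verbatim, modulo the name variable, at 8033-8059 and 8070-8096 in zend_execute.c, and the copies already drift: this one frees function_name_copy before zend_bailout() while the 8033 copy leaves tmp allocated, and this site and 8070 check ZEND_INTERNAL_FUNCTION only whereas 8033 applies to any name resolved from the global table. A single helper, e.g. `static int hphp_function_call_allowed(const char *name, uint len TSRMLS_DC)` that performs the four lookups, logs, and returns 0 when blocked, called as `if (!hphp_function_call_allowed(...)) { zval_dtor(&function_name_copy); zend_bailout(); }`, keeps the policy in one place and leaves cleanup with the caller. If the internal-only asymmetry is intended it deserves a comment at the first site.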
7946@@ -606,8 +642,7 @@
7947 return SUCCESS;
7948 }
7949
7950-
7951-ZEND_API int zend_eval_string(char *str, zval *retval_ptr, char *string_name TSRMLS_DC)
7952+ZEND_API int zend_eval_string_ex(char *str, zval *retval_ptr, char *string_name, int type TSRMLS_DC)
7953 {
7954 zval pv;
7955 zend_op_array *new_op_array;
7956@@ -640,6 +675,7 @@
7957 zval **original_return_value_ptr_ptr = EG(return_value_ptr_ptr);
7958 zend_op **original_opline_ptr = EG(opline_ptr);
7959
7960+ new_op_array->type = type;
7961 EG(return_value_ptr_ptr) = &local_retval_ptr;
7962 EG(active_op_array) = new_op_array;
7963 EG(no_extensions)=1;
7964@@ -673,6 +709,10 @@
7965 return retval;
7966 }
7967
7968+ZEND_API int zend_eval_string(char *str, zval *retval_ptr, char *string_name TSRMLS_DC)
7969+{
7970+ return (zend_eval_string_ex(str, retval_ptr, string_name, ZEND_EVAL_CODE TSRMLS_CC));
7971+}
7972
7973 void execute_new_code(TSRMLS_D)
7974 {
7975diff -Nura php-4.4.3/Zend/zend_execute.c hardening-patch-4.4.3-0.4.15/Zend/zend_execute.c
7976--- php-4.4.3/Zend/zend_execute.c 2006-04-13 08:16:42.000000000 +0200
7977+++ hardening-patch-4.4.3-0.4.15/Zend/zend_execute.c 2006-09-05 20:30:46.000000000 +0200
7978@@ -1042,6 +1042,7 @@
7979 zend_execute_data execute_data;
7980
7981 /* Initialize execute_data */
7982+ memset(&execute_data, 0, sizeof(execute_data));
7983 EX(fbc) = NULL;
7984 EX(ce) = NULL;
7985 EX(object).ptr = NULL;
7986@@ -1053,9 +1054,21 @@
7987 }
7988 EX(prev_execute_data) = EG(current_execute_data);
7989 EX(original_in_execution)=EG(in_execution);
7990+ EX(original_in_code_type)=EG(in_code_type);
7991
7992 EG(current_execute_data) = &execute_data;
7993
7994+#if HARDENING_PATCH
7995+ EX(execute_depth) = 0;
7996+
7997+ if ((op_array->type == ZEND_EVAL_CODE || op_array->created_by_eval) && EG(in_code_type) != ZEND_SANDBOX_CODE) {
7998+ EG(in_code_type) = ZEND_EVAL_CODE;
7999+ } else if (op_array->type == ZEND_SANDBOX_CODE) {
8000+ EG(in_code_type) = ZEND_SANDBOX_CODE;
8001+ op_array->type = ZEND_EVAL_CODE;
8002+ }
8003+#endif
8004+
8005 EG(in_execution) = 1;
8006 if (op_array->start_op) {
8007 EX(opline) = op_array->start_op;
8008@@ -1087,6 +1100,19 @@
8009 }
8010 }
8011
8012+#if HARDENING_PATCH
8013+ if (EX(prev_execute_data) == NULL) {
8014+ EX(execute_depth) = 0;
8015+ } else {
8016+ EX(execute_depth) = EX(prev_execute_data)->execute_depth + 1;
8017+ }
8018+
8019+ if (EG(hphp_executor_max_depth) > 0 && EX(execute_depth) > EG(hphp_executor_max_depth)) {
8020+ zend_security_log(S_EXECUTOR, "Maximum execution depth of %u violated", EG(hphp_executor_max_depth));
8021+ zend_bailout();
8022+ }
8023+#endif
8024+
8025 while (1) {
8026 #ifdef ZEND_WIN32
8027 if (EG(timed_out)) {
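Review bot: The format string at 8020 uses `%u` for `EG(hphp_executor_max_depth)`, which the INI table fills through OnUpdateLong and is therefore a `long`; on LP64 builds that is a type mismatch in a variadic call. Use `"Maximum execution depth of %ld violated", (long) EG(hphp_executor_max_depth)`. The enclosing execute() starts and ends outside this hunk.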
8028@@ -1634,6 +1660,36 @@
8029 if (zend_hash_find(active_function_table, function_name->value.str.val, function_name->value.str.len+1, (void **) &function)==FAILURE) {
8030 zend_error(E_ERROR, "Call to undefined function: %s()", function_name->value.str.val);
8031 }
8032+#if HARDENING_PATCH
8033+ if (active_function_table == EG(function_table)) {
8034+ if (EG(in_code_type) == ZEND_EVAL_CODE) {
8035+ if (HG(eval_whitelist) != NULL) {
8036+ if (!zend_hash_exists(HG(eval_whitelist), function_name->value.str.val, function_name->value.str.len+1)) {
8037+ zend_security_log(S_EXECUTOR, "function outside of eval whitelist called: %s()", function_name->value.str.val);
8038+ zend_bailout();
8039+ }
8040+ } else if (HG(eval_blacklist) != NULL) {
8041+ if (zend_hash_exists(HG(eval_blacklist), function_name->value.str.val, function_name->value.str.len+1)) {
8042+ zend_security_log(S_EXECUTOR, "function within eval blacklist called: %s()", function_name->value.str.val);
8043+ zend_bailout();
8044+ }
8045+ }
8046+ }
8047+
8048+ if (HG(func_whitelist) != NULL) {
8049+ if (!zend_hash_exists(HG(func_whitelist), function_name->value.str.val, function_name->value.str.len+1)) {
8050+ zend_security_log(S_EXECUTOR, "function outside of whitelist called: %s()", function_name->value.str.val);
8051+ zend_bailout();
8052+ }
8053+ } else if (HG(func_blacklist) != NULL) {
8054+ if (zend_hash_exists(HG(func_blacklist), function_name->value.str.val, function_name->value.str.len+1)) {
8055+ zend_security_log(S_EXECUTOR, "function within blacklist called: %s()", function_name->value.str.val);
8056+ zend_bailout();
8057+ }
8058+ }
8059+ }
8060+#endif
8061+
8062 zval_dtor(&tmp);
8063 EX(fbc) = function;
8064 overloaded_function_call_cont:
8065@@ -1649,6 +1705,35 @@
8066 if (zend_hash_find(EG(function_table), fname->value.str.val, fname->value.str.len+1, (void **) &EX(function_state).function)==FAILURE) {
8067 zend_error(E_ERROR, "Unknown function: %s()", fname->value.str.val);
8068 }
8069+#if HARDENING_PATCH
8070+ if (EX(function_state).function->type==ZEND_INTERNAL_FUNCTION) {
8071+ if (EG(in_code_type) == ZEND_EVAL_CODE) {
8072+ if (HG(eval_whitelist) != NULL) {
8073+ if (!zend_hash_exists(HG(eval_whitelist), fname->value.str.val, fname->value.str.len+1)) {
8074+ zend_security_log(S_EXECUTOR, "function outside of eval whitelist called: %s()", fname->value.str.val);
8075+ zend_bailout();
8076+ }
8077+ } else if (HG(eval_blacklist) != NULL) {
8078+ if (zend_hash_exists(HG(eval_blacklist), fname->value.str.val, fname->value.str.len+1)) {
8079+ zend_security_log(S_EXECUTOR, "function within eval blacklist called: %s()", fname->value.str.val);
8080+ zend_bailout();
8081+ }
8082+ }
8083+ }
8084+
8085+ if (HG(func_whitelist) != NULL) {
8086+ if (!zend_hash_exists(HG(func_whitelist), fname->value.str.val, fname->value.str.len+1)) {
8087+ zend_security_log(S_EXECUTOR, "function outside of whitelist called: %s()", fname->value.str.val);
8088+ zend_bailout();
8089+ }
8090+ } else if (HG(func_blacklist) != NULL) {
8091+ if (zend_hash_exists(HG(func_blacklist), fname->value.str.val, fname->value.str.len+1)) {
8092+ zend_security_log(S_EXECUTOR, "function within blacklist called: %s()", fname->value.str.val);
8093+ zend_bailout();
8094+ }
8095+ }
8096+ }
8097+#endif
8098 FREE_OP(EX(Ts), &EX(opline)->op1, EG(free_op1));
8099 zend_ptr_stack_n_push(&EG(arg_types_stack), 2, EX(object).ptr, EX(ce));
8100 EX(object).ptr = NULL;
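Review bot: The whitelist/blacklist block added here duplicates, line for line, the one in the preceding hunk (the path above `overloaded_function_call_cont:`), differing only in the variable that holds the name (`fname` here, `function_name` there); a single static helper along the lines of `static void hphp_check_function_name(zval *name TSRMLS_DC)` (name suggested) called from both sites would keep the two enforcement paths from drifting when one of them is later fixed. The new `EX(function_state).function->type` dereference sits directly after the `zend_hash_find` failure branch and is only safe because `zend_error(E_ERROR, ...)` does not return; a one-line comment, `/* zend_error(E_ERROR) bails out, so function is valid here */`, would record that. The enclosing execute handler starts and ends outside this hunk.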
8101@@ -1821,6 +1906,7 @@
8102 efree(EX(Ts));
8103 }
8104 EG(in_execution) = EX(original_in_execution);
8105+ EG(in_code_type) = EX(original_in_code_type);
8106 EG(current_execute_data) = EX(prev_execute_data);
8107 return;
8108 }
8109@@ -2210,7 +2296,12 @@
8110 int dummy = 1;
8111 zend_file_handle file_handle = {0};
8112
8113+#if HARDENING_PATCH_INC_PROTECT
8114+ if (zend_is_valid_include(inc_filename)
8115+ && zend_open(inc_filename->value.str.val, &file_handle) == SUCCESS
8116+#else
8117 if (zend_open(inc_filename->value.str.val, &file_handle) == SUCCESS
8118+#endif
8119 && ZEND_IS_VALID_FILE_HANDLE(&file_handle)) {
8120
8121 file_handle.filename = inc_filename->value.str.val;
8122@@ -2239,6 +2330,11 @@
8123 break;
8124 case ZEND_INCLUDE:
8125 case ZEND_REQUIRE:
8126+#if HARDENING_PATCH_INC_PROTECT
8127+ if (!zend_is_valid_include(inc_filename)) {
8128+ break;
8129+ }
8130+#endif
8131 new_op_array = compile_filename(EX(opline)->op2.u.constant.value.lval, inc_filename TSRMLS_CC);
8132 break;
8133 case ZEND_EVAL: {
8134@@ -2381,7 +2477,7 @@
8135 if (EX(opline)->extended_value) {
8136 array_ptr_ptr = get_zval_ptr_ptr(&EX(opline)->op1, EX(Ts), BP_VAR_R);
8137 if (array_ptr_ptr == NULL) {
8138- MAKE_STD_ZVAL(array_ptr);
8139+ ALLOC_INIT_ZVAL(array_ptr);
8140 } else {
8141 SEPARATE_ZVAL_IF_NOT_REF(array_ptr_ptr);
8142 array_ptr = *array_ptr_ptr;
8143diff -Nura php-4.4.3/Zend/zend_execute_globals.h hardening-patch-4.4.3-0.4.15/Zend/zend_execute_globals.h
8144--- php-4.4.3/Zend/zend_execute_globals.h 2006-01-01 14:46:49.000000000 +0100
8145+++ hardening-patch-4.4.3-0.4.15/Zend/zend_execute_globals.h 2006-09-05 20:30:46.000000000 +0200
8146@@ -60,6 +60,8 @@
8147 object_info object;
8148 temp_variable *Ts;
8149 zend_bool original_in_execution;
8150+ zend_uint original_in_code_type;
8151+ zend_uint execute_depth;
8152 zend_op_array *op_array;
8153 struct _zend_execute_data *prev_execute_data;
8154 } zend_execute_data;
8155diff -Nura php-4.4.3/Zend/zend_extensions.c hardening-patch-4.4.3-0.4.15/Zend/zend_extensions.c
8156--- php-4.4.3/Zend/zend_extensions.c 2006-01-01 14:46:49.000000000 +0100
8157+++ hardening-patch-4.4.3-0.4.15/Zend/zend_extensions.c 2006-09-05 20:30:46.000000000 +0200
8158@@ -54,23 +54,44 @@
8159 return FAILURE;
8160 }
8161
8162+ /* check if module is compiled against Hardening-Patch */
8163+ if (extension_version_info->zend_extension_api_no < 1000000000) {
8164+ fprintf(stderr, "%s is not compiled with Hardening-Patch.\n"
8165+ "The Hardening-Patch version %d is installed.\n\n",
8166+ new_extension->name,
8167+ HARDENING_PATCH_ZEND_EXTENSION_API_NO);
8168+ DL_UNLOAD(handle);
8169+ return FAILURE;
8170+ }
8171+
8172+
8173+ /* check if module is compiled against correct Hardening-Patch version */
8174+ if (extension_version_info->zend_extension_api_no != HARDENING_PATCH_ZEND_EXTENSION_API_NO) {
8175+ fprintf(stderr, "%s requires Hardening-Patch version %d.\n"
8176+ "The Hardening-Patch version %d is installed.\n\n",
8177+ new_extension->name,
8178+ extension_version_info->zend_extension_api_no,
8179+ HARDENING_PATCH_ZEND_EXTENSION_API_NO);
8180+ DL_UNLOAD(handle);
8181+ return FAILURE;
8182+ }
8183
8184 /* allow extension to proclaim compatibility with any Zend version */
8185- if (extension_version_info->zend_extension_api_no != ZEND_EXTENSION_API_NO &&(!new_extension->api_no_check || new_extension->api_no_check(ZEND_EXTENSION_API_NO) != SUCCESS)) {
8186- if (extension_version_info->zend_extension_api_no > ZEND_EXTENSION_API_NO) {
8187+ if (extension_version_info->real_zend_extension_api_no != ZEND_EXTENSION_API_NO &&(!new_extension->api_no_check || new_extension->api_no_check(ZEND_EXTENSION_API_NO) != SUCCESS)) {
8188+ if (extension_version_info->real_zend_extension_api_no > ZEND_EXTENSION_API_NO) {
8189 fprintf(stderr, "%s requires Zend Engine API version %d.\n"
8190 "The Zend Engine API version %d which is installed, is outdated.\n\n",
8191 new_extension->name,
8192- extension_version_info->zend_extension_api_no,
8193+ extension_version_info->real_zend_extension_api_no,
8194 ZEND_EXTENSION_API_NO);
8195 DL_UNLOAD(handle);
8196 return FAILURE;
8197- } else if (extension_version_info->zend_extension_api_no < ZEND_EXTENSION_API_NO) {
8198+ } else if (extension_version_info->real_zend_extension_api_no < ZEND_EXTENSION_API_NO) {
8199 fprintf(stderr, "%s requires Zend Engine API version %d.\n"
8200 "The Zend Engine API version %d which is installed, is newer.\n"
8201 "Contact %s at %s for a later version of %s.\n\n",
8202 new_extension->name,
8203- extension_version_info->zend_extension_api_no,
8204+ extension_version_info->real_zend_extension_api_no,
8205 ZEND_EXTENSION_API_NO,
8206 new_extension->author,
8207 new_extension->URL,
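Review bot: The threshold `1000000000` in the first added check is a bare magic number encoding the convention that patch API numbers have ten digits; naming it next to `HARDENING_PATCH_ZEND_EXTENSION_API_NO` in zend_extensions.h, e.g. `#define HARDENING_PATCH_ZEND_EXTENSION_API_MIN 1000000000` (name suggested), with a comment stating the convention, would make both version checks self-explanatory. Note also that `real_zend_extension_api_no` is a field this patch appends to `zend_extension_version_info`, so the rewritten Zend API comparison below is only valid because the first check has already rejected extensions built against an unpatched header; a one-line comment there, `/* field exists only in patch-built extensions; established by the check above */`, would record that ordering dependency. The enclosing function starts and ends outside this hunk.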
8208diff -Nura php-4.4.3/Zend/zend_extensions.h hardening-patch-4.4.3-0.4.15/Zend/zend_extensions.h
8209--- php-4.4.3/Zend/zend_extensions.h 2006-01-01 14:46:49.000000000 +0100
8210+++ hardening-patch-4.4.3-0.4.15/Zend/zend_extensions.h 2006-09-05 20:30:46.000000000 +0200
8211@@ -23,6 +23,9 @@
8212
8213 #include "zend_compile.h"
8214
8215+/* Create own API version number for Hardening-Patch */
8216+
8217+#define HARDENING_PATCH_ZEND_EXTENSION_API_NO 1001050805
8218 #define ZEND_EXTENSION_API_NO 20050606
8219
8220 typedef struct _zend_extension_version_info {
8221@@ -30,6 +33,7 @@
8222 char *required_zend_version;
8223 unsigned char thread_safe;
8224 unsigned char debug;
8225+ int real_zend_extension_api_no;
8226 } zend_extension_version_info;
8227
8228
8229@@ -96,7 +100,7 @@
8230
8231
8232 #define ZEND_EXTENSION() \
8233- ZEND_EXT_API zend_extension_version_info extension_version_info = { ZEND_EXTENSION_API_NO, ZEND_VERSION, ZTS_V, ZEND_DEBUG }
8234+ ZEND_EXT_API zend_extension_version_info extension_version_info = { HARDENING_PATCH_ZEND_EXTENSION_API_NO, ZEND_VERSION, ZTS_V, ZEND_DEBUG, ZEND_EXTENSION_API_NO }
8235
8236 #define STANDARD_ZEND_EXTENSION_PROPERTIES NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, -1
8237 #define COMPAT_ZEND_EXTENSION_PROPERTIES NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, -1
8238diff -Nura php-4.4.3/Zend/zend_globals.h hardening-patch-4.4.3-0.4.15/Zend/zend_globals.h
8239--- php-4.4.3/Zend/zend_globals.h 2006-01-01 14:46:49.000000000 +0100
8240+++ hardening-patch-4.4.3-0.4.15/Zend/zend_globals.h 2006-09-05 20:30:46.000000000 +0200
8241@@ -163,6 +163,16 @@
8242
8243 int error_reporting;
8244 int orig_error_reporting;
8245+#if HARDENING_PATCH
8246+ int hphp_log_syslog;
8247+ int hphp_log_syslog_facility;
8248+ int hphp_log_syslog_priority;
8249+ int hphp_log_sapi;
8250+ int hphp_log_script;
8251+ char *hphp_log_scriptname;
8252+ zend_bool hphp_log_use_x_forwarded_for;
8253+ long hphp_executor_max_depth;
8254+#endif
8255 int exit_status;
8256
8257 zend_op_array *active_op_array;
8258@@ -176,6 +186,7 @@
8259 int ticks_count;
8260
8261 zend_bool in_execution;
8262+ zend_uint in_code_type;
8263 zend_bool bailout_set;
8264 zend_bool full_tables_cleanup;
8265
8266diff -Nura php-4.4.3/Zend/zend.h hardening-patch-4.4.3-0.4.15/Zend/zend.h
8267--- php-4.4.3/Zend/zend.h 2006-01-01 14:46:49.000000000 +0100
8268+++ hardening-patch-4.4.3-0.4.15/Zend/zend.h 2006-09-05 20:30:46.000000000 +0200
8269@@ -274,9 +274,10 @@
8270 struct _zval_struct {
8271 /* Variable information */
8272 zvalue_value value; /* value */
8273+ zend_uint refcount;
8274+ zend_ushort flags;
8275 zend_uchar type; /* active type */
8276 zend_uchar is_ref;
8277- zend_ushort refcount;
8278 };
8279
8280
8281@@ -337,6 +338,12 @@
8282 void (*ticks_function)(int ticks);
8283 void (*on_timeout)(int seconds TSRMLS_DC);
8284 zend_bool (*open_function)(const char *filename, struct _zend_file_handle *);
8285+#if HARDENING_PATCH
8286+ void (*security_log_function)(int loglevel, char *fmt, ...);
8287+#endif
8288+#if HARDENING_PATCH_INC_PROTECT
8289+ int (*is_valid_include)(zval *z);
8290+#endif
8291 } zend_utility_functions;
8292
8293
8294@@ -468,7 +475,16 @@
8295 extern ZEND_API void (*zend_ticks_function)(int ticks);
8296 extern ZEND_API void (*zend_error_cb)(int type, const char *error_filename, const uint error_lineno, const char *format, va_list args) ZEND_ATTRIBUTE_PTR_FORMAT(printf, 4, 0);
8297 extern void (*zend_on_timeout)(int seconds TSRMLS_DC);
8298+#if HARDENING_PATCH
8299+extern ZEND_API void (*zend_security_log)(int loglevel, char *fmt, ...);
8300+#endif
8301+#if HARDENING_PATCH_INC_PROTECT
8302+extern ZEND_API int (*zend_is_valid_include)(zval *z);
8303+#endif
8304
8305+#if HARDENING_PATCH_MM_PROTECT || HARDENING_PATCH_LL_PROTECT || HARDENING_PATCH_HASH_PROTECT
8306+ZEND_API unsigned int zend_canary(void);
8307+#endif
8308
8309 ZEND_API void zend_error(int type, const char *format, ...) ZEND_ATTRIBUTE_PTR_FORMAT(printf, 2, 3);
8310
8311@@ -575,6 +591,11 @@
8312
8313 #define ZEND_MAX_RESERVED_RESOURCES 4
8314
8315+#if HARDENING_PATCH
8316+#include "hardened_globals.h"
8317+#include "php_syslog.h"
8318+#endif
8319+
8320 #endif /* ZEND_H */
8321
8322 /*
8323diff -Nura php-4.4.3/Zend/zend_hash.c hardening-patch-4.4.3-0.4.15/Zend/zend_hash.c
8324--- php-4.4.3/Zend/zend_hash.c 2006-02-01 10:11:55.000000000 +0100
8325+++ hardening-patch-4.4.3-0.4.15/Zend/zend_hash.c 2006-09-05 20:30:46.000000000 +0200
8326@@ -26,6 +26,17 @@
8327 # include <stdlib.h>
8328 #endif
8329
8330+#if HARDENING_PATCH_HASH_PROTECT
8331+ unsigned int zend_hash_canary = 0x1234567;
8332+ zend_bool zend_hash_canary_inited = 0;
8333+#endif
8334+
8335+#define CHECK_HASH_CANARY(hash) \
8336+ if (zend_hash_canary != (hash)->canary) { \
8337+ zend_security_log(S_MEMORY, "Zend HashTable canary was overwritten"); \
8338+ exit(1); \
8339+ }
8340+
8341 #define HANDLE_NUMERIC(key, length, func) { \
8342 register char *tmp=key; \
8343 \
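Review bot: `CHECK_HASH_CANARY` expands to a bare `if` statement rather than a `do { ... } while (0)` block, so a use such as `if (x) CHECK_HASH_CANARY(ht); else ...` would bind the `else` to the macro's own `if`; `CHECK_LIST_CANARY` and `CHECK_LISTELEMENT_CANARY` in the zend_llist.c hunk below have the same shape. On a mismatch the macro calls `exit(1)` from inside the engine, which presumably terminates the whole hosting process (the server worker, in a module SAPI) without running the SAPI shutdown path; if that fail-closed behaviour is deliberate, a comment such as `/* memory is assumed corrupted: abort without running destructors */` would stop a later maintainer from turning it into a recoverable error.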
8344@@ -175,6 +186,9 @@
8345 {
8346 uint i = 3;
8347 Bucket **tmp;
8348+#if HARDENING_PATCH_HASH_PROTECT
8349+ TSRMLS_FETCH();
8350+#endif
8351
8352 SET_INCONSISTENT(HT_OK);
8353
8354@@ -184,6 +198,13 @@
8355
8356 ht->nTableSize = 1 << i;
8357 ht->nTableMask = ht->nTableSize - 1;
8358+#if HARDENING_PATCH_HASH_PROTECT
8359+ if (zend_hash_canary_inited==0) {
8360+ zend_hash_canary = zend_canary();
8361+ zend_hash_canary_inited = 1;
8362+ }
8363+ ht->canary = zend_hash_canary;
8364+#endif
8365 ht->pDestructor = pDestructor;
8366 ht->pListHead = NULL;
8367 ht->pListTail = NULL;
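Review bot: The lazy initialisation of `zend_hash_canary` is an unsynchronised check-then-act on a process-wide global: in a ZTS build two threads can both observe `zend_hash_canary_inited == 0`, each call `zend_canary()`, and the second store changes the value after tables stamped by the first thread already exist, so those tables would later fail `CHECK_HASH_CANARY` and exit. The `TSRMLS_FETCH()` added in the previous hunk does not help, because the canary is not thread-local. The `zend_llist_init` hunk in zend_llist.c has the same pattern for `zend_llist_canary_1`/`zend_llist_canary_2`; the `/* do not change order to ensure thread safety */` comment there only orders the stores and does not close the window. Initialising the canaries once during engine startup (for instance from `zend_startup`), or guarding the first-use path with a mutex, would remove the race; `zend_hash_init`'s body starts outside this hunk.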
8368@@ -259,6 +280,9 @@
8369 }
8370 #endif
8371 if (ht->pDestructor) {
8372+#if HARDENING_PATCH_HASH_PROTECT
8373+ CHECK_HASH_CANARY(ht);
8374+#endif
8375 ht->pDestructor(p->pData);
8376 }
8377 UPDATE_DATA(ht, p, pData, nDataSize);
8378@@ -327,6 +351,9 @@
8379 }
8380 #endif
8381 if (ht->pDestructor) {
8382+#if HARDENING_PATCH_HASH_PROTECT
8383+ CHECK_HASH_CANARY(ht);
8384+#endif
8385 ht->pDestructor(p->pData);
8386 }
8387 UPDATE_DATA(ht, p, pData, nDataSize);
8388@@ -402,6 +429,9 @@
8389 }
8390 #endif
8391 if (ht->pDestructor) {
8392+#if HARDENING_PATCH_HASH_PROTECT
8393+ CHECK_HASH_CANARY(ht);
8394+#endif
8395 ht->pDestructor(p->pData);
8396 }
8397 UPDATE_DATA(ht, p, pData, nDataSize);
8398@@ -450,7 +480,7 @@
8399 IS_CONSISTENT(ht);
8400
8401 if ((ht->nTableSize << 1) > 0) { /* Let's double the table size */
8402- t = (Bucket **) perealloc_recoverable(ht->arBuckets, (ht->nTableSize << 1) * sizeof(Bucket *), ht->persistent);
8403+ t = (Bucket **) perealloc(ht->arBuckets, (ht->nTableSize << 1) * sizeof(Bucket *), ht->persistent);
8404 if (t) {
8405 HANDLE_BLOCK_INTERRUPTIONS();
8406 ht->arBuckets = t;
8407@@ -460,6 +490,7 @@
8408 HANDLE_UNBLOCK_INTERRUPTIONS();
8409 return SUCCESS;
8410 }
8411+ zend_error(E_ERROR, "zend_hash_do_resize - out of memory");
8412 return FAILURE;
8413 }
8414 return SUCCESS;
8415@@ -526,6 +557,9 @@
8416 ht->pInternalPointer = p->pListNext;
8417 }
8418 if (ht->pDestructor) {
8419+#if HARDENING_PATCH_HASH_PROTECT
8420+ CHECK_HASH_CANARY(ht);
8421+#endif
8422 ht->pDestructor(p->pData);
8423 }
8424 if (!p->pDataPtr) {
8425@@ -555,6 +589,9 @@
8426 q = p;
8427 p = p->pListNext;
8428 if (ht->pDestructor) {
8429+#if HARDENING_PATCH_HASH_PROTECT
8430+ CHECK_HASH_CANARY(ht);
8431+#endif
8432 ht->pDestructor(q->pData);
8433 }
8434 if (!q->pDataPtr && q->pData) {
8435@@ -581,6 +618,9 @@
8436 q = p;
8437 p = p->pListNext;
8438 if (ht->pDestructor) {
8439+#if HARDENING_PATCH_HASH_PROTECT
8440+ CHECK_HASH_CANARY(ht);
8441+#endif
8442 ht->pDestructor(q->pData);
8443 }
8444 if (!q->pDataPtr && q->pData) {
8445@@ -610,6 +650,9 @@
8446 HANDLE_BLOCK_INTERRUPTIONS();
8447
8448 if (ht->pDestructor) {
8449+#if HARDENING_PATCH_HASH_PROTECT
8450+ CHECK_HASH_CANARY(ht);
8451+#endif
8452 ht->pDestructor(p->pData);
8453 }
8454 if (!p->pDataPtr) {
8455diff -Nura php-4.4.3/Zend/zend_hash.h hardening-patch-4.4.3-0.4.15/Zend/zend_hash.h
8456--- php-4.4.3/Zend/zend_hash.h 2006-01-01 14:46:49.000000000 +0100
8457+++ hardening-patch-4.4.3-0.4.15/Zend/zend_hash.h 2006-09-05 20:30:46.000000000 +0200
8458@@ -54,6 +54,9 @@
8459 } Bucket;
8460
8461 typedef struct _hashtable {
8462+#if HARDENING_PATCH_HASH_PROTECT
8463+ unsigned int canary;
8464+#endif
8465 uint nTableSize;
8466 uint nTableMask;
8467 uint nNumOfElements;
8468diff -Nura php-4.4.3/Zend/zend_ini.c hardening-patch-4.4.3-0.4.15/Zend/zend_ini.c
8469--- php-4.4.3/Zend/zend_ini.c 2005-09-02 23:09:03.000000000 +0200
8470+++ hardening-patch-4.4.3-0.4.15/Zend/zend_ini.c 2006-09-07 19:13:56.000000000 +0200
8471@@ -256,7 +256,8 @@
8472 zend_ini_entry *ini_entry;
8473 TSRMLS_FETCH();
8474
8475- if (zend_hash_find(EG(ini_directives), name, name_length, (void **) &ini_entry)==FAILURE) {
8476+ if (zend_hash_find(EG(ini_directives), name, name_length, (void **) &ini_entry)==FAILURE ||
8477+ (stage == ZEND_INI_STAGE_RUNTIME && (ini_entry->modifyable & ZEND_INI_USER) == 0)) {
8478 return FAILURE;
8479 }
8480
8481diff -Nura php-4.4.3/Zend/zend_ini.h hardening-patch-4.4.3-0.4.15/Zend/zend_ini.h
8482--- php-4.4.3/Zend/zend_ini.h 2005-01-09 18:00:16.000000000 +0100
8483+++ hardening-patch-4.4.3-0.4.15/Zend/zend_ini.h 2006-09-05 20:30:46.000000000 +0200
8484@@ -174,6 +174,7 @@
8485 /* Standard message handlers */
8486 BEGIN_EXTERN_C()
8487 ZEND_API ZEND_INI_MH(OnUpdateBool);
8488+#define OnUpdateLong OnUpdateInt
8489 ZEND_API ZEND_INI_MH(OnUpdateInt);
8490 ZEND_API ZEND_INI_MH(OnUpdateReal);
8491 ZEND_API ZEND_INI_MH(OnUpdateString);
8492diff -Nura php-4.4.3/Zend/zend_language_scanner.l hardening-patch-4.4.3-0.4.15/Zend/zend_language_scanner.l
8493--- php-4.4.3/Zend/zend_language_scanner.l 2006-04-13 15:52:24.000000000 +0200
8494+++ hardening-patch-4.4.3-0.4.15/Zend/zend_language_scanner.l 2006-09-05 20:30:46.000000000 +0200
8495@@ -393,6 +393,13 @@
8496 compilation_successful=0;
8497 } else {
8498 init_op_array(op_array, ZEND_USER_FUNCTION, INITIAL_OP_ARRAY_SIZE TSRMLS_CC);
8499+#if HARDENING_PATCH
8500+ if (EG(in_code_type)==ZEND_EVAL_CODE) {
8501+ op_array->created_by_eval = 1;
8502+ } else {
8503+ op_array->created_by_eval = 0;
8504+ }
8505+#endif
8506 CG(in_compilation) = 1;
8507 CG(active_op_array) = op_array;
8508 compiler_result = zendparse(TSRMLS_C);
8509diff -Nura php-4.4.3/Zend/zend_language_scanner.c hardening-patch-4.4.3-0.4.15/Zend/zend_language_scanner.c
8510--- php-4.4.3/Zend/zend_language_scanner.c 2006-08-01 09:39:14.000000000 +0200
8511+++ hardening-patch-4.4.3-0.4.15/Zend/zend_language_scanner.c 2006-09-05 20:30:46.000000000 +0200
8512@@ -3036,6 +3036,13 @@
8513 compilation_successful=0;
8514 } else {
8515 init_op_array(op_array, ZEND_USER_FUNCTION, INITIAL_OP_ARRAY_SIZE TSRMLS_CC);
8516+#if HARDENING_PATCH
8517+ if (EG(in_code_type)==ZEND_EVAL_CODE) {
8518+ op_array->created_by_eval = 1;
8519+ } else {
8520+ op_array->created_by_eval = 0;
8521+ }
8522+#endif
8523 CG(in_compilation) = 1;
8524 CG(active_op_array) = op_array;
8525 compiler_result = zendparse(TSRMLS_C);
8526diff -Nura php-4.4.3/Zend/zend_llist.c hardening-patch-4.4.3-0.4.15/Zend/zend_llist.c
8527--- php-4.4.3/Zend/zend_llist.c 2006-01-01 14:46:49.000000000 +0100
8528+++ hardening-patch-4.4.3-0.4.15/Zend/zend_llist.c 2006-09-05 20:30:46.000000000 +0200
8529@@ -21,9 +21,49 @@
8530 #include "zend.h"
8531 #include "zend_llist.h"
8532 #include "zend_qsort.h"
8533+#include "zend_globals.h"
8534+
8535+#if HARDENING_PATCH_LL_PROTECT
8536+ unsigned int zend_llist_canary_1 = 0x1234567;
8537+ unsigned int zend_llist_canary_2 = 0x1553425;
8538+ zend_bool zend_llist_canary_inited = 0;
8539+#endif
8540+
8541+#define CHECK_LIST_CANARY(list) \
8542+ if (((list)->persistent && (zend_llist_canary_1 != (list)->canary_h || zend_llist_canary_2 != (list)->canary_t)) \
8543+ ||(!(list)->persistent && (HG(canary_3) != (list)->canary_h || HG(canary_4) != (list)->canary_t))) { \
8544+ zend_security_log(S_MEMORY, "linked list canary was overwritten"); \
8545+ exit(1); \
8546+ }
8547+
8548+#define CHECK_LISTELEMENT_CANARY(elem, list) \
8549+ if (((list)->persistent && zend_llist_canary_1 != (elem)->canary)||(!(list)->persistent && HG(canary_3) != (elem)->canary)) { \
8550+ zend_security_log(S_MEMORY, "linked list element canary was overwritten"); \
8551+ exit(1); \
8552+ }
8553+
8554
8555 ZEND_API void zend_llist_init(zend_llist *l, size_t size, llist_dtor_func_t dtor, unsigned char persistent)
8556 {
8557+#if HARDENING_PATCH_LL_PROTECT
8558+ TSRMLS_FETCH();
8559+
8560+ if (persistent) {
8561+ if (!zend_llist_canary_inited) {
8562+ /* do not change order to ensure thread safety */
8563+ zend_llist_canary_1 = zend_canary();
8564+ zend_llist_canary_2 = zend_canary();
8565+ zend_llist_canary_inited = 1;
8566+ }
8567+ } else
8568+ if (!HG(ll_canary_inited)) {
8569+ HG(canary_3) = zend_canary();
8570+ HG(canary_4) = zend_canary();
8571+ HG(ll_canary_inited) = 1;
8572+ }
8573+ l->canary_h = persistent ? zend_llist_canary_1 : HG(canary_3);
8574+ l->canary_t = persistent ? zend_llist_canary_2 : HG(canary_4);
8575+#endif
8576 l->head = NULL;
8577 l->tail = NULL;
8578 l->count = 0;
8579@@ -37,6 +77,11 @@
8580 {
8581 zend_llist_element *tmp = pemalloc(sizeof(zend_llist_element)+l->size-1, l->persistent);
8582
8583+#if HARDENING_PATCH_LL_PROTECT
8584+ TSRMLS_FETCH();
8585+ CHECK_LIST_CANARY(l)
8586+ tmp->canary = l->persistent ? zend_llist_canary_1 : HG(canary_3);
8587+#endif
8588 tmp->prev = l->tail;
8589 tmp->next = NULL;
8590 if (l->tail) {
8591@@ -55,6 +100,11 @@
8592 {
8593 zend_llist_element *tmp = pemalloc(sizeof(zend_llist_element)+l->size-1, l->persistent);
8594
8595+#if HARDENING_PATCH_LL_PROTECT
8596+ TSRMLS_FETCH();
8597+ CHECK_LIST_CANARY(l)
8598+ tmp->canary = l->persistent ? zend_llist_canary_1 : HG(canary_3);
8599+#endif
8600 tmp->next = l->head;
8601 tmp->prev = NULL;
8602 if (l->head) {
8603@@ -91,10 +141,20 @@
8604 zend_llist_element *current=l->head;
8605 zend_llist_element *next;
8606
8607+#if HARDENING_PATCH_LL_PROTECT
8608+ TSRMLS_FETCH();
8609+ CHECK_LIST_CANARY(l)
8610+#endif
8611 while (current) {
8612+#if HARDENING_PATCH_LL_PROTECT
8613+ CHECK_LISTELEMENT_CANARY(current, l)
8614+#endif
8615 next = current->next;
8616 if (compare(current->data, element)) {
8617 DEL_LLIST_ELEMENT(current, l);
8618+#if HARDENING_PATCH_LL_PROTECT
8619+ current->canary = 0;
8620+#endif
8621 break;
8622 }
8623 current = next;
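Review bot: `current->canary = 0;` is executed after `DEL_LLIST_ELEMENT(current, l)`, and in stock zend_llist.c that macro runs the dtor and `pefree()`s the element, so this is a store into freed memory; the `zend_llist_apply_with_del` hunk below has the same ordering for `element`. If the patched macro still frees the element, move the clear ahead of the delete: `current->canary = 0;` followed by `DEL_LLIST_ELEMENT(current, l);`, which also makes the intended "stale element" detection meaningful, since the element no longer exists afterwards. The enclosing delete function (presumably `zend_llist_del_element`) starts outside this hunk.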
8624@@ -106,7 +166,14 @@
8625 {
8626 zend_llist_element *current=l->head, *next;
8627
8628+#if HARDENING_PATCH_LL_PROTECT
8629+ TSRMLS_FETCH();
8630+ CHECK_LIST_CANARY(l)
8631+#endif
8632 while (current) {
8633+#if HARDENING_PATCH_LL_PROTECT
8634+ CHECK_LISTELEMENT_CANARY(current, l)
8635+#endif
8636 next = current->next;
8637 if (l->dtor) {
8638 l->dtor(current->data);
8639@@ -131,7 +198,14 @@
8640 zend_llist_element *old_tail;
8641 void *data;
8642
8643+#if HARDENING_PATCH_LL_PROTECT
8644+ TSRMLS_FETCH();
8645+ CHECK_LIST_CANARY(l)
8646+#endif
8647 if ((old_tail = l->tail)) {
8648+#if HARDENING_PATCH_LL_PROTECT
8649+ CHECK_LISTELEMENT_CANARY(old_tail, l)
8650+#endif
8651 if (l->tail->prev) {
8652 l->tail->prev->next = NULL;
8653 }
8654@@ -157,9 +231,16 @@
8655 {
8656 zend_llist_element *ptr;
8657
8658+#if HARDENING_PATCH_LL_PROTECT
8659+ TSRMLS_FETCH();
8660+ CHECK_LIST_CANARY(src)
8661+#endif
8662 zend_llist_init(dst, src->size, src->dtor, src->persistent);
8663 ptr = src->head;
8664 while (ptr) {
8665+#if HARDENING_PATCH_LL_PROTECT
8666+ CHECK_LISTELEMENT_CANARY(ptr, src)
8667+#endif
8668 zend_llist_add_element(dst, ptr->data);
8669 ptr = ptr->next;
8670 }
8671@@ -170,11 +251,21 @@
8672 {
8673 zend_llist_element *element, *next;
8674
8675+#if HARDENING_PATCH_LL_PROTECT
8676+ TSRMLS_FETCH();
8677+ CHECK_LIST_CANARY(l)
8678+#endif
8679 element=l->head;
8680 while (element) {
8681+#if HARDENING_PATCH_LL_PROTECT
8682+ CHECK_LISTELEMENT_CANARY(element, l)
8683+#endif
8684 next = element->next;
8685 if (func(element->data)) {
8686 DEL_LLIST_ELEMENT(element, l);
8687+#if HARDENING_PATCH_LL_PROTECT
8688+ element->canary = 0;
8689+#endif
8690 }
8691 element = next;
8692 }
8693@@ -185,7 +276,13 @@
8694 {
8695 zend_llist_element *element;
8696
8697+#if HARDENING_PATCH_LL_PROTECT
8698+ CHECK_LIST_CANARY(l)
8699+#endif
8700 for (element=l->head; element; element=element->next) {
8701+#if HARDENING_PATCH_LL_PROTECT
8702+ CHECK_LISTELEMENT_CANARY(element, l)
8703+#endif
8704 func(element->data TSRMLS_CC);
8705 }
8706 }
8707@@ -197,6 +294,9 @@
8708 zend_llist_element **elements;
8709 zend_llist_element *element, **ptr;
8710
8711+#if HARDENING_PATCH_LL_PROTECT
8712+ CHECK_LIST_CANARY(l)
8713+#endif
8714 if (l->count <= 0) {
8715 return;
8716 }
8717@@ -206,6 +306,9 @@
8718 ptr = &elements[0];
8719
8720 for (element=l->head; element; element=element->next) {
8721+#if HARDENING_PATCH_LL_PROTECT
8722+ CHECK_LISTELEMENT_CANARY(element, l)
8723+#endif
8724 *ptr++ = element;
8725 }
8726
8727@@ -228,7 +331,13 @@
8728 {
8729 zend_llist_element *element;
8730
8731+#if HARDENING_PATCH_LL_PROTECT
8732+ CHECK_LIST_CANARY(l)
8733+#endif
8734 for (element=l->head; element; element=element->next) {
8735+#if HARDENING_PATCH_LL_PROTECT
8736+ CHECK_LISTELEMENT_CANARY(element, l)
8737+#endif
8738 func(element->data, arg TSRMLS_CC);
8739 }
8740 }
8741@@ -239,8 +348,14 @@
8742 zend_llist_element *element;
8743 va_list args;
8744
8745+#if HARDENING_PATCH_LL_PROTECT
8746+ CHECK_LIST_CANARY(l)
8747+#endif
8748 va_start(args, num_args);
8749 for (element=l->head; element; element=element->next) {
8750+#if HARDENING_PATCH_LL_PROTECT
8751+ CHECK_LISTELEMENT_CANARY(element, l)
8752+#endif
8753 func(element->data, num_args, args TSRMLS_CC);
8754 }
8755 va_end(args);
8756@@ -249,6 +364,10 @@
8757
8758 ZEND_API int zend_llist_count(zend_llist *l)
8759 {
8760+#if HARDENING_PATCH_LL_PROTECT
8761+ TSRMLS_FETCH();
8762+ CHECK_LIST_CANARY(l)
8763+#endif
8764 return l->count;
8765 }
8766
8767@@ -256,8 +375,15 @@
8768 {
8769 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
8770
8771+#if HARDENING_PATCH_LL_PROTECT
8772+ TSRMLS_FETCH();
8773+ CHECK_LIST_CANARY(l)
8774+#endif
8775 *current = l->head;
8776 if (*current) {
8777+#if HARDENING_PATCH_LL_PROTECT
8778+ CHECK_LISTELEMENT_CANARY(*current, l)
8779+#endif
8780 return (*current)->data;
8781 } else {
8782 return NULL;
8783@@ -269,8 +395,15 @@
8784 {
8785 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
8786
8787+#if HARDENING_PATCH_LL_PROTECT
8788+ TSRMLS_FETCH();
8789+ CHECK_LIST_CANARY(l)
8790+#endif
8791 *current = l->tail;
8792 if (*current) {
8793+#if HARDENING_PATCH_LL_PROTECT
8794+ CHECK_LISTELEMENT_CANARY(*current, l)
8795+#endif
8796 return (*current)->data;
8797 } else {
8798 return NULL;
8799@@ -282,9 +415,19 @@
8800 {
8801 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
8802
8803+#if HARDENING_PATCH_LL_PROTECT
8804+ TSRMLS_FETCH();
8805+ CHECK_LIST_CANARY(l)
8806+#endif
8807 if (*current) {
8808+#if HARDENING_PATCH_LL_PROTECT
8809+ CHECK_LISTELEMENT_CANARY(*current, l)
8810+#endif
8811 *current = (*current)->next;
8812 if (*current) {
8813+#if HARDENING_PATCH_LL_PROTECT
8814+ CHECK_LISTELEMENT_CANARY(*current, l)
8815+#endif
8816 return (*current)->data;
8817 }
8818 }
8819@@ -296,9 +439,19 @@
8820 {
8821 zend_llist_position *current = pos ? pos : &l->traverse_ptr;
8822
8823+#if HARDENING_PATCH_LL_PROTECT
8824+ TSRMLS_FETCH();
8825+ CHECK_LIST_CANARY(l)
8826+#endif
8827 if (*current) {
8828+#if HARDENING_PATCH_LL_PROTECT
8829+ CHECK_LISTELEMENT_CANARY(*current, l)
8830+#endif
8831 *current = (*current)->prev;
8832 if (*current) {
8833+#if HARDENING_PATCH_LL_PROTECT
8834+ CHECK_LISTELEMENT_CANARY(*current, l)
8835+#endif
8836 return (*current)->data;
8837 }
8838 }
8839diff -Nura php-4.4.3/Zend/zend_llist.h hardening-patch-4.4.3-0.4.15/Zend/zend_llist.h
8840--- php-4.4.3/Zend/zend_llist.h 2006-01-01 14:46:49.000000000 +0100
8841+++ hardening-patch-4.4.3-0.4.15/Zend/zend_llist.h 2006-09-05 20:30:46.000000000 +0200
8842@@ -24,6 +24,9 @@
8843 #include <stdlib.h>
8844
8845 typedef struct _zend_llist_element {
8846+#if HARDENING_PATCH_LL_PROTECT
8847+ unsigned int canary, padding;
8848+#endif
8849 struct _zend_llist_element *next;
8850 struct _zend_llist_element *prev;
8851 char data[1]; /* Needs to always be last in the struct */
8852@@ -36,6 +39,9 @@
8853 typedef void (*llist_apply_func_t)(void * TSRMLS_DC);
8854
8855 typedef struct _zend_llist {
8856+#if HARDENING_PATCH_LL_PROTECT
8857+ unsigned int canary_h; /* head */
8858+#endif
8859 zend_llist_element *head;
8860 zend_llist_element *tail;
8861 size_t size;
8862@@ -43,6 +49,9 @@
8863 llist_dtor_func_t dtor;
8864 unsigned char persistent;
8865 zend_llist_element *traverse_ptr;
8866+#if HARDENING_PATCH_LL_PROTECT
8867+ unsigned int canary_t; /* tail */
8868+#endif
8869 } zend_llist;
8870
8871 typedef zend_llist_element* zend_llist_position;
8872diff -Nura php-4.4.3/Zend/zend_modules.h hardening-patch-4.4.3-0.4.15/Zend/zend_modules.h
8873--- php-4.4.3/Zend/zend_modules.h 2006-01-01 14:46:49.000000000 +0100
8874+++ hardening-patch-4.4.3-0.4.15/Zend/zend_modules.h 2006-09-05 20:30:46.000000000 +0200
8875@@ -34,6 +34,7 @@
8876 ZEND_API extern unsigned char second_arg_force_ref[];
8877 ZEND_API extern unsigned char third_arg_force_ref[];
8878
8879+#define HARDENING_PATCH_ZEND_MODULE_API_NO 1001051112
8880 #define ZEND_MODULE_API_NO 20020429
8881 #ifdef ZTS
8882 #define USING_ZTS 1
8883@@ -41,9 +42,9 @@
8884 #define USING_ZTS 0
8885 #endif
8886
8887-#define STANDARD_MODULE_HEADER sizeof(zend_module_entry), ZEND_MODULE_API_NO, ZEND_DEBUG, USING_ZTS
8888+#define STANDARD_MODULE_HEADER sizeof(zend_module_entry), HARDENING_PATCH_ZEND_MODULE_API_NO, ZEND_DEBUG, USING_ZTS
8889
8890-#define STANDARD_MODULE_PROPERTIES_EX 0, 0, 0, NULL, 0
8891+#define STANDARD_MODULE_PROPERTIES_EX 0, 0, 0, NULL, 0, ZEND_MODULE_API_NO
8892
8893 #define STANDARD_MODULE_PROPERTIES \
8894 NULL, NULL, STANDARD_MODULE_PROPERTIES_EX
8895@@ -75,6 +76,7 @@
8896 unsigned char type;
8897 void *handle;
8898 int module_number;
8899+ unsigned int real_zend_api;
8900 };
8901
8902
8903diff -Nura php-4.4.3/Zend/zend_opcode.c hardening-patch-4.4.3-0.4.15/Zend/zend_opcode.c
8904--- php-4.4.3/Zend/zend_opcode.c 2006-01-01 14:46:49.000000000 +0100
8905+++ hardening-patch-4.4.3-0.4.15/Zend/zend_opcode.c 2006-09-05 20:30:46.000000000 +0200
8906@@ -88,6 +88,9 @@
8907 op_array->done_pass_two = 0;
8908
8909 op_array->start_op = NULL;
8910+#if HARDENING_PATCH
8911+ op_array->created_by_eval = 0;
8912+#endif
8913
8914 zend_llist_apply_with_argument(&zend_extensions, (llist_apply_with_arg_func_t) zend_extension_op_array_ctor_handler, op_array TSRMLS_CC);
8915 }
8916diff -Nura php-4.4.3/Zend/zend_operators.c hardening-patch-4.4.3-0.4.15/Zend/zend_operators.c
8917--- php-4.4.3/Zend/zend_operators.c 2006-01-01 14:46:49.000000000 +0100
8918+++ hardening-patch-4.4.3-0.4.15/Zend/zend_operators.c 2006-09-05 20:30:46.000000000 +0200
8919@@ -1604,6 +1604,20 @@
8920 return (op->value.lval ? 1 : 0);
8921 }
8922
8923+ZEND_API char *zend_str_tolower_copy(char *dest, const char *source, unsigned int length)
8924+{
8925+ register unsigned char *str = (unsigned char*)source;
8926+ register unsigned char *result = (unsigned char*)dest;
8927+ register unsigned char *end = str + length;
8928+
8929+ while (str < end) {
8930+ *result++ = tolower((int)*str++);
8931+ }
8932+ *result = *end;
8933+
8934+ return dest;
8935+}
8936+
8937 ZEND_API void zend_str_tolower(char *str, unsigned int length)
8938 {
8939 register char *p=str, *end=p+length;
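Review bot: `*result = *end;` terminates `dest` by copying `source[length]`, which reads one byte beyond the `length` bytes the caller passed and yields a NUL only when that byte happens to be the terminator; a caller passing a substring, or a buffer exactly `length` bytes long, gets an unterminated `dest` or an out-of-bounds read. Writing the terminator explicitly, `*result = '\0';`, is identical for the full-string case and safe for the others. `zend_str_tolower_dup` in zend_operators.h, which allocates exactly `length+1` bytes for `dest`, depends on this terminator being written.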
8940diff -Nura php-4.4.3/Zend/zend_operators.h hardening-patch-4.4.3-0.4.15/Zend/zend_operators.h
8941--- php-4.4.3/Zend/zend_operators.h 2006-01-01 14:46:49.000000000 +0100
8942+++ hardening-patch-4.4.3-0.4.15/Zend/zend_operators.h 2006-09-05 20:30:46.000000000 +0200
8943@@ -174,6 +174,14 @@
8944 #endif
8945
8946 ZEND_API void zend_str_tolower(char *str, unsigned int length);
8947+ZEND_API char *zend_str_tolower_copy(char *dest, const char *source, unsigned int length);
8948+
8949+static inline char *
8950+zend_str_tolower_dup(const char *source, unsigned int length)
8951+{
8952+ return zend_str_tolower_copy((char *)emalloc(length+1), source, length);
8953+}
8954+
8955 ZEND_API int zend_binary_zval_strcmp(zval *s1, zval *s2);
8956 ZEND_API int zend_binary_zval_strncmp(zval *s1, zval *s2, zval *s3);
8957 ZEND_API int zend_binary_zval_strcasecmp(zval *s1, zval *s2);