path: root/hardening-patch-4.4.3-0.4.15.patch

diff -Nura php-4.4.3/Changelog.hphp hardening-patch-4.4.3-0.4.15/Changelog.hphp
--- php-4.4.3/Changelog.hphp	1970-01-01 01:00:00.000000000 +0100
+++ hardening-patch-4.4.3-0.4.15/Changelog.hphp	2006-09-07 19:32:48.000000000 +0200
@@ -0,0 +1,61 @@
+Changelog of the Hardening-Patch
+--------------------------------
+
+0.4.15 - 07. September 2006
+
+	PHP4:
+		[+] Fix for potential DOS in handling of include blacklists
+		
+	PHP4+5:
+		[+] Backported a fix for open_basedir problems with insanse PHP scripts
+		[+] Added a fix for ini_restore() PHP security vulnerability
+
+0.4.14 - 11. August 2006
+
+    PHP4:
+        [+] Remove unecessary call to AC_BROKEN_REALPATH
+
+    PHP5:
+        [+] Fix Remote URL Include Protection - Thanks to: Bart Vanbrabant
+	
+    PHP4+5:
+        [+] Added a few PHP security fixes / see changelog.secfix for details
+	[+] Fixed the memory_limit protection for systems with different perdir memory_limits
+	[+] Fixed a possible memory corruption when foreach() is used with wrong arguments
+
+0.4.13 - 07. August 2006
+
+    PHP4+5:
+        [+] Added a fix for a compile problem on solaris due to missing strcasestr()
+
+0.4.12 - 19. July 2006
+
+    PHP4:
+        [+] Added fixes from sf4 security patch / see changelog.secfix for details
+
+    PHP5:
+        [+] Added fixes from sf5 security patch / see changelog.secfix for details
+	
+    PHP4+5:
+	[+] Added anti mail spam feature
+	[+] Speedup of zend_hash canary (clear/destroy)
+	[+] Added a fix for a DOS in the handling of URL blacklists
+
+0.4.11 - 13. May 2006
+
+    PHP5:
+        [+] tsrm_virtual_cwd.c: close open_basedir, safe_mode hole introduced by realpath() cache
+	[+] install-pear-nozlib.phar: bundle in full package download of 5.1.4
+	
+    PHP4+5:
+	[+] tsrm_virtual_cwd.c: realpath() hotfix to solve problems with non existing directories
+
+
+0.4.10 - 11. May 2006
+	
+    PHP4:
+	[+] info.c: backport from 5.1.4 contained TSRMLS macro that had to be removed
+	
+    PHP4+5:
+	[+] fopen_wrappers.c: fix for a trailing slash problem with open_basedir
+	
diff -Nura php-4.4.3/Changelog.secfix hardening-patch-4.4.3-0.4.15/Changelog.secfix
--- php-4.4.3/Changelog.secfix	1970-01-01 01:00:00.000000000 +0100
+++ hardening-patch-4.4.3-0.4.15/Changelog.secfix	2006-09-05 20:30:44.000000000 +0200
@@ -0,0 +1,17 @@
+Changelog of PHP 4.4.3 Security Fixes
+
+Release 2 - 11. August 2006
+
+    [+] Added IMAP open_basedir/safe_mode check
+    [+] Added a upstream fix for previous ext/session fixes
+    [+] Added upstream fix to ext/socket
+    [+] Added sscanf() security fix
+    [+] Added fixes for handling of corrupt .gif files to gdlib
+
+Release 1 - 4. August 2006
+
+    [+] Added a fix to disable CURLOPT_FOLLOWLOCATION while in safe_mode()/open_basedir
+    [+] Added a *working* wordwrap() fix
+    [+] Added code to make memory_limit work on 64bit systems
+    [+] Added a fix for an integer overflow in str_repeat()
+
diff -Nura php-4.4.3/configure hardening-patch-4.4.3-0.4.15/configure
--- php-4.4.3/configure	2006-08-01 09:39:10.000000000 +0200
+++ hardening-patch-4.4.3-0.4.15/configure	2006-09-05 20:30:44.000000000 +0200
@@ -402,6 +402,16 @@
 ac_default_prefix=/usr/local
 # Any additions from configure.in:
 ac_help="$ac_help
+  --disable-hardening-patch-mm-protect    Disable the Memory Manager protection."
+ac_help="$ac_help
+  --disable-hardening-patch-ll-protect    Disable the Linked List protection."
+ac_help="$ac_help
+  --disable-hardening-patch-inc-protect   Disable include/require protection."
+ac_help="$ac_help
+  --disable-hardening-patch-fmt-protect   Disable format string protection."
+ac_help="$ac_help
+  --disable-hardening-patch-hash-protect  Disable Zend HashTable DTOR protection."
+ac_help="$ac_help
 
 SAPI modules:
 "
@@ -854,6 +864,8 @@
 ac_help="$ac_help
   --disable-tokenizer     Disable tokenizer support"
 ac_help="$ac_help
+  --disable-varfilter     Disable Hardening-Patch's variable filter"
+ac_help="$ac_help
   --enable-wddx           Enable WDDX support."
 ac_help="$ac_help
   --disable-xml           Disable XML support using bundled expat lib"
@@ -2942,6 +2954,157 @@
 
 
 
+# Check whether --enable-hardening-patch-mm-protect or --disable-hardening-patch-mm-protect was given.
+if test "${enable_hardening_patch_mm_protect+set}" = set; then
+  enableval="$enable_hardening_patch_mm_protect"
+  
+  DO_HARDENING_PATCH_MM_PROTECT=$enableval
+
+else
+  
+  DO_HARDENING_PATCH_MM_PROTECT=yes
+
+fi
+
+
+# Check whether --enable-hardening-patch-ll-protect or --disable-hardening-patch-ll-protect was given.
+if test "${enable_hardening_patch_ll_protect+set}" = set; then
+  enableval="$enable_hardening_patch_ll_protect"
+  
+  DO_HARDENING_PATCH_LL_PROTECT=$enableval
+
+else
+  
+  DO_HARDENING_PATCH_LL_PROTECT=yes
+
+fi
+
+
+# Check whether --enable-hardening-patch-inc-protect or --disable-hardening-patch-inc-protect was given.
+if test "${enable_hardening_patch_inc_protect+set}" = set; then
+  enableval="$enable_hardening_patch_inc_protect"
+  
+  DO_HARDENING_PATCH_INC_PROTECT=$enableval
+
+else
+  
+  DO_HARDENING_PATCH_INC_PROTECT=yes
+
+fi
+
+
+# Check whether --enable-hardening-patch-fmt-protect or --disable-hardening-patch-fmt-protect was given.
+if test "${enable_hardening_patch_fmt_protect+set}" = set; then
+  enableval="$enable_hardening_patch_fmt_protect"
+  
+  DO_HARDENING_PATCH_FMT_PROTECT=$enableval
+
+else
+  
+  DO_HARDENING_PATCH_FMT_PROTECT=yes
+
+fi
+
+
+# Check whether --enable-hardening-patch-hash-protect or --disable-hardening-patch-hash-protect was given.
+if test "${enable_hardening_patch_hash_protect+set}" = set; then
+  enableval="$enable_hardening_patch_hash_protect"
+  
+  DO_HARDENING_PATCH_HASH_PROTECT=$enableval
+
+else
+  
+  DO_HARDENING_PATCH_HASH_PROTECT=yes
+
+fi
+
+
+echo $ac_n "checking whether to protect the Zend Memory Manager""... $ac_c" 1>&6
+echo "configure:2725: checking whether to protect the Zend Memory Manager" >&5
+echo "$ac_t""$DO_HARDENING_PATCH_MM_PROTECT" 1>&6
+
+echo $ac_n "checking whether to protect the Zend Linked Lists""... $ac_c" 1>&6
+echo "configure:2729: checking whether to protect the Zend Linked Lists" >&5
+echo "$ac_t""$DO_HARDENING_PATCH_LL_PROTECT" 1>&6
+
+echo $ac_n "checking whether to protect include/require statements""... $ac_c" 1>&6
+echo "configure:2733: checking whether to protect include/require statements" >&5
+echo "$ac_t""$DO_HARDENING_PATCH_INC_PROTECT" 1>&6
+
+echo $ac_n "checking whether to protect PHP Format String functions""... $ac_c" 1>&6
+echo "configure:2737: checking whether to protect PHP Format String functions" >&5
+echo "$ac_t""$DO_HARDENING_PATCH_FMT_PROTECT" 1>&6
+
+echo $ac_n "checking whether to protect the Zend HashTable Destructors""... $ac_c" 1>&6
+echo "configure:2737: checking whether to protect the Zend HashTable Destructors" >&5
+echo "$ac_t""$DO_HARDENING_PATCH_HASH_PROTECT" 1>&6
+
+
+cat >> confdefs.h <<\EOF
+#define HARDENING_PATCH 1
+EOF
+
+
+
+if test "$DO_HARDENING_PATCH_MM_PROTECT" = "yes"; then
+  cat >> confdefs.h <<\EOF
+#define HARDENING_PATCH_MM_PROTECT 1
+EOF
+
+else
+  cat >> confdefs.h <<\EOF
+#define HARDENING_PATCH_MM_PROTECT 0
+EOF
+
+fi
+
+if test "$DO_HARDENING_PATCH_LL_PROTECT" = "yes"; then
+  cat >> confdefs.h <<\EOF
+#define HARDENING_PATCH_LL_PROTECT 1
+EOF
+
+else
+  cat >> confdefs.h <<\EOF
+#define HARDENING_PATCH_LL_PROTECT 0
+EOF
+
+fi
+
+if test "$DO_HARDENING_PATCH_INC_PROTECT" = "yes"; then
+  cat >> confdefs.h <<\EOF
+#define HARDENING_PATCH_INC_PROTECT 1
+EOF
+
+else
+  cat >> confdefs.h <<\EOF
+#define HARDENING_PATCH_INC_PROTECT 0
+EOF
+
+fi
+
+if test "$DO_HARDENING_PATCH_FMT_PROTECT" = "yes"; then
+  cat >> confdefs.h <<\EOF
+#define HARDENING_PATCH_FMT_PROTECT 1
+EOF
+
+else
+  cat >> confdefs.h <<\EOF
+#define HARDENING_PATCH_FMT_PROTECT 0
+EOF
+
+fi
+
+if test "$DO_HARDENING_PATCH_HASH_PROTECT" = "yes"; then
+  cat >> confdefs.h <<\EOF
+#define HARDENING_PATCH_HASH_PROTECT 1
+EOF
+
+else
+  cat >> confdefs.h <<\EOF
+#define HARDENING_PATCH_HASH_PROTECT 0
+EOF
+
+fi
 
 
 
@@ -16017,6 +16180,62 @@
 fi
 
 
+  echo $ac_n "checking whether realpath is broken""... $ac_c" 1>&6
+echo "configure:14928: checking whether realpath is broken" >&5
+if eval "test \"`echo '$''{'ac_cv_broken_realpath'+set}'`\" = set"; then
+  echo $ac_n "(cached) $ac_c" 1>&6
+else
+  
+    if test "$cross_compiling" = yes; then
+  
+      ac_cv_broken_realpath=no
+    
+else
+  cat > conftest.$ac_ext <<EOF
+#line 14939 "configure"
+#include "confdefs.h"
+
+main() {
+	char buf[4096+1];
+	buf[0] = 0;
+	realpath("/etc/hosts/../passwd", buf);
+	exit(strcmp(buf, "/etc/passwd")==0); 
+}
+    
+EOF
+if { (eval echo configure:14958: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
+then
+  
+      ac_cv_broken_realpath=no
+    
+else
+  echo "configure: failed program was:" >&5
+  cat conftest.$ac_ext >&5
+  rm -fr conftest*
+  
+      ac_cv_broken_realpath=yes
+    
+fi
+rm -fr conftest*
+fi
+
+  
+fi
+
+echo "$ac_t""$ac_cv_broken_realpath" 1>&6
+  if test "$ac_cv_broken_realpath" = "yes"; then
+    cat >> confdefs.h <<\EOF
+#define PHP_BROKEN_REALPATH 1
+EOF
+
+  else
+    cat >> confdefs.h <<\EOF
+#define PHP_BROKEN_REALPATH 0
+EOF
+
+  fi
+
+
   echo $ac_n "checking for declared timezone""... $ac_c" 1>&6
 echo "configure:16022: checking for declared timezone" >&5
 if eval "test \"`echo '$''{'ac_cv_declared_timezone'+set}'`\" = set"; then
@@ -86718,7 +86937,7 @@
   if test "$ac_cv_crypt_blowfish" = "yes"; then
     ac_result=1
   else
-    ac_result=0
+    ac_result=1
   fi
   cat >> confdefs.h <<EOF
 #define PHP_BLOWFISH_CRYPT $ac_result
@@ -87420,7 +87639,7 @@
                             url_scanner.c var.c versioning.c assert.c strnatcmp.c levenshtein.c \
                             incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
                             http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
-                            var_unserializer.c ftok.c aggregation.c sha1.c ; do
+                            var_unserializer.c ftok.c aggregation.c sha1.c sha256.c crypt_blowfish.c ; do
   
       IFS=.
       set $ac_src
@@ -87475,7 +87694,7 @@
                             url_scanner.c var.c versioning.c assert.c strnatcmp.c levenshtein.c \
                             incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
                             http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
-                            var_unserializer.c ftok.c aggregation.c sha1.c ; do
+                            var_unserializer.c ftok.c aggregation.c sha1.c sha256.c crypt_blowfish.c ; do
   
       IFS=.
       set $ac_src
@@ -87601,7 +87820,7 @@
                             url_scanner.c var.c versioning.c assert.c strnatcmp.c levenshtein.c \
                             incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
                             http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
-                            var_unserializer.c ftok.c aggregation.c sha1.c ; do
+                            var_unserializer.c ftok.c aggregation.c sha1.c sha256.c crypt_blowfish.c ; do
   
       IFS=.
       set $ac_src
@@ -87653,7 +87872,7 @@
                             url_scanner.c var.c versioning.c assert.c strnatcmp.c levenshtein.c \
                             incomplete_class.c url_scanner_ex.c ftp_fopen_wrapper.c \
                             http_fopen_wrapper.c php_fopen_wrapper.c credits.c css.c \
-                            var_unserializer.c ftok.c aggregation.c sha1.c ; do
+                            var_unserializer.c ftok.c aggregation.c sha1.c sha256.c crypt_blowfish.c ; do
   
       IFS=.
       set $ac_src
@@ -91124,6 +91343,265 @@
 fi
 
 
+echo $ac_n "checking whether to enable Hardening-Patch's variable filter""... $ac_c" 1>&6
+echo "configure:82041: checking whether to enable Hardening-Patch's variable filter" >&5
+# Check whether --enable-varfilter or --disable-varfilter was given.
+if test "${enable_varfilter+set}" = set; then
+  enableval="$enable_varfilter"
+  PHP_VARFILTER=$enableval
+else
+  
+  PHP_VARFILTER=yes
+
+  if test "$PHP_ENABLE_ALL" && test "yes" = "yes"; then
+    PHP_VARFILTER=$PHP_ENABLE_ALL
+  fi
+
+fi
+
+
+
+ext_output="yes, shared"
+ext_shared=yes
+case $PHP_VARFILTER in
+shared,*)
+  PHP_VARFILTER=`echo "$PHP_VARFILTER"|sed 's/^shared,//'`
+  ;;
+shared)
+  PHP_VARFILTER=yes
+  ;;
+no)
+  ext_output=no
+  ext_shared=no
+  ;;
+*)
+  ext_output=yes
+  ext_shared=no
+  ;;
+esac
+
+
+
+echo "$ac_t""$ext_output" 1>&6
+
+
+
+
+if test "$PHP_VARFILTER" != "no"; then
+  cat >> confdefs.h <<\EOF
+#define HAVE_VARFILTER 1
+EOF
+
+  
+  ext_builddir=ext/varfilter
+  ext_srcdir=$abs_srcdir/ext/varfilter
+
+  ac_extra=
+
+  if test "$ext_shared" != "shared" && test "$ext_shared" != "yes" && test "" != "cli"; then
+
+    
+  
+  case ext/varfilter in
+  "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
+  /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
+  *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
+  esac
+  
+  
+
+  b_c_pre=$php_c_pre
+  b_cxx_pre=$php_cxx_pre
+  b_c_meta=$php_c_meta
+  b_cxx_meta=$php_cxx_meta
+  b_c_post=$php_c_post
+  b_cxx_post=$php_cxx_post
+  b_lo=$php_lo
+
+
+  old_IFS=$IFS
+  for ac_src in varfilter.c; do
+  
+      IFS=.
+      set $ac_src
+      ac_obj=$1
+      IFS=$old_IFS
+      
+      PHP_GLOBAL_OBJS="$PHP_GLOBAL_OBJS $ac_bdir$ac_obj.lo"
+
+      case $ac_src in
+	  *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
+	  *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
+      esac
+
+	  cat >>Makefile.objects<<EOF
+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
+	$ac_comp
+EOF
+  done
+
+
+    EXT_STATIC="$EXT_STATIC varfilter"
+    if test "$ext_shared" != "nocli"; then
+      EXT_CLI_STATIC="$EXT_CLI_STATIC varfilter"
+    fi
+  else
+    if test "$ext_shared" = "shared" || test "$ext_shared" = "yes"; then
+      
+  case ext/varfilter in
+  "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
+  /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
+  *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
+  esac
+  
+  
+
+  b_c_pre=$shared_c_pre
+  b_cxx_pre=$shared_cxx_pre
+  b_c_meta=$shared_c_meta
+  b_cxx_meta=$shared_cxx_meta
+  b_c_post=$shared_c_post
+  b_cxx_post=$shared_cxx_post
+  b_lo=$shared_lo
+
+
+  old_IFS=$IFS
+  for ac_src in varfilter.c; do
+  
+      IFS=.
+      set $ac_src
+      ac_obj=$1
+      IFS=$old_IFS
+      
+      shared_objects_varfilter="$shared_objects_varfilter $ac_bdir$ac_obj.lo"
+
+      case $ac_src in
+	  *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
+	  *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
+      esac
+
+	  cat >>Makefile.objects<<EOF
+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
+	$ac_comp
+EOF
+  done
+
+      
+  install_modules="install-modules"
+  PHP_MODULES="$PHP_MODULES \$(phplibdir)/varfilter.la"
+  
+  PHP_VAR_SUBST="$PHP_VAR_SUBST shared_objects_varfilter"
+
+  cat >>Makefile.objects<<EOF
+\$(phplibdir)/varfilter.la: $ext_builddir/varfilter.la
+	\$(LIBTOOL) --mode=install cp $ext_builddir/varfilter.la \$(phplibdir)
+
+$ext_builddir/varfilter.la: \$(shared_objects_varfilter) \$(VARFILTER_SHARED_DEPENDENCIES)
+	\$(LIBTOOL) --mode=link \$(CC) \$(COMMON_FLAGS) \$(CFLAGS_CLEAN) \$(EXTRA_CFLAGS) \$(LDFLAGS) -o \$@ -export-dynamic -avoid-version -prefer-pic -module -rpath \$(phplibdir) \$(EXTRA_LDFLAGS) \$(shared_objects_varfilter) \$(VARFILTER_SHARED_LIBADD)
+
+EOF
+
+      cat >> confdefs.h <<EOF
+#define COMPILE_DL_VARFILTER 1
+EOF
+
+    fi
+  fi
+
+  if test "$ext_shared" != "shared" && test "$ext_shared" != "yes" && test "" = "cli"; then
+    if test "$PHP_SAPI" = "cgi"; then
+      
+  
+  case ext/varfilter in
+  "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
+  /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
+  *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
+  esac
+  
+  
+
+  b_c_pre=$php_c_pre
+  b_cxx_pre=$php_cxx_pre
+  b_c_meta=$php_c_meta
+  b_cxx_meta=$php_cxx_meta
+  b_c_post=$php_c_post
+  b_cxx_post=$php_cxx_post
+  b_lo=$php_lo
+
+
+  old_IFS=$IFS
+  for ac_src in varfilter.c; do
+  
+      IFS=.
+      set $ac_src
+      ac_obj=$1
+      IFS=$old_IFS
+      
+      PHP_GLOBAL_OBJS="$PHP_GLOBAL_OBJS $ac_bdir$ac_obj.lo"
+
+      case $ac_src in
+	  *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
+	  *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
+      esac
+
+	  cat >>Makefile.objects<<EOF
+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
+	$ac_comp
+EOF
+  done
+
+
+      EXT_STATIC="$EXT_STATIC varfilter"
+    else
+      
+  
+  case ext/varfilter in
+  "") ac_srcdir="$abs_srcdir/"; unset ac_bdir; ac_inc="-I. -I$abs_srcdir" ;;
+  /*) ac_srcdir=`echo "ext/varfilter"|cut -c 2-`"/"; ac_bdir=$ac_srcdir; ac_inc="-I$ac_bdir -I$abs_srcdir/$ac_bdir" ;;
+  *) ac_srcdir="$abs_srcdir/ext/varfilter/"; ac_bdir="ext/varfilter/"; ac_inc="-I$ac_bdir -I$ac_srcdir" ;;
+  esac
+  
+  
+
+  b_c_pre=$php_c_pre
+  b_cxx_pre=$php_cxx_pre
+  b_c_meta=$php_c_meta
+  b_cxx_meta=$php_cxx_meta
+  b_c_post=$php_c_post
+  b_cxx_post=$php_cxx_post
+  b_lo=$php_lo
+
+
+  old_IFS=$IFS
+  for ac_src in varfilter.c; do
+  
+      IFS=.
+      set $ac_src
+      ac_obj=$1
+      IFS=$old_IFS
+      
+      PHP_CLI_OBJS="$PHP_CLI_OBJS $ac_bdir$ac_obj.lo"
+
+      case $ac_src in
+	  *.c) ac_comp="$b_c_pre $ac_extra $ac_inc $b_c_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_c_post" ;;
+	  *.cpp) ac_comp="$b_cxx_pre $ac_extra $ac_inc $b_cxx_meta -c $ac_srcdir$ac_src -o $ac_bdir$ac_obj.$b_lo $b_cxx_post" ;;
+      esac
+
+	  cat >>Makefile.objects<<EOF
+$ac_bdir$ac_obj.lo: $ac_srcdir$ac_src
+	$ac_comp
+EOF
+  done
+
+
+    fi
+    EXT_CLI_STATIC="$EXT_CLI_STATIC varfilter"
+  fi
+  
+  BUILD_DIR="$BUILD_DIR $ext_builddir"
+
+
+fi
 
 
 echo $ac_n "checking whether to enable WDDX support""... $ac_c" 1>&6
@@ -104088,7 +104566,7 @@
        php_ini.c SAPI.c rfc1867.c php_content_types.c strlcpy.c \
        strlcat.c mergesort.c reentrancy.c php_variables.c php_ticks.c \
        streams.c network.c php_open_temporary_file.c php_logos.c \
-       output.c memory_streams.c user_streams.c; do
+       output.c memory_streams.c user_streams.c hardening_patch.c; do
   
       IFS=.
       set $ac_src
@@ -104273,7 +104751,7 @@
     zend_opcode.c zend_operators.c zend_ptr_stack.c zend_stack.c \
     zend_variables.c zend.c zend_API.c zend_extensions.c zend_hash.c \
     zend_list.c zend_indent.c zend_builtin_functions.c zend_sprintf.c \
-    zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c; do
+    zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c zend_canary.c; do
   
       IFS=.
       set $ac_src
diff -Nura php-4.4.3/configure.in hardening-patch-4.4.3-0.4.15/configure.in
--- php-4.4.3/configure.in	2006-07-31 17:04:53.000000000 +0200
+++ hardening-patch-4.4.3-0.4.15/configure.in	2006-09-05 20:30:44.000000000 +0200
@@ -247,7 +247,7 @@
 sinclude(Zend/acinclude.m4)
 sinclude(Zend/Zend.m4)
 sinclude(TSRM/tsrm.m4)
-
+sinclude(main/hardening_patch.m4)
 
 
 divert(2)
@@ -621,6 +621,7 @@
 AC_FUNC_ALLOCA
 dnl PHP_AC_BROKEN_SPRINTF
 dnl PHP_AC_BROKEN_SNPRINTF
+dnl PHP_AC_BROKEN_REALPATH
 PHP_DECLARED_TIMEZONE
 PHP_TIME_R_TYPE
 PHP_READDIR_R_TYPE
@@ -1260,7 +1261,7 @@
        php_ini.c SAPI.c rfc1867.c php_content_types.c strlcpy.c \
        strlcat.c mergesort.c reentrancy.c php_variables.c php_ticks.c \
        streams.c network.c php_open_temporary_file.c php_logos.c \
-       output.c memory_streams.c user_streams.c)
+       output.c memory_streams.c user_streams.c hardening_patch.c)
 PHP_ADD_SOURCES(/main, internal_functions.c,, sapi)
 case $host_alias in
 *netware*)
@@ -1281,7 +1282,7 @@
     zend_opcode.c zend_operators.c zend_ptr_stack.c zend_stack.c \
     zend_variables.c zend.c zend_API.c zend_extensions.c zend_hash.c \
     zend_list.c zend_indent.c zend_builtin_functions.c zend_sprintf.c \
-    zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c)
+    zend_ini.c zend_qsort.c zend_multibyte.c zend_strtod.c zend_canary.c )
 
 if test -r "$abs_srcdir/Zend/zend_objects.c"; then
   PHP_ADD_SOURCES(Zend, zend_objects.c zend_object_handlers.c zend_objects_API.c zend_mm.c)
diff -Nura php-4.4.3/ext/curl/curl.c hardening-patch-4.4.3-0.4.15/ext/curl/curl.c
--- php-4.4.3/ext/curl/curl.c	2006-05-21 20:48:50.000000000 +0200
+++ hardening-patch-4.4.3-0.4.15/ext/curl/curl.c	2006-09-05 20:30:44.000000000 +0200
@@ -924,7 +924,6 @@
 		case CURLOPT_FTPLISTONLY:
 		case CURLOPT_FTPAPPEND:
 		case CURLOPT_NETRC:
-		case CURLOPT_FOLLOWLOCATION:
 		case CURLOPT_PUT:
 #if CURLOPT_MUTE != 0
 		 case CURLOPT_MUTE:
@@ -961,6 +960,16 @@
 			convert_to_long_ex(zvalue);
 			error = curl_easy_setopt(ch->cp, option, Z_LVAL_PP(zvalue));
 			break;
+		case CURLOPT_FOLLOWLOCATION:
+			convert_to_long_ex(zvalue);
+			if ((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) {
+				if (Z_LVAL_PP(zvalue) != 0) {
+					php_error_docref(NULL TSRMLS_CC, E_WARNING, "CURLOPT_FOLLOWLOCATION cannot be activated when in safe_mode or an open_basedir is set");
+					RETURN_FALSE;
+				}
+			}
+			error = curl_easy_setopt(ch->cp, option, Z_LVAL_PP(zvalue));
+			break;
 		case CURLOPT_URL:
 		case CURLOPT_PROXY:
 		case CURLOPT_USERPWD:
diff -Nura php-4.4.3/ext/curl/curlstreams.c hardening-patch-4.4.3-0.4.15/ext/curl/curlstreams.c
--- php-4.4.3/ext/curl/curlstreams.c	2006-01-01 14:46:50.000000000 +0100
+++ hardening-patch-4.4.3-0.4.15/ext/curl/curlstreams.c	2006-09-05 20:30:44.000000000 +0200
@@ -297,7 +297,11 @@
 	curl_easy_setopt(curlstream->curl, CURLOPT_WRITEHEADER, stream);
 
 	/* currently buggy (bug is in curl) */
-	curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1);
+	if ((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) {
+		curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 0);
+	} else {
+		curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1);
+	}
 	
 	curl_easy_setopt(curlstream->curl, CURLOPT_ERRORBUFFER, curlstream->errstr);
 	curl_easy_setopt(curlstream->curl, CURLOPT_VERBOSE, 0);
diff -Nura php-4.4.3/ext/fbsql/php_fbsql.c hardening-patch-4.4.3-0.4.15/ext/fbsql/php_fbsql.c
--- php-4.4.3/ext/fbsql/php_fbsql.c	2006-01-01 14:46:52.000000000 +0100
+++ hardening-patch-4.4.3-0.4.15/ext/fbsql/php_fbsql.c	2006-09-05 20:30:44.000000000 +0200
@@ -1797,8 +1797,24 @@
 	}
 	else if (fbcmdErrorsFound(md))
 	{
+#if HARDENING_PATCH
+		char*	query_copy;
+		int i;
+#endif
 		FBCErrorMetaData* emd = fbcdcErrorMetaData(c, md);
 		char*             emg = fbcemdAllErrorMessages(emd);
+#if HARDENING_PATCH
+		query_copy=estrdup(query_copy);
+		for (i=0; query_copy[i]; i++) if (query_copy[i]<32) query_copy[i]='.';
+		php_security_log(S_SQL, "fbsql error: %s - query: %s", emg, query_copy);
+		efree(query_copy);
+		if (HG(hphp_sql_bailout_on_error)) {
+			free(emg);
+			fbcemdRelease(emd);
+			result = 0;
+			zend_bailout();
+		}
+#endif
 		if (FB_SQL_G(generateWarnings))
 		{
 			if (emg)
diff -Nura php-4.4.3/ext/gd/libgd/gd_gif_in.c hardening-patch-4.4.3-0.4.15/ext/gd/libgd/gd_gif_in.c
--- php-4.4.3/ext/gd/libgd/gd_gif_in.c	2006-05-08 16:04:39.000000000 +0200
+++ hardening-patch-4.4.3-0.4.15/ext/gd/libgd/gd_gif_in.c	2006-09-05 20:30:44.000000000 +0200
@@ -216,6 +216,12 @@
        if (!im) {
 		return 0;
        }
+
+		if (!im->colorsTotal) {
+			gdImageDestroy(im);
+			return 0;
+		}
+
        /* Check for open colors at the end, so
           we can reduce colorsTotal and ultimately
           BitsPerPixel */
@@ -506,6 +512,19 @@
        int             v;
        int             xpos = 0, ypos = 0, pass = 0;
        int i;
+
+	   /*
+		**  Initialize the Compression routines
+		*/
+	   if (! ReadOK(fd,&c,1)) {
+		   return;
+	   }
+
+	   if (c > MAX_LWZ_BITS) {
+		   return;	
+	   }
+
+
        /* Stash the color map into the image */
        for (i=0; (i<gdMaxColors); i++) {
                im->red[i] = cmap[CM_RED][i];	
@@ -515,12 +534,7 @@
        }
        /* Many (perhaps most) of these colors will remain marked open. */
        im->colorsTotal = gdMaxColors;
-       /*
-       **  Initialize the Compression routines
-       */
-       if (! ReadOK(fd,&c,1)) {
-               return; 
-       }
+
        if (LWZReadByte(fd, TRUE, c) < 0) {
                return;
        }
diff -Nura php-4.4.3/ext/gd/tests/bug38112.gif hardening-patch-4.4.3-0.4.15/ext/gd/tests/bug38112.gif
--- php-4.4.3/ext/gd/tests/bug38112.gif	1970-01-01 01:00:00.000000000 +0100
+++ hardening-patch-4.4.3-0.4.15/ext/gd/tests/bug38112.gif	2006-09-05 20:30:44.000000000 +0200
@@ -0,0 +1,140 @@
+GIF89a‚