sixd                                     Tue, 16 Nov 2010 19:33:31 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=305412

Log:
Protect against null bytes in LOB filenames (rasmus)

Changed paths:
    U   php/php-src/branches/PHP_5_3/ext/oci8/oci8_interface.c
    U   php/php-src/branches/PHP_5_3/ext/oci8/package.xml
    U   php/php-src/branches/PHP_5_3/ext/oci8/php_oci8.h
    A   php/php-src/branches/PHP_5_3/ext/oci8/tests/null_byte_1.phpt
    A   php/php-src/branches/PHP_5_3/ext/oci8/tests/null_byte_2.phpt
    U   php/php-src/trunk/ext/oci8/oci8_interface.c
    U   php/php-src/trunk/ext/oci8/package.xml
    U   php/php-src/trunk/ext/oci8/php_oci8.h
    A   php/php-src/trunk/ext/oci8/tests/null_byte_1.phpt
    A   php/php-src/trunk/ext/oci8/tests/null_byte_2.phpt

Modified: php/php-src/branches/PHP_5_3/ext/oci8/oci8_interface.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/oci8/oci8_interface.c	2010-11-16 18:39:35 UTC (rev 305411)
+++ php/php-src/branches/PHP_5_3/ext/oci8/oci8_interface.c	2010-11-16 19:33:31 UTC (rev 305412)
@@ -242,7 +242,12 @@
 			return;
 		}
 	}
-
+
+	if (strlen(filename) != filename_len) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Filename cannot contain null bytes");
+		RETURN_FALSE;
+	}
+
 	if (zend_hash_find(Z_OBJPROP_P(z_descriptor), "descriptor", sizeof("descriptor"), (void **)&tmp) == FAILURE) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to find descriptor property");
 		RETURN_FALSE;
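Review bot: The added guard `strlen(filename) != filename_len` compares a `size_t` with what is presumably an `int` length filled in by parameter parsing (the declaration is outside the hunk), so it is a signed/unsigned comparison; `if (strlen(filename) != (size_t)filename_len) {` states the intent and avoids the compiler warning. The same five lines are repeated in the hunk at -894 and in both trunk hunks of oci8_interface.c, so a small static helper or macro would keep the check and its message from drifting apart. A short comment above the guard would record why it exists, for example `/* reject embedded NULs: C file APIs stop at the first one, so the path opened would differ from the string the script validated */`. The enclosing function starts and ends outside the hunk.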
@@ -894,7 +899,12 @@
 			RETURN_FALSE;
 		}
 	}
-
+
+	if (strlen(filename) != filename_len) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Filename cannot contain null bytes");
+		RETURN_FALSE;
+	}
+
 	if (zend_hash_find(Z_OBJPROP_P(z_descriptor), "descriptor", sizeof("descriptor"), (void **)&tmp) == FAILURE) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to find descriptor property");
 		RETURN_FALSE;
@@ -1666,8 +1676,8 @@
 }
 /* }}} */

-/* {{{ proto resource oci_parse(resource connection, string query)
-   Parse a query and return a statement */
+/* {{{ proto resource oci_parse(resource connection, string statement)
+   Parse a SQL or PL/SQL statement and return a statement resource */
 PHP_FUNCTION(oci_parse)
 {
 	zval *z_connection;

Modified: php/php-src/branches/PHP_5_3/ext/oci8/package.xml
===================================================================
--- php/php-src/branches/PHP_5_3/ext/oci8/package.xml	2010-11-16 18:39:35 UTC (rev 305411)
+++ php/php-src/branches/PHP_5_3/ext/oci8/package.xml	2010-11-16 19:33:31 UTC (rev 305412)
@@ -33,21 +33,20 @@
   <active>no</active>
  </lead>

- <date>2010-11-10</date>
+ <date>2010-11-16</date>
  <time>15:00:00</time>

  <version>
-  <release>1.4.4</release>
-  <api>1.4.4</api>
+  <release>1.4.5</release>
+  <api>1.4.5</api>
  </version>
  <stability>
-  <release>stable</release>
+  <release>devel</release>
   <api>stable</api>
  </stability>
  <license uri="http://www.php.net/license";>PHP</license>
  <notes>
-    Fixed bug #53284 (Valgrind warnings in oci_set_* functions)
-    Enhancement - improve startup failure error messages
+    Protect against null bytes in LOB filenames (http://news.php.net/php.internals/50202)
  </notes>
  <contents>
   <dir name="/">
@@ -306,6 +305,8 @@
     <file name="lob_temp1.phpt" role="test" />
     <file name="lob_temp.phpt" role="test" />
     <file name="minfo.phpt" role="test" />
+    <file name="null_byte_1.phpt" role="test" />
+    <file name="null_byte_2.phpt" role="test" />
     <file name="num.phpt" role="test" />
     <file name="oci8safemode.phpt" role="test" />
     <file name="oci_execute_segfault.phpt" role="test" />
@@ -379,6 +380,22 @@

 <release>
  <version>
+  <release>1.4.4</release>
+  <api>1.4.4</api>
+ </version>
+ <stability>
+  <release>stable</release>
+  <api>stable</api>
+ </stability>
+ <license uri="http://www.php.net/license";>PHP</license>
+ <notes>
+    Fixed bug #53284 (Valgrind warnings in oci_set_* functions)
+    Enhancement - improve startup failure error messages
+ </notes>
+</release>
+
+<release>
+ <version>
   <release>1.4.3</release>
   <api>1.4.3</api>
  </version>

Modified: php/php-src/branches/PHP_5_3/ext/oci8/php_oci8.h
===================================================================
--- php/php-src/branches/PHP_5_3/ext/oci8/php_oci8.h	2010-11-16 18:39:35 UTC (rev 305411)
+++ php/php-src/branches/PHP_5_3/ext/oci8/php_oci8.h	2010-11-16 19:33:31 UTC (rev 305412)
@@ -46,7 +46,7 @@
  */
 #undef PHP_OCI8_VERSION
 #endif
-#define PHP_OCI8_VERSION "1.4.4"
+#define PHP_OCI8_VERSION "1.4.5-devel"

 extern zend_module_entry oci8_module_entry;
 #define phpext_oci8_ptr &oci8_module_entry

Added: php/php-src/branches/PHP_5_3/ext/oci8/tests/null_byte_1.phpt
===================================================================
--- php/php-src/branches/PHP_5_3/ext/oci8/tests/null_byte_1.phpt	                        (rev 0)
+++ php/php-src/branches/PHP_5_3/ext/oci8/tests/null_byte_1.phpt	2010-11-16 19:33:31 UTC (rev 305412)
@@ -0,0 +1,38 @@
+--TEST--
+Protect against null bytes in LOB filenames (http://news.php.net/php.internals/50202)
+--SKIPIF--
+<?php if (!extension_loaded('oci8')) die ("skip no oci8 extension"); ?>
+--INI--
+display_errors = On
+error_reporting = E_WARNING
+--FILE--
+<?php
+
+require(dirname(__FILE__).'/connect.inc');
+
+// Run Test
+
+echo "Test 1: Import\n";
+
+$lob = oci_new_descriptor($c, OCI_D_LOB);
+$r = $lob->savefile("/tmp/abc\0def");
+var_dump($r);
+
+echo "Test 2: Export\n";
+
+$r = $lob->export("/tmp/abc\0def");
+var_dump($r);
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECTF--
+Test 1: Import
+
+Warning: OCI-Lob::savefile(): Filename cannot contain null bytes in %snull_byte_1.php on line %d
+bool(false)
+Test 2: Export
+
+Warning: OCI-Lob::export(): Filename cannot contain null bytes in %snull_byte_1.php on line %d
+bool(false)
+===DONE===
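Review bot: Only the method forms `$lob->savefile()` and `$lob->export()` are exercised here, so the procedural entry points to the same C functions are not covered by this regression test. The context lines of the oci8_interface.c hunks suggest two parameter-parsing branches before the new guard, so it is worth pinning both call styles by adding `var_dump(oci_lob_import($lob, "/tmp/abc\0def"));` and `var_dump(oci_lob_export($lob, "/tmp/abc\0def"));` with matching EXPECTF lines. The test could also assert that nothing was created at the truncated path `/tmp/abc`, which is the outcome the guard is meant to prevent. The same applies to the trunk copy of this file.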


Property changes on: php/php-src/branches/PHP_5_3/ext/oci8/tests/null_byte_1.phpt
___________________________________________________________________
Added: svn:keywords
   + Id Rev Revision
Added: svn:eol-style
   + native

Added: php/php-src/branches/PHP_5_3/ext/oci8/tests/null_byte_2.phpt
===================================================================
--- php/php-src/branches/PHP_5_3/ext/oci8/tests/null_byte_2.phpt	                        (rev 0)
+++ php/php-src/branches/PHP_5_3/ext/oci8/tests/null_byte_2.phpt	2010-11-16 19:33:31 UTC (rev 305412)
@@ -0,0 +1,69 @@
+--TEST--
+Null bytes in SQL statements
+--SKIPIF--
+<?php if (!extension_loaded('oci8')) die ("skip no oci8 extension"); ?>
+--INI--
+display_errors = On
+error_reporting = E_WARNING
+--FILE--
+<?php
+
+require(dirname(__FILE__).'/connect.inc');
+
+// Run Test
+
+echo "Test 1: Valid use of a null byte\n";
+
+$s = oci_parse($c, "select * \0from dual");
+oci_execute($s);
+oci_fetch_all($s, $res);
+var_dump($res);
+
+echo "Test 2: Invalid use of a null byte\n";
+
+$s = oci_parse($c, "select * from du\0al");
+oci_execute($s);
+
+echo "Test 3: Using a null byte in a bind variable name\n";
+
+$s = oci_parse($c, "select * from dual where :bv = 1");
+$bv = 1;
+oci_bind_by_name($s, ":bv\0:bv", $bv);
+oci_execute($s);
+
+echo "Test 4: Using a null byte in a bind variable value causing WHERE clause to fail\n";
+
+$s = oci_parse($c, "select * from dual where :bv = 'abc'");
+$bv = 'abc\0abc';
+oci_bind_by_name($s, ":bv", $bv);
+oci_execute($s);
+oci_fetch_all($s, $res);
+var_dump($res);
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECTF--
+Test 1: Valid use of a null byte
+array(1) {
+  ["DUMMY"]=>
+  array(1) {
+    [0]=>
+    string(1) "X"
+  }
+}
+Test 2: Invalid use of a null byte
+
+Warning: oci_execute(): ORA-00942: %s in %snull_byte_2.php on line %d
+Test 3: Using a null byte in a bind variable name
+
+Warning: oci_bind_by_name(): ORA-01036: %s in %snull_byte_2.php on line %d
+
+Warning: oci_execute(): ORA-01008: %s in %snull_byte_2.php on line %d
+Test 4: Using a null byte in a bind variable value causing WHERE clause to fail
+array(1) {
+  ["DUMMY"]=>
+  array(0) {
+  }
+}
+===DONE===
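Review bot: Test 4 never puts a null byte in the bind value, because `$bv = 'abc\0abc';` is single-quoted and PHP does not interpret `\0` there. The bound string is the eight characters `abc\0abc` with a literal backslash and zero, so the WHERE clause fails for an unrelated reason and the empty `DUMMY` array proves nothing about NUL handling. Use `$bv = "abc\0abc";` as Tests 1 to 3 already do, then re-run against a database to confirm the expected output, since truncation at the NUL would make the comparison with `'abc'` succeed. The trunk copy of null_byte_2.phpt has the same line.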


Property changes on: php/php-src/branches/PHP_5_3/ext/oci8/tests/null_byte_2.phpt
___________________________________________________________________
Added: svn:keywords
   + Id Rev Revision
Added: svn:eol-style
   + native

Modified: php/php-src/trunk/ext/oci8/oci8_interface.c
===================================================================
--- php/php-src/trunk/ext/oci8/oci8_interface.c	2010-11-16 18:39:35 UTC (rev 305411)
+++ php/php-src/trunk/ext/oci8/oci8_interface.c	2010-11-16 19:33:31 UTC (rev 305412)
@@ -242,7 +242,12 @@
 			return;
 		}
 	}
-
+
+	if (strlen(filename) != filename_len) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Filename cannot contain null bytes");
+		RETURN_FALSE;
+	}
+
 	if (zend_hash_find(Z_OBJPROP_P(z_descriptor), "descriptor", sizeof("descriptor"), (void **)&tmp) == FAILURE) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to find descriptor property");
 		RETURN_FALSE;
@@ -894,7 +899,12 @@
 			RETURN_FALSE;
 		}
 	}
-
+
+	if (strlen(filename) != filename_len) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Filename cannot contain null bytes");
+		RETURN_FALSE;
+	}
+
 	if (zend_hash_find(Z_OBJPROP_P(z_descriptor), "descriptor", sizeof("descriptor"), (void **)&tmp) == FAILURE) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to find descriptor property");
 		RETURN_FALSE;
@@ -1662,8 +1672,8 @@
 }
 /* }}} */

-/* {{{ proto resource oci_parse(resource connection, string query)
-   Parse a query and return a statement */
+/* {{{ proto resource oci_parse(resource connection, string statement)
+   Parse a SQL or PL/SQL statement and return a statement resource */
 PHP_FUNCTION(oci_parse)
 {
 	zval *z_connection;

Modified: php/php-src/trunk/ext/oci8/package.xml
===================================================================
--- php/php-src/trunk/ext/oci8/package.xml	2010-11-16 18:39:35 UTC (rev 305411)
+++ php/php-src/trunk/ext/oci8/package.xml	2010-11-16 19:33:31 UTC (rev 305412)
@@ -33,21 +33,20 @@
   <active>no</active>
  </lead>

- <date>2010-11-10</date>
+ <date>2010-11-16</date>
  <time>15:00:00</time>

  <version>
-  <release>1.4.4</release>
-  <api>1.4.4</api>
+  <release>1.4.5</release>
+  <api>1.4.5</api>
  </version>
  <stability>
-  <release>stable</release>
+  <release>devel</release>
   <api>stable</api>
  </stability>
  <license uri="http://www.php.net/license";>PHP</license>
  <notes>
-    Fixed bug #53284 (Valgrind warnings in oci_set_* functions)
-    Enhancement - improve startup failure error messages
+    Protect against null bytes in LOB filenames (http://news.php.net/php.internals/50202)
  </notes>
  <contents>
   <dir name="/">
@@ -306,6 +305,8 @@
     <file name="lob_temp1.phpt" role="test" />
     <file name="lob_temp.phpt" role="test" />
     <file name="minfo.phpt" role="test" />
+    <file name="null_byte_1.phpt" role="test" />
+    <file name="null_byte_2.phpt" role="test" />
     <file name="num.phpt" role="test" />
     <file name="oci8safemode.phpt" role="test" />
     <file name="oci_execute_segfault.phpt" role="test" />
@@ -379,6 +380,22 @@

 <release>
  <version>
+  <release>1.4.4</release>
+  <api>1.4.4</api>
+ </version>
+ <stability>
+  <release>stable</release>
+  <api>stable</api>
+ </stability>
+ <license uri="http://www.php.net/license";>PHP</license>
+ <notes>
+    Fixed bug #53284 (Valgrind warnings in oci_set_* functions)
+    Enhancement - improve startup failure error messages
+ </notes>
+</release>
+
+<release>
+ <version>
   <release>1.4.3</release>
   <api>1.4.3</api>
  </version>

Modified: php/php-src/trunk/ext/oci8/php_oci8.h
===================================================================
--- php/php-src/trunk/ext/oci8/php_oci8.h	2010-11-16 18:39:35 UTC (rev 305411)
+++ php/php-src/trunk/ext/oci8/php_oci8.h	2010-11-16 19:33:31 UTC (rev 305412)
@@ -46,7 +46,7 @@
  */
 #undef PHP_OCI8_VERSION
 #endif
-#define PHP_OCI8_VERSION "1.4.4"
+#define PHP_OCI8_VERSION "1.4.5-devel"

 extern zend_module_entry oci8_module_entry;
 #define phpext_oci8_ptr &oci8_module_entry

Added: php/php-src/trunk/ext/oci8/tests/null_byte_1.phpt
===================================================================
--- php/php-src/trunk/ext/oci8/tests/null_byte_1.phpt	                        (rev 0)
+++ php/php-src/trunk/ext/oci8/tests/null_byte_1.phpt	2010-11-16 19:33:31 UTC (rev 305412)
@@ -0,0 +1,38 @@
+--TEST--
+Protect against null bytes in LOB filenames (http://news.php.net/php.internals/50202)
+--SKIPIF--
+<?php if (!extension_loaded('oci8')) die ("skip no oci8 extension"); ?>
+--INI--
+display_errors = On
+error_reporting = E_WARNING
+--FILE--
+<?php
+
+require(dirname(__FILE__).'/connect.inc');
+
+// Run Test
+
+echo "Test 1: Import\n";
+
+$lob = oci_new_descriptor($c, OCI_D_LOB);
+$r = $lob->savefile("/tmp/abc\0def");
+var_dump($r);
+
+echo "Test 2: Export\n";
+
+$r = $lob->export("/tmp/abc\0def");
+var_dump($r);
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECTF--
+Test 1: Import
+
+Warning: OCI-Lob::savefile(): Filename cannot contain null bytes in %snull_byte_1.php on line %d
+bool(false)
+Test 2: Export
+
+Warning: OCI-Lob::export(): Filename cannot contain null bytes in %snull_byte_1.php on line %d
+bool(false)
+===DONE===


Property changes on: php/php-src/trunk/ext/oci8/tests/null_byte_1.phpt
___________________________________________________________________
Added: svn:keywords
   + Id Rev Revision
Added: svn:eol-style
   + native

Added: php/php-src/trunk/ext/oci8/tests/null_byte_2.phpt
===================================================================
--- php/php-src/trunk/ext/oci8/tests/null_byte_2.phpt	                        (rev 0)
+++ php/php-src/trunk/ext/oci8/tests/null_byte_2.phpt	2010-11-16 19:33:31 UTC (rev 305412)
@@ -0,0 +1,69 @@
+--TEST--
+Null bytes in SQL statements
+--SKIPIF--
+<?php if (!extension_loaded('oci8')) die ("skip no oci8 extension"); ?>
+--INI--
+display_errors = On
+error_reporting = E_WARNING
+--FILE--
+<?php
+
+require(dirname(__FILE__).'/connect.inc');
+
+// Run Test
+
+echo "Test 1: Valid use of a null byte\n";
+
+$s = oci_parse($c, "select * \0from dual");
+oci_execute($s);
+oci_fetch_all($s, $res);
+var_dump($res);
+
+echo "Test 2: Invalid use of a null byte\n";
+
+$s = oci_parse($c, "select * from du\0al");
+oci_execute($s);
+
+echo "Test 3: Using a null byte in a bind variable name\n";
+
+$s = oci_parse($c, "select * from dual where :bv = 1");
+$bv = 1;
+oci_bind_by_name($s, ":bv\0:bv", $bv);
+oci_execute($s);
+
+echo "Test 4: Using a null byte in a bind variable value causing WHERE clause to fail\n";
+
+$s = oci_parse($c, "select * from dual where :bv = 'abc'");
+$bv = 'abc\0abc';
+oci_bind_by_name($s, ":bv", $bv);
+oci_execute($s);
+oci_fetch_all($s, $res);
+var_dump($res);
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECTF--
+Test 1: Valid use of a null byte
+array(1) {
+  ["DUMMY"]=>
+  array(1) {
+    [0]=>
+    string(1) "X"
+  }
+}
+Test 2: Invalid use of a null byte
+
+Warning: oci_execute(): ORA-00942: %s in %snull_byte_2.php on line %d
+Test 3: Using a null byte in a bind variable name
+
+Warning: oci_bind_by_name(): ORA-01036: %s in %snull_byte_2.php on line %d
+
+Warning: oci_execute(): ORA-01008: %s in %snull_byte_2.php on line %d
+Test 4: Using a null byte in a bind variable value causing WHERE clause to fail
+array(1) {
+  ["DUMMY"]=>
+  array(0) {
+  }
+}
+===DONE===


Property changes on: php/php-src/trunk/ext/oci8/tests/null_byte_2.phpt
___________________________________________________________________
Added: svn:keywords
   + Id Rev Revision
Added: svn:eol-style
   + native