[PHP-CVS] svn: /SVNROOT/ header.ezt

2010-03-31 Thread Philip Olson
philip   Thu, 01 Apr 2010 03:35:38 +

Revision: http://svn.php.net/viewvc?view=revision&revision=297255

Log:
Changed 'PHP 6' reference to 'PHP Trunk'

Changed paths:
U   SVNROOT/header.ezt

Modified: SVNROOT/header.ezt
===
--- SVNROOT/header.ezt  2010-04-01 03:32:34 UTC (rev 297254)
+++ SVNROOT/header.ezt  2010-04-01 03:35:38 UTC (rev 297255)
@@ -30,7 +30,7 @@

 Main trees: PHP 5.2 |
 PHP 5.3 |
-PHP 6 |
+PHP Trunk |
 pecl |
 pear |
 pear-core  


[PHP-CVS] svn: /php/php-src/ branches/PHP_5_2/ext/filter/logical_filters.c branches/PHP_5_3/ext/filter/logical_filters.c trunk/ext/filter/logical_filters.c

2010-03-31 Thread Rasmus Lerdorf
rasmus   Wed, 31 Mar 2010 23:56:30 +

Revision: http://svn.php.net/viewvc?view=revision&revision=297250

Log:
Fix FILTER_VALIDATE_URL - Host names can't start with '.' or '-'

Changed paths:
U   php/php-src/branches/PHP_5_2/ext/filter/logical_filters.c
U   php/php-src/branches/PHP_5_3/ext/filter/logical_filters.c
U   php/php-src/trunk/ext/filter/logical_filters.c

Modified: php/php-src/branches/PHP_5_2/ext/filter/logical_filters.c
===
--- php/php-src/branches/PHP_5_2/ext/filter/logical_filters.c   2010-03-31 
23:11:35 UTC (rev 297249)
+++ php/php-src/branches/PHP_5_2/ext/filter/logical_filters.c   2010-03-31 
23:56:30 UTC (rev 297250)
@@ -465,6 +465,11 @@
e = url->host + strlen(url->host);
s = url->host;

+   /* First char of hostname must be alphanumeric */
+   if(!isalnum((int)*(unsigned char *)s)) {
+   goto bad_url;
+   }
+
while (s < e) {
if (!isalnum((int)*(unsigned char *)s) && *s != '-' && 
*s != '.') {
goto bad_url;
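Review bot: The added first-character test only looks at the start of the whole host string, so a later label that begins with '-' or an empty label (`a.-b.example`, `a..b`) still gets through the `while (s < e)` loop below it, which accepts any run of alphanumerics, '-' and '.'. If the intent is that no label starts with '.' or '-', the loop needs a per-label check, for example `if ((*s == '.' || *s == '-') && *(s - 1) == '.') goto bad_url;`, which is safe to evaluate because the first character has already been required to be alphanumeric. isalnum() follows the current locale, so an explicit ASCII range test would keep bytes above 0x7F out regardless of setlocale(). The rest of the loop and the function lie outside the hunk, so whether url->host is checked for NULL before `strlen(url->host)` cannot be seen here. The identical hunks for branches/PHP_5_3 and trunk carry the same gap.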

Modified: php/php-src/branches/PHP_5_3/ext/filter/logical_filters.c
===
--- php/php-src/branches/PHP_5_3/ext/filter/logical_filters.c   2010-03-31 
23:11:35 UTC (rev 297249)
+++ php/php-src/branches/PHP_5_3/ext/filter/logical_filters.c   2010-03-31 
23:56:30 UTC (rev 297250)
@@ -465,6 +465,11 @@
e = url->host + strlen(url->host);
s = url->host;

+   /* First char of hostname must be alphanumeric */
+   if(!isalnum((int)*(unsigned char *)s)) {
+   goto bad_url;
+   }
+
while (s < e) {
if (!isalnum((int)*(unsigned char *)s) && *s != '-' && 
*s != '.') {
goto bad_url;

Modified: php/php-src/trunk/ext/filter/logical_filters.c
===
--- php/php-src/trunk/ext/filter/logical_filters.c  2010-03-31 23:11:35 UTC 
(rev 297249)
+++ php/php-src/trunk/ext/filter/logical_filters.c  2010-03-31 23:56:30 UTC 
(rev 297250)
@@ -465,6 +465,11 @@
e = url->host + strlen(url->host);
s = url->host;

+   /* First char of hostname must be alphanumeric */
+   if(!isalnum((int)*(unsigned char *)s)) {
+   goto bad_url;
+   }
+
while (s < e) {
if (!isalnum((int)*(unsigned char *)s) && *s != '-' && 
*s != '.') {
goto bad_url;


[PHP-CVS] svn: /php/php-src/trunk/ NEWS

2010-03-31 Thread Rasmus Lerdorf
rasmus   Wed, 31 Mar 2010 23:01:38 +

Revision: http://svn.php.net/viewvc?view=revision&revision=297246

Log:
Moved to 5.3

Changed paths:
U   php/php-src/trunk/NEWS

Modified: php/php-src/trunk/NEWS
===
--- php/php-src/trunk/NEWS  2010-03-31 22:59:09 UTC (rev 297245)
+++ php/php-src/trunk/NEWS  2010-03-31 23:01:38 UTC (rev 297246)
@@ -11,7 +11,6 @@
   ReflectionExtension::isPersistent(). (Johannes)
 - Added ReflectionZendExtension class. (Johannes)
 - Added command line option --rz to CLI. (Johannes)
-- Added full_special_chars filter to ext/filter (Rasmus)

 - default_charset if not specified is now UTF-8 instead of ISO-8859-1. (Rasmus)
 - default session.entropy_file is now /dev/urandom or /dev/arandom if either
@@ -22,6 +21,7 @@

 - Added stream filter support to mcrypt extension (ported from
   mcrypt_filter). (Stas)
+- Added full_special_chars filter to ext/filter (Rasmus)

 - Fixed a NULL pointer dereference when processing invalid XML-RPC
   requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)


[PHP-CVS] svn: /php/php-src/branches/PHP_5_3/ NEWS ext/filter/filter.c ext/filter/filter_private.h ext/filter/php_filter.h ext/filter/sanitizing_filters.c

2010-03-31 Thread Rasmus Lerdorf
rasmus   Wed, 31 Mar 2010 22:59:09 +

Revision: http://svn.php.net/viewvc?view=revision&revision=297245

Log:
full_special_chars filter from trunk - approved by johannes

Changed paths:
U   php/php-src/branches/PHP_5_3/NEWS
U   php/php-src/branches/PHP_5_3/ext/filter/filter.c
U   php/php-src/branches/PHP_5_3/ext/filter/filter_private.h
U   php/php-src/branches/PHP_5_3/ext/filter/php_filter.h
U   php/php-src/branches/PHP_5_3/ext/filter/sanitizing_filters.c

Modified: php/php-src/branches/PHP_5_3/NEWS
===
--- php/php-src/branches/PHP_5_3/NEWS   2010-03-31 22:49:08 UTC (rev 297244)
+++ php/php-src/branches/PHP_5_3/NEWS   2010-03-31 22:59:09 UTC (rev 297245)
@@ -6,6 +6,7 @@

 - Added stream filter support to mcrypt extension (ported from
   mcrypt_filter). (Stas)
+- Added full_special_chars filter to ext/filter (Rasmus)

 - Fixed a NULL pointer dereference when processing invalid XML-RPC
   requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)

Modified: php/php-src/branches/PHP_5_3/ext/filter/filter.c
===
--- php/php-src/branches/PHP_5_3/ext/filter/filter.c2010-03-31 22:49:08 UTC 
(rev 297244)
+++ php/php-src/branches/PHP_5_3/ext/filter/filter.c2010-03-31 22:59:09 UTC 
(rev 297245)
@@ -52,6 +52,7 @@
{ "stripped",FILTER_SANITIZE_STRING,php_filter_string   
   },
{ "encoded", FILTER_SANITIZE_ENCODED,   php_filter_encoded  
   },
{ "special_chars",   FILTER_SANITIZE_SPECIAL_CHARS, 
php_filter_special_chars   },
+   { "full_special_chars",   FILTER_SANITIZE_FULL_SPECIAL_CHARS, 
php_filter_full_special_chars   },
{ "unsafe_raw",  FILTER_UNSAFE_RAW, 
php_filter_unsafe_raw  },
{ "email",   FILTER_SANITIZE_EMAIL, php_filter_email
   },
{ "url", FILTER_SANITIZE_URL,   php_filter_url  
   },
@@ -238,6 +239,7 @@
REGISTER_LONG_CONSTANT("FILTER_SANITIZE_STRIPPED", 
FILTER_SANITIZE_STRING, CONST_CS | CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("FILTER_SANITIZE_ENCODED", 
FILTER_SANITIZE_ENCODED, CONST_CS | CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("FILTER_SANITIZE_SPECIAL_CHARS", 
FILTER_SANITIZE_SPECIAL_CHARS, CONST_CS | CONST_PERSISTENT);
+   REGISTER_LONG_CONSTANT("FILTER_SANITIZE_FULL_SPECIAL_CHARS", 
FILTER_SANITIZE_SPECIAL_CHARS, CONST_CS | CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("FILTER_SANITIZE_EMAIL", FILTER_SANITIZE_EMAIL, 
CONST_CS | CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("FILTER_SANITIZE_URL", FILTER_SANITIZE_URL, 
CONST_CS | CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("FILTER_SANITIZE_NUMBER_INT", 
FILTER_SANITIZE_NUMBER_INT, CONST_CS | CONST_PERSISTENT);
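Review bot: The added `REGISTER_LONG_CONSTANT("FILTER_SANITIZE_FULL_SPECIAL_CHARS", FILTER_SANITIZE_SPECIAL_CHARS, ...)` line registers the new userland constant with the value of the old filter id, so a script passing FILTER_SANITIZE_FULL_SPECIAL_CHARS would presumably select `php_filter_special_chars` rather than the `php_filter_full_special_chars` entry added to the filter table in the previous hunk. The second argument should be the new id from filter_private.h: `REGISTER_LONG_CONSTANT("FILTER_SANITIZE_FULL_SPECIAL_CHARS", FILTER_SANITIZE_FULL_SPECIAL_CHARS, CONST_CS | CONST_PERSISTENT);`. As written, callers relying on the new filter for output escaping would silently get the older one. The trunk commit (rev 297239) has the same line in its filter.c hunk. The enclosing registration function starts and ends outside the hunk.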

Modified: php/php-src/branches/PHP_5_3/ext/filter/filter_private.h
===
--- php/php-src/branches/PHP_5_3/ext/filter/filter_private.h2010-03-31 
22:49:08 UTC (rev 297244)
+++ php/php-src/branches/PHP_5_3/ext/filter/filter_private.h2010-03-31 
22:59:09 UTC (rev 297245)
@@ -78,7 +78,8 @@
 #define FILTER_SANITIZE_NUMBER_INT0x0207
 #define FILTER_SANITIZE_NUMBER_FLOAT  0x0208
 #define FILTER_SANITIZE_MAGIC_QUOTES  0x0209
-#define FILTER_SANITIZE_LAST  0x0209
+#define FILTER_SANITIZE_FULL_SPECIAL_CHARS 0x020a
+#define FILTER_SANITIZE_LAST  0x020a

 #define FILTER_SANITIZE_ALL   0x0200


Modified: php/php-src/branches/PHP_5_3/ext/filter/php_filter.h
===
--- php/php-src/branches/PHP_5_3/ext/filter/php_filter.h2010-03-31 
22:49:08 UTC (rev 297244)
+++ php/php-src/branches/PHP_5_3/ext/filter/php_filter.h2010-03-31 
22:59:09 UTC (rev 297245)
@@ -28,6 +28,7 @@
 #include "php_ini.h"
 #include "ext/standard/info.h"
 #include "ext/standard/php_string.h"
+#include "ext/standard/html.h"
 #include "php_variables.h"

 extern zend_module_entry filter_module_entry;
@@ -81,6 +82,7 @@
 void php_filter_string(PHP_INPUT_FILTER_PARAM_DECL);
 void php_filter_encoded(PHP_INPUT_FILTER_PARAM_DECL);
 void php_filter_special_chars(PHP_INPUT_FILTER_PARAM_DECL);
+void php_filter_full_special_chars(PHP_INPUT_FILTER_PARAM_DECL);
 void php_filter_unsafe_raw(PHP_INPUT_FILTER_PARAM_DECL);
 void php_filter_email(PHP_INPUT_FILTER_PARAM_DECL);
 void php_filter_url(PHP_INPUT_FILTER_PARAM_DECL);

Modified: php/php-src/branches/PHP_5_3/ext/filter/sanitizing_filters.c
===
--- php/php-src/branches/PHP_5_3/ext/filter/sanitizing_filters.c
2010-03-31 22:49:08 UTC (rev 297244)
+++ php/php-src/branches/PHP_5_3/ext/filter/sanitizing_filters.c
2010-03-31 22:59:09 UTC (rev 297245)
@@ -242,6 +242,24 @@
 }
 /* }}} */

+/* {{{ php_filter_full_special_char

[PHP-CVS] svn: /php/php-src/trunk/ NEWS ext/filter/filter.c ext/filter/filter_private.h ext/filter/php_filter.h ext/filter/sanitizing_filters.c

2010-03-31 Thread Rasmus Lerdorf
rasmus   Wed, 31 Mar 2010 21:50:36 +

Revision: http://svn.php.net/viewvc?view=revision&revision=297239

Log:
Added the full htmlspecialchars() functionality which includes utf-8
validation as a default filter.

Changed paths:
U   php/php-src/trunk/NEWS
U   php/php-src/trunk/ext/filter/filter.c
U   php/php-src/trunk/ext/filter/filter_private.h
U   php/php-src/trunk/ext/filter/php_filter.h
U   php/php-src/trunk/ext/filter/sanitizing_filters.c

Modified: php/php-src/trunk/NEWS
===
--- php/php-src/trunk/NEWS  2010-03-31 21:38:38 UTC (rev 297238)
+++ php/php-src/trunk/NEWS  2010-03-31 21:50:36 UTC (rev 297239)
@@ -11,6 +11,7 @@
   ReflectionExtension::isPersistent(). (Johannes)
 - Added ReflectionZendExtension class. (Johannes)
 - Added command line option --rz to CLI. (Johannes)
+- Added full_special_chars filter to ext/filter (Rasmus)

 - default_charset if not specified is now UTF-8 instead of ISO-8859-1. (Rasmus)
 - default session.entropy_file is now /dev/urandom or /dev/arandom if either

Modified: php/php-src/trunk/ext/filter/filter.c
===
--- php/php-src/trunk/ext/filter/filter.c   2010-03-31 21:38:38 UTC (rev 
297238)
+++ php/php-src/trunk/ext/filter/filter.c   2010-03-31 21:50:36 UTC (rev 
297239)
@@ -52,6 +52,7 @@
{ "stripped",FILTER_SANITIZE_STRING,php_filter_string   
   },
{ "encoded", FILTER_SANITIZE_ENCODED,   php_filter_encoded  
   },
{ "special_chars",   FILTER_SANITIZE_SPECIAL_CHARS, 
php_filter_special_chars   },
+   { "full_special_chars",   FILTER_SANITIZE_FULL_SPECIAL_CHARS, 
php_filter_full_special_chars   },
{ "unsafe_raw",  FILTER_UNSAFE_RAW, 
php_filter_unsafe_raw  },
{ "email",   FILTER_SANITIZE_EMAIL, php_filter_email
   },
{ "url", FILTER_SANITIZE_URL,   php_filter_url  
   },
@@ -238,6 +239,7 @@
REGISTER_LONG_CONSTANT("FILTER_SANITIZE_STRIPPED", 
FILTER_SANITIZE_STRING, CONST_CS | CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("FILTER_SANITIZE_ENCODED", 
FILTER_SANITIZE_ENCODED, CONST_CS | CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("FILTER_SANITIZE_SPECIAL_CHARS", 
FILTER_SANITIZE_SPECIAL_CHARS, CONST_CS | CONST_PERSISTENT);
+   REGISTER_LONG_CONSTANT("FILTER_SANITIZE_FULL_SPECIAL_CHARS", 
FILTER_SANITIZE_SPECIAL_CHARS, CONST_CS | CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("FILTER_SANITIZE_EMAIL", FILTER_SANITIZE_EMAIL, 
CONST_CS | CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("FILTER_SANITIZE_URL", FILTER_SANITIZE_URL, 
CONST_CS | CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("FILTER_SANITIZE_NUMBER_INT", 
FILTER_SANITIZE_NUMBER_INT, CONST_CS | CONST_PERSISTENT);

Modified: php/php-src/trunk/ext/filter/filter_private.h
===
--- php/php-src/trunk/ext/filter/filter_private.h   2010-03-31 21:38:38 UTC 
(rev 297238)
+++ php/php-src/trunk/ext/filter/filter_private.h   2010-03-31 21:50:36 UTC 
(rev 297239)
@@ -78,7 +78,8 @@
 #define FILTER_SANITIZE_NUMBER_INT0x0207
 #define FILTER_SANITIZE_NUMBER_FLOAT  0x0208
 #define FILTER_SANITIZE_MAGIC_QUOTES  0x0209
-#define FILTER_SANITIZE_LAST  0x0209
+#define FILTER_SANITIZE_FULL_SPECIAL_CHARS 0x020a
+#define FILTER_SANITIZE_LAST  0x020a

 #define FILTER_SANITIZE_ALL   0x0200


Modified: php/php-src/trunk/ext/filter/php_filter.h
===
--- php/php-src/trunk/ext/filter/php_filter.h   2010-03-31 21:38:38 UTC (rev 
297238)
+++ php/php-src/trunk/ext/filter/php_filter.h   2010-03-31 21:50:36 UTC (rev 
297239)
@@ -28,6 +28,7 @@
 #include "php_ini.h"
 #include "ext/standard/info.h"
 #include "ext/standard/php_string.h"
+#include "ext/standard/html.h"
 #include "php_variables.h"

 extern zend_module_entry filter_module_entry;
@@ -81,6 +82,7 @@
 void php_filter_string(PHP_INPUT_FILTER_PARAM_DECL);
 void php_filter_encoded(PHP_INPUT_FILTER_PARAM_DECL);
 void php_filter_special_chars(PHP_INPUT_FILTER_PARAM_DECL);
+void php_filter_full_special_chars(PHP_INPUT_FILTER_PARAM_DECL);
 void php_filter_unsafe_raw(PHP_INPUT_FILTER_PARAM_DECL);
 void php_filter_email(PHP_INPUT_FILTER_PARAM_DECL);
 void php_filter_url(PHP_INPUT_FILTER_PARAM_DECL);

Modified: php/php-src/trunk/ext/filter/sanitizing_filters.c
===
--- php/php-src/trunk/ext/filter/sanitizing_filters.c   2010-03-31 21:38:38 UTC 
(rev 297238)
+++ php/php-src/trunk/ext/filter/sanitizing_filters.c   2010-03-31 21:50:36 UTC 
(rev 297239)
@@ -242,6 +242,24 @@
 }
 /* }}} */

+/* {{{ php_filter_full_special_chars */
+void php_filter_full_special_chars(PHP_INPUT_FILTER_PARAM_DECL)
+{
+   char *buf

[PHP-CVS] svn: /php/php-src/trunk/ NEWS UPGRADING Zend/Zend.m4 ext/session/session.c php.ini-development php.ini-production

2010-03-31 Thread Rasmus Lerdorf
rasmus   Wed, 31 Mar 2010 18:03:17 +

Revision: http://svn.php.net/viewvc?view=revision&revision=297232

Log:
Set session.entropy_file to /dev/urandom or /dev/arandom by
default if present at compile-time.  Addresses part of bug #51436

Bug: http://bugs.php.net/51436 (Open) LCG entropy fix insufficient, uniqid 
leaks entropy, leads to weak session IDs
  
Changed paths:
U   php/php-src/trunk/NEWS
U   php/php-src/trunk/UPGRADING
U   php/php-src/trunk/Zend/Zend.m4
U   php/php-src/trunk/ext/session/session.c
U   php/php-src/trunk/php.ini-development
U   php/php-src/trunk/php.ini-production

Modified: php/php-src/trunk/NEWS
===
--- php/php-src/trunk/NEWS  2010-03-31 17:35:28 UTC (rev 297231)
+++ php/php-src/trunk/NEWS  2010-03-31 18:03:17 UTC (rev 297232)
@@ -13,7 +13,9 @@
 - Added command line option --rz to CLI. (Johannes)

 - default_charset if not specified is now UTF-8 instead of ISO-8859-1. (Rasmus)
-
+- default session.entropy_file is now /dev/urandom or /dev/arandom if either
+  is present at compile time. (Rasmus)
+
 ?? ??? 20??, PHP 5.3.3
 - Upgraded bundled PCRE to version 8.01. (Ilia)


Modified: php/php-src/trunk/UPGRADING
===
--- php/php-src/trunk/UPGRADING 2010-03-31 17:35:28 UTC (rev 297231)
+++ php/php-src/trunk/UPGRADING 2010-03-31 18:03:17 UTC (rev 297232)
@@ -40,8 +40,20 @@

 default_charset = iso-8859-1

-  to your php.ini to preserve pre-PHPX.Y behavior
+  to your php.ini to preserve pre-PHPX.Y behavior.

+- We now check at compile time if /dev/urandom or /dev/arandom
+  are present to provide non-blocking entropy to session id
+  generation.  If either is present, session.entropy_file
+  now defaults to that file and session.entropy_length defaults
+  to 32.  If you do not want extra entropy for your session ids
+  for some reason, add:
+
+session.entropy_file=
+session.entropy_length=0
+
+  to your php.ini to preserve pre-PHPX.Y behavior.
+
 =
 2. Reserved words and classes
 =

Modified: php/php-src/trunk/Zend/Zend.m4
===
--- php/php-src/trunk/Zend/Zend.m4  2010-03-31 17:35:28 UTC (rev 297231)
+++ php/php-src/trunk/Zend/Zend.m4  2010-03-31 18:03:17 UTC (rev 297232)
@@ -419,4 +419,11 @@
   AC_MSG_RESULT(yes)
 else
   AC_MSG_RESULT(no)
+  AC_MSG_CHECKING(whether /dev/arandom exists)
+  if test -r "/dev/arandom" && test -c "/dev/arandom"; then
+AC_DEFINE([HAVE_DEV_ARANDOM], 1, [Define if the target system has 
/dev/arandom device])
+AC_MSG_RESULT(yes)
+  else
+AC_MSG_RESULT(no)
+  fi
 fi
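Review bot: The `test -r "/dev/arandom" && test -c "/dev/arandom"` probe inspects the filesystem of the machine running configure, while the AC_DEFINE description speaks of the target system. For a cross-compile, or a package build in a minimal chroot without the device node, HAVE_DEV_ARANDOM stays undefined and the session.c change in this commit then defaults session.entropy_file to empty. A comment such as `dnl Probed on the build host; set session.entropy_file in php.ini if the runtime differs` would make that explicit. The enclosing check starts above the hunk, so the probe this block is nested under (presumably the /dev/urandom one) is not visible here.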

Modified: php/php-src/trunk/ext/session/session.c
===
--- php/php-src/trunk/ext/session/session.c 2010-03-31 17:35:28 UTC (rev 
297231)
+++ php/php-src/trunk/ext/session/session.c 2010-03-31 18:03:17 UTC (rev 
297232)
@@ -781,8 +781,16 @@
STD_PHP_INI_BOOLEAN("session.use_cookies",  "1", 
PHP_INI_ALL, OnUpdateBool,   use_cookies,php_ps_globals,ps_globals)
STD_PHP_INI_BOOLEAN("session.use_only_cookies", "1", 
PHP_INI_ALL, OnUpdateBool,   use_only_cookies,   php_ps_globals,ps_globals)
STD_PHP_INI_ENTRY("session.referer_check",  "",  
PHP_INI_ALL, OnUpdateString, extern_referer_chk, php_ps_globals,ps_globals)
+#if HAVE_DEV_URANDOM
+   STD_PHP_INI_ENTRY("session.entropy_file",   "/dev/urandom", 
 PHP_INI_ALL, OnUpdateString, entropy_file,   php_ps_globals,ps_globals)
+   STD_PHP_INI_ENTRY("session.entropy_length", "32", 
PHP_INI_ALL, OnUpdateLong,   entropy_length, php_ps_globals,ps_globals)
+#elif HAVE_DEV_ARANDOM
+   STD_PHP_INI_ENTRY("session.entropy_file",   "/dev/arandom", 
 PHP_INI_ALL, OnUpdateString, entropy_file,   php_ps_globals,ps_globals)
+   STD_PHP_INI_ENTRY("session.entropy_length", "32", 
PHP_INI_ALL, OnUpdateLong,   entropy_length, php_ps_globals,ps_globals)
+#else
STD_PHP_INI_ENTRY("session.entropy_file",   "",  
PHP_INI_ALL, OnUpdateString, entropy_file,   php_ps_globals,ps_globals)
STD_PHP_INI_ENTRY("session.entropy_length", "0", 
PHP_INI_ALL, OnUpdateLong,   entropy_length, php_ps_globals,ps_globals)
+#endif
STD_PHP_INI_ENTRY("session.cache_limiter",  "nocache",   
PHP_INI_ALL, OnUpdateString, cache_limiter,  php_ps_globals,ps_globals)
STD_PHP_INI_ENTRY("session.cache_expire",   "180",   
PHP_INI_ALL, OnUpdateLong,   cache_expire,   php_ps_globals,ps_globals)
PHP_INI_ENTRY("session.use_trans_sid",  "0", 
PHP_INI_ALL, OnUpdateTransSid)
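Review bot: The new defaults are chosen with `#if HAVE_DEV_URANDOM` / `#elif HAVE_DEV_ARANDOM`, so the device path is fixed when PHP is built and nothing in this hunk covers a runtime where that node is missing, such as a chroot without /dev. The code that opens entropy_file is outside the hunk; if it ignores an open failure, session ids would be generated without the extra entropy and without any diagnostic, so a warning at that point would be worth adding. As a style point, `#if defined(HAVE_DEV_URANDOM)` / `#elif defined(HAVE_DEV_ARANDOM)` avoids evaluating an undefined macro, and the two identical `session.entropy_length` `"32"` entries could be shared by putting only the path under the conditional.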

Modified: php/php-src/trunk/php.ini-development
=