[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/UPGRADING branches/PHP_5_3/php.ini-development branches/PHP_5_3/php.ini-production branches/PHP_5_4/UPGRADING branches/PHP_5_4/php.ini-development branche

2011-12-15 Thread Dmitry Stogov
dmitry   Thu, 15 Dec 2011 10:31:02 +

Revision: http://svn.php.net/viewvc?view=revision&revision=321040

Log:
Added max_input_vars directive to prevent attacks based on hash collisions

Changed paths:
U   php/php-src/branches/PHP_5_3/UPGRADING
U   php/php-src/branches/PHP_5_3/php.ini-development
U   php/php-src/branches/PHP_5_3/php.ini-production
U   php/php-src/branches/PHP_5_4/UPGRADING
U   php/php-src/branches/PHP_5_4/php.ini-development
U   php/php-src/branches/PHP_5_4/php.ini-production
U   php/php-src/trunk/UPGRADING
U   php/php-src/trunk/php.ini-development
U   php/php-src/trunk/php.ini-production

Modified: php/php-src/branches/PHP_5_3/UPGRADING
===
--- php/php-src/branches/PHP_5_3/UPGRADING  2011-12-15 09:16:31 UTC (rev 
321039)
+++ php/php-src/branches/PHP_5_3/UPGRADING  2011-12-15 10:31:02 UTC (rev 
321040)
@@ -163,6 +163,11 @@
   xsl.security_prefs. This option will be marked as deprecated in 5.4 again.
   Use the method XsltProcess::setSecurityPrefs($options) there.

+- the following new directives were added
+
+  - max_input_vars - specifies how many GET/POST/COOKIE input variables may be
+accepted. default value 1000.
+
 =
 5. Deprecated
 =
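Review bot: the new entry says how many GET/POST/COOKIE variables are accepted (default 1000) but not what happens to a request that exceeds the limit, which is the one thing an operator reading UPGRADING before deploying needs to know; add a sentence stating whether the surplus variables are dropped and whether a warning is raised. The entry also sits on its own rather than in the "New INI directives:" list this file already keeps for such additions, and "default value 1000." is a fragment; "The default value is 1000." reads correctly.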

Modified: php/php-src/branches/PHP_5_3/php.ini-development
===
--- php/php-src/branches/PHP_5_3/php.ini-development2011-12-15 09:16:31 UTC 
(rev 321039)
+++ php/php-src/branches/PHP_5_3/php.ini-development2011-12-15 10:31:02 UTC 
(rev 321040)
@@ -457,6 +457,9 @@
 ; http://php.net/max-input-nesting-level
 ;max_input_nesting_level = 64

+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
 ; Maximum amount of memory a script may consume (128MB)
 ; http://php.net/memory-limit
 memory_limit = 128M
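Review bot: the commented-out entry has no documentation-link line, whereas the neighbouring max_input_nesting_level block carries "; http://php.net/max-input-nesting-level"; following that pattern with a "; http://php.net/max-input-vars" line keeps the new directive discoverable. The one-line comment should also say what happens to variables beyond the limit, since this setting exists specifically to cap attacker-controlled input and an administrator tuning it needs to know whether exceeding it is silent or produces a warning.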

Modified: php/php-src/branches/PHP_5_3/php.ini-production
===
--- php/php-src/branches/PHP_5_3/php.ini-production 2011-12-15 09:16:31 UTC 
(rev 321039)
+++ php/php-src/branches/PHP_5_3/php.ini-production 2011-12-15 10:31:02 UTC 
(rev 321040)
@@ -457,6 +457,9 @@
 ; http://php.net/max-input-nesting-level
 ;max_input_nesting_level = 64

+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
 ; Maximum amount of memory a script may consume (128MB)
 ; http://php.net/memory-limit
 memory_limit = 128M
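Review bot: "; max_input_vars = 1000" has a space after the semicolon while the adjacent disabled directive is written ";max_input_nesting_level = 64"; the ini templates use the no-space form for lines meant to be uncommented, so match it. For php.ini-production in particular, consider shipping the line uncommented so the effective limit is visible to whoever audits the file instead of being implied by the built-in default.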

Modified: php/php-src/branches/PHP_5_4/UPGRADING
===
--- php/php-src/branches/PHP_5_4/UPGRADING  2011-12-15 09:16:31 UTC (rev 
321039)
+++ php/php-src/branches/PHP_5_4/UPGRADING  2011-12-15 10:31:02 UTC (rev 
321040)
@@ -75,7 +75,11 @@
   - safe_mode_protected_env_vars
   - zend.ze1_compatibility_mode

+- the following new directives were added

+  - max_input_vars - specifies how many GET/POST/COOKIE input variables may be
+accepted. default value 1000.
+
 =
 2. Reserved words and classes
 =
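Review bot: the "the following new directives were added" block lands directly beneath the list of removed directives (safe_mode_protected_env_vars, zend.ze1_compatibility_mode) with no heading of its own, so a reader skimming the list can take max_input_vars for another removal; give it its own sub-heading or move it to the section that lists new INI directives. Like the PHP_5_3 copy, the text should also say what happens when the limit is exceeded, and "default value 1000." should be a full sentence.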

Modified: php/php-src/branches/PHP_5_4/php.ini-development
===
--- php/php-src/branches/PHP_5_4/php.ini-development2011-12-15 09:16:31 UTC 
(rev 321039)
+++ php/php-src/branches/PHP_5_4/php.ini-development2011-12-15 10:31:02 UTC 
(rev 321040)
@@ -397,6 +397,9 @@
 ; http://php.net/max-input-nesting-level
 ;max_input_nesting_level = 64

+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
 ; Maximum amount of memory a script may consume (128MB)
 ; http://php.net/memory-limit
 memory_limit = 128M

Modified: php/php-src/branches/PHP_5_4/php.ini-production
===
--- php/php-src/branches/PHP_5_4/php.ini-production 2011-12-15 09:16:31 UTC 
(rev 321039)
+++ php/php-src/branches/PHP_5_4/php.ini-production 2011-12-15 10:31:02 UTC 
(rev 321040)
@@ -397,6 +397,9 @@
 ; http://php.net/max-input-nesting-level
 ;max_input_nesting_level = 64

+; How many GET/POST/COOKIE input variables may be accepted
+; max_input_vars = 1000
+
 ; Maximum amount of memory a script may consume (128MB)
 ; http://php.net/memory-limit
 memory_limit = 128M

Modified: php/php-src/trunk/UPGRADING
===
--- php/php-src/trunk/UPGRADING 2011-12-15 09:16:31 UTC (rev 321039)
+++ php/php-src/trunk/UPGRADING 2011-12-15 10:31:02 UTC (rev 321040)
@@ -82,6 +82,11 @@
   - safe_mode_protected_env_vars
   - zend.ze1_compatibility_mode

+- the following new directives were added
+
+  - max_input_vars - specifies how many GET/POST/COOKIE input variables may be
+accepted. default value 1000.
+
 =
 2. Reserved words and classes
 =
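Review bot: as in the PHP_5_4 copy of this file, the new block is appended under the list of removed directives without a heading, and the description stops at "default value 1000." without saying whether extra variables are dropped or warned about; fix both here in trunk as well so the three copies stay in step.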

Modified: 

[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/UPGRADING branches/PHP_5_3/main/main.c branches/PHP_5_3/main/php_globals.h branches/PHP_5_4/main/main.c trunk/main/main.c

2011-11-24 Thread Pierre Joye
pajoye   Thu, 24 Nov 2011 12:46:45 +

Revision: http://svn.php.net/viewvc?view=revision&revision=319750

Log:
- merge crt warning change (r216594) and rename the ini to 
windows.show_crt_warning

Changed paths:
U   php/php-src/branches/PHP_5_3/UPGRADING
U   php/php-src/branches/PHP_5_3/main/main.c
U   php/php-src/branches/PHP_5_3/main/php_globals.h
U   php/php-src/branches/PHP_5_4/main/main.c
U   php/php-src/trunk/main/main.c

Modified: php/php-src/branches/PHP_5_3/UPGRADING
===
--- php/php-src/branches/PHP_5_3/UPGRADING  2011-11-24 11:42:00 UTC (rev 
319749)
+++ php/php-src/branches/PHP_5_3/UPGRADING  2011-11-24 12:46:45 UTC (rev 
319750)
@@ -343,6 +343,9 @@

 - A new directive, request_order, controls the behavior of $_REQUEST
   independently of variables_order.
+- A new directive, called windows.show_crt_warning, has been introduced.
+  This directive shows the CRT warnings when enabled. These warnings were
+  displayed by default until now. It is disabled by default.

 - New INI directives:
   - mail.add_x_header
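Review bot: the new paragraph is glued to the preceding request_order entry without the blank line that separates entries elsewhere in this list, and it sits just above the "New INI directives:" list that is the natural home for it; add windows.show_crt_warning as an item there (next to mail.add_x_header) and keep the explanatory sentences with it. The text should also say that the directive exists only in Windows builds, which the #ifdef PHP_WIN32 guard around its INI entry in main.c makes the case; a reader of UPGRADING on Linux will otherwise look for a setting that is not there.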

Modified: php/php-src/branches/PHP_5_3/main/main.c
===
--- php/php-src/branches/PHP_5_3/main/main.c2011-11-24 11:42:00 UTC (rev 
319749)
+++ php/php-src/branches/PHP_5_3/main/main.c2011-11-24 12:46:45 UTC (rev 
319750)
@@ -544,6 +544,9 @@
STD_PHP_INI_ENTRY(user_ini.filename,  .user.ini,
PHP_INI_SYSTEM, OnUpdateString, user_ini_filename,  
php_core_globals,   core_globals)
STD_PHP_INI_ENTRY(user_ini.cache_ttl, 300,  
PHP_INI_SYSTEM, OnUpdateLong,   user_ini_cache_ttl, 
php_core_globals,   core_globals)
STD_PHP_INI_BOOLEAN(exit_on_timeout,  0,
PHP_INI_ALL,OnUpdateBool,   exit_on_timeout,
php_core_globals,   core_globals)
+#ifdef PHP_WIN32
+   STD_PHP_INI_BOOLEAN(windows.show_crt_warning, 0,
PHP_INI_ALL,OnUpdateBool,   
windows_show_crt_warning,   php_core_globals,   
core_globals)
+#endif
 PHP_INI_END()
 /* }}} */
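Review bot: the changed-paths list contains no php.ini-development or php.ini-production update, so windows.show_crt_warning is declared here and mentioned in UPGRADING but never appears in the shipped ini templates; add a commented entry to both. PHP_INI_ALL also lets any script enable the warnings at runtime with ini_set(); if this is meant as an administrator-controlled diagnostic, PHP_INI_SYSTEM, as used by the user_ini.* entries just above, is the tighter choice.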

@@ -1787,18 +1790,21 @@
int len;

if (!called) {
-   called = 1;
-   if (function) {
-   if (file) {
-   len = _snprintf(buf, sizeof(buf)-1, Invalid 
parameter detected in CRT function '%ws' (%ws:%d), function, file, line);
+   TSRMLS_FETCH();
+   if(PG(windows_show_crt_warning)) {
+   called = 1;
+   if (function) {
+   if (file) {
+   len = _snprintf(buf, sizeof(buf)-1, 
Invalid parameter detected in CRT function '%ws' (%ws:%d), function, file, 
line);
+   } else {
+   len = _snprintf(buf, sizeof(buf)-1, 
Invalid parameter detected in CRT function '%ws', function);
+   }
} else {
-   len = _snprintf(buf, sizeof(buf)-1, Invalid 
parameter detected in CRT function '%ws', function);
+   len = _snprintf(buf, sizeof(buf)-1, Invalid 
CRT parameter detected (function not known));
}
-   } else {
-   len = _snprintf(buf, sizeof(buf)-1, Invalid CRT 
parameters detected);
+   zend_error(E_WARNING, %s, buf);
+   called = 0;
}
-   zend_error(E_WARNING, %s, buf);
-   called = 0;
}
 }
 #endif
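Review bot: in every branch `len` receives the result of `_snprintf` and is then never read, and `_snprintf` does not NUL-terminate the buffer when it truncates; `sizeof(buf)-1` leaves room for a terminator but nothing in the hunk writes one, so unless `buf` is zero-initialised at its declaration (outside this hunk) the `zend_error(E_WARNING, "%s", buf)` call can read past the formatted text. Write `buf[sizeof(buf)-1] = '\0';` before the zend_error call, or drop `len` if it is not going to be used. Minor: `if(PG(windows_show_crt_warning))` wants a space after `if` to match the surrounding style.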

Modified: php/php-src/branches/PHP_5_3/main/php_globals.h
===
--- php/php-src/branches/PHP_5_3/main/php_globals.h 2011-11-24 11:42:00 UTC 
(rev 319749)
+++ php/php-src/branches/PHP_5_3/main/php_globals.h 2011-11-24 12:46:45 UTC 
(rev 319750)
@@ -170,6 +170,10 @@
char *mail_log;

zend_bool in_error_log;
+
+#ifdef PHP_WIN32
+   zend_bool windows_show_crt_warning;
+#endif
 };
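Review bot: the field is appended to php_core_globals inside #ifdef PHP_WIN32, matching the guard around the INI entry in main.c, which is the right way to keep non-Windows builds untouched; keep the two guards in sync, since an unguarded PG(windows_show_crt_warning) reference would not compile elsewhere. On a stable branch, adding a member does change the size of php_core_globals for Windows builds, so placing it last (rather than next to in_error_log with the other zend_bool members) is the safer choice because existing member offsets stay where they are; worth a line in NEWS for people building Windows extensions against the 5.3 headers.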



Modified: php/php-src/branches/PHP_5_4/main/main.c
===
--- php/php-src/branches/PHP_5_4/main/main.c2011-11-24 11:42:00 UTC (rev 
319749)
+++ php/php-src/branches/PHP_5_4/main/main.c2011-11-24 12:46:45 UTC (rev 
319750)
@@ -514,7 +514,7 @@
STD_PHP_INI_ENTRY(user_ini.cache_ttl, 300,  
PHP_INI_SYSTEM, OnUpdateLong,   user_ini_cache_ttl, 
php_core_globals,   core_globals)
STD_PHP_INI_BOOLEAN(exit_on_timeout,  0,
PHP_INI_ALL,OnUpdateBool,   exit_on_timeout,

[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/UPGRADING branches/PHP_5_3/ext/xsl/php_xsl.c branches/PHP_5_3/ext/xsl/php_xsl.h branches/PHP_5_3/ext/xsl/tests/bug54446.phpt branches/PHP_5_3/ext/xsl/test

2011-10-10 Thread Christian Stocker
chregu   Mon, 10 Oct 2011 07:59:19 +

Revision: http://svn.php.net/viewvc?view=revision&revision=317953

Log:
Added the xsl.security_prefs option to 5_4 and trunk and
mark it as deprecated for BC-reasons
Added tests for ini option and combination of both

Changed paths:
U   php/php-src/branches/PHP_5_3/UPGRADING
U   php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c
U   php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.h
D   php/php-src/branches/PHP_5_3/ext/xsl/tests/bug54446.phpt
A + php/php-src/branches/PHP_5_3/ext/xsl/tests/bug54446_with_ini.phpt
(from php/php-src/branches/PHP_5_3/ext/xsl/tests/bug54446.phpt:r317952)
U   php/php-src/branches/PHP_5_3/ext/xsl/xsltprocessor.c
U   php/php-src/branches/PHP_5_4/ext/xsl/php_xsl.c
U   php/php-src/branches/PHP_5_4/ext/xsl/php_xsl.h
A   php/php-src/branches/PHP_5_4/ext/xsl/tests/bug54446_with_ini.phpt
U   php/php-src/branches/PHP_5_4/ext/xsl/xsltprocessor.c
U   php/php-src/trunk/ext/xsl/php_xsl.c
U   php/php-src/trunk/ext/xsl/php_xsl.h
A   php/php-src/trunk/ext/xsl/tests/bug54446_with_ini.phpt
U   php/php-src/trunk/ext/xsl/xsltprocessor.c

Modified: php/php-src/branches/PHP_5_3/UPGRADING
===
--- php/php-src/branches/PHP_5_3/UPGRADING	2011-10-10 05:33:29 UTC (rev 317952)
+++ php/php-src/branches/PHP_5_3/UPGRADING	2011-10-10 07:59:19 UTC (rev 317953)
@@ -153,7 +153,16 @@

 - SplObjectStorage now has ArrayAccess support. It is also now possible to
   store associative information with objects in SplObjectStorage.
+
+=
+4.1 New in PHP 5.3.9
+=

+- Write operations within XSLT (for example with the extension sax:output) are
+  disabled by default. You can define what is forbidden with the INI option
+  xsl.security_prefs. This option will be marked as deprecated in 5.4 again.
+  Use the method XsltProcess::setSecurityPrefs($options) there.
+
 =
 5. Deprecated
 =
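Review bot: the last sentence names the method as XsltProcess::setSecurityPrefs($options); the class is XSLTProcessor (this same file lists XSLTProcessor::setProfiling() further down), so fix the name. "This option will be marked as deprecated in 5.4 again" reads oddly; "The INI option is deprecated as of 5.4; use XSLTProcessor::setSecurityPrefs() there" says what is meant. It would also help to state exactly what the default forbids: per the XSL_SECPREF_DEFAULT comment in php_xsl.h it is file writes, directory creation and network writes, while network reads remain allowed, which is a distinction a deployer hardening xsl.security_prefs needs to see here rather than in the header.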

Modified: php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c
===
--- php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c	2011-10-10 05:33:29 UTC (rev 317952)
+++ php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c	2011-10-10 07:59:19 UTC (rev 317953)
@@ -180,6 +180,7 @@
 	REGISTER_LONG_CONSTANT(XSL_SECPREF_CREATE_DIRECTORY, XSL_SECPREF_CREATE_DIRECTORY, CONST_CS | CONST_PERSISTENT);
 	REGISTER_LONG_CONSTANT(XSL_SECPREF_READ_NETWORK, XSL_SECPREF_READ_NETWORK, CONST_CS | CONST_PERSISTENT);
 	REGISTER_LONG_CONSTANT(XSL_SECPREF_WRITE_NETWORK,XSL_SECPREF_WRITE_NETWORK,CONST_CS | CONST_PERSISTENT);
+	REGISTER_LONG_CONSTANT(XSL_SECPREF_DEFAULT,  XSL_SECPREF_DEFAULT,  CONST_CS | CONST_PERSISTENT);

 	REGISTER_LONG_CONSTANT(LIBXSLT_VERSION,   LIBXSLT_VERSION,CONST_CS | CONST_PERSISTENT);
 	REGISTER_STRING_CONSTANT(LIBXSLT_DOTTED_VERSION,  LIBXSLT_DOTTED_VERSION, CONST_CS | CONST_PERSISTENT);

Modified: php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.h
===
--- php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.h	2011-10-10 05:33:29 UTC (rev 317952)
+++ php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.h	2011-10-10 07:59:19 UTC (rev 317953)
@@ -50,6 +50,8 @@
 #define XSL_SECPREF_CREATE_DIRECTORY 8
 #define XSL_SECPREF_READ_NETWORK 16
 #define XSL_SECPREF_WRITE_NETWORK 32
+/* Default == disable all write access ==  XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_FILE */
+#define XSL_SECPREF_DEFAULT 44

 typedef struct _xsl_object {
 	zend_object  std;
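Review bot: XSL_SECPREF_DEFAULT is defined as the literal 44 with its intended composition stated only in the comment; define it as the expression `(XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_FILE)` so it cannot silently diverge from the flag values. 44 = 32 + 8 + 4 does match the comment provided XSL_SECPREF_WRITE_FILE is 4, which lies just outside the hunk's context.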

Deleted: php/php-src/branches/PHP_5_3/ext/xsl/tests/bug54446.phpt
===
--- php/php-src/branches/PHP_5_3/ext/xsl/tests/bug54446.phpt	2011-10-10 05:33:29 UTC (rev 317952)
+++ php/php-src/branches/PHP_5_3/ext/xsl/tests/bug54446.phpt	2011-10-10 07:59:19 UTC (rev 317953)
@@ -1,95 +0,0 @@
---TEST--
-Bug #54446 (Arbitrary file creation via libxslt 'output' extension)
---SKIPIF--
-?php
-if (!extension_loaded('xsl')) die(skip Extension XSL is required\n);
-?
---FILE--
-?php
-include(prepare.inc);
-
-$outputfile = dirname(__FILE__)./bug54446test.txt;
-if (file_exists($outputfile)) {
-unlink($outputfile);
-}
-
-$sXsl = EOT
-xsl:stylesheet version=1.0
-	xmlns:xsl=http://www.w3.org/1999/XSL/Transform;
-	xmlns:sax=http://icl.com/saxon;
-	extension-element-prefixes=sax
-
-	xsl:template match=/
-		sax:output href=$outputfile method=text
-			xsl:value-of select='0wn3d via PHP and libxslt ...'/
-		/sax:output
-	/xsl:template
-
-/xsl:stylesheet
-EOT;
-
-$xsl-loadXML( $sXsl );
-
-# START XSLT
-$proc-importStylesheet( $xsl );
-
-# TRASNFORM  PRINT
-print $proc-transformToXML( $dom );
-
-
-if (file_exists($outputfile)) {
-print $outputfile exists, but shouldn't!\n;
-} else {
-print OK, no file created\n;
-}
-
-#SET NO 

[PHP-CVS] svn: /php/php-src/branches/PHP_5_3/ UPGRADING

2011-02-11 Thread Peter Cowburn
salathe  Fri, 11 Feb 2011 22:31:52 +

Revision: http://svn.php.net/viewvc?view=revision&revision=308266

Log:
Oopsie, fix typo in UPGRADING

Changed paths:
U   php/php-src/branches/PHP_5_3/UPGRADING

Modified: php/php-src/branches/PHP_5_3/UPGRADING
===
--- php/php-src/branches/PHP_5_3/UPGRADING  2011-02-11 22:16:33 UTC (rev 
308265)
+++ php/php-src/branches/PHP_5_3/UPGRADING  2011-02-11 22:31:52 UTC (rev 
308266)
@@ -671,7 +671,7 @@
ReflectionClass::getNamespaceName()
ReflectionClass::getShortName()
- SPL:  DirectoryIterator::getExtension()
-   SplFileObject::getExtension()
+   SplFileInfo::getExtension()
SplObjectStorage::addAll()
SplObjectStorage::removeAll()
- XSL:  XSLTProcessor::setProfiling()

-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP-CVS] svn: /php/php-src/branches/PHP_5_3/ UPGRADING

2010-12-08 Thread Pierre Joye
pajoye   Wed, 08 Dec 2010 09:38:47 +

Revision: http://svn.php.net/viewvc?view=revision&revision=306076

Log:
- new warning in imagepstext

Changed paths:
U   php/php-src/branches/PHP_5_3/UPGRADING

Modified: php/php-src/branches/PHP_5_3/UPGRADING
===
--- php/php-src/branches/PHP_5_3/UPGRADING  2010-12-08 08:45:56 UTC (rev 
306075)
+++ php/php-src/branches/PHP_5_3/UPGRADING  2010-12-08 09:38:47 UTC (rev 
306076)
@@ -276,6 +276,8 @@
 - MySQLi: Now supports persistent connections by prepending the 
hostname
   with p:.

+- imagepstext now rejects invalid antialiasing steps and raises a 
warning.
+
  d. no longer possible to disable

 - PCRE
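Review bot: the entry says imagepstext now rejects invalid antialiasing steps and raises a warning, but not which values are accepted or what the function returns when it rejects the argument; a one-line statement of the valid values and of the return value on rejection would let callers update their error handling without reading the source.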
