Re: [oe] [meta-oe][PATCH 2/2] php: Security Advisory - php - CVE-2018-5712

2018-03-08 Thread Zhou, Li



On 03/08/2018 03:40 AM, akuster808 wrote:


On 03/04/2018 09:08 PM, Zhou, Li wrote:


On 03/04/2018 11:00 PM, akuster808 wrote:

On 02/25/2018 11:50 PM, Li Zhou wrote:

Porting the patch from  to solve CVE-2018-5712.

Signed-off-by: Li Zhou 

This would not apply.
can you double check?

I just downloaded the newest code and it can apply successfully.
Have you already applied the patch for CVE-2018-5711 which I sent
together with this patch?

yes.


If yes, please give me more information about the failure. Thanks.

./contrib/pw-am.sh 148343
2018-03-07 11:39:39
URL:https://patchwork.openembedded.org/patch/148343/mbox/ [24852] ->
"pw-am-148343.patch" [1]
Applying: php: Security Advisory - php - CVE-2018-5712
.git/rebase-apply/patch:57: space before tab in indent.
  static const char newstub0[] = " 2,\n'c' =>
'text/plain',\n'cc' => 'text/plain',\n'cpp' => 'text/plain',\n'c++' =>
'text/plain',\n'dtd' => 'text/plain',\n'h' => 'text/plain',\n'log' =>
'text/plain',\n'rng' => 'text/plain',\n'txt' => 'text/plain',\n'xsd' =>
'text/plain',\n'php' => 1,\n'inc' => 1,\n'avi' => 'video/avi',\n'bmp' =>
'image/bmp',\n'css' => 'text/css',\n'gif' => 'image/gif',\n'htm' =>
'text/html',\n'html' => 'text/html',\n'htmls' => 'text/html',\n'ico' =>
'image/x-ico',
.git/rebase-apply/patch:63: space before tab in indent.
  static const char newstub2[] = "';\nconst LEN = ";
.git/rebase-apply/patch:64: space before tab in indent.
  static const char newstub3_0[] = ";\n\nstatic function go($return =
false)\n{\n$fp = fopen(__FILE__, 'rb');\nfseek($fp, self::LEN);\n$L =
unpack('V', $a = fread($fp, 4));\n$m = '';\n\ndo {\n$read = 8192;\nif
($L[1] - strlen($m) < 8192) {\n$read = $L[1] - strlen($m);\n}\n$last =
fread($fp, $read);\n$m .= $last;\n} while (strlen($last) && strlen($m) <
$L[1]);\n\nif (strlen($m) < $L[1]) {\ndie('ERROR: manifest length read
was \"' .\nstrlen($m) .'\" should be \"' .\n$L[1] . '\"');\n}\n\n$info =
self::_unpack($m);\n$f = $info['c'];\n\nif ($f & self::GZ) {\nif
(!function_exists('gzinflate')) {\ndie('Error: zlib extension is not
enabled -' .\n' gzinflate() function needed for zlib-compressed
.phars');\n}\n}\n\nif ($f & self::BZ2) {\nif
(!function_exists('bzdecompress')) {\ndie('Error: bzip2 extension is not
enabled -' .\n' bzdecompress() function needed for bz2-compressed
.phars');\n}\n}\n\n$temp = self::tmpdir();\n\nif (!$temp ||
!is_writable($temp)) {\n$sessionpath = session_sa
.git/rebase-apply/patch:67: space before tab in indent.
  static const char newstub3_1[] = "ction tmpdir()\n{\nif
(strpos(PHP_OS, 'WIN') !== false) {\nif ($var = getenv('TMP') ?
getenv('TMP') : getenv('TEMP')) {\nreturn $var;\n}\nif (is_dir('/temp')
|| mkdir('/temp')) {\nreturn realpath('/temp');\n}\nreturn false;\n}\nif
($var = getenv('TMPDIR')) {\nreturn $var;\n}\nreturn
realpath('/tmp');\n}\n\nstatic function _unpack($m)\n{\n$info =
unpack('V', substr($m, 0, 4));\n $l = unpack('V', substr($m, 10,
4));\n$m = substr($m, 14 + $l[1]);\n$s = unpack('V', substr($m, 0,
4));\n$o = 0;\n$start = 4 + $s[1];\n$ret['c'] = 0;\n\nfor ($i = 0; $i <
$info[1]; $i++) {\n $len = unpack('V', substr($m, $start, 4));\n$start
+= 4;\n $savepath = substr($m, $start, $len[1]);\n$start += $len[1];\n
$ret['m'][$savepath] = array_values(unpack('Va/Vb/Vc/Vd/Ve/Vf',
substr($m, $start, 24)));\n$ret['m'][$savepath][3] = sprintf('%u',
$ret['m'][$savepath][3]\n& 0x);\n$ret['m'][$savepath][7] =
$o;\n$o += $ret['m'][$savepath][2];\n$start += 24 + $ret['m
fatal: corrupt patch at line 451


line 451 is the end of the new added patch file CVE-2018-5712.patch in 
meta-oe/recipes-devtools/php/php-7.1.9.

I never see this when I run "git am" directly.
I am not sure whether this is related to the newly added file containing
lines longer than the maximum length limit.



Patch failed at 0001 php: Security Advisory - php - CVE-2018-5712


- amrin

---
   .../php/php-7.1.9/CVE-2018-5712.patch  | 432
+
   meta-oe/recipes-devtools/php/php_7.1.9.bb  |   1 +
   2 files changed, 433 insertions(+)
   create mode 100644
meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5712.patch

diff --git
a/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5712.patch
b/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5712.patch
new file mode 100644
index 000..87ccc02
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5712.patch
@@ -0,0 +1,432 @@
+From fc2ac180fdaf4589c203802fff308fb8cbce58c6 Mon Sep 17 00:00:00 2001
+From: Li Zhou 
+Date: Sun, 11 Feb 2018 15:45:32 +0800
+Subject: [PATCH] Fix bug #74782: remove file name from output to
avoid XSS
+
+Upstream-Status: Backport
+CVE: CVE-2018-5712
+Signed-off-by: Li Zhou 
+---
+ ext/phar/shortarc.php |  2 +-
+ ext/phar/stub.h   |  4 ++--
+ ext/phar/tests/cache_list/copyonwrite11.phar.phpt |  4 ++--
+ ext/phar/tests/phar_commitwrite.phpt  

Re: [oe] [meta-oe][PATCH 2/2] php: Security Advisory - php - CVE-2018-5712

2018-03-07 Thread akuster808


On 03/04/2018 09:08 PM, Zhou, Li wrote:
>
>
> On 03/04/2018 11:00 PM, akuster808 wrote:
>>
>> On 02/25/2018 11:50 PM, Li Zhou wrote:
>>> Porting the patch from >> h=73ca9b37731dd9690ffd9706333b17eaf90ea091> to solve CVE-2018-5712.
>>>
>>> Signed-off-by: Li Zhou 
>> This would not apply.
>> can you double check?
>
> I just downloaded the newest code and it can apply successfully.
> Have you already applied the patch for CVE-2018-5711 which I sent
> together with this patch?
yes.

> If yes, please give me more information about the failure. Thanks.

./contrib/pw-am.sh 148343
2018-03-07 11:39:39
URL:https://patchwork.openembedded.org/patch/148343/mbox/ [24852] ->
"pw-am-148343.patch" [1]
Applying: php: Security Advisory - php - CVE-2018-5712
.git/rebase-apply/patch:57: space before tab in indent.
 static const char newstub0[] = " 2,\n'c' =>
'text/plain',\n'cc' => 'text/plain',\n'cpp' => 'text/plain',\n'c++' =>
'text/plain',\n'dtd' => 'text/plain',\n'h' => 'text/plain',\n'log' =>
'text/plain',\n'rng' => 'text/plain',\n'txt' => 'text/plain',\n'xsd' =>
'text/plain',\n'php' => 1,\n'inc' => 1,\n'avi' => 'video/avi',\n'bmp' =>
'image/bmp',\n'css' => 'text/css',\n'gif' => 'image/gif',\n'htm' =>
'text/html',\n'html' => 'text/html',\n'htmls' => 'text/html',\n'ico' =>
'image/x-ico',
.git/rebase-apply/patch:63: space before tab in indent.
 static const char newstub2[] = "';\nconst LEN = ";
.git/rebase-apply/patch:64: space before tab in indent.
 static const char newstub3_0[] = ";\n\nstatic function go($return =
false)\n{\n$fp = fopen(__FILE__, 'rb');\nfseek($fp, self::LEN);\n$L =
unpack('V', $a = fread($fp, 4));\n$m = '';\n\ndo {\n$read = 8192;\nif
($L[1] - strlen($m) < 8192) {\n$read = $L[1] - strlen($m);\n}\n$last =
fread($fp, $read);\n$m .= $last;\n} while (strlen($last) && strlen($m) <
$L[1]);\n\nif (strlen($m) < $L[1]) {\ndie('ERROR: manifest length read
was \"' .\nstrlen($m) .'\" should be \"' .\n$L[1] . '\"');\n}\n\n$info =
self::_unpack($m);\n$f = $info['c'];\n\nif ($f & self::GZ) {\nif
(!function_exists('gzinflate')) {\ndie('Error: zlib extension is not
enabled -' .\n' gzinflate() function needed for zlib-compressed
.phars');\n}\n}\n\nif ($f & self::BZ2) {\nif
(!function_exists('bzdecompress')) {\ndie('Error: bzip2 extension is not
enabled -' .\n' bzdecompress() function needed for bz2-compressed
.phars');\n}\n}\n\n$temp = self::tmpdir();\n\nif (!$temp ||
!is_writable($temp)) {\n$sessionpath = session_sa
.git/rebase-apply/patch:67: space before tab in indent.
 static const char newstub3_1[] = "ction tmpdir()\n{\nif
(strpos(PHP_OS, 'WIN') !== false) {\nif ($var = getenv('TMP') ?
getenv('TMP') : getenv('TEMP')) {\nreturn $var;\n}\nif (is_dir('/temp')
|| mkdir('/temp')) {\nreturn realpath('/temp');\n}\nreturn false;\n}\nif
($var = getenv('TMPDIR')) {\nreturn $var;\n}\nreturn
realpath('/tmp');\n}\n\nstatic function _unpack($m)\n{\n$info =
unpack('V', substr($m, 0, 4));\n $l = unpack('V', substr($m, 10,
4));\n$m = substr($m, 14 + $l[1]);\n$s = unpack('V', substr($m, 0,
4));\n$o = 0;\n$start = 4 + $s[1];\n$ret['c'] = 0;\n\nfor ($i = 0; $i <
$info[1]; $i++) {\n $len = unpack('V', substr($m, $start, 4));\n$start
+= 4;\n $savepath = substr($m, $start, $len[1]);\n$start += $len[1];\n  
$ret['m'][$savepath] = array_values(unpack('Va/Vb/Vc/Vd/Ve/Vf',
substr($m, $start, 24)));\n$ret['m'][$savepath][3] = sprintf('%u',
$ret['m'][$savepath][3]\n& 0x);\n$ret['m'][$savepath][7] =
$o;\n$o += $ret['m'][$savepath][2];\n$start += 24 + $ret['m
fatal: corrupt patch at line 451
Patch failed at 0001 php: Security Advisory - php - CVE-2018-5712

>
>> - amrin
>>> ---
>>>   .../php/php-7.1.9/CVE-2018-5712.patch  | 432
>>> +
>>>   meta-oe/recipes-devtools/php/php_7.1.9.bb  |   1 +
>>>   2 files changed, 433 insertions(+)
>>>   create mode 100644
>>> meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5712.patch
>>>
>>> diff --git
>>> a/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5712.patch
>>> b/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5712.patch
>>> new file mode 100644
>>> index 000..87ccc02
>>> --- /dev/null
>>> +++ b/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5712.patch
>>> @@ -0,0 +1,432 @@
>>> +From fc2ac180fdaf4589c203802fff308fb8cbce58c6 Mon Sep 17 00:00:00 2001
>>> +From: Li Zhou 
>>> +Date: Sun, 11 Feb 2018 15:45:32 +0800
>>> +Subject: [PATCH] Fix bug #74782: remove file name from output to
>>> avoid XSS
>>> +
>>> +Upstream-Status: Backport
>>> +CVE: CVE-2018-5712
>>> +Signed-off-by: Li Zhou 
>>> +---
>>> + ext/phar/shortarc.php |  2 +-
>>> + ext/phar/stub.h   |  4 ++--
>>> + ext/phar/tests/cache_list/copyonwrite11.phar.phpt |  4 ++--
>>> + ext/phar/tests/phar_commitwrite.phpt  |  2 +-
>>> + ext/phar/tests/phar_convert_repeated.phpt |  2 +-
>>> + ext/phar/tests/phar_create_in_cwd.phpt    |  2 +-
>>> + ext/phar/tests/p

Re: [oe] [meta-oe][PATCH 2/2] php: Security Advisory - php - CVE-2018-5712

2018-03-04 Thread Zhou, Li



On 03/04/2018 11:00 PM, akuster808 wrote:


On 02/25/2018 11:50 PM, Li Zhou wrote:

Porting the patch from  to solve CVE-2018-5712.

Signed-off-by: Li Zhou 

This would not apply.
can you double check?


I just downloaded the newest code and it can apply successfully.
Have you already applied the patch for CVE-2018-5711 which I sent 
together with this patch?

If yes, please give me more information about the failure. Thanks.


- amrin

---
  .../php/php-7.1.9/CVE-2018-5712.patch  | 432 +
  meta-oe/recipes-devtools/php/php_7.1.9.bb  |   1 +
  2 files changed, 433 insertions(+)
  create mode 100644 meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5712.patch

diff --git a/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5712.patch 
b/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5712.patch
new file mode 100644
index 000..87ccc02
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5712.patch
@@ -0,0 +1,432 @@
+From fc2ac180fdaf4589c203802fff308fb8cbce58c6 Mon Sep 17 00:00:00 2001
+From: Li Zhou 
+Date: Sun, 11 Feb 2018 15:45:32 +0800
+Subject: [PATCH] Fix bug #74782: remove file name from output to avoid XSS
+
+Upstream-Status: Backport
+CVE: CVE-2018-5712
+Signed-off-by: Li Zhou 
+---
+ ext/phar/shortarc.php |  2 +-
+ ext/phar/stub.h   |  4 ++--
+ ext/phar/tests/cache_list/copyonwrite11.phar.phpt |  4 ++--
+ ext/phar/tests/phar_commitwrite.phpt  |  2 +-
+ ext/phar/tests/phar_convert_repeated.phpt |  2 +-
+ ext/phar/tests/phar_create_in_cwd.phpt|  2 +-
+ ext/phar/tests/phar_createdefaultstub.phpt| 22 +++---
+ ext/phar/tests/phar_offset_check.phpt |  4 ++--
+ ext/phar/tests/phar_setdefaultstub.phpt   | 20 ++--
+ ext/phar/tests/tar/phar_convert_phar.phpt |  6 +++---
+ ext/phar/tests/tar/phar_convert_phar2.phpt|  6 +++---
+ ext/phar/tests/tar/phar_convert_phar3.phpt|  6 +++---
+ ext/phar/tests/tar/phar_convert_phar4.phpt|  6 +++---
+ ext/phar/tests/zip/phar_convert_phar.phpt |  6 +++---
+ 14 files changed, 46 insertions(+), 46 deletions(-)
+
+diff --git a/ext/phar/shortarc.php b/ext/phar/shortarc.php
+index 1bf3baa..e5ac8ba 100644
+--- a/ext/phar/shortarc.php
 b/ext/phar/shortarc.php
+@@ -74,7 +74,7 @@ if (@(isset($_SERVER['REQUEST_URI']) && 
isset($_SERVER['REQUEST_METHOD']) && ($_
+ $a = realpath(Extract_Phar::$temp . DIRECTORY_SEPARATOR . $pt);
+ if (!$a || strlen(dirname($a)) < strlen(Extract_Phar::$temp)) {
+ header('HTTP/1.0 404 Not Found');
+-echo "\n \n  File Not Found\n \n \n  404 - File ", 
$pt, " Not Found\n \n";
++echo "\n \n  File Not Found\n \n \n  404 - File 
Not Found\n \n";
+ exit;
+ }
+ $b = pathinfo($a);
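Review bot: The guard kept as context just above the changed `echo`, `strlen(dirname($a)) < strlen(Extract_Phar::$temp)`, compares path lengths rather than testing that the resolved path lies under the extraction directory, so on its own it does not establish that `$a` is contained in it. A prefix test such as `if (!$a || strpos($a, Extract_Phar::$temp . DIRECTORY_SEPARATOR) !== 0) {` would state the intent directly; this assumes `Extract_Phar::$temp` is already a canonical path, which the hunk does not show. Dropping `$pt` from the 404 body does remove the reflected value on this branch, but the enclosing `if` block starts and ends outside the hunk, so any later output of `$pt` cannot be judged from here. Because this is a backport, the hardening is better raised upstream than carried as a local divergence in the recipe; the same hunk is quoted again in the 2018-03-04 reply further down the page.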
+diff --git a/ext/phar/stub.h b/ext/phar/stub.h
+index 28e3252..dd8baed 100644
+--- a/ext/phar/stub.h
 b/ext/phar/stub.h
+@@ -22,12 +22,12 @@ static inline zend_string* phar_get_stub(const char 
*index_php, const char *web,
+ {
+   static const char newstub0[] = " 2,\n'c' => 'text/plain',\n'cc' => 'text/plain',\n'cpp' => 
'text/plain',\n'c++' => 'text/plain',\n'dtd' => 'text/plain',\n'h' => 'text/plain',\n'log' => 'text/plain',\n'rng' => 'text/plain',\n'txt' => 
'text/plain',\n'xsd' => 'text/plain',\n'php' => 1,\n'inc' => 1,\n'avi' => 'video/avi',\n'bmp' => 'image/bmp',\n'css' => 'text/css',\n'gif' => 
'image/gif',\n'htm' => 'text/html',\n'html' => 'text/html',\n'htmls' => 'text/html',\n'ico' => 'image/x-ic

o',

  \n'jpe' => 'image/jpeg',\n'jpg' => 'image/jpeg',\n'jpeg' => 'image/jpeg',\n'js' => 'application/x-javascript',\n'midi' => 
'audio/midi',\n'mid' => 'audio/midi',\n'mod' => 'audio/mod',\n'mov' => 'movie/quicktime',\n'mp3' => 'audio/mp3',\n'mpg' => 
'video/mpeg',\n'mpeg' => 'video/mpeg',\n'pdf' => 'application/pdf',\n'png' => 'image/png',\n'swf' => 'application/shockwave-flash',\n'tif' => 
'image/tiff',\n'tiff' => 'image/tiff',\n'wav' => 'audio/wav',\n'xbm' => 'image/xbm',\n'xml' => 'text/xml',\n);\n\nheader(\"Cache-Control: 
no-cache, must-revalidate\");\nheader(\"Pragma: no-cache\");\n\n$basename = basename(__FILE__);\nif (!strpos($_SERVER['REQUEST_URI'], 
$basename)) {\nchdir(Extract_Phar::$temp);\ninclude $web;\nreturn;\n}\n$pt = substr($_SERVER['REQUEST_URI'], strpos($_SERVER['REQUEST_URI'], $basename) + 
strlen($basename));\nif (!$pt || $pt == '/') {\n$pt = $web;\nheader('HTTP/1.1 301 Moved Permanently');\nheader('Location: ' . $_SERVER['REQUEST_URI'] . '/' 
. $pt);\nexit;\n

}\n$

  a = realpath(Extract_Phar::$temp . DIRECTORY_SEPARATOR . $pt);\nif (!$a || 
strlen(dirname($a)) < strlen(";
+-  static const char newstub1_1[] = "Extract_Phar::$temp)) {\nheader('HTTP/1.0 404 Not Found');\necho \"\\n \\n  File 
Not Found\\n \\n \\n  404 - File \", $pt, \" Not Found\\n 
\\n\";\nexit;\n

Re: [oe] [meta-oe][PATCH 2/2] php: Security Advisory - php - CVE-2018-5712

2018-03-04 Thread akuster808


On 02/25/2018 11:50 PM, Li Zhou wrote:
> Porting the patch from  h=73ca9b37731dd9690ffd9706333b17eaf90ea091> to solve CVE-2018-5712.
>
> Signed-off-by: Li Zhou 
This would not apply.
can you double check?
- amrin
> ---
>  .../php/php-7.1.9/CVE-2018-5712.patch  | 432 
> +
>  meta-oe/recipes-devtools/php/php_7.1.9.bb  |   1 +
>  2 files changed, 433 insertions(+)
>  create mode 100644 meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5712.patch
>
> diff --git a/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5712.patch 
> b/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5712.patch
> new file mode 100644
> index 000..87ccc02
> --- /dev/null
> +++ b/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5712.patch
> @@ -0,0 +1,432 @@
> +From fc2ac180fdaf4589c203802fff308fb8cbce58c6 Mon Sep 17 00:00:00 2001
> +From: Li Zhou 
> +Date: Sun, 11 Feb 2018 15:45:32 +0800
> +Subject: [PATCH] Fix bug #74782: remove file name from output to avoid XSS
> +
> +Upstream-Status: Backport
> +CVE: CVE-2018-5712
> +Signed-off-by: Li Zhou 
> +---
> + ext/phar/shortarc.php |  2 +-
> + ext/phar/stub.h   |  4 ++--
> + ext/phar/tests/cache_list/copyonwrite11.phar.phpt |  4 ++--
> + ext/phar/tests/phar_commitwrite.phpt  |  2 +-
> + ext/phar/tests/phar_convert_repeated.phpt |  2 +-
> + ext/phar/tests/phar_create_in_cwd.phpt|  2 +-
> + ext/phar/tests/phar_createdefaultstub.phpt| 22 
> +++---
> + ext/phar/tests/phar_offset_check.phpt |  4 ++--
> + ext/phar/tests/phar_setdefaultstub.phpt   | 20 ++--
> + ext/phar/tests/tar/phar_convert_phar.phpt |  6 +++---
> + ext/phar/tests/tar/phar_convert_phar2.phpt|  6 +++---
> + ext/phar/tests/tar/phar_convert_phar3.phpt|  6 +++---
> + ext/phar/tests/tar/phar_convert_phar4.phpt|  6 +++---
> + ext/phar/tests/zip/phar_convert_phar.phpt |  6 +++---
> + 14 files changed, 46 insertions(+), 46 deletions(-)
> +
> +diff --git a/ext/phar/shortarc.php b/ext/phar/shortarc.php
> +index 1bf3baa..e5ac8ba 100644
> +--- a/ext/phar/shortarc.php
>  b/ext/phar/shortarc.php
> +@@ -74,7 +74,7 @@ if (@(isset($_SERVER['REQUEST_URI']) && 
> isset($_SERVER['REQUEST_METHOD']) && ($_
> + $a = realpath(Extract_Phar::$temp . DIRECTORY_SEPARATOR . $pt);
> + if (!$a || strlen(dirname($a)) < strlen(Extract_Phar::$temp)) {
> + header('HTTP/1.0 404 Not Found');
> +-echo "\n \n  File Not Found\n \n 
> \n  404 - File ", $pt, " Not Found\n \n";
> ++echo "\n \n  File Not Found\n \n 
> \n  404 - File Not Found\n \n";
> + exit;
> + }
> + $b = pathinfo($a);
> +diff --git a/ext/phar/stub.h b/ext/phar/stub.h
> +index 28e3252..dd8baed 100644
> +--- a/ext/phar/stub.h
>  b/ext/phar/stub.h
> +@@ -22,12 +22,12 @@ static inline zend_string* phar_get_stub(const char 
> *index_php, const char *web,
> + {
> + static const char newstub0[] = " + static const char newstub1_0[] = "';\n\nif (in_array('phar', 
> stream_get_wrappers()) && class_exists('Phar', 0)) 
> {\nPhar::interceptFileFuncs();\nset_include_path('phar://' . __FILE__ . 
> PATH_SEPARATOR . get_include_path());\nPhar::webPhar(null, $web);\ninclude 
> 'phar://' . __FILE__ . '/' . Extract_Phar::START;\nreturn;\n}\n\nif 
> (@(isset($_SERVER['REQUEST_URI']) && isset($_SERVER['REQUEST_METHOD']) && 
> ($_SERVER['REQUEST_METHOD'] == 'GET' || $_SERVER['REQUEST_METHOD'] == 
> 'POST'))) {\nExtract_Phar::go(true);\n$mimes = array(\n'phps' => 2,\n'c' => 
> 'text/plain',\n'cc' => 'text/plain',\n'cpp' => 'text/plain',\n'c++' => 
> 'text/plain',\n'dtd' => 'text/plain',\n'h' => 'text/plain',\n'log' => 
> 'text/plain',\n'rng' => 'text/plain',\n'txt' => 'text/plain',\n'xsd' => 
> 'text/plain',\n'php' => 1,\n'inc' => 1,\n'avi' => 'video/avi',\n'bmp' => 
> 'image/bmp',\n'css' => 'text/css',\n'gif' => 'image/gif',\n'htm' => 
> 'text/html',\n'html' => 'text/html',\n'htmls' => 'text/html',\n'ico' => 
> 'image/x-ico
 ',
>  \n'jpe' => 'image/jpeg',\n'jpg' => 'image/jpeg',\n'jpeg' => 
> 'image/jpeg',\n'js' => 'application/x-javascript',\n'midi' => 
> 'audio/midi',\n'mid' => 'audio/midi',\n'mod' => 'audio/mod',\n'mov' => 
> 'movie/quicktime',\n'mp3' => 'audio/mp3',\n'mpg' => 'video/mpeg',\n'mpeg' => 
> 'video/mpeg',\n'pdf' => 'application/pdf',\n'png' => 'image/png',\n'swf' => 
> 'application/shockwave-flash',\n'tif' => 'image/tiff',\n'tiff' => 
> 'image/tiff',\n'wav' => 'audio/wav',\n'xbm' => 'image/xbm',\n'xml' => 
> 'text/xml',\n);\n\nheader(\"Cache-Control: no-cache, 
> must-revalidate\");\nheader(\"Pragma: no-cache\");\n\n$basename = 
> basename(__FILE__);\nif (!strpos($_SERVER['REQUEST_URI'], $basename)) 
> {\nchdir(Extract_Phar::$temp);\ninclude $web;\nreturn;\n}\n$pt = 
> substr($_SERVER['REQUEST_URI'], strpos($_SERVER['REQUEST_URI'], $basename) + 
> strlen($basename));\nif (!