[PHP-CVS] svn: /php/php-src/ branches/PHP_5_2/NEWS branches/PHP_5_2/ext/openssl/openssl.c branches/PHP_5_3/NEWS branches/PHP_5_3/ext/openssl/openssl.c trunk/ext/openssl/openssl.c
iliaaMon, 14 Sep 2009 12:50:30 +
Revision: http://svn.php.net/viewvc?view=revisionrevision=288329
Log:
Fixed certificate validation inside php_openssl_apply_verification_policy
Changed paths:
U php/php-src/branches/PHP_5_2/NEWS
U php/php-src/branches/PHP_5_2/ext/openssl/openssl.c
U php/php-src/branches/PHP_5_3/NEWS
U php/php-src/branches/PHP_5_3/ext/openssl/openssl.c
U php/php-src/trunk/ext/openssl/openssl.c
Modified: php/php-src/branches/PHP_5_2/NEWS
===
--- php/php-src/branches/PHP_5_2/NEWS 2009-09-14 11:39:27 UTC (rev 288328)
+++ php/php-src/branches/PHP_5_2/NEWS 2009-09-14 12:50:30 UTC (rev 288329)
@@ -1,6 +1,8 @@
PHPNEWS
|||
?? Sep 2009, PHP 5.2.11
+- Fixed certificate validation inside php_openssl_apply_verification_policy
+ (Ryan Sleevi, Ilia)
10 Sep 2009, PHP 5.2.11RC3
- Updated timezone database to version 2009.13 (2009m) (Derick)
Modified: php/php-src/branches/PHP_5_2/ext/openssl/openssl.c
===
--- php/php-src/branches/PHP_5_2/ext/openssl/openssl.c 2009-09-14 11:39:27 UTC
(rev 288328)
+++ php/php-src/branches/PHP_5_2/ext/openssl/openssl.c 2009-09-14 12:50:30 UTC
(rev 288329)
@@ -3845,8 +3845,15 @@
GET_VER_OPT_STRING(CN_match, cnmatch);
if (cnmatch) {
int match = 0;
+ int name_len = X509_NAME_get_text_by_NID(name, NID_commonName,
buf, sizeof(buf));
- X509_NAME_get_text_by_NID(name, NID_commonName, buf,
sizeof(buf));
+ if (name_len == -1) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, Unable to
locate peer certificate CN);
+ return FAILURE;
+ } else if (name_len != strlen(buf)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, Peer
certificate CN=`%.*s' is malformed, name_len, buf);
+ return FAILURE;
+ }
match = strcmp(cnmatch, buf) == 0;
if (!match strlen(buf) 3 buf[0] == '*' buf[1] ==
'.') {
@@ -3861,10 +3868,7 @@
if (!match) {
/* didn't match */
- php_error_docref(NULL TSRMLS_CC, E_WARNING,
- Peer certificate CN=`%s' did not match
expected CN=`%s',
- buf, cnmatch);
-
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, Peer
certificate CN=`%.*s' did not match expected CN=`%s', name_len, buf, cnmatch);
return FAILURE;
}
}
Modified: php/php-src/branches/PHP_5_3/NEWS
===
--- php/php-src/branches/PHP_5_3/NEWS 2009-09-14 11:39:27 UTC (rev 288328)
+++ php/php-src/branches/PHP_5_3/NEWS 2009-09-14 12:50:30 UTC (rev 288329)
@@ -3,6 +3,8 @@
?? ??? 2009, PHP 5.3.2
?? ??? 2009, PHP 5.3.1RC?
+- Fixed certificate validation inside php_openssl_apply_verification_policy
+ (Ryan Sleevi, Ilia)
- Restored shebang line check to CGI sapi (not checked by scanner anymore).
(Jani)
- Fixed bug #49470 (FILTER_SANITIZE_EMAIL allows disallowed characters).
Modified: php/php-src/branches/PHP_5_3/ext/openssl/openssl.c
===
--- php/php-src/branches/PHP_5_3/ext/openssl/openssl.c 2009-09-14 11:39:27 UTC
(rev 288328)
+++ php/php-src/branches/PHP_5_3/ext/openssl/openssl.c 2009-09-14 12:50:30 UTC
(rev 288329)
@@ -4323,8 +4323,15 @@
GET_VER_OPT_STRING(CN_match, cnmatch);
if (cnmatch) {
int match = 0;
+ int name_len = X509_NAME_get_text_by_NID(name, NID_commonName,
buf, sizeof(buf));
- X509_NAME_get_text_by_NID(name, NID_commonName, buf,
sizeof(buf));
+ if (name_len == -1) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, Unable to
locate peer certificate CN);
+ return FAILURE;
+ } else if (name_len != strlen(buf)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, Peer
certificate CN=`%.*s' is malformed, name_len, buf);
+ return FAILURE;
+ }
match = strcmp(cnmatch, buf) == 0;
if (!match strlen(buf) 3 buf[0] == '*' buf[1] ==
'.') {
@@ -4339,10 +4346,7 @@
if (!match) {
/* didn't match */
- php_error_docref(NULL TSRMLS_CC, E_WARNING,
- Peer certificate CN=`%s' did not match
expected CN=`%s',
- buf, cnmatch);
-
+
Re: [PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/ext/mysqli/mysqli_api.c branches/PHP_5_3/ext/mysqli/php_mysqli_structs.h branches/PHP_5_3/ext/mysqli/tests/005.phpt trunk/ext/mysqli/mysqli_api.c trun
Jani Taskinen schrieb: What about fixing it also in PHP_5_2 ?? Or doesn't this exist there? ;) Sounds quite critical to be in there.. Good question. A precondition for the crash to happen is that ext/mysqli allocates a too small result buffer. This could happen due to bug which broke BC in 5.3.0. That bug has been fixed in the commit immerdiately followed after this commit: http://news.php.net/php.cvs/60379 I was wrong that the crash can be reproduced with the test 005.phpt and PHP 5.0.x-5.2.x. I checked again and found that I had messed up my PHP sources causing a similar but unrelated crash. I also checked a couple of SQL statements that caused headaches during the mysqlnd development (e.g. SELECT UNION) and the MySQL bugs database for a bug which may lead to a too small result buffer in order to break ext/mysqli: without success. Anyway, I can patch PHP 5.2 as well, just in case someone finds a way to make a current MySQL server report faulty meta data (length must be reported as 0 but the actual data returned needs to be longer than 256 bytes). Ulf -- Ulf Wendel, MySQL Sun Microsystems GmbH, Sonnenallee 1, D-85551 Kirchheim-Heimstetten Geschaeftsfuehrer: Thomas Schroeder, Wolfgang Engels, Dr. Roland Boemer Vorsitzender des Aufsichtsrates: Martin Haering Muenchen: HRB161028 -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/ext/mbstring/libmbfl/filters/mbfilter_utf8.c branches/PHP_5_3/ext/mbstring/libmbfl/mbfl/mbfilter.c branches/PHP_5_3/ext/mbstring/tests/bug49536.phpt
Ilia,
I guess this and the other mbstring patch should be applied to 5.2
branch as well. Is it ok to merge them?
Moriyoshi
On Sat, Sep 12, 2009 at 6:26 AM, Moriyoshi Koizumi moriyo...@php.net wrote:
moriyoshi Fri, 11 Sep 2009 21:26:18 +
Revision: http://svn.php.net/viewvc?view=revisionrevision=288273
Log:
- Fix bug #49536 (mb_detect_encoding() returns incorrect results when
strict_mode is turned on.)
(patch by komura, thanks!)
Bug: http://bugs.php.net/49536 (Open) mb_detect_encoding() returns incorrect
results when strict_mode is turned on
Changed paths:
U
php/php-src/branches/PHP_5_3/ext/mbstring/libmbfl/filters/mbfilter_utf8.c
U php/php-src/branches/PHP_5_3/ext/mbstring/libmbfl/mbfl/mbfilter.c
A php/php-src/branches/PHP_5_3/ext/mbstring/tests/bug49536.phpt
U php/php-src/trunk/ext/mbstring/libmbfl/filters/mbfilter_utf8.c
U php/php-src/trunk/ext/mbstring/libmbfl/mbfl/mbfilter.c
A php/php-src/trunk/ext/mbstring/tests/bug49536.phpt
Modified:
php/php-src/branches/PHP_5_3/ext/mbstring/libmbfl/filters/mbfilter_utf8.c
===
--- php/php-src/branches/PHP_5_3/ext/mbstring/libmbfl/filters/mbfilter_utf8.c
2009-09-11 16:43:49 UTC (rev 288272)
+++ php/php-src/branches/PHP_5_3/ext/mbstring/libmbfl/filters/mbfilter_utf8.c
2009-09-11 21:26:18 UTC (rev 288273)
@@ -220,7 +220,7 @@
if (c 0x80) {
if (c 0) {
filter-flag = 1; /* bad */
- } else if (c != 0 filter-status) {
+ } else if (filter-status) {
filter-flag = 1; /* bad */
}
filter-status = 0;
Modified: php/php-src/branches/PHP_5_3/ext/mbstring/libmbfl/mbfl/mbfilter.c
===
--- php/php-src/branches/PHP_5_3/ext/mbstring/libmbfl/mbfl/mbfilter.c
2009-09-11 16:43:49 UTC (rev 288272)
+++ php/php-src/branches/PHP_5_3/ext/mbstring/libmbfl/mbfl/mbfilter.c
2009-09-11 21:26:18 UTC (rev 288273)
@@ -622,7 +622,7 @@
if (!encoding) {
for (i = 0; i num; i++) {
filter = flist[i];
- if (!filter-flag) {
+ if (!filter-flag (!strict || !filter-status)) {
encoding = filter-encoding;
break;
}
Added: php/php-src/branches/PHP_5_3/ext/mbstring/tests/bug49536.phpt
===
--- php/php-src/branches/PHP_5_3/ext/mbstring/tests/bug49536.phpt
(rev 0)
+++ php/php-src/branches/PHP_5_3/ext/mbstring/tests/bug49536.phpt
2009-09-11 21:26:18 UTC (rev 288273)
@@ -0,0 +1,20 @@
+--TEST--
+Bug #49536 (mb_detect_encoding() returns incorrect results when strict_mode
is turned on)
+--SKIPIF--
+?php extension_loaded('mbstring') or die('skip mbstring not available'); ?
+--FILE--
+?php
+// non-strict mode
+var_dump(mb_detect_encoding(A\x81, SJIS, false));
+// strict mode
+var_dump(mb_detect_encoding(A\x81, SJIS, true));
+// non-strict mode
+var_dump(mb_detect_encoding(\xc0\x00, UTF-8, false));
+// strict mode
+var_dump(mb_detect_encoding(\xc0\x00, UTF-8, true));
+?
+--EXPECT--
+string(4) SJIS
+bool(false)
+string(5) UTF-8
+bool(false)
Modified: php/php-src/trunk/ext/mbstring/libmbfl/filters/mbfilter_utf8.c
===
--- php/php-src/trunk/ext/mbstring/libmbfl/filters/mbfilter_utf8.c
2009-09-11 16:43:49 UTC (rev 288272)
+++ php/php-src/trunk/ext/mbstring/libmbfl/filters/mbfilter_utf8.c
2009-09-11 21:26:18 UTC (rev 288273)
@@ -220,7 +220,7 @@
if (c 0x80) {
if (c 0) {
filter-flag = 1; /* bad */
- } else if (c != 0 filter-status) {
+ } else if (filter-status) {
filter-flag = 1; /* bad */
}
filter-status = 0;
Modified: php/php-src/trunk/ext/mbstring/libmbfl/mbfl/mbfilter.c
===
--- php/php-src/trunk/ext/mbstring/libmbfl/mbfl/mbfilter.c 2009-09-11
16:43:49 UTC (rev 288272)
+++ php/php-src/trunk/ext/mbstring/libmbfl/mbfl/mbfilter.c 2009-09-11
21:26:18 UTC (rev 288273)
@@ -622,7 +622,7 @@
if (!encoding) {
for (i = 0; i num; i++) {
filter = flist[i];
- if (!filter-flag) {
+ if (!filter-flag (!strict || !filter-status)) {
encoding = filter-encoding;
break;
}
Added: php/php-src/trunk/ext/mbstring/tests/bug49536.phpt
[PHP-CVS] svn: /php/php-src/branches/PHP_5_2/ext/mysqli/ mysqli_api.c php_mysqli.h
uw Mon, 14 Sep 2009 16:51:11 +
Revision: http://svn.php.net/viewvc?view=revisionrevision=288336
Log:
Backport of http://news.php.net/php.cvs/60381 to PHP 5_2 which fixes a
potential crash with ext/mysqli and Prepared Statements if the MySQL Server
sends faulty metadata, see also http://news.php.net/php.cvs/60389 . I don't
know of a way to crash PHP using a recent MySQL. But metadata has been a
troublemaker in the past. Just in case...
Changed paths:
U php/php-src/branches/PHP_5_2/ext/mysqli/mysqli_api.c
U php/php-src/branches/PHP_5_2/ext/mysqli/php_mysqli.h
Modified: php/php-src/branches/PHP_5_2/ext/mysqli/mysqli_api.c
===
--- php/php-src/branches/PHP_5_2/ext/mysqli/mysqli_api.c2009-09-14
16:14:48 UTC (rev 288335)
+++ php/php-src/branches/PHP_5_2/ext/mysqli/mysqli_api.c2009-09-14
16:51:11 UTC (rev 288336)
@@ -364,7 +364,7 @@
bind[ofs].buffer = stmt-result.buf[ofs].val;
bind[ofs].is_null = stmt-result.is_null[ofs];
bind[ofs].buffer_length =
stmt-result.buf[ofs].buflen;
- bind[ofs].length =
stmt-result.buf[ofs].buflen;
+ bind[ofs].length =
stmt-result.buf[ofs].output_len;
break;
}
default:
@@ -735,7 +735,7 @@
#else
{
#endif
-
ZVAL_STRINGL(stmt-result.vars[i], stmt-result.buf[i].val,
stmt-result.buf[i].buflen, 1);
+
ZVAL_STRINGL(stmt-result.vars[i], stmt-result.buf[i].val,
stmt-result.buf[i].output_len, 1);
}
}
break;
Modified: php/php-src/branches/PHP_5_2/ext/mysqli/php_mysqli.h
===
--- php/php-src/branches/PHP_5_2/ext/mysqli/php_mysqli.h2009-09-14
16:14:48 UTC (rev 288335)
+++ php/php-src/branches/PHP_5_2/ext/mysqli/php_mysqli.h2009-09-14
16:51:11 UTC (rev 288336)
@@ -52,8 +52,9 @@
};
typedef struct {
+char*val;
ulong buflen;
- char*val;
+ulong output_len;
ulong type;
} VAR_BUFFER;
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] svn: /php/php-src/branches/PHP_5_2/ NEWS
jani Mon, 14 Sep 2009 17:18:27 + Revision: http://svn.php.net/viewvc?view=revisionrevision=288337 Log: pfft Changed paths: U php/php-src/branches/PHP_5_2/NEWS Modified: php/php-src/branches/PHP_5_2/NEWS === --- php/php-src/branches/PHP_5_2/NEWS 2009-09-14 16:51:11 UTC (rev 288336) +++ php/php-src/branches/PHP_5_2/NEWS 2009-09-14 17:18:27 UTC (rev 288337) @@ -1,13 +1,14 @@ PHPNEWS ||| ?? Sep 2009, PHP 5.2.11 -- Fixed certificate validation inside php_openssl_apply_verification_policy +- Fixed certificate validation inside php_openssl_apply_verification_policy. (Ryan Sleevi, Ilia) + 10 Sep 2009, PHP 5.2.11RC3 - Updated timezone database to version 2009.13 (2009m) (Derick) -- Fixed bug #49470 (FILTER_SANITIZE_EMAIL allows disallowed characters). +- Fixed bug #49470 (FILTER_SANITIZE_EMAIL allows disallowed characters). (Ilia) - Fixed bug #49447 (php engine needs to correctly check for socket API return status on windows). (Sriram Natarajan) - Fixed bug #48060 (pdo_pgsql - large objects are returned as empty). (Matteo) -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/TSRM/tsrm_virtual_cwd.c trunk/TSRM/tsrm_virtual_cwd.c
pajoye Mon, 14 Sep 2009 18:46:56 +
Revision: http://svn.php.net/viewvc?view=revisionrevision=288339
Log:
- Fix #48746, improve fix to support all possible cases (see latest comment in
the report)
Bug: http://bugs.php.net/48746 (Assigned) Unable to browse directories within
Junction Points
Changed paths:
U php/php-src/branches/PHP_5_3/TSRM/tsrm_virtual_cwd.c
U php/php-src/trunk/TSRM/tsrm_virtual_cwd.c
Modified: php/php-src/branches/PHP_5_3/TSRM/tsrm_virtual_cwd.c
===
--- php/php-src/branches/PHP_5_3/TSRM/tsrm_virtual_cwd.c2009-09-14
18:12:51 UTC (rev 288338)
+++ php/php-src/branches/PHP_5_3/TSRM/tsrm_virtual_cwd.c2009-09-14
18:46:56 UTC (rev 288339)
@@ -667,11 +667,14 @@
/* File is a reparse point. Get the target */
HANDLE hLink = NULL;
REPARSE_DATA_BUFFER * pbuffer;
- unsigned int retlength = 0, rname_off = 0;
- int bufindex = 0, rname_len = 0, isabsolute = 0;
+ unsigned int retlength = 0;
+ int bufindex = 0, isabsolute = 0;
wchar_t * reparsetarget;
- WCHAR szVolumePathNames[MAX_PATH];
BOOL isVolume = FALSE;
+ char printname[MAX_PATH];
+ char substitutename[MAX_PATH];
+ int printname_len, substitutename_len;
+ int substitutename_off = 0;
if(++(*ll) LINK_MAX) {
return -1;
@@ -692,33 +695,61 @@
CloseHandle(hLink);
if(pbuffer-ReparseTag == IO_REPARSE_TAG_SYMLINK) {
- rname_len =
pbuffer-SymbolicLinkReparseBuffer.PrintNameLength/2;
- rname_off =
pbuffer-SymbolicLinkReparseBuffer.PrintNameOffset/2;
- if(rname_len = 0) {
- rname_len =
pbuffer-SymbolicLinkReparseBuffer.SubstituteNameLength/2;
- rname_off =
pbuffer-SymbolicLinkReparseBuffer.SubstituteNameOffset/2;
- }
-
reparsetarget =
pbuffer-SymbolicLinkReparseBuffer.ReparseTarget;
+ printname_len =
pbuffer-MountPointReparseBuffer.PrintNameLength / sizeof(WCHAR);
isabsolute =
(pbuffer-SymbolicLinkReparseBuffer.Flags == 0) ? 1 : 0;
+ if (!WideCharToMultiByte(CP_THREAD_ACP, 0,
+ reparsetarget +
pbuffer-MountPointReparseBuffer.PrintNameOffset / sizeof(WCHAR),
+ printname_len + 1,
+ printname, MAX_PATH, NULL, NULL
+ )) {
+ tsrm_free_alloca(pbuffer,
use_heap_large);
+ return -1;
+ };
+ printname_len =
pbuffer-MountPointReparseBuffer.PrintNameLength / sizeof(WCHAR);
+ printname[printname_len] = 0;
+
+ substitutename_len =
pbuffer-MountPointReparseBuffer.SubstituteNameLength / sizeof(WCHAR);
+ if (!WideCharToMultiByte(CP_THREAD_ACP, 0,
+ reparsetarget +
pbuffer-MountPointReparseBuffer.SubstituteNameOffset / sizeof(WCHAR),
+ substitutename_len + 1,
+ substitutename, MAX_PATH, NULL, NULL
+ )) {
+ tsrm_free_alloca(pbuffer,
use_heap_large);
+ return -1;
+ };
+ substitutename[substitutename_len] = 0;
}
else if(pbuffer-ReparseTag ==
IO_REPARSE_TAG_MOUNT_POINT) {
- rname_len =
pbuffer-MountPointReparseBuffer.PrintNameLength/2;
- rname_off =
pbuffer-MountPointReparseBuffer.PrintNameOffset/2;
- if(rname_len = 0) {
- rname_len =
pbuffer-MountPointReparseBuffer.SubstituteNameLength/2;
- rname_off =
pbuffer-MountPointReparseBuffer.SubstituteNameOffset/2;
- }
+ isabsolute = 1;
+ reparsetarget =
pbuffer-MountPointReparseBuffer.ReparseTarget;
+ printname_len =
pbuffer-MountPointReparseBuffer.PrintNameLength / sizeof(WCHAR);
[PHP-CVS] svn: /php/php-src/ branches/PHP_5_2/Zend/zend_execute_API.c branches/PHP_5_3/Zend/zend_execute_API.c trunk/Zend/zend_execute_API.c
moriyoshiTue, 15 Sep 2009 00:09:13 +
Revision: http://svn.php.net/viewvc?view=revisionrevision=288345
Log:
- WS fix (spaces to tabs)
Changed paths:
U php/php-src/branches/PHP_5_2/Zend/zend_execute_API.c
U php/php-src/branches/PHP_5_3/Zend/zend_execute_API.c
U php/php-src/trunk/Zend/zend_execute_API.c
Modified: php/php-src/branches/PHP_5_2/Zend/zend_execute_API.c
===
--- php/php-src/branches/PHP_5_2/Zend/zend_execute_API.c2009-09-14
22:47:09 UTC (rev 288344)
+++ php/php-src/branches/PHP_5_2/Zend/zend_execute_API.c2009-09-15
00:09:13 UTC (rev 288345)
@@ -921,7 +921,7 @@
for (i=0; ifci-param_count; i++) {
zval *param;
- if(EX(function_state).function-type == ZEND_INTERNAL_FUNCTION
+ if (EX(function_state).function-type == ZEND_INTERNAL_FUNCTION
!ARG_SHOULD_BE_SENT_BY_REF(EX(function_state).function, i + 1)
PZVAL_IS_REF(*fci-params[i])) {
SEPARATE_ZVAL(fci-params[i]);
Modified: php/php-src/branches/PHP_5_3/Zend/zend_execute_API.c
===
--- php/php-src/branches/PHP_5_3/Zend/zend_execute_API.c2009-09-14
22:47:09 UTC (rev 288344)
+++ php/php-src/branches/PHP_5_3/Zend/zend_execute_API.c2009-09-15
00:09:13 UTC (rev 288345)
@@ -837,7 +837,7 @@
for (i=0; ifci-param_count; i++) {
zval *param;
- if(EX(function_state).function-type == ZEND_INTERNAL_FUNCTION
+ if (EX(function_state).function-type == ZEND_INTERNAL_FUNCTION
!ARG_SHOULD_BE_SENT_BY_REF(EX(function_state).function, i + 1)
PZVAL_IS_REF(*fci-params[i])) {
SEPARATE_ZVAL(fci-params[i]);
Modified: php/php-src/trunk/Zend/zend_execute_API.c
===
--- php/php-src/trunk/Zend/zend_execute_API.c 2009-09-14 22:47:09 UTC (rev
288344)
+++ php/php-src/trunk/Zend/zend_execute_API.c 2009-09-15 00:09:13 UTC (rev
288345)
@@ -872,7 +872,7 @@
for (i=0; ifci-param_count; i++) {
zval *param;
- if(EX(function_state).function-type == ZEND_INTERNAL_FUNCTION
+ if (EX(function_state).function-type == ZEND_INTERNAL_FUNCTION
!ARG_SHOULD_BE_SENT_BY_REF(EX(function_state).function, i + 1)
PZVAL_IS_REF(*fci-params[i])) {
SEPARATE_ZVAL(fci-params[i]);
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
