[PHP-CVS] svn: /php/php-src/ branches/PHP_5_2/NEWS branches/PHP_5_2/ext/openssl/openssl.c branches/PHP_5_3/NEWS branches/PHP_5_3/ext/openssl/openssl.c trunk/ext/openssl/openssl.c
iliaaMon, 14 Sep 2009 12:50:30 + Revision: http://svn.php.net/viewvc?view=revisionrevision=288329 Log: Fixed certificate validation inside php_openssl_apply_verification_policy Changed paths: U php/php-src/branches/PHP_5_2/NEWS U php/php-src/branches/PHP_5_2/ext/openssl/openssl.c U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/ext/openssl/openssl.c U php/php-src/trunk/ext/openssl/openssl.c Modified: php/php-src/branches/PHP_5_2/NEWS === --- php/php-src/branches/PHP_5_2/NEWS 2009-09-14 11:39:27 UTC (rev 288328) +++ php/php-src/branches/PHP_5_2/NEWS 2009-09-14 12:50:30 UTC (rev 288329) @@ -1,6 +1,8 @@ PHPNEWS ||| ?? Sep 2009, PHP 5.2.11 +- Fixed certificate validation inside php_openssl_apply_verification_policy + (Ryan Sleevi, Ilia) 10 Sep 2009, PHP 5.2.11RC3 - Updated timezone database to version 2009.13 (2009m) (Derick) Modified: php/php-src/branches/PHP_5_2/ext/openssl/openssl.c === --- php/php-src/branches/PHP_5_2/ext/openssl/openssl.c 2009-09-14 11:39:27 UTC (rev 288328) +++ php/php-src/branches/PHP_5_2/ext/openssl/openssl.c 2009-09-14 12:50:30 UTC (rev 288329) @@ -3845,8 +3845,15 @@ GET_VER_OPT_STRING(CN_match, cnmatch); if (cnmatch) { int match = 0; + int name_len = X509_NAME_get_text_by_NID(name, NID_commonName, buf, sizeof(buf)); - X509_NAME_get_text_by_NID(name, NID_commonName, buf, sizeof(buf)); + if (name_len == -1) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, Unable to locate peer certificate CN); + return FAILURE; + } else if (name_len != strlen(buf)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, Peer certificate CN=`%.*s' is malformed, name_len, buf); + return FAILURE; + } match = strcmp(cnmatch, buf) == 0; if (!match strlen(buf) 3 buf[0] == '*' buf[1] == '.') { 
@@ -3861,10 +3868,7 @@ if (!match) { /* didn't match */ - php_error_docref(NULL TSRMLS_CC, E_WARNING, - Peer certificate CN=`%s' did not match expected CN=`%s', - buf, cnmatch); - + php_error_docref(NULL TSRMLS_CC, E_WARNING, Peer certificate CN=`%.*s' did not match expected CN=`%s', name_len, buf, cnmatch); return FAILURE; } } Modified: php/php-src/branches/PHP_5_3/NEWS === --- php/php-src/branches/PHP_5_3/NEWS 2009-09-14 11:39:27 UTC (rev 288328) +++ php/php-src/branches/PHP_5_3/NEWS 2009-09-14 12:50:30 UTC (rev 288329) @@ -3,6 +3,8 @@ ?? ??? 2009, PHP 5.3.2 ?? ??? 2009, PHP 5.3.1RC? +- Fixed certificate validation inside php_openssl_apply_verification_policy + (Ryan Sleevi, Ilia) - Restored shebang line check to CGI sapi (not checked by scanner anymore). (Jani) - Fixed bug #49470 (FILTER_SANITIZE_EMAIL allows disallowed characters). Modified: php/php-src/branches/PHP_5_3/ext/openssl/openssl.c === --- php/php-src/branches/PHP_5_3/ext/openssl/openssl.c 2009-09-14 11:39:27 UTC (rev 288328) +++ php/php-src/branches/PHP_5_3/ext/openssl/openssl.c 2009-09-14 12:50:30 UTC (rev 288329) @@ -4323,8 +4323,15 @@ GET_VER_OPT_STRING(CN_match, cnmatch); if (cnmatch) { int match = 0; + int name_len = X509_NAME_get_text_by_NID(name, NID_commonName, buf, sizeof(buf)); - X509_NAME_get_text_by_NID(name, NID_commonName, buf, sizeof(buf)); + if (name_len == -1) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, Unable to locate peer certificate CN); + return FAILURE; + } else if (name_len != strlen(buf)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, Peer certificate CN=`%.*s' is malformed, name_len, buf); + return FAILURE; + } match = strcmp(cnmatch, buf) == 0; if (!match strlen(buf) 3 buf[0] == '*' buf[1] == '.') { @@ -4339,10 +4346,7 @@ if (!match) { /* didn't match */ - php_error_docref(NULL TSRMLS_CC, E_WARNING, - Peer certificate CN=`%s' did not match expected CN=`%s', - buf, cnmatch); - +
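Review bot: In the `if (cnmatch)` hunk of ext/openssl/openssl.c (PHP_5_2 and PHP_5_3 copies), the new "is malformed" warning formats the name with `%.*s` and `name_len`, but `%.*s` still stops at the first NUL byte, so the log shows only the part of the CN before the embedded NUL and nothing about what made it malformed. Logging both lengths (`name_len` and `strlen(buf)`) or escaping the bytes would make the warning usable for triage. The comparison `name_len != strlen(buf)` also mixes `int` with `size_t`; since the -1 case is handled just above, an explicit `(size_t)name_len` cast would keep the comparison free of signed/unsigned surprises. A one-line comment saying that this check exists to reject NUL bytes inside the CN would help whoever touches the wildcard branch next.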
Re: [PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/ext/mysqli/mysqli_api.c branches/PHP_5_3/ext/mysqli/php_mysqli_structs.h branches/PHP_5_3/ext/mysqli/tests/005.phpt trunk/ext/mysqli/mysqli_api.c trun
Jani Taskinen wrote:
> What about fixing it also in PHP_5_2 ?? Or doesn't this exist there? ;) Sounds quite critical to be in there..

Good question. A precondition for the crash to happen is that ext/mysqli allocates a too small result buffer. This could happen due to a bug which broke BC in 5.3.0. That bug has been fixed in the commit that immediately followed this commit: http://news.php.net/php.cvs/60379

I was wrong that the crash can be reproduced with the test 005.phpt and PHP 5.0.x-5.2.x. I checked again and found that I had messed up my PHP sources, causing a similar but unrelated crash. I also checked a couple of SQL statements that caused headaches during the mysqlnd development (e.g. SELECT UNION) and the MySQL bugs database for a bug which may lead to a too small result buffer in order to break ext/mysqli: without success.

Anyway, I can patch PHP 5.2 as well, just in case someone finds a way to make a current MySQL server report faulty meta data (length must be reported as 0 but the actual data returned needs to be longer than 256 bytes).

Ulf

--
Ulf Wendel, MySQL
Sun Microsystems GmbH, Sonnenallee 1, D-85551 Kirchheim-Heimstetten
Managing Directors: Thomas Schroeder, Wolfgang Engels, Dr. Roland Boemer
Chairman of the Supervisory Board: Martin Haering
Munich: HRB161028

--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/ext/mbstring/libmbfl/filters/mbfilter_utf8.c branches/PHP_5_3/ext/mbstring/libmbfl/mbfl/mbfilter.c branches/PHP_5_3/ext/mbstring/tests/bug49536.phpt
Ilia, I guess this and the other mbstring patch should be applied to 5.2 branch as well. Is it ok to merge them? Moriyoshi On Sat, Sep 12, 2009 at 6:26 AM, Moriyoshi Koizumi moriyo...@php.net wrote: moriyoshi Fri, 11 Sep 2009 21:26:18 + Revision: http://svn.php.net/viewvc?view=revisionrevision=288273 Log: - Fix bug #49536 (mb_detect_encoding() returns incorrect results when strict_mode is turned on.) (patch by komura, thanks!) Bug: http://bugs.php.net/49536 (Open) mb_detect_encoding() returns incorrect results when strict_mode is turned on Changed paths: U php/php-src/branches/PHP_5_3/ext/mbstring/libmbfl/filters/mbfilter_utf8.c U php/php-src/branches/PHP_5_3/ext/mbstring/libmbfl/mbfl/mbfilter.c A php/php-src/branches/PHP_5_3/ext/mbstring/tests/bug49536.phpt U php/php-src/trunk/ext/mbstring/libmbfl/filters/mbfilter_utf8.c U php/php-src/trunk/ext/mbstring/libmbfl/mbfl/mbfilter.c A php/php-src/trunk/ext/mbstring/tests/bug49536.phpt Modified: php/php-src/branches/PHP_5_3/ext/mbstring/libmbfl/filters/mbfilter_utf8.c === --- php/php-src/branches/PHP_5_3/ext/mbstring/libmbfl/filters/mbfilter_utf8.c 2009-09-11 16:43:49 UTC (rev 288272) +++ php/php-src/branches/PHP_5_3/ext/mbstring/libmbfl/filters/mbfilter_utf8.c 2009-09-11 21:26:18 UTC (rev 288273) @@ -220,7 +220,7 @@ if (c 0x80) { if (c 0) { filter-flag = 1; /* bad */ - } else if (c != 0 filter-status) { + } else if (filter-status) { filter-flag = 1; /* bad */ } filter-status = 0; Modified: php/php-src/branches/PHP_5_3/ext/mbstring/libmbfl/mbfl/mbfilter.c === --- php/php-src/branches/PHP_5_3/ext/mbstring/libmbfl/mbfl/mbfilter.c 2009-09-11 16:43:49 UTC (rev 288272) +++ php/php-src/branches/PHP_5_3/ext/mbstring/libmbfl/mbfl/mbfilter.c 2009-09-11 21:26:18 UTC (rev 288273) 
@@ -622,7 +622,7 @@ if (!encoding) { for (i = 0; i num; i++) { filter = flist[i]; - if (!filter-flag) { + if (!filter-flag (!strict || !filter-status)) { encoding = filter-encoding; break; } Added: php/php-src/branches/PHP_5_3/ext/mbstring/tests/bug49536.phpt === --- php/php-src/branches/PHP_5_3/ext/mbstring/tests/bug49536.phpt (rev 0) +++ php/php-src/branches/PHP_5_3/ext/mbstring/tests/bug49536.phpt 2009-09-11 21:26:18 UTC (rev 288273) @@ -0,0 +1,20 @@ +--TEST-- +Bug #49536 (mb_detect_encoding() returns incorrect results when strict_mode is turned on) +--SKIPIF-- +?php extension_loaded('mbstring') or die('skip mbstring not available'); ? +--FILE-- +?php +// non-strict mode +var_dump(mb_detect_encoding(A\x81, SJIS, false)); +// strict mode +var_dump(mb_detect_encoding(A\x81, SJIS, true)); +// non-strict mode +var_dump(mb_detect_encoding(\xc0\x00, UTF-8, false)); +// strict mode +var_dump(mb_detect_encoding(\xc0\x00, UTF-8, true)); +? +--EXPECT-- +string(4) SJIS +bool(false) +string(5) UTF-8 +bool(false) Modified: php/php-src/trunk/ext/mbstring/libmbfl/filters/mbfilter_utf8.c === --- php/php-src/trunk/ext/mbstring/libmbfl/filters/mbfilter_utf8.c 2009-09-11 16:43:49 UTC (rev 288272) +++ php/php-src/trunk/ext/mbstring/libmbfl/filters/mbfilter_utf8.c 2009-09-11 21:26:18 UTC (rev 288273) @@ -220,7 +220,7 @@ if (c 0x80) { if (c 0) { filter-flag = 1; /* bad */ - } else if (c != 0 filter-status) { + } else if (filter-status) { filter-flag = 1; /* bad */ } filter-status = 0; Modified: php/php-src/trunk/ext/mbstring/libmbfl/mbfl/mbfilter.c === --- php/php-src/trunk/ext/mbstring/libmbfl/mbfl/mbfilter.c 2009-09-11 16:43:49 UTC (rev 288272) +++ php/php-src/trunk/ext/mbstring/libmbfl/mbfl/mbfilter.c 2009-09-11 21:26:18 UTC (rev 288273) @@ -622,7 +622,7 @@ if (!encoding) { for (i = 0; i num; i++) { filter = flist[i]; - if (!filter-flag) { + if (!filter-flag (!strict || !filter-status)) { encoding = filter-encoding; break; } Added: php/php-src/trunk/ext/mbstring/tests/bug49536.phpt
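Review bot: In the mbfl/mbfilter.c hunk (@@ -622,7 +622,7 @@), the new condition `(!strict || !filter->status)` only rejects a candidate when its identify filter leaves `status` non-zero on an incomplete sequence, and the only filter adjusted in this commit is mbfilter_utf8.c. Any identify filter that does not track a pending sequence in `status` will still be accepted in strict mode, so it is worth stating in a comment that strict detection relies on that convention. The added bug49536.phpt covers one truncated SJIS input and one UTF-8 input, each with a single candidate; a case with several candidate encodings in the list would exercise the loop order this hunk changes.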
[PHP-CVS] svn: /php/php-src/branches/PHP_5_2/ext/mysqli/ mysqli_api.c php_mysqli.h
uw Mon, 14 Sep 2009 16:51:11 + Revision: http://svn.php.net/viewvc?view=revisionrevision=288336 Log: Backport of http://news.php.net/php.cvs/60381 to PHP 5_2 which fixes a potential crash with ext/mysqli and Prepared Statements if the MySQL Server sends faulty metadata, see also http://news.php.net/php.cvs/60389 . I don't know of a way to crash PHP using a recent MySQL. But metadata has been a troublemaker in the past. Just in case... Changed paths: U php/php-src/branches/PHP_5_2/ext/mysqli/mysqli_api.c U php/php-src/branches/PHP_5_2/ext/mysqli/php_mysqli.h Modified: php/php-src/branches/PHP_5_2/ext/mysqli/mysqli_api.c === --- php/php-src/branches/PHP_5_2/ext/mysqli/mysqli_api.c2009-09-14 16:14:48 UTC (rev 288335) +++ php/php-src/branches/PHP_5_2/ext/mysqli/mysqli_api.c2009-09-14 16:51:11 UTC (rev 288336) @@ -364,7 +364,7 @@ bind[ofs].buffer = stmt-result.buf[ofs].val; bind[ofs].is_null = stmt-result.is_null[ofs]; bind[ofs].buffer_length = stmt-result.buf[ofs].buflen; - bind[ofs].length = stmt-result.buf[ofs].buflen; + bind[ofs].length = stmt-result.buf[ofs].output_len; break; } default: @@ -735,7 +735,7 @@ #else { #endif - ZVAL_STRINGL(stmt-result.vars[i], stmt-result.buf[i].val, stmt-result.buf[i].buflen, 1); + ZVAL_STRINGL(stmt-result.vars[i], stmt-result.buf[i].val, stmt-result.buf[i].output_len, 1); } } break; Modified: php/php-src/branches/PHP_5_2/ext/mysqli/php_mysqli.h === --- php/php-src/branches/PHP_5_2/ext/mysqli/php_mysqli.h2009-09-14 16:14:48 UTC (rev 288335) +++ php/php-src/branches/PHP_5_2/ext/mysqli/php_mysqli.h2009-09-14 16:51:11 UTC (rev 288336) @@ -52,8 +52,9 @@ }; typedef struct { +char*val; ulong buflen; - char*val; +ulong output_len; ulong type; } VAR_BUFFER; -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
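Review bot: In the second mysqli_api.c hunk (@@ -735,7 +735,7 @@), `ZVAL_STRINGL(stmt->result.vars[i], stmt->result.buf[i].val, stmt->result.buf[i].output_len, 1)` copies as many bytes as the client library wrote into `output_len`, and nothing in the visible lines bounds that value by `buflen`. The log message says this commit exists to survive faulty server metadata, so a reported length larger than the allocated buffer should not be able to turn into an over-read on this `#else` path. Copying the smaller of `output_len` and `buflen` here would make the fix hold regardless of what the server reports.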
[PHP-CVS] svn: /php/php-src/branches/PHP_5_2/ NEWS
jani Mon, 14 Sep 2009 17:18:27 + Revision: http://svn.php.net/viewvc?view=revisionrevision=288337 Log: pfft Changed paths: U php/php-src/branches/PHP_5_2/NEWS Modified: php/php-src/branches/PHP_5_2/NEWS === --- php/php-src/branches/PHP_5_2/NEWS 2009-09-14 16:51:11 UTC (rev 288336) +++ php/php-src/branches/PHP_5_2/NEWS 2009-09-14 17:18:27 UTC (rev 288337) @@ -1,13 +1,14 @@ PHPNEWS ||| ?? Sep 2009, PHP 5.2.11 -- Fixed certificate validation inside php_openssl_apply_verification_policy +- Fixed certificate validation inside php_openssl_apply_verification_policy. (Ryan Sleevi, Ilia) + 10 Sep 2009, PHP 5.2.11RC3 - Updated timezone database to version 2009.13 (2009m) (Derick) -- Fixed bug #49470 (FILTER_SANITIZE_EMAIL allows disallowed characters). +- Fixed bug #49470 (FILTER_SANITIZE_EMAIL allows disallowed characters). (Ilia) - Fixed bug #49447 (php engine needs to correctly check for socket API return status on windows). (Sriram Natarajan) - Fixed bug #48060 (pdo_pgsql - large objects are returned as empty). (Matteo) -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/TSRM/tsrm_virtual_cwd.c trunk/TSRM/tsrm_virtual_cwd.c
pajoye Mon, 14 Sep 2009 18:46:56 + Revision: http://svn.php.net/viewvc?view=revisionrevision=288339 Log: - Fix #48746, improve fix to support all possible cases (see latest comment in the report) Bug: http://bugs.php.net/48746 (Assigned) Unable to browse directories within Junction Points Changed paths: U php/php-src/branches/PHP_5_3/TSRM/tsrm_virtual_cwd.c U php/php-src/trunk/TSRM/tsrm_virtual_cwd.c Modified: php/php-src/branches/PHP_5_3/TSRM/tsrm_virtual_cwd.c === --- php/php-src/branches/PHP_5_3/TSRM/tsrm_virtual_cwd.c2009-09-14 18:12:51 UTC (rev 288338) +++ php/php-src/branches/PHP_5_3/TSRM/tsrm_virtual_cwd.c2009-09-14 18:46:56 UTC (rev 288339) @@ -667,11 +667,14 @@ /* File is a reparse point. Get the target */ HANDLE hLink = NULL; REPARSE_DATA_BUFFER * pbuffer; - unsigned int retlength = 0, rname_off = 0; - int bufindex = 0, rname_len = 0, isabsolute = 0; + unsigned int retlength = 0; + int bufindex = 0, isabsolute = 0; wchar_t * reparsetarget; - WCHAR szVolumePathNames[MAX_PATH]; BOOL isVolume = FALSE; + char printname[MAX_PATH]; + char substitutename[MAX_PATH]; + int printname_len, substitutename_len; + int substitutename_off = 0; if(++(*ll) LINK_MAX) { return -1; 
@@ -692,33 +695,61 @@ CloseHandle(hLink); if(pbuffer-ReparseTag == IO_REPARSE_TAG_SYMLINK) { - rname_len = pbuffer-SymbolicLinkReparseBuffer.PrintNameLength/2; - rname_off = pbuffer-SymbolicLinkReparseBuffer.PrintNameOffset/2; - if(rname_len = 0) { - rname_len = pbuffer-SymbolicLinkReparseBuffer.SubstituteNameLength/2; - rname_off = pbuffer-SymbolicLinkReparseBuffer.SubstituteNameOffset/2; - } - reparsetarget = pbuffer-SymbolicLinkReparseBuffer.ReparseTarget; + printname_len = pbuffer-MountPointReparseBuffer.PrintNameLength / sizeof(WCHAR); isabsolute = (pbuffer-SymbolicLinkReparseBuffer.Flags == 0) ? 1 : 0; + if (!WideCharToMultiByte(CP_THREAD_ACP, 0, + reparsetarget + pbuffer-MountPointReparseBuffer.PrintNameOffset / sizeof(WCHAR), + printname_len + 1, + printname, MAX_PATH, NULL, NULL + )) { + tsrm_free_alloca(pbuffer, use_heap_large); + return -1; + }; + printname_len = pbuffer-MountPointReparseBuffer.PrintNameLength / sizeof(WCHAR); + printname[printname_len] = 0; + + substitutename_len = pbuffer-MountPointReparseBuffer.SubstituteNameLength / sizeof(WCHAR); + if (!WideCharToMultiByte(CP_THREAD_ACP, 0, + reparsetarget + pbuffer-MountPointReparseBuffer.SubstituteNameOffset / sizeof(WCHAR), + substitutename_len + 1, + substitutename, MAX_PATH, NULL, NULL + )) { + tsrm_free_alloca(pbuffer, use_heap_large); + return -1; + }; + substitutename[substitutename_len] = 0; } else if(pbuffer-ReparseTag == IO_REPARSE_TAG_MOUNT_POINT) { - rname_len = pbuffer-MountPointReparseBuffer.PrintNameLength/2; - rname_off = pbuffer-MountPointReparseBuffer.PrintNameOffset/2; - if(rname_len = 0) { - rname_len = pbuffer-MountPointReparseBuffer.SubstituteNameLength/2; - rname_off = pbuffer-MountPointReparseBuffer.SubstituteNameOffset/2; - } + isabsolute = 1; + reparsetarget = pbuffer-MountPointReparseBuffer.ReparseTarget; + printname_len = pbuffer-MountPointReparseBuffer.PrintNameLength / sizeof(WCHAR);
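Review bot: In the `IO_REPARSE_TAG_SYMLINK` branch of the @@ -692,33 +695,61 @@ hunk, the line `reparsetarget = pbuffer->SymbolicLinkReparseBuffer.ReparseTarget;` is removed and no replacement assignment is visible before `reparsetarget + ... PrintNameOffset / sizeof(WCHAR)` is passed to WideCharToMultiByte, so the pointer is read uninitialised on that path. The same branch also takes its lengths and offsets from `MountPointReparseBuffer` although the tag is a symlink; restore the assignment and use `SymbolicLinkReparseBuffer` throughout the branch. Separately, `printname_len` and `substitutename_len` come straight from the reparse data and are then used as indexes (`printname[printname_len] = 0`) into MAX_PATH-sized arrays. Check them against MAX_PATH before use, and terminate at the byte count WideCharToMultiByte returns, since a wide-character count is not the converted length in a multi-byte code page.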
[PHP-CVS] svn: /php/php-src/ branches/PHP_5_2/Zend/zend_execute_API.c branches/PHP_5_3/Zend/zend_execute_API.c trunk/Zend/zend_execute_API.c
moriyoshiTue, 15 Sep 2009 00:09:13 + Revision: http://svn.php.net/viewvc?view=revisionrevision=288345 Log: - WS fix (spaces to tabs) Changed paths: U php/php-src/branches/PHP_5_2/Zend/zend_execute_API.c U php/php-src/branches/PHP_5_3/Zend/zend_execute_API.c U php/php-src/trunk/Zend/zend_execute_API.c Modified: php/php-src/branches/PHP_5_2/Zend/zend_execute_API.c === --- php/php-src/branches/PHP_5_2/Zend/zend_execute_API.c2009-09-14 22:47:09 UTC (rev 288344) +++ php/php-src/branches/PHP_5_2/Zend/zend_execute_API.c2009-09-15 00:09:13 UTC (rev 288345) @@ -921,7 +921,7 @@ for (i=0; ifci-param_count; i++) { zval *param; - if(EX(function_state).function-type == ZEND_INTERNAL_FUNCTION + if (EX(function_state).function-type == ZEND_INTERNAL_FUNCTION !ARG_SHOULD_BE_SENT_BY_REF(EX(function_state).function, i + 1) PZVAL_IS_REF(*fci-params[i])) { SEPARATE_ZVAL(fci-params[i]); Modified: php/php-src/branches/PHP_5_3/Zend/zend_execute_API.c === --- php/php-src/branches/PHP_5_3/Zend/zend_execute_API.c2009-09-14 22:47:09 UTC (rev 288344) +++ php/php-src/branches/PHP_5_3/Zend/zend_execute_API.c2009-09-15 00:09:13 UTC (rev 288345) @@ -837,7 +837,7 @@ for (i=0; ifci-param_count; i++) { zval *param; - if(EX(function_state).function-type == ZEND_INTERNAL_FUNCTION + if (EX(function_state).function-type == ZEND_INTERNAL_FUNCTION !ARG_SHOULD_BE_SENT_BY_REF(EX(function_state).function, i + 1) PZVAL_IS_REF(*fci-params[i])) { SEPARATE_ZVAL(fci-params[i]); Modified: php/php-src/trunk/Zend/zend_execute_API.c === --- php/php-src/trunk/Zend/zend_execute_API.c 2009-09-14 22:47:09 UTC (rev 288344) +++ php/php-src/trunk/Zend/zend_execute_API.c 2009-09-15 00:09:13 UTC (rev 288345) 
@@ -872,7 +872,7 @@ for (i=0; ifci-param_count; i++) { zval *param; - if(EX(function_state).function-type == ZEND_INTERNAL_FUNCTION + if (EX(function_state).function-type == ZEND_INTERNAL_FUNCTION !ARG_SHOULD_BE_SENT_BY_REF(EX(function_state).function, i + 1) PZVAL_IS_REF(*fci-params[i])) { SEPARATE_ZVAL(fci-params[i]); -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php