[PHP-CVS] cvs: php-src(PHP_5_2) / NEWS /ext/zip php_zip.c
iliaa Sun Mar 1 17:35:26 2009 UTC Modified files: (Branch: PHP_5_2) /php-srcNEWS /php-src/ext/zipphp_zip.c Log: MFB: Fixed 2 memory corruptions in zip extension idenfied by oo_properties.phpt test http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.1430r2=1.2027.2.547.2.1431diff_format=u Index: php-src/NEWS diff -u php-src/NEWS:1.2027.2.547.2.1430 php-src/NEWS:1.2027.2.547.2.1431 --- php-src/NEWS:1.2027.2.547.2.1430Wed Feb 25 15:34:33 2009 +++ php-src/NEWSSun Mar 1 17:35:25 2009 @@ -1,6 +1,7 @@ PHPNEWS ||| ?? ??? 2009, PHP 5.2.10 +- Fixed memory corruptions while reading properties of zip files. (Ilia) 26 Feb 2009, PHP 5.2.9 - Changed __call() to be invoked on private/protected method access, similar to http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.1.2.49r2=1.1.2.50diff_format=u Index: php-src/ext/zip/php_zip.c diff -u php-src/ext/zip/php_zip.c:1.1.2.49 php-src/ext/zip/php_zip.c:1.1.2.50 --- php-src/ext/zip/php_zip.c:1.1.2.49 Thu Feb 5 19:53:22 2009 +++ php-src/ext/zip/php_zip.c Sun Mar 1 17:35:25 2009 @@ -16,7 +16,7 @@ +--+ */ -/* $Id: php_zip.c,v 1.1.2.49 2009/02/05 19:53:22 pajoye Exp $ */ +/* $Id: php_zip.c,v 1.1.2.50 2009/03/01 17:35:25 iliaa Exp $ */ #ifdef HAVE_CONFIG_H #include config.h @@ -806,6 +806,7 @@ } else { if (hnd-read_const_char_from_obj_func) { retchar = hnd-read_const_char_from_obj_func(obj TSRMLS_CC); + len = strlen(retchar); } } } @@ -818,7 +819,7 @@ switch (hnd-type) { case IS_STRING: if (retchar) { - ZVAL_STRING(*retval, (char *) retchar, 1); + ZVAL_STRINGL(*retval, (char *) retchar, len, 1); } else { ZVAL_EMPTY_STRING(*retval); } @@ -941,10 +942,11 @@ if (ret == SUCCESS) { zval *tmp; + ALLOC_INIT_ZVAL(tmp); if (type == 2) { retval = 1; - } else if (php_zip_property_reader(obj, hnd, tmp, 1 TSRMLS_CC) == SUCCESS) { + } else if (php_zip_property_reader(obj, hnd, tmp, 0 TSRMLS_CC) == SUCCESS) { Z_SET_REFCOUNT_P(tmp, 1); Z_UNSET_ISREF_P(tmp); if (type == 1) { 
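Review bot: The added `len = strlen(retchar);` in the `@@ -806,6 +806,7 @@` hunk dereferences the handler's return value without a NULL test, while the `IS_STRING` branch in the next hunk still guards with `if (retchar)`, which suggests a NULL result is anticipated. If `read_const_char_from_obj_func` can return NULL, this line turns a read of an empty property into a crash; `len = retchar ? strlen(retchar) : 0;` would keep the two sites consistent. The enclosing function starts and ends outside the hunk, so it cannot be confirmed from here that `len` is set on every path that reaches `ZVAL_STRINGL`.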
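Review bot: Nothing in the `@@ -941,10 +942,11 @@` hunk records that `ALLOC_INIT_ZVAL(tmp)`, the change of the reader's fourth argument from `1` to `0`, and the `zval_ptr_dtor(tmp)` moved out of the `else if` in the following hunk (`@@ -952,8 +954,9 @@`) only work as a set. A later edit that changes one of the three without the others would presumably bring back the kind of corruption the log message describes. A one-line comment above the allocation would make the ownership visible, for example `/* tmp is allocated and released here; the reader fills it in place */`. `tmp` is also allocated on the `type == 2` path, where the visible code never reads it. The function body starts and ends outside these hunks.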
@@ -952,8 +954,9 @@ } else if (type == 0) { retval = (Z_TYPE_P(tmp) != IS_NULL); } - zval_ptr_dtor(tmp); } + + zval_ptr_dtor(tmp); } else { std_hnd = zend_get_std_object_handlers(); retval = std_hnd-has_property(object, member, type TSRMLS_CC); @@ -2557,7 +2560,7 @@ php_info_print_table_start(); php_info_print_table_row(2, Zip, enabled); - php_info_print_table_row(2, Extension Version,$Id: php_zip.c,v 1.1.2.49 2009/02/05 19:53:22 pajoye Exp $); + php_info_print_table_row(2, Extension Version,$Id: php_zip.c,v 1.1.2.50 2009/03/01 17:35:25 iliaa Exp $); php_info_print_table_row(2, Zip version, PHP_ZIP_VERSION_STRING); php_info_print_table_row(2, Libzip version, 0.9.0); -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-CVS] cvs: php-src(PHP_5_2) / NEWS /ext/zip php_zip.c /ext/zip/tests bug11216.phpt
On 6/3/07, Pierre-Alain Joye [EMAIL PROTECTED] wrote: - if (zip_add_dir(intern, (const char *)s) == -1) { - RETURN_FALSE; + if (zip_add_dir(intern, (const char *)s) == -1) { + RETVAL_FALSE; + } + RETVAL_TRUE; I doubt this is correct... -Hannes -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] cvs: php-src(PHP_5_2) / NEWS /ext/zip php_zip.c php_zip.h zip_stream.c
pajoye Wed Mar 14 11:08:58 2007 UTC Modified files: (Branch: PHP_5_2) /php-srcNEWS /php-src/ext/zipzip_stream.c php_zip.c php_zip.h Log: - rename SAFEMODE_CHECKFILE to OPENBASEDIR_CHECKPATH (can be used without confusing in head without confusion) - Add safemode and open basedir checks in zip:// wrapper (revert Ilia's patch). Bug found by Stefan Esser in his MOPB-20-2007 http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.587r2=1.2027.2.547.2.588diff_format=u Index: php-src/NEWS diff -u php-src/NEWS:1.2027.2.547.2.587 php-src/NEWS:1.2027.2.547.2.588 --- php-src/NEWS:1.2027.2.547.2.587 Mon Mar 12 16:59:51 2007 +++ php-src/NEWSWed Mar 14 11:08:57 2007 @@ -14,6 +14,7 @@ . Added SplFileInfo::getLinkTarget(), SplFileInfo::getRealPath(). - Added --ri switch to CLI which allows to check extension information. (Marcus) - Added tidyNode::getParent() method (John, Nuno) +- Added openbasedir and safemode checks in zip:// stream wrapper (Pierre) - Fixed zend_llist_remove_tail (Michael Wallner, Dmitry) - Fixed a thread safety issue in gd gif read code (Nuno, Roman Nemecek) - Fixed CVE-2007-1001, GD wbmp used with invalid image size (Pierre) http://cvs.php.net/viewvc.cgi/php-src/ext/zip/zip_stream.c?r1=1.1.2.4r2=1.1.2.5diff_format=u Index: php-src/ext/zip/zip_stream.c diff -u php-src/ext/zip/zip_stream.c:1.1.2.4 php-src/ext/zip/zip_stream.c:1.1.2.5 --- php-src/ext/zip/zip_stream.c:1.1.2.4Wed Mar 14 03:50:18 2007 +++ php-src/ext/zip/zip_stream.cWed Mar 14 11:08:57 2007 @@ -1,4 +1,4 @@ -/* $Id: zip_stream.c,v 1.1.2.4 2007/03/14 03:50:18 iliaa Exp $ */ +/* $Id: zip_stream.c,v 1.1.2.5 2007/03/14 11:08:57 pajoye Exp $ */ #ifdef HAVE_CONFIG_H # include config.h #endif @@ -12,6 +12,7 @@ #include ext/standard/file.h #include ext/standard/php_string.h #include fopen_wrappers.h +#include php_zip.h #include ext/standard/url.h 
@@ -112,7 +113,7 @@ } if (filename) { - if ((PG(safe_mode) (!php_checkuid(filename, NULL, CHECKUID_CHECK_FILE_AND_DIR))) || php_check_open_basedir(filename TSRMLS_CC)) { + if (OPENBASEDIR_CHECKPATH(filename)) { return NULL; } @@ -193,7 +194,7 @@ php_basename(path, path_len - fragment_len, NULL, 0, file_basename, file_basename_len TSRMLS_CC); fragment++; - if ((PG(safe_mode) (!php_checkuid(file_dirname, NULL, CHECKUID_CHECK_FILE_AND_DIR))) || php_check_open_basedir(file_dirname TSRMLS_CC)) { + if (OPENBASEDIR_CHECKPATH(file_dirname)) { efree(file_basename); return NULL; } http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.1.2.27r2=1.1.2.28diff_format=u Index: php-src/ext/zip/php_zip.c diff -u php-src/ext/zip/php_zip.c:1.1.2.27 php-src/ext/zip/php_zip.c:1.1.2.28 --- php-src/ext/zip/php_zip.c:1.1.2.27 Mon Jan 29 15:25:06 2007 +++ php-src/ext/zip/php_zip.c Wed Mar 14 11:08:57 2007 @@ -16,7 +16,7 @@ +--+ */ -/* $Id: php_zip.c,v 1.1.2.27 2007/01/29 15:25:06 pajoye Exp $ */ +/* $Id: php_zip.c,v 1.1.2.28 2007/03/14 11:08:57 pajoye Exp $ */ #ifdef HAVE_CONFIG_H #include config.h @@ -49,11 +49,6 @@ #define le_zip_entry_name Zip Entry /* }}} */ -/* {{{ SAFEMODE_CHECKFILE(filename) */ -#define SAFEMODE_CHECKFILE(filename) \ - (PG(safe_mode) (!php_checkuid(filename, NULL, CHECKUID_CHECK_FILE_AND_DIR))) || php_check_open_basedir(filename TSRMLS_CC) -/* }}} */ - /* {{{ PHP_ZIP_STAT_INDEX(za, index, flags, sb) */ #define PHP_ZIP_STAT_INDEX(za, index, flags, sb) \ if (zip_stat_index(za, index, flags, sb) != 0) { \ @@ -127,7 +122,7 @@ php_basename(file, file_len, NULL, 0, file_basename, (unsigned int *)file_basename_len TSRMLS_CC); - if (SAFEMODE_CHECKFILE(file_dirname_fullpath)) { + if (OPENBASEDIR_CHECKPATH(file_dirname_fullpath)) { efree(file_dirname_fullpath); efree(file_basename); return 0; 
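Review bot: The definition of `OPENBASEDIR_CHECKPATH` is not in the visible part of this commit, so at the two call sites in zip_stream.c (`@@ -112,7 +113,7 @@` and `@@ -193,7 +194,7 @@`) it cannot be confirmed that the macro still performs the safe_mode uid check that the removed inline condition did. The name mentions only open_basedir, although the log says both checks are intended. The removed `SAFEMODE_CHECKFILE` in php_zip.c had no outer parentheses around its `... || ...` body, so a use such as `!SAFEMODE_CHECKFILE(x)` would have bound to the first operand only; the replacement in php_zip.h should wrap the whole expansion in parentheses and carry a comment such as `/* non-zero when the safe_mode uid check or open_basedir rejects the path */`. The same applies to the renamed call sites in php_zip.c (`@@ -127,7 +122,7 @@`, `@@ -164,7 +159,7 @@`, `@@ -627,7 +622,7 @@`, `@@ -1032,7 +1027,7 @@`).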
@@ -164,7 +159,7 @@ * is required, does a file can have a different * safemode status as its parent folder? */ - if (SAFEMODE_CHECKFILE(fullpath)) { + if (OPENBASEDIR_CHECKPATH(fullpath)) { efree(file_dirname_fullpath); efree(file_basename); return 0; @@ -627,7 +622,7 @@ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, s, filename, filename_len) == FAILURE) { return; } - if (SAFEMODE_CHECKFILE(filename)) { + if (OPENBASEDIR_CHECKPATH(filename)) { RETURN_FALSE; } @@ -1032,7 +1027,7 @@ entry_name_len = filename_len; } - if (SAFEMODE_CHECKFILE(filename)) { + if (OPENBASEDIR_CHECKPATH(filename)) { RETURN_FALSE;
[PHP-CVS] cvs: php-src(PHP_5_2) / NEWS /ext/zip php_zip.c
pajoye Wed Mar 14 11:32:25 2007 UTC Modified files: (Branch: PHP_5_2) /php-srcNEWS /php-src/ext/zipphp_zip.c Log: - MFH: Fixed possible relative path issues in zip_open in TS mode (old API) http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.588r2=1.2027.2.547.2.589diff_format=u Index: php-src/NEWS diff -u php-src/NEWS:1.2027.2.547.2.588 php-src/NEWS:1.2027.2.547.2.589 --- php-src/NEWS:1.2027.2.547.2.588 Wed Mar 14 11:08:57 2007 +++ php-src/NEWSWed Mar 14 11:32:25 2007 @@ -15,6 +15,7 @@ - Added --ri switch to CLI which allows to check extension information. (Marcus) - Added tidyNode::getParent() method (John, Nuno) - Added openbasedir and safemode checks in zip:// stream wrapper (Pierre) +- Fixed possible relative path issues in zip_open and TS mode (old API) (Pierre) - Fixed zend_llist_remove_tail (Michael Wallner, Dmitry) - Fixed a thread safety issue in gd gif read code (Nuno, Roman Nemecek) - Fixed CVE-2007-1001, GD wbmp used with invalid image size (Pierre) http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.1.2.28r2=1.1.2.29diff_format=u Index: php-src/ext/zip/php_zip.c diff -u php-src/ext/zip/php_zip.c:1.1.2.28 php-src/ext/zip/php_zip.c:1.1.2.29 --- php-src/ext/zip/php_zip.c:1.1.2.28 Wed Mar 14 11:08:57 2007 +++ php-src/ext/zip/php_zip.c Wed Mar 14 11:32:25 2007 @@ -16,7 +16,7 @@ +--+ */ -/* $Id: php_zip.c,v 1.1.2.28 2007/03/14 11:08:57 pajoye Exp $ */ +/* $Id: php_zip.c,v 1.1.2.29 2007/03/14 11:32:25 pajoye Exp $ */ #ifdef HAVE_CONFIG_H #include config.h 
@@ -616,16 +616,27 @@ { char *filename; int filename_len; + char resolved_path[MAXPATHLEN + 1]; zip_rsrc *rsrc_int; int err = 0; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, s, filename, filename_len) == FAILURE) { return; } + + if (filename_len == 0) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, Empty string as source); + RETURN_FALSE; + } + if (OPENBASEDIR_CHECKPATH(filename)) { RETURN_FALSE; } + if(!expand_filepath(filename, resolved_path TSRMLS_CC)) { + RETURN_FALSE; + } + rsrc_int = (zip_rsrc *)emalloc(sizeof(zip_rsrc)); rsrc_int-za = zip_open(filename, 0, err); @@ -2011,7 +2022,7 @@ php_info_print_table_start(); php_info_print_table_row(2, Zip, enabled); - php_info_print_table_row(2, Extension Version,$Id: php_zip.c,v 1.1.2.28 2007/03/14 11:08:57 pajoye Exp $); + php_info_print_table_row(2, Extension Version,$Id: php_zip.c,v 1.1.2.29 2007/03/14 11:32:25 pajoye Exp $); php_info_print_table_row(2, Zip version, 2.0.0); php_info_print_table_row(2, Libzip version, 0.7.1); -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
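Review bot: `resolved_path` is filled by the added `expand_filepath()` call in the `@@ -616,16 +616,27 @@` hunk but never used afterwards in the visible code: the unchanged context line still passes `filename` to `zip_open()`. As shown here the archive is still opened through the caller's unresolved string, so the relative-path issue named in the log does not appear to be addressed. Using the result in the open call, `rsrc_int->za = zip_open(resolved_path, 0, &err);`, would make the fix effective. Moving the expansion ahead of the access check and testing `OPENBASEDIR_CHECKPATH(resolved_path)` would also keep the checked path and the opened path identical. The function continues past the end of the hunk.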