[PHP-CVS] cvs: php-src(PHP_5_2) / NEWS /ext/zip php_zip.c
iliaa Sun Mar 1 17:35:26 2009 UTC
Modified files: (Branch: PHP_5_2)
/php-srcNEWS
/php-src/ext/zipphp_zip.c
Log:
MFB: Fixed 2 memory corruptions in zip extension idenfied by
oo_properties.phpt test
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.1430r2=1.2027.2.547.2.1431diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.2027.2.547.2.1430 php-src/NEWS:1.2027.2.547.2.1431
--- php-src/NEWS:1.2027.2.547.2.1430Wed Feb 25 15:34:33 2009
+++ php-src/NEWSSun Mar 1 17:35:25 2009
@@ -1,6 +1,7 @@
PHPNEWS
|||
?? ??? 2009, PHP 5.2.10
+- Fixed memory corruptions while reading properties of zip files. (Ilia)
26 Feb 2009, PHP 5.2.9
- Changed __call() to be invoked on private/protected method access, similar to
http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.1.2.49r2=1.1.2.50diff_format=u
Index: php-src/ext/zip/php_zip.c
diff -u php-src/ext/zip/php_zip.c:1.1.2.49 php-src/ext/zip/php_zip.c:1.1.2.50
--- php-src/ext/zip/php_zip.c:1.1.2.49 Thu Feb 5 19:53:22 2009
+++ php-src/ext/zip/php_zip.c Sun Mar 1 17:35:25 2009
@@ -16,7 +16,7 @@
+--+
*/
-/* $Id: php_zip.c,v 1.1.2.49 2009/02/05 19:53:22 pajoye Exp $ */
+/* $Id: php_zip.c,v 1.1.2.50 2009/03/01 17:35:25 iliaa Exp $ */
#ifdef HAVE_CONFIG_H
#include config.h
@@ -806,6 +806,7 @@
} else {
if (hnd-read_const_char_from_obj_func) {
retchar =
hnd-read_const_char_from_obj_func(obj TSRMLS_CC);
+ len = strlen(retchar);
}
}
}
@@ -818,7 +819,7 @@
switch (hnd-type) {
case IS_STRING:
if (retchar) {
- ZVAL_STRING(*retval, (char *) retchar, 1);
+ ZVAL_STRINGL(*retval, (char *) retchar, len, 1);
} else {
ZVAL_EMPTY_STRING(*retval);
}
@@ -941,10 +942,11 @@
if (ret == SUCCESS) {
zval *tmp;
+ ALLOC_INIT_ZVAL(tmp);
if (type == 2) {
retval = 1;
- } else if (php_zip_property_reader(obj, hnd, tmp, 1 TSRMLS_CC)
== SUCCESS) {
+ } else if (php_zip_property_reader(obj, hnd, tmp, 0 TSRMLS_CC)
== SUCCESS) {
Z_SET_REFCOUNT_P(tmp, 1);
Z_UNSET_ISREF_P(tmp);
if (type == 1) {
@@ -952,8 +954,9 @@
} else if (type == 0) {
retval = (Z_TYPE_P(tmp) != IS_NULL);
}
- zval_ptr_dtor(tmp);
}
+
+ zval_ptr_dtor(tmp);
} else {
std_hnd = zend_get_std_object_handlers();
retval = std_hnd-has_property(object, member, type TSRMLS_CC);
@@ -2557,7 +2560,7 @@
php_info_print_table_start();
php_info_print_table_row(2, Zip, enabled);
- php_info_print_table_row(2, Extension Version,$Id: php_zip.c,v
1.1.2.49 2009/02/05 19:53:22 pajoye Exp $);
+ php_info_print_table_row(2, Extension Version,$Id: php_zip.c,v
1.1.2.50 2009/03/01 17:35:25 iliaa Exp $);
php_info_print_table_row(2, Zip version, PHP_ZIP_VERSION_STRING);
php_info_print_table_row(2, Libzip version, 0.9.0);
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-CVS] cvs: php-src(PHP_5_2) / NEWS /ext/zip php_zip.c /ext/zip/tests bug11216.phpt
On 6/3/07, Pierre-Alain Joye [EMAIL PROTECTED] wrote:
- if (zip_add_dir(intern, (const char *)s) == -1) {
- RETURN_FALSE;
+ if (zip_add_dir(intern, (const char *)s) == -1) {
+ RETVAL_FALSE;
+ }
+ RETVAL_TRUE;
I doubt this is correct...
-Hannes
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] cvs: php-src(PHP_5_2) / NEWS /ext/zip php_zip.c php_zip.h zip_stream.c
pajoye Wed Mar 14 11:08:58 2007 UTC
Modified files: (Branch: PHP_5_2)
/php-srcNEWS
/php-src/ext/zipzip_stream.c php_zip.c php_zip.h
Log:
- rename SAFEMODE_CHECKFILE to OPENBASEDIR_CHECKPATH (can be used without
confusing in head without confusion)
- Add safemode and open basedir checks in zip:// wrapper (revert Ilia's
patch). Bug found by Stefan Esser in his MOPB-20-2007
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.587r2=1.2027.2.547.2.588diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.2027.2.547.2.587 php-src/NEWS:1.2027.2.547.2.588
--- php-src/NEWS:1.2027.2.547.2.587 Mon Mar 12 16:59:51 2007
+++ php-src/NEWSWed Mar 14 11:08:57 2007
@@ -14,6 +14,7 @@
. Added SplFileInfo::getLinkTarget(), SplFileInfo::getRealPath().
- Added --ri switch to CLI which allows to check extension information.
(Marcus)
- Added tidyNode::getParent() method (John, Nuno)
+- Added openbasedir and safemode checks in zip:// stream wrapper (Pierre)
- Fixed zend_llist_remove_tail (Michael Wallner, Dmitry)
- Fixed a thread safety issue in gd gif read code (Nuno, Roman Nemecek)
- Fixed CVE-2007-1001, GD wbmp used with invalid image size (Pierre)
http://cvs.php.net/viewvc.cgi/php-src/ext/zip/zip_stream.c?r1=1.1.2.4r2=1.1.2.5diff_format=u
Index: php-src/ext/zip/zip_stream.c
diff -u php-src/ext/zip/zip_stream.c:1.1.2.4
php-src/ext/zip/zip_stream.c:1.1.2.5
--- php-src/ext/zip/zip_stream.c:1.1.2.4Wed Mar 14 03:50:18 2007
+++ php-src/ext/zip/zip_stream.cWed Mar 14 11:08:57 2007
@@ -1,4 +1,4 @@
-/* $Id: zip_stream.c,v 1.1.2.4 2007/03/14 03:50:18 iliaa Exp $ */
+/* $Id: zip_stream.c,v 1.1.2.5 2007/03/14 11:08:57 pajoye Exp $ */
#ifdef HAVE_CONFIG_H
# include config.h
#endif
@@ -12,6 +12,7 @@
#include ext/standard/file.h
#include ext/standard/php_string.h
#include fopen_wrappers.h
+#include php_zip.h
#include ext/standard/url.h
@@ -112,7 +113,7 @@
}
if (filename) {
- if ((PG(safe_mode) (!php_checkuid(filename, NULL,
CHECKUID_CHECK_FILE_AND_DIR))) || php_check_open_basedir(filename TSRMLS_CC)) {
+ if (OPENBASEDIR_CHECKPATH(filename)) {
return NULL;
}
@@ -193,7 +194,7 @@
php_basename(path, path_len - fragment_len, NULL, 0, file_basename,
file_basename_len TSRMLS_CC);
fragment++;
- if ((PG(safe_mode) (!php_checkuid(file_dirname, NULL,
CHECKUID_CHECK_FILE_AND_DIR))) || php_check_open_basedir(file_dirname
TSRMLS_CC)) {
+ if (OPENBASEDIR_CHECKPATH(file_dirname)) {
efree(file_basename);
return NULL;
}
http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.1.2.27r2=1.1.2.28diff_format=u
Index: php-src/ext/zip/php_zip.c
diff -u php-src/ext/zip/php_zip.c:1.1.2.27 php-src/ext/zip/php_zip.c:1.1.2.28
--- php-src/ext/zip/php_zip.c:1.1.2.27 Mon Jan 29 15:25:06 2007
+++ php-src/ext/zip/php_zip.c Wed Mar 14 11:08:57 2007
@@ -16,7 +16,7 @@
+--+
*/
-/* $Id: php_zip.c,v 1.1.2.27 2007/01/29 15:25:06 pajoye Exp $ */
+/* $Id: php_zip.c,v 1.1.2.28 2007/03/14 11:08:57 pajoye Exp $ */
#ifdef HAVE_CONFIG_H
#include config.h
@@ -49,11 +49,6 @@
#define le_zip_entry_name Zip Entry
/* }}} */
-/* {{{ SAFEMODE_CHECKFILE(filename) */
-#define SAFEMODE_CHECKFILE(filename) \
- (PG(safe_mode) (!php_checkuid(filename, NULL,
CHECKUID_CHECK_FILE_AND_DIR))) || php_check_open_basedir(filename TSRMLS_CC)
-/* }}} */
-
/* {{{ PHP_ZIP_STAT_INDEX(za, index, flags, sb) */
#define PHP_ZIP_STAT_INDEX(za, index, flags, sb) \
if (zip_stat_index(za, index, flags, sb) != 0) { \
@@ -127,7 +122,7 @@
php_basename(file, file_len, NULL, 0, file_basename, (unsigned
int *)file_basename_len TSRMLS_CC);
- if (SAFEMODE_CHECKFILE(file_dirname_fullpath)) {
+ if (OPENBASEDIR_CHECKPATH(file_dirname_fullpath)) {
efree(file_dirname_fullpath);
efree(file_basename);
return 0;
@@ -164,7 +159,7 @@
* is required, does a file can have a different
* safemode status as its parent folder?
*/
- if (SAFEMODE_CHECKFILE(fullpath)) {
+ if (OPENBASEDIR_CHECKPATH(fullpath)) {
efree(file_dirname_fullpath);
efree(file_basename);
return 0;
@@ -627,7 +622,7 @@
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, s, filename,
filename_len) == FAILURE) {
return;
}
- if (SAFEMODE_CHECKFILE(filename)) {
+ if (OPENBASEDIR_CHECKPATH(filename)) {
RETURN_FALSE;
}
@@ -1032,7 +1027,7 @@
entry_name_len = filename_len;
}
- if (SAFEMODE_CHECKFILE(filename)) {
+ if (OPENBASEDIR_CHECKPATH(filename)) {
RETURN_FALSE;
[PHP-CVS] cvs: php-src(PHP_5_2) / NEWS /ext/zip php_zip.c
pajoye Wed Mar 14 11:32:25 2007 UTC
Modified files: (Branch: PHP_5_2)
/php-srcNEWS
/php-src/ext/zipphp_zip.c
Log:
- MFH: Fixed possible relative path issues in zip_open in TS mode (old API)
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.588r2=1.2027.2.547.2.589diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.2027.2.547.2.588 php-src/NEWS:1.2027.2.547.2.589
--- php-src/NEWS:1.2027.2.547.2.588 Wed Mar 14 11:08:57 2007
+++ php-src/NEWSWed Mar 14 11:32:25 2007
@@ -15,6 +15,7 @@
- Added --ri switch to CLI which allows to check extension information.
(Marcus)
- Added tidyNode::getParent() method (John, Nuno)
- Added openbasedir and safemode checks in zip:// stream wrapper (Pierre)
+- Fixed possible relative path issues in zip_open and TS mode (old API)
(Pierre)
- Fixed zend_llist_remove_tail (Michael Wallner, Dmitry)
- Fixed a thread safety issue in gd gif read code (Nuno, Roman Nemecek)
- Fixed CVE-2007-1001, GD wbmp used with invalid image size (Pierre)
http://cvs.php.net/viewvc.cgi/php-src/ext/zip/php_zip.c?r1=1.1.2.28r2=1.1.2.29diff_format=u
Index: php-src/ext/zip/php_zip.c
diff -u php-src/ext/zip/php_zip.c:1.1.2.28 php-src/ext/zip/php_zip.c:1.1.2.29
--- php-src/ext/zip/php_zip.c:1.1.2.28 Wed Mar 14 11:08:57 2007
+++ php-src/ext/zip/php_zip.c Wed Mar 14 11:32:25 2007
@@ -16,7 +16,7 @@
+--+
*/
-/* $Id: php_zip.c,v 1.1.2.28 2007/03/14 11:08:57 pajoye Exp $ */
+/* $Id: php_zip.c,v 1.1.2.29 2007/03/14 11:32:25 pajoye Exp $ */
#ifdef HAVE_CONFIG_H
#include config.h
@@ -616,16 +616,27 @@
{
char *filename;
int filename_len;
+ char resolved_path[MAXPATHLEN + 1];
zip_rsrc *rsrc_int;
int err = 0;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, s, filename,
filename_len) == FAILURE) {
return;
}
+
+ if (filename_len == 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, Empty string as
source);
+ RETURN_FALSE;
+ }
+
if (OPENBASEDIR_CHECKPATH(filename)) {
RETURN_FALSE;
}
+ if(!expand_filepath(filename, resolved_path TSRMLS_CC)) {
+ RETURN_FALSE;
+ }
+
rsrc_int = (zip_rsrc *)emalloc(sizeof(zip_rsrc));
rsrc_int-za = zip_open(filename, 0, err);
@@ -2011,7 +2022,7 @@
php_info_print_table_start();
php_info_print_table_row(2, Zip, enabled);
- php_info_print_table_row(2, Extension Version,$Id: php_zip.c,v
1.1.2.28 2007/03/14 11:08:57 pajoye Exp $);
+ php_info_print_table_row(2, Extension Version,$Id: php_zip.c,v
1.1.2.29 2007/03/14 11:32:25 pajoye Exp $);
php_info_print_table_row(2, Zip version, 2.0.0);
php_info_print_table_row(2, Libzip version, 0.7.1);
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
