- merged from php4.spec and adjusted for Ra
authorhawk <hawk@pld-linux.org>
Wed, 26 Apr 2006 14:01:42 +0000 (14:01 +0000)
committercvs2git <feedback@pld-linux.org>
Sun, 24 Jun 2012 12:13:13 +0000 (12:13 +0000)
Changed files:
    php-CVE-2006-0996.patch -> 1.2.6.1
    php-CVE-2006-1490.patch -> 1.1.6.1
    php-ini-search-path.patch -> 1.1.4.1
    php-openssl-huge-hack.patch -> 1.1.4.1
    php-zlib-for-getimagesize.patch -> 1.1.4.1

php-CVE-2006-0996.patch
php-CVE-2006-1490.patch
php-ini-search-path.patch
php-openssl-huge-hack.patch
php-zlib-for-getimagesize.patch

index 5a721dac2e79ac03375e2ecf2da62b2bbcb2f708..23030f9deaafb8822f6f418604f9074fae839cf0 100644 (file)
@@ -3,21 +3,23 @@ and 4.4.2 allows remote attackers to inject arbitrary web script or HTML
 via long array variables, including (1) a large number of dimensions or
 (2) long values, which prevents HTML tags from being removed.
 
-Patch pulled from cvs.php.net
+Patch based on php-CVE-2006-0996.patch + gcc 2.95 compilation fix from PHP CVS
 
---- php-5.1.2/ext/standard/info.c      2006/01/01 12:50:15     1.249.2.7
-+++ php-5.1.2/ext/standard/info.c      2006/03/30 19:58:18     1.249.2.9
-@@ -58,6 +58,21 @@
+--- php-4.4.2/ext/standard/info.c      2006-04-19 18:55:10.405669500 +0200
++++ php-4.4.2/ext/standard/info.c      2006-04-19 18:57:39.610994250 +0200
+@@ -58,6 +58,23 @@
  
  PHPAPI extern char *php_ini_opened_path;
  PHPAPI extern char *php_ini_scanned_files;
 +      
 +static int php_info_write_wrapper(const char *str, uint str_length)
 +{
++      int new_len, written;
++      char *elem_esc;
++
 +      TSRMLS_FETCH();
 +
-+      int new_len, written;
-+      char *elem_esc = php_escape_html_entities((char *)str, str_length, &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
++      elem_esc = php_escape_html_entities((char *)str, str_length, &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
 +
 +      written = php_body_write(elem_esc, new_len TSRMLS_CC);
 +
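Review bot: php_info_write_wrapper() is added without any comment, so neither its role nor the reason for the reordered declarations is recorded in the code. I would put `/* Write callback: HTML-escapes each chunk before handing it to php_body_write(). Declarations precede TSRMLS_FETCH() so C89 compilers such as gcc 2.95 accept the function. */` above the definition. The provenance line "Patch based on php-CVE-2006-0996.patch" names this file itself; it presumably means the PHP 5.1.2 variant of the patch and should say so. The function's tail lies outside this hunk, so whether elem_esc is freed and what is returned could not be checked here.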
@@ -29,36 +31,30 @@ Patch pulled from cvs.php.net
  
  /* {{{ _display_module_info
   */
-@@ -135,30 +150,13 @@
+@@ -133,23 +148,12 @@
                                PUTS(" => ");
                        }
                        if (Z_TYPE_PP(tmp) == IS_ARRAY) {
 -                              zval *tmp3;
--
 -                              MAKE_STD_ZVAL(tmp3);
--
                                if (!sapi_module.phpinfo_as_text) {
                                        PUTS("<pre>");
 -                              }
 -                              php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
--                              
--                              zend_print_zval_r(*tmp, 0 TSRMLS_CC);
--                              
+-                              zend_print_zval_r(*tmp, 0);
 -                              php_ob_get_buffer(tmp3 TSRMLS_CC);
 -                              php_end_ob_buffer(0, 0 TSRMLS_CC);
 -                              
+-                              elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
+-                              PUTS(elem_esc);
+-                              efree(elem_esc);
+-                              zval_ptr_dtor(&tmp3);
+-
 -                              if (!sapi_module.phpinfo_as_text) {
--                                      elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
--                                      PUTS(elem_esc);
--                                      efree(elem_esc);
 +                                      zend_print_zval_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0);
                                        PUTS("</pre>");
-                               } else {
--                                      PUTS(Z_STRVAL_P(tmp3));
-+                                      zend_print_zval_r(*tmp, 0 TSRMLS_CC);
++                              } else {
++                                      zend_print_zval_r(*tmp, 0);
                                }
--                              zval_ptr_dtor(&tmp3);
--
                        } else if (Z_TYPE_PP(tmp) != IS_STRING) {
                                tmp2 = **tmp;
-                               zval_copy_ctor(&tmp2);
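Review bot: The HTML branch now calls `zend_print_zval_ex(...)` while the text branch calls `zend_print_zval_r(...)`, so the two output modes may no longer render an array the same way; the code removed here used zend_print_zval_r for both. Please confirm that the HTML branch still prints the array's contents, with every chunk passing through php_info_write_wrapper. If this tree provides zend_print_zval_r_ex, `zend_print_zval_r_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0);` would keep both branches on the same printer. The `(zend_write_func_t)` cast would also hide a signature mismatch in the wrapper, so it is worth dropping if the types already agree. The enclosing function begins and ends outside this hunk.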
index f1b3590cb0c141d06e4478e5a8f745c8b5662fd1..7b3ee84d51ccb673ad0f5b1391c2739f81afb869 100644 (file)
@@ -7,12 +7,12 @@ discloses memory contents.
 
 Patch pulled from cvs.php.net
 
---- php-5.1.2/ext/standard/html.c      2006/01/01 12:50:14     1.111.2.1
-+++ php-5.1.2/ext/standard/html.c      2006/02/25 21:32:11     1.111.2.2
-@@ -884,7 +884,7 @@
+--- php-4.4.2/ext/standard/html.c      2006/01/01 13:46:57     1.63.2.23.2.1
++++ php-4.4.2/ext/standard/html.c      2006/02/25 21:33:06     1.63.2.23.2.2
+@@ -793,7 +793,7 @@
+       enum entity_charset charset = determine_charset(hint_charset TSRMLS_CC);
        unsigned char replacement[15];
-       int replacement_len;
+       
 -      ret = estrdup(old);
 +      ret = estrndup(old, oldlen);
        retlen = oldlen;
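Review bot: The one-line fix `ret = estrndup(old, oldlen);` carries no comment explaining why the length-bounded copy is required, so a later cleanup could easily turn it back into estrdup(). I would add `/* copy exactly oldlen bytes: old may contain NUL bytes, and retlen is set from oldlen */` above it. The context lines were re-targeted to the 4.4.2 sources in this revision, so it is worth checking that the patch applies without fuzz. The enclosing function starts and ends outside the hunk.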
index b06054dc52f28b0f93784149f06b868ce1a69ba9..2c8499e812d13fd610520602d8118c99a172db62 100644 (file)
@@ -1,32 +1,32 @@
 see also http://bugs.php.net/bug.php?id=34793
---- php-5.1.2/main/php_ini.c~  2006-01-12 23:46:12.000000000 +0200
-+++ php-5.1.2/main/php_ini.c   2006-01-17 17:01:16.000000000 +0200
-@@ -330,6 +330,7 @@
-                       strcat(php_ini_search_path, env_location);
-               }
+--- php-4.4.2/main/php_ini.c~  2006-01-17 19:02:09.000000000 +0200
++++ php-4.4.2/main/php_ini.c   2006-01-17 19:26:46.000000000 +0200
+@@ -19,7 +19,7 @@
+ /* $Id$ */
  
-+#ifdef PHP_WIN32
-               /* Add cwd (only with CLI) */
-               if (strcmp(sapi_module.name, "cli") == 0) {
-                       if (*php_ini_search_path) {
-@@ -339,7 +340,6 @@
-               }
+ /* Check CWD for php.ini */
+-#define INI_CHECK_CWD
++#undef        INI_CHECK_CWD
  
-               /* Add binary directory */
--#ifdef PHP_WIN32
-               binary_location = (char *) emalloc(MAXPATHLEN);
-               if (GetModuleFileName(0, binary_location, MAXPATHLEN) == 0) {
+ #include "php.h"
+ #include "ext/standard/info.h"
+@@ -328,13 +327,13 @@
                        efree(binary_location);
-@@ -356,6 +356,8 @@
                        binary_location = NULL;
                }
- #endif
+-#else
++
+               if (sapi_module.executable_location) {
+                       binary_location = estrdup(sapi_module.executable_location);
+               } else {
+                       binary_location = NULL;
+               }
+-#endif
 +
-+#ifdef PHP_WIN32
                if (binary_location) {
                        char *separator_location = strrchr(binary_location, DEFAULT_SLASH);
                        
-@@ -370,7 +372,6 @@
+@@ -349,7 +348,6 @@
                }
  
                /* Add default location */
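Review bot: The second inner hunk drops `#else` and `#endif` around the sapi_module.executable_location block, but the directive that opens this conditional is not visible in the context, so please confirm the preprocessor conditional in php_ini.c stays balanced after the patch is applied. The comment `/* Check CWD for php.ini */` now sits directly above `#undef INI_CHECK_CWD` and states the opposite of what the code does; something like `/* Do not look for php.ini in the current working directory */` would match. The inner hunk headers also look hand-edited: the first hunk is `-19,7 +19,7`, yet the next one goes from old line 328 to new line 327, so the new-side offsets deserve a re-check. The inner patch continues past the end of this hunk.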
index c9776288d3563feaaf80edd666ad15f80d8b5dfc..e2b1a62a9e0e08d025813ac0376adbce71c14cf3 100644 (file)
@@ -1,7 +1,7 @@
-diff -urN php-5.1.2.org/ext/curl/interface.c php-5.1.2/ext/curl/interface.c
---- php-5.1.2.org/ext/curl/interface.c 2006-01-05 19:07:55.000000000 +0100
-+++ php-5.1.2/ext/curl/interface.c     2006-01-25 14:42:08.980963000 +0100
-@@ -476,6 +476,8 @@
+diff -urN php-4.4.2.org/ext/curl/curl.c php-4.4.2/ext/curl/curl.c
+--- php-4.4.2.org/ext/curl/curl.c      2006-01-05 19:03:18.000000000 +0100
++++ php-4.4.2/ext/curl/curl.c  2006-01-25 22:23:03.429339500 +0100
+@@ -427,6 +427,8 @@
  }
  /* }}} */
  
@@ -10,7 +10,7 @@ diff -urN php-5.1.2.org/ext/curl/interface.c php-5.1.2/ext/curl/interface.c
  /* {{{ PHP_MSHUTDOWN_FUNCTION
   */
  PHP_MSHUTDOWN_FUNCTION(curl)
-@@ -486,6 +488,7 @@
+@@ -437,6 +439,7 @@
        php_unregister_url_stream_wrapper("ftp" TSRMLS_CC);
        php_unregister_url_stream_wrapper("ldap" TSRMLS_CC);
  #endif
@@ -18,7 +18,7 @@ diff -urN php-5.1.2.org/ext/curl/interface.c php-5.1.2/ext/curl/interface.c
        curl_global_cleanup();
  #ifdef PHP_CURL_NEED_SSL_TSL
        php_curl_ssl_cleanup();
-@@ -1621,9 +1624,8 @@
+@@ -1465,9 +1468,8 @@
        for (i = 0; i < c; ++i) {
                php_curl_openssl_tsl[i] = tsrm_mutex_alloc();
        }
@@ -30,7 +30,7 @@ diff -urN php-5.1.2.org/ext/curl/interface.c php-5.1.2/ext/curl/interface.c
  }
  
  static inline void php_curl_ssl_cleanup(void)
-@@ -1645,6 +1647,17 @@
+@@ -1489,6 +1491,17 @@
  #endif /* PHP_CURL_NEED_OPENSSL_TSL */
  /* }}} */
  
index 9a2bc9d2820c1bc14b8ebf758c9e72003e8b8ef7..130f0018bb3f069181ec8332c3d7af98f60d4abe 100644 (file)
@@ -2,6 +2,15 @@ make compressed .swf parsing possible,
 link core php with -lz for getimagesize()
 see also http://bugs.php.net/bug.php?id=29611
 
+--- php-4.4.1/ext/zlib/config0.m4~     2006-01-06 19:09:51.000000000 +0200
++++ php-4.4.1/ext/zlib/config0.m4      2006-01-06 19:09:52.000000000 +0200
+@@ -49,5 +49,6 @@
+   PHP_ZLIB_DIR=$ZLIB_DIR
+   PHP_ADD_LIBRARY(z,, ZLIB_SHARED_LIBADD)
+   PHP_ADD_INCLUDE($ZLIB_INCDIR)
++  EXTRA_LIBS="$EXTRA_LIBS $ZLIB_SHARED_LIBADD"
+ fi
 --- php-4.4.1/ext/standard/image.c     2005-07-27 14:22:36.000000000 +0300
 +++ /tmp/image.c       2006-01-06 19:14:00.000000000 +0200
 @@ -31,7 +31,7 @@