[packages/php.git] / bug-47930.patch

PHP 5.2.x Remote Code Execution Vulnerability

http://securityvulns.ru/docs27701.html
http://www.securityfocus.com/archive/1/521695
http://www.securityfocus.com/bid/52065
http://xforce.iss.net/xforce/xfdb/73286

Description:

If PHP bails out in startup stage before setting PG(modules_activated)
to 1, the filter_globals struct is not cleaned up on shutdown stage.
The subsequence request will use uncleaned value in filter_globals
struct. With special crafted request, this problem can lead to
information disclosure and remote code execution.

Only apache modules SAPI are found to vulnerable to this problem.
While other SAPIs are safe because a PHP process exits when PHP bails
out before setting PG(modules_activated) to 1.

This bug was fixed before releasing 5.3.0.
http://svn.php.net/viewvc?view=revision&revision=279522. But the patch
is not backported to 5.2 version as described in
https://bugs.php.net/bug.php?id=47930

This patch backports it.
Index: branches/PHP_5_3/ext/filter/filter.c
===================================================================
diff -urNp -x '*.orig' php-5.2.17.org/ext/filter/filter.c php-5.2.17/ext/filter/filter.c
--- php-5.2.17.org/ext/filter/filter.c	2021-10-23 19:13:24.436458386 +0200
+++ php-5.2.17/ext/filter/filter.c	2021-10-23 19:13:27.149791720 +0200
@@ -76,6 +76,7 @@ filter_list_entry filter_list[] = {
 #endif
 
 static unsigned int php_sapi_filter(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC);
+static unsigned int php_sapi_filter_init(TSRMLS_D);
 
 /* {{{ filter_functions[]
  */
@@ -233,7 +234,7 @@ PHP_MINIT_FUNCTION(filter)
 	REGISTER_LONG_CONSTANT("FILTER_FLAG_NO_RES_RANGE", FILTER_FLAG_NO_RES_RANGE, CONST_CS | CONST_PERSISTENT);
 	REGISTER_LONG_CONSTANT("FILTER_FLAG_NO_PRIV_RANGE", FILTER_FLAG_NO_PRIV_RANGE, CONST_CS | CONST_PERSISTENT);
 
-	sapi_register_input_filter(php_sapi_filter);
+	sapi_register_input_filter(php_sapi_filter, php_sapi_filter_init);
 
 	return SUCCESS;
 }
@@ -302,6 +303,17 @@ static filter_list_entry php_find_filter
 }
 /* }}} */
 
+static unsigned int php_sapi_filter_init(TSRMLS_D)
+{
+	IF_G(get_array) = NULL;
+	IF_G(post_array) = NULL;
+	IF_G(cookie_array) = NULL;
+	IF_G(server_array) = NULL;
+	IF_G(env_array) = NULL;
+	IF_G(session_array) = NULL;
+	return SUCCESS;
+}
+
 static void php_zval_filter(zval **value, long filter, long flags, zval *options, char* charset, zend_bool copy TSRMLS_DC) /* {{{ */
 {
 	filter_list_entry  filter_func;
diff -urNp -x '*.orig' php-5.2.17.org/main/SAPI.c php-5.2.17/main/SAPI.c
--- php-5.2.17.org/main/SAPI.c	2021-10-23 19:13:24.446458386 +0200
+++ php-5.2.17/main/SAPI.c	2021-10-23 19:13:27.149791720 +0200
@@ -323,6 +323,9 @@ SAPI_API void sapi_activate_headers_only
 			sapi_module.activate(TSRMLS_C);
 		}
 	}
+	if (sapi_module.input_filter_init ) {
+		sapi_module.input_filter_init(TSRMLS_C);
+	}
 }
 
 /*
@@ -389,6 +392,9 @@ SAPI_API void sapi_activate(TSRMLS_D)
 			sapi_module.activate(TSRMLS_C);
 		}
 	}
+	if (sapi_module.input_filter_init ) {
+		sapi_module.input_filter_init(TSRMLS_C);
+	}
 }
 
 
@@ -884,13 +890,14 @@ SAPI_API int sapi_register_treat_data(vo
 	return SUCCESS;
 }
 
-SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC))
+SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC), unsigned int (*input_filter_init)(TSRMLS_D))
 {
 	TSRMLS_FETCH();
 	if (SG(sapi_started) && EG(in_execution)) {
 		return FAILURE;
 	}
 	sapi_module.input_filter = input_filter;
+	sapi_module.input_filter_init = input_filter_init;
 	return SUCCESS;
 }
 
diff -urNp -x '*.orig' php-5.2.17.org/main/SAPI.h php-5.2.17/main/SAPI.h
--- php-5.2.17.org/main/SAPI.h	2010-03-18 23:37:25.000000000 +0100
+++ php-5.2.17/main/SAPI.h	2021-10-23 19:13:27.149791720 +0200
@@ -188,7 +188,7 @@ SAPI_API int sapi_register_post_entry(sa
 SAPI_API void sapi_unregister_post_entry(sapi_post_entry *post_entry TSRMLS_DC);
 SAPI_API int sapi_register_default_post_reader(void (*default_post_reader)(TSRMLS_D));
 SAPI_API int sapi_register_treat_data(void (*treat_data)(int arg, char *str, zval *destArray TSRMLS_DC));
-SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC));
+SAPI_API int sapi_register_input_filter(unsigned int (*input_filter)(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC), unsigned int (*input_filter_init)(TSRMLS_D));
 
 SAPI_API int sapi_flush(TSRMLS_D);
 SAPI_API struct stat *sapi_get_stat(TSRMLS_D);
@@ -259,6 +259,7 @@ struct _sapi_module_struct {
 	int phpinfo_as_text;
 
 	char *ini_entries;
+	unsigned int (*input_filter_init)(TSRMLS_D);
 };
 
 
diff -urNp -x '*.orig' php-5.2.17.org/main/php_content_types.c php-5.2.17/main/php_content_types.c
--- php-5.2.17.org/main/php_content_types.c	2010-01-03 10:23:27.000000000 +0100
+++ php-5.2.17/main/php_content_types.c	2021-10-23 19:13:27.149791720 +0200
@@ -75,7 +75,7 @@ int php_startup_sapi_content_types(TSRML
 {
 	sapi_register_default_post_reader(php_default_post_reader);
 	sapi_register_treat_data(php_default_treat_data);
-	sapi_register_input_filter(php_default_input_filter);
+	sapi_register_input_filter(php_default_input_filter, NULL);
 	return SUCCESS;
 }
 /* }}} */
Commit	Line	Data
614e82b5 ER	1	PHP 5.2.x Remote Code Execution Vulnerability
	2
	3	http://securityvulns.ru/docs27701.html
	4	http://www.securityfocus.com/archive/1/521695
	5	http://www.securityfocus.com/bid/52065
	6	http://xforce.iss.net/xforce/xfdb/73286
	7
	8	Description:
	9
	10	If PHP bails out in startup stage before setting PG(modules_activated)
	11	to 1, the filter_globals struct is not cleaned up on shutdown stage.
	12	The subsequence request will use uncleaned value in filter_globals
	13	struct. With special crafted request, this problem can lead to
	14	information disclosure and remote code execution.
	15
	16	Only apache modules SAPI are found to vulnerable to this problem.
	17	While other SAPIs are safe because a PHP process exits when PHP bails
	18	out before setting PG(modules_activated) to 1.
	19
	20	This bug was fixed before releasing 5.3.0.
	21	http://svn.php.net/viewvc?view=revision&revision=279522. But the patch
	22	is not backported to 5.2 version as described in
	23	https://bugs.php.net/bug.php?id=47930
	24
	25	This patch backports it.
	26	Index: branches/PHP_5_3/ext/filter/filter.c
	27	===================================================================
f9fed404 AM	28	diff -urNp -x '*.orig' php-5.2.17.org/ext/filter/filter.c php-5.2.17/ext/filter/filter.c
	29	--- php-5.2.17.org/ext/filter/filter.c 2021-10-23 19:13:24.436458386 +0200
	30	+++ php-5.2.17/ext/filter/filter.c 2021-10-23 19:13:27.149791720 +0200
	31	@@ -76,6 +76,7 @@ filter_list_entry filter_list[] = {
614e82b5 ER	32	#endif
	33
	34	static unsigned int php_sapi_filter(int arg, char var, char val, unsigned int val_len, unsigned int new_val_len TSRMLS_DC);
	35	+static unsigned int php_sapi_filter_init(TSRMLS_D);
	36
f9fed404 AM	37	/* {{{ filter_functions[]
	38	*/
	39	@@ -233,7 +234,7 @@ PHP_MINIT_FUNCTION(filter)
614e82b5 ER	40	REGISTER_LONG_CONSTANT("FILTER_FLAG_NO_RES_RANGE", FILTER_FLAG_NO_RES_RANGE, CONST_CS \| CONST_PERSISTENT);
	41	REGISTER_LONG_CONSTANT("FILTER_FLAG_NO_PRIV_RANGE", FILTER_FLAG_NO_PRIV_RANGE, CONST_CS \| CONST_PERSISTENT);
	42
	43	- sapi_register_input_filter(php_sapi_filter);
	44	+ sapi_register_input_filter(php_sapi_filter, php_sapi_filter_init);
	45
	46	return SUCCESS;
	47	}
f9fed404	48	@@ -302,6 +303,17 @@ static filter_list_entry php_find_filter
614e82b5 ER	49	}
	50	/* }}} */
	51
	52	+static unsigned int php_sapi_filter_init(TSRMLS_D)
	53	+{
	54	+ IF_G(get_array) = NULL;
	55	+ IF_G(post_array) = NULL;
	56	+ IF_G(cookie_array) = NULL;
	57	+ IF_G(server_array) = NULL;
	58	+ IF_G(env_array) = NULL;
	59	+ IF_G(session_array) = NULL;
	60	+ return SUCCESS;
	61	+}
	62	+
	63	static void php_zval_filter(zval *value, long filter, long flags, zval options, char* charset, zend_bool copy TSRMLS_DC) /* {{{ */
	64	{
	65	filter_list_entry filter_func;
f9fed404 AM	66	diff -urNp -x '*.orig' php-5.2.17.org/main/SAPI.c php-5.2.17/main/SAPI.c
	67	--- php-5.2.17.org/main/SAPI.c 2021-10-23 19:13:24.446458386 +0200
	68	+++ php-5.2.17/main/SAPI.c 2021-10-23 19:13:27.149791720 +0200
	69	@@ -323,6 +323,9 @@ SAPI_API void sapi_activate_headers_only
614e82b5 ER	70	sapi_module.activate(TSRMLS_C);
	71	}
	72	}
	73	+ if (sapi_module.input_filter_init ) {
	74	+ sapi_module.input_filter_init(TSRMLS_C);
	75	+ }
	76	}
	77
	78	/*
f9fed404	79	@@ -389,6 +392,9 @@ SAPI_API void sapi_activate(TSRMLS_D)
614e82b5 ER	80	sapi_module.activate(TSRMLS_C);
	81	}
	82	}
	83	+ if (sapi_module.input_filter_init ) {
	84	+ sapi_module.input_filter_init(TSRMLS_C);
	85	+ }
	86	}
	87
	88
f9fed404	89	@@ -884,13 +890,14 @@ SAPI_API int sapi_register_treat_data(vo
614e82b5 ER	90	return SUCCESS;
	91	}
	92
	93	-SAPI_API int sapi_register_input_filter(unsigned int (input_filter)(int arg, char var, char *val, unsigned int val_len, unsigned int new_val_len TSRMLS_DC))
	94	+SAPI_API int sapi_register_input_filter(unsigned int (input_filter)(int arg, char var, char *val, unsigned int val_len, unsigned int new_val_len TSRMLS_DC), unsigned int (*input_filter_init)(TSRMLS_D))
	95	{
	96	TSRMLS_FETCH();
	97	if (SG(sapi_started) && EG(in_execution)) {
	98	return FAILURE;
	99	}
	100	sapi_module.input_filter = input_filter;
	101	+ sapi_module.input_filter_init = input_filter_init;
	102	return SUCCESS;
	103	}
	104
f9fed404 AM	105	diff -urNp -x '*.orig' php-5.2.17.org/main/SAPI.h php-5.2.17/main/SAPI.h
	106	--- php-5.2.17.org/main/SAPI.h 2010-03-18 23:37:25.000000000 +0100
	107	+++ php-5.2.17/main/SAPI.h 2021-10-23 19:13:27.149791720 +0200
	108	@@ -188,7 +188,7 @@ SAPI_API int sapi_register_post_entry(sa
614e82b5 ER	109	SAPI_API void sapi_unregister_post_entry(sapi_post_entry *post_entry TSRMLS_DC);
	110	SAPI_API int sapi_register_default_post_reader(void (*default_post_reader)(TSRMLS_D));
	111	SAPI_API int sapi_register_treat_data(void (treat_data)(int arg, char str, zval *destArray TSRMLS_DC));
	112	-SAPI_API int sapi_register_input_filter(unsigned int (input_filter)(int arg, char var, char *val, unsigned int val_len, unsigned int new_val_len TSRMLS_DC));
	113	+SAPI_API int sapi_register_input_filter(unsigned int (input_filter)(int arg, char var, char *val, unsigned int val_len, unsigned int new_val_len TSRMLS_DC), unsigned int (*input_filter_init)(TSRMLS_D));
	114
	115	SAPI_API int sapi_flush(TSRMLS_D);
	116	SAPI_API struct stat *sapi_get_stat(TSRMLS_D);
f9fed404	117	@@ -259,6 +259,7 @@ struct _sapi_module_struct {
614e82b5 ER	118	int phpinfo_as_text;
	119
	120	char *ini_entries;
	121	+ unsigned int (*input_filter_init)(TSRMLS_D);
	122	};
	123
	124
f9fed404 AM	125	diff -urNp -x '*.orig' php-5.2.17.org/main/php_content_types.c php-5.2.17/main/php_content_types.c
	126	--- php-5.2.17.org/main/php_content_types.c 2010-01-03 10:23:27.000000000 +0100
	127	+++ php-5.2.17/main/php_content_types.c 2021-10-23 19:13:27.149791720 +0200
	128	@@ -75,7 +75,7 @@ int php_startup_sapi_content_types(TSRML
614e82b5 ER	129	{
	130	sapi_register_default_post_reader(php_default_post_reader);
	131	sapi_register_treat_data(php_default_treat_data);
	132	- sapi_register_input_filter(php_default_input_filter);
	133	+ sapi_register_input_filter(php_default_input_filter, NULL);
	134	return SUCCESS;
	135	}
	136	/* }}} */