+++ /dev/null
-Cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP 5.1.2
-and 4.4.2 allows remote attackers to inject arbitrary web script or HTML
-via long array variables, including (1) a large number of dimensions or
-(2) long values, which prevents HTML tags from being removed.
-
-Patch pulled from cvs.php.net
-
---- php-5.1.2/ext/standard/info.c 2006/01/01 12:50:15 1.249.2.7
-+++ php-5.1.2/ext/standard/info.c 2006/03/30 19:58:18 1.249.2.9
-@@ -58,6 +58,21 @@
-
- PHPAPI extern char *php_ini_opened_path;
- PHPAPI extern char *php_ini_scanned_files;
-+
-+static int php_info_write_wrapper(const char *str, uint str_length)
-+{
-+ TSRMLS_FETCH();
-+
-+ int new_len, written;
-+ char *elem_esc = php_escape_html_entities((char *)str, str_length, &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
-+
-+ written = php_body_write(elem_esc, new_len TSRMLS_CC);
-+
-+ efree(elem_esc);
-+
-+ return written;
-+}
-+
-
- /* {{{ _display_module_info
- */
-@@ -135,30 +150,13 @@
- PUTS(" => ");
- }
- if (Z_TYPE_PP(tmp) == IS_ARRAY) {
-- zval *tmp3;
--
-- MAKE_STD_ZVAL(tmp3);
--
- if (!sapi_module.phpinfo_as_text) {
- PUTS("<pre>");
-- }
-- php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
--
-- zend_print_zval_r(*tmp, 0 TSRMLS_CC);
--
-- php_ob_get_buffer(tmp3 TSRMLS_CC);
-- php_end_ob_buffer(0, 0 TSRMLS_CC);
--
-- if (!sapi_module.phpinfo_as_text) {
-- elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
-- PUTS(elem_esc);
-- efree(elem_esc);
-+ zend_print_zval_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0);
- PUTS("</pre>");
- } else {
-- PUTS(Z_STRVAL_P(tmp3));
-+ zend_print_zval_r(*tmp, 0 TSRMLS_CC);
- }
-- zval_ptr_dtor(&tmp3);
--
- } else if (Z_TYPE_PP(tmp) != IS_STRING) {
- tmp2 = **tmp;
- zval_copy_ctor(&tmp2);
+++ /dev/null
-PHP before 5.1.3-RC1 might allow remote attackers to obtain portions of
-memory via crafted binary data sent to a script that processes user
-input in the html_entity_decode function and sends the encoded results
-back to the client, aka a "binary safety" issue. NOTE: this issue has
-been referred to as a "memory leak," but it is an information leak that
-discloses memory contents.
-
-Patch pulled from cvs.php.net
-
---- php-5.1.2/ext/standard/html.c 2006/01/01 12:50:14 1.111.2.1
-+++ php-5.1.2/ext/standard/html.c 2006/02/25 21:32:11 1.111.2.2
-@@ -884,7 +884,7 @@
- unsigned char replacement[15];
- int replacement_len;
-
-- ret = estrdup(old);
-+ ret = estrndup(old, oldlen);
- retlen = oldlen;
- if (!retlen) {
- goto empty_source;
+++ /dev/null
---- php-5.0.3/ext/msession/config.m4.orig 2003-02-12 19:34:20.000000000 +0100
-+++ php-5.0.3/ext/msession/config.m4 2004-12-26 16:35:35.520883760 +0100
-@@ -6,12 +6,12 @@
- [ --with-msession[=DIR] Include msession support])
-
- if test "$PHP_MSESSION" != "no"; then
-- if test -r $PHP_MSESSION/lib/libphoenix.a; then
-+ if test -r $PHP_MSESSION/lib/libphoenix.so -o -r $PHP_MSESSION/lib/libphoenix.a; then
- PHOENIX_DIR=$PHP_MSESSION
- else
- AC_MSG_CHECKING(for msession in default path)
- for i in /usr/local/phoenix /usr/local /usr; do
-- if test -r $i/lib/libphoenix.a; then
-+ if test -r $i/lib/libphoenix.so -o -r $i/lib/libphoenix.a; then
- PHOENIX_DIR=$i
- AC_MSG_RESULT(found in $i)
- fi
-@@ -25,12 +25,12 @@
-
-
- AC_DEFINE(HAVE_MSESSION, 1, [ ])
-- PHP_ADD_LIBRARY_WITH_PATH(phoenix, "$PHOENIX_DIR/lib", PHOENIX_LIB)
-+ PHP_ADD_LIBRARY_WITH_PATH(phoenix, "$PHOENIX_DIR/lib", MSESSION_SHARED_LIBADD)
- PHOENIX_INCLUDE="-I$PHOENIX_DIR"
-- PHP_SUBST(PHOENIX_LIB)
-+ PHP_SUBST(MSESSION_SHARED_LIBADD)
-
- PHP_REQUIRE_CXX
- PHP_NEW_EXTENSION(msession, msession.c, $ext_shared)
-- PHP_ADD_LIBRARY(stdc++)
-+ PHP_ADD_LIBRARY(stdc++,,MSESSION_SHARED_LIBADD)
- fi
-