head 1.4; access; symbols OPENPKG_2_STABLE_MP:1.4 OPENPKG_E1_MP_HEAD:1.4 OPENPKG_E1_MP:1.4 OPENPKG_E1_MP_2_STABLE:1.4 OPENPKG_E1_FP:1.4 OPENPKG_2_STABLE_20061018:1.4 OPENPKG_2_STABLE:1.4.0.14 OPENPKG_2_STABLE_BP:1.4 OPENPKG_2_5_SOLID:1.4.0.12 OPENPKG_2_5_SOLID_BP:1.4 OPENPKG_2_4_RELEASE:1.4 OPENPKG_2_4_SOLID:1.4.0.10 OPENPKG_2_4_SOLID_BP:1.4 OPENPKG_2_3_RELEASE:1.4 OPENPKG_2_3_SOLID:1.4.0.8 OPENPKG_2_3_SOLID_BP:1.4 OPENPKG_2_2_RELEASE:1.4 OPENPKG_2_2_SOLID:1.4.0.6 OPENPKG_2_2_SOLID_BP:1.4 OPENPKG_2_1_RELEASE:1.4 OPENPKG_2_1_SOLID:1.4.0.4 OPENPKG_2_1_SOLID_BP:1.4 OPENPKG_2_0_RELEASE:1.4 OPENPKG_2_0_SOLID:1.4.0.2 OPENPKG_2_0_SOLID_BP:1.4 OPENPKG_1_1_SOLID:1.1.0.2; locks; strict; comment @# @; 1.4 date 2003.07.22.14.43.15; author rse; state dead; branches; next 1.3; 1.3 date 2003.07.01.11.57.34; author mlelstv; state Exp; branches; next 1.2; 1.2 date 2003.07.01.10.13.38; author mlelstv; state Exp; branches; next 1.1; 1.1 date 2003.01.22.12.22.27; author thl; state dead; branches 1.1.2.1; next ; 1.1.2.1 date 2003.01.22.12.22.27; author thl; state Exp; branches; next 1.1.2.2; 1.1.2.2 date 2003.07.07.13.49.01; author thl; state Exp; branches; next ; desc @@ 1.4 log @use canonical patch filenames only @ text @--- php-4.3.2/ext/oci8/config.m4.dist 2003-07-01 09:55:33.000000000 +0200 +++ php-4.3.2/ext/oci8/config.m4 2003-07-01 0:56:01.000000000 +0200 @@@@ -100,7 +100,6 @@@@ PHP_ADD_LIBRARY(clntsh, 1, OCI8_SHARED_LIBADD) PHP_ADD_LIBPATH($OCI8_DIR/lib, OCI8_SHARED_LIBADD) AC_DEFINE(HAVE_OCI8_ATTR_STATEMENT,1,[ ]) - AC_DEFINE(HAVE_OCI8_SHARED_MODE,1,[ ]) dnl These functions are only available in version >= 9.2 PHP_CHECK_LIBRARY(clntsh, OCIEnvNlsCreate, --- php-4.3.2/configure.dist 2003-07-01 13:52:41.000000000 +0200 +++ php-4.3.2/configure 2003-07-01 13:53:15.000000000 +0200 @@@@ -51349,10 +51349,6 @@@@ #define HAVE_OCI8_ATTR_STATEMENT 1 EOF - cat >> confdefs.h <<\EOF -#define HAVE_OCI8_SHARED_MODE 1 -EOF - save_old_LDFLAGS=$LDFLAGS @ 1.3 log @also patch vendor configure 
script, we don't run autoconf @ text @@ 1.2 log @php oci8 driver: don't use OCI_SHARED_MODE by default @ text @d11 13 @ 1.1 log @file php.patch was initially added on branch OPENPKG_1_1_SOLID. @ text @d1 10 @ 1.1.2.1 log @SA-2003.005-php; CAN-2002-1396 @ text @a0 105 --- php-4.2.2/ext/standard/string.c.orig Wed Jan 22 10:10:45 2003 +++ php-4.2.2/ext/standard/string.c Wed Jan 22 11:40:13 2003 @@@@ -616,7 +616,7 @@@@ { const char *text, *breakchar = "\n"; char *newtext; - int textlen, breakcharlen = 1, newtextlen; + int textlen, breakcharlen = 1, newtextlen, alloced, chk; long current = 0, laststart = 0, lastspace = 0; long linelength = 75; zend_bool docut = 0; @@@@ -642,38 +642,40 @@@@ for (current = 0; current < textlen; current++) { if (text[current] == breakchar[0]) { laststart = lastspace = current; - } - else if (text[current] == ' ') { + } else if (text[current] == ' ') { if (current - laststart >= linelength) { newtext[current] = breakchar[0]; laststart = current; } lastspace = current; - } - else if (current - laststart >= linelength - && laststart != lastspace) { + } else if (current - laststart >= linelength && laststart != lastspace) { newtext[lastspace] = breakchar[0]; laststart = lastspace; } } RETURN_STRINGL(newtext, textlen, 0); - } - else { + } else { /* Multiple character line break or forced cut */ if (linelength > 0) { - newtextlen = textlen + (textlen/linelength + 1) * breakcharlen + 1; - } - else { - newtextlen = textlen * (breakcharlen + 1) + 1; + chk = (int)(textlen/linelength + 1); + alloced = textlen + chk * breakcharlen + 1; + } else { + chk = textlen; + alloced = textlen * (breakcharlen + 1) + 1; } - newtext = emalloc(newtextlen); + newtext = emalloc(alloced); /* now keep track of the actual new text length */ newtextlen = 0; laststart = lastspace = 0; for (current = 0; current < textlen; current++) { + if (chk <= 0) { + alloced += (int) (((textlen - current + 1)/linelength + 1) * breakcharlen) + 1; + newtext = erealloc(newtext, alloced); 
+ chk = (int) ((textlen - current)/linelength) + 1; + } /* when we hit an existing break, copy to new buffer, and * fix up laststart and lastspace */ if (text[current] == breakchar[0] @@@@ -683,6 +685,7 @@@@ newtextlen += current-laststart+breakcharlen; current += breakcharlen - 1; laststart = lastspace = current + 1; + chk--; } /* if it is a space, check if it is at the line boundary, * copy and insert a break, or just keep track of it */ @@@@ -693,6 +696,7 @@@@ memcpy(newtext+newtextlen, breakchar, breakcharlen); newtextlen += breakcharlen; laststart = current + 1; + chk--; } lastspace = current; } @@@@ -706,6 +710,7 @@@@ memcpy(newtext+newtextlen, breakchar, breakcharlen); newtextlen += breakcharlen; laststart = lastspace = current; + chk--; } /* if the current word puts us over the linelength, copy * back up until the last space, insert a break, and move @@@@ -717,6 +722,7 @@@@ memcpy(newtext+newtextlen, breakchar, breakcharlen); newtextlen += breakcharlen; laststart = lastspace = lastspace + 1; + chk--; } } @@@@ -727,6 +733,8 @@@@ } newtext[newtextlen] = '\0'; + /* free unused memory */ + newtext = erealloc(newtext, newtextlen+1); RETURN_STRINGL(newtext, newtextlen, 0); } @ 1.1.2.2 log @SA-2003.032-php; CAN-2002-0985, CAN-2002-0986, CAN-2003-0442 @ text @a105 85 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0985 The mail function in PHP 4.x to 4.2.2 may allow remote attackers to bypass safe mode restrictions and modify command line arguments to the MTA (e.g. sendmail) in the 5th argument to mail(), altering MTA behavior and possibly executing commands. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0986 The mail function in PHP 4.x to 4.2.2 does not filter ASCII control characters from its arguments, which could allow remote attackers to modify mail message content, including mail headers, and possibly use PHP as a "spam proxy." 
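Review bot: In the ext/standard/string.c hunk at `@@ -642,38 +642,40 @@`, `alloced` and `chk` are plain `int`, and the sizes `textlen + chk * breakcharlen + 1` and `textlen * (breakcharlen + 1) + 1` are computed with no overflow check. A very long text or break string can therefore wrap the value handed to `emalloc`/`erealloc` while the later `memcpy` calls still copy the full data. I would reject oversized inputs before either size is computed, along the lines of `if (textlen > (INT_MAX - breakcharlen - 1) / (breakcharlen + 1)) { /* refuse */ }`. The regrow expression also divides by `linelength`, which the `else` branch allows to be zero or negative. Whether `chk <= 0` can be reached on that path is not obvious from the hunk, so it needs an explicit guard or a comment explaining why it cannot happen. The same `chk` accounting is continued by the `chk--` lines in the four following hunks, and the function starts and ends outside what is shown.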
diff -u -r1.48 -r1.48.2.3 --- php-4.2.2/ext/standard/mail.c 28 Feb 2002 08:26:46 -0000 1.48 +++ php-4.2.2/ext/standard/mail.c 24 Aug 2002 11:38:13 -0000 1.48.2.3 @@@@ -70,8 +70,12 @@@@ PHP_FUNCTION(mail) { char *to=NULL, *message=NULL, *headers=NULL, *subject=NULL, *extra_cmd=NULL; - int to_len,message_len,headers_len,subject_len,extra_cmd_len; + int to_len,message_len,headers_len,subject_len,extra_cmd_len,i; + if (PG(safe_mode) && (ZEND_NUM_ARGS() == 5)) { + php_error(E_WARNING, "%s(): SAFE MODE Restriction in effect. The fifth parameter is disabled in SAFE MODE.", get_active_function_name(TSRMLS_C)); + RETURN_FALSE; + } if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sss|ss", &to, &to_len, @@@@ -83,14 +87,28 @@@@ return; } - for(to_len--;to_len;to_len--) { - if(!isspace(to[to_len]))break; - to[to_len]='\0'; + if (to_len > 0) { + for(;to_len;to_len--) { + if(!isspace((unsigned char)to[to_len-1]))break; + to[to_len-1]='\0'; + } + for(i=0;to[i];i++) { + if (iscntrl((unsigned char)to[i])) { + to[i]=' '; + } + } } - for(subject_len--;subject_len;subject_len--) { - if(!isspace(subject[subject_len]))break; - subject[subject_len]='\0'; + if (subject_len > 0) { + for(;subject_len;subject_len--) { + if(!isspace((unsigned char)subject[subject_len-1]))break; + subject[subject_len-1]='\0'; + } + for(i=0;subject[i];i++) { + if (iscntrl((unsigned char)subject[i])) { + subject[i]=' '; + } + } } if(extra_cmd) http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0442 Cross-site scripting (XSS) vulnerability in the transparent SID support capability for PHP before 4.3.2 (session.use_trans_sid) allows remote attackers to insert arbitrary script via the PHPSESSID parameter. 
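Review bot: The new guard at the top of `PHP_FUNCTION(mail)` keys on `ZEND_NUM_ARGS() == 5` and applies only when `PG(safe_mode)` is set. With safe mode off, the fifth argument still reaches the `if(extra_cmd)` code that begins at the end of the next hunk and continues outside what is shown. A comment would make the scope explicit, e.g. `/* extra_cmd is appended to the MTA command line; refused entirely under safe mode */`. The path taken outside safe mode should be checked for shell escaping before the value reaches the MTA invocation.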
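Review bot: The control-character scrub in the `@@ -83,14 +87,28 @@` hunk covers `to` and `subject` only, so `headers` and `message` pass through untouched and header injection through the additional-headers argument stays the caller's responsibility. That is worth stating where the filtering happens, e.g. `/* headers is not filtered here: callers must strip CR/LF from untrusted values */`. The scan loops `for(i=0;to[i];i++)` stop at the first NUL, so if an argument can carry an embedded NUL the bytes after it are never examined. Bounding the loop by the trimmed length instead (`i < to_len`) would cover them. The two trim-and-scrub sequences differ only in the variable name, and a small `static` helper taking `(char *s, int len)` would remove the duplication.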
--- php-4.2.2/ext/session/session.c.orig +++ php-4.2.2/ext/session/session.c @@@@ -84,7 +84,9 @@@@ static void php_session_output_handler(char *output, uint output_len, char **handled_output, uint *handled_output_len, int mode TSRMLS_DC) { if ((PS(session_status) == php_session_active)) { - *handled_output = url_adapt_ext_ex(output, output_len, PS(session_name), PS(id), handled_output_len, (zend_bool) (mode&PHP_OUTPUT_HANDLER_END ? 1 : 0) TSRMLS_CC); + char *encoded = php_url_encode(PS(id), strlen(PS(id)), NULL); + *handled_output = url_adapt_ext_ex(output, output_len, PS(session_name), encoded, handled_output_len, (zend_bool) (mode&PHP_OUTPUT_HANDLER_END ? 1 : 0) TSRMLS_CC); + efree(encoded); } else { *handled_output = NULL; } @
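Review bot: The fix in `php_session_output_handler` encodes `PS(id)` only at the point where it is written into rewritten URLs, so any other place that emits the session id is outside this hunk and not covered by it. Checking the id's character set where it is accepted from the request would cover all of them, and it is worth confirming whether such a check exists elsewhere in session.c. `strlen(PS(id))` also assumes the id is non-NULL whenever `session_status` is `php_session_active`, which the hunk does not show. A comment such as `/* PS(id) can originate from the request (PHPSESSID); encode before embedding in URLs */` would record why the encode/free pair is there. The function's closing lines are outside the hunk.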