From bc419fee5c9704eb4ce338acacbc2380c6f4427d Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Sat, 13 Feb 2016 15:17:51 +0100 Subject: [PATCH 1/6] FIx bug #71569 convert_to_string() may result in an interned string. --- NEWS | 3 +++ ext/pdo_mysql/mysql_driver.c | 26 +++++++++++++------------- ext/pdo_mysql/tests/bug71569.phpt | 23 +++++++++++++++++++++++ 3 files changed, 39 insertions(+), 13 deletions(-) create mode 100644 ext/pdo_mysql/tests/bug71569.phpt diff --git a/NEWS b/NEWS index a13c4b2d54f..e551a97e089 100644 --- a/NEWS +++ b/NEWS @@ -17,6 +17,9 @@ PHP NEWS . Fixed bug #62172 (FPM not working with Apache httpd 2.4 balancer/fcgi setup). (Matt Haught, Remi) +- PDO MySQL: + . Fixed bug #71569 (#70389 fix causes segmentation fault). (Nikita) + - Standard: . Fixed bug #70720 (strip_tags improper php code parsing). (Julien) diff --git a/ext/pdo_mysql/mysql_driver.c b/ext/pdo_mysql/mysql_driver.c index 003a0c33be2..e82fdf46db8 100644 --- a/ext/pdo_mysql/mysql_driver.c +++ b/ext/pdo_mysql/mysql_driver.c @@ -658,31 +658,31 @@ static int pdo_mysql_handle_factory(pdo_dbh_t *dbh, zval *driver_options TSRMLS_ init_cmd = pdo_attr_strval(driver_options, PDO_MYSQL_ATTR_INIT_COMMAND, NULL TSRMLS_CC); if (init_cmd) { if (mysql_options(H->server, MYSQL_INIT_COMMAND, (const char *)init_cmd)) { - efree(init_cmd); + str_efree(init_cmd); pdo_mysql_error(dbh); goto cleanup; } - efree(init_cmd); + str_efree(init_cmd); } #ifndef PDO_USE_MYSQLND default_file = pdo_attr_strval(driver_options, PDO_MYSQL_ATTR_READ_DEFAULT_FILE, NULL TSRMLS_CC); if (default_file) { if (mysql_options(H->server, MYSQL_READ_DEFAULT_FILE, (const char *)default_file)) { - efree(default_file); + str_efree(default_file); pdo_mysql_error(dbh); goto cleanup; } - efree(default_file); + str_efree(default_file); } default_group= pdo_attr_strval(driver_options, PDO_MYSQL_ATTR_READ_DEFAULT_GROUP, NULL TSRMLS_CC); if (default_group) { if (mysql_options(H->server, MYSQL_READ_DEFAULT_GROUP, (const char *)default_group)) { - efree(default_group); + str_efree(default_group); pdo_mysql_error(dbh); goto cleanup; } - efree(default_group); + str_efree(default_group); } #endif compress = pdo_attr_lval(driver_options, PDO_MYSQL_ATTR_COMPRESS, 0 TSRMLS_CC); @@ -702,19 +702,19 @@ static int pdo_mysql_handle_factory(pdo_dbh_t *dbh, zval *driver_options TSRMLS_ if (ssl_key || ssl_cert || ssl_ca || ssl_capath || ssl_cipher) { mysql_ssl_set(H->server, ssl_key, ssl_cert, ssl_ca, ssl_capath, ssl_cipher); if (ssl_key) { - efree(ssl_key); + str_efree(ssl_key); } if (ssl_cert) { - efree(ssl_cert); + str_efree(ssl_cert); } if (ssl_ca) { - efree(ssl_ca); + str_efree(ssl_ca); } if (ssl_capath) { - efree(ssl_capath); + str_efree(ssl_capath); } if (ssl_cipher) { - efree(ssl_cipher); + str_efree(ssl_cipher); } } @@ -724,10 +724,10 @@ static int pdo_mysql_handle_factory(pdo_dbh_t *dbh, zval *driver_options TSRMLS_ if (public_key) { if (mysql_options(H->server, MYSQL_SERVER_PUBLIC_KEY, public_key)) { pdo_mysql_error(dbh); - efree(public_key); + str_efree(public_key); goto cleanup; } - efree(public_key); + str_efree(public_key); } } #endif diff --git a/ext/pdo_mysql/tests/bug71569.phpt b/ext/pdo_mysql/tests/bug71569.phpt new file mode 100644 index 00000000000..3ace1e98bf9 --- /dev/null +++ b/ext/pdo_mysql/tests/bug71569.phpt @@ -0,0 +1,23 @@ +--TEST-- +Bug #70389 (PDO constructor changes unrelated variables) +--SKIPIF-- + +--FILE-- + null, + ]); +} catch (PDOException $e) { + echo $e->getMessage(); +} + +?> +--EXPECT-- +SQLSTATE[42000] [1065] Query was empty From adcdb4f7bab6a0c59fbcca108fac526d8ede70e6 Mon Sep 17 00:00:00 2001 From: Nikita Popov Date: Sat, 13 Feb 2016 17:46:24 +0100 Subject: [PATCH 2/6] Fix test description --- ext/pdo_mysql/tests/bug71569.phpt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/pdo_mysql/tests/bug71569.phpt b/ext/pdo_mysql/tests/bug71569.phpt index 3ace1e98bf9..32c14b4622d 100644 --- a/ext/pdo_mysql/tests/bug71569.phpt +++ b/ext/pdo_mysql/tests/bug71569.phpt @@ -1,5 +1,5 @@ --TEST-- -Bug #70389 (PDO constructor changes unrelated variables) +Bug #71569 (#70389 fix causes segmentation fault) --SKIPIF-- Date: Sat, 13 Feb 2016 17:47:30 +0100 Subject: [PATCH 3/6] Fix bounds check in strip_tags() --- ext/standard/string.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/standard/string.c b/ext/standard/string.c index bcfc3b61812..d5f83e7d0f4 100644 --- a/ext/standard/string.c +++ b/ext/standard/string.c @@ -4822,7 +4822,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow, * state == 2 (PHP). Switch back to HTML. */ - if (state == 2 && p > buf+2 && strncasecmp(p-4, " buf+4 && strncasecmp(p-4, " Date: Sat, 13 Feb 2016 18:01:50 +0100 Subject: [PATCH 4/6] Check length of string before comparing to :memory: --- ext/sqlite3/sqlite3.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c index f7f76cd3fb3..ce9472a7141 100644 --- a/ext/sqlite3/sqlite3.c +++ b/ext/sqlite3/sqlite3.c @@ -123,7 +123,8 @@ PHP_METHOD(sqlite3, open) if (strlen(filename) != filename_len) { return; } - if (memcmp(filename, ":memory:", sizeof(":memory:")) != 0) { + if (filename_len != sizeof(":memory:")-1 || + memcmp(filename, ":memory:", sizeof(":memory:")-1) != 0) { if (!(fullpath = expand_filepath(filename, NULL TSRMLS_CC))) { zend_throw_exception(zend_exception_get_default(TSRMLS_C), "Unable to expand filepath", 0 TSRMLS_CC); return; From ce4a2f0fc60309f429e4c04160a71befc283338a Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Sun, 14 Feb 2016 20:47:23 +0100 Subject: [PATCH 5/6] Fixed bug #71559 Built-in HTTP server, we can downlaod file in web by bug --- sapi/cli/php_cli_server.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/sapi/cli/php_cli_server.c b/sapi/cli/php_cli_server.c index f85d1265cf7..169c05b88e8 100644 --- a/sapi/cli/php_cli_server.c +++ b/sapi/cli/php_cli_server.c @@ -2058,6 +2058,19 @@ static int php_cli_server_begin_send_static(php_cli_server *server, php_cli_serv return php_cli_server_send_error_page(server, client, 400 TSRMLS_CC); } +#ifdef PHP_WIN32 + /* The win32 namespace will cut off trailing dots and spaces. Since the + VCWD functionality isn't used here, a sophisticated functionality + would have to be reimplemented to know ahead there are no files + with invalid names there. The simplest is just to forbid invalid + filenames, which is done here. */ + if (client->request.path_translated && + ('.' == client->request.path_translated[client->request.path_translated_len-1] || + ' ' == client->request.path_translated[client->request.path_translated_len-1])) { + return php_cli_server_send_error_page(server, client, 500); + } +#endif + fd = client->request.path_translated ? open(client->request.path_translated, O_RDONLY): -1; if (fd < 0) { return php_cli_server_send_error_page(server, client, 404 TSRMLS_CC); From aa10fc6092ab190751abafcf4b51713344aa583a Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Sun, 14 Feb 2016 20:52:47 +0100 Subject: [PATCH 6/6] update NEWS --- NEWS | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/NEWS b/NEWS index e551a97e089..a7760dac09b 100644 --- a/NEWS +++ b/NEWS @@ -6,6 +6,10 @@ PHP NEWS . Fixed bug #71523 (Copied handle with new option CURLOPT_HTTPHEADER crashes while curl_multi_exec). (Laruence) +- CLI server: + . Bug #71559 (Built-in HTTP server, we can download file in web by bug). + (Johannes, Anatol) + - Date: . Fixed bug #68078 (Datetime comparisons ignore microseconds). (Willem-Jan Zijderveld)