MFB: Various security fixes

ext/curl/interface.c

@@ -1166,7 +1166,6 @@ static int _php_curl_setopt(php_curl *ch, long option, zval **zvalue, zval *retu
 		case CURLOPT_FTPLISTONLY:
 		case CURLOPT_FTPAPPEND:
 		case CURLOPT_NETRC:
-		case CURLOPT_FOLLOWLOCATION:
 		case CURLOPT_PUT:
 #if CURLOPT_MUTE != 0
 		 case CURLOPT_MUTE:
@@ -1217,6 +1216,16 @@ static int _php_curl_setopt(php_curl *ch, long option, zval **zvalue, zval *retu
 			convert_to_long_ex(zvalue);
 			error = curl_easy_setopt(ch->cp, option, Z_LVAL_PP(zvalue));
 			break;
+		case CURLOPT_FOLLOWLOCATION:
+			convert_to_long_ex(zvalue);
+			if (PG(open_basedir) && *PG(open_basedir)) {
+				if (Z_LVAL_PP(zvalue) != 0) {
+					php_error_docref(NULL TSRMLS_CC, E_WARNING, "CURLOPT_FOLLOWLOCATION cannot be activated when open_basedir is set");
+					RETURN_FALSE;
+				}
+			}
+			error = curl_easy_setopt(ch->cp, option, Z_LVAL_PP(zvalue));
+			break;
 		case CURLOPT_URL:
 		case CURLOPT_PROXY:
 		case CURLOPT_USERPWD:

ext/curl/streams.c

@@ -349,11 +349,19 @@ php_stream *php_curl_stream_opener(php_stream_wrapper *wrapper, char *filename,
 				}
 			}
 			if (mr > 1) {
-				curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1L);
+				if (PG(open_basedir) && *PG(open_basedir)) {
+					curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 0);
+				} else {
+					curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1);
+				}
 				curl_easy_setopt(curlstream->curl, CURLOPT_MAXREDIRS, mr);
 			}
 		} else {
-			curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1L);
+			if (PG(open_basedir) && *PG(open_basedir)) {
+				curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 0);
+			} else {
+				curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1);
+			}
 			curl_easy_setopt(curlstream->curl, CURLOPT_MAXREDIRS, 20L);
 		}
 	}

ext/standard/string.c

@@ -834,7 +834,8 @@ PHP_FUNCTION(wordwrap)
 {
 	const char *text, *breakchar = "\n";
 	char *newtext;
-	int textlen, breakcharlen = 1, newtextlen, alloced, chk;
+	int textlen, breakcharlen = 1, newtextlen, chk;
+	size_t alloced;
 	long current = 0, laststart = 0, lastspace = 0;
 	long linelength = 75;
 	zend_bool docut = 0;
@@ -6246,8 +6247,8 @@ PHP_FUNCTION(str_repeat)
 	zend_uchar	input_str_type;
 	long		mult;			/* Multiplier */
 	void		*result;		/* Resulting string */
-	int			result_len;		/* Length of the resulting string, in bytes */
+	size_t			result_len;		/* Length of the resulting string, in bytes */
-	int			result_chars;	/* Chars/UChars in resulting string */
+	size_t			result_chars;	/* Chars/UChars in resulting string */
 
 	if ( zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "tl", &input_str,
 							   &input_str_chars, &input_str_type, &mult) == FAILURE ) {
@@ -6273,23 +6274,12 @@ PHP_FUNCTION(str_repeat)
 	if ( input_str_type == IS_UNICODE ) {
 		input_str_len = UBYTES(input_str_chars);
 		result_len = UBYTES(result_chars);
-		if ( result_chars < 1 || result_chars > (2147483647/UBYTES(1)) ) {
+		result = (char *)safe_emalloc(UBYTES(input_str_chars), UBYTES(mult), UBYTES(1));
-			php_error_docref(NULL TSRMLS_CC, E_WARNING, "You may not create strings longer than %ld characters", 2147483647/UBYTES(1));
-			RETURN_FALSE;
-		}
 	} else {
 		input_str_len = input_str_chars;
 		result_len = result_chars;
-		if ( result_chars < 1 || result_chars > 2147483647 ) {
+		result = (char *)safe_emalloc(input_str_chars, mult, 1);
-			if ( input_str_type == IS_STRING ) {
-				php_error_docref(NULL TSRMLS_CC, E_WARNING, "You may not create strings longer than 2147483647 characters");
-			} else {
-				php_error_docref(NULL TSRMLS_CC, E_WARNING, "You may not create strings longer than 2147483647 bytes");
-			}
-			RETURN_FALSE;
-		}
 	}
-	result = emalloc(result_len);
 
 	/* Heavy optimization for situations where input string is 1 byte long */
 	if ( input_str_len == 1 ) {