The issue referenced here doesn't contain a reproducer, but I recently
received an email of a user with the exact same problem. I was able to
recreate the scenario locally using vsftpd and setting
`require_ssl_reuse=YES` in the vsftpd configuration.
It turns out that our session resumption code is broken. It only works a
single time: the first time a data connection opens. Subsequent data
connections fail to reuse the session. This is because on every data
connection a new session is negotiated, but the current code always
tries to reuse the (stale) session of the control connection.
To fix this, we use SSL_CTX_sess_set_new_cb() to setup a callback that
gets called every time a new session is negotiated. We take a strong
reference using SSL_get1_session() and store it in the ftpbuf_t struct.
Every time we open a data connection we'll take that session.
This works because every control connection has at most a single
associated data connection.
Also disable internal session caching storage to not fill the cache up
with useless sessions.
There is no phpt for this because PHP does not support enforcing SSL
session reuse.
It is however testable manually by setting up vsftpd and setting the
`require_ssl_reuse=YES` function from before.
Closes GH-12851.
If there are two users that can execute the script that caches a WSDL,
but the script is owned by a single user, then the caching code will
name the cached file with the file owner username and a hash of the uri.
When one of the two tries to rename the file created by the other
process, this does not work because it has no permission to do so.
This then leaves temporary files floating in the temp directory.
To fix the immediate problem, unlink the file after rename has failed.
On the long term, this has to be fixed by taking the username of the
process instead of the username of the file owner.
Closes GH-12841.
This has been the case at least since PHP 5.4. Thanks to Girgias for
pointing it out.
It appears that there are several global variables internal to mbstring
which can be queried via mb_get_info() and which could be NULL, but
at the very least, we know that "mbstring.http_input" is one of them.
* fix segfault in `ZEND_BIND_STATIC`
In case a `ZEND_BIND_STATIC` is being executed, while the current chunk is full,
the `zend_array_dup()` call will trigger a OOM in ZendMM which will crash, as
the opline might be a dangling pointer.
* add missing test
* `assert()`ing seems easier than trying to make the compiler to not optimize
* moved from function call to INI setting, so we can use this in other places as well
* make `assert()` work no NDEBUG builds
* document magic number
* fix segfault in `ZEND_FUNC_GET_ARGS`
In case a `ZEND_FUNC_GET_ARGS` is being executed, while the current chunk is
full, the `zend_new_array()` call will trigger a OOM in ZendMM which will crash,
as the opline might be a dangling pointer.
---------
Co-authored-by: Florian Engelhardt <florian@engelhardt.tc>
