~ubuntu-branches/ubuntu/gutsy/php5/gutsy


Viewing changes to main/SAPI.c

  • Committer: Bazaar Package Importer
  • Author(s): Martin Pitt, CVE-2007-0905, CVE-2007-0906, CVE-2007-0909, CVE-2007-0910
  • Date: 2007-02-20 17:54:46 UTC
  • mfrom: (1.1.6 upstream)
  • Revision ID: james.westby@ubuntu.com-20070220175446-nudqyuv0dfowel3r
Tags: 5.2.1-0ubuntu1
* New upstream security/bugfix release:
  - safe_mode & open_basedir bypasses inside the session extension
    [CVE-2007-0905]
  - multiple buffer overflows in various extensions and functions
    [CVE-2007-0906]
  - underflow in the internal sapi_header_op() function [CVE-2007-0907]
  - information disclosure in the wddx extension [CVE-2007-0908]
  - string format vulnerability in *print() functions on 64 bit systems
    [CVE-2007-0909]
  - possible clobbering of super-globals in several code paths
    [CVE-2007-0910]
* Adapted patches to new upstream release:
  - 006-debian_quirks.patch
  - 034-apache2_umask_fix.patch
  - 044-strtod_arm_fix.patch
* Drop 109-libdb4.4.patch: Obsolete, upstream now checks for db 4.5 and 4.4.
* Drop 114-zend_alloc.c_m68k_alignment.patch and
  115-zend_alloc.c_memleak.patch: Applied upstream.
* Add debian/patches/000upstream-str_ireplace_offbyone.patch:
  - Fix off-by-one in str_ireplace(), a regression introduced in 5.2.1.
  - Patch taken from upstream CVS:
    http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.630&r2=1.631
  - CVE-2007-0911
* debian/control: Set Ubuntu maintainer.

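--- a/main/SAPI.c
+++ b/main/SAPI.c
@@ -2,7 +2,7 @@
    +----------------------------------------------------------------------+
    | PHP Version 5                                                        |
    +----------------------------------------------------------------------+
-   | Copyright (c) 1997-2006 The PHP Group                                |
+   | Copyright (c) 1997-2007 The PHP Group                                |
    +----------------------------------------------------------------------+
    | This source file is subject to version 3.01 of the PHP license,      |
    | that is bundled with this package in the file LICENSE, and is        |
@@ -18,7 +18,7 @@
    +----------------------------------------------------------------------+
 */
 
-/* $Id: SAPI.c,v 1.202.2.7.2.2 2006/09/19 20:33:11 dmitry Exp $ */
+/* $Id: SAPI.c,v 1.202.2.7.2.7 2007/01/01 09:36:10 sebastian Exp $ */
 
 #include <ctype.h>
 #include <sys/stat.h>
@@ -540,32 +540,32 @@
         }
 
         switch (op) {
-        case SAPI_HEADER_SET_STATUS:
-                sapi_update_response_code((long) arg TSRMLS_CC);
-                return SUCCESS;
-
-        case SAPI_HEADER_REPLACE:
-        case SAPI_HEADER_ADD: {
-                sapi_header_line *p = arg;
-                
-                if (!p->line || !p->line_len) {
+                case SAPI_HEADER_SET_STATUS:
+                        sapi_update_response_code((long) arg TSRMLS_CC);
+                        return SUCCESS;
+
+                case SAPI_HEADER_REPLACE:
+                case SAPI_HEADER_ADD: {
+                                sapi_header_line *p = arg;
+
+                                if (!p->line || !p->line_len) {
+                                        return FAILURE;
+                                }
+                                header_line = p->line;
+                                header_line_len = p->line_len;
+                                http_response_code = p->response_code;
+                                replace = (op == SAPI_HEADER_REPLACE);
+                                break;
+                        }
+
+                default:
                         return FAILURE;
-                }
-                header_line = p->line;
-                header_line_len = p->line_len;
-                http_response_code = p->response_code;
-                replace = (op == SAPI_HEADER_REPLACE);
-                break;
-                }
-        
-        default:
-                return FAILURE;
         }
 
         header_line = estrndup(header_line, header_line_len);
 
         /* cut of trailing spaces, linefeeds and carriage-returns */
-        while(isspace(header_line[header_line_len-1])) 
+        while(header_line_len && isspace(header_line[header_line_len-1])) 
                   header_line[--header_line_len]='\0';
         
         /* new line safety check */
@@ -631,7 +631,9 @@
                                         SG(sapi_headers).http_response_code > 307) &&
                                         SG(sapi_headers).http_response_code != 201) {
                                         /* Return a Found Redirect if one is not already specified */
-                                        if(SG(request_info).proto_num > 1000 && 
+                                        if (http_response_code) { /* user specified redirect code */
+                                                sapi_update_response_code(http_response_code TSRMLS_CC);
+                                        } else if (SG(request_info).proto_num > 1000 && 
                                            SG(request_info).request_method && 
                                            strcmp(SG(request_info).request_method, "HEAD") &&
                                            strcmp(SG(request_info).request_method, "GET")) {
@@ -918,13 +920,15 @@
 {
         if (sapi_module.getenv) { 
                 char *value, *tmp = sapi_module.getenv(name, name_len TSRMLS_CC);
-                if(tmp) value = estrdup(tmp); 
-                else return NULL;
+                if (tmp) {
+                        value = estrdup(tmp);
+                } else {
+                        return NULL;
+                }
                 sapi_module.input_filter(PARSE_ENV, name, &value, strlen(value), NULL TSRMLS_CC);
                 return value;
-        } else {
-                return NULL; 
-        }   
+        }
+        return NULL;
 }
 
 SAPI_API int sapi_get_fd(int *fd TSRMLS_DC)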
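Review bot: The trailing-whitespace loop in sapi_header_op() still passes a plain `char` to isspace(), which is undefined for negative values where char is signed, so a header byte of 0x80 or above can index outside the ctype table; cast the byte, `while(header_line_len && isspace((unsigned char)header_line[header_line_len-1]))`. The added `header_line_len &&` guard stops the index from dropping below zero for an all-whitespace line, which appears to be the sapi_header_op() underflow the changelog lists as CVE-2007-0907. After the loop header_line_len can be 0, and the code under the "new line safety check" comment lies outside the visible hunk, so it is worth confirming that an empty header is rejected there rather than parsed. In the sapi_getenv() hunk, `sapi_module.input_filter` is called without the kind of NULL check applied to `sapi_module.getenv`, and its return value is ignored; whether a filter is always registered cannot be told from these lines.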