File php-5.3.5-CVE-2012-0807.patch of Package php5
https://github.com/stefanesser/suhosin/commit/73b1968ee30f6d9d2dae497544b910e68e114bfa
Index: ext/suhosin/header.c
===================================================================
--- ext/suhosin/header.c.orig
+++ ext/suhosin/header.c
@@ -3,7 +3,7 @@
| Suhosin Version 1 |
+----------------------------------------------------------------------+
| Copyright (c) 2006-2007 The Hardened-PHP Project |
- | Copyright (c) 2007-2010 SektionEins GmbH |
+ | Copyright (c) 2007-2012 SektionEins GmbH |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
@@ -40,28 +40,20 @@ static int (*orig_header_handler)(sapi_h
char *suhosin_encrypt_single_cookie(char *name, int name_len, char *value, int value_len, char *key TSRMLS_DC)
{
- char buffer[4096];
- char buffer2[4096];
- char *buf = buffer, *buf2 = buffer2, *d, *d_url;
- int l;
-
- if (name_len > sizeof(buffer)-2) {
- buf = estrndup(name, name_len);
- } else {
- memcpy(buf, name, name_len);
- buf[name_len] = 0;
- }
+ char *buf, *buf2, *d, *d_url;
+ int l;
+
+ buf = estrndup(name, name_len);
+
name_len = php_url_decode(buf, name_len);
- normalize_varname(buf);
- name_len = strlen(buf);
+ normalize_varname(buf);
+ name_len = strlen(buf);
if (SUHOSIN_G(cookie_plainlist)) {
if (zend_hash_exists(SUHOSIN_G(cookie_plainlist), buf, name_len+1)) {
encrypt_return_plain:
- if (buf != buffer) {
- efree(buf);
- }
+ efree(buf);
return estrndup(value, value_len);
}
} else if (SUHOSIN_G(cookie_cryptlist)) {
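Review bot: `buf = estrndup(name, name_len);` hands the signed `int name_len` straight to the allocator, and nothing visible in this hunk checks that the length is non-negative before the copy. The same holds for `buf2 = estrndup(value, value_len);` in both functions and for the second `estrndup(name, name_len)` in suhosin_decrypt_single_cookie. The callers are outside this patch, so their guarantee cannot be confirmed from here. I would state the precondition at the top of each function, e.g. `/* name_len and value_len must be non-negative byte counts for name and value */`, or enforce it with an explicit check there. The function body continues past the end of this hunk.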
@@ -70,52 +62,34 @@ encrypt_return_plain:
}
}
- if (strlen(value) <= sizeof(buffer2)-2) {
- memcpy(buf2, value, value_len);
- buf2[value_len] = 0;
- } else {
- buf2 = estrndup(value, value_len);
- }
+ buf2 = estrndup(value, value_len);
value_len = php_url_decode(buf2, value_len);
d = suhosin_encrypt_string(buf2, value_len, buf, name_len, key TSRMLS_CC);
d_url = php_url_encode(d, strlen(d), &l);
efree(d);
- if (buf != buffer) {
- efree(buf);
- }
- if (buf2 != buffer2) {
- efree(buf2);
- }
+ efree(buf);
+ efree(buf2);
return d_url;
}
char *suhosin_decrypt_single_cookie(char *name, int name_len, char *value, int value_len, char *key, char **where TSRMLS_DC)
{
- char buffer[4096];
- char buffer2[4096];
int o_name_len = name_len;
- char *buf = buffer, *buf2 = buffer2, *d, *d_url;
+ char *buf, *buf2, *d, *d_url;
int l;
- if (name_len > sizeof(buffer)-2) {
- buf = estrndup(name, name_len);
- } else {
- memcpy(buf, name, name_len);
- buf[name_len] = 0;
- }
-
+ buf = estrndup(name, name_len);
+
name_len = php_url_decode(buf, name_len);
- normalize_varname(buf);
- name_len = strlen(buf);
+ normalize_varname(buf);
+ name_len = strlen(buf);
if (SUHOSIN_G(cookie_plainlist)) {
if (zend_hash_exists(SUHOSIN_G(cookie_plainlist), buf, name_len+1)) {
decrypt_return_plain:
- if (buf != buffer) {
- efree(buf);
- }
+ efree(buf);
memcpy(*where, name, o_name_len);
*where += o_name_len;
**where = '='; *where +=1;
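Review bot: suhosin_encrypt_single_cookie has no comment telling the caller that it owns the result, although both exits return allocated memory: `return estrndup(value, value_len);` on the plain path and `return d_url;` after encryption. I would add `/* returns a newly allocated string; the caller must efree() it */` above the function. Next to `buf2 = estrndup(value, value_len);` I would also record why the stack buffers were removed. The removed code sized its check with `strlen(value)` but copied `value_len` bytes, so a short comment guards against that being reintroduced: `/* always heap-copy: value_len need not equal strlen(value) */`. The same comment fits the matching line in suhosin_decrypt_single_cookie, whose body starts in this hunk and ends outside it.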
@@ -130,12 +104,7 @@ decrypt_return_plain:
}
- if (strlen(value) <= sizeof(buffer2)-2) {
- memcpy(buf2, value, value_len);
- buf2[value_len] = 0;
- } else {
- buf2 = estrndup(value, value_len);
- }
+ buf2 = estrndup(value, value_len);
value_len = php_url_decode(buf2, value_len);
@@ -152,12 +121,8 @@ decrypt_return_plain:
*where += l;
efree(d_url);
skip_cookie:
- if (buf != buffer) {
- efree(buf);
- }
- if (buf2 != buffer2) {
- efree(buf2);
- }
+ efree(buf);
+ efree(buf2);
return *where;
}
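Review bot: `efree(buf2);` after `skip_cookie:` is now unconditional, while the new declaration `char *buf, *buf2, *d, *d_url;` leaves `buf2` uninitialized. Under the old code `buf2` started out pointing at `buffer2`, so a jump to the label before the value was copied skipped the free. Now every `goto skip_cookie` must come after `buf2 = estrndup(value, value_len);`. The jumps themselves are outside the visible hunks, so this needs confirming against the full function. A comment at the label would pin the invariant down: `/* reached only after buf and buf2 have been allocated */`.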
@@ -240,7 +205,7 @@ int suhosin_header_handler(sapi_header_s
}
#endif
- if (!SUHOSIN_G(allow_multiheader) && sapi_header && sapi_header->header) {
+ if (sapi_header && sapi_header->header) {
tmp = sapi_header->header;
@@ -256,6 +221,9 @@ int suhosin_header_handler(sapi_header_s
if (!SUHOSIN_G(simulation)) {
sapi_header->header_len = i;
}
+ }
+ if (SUHOSIN_G(allow_multiheader)) {
+ continue;
} else if ((tmp[0] == '\r' && (tmp[1] != '\n' || i == 0)) ||
(tmp[0] == '\n' && (i == sapi_header->header_len-1 || i == 0 || (tmp[1] != ' ' && tmp[1] != '\t')))) {
char *fname = get_active_function_name(TSRMLS_C);
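Review bot: The added `if (SUHOSIN_G(allow_multiheader)) { continue; } else if (...)` is hard to read, because the CR/LF test now hangs off a branch that only exists to skip it, and the loop-invariant flag is re-tested for every byte. Folding the flag into the existing condition keeps the chain flat: leave the original `} else if (` in place and start its condition with `!SUHOSIN_G(allow_multiheader) && (` followed by the unchanged newline test. That is equivalent only if nothing follows the if/else chain inside the loop body, which lies outside this hunk, as does the start of the loop. A one-line comment above the loop would also help, e.g. `/* NUL bytes are always rejected; allow_multiheader only relaxes the CR/LF check */`.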