function.patch | searchcode

/web/diff/CVE-2012-0807/function.patch

https://bitbucket.org/deonjo/vulnerablity_crawler
Patch | 420 lines | 330 code | 90 blank | 0 comment | 0 complexity | c1d909bec4c9160a068146e51ba90ea8 MD5 | raw file

commit 73b1968ee30f6d9d2dae497544b910e68e114bfa
Author: Stefan Esser <stefan@nopiracy.de>
Date:   Sat Jan 14 09:44:17 2012 +0100

    Fixed stack based buffer overflow in transparent cookie encryption (see separate advisory)

diff --git a/Changelog b/Changelog
index 6c18103..8c2a8a4 100644
--- a/Changelog
+++ b/Changelog
@@ -1,257 +1,258 @@
 2012-01-11 - 0.9.33-dev
 
+    - Fixed stack based buffer overflow in transparent cookie encryption (see separate advisory)
     - Fixed that disabling HTTP response splitting protection also disabled NUL byte protection in HTTP headers
     - Removed crypt() support - because not used for PHP >= 5.3.0 anyway
 
 2010-07-23 - 0.9.32.1
 
     - Fixed missing header file resulting in compile errors
 
 2010-07-23 - 0.9.32
 
     - Added support for memory_limit > 2GB
     - Fixed missing header file resulting in wrong php_combined_lcg() prototype being used
     - Improved random number seed generation more by adding /dev/urandom juice
 
 2010-03-28 - 0.9.31
 
     - Fix ZTS build of session.c
     - Increased session identifier entropy by using /dev/urandom if available
 
 2010-03-25 - 0.9.30
 
     - Added line ending characters %0a and %0d to the list of dangerous characters handled
       by suhosin.server.encode and suhosin.server.strip
     - Fixed crash bug with PHP 5.3.x and session module (due to changed session globals struct)
     - Added ! protection to PHP session serializer
     - Fixed simulation mode now also affects (dis)allowed functions
     - Fixed missing return (1); in random number generator replacements
     - Fixed random number generator replacement error case behaviour in PHP 5.3.x
     - Fixed error case handling in function_exists() PHP 5.3.x
     - Merged changes/fixes in import_request_variables()/extract() from upstream PHP
     - Fixed suhosin_header_handler to be PHP 5.3.x compatible
     - Merge fixes and new features of PHP's file upload code to suhosin
 
 2009-08-15 - 0.9.29
 
     - Fixing crash bugs with PHP 5.3.0 caused by unexpected NULL in EG(active_symbol_table)
     - Added more compatible way to retrieve ext/session globals
     - Increased default length and count limit for POST variables (for people not reading docu)
 
 2009-08-14 - 0.9.28
 
     - Fixed crash bug with PHP 5.2.10 caused by a change in extension load order of ext/session
     - Fixed harmless parameter order error in a bogus memset()
     - Disable suhosin.session.cryptua by default because of Internet Explorer 8 "features"
     - Added suhosin.executor.include.allow_writable_files which can be disabled to disallow 
       inclusion of files writable by the webserver
 
 2008-08-23 - 0.9.27
 
 	- Fixed typo in replacement rand() / mt_rand() that was hidden by LAZY symbol loading
 
 2008-08-22 - 0.9.26
 
 	- Fixed problem with suhosin.perdir
 	  Thanks to Hosteurope for tracking this down
 	- Fixed problems with ext/uploadprogress
 	  Reported by: Christian Stocker
 	- Added suhosin.srand.ignore and suhosin.mt_srand.ignore (default: on)
 	- Modified rand()/srand() to use the Mersenne Twister algorithm with separate state 
 	- Added better internal seeding of rand() and mt_rand()
 	
 2008-08-06 - 0.9.25
 
 	- Fixed PHP 4 compilation problem introduced in 0.9.24
 	- Fixed PHP 5.3 compilation problem
 	- Changed PHP default POST handler to PHP's current handler
 
 2008-05-10 - 0.9.24
 
     - Added support for method-calls to function handling
     - This fixes white- and blacklist affecting methods with the same name
 
 2008-01-14 - 0.9.23
 
     - Fixed suhosin extension now compiles with snapshots of PHP 5.3
     - Fixed crypt() behaves like normal again when there is no salt supplied
 
 2007-12-01 - 0.9.22
 
     - Removed LFS warning message because it crashed on several systems
 
 2007-11-30 - 0.9.21
 
     - Fixed function_exists() now checks the Suhosin permissions
     - Fixed crypt() salt no longer uses Blowfish by default
     - Fixed .htaccess/perdir support
     - Fixed compilation problem on OS/X
     - Added protection against some attacks through _SERVER variables
     - Added suhosin.server.strip and suhosin.server.encode
     - Added error message that warns about the LFS binary incompatibility
     
 2007-05-19 - 0.9.20
 
     - Added protection flags against whitespace at variable start
     - Added mutex around crypt() to close the PHP crypt() 
       thread safety vulnerability class
     - Improved HTTP Response Splitting Protection
     - Changed default maximum array depth to 50 for GPCR
     - Fixed possible endless loop in file logging
     - Fixed file locking in file logging
 
 2007-05-01 - 0.9.19
 
     - Fixed typo in HTTP header protection (only during simulation mode)
       Reported by: Ilia Alshanetsky
     - Fixed wrong \0 termination in cookie decryptor
     - Fixed possible crash in SERVER variables protection when SAPI=embedded
       Fix provided by: Olivier Blin/Mandriva Linux
     - Added possibility to en-/disable INI_PERDIR
       Problem reported by: Ilia Alshanetsky
     - Added PHP Warning when disabled function is called
     - Added examples for new configuration option in suhosin.ini
 
 2007-03-06 - 0.9.18
 
     - Fixed session double hooking in edge case
     - Added additional crash protection for PHP's session module
 
 2007-03-04 - 0.9.17
 
     - Added a suhosin.ini example configuration 
       Thanks to Mandriva Linux for supplying us with one
     - Added new logging device: file
     - Fixed that suhosin.filter.action did not affect POST limits
     - Fixed behaviour of request variable limit to be an upper limit
       for the other settings instead of being additive limit
     - Fixed hard_memory_limit bypass due to casting bug in PHP 
       Problem was found by: Ilia Alshanetsky
     - Fixed some sql prefix/postfix problems
     - Added experimental SQL injection heuristic
 
 2006-12-02 - 0.9.16
 
     - Added suhosin.stealth which controls if suhosin loads in
       stealth mode when it is not the only zend_extension
       (Required for full compatibility with certain encoders 
        that consider open source untrusted. e.g. ionCube, Zend)
     - Activate suhosin.stealth by default
     - Fixed that Suhosin tries handling functions disabled by
       disable_function. In v0.9.15 it was impossible to disable
       phpinfo() with disable_function.
       Problem was found by: Thorsten Schifferdecker
     
 2006-11-28 - 0.9.15
 
     - Added a transparent protection for open phpinfo() pages by
       adding an HTML META ROBOTS tag to the output that forbids 
       indexing and archiving
 
 2006-11-22 - 0.9.14
 
     - Drop wrongly decrypted cookies instead of leaving them empty
     - Fix another problem with urlencoded cookie names
     - Fix compilation problem with PHP4
     - Added better regression to the release process to stop 
       compilation and missing symbol problems
 
 2006-11-20 - 0.9.13
 
     - More compatible support for ap_php_snprintf() for old PHP
     - Changed phpinfo() output to put suhosin logo into a data: URL
       for Opera and Gecko based browsers when expose_php=off
     
 2006-11-14 - 0.9.12
 
     - Adding ap_php_snprintf() when compiling against PHP 4.3.9
     - Added suhosin.protectkey to remove cryptkeys from phpinfo() output
     - Disabled suhosin.cookie.encrypt in default install
     - Fixed static compilation against PHP 5.2.0
 
 2006-11-06 - 0.9.11
     
     - Fixed input filter for simulation mode 
 
 2006-10-26 - 0.9.10
 
     - Fixed ZTS compile problem in new code
     - Fixed PHP4 compile problem in new code
 
 2006-10-25 - 0.9.9
 
     - Fixed mail() protection that failed to detect some injected headers
     - Fixed cookie decryption to not potentially trash apache memory
     - Fixed cookie enctyption to handle url encoded names correctly
     - Added suhosin.cookie/session.checkraddr
     - Added suhosin.cookie.cryptlist
     - Added suhosin.cookie.plainlist
     - Added suhosin_encrypt_cookie function for JS
     - Added suhosin_get_raw_cookies function
     - Changed dropped variable error messages
     
 2006-10-08 - 0.9.8
      
     - Fixed a PHP4 ZTS compile problem
 
 2006-10-08 - 0.9.7
 
     - Moved input handler hooking to a later place to ensure better compatibility
       with 3rd party extensions
     - Fixed a problem with overlong mail headers in mail protection
     - Fixed a problem with empty log/verification script names
     - Fixed a PHP4 compile problem with old gcc/in ZTS mode
     - Added mbregex.h from PHP4 to solve compile problems on systesm with broken
       header installations
 
 2006-10-02 - 0.9.6
 
     - Disallow symlink() when open_basedir (activated by default)
     - Fix a problem with compilation in Visual Studio
 
 2006-09-29 - 0.9.5
 
     - Added missing logo file
     - Added suhosin.apc_bug_workaround flag to enable compatibility with buggy APC 3.0.12x
 
 2006-09-29 - 0.9.4
 
     - Added version number and logo to phpinfo() output
     - Fixed that all uploaded files are dropped after a single one was disallowed
     - Added undocumented suhosin.coredump flag to tell suhosin to dump core instead
       of logging S_MEMORY events
     - Disable handling of rfc1867 mbstring decoding
 
 2006-09-24 - 0.9.3
 
     - Added protection against endless recursion for suhosin.log.phpscript
     - Added possibility to disable open_basedir and safe_mode for suhosin.log.phpscript
     - Added suhosin.executor.include.max_traversal to stop directory traversal includes
 
 2006-09-19 - 0.9.2
 
     - Fixes broken rfc1867 fileupload hook
     - Changed definition of binary to: 0..31, 128..255 except whitespace
     - Added suhosin.log.phpscript(.name) directive to log to a PHP script
 	
 2006-09-16 - 0.9.1
 
     - A bunch of changes to compile and work on Windows
 
 2006-09-09 - BETA
 
     - Added decryption of HTTP_COOKIE
     - Fixed a last problem in suhosin_strcasestr() helper function
 
 2006-09-08 - BETA
 
     - Fixed a problem within suhosin_strcasestr() because it broke 
       URL checks
 
 2006-09-07 - BETA
 
     - CVS version of PHP 5.2.0 was changed to support incasesensitive 
       URLs, support for this in suhosin added
     - Fixed a problem when preg_replace() was called with more than
       4 parameters
     
diff --git a/header.c b/header.c
index 368e085..74d4ad9 100644
--- a/header.c
+++ b/header.c
@@ -40,126 +40,91 @@ static int (*orig_header_handler)(sapi_header_struct *sapi_header, sapi_headers_
 
 char *suhosin_encrypt_single_cookie(char *name, int name_len, char *value, int value_len, char *key TSRMLS_DC)
 {
-	char buffer[4096];
-    char buffer2[4096];
-	char *buf = buffer, *buf2 = buffer2, *d, *d_url;
-    int l;
-
-	if (name_len > sizeof(buffer)-2) {
-		buf = estrndup(name, name_len);
-	} else {
-		memcpy(buf, name, name_len);
-		buf[name_len] = 0;
-	}
+	char *buf, *buf2, *d, *d_url;
+	int l;
+
+	buf = estrndup(name, name_len);
+	
 	
 	name_len = php_url_decode(buf, name_len);
-    normalize_varname(buf);
-    name_len = strlen(buf);
+	normalize_varname(buf);
+	name_len = strlen(buf);
 	
 	if (SUHOSIN_G(cookie_plainlist)) {
 		if (zend_hash_exists(SUHOSIN_G(cookie_plainlist), buf, name_len+1)) {
 encrypt_return_plain:
-			if (buf != buffer) {
-				efree(buf);
-			}
+			efree(buf);
 			return estrndup(value, value_len);
 		}
 	} else if (SUHOSIN_G(cookie_cryptlist)) {
 		if (!zend_hash_exists(SUHOSIN_G(cookie_cryptlist), buf, name_len+1)) {
 			goto encrypt_return_plain;
 		}
 	}
 	
-	if (strlen(value) <= sizeof(buffer2)-2) {
-		memcpy(buf2, value, value_len);
-		buf2[value_len] = 0;
-	} else {
-		buf2 = estrndup(value, value_len);
-	}
+	buf2 = estrndup(value, value_len);
 	
 	value_len = php_url_decode(buf2, value_len);
 	
 	d = suhosin_encrypt_string(buf2, value_len, buf, name_len, key TSRMLS_CC);
 	d_url = php_url_encode(d, strlen(d), &l);
 	efree(d);
-    if (buf != buffer) {
-		efree(buf);
-	}
-    if (buf2 != buffer2) {
-		efree(buf2);
-	}
+	efree(buf);
+	efree(buf2);
 	return d_url;
 }
 
 char *suhosin_decrypt_single_cookie(char *name, int name_len, char *value, int value_len, char *key, char **where TSRMLS_DC)
 {
-	char buffer[4096];
-    char buffer2[4096];
     int o_name_len = name_len;
-	char *buf = buffer, *buf2 = buffer2, *d, *d_url;
+	char *buf, *buf2, *d, *d_url;
 	int l;
 
-	if (name_len > sizeof(buffer)-2) {
-		buf = estrndup(name, name_len);
-	} else {
-		memcpy(buf, name, name_len);
-		buf[name_len] = 0;
-	}
-	
+	buf = estrndup(name, name_len);
+		
 	name_len = php_url_decode(buf, name_len);
-    normalize_varname(buf);
-    name_len = strlen(buf);
+	normalize_varname(buf);
+	name_len = strlen(buf);
 	
 	if (SUHOSIN_G(cookie_plainlist)) {
 		if (zend_hash_exists(SUHOSIN_G(cookie_plainlist), buf, name_len+1)) {
 decrypt_return_plain:
-			if (buf != buffer) {
-				efree(buf);
-			}
+			efree(buf);
             memcpy(*where, name, o_name_len);
             *where += o_name_len;
             **where = '='; *where +=1;
 	        memcpy(*where, value, value_len);
 	        *where += value_len;
 			return *where;
 		}
 	} else if (SUHOSIN_G(cookie_cryptlist)) {
 		if (!zend_hash_exists(SUHOSIN_G(cookie_cryptlist), buf, name_len+1)) {
 			goto decrypt_return_plain;
 		}
 	}
 	
 	
-	if (strlen(value) <= sizeof(buffer2)-2) {
-		memcpy(buf2, value, value_len);
-		buf2[value_len] = 0;
-	} else {
-		buf2 = estrndup(value, value_len);
-	}
+	buf2 = estrndup(value, value_len);
 	
 	value_len = php_url_decode(buf2, value_len);
 	
 	d = suhosin_decrypt_string(buf2, value_len, buf, name_len, key, &l, SUHOSIN_G(cookie_checkraddr) TSRMLS_CC);
     if (d == NULL) {
         goto skip_cookie;
     }
 	d_url = php_url_encode(d, l, &l);
 	efree(d);
     memcpy(*where, name, o_name_len);
     *where += o_name_len;
     **where = '=';*where += 1;
 	memcpy(*where, d_url, l);
 	*where += l;
 	efree(d_url);
 skip_cookie:
-	if (buf != buffer) {
-		efree(buf);
-	}
-	if (buf2 != buffer2) {
-		efree(buf2);
-	}
+	efree(buf);
+	efree(buf2);
 	return *where;
 }
 
 /* {{{ suhosin_cookie_decryptor
  */