/web/diff/CVE-2012-0807/function.patch
- commit 73b1968ee30f6d9d2dae497544b910e68e114bfa
- Author: Stefan Esser <stefan@nopiracy.de>
- Date: Sat Jan 14 09:44:17 2012 +0100
- Fixed stack based buffer overflow in transparent cookie encryption (see separate advisory)
- diff --git a/Changelog b/Changelog
- index 6c18103..8c2a8a4 100644
- --- a/Changelog
- +++ b/Changelog
- @@ -1,257 +1,258 @@
- 2012-01-11 - 0.9.33-dev
-
- + - Fixed stack based buffer overflow in transparent cookie encryption (see separate advisory)
- - Fixed that disabling HTTP response splitting protection also disabled NUL byte protection in HTTP headers
- - Removed crypt() support - because not used for PHP >= 5.3.0 anyway
-
- 2010-07-23 - 0.9.32.1
-
- - Fixed missing header file resulting in compile errors
-
- 2010-07-23 - 0.9.32
-
- - Added support for memory_limit > 2GB
- - Fixed missing header file resulting in wrong php_combined_lcg() prototype being used
- - Improved random number seed generation more by adding /dev/urandom juice
-
- 2010-03-28 - 0.9.31
-
- - Fix ZTS build of session.c
- - Increased session identifier entropy by using /dev/urandom if available
-
- 2010-03-25 - 0.9.30
-
- - Added line ending characters %0a and %0d to the list of dangerous characters handled
- by suhosin.server.encode and suhosin.server.strip
- - Fixed crash bug with PHP 5.3.x and session module (due to changed session globals struct)
- - Added ! protection to PHP session serializer
- - Fixed simulation mode now also affects (dis)allowed functions
- - Fixed missing return (1); in random number generator replacements
- - Fixed random number generator replacement error case behaviour in PHP 5.3.x
- - Fixed error case handling in function_exists() PHP 5.3.x
- - Merged changes/fixes in import_request_variables()/extract() from upstream PHP
- - Fixed suhosin_header_handler to be PHP 5.3.x compatible
- - Merge fixes and new features of PHP's file upload code to suhosin
-
- 2009-08-15 - 0.9.29
-
- - Fixing crash bugs with PHP 5.3.0 caused by unexpected NULL in EG(active_symbol_table)
- - Added more compatible way to retrieve ext/session globals
- - Increased default length and count limit for POST variables (for people not reading docu)
-
- 2009-08-14 - 0.9.28
-
- - Fixed crash bug with PHP 5.2.10 caused by a change in extension load order of ext/session
- - Fixed harmless parameter order error in a bogus memset()
- - Disable suhosin.session.cryptua by default because of Internet Explorer 8 "features"
- - Added suhosin.executor.include.allow_writable_files which can be disabled to disallow
- inclusion of files writable by the webserver
-
- 2008-08-23 - 0.9.27
-
- - Fixed typo in replacement rand() / mt_rand() that was hidden by LAZY symbol loading
-
- 2008-08-22 - 0.9.26
-
- - Fixed problem with suhosin.perdir
- Thanks to Hosteurope for tracking this down
- - Fixed problems with ext/uploadprogress
- Reported by: Christian Stocker
- - Added suhosin.srand.ignore and suhosin.mt_srand.ignore (default: on)
- - Modified rand()/srand() to use the Mersenne Twister algorithm with separate state
- - Added better internal seeding of rand() and mt_rand()
-
- 2008-08-06 - 0.9.25
-
- - Fixed PHP 4 compilation problem introduced in 0.9.24
- - Fixed PHP 5.3 compilation problem
- - Changed PHP default POST handler to PHP's current handler
-
- 2008-05-10 - 0.9.24
-
- - Added support for method-calls to function handling
- - This fixes white- and blacklist affecting methods with the same name
-
- 2008-01-14 - 0.9.23
-
- - Fixed suhosin extension now compiles with snapshots of PHP 5.3
- - Fixed crypt() behaves like normal again when there is no salt supplied
-
- 2007-12-01 - 0.9.22
-
- - Removed LFS warning message because it crashed on several systems
-
- 2007-11-30 - 0.9.21
-
- - Fixed function_exists() now checks the Suhosin permissions
- - Fixed crypt() salt no longer uses Blowfish by default
- - Fixed .htaccess/perdir support
- - Fixed compilation problem on OS/X
- - Added protection against some attacks through _SERVER variables
- - Added suhosin.server.strip and suhosin.server.encode
- - Added error message that warns about the LFS binary incompatibility
-
- 2007-05-19 - 0.9.20
-
- - Added protection flags against whitespace at variable start
- - Added mutex around crypt() to close the PHP crypt()
- thread safety vulnerability class
- - Improved HTTP Response Splitting Protection
- - Changed default maximum array depth to 50 for GPCR
- - Fixed possible endless loop in file logging
- - Fixed file locking in file logging
-
- 2007-05-01 - 0.9.19
-
- - Fixed typo in HTTP header protection (only during simulation mode)
- Reported by: Ilia Alshanetsky
- - Fixed wrong \0 termination in cookie decryptor
- - Fixed possible crash in SERVER variables protection when SAPI=embedded
- Fix provided by: Olivier Blin/Mandriva Linux
- - Added possibility to en-/disable INI_PERDIR
- Problem reported by: Ilia Alshanetsky
- - Added PHP Warning when disabled function is called
- - Added examples for new configuration option in suhosin.ini
-
- 2007-03-06 - 0.9.18
-
- - Fixed session double hooking in edge case
- - Added additional crash protection for PHP's session module
-
- 2007-03-04 - 0.9.17
-
- - Added a suhosin.ini example configuration
- Thanks to Mandriva Linux for supplying us with one
- - Added new logging device: file
- - Fixed that suhosin.filter.action did not affect POST limits
- - Fixed behaviour of request variable limit to be an upper limit
- for the other settings instead of being additive limit
- - Fixed hard_memory_limit bypass due to casting bug in PHP
- Problem was found by: Ilia Alshanetsky
- - Fixed some sql prefix/postfix problems
- - Added experimental SQL injection heuristic
-
- 2006-12-02 - 0.9.16
-
- - Added suhosin.stealth which controls if suhosin loads in
- stealth mode when it is not the only zend_extension
- (Required for full compatibility with certain encoders
- that consider open source untrusted. e.g. ionCube, Zend)
- - Activate suhosin.stealth by default
- - Fixed that Suhosin tries handling functions disabled by
- disable_function. In v0.9.15 it was impossible to disable
- phpinfo() with disable_function.
- Problem was found by: Thorsten Schifferdecker
-
- 2006-11-28 - 0.9.15
-
- - Added a transparent protection for open phpinfo() pages by
- adding an HTML META ROBOTS tag to the output that forbids
- indexing and archiving
-
- 2006-11-22 - 0.9.14
-
- - Drop wrongly decrypted cookies instead of leaving them empty
- - Fix another problem with urlencoded cookie names
- - Fix compilation problem with PHP4
- - Added better regression to the release process to stop
- compilation and missing symbol problems
-
- 2006-11-20 - 0.9.13
-
- - More compatible support for ap_php_snprintf() for old PHP
- - Changed phpinfo() output to put suhosin logo into a data: URL
- for Opera and Gecko based browsers when expose_php=off
-
- 2006-11-14 - 0.9.12
-
- - Adding ap_php_snprintf() when compiling against PHP 4.3.9
- - Added suhosin.protectkey to remove cryptkeys from phpinfo() output
- - Disabled suhosin.cookie.encrypt in default install
- - Fixed static compilation against PHP 5.2.0
-
- 2006-11-06 - 0.9.11
-
- - Fixed input filter for simulation mode
-
- 2006-10-26 - 0.9.10
-
- - Fixed ZTS compile problem in new code
- - Fixed PHP4 compile problem in new code
-
- 2006-10-25 - 0.9.9
-
- - Fixed mail() protection that failed to detect some injected headers
- - Fixed cookie decryption to not potentially trash apache memory
- - Fixed cookie enctyption to handle url encoded names correctly
- - Added suhosin.cookie/session.checkraddr
- - Added suhosin.cookie.cryptlist
- - Added suhosin.cookie.plainlist
- - Added suhosin_encrypt_cookie function for JS
- - Added suhosin_get_raw_cookies function
- - Changed dropped variable error messages
-
- 2006-10-08 - 0.9.8
-
- - Fixed a PHP4 ZTS compile problem
-
- 2006-10-08 - 0.9.7
-
- - Moved input handler hooking to a later place to ensure better compatibility
- with 3rd party extensions
- - Fixed a problem with overlong mail headers in mail protection
- - Fixed a problem with empty log/verification script names
- - Fixed a PHP4 compile problem with old gcc/in ZTS mode
- - Added mbregex.h from PHP4 to solve compile problems on systesm with broken
- header installations
-
- 2006-10-02 - 0.9.6
-
- - Disallow symlink() when open_basedir (activated by default)
- - Fix a problem with compilation in Visual Studio
-
- 2006-09-29 - 0.9.5
-
- - Added missing logo file
- - Added suhosin.apc_bug_workaround flag to enable compatibility with buggy APC 3.0.12x
-
- 2006-09-29 - 0.9.4
-
- - Added version number and logo to phpinfo() output
- - Fixed that all uploaded files are dropped after a single one was disallowed
- - Added undocumented suhosin.coredump flag to tell suhosin to dump core instead
- of logging S_MEMORY events
- - Disable handling of rfc1867 mbstring decoding
-
- 2006-09-24 - 0.9.3
-
- - Added protection against endless recursion for suhosin.log.phpscript
- - Added possibility to disable open_basedir and safe_mode for suhosin.log.phpscript
- - Added suhosin.executor.include.max_traversal to stop directory traversal includes
-
- 2006-09-19 - 0.9.2
-
- - Fixes broken rfc1867 fileupload hook
- - Changed definition of binary to: 0..31, 128..255 except whitespace
- - Added suhosin.log.phpscript(.name) directive to log to a PHP script
-
- 2006-09-16 - 0.9.1
-
- - A bunch of changes to compile and work on Windows
-
- 2006-09-09 - BETA
-
- - Added decryption of HTTP_COOKIE
- - Fixed a last problem in suhosin_strcasestr() helper function
-
- 2006-09-08 - BETA
-
- - Fixed a problem within suhosin_strcasestr() because it broke
- URL checks
-
- 2006-09-07 - BETA
-
- - CVS version of PHP 5.2.0 was changed to support incasesensitive
- URLs, support for this in suhosin added
- - Fixed a problem when preg_replace() was called with more than
- 4 parameters
-
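--- a/header.c
+++ b/header.c
@@ -40,126 +40,91 @@ static int (*orig_header_handler)(sapi_header_struct *sapi_header, sapi_headers_
 
 char *suhosin_encrypt_single_cookie(char *name, int name_len, char *value, int value_len, char *key TSRMLS_DC)
 {
-char buffer[4096];
-char buffer2[4096];
-char *buf = buffer, *buf2 = buffer2, *d, *d_url;
-int l;
-
-if (name_len > sizeof(buffer)-2) {
-buf = estrndup(name, name_len);
-} else {
-memcpy(buf, name, name_len);
-buf[name_len] = 0;
-}
+char *buf, *buf2, *d, *d_url;
+int l;
+
+buf = estrndup(name, name_len);
+
 
 name_len = php_url_decode(buf, name_len);
-normalize_varname(buf);
-name_len = strlen(buf);
+normalize_varname(buf);
+name_len = strlen(buf);
 
 if (SUHOSIN_G(cookie_plainlist)) {
 if (zend_hash_exists(SUHOSIN_G(cookie_plainlist), buf, name_len+1)) {
 encrypt_return_plain:
-if (buf != buffer) {
-efree(buf);
-}
+efree(buf);
 return estrndup(value, value_len);
 }
 } else if (SUHOSIN_G(cookie_cryptlist)) {
 if (!zend_hash_exists(SUHOSIN_G(cookie_cryptlist), buf, name_len+1)) {
 goto encrypt_return_plain;
 }
 }
 
-if (strlen(value) <= sizeof(buffer2)-2) {
-memcpy(buf2, value, value_len);
-buf2[value_len] = 0;
-} else {
-buf2 = estrndup(value, value_len);
-}
+buf2 = estrndup(value, value_len);
 
 value_len = php_url_decode(buf2, value_len);
 
 d = suhosin_encrypt_string(buf2, value_len, buf, name_len, key TSRMLS_CC);
 d_url = php_url_encode(d, strlen(d), &l);
 efree(d);
-if (buf != buffer) {
-efree(buf);
-}
-if (buf2 != buffer2) {
-efree(buf2);
-}
+efree(buf);
+efree(buf2);
 return d_url;
 }
 
 char *suhosin_decrypt_single_cookie(char *name, int name_len, char *value, int value_len, char *key, char **where TSRMLS_DC)
 {
-char buffer[4096];
-char buffer2[4096];
 int o_name_len = name_len;
-char *buf = buffer, *buf2 = buffer2, *d, *d_url;
+char *buf, *buf2, *d, *d_url;
 int l;
 
-if (name_len > sizeof(buffer)-2) {
-buf = estrndup(name, name_len);
-} else {
-memcpy(buf, name, name_len);
-buf[name_len] = 0;
-}
-
+buf = estrndup(name, name_len);
+
 name_len = php_url_decode(buf, name_len);
-normalize_varname(buf);
-name_len = strlen(buf);
+normalize_varname(buf);
+name_len = strlen(buf);
 
 if (SUHOSIN_G(cookie_plainlist)) {
 if (zend_hash_exists(SUHOSIN_G(cookie_plainlist), buf, name_len+1)) {
 decrypt_return_plain:
-if (buf != buffer) {
-efree(buf);
-}
+efree(buf);
 memcpy(*where, name, o_name_len);
 *where += o_name_len;
 **where = '='; *where +=1;
 memcpy(*where, value, value_len);
 *where += value_len;
 return *where;
 }
 } else if (SUHOSIN_G(cookie_cryptlist)) {
 if (!zend_hash_exists(SUHOSIN_G(cookie_cryptlist), buf, name_len+1)) {
 goto decrypt_return_plain;
 }
 }
 
 
-if (strlen(value) <= sizeof(buffer2)-2) {
-memcpy(buf2, value, value_len);
-buf2[value_len] = 0;
-} else {
-buf2 = estrndup(value, value_len);
-}
+buf2 = estrndup(value, value_len);
 
 value_len = php_url_decode(buf2, value_len);
 
 d = suhosin_decrypt_string(buf2, value_len, buf, name_len, key, &l, SUHOSIN_G(cookie_checkraddr) TSRMLS_CC);
 if (d == NULL) {
 goto skip_cookie;
 }
 d_url = php_url_encode(d, l, &l);
 efree(d);
 memcpy(*where, name, o_name_len);
 *where += o_name_len;
 **where = '=';*where += 1;
 memcpy(*where, d_url, l);
 *where += l;
 efree(d_url);
 skip_cookie:
-if (buf != buffer) {
-efree(buf);
-}
-if (buf2 != buffer2) {
-efree(buf2);
-}
+efree(buf);
+efree(buf2);
 return *where;
 }
 
 /* {{{ suhosin_cookie_decryptor
 */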
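Review bot: The writes through `*where` in suhosin_decrypt_single_cookie (`memcpy(*where, name, o_name_len)`, then `memcpy(*where, value, value_len)` on the plain path and `memcpy(*where, d_url, l)` on the decrypt path) are still unbounded after this change, so the function is only safe when the caller has sized the destination for `o_name_len + 1 + max(value_len, l)` bytes with `l` the url-encoded length returned by php_url_encode; nothing in the hunk states that contract, and I would document it on the signature, e.g. `/* where: caller-supplied output buffer, must have room for o_name_len + 1 + max(value_len, url-encoded decrypted length) bytes; advanced past what was written */`. Since the fix is exactly that the stack fast path is gone, a one-line comment at each `buf = estrndup(name, name_len);` / `buf2 = estrndup(value, value_len);` site would stop someone reintroducing it: `/* always heap-copy: the former 4096-byte stack buffers compared strlen(value) against the buffer but copied value_len bytes (CVE-2012-0807) */`. The whitespace-only re-indent of `normalize_varname(buf);` and `name_len = strlen(buf);` in both functions adds noise to the diff and could be dropped from the commit.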