author | ale <ale@FreeBSD.org> | 2006-10-16 09:30:58 +0000 |
---|---|---|
committer | ale <ale@FreeBSD.org> | 2006-10-16 09:30:58 +0000 |
commit | b8e6a8ac6f955d1a2ca3f21c517a0de67897b6ef (patch) | |
tree | ce726f126e5db262557c17b8ebd4c326b332d0d6 /lang/php53 | |
parent | d738d27d48f69016909b9b76d85be1cc2a311b3b (diff) | |
- fix open_basedir vulnerability in php4 and php5 [1]
- add an alert on safe_mode intrinsic insecurity and
suggest to install the suhosin extension
- enable the suhosin patch by default also in php4
Submitted by: Thomas Vogt <thomas@bsdunix.ch> [1]
Obtained from: PHP CVS [1]
Approved by: portmgr (clement)
Diffstat (limited to 'lang/php53')
-rw-r--r-- | lang/php53/Makefile | 2 | ||||
-rw-r--r-- | lang/php53/files/patch-ext_standard_dir.c | 20 | ||||
-rw-r--r-- | lang/php53/files/patch-main_php_open_temporary_file.c | 43 | ||||
-rw-r--r-- | lang/php53/files/patch-php.ini-dist | 18 | ||||
-rw-r--r-- | lang/php53/files/patch-php.ini-recommended | 18 |
5 files changed, 100 insertions, 1 deletions
diff --git a/lang/php53/Makefile b/lang/php53/Makefile
index e0d2013..90bd0d3 100644
--- a/lang/php53/Makefile
+++ b/lang/php53/Makefile
@@ -7,7 +7,7 @@
 PORTNAME= php5
 PORTVERSION= 5.1.6
-PORTREVISION?= 1
+PORTREVISION?= 2
 CATEGORIES?= lang devel www
 MASTER_SITES= ${MASTER_SITE_PHP:S,$,:release,} \
 http://downloads.php.net/ilia/:rc \
diff --git a/lang/php53/files/patch-ext_standard_dir.c b/lang/php53/files/patch-ext_standard_dir.c
new file mode 100644
index 0000000..58a6bcc
--- /dev/null
+++ b/lang/php53/files/patch-ext_standard_dir.c
@@ -0,0 +1,20 @@
+--- ext/standard/dir.c.orig Mon Oct 16 07:08:36 2006
++++ ext/standard/dir.c Mon Oct 16 07:08:40 2006
+@@ -16,7 +16,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: dir.c,v 1.147.2.3 2006/02/26 10:49:50 helly Exp $ */
++/* $Id: dir.c,v 1.147.2.3.2.1 2006/10/04 23:19:25 iliaa Exp $ */
+
+ /* {{{ includes/startup/misc */
+
+@@ -286,7 +286,7 @@
+ RETURN_FALSE;
+ }
+
+- if (PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) {
++ if ((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC)) {
+ RETURN_FALSE;
+ }
+ ret = VCWD_CHDIR(str);
diff --git a/lang/php53/files/patch-main_php_open_temporary_file.c b/lang/php53/files/patch-main_php_open_temporary_file.c
new file mode 100644
index 0000000..85f7c51a
--- /dev/null
+++ b/lang/php53/files/patch-main_php_open_temporary_file.c
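Review bot: In the `@@ -286,7 +286,7 @@` hunk of patch-ext_standard_dir.c, `php_check_open_basedir(str TSRMLS_CC)` validates the path string and `VCWD_CHDIR(str)` then resolves the same string a second time, so the restriction holds only if nothing on that path changes between the two calls. This change does not close that check-then-use gap, and it should at least be stated where the check sits, e.g. `/* open_basedir is checked on the path name; VCWD_CHDIR() resolves it again, so a path that changes in between is not covered */`. Operators should therefore keep treating open_basedir as a hardening layer rather than an isolation boundary, in line with the Safe Mode note this commit adds to php.ini. The enclosing function starts and ends outside the hunk, so whether `str` is normalised earlier cannot be seen from here.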
@@ -0,0 +1,43 @@
+--- main/php_open_temporary_file.c.orig Mon Oct 16 07:21:14 2006
++++ main/php_open_temporary_file.c Mon Oct 16 07:22:00 2006
+@@ -16,7 +16,7 @@
+ +----------------------------------------------------------------------+
+ */
+
+-/* $Id: php_open_temporary_file.c,v 1.34.2.2 2006/05/23 23:22:26 iliaa Exp $ */
++/* $Id: php_open_temporary_file.c,v 1.34.2.1.2.4 2006/10/13 01:11:30 iliaa Exp $ */
+
+ #include "php.h"
+
+@@ -206,6 +206,7 @@
+ PHPAPI int php_open_temporary_fd(const char *dir, const char *pfx, char **opened_path_p TSRMLS_DC)
+ {
+ int fd;
++ const char *temp_dir;
+
+ if (!pfx) {
+ pfx = "tmp.";
+@@ -214,11 +215,22 @@
+ *opened_path_p = NULL;
+ }
+
++ if (!dir || *dir == '\0') {
++def_tmp:
++ temp_dir = php_get_temporary_directory();
++
++ if (temp_dir && *temp_dir != '\0' && !php_check_open_basedir(temp_dir TSRMLS_CC)) {
++ return php_do_open_temporary_file(temp_dir, pfx, opened_path_p TSRMLS_CC);
++ } else {
++ return -1;
++ }
++ }
++
+ /* Try the directory given as parameter. */
+ fd = php_do_open_temporary_file(dir, pfx, opened_path_p TSRMLS_CC);
+ if (fd == -1) {
+ /* Use default temporary directory. */
+- fd = php_do_open_temporary_file(php_get_temporary_directory(), pfx, opened_path_p TSRMLS_CC);
++ goto def_tmp;
+ }
+ return fd;
+ }
diff --git a/lang/php53/files/patch-php.ini-dist b/lang/php53/files/patch-php.ini-dist
new file mode 100644
index 0000000..6d84f3a
--- /dev/null
+++ b/lang/php53/files/patch-php.ini-dist
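Review bot: In the `@@ -214,11 +215,22 @@` hunk of patch-main_php_open_temporary_file.c, `goto def_tmp` jumps backwards into the body of the `if (!dir || *dir == '\0')` block, which makes it hard to confirm that every fallback path goes through `php_check_open_basedir()`; the straight-line form sketched below keeps the same behaviour and is easier to audit. Only the default temporary directory is checked here: the caller-supplied `dir` reaches `php_do_open_temporary_file()` unchecked, presumably because callers are expected to have validated it, and a comment should say so. Callers that depended on the silent fallback now get -1 when the default directory lies outside open_basedir, so their error handling is worth confirming. Since the patch is taken from PHP CVS, the restructuring is best proposed upstream rather than carried locally.

```c
	/* … unchanged: pfx default and *opened_path_p reset … */

	fd = -1;
	if (dir && *dir != '\0') {
		/* Try the directory given as parameter; it is not checked against open_basedir here. */
		fd = php_do_open_temporary_file(dir, pfx, opened_path_p TSRMLS_CC);
	}
	if (fd == -1) {
		/* Fall back to the default temporary directory, but only inside open_basedir. */
		temp_dir = php_get_temporary_directory();
		if (temp_dir && *temp_dir != '\0' && !php_check_open_basedir(temp_dir TSRMLS_CC)) {
			fd = php_do_open_temporary_file(temp_dir, pfx, opened_path_p TSRMLS_CC);
		}
	}
	return fd;
```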
@@ -0,0 +1,18 @@
+--- php.ini-dist.orig Fri Dec 30 18:19:43 2005
++++ php.ini-dist Mon Oct 16 08:12:28 2006
+@@ -165,6 +165,15 @@
+
+ ; Safe Mode
+ ;
++; SECURITY NOTE: The FreeBSD Security Officer strongly recommend that
++; the PHP Safe Mode feature not be relied upon for security, since the
++; issues Safe Mode tries to handle cannot properly be handled in PHP
++; (primarily due to PHP's use of external libraries). While many bugs
++; in Safe Mode has been fixed it's very likely that more issues exist
++; which allows a user to bypass Safe Mode restrictions.
++; For increased security we always recommend to install the Suhosin
++; extension.
++;
+ safe_mode = Off
+
+ ; By default, Safe Mode does a UID compare check when
diff --git a/lang/php53/files/patch-php.ini-recommended b/lang/php53/files/patch-php.ini-recommended
new file mode 100644
index 0000000..7b648b1
--- /dev/null
+++ b/lang/php53/files/patch-php.ini-recommended
@@ -0,0 +1,18 @@
+--- php.ini-recommended.orig Fri Dec 30 18:19:43 2005
++++ php.ini-recommended Mon Oct 16 08:13:05 2006
+@@ -223,6 +223,15 @@
+ ;
+ ; Safe Mode
+ ;
++; SECURITY NOTE: The FreeBSD Security Officer strongly recommend that
++; the PHP Safe Mode feature not be relied upon for security, since the
++; issues Safe Mode tries to handle cannot properly be handled in PHP
++; (primarily due to PHP's use of external libraries). While many bugs
++; in Safe Mode has been fixed it's very likely that more issues exist
++; which allows a user to bypass Safe Mode restrictions.
++; For increased security we recommend to always install the Suhosin
++; extension.
++;
+ safe_mode = Off
+
+ ; By default, Safe Mode does a UID compare check when |