head 1.2; access; symbols pkgsrc-2026Q1:1.2.0.12 pkgsrc-2026Q1-base:1.2 pkgsrc-2025Q4:1.2.0.10 pkgsrc-2025Q4-base:1.2 pkgsrc-2025Q3:1.2.0.8 pkgsrc-2025Q3-base:1.2 pkgsrc-2025Q2:1.2.0.6 pkgsrc-2025Q2-base:1.2 pkgsrc-2025Q1:1.2.0.4 pkgsrc-2025Q1-base:1.2 pkgsrc-2024Q4:1.2.0.2 pkgsrc-2024Q4-base:1.2 pkgsrc-2024Q3:1.1.0.52 pkgsrc-2024Q3-base:1.1 pkgsrc-2024Q2:1.1.0.50 pkgsrc-2024Q2-base:1.1 pkgsrc-2024Q1:1.1.0.48 pkgsrc-2024Q1-base:1.1 pkgsrc-2023Q4:1.1.0.46 pkgsrc-2023Q4-base:1.1 pkgsrc-2023Q3:1.1.0.44 pkgsrc-2023Q3-base:1.1 pkgsrc-2023Q2:1.1.0.42 pkgsrc-2023Q2-base:1.1 pkgsrc-2023Q1:1.1.0.40 pkgsrc-2023Q1-base:1.1 pkgsrc-2022Q4:1.1.0.38 pkgsrc-2022Q4-base:1.1 pkgsrc-2022Q3:1.1.0.36 pkgsrc-2022Q3-base:1.1 pkgsrc-2022Q2:1.1.0.34 pkgsrc-2022Q2-base:1.1 pkgsrc-2022Q1:1.1.0.32 pkgsrc-2022Q1-base:1.1 pkgsrc-2021Q4:1.1.0.30 pkgsrc-2021Q4-base:1.1 pkgsrc-2021Q3:1.1.0.28 pkgsrc-2021Q3-base:1.1 pkgsrc-2021Q2:1.1.0.26 pkgsrc-2021Q2-base:1.1 pkgsrc-2021Q1:1.1.0.24 pkgsrc-2021Q1-base:1.1 pkgsrc-2020Q4:1.1.0.22 pkgsrc-2020Q4-base:1.1 pkgsrc-2020Q3:1.1.0.20 pkgsrc-2020Q3-base:1.1 pkgsrc-2020Q2:1.1.0.18 pkgsrc-2020Q2-base:1.1 pkgsrc-2020Q1:1.1.0.14 pkgsrc-2020Q1-base:1.1 pkgsrc-2019Q4:1.1.0.16 pkgsrc-2019Q4-base:1.1 pkgsrc-2019Q3:1.1.0.12 pkgsrc-2019Q3-base:1.1 pkgsrc-2019Q2:1.1.0.10 pkgsrc-2019Q2-base:1.1 pkgsrc-2019Q1:1.1.0.8 pkgsrc-2019Q1-base:1.1 pkgsrc-2018Q4:1.1.0.6 pkgsrc-2018Q4-base:1.1 pkgsrc-2018Q3:1.1.0.4 pkgsrc-2018Q3-base:1.1 pkgsrc-2018Q2:1.1.0.2; locks; strict; comment @# @; 1.2 date 2024.12.01.16.11.56; author taca; state Exp; branches; next 1.1; commitid zGtkiisbXubODOzF; 1.1 date 2018.07.18.07.33.12; author manu; state Exp; branches 1.1.2.1; next ; commitid WWXqWIXyjZzNAAKA; 1.1.2.1 date 2018.07.18.07.33.12; author bsiegert; state dead; branches; next 1.1.2.2; commitid 7KtGiQX7CIsBZuOA; 1.1.2.2 date 2018.08.17.17.39.36; author bsiegert; state Exp; branches; next ; commitid 7KtGiQX7CIsBZuOA; desc @@ 1.2 log @lang/php56: fix build problem * Switch to using 
autoconf269 instead of manually patch configure. * Make php-embed PHP_OPTIONS noop excep lang/php56 package. Bump PKGREVISION. @ text @$NetBSD: patch-disable-filter-url,v 1.1 2018/07/18 07:33:12 manu Exp $ Add build-time disable option for dangerous php://filter URL php://filter URL is a feature documented here: http://php.net/manual/en/wrappers.php.php Unfortunately, it allows remote control of include() behavior beyond what many developpers expected, enabling easy dump of PHP source files. The administrator may want to disable the feature for security sake, and this patch makes that possible. --- ext/standard/php_fopen_wrapper.c.orig 2019-01-09 09:54:13.000000000 +0000 +++ ext/standard/php_fopen_wrapper.c @@@@ -334,6 +334,7 @@@@ php_stream * php_stream_url_wrap_php(php "[%d]: %s", fildes_ori, errno, strerror(errno)); return NULL; } +#ifndef DISABLE_FILTER_URL } else if (!strncasecmp(path, "filter/", 7)) { /* Save time/memory when chain isn't specified */ if (strchr(mode, 'r') || strchr(mode, '+')) { @@@@ -370,6 +371,7 @@@@ php_stream * php_stream_url_wrap_php(php efree(pathdup); return stream; +#endif /* !DISABLE_FILTER_URL */ } else { /* invalid php://thingy */ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid php:// URL specified"); @ 1.1 log @Add pkgsrc build option disable-filter-url to disable php://filter URL php://filter URL is a feature documented here: http://php.net/manual/en/wrappers.php.php Unfortunately, it allows remote control of include() behavior beyond what many developpers expected, enabling easy dump of PHP source files. The administrator may want to disable the feature for security sake, and this option makes that possible. 
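Review bot: The `#ifndef DISABLE_FILTER_URL` guard added in front of the `filter/` branch has no comment saying where the macro comes from, and nothing in this patch defines it, so it is presumably injected by the package's disable-filter-url build option. A short comment above the guard would make that explicit, for example `/* pkgsrc-local: defined by the disable-filter-url option; php://filter then falls through to the invalid-URL branch */`. The patch header should also say that the switch only removes the php://filter route. An include() on a caller-influenced path is still an application defect, so path validation and settings such as `allow_url_include` and `open_basedir` remain necessary. php_stream_url_wrap_php starts and ends outside the hunk, and the same hunk is stored again in the 1.1.2.2 revision text.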
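Review bot: With DISABLE_FILTER_URL defined, a php://filter request reaches the `else` branch right after the added `#endif` and is reported as `Invalid php:// URL specified`, which does not tell an administrator that the wrapper was compiled out deliberately. An `#else` arm that keeps the `filter/` prefix test but only emits a distinct warning and returns NULL would let blocked attempts be recognised in logs, e.g. `php_error_docref(NULL TSRMLS_CC, E_WARNING, "php://filter is disabled in this build");`. The function body continues outside the hunk, so check there whether anything needs releasing before that early return.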
@ text @d1 1 a1 1 $NetBSD$ d13 3 a15 4 --- ./ext/standard/php_fopen_wrapper.c.orig +++ ./ext/standard/php_fopen_wrapper.c @@@@ -333,8 +333,9 @@@@ "Error duping file descriptor %ld; possibly it doesn't exist: " d23 1 a23 3 mode_rw |= PHP_STREAM_FILTER_READ; @@@@ -369,8 +370,9 @@@@ } a30 1 return NULL; @ 1.1.2.1 log @file patch-disable-filter-url was added on branch pkgsrc-2018Q2 on 2018-08-17 17:39:36 +0000 @ text @d1 34 @ 1.1.2.2 log @Pullup ticket #5800 - requested by taca lang/php56: security fix Revisions pulled up: - lang/php/phpversion.mk 1.225 - lang/php56/Makefile.php 1.5 - lang/php56/distinfo 1.49-1.50 - lang/php56/patches/patch-disable-filter-url 1.1 --- Module Name: pkgsrc Committed By: manu Date: Wed Jul 18 07:33:12 UTC 2018 Modified Files: pkgsrc/lang/php56: Makefile.php distinfo pkgsrc/lang/php70: Makefile.php distinfo pkgsrc/lang/php71: Makefile.php distinfo pkgsrc/lang/php72: Makefile.php distinfo Added Files: pkgsrc/lang/php56/patches: patch-disable-filter-url pkgsrc/lang/php70/patches: patch-disable-filter-url pkgsrc/lang/php71/patches: patch-disable-filter-url pkgsrc/lang/php72/patches: patch-disable-filter-url Log Message: Add pkgsrc build option disable-filter-url to disable php://filter URL php://filter URL is a feature documented here: http://php.net/manual/en/wrappers.php.php Unfortunately, it allows remote control of include() behavior beyond what many developpers expected, enabling easy dump of PHP source files. The administrator may want to disable the feature for security sake, and this option makes that possible. --- Module Name: pkgsrc Committed By: taca Date: Fri Jul 20 13:28:48 UTC 2018 Modified Files: pkgsrc/lang/php: phpversion.mk pkgsrc/lang/php56: distinfo Log Message: lang/php56: update to 5.6.37 19 Jul 2018, PHP 5.6.37 - Exif: . Fixed bug #76423 (Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c). (Stas) . Fixed bug #76557 (heap-buffer-overflow (READ of size 48) while reading exif data). (Stas) - Win32: . 
Fixed bug #76459 (windows linkinfo lacks openbasedir check). (Anatol) @ text @a0 34 $NetBSD: patch-disable-filter-url,v 1.1 2018/07/18 07:33:12 manu Exp $ Add build-time disable option for dangerous php://filter URL php://filter URL is a feature documented here: http://php.net/manual/en/wrappers.php.php Unfortunately, it allows remote control of include() behavior beyond what many developpers expected, enabling easy dump of PHP source files. The administrator may want to disable the feature for security sake, and this patch makes that possible. --- ./ext/standard/php_fopen_wrapper.c.orig +++ ./ext/standard/php_fopen_wrapper.c @@@@ -333,8 +333,9 @@@@ "Error duping file descriptor %ld; possibly it doesn't exist: " "[%d]: %s", fildes_ori, errno, strerror(errno)); return NULL; } +#ifndef DISABLE_FILTER_URL } else if (!strncasecmp(path, "filter/", 7)) { /* Save time/memory when chain isn't specified */ if (strchr(mode, 'r') || strchr(mode, '+')) { mode_rw |= PHP_STREAM_FILTER_READ; @@@@ -369,8 +370,9 @@@@ } efree(pathdup); return stream; +#endif /* !DISABLE_FILTER_URL */ } else { /* invalid php://thingy */ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid php:// URL specified"); return NULL; @