head	1.2;
access;
symbols
	pkgsrc-2013Q2:1.2.0.32
	pkgsrc-2013Q2-base:1.2
	pkgsrc-2012Q4:1.2.0.30
	pkgsrc-2012Q4-base:1.2
	pkgsrc-2011Q4:1.2.0.28
	pkgsrc-2011Q4-base:1.2
	pkgsrc-2011Q2:1.2.0.26
	pkgsrc-2011Q2-base:1.2
	pkgsrc-2009Q4:1.2.0.24
	pkgsrc-2009Q4-base:1.2
	pkgsrc-2008Q4:1.2.0.22
	pkgsrc-2008Q4-base:1.2
	pkgsrc-2008Q3:1.2.0.20
	pkgsrc-2008Q3-base:1.2
	cube-native-xorg:1.2.0.18
	cube-native-xorg-base:1.2
	pkgsrc-2008Q2:1.2.0.16
	pkgsrc-2008Q2-base:1.2
	pkgsrc-2008Q1:1.2.0.14
	pkgsrc-2008Q1-base:1.2
	pkgsrc-2007Q4:1.2.0.12
	pkgsrc-2007Q4-base:1.2
	pkgsrc-2007Q3:1.2.0.10
	pkgsrc-2007Q3-base:1.2
	pkgsrc-2007Q2:1.2.0.8
	pkgsrc-2007Q2-base:1.2
	pkgsrc-2007Q1:1.2.0.6
	pkgsrc-2007Q1-base:1.2
	pkgsrc-2006Q4:1.2.0.4
	pkgsrc-2006Q4-base:1.2
	pkgsrc-2006Q3:1.2.0.2
	pkgsrc-2006Q3-base:1.2
	pkgsrc-2006Q2:1.1.0.4
	pkgsrc-2006Q2-base:1.1
	pkgsrc-2006Q1:1.1.0.2;
locks; strict;
comment	@# @;


1.2
date	2006.08.10.23.01.39;	author adrianp;	state dead;
branches;
next	1.1;

1.1
date	2006.04.14.13.48.33;	author cube;	state Exp;
branches
	1.1.2.1
	1.1.4.1;
next	;

1.1.2.1
date	2006.04.14.13.48.33;	author salo;	state dead;
branches;
next	1.1.2.2;

1.1.2.2
date	2006.04.19.00.12.27;	author salo;	state Exp;
branches;
next	;

1.1.4.1
date	2006.08.16.07.17.41;	author salo;	state dead;
branches;
next	;


desc
@@


1.2
log
@Update to 4.4.3

All PHP 4.x users are encouraged to upgrade to this release as soon as possible.

The security issues resolved include the following:

* Disallow certain characters in session names.
* Fixed a buffer overflow inside the wordwrap() function.
* Prevent jumps to parent directory via the 2nd parameter of the tempnam()
  function.
* Improved safe_mode check for the error_log() function.
* Fixed cross-site scripting inside the phpinfo() function.

The release also includes about 20 bug fixes and an upgraded PCRE library
(version 6.6).

For a full list of changes in PHP 4.4.3, see the ChangeLog:
http://www.php.net/ChangeLog-4.php#4.4.3

This also contains a fix for CVE-2006-4020 (SA21403)
@
text
@$NetBSD: patch-ar,v 1.1 2006/04/14 13:48:33 cube Exp $

--- ext/standard/info.c.orig	2006-01-01 14:46:57.000000000 +0100
+++ ext/standard/info.c
@@@@ -58,6 +58,23 @@@@ ZEND_EXTERN_MODULE_GLOBALS(iconv)
 
 PHPAPI extern char *php_ini_opened_path;
 PHPAPI extern char *php_ini_scanned_files;
+	
+static int php_info_write_wrapper(const char *str, uint str_length)
+{
+	int new_len, written;
+	char *elem_esc;
+
+	TSRMLS_FETCH();
+
+	elem_esc = php_escape_html_entities((char *)str, str_length, &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
+
+	written = php_body_write(elem_esc, new_len TSRMLS_CC);
+
+	efree(elem_esc);
+
+	return written;
+}
+
 
 /* {{{ _display_module_info
  */
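Review bot: php_info_write_wrapper has no comment explaining why it exists, yet it is what makes the HTML branch of php_print_gpcse_array safe: each chunk the printer emits goes through php_escape_html_entities with ENT_QUOTES before php_body_write. I would add above the definition `/* Write callback for phpinfo() HTML output: entity-escapes every chunk (ENT_QUOTES) before it is written to the body, so array contents cannot inject markup. */`. Two details are worth confirming: the function returns the byte count of the escaped buffer rather than `str_length`, which matters only if a caller of the write callback compares the result with the length it passed; and the charset hint is `NULL`, so escaping follows whatever charset php_escape_html_entities selects by default. The same hunk is repeated verbatim in the 1.1.2.2 delta further down.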
@@@@ -133,23 +150,12 @@@@ static void php_print_gpcse_array(char *
 				PUTS(" => ");
 			}
 			if (Z_TYPE_PP(tmp) == IS_ARRAY) {
-				zval *tmp3;
-				MAKE_STD_ZVAL(tmp3);
 				if (!sapi_module.phpinfo_as_text) {
 					PUTS("<pre>");
-				}
-				php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
-				zend_print_zval_r(*tmp, 0);
-				php_ob_get_buffer(tmp3 TSRMLS_CC);
-				php_end_ob_buffer(0, 0 TSRMLS_CC);
-				
-				elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
-				PUTS(elem_esc);
-				efree(elem_esc);
-				zval_ptr_dtor(&tmp3);
-
-				if (!sapi_module.phpinfo_as_text) {
+ 					zend_print_zval_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0);
 					PUTS("</pre>");
+				} else {
+ 					zend_print_zval_r(*tmp, 0 TSRMLS_CC);
 				}
 			} else if (Z_TYPE_PP(tmp) != IS_STRING) {
 				tmp2 = **tmp;
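Review bot: The HTML branch calls `zend_print_zval_ex`, while the text branch and the removed code both call `zend_print_zval_r`; unless zend_print_zval_ex also recurses into arrays, HTML-mode phpinfo() would stop showing array contents. If the recursive variant exists in this Zend version, I would expect `zend_print_zval_r_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0);` here. The else branch also adds `TSRMLS_CC` to a call the removed line made as `zend_print_zval_r(*tmp, 0);`, and the `zend_print_zval_ex` call just above passes none, so a thread-safe build would fail if the function takes no TSRMLS parameter. The explicit `(zend_write_func_t)` cast hides any signature mismatch with the wrapper from the compiler; passing `php_info_write_wrapper` without the cast would let it be checked. php_print_gpcse_array starts and ends outside this hunk, and the same hunk is repeated in the 1.1.2.2 delta further down.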
@


1.1
log
@The actual patches for PHP4/5.
@
text
@d1 1
a1 1
$NetBSD$
@


1.1.2.1
log
@file patch-ar was added on branch pkgsrc-2006Q1 on 2006-04-14 13:48:33 +0000
@
text
@d1 55
@


1.1.2.2
log
@Pullup ticket 1406 - requested by cube
security fixes for php

Revisions pulled up:
- pkgsrc/lang/php5/Makefile			1.29
- pkgsrc/lang/php5/Makefile.php			1.18
- pkgsrc/lang/php5/distinfo			1.15
- pkgsrc/lang/php5/patches/patch-ap		1.1
- pkgsrc/lang/php5/patches/patch-aq		1.1
- pkgsrc/lang/php5/patches/patch-ar		1.1
- pkgsrc/www/php4/Makefile			1.63
- pkgsrc/www/php4/distinfo			1.52
- pkgsrc/www/php4/patches/patch-aq		1.1
- pkgsrc/www/php4/patches/patch-ar		1.1
- pkgsrc/www/php4/patches/patch-as		1.1
- pkgsrc/www/ap-php/Makefile			1.9

   Module Name:		pkgsrc
   Committed By:	cube
   Date:		Fri Apr 14 13:47:30 UTC 2006

   Modified Files:
   	pkgsrc/lang/php5: Makefile Makefile.php distinfo
   	pkgsrc/www/ap-php: Makefile
   	pkgsrc/www/php4: Makefile distinfo

   Log Message:
   PHP4/5 security changes...  They're not critical issues;  secunia classes
   them between "not critical" and "less critical".

   Fix CVE-2006-0996, CVE-2006-1494, CVE-2006-1608, CVE-2006-1490.

   See:
       http://secunia.com/advisories/19383/
       http://secunia.com/advisories/19599/

   Patches were extracted from CVS.  I had to translate the one for
   CVE-2006-1608 on php4 because it has not made its way to the php4.4 branch
   (I don't know why;  I can confirm it fixes the issue).

   While here, add PATCHDIR to the list of variables php5's Makefile.php
   defines.  That way, ap-php gets patched too...
---
   Module Name:		pkgsrc
   Committed By:	cube
   Date:		Fri Apr 14 13:48:33 UTC 2006

   Added Files:
   	pkgsrc/lang/php5/patches: patch-ap patch-aq patch-ar
   	pkgsrc/www/php4/patches: patch-aq patch-ar patch-as

   Log Message:
   The actual patches for PHP4/5.
@
text
@a0 55
$NetBSD: patch-ar,v 1.1.2.1 2006/04/19 00:12:27 salo Exp $

--- ext/standard/info.c.orig	2006-01-01 14:46:57.000000000 +0100
+++ ext/standard/info.c
@@@@ -58,6 +58,23 @@@@ ZEND_EXTERN_MODULE_GLOBALS(iconv)
 
 PHPAPI extern char *php_ini_opened_path;
 PHPAPI extern char *php_ini_scanned_files;
+	
+static int php_info_write_wrapper(const char *str, uint str_length)
+{
+	int new_len, written;
+	char *elem_esc;
+
+	TSRMLS_FETCH();
+
+	elem_esc = php_escape_html_entities((char *)str, str_length, &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
+
+	written = php_body_write(elem_esc, new_len TSRMLS_CC);
+
+	efree(elem_esc);
+
+	return written;
+}
+
 
 /* {{{ _display_module_info
  */
@@@@ -133,23 +150,12 @@@@ static void php_print_gpcse_array(char *
 				PUTS(" => ");
 			}
 			if (Z_TYPE_PP(tmp) == IS_ARRAY) {
-				zval *tmp3;
-				MAKE_STD_ZVAL(tmp3);
 				if (!sapi_module.phpinfo_as_text) {
 					PUTS("<pre>");
-				}
-				php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
-				zend_print_zval_r(*tmp, 0);
-				php_ob_get_buffer(tmp3 TSRMLS_CC);
-				php_end_ob_buffer(0, 0 TSRMLS_CC);
-				
-				elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
-				PUTS(elem_esc);
-				efree(elem_esc);
-				zval_ptr_dtor(&tmp3);
-
-				if (!sapi_module.phpinfo_as_text) {
+ 					zend_print_zval_ex((zend_write_func_t) php_info_write_wrapper, *tmp, 0);
 					PUTS("</pre>");
+				} else {
+ 					zend_print_zval_r(*tmp, 0 TSRMLS_CC);
 				}
 			} else if (Z_TYPE_PP(tmp) != IS_STRING) {
 				tmp2 = **tmp;
@


1.1.4.1
log
@Pullup ticket 1790 - requested by adrianp
security update for php4

Revisions pulled up:
- pkgsrc/www/php4/Makefile			1.70
- pkgsrc/www/php4/Makefile.common		1.53
- pkgsrc/www/php4/distinfo			1.56
- pkgsrc/www/php4/files/pear.sh			1.3
- pkgsrc/www/php4/patches/patch-ao		1.3
- pkgsrc/www/php4/patches/patch-aq		removed
- pkgsrc/www/php4/patches/patch-ar		removed
- pkgsrc/www/php4/patches/patch-as		removed
- pkgsrc/www/php4/patches/patch-au		removed
- pkgsrc/www/php4/patches/patch-av		removed
- pkgsrc/www/php4/patches/patch-aw		1.1

   Module Name:		pkgsrc
   Committed By:	adrianp
   Date:		Thu Aug 10 23:01:40 UTC 2006

   Modified Files:
   	pkgsrc/www/php4: Makefile Makefile.common distinfo
   	pkgsrc/www/php4/files: pear.sh
   	pkgsrc/www/php4/patches: patch-ao
   Added Files:
   	pkgsrc/www/php4/patches: patch-aw
   Removed Files:
   	pkgsrc/www/php4/patches: patch-aq patch-ar patch-as patch-au patch-av

   Log Message:
   Update to 4.4.3

   All PHP 4.x users are encouraged to upgrade to this release as soon as possible.

   The security issues resolved include the following:

   * Disallow certain characters in session names.
   * Fixed a buffer overflow inside the wordwrap() function.
   * Prevent jumps to parent directory via the 2nd parameter of the tempnam()
     function.
   * Improved safe_mode check for the error_log() function.
   * Fixed cross-site scripting inside the phpinfo() function.

   The release also includes about 20 bug fixes and an upgraded PCRE library
   (version 6.6).

   For a full list of changes in PHP 4.4.3, see the ChangeLog:
   http://www.php.net/ChangeLog-4.php#4.4.3

   This also contains a fix for CVE-2006-4020 (SA21403)
@
text
@d1 1
a1 1
$NetBSD: patch-ar,v 1.1 2006/04/14 13:48:33 cube Exp $
@
