author | Craig Mohrman <craig.mohrman@oracle.com> |
Mon, 20 Jul 2015 09:11:32 -0700 | |
branch | s11u2-sru |
changeset 4673 | 7ca7277ea064 |
permissions | -rw-r--r-- |
4673
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
1 |
Community BUG: |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
2 |
https://bugs.php.net/bug.php?id=69364 |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
3 |
Patch from another source: |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
4 |
https://github.com/80vul/phpcodz/blob/master/research/cve-2015-4024.patch.diff |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
5 |
|
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
6 |
|
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
7 |
### fix CVE-2015-4024 patch for PHP 5.2/5.3 series @chtg |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
8 |
|
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
9 |
--- php-5.3.29/main/rfc1867.c_orig |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
10 |
+++ php-5.3.29/main/rfc1867.c |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
11 |
@@ -464,6 +464,8 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
12 |
char *line; |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
13 |
mime_header_entry prev_entry, entry; |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
14 |
int prev_len, cur_len; |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
15 |
+ int newlines = 0; |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
16 |
+ long upload_max_newlines = 100; |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
17 |
|
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
18 |
/* didn't find boundary, abort */ |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
19 |
if (!find_boundary(self, self->boundary TSRMLS_CC)) { |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
20 |
@@ -489,6 +491,7 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
21 |
|
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
22 |
entry.value = estrdup(value); |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
23 |
entry.key = estrdup(key); |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
24 |
+ newlines = 0; |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
25 |
|
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
26 |
} else if (zend_llist_count(header)) { /* If no ':' on the line, add to previous line */ |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
27 |
|
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
28 |
@@ -501,6 +504,10 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
29 |
entry.value[cur_len + prev_len] = '\0'; |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
30 |
|
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
31 |
entry.key = estrdup(prev_entry.key); |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
32 |
+ newlines++; |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
33 |
+ if (newlines > upload_max_newlines) { |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
34 |
+ return 0; |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
35 |
+ } |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
36 |
|
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
37 |
zend_llist_remove_tail(header); |
7ca7277ea064
20803826 problem in UTILITY/PHP
Craig Mohrman <craig.mohrman@oracle.com>
parents:
diff
changeset
|
38 |
} else { |