php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-24 08:12:21 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'PHP-5.5' into PHP-5.6

Browse Source 
* PHP-5.5:
  Fix bug #69646	OS command injection vulnerability in escapeshellarg
  Fix #69719 - more checks for nulls in paths
  fix test description
  Fixed Buf #68812 Unchecked return value.
This commit is contained in:
Stanislav Malyshev
2015-06-09 15:32:27 -07:00
parent 8574290d9b 4e2fb47092
commit 8b1919ed73
3 changed files with 31 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
ext/dom/document.c
View File

@@ -1700,7 +1700,7 @@ PHP_FUNCTION(dom_document_save)
char *file;
long options = 0;
if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os|l", &id, dom_document_class_entry, &file, &file_len, &options) == FAILURE) {
if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op|l", &id, dom_document_class_entry, &file, &file_len, &options) == FAILURE) {
return;
}
@@ -1930,7 +1930,7 @@ static void _dom_document_schema_validate(INTERNAL_FUNCTION_PARAMETERS, int type
int is_valid;
char resolved_path[MAXPATHLEN + 1];
if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op|l", &id, dom_document_class_entry, &source, &source_len, &flags) == FAILURE) {
if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os|l", &id, dom_document_class_entry, &source, &source_len, &flags) == FAILURE) {
return;
}
@@ -1943,6 +1943,10 @@ static void _dom_document_schema_validate(INTERNAL_FUNCTION_PARAMETERS, int type
switch (type) {
case DOM_LOAD_FILE:
if (CHECK_NULL_PATH(source, source_len)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid Schema file source");
RETURN_FALSE;
}
valid_file = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC);
if (!valid_file) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid Schema file source");
@@ -2026,7 +2030,7 @@ static void _dom_document_relaxNG_validate(INTERNAL_FUNCTION_PARAMETERS, int typ
int is_valid;
char resolved_path[MAXPATHLEN + 1];
if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op", &id, dom_document_class_entry, &source, &source_len) == FAILURE) {
if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os", &id, dom_document_class_entry, &source, &source_len) == FAILURE) {
return;
}
@@ -2039,6 +2043,10 @@ static void _dom_document_relaxNG_validate(INTERNAL_FUNCTION_PARAMETERS, int typ
switch (type) {
case DOM_LOAD_FILE:
if (CHECK_NULL_PATH(source, source_len)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid RelaxNG file source");
RETURN_FALSE;
}
valid_file = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC);
if (!valid_file) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid RelaxNG file source");
@@ -2119,7 +2127,7 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */
id = getThis();
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &source, &source_len, &options) == FAILURE) {
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &source, &source_len, &options) == FAILURE) {
return;
}
@@ -2129,6 +2137,10 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */
}
if (mode == DOM_LOAD_FILE) {
if (CHECK_NULL_PATH(source, source_len)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid file source");
RETURN_FALSE;
}
ctxt = htmlCreateFileParserCtxt(source, NULL);
} else {
source_len = xmlStrlen(source);
@@ -2217,7 +2229,7 @@ PHP_FUNCTION(dom_document_save_html_file)
char *file;
const char *encoding;
if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os", &id, dom_document_class_entry, &file, &file_len) == FAILURE) {
if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op", &id, dom_document_class_entry, &file, &file_len) == FAILURE) {
return;
}

12
ext/gd/gd.c
View File

@@ -1750,7 +1750,7 @@ PHP_FUNCTION(imagefilledarc)
long cx, cy, w, h, ST, E, col, style;
gdImagePtr im;
int e, st;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rllllllll", &IM, &cx, &cy, &w, &h, &ST, &E, &col, &style) == FAILURE) {
return;
}
@@ -1991,7 +1991,7 @@ PHP_FUNCTION(imagegrabwindow)
if ( handle == 0 ) {
goto clean;
}
pPrintWindow = (tPrintWindow) GetProcAddress(handle, "PrintWindow");
pPrintWindow = (tPrintWindow) GetProcAddress(handle, "PrintWindow");
if ( pPrintWindow ) {
pPrintWindow(window, memDC, (UINT) client_area);
@@ -3860,7 +3860,7 @@ static void php_imagettftext_common(INTERNAL_FUNCTION_PARAMETERS, int mode, int
if (zend_hash_get_current_data_ex(HASH_OF(EXT), (void **) &item, &pos) == FAILURE) {
continue;
}
if (strcmp("linespacing", key) == 0) {
convert_to_double_ex(item);
strex.flags |= gdFTEX_LINESPACE;
@@ -3939,7 +3939,7 @@ PHP_FUNCTION(imagepsloadfont)
struct stat st;
#endif
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_len) == FAILURE) {
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_len) == FAILURE) {
return;
}
@@ -4279,11 +4279,11 @@ PHP_FUNCTION(imagepsbbox)
if (argc != 3 && argc != 6) {
ZEND_WRONG_PARAM_COUNT();
}
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "srl|lld", &str, &str_len, &fnt, &sz, &sp, &wd, &angle) == FAILURE) {
return;
}
if (argc == 6) {
space = sp;
add_width = wd;

8
ext/standard/exec.c
View File

@@ -380,6 +380,14 @@ PHPAPI char *php_escape_shell_arg(char *str)
}
}
#ifdef PHP_WIN32
if (y > 0 && '\\' == cmd[y - 1]) {
int k = 0, n = y - 1;
for (; n >= 0 && '\\' == cmd[n]; n--, k++);
if (k % 2) {
cmd[y++] = '\\';
}
}
cmd[y++] = '"';
#else
cmd[y++] = '\'';