From 78d1228ef689a9fffd5cf5b55de6f9a5540be07a Mon Sep 17 00:00:00 2001 From: George Wang Date: Mon, 8 Jun 2015 15:38:59 -0400 Subject: [PATCH 1/4] Fixed Buf #68812 Unchecked return value. --- sapi/litespeed/lsapilib.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/sapi/litespeed/lsapilib.c b/sapi/litespeed/lsapilib.c index baf0db37972..a109909c352 100644 --- a/sapi/litespeed/lsapilib.c +++ b/sapi/litespeed/lsapilib.c @@ -3131,10 +3131,20 @@ static int lsapi_initSuEXEC() if ( !s_defaultUid || !s_defaultGid ) { pw = getpwnam( "nobody" ); - if ( !s_defaultUid ) - s_defaultUid = pw->pw_uid; - if ( !s_defaultGid ) - s_defaultGid = pw->pw_gid; + if ( pw ) + { + if ( !s_defaultUid ) + s_defaultUid = pw->pw_uid; + if ( !s_defaultGid ) + s_defaultGid = pw->pw_gid; + } + else + { + if ( !s_defaultUid ) + s_defaultUid = 10000; + if ( !s_defaultGid ) + s_defaultGid = 10000; + } } return 0; } From 531c306fe6715b1f4e060bbeef88b4fb9cb954f9 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 9 Jun 2015 09:12:59 +0200 Subject: [PATCH 2/4] fix test description --- ext/pgsql/tests/pg_insert_002.phpt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/pgsql/tests/pg_insert_002.phpt b/ext/pgsql/tests/pg_insert_002.phpt index 87d87b84756..329f525b27a 100644 --- a/ext/pgsql/tests/pg_insert_002.phpt +++ b/ext/pgsql/tests/pg_insert_002.phpt @@ -1,5 +1,5 @@ --TEST-- -PostgreSQL pg_select() - basic test using schema +PostgreSQL pg_insert() - test for CVE-2015-1532 --SKIPIF-- --FILE-- From f7d7befae8bcc2db0093f8adaa9f72eeb7ad891e Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 31 May 2015 22:47:52 -0700 Subject: [PATCH 3/4] Fix #69719 - more checks for nulls in paths --- ext/dom/document.c | 22 +++++++++++++++++----- ext/gd/gd.c | 16 ++++++++-------- 2 files changed, 25 insertions(+), 13 deletions(-) diff --git a/ext/dom/document.c b/ext/dom/document.c index 48a19dd05de..097fcba4675 100644 --- a/ext/dom/document.c 
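Review bot: The else-branch added in lsapi_initSuEXEC falls back to the bare literal 10000 for both s_defaultUid and s_defaultGid when getpwnam("nobody") returns NULL, and nothing in the hunk says where that value comes from or that it may coincide with a real account on the host. Suggest giving it a name next to the other file-scope definitions, `enum { LSAPI_FALLBACK_UID = 10000, LSAPI_FALLBACK_GID = 10000 }; /* used only when "nobody" cannot be looked up in the passwd database */`, and using the names in both assignments. Because the branch is taken silently, a log line there would let an operator see that requests will run under an id that may belong to no configured user; getpwnam also returns NULL on a lookup error, not only for a missing entry, so the message should not assume the account is absent. The start of lsapi_initSuEXEC lies outside the hunk.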
+++ b/ext/dom/document.c @@ -1761,7 +1761,7 @@ PHP_FUNCTION(dom_document_save) char *file; long options = 0; - if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os|l", &id, dom_document_class_entry, &file, &file_len, &options) == FAILURE) { + if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op|l", &id, dom_document_class_entry, &file, &file_len, &options) == FAILURE) { return; } @@ -1990,7 +1990,7 @@ static void _dom_document_schema_validate(INTERNAL_FUNCTION_PARAMETERS, int type int is_valid; char resolved_path[MAXPATHLEN + 1]; - if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op", &id, dom_document_class_entry, &source, &source_len) == FAILURE) { + if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os", &id, dom_document_class_entry, &source, &source_len) == FAILURE) { return; } @@ -2003,6 +2003,10 @@ static void _dom_document_schema_validate(INTERNAL_FUNCTION_PARAMETERS, int type switch (type) { case DOM_LOAD_FILE: + if (CHECK_NULL_PATH(source, source_len)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid Schema file source"); + RETURN_FALSE; + } valid_file = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC); if (!valid_file) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid Schema file source"); @@ -2079,7 +2083,7 @@ static void _dom_document_relaxNG_validate(INTERNAL_FUNCTION_PARAMETERS, int typ int is_valid; char resolved_path[MAXPATHLEN + 1]; - if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op", &id, dom_document_class_entry, &source, &source_len) == FAILURE) { + if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os", &id, dom_document_class_entry, &source, &source_len) == FAILURE) { return; } 
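Review bot: The parse specs in _dom_document_schema_validate (hunk @@ -1990) and _dom_document_relaxNG_validate (hunk @@ -2079), and in dom_load_html in the following hunk @@ -2172, go from "p" to "s", which reads as dropping the NUL-byte check in a commit titled "more checks for nulls in paths"; the reason — the same argument is document text in the non-file variants (dom_load_html's else branch measures it with xmlStrlen), and only the DOM_LOAD_FILE branch is now guarded by CHECK_NULL_PATH in the hunks that follow — is visible only by reading ahead. A one-line comment above each of those parse calls would keep the intent with the code, e.g. `/* "s", not "p": source is document text unless type is DOM_LOAD_FILE, where CHECK_NULL_PATH below rejects embedded NULs */` (with `mode` in place of `type` for dom_load_html). The enclosing functions start outside these hunks.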
@@ -2092,6 +2096,10 @@ static void _dom_document_relaxNG_validate(INTERNAL_FUNCTION_PARAMETERS, int typ switch (type) { case DOM_LOAD_FILE: + if (CHECK_NULL_PATH(source, source_len)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid RelaxNG file source"); + RETURN_FALSE; + } valid_file = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC); if (!valid_file) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid RelaxNG file source"); @@ -2172,7 +2180,7 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */ id = getThis(); - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &source, &source_len, &options) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &source, &source_len, &options) == FAILURE) { return; } @@ -2182,6 +2190,10 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */ } if (mode == DOM_LOAD_FILE) { + if (CHECK_NULL_PATH(source, source_len)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid file source"); + RETURN_FALSE; + } ctxt = htmlCreateFileParserCtxt(source, NULL); } else { source_len = xmlStrlen(source); @@ -2270,7 +2282,7 @@ PHP_FUNCTION(dom_document_save_html_file) char *file; const char *encoding; - if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os", &id, dom_document_class_entry, &file, &file_len) == FAILURE) { + if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op", &id, dom_document_class_entry, &file, &file_len) == FAILURE) { return; } diff --git a/ext/gd/gd.c b/ext/gd/gd.c index d258c3dbc78..e52757567ea 100644 --- a/ext/gd/gd.c +++ b/ext/gd/gd.c @@ -1790,7 +1790,7 @@ PHP_FUNCTION(imagefilledarc) long cx, cy, w, h, ST, E, col, style; gdImagePtr im; int e, st; - + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rllllllll", &IM, &cx, &cy, &w, &h, &ST, &E, &col, &style) == FAILURE) { return; } 
@@ -2033,7 +2033,7 @@ PHP_FUNCTION(imagegrabwindow) if ( handle == 0 ) { goto clean; } - pPrintWindow = (tPrintWindow) GetProcAddress(handle, "PrintWindow"); + pPrintWindow = (tPrintWindow) GetProcAddress(handle, "PrintWindow"); if ( pPrintWindow ) { pPrintWindow(window, memDC, (UINT) client_area); @@ -3984,7 +3984,7 @@ static void php_imagettftext_common(INTERNAL_FUNCTION_PARAMETERS, int mode, int if (zend_hash_get_current_data_ex(HASH_OF(EXT), (void **) &item, &pos) == FAILURE) { continue; } - + if (strcmp("linespacing", key) == 0) { convert_to_double_ex(item); strex.flags |= gdFTEX_LINESPACE; @@ -4006,7 +4006,7 @@ static void php_imagettftext_common(INTERNAL_FUNCTION_PARAMETERS, int mode, int #endif PHP_GD_CHECK_OPEN_BASEDIR(fontname, "Invalid font filename"); - + #ifdef USE_GD_IMGSTRTTF # if HAVE_GD_STRINGFTEX if (extended) { @@ -4071,7 +4071,7 @@ PHP_FUNCTION(imagepsloadfont) struct stat st; #endif - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_len) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_len) == FAILURE) { return; } @@ -4411,11 +4411,11 @@ PHP_FUNCTION(imagepsbbox) if (argc != 3 && argc != 6) { ZEND_WRONG_PARAM_COUNT(); } - + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "srl|lld", &str, &str_len, &fnt, &sz, &sp, &wd, &angle) == FAILURE) { return; } - + if (argc == 6) { space = sp; add_width = wd; @@ -4600,7 +4600,7 @@ static void _php_image_convert(INTERNAL_FUNCTION_PARAMETERS, int image_type ) #ifdef HAVE_GD_JPG long ignore_warning; #endif - + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pplll", &f_org, &f_org_len, &f_dest, &f_dest_len, &height, &width, &threshold) == FAILURE) { return; } From 80367584910885baa1a2a4476a4a31efdcf0c9c0 Mon Sep 17 00:00:00 2001 
From: Stanislav Malyshev Date: Sun, 31 May 2015 22:53:35 -0700 Subject: [PATCH 4/4] Fix bug #69646 OS command injection vulnerability in escapeshellarg --- ext/standard/exec.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/ext/standard/exec.c b/ext/standard/exec.c index d6938a48095..d0b1e01e167 100644 --- a/ext/standard/exec.c +++ b/ext/standard/exec.c @@ -380,6 +380,14 @@ PHPAPI char *php_escape_shell_arg(char *str) } } #ifdef PHP_WIN32 + if (y > 0 && '\\' == cmd[y - 1]) { + int k = 0, n = y - 1; + for (; n >= 0 && '\\' == cmd[n]; n--, k++); + if (k % 2) { + cmd[y++] = '\\'; + } + } + cmd[y++] = '"'; #else cmd[y++] = '\'';
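Review bot: The backslash-doubling block added before the closing quote in php_escape_shell_arg carries no comment explaining the rule it implements, and the empty-body `for (; n >= 0 && '\\' == cmd[n]; n--, k++);` is the kind of line a later reader "fixes" by attaching the next statement to it. Suggest `/* Windows argv parsing: an odd run of backslashes before '"' makes the closing quote a literal character, so the quote would no longer end the argument; pad the run to an even count. */` above the `if`, and an explicit empty body for the counting loop, `for (; n >= 0 && '\\' == cmd[n]; n--, k++) { }`. The extra byte written in the odd case relies on slack in the allocation of `cmd`, which happens outside this hunk, so a comment noting that dependency next to the allocation would help. The function's start lies outside the hunk.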