While the case in bug #74429 is not documented and is only working due to
an implementation bug, the strength seems to breach some real world
apps. Given this patch doesn't impact the initial security fix for
bug #74216, it is reasonable to let the apps keep working. As mentioned
in the ticket, this behavior is subject to change in future versions
and should not be abused.
```
In file included from /usr/local/include/php/main/php_network.h:124:0,
from /var/www/html/php-ext-handlersocketi-0.0.1/hs_response.c:3:
/usr/include/sys/poll.h:1:2: warning: #warning redirecting incorrect #include <sys/poll.h> to <poll.h> [-Wcpp]
#warning redirecting incorrect #include <sys/poll.h> to <poll.h>
^
```
For historical reasons, fsockopen() accepts the port and hostname
separately: fsockopen('127.0.0.1', 80)
However, with the introduction of stream transports in PHP 4.3,
it became possible to include the port in the hostname specifier:
fsockopen('127.0.0.1:80')
Or more formally: fsockopen('tcp://127.0.0.1:80')
Confusing results when these two forms are combined, however.
fsockopen('127.0.0.1:80', 443) results in fsockopen() attempting
to connect to '127.0.0.1:80:443' which any reasonable stack would
consider invalid.
Unfortunately, PHP parses the address looking for the first colon
(with special handling for IPv6, don't worry) and calls atoi()
from there. atoi() in turn, simply stops parsing at the first
non-numeric character and returns the value so far.
The end result is that the explicitly supplied port is treated
as ignored garbage, rather than producing an error.
This diff replaces atoi() with strtol() and inspects the
stop character. If additional "garbage" of any kind is found,
it fails and returns an error.
Hereby, interned strings are supported in thread safe PHP. The patch
implements two types of interned strings
- interning per process, strings are not freed till process end
- interning per request, strings are freed at request end
There is no runtime interning.
With Opcache, all the permanent interned strings are copied into SHM on
startup, additional copying into SHM might happen on demand.
* PHP_OS_FAMILY is now a macro, to allow extensions to take advantage of it, it is defined in php.h
* Values are not upper-case-first, not always uppercase. Windows is no longer just "Win", if we want the short version for testing then PHP_OS is always WINNT anyway
As in the previous variant, locking is removed and the initialization
is done only once at process start. The CNG API turns out to be
faster, also the initialization is less resource hungry. The
initialization part could need to be improved, if too many startup
failures are sighted in real world usage. Though that would mean
having locking back.
The usage of CNG was already pointed out and requested in several
reports, with the further refactoring it appears to make sense and
simplify things in a backward compatible way.
This reverts commit 23bd7bcde0.
Looks like this change is unstable. If the same CSP is used by multiple processes,
the initialization failures are possible. Thus, CryptAcquireContext in
every process, even if it won't be used at all, is not sensible. This
might actually motivate to look for better CSP APIs.