Pullup ticket #5800 - requested by taca lang/php56: security fix Revisions pulled up: - lang/php/phpversion.mk 1.225 - lang/php56/Makefile.php 1.5 - lang/php56/distinfo 1.49-1.50 - lang/php56/patches/patch-disable-filter-url 1.1 --- Module Name: pkgsrc Committed By: manu Date: Wed Jul 18 07:33:12 UTC 2018 Modified Files: pkgsrc/lang/php56: Makefile.php distinfo pkgsrc/lang/php70: Makefile.php distinfo pkgsrc/lang/php71: Makefile.php distinfo pkgsrc/lang/php72: Makefile.php distinfo Added Files: pkgsrc/lang/php56/patches: patch-disable-filter-url pkgsrc/lang/php70/patches: patch-disable-filter-url pkgsrc/lang/php71/patches: patch-disable-filter-url pkgsrc/lang/php72/patches: patch-disable-filter-url Log Message: Add pkgsrc build option disable-filter-url to disable php://filter URL php://filter URL is a feature documented here: http://php.net/manual/en/wrappers.php.php Unfortunately, it allows remote control of include() behavior beyond what many developers expected, enabling easy dump of PHP source files. The administrator may want to disable the feature for security's sake, and this option makes that possible. --- Module Name: pkgsrc Committed By: taca Date: Fri Jul 20 13:28:48 UTC 2018 Modified Files: pkgsrc/lang/php: phpversion.mk pkgsrc/lang/php56: distinfo Log Message: lang/php56: update to 5.6.37 19 Jul 2018, PHP 5.6.37 - Exif: . Fixed bug #76423 (Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c). (Stas) . Fixed bug #76557 (heap-buffer-overflow (READ of size 48) while reading exif data). (Stas) - Win32: . Fixed bug #76459 (windows linkinfo lacks openbasedir check). (Anatol)diff -r1.221.2.3 -r1.221.2.4 pkgsrc/lang/php/phpversion.mk
(bsiegert)
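--- a/pkgsrc/lang/php/phpversion.mk
+++ b/pkgsrc/lang/php/phpversion.mk
@@ -1,14 +1,14 @@
-# $NetBSD: phpversion.mk,v 1.221.2.3 2018/08/17 17:37:21 bsiegert Exp $
+# $NetBSD: phpversion.mk,v 1.221.2.4 2018/08/17 17:39:36 bsiegert Exp $
 #
 # This file selects a PHP version, based on the user's preferences and
 # the installed packages. It does not add a dependency on the PHP
 # package.
 #
 # === User-settable variables ===
 #
 # PHP_VERSION_DEFAULT
 # The PHP version to choose when more than one is acceptable to
 # the package.
 #
 # Possible: 56 70 71 72
 # Default: 71
@@ -77,27 +77,27 @@
 # PHP_EXTENSION_DIR
 # Relative path to ${PREFIX} for PHP's extensions. It is derived from
 # initial release of major version.
 #
 # Example: lib/php/20140828
 #
 # Keywords: php
 #
 
 .if !defined(PHPVERSION_MK)
 PHPVERSION_MK= defined
 
 # Define each PHP's version.
-PHP56_VERSION= 5.6.36
+PHP56_VERSION= 5.6.37
 PHP70_VERSION= 7.0.31
 PHP71_VERSION= 7.1.20
 PHP72_VERSION= 7.2.8
 
 # Define initial release of major version.
 PHP56_RELDATE= 20140828
 PHP70_RELDATE= 20151203
 PHP71_RELDATE= 20160303
 PHP72_RELDATE= 20170718
 
 _VARGROUPS+= php
 _USER_VARS.php= PHP_VERSION_DEFAULT
 _PKG_VARS.php= PHP_VERSIONS_ACCEPTED PHP_VERSION_REQD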
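--- a/pkgsrc/lang/php56/Makefile.php
+++ b/pkgsrc/lang/php56/Makefile.php
@@ -1,14 +1,14 @@
-# $NetBSD: Makefile.php,v 1.4 2017/07/12 09:11:35 manu Exp $
+# $NetBSD: Makefile.php,v 1.4.10.1 2018/08/17 17:39:36 bsiegert Exp $
 # used by lang/php56/Makefile
 # used by www/ap-php/Makefile
 # used by www/php-fpm/Makefile
 
 .include "../../lang/php56/Makefile.common"
 
 DISTINFO_FILE= ${.CURDIR}/../../lang/php56/distinfo
 PATCHDIR= ${.CURDIR}/../../lang/php56/patches
 
 USE_LIBTOOL= YES
 USE_LANGUAGES= c c++
 GNU_CONFIGURE= YES
 BUILD_DEFS+= VARBASE
@@ -32,27 +32,27 @@ CONFIGURE_ARGS+= --without-pear
 
 CONFIGURE_ARGS+= --disable-posix
 CONFIGURE_ARGS+= --disable-opcache
 CONFIGURE_ARGS+= --disable-pdo
 CONFIGURE_ARGS+= --disable-json
 
 CONFIGURE_ARGS+= --enable-cgi
 CONFIGURE_ARGS+= --enable-mysqlnd
 CONFIGURE_ARGS+= --enable-xml
 CONFIGURE_ARGS+= --with-libxml-dir=${PREFIX}
 .include "../../textproc/libxml2/buildlink3.mk"
 
 PKG_OPTIONS_VAR= PKG_OPTIONS.${PHP_PKG_PREFIX}
-PKG_SUPPORTED_OPTIONS+= inet6 ssl maintainer-zts readline
+PKG_SUPPORTED_OPTIONS+= inet6 ssl maintainer-zts readline disable-filter-url
 PKG_SUGGESTED_OPTIONS+= inet6 ssl
 
 .if ${OPSYS} == "SunOS" || ${OPSYS} == "Darwin" || ${OPSYS} == "FreeBSD"
 PKG_SUPPORTED_OPTIONS+= dtrace
 .endif
 
 .include "../../mk/bsd.options.mk"
 
 .if !empty(PKG_OPTIONS:Minet6)
 CONFIGURE_ARGS+= --enable-ipv6
 .else
 CONFIGURE_ARGS+= --disable-ipv6
 .endif
@@ -79,15 +79,19 @@ USE_GNU_READLINE= yes
 CONFIGURE_ARGS+= --with-readline=${BUILDLINK_PREFIX.readline}
 .else
 CONFIGURE_ARGS+= --without-readline
 .endif
 
 .if !empty(PKG_OPTIONS:Mdtrace)
 PLIST.dtrace= yes
 CONFIGURE_ARGS+= --enable-dtrace
 
 # See https://bugs.php.net/bug.php?id=61268
 INSTALL_MAKE_FLAGS+= -r
 .endif
 
+.if !empty(PKG_OPTIONS:Mdisable-filter-url)
+CFLAGS+= -DDISABLE_FILTER_URL
+.endif
+
 DL_AUTO_VARS= yes
 .include "../../mk/dlopen.buildlink3.mk"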
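Review bot: The new line 93 passes a preprocessor define through `CFLAGS+= -DDISABLE_FILTER_URL`; since the macro is only consumed by an `#ifndef` in the accompanying patch, `CPPFLAGS+= -DDISABLE_FILTER_URL` is the conventional pkgsrc spelling for a `-D` flag and does not depend on how the configure script treats CFLAGS. The option is added to PKG_SUPPORTED_OPTIONS at line 45 but not to PKG_SUGGESTED_OPTIONS, so it is opt-in; a one-line description of what it removes is presumably expected in pkgsrc's central options description list, which this diff does not show, so that users of `make show-options` can see it. A short comment above the new block, `# Build php://filter out of the php:// wrapper (see patch-disable-filter-url)`, would also tell a reader where the macro is honoured.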
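--- a/pkgsrc/lang/php56/distinfo
+++ b/pkgsrc/lang/php56/distinfo
@@ -1,21 +1,22 @@
-$NetBSD: distinfo,v 1.48 2018/04/29 16:26:40 taca Exp $
+$NetBSD: distinfo,v 1.48.2.1 2018/08/17 17:39:36 bsiegert Exp $
 
-SHA1 (php-5.6.36.tar.bz2) = c5cf00d9d6e212e1d10cfd45adbe73c936312e43
-RMD160 (php-5.6.36.tar.bz2) = 91d662d8dba9cd6ed9b14244afcae4c12c25ff01
-SHA512 (php-5.6.36.tar.bz2) = 39988e3be529cdbb12aab848de7bc132475e2c81d322403bc7015b6f8c178334f2bc98cad70ea9426596da8ce160d78ce077578d37c668b7bd481da10bbd8bce
-Size (php-5.6.36.tar.bz2) = 15057704 bytes
+SHA1 (php-5.6.37.tar.bz2) = 4672d3d43f3de9aa77799be5bf41f11008e920a5
+RMD160 (php-5.6.37.tar.bz2) = 0690834e3a68fa8ac6d89ac0d73bb50930ab8077
+SHA512 (php-5.6.37.tar.bz2) = 9cdd7710893ceb464a4818b853a2a70a02f55ece1d23cafe9a5529fdfa9ac1b23cf0eb944bd812825ec946901967a76254b10a38db835759be048cbc01795776
+Size (php-5.6.37.tar.bz2) = 15057773 bytes
 SHA1 (patch-acinclude.m4) = 34d38d2538cc00932cdfcc80d1d4a91632cd15d0
 SHA1 (patch-configure) = a5623b0cbb3331fd0a537b26c0ae48315d52dbe2
+SHA1 (patch-disable-filter-url) = a2b08912d81f2872bf1834fa4cefddb044c9d0f8
 SHA1 (patch-ext_gd_config.m4) = b92ab4c7fe8aceaef7787a607a7d2eac258fee19
 SHA1 (patch-ext_imap_config.m4) = 9c6ed6966366c4fe1b7cfd34b5910e2ff0e68577
 SHA1 (patch-ext_mssql_php__mssql.c) = c4fa9231dc539ffb027f1beb6f182f21ddb94a3c
 SHA1 (patch-ext_pcre_pcrelib_config.h) = 26588e9932ee715e32c872a1c7e2f9c640bd9cf8
 SHA1 (patch-ext_pdo__mysql_config.m4) = 9d25c673fc151e1b8ae137f2a0fc540189ef5398
 SHA1 (patch-ext_pdo_config.m4) = f6deef3ac631769baa587dd7c27e55bd2e9ca6a5
 SHA1 (patch-ext_phar_Makefile.frag) = 1564c188e57d48f83de7c2420fdde183598539e2
 SHA1 (patch-ext_phar_phar_phar.php) = 5a82d55c7965027115065412f9b68defb278db64
 SHA1 (patch-ext_recode_recode.c) = a97a1815d6a41410f68c289debbb9396128a2159
 SHA1 (patch-ext_sqlite3_libsqlite_sqlite3.c) = 85cd8f3e115705aa2eeab0e7229f24422e322a7f
 SHA1 (patch-ext_standard_basic__functions.c) = 669fe55c975bf2d971f6fdcb5b3004f7e20304d2
 SHA1 (patch-ext_standard_php__dns.h) = 57c5d6d8ae60da58925abc2c51d66b56762fecda
 SHA1 (patch-ext_tidy_tidy.c) = dd66f203196af544dcc06fe2229ba23c3086d3e8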
$NetBSD: patch-disable-filter-url,v 1.1.2.2 2018/08/17 17:39:36 bsiegert Exp $
Add build-time disable option for dangerous php://filter URL
php://filter URL is a feature documented here:
http://php.net/manual/en/wrappers.php.php
Unfortunately, it allows remote control of include() behavior
beyond what many developpers expected, enabling easy dump of
PHP source files. The administrator may want to disable the
feature for security sake, and this patch makes that possible.
--- ./ext/standard/php_fopen_wrapper.c.orig
+++ ./ext/standard/php_fopen_wrapper.c
@@ -333,8 +333,9 @@
"Error duping file descriptor %ld; possibly it doesn't exist: "
"[%d]: %s", fildes_ori, errno, strerror(errno));
return NULL;
}
+#ifndef DISABLE_FILTER_URL
} else if (!strncasecmp(path, "filter/", 7)) {
/* Save time/memory when chain isn't specified */
if (strchr(mode, 'r') || strchr(mode, '+')) {
mode_rw |= PHP_STREAM_FILTER_READ;
@@ -369,8 +370,9 @@
}
efree(pathdup);
return stream;
+#endif /* !DISABLE_FILTER_URL */
} else {
/* invalid php://thingy */
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid php:// URL specified");
return NULL;
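Review bot: With DISABLE_FILTER_URL defined, a `php://filter/...` path now falls through to the generic `Invalid php:// URL specified` warning in the trailing `else` branch, so an operator who enabled the option has no signal that the wrapper was removed deliberately rather than mistyped; an `#else` arm that still recognises the prefix and reports it as disabled keeps the fail-closed result while making it diagnosable. Locals that the excised branch alone writes (`mode_rw` and `pathdup` are visible in the hunks) presumably become unused when the macro is set and may draw compiler warnings; their declarations are outside the hunk, so this needs confirming. The `#ifndef` opens between the closing brace of the `fd/` error check and `} else if`, which keeps the brace structure balanced in both configurations. The enclosing function starts and ends outside both hunks.
```c
#else
	} else if (!strncasecmp(path, "filter/", 7)) {
		/* Wrapper compiled out by the pkgsrc disable-filter-url option. */
		php_error_docref(NULL TSRMLS_CC, E_WARNING, "php://filter is disabled in this build");
		return NULL;
#endif /* !DISABLE_FILTER_URL */
	} else {
```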