head 1.4; access; symbols pkgsrc-2013Q2:1.4.0.4 pkgsrc-2013Q2-base:1.4 pkgsrc-2012Q4:1.4.0.2 pkgsrc-2012Q4-base:1.4 pkgsrc-2012Q1:1.3.0.42 pkgsrc-2012Q1-base:1.3 pkgsrc-2011Q4:1.3.0.40 pkgsrc-2011Q4-base:1.3 pkgsrc-2011Q3:1.3.0.38 pkgsrc-2011Q3-base:1.3 pkgsrc-2011Q2:1.3.0.36 pkgsrc-2011Q2-base:1.3 pkgsrc-2011Q1:1.3.0.34 pkgsrc-2011Q1-base:1.3 pkgsrc-2010Q4:1.3.0.32 pkgsrc-2010Q4-base:1.3 pkgsrc-2010Q3:1.3.0.30 pkgsrc-2010Q3-base:1.3 pkgsrc-2010Q2:1.3.0.28 pkgsrc-2010Q2-base:1.3 pkgsrc-2010Q1:1.3.0.26 pkgsrc-2010Q1-base:1.3 pkgsrc-2009Q4:1.3.0.24 pkgsrc-2009Q4-base:1.3 pkgsrc-2009Q3:1.3.0.22 pkgsrc-2009Q3-base:1.3 pkgsrc-2009Q2:1.3.0.20 pkgsrc-2009Q2-base:1.3 pkgsrc-2009Q1:1.3.0.18 pkgsrc-2009Q1-base:1.3 pkgsrc-2008Q4:1.3.0.16 pkgsrc-2008Q4-base:1.3 pkgsrc-2008Q3:1.3.0.14 pkgsrc-2008Q3-base:1.3 cube-native-xorg:1.3.0.12 cube-native-xorg-base:1.3 pkgsrc-2008Q2:1.3.0.10 pkgsrc-2008Q2-base:1.3 cwrapper:1.3.0.8 pkgsrc-2008Q1:1.3.0.6 pkgsrc-2008Q1-base:1.3 pkgsrc-2007Q4:1.3.0.4 pkgsrc-2007Q4-base:1.3 pkgsrc-2007Q3:1.3.0.2 pkgsrc-2007Q3-base:1.3 pkgsrc-2007Q2:1.2.0.10 pkgsrc-2007Q2-base:1.2 pkgsrc-2007Q1:1.2.0.8 pkgsrc-2007Q1-base:1.2 pkgsrc-2006Q4:1.2.0.6 pkgsrc-2006Q4-base:1.2 pkgsrc-2006Q3:1.2.0.4 pkgsrc-2006Q3-base:1.2 pkgsrc-2006Q2:1.2.0.2 pkgsrc-2006Q2-base:1.2 pkgsrc-2006Q1:1.1.0.2; locks; strict; comment @# @; 1.4 date 2012.06.16.15.15.06; author taca; state dead; branches; next 1.3; 1.3 date 2007.09.04.23.39.31; author jdolecek; state Exp; branches; next 1.2; 1.2 date 2006.05.06.22.42.44; author jdolecek; state dead; branches; next 1.1; 1.1 date 2006.04.14.13.48.33; author cube; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2006.04.14.13.48.33; author salo; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2006.04.19.00.12.27; author salo; state Exp; branches; next ; desc @@ 1.4 log @Remove php5 (PHP 5.2.17), please migra to php53 or php54. 
@ text @$NetBSD: patch-aq,v 1.3 2007/09/04 23:39:31 jdolecek Exp $ --- Zend/zend_extensions.c.orig 2007-09-05 00:24:04.000000000 +0200 +++ Zend/zend_extensions.c @@@@ -230,7 +230,7 @@@@ ZEND_API zend_extension *zend_get_extens * */ -#if HAVE_MACH_O_DYLD_H +#if defined(HAVE_MACH_O_DYLD_H) && !defined(HAVE_LIBDL) void *zend_mh_bundle_load(char* bundle_path) { @@@@ -284,7 +284,7 @@@@ const char *zend_mh_bundle_error(void) return NULL; } -#endif /* HAVE_MACH_O_DYLD_H */ +#endif /* HAVE_MACH_O_DYLD_H && !HAVE_LIBDL */ /* * Local variables: @ 1.3 log @load extensions via dlopen(), in preference to using NsLinkModule() et.al. on Mac OS X, so that symbols of loaded modules are available for other, dependant modules; dlopen() is native function since 10.4, so actually apparently preferable interface now this is necessary for PDO family of modules (pdo_* depends on symbols of PDO module), and for XSL module (which depends on symbols of DOM module); doing it this way allows for PDO and DOM modules to be also shared and dynamically loaded, this avoids need to compile them into main PHP binary bump PKGREVISION, this is functionality change for Mac OS X (no change for other platforms) @ text @d1 1 a1 1 $NetBSD$ @ 1.2 log @Update lang/php5 to 5.1.4. Some of the key changes include: * Disallow certain characters in session names. * Fixed a buffer overflow inside the wordwrap() function. * Prevent jumps to parent directory via the 2nd parameter of the tempnam() function. * Enforce safe_mode for the source parameter of the copy() function. * Fixed cross-site scripting inside the phpinfo() function. * Fixed offset/length parameter validation inside the substr_compare() function. * Fixed a heap corruption inside the session extension. * Fixed a bug that would allow variable to survive unset(). * Fixed a number of crashes in the DOM, SOAP and PDO extensions. 
* Upgraded bundled PCRE library to version 6.6 * The use of the var keyword to declare properties no longer raises a deprecation E_STRICT. * FastCGI interface was completely reimplemented. * Multitude of improvements to the SPL, SimpleXML, GD, CURL and Reflection extensions. * Over 120 various bug fixes. See release annoucement on: http://www.php.net/release_5_1_3.php And ChangeLog: http://www.php.net/ChangeLog-5.php#5.1.3 @ text @d1 1 a1 1 $NetBSD: patch-aq,v 1.1 2006/04/14 13:48:33 cube Exp $ d3 5 a7 10 --- ext/standard/file.c.orig 2006-01-01 13:50:14.000000000 +0100 +++ ext/standard/file.c @@@@ -773,8 +773,9 @@@@ PHP_FUNCTION(tempnam) zval **arg1, **arg2; char *d; char *opened_path; - char p[64]; + char *p; int fd; + size_t p_len; d9 2 a10 12 if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &arg1, &arg2) == FAILURE) { WRONG_PARAM_COUNT; @@@@ -787,7 +788,11 @@@@ PHP_FUNCTION(tempnam) } d = estrndup(Z_STRVAL_PP(arg1), Z_STRLEN_PP(arg1)); - strlcpy(p, Z_STRVAL_PP(arg2), sizeof(p)); + + php_basename(Z_STRVAL_PP(arg2), Z_STRLEN_PP(arg2), NULL, 0, &p, &p_len TSRMLS_CC); + if (p_len > 64) { + p[63] = '\0'; + } d12 4 a15 8 if ((fd = php_open_temporary_fd(d, p, &opened_path TSRMLS_CC)) >= 0) { close(fd); @@@@ -795,6 +800,7 @@@@ PHP_FUNCTION(tempnam) } else { RETVAL_FALSE; } + efree(p); efree(d); a16 4 /* }}} */ @@@@ -1756,7 +1762,7 @@@@ no_stat: } safe_to_copy: d18 5 a22 5 - srcstream = php_stream_open_wrapper(src, "rb", STREAM_DISABLE_OPEN_BASEDIR | REPORT_ERRORS, NULL); + srcstream = php_stream_open_wrapper(src, "rb", ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL); if (!srcstream) { return ret; @ 1.1 log @The actual patches for PHP4/5. 
@ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-aq was added on branch pkgsrc-2006Q1 on 2006-04-14 13:48:33 +0000 @ text @d1 45 @ 1.1.2.2 log @Pullup ticket 1406 - requested by cube security fixes for php Revisions pulled up: - pkgsrc/lang/php5/Makefile 1.29 - pkgsrc/lang/php5/Makefile.php 1.18 - pkgsrc/lang/php5/distinfo 1.15 - pkgsrc/lang/php5/patches/patch-ap 1.1 - pkgsrc/lang/php5/patches/patch-aq 1.1 - pkgsrc/lang/php5/patches/patch-ar 1.1 - pkgsrc/www/php4/Makefile 1.63 - pkgsrc/www/php4/distinfo 1.52 - pkgsrc/www/php4/patches/patch-aq 1.1 - pkgsrc/www/php4/patches/patch-ar 1.1 - pkgsrc/www/php4/patches/patch-as 1.1 - pkgsrc/www/ap-php/Makefile 1.9 Module Name: pkgsrc Committed By: cube Date: Fri Apr 14 13:47:30 UTC 2006 Modified Files: pkgsrc/lang/php5: Makefile Makefile.php distinfo pkgsrc/www/ap-php: Makefile pkgsrc/www/php4: Makefile distinfo Log Message: PHP4/5 security changes... They're not critical issues; secunia classes them between "not critical" and "less critical". Fix CVE-2006-0996, CVE-2006-1494, CVE-2006-1608, CVE-2006-1490. See: http://secunia.com/advisories/19383/ http://secunia.com/advisories/19599/ Patches were extracted from CVS. I had to translate the one for CVE-2006-1608 on php4 because it has not made its way to the php4.4 branch (I don't know why; I can confirm it fixes the issue). While here, add PATCHDIR to the list of variables php5's Makefile.php defines. That way, ap-php gets patched too... --- Module Name: pkgsrc Committed By: cube Date: Fri Apr 14 13:48:33 UTC 2006 Added Files: pkgsrc/lang/php5/patches: patch-ap patch-aq patch-ar pkgsrc/www/php4/patches: patch-aq patch-ar patch-as Log Message: The actual patches for PHP4/5. 
@ text @a0 45 $NetBSD: patch-aq,v 1.1.2.1 2006/04/19 00:12:27 salo Exp $ --- ext/standard/file.c.orig 2006-01-01 13:50:14.000000000 +0100 +++ ext/standard/file.c @@@@ -773,8 +773,9 @@@@ PHP_FUNCTION(tempnam) zval **arg1, **arg2; char *d; char *opened_path; - char p[64]; + char *p; int fd; + size_t p_len; if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &arg1, &arg2) == FAILURE) { WRONG_PARAM_COUNT; @@@@ -787,7 +788,11 @@@@ PHP_FUNCTION(tempnam) } d = estrndup(Z_STRVAL_PP(arg1), Z_STRLEN_PP(arg1)); - strlcpy(p, Z_STRVAL_PP(arg2), sizeof(p)); + + php_basename(Z_STRVAL_PP(arg2), Z_STRLEN_PP(arg2), NULL, 0, &p, &p_len TSRMLS_CC); + if (p_len > 64) { + p[63] = '\0'; + } if ((fd = php_open_temporary_fd(d, p, &opened_path TSRMLS_CC)) >= 0) { close(fd); @@@@ -795,6 +800,7 @@@@ PHP_FUNCTION(tempnam) } else { RETVAL_FALSE; } + efree(p); efree(d); } /* }}} */ @@@@ -1756,7 +1762,7 @@@@ no_stat: } safe_to_copy: - srcstream = php_stream_open_wrapper(src, "rb", STREAM_DISABLE_OPEN_BASEDIR | REPORT_ERRORS, NULL); + srcstream = php_stream_open_wrapper(src, "rb", ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL); if (!srcstream) { return ret; @
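Review bot: The length cap in the second tempnam hunk is off by one against the code it replaces: `if (p_len > 64)` leaves a 64-character basename untruncated, whereas the removed `strlcpy(p, ..., sizeof(p))` into `char p[64]` kept at most 63 characters. The write `p[63] = '\0'` is only reached when p_len is at least 65, so it stays inside the buffer provided php_basename allocates p_len + 1 bytes, which is not visible here. To keep the old prefix limit the test would be `if (p_len > 63) {`. A comment such as `/* keep only the file-name part so the prefix cannot name another directory */` above the php_basename call would record why the prefix is no longer copied verbatim. PHP_FUNCTION(tempnam) starts and ends outside these hunks.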
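Review bot: The flag change under `safe_to_copy:` has no comment saying which access checks the source open now relies on. Replacing `STREAM_DISABLE_OPEN_BASEDIR` with `ENFORCE_SAFE_MODE` adds the safe_mode check and also stops suppressing the wrapper's own open_basedir check. Any open_basedir test done before the label, outside this hunk, would presumably now run a second time, which is harmless but worth stating. I would add `/* source must pass safe_mode; open_basedir is re-checked by the wrapper */` above the call. Whether the destination stream is opened with matching flags cannot be seen from this hunk and should be confirmed.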