addpkg: php53 5.3.29-4

1 files changed, 43 insertions, 0 deletions

diff --git a/curl_embedded_null.patch b/curl_embedded_null.patch
new file mode 100644
index 000000000000..eca9b1d1c39e
--- /dev/null
+++ b/curl_embedded_null.patch
@@ -0,0 +1,43 @@
+Description: fix local file disclosure via curl NULL byte injection
+Origin: backport, http://git.php.net/?p=php-src.git;a=commit;h=ab0939e5e5449cba04b02fff3a5595f725bce0a0
+Bug: https://bugs.php.net/bug.php?id=68089
+
+Index: php5-5.3.10/ext/curl/interface.c
+===================================================================
+--- php5-5.3.10.orig/ext/curl/interface.c	2014-10-28 14:54:02.671549358 -0400
++++ php5-5.3.10/ext/curl/interface.c	2014-10-28 14:54:49.427898135 -0400
+@@ -172,6 +172,11 @@
+ #endif
+ 	TSRMLS_FETCH();
+ 
++	if (strlen(url) != len) {
++		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Curl option contains invalid characters (\\0)");
++		return 0;
++	}
++
+ 	/* Disable file:// if open_basedir or safe_mode are used */
+ 	if ((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) {
+ #if LIBCURL_VERSION_NUM >= 0x071304
+Index: php5-5.3.10/ext/curl/tests/bug68089.phpt
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ php5-5.3.10/ext/curl/tests/bug68089.phpt	2014-10-28 14:54:02.667549328 -0400
+@@ -0,0 +1,18 @@
++--TEST--
++Bug #68089 (NULL byte injection - cURL lib)
++--SKIPIF--
++<?php 
++include 'skipif.inc';
++
++?>
++--FILE--
++<?php
++$url = "file:///etc/passwd\0http://google.com";
++$ch = curl_init();
++var_dump(curl_setopt($ch, CURLOPT_URL, $url));
++?>
++Done
++--EXPECTF--
++Warning: curl_setopt(): Curl option contains invalid characters (\0) in %s/bug68089.php on line 4
++bool(false)
++Done