diff options
| author | Remi Collet <remi@remirepo.net> | 2023-09-20 16:00:57 +0200 |
|---|---|---|
| committer | Remi Collet <remi@php.net> | 2023-09-20 16:00:57 +0200 |
| commit | eb1d3b30bd05b57384824372496c4af2247f5d17 (patch) | |
| tree | ebdd777ed0e05997abe01aae38dd3ae3df9086f7 | |
| parent | 6a91633e760aba49f8ef28099848d942ca1db19d (diff) | |
| -rw-r--r-- | PHPINFO | 2 | ||||
| -rw-r--r-- | REFLECTION | 2 | ||||
| -rw-r--r-- | php-snuffleupagus.spec | 12 | ||||
| -rw-r--r-- | upstream.patch | 373 |
4 files changed, 8 insertions, 381 deletions
@@ -2,7 +2,7 @@ snuffleupagus snuffleupagus support => enabled -Version => 0.9.0-sng (with Suhosin-NG patches) +Version => 0.10.0-sng (with Suhosin-NG patches) Valid config => yes Directive => Local Value => Master Value @@ -1,4 +1,4 @@ -Extension [ <persistent> extension #120 snuffleupagus version 0.9.0 ] { +Extension [ <persistent> extension #125 snuffleupagus version 0.10.0 ] { - INI { Entry [ sp.configuration_file <SYSTEM> ] diff --git a/php-snuffleupagus.spec b/php-snuffleupagus.spec index 956ce12..3181e62 100644 --- a/php-snuffleupagus.spec +++ b/php-snuffleupagus.spec @@ -16,7 +16,7 @@ %bcond_without tests -%global gh_commit 7d006a4b971aec04c42c06c877c0e496f1f62bc0 +%global gh_commit cb3d7aed877ce2a0952c00f1950d57c72d664b49 %global gh_short %(c=%{gh_commit}; echo ${c:0:7}) %global gh_owner jvoisin %global gh_project snuffleupagus @@ -31,19 +31,17 @@ Summary: Security module for PHP Name: %{?scl_prefix}php-snuffleupagus -Version: 0.9.0 +Version: 0.10.0 %if 0%{?gh_date} Release: 1%{gh_date}.%{gh_short}%{?dist}%{!?scl:%{!?nophptag:%(%{__php} -r 'echo ".".PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;')}} %else -Release: 3%{?dist}%{!?scl:%{!?nophptag:%(%{__php} -r 'echo ".".PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;')}} +Release: 1%{?dist}%{!?scl:%{!?nophptag:%(%{__php} -r 'echo ".".PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;')}} %endif License: LGPL-3.0-only Group: Development/Languages URL: https://github.com/%{gh_owner}/%{gh_project} Source0: https://github.com/%{gh_owner}/%{gh_project}/archive/%{gh_commit}/%{pkg_name}-%{version}-%{gh_short}.tar.gz -Patch0: upstream.patch - BuildRequires: %{?dtsprefix}gcc BuildRequires: %{?scl_prefix}php-devel >= 7.0 BuildRequires: pcre-devel @@ -74,7 +72,6 @@ Package built for PHP %(%{__php} -r 'echo PHP_MAJOR_VERSION.".".PHP_MINOR_VERSIO %prep %setup -q -n %{gh_project}-%{gh_commit} -%patch -P0 -p1 cd %{sources} # Sanity check, really often broken @@ -224,6 +221,9 @@ REPORT_EXIT_STATUS=1 \ %changelog +* Wed Sep 20 2023 Remi Collet <remi@remirepo.net> - 0.10.0-1 +- update to 0.10.0 + * Tue Sep 5 2023 Remi Collet <remi@remirepo.net> - 0.9.0-3 - add upstream patches for PHP 8.3 - build out of sources tree diff --git a/upstream.patch b/upstream.patch deleted file mode 100644 index 4f9fa16..0000000 --- a/upstream.patch +++ /dev/null @@ -1,373 +0,0 @@ -From 1bf0f3ec9088d34383c564d6306901ae6dc94cb5 Mon Sep 17 00:00:00 2001 -From: jvoisin <julien.voisin@dustri.org> -Date: Wed, 4 Jan 2023 19:06:28 +0100 -Subject: [PATCH] Fix the CI for PHP8.2 - ---- - .../deny_writable_execution.phpt | 10 ++-------- - .../deny_writable_execution_simulation.phpt | 20 +++++++------------ - .../dump_deny_writable_execution.phpt | 10 ++-------- - .../disabled_function_echo.phpt | 1 - - .../disabled_function_echo_2.phpt | 1 - - .../disabled_function_echo_local_var.phpt | 1 - - .../disabled_function_print.phpt | 3 +-- - src/tests/xxe/disable_xxe_dom_disabled.phpt | 9 +++------ - src/tests/xxe/disable_xxe_simplexml.phpt | 9 +++------ - src/tests/xxe/disable_xxe_simplexml_oop.phpt | 9 +++------ - src/tests/xxe/disable_xxe_xml_parse.phpt | 13 +++++------- - 11 files changed, 26 insertions(+), 60 deletions(-) - -diff --git a/src/tests/deny_writable/deny_writable_execution.phpt b/src/tests/deny_writable/deny_writable_execution.phpt -index a6294797..383ffa57 100644 ---- a/src/tests/deny_writable/deny_writable_execution.phpt -+++ b/src/tests/deny_writable/deny_writable_execution.phpt -@@ -21,6 +21,8 @@ sp.configuration_file={PWD}/config/config_disable_writable.ini - $dir = __DIR__; - - // just in case -+@chmod("$dir/non_writable_file.txt", 0777); -+@chmod("$dir/writable_file.txt", 0777); - @unlink("$dir/non_writable_file.txt"); - @unlink("$dir/writable_file.txt"); - -@@ -31,13 +33,5 @@ chmod("$dir/writable_file.txt", 0777); - include "$dir/non_writable_file.txt"; - include "$dir/writable_file.txt"; - ?> ----CLEAN-- --<?php --$dir = __DIR__; --chmod("$dir/non_writable_file.txt", 0777); --chmod("$dir/writable_file.txt", 0777); --unlink("$dir/non_writable_file.txt"); --unlink("$dir/writable_file.txt"); --?> - --EXPECTF-- - Fatal error: [snuffleupagus][0.0.0.0][readonly_exec][drop] Attempted execution of a writable file (%a/deny_writable_execution.php) in %a/deny_writable_execution.php on line 2 -diff --git a/src/tests/deny_writable/deny_writable_execution_simulation.phpt b/src/tests/deny_writable/deny_writable_execution_simulation.phpt -index d4e48018..39dab32f 100644 ---- a/src/tests/deny_writable/deny_writable_execution_simulation.phpt -+++ b/src/tests/deny_writable/deny_writable_execution_simulation.phpt -@@ -22,6 +22,8 @@ sp.configuration_file={PWD}/config/config_disable_writable_simulation.ini - $dir = __DIR__; - - // just in case -+@chmod("$dir/non_writable_file.txt", 0777); -+@chmod("$dir/writable_file.txt", 0777); - @unlink("$dir/non_writable_file.txt"); - @unlink("$dir/writable_file.txt"); - -@@ -32,23 +34,15 @@ chmod("$dir/non_writable_file.txt", 0400); - include "$dir/writable_file.txt"; - include "$dir/non_writable_file.txt"; - ?> ----CLEAN-- --<?php --$dir = __DIR__; --chmod("$dir/non_writable_file.txt", 0777); --chmod("$dir/writable_file.txt", 0777); --unlink("$dir/non_writable_file.txt"); --unlink("$dir/writable_file.txt"); --?> - --EXPECTF-- --Warning: [snuffleupagus][0.0.0.0][readonly_exec][simulation] Attempted execution of a writable file (%a/deny_writable_execution_simulation.php) in %a/deny_writable_execution_simulation.php on line 2 -+Warning: [snuffleupagus][0.0.0.0][readonly_exec][simulation] Attempted execution of a writable file (%a/deny_writable_execution_simulation.php) in %a/deny_writable_execution_simulation.php on line %d - --Warning: [snuffleupagus][0.0.0.0][readonly_exec][simulation] Attempted execution of a writable file (%a/writable_file.txt) in %a/deny_writable_execution_simulation.php on line 12 -+Warning: [snuffleupagus][0.0.0.0][readonly_exec][simulation] Attempted execution of a writable file (%a/writable_file.txt) in %a/deny_writable_execution_simulation.php on line %d - --Warning: [snuffleupagus][0.0.0.0][readonly_exec][simulation] Attempted execution of a writable file (%a/writable_file.txt) in %a/writable_file.txt on line 1 -+Warning: [snuffleupagus][0.0.0.0][readonly_exec][simulation] Attempted execution of a writable file (%a/writable_file.txt) in %a/writable_file.txt on line %d - Code execution within a writable file. - --Warning: [snuffleupagus][0.0.0.0][readonly_exec][simulation] Attempted execution of a file owned by the PHP process (%s/tests/deny_writable/non_writable_file.txt) in %s/tests/deny_writable/deny_writable_execution_simulation.php on line 13 -+Warning: [snuffleupagus][0.0.0.0][readonly_exec][simulation] Attempted execution of a file owned by the PHP process (%s/tests/deny_writable/non_writable_file.txt) in %s/tests/deny_writable/deny_writable_execution_simulation.php on line %d - --Warning: [snuffleupagus][0.0.0.0][readonly_exec][simulation] Attempted execution of a file owned by the PHP process (%s/tests/deny_writable/non_writable_file.txt) in %src/tests/deny_writable/non_writable_file.txt on line 1 -+Warning: [snuffleupagus][0.0.0.0][readonly_exec][simulation] Attempted execution of a file owned by the PHP process (%s/tests/deny_writable/non_writable_file.txt) in %src/tests/deny_writable/non_writable_file.txt on line %d - Code execution within a non-writable file. -diff --git a/src/tests/deny_writable/dump_deny_writable_execution.phpt b/src/tests/deny_writable/dump_deny_writable_execution.phpt -index c6dd6cd8..2e6bca51 100644 ---- a/src/tests/deny_writable/dump_deny_writable_execution.phpt -+++ b/src/tests/deny_writable/dump_deny_writable_execution.phpt -@@ -32,6 +32,8 @@ foreach (glob("/tmp/dump_result/sp_dump.*") as $dump) { - $dir = __DIR__; - - // just in case -+@chmod("$dir/non_writable_file.txt", 0777); -+@chmod("$dir/writable_file.txt", 0777); - @unlink("$dir/non_writable_file.txt"); - @unlink("$dir/writable_file.txt"); - -@@ -57,11 +59,3 @@ if ($res[2] != "GET:get_a='data_get_a_readonly' get_b='data_get_b_readonly' \n") - --EXPECTF-- - %a - WIN ----CLEAN-- --<?php --$dir = __DIR__; --chmod("$dir/non_writable_file.txt", 0777); --chmod("$dir/writable_file.txt", 0777); --unlink("$dir/non_writable_file.txt"); --unlink("$dir/writable_file.txt"); --?> -diff --git a/src/tests/disable_function/disabled_function_echo.phpt b/src/tests/disable_function/disabled_function_echo.phpt -index 12aaff48..b1da0dca 100644 ---- a/src/tests/disable_function/disabled_function_echo.phpt -+++ b/src/tests/disable_function/disabled_function_echo.phpt -@@ -13,7 +13,6 @@ echo "qwe"; - test("rty"); - test("oops"); - ?> ----CLEAN-- - --EXPECTF-- - qwerty - Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'echo' in %a/disabled_function_echo.php on line 3 -diff --git a/src/tests/disable_function/disabled_function_echo_2.phpt b/src/tests/disable_function/disabled_function_echo_2.phpt -index 82a2fa1d..c1d98170 100644 ---- a/src/tests/disable_function/disabled_function_echo_2.phpt -+++ b/src/tests/disable_function/disabled_function_echo_2.phpt -@@ -9,7 +9,6 @@ sp.configuration_file={PWD}/config/disabled_function_echo.ini - echo "qwe"; - echo "1", "oops"; - ?> ----CLEAN-- - --EXPECTF-- - qwe1 - Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'echo' in %a/disabled_function_echo_2.php on line 3 -diff --git a/src/tests/disable_function/disabled_function_echo_local_var.phpt b/src/tests/disable_function/disabled_function_echo_local_var.phpt -index ee1be1fb..52d1f481 100644 ---- a/src/tests/disable_function/disabled_function_echo_local_var.phpt -+++ b/src/tests/disable_function/disabled_function_echo_local_var.phpt -@@ -14,7 +14,6 @@ test(); - $abc = 123; - test(); - ?> ----CLEAN-- - --EXPECTF-- - 3 - -diff --git a/src/tests/disable_function/disabled_function_print.phpt b/src/tests/disable_function/disabled_function_print.phpt -index ec1b04f8..96008546 100644 ---- a/src/tests/disable_function/disabled_function_print.phpt -+++ b/src/tests/disable_function/disabled_function_print.phpt -@@ -13,7 +13,6 @@ print "qwe"; - test("rty"); - test("oops"); - ?> ----CLEAN-- - --EXPECTF-- - qwerty --Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'echo' in %a/disabled_function_print.php on line 3 -\ No newline at end of file -+Fatal error: [snuffleupagus][0.0.0.0][disabled_function][drop] Aborted execution on call of the function 'echo' in %a/disabled_function_print.php on line 3 -diff --git a/src/tests/xxe/disable_xxe_dom_disabled.phpt b/src/tests/xxe/disable_xxe_dom_disabled.phpt -index 4a888edb..20399ecf 100644 ---- a/src/tests/xxe/disable_xxe_dom_disabled.phpt -+++ b/src/tests/xxe/disable_xxe_dom_disabled.phpt -@@ -10,6 +10,9 @@ dom - --FILE-- - <?php - $dir = __DIR__; -+@unlink($dir . "/content.xml"); -+@unlink($dir . "/content.txt"); -+ - $content = '<content>WARNING, external entity loaded!</content>'; - file_put_contents($dir . '/content.txt', $content); - -@@ -52,9 +55,3 @@ libxml_disable_entity to false: WARNING, external entity loaded! - - Warning: [snuffleupagus][0.0.0.0][xxe][log] A call to libxml_disable_entity_loader was tried and nopped in %s/tests/xxe/disable_xxe_dom_disabled.php on line %d - without xxe: foo ----CLEAN-- --<?php --$dir = __DIR__; --unlink($dir . "/content.xml"); --unlink($dir . "/content.txt"); --?> -diff --git a/src/tests/xxe/disable_xxe_simplexml.phpt b/src/tests/xxe/disable_xxe_simplexml.phpt -index 95601563..8a4f0333 100644 ---- a/src/tests/xxe/disable_xxe_simplexml.phpt -+++ b/src/tests/xxe/disable_xxe_simplexml.phpt -@@ -11,6 +11,9 @@ simplexml - --FILE-- - <?php - $dir = __DIR__; -+@unlink($dir . "/content.xml"); -+@unlink($dir . "/content.txt"); -+ - $content = 'WARNING, external entity loaded!'; - file_put_contents('content.txt', $content); - -@@ -44,9 +47,3 @@ printf("without xxe: %s", $doc->testing); - libxml_disable_entity to true: - libxml_disable_entity to false: - without xxe: foo ----CLEAN-- --<?php --$dir = __DIR__; --unlink($dir . "/content.xml"); --unlink($dir . "/content.txt"); --?> -diff --git a/src/tests/xxe/disable_xxe_simplexml_oop.phpt b/src/tests/xxe/disable_xxe_simplexml_oop.phpt -index 1b2c4cac..c28c3649 100644 ---- a/src/tests/xxe/disable_xxe_simplexml_oop.phpt -+++ b/src/tests/xxe/disable_xxe_simplexml_oop.phpt -@@ -11,6 +11,9 @@ simplexml - --FILE-- - <?php - $dir = __DIR__; -+@unlink($dir . "/content.xml"); -+@unlink($dir . "/content.txt"); -+ - $content = 'WARNING, external entity loaded!'; - file_put_contents('content.txt', $content); - -@@ -44,9 +47,3 @@ printf("without xxe: %s", $doc->testing); - libxml_disable_entity to true: - libxml_disable_entity to false: - without xxe: foo ----CLEAN-- --<?php --$dir = __DIR__; --unlink($dir . "/content.xml"); --unlink($dir . "/content.txt"); --?> -diff --git a/src/tests/xxe/disable_xxe_xml_parse.phpt b/src/tests/xxe/disable_xxe_xml_parse.phpt -index bc7e338b..4a8292d7 100644 ---- a/src/tests/xxe/disable_xxe_xml_parse.phpt -+++ b/src/tests/xxe/disable_xxe_xml_parse.phpt -@@ -16,6 +16,9 @@ sp.configuration_file={PWD}/config/disable_xxe.ini - --FILE-- - <?php - $dir = __DIR__; -+@unlink($dir . "/content.xml"); -+@unlink($dir . "/content.txt"); -+ - $content = 'WARNING, external entity loaded!'; - file_put_contents('content.txt', $content); - -@@ -71,7 +74,7 @@ $doc = xml_parse($parser, $xml, true); - xml_parser_free($parser); - - --EXPECTF-- --Warning: [snuffleupagus][0.0.0.0][xxe][log] A call to libxml_disable_entity_loader was tried and nopped in %a.php on line 41 -+Warning: [snuffleupagus][0.0.0.0][xxe][log] A call to libxml_disable_entity_loader was tried and nopped in %a.php on line %d - string(4) "TEST" - - array(0) { -@@ -83,7 +86,7 @@ array(0) { - string(7) "TESTING" - string(4) "TEST" - --Warning: [snuffleupagus][0.0.0.0][xxe][log] A call to libxml_disable_entity_loader was tried and nopped in %a.php on line 46 -+Warning: [snuffleupagus][0.0.0.0][xxe][log] A call to libxml_disable_entity_loader was tried and nopped in %a.php on line %d - string(4) "TEST" - - array(0) { -@@ -104,9 +107,3 @@ array(0) { - } - textfoostring(7) "TESTING" - string(4) "TEST" ----CLEAN-- --<?php --$dir = __DIR__; --unlink($dir . "/content.xml"); --unlink($dir . "/content.txt"); --?> -From 709d850429d0d62b148bc235745c830c2f7a55be Mon Sep 17 00:00:00 2001 -From: jvoisin <julien.voisin@dustri.org> -Date: Sun, 25 Jun 2023 14:25:46 +0200 -Subject: [PATCH] Remove ZEND_HOT - ---- - src/sp_execute.c | 2 +- - src/sp_pcre_compat.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/sp_execute.c b/src/sp_execute.c -index 6e80b6df..f105b7f9 100644 ---- a/src/sp_execute.c -+++ b/src/sp_execute.c -@@ -89,7 +89,7 @@ inline static void is_builtin_matching( - should_disable_ht(EG(current_execute_data), function_name, param_value, param_name, SPCFG(disabled_functions_reg).disabled_functions, ht); - } - --static void ZEND_HOT is_in_eval_and_whitelisted(zend_execute_data const* const execute_data) { -+static void is_in_eval_and_whitelisted(zend_execute_data const* const execute_data) { - sp_config_eval const* const config_eval = &(SPCFG(eval)); - - if (EXPECTED(0 == SPG(in_eval))) { -diff --git a/src/sp_pcre_compat.c b/src/sp_pcre_compat.c -index 81c51fdc..3658692e 100644 ---- a/src/sp_pcre_compat.c -+++ b/src/sp_pcre_compat.c -@@ -23,7 +23,7 @@ sp_pcre* sp_pcre_compile(const char* const pattern) { - return ret; - } - --bool ZEND_HOT sp_is_regexp_matching_len(const sp_pcre* regexp, const char* str, size_t len) { -+bool sp_is_regexp_matching_len(const sp_pcre* regexp, const char* str, size_t len) { - int ret = 0; - - assert(NULL != regexp); -From 78668b6ef599f700ba939017dc805485452f5319 Mon Sep 17 00:00:00 2001 -From: jvoisin <julien.voisin@dustri.org> -Date: Sun, 25 Jun 2023 14:56:43 +0200 -Subject: [PATCH] Fix an unserialize-related warning - -This should fix `Warning: unserialize(): Extra data starting at offset 8 of 72 bytes in unserialize.php on line 4`. -On the flip side, it's not longer possible in PHP8.3 and above, when using -Snuffleupagus, to have other extensions hooking unserialize(). ---- - src/sp_unserialize.c | 18 +++++++++++++----- - 1 file changed, 13 insertions(+), 5 deletions(-) - -diff --git a/src/sp_unserialize.c b/src/sp_unserialize.c -index 641d9899..ab0d9edb 100644 ---- a/src/sp_unserialize.c -+++ b/src/sp_unserialize.c -@@ -50,8 +50,6 @@ static zend_string *sp_do_hash_hmac_sha256(char* restrict data, size_t data_len, - return hex_digest; - } - --// ------------------ -- - PHP_FUNCTION(sp_serialize) { - zif_handler orig_handler; - -@@ -130,11 +128,16 @@ PHP_FUNCTION(sp_unserialize) { - } - } else { status = 1; } - -- zif_handler orig_handler; -+ zif_handler orig_handler = zend_hash_str_find_ptr(SPG(sp_internal_functions_hook), ZEND_STRL("unserialize")); - if (0 == status) { -- if ((orig_handler = zend_hash_str_find_ptr(SPG(sp_internal_functions_hook), ZEND_STRL("unserialize")))) { -+#if PHP_VERSION_ID >= 80300 -+ // PHP8.3 gives a warning about trailing data in unserialize strings. -+ php_unserialize_with_options(return_value, buf, buf_len - 64, opts, "unserialize"); -+#else -+ if ((orig_handler)) { - orig_handler(INTERNAL_FUNCTION_PARAM_PASSTHRU); - } -+#endif - } else { - const sp_config_unserialize *config_unserialize = &(SPCFG(unserialize)); - if (config_unserialize->dump) { -@@ -143,9 +146,14 @@ PHP_FUNCTION(sp_unserialize) { - } - if (true == config_unserialize->simulation) { - sp_log_simulation("unserialize", "Invalid HMAC for %s", serialized_str); -- if ((orig_handler = zend_hash_str_find_ptr(SPG(sp_internal_functions_hook), ZEND_STRL("unserialize")))) { -+#if PHP_VERSION_ID >= 80300 -+ // PHP8.3 gives a warning about trailing data in unserialize strings. -+ php_unserialize_with_options(return_value, buf, buf_len - 64, opts, "unserialize"); -+#else -+ if ((orig_handler)) { - orig_handler(INTERNAL_FUNCTION_PARAM_PASSTHRU); - } -+#endif - } else { - sp_log_drop("unserialize", "Invalid HMAC for %s", serialized_str); - } |