author | Remi Collet <remi@remirepo.net> | 2021-01-05 10:23:51 +0100 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2021-01-05 10:23:51 +0100 |
commit | c000cb5ad571699f23a9a09f784b1e7be4375dc7 (patch) | |
tree | f9fa3058a4bb155f82182b1d23bd8667e5beec3d | |
parent | 3494f8af6d039ef52df8e13f85b0cfe67dcb5ac0 (diff) |
update to 0.7.0
sources from jvoisin instead of nbs-system
add patch for system libpcre from
https://github.com/jvoisin/snuffleupagus/pull/369
-rw-r--r-- | 1b52614c06b60ced6caecd8dcaa0911ed3aa72e2.patch | 254 | ||||
-rw-r--r-- | 369.patch | 46 | ||||
-rw-r--r-- | PHPINFO | 2 | ||||
-rw-r--r-- | REFLECTION | 2 | ||||
-rw-r--r-- | php-snuffleupagus.spec | 55 |
5 files changed, 75 insertions, 284 deletions
diff --git a/1b52614c06b60ced6caecd8dcaa0911ed3aa72e2.patch b/1b52614c06b60ced6caecd8dcaa0911ed3aa72e2.patch deleted file mode 100644 index fbd7750..0000000 --- a/1b52614c06b60ced6caecd8dcaa0911ed3aa72e2.patch +++ /dev/null 
@@ -1,254 +0,0 @@ -From 1b52614c06b60ced6caecd8dcaa0911ed3aa72e2 Mon Sep 17 00:00:00 2001 -From: bef <bef@users.noreply.github.com> -Date: Thu, 20 Jun 2019 12:40:07 +0200 -Subject: [PATCH] Fix snufflepagus_globals linking issues and one mac - compatibility issue - ---- - src/php_snuffleupagus.h | 1 + - src/sp_config.c | 2 -- - src/sp_config_keywords.c | 2 -- - src/sp_config_utils.c | 2 -- - src/sp_cookie_encryption.c | 2 -- - src/sp_crypt.c | 2 -- - src/sp_disable_xxe.c | 2 -- - src/sp_disabled_functions.c | 2 -- - src/sp_execute.c | 2 -- - src/sp_harden_rand.c | 2 -- - src/sp_network_utils.c | 4 +--- - src/sp_session.c | 2 -- - src/sp_sloppy.c | 2 -- - src/sp_unserialize.c | 1 - - src/sp_upload_validation.c | 2 -- - src/sp_utils.c | 2 -- - src/sp_wrapper.c | 2 -- - src/tweetnacl.c | 2 -- - 18 files changed, 2 insertions(+), 34 deletions(-) - -diff --git a/src/php_snuffleupagus.h b/src/php_snuffleupagus.h -index c9313f8..43131fe 100644 ---- a/src/php_snuffleupagus.h -+++ b/src/php_snuffleupagus.h -@@ -99,6 +99,7 @@ HashTable *sp_internal_functions_hook; - HashTable *sp_eval_blacklist_functions_hook; - ZEND_END_MODULE_GLOBALS(snuffleupagus) - -+ZEND_EXTERN_MODULE_GLOBALS(snuffleupagus) - #define SNUFFLEUPAGUS_G(v) ZEND_MODULE_GLOBALS_ACCESSOR(snuffleupagus, v) - - #if defined(ZTS) && defined(COMPILE_DL_SNUFFLEUPAGUS) -diff --git a/src/sp_config.c b/src/sp_config.c -index 915c8a1..25223f2 100644 ---- a/src/sp_config.c -+++ b/src/sp_config.c -@@ -4,8 +4,6 @@ - - #include "php_snuffleupagus.h" - --ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus) -- - size_t sp_line_no; - - sp_config_tokens const sp_func[] = { -diff --git a/src/sp_config_keywords.c b/src/sp_config_keywords.c -index a13aed2..abb3110 100644 ---- a/src/sp_config_keywords.c -+++ b/src/sp_config_keywords.c -@@ -1,7 +1,5 @@ - #include "php_snuffleupagus.h" - --ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus) -- - static int parse_enable(char *line, bool *restrict retval, - bool *restrict simulation) { - bool enable = 
false, disable = false; -diff --git a/src/sp_config_utils.c b/src/sp_config_utils.c -index 71c9071..dbe6793 100644 ---- a/src/sp_config_utils.c -+++ b/src/sp_config_utils.c -@@ -1,7 +1,5 @@ - #include "php_snuffleupagus.h" - --size_t sp_line_no; -- - int parse_keywords(sp_config_functions *funcs, char *line) { - int value_len = 0; - const char *original_line = line; -diff --git a/src/sp_cookie_encryption.c b/src/sp_cookie_encryption.c -index 249de2d..92a056b 100644 ---- a/src/sp_cookie_encryption.c -+++ b/src/sp_cookie_encryption.c -@@ -1,7 +1,5 @@ - #include "php_snuffleupagus.h" - --ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus) -- - static inline const sp_cookie *sp_lookup_cookie_config(const zend_string *key) { - const sp_list_node *it = SNUFFLEUPAGUS_G(config).config_cookie->cookies; - -diff --git a/src/sp_crypt.c b/src/sp_crypt.c -index da0e2fe..42c1510 100644 ---- a/src/sp_crypt.c -+++ b/src/sp_crypt.c -@@ -1,7 +1,5 @@ - #include "php_snuffleupagus.h" - --ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus) -- - void generate_key(unsigned char *key) { - PHP_SHA256_CTX ctx; - const char *user_agent = getenv("HTTP_USER_AGENT"); -diff --git a/src/sp_disable_xxe.c b/src/sp_disable_xxe.c -index df00dbd..53148c8 100644 ---- a/src/sp_disable_xxe.c -+++ b/src/sp_disable_xxe.c -@@ -1,7 +1,5 @@ - #include "php_snuffleupagus.h" - --ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus) -- - PHP_FUNCTION(sp_libxml_disable_entity_loader) { RETURN_TRUE; } - - int hook_libxml_disable_entity_loader() { -diff --git a/src/sp_disabled_functions.c b/src/sp_disabled_functions.c -index 8177ce1..c088f20 100644 ---- a/src/sp_disabled_functions.c -+++ b/src/sp_disabled_functions.c -@@ -1,7 +1,5 @@ - #include "php_snuffleupagus.h" - --ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus) -- - static void should_disable(zend_execute_data* execute_data, - const char* complete_function_path, - const zend_string* builtin_param, -diff --git a/src/sp_execute.c b/src/sp_execute.c -index b4f2595..4eae874 100644 ---- 
a/src/sp_execute.c -+++ b/src/sp_execute.c -@@ -1,7 +1,5 @@ - #include "php_snuffleupagus.h" - --ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus) -- - static void (*orig_execute_ex)(zend_execute_data *execute_data) = NULL; - static void (*orig_zend_execute_internal)(zend_execute_data *execute_data, - zval *return_value) = NULL; -diff --git a/src/sp_harden_rand.c b/src/sp_harden_rand.c -index 7ab798e..43c2a5b 100644 ---- a/src/sp_harden_rand.c -+++ b/src/sp_harden_rand.c -@@ -2,8 +2,6 @@ - - extern ZEND_API zend_class_entry *zend_ce_error; - --ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus) -- - /* This function is needed because `rand` and `mt_rand` parameters - * are optional, while the ones from `random_int` aren't. */ - static void random_int_wrapper(INTERNAL_FUNCTION_PARAMETERS) { -diff --git a/src/sp_network_utils.c b/src/sp_network_utils.c -index c444c1e..1811d98 100644 ---- a/src/sp_network_utils.c -+++ b/src/sp_network_utils.c -@@ -1,7 +1,5 @@ - #include "php_snuffleupagus.h" - --ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus) -- - static inline bool cidr4_match(const struct in_addr addr, - const struct in_addr net, uint8_t bits); - static inline bool cidr6_match(const struct in6_addr address, -@@ -19,7 +17,7 @@ static inline bool cidr4_match(const struct in_addr addr, - - static inline bool cidr6_match(const struct in6_addr address, - const struct in6_addr network, uint8_t bits) { --#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) -+#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__APPLE__) - const uint32_t *a = address.__u6_addr.__u6_addr32; - const uint32_t *n = network.__u6_addr.__u6_addr32; - #else -diff --git a/src/sp_session.c b/src/sp_session.c -index 596eae9..1064fe6 100644 ---- a/src/sp_session.c -+++ b/src/sp_session.c -@@ -1,7 +1,5 @@ - #include "php_snuffleupagus.h" - --ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus) -- - #if (HAVE_PHP_SESSION && !defined(COMPILE_DL_SESSION)) - - #ifdef ZTS -diff --git 
a/src/sp_sloppy.c b/src/sp_sloppy.c -index d3678db..5837783 100644 ---- a/src/sp_sloppy.c -+++ b/src/sp_sloppy.c -@@ -1,7 +1,5 @@ - #include "php_snuffleupagus.h" - --ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus) -- - ZEND_API zend_op_array* (*orig_zend_compile_file)(zend_file_handle* file_handle, - int type) = NULL; - ZEND_API zend_op_array* (*orig_zend_compile_string)(zval* source_string, -diff --git a/src/sp_unserialize.c b/src/sp_unserialize.c -index 5e21d6a..f265ce6 100644 ---- a/src/sp_unserialize.c -+++ b/src/sp_unserialize.c -@@ -1,6 +1,5 @@ - #include "php_snuffleupagus.h" - --ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus) - - PHP_FUNCTION(sp_serialize) { - zif_handler orig_handler; -diff --git a/src/sp_upload_validation.c b/src/sp_upload_validation.c -index fe16a46..ee19df9 100644 ---- a/src/sp_upload_validation.c -+++ b/src/sp_upload_validation.c -@@ -1,7 +1,5 @@ - #include "php_snuffleupagus.h" - --ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus) -- - int (*sp_rfc1867_orig_callback)(unsigned int event, void *event_data, - void **extra); - int sp_rfc1867_callback(unsigned int event, void *event_data, void **extra); -diff --git a/src/sp_utils.c b/src/sp_utils.c -index 475d552..7641808 100644 ---- a/src/sp_utils.c -+++ b/src/sp_utils.c -@@ -1,7 +1,5 @@ - #include "php_snuffleupagus.h" - --ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus) -- - bool sp_zend_string_equals(const zend_string* s1, const zend_string* s2) { - // We can't use `zend_string_equals` here because it doesn't work on - // `const` zend_string. 
-diff --git a/src/sp_wrapper.c b/src/sp_wrapper.c -index 1618a4f..277f23a 100644 ---- a/src/sp_wrapper.c -+++ b/src/sp_wrapper.c -@@ -1,7 +1,5 @@ - #include "php_snuffleupagus.h" - --ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus) -- - static bool wrapper_is_whitelisted(const zend_string *zs) { - const sp_list_node *list = SNUFFLEUPAGUS_G(config).config_wrapper->whitelist; - -diff --git a/src/tweetnacl.c b/src/tweetnacl.c -index ad5dae5..9f66546 100644 ---- a/src/tweetnacl.c -+++ b/src/tweetnacl.c -@@ -3,8 +3,6 @@ we're using the one from PHP.*/ - #include "php_snuffleupagus.h" - #include "ext/standard/php_random.h" - --ZEND_DECLARE_MODULE_GLOBALS(snuffleupagus) -- - void randombytes(unsigned char *x, unsigned long long xlen) { - assert(SIZE_MAX >= ULLONG_MAX); // max(size_t) > max(ull) ? - php_random_bytes(x, xlen, 1); diff --git a/369.patch b/369.patch new file mode 100644 index 0000000..ddcd511 --- /dev/null +++ b/369.patch 
@@ -0,0 +1,46 @@ +From da4452a8084115f5975c88efab3671cdc2a07cf8 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@remirepo.net> +Date: Mon, 4 Jan 2021 12:34:26 +0100 +Subject: [PATCH] Fix #368 build with system libpcre + +--- + src/sp_pcre_compat.c | 4 ++-- + src/sp_pcre_compat.h | 3 --- + 2 files changed, 2 insertions(+), 5 deletions(-) + +diff --git a/src/sp_pcre_compat.c b/src/sp_pcre_compat.c +index b4d29f06..283eeb7f 100644 +--- a/src/sp_pcre_compat.c ++++ b/src/sp_pcre_compat.c +@@ -15,7 +15,7 @@ sp_pcre* sp_pcre_compile(const char* const pattern) { + const char* pcre_error = NULL; + int erroroffset; + ret = +- php_pcre_compile(pattern, PCRE_CASELESS, &pcre_error, &erroroffset, NULL); ++ pcre_compile(pattern, PCRE_CASELESS, &pcre_error, &erroroffset, NULL); + #endif + + if (NULL == ret) { +@@ -38,7 +38,7 @@ bool ZEND_HOT sp_is_regexp_matching_len(const sp_pcre* regexp, const char* str, + ret = pcre2_match(regexp, (PCRE2_SPTR)str, len, 0, 0, match_data, NULL); + #else + int vec[30]; +- ret = php_pcre_exec(regexp, NULL, str, len, 0, 0, vec, ++ ret = pcre_exec(regexp, NULL, str, len, 0, 0, vec, + sizeof(vec) / sizeof(int)); + #endif + +diff --git a/src/sp_pcre_compat.h b/src/sp_pcre_compat.h +index 11f7f7ca..14c33b2d 100644 +--- a/src/sp_pcre_compat.h ++++ b/src/sp_pcre_compat.h +@@ -4,9 +4,6 @@ + #include <stdlib.h> + #include <stdbool.h> + +-#undef pcre_exec +-#undef pcre_compile +- + #define PCRE2_CODE_UNIT_WIDTH 8 + #if PHP_VERSION_ID >= 70300 + #define SP_HAS_PCRE2 @@ -2,7 +2,7 @@ snuffleupagus snuffleupagus support => enabled -Version => 0.5.0 +Version => 0.7.0 Valid config => yes Directive => Local Value => Master Value @@ -1,4 +1,4 @@ -Extension [ <persistent> extension #203 snuffleupagus version 0.5.0 ] { +Extension [ <persistent> extension #119 snuffleupagus version 0.7.0 ] { - INI { Entry [ sp.configuration_file <SYSTEM> ] diff --git a/php-snuffleupagus.spec b/php-snuffleupagus.spec index 4580b53..c52be26 100644 --- a/php-snuffleupagus.spec 
+++ b/php-snuffleupagus.spec @@ -1,6 +1,6 @@ # remirepo spec file for php-snuffleupagus # -# Copyright (c) 2018-2020 Remi Collet +# Copyright (c) 2018-2021 Remi Collet # License: CC-BY-SA # http://creativecommons.org/licenses/by-sa/4.0/ # @@ -18,9 +18,9 @@ %global pkg_name %{name} %endif -%global gh_commit 0410dd1ee69f5040e0a81d57d20d860139b0c32c +%global gh_commit 047b2d08a5d01c2c8654f16fb97bb99d0b25052b %global gh_short %(c=%{gh_commit}; echo ${c:0:7}) -%global gh_owner nbs-system +%global gh_owner jvoisin %global gh_project snuffleupagus #global gh_date 20180117 %global pecl_name snuffleupagus @@ -31,24 +31,24 @@ Summary: Security module for PHP Name: %{?sub_prefix}php-snuffleupagus -Version: 0.5.0 +Version: 0.7.0 %if 0%{?gh_date} Release: 2%{gh_date}.%{gh_short}%{?dist}%{!?scl:%{!?nophptag:%(%{__php} -r 'echo ".".PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;')}} %else -Release: 4%{?dist}%{!?scl:%{!?nophptag:%(%{__php} -r 'echo ".".PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;')}} +Release: 1%{?dist}%{!?scl:%{!?nophptag:%(%{__php} -r 'echo ".".PHP_MAJOR_VERSION.".".PHP_MINOR_VERSION;')}} %endif License: LGPLv3 Group: Development/Languages URL: https://github.com/%{gh_owner}/%{gh_project} Source0: https://github.com/%{gh_owner}/%{gh_project}/archive/%{gh_commit}/%{pkg_name}-%{version}-%{gh_short}.tar.gz -Patch0: https://github.com/jvoisin/snuffleupagus/commit/1b52614c06b60ced6caecd8dcaa0911ed3aa72e2.patch +Patch0: https://patch-diff.githubusercontent.com/raw/jvoisin/snuffleupagus/pull/369.patch BuildRequires: %{?dtsprefix}gcc BuildRequires: %{?scl_prefix}php-devel > 7 BuildRequires: pcre-devel # For tests/upload_validation_real.phpt -BuildRequires: %{?scl_prefix}php-vld +# BuildRequires: %%{?scl_prefix}php-vld BuildRequires: %{?scl_prefix}php-curl BuildRequires: %{?scl_prefix}php-dom BuildRequires: %{?scl_prefix}php-simplexml 
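Review bot: The new `Patch0` line points at `https://patch-diff.githubusercontent.com/raw/jvoisin/snuffleupagus/pull/369.patch`, a pull-request URL whose content changes whenever the PR branch is updated or rebased. `Source0` is pinned by `gh_commit`, but nothing ties this URL to the patch that was reviewed. The build uses the `369.patch` committed next to the spec, so the risk is on refresh: anyone re-downloading sources from the URL could get different content without noticing. I would reference the commit named in the patch header instead (`da4452a8084115f5975c88efab3671cdc2a07cf8`, assuming it is reachable under the upstream repository), or add a comment above the line such as `# PR 369 as of da4452a8; URL is not content-stable, diff against the committed copy before refreshing`.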
@@ -60,36 +60,21 @@ Requires: %{?scl_prefix}php(zend-abi) = %{php_zend_api} Requires: %{?scl_prefix}php(api) = %{php_core_api} %{?_sclreq:Requires: %{?scl_prefix}runtime%{?_sclreq}%{?_isa}} -%if "%{?vendor}" == "Remi Collet" && 0%{!?scl:1} && 0%{?rhel} -Obsoletes: php70u-%{pecl_name} <= %{version} -Obsoletes: php70w-%{pecl_name} <= %{version} -%if "%{php_version}" > "7.1" -Obsoletes: php71u-%{pecl_name} <= %{version} -Obsoletes: php71w-%{pecl_name} <= %{version} -%endif -%if "%{php_version}" > "7.2" -Obsoletes: php72u-%{pecl_name} <= %{version} -Obsoletes: php72w-%{pecl_name} <= %{version} -%endif +%if "%{?packager}" == "Remi Collet" && 0%{!?scl:1} && 0%{?rhel} %if "%{php_version}" > "7.3" Obsoletes: php73-%{pecl_name} <= %{version} -Obsoletes: php73w-%{pecl_name} <= %{version} %endif %if "%{php_version}" > "7.4" Obsoletes: php74-%{pecl_name} <= %{version} -Obsoletes: php74w-%{pecl_name} <= %{version} %endif +%if "%{php_version}" > "8.0" +Obsoletes: php80-%{pecl_name} <= %{version} %endif - -%if 0%{?fedora} < 20 && 0%{?rhel} < 7 -# Filter shared private -%{?filter_provides_in: %filter_provides_in %{_libdir}/.*\.so$} -%{?filter_setup} %endif %description -Snuffleupagus is a PHP7+ module designed to drastically raise the cost of +Snuffleupagus is a PHP module designed to drastically raise the cost of attacks against websites. This is achieved by killing entire bug classes and providing a powerful virtual-patching system, allowing the administrator to fix specific vulnerabilities without having to touch the PHP code. @@ -101,7 +86,7 @@ Package built for PHP %(%{__php} -r 'echo PHP_MAJOR_VERSION.".".PHP_MINOR_VERSIO %prep %setup -q -n %{gh_project}-%{gh_commit} -%patch0 -p1 -b .ups +%patch0 -p1 -b .pr369 cd src # Sanity check, really often broken 
@@ -173,7 +158,15 @@ install -D -m 644 %{ini_name} %{buildroot}%{php_ztsinidir}/%{ini_name} %check -sed -e 's:#!/usr/bin/env php:#!%{__php}:' -i scripts/upload_validation.php +if [ -f %{php_extdir}/vld.so ]; then + sed -e 's:#!/usr/bin/env php:#!%{__php}:' -i scripts/upload_validation.php +else + rm src/tests/upload_validation/upload_validation_real.phpt +fi + +%if "%{php_version}" < "8" +rm -rf src/tests/*php8*/ +%endif # add extensions used by test suite TEST_DEPS="-d extension=xml.so -d extension=dom.so -d extension=curl.so -d extension=simplexml.so" @@ -225,6 +218,12 @@ REPORT_EXIT_STATUS=1 \ %changelog +* Mon Jan 4 2021 Remi Collet <remi@remirepo.net> - 0.7.0-1 +- update to 0.7.0 +- sources from jvoisin instead of nbs-system +- add patch for system libpcre from + https://github.com/jvoisin/snuffleupagus/pull/369 + * Fri Feb 21 2020 Remi Collet <remi@remirepo.net> - 0.5.0-4 - fix test suite |
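Review bot: In the `%check` hunk, the new `else` branch deletes `upload_validation_real.phpt` when `vld.so` is missing and leaves no trace in the build log. Because `BuildRequires: php-vld` is commented out earlier in the spec, that is presumably the normal case in a clean buildroot. The package then ships with its upload-validation path never exercised, while the test suite still reports success. I would log the skip before the `rm`, e.g. `echo "vld.so not found: skipping upload_validation_real.phpt" >&2`, and add a spec comment next to the disabled BuildRequires saying why the dependency was dropped and that this test is skipped as a result.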