From 47b11d865cc81a900e23f0d725bdfd5006a41945 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 5 Mar 2019 08:49:38 +0100 Subject: Fix #77630 rename() across the device may allow unwanted access during processing --- php-bug77630.patch | 90 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ php.spec | 8 ++++- 2 files changed, 97 insertions(+), 1 deletion(-) create mode 100644 php-bug77630.patch
diff --git a/php-bug77630.patch b/php-bug77630.patch
new file mode 100644
index 0000000..bc3f645
--- /dev/null
+++ b/php-bug77630.patch
@@ -0,0 +1,90 @@
+Backported to 5.6 from 7.1 by remi
+
+
+
+From e3133e4db70476fb7adfdedb738483e2255ce0e1 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Sat, 2 Mar 2019 23:42:53 -0800
+Subject: [PATCH] Fix bug #77630 - safer rename() procedure
+
+In order to rename safer, we do the following:
+- set umask to 077 (unfortunately, not TS, so excluding ZTS)
+- chown() first, to set proper group before allowing group access
+- chmod() after, even if chown() fails
+---
+ main/streams/plain_wrapper.c | 51 ++++++++++++++++++++++++------------
+ 1 file changed, 34 insertions(+), 17 deletions(-)
+
+diff --git a/main/streams/plain_wrapper.c b/main/streams/plain_wrapper.c
+index af890a9aa3bb..7fdf906e6fad 100644
+--- a/main/streams/plain_wrapper.c
++++ b/main/streams/plain_wrapper.c
+@@ -1126,34 +1126,51 @@ static int php_plain_files_rename(php_st
+ # ifdef EXDEV
+ if (errno == EXDEV) {
+ struct stat sb;
++# if !defined(ZTS) && !defined(TSRM_WIN32) && !defined(NETWARE)
++ /* not sure what to do in ZTS case, umask is not thread-safe */
++ int oldmask = umask(077);
++# endif
++ int success = 0;
+ if (php_copy_file(url_from, url_to TSRMLS_CC) == SUCCESS) {
+ if (VCWD_STAT(url_from, &sb) == 0) {
++ success = 1;
+ # if !defined(TSRM_WIN32) && !defined(NETWARE)
+- if (VCWD_CHMOD(url_to, sb.st_mode)) {
+- if (errno == EPERM) {
+- php_error_docref2(NULL TSRMLS_CC, url_from, url_to, E_WARNING, "%s", strerror(errno));
+- VCWD_UNLINK(url_from);
+- return 1;
+- }
++ /*
++ * Try to set user and permission info on the target.
++ * If we're not root, then some of these may fail.
++ * We try chown first, to set proper group info, relying
++ * on the system environment to have proper umask to not allow
++ * access to the file in the meantime.
++ */
++ if (VCWD_CHOWN(url_to, sb.st_uid, sb.st_gid)) {
+ php_error_docref2(NULL TSRMLS_CC, url_from, url_to, E_WARNING, "%s", strerror(errno));
+- return 0;
++ if (errno != EPERM) {
++ success = 0;
++ }
+ }
+- if (VCWD_CHOWN(url_to, sb.st_uid, sb.st_gid)) {
+- if (errno == EPERM) {
++
++ if (success) {
++ if (VCWD_CHMOD(url_to, sb.st_mode)) {
+ php_error_docref2(NULL TSRMLS_CC, url_from, url_to, E_WARNING, "%s", strerror(errno));
+- VCWD_UNLINK(url_from);
+- return 1;
++ if (errno != EPERM) {
++ success = 0;
++ }
+ }
+- php_error_docref2(NULL TSRMLS_CC, url_from, url_to, E_WARNING, "%s", strerror(errno));
+- return 0;
+ }
+ # endif
+- VCWD_UNLINK(url_from);
+- return 1;
++ if (success) {
++ VCWD_UNLINK(url_from);
++ }
++ } else {
++ php_error_docref2(NULL TSRMLS_CC, url_from, url_to, E_WARNING, "%s", strerror(errno));
+ }
++ } else {
++ php_error_docref2(NULL TSRMLS_CC, url_from, url_to, E_WARNING, "%s", strerror(errno));
+ }
+- php_error_docref2(NULL TSRMLS_CC, url_from, url_to, E_WARNING, "%s", strerror(errno));
+- return 0;
++# if !defined(ZTS) && !defined(TSRM_WIN32) && !defined(NETWARE)
++ umask(oldmask);
++# endif
++ return success;
+ }
+ # endif
+ #endif
diff --git a/php.spec b/php.spec
index 9cef192..a8c9198 100644
--- a/php.spec
+++ b/php.spec
@@ -136,7 +136,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: 5.6.40 -Release: 3%{?dist} +Release: 4%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD
@@ -197,6 +197,7 @@ Patch100: php-5.6.31-oci.patch # Security fixes (200+) Patch210: php-bug77540.patch Patch211: php-bug77563.patch +Patch213: php-bug77630.patch # Fixes for tests (300+) # Factory is droped from system tzdata
@@ -920,6 +921,7 @@ support for using the enchant library to PHP. # security patches %patch210 -p1 -b .bug77540 %patch211 -p1 -b .bug77563 +%patch213 -p1 -b .bug77630 # Fixes for tests %patch300 -p1 -b .datetests
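Review bot: In the new chown and chmod failure branches of main/streams/plain_wrapper.c (inside php-bug77630.patch), `errno` is tested with `if (errno != EPERM)` only after `php_error_docref2()` has run; that function is not shown here and may itself change `errno`, so the decision to tolerate EPERM can be taken on a stale value. Capture it first with `int err = errno;` at the top of each branch, then pass `strerror(err)` to the warning and test `err != EPERM`. Separately, the `umask(077)` guard is compiled out under ZTS, so on thread-safe builds the copy presumably still exists under the ambient umask until chown/chmod run; a comment at the `# if !defined(ZTS)` line stating that this window remains open on ZTS would help anyone shipping this backport for threaded SAPIs. The body of php_plain_files_rename starts and ends outside the hunk.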
@@ -1859,6 +1861,10 @@ EOF %changelog +* Tue Mar 5 2019 Remi Collet - 5.6.40-4 +- Fix #77630 rename() across the device may allow unwanted access + during processing + * Mon Mar 4 2019 Remi Collet - 5.6.40-3 - exif: Fix #77509 Uninitialized read in exif_process_IFD_in_TIFF -- cgit