From ba09fa0473cc2f090fda511c1a78adee8a3fab66 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 27 Sep 2022 17:58:04 +0200
Subject: phar: fix #81726 DOS when using quine gzip file. CVE-2022-31628

core: fix #81727 Don't mangle HTTP variable names that clash with ones
  that have a specific semantic meaning. CVE-2022-31629
use oracle client library version 21.7
---
 php-bug81727.patch | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 81 insertions(+)
 create mode 100644 php-bug81727.patch

(limited to 'php-bug81727.patch')

diff --git a/php-bug81727.patch b/php-bug81727.patch
new file mode 100644
index 0000000..c80c3c9
--- /dev/null
+++ b/php-bug81727.patch
@@ -0,0 +1,81 @@
+From bab5b52a66d7af02b4940e31a500c1fc4fd5e894 Mon Sep 17 00:00:00 2001
+From: Derick Rethans <github@derickrethans.nl>
+Date: Fri, 9 Sep 2022 16:54:03 +0100
+Subject: [PATCH 1/2] Fix #81727: Don't mangle HTTP variable names that clash
+ with ones that have a specific semantic meaning.
+
+(cherry picked from commit 0611be4e82887cee0de6c4cbae320d34eec946ca)
+(cherry picked from commit 8b300e157e92b0e945ad813d608f076b5323d721)
+---
+ NEWS                             |  6 ++++++
+ ext/standard/tests/bug81727.phpt | 15 +++++++++++++++
+ main/php_variables.c             | 14 ++++++++++++++
+ 3 files changed, 35 insertions(+)
+ create mode 100644 ext/standard/tests/bug81727.phpt
+
+diff --git a/NEWS b/NEWS
+index 8d609a489c..e82f34bbd5 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,12 @@
+ PHP                                                                        NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ 
++Backported from 7.4.31
++
++- Core:
++  . Fixed bug #81727: Don't mangle HTTP variable names that clash with ones
++    that have a specific semantic meaning. (CVE-2022-31629). (Derick)
++
+ Backported from 7.4.30
+ 
+ - mysqlnd:
+diff --git a/ext/standard/tests/bug81727.phpt b/ext/standard/tests/bug81727.phpt
+new file mode 100644
+index 0000000000..71a9cb46c8
+--- /dev/null
++++ b/ext/standard/tests/bug81727.phpt
+@@ -0,0 +1,15 @@
++--TEST--
++Bug #81727: $_COOKIE name starting with ..Host/..Secure should be discarded
++--COOKIE--
++..Host-test=ignore; __Host-test=correct; . Secure-test=ignore; . Elephpant=Awesome;
++--FILE--
++<?php
++var_dump($_COOKIE);
++?>
++--EXPECT--
++array(2) {
++  ["__Host-test"]=>
++  string(7) "correct"
++  ["__Elephpant"]=>
++  string(7) "Awesome"
++}
+diff --git a/main/php_variables.c b/main/php_variables.c
+index 50ecc663bd..e5d3ffcf52 100644
+--- a/main/php_variables.c
++++ b/main/php_variables.c
+@@ -103,6 +103,20 @@ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars
+ 	}
+ 	var_len = p - var;
+ 
++	/* Discard variable if mangling made it start with __Host-, where pre-mangling it did not start with __Host- */
++	if (strncmp(var, "__Host-", sizeof("__Host-")-1) == 0 && strncmp(var_name, "__Host-", sizeof("__Host-")-1) != 0) {
++		zval_ptr_dtor_nogc(val);
++		free_alloca(var_orig, use_heap);
++		return;
++	}
++
++	/* Discard variable if mangling made it start with __Secure-, where pre-mangling it did not start with __Secure- */
++	if (strncmp(var, "__Secure-", sizeof("__Secure-")-1) == 0 && strncmp(var_name, "__Secure-", sizeof("__Secure-")-1) != 0) {
++		zval_ptr_dtor_nogc(val);
++		free_alloca(var_orig, use_heap);
++		return;
++	}
++
+ 	if (var_len==0) { /* empty variable name, or variable name with a space in it */
+ 		zval_dtor(val);
+ 		free_alloca(var_orig, use_heap);
+-- 
+2.37.3
+
-- 
cgit