#
# Description: fix arbitrary file write by placing a "php_value error_log"
# entry in a .htaccess file.
# Patch: http://cvs.php.net/viewvc.cgi/php-src/sapi/apache/mod_php5.c?hideattic=0&r1=1.19.2.7.2.14&r2=1.19.2.7.2.15
# Patch: http://cvs.php.net/viewvc.cgi/php-src/sapi/apache2handler/apache_config.c?hideattic=0&r1=1.7.2.1.2.5&r2=1.7.2.1.2.6
#
diff -Nur php5-5.2.6/sapi/apache/mod_php5.c php5-5.2.6.new/sapi/apache/mod_php5.c
--- php5-5.2.6/sapi/apache/mod_php5.c 2009-01-26 09:57:46.000000000 -0500
+++ php5-5.2.6.new/sapi/apache/mod_php5.c 2009-01-26 09:57:52.000000000 -0500
@@ -729,11 +729,11 @@
 return 1; /* does not exist in dest, copy from source */
 }
- if (new_per_dir_entry->type==PHP_INI_SYSTEM
- && orig_per_dir_entry->type!=PHP_INI_SYSTEM) {
- return 1;
- } else {
+ if (orig_per_dir_entry->type==PHP_INI_SYSTEM
+ && new_per_dir_entry->type!=PHP_INI_SYSTEM) {
 return 0;
+ } else {
+ return 1;
 }
 }
 /* }}} */
@@ -770,9 +770,9 @@
 /* need a copy of addv to merge */
 new = php_create_dir(p, "php_merge_dir");
- zend_hash_copy(new, (HashTable *) addv, (copy_ctor_func_t) copy_per_dir_entry, NULL, sizeof(php_per_dir_entry));
+ zend_hash_copy(new, (HashTable *) basev, (copy_ctor_func_t) copy_per_dir_entry, NULL, sizeof(php_per_dir_entry));
- zend_hash_merge_ex(new, (HashTable *) basev, (copy_ctor_func_t) copy_per_dir_entry, sizeof(php_per_dir_entry), (merge_checker_func_t) should_overwrite_per_dir_entry, NULL);
+ zend_hash_merge_ex(new, (HashTable *) addv, (copy_ctor_func_t) copy_per_dir_entry, sizeof(php_per_dir_entry), (merge_checker_func_t) should_overwrite_per_dir_entry, NULL);
 return new;
 }
 /* }}} */
diff -Nur php5-5.2.6/sapi/apache2handler/apache_config.c php5-5.2.6.new/sapi/apache2handler/apache_config.c
--- php5-5.2.6/sapi/apache2handler/apache_config.c 2007-12-31 02:20:15.000000000 -0500
+++ php5-5.2.6.new/sapi/apache2handler/apache_config.c 2009-01-26 09:57:55.000000000 -0500
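Review bot: The rewritten condition in should_overwrite_per_dir_entry (mod_php5.c, hunk `@@ -729,11`) is only correct together with the swapped copy/merge order in the `@@ -770,9` hunk, and nothing in the code records that coupling. After this change `new_per_dir_entry` comes from `addv` and a return of 0 keeps the entry already copied from `basev`, so I would add a comment above the `if`, for example `/* an inherited PHP_INI_SYSTEM (admin) entry is never replaced by a non-admin entry from the scope being merged in */`. The function begins above the hunk, so the lookup that sets `orig_per_dir_entry` is only partly visible here.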
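Review bot: The context comment `/* need a copy of addv to merge */` in the `@@ -770,9` hunk of mod_php5.c is now wrong, because the `zend_hash_copy` below it copies `basev` and `addv` is merged in afterwards. I would replace it with `/* start from a copy of basev, then merge addv; should_overwrite_per_dir_entry decides which addv entries may replace inherited ones */`. Both calls take `basev` and `addv` through a `(HashTable *)` cast, so a transposed argument compiles silently and the comment is the only record of the intended direction. The enclosing function begins outside the hunk.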
@@ -117,6 +117,23 @@
 return NULL;
 }
+static zend_bool should_overwrite_per_dir_entry(HashTable *target_ht, php_dir_entry *new_per_dir_entry, zend_hash_key *hash_key, void *pData)
+{
+ php_dir_entry *orig_per_dir_entry;
+
+ if (zend_hash_find(target_ht, hash_key->arKey, hash_key->nKeyLength, (void **) &orig_per_dir_entry)==FAILURE) {
+ return 1; /* does not exist in dest, copy from source */
+ }
+
+ if (new_per_dir_entry->status >= orig_per_dir_entry->status) {
+ /* use new entry */
+ phpapdebug((stderr, "ADDING/OVERWRITING %s (%d vs. %d)\n", hash_key->arKey, new_per_dir_entry->status, orig_per_dir_entry->status));
+ return 1;
+ } else {
+ return 0;
+ }
+}
+
 void *merge_php_config(apr_pool_t *p, void *base_conf, void *new_conf)
 {
@@ -128,9 +145,12 @@
 ulong num_index;
 n = create_php_config(p, "merge_php_config");
- zend_hash_copy(&n->config, &e->config, NULL, NULL, sizeof(php_dir_entry));
-
+ /* copy old config */
+ zend_hash_copy(&n->config, &d->config, NULL, NULL, sizeof(php_dir_entry));
+ /* merge new config */
 phpapdebug((stderr, "Merge dir (%p)+(%p)=(%p)\n", base_conf, new_conf, n));
+ zend_hash_merge_ex(&n->config, &e->config, NULL, sizeof(php_dir_entry), (merge_checker_func_t) should_overwrite_per_dir_entry, NULL);
+#if STAS_0
 for (zend_hash_internal_pointer_reset(&d->config); zend_hash_get_current_key_ex(&d->config, &str, &str_len, &num_index, 0, NULL) == HASH_KEY_IS_STRING;
@@ -140,10 +160,10 @@
 if (zend_hash_find(&n->config, str, str_len, (void **) &pe) == SUCCESS) {
 if (pe->status >= data->status) continue;
 }
- zend_hash_update(&n->config, str, str_len, data, sizeof(*data), NULL);
 phpapdebug((stderr, "ADDING/OVERWRITING %s (%d vs. %d)\n", str, data->status, pe?pe->status:-1));
+ zend_hash_update(&n->config, str, str_len, data, sizeof(*data), NULL);
 }
-
+#endif
 return n;
 }
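Review bot: The `>=` test in the added should_overwrite_per_dir_entry (apache_config.c, hunk `@@ -117,6`) treats `status` as an ordered privilege level, which holds only if the admin status constant is numerically greater than the per-directory one; those definitions are not in this hunk. This comparison appears to be the check that stops a less privileged entry from replacing an admin one, so I would state the assumption above it, e.g. `/* status is compared numerically: a higher value is the more privileged source; on equal status the entry being merged in wins */`. `pData` is unused and the function reaches `zend_hash_merge_ex` only through a `(merge_checker_func_t)` cast, so the compiler will not flag a signature drift. A short header comment naming the expected callback signature would cover that.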
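Review bot: The old merge loop in merge_php_config is kept behind `#if STAS_0` (hunk `@@ -128,9`, closed by the `#endif` added in hunk `@@ -140,10`) instead of being removed. `STAS_0` is not defined in any visible line, so the block is presumably dead, but a security fix that leaves the superseded merge logic one macro definition away from running again is hard to audit, and the loop's locals such as `str`, `str_len` and `num_index` are probably left unused. I would delete the loop, or at minimum change the guard to `#if 0 /* superseded by zend_hash_merge_ex + should_overwrite_per_dir_entry */`. Which of `d` and `e` is the base and which the new configuration is declared above the hunk, so the copy/merge direction cannot be confirmed from here.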