tech-pkg archive


Re: Option to disable php://filter URL



On Wed, Jul 04, 2018 at 11:00:27AM +0200, Emmanuel Dreyfus wrote:
> PHP has a php://filter URL feature which in my opinion violates
> the principle of least astonishment enough that we could want
> an option to disable it.

If nobody complains, I am about to commit the attached patch.


-- 
Emmanuel Dreyfus
manu%netbsd.org@localhost
--- lang/php56/files/disable-filter-url56.patch.orig
+++ lang/php56/files/disable-filter-url56.patch
@@ -0,0 +1,26 @@
+$NetBSD$
+
+Disable dangerous php://filter URL
+
+--- ./ext/standard/php_fopen_wrapper.c.orig
++++ ./ext/standard/php_fopen_wrapper.c
+@@ -333,8 +333,9 @@
+ 				"Error duping file descriptor %ld; possibly it doesn't exist: "
+ 				"[%d]: %s", fildes_ori, errno, strerror(errno));
+ 			return NULL;
+ 		}
++#ifdef ENABLE_FILTER_URL
+ 	} else if (!strncasecmp(path, "filter/", 7)) {
+ 		/* Save time/memory when chain isn't specified */
+ 		if (strchr(mode, 'r') || strchr(mode, '+')) {
+ 			mode_rw |= PHP_STREAM_FILTER_READ;
+@@ -369,8 +370,9 @@
+ 		}
+ 		efree(pathdup);
+ 
+ 		return stream;
++#endif /* ENABLE_FILTER_URL */
+ 	} else {
+ 		/* invalid php://thingy */
+ 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid php:// URL specified");
+ 		return NULL;
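Review bot: The `#ifdef ENABLE_FILTER_URL` guard around the `filter/` branch tests a macro that nothing visible in this patch set defines, so the name reads like a build switch that does not exist. A comment at the guard would make the intent explicit, e.g. `/* pkgsrc disable-filter-url option: php://filter is compiled out; ENABLE_FILTER_URL is never set by the package build */`. With the branch removed, a `php://filter/...` path falls through to the generic `Invalid php:// URL specified` warning, which fails closed but does not tell an administrator that the wrapper was disabled on purpose. The patch header only says "dangerous" and could state in one sentence that the wrapper lets any code opening a caller-influenced stream name run stream filters over a local resource. Both inner hunks cut into a function whose start and end lie outside the visible context, and the same remarks apply to the php70, php71 and php72 copies of this file.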
--- lang/php56/Makefile.php.orig
+++ lang/php56/Makefile.php
@@ -41,9 +41,9 @@
 CONFIGURE_ARGS+=	--with-libxml-dir=${PREFIX}
 .include "../../textproc/libxml2/buildlink3.mk"
 
 PKG_OPTIONS_VAR=	PKG_OPTIONS.${PHP_PKG_PREFIX}
-PKG_SUPPORTED_OPTIONS+=	inet6 ssl maintainer-zts readline
+PKG_SUPPORTED_OPTIONS+=	inet6 ssl maintainer-zts readline disable-filter-url
 PKG_SUGGESTED_OPTIONS+=	inet6 ssl
 
 .if ${OPSYS} == "SunOS" || ${OPSYS} == "Darwin" || ${OPSYS} == "FreeBSD"
 PKG_SUPPORTED_OPTIONS+=	dtrace
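Review bot: The new `disable-filter-url` entry in `PKG_SUPPORTED_OPTIONS` has no description, since nothing in this patch adds a line for it to `mk/defaults/options.description`, so `make show-options` would list a hardening option without saying what it removes. A line such as `disable-filter-url	Compile out the php://filter stream wrapper.` would cover it. The option is not added to `PKG_SUGGESTED_OPTIONS`, so a default build keeps php://filter enabled; if that is intended, the description should say the hardening is opt-in. The same gap applies to the php70, php71 and php72 `Makefile.php` hunks.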
@@ -88,6 +88,13 @@
 # See https://bugs.php.net/bug.php?id=61268
 INSTALL_MAKE_FLAGS+=	-r
 .endif
 
+.if !empty(PKG_OPTIONS:Mdisable-filter-url)
+USE_TOOLS+=		patch
+FILTER_URL_PATCH=	../../lang/php56/files/disable-filter-url56.patch
+post-patch:
+	${PATCH} -d ${WRKSRC} --forward --quiet  < ${FILTER_URL_PATCH}
+.endif
+
 DL_AUTO_VARS=		yes
 .include "../../mk/dlopen.buildlink3.mk"
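Review bot: The `post-patch:` target is defined in `Makefile.php`, which appears to be a fragment shared by several packages; if an including Makefile also defines `post-patch`, the two scripts collide and one is dropped, so this should be confirmed against the includers or documented with a comment like `# includers must not define post-patch when disable-filter-url is set`. The recipe runs `${PATCH}` with `--forward --quiet`, so a hunk that patch considers already applied is skipped silently, and as far as I can tell a file under `files/` is not covered by the `distinfo` checksums that protect `patches/`. For a security option the build should fail loudly if the guard did not land, for example with a second recipe line `${GREP} -q ENABLE_FILTER_URL ${WRKSRC}/ext/standard/php_fopen_wrapper.c` (with `grep` added to `USE_TOOLS`). A simpler design would ship the change as a regular patch under `patches/` using `#ifndef DISABLE_FILTER_URL`, and let the option add only `CPPFLAGS+= -DDISABLE_FILTER_URL`. The php70, php71 and php72 hunks repeat this block and share the same points.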
--- lang/php70/files/disable-filter-url70.patch.orig
+++ lang/php70/files/disable-filter-url70.patch
@@ -0,0 +1,26 @@
+$NetBSD$
+
+Disable dangerous php://filter URL
+
+--- ./ext/standard/php_fopen_wrapper.c.orig
++++ ./ext/standard/php_fopen_wrapper.c
+@@ -345,8 +345,9 @@
+ 				"Error duping file descriptor " ZEND_LONG_FMT "; possibly it doesn't exist: "
+ 				"[%d]: %s", fildes_ori, errno, strerror(errno));
+ 			return NULL;
+ 		}
++#ifdef ENABLE_FILTER_URL
+ 	} else if (!strncasecmp(path, "filter/", 7)) {
+ 		/* Save time/memory when chain isn't specified */
+ 		if (strchr(mode, 'r') || strchr(mode, '+')) {
+ 			mode_rw |= PHP_STREAM_FILTER_READ;
+@@ -382,8 +383,9 @@
+ 		}
+ 		efree(pathdup);
+ 
+ 		return stream;
++#endif /* ENABLE_FILTER_URL */
+ 	} else {
+ 		/* invalid php://thingy */
+ 		php_error_docref(NULL, E_WARNING, "Invalid php:// URL specified");
+ 		return NULL;
--- lang/php70/Makefile.php.orig
+++ lang/php70/Makefile.php
@@ -44,9 +44,9 @@
 CONFIGURE_ARGS+=	--with-libxml-dir=${PREFIX}
 .include "../../textproc/libxml2/buildlink3.mk"
 
 PKG_OPTIONS_VAR=	PKG_OPTIONS.${PHP_PKG_PREFIX}
-PKG_SUPPORTED_OPTIONS+=	inet6 ssl maintainer-zts readline
+PKG_SUPPORTED_OPTIONS+=	inet6 ssl maintainer-zts readline disable-filter-url
 PKG_SUGGESTED_OPTIONS+=	inet6 ssl readline
 
 .if ${OPSYS} == "SunOS" || ${OPSYS} == "Darwin" || ${OPSYS} == "FreeBSD"
 PKG_SUPPORTED_OPTIONS+=	dtrace
@@ -91,6 +91,13 @@
 # See https://bugs.php.net/bug.php?id=61268
 INSTALL_MAKE_FLAGS+=	-r
 .endif
 
+.if !empty(PKG_OPTIONS:Mdisable-filter-url)
+USE_TOOLS+=		patch
+FILTER_URL_PATCH=	../../lang/php70/files/disable-filter-url70.patch
+post-patch:
+	${PATCH} -d ${WRKSRC} --forward --quiet  < ${FILTER_URL_PATCH}
+.endif
+
 DL_AUTO_VARS=		yes
 .include "../../mk/dlopen.buildlink3.mk"
--- lang/php71/files/disable-filter-url71.patch.orig
+++ lang/php71/files/disable-filter-url71.patch
@@ -0,0 +1,26 @@
+$NetBSD$
+
+Disable dangerous php://filter URL
+
+--- ./ext/standard/php_fopen_wrapper.c.orig
++++ ./ext/standard/php_fopen_wrapper.c
+@@ -345,8 +345,9 @@
+ 				"Error duping file descriptor " ZEND_LONG_FMT "; possibly it doesn't exist: "
+ 				"[%d]: %s", fildes_ori, errno, strerror(errno));
+ 			return NULL;
+ 		}
++#ifdef ENABLE_FILTER_URL
+ 	} else if (!strncasecmp(path, "filter/", 7)) {
+ 		/* Save time/memory when chain isn't specified */
+ 		if (strchr(mode, 'r') || strchr(mode, '+')) {
+ 			mode_rw |= PHP_STREAM_FILTER_READ;
+@@ -382,8 +383,9 @@
+ 		}
+ 		efree(pathdup);
+ 
+ 		return stream;
++#endif /* ENABLE_FILTER_URL */
+ 	} else {
+ 		/* invalid php://thingy */
+ 		php_error_docref(NULL, E_WARNING, "Invalid php:// URL specified");
+ 		return NULL;
--- lang/php71/Makefile.php.orig
+++ lang/php71/Makefile.php
@@ -44,9 +44,9 @@
 CONFIGURE_ARGS+=	--with-libxml-dir=${PREFIX}
 .include "../../textproc/libxml2/buildlink3.mk"
 
 PKG_OPTIONS_VAR=	PKG_OPTIONS.${PHP_PKG_PREFIX}
-PKG_SUPPORTED_OPTIONS+=	inet6 ssl maintainer-zts readline
+PKG_SUPPORTED_OPTIONS+=	inet6 ssl maintainer-zts readline disable-filter-url
 PKG_SUGGESTED_OPTIONS+=	inet6 ssl readline
 
 .if ${OPSYS} == "SunOS" || ${OPSYS} == "Darwin" || ${OPSYS} == "FreeBSD"
 PKG_SUPPORTED_OPTIONS+=	dtrace
@@ -91,6 +91,13 @@
 # See https://bugs.php.net/bug.php?id=61268
 INSTALL_MAKE_FLAGS+=	-r
 .endif
 
+.if !empty(PKG_OPTIONS:Mdisable-filter-url)
+USE_TOOLS+=		patch
+FILTER_URL_PATCH=	../../lang/php71/files/disable-filter-url71.patch
+post-patch:
+	${PATCH} -d ${WRKSRC} --forward --quiet  < ${FILTER_URL_PATCH}
+.endif
+
 DL_AUTO_VARS=		yes
 .include "../../mk/dlopen.buildlink3.mk"
--- lang/php72/files/disable-filter-url72.patch.orig
+++ lang/php72/files/disable-filter-url72.patch
@@ -0,0 +1,26 @@
+$NetBSD$
+
+Disable dangerous php://filter URL
+
+--- ./ext/standard/php_fopen_wrapper.c.orig
++++ ./ext/standard/php_fopen_wrapper.c
+@@ -345,8 +345,9 @@
+ 				"Error duping file descriptor " ZEND_LONG_FMT "; possibly it doesn't exist: "
+ 				"[%d]: %s", fildes_ori, errno, strerror(errno));
+ 			return NULL;
+ 		}
++#ifdef ENABLE_FILTER_URL
+ 	} else if (!strncasecmp(path, "filter/", 7)) {
+ 		/* Save time/memory when chain isn't specified */
+ 		if (strchr(mode, 'r') || strchr(mode, '+')) {
+ 			mode_rw |= PHP_STREAM_FILTER_READ;
+@@ -382,8 +383,9 @@
+ 		}
+ 		efree(pathdup);
+ 
+ 		return stream;
++#endif /* ENABLE_FILTER_URL */
+ 	} else {
+ 		/* invalid php://thingy */
+ 		php_error_docref(NULL, E_WARNING, "Invalid php:// URL specified");
+ 		return NULL;
--- lang/php72/Makefile.php.orig
+++ lang/php72/Makefile.php
@@ -50,8 +50,9 @@
 CONFIGURE_ARGS+=	--with-pcre-regex=${BUILDLINK_PREFIX.pcre}
 
 PKG_OPTIONS_VAR=	PKG_OPTIONS.${PHP_PKG_PREFIX}
 PKG_SUPPORTED_OPTIONS+=	inet6 ssl maintainer-zts readline argon2 sqlite3
+PKG_SUPPORTED_OPTIONS+=	disable-filter-url
 PKG_SUGGESTED_OPTIONS+=	inet6 ssl readline sqlite3
 
 .if ${OPSYS} == "SunOS" || ${OPSYS} == "Darwin" || ${OPSYS} == "FreeBSD"
 PKG_SUPPORTED_OPTIONS+=	dtrace
@@ -108,6 +109,13 @@
 .else
 CONFIGURE_ARGS+=    --without-sqlite3
 .endif
 
+.if !empty(PKG_OPTIONS:Mdisable-filter-url)
+USE_TOOLS+=		patch
+FILTER_URL_PATCH=	../../lang/php72/files/disable-filter-url72.patch
+post-patch:
+	${PATCH} -d ${WRKSRC} --forward --quiet  < ${FILTER_URL_PATCH}
+.endif
+
 DL_AUTO_VARS=		yes
 .include "../../mk/dlopen.buildlink3.mk"

