Newsgroups: php.internals
Message-ID: <46B129BE.3050807@zend.com>
Date: Wed, 01 Aug 2007 17:47:58 -0700
To: 'PHP Internals'
Subject: ini system patch
From: stas@zend.com (Stanislav Malyshev)

Hi!

The attached patch implements the following improvement in Apache module configuration handling:

A new INI stage is introduced - ZEND_INI_STAGE_HTACCESS - and values set in .htaccess are passed to handlers with ZEND_INI_STAGE_HTACCESS instead of ZEND_INI_STAGE_ACTIVATE.

The reason for this is that there are values - one of them being session.save_handler - that we want to allow the administrator to set to arbitrary values, even ones not inside open_basedir/safe_mode restrictions, while we do want user-set values to be inside limits. The problem was that right now there's no way to see if the value is set from httpd.conf (admin) or from .htaccess (frequently user-accessible and user-writable). This patch makes it possible to make such a distinction.

I don't see any modules depending on ZEND_INI_STAGE_ACTIVATE, but if there are any, they can easily be fixed to work with ZEND_INI_STAGE_HTACCESS too.

The attached patch is for the apache2 SAPI only, but the same one would be needed for the apache1 API.

This patch will allow a proper fix for CVE-2007-3378 (the current one breaks BC).

Comments/objections?

--
Stanislav Malyshev, Zend Software Architect
stas@zend.com http://www.zend.com/
(408)253-8829 MSN: stas@zend.com

Content-Disposition: inline; filename="htaccess.diff"

Index: Zend/zend_ini.h =================================================================== RCS file: /repository/ZendEngine2/zend_ini.h,v retrieving revision 1.34.2.1.2.3 diff -u -r1.34.2.1.2.3 zend_ini.h --- Zend/zend_ini.h 1 Jan 2007 09:35:46 -0000 1.34.2.1.2.3 +++ Zend/zend_ini.h 2 Aug 2007 00:40:52 -0000 
@@ -189,6 +189,7 @@ #define ZEND_INI_STAGE_ACTIVATE (1<<2) #define ZEND_INI_STAGE_DEACTIVATE (1<<3) #define ZEND_INI_STAGE_RUNTIME (1<<4) +#define ZEND_INI_STAGE_HTACCESS (1<<5) /* INI parsing engine */ typedef void (*zend_ini_parser_cb_t)(zval *arg1, zval *arg2, int callback_type, void *arg); Index: sapi/apache2handler/apache_config.c =================================================================== RCS file: /repository/php-src/sapi/apache2handler/apache_config.c,v retrieving revision 1.7.2.1.2.2 diff -u -r1.7.2.1.2.2 apache_config.c --- sapi/apache2handler/apache_config.c 1 Jan 2007 09:36:12 -0000 1.7.2.1.2.2 +++ sapi/apache2handler/apache_config.c 2 Aug 2007 00:40:52 -0000 @@ -51,6 +51,7 @@ char *value; size_t value_len; char status; + char htaccess; } php_dir_entry; static const char *real_value_hnd(cmd_parms *cmd, void *dummy, const char *name, const char *value, int status) @@ -67,7 +68,8 @@ e.value = apr_pstrdup(cmd->pool, value); e.value_len = strlen(value); e.status = status; - + e.htaccess = ((cmd->override & (RSRC_CONF|ACCESS_CONF)) == 0); + zend_hash_update(&d->config, (char *) name, strlen(name) + 1, &e, sizeof(e), NULL); return NULL; } @@ -170,7 +172,7 @@ zend_hash_move_forward(&d->config)) { zend_hash_get_current_data(&d->config, (void **) &data); phpapdebug((stderr, "APPLYING (%s)(%s)\n", str, data->value)); - if (zend_alter_ini_entry(str, str_len, data->value, data->value_len, data->status, PHP_INI_STAGE_ACTIVATE) == FAILURE) { + if (zend_alter_ini_entry(str, str_len, data->value, data->value_len, data->status, data->htaccess?ZEND_INI_STAGE_HTACCESS:PHP_INI_STAGE_ACTIVATE) == FAILURE) { phpapdebug((stderr, "..FAILED\n")); } } --------------050803080207080401020805--
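Review bot: The new `#define ZEND_INI_STAGE_HTACCESS (1<<5)` in Zend/zend_ini.h carries no comment saying what the stage means, and it is the only stage whose name refers to one SAPI's configuration mechanism. A one-line comment that it marks values coming from per-directory, user-writable configuration would tell handler authors that this is the bit to treat as untrusted, alongside ZEND_INI_STAGE_RUNTIME.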
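Review bot: In real_value_hnd, `e.htaccess = ((cmd->override & (RSRC_CONF|ACCESS_CONF)) == 0);` infers the origin of the value from the override mask, and the direction of failure matters: whenever the expression evaluates to 0, the entry is later applied with the ACTIVATE stage, which handlers are meant to treat as administrator-set. Please add a comment stating why the absence of both bits identifies .htaccess, and confirm that no user-writable context reaches this function with either bit set, since that case would be trusted silently.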
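Review bot: The ternary in the zend_alter_ini_entry call, `data->htaccess?ZEND_INI_STAGE_HTACCESS:PHP_INI_STAGE_ACTIVATE`, mixes the ZEND_ and PHP_ constant prefixes and has no spaces around `?` and `:`. Use one prefix for both arms (the surrounding code uses PHP_INI_STAGE_ACTIVATE, so a matching PHP_ name for the new stage would fit) and space the operators. Any handler that tests the stage for equality with ACTIVATE will also stop matching for .htaccess values after this change, which is worth stating in the commit message.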
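The handler side of the distinction described in the message, as an added example that is not part of the original post or of PHP's source: a path-valued setting is checked against a base directory only when the stage marks it as user-set. The functions `stage_for_entry`, `inside_basedir` and `on_update_path_setting` and the sample paths are hypothetical; the stage constants use the values shown in the patch.

```c
#include <stdio.h>
#include <string.h>

/* Stage bits with the values shown in the patch to Zend/zend_ini.h. */
#define ZEND_INI_STAGE_ACTIVATE (1<<2)
#define ZEND_INI_STAGE_RUNTIME  (1<<4)
#define ZEND_INI_STAGE_HTACCESS (1<<5)

/* Stage selection modelled on the patched apache_config.c call. */
static int stage_for_entry(int htaccess)
{
    return htaccess ? ZEND_INI_STAGE_HTACCESS : ZEND_INI_STAGE_ACTIVATE;
}

/* Hypothetical stand-in for an open_basedir test on absolute paths: the value
 * must equal basedir or lie below it. Any ".." is refused outright here; real
 * code would canonicalise the path first. */
static int inside_basedir(const char *path, const char *basedir)
{
    size_t n = strlen(basedir);
    while (n > 1 && basedir[n - 1] == '/') n--;      /* drop trailing slashes */
    if (strstr(path, "..") != NULL) return 0;
    if (strncmp(path, basedir, n) != 0) return 0;
    /* Match only on a component boundary: /home/alice must not admit /home/alice2. */
    return basedir[n - 1] == '/' || path[n] == '\0' || path[n] == '/';
}

/* Hypothetical handler for a path-valued setting. Returns 0 to accept, -1 to reject. */
static int on_update_path_setting(const char *value, int stage, const char *open_basedir)
{
    /* .htaccess and runtime values are user-controlled; httpd.conf values
     * arrive with ZEND_INI_STAGE_ACTIVATE and are trusted as the admin's. */
    int user_set = stage & (ZEND_INI_STAGE_RUNTIME | ZEND_INI_STAGE_HTACCESS);
    if (user_set && open_basedir && !inside_basedir(value, open_basedir))
        return -1;
    return 0;
}

int main(void)
{
    const char *basedir = "/home/alice";             /* constructed sample values */
    const char *value = "/var/lib/php/sessions";
    printf("httpd.conf: %d\n", on_update_path_setting(value, stage_for_entry(0), basedir));
    printf(".htaccess:  %d\n", on_update_path_setting(value, stage_for_entry(1), basedir));
    return 0;
}
```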