File php-5.2.14-CVE-2011-1469.patch of Package php-5.2.17

File php-5.2.14-CVE-2011-1469.patch of Package php-5.2.17 (Revision 19)

Currently displaying revision 19, show latest

Index: ext/standard/ftp_fopen_wrapper.c
===================================================================
--- ext/standard/ftp_fopen_wrapper.c.orig
+++ ext/standard/ftp_fopen_wrapper.c
@@ -72,6 +72,12 @@
 #define FTPS_ENCRYPT_DATA 1
 #define GET_FTP_RESULT(stream)	get_ftp_result((stream), tmp_line, sizeof(tmp_line) TSRMLS_CC)
 
+typedef struct _php_ftp_dirstream_data {
+	php_stream *datastream;
+	php_stream *controlstream;
+	php_stream *dirstream;
+} php_ftp_dirstream_data;
+
 /* {{{ get_ftp_result
  */
 static inline int get_ftp_result(php_stream *stream, char *buffer, size_t buffer_size TSRMLS_DC)
@@ -97,14 +103,28 @@ static int php_stream_ftp_stream_stat(ph
  */
 static int php_stream_ftp_stream_close(php_stream_wrapper *wrapper, php_stream *stream TSRMLS_DC)
 {
-	php_stream *controlstream = (php_stream *)stream->wrapperdata;
+	php_stream *controlstream = stream->wrapperthis;
+	int ret = 0;
 	
 	if (controlstream) {
+		if (strpbrk(stream->mode, "wa+")) {
+			char tmp_line[512];
+			int result;
+
+			/* For write modes close data stream first to signal EOF to server */
+			result = GET_FTP_RESULT(controlstream);
+			if (result != 226 && result != 250) {
+				php_error_docref(NULL TSRMLS_CC, E_WARNING, "FTP server error %d:%s", result, tmp_line);
+				ret = EOF;
+			}
+		}
+
 		php_stream_write_string(controlstream, "QUIT\r\n");
 		php_stream_close(controlstream);
-		stream->wrapperdata = NULL;
+		stream->wrapperthis = NULL;
 	}
-	return 0;
+
+	return ret;
 }
 /* }}} */
 
@@ -564,7 +584,7 @@ php_stream * php_stream_url_wrap_ftp(php
 	}
 
 	/* remember control stream */	
-	datastream->wrapperdata = (zval *)stream;
+	datastream->wrapperthis = stream;
 
 	php_url_free(resource);
 	return datastream;
@@ -588,11 +608,13 @@ errexit:
 static size_t php_ftp_dirstream_read(php_stream *stream, char *buf, size_t count TSRMLS_DC)
 {
 	php_stream_dirent *ent = (php_stream_dirent *)buf;
-	php_stream *innerstream = (php_stream *)stream->abstract;
+	php_stream *innerstream;
 	size_t tmp_len;
 	char *basename;
 	size_t basename_len;
 
+	innerstream =  ((php_ftp_dirstream_data *)stream->abstract)->datastream;
+
 	if (count != sizeof(php_stream_dirent)) {
 		return 0;
 	}
@@ -636,13 +658,18 @@ static size_t php_ftp_dirstream_read(php
  */
 static int php_ftp_dirstream_close(php_stream *stream, int close_handle TSRMLS_DC)
 {
-	php_stream *innerstream = (php_stream *)stream->abstract;
+	php_ftp_dirstream_data *data = stream->abstract;
 
-	if (innerstream->wrapperdata) {
-		php_stream_close((php_stream *)innerstream->wrapperdata);
-		innerstream->wrapperdata = NULL;
-	}
-	php_stream_close((php_stream *)stream->abstract);
+	/* close control connection */
+	if (data->controlstream) {
+		php_stream_close(data->controlstream);
+		data->controlstream = NULL;
+	}
+	/* close data connection */
+	php_stream_close(data->datastream);
+	data->datastream = NULL;
+	
+	efree(data);
 	stream->abstract = NULL;
 
 	return 0;
@@ -668,6 +695,7 @@ static php_stream_ops php_ftp_dirstream_
 php_stream * php_stream_ftp_opendir(php_stream_wrapper *wrapper, char *path, char *mode, int options, char **opened_path, php_stream_context *context STREAMS_DC TSRMLS_DC)
 {
 	php_stream *stream, *reuseid, *datastream = NULL;
+	php_ftp_dirstream_data *dirsdata;
 	php_url *resource = NULL;
 	int result = 0, use_ssl, use_ssl_on_data = 0;
 	char *hoststart = NULL, tmp_line[512];
@@ -727,11 +755,14 @@ php_stream * php_stream_ftp_opendir(php_
 		goto opendir_errexit;
 	}
 
-	/* remember control stream */	
-	datastream->wrapperdata = (zval *)stream;
-
 	php_url_free(resource);
-	return php_stream_alloc(&php_ftp_dirstream_ops, datastream, 0, mode);
+
+	dirsdata = emalloc(sizeof *dirsdata);
+	dirsdata->datastream = datastream;
+	dirsdata->controlstream = stream;
+	dirsdata->dirstream = php_stream_alloc(&php_ftp_dirstream_ops, dirsdata, 0, mode);
+
+	return dirsdata->dirstream;
 
 opendir_errexit:
 	if (resource) {