Merge remote-tracking branch 'origin/PHP-5.6' into str_size_and_int64_56_backport

* origin/PHP-5.6: fixed macro add clear_env option to FPM config Make sure value is initialized We can't dereference dbh if it is NULL
12 years ago · 94cfa3a120
7 changed files with 24 additions and 4 deletions
--- a/TSRM/tsrm_config_common.h
+++ b/TSRM/tsrm_config_common.h
@ -2,7 +2,7 @@
 #define TSRM_CONFIG_COMMON_H

 #ifndef __CYGWIN__
-# if WINNT|WIN32
+# ifdef _WIN32
 #  define TSRM_WIN32
 # endif
 #endif
--- a/Zend/zend_highlight.c
+++ b/Zend/zend_highlight.c
@ -57,7 +57,7 @@ ZEND_API void zend_html_putc(char c)
 ZEND_API void zend_html_puts(const char *s, zend_size_t len TSRMLS_DC)
 {
 	const unsigned char *ptr = (const unsigned char*)s, *end = ptr + len;
-	unsigned char *filtered;
+	unsigned char *filtered = NULL;
 	size_t filtered_len;

 	if (LANG_SCNG(output_filter)) {
--- a/ext/pdo_mysql/pdo_mysql.c
+++ b/ext/pdo_mysql/pdo_mysql.c
@ -64,7 +64,12 @@ static MYSQLND * pdo_mysql_convert_zv_to_mysqlnd(zval * zv TSRMLS_DC)
 	if (Z_TYPE_P(zv) == IS_OBJECT && instanceof_function(Z_OBJCE_P(zv), php_pdo_get_dbh_ce() TSRMLS_CC)) {
 		pdo_dbh_t * dbh = zend_object_store_get_object(zv TSRMLS_CC);

-		if (!dbh || dbh->driver != &pdo_mysql_driver) {
+		if (!dbh) {
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to retrieve handle from object store");
+			return NULL;
+		}
+
+		if (dbh->driver != &pdo_mysql_driver) {
 			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Provided PDO instance is not using MySQL but %s", dbh->driver->driver_name);
 			return NULL;
 		}
--- a/sapi/fpm/fpm/fpm_conf.c
+++ b/sapi/fpm/fpm/fpm_conf.c
@ -148,6 +148,7 @@ static struct ini_value_parser_s ini_fpm_pool_options[] = {
 	{ "chroot",                    &fpm_conf_set_string,      WPO(chroot) },
 	{ "chdir",                     &fpm_conf_set_string,      WPO(chdir) },
 	{ "catch_workers_output",      &fpm_conf_set_boolean,     WPO(catch_workers_output) },
+	{ "clear_env",                 &fpm_conf_set_boolean,     WPO(clear_env) },
 	{ "security.limit_extensions", &fpm_conf_set_string,      WPO(security_limit_extensions) },
 #ifdef HAVE_APPARMOR
 	{ "apparmor_hat",              &fpm_conf_set_string,      WPO(apparmor_hat) },
@ -606,6 +607,7 @@ static void *fpm_worker_pool_config_alloc() /* {{{ */
 	wp->config->listen_backlog = FPM_BACKLOG_DEFAULT;
 	wp->config->pm_process_idle_timeout = 10; /* 10s by default */
 	wp->config->process_priority = 64; /* 64 means unset */
+	wp->config->clear_env = 1;

 	if (!fpm_worker_all_pools) {
 		fpm_worker_all_pools = wp;
@ -1606,6 +1608,7 @@ static void fpm_conf_dump() /* {{{ */
 		zlog(ZLOG_NOTICE, "\tchroot = %s",                     STR2STR(wp->config->chroot));
 		zlog(ZLOG_NOTICE, "\tchdir = %s",                      STR2STR(wp->config->chdir));
 		zlog(ZLOG_NOTICE, "\tcatch_workers_output = %s",       BOOL2STR(wp->config->catch_workers_output));
+		zlog(ZLOG_NOTICE, "\tclear_env = %s",                  BOOL2STR(wp->config->clear_env));
 		zlog(ZLOG_NOTICE, "\tsecurity.limit_extensions = %s",  wp->config->security_limit_extensions);

 		for (kv = wp->config->env; kv; kv = kv->next) {
--- a/sapi/fpm/fpm/fpm_conf.h
+++ b/sapi/fpm/fpm/fpm_conf.h
@ -83,6 +83,7 @@ struct fpm_worker_pool_config_s {
 	char *chroot;
 	char *chdir;
 	int catch_workers_output;
+	int clear_env;
 	char *security_limit_extensions;
 	struct key_value_s *env;
 	struct key_value_s *php_admin_values;
--- a/sapi/fpm/fpm/fpm_env.c
+++ b/sapi/fpm/fpm/fpm_env.c
@ -143,7 +143,9 @@ int fpm_env_init_child(struct fpm_worker_pool_s *wp) /* {{{ */
 	fpm_env_setproctitle(title);
 	efree(title);

-	clearenv();
+	if (wp->config->clear_env) {
+		clearenv();
+	}

 	for (kv = wp->config->env; kv; kv = kv->next) {
 		setenv(kv->key, kv->value, 1);
--- a/sapi/fpm/php-fpm.conf.in
+++ b/sapi/fpm/php-fpm.conf.in
@ -475,6 +475,15 @@ pm.max_spare_servers = 3
 ; Default Value: no
 ;catch_workers_output = yes

+; Clear environment in FPM workers
+; Prevents arbitrary environment variables from reaching FPM worker processes
+; by clearing the environment in workers before env vars specified in this
+; pool configuration are added.
+; Setting to "no" will make all environment variables available to PHP code
+; via getenv(), $_ENV and $_SERVER.
+; Default Value: yes
+;clear_env = no
+
 ; Limits the extensions of the main script FPM will allow to parse. This can
 ; prevent configuration mistakes on the web server side. You should only limit
 ; FPM to .php extensions to prevent malicious users to use other extensions to