diff --git a/php-bug68428.patch b/php-bug68428.patch new file mode 100644 index 0000000..434ec20 --- /dev/null +++ b/php-bug68428.patch @@ -0,0 +1,120 @@ +From 3a8103ae4738824ebb27a9a739e253740580ed36 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Mon, 17 Nov 2014 09:22:13 +0100 +Subject: [PATCH] Fixed bug #68428 allowed_client is IPv4 only + +--- + sapi/fpm/fpm/fastcgi.c | 72 +++++++++++++++++++++++++++++++++++--------------- + 1 file changed, 50 insertions(+), 22 deletions(-) + +diff --git a/sapi/fpm/fpm/fastcgi.c b/sapi/fpm/fpm/fastcgi.c +index d1db0ec..36e37b7 100644 +--- a/sapi/fpm/fpm/fastcgi.c ++++ b/sapi/fpm/fpm/fastcgi.c +@@ -144,7 +144,7 @@ static HashTable fcgi_mgmt_vars; + + static int is_initialized = 0; + static int in_shutdown = 0; +-static in_addr_t *allowed_clients = NULL; ++static sa_t *allowed_clients = NULL; + + static sa_t client_sa; + +@@ -267,14 +267,18 @@ void fcgi_set_allowed_clients(char *ip) + *end = 0; + end++; + } +- allowed_clients[n] = inet_addr(cur); +- if (allowed_clients[n] == INADDR_NONE) { ++ if (inet_pton(AF_INET, cur, &allowed_clients[n].sa_inet.sin_addr)>0) { ++ allowed_clients[n].sa.sa_family = AF_INET; ++ n++; ++ } else if (inet_pton(AF_INET6, cur, &allowed_clients[n].sa_inet6.sin6_addr)>0) { ++ allowed_clients[n].sa.sa_family = AF_INET6; ++ n++; ++ } else { + zlog(ZLOG_ERROR, "Wrong IP address '%s' in listen.allowed_clients", cur); + } +- n++; + cur = end; + } +- allowed_clients[n] = INADDR_NONE; ++ allowed_clients[n].sa.sa_family = 0; + free(ip); + } + } +@@ -760,6 +764,43 @@ void fcgi_close(fcgi_request *req, int force, int destroy) + } + } + ++static int fcgi_is_allowed() { ++ int i; ++ ++ if (client_sa.sa.sa_family == AF_UNIX) { ++ return 1; ++ } ++ if (!allowed_clients) { ++ return 1; ++ } ++ if (client_sa.sa.sa_family == AF_INET) { ++ for (i=0 ; allowed_clients[i].sa.sa_family ; i++) { ++ if (allowed_clients[i].sa.sa_family == AF_INET ++ && !memcmp(&client_sa.sa_inet.sin_addr, &allowed_clients[i].sa_inet.sin_addr, 4)) { ++ return 1; ++ } ++ } ++ } ++ if (client_sa.sa.sa_family == AF_INET6) { ++ for (i=0 ; allowed_clients[i].sa.sa_family ; i++) { ++ if (allowed_clients[i].sa.sa_family == AF_INET6 ++ && !memcmp(&client_sa.sa_inet6.sin6_addr, &allowed_clients[i].sa_inet6.sin6_addr, 12)) { ++ return 1; ++ } ++#ifdef IN6_IS_ADDR_V4MAPPED ++ if (allowed_clients[i].sa.sa_family == AF_INET ++ && IN6_IS_ADDR_V4MAPPED(&client_sa.sa_inet6.sin6_addr) ++ && !memcmp(((char *)&client_sa.sa_inet6.sin6_addr)+12, &allowed_clients[i].sa_inet.sin_addr, 4)) { ++ return 1; ++ } ++#endif ++ } ++ } ++ ++ zlog(ZLOG_ERROR, "Connection disallowed: IP address '%s' has been dropped.", fcgi_get_last_client_ip()); ++ return 0; ++} ++ + int fcgi_accept_request(fcgi_request *req) + { + #ifdef _WIN32 +@@ -810,23 +851,10 @@ int fcgi_accept_request(fcgi_request *req) + FCGI_UNLOCK(req->listen_socket); + + client_sa = sa; +- if (sa.sa.sa_family == AF_INET && req->fd >= 0 && allowed_clients) { +- int n = 0; +- int allowed = 0; +- +- while (allowed_clients[n] != INADDR_NONE) { +- if (allowed_clients[n] == sa.sa_inet.sin_addr.s_addr) { +- allowed = 1; +- break; +- } +- n++; +- } +- if (!allowed) { +- zlog(ZLOG_ERROR, "Connection disallowed: IP address '%s' has been dropped.", inet_ntoa(sa.sa_inet.sin_addr)); +- closesocket(req->fd); +- req->fd = -1; +- continue; +- } ++ if (req->fd >= 0 && !fcgi_is_allowed()) { ++ closesocket(req->fd); ++ req->fd = -1; ++ continue; + } + } + +-- +2.1.0 + diff --git a/php-fpm-www.conf b/php-fpm-www.conf index 97dd746..9f6dfe8 100644 --- a/php-fpm-www.conf +++ b/php-fpm-www.conf @@ -50,7 +50,7 @@ listen = 127.0.0.1:9000 ;listen.group = nobody ;listen.mode = 0660 -; List of ipv4 addresses of FastCGI clients which are allowed to connect. +; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect. ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original ; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address ; must be separated by a comma. If this value is left blank, connections will be diff --git a/php.spec b/php.spec index c678a4a..b0ea24c 100644 --- a/php.spec +++ b/php.spec @@ -62,7 +62,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: 5.6.3 -Release: 3%{?dist} +Release: 4%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -117,6 +117,7 @@ Patch47: php-5.6.3-phpinfo.patch Patch101: php-bug68423.patch Patch102: php-bug68421.patch Patch103: php-bug68420.patch +Patch104: php-bug68428.patch # Security fixes (200+) @@ -722,6 +723,7 @@ httpd -V | grep -q 'threaded:.*yes' && exit 1 %patch101 -p1 -b .bug68423 %patch102 -p1 -b .bug68421 %patch103 -p1 -b .bug68420 +%patch104 -p1 -b .bug68428 # security patches @@ -1482,6 +1484,10 @@ rm -f README.{Zeus,QNX,CVS-RULES} %changelog +* Mon Nov 17 2014 Remi Collet 5.6.3-4 +- FPM: add upstream patch for https://bugs.php.net/68428 + listen.allowed_clients is IPv4 only + * Mon Nov 17 2014 Remi Collet 5.6.3-3 - sync php-fpm configuration with upstream - refresh upstream patch for 68421