rpms/php
7
0
Fork 0
Code Issues Pull Requests Releases Activity

FPM: add upstream patch for https://bugs.php.net/68428 listen.allowed_clients is IPv4 only

Browse Source
This commit is contained in:
Remi Collet 2014-11-17 09:48:55 +01:00
parent e363175e30
commit e006dc9375
3 changed files with 128 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

120
php-bug68428.patch Normal file
View File

@ -0,0 +1,120 @@
From 3a8103ae4738824ebb27a9a739e253740580ed36 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@php.net>
Date: Mon, 17 Nov 2014 09:22:13 +0100
Subject: [PATCH] Fixed bug #68428 allowed_client is IPv4 only
---
sapi/fpm/fpm/fastcgi.c | 72 +++++++++++++++++++++++++++++++++++---------------
1 file changed, 50 insertions(+), 22 deletions(-)
diff --git a/sapi/fpm/fpm/fastcgi.c b/sapi/fpm/fpm/fastcgi.c
index d1db0ec..36e37b7 100644
--- a/sapi/fpm/fpm/fastcgi.c
+++ b/sapi/fpm/fpm/fastcgi.c
@@ -144,7 +144,7 @@ static HashTable fcgi_mgmt_vars;
static int is_initialized = 0;
static int in_shutdown = 0;
-static in_addr_t *allowed_clients = NULL;
+static sa_t *allowed_clients = NULL;
static sa_t client_sa;
@@ -267,14 +267,18 @@ void fcgi_set_allowed_clients(char *ip)
*end = 0;
end++;
}
- allowed_clients[n] = inet_addr(cur);
- if (allowed_clients[n] == INADDR_NONE) {
+ if (inet_pton(AF_INET, cur, &allowed_clients[n].sa_inet.sin_addr)>0) {
+ allowed_clients[n].sa.sa_family = AF_INET;
+ n++;
+ } else if (inet_pton(AF_INET6, cur, &allowed_clients[n].sa_inet6.sin6_addr)>0) {
+ allowed_clients[n].sa.sa_family = AF_INET6;
+ n++;
+ } else {
zlog(ZLOG_ERROR, "Wrong IP address '%s' in listen.allowed_clients", cur);
}
- n++;
cur = end;
}
- allowed_clients[n] = INADDR_NONE;
+ allowed_clients[n].sa.sa_family = 0;
free(ip);
}
}
@@ -760,6 +764,43 @@ void fcgi_close(fcgi_request *req, int force, int destroy)
}
}
+static int fcgi_is_allowed() {
+ int i;
+
+ if (client_sa.sa.sa_family == AF_UNIX) {
+ return 1;
+ }
+ if (!allowed_clients) {
+ return 1;
+ }
+ if (client_sa.sa.sa_family == AF_INET) {
+ for (i=0 ; allowed_clients[i].sa.sa_family ; i++) {
+ if (allowed_clients[i].sa.sa_family == AF_INET
+ && !memcmp(&client_sa.sa_inet.sin_addr, &allowed_clients[i].sa_inet.sin_addr, 4)) {
+ return 1;
+ }
+ }
+ }
+ if (client_sa.sa.sa_family == AF_INET6) {
+ for (i=0 ; allowed_clients[i].sa.sa_family ; i++) {
+ if (allowed_clients[i].sa.sa_family == AF_INET6
+ && !memcmp(&client_sa.sa_inet6.sin6_addr, &allowed_clients[i].sa_inet6.sin6_addr, 12)) {
+ return 1;
+ }
+#ifdef IN6_IS_ADDR_V4MAPPED
+ if (allowed_clients[i].sa.sa_family == AF_INET
+ && IN6_IS_ADDR_V4MAPPED(&client_sa.sa_inet6.sin6_addr)
+ && !memcmp(((char *)&client_sa.sa_inet6.sin6_addr)+12, &allowed_clients[i].sa_inet.sin_addr, 4)) {
+ return 1;
+ }
+#endif
+ }
+ }
+
+ zlog(ZLOG_ERROR, "Connection disallowed: IP address '%s' has been dropped.", fcgi_get_last_client_ip());
+ return 0;
+}
+
int fcgi_accept_request(fcgi_request *req)
{
#ifdef _WIN32
@@ -810,23 +851,10 @@ int fcgi_accept_request(fcgi_request *req)
FCGI_UNLOCK(req->listen_socket);
client_sa = sa;
- if (sa.sa.sa_family == AF_INET && req->fd >= 0 && allowed_clients) {
- int n = 0;
- int allowed = 0;
-
- while (allowed_clients[n] != INADDR_NONE) {
- if (allowed_clients[n] == sa.sa_inet.sin_addr.s_addr) {
- allowed = 1;
- break;
- }
- n++;
- }
- if (!allowed) {
- zlog(ZLOG_ERROR, "Connection disallowed: IP address '%s' has been dropped.", inet_ntoa(sa.sa_inet.sin_addr));
- closesocket(req->fd);
- req->fd = -1;
- continue;
- }
+ if (req->fd >= 0 && !fcgi_is_allowed()) {
+ closesocket(req->fd);
+ req->fd = -1;
+ continue;
}
}
--
2.1.0

2
php-fpm-www.conf
View File

@ -50,7 +50,7 @@ listen = 127.0.0.1:9000
;listen.group = nobody ;listen.group = nobody
;listen.mode = 0660 ;listen.mode = 0660
; List of ipv4 addresses of FastCGI clients which are allowed to connect. ; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address ; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be ; must be separated by a comma. If this value is left blank, connections will be

8
php.spec
View File

@ -62,7 +62,7 @@
Summary: PHP scripting language for creating dynamic web sites Summary: PHP scripting language for creating dynamic web sites
Name: php Name: php
Version: 5.6.3 Version: 5.6.3
Release: 3%{?dist} Release: 4%{?dist}
# All files licensed under PHP version 3.01, except # All files licensed under PHP version 3.01, except
# Zend is licensed under Zend # Zend is licensed under Zend
# TSRM is licensed under BSD # TSRM is licensed under BSD
@ -117,6 +117,7 @@ Patch47: php-5.6.3-phpinfo.patch
Patch101: php-bug68423.patch Patch101: php-bug68423.patch
Patch102: php-bug68421.patch Patch102: php-bug68421.patch
Patch103: php-bug68420.patch Patch103: php-bug68420.patch
Patch104: php-bug68428.patch
# Security fixes (200+) # Security fixes (200+)
@ -722,6 +723,7 @@ httpd -V | grep -q 'threaded:.*yes' && exit 1
%patch101 -p1 -b .bug68423 %patch101 -p1 -b .bug68423
%patch102 -p1 -b .bug68421 %patch102 -p1 -b .bug68421
%patch103 -p1 -b .bug68420 %patch103 -p1 -b .bug68420
%patch104 -p1 -b .bug68428
# security patches # security patches
@ -1482,6 +1484,10 @@ rm -f README.{Zeus,QNX,CVS-RULES}
%changelog %changelog
* Mon Nov 17 2014 Remi Collet <remi@fedoraproject.org> 5.6.3-4
- FPM: add upstream patch for https://bugs.php.net/68428
listen.allowed_clients is IPv4 only
* Mon Nov 17 2014 Remi Collet <remi@fedoraproject.org> 5.6.3-3 * Mon Nov 17 2014 Remi Collet <remi@fedoraproject.org> 5.6.3-3
- sync php-fpm configuration with upstream - sync php-fpm configuration with upstream
- refresh upstream patch for 68421 - refresh upstream patch for 68421