FPM: add upstream patch for https://bugs.php.net/68428 listen.allowed_clients is IPv4 only

php-bug68428.patch

@@ -0,0 +1,120 @@
+From 3a8103ae4738824ebb27a9a739e253740580ed36 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Mon, 17 Nov 2014 09:22:13 +0100
+Subject: [PATCH] Fixed bug #68428 allowed_client is IPv4 only
+
+---
+ sapi/fpm/fpm/fastcgi.c | 72 +++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 50 insertions(+), 22 deletions(-)
+
+diff --git a/sapi/fpm/fpm/fastcgi.c b/sapi/fpm/fpm/fastcgi.c
+index d1db0ec..36e37b7 100644
+--- a/sapi/fpm/fpm/fastcgi.c
++++ b/sapi/fpm/fpm/fastcgi.c
+@@ -144,7 +144,7 @@ static HashTable fcgi_mgmt_vars;
+ 
+ static int is_initialized = 0;
+ static int in_shutdown = 0;
+-static in_addr_t *allowed_clients = NULL;
++static sa_t *allowed_clients = NULL;
+ 
+ static sa_t client_sa;
+ 
+@@ -267,14 +267,18 @@ void fcgi_set_allowed_clients(char *ip)
+ 				*end = 0;
+ 				end++;
+ 			}
+-			allowed_clients[n] = inet_addr(cur);
+-			if (allowed_clients[n] == INADDR_NONE) {
++			if (inet_pton(AF_INET, cur, &allowed_clients[n].sa_inet.sin_addr)>0) {
++				allowed_clients[n].sa.sa_family = AF_INET;
++				n++;
++			} else if (inet_pton(AF_INET6, cur, &allowed_clients[n].sa_inet6.sin6_addr)>0) {
++				allowed_clients[n].sa.sa_family = AF_INET6;
++				n++;
++			} else {
+ 				zlog(ZLOG_ERROR, "Wrong IP address '%s' in listen.allowed_clients", cur);
+ 			}
+-			n++;
+ 			cur = end;
+ 		}
+-		allowed_clients[n] = INADDR_NONE;
++		allowed_clients[n].sa.sa_family = 0;
+ 		free(ip);
+ 	}
+ }
+@@ -760,6 +764,43 @@ void fcgi_close(fcgi_request *req, int force, int destroy)
+ 	}
+ }
+ 
++static int fcgi_is_allowed() {
++	int i;
++
++	if (client_sa.sa.sa_family == AF_UNIX) {
++		return 1;
++	}
++	if (!allowed_clients) {
++		return 1;
++	}
++	if (client_sa.sa.sa_family == AF_INET) {
++		for (i=0 ; allowed_clients[i].sa.sa_family ; i++) {
++			if (allowed_clients[i].sa.sa_family == AF_INET
++				&& !memcmp(&client_sa.sa_inet.sin_addr, &allowed_clients[i].sa_inet.sin_addr, 4)) {
++				return 1;
++			}
++		}
++	}
++	if (client_sa.sa.sa_family == AF_INET6) {
++		for (i=0 ; allowed_clients[i].sa.sa_family ; i++) {
++			if (allowed_clients[i].sa.sa_family == AF_INET6
++				&& !memcmp(&client_sa.sa_inet6.sin6_addr, &allowed_clients[i].sa_inet6.sin6_addr, 12)) {
++				return 1;
++			}
++#ifdef IN6_IS_ADDR_V4MAPPED
++			if (allowed_clients[i].sa.sa_family == AF_INET
++			    && IN6_IS_ADDR_V4MAPPED(&client_sa.sa_inet6.sin6_addr)
++				&& !memcmp(((char *)&client_sa.sa_inet6.sin6_addr)+12, &allowed_clients[i].sa_inet.sin_addr, 4)) {
++				return 1;
++			}
++#endif
++		}
++	}
++
++	zlog(ZLOG_ERROR, "Connection disallowed: IP address '%s' has been dropped.", fcgi_get_last_client_ip());
++	return 0;
++}
++
+ int fcgi_accept_request(fcgi_request *req)
+ {
+ #ifdef _WIN32
+@@ -810,23 +851,10 @@ int fcgi_accept_request(fcgi_request *req)
+ 					FCGI_UNLOCK(req->listen_socket);
+ 
+ 					client_sa = sa;
+-					if (sa.sa.sa_family == AF_INET && req->fd >= 0 && allowed_clients) {
+-						int n = 0;
+-						int allowed = 0;
+-
+-						while (allowed_clients[n] != INADDR_NONE) {
+-							if (allowed_clients[n] == sa.sa_inet.sin_addr.s_addr) {
+-								allowed = 1;
+-								break;
+-							}
+-							n++;
+-						}
+-						if (!allowed) {
+-							zlog(ZLOG_ERROR, "Connection disallowed: IP address '%s' has been dropped.", inet_ntoa(sa.sa_inet.sin_addr));
+-							closesocket(req->fd);
+-							req->fd = -1;
+-							continue;
+-						}
++					if (req->fd >= 0 && !fcgi_is_allowed()) {
++						closesocket(req->fd);
++						req->fd = -1;
++						continue;
+ 					}
+ 				}
+ 
+-- 
+2.1.0
+

php-fpm-www.conf

@@ -50,7 +50,7 @@ listen = 127.0.0.1:9000
 ;listen.group = nobody
 ;listen.mode = 0660
 
-; List of ipv4 addresses of FastCGI clients which are allowed to connect.
+; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
 ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
 ; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
 ; must be separated by a comma. If this value is left blank, connections will be

php.spec

@@ -62,7 +62,7 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: php
 Version: 5.6.3
-Release: 3%{?dist}
+Release: 4%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -117,6 +117,7 @@ Patch47: php-5.6.3-phpinfo.patch
 Patch101: php-bug68423.patch
 Patch102: php-bug68421.patch
 Patch103: php-bug68420.patch
+Patch104: php-bug68428.patch
 
 # Security fixes (200+)
 
@@ -722,6 +723,7 @@ httpd -V  | grep -q 'threaded:.*yes' && exit 1
 %patch101 -p1 -b .bug68423
 %patch102 -p1 -b .bug68421
 %patch103 -p1 -b .bug68420
+%patch104 -p1 -b .bug68428
 
 # security patches
 
@@ -1482,6 +1484,10 @@ rm -f README.{Zeus,QNX,CVS-RULES}
 
 
 %changelog
+* Mon Nov 17 2014 Remi Collet <remi@fedoraproject.org> 5.6.3-4
+- FPM: add upstream patch for https://bugs.php.net/68428
+  listen.allowed_clients is IPv4 only
+
 * Mon Nov 17 2014 Remi Collet <remi@fedoraproject.org> 5.6.3-3
 - sync php-fpm configuration with upstream
 - refresh upstream patch for 68421