Protect against null bytes in LOB filenames (rasmus)

ext/oci8/oci8_interface.c

@@ -242,7 +242,12 @@ PHP_FUNCTION(oci_lob_import)
 			return;
 		}	
 	}
-	
+
+	if (strlen(filename) != filename_len) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Filename cannot contain null bytes");
+		RETURN_FALSE;  
+	}
+
 	if (zend_hash_find(Z_OBJPROP_P(z_descriptor), "descriptor", sizeof("descriptor"), (void **)&tmp) == FAILURE) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to find descriptor property");
 		RETURN_FALSE;
@@ -894,7 +899,12 @@ PHP_FUNCTION(oci_lob_export)
 			RETURN_FALSE;
 		}
 	}
-	
+
+	if (strlen(filename) != filename_len) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Filename cannot contain null bytes");
+		RETURN_FALSE;  
+	}
+
 	if (zend_hash_find(Z_OBJPROP_P(z_descriptor), "descriptor", sizeof("descriptor"), (void **)&tmp) == FAILURE) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to find descriptor property");
 		RETURN_FALSE;
@@ -1662,8 +1672,8 @@ PHP_FUNCTION(oci_num_fields)
 }
 /* }}} */
 
-/* {{{ proto resource oci_parse(resource connection, string query)
-   Parse a query and return a statement */
+/* {{{ proto resource oci_parse(resource connection, string statement)
+   Parse a SQL or PL/SQL statement and return a statement resource */
 PHP_FUNCTION(oci_parse)
 {
 	zval *z_connection;

ext/oci8/package.xml

@@ -33,21 +33,20 @@ http://pear.php.net/dtd/package-2.0.xsd">
   <active>no</active>
  </lead>
 
- <date>2010-11-10</date>
+ <date>2010-11-16</date>
  <time>15:00:00</time>
 
  <version>
-  <release>1.4.4</release>
-  <api>1.4.4</api>
+  <release>1.4.5</release>
+  <api>1.4.5</api>
  </version>
  <stability>
-  <release>stable</release>
+  <release>devel</release>
   <api>stable</api>
  </stability>
  <license uri="http://www.php.net/license">PHP</license>
  <notes>
-    Fixed bug #53284 (Valgrind warnings in oci_set_* functions)
-    Enhancement - improve startup failure error messages
+    Protect against null bytes in LOB filenames (http://news.php.net/php.internals/50202)
  </notes>
  <contents>
   <dir name="/">
@@ -306,6 +305,8 @@ http://pear.php.net/dtd/package-2.0.xsd">
     <file name="lob_temp1.phpt" role="test" />
     <file name="lob_temp.phpt" role="test" />
     <file name="minfo.phpt" role="test" />
+    <file name="null_byte_1.phpt" role="test" />
+    <file name="null_byte_2.phpt" role="test" />
     <file name="num.phpt" role="test" />
     <file name="oci8safemode.phpt" role="test" />
     <file name="oci_execute_segfault.phpt" role="test" />
@@ -377,6 +378,22 @@ http://pear.php.net/dtd/package-2.0.xsd">
  </extsrcrelease>
  <changelog>
 
+<release>
+ <version>
+  <release>1.4.4</release>
+  <api>1.4.4</api>
+ </version>
+ <stability>
+  <release>stable</release>
+  <api>stable</api>
+ </stability>
+ <license uri="http://www.php.net/license">PHP</license>
+ <notes>
+    Fixed bug #53284 (Valgrind warnings in oci_set_* functions)
+    Enhancement - improve startup failure error messages
+ </notes>
+</release>
+
 <release>
  <version>
   <release>1.4.3</release>

ext/oci8/php_oci8.h

@@ -46,7 +46,7 @@
  */
 #undef PHP_OCI8_VERSION
 #endif
-#define PHP_OCI8_VERSION "1.4.4"
+#define PHP_OCI8_VERSION "1.4.5-devel"
 
 extern zend_module_entry oci8_module_entry;
 #define phpext_oci8_ptr &oci8_module_entry

ext/oci8/tests/null_byte_1.phpt

@@ -0,0 +1,38 @@
+--TEST--
+Protect against null bytes in LOB filenames (http://news.php.net/php.internals/50202)
+--SKIPIF--
+<?php if (!extension_loaded('oci8')) die ("skip no oci8 extension"); ?>
+--INI--
+display_errors = On
+error_reporting = E_WARNING
+--FILE--
+<?php
+
+require(dirname(__FILE__).'/connect.inc');
+
+// Run Test
+
+echo "Test 1: Import\n";
+
+$lob = oci_new_descriptor($c, OCI_D_LOB);
+$r = $lob->savefile("/tmp/abc\0def");
+var_dump($r);
+
+echo "Test 2: Export\n";
+
+$r = $lob->export("/tmp/abc\0def");
+var_dump($r);
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECTF--
+Test 1: Import
+
+Warning: OCI-Lob::savefile(): Filename cannot contain null bytes in %snull_byte_1.php on line %d
+bool(false)
+Test 2: Export
+
+Warning: OCI-Lob::export(): Filename cannot contain null bytes in %snull_byte_1.php on line %d
+bool(false)
+===DONE===

ext/oci8/tests/null_byte_2.phpt

@@ -0,0 +1,69 @@
+--TEST--
+Null bytes in SQL statements
+--SKIPIF--
+<?php if (!extension_loaded('oci8')) die ("skip no oci8 extension"); ?>
+--INI--
+display_errors = On
+error_reporting = E_WARNING
+--FILE--
+<?php
+
+require(dirname(__FILE__).'/connect.inc');
+
+// Run Test
+
+echo "Test 1: Valid use of a null byte\n";
+
+$s = oci_parse($c, "select * \0from dual");
+oci_execute($s);
+oci_fetch_all($s, $res);
+var_dump($res);
+
+echo "Test 2: Invalid use of a null byte\n";
+
+$s = oci_parse($c, "select * from du\0al");
+oci_execute($s);
+
+echo "Test 3: Using a null byte in a bind variable name\n";
+
+$s = oci_parse($c, "select * from dual where :bv = 1");
+$bv = 1;
+oci_bind_by_name($s, ":bv\0:bv", $bv);
+oci_execute($s);
+ 
+echo "Test 4: Using a null byte in a bind variable value causing WHERE clause to fail\n";
+
+$s = oci_parse($c, "select * from dual where :bv = 'abc'");
+$bv = 'abc\0abc';
+oci_bind_by_name($s, ":bv", $bv);
+oci_execute($s);
+oci_fetch_all($s, $res);
+var_dump($res);
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECTF--
+Test 1: Valid use of a null byte
+array(1) {
+  ["DUMMY"]=>
+  array(1) {
+    [0]=>
+    string(1) "X"
+  }
+}
+Test 2: Invalid use of a null byte
+
+Warning: oci_execute(): ORA-00942: %s in %snull_byte_2.php on line %d
+Test 3: Using a null byte in a bind variable name
+
+Warning: oci_bind_by_name(): ORA-01036: %s in %snull_byte_2.php on line %d
+
+Warning: oci_execute(): ORA-01008: %s in %snull_byte_2.php on line %d
+Test 4: Using a null byte in a bind variable value causing WHERE clause to fail
+array(1) {
+  ["DUMMY"]=>
+  array(0) {
+  }
+}
+===DONE===