While the case in bug #74429 is not documented and is only worky due to
an implementation bug, the strength seems to breach some real world
apps. Given this patch doesn't impact the initial security fix for
bug #74216, it is reasonable to let the apps keep working. As mentioned
in the ticket, this behavior is a subject to change in future versions
and should not be abused.
For historical reasons, fsockopen() accepts the port and hostname
separately: fsockopen('127.0.0.1', 80)
However, with the introdcution of stream transports in PHP 4.3,
it became possible to include the port in the hostname specifier:
fsockopen('127.0.0.1:80')
Or more formally: fsockopen('tcp://127.0.0.1:80')
Confusing results when these two forms are combined, however.
fsockopen('127.0.0.1:80', 443) results in fsockopen() attempting
to connect to '127.0.0.1:80:443' which any reasonable stack would
consider invalid.
Unfortunately, PHP parses the address looking for the first colon
(with special handling for IPv6, don't worry) and calls atoi()
from there. atoi() in turn, simply stops parsing at the first
non-numeric character and returns the value so far.
The end result is that the explicitly supplied port is treated
as ignored garbage, rather than producing an error.
This diff replaces atoi() with strtol() and inspects the
stop character. If additional "garbage" of any kind is found,
it fails and returns an error.
If this does not break the Unix system somehow, I'll be amazed. This should get most of it out, apologies for any errors this may cause on non-Windows ends which I cannot test atm.
* master: (39 commits)
Add __debugInfo() to UPGRADING.
fix TS build
Update NEWS
Update NEWS
Update NEWS
Small tidy ups and raise visibility of GitHub PR process
Bug #41631: Observe socket read timeouts in SSL streams
wrap int8_t and int16_t with #ifdef to avoid possible clashes
- Updated to version 2014.6 (2014f)
Removed Countable::count() change info from UPGRADE.INTERNALS too
NEWS and UPGRADING for intdiv()
Revert "Add SO_REUSEPORT + SO_BROADCAST support via socket stream context option"
Fixed skip case for intdiv 64-bit test
Use callback structure
Add EXPECTF
Fix handling of multi-result sets with PS...used to clean not only the result set but the whole PS.
5.5.17 now
5.4.33-dev now
Add SO_REUSEPORT + SO_BROADCAST support via socket stream context option
Add SO_REUSEPORT + SO_BROADCAST support via socket stream context option
...
Conflicts:
ext/fileinfo/libmagic/softmagic.c
main/streams/xp_socket.c