[php/f19] - FPM: add upstream patch for https://bugs.php.net/68428 listen.allowed_clients is IPv4 only - refre

Remi Collet remi at fedoraproject.org
Fri Nov 21 11:50:16 UTC 2014


commit 784fca7e5f05464633d5d2a24b9f2f4f6033c732
Author: Remi Collet <remi at fedoraproject.org>
Date:   Fri Nov 21 12:49:02 2014 +0100

    - FPM: add upstream patch for https://bugs.php.net/68428 listen.allowed_clients is IPv4 only
    - refresh upstream patch for 68421
    
    (cherry picked from commit 2dc4b3432f1a2b574dbe65a8a4b8c5ba205db81a)

 php-bug68421.patch |   46 ++++++++++++++++++++
 php-bug68428.patch |  120 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 php.spec           |    9 ++++-
 3 files changed, 174 insertions(+), 1 deletions(-)
---
diff --git a/php-bug68421.patch b/php-bug68421.patch
index 0f59efd..80437ba 100644
--- a/php-bug68421.patch
+++ b/php-bug68421.patch
@@ -70,3 +70,49 @@ index 4e1a057..c71281b 100644
 -- 
 2.1.0
 
+From 4657289e87e18bb8967d5a8b0163c772d410e2b8 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi at php.net>
+Date: Mon, 17 Nov 2014 06:53:38 +0100
+Subject: [PATCH] Improve fix bug #68421 access.format='%R' doesn't log ipv6
+ address
+
+Log IPv4-Mapped-Ipv6 address as IPv4 (not as IPv6)
+---
+ sapi/fpm/fpm/fastcgi.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/sapi/fpm/fpm/fastcgi.c b/sapi/fpm/fpm/fastcgi.c
+index 86fca17..d1db0ec 100644
+--- a/sapi/fpm/fpm/fastcgi.c
++++ b/sapi/fpm/fpm/fastcgi.c
+@@ -1099,13 +1099,23 @@ const char *fcgi_get_last_client_ip() /* {{{ */
+ {
+ 	static char str[INET6_ADDRSTRLEN];
+ 
+-	if (client_sa.sa.sa_family == AF_UNIX) {
+-		return NULL;
+-	}
++	/* Ipv4 */
+ 	if (client_sa.sa.sa_family == AF_INET) {
+ 		return inet_ntop(client_sa.sa.sa_family, &client_sa.sa_inet.sin_addr, str, INET6_ADDRSTRLEN);
+ 	}
+-	return inet_ntop(client_sa.sa.sa_family, &client_sa.sa_inet6.sin6_addr, str, INET6_ADDRSTRLEN);
++#ifdef IN6_IS_ADDR_V4MAPPED
++	/* Ipv4-Mapped-Ipv6 */
++	if (client_sa.sa.sa_family == AF_INET6
++		&& IN6_IS_ADDR_V4MAPPED(&client_sa.sa_inet6.sin6_addr)) {
++		return inet_ntop(AF_INET, ((char *)&client_sa.sa_inet6.sin6_addr)+12, str, INET6_ADDRSTRLEN);
++	}
++#endif
++	/* Ipv6 */
++	if (client_sa.sa.sa_family == AF_INET6) {
++		return inet_ntop(client_sa.sa.sa_family, &client_sa.sa_inet6.sin6_addr, str, INET6_ADDRSTRLEN);
++	}
++	/* Unix socket */
++	return NULL;
+ }
+ /* }}} */
+ /*
+-- 
+2.1.0
+
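Review bot: The `+12` offset in the v4-mapped branch of fcgi_get_last_client_ip() is an unexplained magic number, and the closing `/* Unix socket */` comment understates the fallthrough, which now returns NULL for every family other than AF_INET and AF_INET6. I would add `/* v4-mapped is ::ffff:a.b.c.d; the IPv4 part is the last 4 of the 16 bytes */` above that inet_ntop call and reword the last comment to `/* Unix socket or unknown family: no printable address */`. Callers that pass the result to a `%s` format need to handle NULL. When IN6_IS_ADDR_V4MAPPED is not defined, the same client is written in IPv6 notation instead, so anything that parses the access log should accept both forms.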
diff --git a/php-bug68428.patch b/php-bug68428.patch
new file mode 100644
index 0000000..434ec20
--- /dev/null
+++ b/php-bug68428.patch
@@ -0,0 +1,120 @@
+From 3a8103ae4738824ebb27a9a739e253740580ed36 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi at php.net>
+Date: Mon, 17 Nov 2014 09:22:13 +0100
+Subject: [PATCH] Fixed bug #68428 allowed_client is IPv4 only
+
+---
+ sapi/fpm/fpm/fastcgi.c | 72 +++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 50 insertions(+), 22 deletions(-)
+
+diff --git a/sapi/fpm/fpm/fastcgi.c b/sapi/fpm/fpm/fastcgi.c
+index d1db0ec..36e37b7 100644
+--- a/sapi/fpm/fpm/fastcgi.c
++++ b/sapi/fpm/fpm/fastcgi.c
+@@ -144,7 +144,7 @@ static HashTable fcgi_mgmt_vars;
+ 
+ static int is_initialized = 0;
+ static int in_shutdown = 0;
+-static in_addr_t *allowed_clients = NULL;
++static sa_t *allowed_clients = NULL;
+ 
+ static sa_t client_sa;
+ 
+@@ -267,14 +267,18 @@ void fcgi_set_allowed_clients(char *ip)
+ 				*end = 0;
+ 				end++;
+ 			}
+-			allowed_clients[n] = inet_addr(cur);
+-			if (allowed_clients[n] == INADDR_NONE) {
++			if (inet_pton(AF_INET, cur, &allowed_clients[n].sa_inet.sin_addr)>0) {
++				allowed_clients[n].sa.sa_family = AF_INET;
++				n++;
++			} else if (inet_pton(AF_INET6, cur, &allowed_clients[n].sa_inet6.sin6_addr)>0) {
++				allowed_clients[n].sa.sa_family = AF_INET6;
++				n++;
++			} else {
+ 				zlog(ZLOG_ERROR, "Wrong IP address '%s' in listen.allowed_clients", cur);
+ 			}
+-			n++;
+ 			cur = end;
+ 		}
+-		allowed_clients[n] = INADDR_NONE;
++		allowed_clients[n].sa.sa_family = 0;
+ 		free(ip);
+ 	}
+ }
+@@ -760,6 +764,43 @@ void fcgi_close(fcgi_request *req, int force, int destroy)
+ 	}
+ }
+ 
++static int fcgi_is_allowed() {
++	int i;
++
++	if (client_sa.sa.sa_family == AF_UNIX) {
++		return 1;
++	}
++	if (!allowed_clients) {
++		return 1;
++	}
++	if (client_sa.sa.sa_family == AF_INET) {
++		for (i=0 ; allowed_clients[i].sa.sa_family ; i++) {
++			if (allowed_clients[i].sa.sa_family == AF_INET
++				&& !memcmp(&client_sa.sa_inet.sin_addr, &allowed_clients[i].sa_inet.sin_addr, 4)) {
++				return 1;
++			}
++		}
++	}
++	if (client_sa.sa.sa_family == AF_INET6) {
++		for (i=0 ; allowed_clients[i].sa.sa_family ; i++) {
++			if (allowed_clients[i].sa.sa_family == AF_INET6
++				&& !memcmp(&client_sa.sa_inet6.sin6_addr, &allowed_clients[i].sa_inet6.sin6_addr, 12)) {
++				return 1;
++			}
++#ifdef IN6_IS_ADDR_V4MAPPED
++			if (allowed_clients[i].sa.sa_family == AF_INET
++			    && IN6_IS_ADDR_V4MAPPED(&client_sa.sa_inet6.sin6_addr)
++				&& !memcmp(((char *)&client_sa.sa_inet6.sin6_addr)+12, &allowed_clients[i].sa_inet.sin_addr, 4)) {
++				return 1;
++			}
++#endif
++		}
++	}
++
++	zlog(ZLOG_ERROR, "Connection disallowed: IP address '%s' has been dropped.", fcgi_get_last_client_ip());
++	return 0;
++}
++
+ int fcgi_accept_request(fcgi_request *req)
+ {
+ #ifdef _WIN32
+@@ -810,23 +851,10 @@ int fcgi_accept_request(fcgi_request *req)
+ 					FCGI_UNLOCK(req->listen_socket);
+ 
+ 					client_sa = sa;
+-					if (sa.sa.sa_family == AF_INET && req->fd >= 0 && allowed_clients) {
+-						int n = 0;
+-						int allowed = 0;
+-
+-						while (allowed_clients[n] != INADDR_NONE) {
+-							if (allowed_clients[n] == sa.sa_inet.sin_addr.s_addr) {
+-								allowed = 1;
+-								break;
+-							}
+-							n++;
+-						}
+-						if (!allowed) {
+-							zlog(ZLOG_ERROR, "Connection disallowed: IP address '%s' has been dropped.", inet_ntoa(sa.sa_inet.sin_addr));
+-							closesocket(req->fd);
+-							req->fd = -1;
+-							continue;
+-						}
++					if (req->fd >= 0 && !fcgi_is_allowed()) {
++						closesocket(req->fd);
++						req->fd = -1;
++						continue;
+ 					}
+ 				}
+ 
+-- 
+2.1.0
+
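Review bot: The IPv6 branch of fcgi_is_allowed() compares only the first 12 bytes of the 16-byte `sin6_addr` (`memcmp(..., 12)`), so a listen.allowed_clients entry for a single IPv6 address also admits any client that shares its first 96 bits. That makes the access list wider than what the administrator configured; the compare should cover the whole address, `&& !memcmp(&client_sa.sa_inet6.sin6_addr, &allowed_clients[i].sa_inet6.sin6_addr, sizeof(struct in6_addr))) {`. The IPv4 compares could use `sizeof(struct in_addr)` in place of the literal `4` for the same reason. Separately, the deny path passes `fcgi_get_last_client_ip()` to `%s`, and that function returns NULL for families other than AF_INET and AF_INET6; this looks unreachable on a TCP listener, but a fallback string would make the log call safe regardless.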
diff --git a/php.spec b/php.spec
index a9f851f..2ec1156 100644
--- a/php.spec
+++ b/php.spec
@@ -69,7 +69,7 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: php
 Version: 5.5.19
-Release: 2%{?dist}
+Release: 3%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -124,6 +124,7 @@ Patch47: php-5.4.9-phpinfo.patch
 Patch101: php-bug68423.patch
 Patch102: php-bug68421.patch
 Patch103: php-bug68420.patch
+Patch104: php-bug68428.patch
 
 # Security fixes (200+)
 
@@ -737,6 +738,7 @@ support for using the enchant library to PHP.
 %patch101 -p1 -b .bug68423
 %patch102 -p1 -b .bug68421
 %patch103 -p1 -b .bug68420
+%patch104 -p1 -b .bug68428
 
 # security patches
 
@@ -1555,6 +1557,11 @@ exit 0
 
 
 %changelog
+* Fri Nov 21 2014 Remi Collet <remi at fedoraproject.org> 5.5.19-3
+- FPM: add upstream patch for https://bugs.php.net/68428
+  listen.allowed_clients is IPv4 only
+- refresh upstream patch for 68421
+
 * Sun Nov 16 2014 Remi Collet <remi at fedoraproject.org> 5.5.19-2
 - FPM: add upstream patch for https://bugs.php.net/68421
   access.format=R doesn't log ipv6 address

