[php/f19] - FPM: add upstream patch for https://bugs.php.net/68428 listen.allowed_clients is IPv4 only - refre
Remi Collet
remi at fedoraproject.org
Fri Nov 21 11:50:16 UTC 2014
commit 784fca7e5f05464633d5d2a24b9f2f4f6033c732
Author: Remi Collet <remi at fedoraproject.org>
Date: Fri Nov 21 12:49:02 2014 +0100
- FPM: add upstream patch for https://bugs.php.net/68428 listen.allowed_clients is IPv4 only
- refresh upstream patch for 68421
(cherry picked from commit 2dc4b3432f1a2b574dbe65a8a4b8c5ba205db81a)
php-bug68421.patch | 46 ++++++++++++++++++++
php-bug68428.patch | 120 ++++++++++++++++++++++++++++++++++++++++++++++++++++
php.spec | 9 ++++-
3 files changed, 174 insertions(+), 1 deletions(-)
---
diff --git a/php-bug68421.patch b/php-bug68421.patch
index 0f59efd..80437ba 100644
--- a/php-bug68421.patch
+++ b/php-bug68421.patch
@@ -70,3 +70,49 @@ index 4e1a057..c71281b 100644
--
2.1.0
+From 4657289e87e18bb8967d5a8b0163c772d410e2b8 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi at php.net>
+Date: Mon, 17 Nov 2014 06:53:38 +0100
+Subject: [PATCH] Improve fix bug #68421 access.format='%R' doesn't log ipv6
+ address
+
+Log IPv4-Mapped-Ipv6 address as IPv4 (not as IPv6)
+---
+ sapi/fpm/fpm/fastcgi.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/sapi/fpm/fpm/fastcgi.c b/sapi/fpm/fpm/fastcgi.c
+index 86fca17..d1db0ec 100644
+--- a/sapi/fpm/fpm/fastcgi.c
++++ b/sapi/fpm/fpm/fastcgi.c
+@@ -1099,13 +1099,23 @@ const char *fcgi_get_last_client_ip() /* {{{ */
+ {
+ static char str[INET6_ADDRSTRLEN];
+
+- if (client_sa.sa.sa_family == AF_UNIX) {
+- return NULL;
+- }
++ /* Ipv4 */
+ if (client_sa.sa.sa_family == AF_INET) {
+ return inet_ntop(client_sa.sa.sa_family, &client_sa.sa_inet.sin_addr, str, INET6_ADDRSTRLEN);
+ }
+- return inet_ntop(client_sa.sa.sa_family, &client_sa.sa_inet6.sin6_addr, str, INET6_ADDRSTRLEN);
++#ifdef IN6_IS_ADDR_V4MAPPED
++ /* Ipv4-Mapped-Ipv6 */
++ if (client_sa.sa.sa_family == AF_INET6
++ && IN6_IS_ADDR_V4MAPPED(&client_sa.sa_inet6.sin6_addr)) {
++ return inet_ntop(AF_INET, ((char *)&client_sa.sa_inet6.sin6_addr)+12, str, INET6_ADDRSTRLEN);
++ }
++#endif
++ /* Ipv6 */
++ if (client_sa.sa.sa_family == AF_INET6) {
++ return inet_ntop(client_sa.sa.sa_family, &client_sa.sa_inet6.sin6_addr, str, INET6_ADDRSTRLEN);
++ }
++ /* Unix socket */
++ return NULL;
+ }
+ /* }}} */
+ /*
+--
+2.1.0
+
diff --git a/php-bug68428.patch b/php-bug68428.patch
new file mode 100644
index 0000000..434ec20
--- /dev/null
+++ b/php-bug68428.patch
@@ -0,0 +1,120 @@
+From 3a8103ae4738824ebb27a9a739e253740580ed36 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi at php.net>
+Date: Mon, 17 Nov 2014 09:22:13 +0100
+Subject: [PATCH] Fixed bug #68428 allowed_client is IPv4 only
+
+---
+ sapi/fpm/fpm/fastcgi.c | 72 +++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 50 insertions(+), 22 deletions(-)
+
+diff --git a/sapi/fpm/fpm/fastcgi.c b/sapi/fpm/fpm/fastcgi.c
+index d1db0ec..36e37b7 100644
+--- a/sapi/fpm/fpm/fastcgi.c
++++ b/sapi/fpm/fpm/fastcgi.c
+@@ -144,7 +144,7 @@ static HashTable fcgi_mgmt_vars;
+
+ static int is_initialized = 0;
+ static int in_shutdown = 0;
+-static in_addr_t *allowed_clients = NULL;
++static sa_t *allowed_clients = NULL;
+
+ static sa_t client_sa;
+
+@@ -267,14 +267,18 @@ void fcgi_set_allowed_clients(char *ip)
+ *end = 0;
+ end++;
+ }
+- allowed_clients[n] = inet_addr(cur);
+- if (allowed_clients[n] == INADDR_NONE) {
++ if (inet_pton(AF_INET, cur, &allowed_clients[n].sa_inet.sin_addr)>0) {
++ allowed_clients[n].sa.sa_family = AF_INET;
++ n++;
++ } else if (inet_pton(AF_INET6, cur, &allowed_clients[n].sa_inet6.sin6_addr)>0) {
++ allowed_clients[n].sa.sa_family = AF_INET6;
++ n++;
++ } else {
+ zlog(ZLOG_ERROR, "Wrong IP address '%s' in listen.allowed_clients", cur);
+ }
+- n++;
+ cur = end;
+ }
+- allowed_clients[n] = INADDR_NONE;
++ allowed_clients[n].sa.sa_family = 0;
+ free(ip);
+ }
+ }
+@@ -760,6 +764,43 @@ void fcgi_close(fcgi_request *req, int force, int destroy)
+ }
+ }
+
++static int fcgi_is_allowed() {
++ int i;
++
++ if (client_sa.sa.sa_family == AF_UNIX) {
++ return 1;
++ }
++ if (!allowed_clients) {
++ return 1;
++ }
++ if (client_sa.sa.sa_family == AF_INET) {
++ for (i=0 ; allowed_clients[i].sa.sa_family ; i++) {
++ if (allowed_clients[i].sa.sa_family == AF_INET
++ && !memcmp(&client_sa.sa_inet.sin_addr, &allowed_clients[i].sa_inet.sin_addr, 4)) {
++ return 1;
++ }
++ }
++ }
++ if (client_sa.sa.sa_family == AF_INET6) {
++ for (i=0 ; allowed_clients[i].sa.sa_family ; i++) {
++ if (allowed_clients[i].sa.sa_family == AF_INET6
++ && !memcmp(&client_sa.sa_inet6.sin6_addr, &allowed_clients[i].sa_inet6.sin6_addr, 12)) {
++ return 1;
++ }
++#ifdef IN6_IS_ADDR_V4MAPPED
++ if (allowed_clients[i].sa.sa_family == AF_INET
++ && IN6_IS_ADDR_V4MAPPED(&client_sa.sa_inet6.sin6_addr)
++ && !memcmp(((char *)&client_sa.sa_inet6.sin6_addr)+12, &allowed_clients[i].sa_inet.sin_addr, 4)) {
++ return 1;
++ }
++#endif
++ }
++ }
++
++ zlog(ZLOG_ERROR, "Connection disallowed: IP address '%s' has been dropped.", fcgi_get_last_client_ip());
++ return 0;
++}
++
+ int fcgi_accept_request(fcgi_request *req)
+ {
+ #ifdef _WIN32
+@@ -810,23 +851,10 @@ int fcgi_accept_request(fcgi_request *req)
+ FCGI_UNLOCK(req->listen_socket);
+
+ client_sa = sa;
+- if (sa.sa.sa_family == AF_INET && req->fd >= 0 && allowed_clients) {
+- int n = 0;
+- int allowed = 0;
+-
+- while (allowed_clients[n] != INADDR_NONE) {
+- if (allowed_clients[n] == sa.sa_inet.sin_addr.s_addr) {
+- allowed = 1;
+- break;
+- }
+- n++;
+- }
+- if (!allowed) {
+- zlog(ZLOG_ERROR, "Connection disallowed: IP address '%s' has been dropped.", inet_ntoa(sa.sa_inet.sin_addr));
+- closesocket(req->fd);
+- req->fd = -1;
+- continue;
+- }
++ if (req->fd >= 0 && !fcgi_is_allowed()) {
++ closesocket(req->fd);
++ req->fd = -1;
++ continue;
+ }
+ }
+
+--
+2.1.0
+
diff --git a/php.spec b/php.spec
index a9f851f..2ec1156 100644
--- a/php.spec
+++ b/php.spec
@@ -69,7 +69,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: php
Version: 5.5.19
-Release: 2%{?dist}
+Release: 3%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -124,6 +124,7 @@ Patch47: php-5.4.9-phpinfo.patch
Patch101: php-bug68423.patch
Patch102: php-bug68421.patch
Patch103: php-bug68420.patch
+Patch104: php-bug68428.patch
# Security fixes (200+)
@@ -737,6 +738,7 @@ support for using the enchant library to PHP.
%patch101 -p1 -b .bug68423
%patch102 -p1 -b .bug68421
%patch103 -p1 -b .bug68420
+%patch104 -p1 -b .bug68428
# security patches
@@ -1555,6 +1557,11 @@ exit 0
%changelog
+* Fri Nov 21 2014 Remi Collet <remi at fedoraproject.org> 5.5.19-3
+- FPM: add upstream patch for https://bugs.php.net/68428
+ listen.allowed_clients is IPv4 only
+- refresh upstream patch for 68421
+
* Sun Nov 16 2014 Remi Collet <remi at fedoraproject.org> 5.5.19-2
- FPM: add upstream patch for https://bugs.php.net/68421
access.format=R doesn't log ipv6 address
More information about the scm-commits
mailing list