File: 007CVE2007-0540.patch

wordpress 2.0.10-1etch6
#! /bin/sh /usr/share/dpatch/dpatch-run
## CVE-2007-0540.dpatch by  <andrea.de.iacovo@gmail.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fix for CVE-2007-0540

@DPATCH@

--- wordpress-etch/wp-includes/functions.php	2007-03-28 01:47:02.000000000 +0200
+++ wordpress-etch/wp-includes/functions.php	2008-04-29 10:16:24.000000000 +0200
@@ -2191,8 +2198,46 @@
 	return $array;
 }
 
+function wp_limited_curl($url) {
+	/* This function is a wrapper for curl
+	 * that limits the amount of data we
+	 * fetch from a URI to avoid DOS problems
+	 * with wp_remote_fopen()
+	 */
+
+        $ch = curl_init($url);
+        global $total;
+        global $output;
+        $total = 0;
+        $output = "";
+
+        function read_body($ch, $string) {
+                $length = strlen($string);
+                global $total;
+                global $output;
+                $total += $length;
+                $output .= $string;
+                if ($total > 30720) return -1;
+                return $length;
+        }
+
+        curl_setopt($ch, CURLOPT_WRITEFUNCTION, 'read_body');
+        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 1);
+        curl_setopt($ch, CURLOPT_TIMEOUT, 30);
+	curl_setopt($ch, CURLOPT_BUFFERSIZE, 4096);
+	curl_setopt($ch, CURLOPT_RANGE, "0-30720");
+        curl_exec($ch);
+        curl_close($ch);
+
+        return $output;
+}
+
 function wp_remote_fopen( $uri ) {
-	$timeout = 10;
+	$bytes_limit = 30720;  /* limit on size of source documen bytes, see 
+	                  	* Errata for pingback specification.
+				* http://www.hixie.ch/specs/pingback/pingback
+				*/
+	$timeout = 10; 
 	$parsed_url = @parse_url($uri);
 
 	if ( !$parsed_url || !is_array($parsed_url) )
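Review bot: `read_body` is declared as a named function inside `wp_limited_curl`, so PHP defines it only when the wrapper runs, and a second call in the same request stops with a fatal "Cannot redeclare read_body()" error; any path that fetches more than one URL per request would turn this DoS fix into a crash. Declaring the callback at file scope under a prefixed name, or guarding it with `if ( !function_exists('read_body') ) { ... }`, avoids that. The callback keeps its state in the globals `$total` and `$output`, which any other code using those names can clobber, and it appends each chunk before checking the cap, so the result can exceed 30720 bytes by up to one buffer. The cap is a literal here while `wp_remote_fopen` defines its own `$bytes_limit`, and `CURLOPT_TIMEOUT` is 30 where the removed curl branch used `$timeout` (10); `CURLOPT_RANGE` is only a request the server may ignore, so the write callback is the real bound. The body of `wp_remote_fopen` continues outside this hunk.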
@@ -2208,19 +2253,14 @@
 
 		//stream_set_timeout($fp, $timeout); // Requires php 4.3
 		$linea = '';
-		while( $remote_read = fread($fp, 4096) )
+		$bytes = 0;
+		while( $remote_read = fread($fp, 4096) && $bytes < $bytes_limit )
+			$bytes = $bytes + 4096;
 			$linea .= $remote_read;
 		fclose($fp);
 		return $linea;
 	} else if ( function_exists('curl_init') ) {
-		$handle = curl_init();
-		curl_setopt ($handle, CURLOPT_URL, $uri);
-		curl_setopt ($handle, CURLOPT_CONNECTTIMEOUT, 1);
-		curl_setopt ($handle, CURLOPT_RETURNTRANSFER, 1);
-		curl_setopt ($handle, CURLOPT_TIMEOUT, $timeout);
-		$buffer = curl_exec($handle);
-		curl_close($handle);
-		return $buffer;
+		return wp_limited_curl($uri);
 	} else {
 		return false;
 	}
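Review bot: The new `while` condition assigns a boolean to `$remote_read`, because `&&` binds tighter than `=`, and without braces only `$bytes = $bytes + 4096;` is the loop body, so `$linea .= $remote_read;` runs once after the loop with a false value and the fopen branch returns an empty string. Parenthesise the assignment and brace the body: `while ( $bytes < $bytes_limit && ($remote_read = fread($fp, 4096)) ) {`, `$bytes += strlen($remote_read); $linea .= $remote_read;`, `}`. Counting `strlen($remote_read)` instead of a fixed 4096 keeps the cap accurate on short reads. This branch still has no read timeout (`stream_set_timeout` stays commented out), so a slow peer can hold the request open. The `fopen` call and the start of this branch are outside the hunk.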