From 8c52ea4cddde578a6233a1d5be6cada30df4e797 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Aug 11 2016 19:54:11 +0000
Subject: import rh-php56-php-5.6.5-9.el7


---

diff --git a/SOURCES/php-5.6.5-CVE-2016-5385.patch b/SOURCES/php-5.6.5-CVE-2016-5385.patch
new file mode 100644
index 0000000..2853355
--- /dev/null
+++ b/SOURCES/php-5.6.5-CVE-2016-5385.patch
@@ -0,0 +1,114 @@
+Adapted for 5.6 from:
+
+
+From 98b9dfaec95e6f910f125ed172cdbd25abd006ec Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 10 Jul 2016 16:17:54 -0700
+Subject: [PATCH] Fix for HTTP_PROXY issue.
+
+The following changes are made:
+- _SERVER/_ENV only has HTTP_PROXY if the local environment has it,
+  and only one from the environment.
+- getenv('HTTP_PROXY') only returns one from the local environment
+- getenv has optional second parameter, telling it to only consider
+  local environment
+
+--- php-5.6.23/ext/standard/basic_functions.c	2016-06-22 03:50:40.000000000 +0200
++++ php-5.6.24/ext/standard/basic_functions.c	2016-07-21 02:23:03.000000000 +0200
+@@ -635,8 +635,9 @@
+ 	ZEND_ARG_INFO(0, proper_address)
+ ZEND_END_ARG_INFO()
+ 
+-ZEND_BEGIN_ARG_INFO(arginfo_getenv, 0)
++ZEND_BEGIN_ARG_INFO_EX(arginfo_getenv, 0, 0, 1)
+ 	ZEND_ARG_INFO(0, varname)
++	ZEND_ARG_INFO(0, local_only)
+ ZEND_END_ARG_INFO()
+ 
+ #ifdef HAVE_PUTENV
+@@ -3977,21 +3978,24 @@
+  * System Functions *
+  ********************/
+ 
+-/* {{{ proto string getenv(string varname)
++/* {{{ proto string getenv(string varname[, bool local_only])
+    Get the value of an environment variable */
+ PHP_FUNCTION(getenv)
+ {
+ 	char *ptr, *str;
+ 	int str_len;
++	zend_bool local_only = 0;
+ 
+-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &str, &str_len) == FAILURE) {
++	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &str, &str_len, &local_only) == FAILURE) {
+ 		RETURN_FALSE;
+ 	}
+ 
+-	/* SAPI method returns an emalloc()'d string */
+-	ptr = sapi_getenv(str, str_len TSRMLS_CC);
+-	if (ptr) {
+-		RETURN_STRING(ptr, 0);
++	if (!local_only) {
++		/* SAPI method returns an emalloc()'d string */
++		ptr = sapi_getenv(str, str_len TSRMLS_CC);
++		if (ptr) {
++			RETURN_STRING(ptr, 0);
++		}
+ 	}
+ #ifdef PHP_WIN32
+ 	{
+--- php-5.6.23/main/SAPI.c	2016-06-22 03:50:40.000000000 +0200
++++ php-5.6.24/main/SAPI.c	2016-07-21 02:23:03.000000000 +0200
+@@ -1020,6 +1020,10 @@
+ 
+ SAPI_API char *sapi_getenv(char *name, size_t name_len TSRMLS_DC)
+ {
++	if (!strncasecmp(name, "HTTP_PROXY", name_len)) {
++		/* Ugly fix for HTTP_PROXY issue, see bug #72573 */
++		return NULL;
++	}
+ 	if (sapi_module.getenv) { 
+ 		char *value, *tmp = sapi_module.getenv(name, name_len TSRMLS_CC);
+ 		if (tmp) {
+--- php-5.6.23/main/php_variables.c	2016-06-22 03:50:40.000000000 +0200
++++ php-5.6.24/main/php_variables.c	2016-07-21 02:23:03.000000000 +0200
+@@ -798,6 +798,23 @@
+ 	return 0; /* don't rearm */
+ }
+ 
++/* Upgly hack to fix HTTP_PROXY issue, see bug #72573 */
++static void check_http_proxy(HashTable *var_table)
++{
++	if (zend_hash_exists(var_table, "HTTP_PROXY", sizeof("HTTP_PROXY"))) {
++		char *local_proxy = getenv("HTTP_PROXY");
++
++		if (!local_proxy) {
++			zend_hash_del(var_table, "HTTP_PROXY", sizeof("HTTP_PROXY"));
++		} else {
++			zval *local_zval;
++			ALLOC_INIT_ZVAL(local_zval);
++			ZVAL_STRING(local_zval, local_proxy, 1);
++			zend_hash_update(var_table, "HTTP_PROXY", sizeof("HTTP_PROXY"), &local_zval, sizeof(zval **), NULL);
++		}
++	}
++}
++
+ static zend_bool php_auto_globals_create_server(const char *name, uint name_len TSRMLS_DC)
+ {
+ 	if (PG(variables_order) && (strchr(PG(variables_order),'S') || strchr(PG(variables_order),'s'))) {
+@@ -830,6 +647,7 @@
+ 		PG(http_globals)[TRACK_VARS_SERVER] = server_vars;
+ 	}
+ 
++	check_http_proxy(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]));
+ 	zend_hash_update(&EG(symbol_table), name, name_len + 1, &PG(http_globals)[TRACK_VARS_SERVER], sizeof(zval *), NULL);
+ 	Z_ADDREF_P(PG(http_globals)[TRACK_VARS_SERVER]);
+ 	
+@@ -851,6 +869,7 @@
+ 		php_import_environment_variables(PG(http_globals)[TRACK_VARS_ENV] TSRMLS_CC);
+ 	}
+ 
++	check_http_proxy(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_ENV]));
+ 	zend_hash_update(&EG(symbol_table), name, name_len + 1, &PG(http_globals)[TRACK_VARS_ENV], sizeof(zval *), NULL);
+ 	Z_ADDREF_P(PG(http_globals)[TRACK_VARS_ENV]);
+ 
diff --git a/SPECS/php.spec b/SPECS/php.spec
index 9e103e9..ded9c96 100644
--- a/SPECS/php.spec
+++ b/SPECS/php.spec
@@ -111,7 +111,7 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: %{?scl_prefix}php
 Version: 5.6.5
-Release: 8%{?dist}
+Release: 9%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -192,6 +192,7 @@ Patch163: php-5.6.5-CVE-2015-6832.patch
 Patch164: php-5.6.5-CVE-2015-6831.patch
 Patch165: php-5.6.5-CVE-2015-6834-2.patch
 Patch166: php-5.6.5-CVE-2015-6836.patch
+Patch167: php-5.6.5-CVE-2016-5385.patch
 
 
 # Fixes for tests (300+)
@@ -793,6 +794,7 @@ support for using the enchant library to PHP.
 %patch164 -p1 -b .cve6831
 %patch165 -p1 -b .cve6834
 %patch166 -p1 -b .cve6836
+%patch167 -p1 -b .cve5385
 
 # Fixes for tests
 %patch300 -p1 -b .datetests
@@ -1715,6 +1717,10 @@ fi
 
 
 %changelog
+* Mon Jul 25 2016 Remi Collet <rcollet@redhat.com> - 5.6.5-9
+- don't set environmental variable based on user supplied Proxy
+  request header CVE-2016-5385
+
 * Mon Feb 15 2016 Remi Collet <rcollet@redhat.com> - 5.6.5-8
 - Phar: fix segmentation fault in Phar::convertToData on
   invalid file CVE-2015-5589