Stefan Esser wrote:
Hello Dmitry,

while you are at fixing realpath() it might be a good idea to fix the ../ nonsense. What I mean is:

fopen("this_is_not_a_dir_but_a_file/../../../../../../../../etc/passwd", "r");

works because of realpath() and PHP's wrapper. Same for

fopen("this_is_not_existing/../../../../../../../../etc/passwd", "r");

Dmitry, I think this is a good suggestion. If any component of the path, other than the final one, is not a directory, or if a component of the path doesn't exist, the realpath call should fail. We're doing the stat on each one anyway, so checking the entry type shouldn't be an issue.
-Rasmus
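
The check proposed in the reply above, written out as an added example (not PHP's realpath code and not code from this thread): stat each leading component and fail unless it exists and is a directory. The name check_components and the MAX_PATH_LEN limit are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define MAX_PATH_LEN 4096   /* assumed limit for this example */

/* Returns 0 when every component before the final one exists and is a
 * directory. Otherwise returns -1 with errno set (ENOENT, ENOTDIR, ...).
 * The final component is not inspected: it may be a file or not exist yet. */
int check_components(const char *path)
{
    char prefix[MAX_PATH_LEN];
    struct stat st;
    size_t len = strlen(path);

    if (len >= sizeof(prefix)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    for (size_t i = 1; i < len; i++) {
        if (path[i] != '/' || path[i - 1] == '/')
            continue;               /* not the end of a component */
        memcpy(prefix, path, i);
        prefix[i] = '\0';
        if (stat(prefix, &st) != 0)
            return -1;              /* errno from stat(), e.g. ENOENT */
        if (!S_ISDIR(st.st_mode)) {
            errno = ENOTDIR;        /* a file used as a directory */
            return -1;
        }
    }
    return 0;
}

/* Usage: ./a.out PATH...  prints "ok" or the reason each path is rejected. */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        printf("%s: %s\n", argv[i],
               check_components(argv[i]) == 0 ? "ok" : strerror(errno));
    return 0;
}
```

Because each prefix is checked before any ".." that follows it, a path whose ".." segments would otherwise cancel out a regular file or a missing name is rejected at that component.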
