This behavior is already implemented in the "improved" patch that I sent on
Saturday.
Thanks. Dmitry.
Rasmus Lerdorf wrote:
Stefan Esser wrote:
Hello Dmitry,
while you are at fixing realpath() it might be a good idea to fix the
../ nonsense.
What I mean is:
fopen("this_is_not_a_dir_but_a_file/../../../../../../../../etc/passwd", "r");
works because of realpath() and PHP's wrapper.
Same for
fopen("this_is_not_existing/../../../../../../../../etc/passwd", "r");
Dmitry, I think this is a good suggestion. If any component of the
path, other than the final one, is not a directory, or if a component of
the path doesn't exist, the realpath call should fail. We're doing the
stat on each one anyway, so checking the entry type shouldn't be an issue.
-Rasmus