Bug #16685: safe_mode_include_dir check is not correct

byg Thu, 18 Apr 2002 09:15:27 -0700

From:             [EMAIL PROTECTED]
Operating system: Linux
PHP version:      4.2.0
PHP Bug Type:     Scripting Engine problem
Bug description:  safe_mode_include_dir check is not correct


I found that safe_mode_include_dir check is not correct.
Here's why:
resolved_name (the path in question) and ptr (a next directory from the
safe_mode_include_dir list) are compared so:
if (strncmp(ptr, resolved_name, strlen(ptr) ==0 )
let ptr="/var/www/script" and resolved_name="/var/www/scripts"
obviously, they will match though it's wrong.
It is necessary to add an extra check for trailing char
(valid one is either a slash or \0)
In fact, checking lengthes of those may save a bit CPU time
(especially with the long list).
Here's suggested patch (it also is available at
http://www.cf1.ru/~byg/patch/php/safe_mode_include_dir.patch
ftp://ftp.cf1.ru/pub/patches/php/safe_mode_include_dir.patch
):


--- main/fopen_wrappers.c.orig  Thu Apr 18 21:40:57 2002
+++ main/fopen_wrappers.c       Thu Apr 18 23:02:55 2002
@@ -233,6 +233,7 @@
                char *ptr;
                char *end;
                char resolved_name[MAXPATHLEN];
+               int  len;

                /* Resolve the real path into resolved_name */
                if (expand_filepath(path, resolved_name TSRMLS_CC) ==
NULL)
@@ -250,15 +251,20 @@
                        }

                        /* Check the path */
+                        len = strlen(ptr);
+                       if (strlen(resolved_name) >= len) {
 #ifdef PHP_WIN32
-                       if (strncasecmp(ptr, resolved_name, strlen(ptr))
== 0)
+                           if (strncasecmp(ptr, resolved_name, len) ==
0)
 #else
-                       if (strncmp(ptr, resolved_name, strlen(ptr)) ==
0)
+                           if (strncmp(ptr, resolved_name, len) == 0)
 #endif
-                       {
-                               /* File is in the right directory */
-                               efree(pathbuf);
-                               return 0;
+                           {
+                               if ((*(resolved_name + len) ==
DEFAULT_SLASH) || (*(resolved_name + len) == '\0')) {
+                                   /* File is in the right directory */
+                                   efree(pathbuf);
+                                   return 0;
+                               }
+                           }
                        }
 
                        ptr = end;




-- 
Edit bug report at http://bugs.php.net/?id=16685&edit=1
-- 
Fixed in CVS:        http://bugs.php.net/fix.php?id=16685&r=fixedcvs
Fixed in release:    http://bugs.php.net/fix.php?id=16685&r=alreadyfixed
Need backtrace:      http://bugs.php.net/fix.php?id=16685&r=needtrace
Try newer version:   http://bugs.php.net/fix.php?id=16685&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=16685&r=support
Expected behavior:   http://bugs.php.net/fix.php?id=16685&r=notwrong
Not enough info:     http://bugs.php.net/fix.php?id=16685&r=notenoughinfo
Submitted twice:     http://bugs.php.net/fix.php?id=16685&r=submittedtwice

Bug #16685: safe_mode_include_dir check is not correct

Reply via email to