shane Thu Mar 27 12:52:33 2003 EDT
Modified files:
/php4/sapi/cgi cgi_main.c
/php4/sapi/isapi php4isapi.c
Log:
handle invalid paths passed to us from iis
Index: php4/sapi/cgi/cgi_main.c
diff -u php4/sapi/cgi/cgi_main.c:1.219 php4/sapi/cgi/cgi_main.c:1.220
--- php4/sapi/cgi/cgi_main.c:1.219 Tue Mar 25 03:07:13 2003
+++ php4/sapi/cgi/cgi_main.c Thu Mar 27 12:52:33 2003
@@ -20,7 +20,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: cgi_main.c,v 1.219 2003/03/25 08:07:13 sebastian Exp $ */
+/* $Id: cgi_main.c,v 1.220 2003/03/27 17:52:33 shane Exp $ */
#include "php.h"
#include "php_globals.h"
@@ -827,7 +827,9 @@
#endif
SG(request_info).request_method =
sapi_cgibin_getenv("REQUEST_METHOD",0 TSRMLS_CC);
SG(request_info).query_string = sapi_cgibin_getenv("QUERY_STRING",0
TSRMLS_CC);
- if (script_path_translated)
+ /* some server configurations allow '..' to slip through in the
+ translated path. We'll just refuse to handle such a path. */
+ if (script_path_translated && !strstr(script_path_translated,".."))
SG(request_info).path_translated =
estrdup(script_path_translated);
SG(request_info).content_type = (content_type ? content_type : "" );
SG(request_info).content_length =
(content_length?atoi(content_length):0);
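Review bot: The new guard on `script_path_translated` refuses the path silently: when `..` is present the assignment is skipped, and nothing in this hunk sets a status or records the rejection, whereas the ISAPI hunk of this same commit sets `SG(sapi_headers).http_response_code = 404`. Whether an unset `path_translated` becomes an error later is not visible here, because the enclosing function starts and ends outside the hunk. An explicit `else` branch that sets the 404 would make the two SAPIs behave the same. `strstr(..., "..")` is also a substring test rather than a path-component test, so it rejects legitimate names such as `a..b.php`; if that over-rejection is intended, say so in the comment, e.g. `/* substring match on purpose: any '..' is refused, even inside a file name */`.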
Index: php4/sapi/isapi/php4isapi.c
diff -u php4/sapi/isapi/php4isapi.c:1.100 php4/sapi/isapi/php4isapi.c:1.101
--- php4/sapi/isapi/php4isapi.c:1.100 Mon Mar 24 06:21:15 2003
+++ php4/sapi/isapi/php4isapi.c Thu Mar 27 12:52:33 2003
@@ -818,13 +818,21 @@
#endif
file_handle.type = ZEND_HANDLE_FILENAME;
file_handle.opened_path = NULL;
+ /* some server configurations allow '..' to slip through in the
+ translated path. We'll just refuse to handle such a path.
*/
+ if (strstr(SG(request_info).path_translated,"..")) {
+ SG(sapi_headers).http_response_code = 404;
+ efree(SG(request_info).path_translated);
+ SG(request_info).path_translated = NULL;
+ }
php_execute_script(&file_handle TSRMLS_CC);
if (SG(request_info).cookie_data) {
efree(SG(request_info).cookie_data);
}
- efree(SG(request_info).path_translated);
+ if (SG(request_info).path_translated)
+ efree(SG(request_info).path_translated);
#ifdef PHP_ENABLE_SEH
} __except(exceptionhandler(&e, GetExceptionInformation())) {
char buf[1024];
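Review bot: `php_execute_script(&file_handle TSRMLS_CC)` still runs unconditionally after the rejection block, so setting the 404 does not by itself stop the request from being executed. The filename in `file_handle` is assigned outside this hunk: if it points at the `path_translated` buffer it is dangling after the `efree`, and if it is a separate copy the rejected path is still what gets run. Moving the call into the other branch, `} else { php_execute_script(&file_handle TSRMLS_CC); }`, avoids both cases. The `strstr` call also reads `path_translated` without a NULL test; whether it can be NULL on entry is not visible here, but `if (SG(request_info).path_translated && strstr(SG(request_info).path_translated, ".."))` costs nothing. The enclosing function begins and ends outside the hunk.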