shane Thu Mar 27 12:52:33 2003 EDT Modified files: /php4/sapi/cgi cgi_main.c /php4/sapi/isapi php4isapi.c Log: handle invalid paths passed to us from iis
Index: php4/sapi/cgi/cgi_main.c
diff -u php4/sapi/cgi/cgi_main.c:1.219 php4/sapi/cgi/cgi_main.c:1.220
--- php4/sapi/cgi/cgi_main.c:1.219 Tue Mar 25 03:07:13 2003
+++ php4/sapi/cgi/cgi_main.c Thu Mar 27 12:52:33 2003
@@ -20,7 +20,7 @@
 +----------------------------------------------------------------------+
 */
-/* $Id: cgi_main.c,v 1.219 2003/03/25 08:07:13 sebastian Exp $ */
+/* $Id: cgi_main.c,v 1.220 2003/03/27 17:52:33 shane Exp $ */
 #include "php.h"
 #include "php_globals.h"
@@ -827,7 +827,9 @@
 #endif
 SG(request_info).request_method = sapi_cgibin_getenv("REQUEST_METHOD",0 TSRMLS_CC);
 SG(request_info).query_string = sapi_cgibin_getenv("QUERY_STRING",0 TSRMLS_CC);
- if (script_path_translated)
+ /* some server configurations allow '..' to slip through in the
+ translated path. We'll just refuse to handle such a path. */
+ if (script_path_translated && !strstr(script_path_translated,".."))
 SG(request_info).path_translated = estrdup(script_path_translated);
 SG(request_info).content_type = (content_type ? content_type : "" );
 SG(request_info).content_length = (content_length?atoi(content_length):0);
Index: php4/sapi/isapi/php4isapi.c
diff -u php4/sapi/isapi/php4isapi.c:1.100 php4/sapi/isapi/php4isapi.c:1.101
--- php4/sapi/isapi/php4isapi.c:1.100 Mon Mar 24 06:21:15 2003
+++ php4/sapi/isapi/php4isapi.c Thu Mar 27 12:52:33 2003
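Review bot: In the cgi_main.c hunk at -827, a translated path containing `..` is dropped silently: `SG(request_info).path_translated` is simply not assigned, and no status is set or message logged, while the php4isapi.c hunk in this commit sets `http_response_code = 404` for the same condition. What the rest of the function and the request handler do with an unset `path_translated` is outside the hunk, so the refusal should be made explicit here, for example with an `else if (script_path_translated)` branch that sets `SG(sapi_headers).http_response_code = 404;`. The `strstr` test matches two dots anywhere in the string, so a file name such as `a..b.php` is refused as well; that fails closed, but it deserves a word in the comment, or a test for `..` as a whole path component between `/` or `\` separators. The enclosing function begins and ends outside the hunk.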
@@ -818,13 +818,21 @@
 #endif
 file_handle.type = ZEND_HANDLE_FILENAME;
 file_handle.opened_path = NULL;
+ /* some server configurations allow '..' to slip through in the
+ translated path. We'll just refuse to handle such a path. */
+ if (strstr(SG(request_info).path_translated,"..")) {
+ SG(sapi_headers).http_response_code = 404;
+ efree(SG(request_info).path_translated);
+ SG(request_info).path_translated = NULL;
+ }
 php_execute_script(&file_handle TSRMLS_CC);
 if (SG(request_info).cookie_data) {
 efree(SG(request_info).cookie_data);
 }
- efree(SG(request_info).path_translated);
+ if (SG(request_info).path_translated)
+ efree(SG(request_info).path_translated);
 #ifdef PHP_ENABLE_SEH
 } __except(exceptionhandler(&e, GetExceptionInformation())) {
 char buf[1024];
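Review bot: In the php4isapi.c hunk, `php_execute_script(&file_handle TSRMLS_CC)` still runs unconditionally after the new block has set the 404 and freed `path_translated`, so the refusal does not by itself stop execution. `file_handle.filename` is assigned outside the hunk; if it was set from `SG(request_info).path_translated`, it now points at freed memory and still names the rejected path. The call should be skipped on rejection, for example by closing the new block with `} else {` and moving `php_execute_script(&file_handle TSRMLS_CC);` inside it, and `file_handle.filename` should be cleared along with the pointer. The `strstr` call also reads `path_translated` without a NULL test, and whether it can be NULL at this point is not visible here; `if (SG(request_info).path_translated && strstr(SG(request_info).path_translated,".."))` covers that case. The enclosing function starts and ends outside the hunk.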