pollita         Wed Jan 24 21:43:47 2007 UTC

  Modified files:              
    /php-src/ext/soap   php_http.c php_xml.c 
    /php-src/ext/standard       php_fopen_wrapper.c 
    /php-src/main       main.c php_globals.h php_streams.h 
    /php-src/main/streams       streams.c userspace.c 
    /php-src    NEWS 
  Log:
  Expand allow_url_fopen/allow_url_include functionality
  
http://cvs.php.net/viewvc.cgi/php-src/ext/soap/php_http.c?r1=1.100&r2=1.101&diff_format=u
Index: php-src/ext/soap/php_http.c
diff -u php-src/ext/soap/php_http.c:1.100 php-src/ext/soap/php_http.c:1.101
--- php-src/ext/soap/php_http.c:1.100   Wed Jan 17 00:22:48 2007
+++ php-src/ext/soap/php_http.c Wed Jan 24 21:43:47 2007
@@ -17,7 +17,7 @@
   |          Dmitry Stogov <[EMAIL PROTECTED]>                             |
   +----------------------------------------------------------------------+
 */
-/* $Id: php_http.c,v 1.100 2007/01/17 00:22:48 pollita Exp $ */
+/* $Id: php_http.c,v 1.101 2007/01/24 21:43:47 pollita Exp $ */
 
 #include "php_soap.h"
 #include "ext/standard/base64.h"
@@ -232,7 +232,7 @@
        int content_type_xml = 0;
        char *content_encoding;
        char *http_msg = NULL;
-       zend_bool old_allow_url_fopen;
+       char *old_allow_url_fopen_list;
        soap_client_object *client;
 
        if (this_ptr == NULL || Z_TYPE_P(this_ptr) != IS_OBJECT) {
@@ -317,13 +317,16 @@
                return FALSE;
        }
 
-       old_allow_url_fopen = PG(allow_url_fopen);
-       zend_alter_ini_entry("allow_url_fopen", sizeof("allow_url_fopen"), "1", 
1, PHP_INI_SYSTEM, PHP_INI_STAGE_RUNTIME);
+       old_allow_url_fopen_list = PG(allow_url_fopen_list);
+       if (!old_allow_url_fopen_list) {
+               old_allow_url_fopen_list = "";
+       }
+       zend_alter_ini_entry("allow_url_fopen", sizeof("allow_url_fopen"), "*", 
1, PHP_INI_SYSTEM, PHP_INI_STAGE_RUNTIME);
        if (use_ssl && php_stream_locate_url_wrapper("https://";, NULL, 
STREAM_LOCATE_WRAPPERS_ONLY TSRMLS_CC) == NULL) {
                php_url_free(phpurl);
                if (request != buf) {efree(request);}
                add_soap_fault(this_ptr, "HTTP", "SSL support is not available 
in this build", NULL, NULL TSRMLS_CC);
-               zend_alter_ini_entry("allow_url_fopen", 
sizeof("allow_url_fopen"), old_allow_url_fopen ? "1" : "0", 1, PHP_INI_SYSTEM, 
PHP_INI_STAGE_RUNTIME);
+               zend_alter_ini_entry("allow_url_fopen", 
sizeof("allow_url_fopen"), old_allow_url_fopen_list, 
strlen(old_allow_url_fopen_list), PHP_INI_SYSTEM, PHP_INI_STAGE_RUNTIME);
                return FALSE;
        }
 
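Review bot: `old_allow_url_fopen_list` holds the live `PG(allow_url_fopen_list)` pointer rather than a copy, and the `"*"` update that follows can free it: in this commit's `OnUpdateAllowUrl`, a runtime-stage call made while the current value is `"*"` runs `free(*allow)` before storing a new string. Every restore call in this function (here and in the `@@ -376,11` hunk), and the same save/restore pair in php_xml.c, then passes the stale pointer to `strlen()` and `zend_alter_ini_entry()`, which reads freed memory in the default "on" configuration. Save a copy instead, `old_allow_url_fopen_list = estrdup(PG(allow_url_fopen_list) ? PG(allow_url_fopen_list) : "");`, and `efree()` it after the restore. Separately, the handler appears to reject `"*"` outside the startup stage when the setting is off or a list, and the return value is not checked, so the temporary override would silently do nothing there. The function body starts and ends outside the hunk.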
@@ -376,11 +379,11 @@
                        php_url_free(phpurl);
                        if (request != buf) {efree(request);}
                        add_soap_fault(this_ptr, "HTTP", "Could not connect to 
host", NULL, NULL TSRMLS_CC);
-                       zend_alter_ini_entry("allow_url_fopen", 
sizeof("allow_url_fopen"), old_allow_url_fopen ? "1" : "0", 1, PHP_INI_SYSTEM, 
PHP_INI_STAGE_RUNTIME);
+                       zend_alter_ini_entry("allow_url_fopen", 
sizeof("allow_url_fopen"), old_allow_url_fopen_list, 
strlen(old_allow_url_fopen_list), PHP_INI_SYSTEM, PHP_INI_STAGE_RUNTIME);
                        return FALSE;
                }
        }
-       zend_alter_ini_entry("allow_url_fopen", sizeof("allow_url_fopen"), 
old_allow_url_fopen ? "1" : "0", 1, PHP_INI_SYSTEM, PHP_INI_STAGE_RUNTIME);
+       zend_alter_ini_entry("allow_url_fopen", sizeof("allow_url_fopen"), 
old_allow_url_fopen_list, strlen(old_allow_url_fopen_list), PHP_INI_SYSTEM, 
PHP_INI_STAGE_RUNTIME);
 
        if (stream) {
                if (client->url) {
http://cvs.php.net/viewvc.cgi/php-src/ext/soap/php_xml.c?r1=1.31&r2=1.32&diff_format=u
Index: php-src/ext/soap/php_xml.c
diff -u php-src/ext/soap/php_xml.c:1.31 php-src/ext/soap/php_xml.c:1.32
--- php-src/ext/soap/php_xml.c:1.31     Wed Jan 17 00:22:48 2007
+++ php-src/ext/soap/php_xml.c  Wed Jan 24 21:43:47 2007
@@ -17,7 +17,7 @@
   |          Dmitry Stogov <[EMAIL PROTECTED]>                             |
   +----------------------------------------------------------------------+
 */
-/* $Id: php_xml.c,v 1.31 2007/01/17 00:22:48 pollita Exp $ */
+/* $Id: php_xml.c,v 1.32 2007/01/24 21:43:47 pollita Exp $ */
 
 #include "php_soap.h"
 #include "libxml/parser.h"
@@ -80,16 +80,19 @@
 {
        xmlParserCtxtPtr ctxt = NULL;
        xmlDocPtr ret;
-       zend_bool old_allow_url_fopen;
+       char *old_allow_url_fopen_list;
 
 /*
        xmlInitParser();
 */
 
-       old_allow_url_fopen = PG(allow_url_fopen);
-       zend_alter_ini_entry("allow_url_fopen", sizeof("allow_url_fopen"), "1", 
1, PHP_INI_SYSTEM, PHP_INI_STAGE_RUNTIME);
+       old_allow_url_fopen_list = PG(allow_url_fopen_list);
+       if (!old_allow_url_fopen_list) {
+               old_allow_url_fopen_list = "";
+       }
+       zend_alter_ini_entry("allow_url_fopen", sizeof("allow_url_fopen"), "*", 
1, PHP_INI_SYSTEM, PHP_INI_STAGE_RUNTIME);
        ctxt = xmlCreateFileParserCtxt(filename);
-       zend_alter_ini_entry("allow_url_fopen", sizeof("allow_url_fopen"), 
old_allow_url_fopen ? "1" : "0", 1, PHP_INI_SYSTEM, PHP_INI_STAGE_RUNTIME);
+       zend_alter_ini_entry("allow_url_fopen", sizeof("allow_url_fopen"), 
old_allow_url_fopen_list, strlen(old_allow_url_fopen_list), PHP_INI_SYSTEM, 
PHP_INI_STAGE_RUNTIME);
        if (ctxt) {
                ctxt->keepBlanks = 0;
                ctxt->sax->ignorableWhitespace = soap_ignorableWhitespace;
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/php_fopen_wrapper.c?r1=1.58&r2=1.59&diff_format=u
Index: php-src/ext/standard/php_fopen_wrapper.c
diff -u php-src/ext/standard/php_fopen_wrapper.c:1.58 
php-src/ext/standard/php_fopen_wrapper.c:1.59
--- php-src/ext/standard/php_fopen_wrapper.c:1.58       Mon Jan  1 09:29:32 2007
+++ php-src/ext/standard/php_fopen_wrapper.c    Wed Jan 24 21:43:47 2007
@@ -17,7 +17,7 @@
    |          Hartmut Holzgraefe <[EMAIL PROTECTED]>                       |
    +----------------------------------------------------------------------+
  */
-/* $Id: php_fopen_wrapper.c,v 1.58 2007/01/01 09:29:32 sebastian Exp $ */
+/* $Id: php_fopen_wrapper.c,v 1.59 2007/01/24 21:43:47 pollita Exp $ */
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -187,7 +187,8 @@
        }
 
        if (!strcasecmp(path, "input")) {
-               if ((options & STREAM_OPEN_FOR_INCLUDE) && 
!PG(allow_url_include) ) {
+               /* Override default behavior for php://input when used as an 
include and allow_url_include is being used in BC (off) mode */
+               if ((options & STREAM_OPEN_FOR_INCLUDE) && 
!PG(allow_url_include_list) ) {
                        if (options & REPORT_ERRORS) {
                                php_error_docref(NULL TSRMLS_CC, E_WARNING, 
"URL file-access is disabled in the server configuration");
                        }
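Review bot: The guard `!PG(allow_url_include_list)` only catches a NULL pointer, but `php_stream_wrapper_is_allowed()` in this commit treats an empty string the same as off, and `OnUpdateAllowUrl` stores a non-NULL empty string when the ini value is empty. In that state an include of php://input passes this check even though URL includes are meant to be disabled; the php://stdin hunk that follows has the same test. Consider `!PG(allow_url_include_list) || !*PG(allow_url_include_list)` in both places. The enclosing function starts and ends outside the hunk.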
@@ -197,7 +198,8 @@
        }  
        
        if (!strcasecmp(path, "stdin")) {
-               if ((options & STREAM_OPEN_FOR_INCLUDE) && 
!PG(allow_url_include) ) {
+               /* Override default behavior for php://stdin when used as an 
include and allow_url_include is being used in BC (off) mode */
+               if ((options & STREAM_OPEN_FOR_INCLUDE) && 
!PG(allow_url_include_list) ) {
                        if (options & REPORT_ERRORS) {
                                php_error_docref(NULL TSRMLS_CC, E_WARNING, 
"URL file-access is disabled in the server configuration");
                        }
http://cvs.php.net/viewvc.cgi/php-src/main/main.c?r1=1.720&r2=1.721&diff_format=u
Index: php-src/main/main.c
diff -u php-src/main/main.c:1.720 php-src/main/main.c:1.721
--- php-src/main/main.c:1.720   Thu Jan 18 12:37:44 2007
+++ php-src/main/main.c Wed Jan 24 21:43:47 2007
@@ -18,7 +18,7 @@
    +----------------------------------------------------------------------+
 */
 
-/* $Id: main.c,v 1.720 2007/01/18 12:37:44 tony2001 Exp $ */
+/* $Id: main.c,v 1.721 2007/01/24 21:43:47 pollita Exp $ */
 
 /* {{{ includes
  */
@@ -419,8 +419,8 @@
        PHP_INI_ENTRY("disable_functions",                      "",             
        PHP_INI_SYSTEM,         NULL)
        PHP_INI_ENTRY("disable_classes",                        "",             
        PHP_INI_SYSTEM,         NULL)
 
-       STD_PHP_INI_BOOLEAN("allow_url_fopen",          "1",            
PHP_INI_SYSTEM,         OnUpdateBool,                   allow_url_fopen,        
                php_core_globals,       core_globals)
-       STD_PHP_INI_BOOLEAN("allow_url_include",                "0",            
PHP_INI_SYSTEM,         OnUpdateBool,                   allow_url_include,      
                php_core_globals,       core_globals)
+       STD_PHP_INI_BOOLEAN("allow_url_fopen",          "1",            
PHP_INI_ALL,            OnUpdateAllowUrl,                       
allow_url_fopen_list,                   php_core_globals,       core_globals)
+       STD_PHP_INI_BOOLEAN("allow_url_include",                "0",            
PHP_INI_ALL,            OnUpdateAllowUrl,                       
allow_url_include_list,          php_core_globals,      core_globals)
        STD_PHP_INI_BOOLEAN("always_populate_raw_post_data",            "0",    
        PHP_INI_SYSTEM|PHP_INI_PERDIR,          OnUpdateBool,                   
always_populate_raw_post_data,                  php_core_globals,       
core_globals)
        STD_PHP_INI_ENTRY("realpath_cache_size", "16K", PHP_INI_SYSTEM, 
OnUpdateLong, realpath_cache_size_limit, virtual_cwd_globals, cwd_globals)
        STD_PHP_INI_ENTRY("realpath_cache_ttl", "120", PHP_INI_SYSTEM, 
OnUpdateLong, realpath_cache_ttl, virtual_cwd_globals, cwd_globals)
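Review bot: Both entries are still declared with `STD_PHP_INI_BOOLEAN` although the storage is now a `char *` list and the handler is `OnUpdateAllowUrl`. The boolean macro presumably also installs the boolean displayer, so a value such as `file:http` would be shown as a plain On/Off in phpinfo() and could mislead anyone auditing the configuration; `STD_PHP_INI_ENTRY` with the same arguments looks like the better fit. Widening the access level from `PHP_INI_SYSTEM` to `PHP_INI_ALL` also makes the tighten-only checks in `OnUpdateAllowUrl` the only barrier against a script relaxing these settings, which deserves a comment next to the entries, e.g. `/* PHP_INI_ALL is safe only because OnUpdateAllowUrl refuses to loosen the list after startup */`.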
@@ -1509,6 +1509,12 @@
        if (core_globals->disable_classes) {
                free(core_globals->disable_classes);
        }
+       if (core_globals->allow_url_fopen_list) {
+               free(core_globals->allow_url_fopen_list);
+       }
+       if (core_globals->allow_url_include_list) {
+               free(core_globals->allow_url_include_list);
+       }
 }
 /* }}} */
 
http://cvs.php.net/viewvc.cgi/php-src/main/php_globals.h?r1=1.109&r2=1.110&diff_format=u
Index: php-src/main/php_globals.h
diff -u php-src/main/php_globals.h:1.109 php-src/main/php_globals.h:1.110
--- php-src/main/php_globals.h:1.109    Mon Jan  1 09:29:35 2007
+++ php-src/main/php_globals.h  Wed Jan 24 21:43:47 2007
@@ -16,7 +16,7 @@
    +----------------------------------------------------------------------+
 */
 
-/* $Id: php_globals.h,v 1.109 2007/01/01 09:29:35 sebastian Exp $ */
+/* $Id: php_globals.h,v 1.110 2007/01/24 21:43:47 pollita Exp $ */
 
 #ifndef PHP_GLOBALS_H
 #define PHP_GLOBALS_H
@@ -124,7 +124,8 @@
        zend_bool modules_activated;
        zend_bool file_uploads;
        zend_bool during_request_startup;
-       zend_bool allow_url_fopen;
+       char *allow_url_fopen_list;
+       char *allow_url_include_list;
        zend_bool always_populate_raw_post_data;
        zend_bool report_zend_debug;
 
@@ -137,7 +138,6 @@
 
        char *disable_functions;
        char *disable_classes;
-       zend_bool allow_url_include;
 #ifdef PHP_WIN32
        zend_bool com_initialized;
 #endif
http://cvs.php.net/viewvc.cgi/php-src/main/php_streams.h?r1=1.123&r2=1.124&diff_format=u
Index: php-src/main/php_streams.h
diff -u php-src/main/php_streams.h:1.123 php-src/main/php_streams.h:1.124
--- php-src/main/php_streams.h:1.123    Tue Jan 16 20:36:04 2007
+++ php-src/main/php_streams.h  Wed Jan 24 21:43:47 2007
@@ -16,11 +16,13 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: php_streams.h,v 1.123 2007/01/16 20:36:04 helly Exp $ */
+/* $Id: php_streams.h,v 1.124 2007/01/24 21:43:47 pollita Exp $ */
 
 #ifndef PHP_STREAMS_H
 #define PHP_STREAMS_H
 
+#include "php_ini.h"
+
 #ifdef HAVE_SYS_TIME_H
 #include <sys/time.h>
 #endif
@@ -165,7 +167,7 @@
 struct _php_stream_wrapper     {
        php_stream_wrapper_ops *wops;   /* operations the wrapper can perform */
        void *abstract;                                 /* context for the 
wrapper */
-       int is_url;                                             /* so that 
PG(allow_url_fopen) can be respected */
+       int is_url;                                             /* so that 
PG(allow_url_fopen_list)/PG(allow_url_include_list) can be respected */
 
        /* support for wrappers to return (multiple) error messages to the 
stream opener */
        int err_count;
@@ -658,6 +660,11 @@
 PHPAPI int _php_stream_make_seekable(php_stream *origstream, php_stream 
**newstream, int flags STREAMS_DC TSRMLS_DC);
 #define php_stream_make_seekable(origstream, newstream, flags) 
_php_stream_make_seekable((origstream), (newstream), (flags) STREAMS_CC 
TSRMLS_CC)
 
+PHP_INI_MH(OnUpdateAllowUrl);
+PHPAPI int php_stream_wrapper_is_allowed(const char *wrapper, int wrapper_len, 
const char *setting TSRMLS_DC);
+#define php_stream_allow_url_fopen(wrapper, wrapper_len)       
php_stream_wrapper_is_allowed((wrapper), (wrapper_len), 
PG(allow_url_fopen_list) TSRMLS_CC)
+#define php_stream_allow_url_include(wrapper, wrapper_len)     
php_stream_wrapper_is_allowed((wrapper), (wrapper_len), 
PG(allow_url_include_list) TSRMLS_CC)
+
 /* Give other modules access to the url_stream_wrappers_hash and 
stream_filters_hash */
 PHPAPI HashTable *_php_stream_get_url_stream_wrappers_hash(TSRMLS_D);
 #define php_stream_get_url_stream_wrappers_hash()      
_php_stream_get_url_stream_wrappers_hash(TSRMLS_C)
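Review bot: `php_stream_wrapper_is_allowed()` is exported with `PHPAPI` but the prototype carries no description, and its contract is not obvious from the names: `wrapper` is length-delimited and the special values of `setting` decide the whole policy. Add a comment above the prototype, for example `/* Returns 1 if wrapper (wrapper_len bytes, need not be NUL-terminated) is permitted by setting: "*" allows everything, NULL or "" allows only is_url == 0 wrappers, anything else is a colon-delimited allow list */`. The two convenience macros would also benefit from a one-line note that they read `PG(allow_url_fopen_list)` and `PG(allow_url_include_list)` respectively.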
@@ -665,6 +672,7 @@
 PHPAPI HashTable *_php_get_stream_filters_hash(TSRMLS_D);
 #define php_get_stream_filters_hash()  _php_get_stream_filters_hash(TSRMLS_C)
 PHPAPI HashTable *php_get_stream_filters_hash_global();
+extern php_stream_wrapper_ops *php_stream_user_wrapper_ops;
 END_EXTERN_C()
 #endif
 
http://cvs.php.net/viewvc.cgi/php-src/main/streams/streams.c?r1=1.146&r2=1.147&diff_format=u
Index: php-src/main/streams/streams.c
diff -u php-src/main/streams/streams.c:1.146 
php-src/main/streams/streams.c:1.147
--- php-src/main/streams/streams.c:1.146        Tue Jan 16 20:36:04 2007
+++ php-src/main/streams/streams.c      Wed Jan 24 21:43:47 2007
@@ -19,7 +19,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: streams.c,v 1.146 2007/01/16 20:36:04 helly Exp $ */
+/* $Id: streams.c,v 1.147 2007/01/24 21:43:47 pollita Exp $ */
 
 #define _GNU_SOURCE
 #include "php.h"
@@ -2096,6 +2096,9 @@
        }
        /* TODO: curl based streams probably support file:// properly */
        if (!protocol || !strncasecmp(protocol, "file", n))     {
+               /* fall back on regular file access */
+               php_stream_wrapper *plain_files_wrapper = 
&php_plain_files_wrapper;
+
                if (protocol) {
                        int localhost = 0;
 
@@ -2132,32 +2135,37 @@
                        return NULL;
                }
                
+               /* The file:// wrapper may have been disabled/overridden */
                if (FG(stream_wrappers)) {
-                       /* The file:// wrapper may have been 
disabled/overridden */
-
-                       if (wrapperpp) {
-                               /* It was found so go ahead and provide it */
-                               return *wrapperpp;
-                       }
-                       
-                       /* Check again, the original check might have not known 
the protocol name */
-                       if (zend_hash_find(wrapper_hash, "file", 
sizeof("file"), (void**)&wrapperpp) == SUCCESS) {
-                               return *wrapperpp;
+                       if (!wrapperpp || zend_hash_find(wrapper_hash, "file", 
sizeof("file"), (void**)&wrapperpp) == FAILURE) {
+                               if (options & REPORT_ERRORS) {
+                                       php_error_docref(NULL TSRMLS_CC, 
E_WARNING, "Plainfiles wrapper disabled");
+                               }
+                               return NULL;
                        }
 
+                       /* Handles overridden plain files wrapper */
+                       plain_files_wrapper = *wrapperpp;
+               }
+
+               if (!php_stream_allow_url_fopen("file", sizeof("file") - 1) ||
+                       ((options & STREAM_OPEN_FOR_INCLUDE) && 
!php_stream_allow_url_include("file", sizeof("file") - 1)) ) {
                        if (options & REPORT_ERRORS) {
-                               php_error_docref(NULL TSRMLS_CC, E_WARNING, 
"Plainfiles wrapper disabled");
+                               php_error_docref(NULL TSRMLS_CC, E_WARNING, 
"file:// wrapper is disabled in the server configuration");
                        }
                        return NULL;
                }
-
-               /* fall back on regular file access */          
-               return &php_plain_files_wrapper;
+               
+               return plain_files_wrapper;
        }
 
-       if ((wrapperpp && (*wrapperpp)->is_url) && (!PG(allow_url_fopen) || 
((options & STREAM_OPEN_FOR_INCLUDE) && !PG(allow_url_include))) ) {
+       if (!php_stream_allow_url_fopen(protocol, n) ||
+               ((options & STREAM_OPEN_FOR_INCLUDE) && 
!php_stream_allow_url_include(protocol, n)) ) {
                if (options & REPORT_ERRORS) {
-                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL 
file-access is disabled in the server configuration");
+                       /* protocol[n] probably isn't '\0' */
+                       char *protocol_dup = estrndup(protocol, n);
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s:// 
wrapper is disabled in the server configuration", protocol_dup);
+                       efree(protocol_dup);
                }
                return NULL;
        }
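Review bot: The rewritten condition `!wrapperpp || zend_hash_find(...) == FAILURE` reports "Plainfiles wrapper disabled" as soon as `wrapperpp` is NULL, without the second lookup the old code performed for the case where the first check did not know the protocol name. If `wrapperpp` is NULL for paths without a scheme (it is assigned outside this hunk, so confirm), every plain-file open would fail once `FG(stream_wrappers)` exists. `if (!wrapperpp && zend_hash_find(wrapper_hash, "file", sizeof("file"), (void**)&wrapperpp) == FAILURE) {` keeps the old fallback while still rejecting a genuinely removed file wrapper.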
@@ -2866,6 +2874,241 @@
 }
 /* }}} */
 
+/* {{{ allow_url_fopen / allow_url_include Handlers */
+
+PHPAPI int php_stream_wrapper_is_allowed(const char *wrapper, int wrapper_len, 
const char *setting TSRMLS_DC)
+{
+       HashTable *wrapper_hash = (FG(stream_wrappers) ? FG(stream_wrappers) : 
&url_stream_wrappers_hash);
+       php_stream_wrapper **wrapperpp;
+       int setting_len = setting ? strlen(setting) : 0;
+       const char *s = setting, *e = s + setting_len;
+       char *wrapper_dup;
+
+       /* BC: allow_url_* == on */
+       if (setting_len == 1 && *setting == '*') {
+               /* "*" means everything is allowed */
+               return 1;
+       }
+
+       if (wrapper_len == (sizeof("zlib") - 1) && strncasecmp("zlib", wrapper, 
sizeof("zlib") - 1) == 0) {
+               wrapper = "compress.zlib";
+               wrapper_len = sizeof("compress.zlib") - 1;
+       }
+
+       wrapper_dup = estrndup(wrapper, wrapper_len);
+       php_strtolower(wrapper_dup, wrapper_len);
+       if (FAILURE == zend_hash_find(wrapper_hash, wrapper_dup, wrapper_len + 
1, (void**)&wrapperpp)) {
+               /* Wrapper does not exist, assume disallow */
+               efree(wrapper_dup);
+               return 0;
+       }
+       efree(wrapper_dup);
+
+       /* BC: allow_url_* == off */
+       if (!setting || !setting_len) {
+               /* NULL or empty indicates that only is_url == 0 wrappers are 
allowed */
+
+               if (wrapper_len == (sizeof("file") - 1) && strncasecmp("file", 
wrapper, sizeof("file") - 1) == 0) {
+                       /* file:// is non-url */
+                       return 1;
+               }
+
+               if ((*wrapperpp)->is_url) {
+                       /* is_url types are disabled, but this is an is_url 
wrapper, disallow */
+                       return 0;
+               }
+
+               /* Wrapper is not is_url, allow it */
+               return 1;
+       }
+
+       /* Otherwise, scan list */
+       while (s < e) {
+               const char *p = php_memnstr((char*)s, ":", 1, (char*)e);
+
+               if (!p) {
+                       p = e;
+               }
+
+               if (wrapper_len == (p - s) &&
+                       strncasecmp(s, wrapper, p - s) == 0) {
+                       /* wrapper found in list */
+                       return 1;
+               }
+
+               if ((*wrapperpp)->wops == php_stream_user_wrapper_ops &&
+                       (sizeof("user") - 1) == (p - s) &&
+                       strncasecmp(s, "user", sizeof("user") - 1) == 0) {
+                       /* Wrapper is userspace wrapper and meta-wrapper "user" 
is enabled */
+                       return 1;
+               }
+
+               s = p + 1;
+       }
+
+       return 0;
+}
+
+/* allow_url_*_list accepts:
+ *
+ * 1/on to enable all URL prefixes
+ * 0/off to disable all is_url=1 wrappers
+ * A colon delimited list of wrappers to allow (wildcards allowed)
+ * e.g.    file:gzip:compress.*:php
+ */
+PHP_INI_MH(OnUpdateAllowUrl)
+{
+#ifndef ZTS
+       char *base = (char *) mh_arg2;
+#else
+       char *base = (char *) ts_resource(*((int *) mh_arg2));
+#endif
+        char **allow = (char **) (base+(size_t) mh_arg1);
+
+       /* BC Enable */
+       if ((new_value_length == 1 && *new_value == '1') ||
+               (new_value_length == (sizeof("on") - 1) && 
strncasecmp(new_value, "on", sizeof("on") - 1) == 0) ) {
+
+               if (*allow && strcmp(*allow, "*") == 0) {
+                       /* Turning on, but that's no change from current, so 
leave it alone */
+                       return SUCCESS;
+               }
+                       
+               if (stage != PHP_INI_STAGE_STARTUP) {
+                       /* Not already on, and not in SYSTEM context, fail */
+                       return FAILURE;
+               }
+
+               /* Otherwise, turn on setting */
+               if (*allow) {
+                       free(*allow);
+               }
+
+               *allow = zend_strndup("*", 1);
+
+               return SUCCESS;
+       }
+
+       /* BC disable */
+       if ((new_value_length == 1 && *new_value == '0') ||
+               (new_value_length == (sizeof("off") - 1) && 
strncasecmp(new_value, "off", sizeof("off") - 1) == 0) ) {
+
+               /* Always permit shutting off allowurl settings */
+               if (*allow) {
+                       free(*allow);
+               }
+               *allow = NULL;
+
+               return SUCCESS;
+       }
+
+       /* Specify as list */
+       if (stage == PHP_INI_STAGE_STARTUP) {
+               /* Always allow new settings in startup stage */
+               if (*allow) {
+                       free(*allow);
+               }
+               *allow = zend_strndup(new_value, new_value_length);
+
+               return SUCCESS;
+       }
+
+       /* In PERDIR/RUNTIME context, do more work to ensure we're only 
tightening the restriction */
+
+       if (*allow && strcmp(*allow, "*") == 0) {
+               /* Currently allowing everying, so whatever we set it to will 
be more restrictive */
+               free(*allow);
+               *allow = zend_strndup(new_value, new_value_length);
+
+               return SUCCESS;
+       }
+
+       if (!*allow) {
+               /* Currently allowing anything with is_url == 0
+                * So long as this list doesn't contain any is_url == 1, allow 
it
+                */
+               HashTable *wrapper_hash = (FG(stream_wrappers) ? 
FG(stream_wrappers) : &url_stream_wrappers_hash);
+               char *s = new_value, *e = new_value + new_value_length;
+
+               while (s < e) {
+                       php_stream_wrapper **wrapper;
+                       char *p = php_memnstr(s, ":", 1, e);
+                       char *scan;
+                       int scan_len;
+
+                       if (!p) {
+                               p = e;
+                       }
+
+                       /* file:// is never a URL */
+                       if ( (p - s) == (sizeof("file") - 1) && strncasecmp(s, 
"file", sizeof("file") - 1) == 0 ) {
+                               /* file is not a URL */
+                               s = p + 1;
+                               continue;
+                       }
+
+                       if ( (p - s) == (sizeof("zlib") - 1) && strncasecmp(s, 
"zlib", sizeof("zlib") - 1) == 0 ) {
+                               /* Wastful since we know that compress.zlib is 
already lower cased, but forgivable */
+                               scan = estrndup("compress.zlib", 
sizeof("compress.zlib") - 1);
+                               scan_len = sizeof("compress.zlib") - 1;
+                       } else {
+                               scan = estrndup(s, p - s);;
+                               scan_len = p - s;
+                               php_strtolower(scan, scan_len);
+                       }
+
+                       if (FAILURE == zend_hash_find(wrapper_hash, scan, 
scan_len + 1, (void**) &wrapper)) {
+                               /* Unknown wrapper, not allowed in this context 
*/
+                               efree(scan);
+                               return FAILURE;
+                       }
+                       efree(scan);
+
+                       if ((*wrapper)->is_url) {
+                               /* Disallowed is_url wrapper specified when 
trying to escape is_url == 0 context */
+                               return FAILURE;
+                       }
+
+                       /* Seems alright so far... */
+                       s = p+1;
+               }
+
+               /* All tests passed, allow it */
+               *allow = zend_strndup(new_value, new_value_length);
+
+               return SUCCESS;
+       }
+
+       /* The current allows are restricted to a specific list,
+        * Make certain that our new list is a subset of that list
+        */
+       {
+               char *s = new_value, *e = new_value + new_value_length;
+
+               while (s < e) {
+                       char *p = php_memnstr(s, ":", 1, e);
+
+                       if (!p) {
+                               p = e;
+                       }
+
+                       if (!php_stream_wrapper_is_allowed(s, p - s, *allow 
TSRMLS_CC)) {
+                               /* Current settings don't allow this wrapper, 
deny */
+                               return FAILURE;
+                       }
+
+                       s = p + 1;
+               }
+
+               free(*allow);
+               *allow = zend_strndup(new_value, new_value_length);
+
+               return SUCCESS;
+       }
+}
+
+/* }}} */
+
 /*
  * Local variables:
  * tab-width: 4
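Review bot: The tighten-only rule in `OnUpdateAllowUrl` does not hold when the current value is a specific list: the "BC disable" branch accepts `0`/`off` at any stage and sets `*allow = NULL`, and an empty `new_value` skips the subset loop entirely, yet `php_stream_wrapper_is_allowed()` reads NULL or empty as "file:// plus every `is_url == 0` wrapper". A list such as `http` that deliberately left out file or php would therefore be widened by a runtime change, which matters now that both entries are `PHP_INI_ALL`. Outside the startup stage, refuse those values while a list is active, e.g. `if (stage != PHP_INI_STAGE_STARTUP && *allow && strcmp(*allow, "*") != 0) return FAILURE;` ahead of the disable branch's `free()`, with the same guard for `new_value_length == 0`. The header comment also promises wildcards (`compress.*`), but the list scan only performs exact `strncasecmp` matches, so either the comment or the matcher should change.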
http://cvs.php.net/viewvc.cgi/php-src/main/streams/userspace.c?r1=1.39&r2=1.40&diff_format=u
Index: php-src/main/streams/userspace.c
diff -u php-src/main/streams/userspace.c:1.39 
php-src/main/streams/userspace.c:1.40
--- php-src/main/streams/userspace.c:1.39       Mon Jan 15 17:06:52 2007
+++ php-src/main/streams/userspace.c    Wed Jan 24 21:43:47 2007
@@ -17,7 +17,7 @@
    +----------------------------------------------------------------------+
 */
 
-/* $Id: userspace.c,v 1.39 2007/01/15 17:06:52 tony2001 Exp $ */
+/* $Id: userspace.c,v 1.40 2007/01/24 21:43:47 pollita Exp $ */
 
 #include "php.h"
 #include "php_globals.h"
@@ -53,7 +53,7 @@
        user_wrapper_mkdir,
        user_wrapper_rmdir
 };
-
+php_stream_wrapper_ops *php_stream_user_wrapper_ops = &user_stream_wops;
 
 static void stream_wrapper_dtor(zend_rsrc_list_entry *rsrc TSRMLS_DC)
 {
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2136&r2=1.2137&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.2136 php-src/NEWS:1.2137
--- php-src/NEWS:1.2136 Sat Jan  6 16:43:54 2007
+++ php-src/NEWS        Wed Jan 24 21:43:47 2007
@@ -10,6 +10,8 @@
 - Changed opendir/dir/scandir to use default context
   when no context argument is passed. (Sara)
 - Changed open_basedir to allow tightening in runtime contexts. (Sara)
+- Changed allow_url_fopen/allow_url_include to allow
+  per-wrapper enable/disable and runtime tightening. (Sara)
 
 - Removed old legacy:
   . "register_globals" support. (Pierre)
