iliaa Tue Jun 12 12:53:08 2007 UTC Modified files: (Branch: PHP_5_2) /php-src NEWS /php-src/ext/standard dir.c Log: Fixed bug #41655 (open_basedir bypass via glob())
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.775&r2=1.2027.2.547.2.776&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.2027.2.547.2.775 php-src/NEWS:1.2027.2.547.2.776
--- php-src/NEWS:1.2027.2.547.2.775 Mon Jun 11 20:22:45 2007
+++ php-src/NEWS Tue Jun 12 12:53:07 2007
@@ -25,6 +25,7 @@
 - Fixed PECL bug #11216 (crash in ZipArchive::addEmptyDir when a directory already exists). (Pierre)
+- Fixed bug #41655 (open_basedir bypass via glob()). (Ilia)
 - Fixed bug #41640 (get_class_vars produces error on class constants). (Johannes)
 - Fixed bug #41630 (segfault when an invalid color index is present in
@@ -46,8 +47,7 @@
 with ini_set()). (Tony, Dmitry)
 - Fixed bug #41555 (configure failure: regression caused by fix for #41265). (Jani)
-- Fixed bug #41527 (WDDX deserialize numeric string array key). (php_lists
- at realplain dot com, Ilia)
+- Fixed bug #41527 (WDDX deserialize numeric string array key). (Matt, Ilia)
 - Fixed bug #41518 (file_exists() warns of open_basedir restriction on non-existent file). (Tony)
 - Fixed bug #39330 (apache2handler does not call shutdown actions before
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/dir.c?r1=1.147.2.3.2.4&r2=1.147.2.3.2.5&diff_format=u
Index: php-src/ext/standard/dir.c
diff -u php-src/ext/standard/dir.c:1.147.2.3.2.4 php-src/ext/standard/dir.c:1.147.2.3.2.5
--- php-src/ext/standard/dir.c:1.147.2.3.2.4 Sat Feb 24 17:16:23 2007
+++ php-src/ext/standard/dir.c Tue Jun 12 12:53:08 2007
@@ -16,7 +16,7 @@
 +----------------------------------------------------------------------+
 */
-/* $Id: dir.c,v 1.147.2.3.2.4 2007/02/24 17:16:23 iliaa Exp $ */
+/* $Id: dir.c,v 1.147.2.3.2.5 2007/06/12 12:53:08 iliaa Exp $ */
 /* {{{ includes/startup/misc */
@@ -24,6 +24,7 @@
 #include "fopen_wrappers.h"
 #include "file.h"
 #include "php_dir.h"
+#include "php_string.h"
 #include "php_scandir.h"
 #ifdef HAVE_DIRENT_H
@@ -361,7 +362,6 @@
 Find pathnames matching a pattern */
 PHP_FUNCTION(glob)
 {
- char cwd[MAXPATHLEN];
 int cwd_skip = 0;
 #ifdef ZTS
 char work_pattern[MAXPATHLEN];
@@ -395,6 +395,22 @@
 }
 #endif
+ if (PG(safe_mode) || (PG(open_basedir) && *PG(open_basedir))) {
+ size_t base_len = php_dirname(pattern, strlen(pattern));
+ char pos = pattern[base_len];
+
+ pattern[base_len] = '\0';
+
+ if (PG(safe_mode) && (!php_checkuid(pattern, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
+ RETURN_FALSE;
+ }
+ if (php_check_open_basedir(pattern TSRMLS_CC)) {
+ RETURN_FALSE;
+ }
+
+ pattern[base_len] = pos;
+ }
+
 globbuf.gl_offs = 0;
 if (0 != (ret = glob(pattern, flags & GLOB_FLAGMASK, NULL, &globbuf))) {
 #ifdef GLOB_NOMATCH
@@ -420,16 +436,6 @@
 return;
 }
- /* we assume that any glob pattern will match files from one directory only
- so checking the dirname of the first match should be sufficient */
- strlcpy(cwd, globbuf.gl_pathv[0], MAXPATHLEN);
- if (PG(safe_mode) && (!php_checkuid(cwd, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
- RETURN_FALSE;
- }
- if (php_check_open_basedir(cwd TSRMLS_CC)) {
- RETURN_FALSE;
- }
-
 array_init(return_value);
 for (n = 0; n < globbuf.gl_pathc; n++) {
 /* we need to do this everytime since GLOB_ONLYDIR does not guarantee that
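Review bot: The safe_mode and open_basedir checks added in the `@@ -395,6 +395,22 @@` hunk validate the directory part of the pattern string before glob() expands it, so when that directory part itself contains wildcards the check runs on a pattern, not on the directories the matches actually come from. Checking each expanded path is more robust: inside the `for (n = 0; n < globbuf.gl_pathc; n++)` loop visible in the last hunk (its body continues outside the diff), add `if (php_check_open_basedir(globbuf.gl_pathv[n] TSRMLS_CC)) { continue; }` together with the matching php_checkuid() test under safe_mode. Separately, both `RETURN_FALSE` paths leave before `pattern[base_len] = pos;` runs, so the pattern buffer, which outside the ZTS branch appears to be the caller's own argument, stays truncated after a denied call; restore the byte before each return. php_dirname() is handed the live buffer and not a copy, so if it rewrites the string in place (presumably for a pattern with no directory component) the saved `pos` cannot bring the original pattern back; that is worth confirming and, if so, the check should run on a copy of the pattern.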