On Tue, 12 Jun 2007, Ilia Alshanetsky wrote: > iliaa Tue Jun 12 12:56:17 2007 UTC > > Modified files: (Branch: PHP_4_4) > /php-src NEWS > /php-src/ext/standard dir.c > Log: > > MFB: Fixed bug #41655 (open_basedir bypass via glob())
This commit breaks the compile on: gcc (GCC) 4.1.2 (Ubuntu 4.1.2-0ubuntu4) gcc (GCC) 4.1.3 20070601 (prerelease) (Debian 4.1.2-12) with the following error: /home/derick/dev/php/php-4.4dev/ext/standard/dir.c: In function ‘zif_glob’: /home/derick/dev/php/php-4.4dev/ext/standard/dir.c:387: error: void value not ignored as it ought to be make: *** [ext/standard/dir.lo] Error 1
>
> http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.1247.2.920.2.236&r2=1.1247.2.920.2.237&diff_format=u
> Index: php-src/NEWS
> diff -u php-src/NEWS:1.1247.2.920.2.236 php-src/NEWS:1.1247.2.920.2.237
> --- php-src/NEWS:1.1247.2.920.2.236 Mon Jun 11 20:19:53 2007
> +++ php-src/NEWS Tue Jun 12 12:56:17 2007
> @@ -29,8 +29,8 @@
> - Fixed CVE-2007-1001 (GD wbmp used with invalid image size). (Pierre)
> - Fixed CVE-2007-0455 (Buffer overflow in gdImageStringFTEx, used by imagettf
> function). (Kees Cook, Pierre)
> -- Fixed bug #41527 (WDDX deserialize numeric string array key). (php_lists
> - at realplain dot com, Ilia)
> +- Fixed bug #41655 (open_basedir bypass via glob()). (Ilia)
> +- Fixed bug #41527 (WDDX deserialize numeric string array key). (Matt, Ilia)
> - Fixed bug #41252 (Calling mcrypt_generic without first calling
> mcrypt_generic_init crashes). (Derick)
> - Fixed bug #40998 (long session array keys are truncated). (Tony)
> http://cvs.php.net/viewvc.cgi/php-src/ext/standard/dir.c?r1=1.109.2.18.2.4&r2=1.109.2.18.2.5&diff_format=u
> Index: php-src/ext/standard/dir.c
> diff -u php-src/ext/standard/dir.c:1.109.2.18.2.4
> php-src/ext/standard/dir.c:1.109.2.18.2.5
> --- php-src/ext/standard/dir.c:1.109.2.18.2.4 Mon Jan 1 09:46:47 2007
> +++ php-src/ext/standard/dir.c Tue Jun 12 12:56:17 2007
> @@ -16,7 +16,7 @@
> +----------------------------------------------------------------------+
> */
>
> -/* $Id: dir.c,v 1.109.2.18.2.4 2007/01/01 09:46:47 sebastian Exp $ */
> +/* $Id: dir.c,v 1.109.2.18.2.5 2007/06/12 12:56:17 iliaa Exp $ */
>
> /* {{{ includes/startup/misc */
>
> @@ -24,6 +24,7 @@
> #include "fopen_wrappers.h"
> #include "file.h"
> #include "php_dir.h"
> +#include "php_string.h"
>
> #ifdef HAVE_DIRENT_H
> # include <dirent.h>
> @@ -349,7 +350,6 @@
> Find pathnames matching a pattern */
> PHP_FUNCTION(glob)
> {
> - char cwd[MAXPATHLEN];
> int cwd_skip = 0;
> #ifdef ZTS
> char work_pattern[MAXPATHLEN];
> @@ -382,6 +382,22 @@
> }
> #endif
>
> + if (PG(safe_mode) || (PG(open_basedir) && *PG(open_basedir))) {
> + size_t base_len = php_dirname(pattern, strlen(pattern));
> + char pos = pattern[base_len];
> +
> + pattern[base_len] = '\0';
> +
> + if (PG(safe_mode) && (!php_checkuid(pattern, NULL,
> CHECKUID_CHECK_FILE_AND_DIR))) {
> + RETURN_FALSE;
> + }
> + if (php_check_open_basedir(pattern TSRMLS_CC)) {
> + RETURN_FALSE;
> + }
> +
> + pattern[base_len] = pos;
> + }
> +
> globbuf.gl_offs = 0;
> if (0 != (ret = glob(pattern, flags & GLOB_FLAGMASK, NULL, &globbuf))) {
> #ifdef GLOB_NOMATCH
> @@ -403,16 +419,6 @@
> return;
> }
>
> - /* we assume that any glob pattern will match files from one directory
> only
> - so checking the dirname of the first match should be sufficient */
> - strncpy(cwd, globbuf.gl_pathv[0], MAXPATHLEN);
> - if (PG(safe_mode) && (!php_checkuid(cwd, NULL,
> CHECKUID_CHECK_FILE_AND_DIR))) {
> - RETURN_FALSE;
> - }
> - if (php_check_open_basedir(cwd TSRMLS_CC)) {
> - RETURN_FALSE;
> - }
> -
> array_init(return_value);
> for (n = 0; n < globbuf.gl_pathc; n++) {
> /* we need to this everytime since GLOB_ONLYDIR does not
> guarantee that
> > -- Derick Rethans http://derickrethans.nl | http://ez.no | http://xdebug.org
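Review bot: In the block added at `@@ -382,6 +382,22 @@`, only the directory part of the pattern string is passed to `php_checkuid()` and `php_check_open_basedir()`, and the `@@ -403,16 +419,6 @@` hunk deletes the one check that looked at an actual match, so after this change no path returned by `glob()` is itself validated. The check is made on a literal string taken from the pattern, which is not necessarily the directory the matches come from once the pattern is expanded. Checking every result inside the existing `for (n = 0; n < globbuf.gl_pathc; n++)` loop, for example `if (php_check_open_basedir(globbuf.gl_pathv[n] TSRMLS_CC)) { continue; }`, would enforce the restriction regardless of how the pattern expands. Separately, both `RETURN_FALSE` paths leave `pattern[base_len]` set to `'\0'`; if `pattern` points into the caller's argument buffer (its origin is outside the hunk), `pattern[base_len] = pos;` should run before each return. The body of `PHP_FUNCTION(glob)` starts and ends outside these hunks.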