iliaa Thu Aug 23 02:04:39 2007 UTC Modified files: (Branch: PHP_5_2) /php-src NEWS /php-src/ext/session mod_files.c Log: Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir bypass). http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.906&r2=1.2027.2.547.2.907&diff_format=u Index: php-src/NEWS diff -u php-src/NEWS:1.2027.2.547.2.906 php-src/NEWS:1.2027.2.547.2.907 --- php-src/NEWS:1.2027.2.547.2.906 Wed Aug 22 22:40:29 2007 +++ php-src/NEWS Thu Aug 23 02:04:39 2007 @@ -9,6 +9,8 @@ in the same way as "instanceof" operator). (Dmitry) - Fixed bug #41904 (proc_open(): empty env array should cause empty environment to be passed to process). (Jani) +- Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir + bypass). (Ilia) 16 Aug 2007, PHP 5.2.4RC2 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client http://cvs.php.net/viewvc.cgi/php-src/ext/session/mod_files.c?r1=1.100.2.3.2.7&r2=1.100.2.3.2.8&diff_format=u Index: php-src/ext/session/mod_files.c diff -u php-src/ext/session/mod_files.c:1.100.2.3.2.7 php-src/ext/session/mod_files.c:1.100.2.3.2.8 --- php-src/ext/session/mod_files.c:1.100.2.3.2.7 Fri Aug 3 01:16:40 2007 +++ php-src/ext/session/mod_files.c Thu Aug 23 02:04:39 2007 @@ -16,7 +16,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: mod_files.c,v 1.100.2.3.2.7 2007/08/03 01:16:40 stas Exp $ */ +/* $Id: mod_files.c,v 1.100.2.3.2.8 2007/08/23 02:04:39 iliaa Exp $ */ #include "php.h" 
@@ -164,6 +164,28 @@ data->filemode); if (data->fd != -1) { +#ifndef PHP_WIN32 + /* check to make sure that the opened file is not a symlink, linking to data outside of allowable dirs */ + if (PG(safe_mode) || PG(open_basedir)) { + struct stat sbuf; + + if (fstat(data->fd, &sbuf)) { + close(data->fd); + return; + } + if ( + S_ISLNK(sbuf.st_mode) && + ( + php_check_open_basedir(buf TSRMLS_CC) || + (PG(safe_mode) && !php_checkuid(buf, NULL, CHECKUID_CHECK_FILE_AND_DIR)) + ) + ) { + + close(data->fd); + return; + } + } +#endif flock(data->fd, LOCK_EX); #ifdef F_SETFD
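Review bot: The S_ISLNK(sbuf.st_mode) test in the mod_files.c hunk is applied to the result of fstat(data->fd, &sbuf), and fstat() reports on the file the descriptor already refers to, not on the path in buf. If the open call above followed a symlink (its flags are not visible in this hunk), the mode returned is that of the link target, so the S_ISLNK branch does not fire and neither php_check_open_basedir(buf TSRMLS_CC) nor php_checkuid() is reached. Suggest either calling lstat(buf, &sbuf) on the path, or opening with O_NOFOLLOW where the platform has it, and applying the open_basedir check to the resolved target rather than only to buf. Separately, both early exits do close(data->fd); return; without resetting data->fd to -1, so later code that tests data->fd would see a stale descriptor number; set it to -1 before returning.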