dmitry Thu Mar 13 14:09:54 2008 UTC Modified files: (Branch: PHP_5_3) /php-src/main fopen_wrappers.c Log: Disable path resolution for filenames with stream wrappers More careful check for relative pathes (./xxx and ../xxx) http://cvs.php.net/viewvc.cgi/php-src/main/fopen_wrappers.c?r1=1.175.2.3.2.13.2.7&r2=1.175.2.3.2.13.2.8&diff_format=u
Index: php-src/main/fopen_wrappers.c
diff -u php-src/main/fopen_wrappers.c:1.175.2.3.2.13.2.7 php-src/main/fopen_wrappers.c:1.175.2.3.2.13.2.8
--- php-src/main/fopen_wrappers.c:1.175.2.3.2.13.2.7 Wed Mar 5 13:34:12 2008
+++ php-src/main/fopen_wrappers.c Thu Mar 13 14:09:54 2008
@@ -17,7 +17,7 @@
 +----------------------------------------------------------------------+ */
-/* $Id: fopen_wrappers.c,v 1.175.2.3.2.13.2.7 2008/03/05 13:34:12 dmitry Exp $ */
+/* $Id: fopen_wrappers.c,v 1.175.2.3.2.13.2.8 2008/03/13 14:09:54 dmitry Exp $ */
 /* {{{ includes */
@@ -446,13 +446,21 @@
 {
 char resolved_path[MAXPATHLEN];
 char trypath[MAXPATHLEN];
- char *ptr, *end;
+ const char *ptr, *end, *p;
 if (!filename) {
 return NULL;
 }
- if (*filename == '.' ||
+ /* Don't resolve patches which contain protocol */
+ for (p = filename; isalnum((int)*p) || *p == '+' || *p == '-' || *p == '.'; p++);
+ if ((*p == ':') && (p - filename > 1) && (p[1] == '/') && (p[2] == '/')) {
+ return NULL;
+ }
+
+ if ((*filename == '.' &&
+ (IS_SLASH(filename[1]) ||
+ ((filename[1] == '.') && IS_SLASH(filename[2])))) ||
 IS_ABSOLUTE_PATH(filename, filename_length) || !path || !*path) {
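Review bot: In the added scheme scan, `isalnum((int)*p)` hands a plain `char` to `isalnum`; where `char` is signed, a filename byte above 0x7F becomes a negative argument, which is undefined behaviour for the `<ctype.h>` functions, and the classification is locale-dependent besides. Cast through `unsigned char`, i.e. `isalnum((unsigned char)*p)`, or test the ASCII ranges explicitly so the wrapper check cannot vary with locale. The test also skips resolution only for the `scheme://` form, so any wrapper the stream layer accepts without `//` (possibly `data:`; this should be confirmed against the wrapper lookup code) would still be run through include-path resolution. The new comment should read `/* Don't resolve paths which contain protocol */`. The enclosing function starts before this hunk and continues past its last line, so how callers treat the new `NULL` return is not visible here.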