dmitry Tue Jul 15 13:38:29 2008 UTC Modified files: (Branch: PHP_5_2) /php-src NEWS /php-src/sapi/cgi cgi_main.c Log: Fixed bug #45151 (Crash with URI/file..php (filename contains 2 dots)) http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.1173&r2=1.2027.2.547.2.1174&diff_format=u Index: php-src/NEWS diff -u php-src/NEWS:1.2027.2.547.2.1173 php-src/NEWS:1.2027.2.547.2.1174 --- php-src/NEWS:1.2027.2.547.2.1173 Tue Jul 15 13:16:25 2008 +++ php-src/NEWS Tue Jul 15 13:38:29 2008 @@ -26,6 +26,8 @@ - Fixed bug #45251 (double free or corruption with setAttributeNode()). (Rob) - Fixed bug #45220 (curl_read callback returns -1 when needs to return size_t (unsigned)). (Felipe) +- Fixed bug #45151 (Crash with URI/file..php (filename contains 2 dots)). + (Dmitry) - Fixed bug #45139 (ReflectionProperty returns incorrect declaring class). (Felipe) - Fixed bug #45004 (pg_insert() does not accept 4 digit timezone format). http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/cgi_main.c?r1=1.267.2.15.2.57&r2=1.267.2.15.2.58&diff_format=u Index: php-src/sapi/cgi/cgi_main.c diff -u php-src/sapi/cgi/cgi_main.c:1.267.2.15.2.57 php-src/sapi/cgi/cgi_main.c:1.267.2.15.2.58 --- php-src/sapi/cgi/cgi_main.c:1.267.2.15.2.57 Tue Jul 15 13:10:07 2008 +++ php-src/sapi/cgi/cgi_main.c Tue Jul 15 13:38:29 2008 @@ -21,7 +21,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: cgi_main.c,v 1.267.2.15.2.57 2008/07/15 13:10:07 dmitry Exp $ */ +/* $Id: cgi_main.c,v 1.267.2.15.2.58 2008/07/15 13:38:29 dmitry Exp $ */ #include "php.h" #include "php_globals.h" 
@@ -771,6 +771,39 @@ } /* }}} */ +/* {{{ is_valid_path + * + * some server configurations allow '..' to slip through in the + * translated path. We'll just refuse to handle such a path. + */ +static int is_valid_path(const char *path) +{ + const char *p; + + if (!path) { + return 0; + } + p = strstr(path, ".."); + if (p) { + if ((p == path || IS_SLASH(*(p-1))) && + (*(p+2) == 0 || IS_SLASH(*(p+2)))) { + return 0; + } + while (1) { + p = strstr(p+1, ".."); + if (!p) { + break; + } + if (IS_SLASH(*(p-1)) && + (*(p+2) == 0 || IS_SLASH(*(p+2)))) { + return 0; + } + } + } + return 1; +} +/* }}} */ + /* {{{ init_request_info initializes request_info structure @@ -1067,9 +1100,7 @@ if (pt) { efree(pt); } - /* some server configurations allow '..' to slip through in the - translated path. We'll just refuse to handle such a path. */ - if (script_path_translated && !strstr(script_path_translated, "..")) { + if (is_valid_path(script_path_translated)) { SG(request_info).path_translated = estrdup(script_path_translated); } } else { @@ -1100,9 +1131,7 @@ } else { SG(request_info).request_uri = env_script_name; } - /* some server configurations allow '..' to slip through in the - translated path. We'll just refuse to handle such a path. */ - if (script_path_translated && !strstr(script_path_translated, "..")) { + if (is_valid_path(script_path_translated)) { SG(request_info).path_translated = estrdup(script_path_translated); } free(real_path); @@ -1120,9 +1149,7 @@ script_path_translated = env_path_translated; } #endif - /* some server configurations allow '..' to slip through in the - translated path. We'll just refuse to handle such a path. */ - if (script_path_translated && !strstr(script_path_translated, "..")) { + if (is_valid_path(script_path_translated)) { SG(request_info).path_translated = estrdup(script_path_translated); } #if ENABLE_PATHINFO_CHECK
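Review bot: The header comment on `is_valid_path` was carried over from the call sites and still reads as if any '..' is refused, but the function now rejects '..' only when it forms a whole path component (bounded by the start of the string, the terminating NUL, or `IS_SLASH`). Since this relaxes a traversal filter, I would state the contract in the comment, e.g. `* Returns 1 if path is non-NULL and contains no ".." component, 0 otherwise.`, so a reader can see that names such as `file..php` pass by design. It is also worth adding `* Lexical check only: symlinks and any later filesystem normalization are not considered.`, because callers treat the result as the only gate before `estrdup`. As a smaller style point, the first-match test and the loop body repeat the same condition; a single `for (p = strstr(path, ".."); p; p = strstr(p + 1, ".."))` loop that keeps the `p == path ||` guard would remove the duplication.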
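Review bot: When `is_valid_path(script_path_translated)` returns 0 at this call site (hunk at -1067), `SG(request_info).path_translated` is simply left unassigned; the hunk shows no else branch, log entry or error status. The bug being fixed was a crash for `file..php`, which the old `strstr` test rejected in the same way, so a request whose translated path really contains a '..' component presumably still reaches the code that crashed on the unset value. I would make the refusal explicit: log the rejected path and confirm that the later request handling copes with a NULL `path_translated`. The same applies to the hunks at -1100 and -1120. The enclosing function body extends beyond all three hunks, so the downstream handling is not visible here.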