iliaa                                    Sun, 31 Jan 2010 18:06:29 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=294272

Log:
Fixed a possible open_basedir/safe_mode bypass in session extension identified 
by Grzegorz Stachowiak.

Changed paths:
    U   php/php-src/branches/PHP_5_2/NEWS
    U   php/php-src/branches/PHP_5_2/ext/session/session.c
    U   php/php-src/branches/PHP_5_3/NEWS
    U   php/php-src/branches/PHP_5_3/ext/session/session.c
    U   php/php-src/trunk/ext/session/session.c

Modified: php/php-src/branches/PHP_5_2/NEWS
===================================================================
--- php/php-src/branches/PHP_5_2/NEWS   2010-01-31 17:43:29 UTC (rev 294271)
+++ php/php-src/branches/PHP_5_2/NEWS   2010-01-31 18:06:29 UTC (rev 294272)
@@ -1,7 +1,10 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? Feb 2010, PHP 5.2.13
+- Fixed a possible open_basedir/safe_mode bypass in session extension
+  identified by Grzegorz Stachowiak. (Ilia)

+
 28 Jan 2010, PHP 5.2.13RC1
 - Updated timezone database to version 2010.2. (Derick)
 - Upgraded bundled PCRE to version 8.01. (Ilia)

Modified: php/php-src/branches/PHP_5_2/ext/session/session.c
===================================================================
--- php/php-src/branches/PHP_5_2/ext/session/session.c  2010-01-31 17:43:29 UTC 
(rev 294271)
+++ php/php-src/branches/PHP_5_2/ext/session/session.c  2010-01-31 18:06:29 UTC 
(rev 294272)
@@ -653,8 +653,13 @@
                        return FAILURE;
                }

-               if ((p = zend_memrchr(new_value, ';', new_value_length))) {
+               /* we do not use zend_memrchr() since path can contain ; itself 
*/
+               if ((p = strchr(new_value, ';'))) {
+                       char *p2;
                        p++;
+                       if ((p2 = strchr(p, ';'))) {
+                               p = p2 + 1;
+                       }
                } else {
                        p = new_value;
                }
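Review bot: The new comment above `strchr(new_value, ';')` explains why zend_memrchr() was dropped but not which layout the code now assumes: it skips at most two `;`-terminated fields, which matches the documented `N;MODE;/path` form of session.save_path, and whatever follows is what reaches the check further down (outside this hunk, presumably the open_basedir/safe_mode test named in the log). I would spell that out, e.g. `/* save_path is "[N;[MODE;]]/path": skip at most two ';' fields, the remainder is the path to check */`, and add that this parsing has to stay in step with the save handler's own split of the value, since any divergence would let the checked path differ from the one actually opened. The changed-paths list contains only NEWS and session.c, so a regression test covering a save_path whose path component contains `;` would be worth adding alongside the fix. The same applies to the identical hunks for PHP_5_3 and trunk.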

Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS   2010-01-31 17:43:29 UTC (rev 294271)
+++ php/php-src/branches/PHP_5_3/NEWS   2010-01-31 18:06:29 UTC (rev 294272)
@@ -5,6 +5,8 @@
 - Upgraded bundled sqlite to version 3.6.22. (Ilia)
 - Upgraded bundled libmagic to version 5.03. (Mikko)

+- Fixed a possible open_basedir/safe_mode bypass in session extension
+  identified by Grzegorz Stachowiak. (Ilia)
 - Improved LCG entropy. (Rasmus, Samy Kamkar)

 - Added libpng 1.4.0 support. (Pierre)

Modified: php/php-src/branches/PHP_5_3/ext/session/session.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/session/session.c  2010-01-31 17:43:29 UTC 
(rev 294271)
+++ php/php-src/branches/PHP_5_3/ext/session/session.c  2010-01-31 18:06:29 UTC 
(rev 294272)
@@ -687,8 +687,13 @@
                        return FAILURE;
                }

-               if ((p = zend_memrchr(new_value, ';', new_value_length))) {
+               /* we do not use zend_memrchr() since path can contain ; itself 
*/
+               if ((p = strchr(new_value, ';'))) {
+                       char *p2;
                        p++;
+                       if ((p2 = strchr(p, ';'))) {
+                               p = p2 + 1;
+                       }
                } else {
                        p = new_value;
                }

Modified: php/php-src/trunk/ext/session/session.c
===================================================================
--- php/php-src/trunk/ext/session/session.c     2010-01-31 17:43:29 UTC (rev 
294271)
+++ php/php-src/trunk/ext/session/session.c     2010-01-31 18:06:29 UTC (rev 
294272)
@@ -563,8 +563,13 @@
                        return FAILURE;
                }

-               if ((p = zend_memrchr(new_value, ';', new_value_length))) {
+               /* we do not use zend_memrchr() since path can contain ; itself 
*/
+               if ((p = strchr(new_value, ';'))) {
+                       char *p2;
                        p++;
+                       if ((p2 = strchr(p, ';'))) {
+                               p = p2 + 1;
+                       }
                } else {
                        p = new_value;
                }
