Could someone check these out and commit them (or similar)? At
the moment, odbc_execute() allows any script to view any file
without regard to safe_mode or open_basedir, and also under
certain circumstances can corrupt its parameters. See Bug #15516
for more info. It may be desirable to change this mechanism
entirely, since presently you can't use odbc replaceable params
to enter strings which start and end with quotes.
If these changes are not suitable, could someone email me a
comment explaining why? Thanks...
Index: php_odbc.c
===================================================================
RCS file: /repository/php4/ext/odbc/php_odbc.c,v
retrieving revision 1.115
diff -u -r1.115 php_odbc.c
--- php_odbc.c 30 Jan 2002 21:54:54 -0000 1.115
+++ php_odbc.c 13 Feb 2002 08:52:27 -0000
@@ -943,12 +943,23 @@
else
ctype = SQL_C_CHAR;
- if (Z_STRVAL_PP(tmp)[0] == '\'' &&
+ if (Z_STRLEN_PP(tmp) > 2 &&
+ Z_STRVAL_PP(tmp)[0] == '\'' &&
Z_STRVAL_PP(tmp)[Z_STRLEN_PP(tmp) - 1] == '\'') {
- filename = &Z_STRVAL_PP(tmp)[1];
- filename[Z_STRLEN_PP(tmp) - 2] = '\0';
+ filename = estrndup(&Z_STRVAL_PP(tmp)[1],
+Z_STRLEN_PP(tmp) - 2);
+ filename[strlen(filename)] = '\0';
- if ((params[i-1].fp = open(filename,O_RDONLY)) == -1) {
+ /* Check for safe mode. */
+ if (PG(safe_mode) &&(!php_checkuid(filename, NULL,
CHECKUID_CHECK_FILE_AND_DIR))) {
+ RETURN_FALSE;
+ }
+
+ /* Check the basedir */
+ if (php_check_open_basedir(filename TSRMLS_CC)) {
+ RETURN_FALSE;
+ }
+
+ if ((params[i-1].fp = open(filename,O_RDONLY)) == -1) {
php_error(E_WARNING,"Can't open file %s",
filename);
SQLFreeStmt(result->stmt, SQL_RESET_PARAMS);
for(i = 0; i < result->numparams; i++) {
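Review bot: the two new RETURN_FALSE exits under the safe_mode and open_basedir checks skip the cleanup that the open() failure branch directly below them performs: SQLFreeStmt(result->stmt, SQL_RESET_PARAMS), the loop over result->numparams, and efree(params). A rejected filename therefore returns with the statement's parameters still bound and params still allocated. Suggest routing all three failure cases through the same cleanup code. Separately, filename[strlen(filename)] = '\0'; only overwrites the existing terminator with another NUL and can be dropped, since estrndup() already terminates the copy. The new guard Z_STRLEN_PP(tmp) > 2 also means a parameter of exactly '' is now bound as a literal string; a short comment saying that is intended would help.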
@@ -957,8 +968,11 @@
}
}
efree(params);
+ efree(filename);
RETURN_FALSE;
}
+
+ efree(filename);
params[i-1].vallen = SQL_LEN_DATA_AT_EXEC(0);
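Review bot: efree(filename) is reached only on the open() failure branch and on the success path just before params[i-1].vallen is set, so the estrndup() copy is not released on the safe_mode and open_basedir RETURN_FALSE exits added in the previous hunk. Free filename before each of those returns, or collect the error handling in one place so a single efree(filename) covers every exit. Once that is done, the two efree(filename) calls here could also collapse into one placed right after the open() result has been checked and reported.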
--
Torben Wilson <[EMAIL PROTECTED]>
http://www.thebuttlesschaps.com
http://www.hybrid17.com
http://www.inflatableeye.com
+1.604.709.0506
--
PHP Development Mailing List <http://www.php.net/>