diff options
| author | Ilia Alshanetsky <iliaa@php.net> | 2007-06-12 12:56:17 +0000 |
|---|---|---|
| committer | Ilia Alshanetsky <iliaa@php.net> | 2007-06-12 12:56:17 +0000 |
| commit | db2cce5fea39fe4bca60fe284a6e9b038d16acf8 (patch) | |
| tree | 7f06b8b23d5c08548dc327ed8ab4bd3b6f0bc7a9 | |
| parent | d7ddbd5ccf848ad5951af038aa5b2cdd3e0d2d8e (diff) | |
| download | php-git-db2cce5fea39fe4bca60fe284a6e9b038d16acf8.tar.gz | |
MFB: Fixed bug #41655 (open_basedir bypass via glob())
| -rw-r--r-- | NEWS | 4 | ||||
| -rw-r--r-- | ext/standard/dir.c | 28 |
2 files changed, 19 insertions, 13 deletions
@@ -29,8 +29,8 @@ PHP 4 NEWS - Fixed CVE-2007-1001 (GD wbmp used with invalid image size). (Pierre) - Fixed CVE-2007-0455 (Buffer overflow in gdImageStringFTEx, used by imagettf function). (Kees Cook, Pierre) -- Fixed bug #41527 (WDDX deserialize numeric string array key). (php_lists - at realplain dot com, Ilia) +- Fixed bug #41655 (open_basedir bypass via glob()). (Ilia) +- Fixed bug #41527 (WDDX deserialize numeric string array key). (Matt, Ilia) - Fixed bug #41252 (Calling mcrypt_generic without first calling mcrypt_generic_init crashes). (Derick) - Fixed bug #40998 (long session array keys are truncated). (Tony) diff --git a/ext/standard/dir.c b/ext/standard/dir.c index 43e8310b21..7e2b266671 100644 --- a/ext/standard/dir.c +++ b/ext/standard/dir.c @@ -24,6 +24,7 @@ #include "fopen_wrappers.h" #include "file.h" #include "php_dir.h" +#include "php_string.h" #ifdef HAVE_DIRENT_H # include <dirent.h> @@ -349,7 +350,6 @@ PHP_NAMED_FUNCTION(php_if_readdir) Find pathnames matching a pattern */ PHP_FUNCTION(glob) { - char cwd[MAXPATHLEN]; int cwd_skip = 0; #ifdef ZTS char work_pattern[MAXPATHLEN]; @@ -382,6 +382,22 @@ PHP_FUNCTION(glob) } #endif + if (PG(safe_mode) || (PG(open_basedir) && *PG(open_basedir))) { + size_t base_len = php_dirname(pattern, strlen(pattern)); + char pos = pattern[base_len]; + + pattern[base_len] = '\0'; + + if (PG(safe_mode) && (!php_checkuid(pattern, NULL, CHECKUID_CHECK_FILE_AND_DIR))) { + RETURN_FALSE; + } + if (php_check_open_basedir(pattern TSRMLS_CC)) { + RETURN_FALSE; + } + + pattern[base_len] = pos; + } + globbuf.gl_offs = 0; if (0 != (ret = glob(pattern, flags & GLOB_FLAGMASK, NULL, &globbuf))) { #ifdef GLOB_NOMATCH @@ -403,16 +419,6 @@ PHP_FUNCTION(glob) return; } - /* we assume that any glob pattern will match files from one directory only - so checking the dirname of the first match should be sufficient */ - strncpy(cwd, globbuf.gl_pathv[0], MAXPATHLEN); - if (PG(safe_mode) && (!php_checkuid(cwd, NULL, CHECKUID_CHECK_FILE_AND_DIR))) { - RETURN_FALSE; - } - if (php_check_open_basedir(cwd TSRMLS_CC)) { - RETURN_FALSE; - } - array_init(return_value); for (n = 0; n < globbuf.gl_pathc; n++) { /* we need to this everytime since GLOB_ONLYDIR does not guarantee that |