fd fix

3 files changed, 20 insertions, 0 deletions

diff --git a/NEWS b/NEWS
index 01481a3049..6b63e90d44 100644
--- a/NEWS
+++ b/NEWS
@@ -40,6 +40,10 @@ PHP                                                                        NEWS
   . Fixed bug #54547 (wrong equality of string numbers). (Gustavo)
   . Fixed bug #54197 ([PATH=] sections incompatibility with user_ini.filename
     set to null). (Anatoliy)
+  . Changed php://fd to be available only for CLI.
+
+- Phar:
+  . Fix bug #61065 (Secunia SA44335). (Rasmus)
 
 - Reflection:
   . Implemented FR #61602 (Allow access to the name of constant
diff --git a/UPGRADING b/UPGRADING
index 391c3651ff..7177a6df64 100755
--- a/UPGRADING
+++ b/UPGRADING
@@ -339,6 +339,8 @@ PHP 5.4 UPGRADE NOTES
 - ob_start() no longer starts multiple output buffers when passed
   array("callback1", "callback2", "callback3", ...).
 
+- Since 5.4.4, "php://fd" stream syntax is available only in CLI build.
+
 ==============================
 5. Changes to existing classes
 ==============================
diff --git a/ext/standard/php_fopen_wrapper.c b/ext/standard/php_fopen_wrapper.c
index a831dd1c16..b51aaa219f 100644
--- a/ext/standard/php_fopen_wrapper.c
+++ b/ext/standard/php_fopen_wrapper.c
@@ -263,6 +263,20 @@ php_stream * php_stream_url_wrap_php(php_stream_wrapper *wrapper, char *path, ch
 		long	   fildes_ori;
 		int		   dtablesize;
 
+		if (strcmp(sapi_module.name, "cli")) {
+			if (options & REPORT_ERRORS) {
+				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Direct access to file descriptors is only available from command-line PHP");
+			}
+			return NULL;
+		}
+
+		if ((options & STREAM_OPEN_FOR_INCLUDE) && !PG(allow_url_include) ) {
+			if (options & REPORT_ERRORS) {
+				php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL file-access is disabled in the server configuration");
+			}
+			return NULL;
+		}
+
 		start = &path[3];
 		fildes_ori = strtol(start, &end, 10);
 		if (end == start || *end != '\0') {