Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir

bypass).
author: Ilia Alshanetsky <iliaa@php.net> 2007-08-23 02:04:39 +0000
committer: Ilia Alshanetsky <iliaa@php.net> 2007-08-23 02:04:39 +0000
commit: 89c0ba1685032b0da7626f794fbea215a5b78cf2 (patch)
tree: aad1cf8c8c035b913e6af1090fe87a0eb2338f49 /ext/session/mod_files.c
parent: f30f2ef73335ba5de31ad4f27643c369c354db61 (diff)
download: php-git-89c0ba1685032b0da7626f794fbea215a5b78cf2.tar.gz
1 files changed, 22 insertions, 0 deletions
diff --git a/ext/session/mod_files.c b/ext/session/mod_files.c
index 722e389177..6535c7d345 100644
--- a/ext/session/mod_files.c
+++ b/ext/session/mod_files.c
@@ -164,6 +164,28 @@ static void ps_files_open(ps_files *data, const char *key TSRMLS_DC)
 				data->filemode);
 		
 		if (data->fd != -1) {
+#ifndef PHP_WIN32
+			/* check to make sure that the opened file is not a symlink, linking to data outside of allowable dirs */
+			if (PG(safe_mode) || PG(open_basedir)) {
+				struct stat sbuf;
+
+				if (fstat(data->fd, &sbuf)) {
+					close(data->fd);
+					return;
+				}
+				if (
+					S_ISLNK(sbuf.st_mode) && 
+					(
+						php_check_open_basedir(buf TSRMLS_CC) ||
+						(PG(safe_mode) && !php_checkuid(buf, NULL, CHECKUID_CHECK_FILE_AND_DIR))
+					)
+				) {
+
+					close(data->fd);
+					return;
+				}
+			}
+#endif
 			flock(data->fd, LOCK_EX);
 
 #ifdef F_SETFD
author	Ilia Alshanetsky <iliaa@php.net>	2007-08-23 02:04:39 +0000
committer	Ilia Alshanetsky <iliaa@php.net>	2007-08-23 02:04:39 +0000
commit	89c0ba1685032b0da7626f794fbea215a5b78cf2 (patch)
tree	aad1cf8c8c035b913e6af1090fe87a0eb2338f49 /ext/session/mod_files.c
parent	f30f2ef73335ba5de31ad4f27643c369c354db61 (diff)
download	php-git-89c0ba1685032b0da7626f794fbea215a5b78cf2.tar.gz