diff options
author | sj-i <shinji.igarashi@gmail.com> | 2020-12-20 15:57:54 +0900 |
---|---|---|
committer | Nikita Popov <nikita.ppv@gmail.com> | 2021-01-19 11:41:58 +0100 |
commit | 5d31ee302db073d5e99cf307315d2d631eaa34a5 (patch) | |
tree | 93324ec78f3b18b1fb9581b47854c1e6406507de /main | |
parent | 68f5289e9e84b12b1a9ad671657702ce9a65a1e1 (diff) | |
download | php-git-5d31ee302db073d5e99cf307315d2d631eaa34a5.tar.gz |
Fixed bug #42560
Check open_basedir after the fallback to the system's temporary
directory in tempnam().
In order to preserve the current behavior of upload_tmp_dir
(do not check explicitly specified dir, but check fallback),
new flags are added to check open_basedir for explicit dir
and for fallback.
Closes GH-6526.
Diffstat (limited to 'main')
-rw-r--r-- | main/php_open_temporary_file.c | 10 | ||||
-rw-r--r-- | main/php_open_temporary_file.h | 10 | ||||
-rw-r--r-- | main/rfc1867.c | 2 |
3 files changed, 18 insertions, 4 deletions
diff --git a/main/php_open_temporary_file.c b/main/php_open_temporary_file.c index 6fca7e4cab..b15dec03e4 100644 --- a/main/php_open_temporary_file.c +++ b/main/php_open_temporary_file.c @@ -301,13 +301,19 @@ PHPAPI int php_open_temporary_fd_ex(const char *dir, const char *pfx, zend_strin def_tmp: temp_dir = php_get_temporary_directory(); - if (temp_dir && *temp_dir != '\0' && (!(flags & PHP_TMP_FILE_OPEN_BASEDIR_CHECK) || !php_check_open_basedir(temp_dir))) { + if (temp_dir && + *temp_dir != '\0' && + (!(flags & PHP_TMP_FILE_OPEN_BASEDIR_CHECK_ON_FALLBACK) || !php_check_open_basedir(temp_dir))) { return php_do_open_temporary_file(temp_dir, pfx, opened_path_p); } else { return -1; } } + if ((flags & PHP_TMP_FILE_OPEN_BASEDIR_CHECK_ON_EXPLICIT_DIR) && php_check_open_basedir(dir)) { + return -1; + } + /* Try the directory given as parameter. */ fd = php_do_open_temporary_file(dir, pfx, opened_path_p); if (fd == -1) { @@ -322,7 +328,7 @@ def_tmp: PHPAPI int php_open_temporary_fd(const char *dir, const char *pfx, zend_string **opened_path_p) { - return php_open_temporary_fd_ex(dir, pfx, opened_path_p, 0); + return php_open_temporary_fd_ex(dir, pfx, opened_path_p, PHP_TMP_FILE_DEFAULT); } PHPAPI FILE *php_open_temporary_file(const char *dir, const char *pfx, zend_string **opened_path_p) diff --git a/main/php_open_temporary_file.h b/main/php_open_temporary_file.h index 0195056e31..2c7d98fe86 100644 --- a/main/php_open_temporary_file.h +++ b/main/php_open_temporary_file.h @@ -19,8 +19,16 @@ #ifndef PHP_OPEN_TEMPORARY_FILE_H #define PHP_OPEN_TEMPORARY_FILE_H -#define PHP_TMP_FILE_OPEN_BASEDIR_CHECK (1<<0) +#define PHP_TMP_FILE_DEFAULT 0 +#define PHP_TMP_FILE_OPEN_BASEDIR_CHECK_ON_FALLBACK (1<<0) #define PHP_TMP_FILE_SILENT (1<<1) +#define PHP_TMP_FILE_OPEN_BASEDIR_CHECK_ON_EXPLICIT_DIR (1<<2) +#define PHP_TMP_FILE_OPEN_BASEDIR_CHECK_ALWAYS \ + (PHP_TMP_FILE_OPEN_BASEDIR_CHECK_ON_FALLBACK | PHP_TMP_FILE_OPEN_BASEDIR_CHECK_ON_EXPLICIT_DIR) + +/* for compatibility purpose */ +#define PHP_TMP_FILE_OPEN_BASEDIR_CHECK PHP_TMP_FILE_OPEN_BASEDIR_CHECK_ON_FALLBACK + BEGIN_EXTERN_C() PHPAPI FILE *php_open_temporary_file(const char *dir, const char *pfx, zend_string **opened_path_p); diff --git a/main/rfc1867.c b/main/rfc1867.c index 8bdc409296..edef19c16d 100644 --- a/main/rfc1867.c +++ b/main/rfc1867.c @@ -1009,7 +1009,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */ /* in non-debug mode we have no problem with 0-length files */ { #endif - fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1); + fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, PHP_TMP_FILE_OPEN_BASEDIR_CHECK_ON_FALLBACK); upload_cnt--; if (fd == -1) { sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file"); |