handle invalid paths passed to us from iis

author: Shane Caraveo <shane@php.net> 2003-03-27 17:52:33 +0000
committer: Shane Caraveo <shane@php.net> 2003-03-27 17:52:33 +0000
commit: e949850881e5f2f4897c3fd4dfe0f161fc9e0adb (patch)
tree: f10ba58f4dd7c3f0ea24b963f857e465f9fabd8d /sapi/cgi
parent: 86569cb1542ca6ab7e6dc50613688a47fae5de4f (diff)
download: php-git-e949850881e5f2f4897c3fd4dfe0f161fc9e0adb.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
index 5d99c2244f..2295d94e2a 100644
--- a/sapi/cgi/cgi_main.c
+++ b/sapi/cgi/cgi_main.c
@@ -827,7 +827,9 @@ static void init_request_info(TSRMLS_D)
 #endif
 		SG(request_info).request_method = sapi_cgibin_getenv("REQUEST_METHOD",0 TSRMLS_CC);
 		SG(request_info).query_string = sapi_cgibin_getenv("QUERY_STRING",0 TSRMLS_CC);
-		if (script_path_translated)
+		/* some server configurations allow '..' to slip through in the
+		   translated path.   We'll just refuse to handle such a path. */
+		if (script_path_translated && !strstr(script_path_translated,".."))
 			SG(request_info).path_translated = estrdup(script_path_translated);
 		SG(request_info).content_type = (content_type ? content_type : "" );
 		SG(request_info).content_length = (content_length?atoi(content_length):0);
author	Shane Caraveo <shane@php.net>	2003-03-27 17:52:33 +0000
committer	Shane Caraveo <shane@php.net>	2003-03-27 17:52:33 +0000
commit	e949850881e5f2f4897c3fd4dfe0f161fc9e0adb (patch)
tree	f10ba58f4dd7c3f0ea24b963f857e465f9fabd8d /sapi/cgi
parent	86569cb1542ca6ab7e6dc50613688a47fae5de4f (diff)
download	php-git-e949850881e5f2f4897c3fd4dfe0f161fc9e0adb.tar.gz