-rw-r--r--sapi/cgi/cgi_main.c4
-rw-r--r--sapi/isapi/php4isapi.c10
2 files changed, 11 insertions, 3 deletions
diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
index 8b756a761d..2ddabd591d 100644
--- a/sapi/cgi/cgi_main.c
+++ b/sapi/cgi/cgi_main.c
@@ -806,7 +806,9 @@ static void init_request_info(TSRMLS_D)
#endif
SG(request_info).request_method = sapi_cgibin_getenv("REQUEST_METHOD",0 TSRMLS_CC);
SG(request_info).query_string = sapi_cgibin_getenv("QUERY_STRING",0 TSRMLS_CC);
- if (script_path_translated)
+ /* some server configurations allow '..' to slip through in the
+ translated path. We'll just refuse to handle such a path. */
+ if (script_path_translated && !strstr(script_path_translated,".."))
SG(request_info).path_translated = estrdup(script_path_translated);
SG(request_info).content_type = (content_type ? content_type : "" );
SG(request_info).content_length = (content_length?atoi(content_length):0);
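Review bot: The added `strstr(script_path_translated,"..")` test matches any two consecutive dots rather than a `..` path component, so a legitimate name such as `notes..old.php` is refused as well; the php4isapi.c hunk uses the same substring test. The refusal is also silent on this side: path_translated is simply left unassigned, with no response code set, whereas the ISAPI hunk sets 404. Whether later code copes with the field being unset cannot be seen here, because init_request_info starts and ends outside the hunk. I would extend the comment to state the contract, e.g. `/* on rejection path_translated stays unset; callers must treat that as "no script" */`, and consider comparing per path component (split on `/` and `\`) instead of a raw substring search.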
diff --git a/sapi/isapi/php4isapi.c b/sapi/isapi/php4isapi.c
index b496d4344c..fc8f5d9667 100644
--- a/sapi/isapi/php4isapi.c
+++ b/sapi/isapi/php4isapi.c
@@ -744,16 +744,22 @@ DWORD WINAPI HttpExtensionProc(LPEXTENSION_CONTROL_BLOCK lpECB)
* variable won't be present, so fall back to old behaviour.
*/
efree( file_handle.filename );
- file_handle.filename = SG(request_info.path_translated);
+ file_handle.filename = SG(request_info).path_translated;
file_handle.free_filename = 0;
}
}
#else
- file_handle.filename = SG(request_info.path_translated);
+ file_handle.filename = SG(request_info).path_translated;
file_handle.free_filename = 0;
#endif
file_handle.type = ZEND_HANDLE_FILENAME;
file_handle.opened_path = NULL;
+ /* some server configurations allow '..' to slip through in the
+ translated path. We'll just refuse to handle such a path. */
+ if (strstr(SG(request_info).path_translated,"..")) {
+ SG(sapi_headers).http_response_code = 404;
+ SG(request_info).path_translated = NULL;
+ }
php_request_startup(TSRMLS_C);
php_execute_script(&file_handle TSRMLS_CC);
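Review bot: The rejection branch clears `SG(request_info).path_translated` but leaves `file_handle.filename` untouched, and in the `#else` path that field was assigned from the same pointer a few lines earlier; `php_execute_script(&file_handle TSRMLS_CC)` is then still called unconditionally, so unless code outside this hunk checks path_translated the refused path may still be opened. The `strstr` call also lacks the NULL guard that the cgi_main.c hunk has, which matters if path_translated can be unset at this point. I would write the test as `if (SG(request_info).path_translated && strstr(SG(request_info).path_translated, "..")) {` and gate execution on the result, e.g. `if (SG(request_info).path_translated) php_execute_script(&file_handle TSRMLS_CC);`. HttpExtensionProc starts and ends outside the hunk, so the surrounding startup and shutdown sequence should be checked before adopting this.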