diff options
| -rw-r--r-- | NEWS | 1 | ||||
| -rw-r--r-- | ext/standard/tests/directory/open_basedir_001.phpt | 17 | ||||
| -rw-r--r-- | main/fopen_wrappers.c | 56 | ||||
| -rw-r--r-- | main/fopen_wrappers.h | 3 |
4 files changed, 77 insertions, 0 deletions
@@ -3,6 +3,7 @@ PHP NEWS ?? ??? 200?, PHP 5.3.0 Alpha 4 - Changed opendir/dir/scandir to use default context when no context argument is passed. (Sara) +- Changed open_basedir to allow tightening in runtime contexts. (Sara) - Fixed bug #46811 ini_set() doesn't return false on failure. (Hannes) diff --git a/ext/standard/tests/directory/open_basedir_001.phpt b/ext/standard/tests/directory/open_basedir_001.phpt new file mode 100644 index 0000000000..092eac27f0 --- /dev/null +++ b/ext/standard/tests/directory/open_basedir_001.phpt @@ -0,0 +1,17 @@ +--TEST-- +openbase_dir runtime tightning +--INI-- +open_basedir=/usr/local +--FILE-- +<?php +var_dump(ini_set("open_basedir", "/usr/local/bin")); +var_dump(ini_get("open_basedir")); +var_dump(ini_set("open_basedir", "/usr")); +var_dump(ini_get("open_basedir")); +?> +--EXPECT-- +string(10) "/usr/local" +string(14) "/usr/local/bin" +bool(false) +string(14) "/usr/local/bin" + diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c index feabfb85cc..b6b1f3a49d 100644 --- a/main/fopen_wrappers.c +++ b/main/fopen_wrappers.c @@ -79,6 +79,62 @@ #endif /* }}} */ +/* {{{ OnUpdateBaseDir +Allows any change to open_basedir setting in during Startup and Shutdown events, +or a tightening during activation/runtime/deactivation */ +PHPAPI ZEND_INI_MH(OnUpdateBaseDir) +{ + char **p, *pathbuf, *ptr, *end; +#ifndef ZTS + char *base = (char *) mh_arg2; +#else + char *base = (char *) ts_resource(*((int *) mh_arg2)); +#endif + + p = (char **) (base + (size_t) mh_arg1); + + if (stage == PHP_INI_STAGE_STARTUP || stage == PHP_INI_STAGE_SHUTDOWN) { + /* We're in a PHP_INI_SYSTEM context, no restrictions */ + *p = new_value; + return SUCCESS; + } + + /* Otherwise we're in runtime */ + if (!*p || !**p) { + /* open_basedir not set yet, go ahead and give it a value */ + *p = new_value; + return SUCCESS; + } + + /* Shortcut: When we have a open_basedir and someone tries to unset, we know it'll fail */ + if (!new_value || !*new_value) { + return FAILURE; + } + + /* Is the proposed open_basedir at least as restrictive as the current setting? */ + ptr = pathbuf = estrdup(new_value); + while (ptr && *ptr) { + end = strchr(ptr, DEFAULT_DIR_SEPARATOR); + if (end != NULL) { + *end = '\0'; + end++; + } + if (php_check_open_basedir_ex(ptr, 0 TSRMLS_CC) != 0) { + /* At least one portion of this open_basedir is less restrictive than the prior one, FAIL */ + efree(pathbuf); + return FAILURE; + } + ptr = end; + } + efree(pathbuf); + + /* Everything checks out, set it */ + *p = new_value; + + return SUCCESS; +} +/* }}} */ + /* {{{ php_check_specific_open_basedir When open_basedir is not NULL, check if the given filename is located in open_basedir. Returns -1 if error or not in the open_basedir, else 0. diff --git a/main/fopen_wrappers.h b/main/fopen_wrappers.h index 1b8113c10c..b58bc02ac9 100644 --- a/main/fopen_wrappers.h +++ b/main/fopen_wrappers.h @@ -23,6 +23,7 @@ BEGIN_EXTERN_C() #include "php_globals.h" +#include "php_ini.h" PHPAPI int php_fopen_primary_script(zend_file_handle *file_handle TSRMLS_DC); PHPAPI char *expand_filepath(const char *filepath, char *real_path TSRMLS_DC); @@ -39,6 +40,8 @@ PHPAPI char *php_resolve_path(const char *filename, int filename_len, const char PHPAPI FILE *php_fopen_with_path(const char *filename, const char *mode, const char *path, char **opened_path TSRMLS_DC); PHPAPI char *php_strip_url_passwd(char *path); + +PHPAPI ZEND_INI_MH(OnUpdateBaseDir); END_EXTERN_C() #endif |