From db2cce5fea39fe4bca60fe284a6e9b038d16acf8 Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky <iliaa@php.net>
Date: Tue, 12 Jun 2007 12:56:17 +0000
Subject: MFB: Fixed bug #41655 (open_basedir bypass via glob())

---
 NEWS               |  4 ++--
 ext/standard/dir.c | 28 +++++++++++++++++-----------
 2 files changed, 19 insertions(+), 13 deletions(-)

diff --git a/NEWS b/NEWS
index b13bc50efb..5b7abf059f 100644
--- a/NEWS
+++ b/NEWS
@@ -29,8 +29,8 @@ PHP 4                                                                      NEWS
 - Fixed CVE-2007-1001 (GD wbmp used with invalid image size). (Pierre)
 - Fixed CVE-2007-0455 (Buffer overflow in gdImageStringFTEx, used by imagettf
   function). (Kees Cook, Pierre)
-- Fixed bug #41527 (WDDX deserialize numeric string array key). (php_lists
-  at realplain dot com, Ilia)
+- Fixed bug #41655 (open_basedir bypass via glob()). (Ilia)
+- Fixed bug #41527 (WDDX deserialize numeric string array key). (Matt, Ilia)
 - Fixed bug #41252 (Calling mcrypt_generic without first calling
   mcrypt_generic_init crashes). (Derick)
 - Fixed bug #40998 (long session array keys are truncated). (Tony)
diff --git a/ext/standard/dir.c b/ext/standard/dir.c
index 43e8310b21..7e2b266671 100644
--- a/ext/standard/dir.c
+++ b/ext/standard/dir.c
@@ -24,6 +24,7 @@
 #include "fopen_wrappers.h"
 #include "file.h"
 #include "php_dir.h"
+#include "php_string.h"
 
 #ifdef HAVE_DIRENT_H
 # include <dirent.h>
@@ -349,7 +350,6 @@ PHP_NAMED_FUNCTION(php_if_readdir)
    Find pathnames matching a pattern */
 PHP_FUNCTION(glob)
 {
-	char cwd[MAXPATHLEN];
 	int cwd_skip = 0;
 #ifdef ZTS
 	char work_pattern[MAXPATHLEN];
@@ -382,6 +382,22 @@ PHP_FUNCTION(glob)
 	} 
 #endif
 
+	if (PG(safe_mode) || (PG(open_basedir) && *PG(open_basedir))) {
+		size_t base_len = php_dirname(pattern, strlen(pattern));
+		char pos = pattern[base_len];
+
+		pattern[base_len] = '\0';
+
+		if (PG(safe_mode) && (!php_checkuid(pattern, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
+			RETURN_FALSE;
+		}
+		if (php_check_open_basedir(pattern TSRMLS_CC)) {
+			RETURN_FALSE;
+		}
+
+		pattern[base_len] = pos;
+	}
+
 	globbuf.gl_offs = 0;
 	if (0 != (ret = glob(pattern, flags & GLOB_FLAGMASK, NULL, &globbuf))) {
 #ifdef GLOB_NOMATCH
@@ -403,16 +419,6 @@ PHP_FUNCTION(glob)
 		return;
 	}
 
-	/* we assume that any glob pattern will match files from one directory only
-	   so checking the dirname of the first match should be sufficient */
-	strncpy(cwd, globbuf.gl_pathv[0], MAXPATHLEN);
-	if (PG(safe_mode) && (!php_checkuid(cwd, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
-		RETURN_FALSE;
-	}
-	if (php_check_open_basedir(cwd TSRMLS_CC)) {
-		RETURN_FALSE;
-	}
-
 	array_init(return_value);
 	for (n = 0; n < globbuf.gl_pathc; n++) {
 		/* we need to this everytime since GLOB_ONLYDIR does not guarantee that
-- 
cgit v1.2.1