From 9c805a6cb31596c41609512bdd8a9a76c9ce9b15 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Fri, 14 Aug 2015 16:56:40 +0200
Subject: Fix #70264: CLI server directory traversal

On Windows the built-in webserver doesn't prevent directory traversal when backslashes are used as path component separators. Even though that is not a security issue (the CLI webserver is meant for testing only), we fix that by replacing backslashes in the path with slashes on Windows, because backslashes may be valid characters for file names on other systems, but not on Windows.
---
sapi/cli/php_cli_server.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
(limited to 'sapi/cli/php_cli_server.c')
diff --git a/sapi/cli/php_cli_server.c b/sapi/cli/php_cli_server.c
index 00226782de..e4ea00ac33 100644
--- a/sapi/cli/php_cli_server.c
+++ b/sapi/cli/php_cli_server.c
@@ -1579,6 +1579,18 @@ static void normalize_vpath(char **retval, size_t *retval_len, const char *vpath
 decoded_vpath_end = decoded_vpath + php_url_decode(decoded_vpath, vpath_len);
+#ifdef PHP_WIN32
+ {
+ char *p = decoded_vpath;
+
+ do {
+ if (*p == '\\') {
+ *p = '/';
+ }
+ } while (*p++);
+ }
+#endif
+
 p = decoded_vpath;
 if (p < decoded_vpath_end && *p == '/') {
--
cgit v1.2.1
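Review bot: The added `do { ... } while (*p++);` loop stops at the first NUL byte, while the surrounding code bounds the buffer with `decoded_vpath_end`, which is derived from the length `php_url_decode` returns. If the decoded path contains an embedded NUL, any backslashes after it are left unconverted, so the normalisation does not cover the same range the following `if (p < decoded_vpath_end && *p == '/')` walks. Bounding the loop by the decoded length keeps the two consistent, e.g. `for (q = decoded_vpath; q < decoded_vpath_end; q++) { if (*q == '\\') { *q = '/'; } }`. The block-local `char *p` also shadows the function's own `p`, which is assigned immediately after the `#endif`; a distinct name such as `q` would avoid confusion. Whether later code in `normalize_vpath` rejects embedded NULs cannot be seen here, because the function body starts and ends outside the hunk.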