granicus.if.org Git - php/commit

]> granicus.if.org Git - php/commit

author	Greg Beaver <cellog@php.net>
	Thu, 15 May 2008 16:09:01 +0000 (16:09 +0000)
committer	Greg Beaver <cellog@php.net>
	Thu, 15 May 2008 16:09:01 +0000 (16:09 +0000)
commit	de5aaaa74c319e4fd2cdcec0cfb57c0ae1edc14a
tree	0a97a926b504d1bc3b1760dfeca589f49e0fe476	tree \| snapshot
parent	8cc335a0da2ec6d96ed9afd281d11b1cc1ffb33c	commit \| diff

fix potentially major security hole: modification/creation of files in .phar directory enabled in many locations
which then allows easy creation of tar/zip-based phar archives with a simple rename even when phar.readonly=1. Plug the hole very tightly, allowing read access to
files, and also excluding them from opendir() output

17 files changed:

ext/phar/dirstream.c		diff \| blob \| history
ext/phar/phar_internal.h		diff \| blob \| history
ext/phar/phar_object.c		diff \| blob \| history
ext/phar/stream.c		diff \| blob \| history
ext/phar/tests/030.phpt		diff \| blob \| history
ext/phar/tests/addfuncs.phpt		diff \| blob \| history
ext/phar/tests/mkdir.phpt		diff \| blob \| history
ext/phar/tests/mounteddir.phpt		diff \| blob \| history
ext/phar/tests/phar_buildfromiterator4.phpt		diff \| blob \| history
ext/phar/tests/phar_copy.phpt		diff \| blob \| history
ext/phar/tests/phar_extract2.phpt		diff \| blob \| history
ext/phar/tests/phar_offset_check.phpt		diff \| blob \| history
ext/phar/tests/phar_offset_get_error.phpt		diff \| blob \| history
ext/phar/tests/tar/dir.phpt		diff \| blob \| history
ext/phar/tests/tar/tar_003.phpt		diff \| blob \| history
ext/phar/tests/zf_test.phpt		diff \| blob \| history
ext/phar/util.c		diff \| blob \| history

Unnamed repository; edit this file 'description' to name the repository.

RSS Atom