Fixed bug #41655 (open_basedir bypass via glob())

diff --git a/NEWS b/NEWS
index d86215930cdfe8f482e5c43818fd9263afa3d5c0..917d5ec6ac1ec1af278b028841c592c1b1c1b23b 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -25,6 +25,7 @@ PHP                                                                        NEWS
 - Fixed PECL bug #11216 (crash in ZipArchive::addEmptyDir when a directory 
   already exists). (Pierre)
 
+- Fixed bug #41655 (open_basedir bypass via glob()). (Ilia)
 - Fixed bug #41640 (get_class_vars produces error on class constants).
   (Johannes)
 - Fixed bug #41630 (segfault when an invalid color index is present in
@@ -46,8 +47,7 @@ PHP                                                                        NEWS
   with ini_set()). (Tony, Dmitry)
 - Fixed bug #41555 (configure failure: regression caused by fix for #41265).
   (Jani)
-- Fixed bug #41527 (WDDX deserialize numeric string array key). (php_lists
-  at realplain dot com, Ilia)
+- Fixed bug #41527 (WDDX deserialize numeric string array key). (Matt, Ilia)
 - Fixed bug #41518 (file_exists() warns of open_basedir restriction on 
   non-existent file). (Tony)
 - Fixed bug #39330 (apache2handler does not call shutdown actions before 

diff --git a/ext/standard/dir.c b/ext/standard/dir.c
index 9159ac8d6eb570cc079a89e73a145fcfc8513491..7a7f4c4149301563546b57e3b5055ac52222b376 100644 (file)
--- a/ext/standard/dir.c
+++ b/ext/standard/dir.c
@@ -24,6 +24,7 @@
 #include "fopen_wrappers.h"
 #include "file.h"
 #include "php_dir.h"
+#include "php_string.h"
 #include "php_scandir.h"
 
 #ifdef HAVE_DIRENT_H
@@ -361,7 +362,6 @@ PHP_NAMED_FUNCTION(php_if_readdir)
    Find pathnames matching a pattern */
 PHP_FUNCTION(glob)
 {
-       char cwd[MAXPATHLEN];
        int cwd_skip = 0;
 #ifdef ZTS
        char work_pattern[MAXPATHLEN];
@@ -395,6 +395,22 @@ PHP_FUNCTION(glob)
        } 
 #endif
 
+       if (PG(safe_mode) || (PG(open_basedir) && *PG(open_basedir))) {
+               size_t base_len = php_dirname(pattern, strlen(pattern));
+               char pos = pattern[base_len];
+
+               pattern[base_len] = '\0';
+
+               if (PG(safe_mode) && (!php_checkuid(pattern, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
+                       RETURN_FALSE;
+               }
+               if (php_check_open_basedir(pattern TSRMLS_CC)) {
+                       RETURN_FALSE;
+               }
+
+               pattern[base_len] = pos;
+       }
+
        globbuf.gl_offs = 0;
        if (0 != (ret = glob(pattern, flags & GLOB_FLAGMASK, NULL, &globbuf))) {
 #ifdef GLOB_NOMATCH
@@ -420,16 +436,6 @@ PHP_FUNCTION(glob)
                return;
        }
 
-       /* we assume that any glob pattern will match files from one directory only
-          so checking the dirname of the first match should be sufficient */
-       strlcpy(cwd, globbuf.gl_pathv[0], MAXPATHLEN);
-       if (PG(safe_mode) && (!php_checkuid(cwd, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
-               RETURN_FALSE;
-       }
-       if (php_check_open_basedir(cwd TSRMLS_CC)) {
-               RETURN_FALSE;
-       }
-
        array_init(return_value);
        for (n = 0; n < globbuf.gl_pathc; n++) {
                /* we need to do this everytime since GLOB_ONLYDIR does not guarantee that