MFH: Missing safe_mode/open_basedir checks for file uploads.

author Ilia Alshanetsky <iliaa@php.net>

Wed, 5 Oct 2005 14:34:38 +0000 (14:34 +0000)

committer Ilia Alshanetsky <iliaa@php.net>

Wed, 5 Oct 2005 14:34:38 +0000 (14:34 +0000)
author Ilia Alshanetsky <iliaa@php.net>
Wed, 5 Oct 2005 14:34:38 +0000 (14:34 +0000)
committer Ilia Alshanetsky <iliaa@php.net>
Wed, 5 Oct 2005 14:34:38 +0000 (14:34 +0000)
diff --git a/NEWS b/NEWS

index 5872304d2eadc999e6fa8b0d19af3474d8cefda7..02f68f98ab5799acab87bcea956536d489fa660c 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
  PHP 4                                                                      NEWS
  |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
  ?? ??? 2005, Version 4.4.1
+- Added missing safe_mode/open_basedir checks for file uploads. (Ilia)
  - Fixed possible INI setting leak via virtual() in Apache 2 sapi. (Ilia)
  - Fixed possible crash and/or memory corruption in import_request_variables().
    (Ilia)
diff --git a/ext/curl/curl.c b/ext/curl/curl.c

index 27192695f73fafe97733b2fae85dc06e1b57e28e..3468dfc5769b57847a2575c00467c477d39a1f7d 100644 (file)
--- a/ext/curl/curl.c
+++ b/ext/curl/curl.c
@@ -992,10 +992,15 @@ PHP_FUNCTION(curl_setopt)
                                 
                                         postval = Z_STRVAL_PP(current);
                                         if (*postval == '@') {
+                                               ++postval;
+                                               /* safe_mode / open_basedir check */
+                                               if (php_check_open_basedir(postval TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(postval, "rb+", CHECKUID_CHECK_MODE_PARAM))) {
+                                                       RETURN_FALSE;
+                                               }
                                                 error = curl_formadd(&first, &last, 
                                                                                          CURLFORM_COPYNAME, string_key,
                                                                                          CURLFORM_NAMELENGTH, (long)string_key_len - 1,
-                                                                                        CURLFORM_FILE, ++postval, 
+                                                                                        CURLFORM_FILE, postval, 
                                                                                          CURLFORM_END);
                                         }
                                         else {
author	Ilia Alshanetsky <iliaa@php.net>
	Wed, 5 Oct 2005 14:34:38 +0000 (14:34 +0000)
committer	Ilia Alshanetsky <iliaa@php.net>
	Wed, 5 Oct 2005 14:34:38 +0000 (14:34 +0000)
NEWS		patch \| blob \| history
ext/curl/curl.c		patch \| blob \| history