UNIX sockets). (Mike)
. Fixed bug #64604 (parse_url is inconsistent with specified port).
(Ingo Walz)
+ . Fixed bug #66171 (Symlinks and session handler allow open_basedir bypass).
+ (Jann Horn, Stas)
. Fixed bug #66182 (exit in stream filter produces segfault). (Mike)
. Fixed bug #66736 (fpassthru broken). (Mike)
. Fixed bug #67024 (getimagesize should recognize BMP files with negative
static void ps_files_open(ps_files *data, const char *key TSRMLS_DC)
{
char buf[MAXPATHLEN];
+ struct stat sbuf;
if (data->fd < 0 || !data->lastkey || strcmp(key, data->lastkey)) {
if (data->lastkey) {
}
data->lastkey = estrdup(key);
-
- data->fd = VCWD_OPEN_MODE(buf, O_CREAT | O_RDWR | O_BINARY, data->filemode);
+
+ /* O_NOFOLLOW to prevent us from following evil symlinks */
+#ifdef O_NOFOLLOW
+ data->fd = VCWD_OPEN_MODE(buf, O_CREAT | O_RDWR | O_BINARY | O_NOFOLLOW, data->filemode);
+#else
+ /* Check to make sure that the opened file is not outside of allowable dirs.
+ This is not 100% safe but it's hard to do something better without O_NOFOLLOW */
+ if(PG(open_basedir) && lstat(buf, &sbuf) == 0 && S_ISLNK(sbuf.st_mode) && php_check_open_basedir(buf TSRMLS_CC)) {
+ return;
+ }
+ data->fd = VCWD_OPEN_MODE(buf, O_CREAT | O_RDWR | O_BINARY, data->filemode);
+#endif
if (data->fd != -1) {
#ifndef PHP_WIN32
- /* check to make sure that the opened file is not a symlink, linking to data outside of allowable dirs */
- if (PG(open_basedir)) {
- struct stat sbuf;
-
- if (fstat(data->fd, &sbuf)) {
- close(data->fd);
- data->fd = -1;
- return;
- }
- if (S_ISLNK(sbuf.st_mode) && php_check_open_basedir(buf TSRMLS_CC)) {
- close(data->fd);
- data->fd = -1;
- return;
- }
- }
+ /* check that this session file was created by us or root – we
+ don't want to end up accepting the sessions of another webapp */
+ if (fstat(data->fd, &sbuf) || (sbuf.st_uid != 0 && sbuf.st_uid != getuid() && sbuf.st_uid != geteuid())) {
+ close(data->fd);
+ data->fd = -1;
+ return;
+ }
#endif
flock(data->fd, LOCK_EX);
projects / php / commitdiff