Fixed bug #41492 (open_basedir/safe_mode bypass inside realpath()).

diff --git a/NEWS b/NEWS
index 7fddee2aad22cd4d4ae5adc6f8e17059cde5fdfb..2dfc4b049c38dbae33a9dbb465fc0126cb677b7f 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,7 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? Jun 2007, PHP 5.2.3
 - Fixed bug #41511 (Compile failure under IRIX 6.5.30 building md5.c). (Jani)
+- Fixed bug #41492 (open_basedir/safe_mode bypass inside realpath()). (Ilia)
 - Fixed bug #41504 (json_decode() incorrectly decodes JSON arrays with empty
   string keys). (Ilia)
 - Fixed bug #41236 (Regression in timeout handling of non-blocking SSL

diff --git a/ext/standard/file.c b/ext/standard/file.c
index 870972b3669a276dd2f57e232655a1ce1f2e1c11..e6dd5d71a43c479a95fd169231acab79e3365578 100644 (file)
--- a/ext/standard/file.c
+++ b/ext/standard/file.c
@@ -2371,6 +2371,14 @@ PHP_FUNCTION(realpath)
        convert_to_string_ex(path);
 
        if (VCWD_REALPATH(Z_STRVAL_PP(path), resolved_path_buff)) {
+               if (PG(safe_mode) && (!php_checkuid(resolved_path_buff, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
+                       RETURN_FALSE;
+               }
+
+               if (php_check_open_basedir(resolved_path_buff TSRMLS_CC)) {
+                       RETURN_FALSE;
+               }
+
 #ifdef ZTS
                if (VCWD_ACCESS(resolved_path_buff, F_OK)) {
                        RETURN_FALSE;