Fixed a possible open_basedir/safe_mode bypass in session extension identified by...

diff --git a/NEWS b/NEWS
index 490571d882c5ecf62d4aca1d72b4a5cdf7fe5eaa..bb1fad75387415876d3d667314151a01d4259532 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,9 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? Feb 2010, PHP 5.2.13
+- Fixed a possible open_basedir/safe_mode bypass in session extension
+  identified by Grzegorz Stachowiak. (Ilia)
+
 
 28 Jan 2010, PHP 5.2.13RC1
 - Updated timezone database to version 2010.2. (Derick)

diff --git a/ext/session/session.c b/ext/session/session.c
index 9f0b917623aff61fd3a0f385b4a16e76a653070f..59ffd73a3ff49fd1a4dc6d714c17b422aa0319b7 100644 (file)
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -653,8 +653,13 @@ static PHP_INI_MH(OnUpdateSaveDir) /* {{{ */
                        return FAILURE;
                }
 
-               if ((p = zend_memrchr(new_value, ';', new_value_length))) {
+               /* we do not use zend_memrchr() since path can contain ; itself */
+               if ((p = strchr(new_value, ';'))) {
+                       char *p2;
                        p++;
+                       if ((p2 = strchr(p, ';'))) {
+                               p = p2 + 1;
+                       }
                } else {
                        p = new_value;
                }