Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir
authorIlia Alshanetsky <iliaa@php.net>
Thu, 23 Aug 2007 02:04:39 +0000 (02:04 +0000)
committerIlia Alshanetsky <iliaa@php.net>
Thu, 23 Aug 2007 02:04:39 +0000 (02:04 +0000)
bypass).

NEWS
ext/session/mod_files.c

diff --git a/NEWS b/NEWS
index a094eaeb5477c8c466938c92c736cbedb152a1fa..8ea894226f0beb9e94191b3478a91b80e45f6f00 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,8 @@ PHP                                                                        NEWS
   in the same way as "instanceof" operator). (Dmitry)
 - Fixed bug #41904 (proc_open(): empty env array should cause empty
   environment to be passed to process). (Jani)
+- Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir
+  bypass). (Ilia)
 
 16 Aug 2007, PHP 5.2.4RC2
 - Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client
index 722e389177814527299167b5f7ccbbfedfb8bb57..6535c7d34595c46052c2b3ca31ba2d6d6e9dc3e0 100644 (file)
@@ -164,6 +164,28 @@ static void ps_files_open(ps_files *data, const char *key TSRMLS_DC)
                                data->filemode);
                
                if (data->fd != -1) {
+#ifndef PHP_WIN32
+                       /* check to make sure that the opened file is not a symlink, linking to data outside of allowable dirs */
+                       if (PG(safe_mode) || PG(open_basedir)) {
+                               struct stat sbuf;
+
+                               if (fstat(data->fd, &sbuf)) {
+                                       close(data->fd);
+                                       return;
+                               }
+                               if (
+                                       S_ISLNK(sbuf.st_mode) && 
+                                       (
+                                               php_check_open_basedir(buf TSRMLS_CC) ||
+                                               (PG(safe_mode) && !php_checkuid(buf, NULL, CHECKUID_CHECK_FILE_AND_DIR))
+                                       )
+                               ) {
+
+                                       close(data->fd);
+                                       return;
+                               }
+                       }
+#endif
                        flock(data->fd, LOCK_EX);
 
 #ifdef F_SETFD
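Review bot: The `S_ISLNK(sbuf.st_mode)` test in the added block can never be true as written, because `fstat()` describes the file the descriptor refers to and `open()` has already followed any symlink; the `php_check_open_basedir()` / `php_checkuid()` calls under it are therefore never reached, and the bypass named in the commit title appears to remain. The link has to be detected on the path rather than on the descriptor, e.g. `if (lstat(buf, &sbuf) == 0 && S_ISLNK(sbuf.st_mode) && ( ... ))`, or preferably by passing `O_NOFOLLOW` to the open call where the platform defines it, since a path check separate from the open leaves a race window; the open call starts above the hunk, so its current flags are not visible here. Both early returns also leave `data->fd` holding the number of a closed descriptor; adding `data->fd = -1;` after each `close(data->fd);` would keep later code from treating it as an open session file. ps_files_open starts and ends outside the hunk.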