Fixed Bug #17790

- link and symlink now check uid and open_base_dir for link and its target

diff --git a/ext/standard/link.c b/ext/standard/link.c
index 257d7659098bd0988f5b12ac956a88e526e616b2..23036067e70046fed81320e71b2f2dc46cb4c798 100644 (file)
--- a/ext/standard/link.c
+++ b/ext/standard/link.c
@@ -114,6 +114,18 @@ PHP_FUNCTION(symlink)
                RETURN_FALSE;
        }
 
+       if (PG(safe_mode) && !php_checkuid(Z_STRVAL_PP(frompath), NULL, CHECKUID_CHECK_FILE_AND_DIR)) {
+               RETURN_FALSE;
+       }
+
+       if (php_check_open_basedir(Z_STRVAL_PP(topath) TSRMLS_CC)) {
+               RETURN_FALSE;
+       }
+
+       if (php_check_open_basedir(Z_STRVAL_PP(frompath) TSRMLS_CC)) {
+               RETURN_FALSE;
+       }
+
        if (!strncasecmp(Z_STRVAL_PP(topath), "http://", 7) || !strncasecmp(Z_STRVAL_PP(topath), "ftp://", 6)) {
                php_error(E_WARNING, "Unable to symlink to a URL");
                RETURN_FALSE;
@@ -146,6 +158,18 @@ PHP_FUNCTION(link)
                RETURN_FALSE;
        }
 
+       if (PG(safe_mode) && !php_checkuid(Z_STRVAL_PP(frompath), NULL, CHECKUID_CHECK_FILE_AND_DIR)) {
+               RETURN_FALSE;
+       }
+
+       if (php_check_open_basedir(Z_STRVAL_PP(topath) TSRMLS_CC)) {
+               RETURN_FALSE;
+       }
+
+       if (php_check_open_basedir(Z_STRVAL_PP(frompath) TSRMLS_CC)) {
+               RETURN_FALSE;
+       }
+
        if (!strncasecmp(Z_STRVAL_PP(topath), "http://", 7) || !strncasecmp(Z_STRVAL_PP(topath), "ftp://", 6)) {
                php_error(E_WARNING, "Unable to link to a URL");
                RETURN_FALSE;