- fix #39863, do not accept paths with NULL in them. See http://news.php.net/php...
authorPierre Joye <pajoye@php.net>
Thu, 18 Nov 2010 15:22:22 +0000 (15:22 +0000)
committerPierre Joye <pajoye@php.net>
Thu, 18 Nov 2010 15:22:22 +0000 (15:22 +0000)
27 files changed:
Zend/zend_vm_execute.h
ext/bz2/bz2.c
ext/com_dotnet/com_persist.c
ext/enchant/enchant.c
ext/fileinfo/fileinfo.c
ext/gd/gd.c
ext/gd/gd_ctx.c
ext/imap/php_imap.c
ext/oci8/oci8_interface.c
ext/odbc/php_odbc.c
ext/openssl/openssl.c
ext/pgsql/pgsql.c
ext/posix/posix.c
ext/pspell/pspell.c
ext/sqlite/sqlite.c
ext/sqlite3/sqlite3.c
ext/standard/basic_functions.c
ext/standard/dir.c
ext/standard/file.c
ext/standard/filestat.c
ext/standard/ftok.c
ext/standard/iptc.c
ext/standard/link.c
ext/tidy/tidy.c
ext/xsl/xsltprocessor.c
ext/zip/php_zip.c
main/fopen_wrappers.c

index 76a785c4b446db91fd2805fa0fc7118affc7815c..4c6598cade195920263b654afd6d91ead2dbd8dc 100644 (file)
@@ -1880,6 +1880,16 @@ static int ZEND_FASTCALL  ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER(ZEND_OPCODE_HA
 
        return_value_used = RETURN_VALUE_USED(opline);
 
+       if (Z_LVAL(opline->op2.u.constant) != ZEND_EVAL && strlen(Z_STRVAL_P(inc_filename)) != Z_STRLEN_P(inc_filename)) {
+               if (Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE_ONCE ||
+                   Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE) {
+                       zend_message_dispatcher(ZMSG_FAILED_INCLUDE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
+               } else {
+                       zend_message_dispatcher(ZMSG_FAILED_REQUIRE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
+               }
+               goto done;
+       }
+
        switch (Z_LVAL(opline->op2.u.constant)) {
                case ZEND_INCLUDE_ONCE:
                case ZEND_REQUIRE_ONCE: {
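Review bot: The NUL-byte guard is added by hand to zend_vm_execute.h, which as far as I know is generated from zend_vm_def.h, and this commit's file list shows no change to that template. If that holds, the next regeneration of the handlers would silently drop the check. The same block is repeated in the TMP, VAR and CV handlers further down, so it belongs once in the template for ZEND_INCLUDE_OR_EVAL. Separately, `strlen()` yields a size_t and is compared against the zval's signed length; an explicit cast, `strlen(Z_STRVAL_P(inc_filename)) != (size_t)Z_STRLEN_P(inc_filename)`, avoids the mixed-sign comparison. The handler body starts and ends outside the hunk.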
@@ -1933,6 +1943,7 @@ static int ZEND_FASTCALL  ZEND_INCLUDE_OR_EVAL_SPEC_CONST_HANDLER(ZEND_OPCODE_HA
                        break;
                EMPTY_SWITCH_DEFAULT_CASE()
        }
+done:
        if (inc_filename==&tmp_inc_filename) {
                zval_dtor(&tmp_inc_filename);
        }
@@ -5154,6 +5165,16 @@ static int ZEND_FASTCALL  ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER(ZEND_OPCODE_HAND
 
        return_value_used = RETURN_VALUE_USED(opline);
 
+       if (Z_LVAL(opline->op2.u.constant) != ZEND_EVAL && strlen(Z_STRVAL_P(inc_filename)) != Z_STRLEN_P(inc_filename)) {
+               if (Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE_ONCE ||
+                   Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE) {
+                       zend_message_dispatcher(ZMSG_FAILED_INCLUDE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
+               } else {
+                       zend_message_dispatcher(ZMSG_FAILED_REQUIRE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
+               }
+               goto done;
+       }
+
        switch (Z_LVAL(opline->op2.u.constant)) {
                case ZEND_INCLUDE_ONCE:
                case ZEND_REQUIRE_ONCE: {
@@ -5207,6 +5228,7 @@ static int ZEND_FASTCALL  ZEND_INCLUDE_OR_EVAL_SPEC_TMP_HANDLER(ZEND_OPCODE_HAND
                        break;
                EMPTY_SWITCH_DEFAULT_CASE()
        }
+done:
        if (inc_filename==&tmp_inc_filename) {
                zval_dtor(&tmp_inc_filename);
        }
@@ -8524,6 +8546,16 @@ static int ZEND_FASTCALL  ZEND_INCLUDE_OR_EVAL_SPEC_VAR_HANDLER(ZEND_OPCODE_HAND
 
        return_value_used = RETURN_VALUE_USED(opline);
 
+       if (Z_LVAL(opline->op2.u.constant) != ZEND_EVAL && strlen(Z_STRVAL_P(inc_filename)) != Z_STRLEN_P(inc_filename)) {
+               if (Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE_ONCE ||
+                   Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE) {
+                       zend_message_dispatcher(ZMSG_FAILED_INCLUDE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
+               } else {
+                       zend_message_dispatcher(ZMSG_FAILED_REQUIRE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
+               }
+               goto done;
+       }
+
        switch (Z_LVAL(opline->op2.u.constant)) {
                case ZEND_INCLUDE_ONCE:
                case ZEND_REQUIRE_ONCE: {
@@ -8577,6 +8609,7 @@ static int ZEND_FASTCALL  ZEND_INCLUDE_OR_EVAL_SPEC_VAR_HANDLER(ZEND_OPCODE_HAND
                        break;
                EMPTY_SWITCH_DEFAULT_CASE()
        }
+done:
        if (inc_filename==&tmp_inc_filename) {
                zval_dtor(&tmp_inc_filename);
        }
@@ -22387,6 +22420,16 @@ static int ZEND_FASTCALL  ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER(ZEND_OPCODE_HANDL
 
        return_value_used = RETURN_VALUE_USED(opline);
 
+       if (Z_LVAL(opline->op2.u.constant) != ZEND_EVAL && strlen(Z_STRVAL_P(inc_filename)) != Z_STRLEN_P(inc_filename)) {
+               if (Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE_ONCE ||
+                   Z_LVAL(opline->op2.u.constant)==ZEND_INCLUDE) {
+                       zend_message_dispatcher(ZMSG_FAILED_INCLUDE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
+               } else {
+                       zend_message_dispatcher(ZMSG_FAILED_REQUIRE_FOPEN, Z_STRVAL_P(inc_filename) TSRMLS_CC);
+               }
+               goto done;
+       }
+
        switch (Z_LVAL(opline->op2.u.constant)) {
                case ZEND_INCLUDE_ONCE:
                case ZEND_REQUIRE_ONCE: {
@@ -22440,6 +22483,7 @@ static int ZEND_FASTCALL  ZEND_INCLUDE_OR_EVAL_SPEC_CV_HANDLER(ZEND_OPCODE_HANDL
                        break;
                EMPTY_SWITCH_DEFAULT_CASE()
        }
+done:
        if (inc_filename==&tmp_inc_filename) {
                zval_dtor(&tmp_inc_filename);
        }
index 411b2b5dabbc99c89f934d8f663c9337d1525365..223af6e5bace42e8baa0eaea3b0951db0a922f54 100644 (file)
@@ -387,6 +387,9 @@ static PHP_FUNCTION(bzopen)
        if (Z_TYPE_PP(file) == IS_STRING) {
                convert_to_string_ex(file);
 
+               if (strlen(Z_STRVAL_PP(file)) != Z_STRLEN_PP(file)) {
+                       RETURN_FALSE;
+               }
                if (Z_STRLEN_PP(file) == 0) {
                        php_error_docref(NULL TSRMLS_CC, E_WARNING, "filename cannot be empty");
                        RETURN_FALSE;
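Review bot: The new NUL-byte rejection returns FALSE with no diagnostic, while the empty-filename check directly below it raises an E_WARNING. An embedded NUL in a path is rarely accidental, so a warning gives operators something to alert on, for example `php_error_docref(NULL TSRMLS_CC, E_WARNING, "filename must not contain null bytes");` before the `RETURN_FALSE`. The same silent return is used by the `strlen(...) != ..._len` checks in the other files of this commit. bzopen's body continues outside the hunk.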
index 9df476dc0478098102ba21ee47bc71b6c0dd3465..41bcc71333bcfd94a3e0252cc9e342c6dc9e4a81 100755 (executable)
@@ -389,6 +389,9 @@ CPH_METHOD(SaveToFile)
                }
 
                if (filename) {
+                       if (strlen(filename) != filename_len) {
+                               RETURN_FALSE;
+                       }
                        fullpath = expand_filepath(filename, NULL TSRMLS_CC);
                        if (!fullpath) {
                                RETURN_FALSE;
@@ -453,6 +456,10 @@ CPH_METHOD(LoadFromFile)
                        return;
                }
 
+               if (strlen(filename) != filename_len) {
+                       RETURN_FALSE;
+               }
+
                if (!(fullpath = expand_filepath(filename, NULL TSRMLS_CC))) {
                        RETURN_FALSE;
                }
index 14ea003ebe05db373bde6cc212a152cb8852bff7..bb817314da6b2161bc687ee946c06436062bc374 100755 (executable)
@@ -591,6 +591,10 @@ PHP_FUNCTION(enchant_broker_request_pwl_dict)
                RETURN_FALSE;
        }
 
+       if (strlen(pwl) != pwllen) {
+               RETURN_FALSE;
+       }
+
 #if PHP_API_VERSION < 20100412
        if ((PG(safe_mode) && (!php_checkuid(pwl, NULL, CHECKUID_CHECK_FILE_AND_DIR))) || php_check_open_basedir(pwl TSRMLS_CC)) {
 #else
index 81ee428e943234ef86f418b7475d500073b302b3..5802c0b2d2be64447ebb900eaf659262401e49ef 100644 (file)
@@ -294,6 +294,9 @@ PHP_FUNCTION(finfo_open)
        if (file_len == 0) {
                file = NULL;
        } else if (file && *file) { /* user specified file, perform open_basedir checks */
+               if (strlen(file) != file_len) {
+                       RETURN_FALSE;
+               }
                if (!VCWD_REALPATH(file, resolved_path)) {
                        RETURN_FALSE;
                }
index 7b4d780c7bd5e4e3d5a278fee5a46ee4cbec6d89..d2fd45ec91e3eda8c832d9904f2b01f7d5324830 100644 (file)
@@ -2642,6 +2642,9 @@ static void _php_image_output(INTERNAL_FUNCTION_PARAMETERS, int image_type, char
        }
 
        if (argc >= 2 && file_len) {
+               if (strlen(file) != file_len) {
+                       RETURN_FALSE;
+               }
                PHP_GD_CHECK_OPEN_BASEDIR(fn, "Invalid filename");
 
                fp = VCWD_FOPEN(fn, "wb");
@@ -4552,6 +4555,14 @@ static void _php_image_convert(INTERNAL_FUNCTION_PARAMETERS, int image_type )
        dest_width = width;
        int_threshold = threshold;
 
+       if (strlen(f_org) != f_org_len) {
+               RETURN_FALSE;
+       }
+
+       if (strlen(f_dest) != f_dest_len) {
+               RETURN_FALSE;
+       }
+
        /* Check threshold value */
        if (int_threshold < 0 || int_threshold > 8) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid threshold value '%d'", int_threshold);
index c25a7dc3ac0765751bb631f8c24a51477aee45ae..34ca64c4350f0806838b4034818013f745a41f78 100644 (file)
@@ -91,6 +91,9 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
        }
 
        if (argc > 1 && file_len) {
+               if (strlen(file) != file_len) {
+                       RETURN_FALSE;
+               }
                PHP_GD_CHECK_OPEN_BASEDIR(file, "Invalid filename");
 
                fp = VCWD_FOPEN(file, "wb");
index 408dd8b8759f952387b1c5788ba3fbdf82edfda8..866c61e7038cab7becd60a9205b2103386d39796 100644 (file)
@@ -1218,10 +1218,14 @@ static void php_imap_do_open(INTERNAL_FUNCTION_PARAMETERS, int persistent)
        }
 
        /* local filename, need to perform open_basedir and safe_mode checks */
-       if (mailbox[0] != '{' &&
-                       (php_check_open_basedir(mailbox TSRMLS_CC) ||
-                       (PG(safe_mode) && !php_checkuid(mailbox, NULL, CHECKUID_CHECK_FILE_AND_DIR)))) {
-               RETURN_FALSE;
+       if (mailbox[0] != '{') {
+               if (strlen(mailbox) != mailbox_len) {
+                       RETURN_FALSE;
+               }
+               if (php_check_open_basedir(mailbox TSRMLS_CC) ||
+                       (PG(safe_mode) && !php_checkuid(mailbox, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
+                       RETURN_FALSE;
+               }
        }
 
        IMAPG(imap_user)     = estrndup(user, user_len);
index abd4589db4b71e1e0ec18d952e6aa60762665c43..4d59ebfbe1bcd44fc6bccf95a8cc169d976cd68c 100644 (file)
@@ -276,6 +276,10 @@ PHP_FUNCTION(oci_lob_load)
                        return;
                }       
        }
+
+       if (strlen(filename) != filename_len) {
+               RETURN_FALSE;
+       }
        
        if (zend_hash_find(Z_OBJPROP_P(z_descriptor), "descriptor", sizeof("descriptor"), (void **)&tmp) == FAILURE) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to find descriptor property");
@@ -667,7 +671,7 @@ PHP_FUNCTION(oci_lob_erase)
                        RETURN_FALSE;
                }
        }
-       
+
        if (zend_hash_find(Z_OBJPROP_P(z_descriptor), "descriptor", sizeof("descriptor"), (void **)&tmp) == FAILURE) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to find descriptor property");
                RETURN_FALSE;
@@ -928,6 +932,10 @@ PHP_FUNCTION(oci_lob_export)
                /* nothing to write, fail silently */
                RETURN_FALSE;
        }
+
+       if (strlen(filename) != filename_len) {
+               RETURN_FALSE;
+       }
        
        if (PG(safe_mode) && (!php_checkuid(filename, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
                RETURN_FALSE;
index 907d1ca8e3005926fd1cced0d2b9dd052494e8ac..01fbe3831932d03cd585f30763079a24a26892da 100644 (file)
@@ -1317,8 +1317,11 @@ PHP_FUNCTION(odbc_execute)
                        if (Z_STRLEN_PP(tmp) > 2 &&
                                Z_STRVAL_PP(tmp)[0] == '\'' &&
                                Z_STRVAL_PP(tmp)[Z_STRLEN_PP(tmp) - 1] == '\'') {
+                               if (strlen(tmp) != Z_STRLEN_PP(tmp)) {
+                                       RETURN_FALSE;
+                               }
+
                                filename = estrndup(&Z_STRVAL_PP(tmp)[1], Z_STRLEN_PP(tmp) - 2);
-                               filename[strlen(filename)] = '\0';
 
                                /* Check for safe mode. */
                                if (PG(safe_mode) && (!php_checkuid(filename, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
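Review bot: `strlen(tmp)` is applied to `tmp` itself, which the surrounding lines dereference with Z_STRVAL_PP/Z_STRLEN_PP, so it is a zval pointer rather than the C string. The comparison therefore measures the wrong bytes and should read `if (strlen(Z_STRVAL_PP(tmp)) != Z_STRLEN_PP(tmp)) {`. The early `RETURN_FALSE` also leaves odbc_execute in the middle of its parameter handling; whether state allocated earlier is released the way other error paths do is not visible here and should be checked. The function starts and ends outside the hunk.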
index 0440aa7d16dfddba516630b1dd6df7c24c519fed..eb873deb9218aa3f53fa99474d57e0f1544e62a8 100644 (file)
@@ -1771,6 +1771,10 @@ PHP_FUNCTION(openssl_pkcs12_export_to_file)
                return;
 
        RETVAL_FALSE;
+
+       if (strlen(filename) != filename_len) {
+               return;
+       }
        
        cert = php_openssl_x509_from_zval(zcert, 0, &certresource TSRMLS_CC);
        if (cert == NULL) {
@@ -2219,6 +2223,10 @@ PHP_FUNCTION(openssl_csr_export_to_file)
        }
        RETVAL_FALSE;
 
+       if (strlen(filename) != filename_len) {
+               return;
+       }
+
        csr = php_openssl_csr_from_zval(&zcsr, 0, &csr_resource TSRMLS_CC);
        if (csr == NULL) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "cannot get CSR from parameter 1");
@@ -3003,6 +3011,10 @@ PHP_FUNCTION(openssl_pkey_export_to_file)
        }
        RETVAL_FALSE;
 
+       if (strlen(filename) != filename_len) {
+               return;
+       }
+
        key = php_openssl_evp_from_zval(zpkey, 0, passphrase, 0, &key_resource TSRMLS_CC);
 
        if (key == NULL) {
@@ -3395,7 +3407,14 @@ PHP_FUNCTION(openssl_pkcs7_encrypt)
                                &outfilename, &outfilename_len, &zrecipcerts, &zheaders, &flags, &cipherid) == FAILURE)
                return;
 
-       
+       if (strlen(infilename) != infilename_len) {
+               return;
+       }
+
+       if (strlen(outfilename) != outfilename_len) {
+               return;
+       }
+
        if (php_openssl_safe_mode_chk(infilename TSRMLS_CC) || php_openssl_safe_mode_chk(outfilename TSRMLS_CC)) {
                return;
        }
@@ -3527,14 +3546,22 @@ PHP_FUNCTION(openssl_pkcs7_sign)
        char * outfilename;     int outfilename_len;
        char * extracertsfilename = NULL; int extracertsfilename_len;
 
+       RETVAL_FALSE;
+
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ssZZa!|ls",
                                &infilename, &infilename_len, &outfilename, &outfilename_len,
                                &zcert, &zprivkey, &zheaders, &flags, &extracertsfilename,
                                &extracertsfilename_len) == FAILURE) {
                return;
        }
-       
-       RETVAL_FALSE;
+
+       if (strlen(infilename) != infilename_len) {
+               return;
+       }
+
+       if (strlen(outfilename) != outfilename_len) {
+               return;
+       }
 
        if (extracertsfilename) {
                others = load_all_certs_from_file(extracertsfilename);
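Review bot: `extracertsfilename` is parsed with its own length just above but gets no NUL-byte check, and it is passed to `load_all_certs_from_file(extracertsfilename)` on the last line of the hunk. For consistency with the checks on `infilename` and `outfilename`, add `if (extracertsfilename && strlen(extracertsfilename) != extracertsfilename_len) { return; }` before the `if (extracertsfilename)` block. The NULL guard is needed because the argument is optional and initialised to NULL. The function body continues outside the hunk.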
@@ -3631,12 +3658,20 @@ PHP_FUNCTION(openssl_pkcs7_decrypt)
        char * infilename;      int infilename_len;
        char * outfilename;     int outfilename_len;
 
+       RETVAL_FALSE;
+
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ssZ|Z", &infilename, &infilename_len,
                                &outfilename, &outfilename_len, &recipcert, &recipkey) == FAILURE) {
                return;
        }
 
-       RETVAL_FALSE;
+       if (strlen(infilename) != infilename_len) {
+               return;
+       }
+
+       if (strlen(outfilename) != outfilename_len) {
+               return;
+       }
 
        cert = php_openssl_x509_from_zval(recipcert, 0, &certresval TSRMLS_CC);
        if (cert == NULL) {
index 90231c2ab562c3bc1470b49d4c117d73f2943641..3308e95716f8ce36ee7082d594bc70bbdd62aeb9 100644 (file)
@@ -3339,6 +3339,10 @@ PHP_FUNCTION(pg_lo_import)
                WRONG_PARAM_COUNT;
        }
 
+       if (strlen(file_in) != name_len) {
+               RETURN_FALSE;
+       }
+
        if (PG(safe_mode) &&(!php_checkuid(file_in, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
                RETURN_FALSE;
        }
@@ -3476,6 +3480,10 @@ PHP_FUNCTION(pg_lo_export)
                RETURN_FALSE;
        }
 
+       if (strlen(file_out) != name_len) {
+               RETURN_FALSE;
+       }
+
        if (PG(safe_mode) &&(!php_checkuid(file_out, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
                RETURN_FALSE;
        }
index aeaae224b25571bf8f12c420a1cf62fe596a9cab..b4ba1aff0b66f3181adebd660ec5c4b577de7b94 100644 (file)
@@ -842,6 +842,10 @@ PHP_FUNCTION(posix_mkfifo)
                RETURN_FALSE;
        }
 
+       if (strlen(path) != path_len) {
+               RETURN_FALSE;
+       }
+
        if (php_check_open_basedir_ex(path, 0 TSRMLS_CC) ||
                        (PG(safe_mode) && (!php_checkuid(path, NULL, CHECKUID_ALLOW_ONLY_DIR)))) {
                RETURN_FALSE;
@@ -877,6 +881,10 @@ PHP_FUNCTION(posix_mknod)
                RETURN_FALSE;
        }
 
+       if (strlen(path) != path_len) {
+               RETURN_FALSE;
+       }
+
        if (php_check_open_basedir_ex(path, 0 TSRMLS_CC) ||
                        (PG(safe_mode) && (!php_checkuid(path, NULL, CHECKUID_ALLOW_ONLY_DIR)))) {
                RETURN_FALSE;
@@ -957,6 +965,10 @@ PHP_FUNCTION(posix_access)
                RETURN_FALSE;
        }
 
+       if (strlen(filename) != filename_len) {
+               RETURN_FALSE;
+       }
+
        path = expand_filepath(filename, NULL TSRMLS_CC);
        if (!path) {
                POSIX_G(last_error) = EIO;
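Review bot: The new rejection returns FALSE without setting `POSIX_G(last_error)`, whereas the `expand_filepath` failure right below records `EIO`. A script that calls posix_get_last_error() after a rejected path would read a stale value from an earlier call. Set an error code before returning, for example `POSIX_G(last_error) = EINVAL;` ahead of the `RETURN_FALSE`. The block that handles `!path` continues outside the hunk.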
index 0d508180d8dceaaec321d6a08332d382de2affb6..0a291902a19331388cc6a52bc8f5753a17f5ab8d 100644 (file)
@@ -402,6 +402,10 @@ static PHP_FUNCTION(pspell_new_personal)
        }
 #endif
 
+       if (strlen(personal) != personal_len) {
+               RETURN_FALSE;
+       }
+
        if (PG(safe_mode) && (!php_checkuid(personal, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
                delete_pspell_config(config);
                RETURN_FALSE;
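Review bot: The new early return skips `delete_pspell_config(config)`, which the safe_mode failure path directly below calls before `RETURN_FALSE`. A path with an embedded NUL therefore appears to leak the config object created earlier in pspell_new_personal (its creation is outside the hunk). Write the rejection as `if (strlen(personal) != personal_len) { delete_pspell_config(config); RETURN_FALSE; }`, or move the check ahead of the config allocation.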
@@ -834,6 +838,10 @@ static void pspell_config_path(INTERNAL_FUNCTION_PARAMETERS, char *option)
                return;
        }
 
+       if (strlen(value) != value_len) {
+               RETURN_FALSE;
+       }
+
        PSPELL_FETCH_CONFIG;
 
        if (PG(safe_mode) && (!php_checkuid(value, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
@@ -891,6 +899,10 @@ static PHP_FUNCTION(pspell_config_repl)
 
        pspell_config_replace(config, "save-repl", "true");
 
+       if (strlen(repl) != repl_len) {
+               RETURN_FALSE;
+       }
+
        if (PG(safe_mode) && (!php_checkuid(repl, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
                RETURN_FALSE;
        }
index 5fc562eeab01ada4a3fe963eadb0a824b8b302b6..c9673e868b264fab94238c35129342f2c8c7a207 100644 (file)
@@ -1560,6 +1560,9 @@ PHP_FUNCTION(sqlite_popen)
                ZVAL_NULL(errmsg);
        }
 
+       if (strlen(filename) != filename_len) {
+               RETURN_FALSE;
+       }
        if (strncmp(filename, ":memory:", sizeof(":memory:") - 1)) {
                /* resolve the fully-qualified path name to use as the hash key */
                if (!(fullpath = expand_filepath(filename, NULL TSRMLS_CC))) {
@@ -1637,6 +1640,9 @@ PHP_FUNCTION(sqlite_open)
                ZVAL_NULL(errmsg);
        }
 
+       if (strlen(filename) != filename_len) {
+               RETURN_FALSE;
+       }
        if (strncmp(filename, ":memory:", sizeof(":memory:") - 1)) {
                /* resolve the fully-qualified path name to use as the hash key */
                if (!(fullpath = expand_filepath(filename, NULL TSRMLS_CC))) {
@@ -1690,6 +1696,10 @@ PHP_FUNCTION(sqlite_factory)
                ZVAL_NULL(errmsg);
        }
 
+       if (strlen(filename) != filename_len) {
+               RETURN_FALSE;
+       }
+
        if (strncmp(filename, ":memory:", sizeof(":memory:") - 1)) {
                /* resolve the fully-qualified path name to use as the hash key */
                if (!(fullpath = expand_filepath(filename, NULL TSRMLS_CC))) {
index f5d321dbf94ab37abb5d2a629459c3b0870db402..8dcce7ca65747ba7a14c53ad16b0a19fa002911b 100644 (file)
@@ -114,6 +114,9 @@ PHP_METHOD(sqlite3, open)
                zend_throw_exception(zend_exception_get_default(TSRMLS_C), "Already initialised DB Object", 0 TSRMLS_CC);
        }
 
+       if (strlen(filename) != filename_len) {
+               return;
+       }
        if (strncmp(filename, ":memory:", 8) != 0) {
                if (!(fullpath = expand_filepath(filename, NULL TSRMLS_CC))) {
                        zend_throw_exception(zend_exception_get_default(TSRMLS_C), "Unable to expand filepath", 0 TSRMLS_CC);
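Review bot: The rejection path is a bare `return;` with no exception, while the adjacent failures in this method report through `zend_throw_exception`. A caller that relies on exceptions cannot tell a rejected filename from a successful open, and what the method hands back to PHP at this point is not visible in the hunk. Consider throwing here as well, for example `zend_throw_exception(zend_exception_get_default(TSRMLS_C), "Filename must not contain null bytes", 0 TSRMLS_CC);` before the `return;`. The method body extends outside the hunk.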
index cb056e1ac1548a6ed270235826a0ba9dae0606e5..c535678e513797076a482ebd8ff815b87ac35004 100644 (file)
@@ -4673,6 +4673,12 @@ PHP_FUNCTION(error_log)
                opt_err = erropt;
        }
 
+       if (opt_err == 3) {
+               if (strlen(opt) != opt_len) {
+                       RETURN_FALSE;
+               }
+       }
+
        if (_php_error_log_ex(opt_err, message, message_len, opt, headers TSRMLS_CC) == FAILURE) {
                RETURN_FALSE;
        }
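Review bot: `strlen(opt)` runs whenever `opt_err == 3`, but nothing in the hunk shows that `opt` is non-NULL at this point. If the destination argument is optional and left at NULL (its declaration and parsing are outside the hunk), calling error_log with type 3 and no destination would dereference NULL. Guarding with `if (opt_err == 3 && opt) {` keeps the check and leaves the missing-destination case to `_php_error_log_ex`.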
@@ -5161,6 +5167,10 @@ PHP_FUNCTION(highlight_file)
                RETURN_FALSE;
        }
 
+       if (strlen(filename) != filename_len) {
+               RETURN_FALSE;
+       }
+
        if (i) {
                php_start_ob_buffer (NULL, 0, 1 TSRMLS_CC);
        }
@@ -5207,6 +5217,10 @@ PHP_FUNCTION(php_strip_whitespace)
                RETURN_FALSE;
        }
 
+       if (strlen(filename) != filename_len) {
+               RETURN_FALSE;
+       }
+
        file_handle.type = ZEND_HANDLE_FILENAME;
        file_handle.filename = filename;
        file_handle.free_filename = 0;
@@ -5467,6 +5481,11 @@ PHP_FUNCTION(set_include_path)
                return;
        }
 
+       /* No nulls allowed in paths */
+       if (strlen(new_value) != new_value_len) {
+               RETURN_FALSE;
+       }
+
        old_value = zend_ini_string("include_path", sizeof("include_path"), 0);
        /* copy to return here, because alter might free it! */
        if (old_value) {
@@ -5777,6 +5796,10 @@ PHP_FUNCTION(is_uploaded_file)
                return;
        }
 
+       if (strlen(path) != path_len) {
+               RETURN_FALSE;
+       }
+
        if (zend_hash_exists(SG(rfc1867_uploaded_files), path, path_len + 1)) {
                RETURN_TRUE;
        } else {
@@ -5817,6 +5840,14 @@ PHP_FUNCTION(move_uploaded_file)
                RETURN_FALSE;
        }
 
+       if (strlen(path) != path_len) {
+               RETURN_FALSE;
+       }
+
+       if (strlen(new_path) != new_path_len) {
+               RETURN_FALSE;
+       }
+
        VCWD_UNLINK(new_path);
        if (VCWD_RENAME(path, new_path) == 0) {
                successful = 1;
@@ -5960,6 +5991,10 @@ PHP_FUNCTION(parse_ini_file)
                RETURN_FALSE;
        }
 
+       if (strlen(filename) != filename_len) {
+               RETURN_FALSE;
+       }
+
        /* Set callback function */
        if (process_sections) {
                BG(active_ini_file_section) = NULL;
index 470d886dd44a5fbb4a9aca94eb72615c08a76966..e5a02201418426c39afa41eb9cbe345212a689e5 100644 (file)
@@ -325,6 +325,10 @@ PHP_FUNCTION(chdir)
                RETURN_FALSE;
        }
 
+       if (strlen(str) != str_len) {
+               RETURN_FALSE;
+       }
+
        if ((PG(safe_mode) && !php_checkuid(str, NULL, CHECKUID_CHECK_FILE_AND_DIR)) || php_check_open_basedir(str TSRMLS_CC)) {
                RETURN_FALSE;
        }
@@ -436,6 +440,10 @@ PHP_FUNCTION(glob)
                return;
        }
 
+       if (strlen(pattern) != pattern_len) {
+               RETURN_FALSE;
+       }
+
        if (pattern_len >= MAXPATHLEN) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Pattern exceeds the maximum allowed length of %d characters", MAXPATHLEN);
                RETURN_FALSE;
@@ -557,6 +565,10 @@ PHP_FUNCTION(scandir)
                return;
        }
 
+       if (strlen(dirn) != dirn_len) {
+               RETURN_FALSE;
+       }
+
        if (dirn_len < 1) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Directory name cannot be empty");
                RETURN_FALSE;
index 953ca7928d5b50b079761e32c01eba80a4811c47..ef4b72462d61b1bcd4114c86c2a2e78f189a0e29 100644 (file)
@@ -386,6 +386,10 @@ PHP_FUNCTION(get_meta_tags)
                return;
        }
 
+       if (strlen(filename) != filename_len) {
+               RETURN_FALSE;
+       }
+
        md.stream = php_stream_open_wrapper(filename, "rb",
                        (use_include_path ? USE_PATH : 0) | ENFORCE_SAFE_MODE | REPORT_ERRORS,
                        NULL);
@@ -539,6 +543,10 @@ PHP_FUNCTION(file_get_contents)
                return;
        }
 
+       if (strlen(filename) != filename_len) {
+               RETURN_FALSE;
+       }
+
        if (ZEND_NUM_ARGS() == 5 && maxlen < 0) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "length must be greater than or equal to zero");
                RETURN_FALSE;
@@ -595,6 +603,10 @@ PHP_FUNCTION(file_put_contents)
                return;
        }
 
+       if (strlen(filename) != filename_len) {
+               RETURN_FALSE;
+       }
+
        if (Z_TYPE_P(data) == IS_RESOURCE) {
                php_stream_from_zval(srcstream, &data);
        }
@@ -739,6 +751,11 @@ PHP_FUNCTION(file)
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|lr!", &filename, &filename_len, &flags, &zcontext) == FAILURE) {
                return;
        }
+
+       if (strlen(filename) != filename_len) {
+               RETURN_FALSE;
+       }
+
        if (flags < 0 || flags > (PHP_FILE_USE_INCLUDE_PATH | PHP_FILE_IGNORE_NEW_LINES | PHP_FILE_SKIP_EMPTY_LINES | PHP_FILE_NO_DEFAULT_CONTEXT)) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "'%ld' flag is not supported", flags);
                RETURN_FALSE;
@@ -836,6 +853,14 @@ PHP_FUNCTION(tempnam)
                return;
        }
 
+       if (strlen(dir) != dir_len) {
+               RETURN_FALSE;
+       }
+
+       if (strlen(prefix) != prefix_len) {
+               RETURN_FALSE;
+       }
+
        if (PG(safe_mode) &&(!php_checkuid(dir, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
                RETURN_FALSE;
        }
@@ -894,6 +919,10 @@ PHP_NAMED_FUNCTION(php_if_fopen)
                RETURN_FALSE;
        }
 
+       if (strlen(filename) != filename_len) {
+               RETURN_FALSE;
+       }
+
        context = php_stream_context_from_zval(zcontext, 0);
 
        stream = php_stream_open_wrapper_ex(filename, mode, (use_include_path ? USE_PATH : 0) | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL, context);
@@ -1397,6 +1426,10 @@ PHP_FUNCTION(mkdir)
                RETURN_FALSE;
        }
 
+       if (strlen(dir) != dir_len) {
+               RETURN_FALSE;
+       }
+
        context = php_stream_context_from_zval(zcontext, 0);
 
        RETURN_BOOL(php_stream_mkdir(dir, mode, (recursive ? PHP_STREAM_MKDIR_RECURSIVE : 0) | REPORT_ERRORS, context));
@@ -1416,6 +1449,10 @@ PHP_FUNCTION(rmdir)
                RETURN_FALSE;
        }
 
+       if (strlen(dir) != dir_len) {
+               RETURN_FALSE;
+       }
+
        context = php_stream_context_from_zval(zcontext, 0);
 
        RETURN_BOOL(php_stream_rmdir(dir, REPORT_ERRORS, context));
@@ -1438,6 +1475,10 @@ PHP_FUNCTION(readfile)
                RETURN_FALSE;
        }
 
+       if (strlen(filename) != filename_len) {
+               RETURN_FALSE;
+       }
+
        context = php_stream_context_from_zval(zcontext, 0);
 
        stream = php_stream_open_wrapper_ex(filename, "rb", (use_include_path ? USE_PATH : 0) | ENFORCE_SAFE_MODE | REPORT_ERRORS, NULL, context);
@@ -1511,6 +1552,14 @@ PHP_FUNCTION(rename)
                RETURN_FALSE;
        }
 
+       if (strlen(old_name) != old_name_len) {
+               RETURN_FALSE;
+       }
+
+       if (strlen(new_name) != new_name_len) {
+               RETURN_FALSE;
+       }
+
        wrapper = php_stream_locate_url_wrapper(old_name, NULL, 0 TSRMLS_CC);
 
        if (!wrapper || !wrapper->wops) {
@@ -1548,6 +1597,10 @@ PHP_FUNCTION(unlink)
                RETURN_FALSE;
        }
 
+       if (strlen(filename) != filename_len) {
+               RETURN_FALSE;
+       }
+
        context = php_stream_context_from_zval(zcontext, 0);
 
        wrapper = php_stream_locate_url_wrapper(filename, NULL, 0 TSRMLS_CC);
@@ -1684,6 +1737,14 @@ PHP_FUNCTION(copy)
                return;
        }
 
+       if (strlen(source) != source_len) {
+               RETURN_FALSE;
+       }
+
+       if (strlen(target) != target_len) {
+               RETURN_FALSE;
+       }
+
        if (PG(safe_mode) &&(!php_checkuid(source, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
                RETURN_FALSE;
        }
@@ -2385,6 +2446,10 @@ PHP_FUNCTION(realpath)
                return;
        }
 
+       if (strlen(filename) != filename_len) {
+               RETURN_FALSE;
+       }
+
        if (VCWD_REALPATH(filename, resolved_path_buff)) {
                if (PG(safe_mode) && (!php_checkuid(resolved_path_buff, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
                        RETURN_FALSE;
@@ -2527,6 +2592,14 @@ PHP_FUNCTION(fnmatch)
                return;
        }
 
+       if (strlen(pattern) != pattern_len) {
+               RETURN_FALSE;
+       }
+
+       if (strlen(filename) != filename_len) {
+               RETURN_FALSE;
+       }
+       
        if (filename_len >= MAXPATHLEN) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Filename exceeds the maximum allowed length of %d characters", MAXPATHLEN);
                RETURN_FALSE;
index b38e6e78b91f46659dff37a0402e9c9fe4040693..cb40bbbd5fff36926cc0d47de8ac332254ce3e8a 100644 (file)
@@ -379,6 +379,10 @@ PHP_FUNCTION(disk_free_space)
                RETURN_FALSE;
        }
 
+       if (strlen(path) != path_len) {
+               RETURN_FALSE;
+       }
+
        if (php_disk_free_space(path, &bytesfree TSRMLS_CC) == SUCCESS) {
                RETURN_DOUBLE(bytesfree);
        }
@@ -399,6 +403,10 @@ static void php_do_chgrp(INTERNAL_FUNCTION_PARAMETERS, int do_lchgrp) /* {{{ */
                RETURN_FALSE;
        }
 
+       if (strlen(filename) != filename_len) {
+               RETURN_FALSE;
+       }
+
        if (Z_TYPE_P(group) == IS_LONG) {
                gid = (gid_t)Z_LVAL_P(group);
        } else if (Z_TYPE_P(group) == IS_STRING) {
@@ -500,6 +508,10 @@ static void php_do_chown(INTERNAL_FUNCTION_PARAMETERS, int do_lchown) /* {{{ */
                return;
        }
 
+       if (strlen(filename) != filename_len) {
+               RETURN_FALSE;
+       }
+
        if (Z_TYPE_P(user) == IS_LONG) {
                uid = (uid_t)Z_LVAL_P(user);
        } else if (Z_TYPE_P(user) == IS_STRING) {
@@ -607,6 +619,10 @@ PHP_FUNCTION(chmod)
                RETURN_FALSE;
        }
 
+       if (strlen(filename) != filename_len) {
+               RETURN_FALSE;
+       }
+
        /* Check the basedir */
        if (php_check_open_basedir(filename TSRMLS_CC)) {
                RETURN_FALSE;
@@ -660,6 +676,10 @@ PHP_FUNCTION(touch)
                return;
        }
 
+       if (strlen(filename) != filename_len) {
+               RETURN_FALSE;
+       }
+
        switch (argc) {
                case 1:
 #ifdef HAVE_UTIME_NULL
@@ -715,8 +735,9 @@ PHP_FUNCTION(touch)
 PHPAPI void php_clear_stat_cache(zend_bool clear_realpath_cache, const char *filename, int filename_len TSRMLS_DC)
 {
        /* always clear CurrentStatFile and CurrentLStatFile even if filename is not NULL
-        * as it may contains outdated data (e.g. "nlink" for a directory when deleting a file
+        * as it may contain outdated data (e.g. "nlink" for a directory when deleting a file
         * in this directory, as shown by lstat_stat_variation9.phpt) */
+
        if (BG(CurrentStatFile)) {
                efree(BG(CurrentStatFile));
                BG(CurrentStatFile) = NULL;
@@ -777,6 +798,10 @@ PHPAPI void php_stat(const char *filename, php_stat_len filename_length, int typ
                RETURN_FALSE;
        }
 
+       if (strlen(filename) != filename_length) {
+               RETURN_FALSE;
+       }
+
        if ((wrapper = php_stream_locate_url_wrapper(filename, &local, 0 TSRMLS_CC)) == &php_plain_files_wrapper) {
                if (php_check_open_basedir(local TSRMLS_CC)) {
                        RETURN_FALSE;
index 81d1c189e3832a2fd25d1ff43d2a0210c53016bf..7fccb1f3fc5bbeb0fb36f3faba601fdceb8a9573 100644 (file)
@@ -39,6 +39,10 @@ PHP_FUNCTION(ftok)
                return;
        }
 
+       if (strlen(pathname) != pathname_len) {
+               RETURN_FALSE;
+       }
+
        if (pathname_len == 0){
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Pathname is invalid");
                RETURN_LONG(-1);
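Review bot: The added guard in ftok returns FALSE, while the failure branch directly below it reports an invalid pathname with a warning and `RETURN_LONG(-1)`. Callers that test the result against -1 will not notice the rejection, and a FALSE key would likely be coerced to 0 by whatever consumes it (inferred, the consumers are not in this hunk). I would mirror the neighbouring branch: `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Pathname is invalid");` followed by `RETURN_LONG(-1);`. The function body continues outside the hunk.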
index 2eb2fab4c1afb8f28a0c76cf37071b234a26b907..22f103cd992963eb23de2c6c78b5fffb48c010f3 100644 (file)
@@ -190,6 +190,10 @@ PHP_FUNCTION(iptcembed)
                return;
        }
 
+       if (strlen(jpeg_file) != jpeg_file_len) {
+               RETURN_FALSE;
+       }
+
        if (PG(safe_mode) && (!php_checkuid(jpeg_file, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
                RETURN_FALSE;
        }
index f2de0193029185b2237fbf09a87e1fa9bf0f00de..d69dcfa109417c7d12aa97d137407238a8883a4e 100644 (file)
@@ -64,6 +64,10 @@ PHP_FUNCTION(readlink)
                return;
        }
 
+       if (strlen(link) != link_len) {
+               RETURN_FALSE;
+       }
+
        if (PG(safe_mode) && !php_checkuid(link, NULL, CHECKUID_CHECK_FILE_AND_DIR)) {
                RETURN_FALSE;
        }
@@ -123,6 +127,14 @@ PHP_FUNCTION(symlink)
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &topath, &topath_len, &frompath, &frompath_len) == FAILURE) {
                return;
        }
+
+       if (strlen(topath) != topath_len) {
+               RETURN_FALSE;
+       }
+
+       if (strlen(frompath) != frompath_len) {
+               RETURN_FALSE;
+       }
        
        if (!expand_filepath(frompath, source_p TSRMLS_CC)) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "No such file or directory");
@@ -188,6 +200,14 @@ PHP_FUNCTION(link)
                return;
        }
 
+       if (strlen(topath) != topath_len) {
+               RETURN_FALSE;
+       }
+
+       if (strlen(frompath) != frompath_len) {
+               RETURN_FALSE;
+       }
+
        if (!expand_filepath(frompath, source_p TSRMLS_CC) || !expand_filepath(topath, dest_p TSRMLS_CC)) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "No such file or directory");
                RETURN_FALSE;
index dfc15d97f0257aa9f3c8da57f5ac40aa53efb472..5a8cc0d1fa9368d70b2d316f412492a30de946a9 100644 (file)
@@ -567,6 +567,9 @@ static void php_tidy_quick_repair(INTERNAL_FUNCTION_PARAMETERS, zend_bool is_fil
        }
        
        if (is_file) {
+               if (strlen(arg1) != arg1_len) {
+                       RETURN_FALSE;
+               }
                if (!(data = php_tidy_file_to_mem(arg1, use_include_path, &data_len TSRMLS_CC))) {
                        RETURN_FALSE;
                }
@@ -1221,6 +1224,9 @@ static PHP_FUNCTION(tidy_parse_file)
                RETURN_FALSE;
        }
 
+       if (strlen(inputfile) != input_len) {
+               RETURN_FALSE;
+       }
        tidy_instanciate(tidy_ce_doc, return_value TSRMLS_CC);
        obj = (PHPTidyObj *) zend_object_store_get_object(return_value TSRMLS_CC);
 
@@ -1534,10 +1540,13 @@ static TIDY_DOC_METHOD(__construct)
                                                          &options, &enc, &enc_len, &use_include_path) == FAILURE) {
                RETURN_FALSE;
        }
-       
+
        obj = (PHPTidyObj *)zend_object_store_get_object(object TSRMLS_CC);
        
        if (inputfile) {
+               if (strlen(inputfile) != input_len) {
+                       RETURN_FALSE;
+               }
                if (!(contents = php_tidy_file_to_mem(inputfile, use_include_path, &contents_len TSRMLS_CC))) {
                        php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot Load '%s' into memory %s", inputfile, (use_include_path) ? "(Using include path)" : "");
                        return;
@@ -1568,7 +1577,10 @@ static TIDY_DOC_METHOD(parseFile)
                                                          &options, &enc, &enc_len, &use_include_path) == FAILURE) {
                RETURN_FALSE;
        }
-       
+
+       if (strlen(inputfile) != input_len) {
+               RETURN_FALSE;
+       }
        if (!(contents = php_tidy_file_to_mem(inputfile, use_include_path, &contents_len TSRMLS_CC))) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot Load '%s' into memory %s", inputfile, (use_include_path) ? "(Using include path)" : "");
                RETURN_FALSE;
index 1907f093b498181a2d324ff6684d81294567f8ec..f111d64978e6d4550cf74998752bf40a3208a213 100644 (file)
@@ -642,6 +642,9 @@ PHP_FUNCTION(xsl_xsltprocessor_transform_to_uri)
 
        ret = -1;
        if (newdocp) {
+               if (strlen(uri) != uri_len) {
+                       RETURN_FALSE;
+               }
                ret = xsltSaveResultToFilename(uri, newdocp, sheetp, 0);
                xmlFreeDoc(newdocp);
        }
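Review bot: The early `RETURN_FALSE` added inside `if (newdocp)` skips the `xmlFreeDoc(newdocp)` two lines below, so the transformed document leaks whenever the URI contains a NUL byte. Either free before returning, `xmlFreeDoc(newdocp); RETURN_FALSE;`, or move the length check ahead of the transformation so that no work is done for a rejected URI. The call that produces newdocp is outside this hunk.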
@@ -845,7 +848,7 @@ PHP_FUNCTION(xsl_xsltprocessor_set_profiling)
                if (intern->profiling) {
                        efree(intern->profiling);
                }
-               if (filename != NULL) {
+               if (filename != NULL && strlen(filename) == filename_len) {
                        intern->profiling = estrndup(filename,filename_len);
                } else {
                        intern->profiling = NULL;
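Review bot: With the combined condition `filename != NULL && strlen(filename) == filename_len`, a filename containing a NUL byte falls into the `else` branch and sets `intern->profiling = NULL`, after the previous value has already been freed. That silently turns profiling off instead of rejecting the call, and the function presumably still reports success (its return is outside the hunk). I would reject first, before the `efree`: `if (filename != NULL && strlen(filename) != filename_len) { RETURN_FALSE; }`, and leave the original `filename != NULL` test unchanged.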
index e89682546f614ffacbe8d6725457f3fcc8017bdf..5c291381c51ef93f8e19e26f3c739448740506d2 100644 (file)
@@ -1148,6 +1148,10 @@ static PHP_NAMED_FUNCTION(zif_zip_open)
                RETURN_FALSE;
        }
 
+       if (strlen(filename) != filename_len) {
+               RETURN_FALSE;
+       }
+
        if (ZIP_OPENBASEDIR_CHECKPATH(filename)) {
                RETURN_FALSE;
        }
@@ -1437,6 +1441,10 @@ static ZIPARCHIVE_METHOD(open)
                RETURN_FALSE;
        }
 
+       if (strlen(filename) != filename_len) {
+               RETURN_FALSE;
+       }
+
        if (ZIP_OPENBASEDIR_CHECKPATH(filename)) {
                RETURN_FALSE;
        }
@@ -2363,6 +2371,10 @@ static ZIPARCHIVE_METHOD(extractTo)
                RETURN_FALSE;
        }
 
+       if (strlen(pathto) != pathto_len) {
+               RETURN_FALSE;
+       }
+
        if (php_stream_stat_path(pathto, &ssb) < 0) {
                ret = php_stream_mkdir(pathto, 0777,  PHP_STREAM_MKDIR_RECURSIVE, NULL);
                if (!ret) {
@@ -2449,6 +2461,9 @@ static void php_zip_get_from(INTERNAL_FUNCTION_PARAMETERS, int type) /* {{{ */
                if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|ll", &filename, &filename_len, &len, &flags) == FAILURE) {
                        return;
                }
+               if (strlen(filename) != filename_len) {
+                       return;
+               }
                PHP_ZIP_STAT_PATH(intern, filename, filename_len, flags, sb);
        } else {
                if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "l|ll", &index, &len, &flags) == FAILURE) {
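Review bot: This guard in php_zip_get_from uses a bare `return;`, whereas the other path checks added in this file use `RETURN_FALSE;`. With a bare return the result is whatever the return value was initialised to (presumably NULL, the initialisation is not visible here), so a caller doing a strict comparison against FALSE would miss the rejection. I would write `RETURN_FALSE;` here for consistency. The function continues outside the hunk.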
index 8bc649ef55553451d82221c8215cc8524a9e6935..303ff55525429c4dac49c47e3fbe9c3c0b4cdf7c 100644 (file)
@@ -538,6 +538,10 @@ PHPAPI char *php_resolve_path(const char *filename, int filename_length, const c
                return NULL;
        }
 
+       if (strlen(filename) != filename_length) {
+               return NULL;
+       }
+
        /* Don't resolve paths which contain protocol (except of file://) */
        for (p = filename; isalnum((int)*p) || *p == '+' || *p == '-' || *p == '.'; p++);
        if ((*p == ':') && (p - filename > 1) && (p[1] == '/') && (p[2] == '/')) {
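Review bot: `strlen(filename) != filename_length` compares a `size_t` with the `int` parameter shown in the hunk header, which draws sign-compare warnings and relies on implicit conversion when the length is negative. That case is still rejected, but I would make the intent explicit: `if (filename_length < 0 || strlen(filename) != (size_t)filename_length) {`. A short comment such as `/* reject paths with embedded NUL bytes */` above the check would also help, since none of the added guards say why the two lengths are compared. php_resolve_path continues outside the hunk.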