Fixed bug #33072 - Add a safemode/open_basedir check for runtime save_path
authorRasmus Lerdorf <rasmus@php.net>
Sat, 21 May 2005 19:46:34 +0000 (19:46 +0000)
committerRasmus Lerdorf <rasmus@php.net>
Sat, 21 May 2005 19:46:34 +0000 (19:46 +0000)
change

NEWS
ext/session/session.c

diff --git a/NEWS b/NEWS
index 2404527caa8c1d12758eeac3cf76c9edd6070dfe..19c47da013fb23b1d0c42977bf88de347d09e1fa 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,8 @@ PHP 4                                                                      NEWS
   them sort based on the current locale. (Derick)
 - Changed sha1_file() and md5_file() functions to use streams instead of 
   low level IO. (Uwe)
+- Fixed bug #33072 (Add a safemode/open_basedir check for runtime save_path 
+  change) (Rasmus)
 - Fixed bug #33057 (Don't send extraneous entity-headers on a 304 as per
   RFC 2616 section 10.3.5) (Rasmus, Choitel)
 - Fixed bug #33019 (socket errors cause memory leaks in php_strerror()). 
index 9904e7a9e74e65e5d8fdb5cebc606ceaa52861b2..7825a7afe192c3199dd308ddec2add6568f57028 100644 (file)
@@ -117,6 +117,19 @@ static PHP_INI_MH(OnUpdateSerializer)
        return SUCCESS;
 }
 
+static PHP_INI_MH(OnUpdateSaveDir) {
+       /* Only do the safemode/open_basedir check at runtime */
+       if(stage == PHP_INI_STAGE_RUNTIME) {
+               if (PG(safe_mode) && (!php_checkuid(new_value, NULL, CHECKUID_ALLOW_ONLY_DIR))) {
+                       return FAILURE;
+               }
+
+               if (php_check_open_basedir(new_value TSRMLS_CC)) {
+                       return FAILURE;
+               }
+       }
+       OnUpdateString(entry, new_value, new_value_length, mh_arg1, mh_arg2, mh_arg3, stage TSRMLS_CC);
+}
 
 /* {{{ PHP_INI
  */
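Review bot: `OnUpdateSaveDir` reaches its closing brace without returning a value, because the final `OnUpdateString(...)` call discards its result while the earlier branches `return FAILURE`. Once both checks pass, the handler's return value is therefore indeterminate, so the ini layer may treat an accepted `session.save_path` change as rejected, or miss a failure reported by `OnUpdateString`. The last statement should be `return OnUpdateString(entry, new_value, new_value_length, mh_arg1, mh_arg2, mh_arg3, stage TSRMLS_CC);`. A one-line comment above the function noting that both checks fail closed and that non-runtime stages are deliberately left unchecked would also help the next reader.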
@@ -124,9 +137,9 @@ PHP_INI_BEGIN()
        STD_PHP_INI_BOOLEAN("session.bug_compat_42",    "1",         PHP_INI_ALL, OnUpdateBool,   bug_compat,         php_ps_globals,    ps_globals)
        STD_PHP_INI_BOOLEAN("session.bug_compat_warn",  "1",         PHP_INI_ALL, OnUpdateBool,   bug_compat_warn,    php_ps_globals,    ps_globals)
 #ifdef PHP_WIN32
-       STD_PHP_INI_ENTRY("session.save_path",          "",      PHP_INI_ALL, OnUpdateString, save_path,          php_ps_globals,    ps_globals)
+       STD_PHP_INI_ENTRY("session.save_path",          "",          PHP_INI_ALL, OnUpdateSaveDir,save_path,          php_ps_globals,    ps_globals)
 #else
-       STD_PHP_INI_ENTRY("session.save_path",          "/tmp",      PHP_INI_ALL, OnUpdateString, save_path,          php_ps_globals,    ps_globals)
+       STD_PHP_INI_ENTRY("session.save_path",          "/tmp",      PHP_INI_ALL, OnUpdateSaveDir,save_path,          php_ps_globals,    ps_globals)
 #endif
        STD_PHP_INI_ENTRY("session.name",               "PHPSESSID", PHP_INI_ALL, OnUpdateString, session_name,       php_ps_globals,    ps_globals)
        PHP_INI_ENTRY("session.save_handler",           "files",     PHP_INI_ALL, OnUpdateSaveHandler)
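Review bot: Both `session.save_path` entries stay `PHP_INI_ALL`, so the new `OnUpdateSaveDir` handler is the only restriction on a script-supplied path, and it checks only when `stage == PHP_INI_STAGE_RUNTIME`. It is worth confirming that every other way of changing the save path (for example `session_save_path()`, which is not visible in this diff) goes through this ini handler with the runtime stage rather than writing `save_path` directly. As a style point, `OnUpdateSaveDir,save_path` lost the space after the comma that the neighbouring entries use for column alignment.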