#endif
SG(request_info).request_method = sapi_cgibin_getenv("REQUEST_METHOD",0 TSRMLS_CC);
SG(request_info).query_string = sapi_cgibin_getenv("QUERY_STRING",0 TSRMLS_CC);
- if (script_path_translated)
+ /* some server configurations allow '..' to slip through in the
+ translated path. We'll just refuse to handle such a path. */
+ if (script_path_translated && !strstr(script_path_translated,".."))
SG(request_info).path_translated = estrdup(script_path_translated);
SG(request_info).content_type = (content_type ? content_type : "" );
SG(request_info).content_length = (content_length?atoi(content_length):0);
#endif
file_handle.type = ZEND_HANDLE_FILENAME;
file_handle.opened_path = NULL;
+ /* some server configurations allow '..' to slip through in the
+ translated path. We'll just refuse to handle such a path. */
+ if (strstr(SG(request_info).path_translated,"..")) {
+ SG(sapi_headers).http_response_code = 404;
+ efree(SG(request_info).path_translated);
+ SG(request_info).path_translated = NULL;
+ }
php_execute_script(&file_handle TSRMLS_CC);
if (SG(request_info).cookie_data) {
efree(SG(request_info).cookie_data);
}
- efree(SG(request_info).path_translated);
+ if (SG(request_info).path_translated)
+ efree(SG(request_info).path_translated);
#ifdef PHP_ENABLE_SEH
} __except(exceptionhandler(&e, GetExceptionInformation())) {
char buf[1024];
projects / php / commitdiff