- MFB: #45997, safe_mode bypass with exec/sytem/passthru (windows only)
authorPierre Joye <pajoye@php.net>
Thu, 30 Apr 2009 15:25:37 +0000 (15:25 +0000)
committerPierre Joye <pajoye@php.net>
Thu, 30 Apr 2009 15:25:37 +0000 (15:25 +0000)
ext/standard/exec.c

index c4378186bd0f5a247e2c809a5a7224d18cb04ade..65fe95115f15be2ed3c1bb7f1fdf4baa425b1d81 100644 (file)
@@ -79,7 +79,16 @@ PHPAPI int php_exec(int type, char *cmd, zval *array, zval *return_value TSRMLS_
                        php_error_docref(NULL TSRMLS_CC, E_WARNING, "No '..' components allowed in path");
                        goto err;
                }
+               
                b = strrchr(cmd, PHP_DIR_SEPARATOR);
+
+#ifdef PHP_WIN32
+               if (b && *b == '\\' && b == cmd) {
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid absolute path.");
+                       goto err;
+               }
+#endif
+
                spprintf(&d, 0, "%s%s%s%s%s", PG(safe_mode_exec_dir), (b ? "" : "/"), (b ? b : cmd), (c ? " " : ""), (c ? c : ""));
                if (c) {
                        *(c - 1) = ' ';
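Review bot: In the PHP_WIN32 guard, `*b == '\\'` is redundant: `b` was just returned by `strrchr(cmd, PHP_DIR_SEPARATOR)`, so assuming PHP_DIR_SEPARATOR is the backslash on Windows builds it always points at one when non-NULL, and the test reduces to `if (b == cmd) {`. The lookup also sees only backslashes, while Windows accepts `/` as a separator too, so it is worth confirming that a command written with forward slashes is normalised or rejected by code outside this hunk before it reaches the `spprintf` that builds the path under `safe_mode_exec_dir`. I would add a comment above the guard such as `/* #45997: reject a command whose only separator is a leading backslash (safe_mode bypass on Windows) */`, because the condition alone does not say why this shape is refused. php_exec's body starts and ends outside the hunk.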