From: Ilia Alshanetsky Date: Tue, 12 Jun 2007 12:53:08 +0000 (+0000) Subject: Fixed bug #41655 (open_basedir bypass via glob()) X-Git-Tag: php-5.2.4RC1~363 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=06b4c66f024d1cba4880c8ebe2f8a39f48382913;p=php Fixed bug #41655 (open_basedir bypass via glob()) --- diff --git a/NEWS b/NEWS index d86215930c..917d5ec6ac 100644 --- a/NEWS +++ b/NEWS @@ -25,6 +25,7 @@ PHP NEWS - Fixed PECL bug #11216 (crash in ZipArchive::addEmptyDir when a directory already exists). (Pierre) +- Fixed bug #41655 (open_basedir bypass via glob()). (Ilia) - Fixed bug #41640 (get_class_vars produces error on class constants). (Johannes) - Fixed bug #41630 (segfault when an invalid color index is present in @@ -46,8 +47,7 @@ PHP NEWS with ini_set()). (Tony, Dmitry) - Fixed bug #41555 (configure failure: regression caused by fix for #41265). (Jani) -- Fixed bug #41527 (WDDX deserialize numeric string array key). (php_lists - at realplain dot com, Ilia) +- Fixed bug #41527 (WDDX deserialize numeric string array key). (Matt, Ilia) - Fixed bug #41518 (file_exists() warns of open_basedir restriction on non-existent file). (Tony) - Fixed bug #39330 (apache2handler does not call shutdown actions before diff --git a/ext/standard/dir.c b/ext/standard/dir.c index 9159ac8d6e..7a7f4c4149 100644 --- a/ext/standard/dir.c +++ b/ext/standard/dir.c @@ -24,6 +24,7 @@ #include "fopen_wrappers.h" #include "file.h" #include "php_dir.h" +#include "php_string.h" #include "php_scandir.h" #ifdef HAVE_DIRENT_H @@ -361,7 +362,6 @@ PHP_NAMED_FUNCTION(php_if_readdir) Find pathnames matching a pattern */ PHP_FUNCTION(glob) { - char cwd[MAXPATHLEN]; int cwd_skip = 0; #ifdef ZTS char work_pattern[MAXPATHLEN]; @@ -395,6 +395,22 @@ PHP_FUNCTION(glob) } #endif + if (PG(safe_mode) || (PG(open_basedir) && *PG(open_basedir))) { + size_t base_len = php_dirname(pattern, strlen(pattern)); + char pos = pattern[base_len]; + + pattern[base_len] = '\0'; + + if (PG(safe_mode) && (!php_checkuid(pattern, NULL, CHECKUID_CHECK_FILE_AND_DIR))) { + RETURN_FALSE; + } + if (php_check_open_basedir(pattern TSRMLS_CC)) { + RETURN_FALSE; + } + + pattern[base_len] = pos; + } + globbuf.gl_offs = 0; if (0 != (ret = glob(pattern, flags & GLOB_FLAGMASK, NULL, &globbuf))) { #ifdef GLOB_NOMATCH @@ -420,16 +436,6 @@ PHP_FUNCTION(glob) return; } - /* we assume that any glob pattern will match files from one directory only - so checking the dirname of the first match should be sufficient */ - strlcpy(cwd, globbuf.gl_pathv[0], MAXPATHLEN); - if (PG(safe_mode) && (!php_checkuid(cwd, NULL, CHECKUID_CHECK_FILE_AND_DIR))) { - RETURN_FALSE; - } - if (php_check_open_basedir(cwd TSRMLS_CC)) { - RETURN_FALSE; - } - array_init(return_value); for (n = 0; n < globbuf.gl_pathc; n++) { /* we need to do this everytime since GLOB_ONLYDIR does not guarantee that