From: Ilia Alshanetsky <iliaa@php.net>
Date: Wed, 5 Oct 2005 14:34:38 +0000 (+0000)
Subject: MFH: Missing safe_mode/open_basedir checks for file uploads.
X-Git-Tag: php-4.4.1RC1~7
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3c63f4f09f5fb187ea49cf413c03acade2e4aa62;p=php

MFH: Missing safe_mode/open_basedir checks for file uploads.
---

diff --git a/NEWS b/NEWS
index 5872304d2e..02f68f98ab 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
 PHP 4                                                                      NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2005, Version 4.4.1
+- Added missing safe_mode/open_basedir checks for file uploads. (Ilia)
 - Fixed possible INI setting leak via virtual() in Apache 2 sapi. (Ilia)
 - Fixed possible crash and/or memory corruption in import_request_variables().
   (Ilia)
diff --git a/ext/curl/curl.c b/ext/curl/curl.c
index 27192695f7..3468dfc576 100644
--- a/ext/curl/curl.c
+++ b/ext/curl/curl.c
@@ -992,10 +992,15 @@ PHP_FUNCTION(curl_setopt)
 				
 					postval = Z_STRVAL_PP(current);
 					if (*postval == '@') {
+						++postval;
+						/* safe_mode / open_basedir check */
+						if (php_check_open_basedir(postval TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(postval, "rb+", CHECKUID_CHECK_MODE_PARAM))) {
+							RETURN_FALSE;
+						}
 						error = curl_formadd(&first, &last, 
 											 CURLFORM_COPYNAME, string_key,
 											 CURLFORM_NAMELENGTH, (long)string_key_len - 1,
-											 CURLFORM_FILE, ++postval, 
+											 CURLFORM_FILE, postval, 
 											 CURLFORM_END);
 					}
 					else {