From: Ilia Alshanetsky <iliaa@php.net>
Date: Sun, 27 May 2007 17:33:39 +0000 (+0000)
Subject: Fixed bug #41492 (open_basedir/safe_mode bypass inside realpath()).
X-Git-Tag: php-5.2.3~26
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6f61e8472780eae3ddcb566baefba0538ea53059;p=php

Fixed bug #41492 (open_basedir/safe_mode bypass inside realpath()).
---

diff --git a/NEWS b/NEWS
index 7fddee2aad..2dfc4b049c 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,7 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? Jun 2007, PHP 5.2.3
 - Fixed bug #41511 (Compile failure under IRIX 6.5.30 building md5.c). (Jani)
+- Fixed bug #41492 (open_basedir/safe_mode bypass inside realpath()). (Ilia)
 - Fixed bug #41504 (json_decode() incorrectly decodes JSON arrays with empty
   string keys). (Ilia)
 - Fixed bug #41236 (Regression in timeout handling of non-blocking SSL
diff --git a/ext/standard/file.c b/ext/standard/file.c
index 870972b366..e6dd5d71a4 100644
--- a/ext/standard/file.c
+++ b/ext/standard/file.c
@@ -2371,6 +2371,14 @@ PHP_FUNCTION(realpath)
 	convert_to_string_ex(path);
 
 	if (VCWD_REALPATH(Z_STRVAL_PP(path), resolved_path_buff)) {
+		if (PG(safe_mode) && (!php_checkuid(resolved_path_buff, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
+			RETURN_FALSE;
+		}
+
+		if (php_check_open_basedir(resolved_path_buff TSRMLS_CC)) {
+			RETURN_FALSE;
+		}
+
 #ifdef ZTS
 		if (VCWD_ACCESS(resolved_path_buff, F_OK)) {
 			RETURN_FALSE;