From: Pierre Joye <pajoye@php.net>
Date: Thu, 4 Feb 2010 09:40:38 +0000 (+0000)
Subject: - Fixed a possible open_basedir/safe_mode bypass in session extension
X-Git-Tag: php-5.3.2RC2~43
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a10aaa35e9d9c3bfff7d10d8812119ee931e24cb;p=php

- Fixed a possible open_basedir/safe_mode bypass in session extension
---

diff --git a/ext/session/session.c b/ext/session/session.c
index ea3530dcdb..0ef856c9bf 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -687,8 +687,13 @@ static PHP_INI_MH(OnUpdateSaveDir) /* {{{ */
 			return FAILURE;
 		}
 
-		if ((p = zend_memrchr(new_value, ';', new_value_length))) {
+		/* we do not use zend_memrchr() since path can contain ; itself */
+		if ((p = strchr(new_value, ';'))) {
+			char *p2;
 			p++;
+			if ((p2 = strchr(p, ';'))) {
+				p = p2 + 1;
+			}
 		} else {
 			p = new_value;
 		}