From: Ilia Alshanetsky
Date: Tue, 12 Jun 2007 12:57:43 +0000 (+0000)
Subject: MFB: Fixed bug #41655 (open_basedir bypass via glob())
X-Git-Tag: BEFORE_IMPORT_OF_MYSQLND~472
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a78d9e4ca07e4643b7da8d6aaa4b80ea9a4b8f5c;p=php
MFB: Fixed bug #41655 (open_basedir bypass via glob())
---
diff --git a/ext/standard/dir.c b/ext/standard/dir.c
index 8b6fdc1329..c8f77e49a2 100644
--- a/ext/standard/dir.c
+++ b/ext/standard/dir.c
@@ -385,7 +385,6 @@ PHP_NAMED_FUNCTION(php_if_readdir)
 Find pathnames matching a pattern */
 PHP_FUNCTION(glob)
 {
- char cwd[MAXPATHLEN];
 int cwd_skip = 0;
 #ifdef ZTS
 char work_pattern[MAXPATHLEN];
@@ -422,6 +421,19 @@ PHP_FUNCTION(glob)
 }
 #endif
+ if (PG(open_basedir) && *PG(open_basedir)) {
+ size_t base_len = php_dirname(pattern, strlen(pattern));
+ char pos = pattern[base_len];
+
+ pattern[base_len] = '\0';
+
+ if (php_check_open_basedir(pattern TSRMLS_CC)) {
+ RETURN_FALSE;
+ }
+
+ pattern[base_len] = pos;
+ }
+
 globbuf.gl_offs = 0;
 if (0 != (ret = glob(pattern, flags & GLOB_FLAGMASK, NULL, &globbuf))) {
 #ifdef GLOB_NOMATCH
@@ -447,14 +459,6 @@ PHP_FUNCTION(glob)
 return;
 }
- /* we assume that any glob pattern will match files from one directory only
- so checking the dirname of the first match should be sufficient */
- strlcpy(cwd, globbuf.gl_pathv[0], MAXPATHLEN);
-
- if (php_check_open_basedir(cwd TSRMLS_CC)) {
- RETURN_FALSE;
- }
-
 array_init(return_value);
 for (n = 0; n < globbuf.gl_pathc; n++) {
 /* we need to do this everytime since GLOB_ONLYDIR does not guarantee that
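Review bot: The open_basedir test added before the glob() call looks only at the directory prefix of the pattern, and the last hunk removes the only check on what glob() actually returned, so after this commit no matched path is compared with open_basedir. A directory prefix can itself contain metacharacters, so it does not bound where matches land; I would keep a per-result test in the result loop, e.g. `if (php_check_open_basedir(globbuf.gl_pathv[n] TSRMLS_CC)) { continue; }`. Separately, `pos` is read after php_dirname() has already run on the same buffer: if php_dirname() terminates the string in place (I believe it does, please confirm), `pos` is always the terminator and `pattern[base_len] = pos` leaves the pattern truncated to its directory, so the check should run on a copy such as a local `char dir[MAXPATHLEN]`. PHP_FUNCTION(glob) starts and ends outside this hunk, so how `pattern` is obtained is not visible here.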