From: Dmitry Stogov <dmitry@php.net>
Date: Thu, 13 Mar 2008 14:10:08 +0000 (+0000)
Subject: Disable path resolution for filenames with stream wrappers
X-Git-Tag: RELEASE_2_0_0a1~146
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ab77e14ad2031894d10ec5eb2dc1ca40d988da6d;p=php

Disable path resolution for filenames with stream wrappers
More careful check for relative pathes (./xxx and ../xxx)
---

diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c
index d54e26aa72..5aa95c19c0 100644
--- a/main/fopen_wrappers.c
+++ b/main/fopen_wrappers.c
@@ -454,13 +454,21 @@ PHPAPI char *php_resolve_path(const char *filename, int filename_length, const c
 {
 	char resolved_path[MAXPATHLEN];
 	char trypath[MAXPATHLEN];
-	char *ptr, *end;
+	const char *ptr, *end, *p;
 
 	if (!filename) {
 		return NULL;
 	}
 
-	if (*filename == '.' ||
+	/* Don't resolve patches which contain protocol */
+	for (p = filename; isalnum((int)*p) || *p == '+' || *p == '-' || *p == '.'; p++);
+    if ((*p == ':') && (p - filename > 1) && (p[1] == '/') && (p[2] == '/')) {
+    	return NULL;
+    }
+
+	if ((*filename == '.' && 
+	     (IS_SLASH(filename[1]) || 
+	      ((filename[1] == '.') && IS_SLASH(filename[2])))) ||
 	    IS_ABSOLUTE_PATH(filename, filename_length) ||
 	    !path ||
 	    !*path) {