From: Ilia Alshanetsky
Date: Sun, 31 Jan 2010 18:06:29 +0000 (+0000)
Subject: Fixed a possible open_basedir/safe_mode bypass in session extension identified by...
X-Git-Tag: php-5.4.0alpha1~354
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=dff4e7fda131f3f25204d7f6e2e549731bedad88;p=php
Fixed a possible open_basedir/safe_mode bypass in session extension identified by Grzegorz Stachowiak.
---
diff --git a/NEWS b/NEWS
index b03bb05097..7f2d0ce724 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,8 @@ PHP NEWS
 - Upgraded bundled sqlite to version 3.6.22. (Ilia)
 - Upgraded bundled libmagic to version 5.03. (Mikko)
+- Fixed a possible open_basedir/safe_mode bypass in session extension
+ identified by Grzegorz Stachowiak. (Ilia)
 - Improved LCG entropy. (Rasmus, Samy Kamkar)
 - Added libpng 1.4.0 support. (Pierre)
diff --git a/ext/session/session.c b/ext/session/session.c
index ea3530dcdb..0ef856c9bf 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -687,8 +687,13 @@ static PHP_INI_MH(OnUpdateSaveDir) /* {{{ */
 return FAILURE;
 }
- if ((p = zend_memrchr(new_value, ';', new_value_length))) {
+ /* we do not use zend_memrchr() since path can contain ; itself */
+ if ((p = strchr(new_value, ';'))) {
+ char *p2;
 p++;
+ if ((p2 = strchr(p, ';'))) {
+ p = p2 + 1;
+ }
 } else {
 p = new_value;
 }
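Review bot: The prefix skipping added under `if ((p = strchr(new_value, ';')))` in ext/session/session.c hard-codes "skip at most two `;`-separated fields, then treat the rest as the directory". The code that later splits and opens the save path is not in this hunk, so nothing visible guarantees the two parsers agree. If they ever diverge, the open_basedir/safe_mode check validates one string while the handler opens another, which is the same class of bypass this commit closes. I would expand the comment to state the contract, e.g. `/* save_path is "[depth;[mode;]]dir": skip at most two ';' fields so the dir checked here is the dir the handler opens, even when dir itself contains ';' */`, and preferably have both sites call one shared helper. Separately, `strchr` stops at the first NUL whereas the removed `zend_memrchr` call honoured `new_value_length`; the `return FAILURE;` context just above may already reject embedded NULs, but that guard starts outside the hunk and should be confirmed. The body of OnUpdateSaveDir begins and ends outside the hunk.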