From: Pierre Joye Date: Thu, 30 Apr 2009 15:25:37 +0000 (+0000) Subject: - MFB: #45997, safe_mode bypass with exec/sytem/passthru (windows only) X-Git-Tag: php-5.3.0RC2~65 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ea81bfcf7a76b0d325cf4a64b5df2de5079d88ca;p=php - MFB: #45997, safe_mode bypass with exec/sytem/passthru (windows only)
---
diff --git a/ext/standard/exec.c b/ext/standard/exec.c
index c4378186bd..65fe95115f 100644
--- a/ext/standard/exec.c
+++ b/ext/standard/exec.c
@@ -79,7 +79,16 @@ PHPAPI int php_exec(int type, char *cmd, zval *array, zval *return_value TSRMLS_
 php_error_docref(NULL TSRMLS_CC, E_WARNING, "No '..' components allowed in path");
 goto err;
 }
+
 b = strrchr(cmd, PHP_DIR_SEPARATOR);
+
+#ifdef PHP_WIN32
+ if (b && *b == '\\' && b == cmd) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid absolute path.");
+ goto err;
+ }
+#endif
+
 spprintf(&d, 0, "%s%s%s%s%s", PG(safe_mode_exec_dir), (b ? "" : "/"), (b ? b : cmd), (c ? " " : ""), (c ? c : ""));
 if (c) {
 *(c - 1) = ' ';
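Review bot: The new `#ifdef PHP_WIN32` guard rejects only a command whose sole backslash is its first character (`b == cmd`), and nothing in the hunk says why that one shape is singled out or how the other separator Windows accepts is treated. `strrchr(cmd, PHP_DIR_SEPARATOR)` presumably searches for `\\` only on this platform, so a command written with `/` leaves `b` NULL and is passed whole into the `spprintf` after a literal `/`; either reject or normalise `/` here as well, or note where that is handled. For the same reason the `*b == '\\'` test looks redundant once `b` is non-NULL. I would add a comment above the guard such as `/* #45997: under safe_mode on Windows, refuse a root-relative command ("\name") before it is appended to safe_mode_exec_dir */`. php_exec starts and ends outside the hunk, so any earlier validation of `cmd` or of an empty `safe_mode_exec_dir` is not visible here.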