From: Dmitry Stogov
Date: Tue, 15 Jul 2008 13:38:29 +0000 (+0000)
Subject: Fixed bug #45151 (Crash with URI/file..php (filename contains 2 dots))
X-Git-Tag: php-5.2.7RC1~205
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f4617349f8aff69cc68c36dbb7e7cebdcbf7a9b0;p=php
Fixed bug #45151 (Crash with URI/file..php (filename contains 2 dots))
---
diff --git a/NEWS b/NEWS
index b735817196..1c5be1ea4d 100644
--- a/NEWS
+++ b/NEWS
@@ -26,6 +26,8 @@ PHP NEWS
 - Fixed bug #45251 (double free or corruption with setAttributeNode()). (Rob)
 - Fixed bug #45220 (curl_read callback returns -1 when needs to return size_t (unsigned)). (Felipe)
+- Fixed bug #45151 (Crash with URI/file..php (filename contains 2 dots)).
+ (Dmitry)
 - Fixed bug #45139 (ReflectionProperty returns incorrect declaring class). (Felipe)
 - Fixed bug #45004 (pg_insert() does not accept 4 digit timezone format).
diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
index a7abf09823..deb359108d 100644
--- a/sapi/cgi/cgi_main.c
+++ b/sapi/cgi/cgi_main.c
@@ -771,6 +771,39 @@ static void php_cgi_usage(char *argv0)
 }
 /* }}} */
+/* {{{ is_valid_path
+ *
+ * some server configurations allow '..' to slip through in the
+ * translated path. We'll just refuse to handle such a path.
+ */
+static int is_valid_path(const char *path)
+{
+ const char *p;
+
+ if (!path) {
+ return 0;
+ }
+ p = strstr(path, "..");
+ if (p) {
+ if ((p == path || IS_SLASH(*(p-1))) &&
+ (*(p+2) == 0 || IS_SLASH(*(p+2)))) {
+ return 0;
+ }
+ while (1) {
+ p = strstr(p+1, "..");
+ if (!p) {
+ break;
+ }
+ if (IS_SLASH(*(p-1)) &&
+ (*(p+2) == 0 || IS_SLASH(*(p+2)))) {
+ return 0;
+ }
+ }
+ }
+ return 1;
+}
+/* }}} */
+
 /* {{{ init_request_info initializes request_info structure
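Review bot: The header comment on `is_valid_path` was carried over from the call sites unchanged and still reads as if any '..' in the translated path is refused, while the new code returns 0 only when '..' is a whole component bounded by the string start or end or by `IS_SLASH`; a name such as `file..php` now passes. I would state that in the comment together with the return contract, e.g. `* Returns 0 for NULL or when ".." appears as a complete path component, 1 otherwise.` The test is purely lexical, so what counts as a separator depends on `IS_SLASH`, which is defined outside this hunk and is worth confirming for every platform the CGI SAPI builds on. The first-match test and the loop body differ only in `p == path`, so both could be folded into one loop, `for (p = strstr(path, ".."); p; p = strstr(p + 1, ".."))`, using the first condition throughout.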
@@ -1067,9 +1100,7 @@ static void init_request_info(TSRMLS_D)
 if (pt) {
 efree(pt);
 }
- /* some server configurations allow '..' to slip through in the
- translated path. We'll just refuse to handle such a path. */
- if (script_path_translated && !strstr(script_path_translated, "..")) {
+ if (is_valid_path(script_path_translated)) {
 SG(request_info).path_translated = estrdup(script_path_translated);
 }
 } else {
@@ -1100,9 +1131,7 @@ static void init_request_info(TSRMLS_D)
 } else {
 SG(request_info).request_uri = env_script_name;
 }
- /* some server configurations allow '..' to slip through in the
- translated path. We'll just refuse to handle such a path. */
- if (script_path_translated && !strstr(script_path_translated, "..")) {
+ if (is_valid_path(script_path_translated)) {
 SG(request_info).path_translated = estrdup(script_path_translated);
 }
 free(real_path);
@@ -1120,9 +1149,7 @@ static void init_request_info(TSRMLS_D)
 script_path_translated = env_path_translated;
 }
 #endif
- /* some server configurations allow '..' to slip through in the
- translated path. We'll just refuse to handle such a path. */
- if (script_path_translated && !strstr(script_path_translated, "..")) {
+ if (is_valid_path(script_path_translated)) {
 SG(request_info).path_translated = estrdup(script_path_translated);
 }
 #if ENABLE_PATHINFO_CHECK
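Review bot: With the explanatory comment deleted here and in the hunks at -1100 and -1120, the call sites no longer say that a failed `is_valid_path()` leaves `SG(request_info).path_translated` unset, and nothing visible in these hunks records the rejection. A one-line comment such as `/* path_translated is left unset if the translated path has a ".." component */` would keep that visible at each site. init_request_info starts and ends outside these hunks, so whether the unset value is reported later cannot be seen from here; if it is not, logging the refusal would help operators notice traversal probes.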