php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'PHP-8.0'

Browse Source 
* PHP-8.0:
  Fix #76359: open_basedir bypass through adding ".."
This commit is contained in:
Christoph M. Becker
2021-05-25 13:47:25 +02:00
parent 428340dfeb a5601b2ab5
commit fda53548b5
2 changed files with 24 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
main/fopen_wrappers.c
View File

@@ -101,6 +101,11 @@ PHPAPI ZEND_INI_MH(OnUpdateBaseDir)
*end = '\0';
end++;
}
if (ptr[0] == '.' && ptr[1] == '.' && (ptr[2] == '\0' || IS_SLASH(ptr[2]))) {
/* Don't allow paths with a leading .. path component to be set at runtime */
efree(pathbuf);
return FAILURE;
}
if (php_check_open_basedir_ex(ptr, 0) != 0) {
/* At least one portion of this open_basedir is less restrictive than the prior one, FAIL */
efree(pathbuf);

19
tests/security/bug76359.phpt Normal file
View File

@@ -0,0 +1,19 @@
--TEST--
Bug #76359 (open_basedir bypass through adding "..")
--FILE--
<?php
ini_set('open_basedir', __DIR__);
mkdir(__DIR__ . "/bug76359");
chdir(__DIR__ . "/bug76359");
var_dump(ini_set('open_basedir', ini_get('open_basedir') . PATH_SEPARATOR . ".."));
chdir("..");
chdir("..");
?>
--EXPECTF--
bool(false)
Warning: chdir(): open_basedir restriction in effect. File(..) is not within the allowed path(s): (%s) in %s on line %d
--CLEAN--
<?php
@rmdir(__DIR__ . "/bug76359");
?>