authorIlia Alshanetsky <iliaa@php.net>2010-01-31 18:06:29 +0000
committerIlia Alshanetsky <iliaa@php.net>2010-01-31 18:06:29 +0000
commit7df1c95ea17f308cd705c323e6f2edeab946d79d (patch)
tree0a6b3e0c0bfcb1f3478de5bfc2e73d81b8733e85
parent62567b90b3a258e9e69bf3c142ca1c5d4d7e8e91 (diff)
downloadphp-git-7df1c95ea17f308cd705c323e6f2edeab946d79d.tar.gz
Fixed a possible open_basedir/safe_mode bypass in session extension identified by Grzegorz Stachowiak.
-rw-r--r--NEWS3
-rw-r--r--ext/session/session.c7
2 files changed, 9 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 490571d882..bb1fad7538 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,9 @@
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? Feb 2010, PHP 5.2.13
+- Fixed a possible open_basedir/safe_mode bypass in session extension
+ identified by Grzegorz Stachowiak. (Ilia)
+
28 Jan 2010, PHP 5.2.13RC1
- Updated timezone database to version 2010.2. (Derick)
diff --git a/ext/session/session.c b/ext/session/session.c
index 9f0b917623..59ffd73a3f 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -653,8 +653,13 @@ static PHP_INI_MH(OnUpdateSaveDir) /* {{{ */
return FAILURE;
}
- if ((p = zend_memrchr(new_value, ';', new_value_length))) {
+ /* we do not use zend_memrchr() since path can contain ; itself */
+ if ((p = strchr(new_value, ';'))) {
+ char *p2;
p++;
+ if ((p2 = strchr(p, ';'))) {
+ p = p2 + 1;
+ }
} else {
p = new_value;
}
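Review bot: The pointer `p` left by this block is whatever follows the second `;` when one exists, so the open_basedir/safe_mode check is only sound if the save handler that later opens the directory splits `session.save_path` in exactly the same way. That handler is not visible on this page, so the agreement should be confirmed, or better, both places should call one shared helper so the checked path and the opened path cannot drift apart again. The new comment says why zend_memrchr() was dropped but not which format is being parsed; I would extend it to something like `/* save_path is "[N;[MODE;]]path": skip at most two leading fields; the remainder is the path and may itself contain ';' */`. OnUpdateSaveDir starts and ends outside this hunk, so the checks applied to `p` afterwards are not shown here.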