diff options
| author | Dmitry Stogov <dmitry@php.net> | 2008-07-15 13:38:29 +0000 |
|---|---|---|
| committer | Dmitry Stogov <dmitry@php.net> | 2008-07-15 13:38:29 +0000 |
| commit | f4617349f8aff69cc68c36dbb7e7cebdcbf7a9b0 (patch) | |
| tree | 0ced9d7146efd6d7b6456d24ae7249f6500268cb | |
| parent | 8fc55787d5db127fb6b9966ccc3f665398b8da95 (diff) | |
| download | php-git-f4617349f8aff69cc68c36dbb7e7cebdcbf7a9b0.tar.gz | |
Fixed bug #45151 (Crash with URI/file..php (filename contains 2 dots))
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | sapi/cgi/cgi_main.c | 45 |
2 files changed, 38 insertions, 9 deletions
@@ -26,6 +26,8 @@ PHP NEWS - Fixed bug #45251 (double free or corruption with setAttributeNode()). (Rob) - Fixed bug #45220 (curl_read callback returns -1 when needs to return size_t (unsigned)). (Felipe) +- Fixed bug #45151 (Crash with URI/file..php (filename contains 2 dots)). + (Dmitry) - Fixed bug #45139 (ReflectionProperty returns incorrect declaring class). (Felipe) - Fixed bug #45004 (pg_insert() does not accept 4 digit timezone format). diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c index a7abf09823..deb359108d 100644 --- a/sapi/cgi/cgi_main.c +++ b/sapi/cgi/cgi_main.c @@ -771,6 +771,39 @@ static void php_cgi_usage(char *argv0) } /* }}} */ +/* {{{ is_valid_path + * + * some server configurations allow '..' to slip through in the + * translated path. We'll just refuse to handle such a path. + */ +static int is_valid_path(const char *path) +{ + const char *p; + + if (!path) { + return 0; + } + p = strstr(path, ".."); + if (p) { + if ((p == path || IS_SLASH(*(p-1))) && + (*(p+2) == 0 || IS_SLASH(*(p+2)))) { + return 0; + } + while (1) { + p = strstr(p+1, ".."); + if (!p) { + break; + } + if (IS_SLASH(*(p-1)) && + (*(p+2) == 0 || IS_SLASH(*(p+2)))) { + return 0; + } + } + } + return 1; +} +/* }}} */ + /* {{{ init_request_info initializes request_info structure @@ -1067,9 +1100,7 @@ static void init_request_info(TSRMLS_D) if (pt) { efree(pt); } - /* some server configurations allow '..' to slip through in the - translated path. We'll just refuse to handle such a path. */ - if (script_path_translated && !strstr(script_path_translated, "..")) { + if (is_valid_path(script_path_translated)) { SG(request_info).path_translated = estrdup(script_path_translated); } } else { @@ -1100,9 +1131,7 @@ static void init_request_info(TSRMLS_D) } else { SG(request_info).request_uri = env_script_name; } - /* some server configurations allow '..' to slip through in the - translated path. We'll just refuse to handle such a path. */ - if (script_path_translated && !strstr(script_path_translated, "..")) { + if (is_valid_path(script_path_translated)) { SG(request_info).path_translated = estrdup(script_path_translated); } free(real_path); @@ -1120,9 +1149,7 @@ static void init_request_info(TSRMLS_D) script_path_translated = env_path_translated; } #endif - /* some server configurations allow '..' to slip through in the - translated path. We'll just refuse to handle such a path. */ - if (script_path_translated && !strstr(script_path_translated, "..")) { + if (is_valid_path(script_path_translated)) { SG(request_info).path_translated = estrdup(script_path_translated); } #if ENABLE_PATHINFO_CHECK |