Fixed a possible open_basedir/safe_mode bypass in session extension identified by Grzegorz Stachowiak.

author: Ilia Alshanetsky <iliaa@php.net> 2010-01-31 18:06:29 +0000
committer: Ilia Alshanetsky <iliaa@php.net> 2010-01-31 18:06:29 +0000
commit: dff4e7fda131f3f25204d7f6e2e549731bedad88 (patch)
tree: 1277edd44d534c0564a3e4a9d8d961c748bc26ea /ext/session/session.c
parent: 693eff5dc29f62a123aa554f6985dc8648925232 (diff)
download: php-git-dff4e7fda131f3f25204d7f6e2e549731bedad88.tar.gz
1 files changed, 6 insertions, 1 deletions
diff --git a/ext/session/session.c b/ext/session/session.c
index ea3530dcdb..0ef856c9bf 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -687,8 +687,13 @@ static PHP_INI_MH(OnUpdateSaveDir) /* {{{ */
 			return FAILURE;
 		}
 
-		if ((p = zend_memrchr(new_value, ';', new_value_length))) {
+		/* we do not use zend_memrchr() since path can contain ; itself */
+		if ((p = strchr(new_value, ';'))) {
+			char *p2;
 			p++;
+			if ((p2 = strchr(p, ';'))) {
+				p = p2 + 1;
+			}
 		} else {
 			p = new_value;
 		}
author	Ilia Alshanetsky <iliaa@php.net>	2010-01-31 18:06:29 +0000
committer	Ilia Alshanetsky <iliaa@php.net>	2010-01-31 18:06:29 +0000
commit	dff4e7fda131f3f25204d7f6e2e549731bedad88 (patch)
tree	1277edd44d534c0564a3e4a9d8d961c748bc26ea /ext/session/session.c
parent	693eff5dc29f62a123aa554f6985dc8648925232 (diff)
download	php-git-dff4e7fda131f3f25204d7f6e2e549731bedad88.tar.gz