author | Ilia Alshanetsky <iliaa@php.net> | 2010-01-31 18:06:29 +0000 |
---|---|---|
committer | Ilia Alshanetsky <iliaa@php.net> | 2010-01-31 18:06:29 +0000 |
commit | 7bf62c33af160ed699af938ef10320ff95ac4a02 (patch) | |
tree | 6da8ddfcce58221ea46010cb2485f112beea3fff /ext/session/session.c | |
parent | 981faa675415478c670548197e2d81b4732cc849 (diff) | |
download | php-git-7bf62c33af160ed699af938ef10320ff95ac4a02.tar.gz |
Fixed a possible open_basedir/safe_mode bypass in session extension identified by Grzegorz Stachowiak.
Diffstat (limited to 'ext/session/session.c')
-rw-r--r-- | ext/session/session.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/ext/session/session.c b/ext/session/session.c
index cd53cf1ac6..2004b2de13 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -563,8 +563,13 @@ static PHP_INI_MH(OnUpdateSaveDir) /* {{{ */
 return FAILURE;
 }
- if ((p = zend_memrchr(new_value, ';', new_value_length))) {
+ /* we do not use zend_memrchr() since path can contain ; itself */
+ if ((p = strchr(new_value, ';'))) {
+ char *p2;
 p++;
+ if ((p2 = strchr(p, ';'))) {
+ p = p2 + 1;
+ }
 } else {
 p = new_value;
 }
 |
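Review bot: The two-step `strchr` parse on the added lines re-implements the `[N;[MODE;]]path` splitting of session.save_path inside the INI handler. Nothing visible ties it to the code that later opens the directory, so the open_basedir/safe_mode check holds only while both parsers pick the same substring as the path. The one-line comment should state that contract rather than only why `zend_memrchr()` was dropped, for example `/* save_path is "[N;[MODE;]]path": skip at most two leading ';' fields so the check sees exactly the path the save handler will open; any later ';' belongs to the path */`. Moving from the length-bounded `zend_memrchr()` to `strchr()` also makes the parse depend on `new_value` being NUL-terminated with no embedded NUL. The guard ending in `return FAILURE;` is only partly visible, and OnUpdateSaveDir starts and ends outside the hunk, so confirm that guard covers this case.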