File php-5.1.2-save_path-secfix.patch of Package php
--- Zend/zend_operators.h
+++ Zend/zend_operators.h
@@ -159,6 +159,18 @@
return NULL;
}
+static inline void *zend_memrchr(const void *s, int c, size_t n)
+{
+ register unsigned char *e = (unsigned char *)s + n;
+
+ for (e--; e >= (unsigned char *)s; e--) {
+ if (*e == (unsigned char)c) {
+ return (void *)e;
+ }
+ }
+
+ return NULL;
+}
BEGIN_EXTERN_C()
ZEND_API int increment_function(zval *op1);
--- ext/session/session.c
+++ ext/session/session.c
@@ -133,18 +133,30 @@
static PHP_INI_MH(OnUpdateSaveDir)
{
- /* Only do the safemode/open_basedir check at runtime */
- if (stage == PHP_INI_STAGE_RUNTIME) {
- if (PG(safe_mode) && (!php_checkuid(new_value, NULL, CHECKUID_ALLOW_ONLY_DIR))) {
- return FAILURE;
- }
-
- if (php_check_open_basedir(new_value TSRMLS_CC)) {
- return FAILURE;
- }
- }
- OnUpdateString(entry, new_value, new_value_length, mh_arg1, mh_arg2, mh_arg3, stage TSRMLS_CC);
- return SUCCESS;
+ /* Only do the safemode/open_basedir check at runtime */
+ if (stage == PHP_INI_STAGE_RUNTIME) {
+ char *p;
+
+ if (memchr(new_value, '\0', new_value_length) != NULL) {
+ return FAILURE;
+ }
+
+ if ((p = zend_memrchr(new_value, ';', new_value_length))) {
+ p++;
+ } else {
+ p = new_value;
+ }
+
+ if (PG(safe_mode) && (!php_checkuid(p, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
+ return FAILURE;
+ }
+
+ if (php_check_open_basedir(p TSRMLS_CC)) {
+ return FAILURE;
+ }
+ }
+ OnUpdateString(entry, new_value, new_value_length, mh_arg1, mh_arg2, mh_arg3, stage TSRMLS_CC);
+ return SUCCESS;
}
/* {{{ PHP_INI
--- ext/standard/basic_functions.c
+++ ext/standard/basic_functions.c
@@ -2667,7 +2667,6 @@
_CHECK_PATH(varname, "java.class.path") ||
_CHECK_PATH(varname, "java.home") ||
_CHECK_PATH(varname, "java.library.path") ||
- _CHECK_PATH(varname, "session.save_path") ||
_CHECK_PATH(varname, "vpopmail.directory")) {
if (PG(safe_mode) &&(!php_checkuid(Z_STRVAL_PP(new_value), NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
zval_dtor(return_value);
