ID: 15516 Updated by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] -Status: Open +Status: Closed Bug Type: ODBC related Operating System: Debian testing PHP Version: 4.0CVS-2002-02-1 New Comment:
This bug has been fixed in CVS. thanks for the patch it should be in cvs in a few seconds...whenever CVS commit finalizes.... Previous Comments: ------------------------------------------------------------------------ [2002-02-13 06:12:56] [EMAIL PROTECTED] Good point. OK, this one fixes the clobber problem and checks for safe_mode and open_basedir. Torben Index: php_odbc.c =================================================================== RCS file: /repository/php4/ext/odbc/php_odbc.c,v retrieving revision 1.115 diff -u -r1.115 php_odbc.c --- php_odbc.c 30 Jan 2002 21:54:54 -0000 1.115 +++ php_odbc.c 13 Feb 2002 08:52:27 -0000 @@ -943,12 +943,23 @@ else ctype = SQL_C_CHAR; - if (Z_STRVAL_PP(tmp)[0] == '\'' && + if (Z_STRLEN_PP(tmp) > 2 && + Z_STRVAL_PP(tmp)[0] == '\'' && Z_STRVAL_PP(tmp)[Z_STRLEN_PP(tmp) - 1] == '\'') { - filename = &Z_STRVAL_PP(tmp)[1]; - filename[Z_STRLEN_PP(tmp) - 2] = '\0'; + filename = estrndup(&Z_STRVAL_PP(tmp)[1], +Z_STRLEN_PP(tmp) - 2); + filename[strlen(filename)] = '\0'; - if ((params[i-1].fp = open(filename,O_RDONLY)) == -1) { + /* Check for safe mode. */ + if (PG(safe_mode) &&(!php_checkuid(filename, NULL, CHECKUID_CHECK_FILE_AND_DIR))) { + RETURN_FALSE; + } + + /* Check the basedir */ + if (php_check_open_basedir(filename TSRMLS_CC)) { + RETURN_FALSE; + } + + if ((params[i-1].fp = open(filename,O_RDONLY)) == -1) +{ php_error(E_WARNING,"Can't open file %s", filename); SQLFreeStmt(result->stmt, SQL_RESET_PARAMS); for(i = 0; i < result->numparams; i++) { @@ -957,8 +968,11 @@ } } efree(params); + efree(filename); RETURN_FALSE; } + + efree(filename); params[i-1].vallen = SQL_LEN_DATA_AT_EXEC(0); ------------------------------------------------------------------------ [2002-02-11 22:14:07] [EMAIL PROTECTED] along similar lines, it would be nice to change that open() call to the php wrapper which enables safe-mode checking. (there was a bug filed recently about this, i think. or maybe just a message on php-dev.) ------------------------------------------------------------------------ [2002-02-11 22:08:20] [EMAIL PROTECTED] ----------------------------------------------------- Synopsis: odbc_execute() has some undocumented functionality: if a parameter is given enclosed in single-quotes, that param is taken as the name of a file to read and send instead of the actual parameter string. In the above case, odbc_execute() will replace the last character of the passed parameter with \0. ----------------------------------------------------- Test script: <?php /* -*- mode: c++; minor-mode: font -*- */ error_reporting(E_ALL); /* Just using the default test settings for now. */ if (!$dbh = odbc_connect('myodbc3', 'root', '')) { echo "Could not connect: error: " . odbc_errormsg() . "\n"; } $query = 'insert into phptest (c) values(?)'; if (!$stmt = odbc_prepare($dbh, $query)) { echo "Prepare failed: error: " . odbc_errormsg() . "\n"; } $filename = "'/home/torben/odbc.ini'"; $params = array($filename); echo "Before: " . addslashes($filename) . "\n"; if (!$res = odbc_execute($stmt, $params)) { echo "Execute failed: error: " . odbc_errormsg() . "\n"; } echo "After: " . addslashes($filename) . "\n"; odbc_close($dbh); ?> ----------------------------------------------------- Output: Before: \'/home/torben/odbc.ini\' After: \'/home/torben/odbc.ini\0 ----------------------------------------------------- Patch: Index: php_odbc.c =================================================================== RCS file: /repository/php4/ext/odbc/php_odbc.c,v retrieving revision 1.115 diff -u -r1.115 php_odbc.c --- php_odbc.c 30 Jan 2002 21:54:54 -0000 1.115 +++ php_odbc.c 12 Feb 2002 02:41:25 -0000 @@ -943,12 +943,13 @@ else ctype = SQL_C_CHAR; - if (Z_STRVAL_PP(tmp)[0] == '\'' && + if (Z_STRLEN_PP(tmp) > 2 && + Z_STRVAL_PP(tmp)[0] == '\'' && Z_STRVAL_PP(tmp)[Z_STRLEN_PP(tmp) - 1] == '\'') { - filename = &Z_STRVAL_PP(tmp)[1]; - filename[Z_STRLEN_PP(tmp) - 2] = '\0'; + filename = estrndup(&Z_STRVAL_PP(tmp)[1], +Z_STRLEN_PP(tmp) - 2); + filename[strlen(filename)] = '\0'; - if ((params[i-1].fp = open(filename,O_RDONLY)) == -1) { + if ((params[i-1].fp = open(filename,O_RDONLY)) == -1) +{ php_error(E_WARNING,"Can't open file %s", filename); SQLFreeStmt(result->stmt, SQL_RESET_PARAMS); for(i = 0; i < result->numparams; i++) { @@ -957,8 +958,11 @@ } } efree(params); + efree(filename); RETURN_FALSE; } + + efree(filename); params[i-1].vallen = SQL_LEN_DATA_AT_EXEC(0); ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=15516&edit=1