iliaa Sun, 31 Jan 2010 18:06:29 +0000
Revision: http://svn.php.net/viewvc?view=revision&revision=294272
Log:
Fixed a possible open_basedir/safe_mode bypass in session extension identified
by Grzegorz Stachowiak.
Changed paths:
U php/php-src/branches/PHP_5_2/NEWS
U php/php-src/branches/PHP_5_2/ext/session/session.c
U php/php-src/branches/PHP_5_3/NEWS
U php/php-src/branches/PHP_5_3/ext/session/session.c
U php/php-src/trunk/ext/session/session.c
Modified: php/php-src/branches/PHP_5_2/NEWS
===================================================================
--- php/php-src/branches/PHP_5_2/NEWS 2010-01-31 17:43:29 UTC (rev 294271)
+++ php/php-src/branches/PHP_5_2/NEWS 2010-01-31 18:06:29 UTC (rev 294272)
@@ -1,7 +1,10 @@
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? Feb 2010, PHP 5.2.13
+- Fixed a possible open_basedir/safe_mode bypass in session extension
+ identified by Grzegorz Stachowiak. (Ilia)
+
28 Jan 2010, PHP 5.2.13RC1
- Updated timezone database to version 2010.2. (Derick)
- Upgraded bundled PCRE to version 8.01. (Ilia)
Modified: php/php-src/branches/PHP_5_2/ext/session/session.c
===================================================================
--- php/php-src/branches/PHP_5_2/ext/session/session.c 2010-01-31 17:43:29 UTC
(rev 294271)
+++ php/php-src/branches/PHP_5_2/ext/session/session.c 2010-01-31 18:06:29 UTC
(rev 294272)
@@ -653,8 +653,13 @@
return FAILURE;
}
- if ((p = zend_memrchr(new_value, ';', new_value_length))) {
+ /* we do not use zend_memrchr() since path can contain ; itself
*/
+ if ((p = strchr(new_value, ';'))) {
+ char *p2;
p++;
+ if ((p2 = strchr(p, ';'))) {
+ p = p2 + 1;
+ }
} else {
p = new_value;
}
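Review bot: The comment on the new `strchr()` branch says why `zend_memrchr()` was dropped but not the invariant the code now depends on: `p` must end up pointing at exactly the substring the session save handler will later treat as the directory, and the hunk achieves that by hard-coding "skip at most two `;`-terminated prefixes". That parsing is presumably duplicated in the save handler (not visible here), so a later change on either side could silently bring back the mismatch between the path that is checked and the path that is opened. I would spell the format out in the comment, e.g. `/* save_path is "[N;[MODE;]]/path"; skip at most two prefixes so p is the path the handler opens, which may itself contain ';' */`, and add a regression test that sets a save_path whose directory part contains `;`. The same applies to the identical hunks for PHP_5_3 and trunk. The enclosing function starts and ends outside the hunk, so whether an empty remainder after the last skipped `;` is rejected by the later checks cannot be confirmed from here.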
Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS 2010-01-31 17:43:29 UTC (rev 294271)
+++ php/php-src/branches/PHP_5_3/NEWS 2010-01-31 18:06:29 UTC (rev 294272)
@@ -5,6 +5,8 @@
- Upgraded bundled sqlite to version 3.6.22. (Ilia)
- Upgraded bundled libmagic to version 5.03. (Mikko)
+- Fixed a possible open_basedir/safe_mode bypass in session extension
+ identified by Grzegorz Stachowiak. (Ilia)
- Improved LCG entropy. (Rasmus, Samy Kamkar)
- Added libpng 1.4.0 support. (Pierre)
Modified: php/php-src/branches/PHP_5_3/ext/session/session.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/session/session.c 2010-01-31 17:43:29 UTC
(rev 294271)
+++ php/php-src/branches/PHP_5_3/ext/session/session.c 2010-01-31 18:06:29 UTC
(rev 294272)
@@ -687,8 +687,13 @@
return FAILURE;
}
- if ((p = zend_memrchr(new_value, ';', new_value_length))) {
+ /* we do not use zend_memrchr() since path can contain ; itself
*/
+ if ((p = strchr(new_value, ';'))) {
+ char *p2;
p++;
+ if ((p2 = strchr(p, ';'))) {
+ p = p2 + 1;
+ }
} else {
p = new_value;
}
Modified: php/php-src/trunk/ext/session/session.c
===================================================================
--- php/php-src/trunk/ext/session/session.c 2010-01-31 17:43:29 UTC (rev
294271)
+++ php/php-src/trunk/ext/session/session.c 2010-01-31 18:06:29 UTC (rev
294272)
@@ -563,8 +563,13 @@
return FAILURE;
}
- if ((p = zend_memrchr(new_value, ';', new_value_length))) {
+ /* we do not use zend_memrchr() since path can contain ; itself
*/
+ if ((p = strchr(new_value, ';'))) {
+ char *p2;
p++;
+ if ((p2 = strchr(p, ';'))) {
+ p = p2 + 1;
+ }
} else {
p = new_value;
}