archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 05:58:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'PHP-7.4' into PHP-8.0

Browse source 
* PHP-7.4:
  Fixed bug #42560
This commit is contained in:
Nikita Popov 2021-01-19 11:44:22 +01:00
commit 1bdd8f7ae4
6 changed files with 37 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

6
ext/standard/file.c
View file

@ -828,10 +828,6 @@ PHP_FUNCTION(tempnam)
Z_PARAM_PATH(prefix, prefix_len) Z_PARAM_PATH(prefix, prefix_len)
ZEND_PARSE_PARAMETERS_END(); ZEND_PARSE_PARAMETERS_END();
if (php_check_open_basedir(dir)) {
RETURN_FALSE;
}
p = php_basename(prefix, prefix_len, NULL, 0); p = php_basename(prefix, prefix_len, NULL, 0);
if (ZSTR_LEN(p) > 64) { if (ZSTR_LEN(p) > 64) {
ZSTR_VAL(p)[63] = '\0'; ZSTR_VAL(p)[63] = '\0';
@ -839,7 +835,7 @@ PHP_FUNCTION(tempnam)
RETVAL_FALSE; RETVAL_FALSE;
if ((fd = php_open_temporary_fd_ex(dir, ZSTR_VAL(p), &opened_path, 1)) >= 0) { if ((fd = php_open_temporary_fd_ex(dir, ZSTR_VAL(p), &opened_path, PHP_TMP_FILE_OPEN_BASEDIR_CHECK_ALWAYS)) >= 0) {
close(fd); close(fd);
RETVAL_STR(opened_path); RETVAL_STR(opened_path);
} }

17
ext/standard/tests/file/bug42560.phpt Normal file
View file

@ -0,0 +1,17 @@
--TEST--
Bug #42560 Empty directory argument to tempnam yields open_basedir problems
--FILE--
<?php
$tmpdir = sys_get_temp_dir();
ini_set('open_basedir', $tmpdir);
$tempnam = tempnam('', 'test');
var_dump($tempnam !== false);
var_dump(file_exists($tempnam));
if (file_exists($tempnam)) {
unlink($tempnam);
}
?>
--EXPECT--
bool(true)
bool(true)

10
main/php_open_temporary_file.c
View file

@ -299,13 +299,19 @@ PHPAPI int php_open_temporary_fd_ex(const char *dir, const char *pfx, zend_strin
def_tmp: def_tmp:
temp_dir = php_get_temporary_directory(); temp_dir = php_get_temporary_directory();
if (temp_dir && *temp_dir != '\0' && (!(flags & PHP_TMP_FILE_OPEN_BASEDIR_CHECK) || !php_check_open_basedir(temp_dir))) { if (temp_dir &&
*temp_dir != '\0' &&
(!(flags & PHP_TMP_FILE_OPEN_BASEDIR_CHECK_ON_FALLBACK) || !php_check_open_basedir(temp_dir))) {
return php_do_open_temporary_file(temp_dir, pfx, opened_path_p); return php_do_open_temporary_file(temp_dir, pfx, opened_path_p);
} else { } else {
return -1; return -1;
} }
} }
if ((flags & PHP_TMP_FILE_OPEN_BASEDIR_CHECK_ON_EXPLICIT_DIR) && php_check_open_basedir(dir)) {
return -1;
}
/* Try the directory given as parameter. */ /* Try the directory given as parameter. */
fd = php_do_open_temporary_file(dir, pfx, opened_path_p); fd = php_do_open_temporary_file(dir, pfx, opened_path_p);
if (fd == -1) { if (fd == -1) {
@ -320,7 +326,7 @@ def_tmp:
PHPAPI int php_open_temporary_fd(const char *dir, const char *pfx, zend_string **opened_path_p) PHPAPI int php_open_temporary_fd(const char *dir, const char *pfx, zend_string **opened_path_p)
{ {
return php_open_temporary_fd_ex(dir, pfx, opened_path_p, 0); return php_open_temporary_fd_ex(dir, pfx, opened_path_p, PHP_TMP_FILE_DEFAULT);
} }
PHPAPI FILE *php_open_temporary_file(const char *dir, const char *pfx, zend_string **opened_path_p) PHPAPI FILE *php_open_temporary_file(const char *dir, const char *pfx, zend_string **opened_path_p)

10
main/php_open_temporary_file.h
View file

@ -17,8 +17,16 @@
#ifndef PHP_OPEN_TEMPORARY_FILE_H #ifndef PHP_OPEN_TEMPORARY_FILE_H
#define PHP_OPEN_TEMPORARY_FILE_H #define PHP_OPEN_TEMPORARY_FILE_H
#define PHP_TMP_FILE_OPEN_BASEDIR_CHECK (1<<0) #define PHP_TMP_FILE_DEFAULT 0
#define PHP_TMP_FILE_OPEN_BASEDIR_CHECK_ON_FALLBACK (1<<0)
#define PHP_TMP_FILE_SILENT (1<<1) #define PHP_TMP_FILE_SILENT (1<<1)
#define PHP_TMP_FILE_OPEN_BASEDIR_CHECK_ON_EXPLICIT_DIR (1<<2)
#define PHP_TMP_FILE_OPEN_BASEDIR_CHECK_ALWAYS \
(PHP_TMP_FILE_OPEN_BASEDIR_CHECK_ON_FALLBACK | PHP_TMP_FILE_OPEN_BASEDIR_CHECK_ON_EXPLICIT_DIR)
/* for compatibility purpose */
#define PHP_TMP_FILE_OPEN_BASEDIR_CHECK PHP_TMP_FILE_OPEN_BASEDIR_CHECK_ON_FALLBACK
BEGIN_EXTERN_C() BEGIN_EXTERN_C()
PHPAPI FILE *php_open_temporary_file(const char *dir, const char *pfx, zend_string **opened_path_p); PHPAPI FILE *php_open_temporary_file(const char *dir, const char *pfx, zend_string **opened_path_p);

2
main/rfc1867.c
View file

@ -998,7 +998,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
/* in non-debug mode we have no problem with 0-length files */ /* in non-debug mode we have no problem with 0-length files */
{ {
#endif #endif
fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, 1); fd = php_open_temporary_fd_ex(PG(upload_tmp_dir), "php", &temp_filename, PHP_TMP_FILE_OPEN_BASEDIR_CHECK_ON_FALLBACK);
upload_cnt--; upload_cnt--;
if (fd == -1) { if (fd == -1) {
sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file"); sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");

2
tests/security/open_basedir_tempnam.phpt
View file

@ -63,7 +63,7 @@ bool(false)
Warning: tempnam(): open_basedir restriction in effect. File(./../.) is not within the allowed path(s): (.) in %s on line %d Warning: tempnam(): open_basedir restriction in effect. File(./../.) is not within the allowed path(s): (.) in %s on line %d
bool(false) bool(false)
Warning: tempnam(): open_basedir restriction in effect. File() is not within the allowed path(s): (.) in %s on line %d Warning: tempnam(): open_basedir restriction in effect. File(%s) is not within the allowed path(s): (.) in %s on line %d
bool(false) bool(false)
string(%d) "%s" string(%d) "%s"
bool(true) bool(true)