Fix #76359: open_basedir bypass through adding ".."

We explicitly forbid adding paths with a leading `..` to `open_basedir` at runtime. Closes GH-7024.
2025-08-15 21:48:51 +02:00 · 2021-05-21 15:00:41 +02:00 · 2021-05-21 15:00:41 +02:00 · ee9e07541f
commit ee9e07541f
parent 99a208566a
3 changed files with 25 additions and 0 deletions
--- a/1
+++ b/1
@ -4,6 +4,7 @@ PHP                                                                        NEWS

 - Core:
  . Fixed bug #81068 (Double free in realpath_cache_clean()). (Dimitry Andric)
+  . Fixed bug #76359 (open_basedir bypass through adding ".."). (cmb)

 - Standard:
  . Fixed bug #81048 (phpinfo(INFO_VARIABLES) "Array to string conversion").
--- a/main/fopen_wrappers.c
+++ b/main/fopen_wrappers.c
@ -110,6 +110,11 @@ PHPAPI ZEND_INI_MH(OnUpdateBaseDir)
 			*end = '\0';
 			end++;
 		}
+		if (ptr[0] == '.' && ptr[1] == '.' && (ptr[2] == '\0' || IS_SLASH(ptr[2]))) {
+			/* Don't allow paths with a leading .. path component to be set at runtime */
+			efree(pathbuf);
+			return FAILURE;
+		}
 		if (php_check_open_basedir_ex(ptr, 0) != 0) {
 			/* At least one portion of this open_basedir is less restrictive than the prior one, FAIL */
 			efree(pathbuf);
--- a/tests/security/bug76359.phpt
+++ b/tests/security/bug76359.phpt
@ -0,0 +1,19 @@
+--TEST--
+Bug #76359 (open_basedir bypass through adding "..")
+--FILE--
+<?php
+ini_set('open_basedir', __DIR__);
+mkdir(__DIR__ . "/bug76359");
+chdir(__DIR__ . "/bug76359");
+var_dump(ini_set('open_basedir', ini_get('open_basedir') . PATH_SEPARATOR . ".."));
+chdir("..");
+chdir("..");
+?>
+--EXPECTF--
+bool(false)
+
+Warning: chdir(): open_basedir restriction in effect. File(..) is not within the allowed path(s): (%s) in %s on line %d
+--CLEAN--
+<?php
+@rmdir(__DIR__ . "/bug76359");
+?>