| author | Mark A. Hershberger <mah@debian.(none)> | 2009-03-25 00:38:07 -0400 |
|---|---|---|
| committer | Mark A. Hershberger <mah@debian.(none)> | 2009-03-25 00:38:07 -0400 |
| commit | bb01389fbd53ec1cbcb80d0681a37cca1267891a (patch) | |
| tree | 4783178fca65a5d9071c8df34f2ddc3d31728673 /ext/session/mod_files.c | |
| parent | eddbbea4325e602ddc87c545531609132d4f0e3b (diff) | |
Imported Upstream version 5.2.4upstream/5.2.4
Diffstat (limited to 'ext/session/mod_files.c')
| -rw-r--r-- | ext/session/mod_files.c | 110 |
1 files changed, 72 insertions, 38 deletions
diff --git a/ext/session/mod_files.c b/ext/session/mod_files.c
index 9cba9f2ef..e80e51d10 100644
--- a/ext/session/mod_files.c
+++ b/ext/session/mod_files.c
@@ -16,7 +16,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: mod_files.c,v 1.100.2.3.2.5 2007/03/03 15:07:31 iliaa Exp $ */ +/* $Id: mod_files.c,v 1.100.2.3.2.9 2007/08/23 12:23:59 jani Exp $ */ #include "php.h"
@@ -87,9 +87,10 @@ static int ps_files_valid_key(const char *key) len = p - key; - if (len == 0) + if (len == 0) { ret = 0; - + } + return ret; }
@@ -101,9 +102,11 @@ static char *ps_files_path_create(char *buf, size_t buflen, ps_files *data, cons int n; key_len = strlen(key); - if (key_len <= data->dirdepth || buflen < - (strlen(data->basedir) + 2 * data->dirdepth + key_len + 5 + sizeof(FILE_PREFIX))) + if (key_len <= data->dirdepth || + buflen < (strlen(data->basedir) + 2 * data->dirdepth + key_len + 5 + sizeof(FILE_PREFIX))) { return NULL; + } + p = key; memcpy(buf, data->basedir, data->basedir_len); n = data->basedir_len;
@@ -149,27 +152,49 @@ static void ps_files_open(ps_files *data, const char *key TSRMLS_DC) } ps_files_close(data); - + if (!ps_files_valid_key(key)) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'"); PS(invalid_session_id) = 1; return; } - if (!ps_files_path_create(buf, sizeof(buf), data, key)) + if (!ps_files_path_create(buf, sizeof(buf), data, key)) { return; - + } + data->lastkey = estrdup(key); - - data->fd = VCWD_OPEN_MODE(buf, O_CREAT | O_RDWR | O_BINARY, - data->filemode); - + + data->fd = VCWD_OPEN_MODE(buf, O_CREAT | O_RDWR | O_BINARY, data->filemode); + if (data->fd != -1) { +#ifndef PHP_WIN32 + /* check to make sure that the opened file is not a symlink, linking to data outside of allowable dirs */ + if (PG(safe_mode) || PG(open_basedir)) { + struct stat sbuf; + + if (fstat(data->fd, &sbuf)) { + close(data->fd); + return; + } + if ( + S_ISLNK(sbuf.st_mode) && + ( + php_check_open_basedir(buf TSRMLS_CC) || + (PG(safe_mode) && !php_checkuid(buf, NULL, CHECKUID_CHECK_FILE_AND_DIR)) + ) + ) { + + close(data->fd); + return; + } + } +#endif flock(data->fd, LOCK_EX); #ifdef F_SETFD -#ifndef FD_CLOEXEC -#define FD_CLOEXEC 1 -#endif +# ifndef FD_CLOEXEC +# define FD_CLOEXEC 1 +# endif if (fcntl(data->fd, F_SETFD, FD_CLOEXEC)) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "fcntl(%d, F_SETFD, FD_CLOEXEC) failed: %s (%d)", data->fd, strerror(errno), errno); } 
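Review bot: The new symlink guard in ps_files_open tests `S_ISLNK(sbuf.st_mode)` on the result of `fstat(data->fd, &sbuf)`, but the descriptor was opened without a no-follow flag, so fstat() describes the link target and the test should never be true; the open_basedir and safe_mode checks behind it look unreachable. Both new early returns also `close(data->fd)` without resetting `data->fd = -1`, while PS_READ_FUNC and PS_WRITE_FUNC only test `data->fd < 0` after the call and would go on to use a closed, possibly reused, descriptor number. The fence below inspects the path with lstat() and resets the descriptor; a window remains between the open and the lstat(), so opening with O_NOFOLLOW where the platform has it would be the stricter option, at the cost of refusing every symlink. ps_files_open starts before this hunk and continues after it.

```c
		if (PG(safe_mode) || PG(open_basedir)) {
			struct stat sbuf;

			/* lstat() the path: fstat() on the descriptor reports the link target, never the link */
			if (lstat(buf, &sbuf)) {
				close(data->fd);
				data->fd = -1; /* callers only test data->fd < 0 */
				return;
			}
			/* … unchanged: if (S_ISLNK(sbuf.st_mode) && (open_basedir / safe_mode checks)) { … */
				close(data->fd);
				data->fd = -1;
				return;
			}
		}
```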
@@ -209,15 +234,16 @@ static int ps_files_cleanup_dir(const char *dirname, int maxlifetime TSRMLS_DC) while (php_readdir_r(dir, (struct dirent *) dentry, &entry) == 0 && entry) { /* does the file start with our prefix? */ if (!strncmp(entry->d_name, FILE_PREFIX, sizeof(FILE_PREFIX) - 1)) { - size_t entry_len; + size_t entry_len = strlen(entry->d_name); - entry_len = strlen(entry->d_name); /* does it fit into our buffer? */ if (entry_len + dirname_len + 2 < MAXPATHLEN) { /* create the full path.. */ memcpy(buf + dirname_len + 1, entry->d_name, entry_len); + /* NUL terminate it and */ buf[dirname_len + entry_len + 1] = '\0'; + /* check whether its last access was more than maxlifet ago */ if (VCWD_STAT(buf, &sbuf) == 0 && #ifdef NETWARE
@@ -277,8 +303,7 @@ PS_OPEN_FUNC(files) errno = 0; dirdepth = (size_t) strtol(argv[0], NULL, 10); if (errno == ERANGE) { - php_error(E_WARNING, - "The first parameter in session.save_path is invalid"); + php_error(E_WARNING, "The first parameter in session.save_path is invalid"); return FAILURE; } }
@@ -287,8 +312,7 @@ PS_OPEN_FUNC(files) errno = 0; filemode = strtol(argv[1], NULL, 8); if (errno == ERANGE || filemode < 0 || filemode > 07777) { - php_error(E_WARNING, - "The second parameter in session.save_path is invalid"); + php_error(E_WARNING, "The second parameter in session.save_path is invalid"); return FAILURE; } }
@@ -314,8 +338,10 @@ PS_CLOSE_FUNC(files) ps_files_close(data); - if (data->lastkey) + if (data->lastkey) { efree(data->lastkey); + } + efree(data->basedir); efree(data); *mod_data = NULL;
@@ -330,19 +356,21 @@ PS_READ_FUNC(files) PS_FILES_DATA; ps_files_open(data, key TSRMLS_CC); - if (data->fd < 0) + if (data->fd < 0) { return FAILURE; - - if (fstat(data->fd, &sbuf)) + } + + if (fstat(data->fd, &sbuf)) { return FAILURE; - + } + data->st_size = *vallen = sbuf.st_size; - + if (sbuf.st_size == 0) { *val = STR_EMPTY_ALLOC(); return SUCCESS; } - + *val = emalloc(sbuf.st_size); #if defined(HAVE_PREAD)
@@ -353,10 +381,11 @@ PS_READ_FUNC(files) #endif if (n != sbuf.st_size) { - if (n == -1) + if (n == -1) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "read failed: %s (%d)", strerror(errno), errno); - else + } else { php_error_docref(NULL TSRMLS_CC, E_WARNING, "read returned less bytes than requested"); + } efree(*val); return FAILURE; }
@@ -370,16 +399,18 @@ PS_WRITE_FUNC(files) PS_FILES_DATA; ps_files_open(data, key TSRMLS_CC); - if (data->fd < 0) + if (data->fd < 0) { return FAILURE; + } /* * truncate file, if the amount of new data is smaller than * the existing data set. */ - if (vallen < (int)data->st_size) + if (vallen < (int)data->st_size) { ftruncate(data->fd, 0); + } #if defined(HAVE_PWRITE) n = pwrite(data->fd, val, vallen, 0);
@@ -389,10 +420,11 @@ PS_WRITE_FUNC(files) #endif if (n != vallen) { - if (n == -1) + if (n == -1) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "write failed: %s (%d)", strerror(errno), errno); - else + } else { php_error_docref(NULL TSRMLS_CC, E_WARNING, "write wrote less bytes than requested"); + } return FAILURE; }
@@ -404,9 +436,10 @@ PS_DESTROY_FUNC(files) char buf[MAXPATHLEN]; PS_FILES_DATA; - if (!ps_files_path_create(buf, sizeof(buf), data, key)) + if (!ps_files_path_create(buf, sizeof(buf), data, key)) { return FAILURE; - + } + if (data->fd != -1) { ps_files_close(data);
@@ -431,9 +464,10 @@ PS_GC_FUNC(files) we return SUCCESS, since all cleanup should be handled by an external entity (i.e. find -ctime x | xargs rm) */ - if (data->dirdepth == 0) + if (data->dirdepth == 0) { *nrdels = ps_files_cleanup_dir(data->basedir, maxlifetime TSRMLS_CC); - + } + return SUCCESS; } |
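Review bot: In PS_WRITE_FUNC (the `@@ -370,16 +399,18 @@` hunk) the result of `ftruncate(data->fd, 0)` is still discarded after the braces are added around it. If truncation fails and the new payload is shorter than the old one, the tail of the previous session data stays in the file, and PS_READ_FUNC reads `sbuf.st_size` bytes, so that stale tail would be returned with the next read. I would fail the write instead: `if (vallen < (int)data->st_size && ftruncate(data->fd, 0) != 0) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "ftruncate failed: %s (%d)", strerror(errno), errno); return FAILURE; }`. PS_WRITE_FUNC is split across two hunks here and is not shown in full.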
