Skip to content
Permalink
Browse files

Add more tests for GlobIterator and improve patch

  • Loading branch information...
bukka committed Jul 30, 2013
1 parent 5a79719 commit 3dc5e37726a8045c355e4011d04409d4bced9eed
Showing with 39 additions and 15 deletions.
  1. +32 −11 ext/spl/tests/bug65069.phpt
  2. +7 −4 main/streams/glob_wrapper.c
@@ -3,14 +3,13 @@ Bug #65069: GlobIterator fails to access files inside an open_basedir restricted
--FILE--
<?php
$file_path = dirname(__FILE__);
ini_set('open_basedir', $file_path);
// temp dirname used here
$dirname = "$file_path/bug65069";
// temp dir created
mkdir($dirname);
ini_set('open_basedir', $dirname);
// temp files created
$fp = fopen("$dirname/wonder12345", "w");
fclose($fp);
@@ -19,19 +18,35 @@ fclose($fp);
$fp = fopen("$dirname/file.text", "w");
fclose($fp);
$pattern = "$dirname/*.txt";
$spl_glob_it = new \GlobIterator("$dirname/*.txt");
foreach ($spl_glob_it as $file_info) {
echo $file_info->getFilename() . "\n";
}
$spl_glob_it = new \GlobIterator(dirname(dirname($dirname)) . "/*/*/*");
foreach ($spl_glob_it as $file_info) {
echo $file_info->getFilename() . "\n";
}
$spl_glob_empty = new \GlobIterator("$dirname/*.php");
try {
$spl_glob_empty->count();
} catch (LogicException $e) {
echo "logic exception\n";
}
try {
$spl_glob_it = new \GlobIterator($pattern);
foreach ($spl_glob_it as $file_info) {
$spl_glob[] = $file_info->getFilename();
}
$spl_glob_not_allowed = new \GlobIterator(dirname(dirname($dirname)));
} catch (Exception $e) {
var_dump($e->getMessage());
echo "exception1\n";
}
try {
$spl_glob_sec = new \GlobIterator("$file_path/bug65069-this-will-never-exists");
} catch (Exception $e) {
echo "exception2\n";
}
if (count($spl_glob) == 1)
echo $spl_glob[0]
?>
--CLEAN--
<?php
@@ -44,3 +59,9 @@ rmdir($dirname);
?>
--EXPECT--
wonder.txt
file.text
wonder.txt
wonder12345
logic exception
exception1
exception2
@@ -246,15 +246,18 @@ static php_stream *php_glob_stream_opener(php_stream_wrapper *wrapper, char *pat
}

/* if open_basedir in use, check and filter restricted paths */
if (pglob->glob.gl_pathc && (options & STREAM_DISABLE_OPEN_BASEDIR) == 0) {
if ((options & STREAM_DISABLE_OPEN_BASEDIR) == 0) {
for (i = 0; i < pglob->glob.gl_pathc; i++) {
if (!php_check_open_basedir_ex(pglob->glob.gl_pathv[i], 0 TSRMLS_CC)) {
if (!pglob->open_basedir_indexmap)

This comment has been minimized.

pglob->open_basedir_indexmap = ecalloc(sizeof(int), pglob->glob.gl_pathc);
pglob->open_basedir_indexmap = (int *) emalloc(sizeof(int) * pglob->glob.gl_pathc);
pglob->open_basedir_indexmap[pglob->open_basedir_indexmap_size++] = i;
}
}
if (NULL == pglob->open_basedir_indexmap) {
/* if open_basedir_indexmap is empty and either the glob result is not empty (all found paths are restricted)
* or the pattern path is not in open_basedir directory (security check that prevents getting any info about
* file that is not in open_basedir), then error */
if (NULL == pglob->open_basedir_indexmap && (pglob->glob.gl_pathc || php_check_open_basedir_ex(path, 0 TSRMLS_CC))) {

This comment has been minimized.

Copy link
@weltling

weltling Aug 14, 2013

At the current stage the test still fails for me, and looking here i know why - php_check_open_basedir_ex() doesn't belong here at all. In the case user passes nonexistent pattern path, glob.gl_pathc == 0 and that's enough.Otherwise if user passes a direct path, glob.gc_pathc == 1. In any case basedir check is done in the loop for each expanded path. Open basedir check on a pattern path is the initial mistake you're fixing ;)

globfree(&pglob->glob);
efree(pglob);
php_error_docref(NULL TSRMLS_CC, E_WARNING, "open_basedir restriction in effect. File(%s) is not within the allowed path(s): (%s)", path, PG(open_basedir));
@@ -278,7 +281,7 @@ static php_stream *php_glob_stream_opener(php_stream_wrapper *wrapper, char *pat
pglob->flags |= GLOB_APPEND;

if (pglob->glob.gl_pathc) {
php_glob_stream_path_split(pglob, pglob->glob.gl_pathv[pglob->index], 1, &tmp TSRMLS_CC);
php_glob_stream_path_split(pglob, pglob->glob.gl_pathv[0], 1, &tmp TSRMLS_CC);
} else {
php_glob_stream_path_split(pglob, path, 1, &tmp TSRMLS_CC);
}

0 comments on commit 3dc5e37

Please sign in to comment.
You can’t perform that action at this time.