expand_filepath()'s declaration: char *expand_filepath(const char *filepath, char *real_path TSRMLS_DC)
It can accept NULL as the real_path parameter and will dynamically create an expanded pathname string to return to the caller. It can also accept a MAXPATHLEN-sized array as real_path and is supposed to copy the expanded pathname into this array (as well as return the array). However, under certain conditions, the function always dynamically creates the string (via estrndup()), without checking whether real_path is a pre-existing char array. If these conditions occur when the caller expects the copy behavior, the return value will not be freed (see php_check_specific_open_basedir() in main/fopen_wrappers.c for several instances).

The following patch (against HEAD, but the issue exists in PHP 5.2.5 as well) fixes this behavior.

--- php-src/main/fopen_wrappers.c 2008-03-26 08:15:31.390625000 -0400 +++ php-src_EDIT/main/fopen_wrappers.c 2008-03-26 08:16:47.156250000 -0400 @@ -676,7 +676,13 @@ * we cannot cannot getcwd() and the requested, * relatively referenced file is accessible */ copy_len = strlen(filepath) > MAXPATHLEN - 1 ? MAXPATHLEN - 1 : strlen(filepath); - real_path = estrndup(filepath, copy_len); + + if (real_path) { + memcpy(real_path, filepath, copy_len); + real_path[copy_len] = '\0'; + } else { + real_path = estrndup(filepath, copy_len); + } close(fdtest); return real_path; } else {
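Review bot: the new copy branch is bounded correctly (copy_len is clamped to MAXPATHLEN - 1 on the line just above, so real_path[copy_len] stays inside a MAXPATHLEN-sized caller array), but this hunk fixes only the one estrndup() site in the fdtest early-return path; since the report says the copy contract is broken "under certain conditions", please confirm that the other return paths in expand_filepath() honour a caller-supplied real_path the same way, otherwise php_check_specific_open_basedir() still leaks on those paths. Note that a filepath longer than MAXPATHLEN - 1 is still silently truncated and the truncated string returned to the caller; that behaviour is pre-existing, not introduced here, but it is worth a comment since callers use the result for open_basedir checks. Two nits: strlen(filepath) is evaluated twice in the copy_len line (compute it once into a local), and the bare `+` line before the new if block adds stray blank whitespace.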