Fixed Bug #17790

- link and symlink now check uid and open_base_dir for link and its target
24 years ago · 984b48b009
1 changed files with 24 additions and 0 deletions
--- a/ext/standard/link.c
+++ b/ext/standard/link.c
@ -114,6 +114,18 @@ PHP_FUNCTION(symlink)
 		RETURN_FALSE;
 	}

+	if (PG(safe_mode) && !php_checkuid(Z_STRVAL_PP(frompath), NULL, CHECKUID_CHECK_FILE_AND_DIR)) {
+		RETURN_FALSE;
+	}
+
+	if (php_check_open_basedir(Z_STRVAL_PP(topath) TSRMLS_CC)) {
+		RETURN_FALSE;
+	}
+
+	if (php_check_open_basedir(Z_STRVAL_PP(frompath) TSRMLS_CC)) {
+		RETURN_FALSE;
+	}
+
 	if (!strncasecmp(Z_STRVAL_PP(topath), "http://", 7) || !strncasecmp(Z_STRVAL_PP(topath), "ftp://", 6)) {
 		php_error(E_WARNING, "Unable to symlink to a URL");
 		RETURN_FALSE;
@ -146,6 +158,18 @@ PHP_FUNCTION(link)
 		RETURN_FALSE;
 	}

+	if (PG(safe_mode) && !php_checkuid(Z_STRVAL_PP(frompath), NULL, CHECKUID_CHECK_FILE_AND_DIR)) {
+		RETURN_FALSE;
+	}
+
+	if (php_check_open_basedir(Z_STRVAL_PP(topath) TSRMLS_CC)) {
+		RETURN_FALSE;
+	}
+
+	if (php_check_open_basedir(Z_STRVAL_PP(frompath) TSRMLS_CC)) {
+		RETURN_FALSE;
+	}
+
 	if (!strncasecmp(Z_STRVAL_PP(topath), "http://", 7) || !strncasecmp(Z_STRVAL_PP(topath), "ftp://", 6)) {
 		php_error(E_WARNING, "Unable to link to a URL");
 		RETURN_FALSE;