mirror of
https://github.com/php/php-src.git
synced 2024-09-21 01:47:25 +00:00
parent
61d16a6501
commit
127ad70782
3
NEWS
3
NEWS
@ -2,6 +2,9 @@ PHP NEWS
|
||||
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||
?? ??? ????, PHP 8.3.0beta2
|
||||
|
||||
- Core:
|
||||
. Fixed oss-fuzz #60741 (Leak in open_basedir). (ilutov)
|
||||
|
||||
- FFI:
|
||||
. Fix leaking definitions when using FFI::cdef()->new(...). (ilutov)
|
||||
|
||||
|
9
Zend/tests/oss_fuzz_60741.phpt
Normal file
9
Zend/tests/oss_fuzz_60741.phpt
Normal file
@ -0,0 +1,9 @@
|
||||
--TEST--
|
||||
oss-fuzz #60741: Leak in open_basedir
|
||||
--INI--
|
||||
open_basedir="{TMP}"
|
||||
--FILE--
|
||||
<?php
|
||||
ini_set('open_basedir', ini_get('open_basedir'));
|
||||
?>
|
||||
--EXPECT--
|
18
Zend/zend.c
18
Zend/zend.c
@ -1271,29 +1271,11 @@ void zend_call_destructors(void) /* {{{ */
|
||||
}
|
||||
/* }}} */
|
||||
|
||||
static void zend_release_open_basedir(void)
|
||||
{
|
||||
/* Release custom open_basedir config, this needs to happen before ini shutdown */
|
||||
if (PG(open_basedir)) {
|
||||
zend_ini_entry *ini_entry = zend_hash_str_find_ptr(EG(ini_directives), "open_basedir", strlen("open_basedir"));
|
||||
/* ini_entry->modified is unreliable, it might also be set when on_update has failed. */
|
||||
if (ini_entry
|
||||
&& ini_entry->modified
|
||||
&& ini_entry->value != ini_entry->orig_value) {
|
||||
efree(PG(open_basedir));
|
||||
PG(open_basedir) = NULL;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
ZEND_API void zend_deactivate(void) /* {{{ */
|
||||
{
|
||||
/* we're no longer executing anything */
|
||||
EG(current_execute_data) = NULL;
|
||||
|
||||
/* Needs to run before zend_ini_deactivate(). */
|
||||
zend_release_open_basedir();
|
||||
|
||||
zend_try {
|
||||
shutdown_scanner();
|
||||
} zend_end_try();
|
||||
|
@ -77,8 +77,12 @@ PHPAPI ZEND_INI_MH(OnUpdateBaseDir)
|
||||
char *pathbuf, *ptr, *end;
|
||||
|
||||
if (stage == PHP_INI_STAGE_STARTUP || stage == PHP_INI_STAGE_SHUTDOWN || stage == PHP_INI_STAGE_ACTIVATE || stage == PHP_INI_STAGE_DEACTIVATE) {
|
||||
if (PG(open_basedir_modified)) {
|
||||
efree(*p);
|
||||
}
|
||||
/* We're in a PHP_INI_SYSTEM context, no restrictions */
|
||||
*p = new_value ? ZSTR_VAL(new_value) : NULL;
|
||||
PG(open_basedir_modified) = false;
|
||||
return SUCCESS;
|
||||
}
|
||||
|
||||
@ -117,15 +121,13 @@ PHPAPI ZEND_INI_MH(OnUpdateBaseDir)
|
||||
efree(pathbuf);
|
||||
|
||||
/* Everything checks out, set it */
|
||||
if (*p) {
|
||||
/* Unfortunately entry->modified has already been set to true so we compare entry->value
|
||||
* against entry->orig_value. */
|
||||
if (entry->modified && entry->value != entry->orig_value) {
|
||||
efree(*p);
|
||||
}
|
||||
}
|
||||
zend_string *tmp = smart_str_extract(&buf);
|
||||
*p = estrdup(ZSTR_VAL(tmp));
|
||||
char *result = estrdup(ZSTR_VAL(tmp));
|
||||
if (PG(open_basedir_modified)) {
|
||||
efree(*p);
|
||||
}
|
||||
*p = result;
|
||||
PG(open_basedir_modified) = true;
|
||||
zend_string_release(tmp);
|
||||
|
||||
return SUCCESS;
|
||||
|
@ -80,6 +80,7 @@ struct _php_core_globals {
|
||||
char *user_dir;
|
||||
char *include_path;
|
||||
char *open_basedir;
|
||||
bool open_basedir_modified;
|
||||
char *extension_dir;
|
||||
char *php_binary;
|
||||
char *sys_temp_dir;
|
||||
|
Loading…
Reference in New Issue
Block a user