authorIlia Alshanetsky <iliaa@php.net>2007-08-23 02:04:39 +0000
committerIlia Alshanetsky <iliaa@php.net>2007-08-23 02:04:39 +0000
commit89c0ba1685032b0da7626f794fbea215a5b78cf2 (patch)
treeaad1cf8c8c035b913e6af1090fe87a0eb2338f49
parentf30f2ef73335ba5de31ad4f27643c369c354db61 (diff)
Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir
bypass).
-rw-r--r--NEWS2
-rw-r--r--ext/session/mod_files.c22
2 files changed, 24 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index a094eaeb54..8ea894226f 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,8 @@ PHP NEWS
in the same way as "instanceof" operator). (Dmitry)
- Fixed bug #41904 (proc_open(): empty env array should cause empty
environment to be passed to process). (Jani)
+- Fixed bug #37273 (Symlinks and mod_files session handler allow open_basedir
+ bypass). (Ilia)
16 Aug 2007, PHP 5.2.4RC2
- Fixed oci8 and PDO_OCI extensions to allow configuring with Oracle 11g client
diff --git a/ext/session/mod_files.c b/ext/session/mod_files.c
index 722e389177..6535c7d345 100644
--- a/ext/session/mod_files.c
+++ b/ext/session/mod_files.c
@@ -164,6 +164,28 @@ static void ps_files_open(ps_files *data, const char *key TSRMLS_DC)
data->filemode);
if (data->fd != -1) {
+#ifndef PHP_WIN32
+ /* check to make sure that the opened file is not a symlink, linking to data outside of allowable dirs */
+ if (PG(safe_mode) || PG(open_basedir)) {
+ struct stat sbuf;
+
+ if (fstat(data->fd, &sbuf)) {
+ close(data->fd);
+ return;
+ }
+ if (
+ S_ISLNK(sbuf.st_mode) &&
+ (
+ php_check_open_basedir(buf TSRMLS_CC) ||
+ (PG(safe_mode) && !php_checkuid(buf, NULL, CHECKUID_CHECK_FILE_AND_DIR))
+ )
+ ) {
+
+ close(data->fd);
+ return;
+ }
+ }
+#endif
flock(data->fd, LOCK_EX);
#ifdef F_SETFD