Check 2nd parameter of tempnam() against path components.

Ilia Alshanetsky · Ilia Alshanetsky · commit 4ca3df56d356 · 2006-03-27T23:40:41.000Z
diff --git a/NEWS b/NEWS
@@ -1,6 +1,7 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? Mar 2006, PHP 5.1.3RC2
+- Check 2nd parameter of tempnam() against path components. (Ilia)
 - Fixed Apache2 SAPIs header handler modifying header strings. (Mike)
 - Allowed 'auto_globals_jit' work together with 'register_argc_argv'. (Dmitry)
 - Eliminated run-time constant fetching for TRUE, FALSE and NULL. (Dmitry)
diff --git a/ext/standard/file.c b/ext/standard/file.c
@@ -773,8 +773,9 @@ PHP_FUNCTION(tempnam)
 	zval **arg1, **arg2;
 	char *d;
 	char *opened_path;
-	char p[64];
+	char *p;
 	int fd;
+	size_t p_len;
 
 	if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &arg1, &arg2) == FAILURE) {
 		WRONG_PARAM_COUNT;
@@ -787,14 +788,19 @@ PHP_FUNCTION(tempnam)
 	}
 	
 	d = estrndup(Z_STRVAL_PP(arg1), Z_STRLEN_PP(arg1));
-	strlcpy(p, Z_STRVAL_PP(arg2), sizeof(p));
+
+	php_basename(Z_STRVAL_PP(arg2), Z_STRLEN_PP(arg2), NULL, 0, &p, &p_len TSRMLS_CC);
+	if (p_len > 64) {
+		p[63] = '\0';
+	}
 
 	if ((fd = php_open_temporary_fd(d, p, &opened_path TSRMLS_CC)) >= 0) {
 		close(fd);
 		RETVAL_STRING(opened_path, 0);
 	} else {
 		RETVAL_FALSE;
 	}
+	efree(p);
 	efree(d);
 }
 /* }}} */
