Disallow parent dir components (..) in open_basedir() at runtime

iluuu1994 · iluuu1994 · commit 61e98bf35eb9 · 2023-03-25T18:02:20.000+01:00
Fix GH-10469 Closes GH-10913
diff --git a/NEWS b/NEWS
@@ -25,6 +25,8 @@ PHP                                                                        NEWS
   . Fix bug GH-10083 (Allow comments between & and parameter). (ilutov)
   . Zend Max Execution Timers is now enabled by default for ZTS builds on
     Linux. (Kévin Dunglas)
+  . Fix bug GH-10469 (Disallow .. in open_basedir paths set at runtime).
+    (ilutov)
 
 - Date:
   . Implement More Appropriate Date/Time Exceptions RFC. (Derick)
diff --git a/UPGRADING b/UPGRADING
@@ -74,6 +74,10 @@ PHP 8.3 UPGRADE NOTES
     "buffer_size" => int
     See GH-9336
   . class_alias() now supports creating an alias of an internal class.
+  . Setting `open_basedir` at runtime using `ini_set('open_basedir', ...);` no
+    longer accepts paths containing the parent directory (`..`). Previously,
+    only paths starting with `..` were disallowed. This could easily be
+    circumvented by prepending `./` to the path.
 
 - Dom:
   . Changed DOMCharacterData::appendData() tentative return type to true.
diff --git a/Zend/tests/gh10469.phpt b/Zend/tests/gh10469.phpt
@@ -0,0 +1,22 @@
+--TEST--
+GH-10469: Disallow open_basedir() with parent dir components (..)
+--FILE--
+<?php
+ini_set('open_basedir', __DIR__);
+
+$originalDir = __DIR__;
+$tmpDir = $originalDir . '/gh10469_tmp';
+@mkdir($tmpDir, 0777, true);
+chdir($tmpDir);
+ini_set('open_basedir', ini_get('open_basedir') . ':./..');
+ini_set('open_basedir', ini_get('open_basedir') . ':./../');
+
+chdir($originalDir);
+var_dump(ini_get('open_basedir'));
+?>
+--CLEAN--
+<?php
+@rmdir(__DIR__ . '/gh10469_tmp');
+?>
+--EXPECTF--
+string(%d) "%stests"
diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c
@@ -101,11 +101,29 @@ PHPAPI ZEND_INI_MH(OnUpdateBaseDir)
 			*end = '\0';
 			end++;
 		}
-		if (ptr[0] == '.' && ptr[1] == '.' && (ptr[2] == '\0' || IS_SLASH(ptr[2]))) {
-			/* Don't allow paths with a leading .. path component to be set at runtime */
-			efree(pathbuf);
-			return FAILURE;
+		/* Don't allow paths with a parent dir component (..) to be set at runtime */
+		char *substr_pos = ptr;
+		while (true) {
+			// Check if we have a .. path component
+			if (substr_pos[0] == '.'
+			 && substr_pos[1] == '.'
+			 && (substr_pos[2] == '\0' || IS_SLASH(substr_pos[2]))) {
+				efree(pathbuf);
+				return FAILURE;
+			}
+			// Skip to the next path component
+			while (true) {
+				substr_pos++;
+				if (*substr_pos == '\0' || *substr_pos == DEFAULT_DIR_SEPARATOR) {
+					goto no_parent_dir_component;
+				} else if (IS_SLASH(*substr_pos)) {
+					// Also skip the slash
+					substr_pos++;
+					break;
+				}
+			}
 		}
+no_parent_dir_component:
 		if (php_check_open_basedir_ex(ptr, 0) != 0) {
 			/* At least one portion of this open_basedir is less restrictive than the prior one, FAIL */
 			efree(pathbuf);
