From a8422d7a82dcf8401cf76626aaf55fed5c407160 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Fri, 21 May 2021 12:17:33 +0200
Subject: [PATCH 1/3] Fix #76359: open_basedir bypass through adding ".."

We explicitly forbid adding `..` to `open_basedir`at runtime.
---
 main/fopen_wrappers.c        |  5 +++++
 tests/security/bug76359.phpt | 19 +++++++++++++++++++
 2 files changed, 24 insertions(+)
 create mode 100644 tests/security/bug76359.phpt

diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c
index db4be878d8171..a227721528e8a 100644
--- a/main/fopen_wrappers.c
+++ b/main/fopen_wrappers.c
@@ -110,6 +110,11 @@ PHPAPI ZEND_INI_MH(OnUpdateBaseDir)
 			*end = '\0';
 			end++;
 		}
+		if (ptr[0] == '.' && ptr[1] == '.' && ptr[2] == '\0') {
+			/* Don't allow .. to be set at runtime */
+			efree(pathbuf);
+			return FAILURE;
+		}
 		if (php_check_open_basedir_ex(ptr, 0) != 0) {
 			/* At least one portion of this open_basedir is less restrictive than the prior one, FAIL */
 			efree(pathbuf);
diff --git a/tests/security/bug76359.phpt b/tests/security/bug76359.phpt
new file mode 100644
index 0000000000000..df35d67d097da
--- /dev/null
+++ b/tests/security/bug76359.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #76359 (open_basedir bypass through adding "..")
+--FILE--
+<?php
+ini_set('open_basedir', __DIR__);
+mkdir(__DIR__ . "/bug76359");
+chdir(__DIR__ . "/bug76359");
+var_dump(ini_set('open_basedir', ini_get('open_basedir') . PATH_SEPARATOR . ".."));
+chdir("..");
+chdir("..");
+?>
+--EXPECTF--
+bool(false)
+
+Warning: chdir(): open_basedir restriction in effect. File(..) is not within the allowed path(s): (%s) in %s on line %d
+--CLEAN--
+<?php
+@rmdir(__DIR__ . "/bug76359");
+?>

From 20451f09130ef4b1f6cbb4abbe07ca884bb1dca0 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Fri, 21 May 2021 13:12:58 +0200
Subject: [PATCH 2/3] Don't allow paths with a leading .. path component to be
 set at runtime

---
 main/fopen_wrappers.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c
index a227721528e8a..9d88d93b73ad4 100644
--- a/main/fopen_wrappers.c
+++ b/main/fopen_wrappers.c
@@ -110,8 +110,12 @@ PHPAPI ZEND_INI_MH(OnUpdateBaseDir)
 			*end = '\0';
 			end++;
 		}
-		if (ptr[0] == '.' && ptr[1] == '.' && ptr[2] == '\0') {
-			/* Don't allow .. to be set at runtime */
+#ifndef PHP_WIN32
+		if (ptr[0] == '.' && ptr[1] == '.' && (ptr[2] == '\0' || ptr[2] == DEFAULT_SLASH)) {
+#else
+		if (ptr[0] == '.' && ptr[1] == '.' && (ptr[2] == '\0' || ptr[2] == DEFAULT_SLASH || ptr[2] == '/')) {
+#endif
+			/* Don't allow paths with a leading .. path component to be set at runtime */
 			efree(pathbuf);
 			return FAILURE;
 		}

From 56a6bba0d3e3f4d8101e5f80b28685e05c023627 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Fri, 21 May 2021 15:00:41 +0200
Subject: [PATCH 3/3] Don't reinvent the wheel

---
 main/fopen_wrappers.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c
index 9d88d93b73ad4..27135020fa3e3 100644
--- a/main/fopen_wrappers.c
+++ b/main/fopen_wrappers.c
@@ -110,11 +110,7 @@ PHPAPI ZEND_INI_MH(OnUpdateBaseDir)
 			*end = '\0';
 			end++;
 		}
-#ifndef PHP_WIN32
-		if (ptr[0] == '.' && ptr[1] == '.' && (ptr[2] == '\0' || ptr[2] == DEFAULT_SLASH)) {
-#else
-		if (ptr[0] == '.' && ptr[1] == '.' && (ptr[2] == '\0' || ptr[2] == DEFAULT_SLASH || ptr[2] == '/')) {
-#endif
+		if (ptr[0] == '.' && ptr[1] == '.' && (ptr[2] == '\0' || IS_SLASH(ptr[2]))) {
 			/* Don't allow paths with a leading .. path component to be set at runtime */
 			efree(pathbuf);
 			return FAILURE;