Sophie: php-3:5.2.4-3.5mdv2008.0 src

php-5.2.4-3.5mdv2008.0.src.rpm

--- php-5.2.6/sapi/cgi/cgi_main.c.orig	2009-01-21 11:15:39.000000000 -0500
+++ php-5.2.6/sapi/cgi/cgi_main.c	2009-01-21 11:33:10.000000000 -0500
@@ -765,6 +765,39 @@ static void php_cgi_usage(char *argv0)
 }
 /* }}} */
 
+/* {{{ is_valid_path
+ *
+ * some server configurations allow '..' to slip through in the
+ * translated path.   We'll just refuse to handle such a path.
+ */
+static int is_valid_path(const char *path)
+{
+	const char *p;
+
+	if (!path) {
+		return 0;
+	}
+	p = strstr(path, "..");
+	if (p) {
+		if ((p == path || IS_SLASH(*(p-1))) &&
+		    (*(p+2) == 0 || IS_SLASH(*(p+2)))) {
+			return 0;
+		}
+		while (1) {
+			p = strstr(p+1, "..");
+			if (!p) {
+				break;
+			}
+			if (IS_SLASH(*(p-1)) &&
+			    (*(p+2) == 0 || IS_SLASH(*(p+2)))) {
+					return 0;
+			}
+		}
+	}
+	return 1;
+}
+/* }}} */
+
 /* {{{ init_request_info
 
   initializes request_info structure
@@ -1061,9 +1094,7 @@ static void init_request_info(TSRMLS_D)
 				if (pt) {
 					efree(pt);
 				}
-				/* some server configurations allow '..' to slip through in the
-				   translated path.   We'll just refuse to handle such a path. */
-				if (script_path_translated && !strstr(script_path_translated, "..")) {
+				if (is_valid_path(script_path_translated)) {
 					SG(request_info).path_translated = estrdup(script_path_translated);
 				}
 			} else {
@@ -1094,9 +1125,7 @@ static void init_request_info(TSRMLS_D)
 				} else {
 					SG(request_info).request_uri = env_script_name;
 				}
-				/* some server configurations allow '..' to slip through in the
-				   translated path.   We'll just refuse to handle such a path. */
-				if (script_path_translated && !strstr(script_path_translated, "..")) {
+				if (is_valid_path(script_path_translated)) {
 					SG(request_info).path_translated = estrdup(script_path_translated);
 				}
 				free(real_path);
@@ -1114,9 +1143,7 @@ static void init_request_info(TSRMLS_D)
 				script_path_translated = env_path_translated;
 			}
 #endif
-			/* some server configurations allow '..' to slip through in the
-			   translated path.   We'll just refuse to handle such a path. */
-			if (script_path_translated && !strstr(script_path_translated, "..")) {
+			if (is_valid_path(script_path_translated)) {
 				SG(request_info).path_translated = estrdup(script_path_translated);
 			}
 #if ENABLE_PATHINFO_CHECK