diff -aur php-4.3.10.orig/ext/standard/exec.c php-4.3.10/ext/standard/exec.c --- php-4.3.10.orig/ext/standard/exec.c 2004-11-10 21:28:27.000000000 +0100 +++ php-4.3.10/ext/standard/exec.c 2004-12-17 16:11:06.583954776 +0100 @@ -179,6 +179,56 @@ return -1; } + } else if (PG(exec_dir) && strlen(PG(exec_dir))) { + /* _NO_ safe mode with exec_dir enabled */ + + lcmd = strlen(cmd); + ldir = strlen(PG(exec_dir)); + l = lcmd + ldir + 2; + overflow_limit = l; + c = strchr(cmd, ' '); + if (c) *c = '\0'; + if (strstr(cmd, "..")) { + php_error(E_WARNING, "No '..' components allowed in path"); + efree(buf); + return -1; + } + d = emalloc(l); + strcpy(d, PG(exec_dir)); + overflow_limit -= ldir; + b = strrchr(cmd, PHP_DIR_SEPARATOR); + if (b) { + strcat(d, b); + overflow_limit -= strlen(b); + } else { + strcat(d, "/"); + strcat(d, cmd); + overflow_limit -= (strlen(cmd)+1); + } + if (c) { + *c = ' '; + strncat(d, c, overflow_limit); + } + tmp = php_escape_shell_cmd(d); + efree(d); + d = tmp; +#if PHP_SIGCHILD + sig_handler = signal (SIGCHLD, SIG_DFL); +#endif +#ifdef PHP_WIN32 + fp = VCWD_POPEN(d, "rb"); +#else + fp = VCWD_POPEN(d, "r"); +#endif + if (!fp) { + php_error(E_WARNING, "Unable to fork [%s]", d); + efree(d); + efree(buf); +#if PHP_SIGCHILD + signal (SIGCHLD, sig_handler); +#endif + return -1; + } } else { /* not safe_mode */ #if PHP_SIGCHILD sig_handler = signal (SIGCHLD, SIG_DFL); @@ -190,6 +240,7 @@ #endif if (!fp) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to fork [%s]", cmd); + efree(d); efree(buf); #if PHP_SIGCHILD signal (SIGCHLD, sig_handler); @@ -563,13 +614,51 @@ } convert_to_string_ex(cmd); -#ifdef PHP_WIN32 - if ((in=VCWD_POPEN(Z_STRVAL_PP(cmd), "rt"))==NULL) { -#else - if ((in=VCWD_POPEN(Z_STRVAL_PP(cmd), "r"))==NULL) { -#endif - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to execute '%s'", Z_STRVAL_PP(cmd)); - RETURN_FALSE; + + if(PG(exec_dir) && strlen(PG(exec_dir))) { + char *d, *b, *tmp=NULL; + b = strchr(Z_STRVAL_PP(cmd), ' '); + if (!b) { + b = strrchr(Z_STRVAL_PP(cmd), PHP_DIR_SEPARATOR); + } else { + char *c; + c = Z_STRVAL_PP(cmd); + while ((*b != PHP_DIR_SEPARATOR) && (b != c)) { + b--; + } + if (b == c) { + b = NULL; + } + } + + d = emalloc(Z_STRLEN_PP(cmd) + strlen(PG(exec_dir)) + 2); + if (b) { + strcpy(d, PG(exec_dir)); + strcat(d, b); + } else { + sprintf(d, "%s%c%s", PG(exec_dir), PHP_DIR_SEPARATOR, Z_STRVAL_PP(cmd)); + } + tmp = php_escape_shell_cmd(d); + efree(d); + d = tmp; + +#ifdef PHP_WIN32 + if ((in=VCWD_POPEN(d, "rt"))==NULL) { +#else + if ((in=VCWD_POPEN(d, "r"))==NULL) { +#endif + php_error(E_WARNING, "Unable to execute '%s'", d); + RETURN_FALSE; + } + } else { +#ifdef PHP_WIN32 + if ((in=VCWD_POPEN(Z_STRVAL_PP(cmd), "rt"))==NULL) { +#else + if ((in=VCWD_POPEN(Z_STRVAL_PP(cmd), "r"))==NULL) { +#endif + php_error(E_WARNING, "Unable to execute '%s'", Z_STRVAL_PP(cmd)); + RETURN_FALSE; + } } allocated_space = EXEC_INPUT_BUF; ret = (char *) emalloc(allocated_space); diff -aur php-4.3.10.orig/ext/standard/file.c php-4.3.10/ext/standard/file.c --- php-4.3.10.orig/ext/standard/file.c 2004-12-08 22:15:02.000000000 +0100 +++ php-4.3.10/ext/standard/file.c 2004-12-17 16:11:04.500271544 +0100 @@ -1240,6 +1240,39 @@ efree(buf); + } else if (PG(exec_dir) && strlen(PG(exec_dir))) { + b = strchr(Z_STRVAL_PP(arg1), ' '); + if (!b) { + b = strrchr(Z_STRVAL_PP(arg1), PHP_DIR_SEPARATOR); + } else { + char *c; + c = Z_STRVAL_PP(arg1); + while ((*b != PHP_DIR_SEPARATOR) && (b != c)) { + b--; + } + if (b == c) { + b = NULL; + } + } + if (b) { + spprintf(&buf, 0, "%s%s", PG(exec_dir), b); + } else { + spprintf(&buf, 0, "%s%c%s", PG(exec_dir), PHP_DIR_SEPARATOR, Z_STRVAL_PP(arg1)); + } + + tmp = php_escape_shell_cmd(buf); + fp = VCWD_POPEN(tmp, p); + efree(tmp); + + if (!fp) { + php_error(E_WARNING, "popen(\"%s\", \"%s\") - %s", buf, p, strerror(errno)); + efree(p); + efree(buf); + RETURN_FALSE; + } + + efree(buf); + } else { fp = VCWD_POPEN(Z_STRVAL_PP(arg1), p); if (!fp) { diff -aur php-4.3.10.orig/main/main.c php-4.3.10/main/main.c --- php-4.3.10.orig/main/main.c 2004-10-01 16:27:13.000000000 +0200 +++ php-4.3.10/main/main.c 2004-12-17 16:10:31.923224008 +0100 @@ -336,6 +336,7 @@ PHP_INI_ENTRY("max_execution_time", "30", PHP_INI_ALL, OnUpdateTimeout) STD_PHP_INI_ENTRY("open_basedir", NULL, PHP_INI_SYSTEM, OnUpdateString, open_basedir, php_core_globals, core_globals) STD_PHP_INI_ENTRY("safe_mode_exec_dir", PHP_SAFE_MODE_EXEC_DIR, PHP_INI_SYSTEM, OnUpdateString, safe_mode_exec_dir, php_core_globals, core_globals) + STD_PHP_INI_ENTRY("exec_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, exec_dir, php_core_globals, core_globals) STD_PHP_INI_BOOLEAN("file_uploads", "1", PHP_INI_SYSTEM, OnUpdateBool, file_uploads, php_core_globals, core_globals) STD_PHP_INI_ENTRY("upload_max_filesize", "2M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateInt, upload_max_filesize, php_core_globals, core_globals) diff -aur php-4.3.10.orig/main/php_globals.h php-4.3.10/main/php_globals.h --- php-4.3.10.orig/main/php_globals.h 2003-05-18 12:22:16.000000000 +0200 +++ php-4.3.10/main/php_globals.h 2004-12-17 16:10:31.925223704 +0100 @@ -69,6 +69,7 @@ char *unserialize_callback_func; char *safe_mode_exec_dir; + char *exec_dir; long memory_limit; long max_input_time; diff -aur php-4.3.10.orig/php.ini-dist php-4.3.10/php.ini-dist --- php-4.3.10.orig/php.ini-dist 2004-08-18 07:05:23.000000000 +0200 +++ php-4.3.10/php.ini-dist 2004-12-17 16:10:31.929223096 +0100 @@ -470,6 +470,10 @@ ; Default is zero. ;cgi.rfc2616_headers = 0 +; Only executables located in the exec_dir will be allowed to be executed +; via the exec family of functions. If safe_mode is enabled, this directive +; is forgotten and safe_mode_exec_dir takes the ride +exec_dir = ;;;;;;;;;;;;;;;; ; File Uploads ; diff -aur php-4.3.10.orig/php.ini-recommended php-4.3.10/php.ini-recommended --- php-4.3.10.orig/php.ini-recommended 2004-08-18 07:05:23.000000000 +0200 +++ php-4.3.10/php.ini-recommended 2004-12-17 16:10:31.933222488 +0100 @@ -485,6 +485,11 @@ ; Default is zero. ;cgi.rfc2616_headers = 0 +; Only executables located in the exec_dir will be allowed to be executed +; via the exec family of functions. If safe_mode is enabled, this directive +; is forgotten and safe_mode_exec_dir takes the ride +exec_dir = + ;;;;;;;;;;;;;;;; ; File Uploads ;