diff -aur php-4.3.4.orig/ext/standard/exec.c php-4.3.4/ext/standard/exec.c --- php-4.3.4.orig/ext/standard/exec.c 2004-07-08 08:53:06.000000000 +0200 +++ php-4.3.4/ext/standard/exec.c 2004-07-08 08:56:26.000943544 +0200 @@ -178,6 +178,50 @@ #endif return -1; } + } else if (PG(exec_dir) && strlen(PG(exec_dir))) { + /* _NO_ safe mode with exec_dir enabled */ + + d = emalloc(strlen(PG(exec_dir)) + strlen(cmd) + 2); + c = strchr(cmd, ' '); + if (c) *c = '\0'; + if (strstr(cmd, "..")) { + php_error(E_WARNING, "No '..' components allowed in path"); + efree(d); + efree(buf); + return -1; + } + b = strrchr(cmd, PHP_DIR_SEPARATOR); + strcpy(d, PG(exec_dir)); + if (b) { + strcat(d, b); + } else { + sprintf(d, "%s%c%s", d, PHP_DIR_SEPARATOR, cmd); + } + if (c) { + *c = ' '; + strcat(d, c); + } + tmp = php_escape_shell_cmd(d); + efree(d); + d = tmp; + +#if PHP_SIGCHILD + sig_handler = signal (SIGCHLD, SIG_DFL); +#endif +#ifdef PHP_WIN32 + fp = VCWD_POPEN(d, "rb"); +#else + fp = VCWD_POPEN(d, "r"); +#endif + if (!fp) { + php_error(E_WARNING, "Unable to fork [%s]", d); + efree(d); + efree(buf); +#if PHP_SIGCHILD + signal (SIGCHLD, sig_handler); +#endif + return -1; + } } else { /* not safe_mode */ #if PHP_SIGCHILD @@ -190,6 +234,7 @@ #endif if (!fp) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to fork [%s]", cmd); + efree(d); efree(buf); #if PHP_SIGCHILD signal (SIGCHLD, sig_handler); @@ -541,13 +586,51 @@ } convert_to_string_ex(cmd); + + if(PG(exec_dir) && strlen(PG(exec_dir))) { + char *d, *b, *tmp=NULL; + b = strchr(Z_STRVAL_PP(cmd), ' '); + if (!b) { + b = strrchr(Z_STRVAL_PP(cmd), PHP_DIR_SEPARATOR); + } else { + char *c; + c = Z_STRVAL_PP(cmd); + while ((*b != PHP_DIR_SEPARATOR) && (b != c)) { + b--; + } + if (b == c) { + b = NULL; + } + } + + d = emalloc(Z_STRLEN_PP(cmd) + strlen(PG(exec_dir)) + 2); + if (b) { + strcpy(d, PG(exec_dir)); + strcat(d, b); + } else { + sprintf(d, "%s%c%s", PG(exec_dir), PHP_DIR_SEPARATOR, Z_STRVAL_PP(cmd)); + } + tmp = php_escape_shell_cmd(d); + efree(d); + d = tmp; + #ifdef PHP_WIN32 - if ((in=VCWD_POPEN(Z_STRVAL_PP(cmd), "rt"))==NULL) { + if ((in=VCWD_POPEN(d, "rt"))==NULL) { #else - if ((in=VCWD_POPEN(Z_STRVAL_PP(cmd), "r"))==NULL) { + if ((in=VCWD_POPEN(d, "r"))==NULL) { #endif - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to execute '%s'", Z_STRVAL_PP(cmd)); - RETURN_FALSE; + php_error(E_WARNING, "Unable to execute '%s'", d); + RETURN_FALSE; + } + } else { +#ifdef PHP_WIN32 + if ((in=VCWD_POPEN(Z_STRVAL_PP(cmd), "rt"))==NULL) { +#else + if ((in=VCWD_POPEN(Z_STRVAL_PP(cmd), "r"))==NULL) { +#endif + php_error(E_WARNING, "Unable to execute '%s'", Z_STRVAL_PP(cmd)); + RETURN_FALSE; + } } allocated_space = EXEC_INPUT_BUF; ret = (char *) emalloc(allocated_space); diff -aur php-4.3.4.orig/ext/standard/file.c php-4.3.4/ext/standard/file.c --- php-4.3.4.orig/ext/standard/file.c 2004-07-08 08:53:06.000000000 +0200 +++ php-4.3.4/ext/standard/file.c 2004-07-08 08:53:50.433593376 +0200 @@ -1214,6 +1214,34 @@ php_error_docref2(NULL TSRMLS_CC, buf, p, E_WARNING, "%s", strerror(errno)); RETURN_FALSE; } + } else if (PG(exec_dir) && strlen(PG(exec_dir))) { + b = strchr(Z_STRVAL_PP(arg1), ' '); + if (!b) { + b = strrchr(Z_STRVAL_PP(arg1), PHP_DIR_SEPARATOR); + } else { + char *c; + c = Z_STRVAL_PP(arg1); + while ((*b != PHP_DIR_SEPARATOR) && (b != c)) { + b--; + } + if (b == c) { + b = NULL; + } + } + if (b) { + snprintf(buf, sizeof(buf), "%s%s", PG(exec_dir), b); + } else { + snprintf(buf, sizeof(buf), "%s%c%s", PG(exec_dir), PHP_DIR_SEPARATOR, Z_STRVAL_PP(arg1)); + } + + tmp = php_escape_shell_cmd(buf); + fp = VCWD_POPEN(tmp, p); + efree(tmp); + + if (!fp) { + php_error(E_WARNING, "popen(\"%s\", \"%s\") - %s", buf, p, strerror(errno)); + RETURN_FALSE; + } } else { fp = VCWD_POPEN(Z_STRVAL_PP(arg1), p); if (!fp) { diff -aur php-4.3.4.orig/main/main.c php-4.3.4/main/main.c --- php-4.3.4.orig/main/main.c 2004-07-08 08:53:09.000000000 +0200 +++ php-4.3.4/main/main.c 2004-07-08 08:53:50.446591400 +0200 @@ -338,6 +338,7 @@ PHP_INI_ENTRY("max_execution_time", "30", PHP_INI_ALL, OnUpdateTimeout) STD_PHP_INI_ENTRY("open_basedir", NULL, PHP_INI_SYSTEM, OnUpdateString, open_basedir, php_core_globals, core_globals) STD_PHP_INI_ENTRY("safe_mode_exec_dir", PHP_SAFE_MODE_EXEC_DIR, PHP_INI_SYSTEM, OnUpdateString, safe_mode_exec_dir, php_core_globals, core_globals) + STD_PHP_INI_ENTRY("exec_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, exec_dir, php_core_globals, core_globals) STD_PHP_INI_BOOLEAN("file_uploads", "1", PHP_INI_SYSTEM, OnUpdateBool, file_uploads, php_core_globals, core_globals) STD_PHP_INI_ENTRY("upload_max_filesize", "2M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateInt, upload_max_filesize, php_core_globals, core_globals) diff -aur php-4.3.4.orig/main/php_globals.h php-4.3.4/main/php_globals.h --- php-4.3.4.orig/main/php_globals.h 2004-07-08 08:53:09.000000000 +0200 +++ php-4.3.4/main/php_globals.h 2004-07-08 08:53:50.449590944 +0200 @@ -69,6 +69,7 @@ char *unserialize_callback_func; char *safe_mode_exec_dir; + char *exec_dir; long memory_limit; long max_input_time; diff -aur php-4.3.4.orig/php.ini-dist php-4.3.4/php.ini-dist --- php-4.3.4.orig/php.ini-dist 2004-07-08 08:53:10.000000000 +0200 +++ php-4.3.4/php.ini-dist 2004-07-08 08:53:50.489584864 +0200 @@ -465,6 +465,11 @@ ; RFC2616 compliant header. ; Default is zero. ;cgi.rfc2616_headers = 0 + +; Only executables located in the exec_dir will be allowed to be executed +; via the exec family of functions. If safe_mode is enabled, this directive +; is forgotten and safe_mode_exec_dir takes the ride +exec_dir = ;;;;;;;;;;;;;;;; diff -aur php-4.3.4.orig/php.ini-recommended php-4.3.4/php.ini-recommended --- php-4.3.4.orig/php.ini-recommended 2004-07-08 08:53:10.000000000 +0200 +++ php-4.3.4/php.ini-recommended 2004-07-08 08:53:50.502582888 +0200 @@ -481,6 +481,11 @@ ; Default is zero. ;cgi.rfc2616_headers = 0 +; Only executables located in the exec_dir will be allowed to be executed +; via the exec family of functions. If safe_mode is enabled, this directive +; is forgotten and safe_mode_exec_dir takes the ride +exec_dir = + ;;;;;;;;;;;;;;;; ; File Uploads ;