diff -aur php-4.3.9-orig/ext/standard/exec.c php-4.3.9/ext/standard/exec.c --- php-4.3.9-orig/ext/standard/exec.c 2004-05-18 15:43:33.000000000 +0200 +++ php-4.3.9/ext/standard/exec.c 2004-09-24 10:30:14.859790240 +0200 @@ -179,6 +179,50 @@ return -1; } + } else if (PG(exec_dir) && strlen(PG(exec_dir))) { + /* _NO_ safe mode with exec_dir enabled */ + + d = emalloc(strlen(PG(exec_dir)) + strlen(cmd) + 2); + c = strchr(cmd, ' '); + if (c) *c = '\0'; + if (strstr(cmd, "..")) { + php_error(E_WARNING, "No '..' components allowed in path"); + efree(d); + efree(buf); + return -1; + } + b = strrchr(cmd, PHP_DIR_SEPARATOR); + strcpy(d, PG(exec_dir)); + if (b) { + strcat(d, b); + } else { + sprintf(d, "%s%c%s", d, PHP_DIR_SEPARATOR, cmd); + } + if (c) { + *c = ' '; + strcat(d, c); + } + tmp = php_escape_shell_cmd(d); + efree(d); + d = tmp; + +#if PHP_SIGCHILD + sig_handler = signal (SIGCHLD, SIG_DFL); +#endif +#ifdef PHP_WIN32 + fp = VCWD_POPEN(d, "rb"); +#else + fp = VCWD_POPEN(d, "r"); +#endif + if (!fp) { + php_error(E_WARNING, "Unable to fork [%s]", d); + efree(d); + efree(buf); +#if PHP_SIGCHILD + signal (SIGCHLD, sig_handler); +#endif + return -1; + } } else { /* not safe_mode */ #if PHP_SIGCHILD sig_handler = signal (SIGCHLD, SIG_DFL); @@ -190,6 +234,7 @@ #endif if (!fp) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to fork [%s]", cmd); + efree(d); efree(buf); #if PHP_SIGCHILD signal (SIGCHLD, sig_handler); @@ -563,13 +608,51 @@ } convert_to_string_ex(cmd); -#ifdef PHP_WIN32 - if ((in=VCWD_POPEN(Z_STRVAL_PP(cmd), "rt"))==NULL) { -#else - if ((in=VCWD_POPEN(Z_STRVAL_PP(cmd), "r"))==NULL) { -#endif - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to execute '%s'", Z_STRVAL_PP(cmd)); - RETURN_FALSE; + + if(PG(exec_dir) && strlen(PG(exec_dir))) { + char *d, *b, *tmp=NULL; + b = strchr(Z_STRVAL_PP(cmd), ' '); + if (!b) { + b = strrchr(Z_STRVAL_PP(cmd), PHP_DIR_SEPARATOR); + } else { + char *c; + c = Z_STRVAL_PP(cmd); + while ((*b != PHP_DIR_SEPARATOR) && (b != c)) { + b--; + } + if (b == c) { + b = NULL; + } + } + + d = emalloc(Z_STRLEN_PP(cmd) + strlen(PG(exec_dir)) + 2); + if (b) { + strcpy(d, PG(exec_dir)); + strcat(d, b); + } else { + sprintf(d, "%s%c%s", PG(exec_dir), PHP_DIR_SEPARATOR, Z_STRVAL_PP(cmd)); + } + tmp = php_escape_shell_cmd(d); + efree(d); + d = tmp; + +#ifdef PHP_WIN32 + if ((in=VCWD_POPEN(d, "rt"))==NULL) { +#else + if ((in=VCWD_POPEN(d, "r"))==NULL) { +#endif + php_error(E_WARNING, "Unable to execute '%s'", d); + RETURN_FALSE; + } + } else { +#ifdef PHP_WIN32 + if ((in=VCWD_POPEN(Z_STRVAL_PP(cmd), "rt"))==NULL) { +#else + if ((in=VCWD_POPEN(Z_STRVAL_PP(cmd), "r"))==NULL) { +#endif + php_error(E_WARNING, "Unable to execute '%s'", Z_STRVAL_PP(cmd)); + RETURN_FALSE; + } } allocated_space = EXEC_INPUT_BUF; ret = (char *) emalloc(allocated_space); diff -aur php-4.3.9-orig/ext/standard/file.c php-4.3.9/ext/standard/file.c --- php-4.3.9-orig/ext/standard/file.c 2004-08-17 16:10:03.000000000 +0200 +++ php-4.3.9/ext/standard/file.c 2004-09-24 10:30:11.634280592 +0200 @@ -1227,7 +1227,35 @@ efree(p); RETURN_FALSE; } - } else { + } else if (PG(exec_dir) && strlen(PG(exec_dir))) { + b = strchr(Z_STRVAL_PP(arg1), ' '); + if (!b) { + b = strrchr(Z_STRVAL_PP(arg1), PHP_DIR_SEPARATOR); + } else { + char *c; + c = Z_STRVAL_PP(arg1); + while ((*b != PHP_DIR_SEPARATOR) && (b != c)) { + b--; + } + if (b == c) { + b = NULL; + } + } + if (b) { + snprintf(buf, sizeof(buf), "%s%s", PG(exec_dir), b); + } else { + snprintf(buf, sizeof(buf), "%s%c%s", PG(exec_dir), PHP_DIR_SEPARATOR, Z_STRVAL_PP(arg1)); + } + + tmp = php_escape_shell_cmd(buf); + fp = VCWD_POPEN(tmp, p); + efree(tmp); + + if (!fp) { + php_error(E_WARNING, "popen(\"%s\", \"%s\") - %s", buf, p, strerror(errno)); + RETURN_FALSE; + } + } else { fp = VCWD_POPEN(Z_STRVAL_PP(arg1), p); if (!fp) { php_error_docref2(NULL TSRMLS_CC, Z_STRVAL_PP(arg1), p, E_WARNING, "%s", strerror(errno)); diff -aur php-4.3.9-orig/main/main.c php-4.3.9/main/main.c --- php-4.3.9-orig/main/main.c 2004-08-16 14:23:06.000000000 +0200 +++ php-4.3.9/main/main.c 2004-09-24 08:26:16.143646984 +0200 @@ -336,6 +336,7 @@ PHP_INI_ENTRY("max_execution_time", "30", PHP_INI_ALL, OnUpdateTimeout) STD_PHP_INI_ENTRY("open_basedir", NULL, PHP_INI_SYSTEM, OnUpdateString, open_basedir, php_core_globals, core_globals) STD_PHP_INI_ENTRY("safe_mode_exec_dir", PHP_SAFE_MODE_EXEC_DIR, PHP_INI_SYSTEM, OnUpdateString, safe_mode_exec_dir, php_core_globals, core_globals) + STD_PHP_INI_ENTRY("exec_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, exec_dir, php_core_globals, core_globals) STD_PHP_INI_BOOLEAN("file_uploads", "1", PHP_INI_SYSTEM, OnUpdateBool, file_uploads, php_core_globals, core_globals) STD_PHP_INI_ENTRY("upload_max_filesize", "2M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateInt, upload_max_filesize, php_core_globals, core_globals) diff -aur php-4.3.9-orig/main/php_globals.h php-4.3.9/main/php_globals.h --- php-4.3.9-orig/main/php_globals.h 2003-05-18 12:22:16.000000000 +0200 +++ php-4.3.9/main/php_globals.h 2004-09-24 08:26:16.145646680 +0200 @@ -69,6 +69,7 @@ char *unserialize_callback_func; char *safe_mode_exec_dir; + char *exec_dir; long memory_limit; long max_input_time; diff -aur php-4.3.9-orig/php.ini-dist php-4.3.9/php.ini-dist --- php-4.3.9-orig/php.ini-dist 2004-08-18 07:05:23.000000000 +0200 +++ php-4.3.9/php.ini-dist 2004-09-24 08:26:16.149646072 +0200 @@ -470,6 +470,10 @@ ; Default is zero. ;cgi.rfc2616_headers = 0 +; Only executables located in the exec_dir will be allowed to be executed +; via the exec family of functions. If safe_mode is enabled, this directive +; is forgotten and safe_mode_exec_dir takes the ride +exec_dir = ;;;;;;;;;;;;;;;; ; File Uploads ; diff -aur php-4.3.9-orig/php.ini-recommended php-4.3.9/php.ini-recommended --- php-4.3.9-orig/php.ini-recommended 2004-08-18 07:05:23.000000000 +0200 +++ php-4.3.9/php.ini-recommended 2004-09-24 08:26:16.153645464 +0200 @@ -485,6 +485,11 @@ ; Default is zero. ;cgi.rfc2616_headers = 0 +; Only executables located in the exec_dir will be allowed to be executed +; via the exec family of functions. If safe_mode is enabled, this directive +; is forgotten and safe_mode_exec_dir takes the ride +exec_dir = + ;;;;;;;;;;;;;;;; ; File Uploads ;