diff -aur php-4.4.3.orig/ext/standard/exec.c php-4.4.3/ext/standard/exec.c --- php-4.4.3.orig/ext/standard/exec.c 2006-01-01 14:46:57.000000000 +0100 +++ php-4.4.3/ext/standard/exec.c 2006-08-10 07:35:38.000000000 +0200 @@ -179,6 +179,51 @@ return -1; } + } else if (PG(exec_dir) && strlen(PG(exec_dir))) { + /* _NO_ safe mode with exec_dir enabled */ + + d = emalloc(strlen(PG(exec_dir)) + strlen(cmd) + 2); + c = strchr(cmd, ' '); + if (c) *c = '\0'; + if (strstr(cmd, "..")) { + php_error(E_WARNING, "No '..' components allowed in path"); + efree(d); + efree(buf); + return -1; + } + b = strrchr(cmd, PHP_DIR_SEPARATOR); + strcpy(d, PG(exec_dir)); + if (b) { + strcat(d, b); + } else { + sprintf(d, "%s%c%s", d, PHP_DIR_SEPARATOR, cmd); + } + if (c) { + *c = ' '; + strcat(d, c); + } + tmp = php_escape_shell_cmd(d); + efree(d); + d = tmp; + +#if PHP_SIGCHILD + sig_handler = signal (SIGCHLD, SIG_DFL); +#endif +#ifdef PHP_WIN32 + fp = VCWD_POPEN(d, "rb"); +#else + fp = VCWD_POPEN(d, "r"); +#endif + if (!fp) { + php_error(E_WARNING, "Unable to fork [%s]", d); + efree(d); + efree(buf); +#if PHP_SIGCHILD + signal (SIGCHLD, sig_handler); +#endif + return -1; + } + } else { /* not safe_mode */ #if PHP_SIGCHILD sig_handler = signal (SIGCHLD, SIG_DFL); @@ -190,6 +235,7 @@ #endif if (!fp) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to fork [%s]", cmd); + efree(d); efree(buf); #if PHP_SIGCHILD signal (SIGCHLD, sig_handler); @@ -563,13 +609,51 @@ } convert_to_string_ex(cmd); -#ifdef PHP_WIN32 - if ((in=VCWD_POPEN(Z_STRVAL_PP(cmd), "rt"))==NULL) { -#else - if ((in=VCWD_POPEN(Z_STRVAL_PP(cmd), "r"))==NULL) { -#endif - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to execute '%s'", Z_STRVAL_PP(cmd)); - RETURN_FALSE; + + if(PG(exec_dir) && strlen(PG(exec_dir))) { + char *d, *b, *tmp=NULL; + b = strchr(Z_STRVAL_PP(cmd), ' '); + if (!b) { + b = strrchr(Z_STRVAL_PP(cmd), PHP_DIR_SEPARATOR); + } else { + char *c; + c = Z_STRVAL_PP(cmd); + while ((*b != PHP_DIR_SEPARATOR) && (b != c)) { + b--; + } + if (b == c) { + b = NULL; + } + } + + d = emalloc(Z_STRLEN_PP(cmd) + strlen(PG(exec_dir)) + 2); + if (b) { + strcpy(d, PG(exec_dir)); + strcat(d, b); + } else { + sprintf(d, "%s%c%s", PG(exec_dir), PHP_DIR_SEPARATOR, Z_STRVAL_PP(cmd)); + } + tmp = php_escape_shell_cmd(d); + efree(d); + d = tmp; + +#ifdef PHP_WIN32 + if ((in=VCWD_POPEN(d, "rt"))==NULL) { +#else + if ((in=VCWD_POPEN(d, "r"))==NULL) { +#endif + php_error(E_WARNING, "Unable to execute '%s'", d); + RETURN_FALSE; + } + } else { +#ifdef PHP_WIN32 + if ((in=VCWD_POPEN(Z_STRVAL_PP(cmd), "rt"))==NULL) { +#else + if ((in=VCWD_POPEN(Z_STRVAL_PP(cmd), "r"))==NULL) { +#endif + php_error(E_WARNING, "Unable to execute '%s'", Z_STRVAL_PP(cmd)); + RETURN_FALSE; + } } allocated_space = EXEC_INPUT_BUF; ret = (char *) emalloc(allocated_space); diff -aur php-4.4.3.orig/ext/standard/file.c php-4.4.3/ext/standard/file.c --- php-4.4.3.orig/ext/standard/file.c 2006-04-14 19:46:59.000000000 +0200 +++ php-4.4.3/ext/standard/file.c 2006-08-10 07:35:38.000000000 +0200 @@ -1242,7 +1242,35 @@ efree(buf); - } else { + } else if (PG(exec_dir) && strlen(PG(exec_dir))) { + b = strchr(Z_STRVAL_PP(arg1), ' '); + if (!b) { + b = strrchr(Z_STRVAL_PP(arg1), PHP_DIR_SEPARATOR); + } else { + char *c; + c = Z_STRVAL_PP(arg1); + while ((*b != PHP_DIR_SEPARATOR) && (b != c)) { + b--; + } + if (b == c) { + b = NULL; + } + } + if (b) { + snprintf(buf, sizeof(buf), "%s%s", PG(exec_dir), b); + } else { + snprintf(buf, sizeof(buf), "%s%c%s", PG(exec_dir), PHP_DIR_SEPARATOR, Z_STRVAL_PP(arg1)); + } + + tmp = php_escape_shell_cmd(buf); + fp = VCWD_POPEN(tmp, p); + efree(tmp); + + if (!fp) { + php_error(E_WARNING, "popen(\"%s\", \"%s\") - %s", buf, p, strerror(errno)); + RETURN_FALSE; + } + } else { fp = VCWD_POPEN(Z_STRVAL_PP(arg1), p); if (!fp) { php_error_docref2(NULL TSRMLS_CC, Z_STRVAL_PP(arg1), p, E_WARNING, "%s", strerror(errno)); diff -aur php-4.4.3.orig/main/main.c php-4.4.3/main/main.c --- php-4.4.3.orig/main/main.c 2006-05-19 00:36:14.000000000 +0200 +++ php-4.4.3/main/main.c 2006-08-10 07:35:38.000000000 +0200 @@ -328,6 +328,7 @@ PHP_INI_ENTRY("max_execution_time", "30", PHP_INI_ALL, OnUpdateTimeout) STD_PHP_INI_ENTRY("open_basedir", NULL, PHP_INI_SYSTEM, OnUpdateString, open_basedir, php_core_globals, core_globals) STD_PHP_INI_ENTRY("safe_mode_exec_dir", PHP_SAFE_MODE_EXEC_DIR, PHP_INI_SYSTEM, OnUpdateString, safe_mode_exec_dir, php_core_globals, core_globals) + STD_PHP_INI_ENTRY("exec_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, exec_dir, php_core_globals, core_globals) STD_PHP_INI_BOOLEAN("file_uploads", "1", PHP_INI_SYSTEM, OnUpdateBool, file_uploads, php_core_globals, core_globals) STD_PHP_INI_ENTRY("upload_max_filesize", "2M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateInt, upload_max_filesize, php_core_globals, core_globals) diff -aur php-4.4.3.orig/main/php_globals.h php-4.4.3/main/php_globals.h --- php-4.4.3.orig/main/php_globals.h 2006-01-01 14:46:59.000000000 +0100 +++ php-4.4.3/main/php_globals.h 2006-08-10 07:35:38.000000000 +0200 @@ -69,6 +69,7 @@ char *unserialize_callback_func; char *safe_mode_exec_dir; + char *exec_dir; long memory_limit; long max_input_time; diff -aur php-4.4.3.orig/php.ini-dist php-4.4.3/php.ini-dist --- php-4.4.3.orig/php.ini-dist 2005-12-30 18:19:43.000000000 +0100 +++ php-4.4.3/php.ini-dist 2006-08-10 07:35:38.000000000 +0200 @@ -473,6 +473,10 @@ ; Default is zero. ;cgi.rfc2616_headers = 0 +; Only executables located in the exec_dir will be allowed to be executed +; via the exec family of functions. If safe_mode is enabled, this directive +; is forgotten and safe_mode_exec_dir takes the ride +exec_dir = ;;;;;;;;;;;;;;;; ; File Uploads ; diff -aur php-4.4.3.orig/php.ini-recommended php-4.4.3/php.ini-recommended --- php-4.4.3.orig/php.ini-recommended 2005-12-30 18:19:43.000000000 +0100 +++ php-4.4.3/php.ini-recommended 2006-08-10 07:35:38.000000000 +0200 @@ -488,6 +488,10 @@ ; Default is zero. ;cgi.rfc2616_headers = 0 +; Only executables located in the exec_dir will be allowed to be executed +; via the exec family of functions. If safe_mode is enabled, this directive +; is forgotten and safe_mode_exec_dir takes the ride +exec_dir = ;;;;;;;;;;;;;;;; ; File Uploads ;