Newsgroups: php.internals
Date: Fri, 15 Aug 2014 19:46:43 +0100
Subject: Re: [PHP-DEV] Re: glob() bug 47358
From: bukka@php.net (Jakub Zelenka)
To: Stas Malyshev
Cc: Pierre Joye, PHP Internals

Hi,

On Fri, Aug 15, 2014 at 2:19 AM, Stas Malyshev wrote:

> Hi!
>
> > Sorry, I missed that one. I suspect it was the time where I
> > misconfigured git and branches did not get merged. Feel free to merge
> > it back/backport as I won't be able to do it before Monday.
>
> OK, I have backported it (and following Anatol's patches for it).
>

The Anatol patch (https://github.com/php/php-src/commit/ad492ca9327fc9f7f0ea7a0ddd32e62cdf0c9137) is actually wrong. I remember that we discussed it in PR 398. The open_basedir cannot be changed from $path/... to /tmp (it's not tightening).

The source of the problem is that open_basedir will always leak information about dirs that the user is not supposed to see (outside the open_basedir restriction). The reason is that a false value can indicate that (more info in the PR or https://bugs.php.net/bug.php?id=65489).

The solution would be to either return an empty array instead (it could be considered a BC break) or re-implement glob. The re-implementation could also be interesting for perf (removing double allocations - glob + zval) when used for dirs with many items, but that would be quite an effort which I'm not sure is worth it... :). However, not sure if it's such a big issue as no one should ever use open_basedir in a security context anyway... :)

Cheers

Jakub