The glob() function can cause a crash in ZTS mode.
For a relative path in ZTS we can find this code:
[...]
cwd_skip = strlen(cwd)+1;
snprintf(work_pattern, MAXPATHLEN, "%s%c%s", cwd, DEFAULT_SLASH, pattern);
[...]
add_next_index_string(return_value, globbuf.gl_pathv[n]+cwd_skip, 1);
[...]
If the pattern contains something like "./../../../../../../../*",
globbuf.gl_pathv[n] could be shorter than cwd_skip.
As a result we can read from an illegal area of memory.
In the code we can read:
/* we assume that any glob pattern will match files from one
directory only
so checking the dirname of the first match should be
sufficient */
But it's not true. glob()
can match files from more than one directory,
i.e. ".//*" will match files from many directories.
About my solution:
- with safe_mode / open_basedir set, I don't allow regular expressions
before the last slash in the pattern, so glob will match files only from one
directory
- the pattern is expanded using virtual_file_ex (without using the realname, of
course) to eliminate '..' and '.' dirs. If the pattern 'leaves' the current
directory, it will be used as an absolute pattern (the result will contain full
names, not relative ones)
- added missing globfree() calls
- added (missing?) terminating '\0' in line 453
This patch is not so beautiful (my English too; I'm not a native English
speaker), but I hope it will help you fix these bugs.
Best regards.
Marcin Obara
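An added C example (not PHP's source and not the reporter's patch) that models the prefix stripping described in the report on constructed paths: a check for the precondition that `gl_pathv[n] + cwd_skip` violates, a strip that only removes the prefix when the match really starts with cwd, and a replacement for the "check the first match only" assumption in the quoted comment. The helper names and sample paths are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

#define DEFAULT_SLASH '/'

/* Return 1 if `path + cwd_skip` (cwd_skip = strlen(cwd) + 1, as in the
 * original) would point past the terminator of `path`. This is the case
 * the report describes for patterns such as "./../../../../*". */
int strip_would_overrun(const char *cwd, const char *path) {
    size_t cwd_skip = strlen(cwd) + 1;
    return strlen(path) < cwd_skip;
}

/* Checked replacement for gl_pathv[n] + cwd_skip: strip the prefix only
 * when the match really is "<cwd>/<name>"; otherwise return the full path,
 * which is what the report proposes for patterns that leave the directory. */
const char *strip_cwd_checked(const char *cwd, const char *path) {
    size_t cwd_len = strlen(cwd);
    if (strncmp(path, cwd, cwd_len) == 0 && path[cwd_len] == DEFAULT_SLASH
        && path[cwd_len + 1] != '\0') {
        return path + cwd_len + 1;
    }
    return path;
}

/* The quoted comment assumes every match lives in one directory and checks
 * only the first one. This compares the dirname of every match against the
 * first, so a pattern like ".//*" that spans directories is detected. */
int matches_single_dir(const char *const *pathv, size_t count) {
    if (count == 0) return 1;
    const char *first_slash = strrchr(pathv[0], DEFAULT_SLASH);
    size_t dir_len = first_slash ? (size_t)(first_slash - pathv[0]) : 0;
    for (size_t i = 1; i < count; i++) {
        const char *slash = strrchr(pathv[i], DEFAULT_SLASH);
        size_t len = slash ? (size_t)(slash - pathv[i]) : 0;
        if (len != dir_len || strncmp(pathv[i], pathv[0], dir_len) != 0)
            return 0;
    }
    return 1;
}
```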