
Bug #15046 Avoid arbitrary file inclusion.
Submitted: 2008-11-15 09:16 UTC Modified: 2008-11-18 19:12 UTC
From: yunosh Assigned: kguest
Status: Closed Package: Date_Holidays (version CVS)
PHP Version: Irrelevant OS:
Roadmaps: 0.21.0    


 [2008-11-15 09:16 UTC] yunosh (Jan Schneider)
Description:
The attached patch fixes arbitrary file inclusion by passing the driver name through basename() in the factory. The patch also removes unnecessary PHP_DIRECTORY_SEPARATOR usage.

Comments

 [2008-11-16 19:17 UTC] doconnor (Daniel O'Connor)
Psst, Jan, any chance of a test to demonstrate the problem with the old behaviour? Aside from that, the changes to paths certainly make it a touch more readable :)
 [2008-11-16 19:33 UTC] yunosh (Jan Schneider)
Date_Holidays::factory('../../../../../../../path/to/some/php/file');
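The bug in the report and the basename() fix, shown side by side as an added example. This is not the Date_Holidays code: the path construction below is a simplified stand-in for the package's factory, the driver directory is assumed, and the allowlist variant is an additional check written here, not something the patch adds.

```php
<?php
// Added example, not Date_Holidays code. Assumed layout: every driver is a
// PHP file named <DriverId>.php inside $driverDir, and the factory include()s
// it based on the caller-supplied $driverId.

function driver_path_vulnerable($driverDir, $driverId)
{
    // Before the fix: the id is used as-is, so '../../../../../../../path/to/some/php/file'
    // resolves outside $driverDir and include() executes whatever PHP file sits there.
    return $driverDir . '/' . $driverId . '.php';
}

function driver_path_basename($driverDir, $driverId)
{
    // The fix from the report: basename() drops every directory component, so the
    // traversal string above collapses to 'file' and the include stays in $driverDir.
    // A URL such as 'http://attacker.example/evil' collapses to 'evil' as well, which
    // also closes the remote-include variant when allow_url_include is on.
    return $driverDir . '/' . basename($driverId) . '.php';
}

function driver_path_allowlist($driverDir, $driverId)
{
    // Stricter variant (added here, hypothetical): accept only strings that can be a
    // driver identifier, then require the file to exist in the driver directory.
    // Returns null for anything that is not an installed driver.
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_]*$/', $driverId)) {
        return null;
    }
    $path = $driverDir . '/' . $driverId . '.php';
    return is_file($path) ? $path : null;
}

// Constructed inputs: a legitimate driver name, the traversal from the report,
// and a remote URL. The driver directory is an assumption.
$driverDir = '/usr/share/php/Date/Holidays/Driver';
$inputs = array(
    'Germany',
    '../../../../../../../path/to/some/php/file',
    'http://attacker.example/evil',
);
foreach ($inputs as $id) {
    echo "input:      $id\n";
    echo "vulnerable: " . driver_path_vulnerable($driverDir, $id) . "\n";
    echo "basename:   " . driver_path_basename($driverDir, $id) . "\n";
    $strict = driver_path_allowlist($driverDir, $id);
    echo "allowlist:  " . ($strict === null ? 'rejected' : $strict) . "\n\n";
}
```

basename() is enough for this bug because any file left in the driver directory is, by construction, a driver the caller is allowed to load. It still lets a caller name any .php file in that directory, so a factory that wants to reject junk input outright rather than let include() fail on a missing file can use the allowlist check.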
 [2008-11-18 16:18 UTC] kguest (Ken Guest)
this smells more like a security bug rather than a feature request...
 [2008-11-18 19:12 UTC] kguest (Ken Guest)
This bug has been fixed in CVS. If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET). If this was a problem with the pear.php.net website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better. patched and tested against bug13395.phpt...