
Bug #15046 Avoid arbitrary file inclusion.
Submitted: 2008-11-15 14:16 UTC
From: yunosh Assigned: kguest
Status: Closed Package: Date_Holidays (version CVS)
PHP Version: Irrelevant OS:
Roadmaps: 0.21.0    
 
 [2008-11-15 14:16 UTC] yunosh (Jan Schneider)
Description:
------------
The attached patch fixes arbitrary file inclusion by passing the driver name through basename() in the factory. The patch also removes unnecessary PHP_DIRECTORY_SEPARATOR usage.

Comments

 [2008-11-17 00:17 UTC] doconnor (Daniel O'Connor)
Psst, Jan, any chance of a test to demonstrate the problem with the old behaviour? Aside from that, the changes to paths certainly make it a touch more readable :)
 [2008-11-17 00:33 UTC] yunosh (Jan Schneider)
Date_Holidays::factory('../../../../../../../path/to/some/php/file');
 [2008-11-18 21:18 UTC] kguest (Ken Guest)
This smells more like a security bug rather than a feature request...
 [2008-11-19 00:12 UTC] kguest (Ken Guest)
This bug has been fixed in CVS.

If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET). If this was a problem with the pear.php.net website, the change should be live shortly. Otherwise, the fix will appear in the package's next release.

Thank you for the report and for helping us make PEAR better.

patched and tested against bug13395.phpt...
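The basename() fix described in this report, as an added example that is not the Date_Holidays source or the attached patch: it builds the driver file path with and without basename() and reports whether the result stays inside the driver directory. `DRIVER_DIR`, the function names and the `Christian` sample driver name are assumptions made for illustration; the traversal string is the one quoted in the thread.

```php
<?php
// Hypothetical driver directory; the package's real layout is not shown on this page.
const DRIVER_DIR = '/usr/share/php/Date/Holidays/Driver';

// "Before": the caller-supplied driver name goes straight into the include path.
function driverPathUnsafe(string $driver): string
{
    return DRIVER_DIR . '/' . $driver . '.php';
}

// "After": basename() keeps only the final path component, dropping any "../" prefix.
function driverPathSafe(string $driver): string
{
    return DRIVER_DIR . '/' . basename($driver) . '.php';
}

// Resolve "." and ".." lexically so the effective target is visible
// without touching the filesystem.
function normalize(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($out);
            continue;
        }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

function staysInDriverDir(string $path): bool
{
    return strpos(normalize($path), DRIVER_DIR . '/') === 0;
}

// Constructed inputs: one ordinary driver name, one traversal string from the report.
$samples = ['Christian', '../../../../../../../path/to/some/php/file'];
foreach ($samples as $name) {
    foreach (['driverPathUnsafe', 'driverPathSafe'] as $fn) {
        $target = normalize($fn($name));
        $verdict = staysInDriverDir($target) ? 'inside driver dir' : 'OUTSIDE driver dir';
        printf("%-17s %-45s -> %s (%s)\n", $fn, $name, $target, $verdict);
    }
}
```

basename() confines the lookup to the driver directory, but any `.php` file in that directory can still be selected by name, so a factory may also want to check the name against the set of known drivers.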