Fix #70264: CLI server directory traversal

cmb69 · cmb69 · commit 9c805a6cb315 · 2015-08-14T17:05:31.000+02:00
On Windows the built-in webserver doesn't prevent directory traversal when
backslashes are used as path component separators. Even though that is not a
security issue (the CLI webserver is meant for testing only), we fix that by
replacing backslashes in the path with slashes on Windows, because backslashes
may be valid characters for file names on other systems, but not on Windows.
diff --git a/sapi/cli/php_cli_server.c b/sapi/cli/php_cli_server.c
@@ -1579,6 +1579,18 @@ static void normalize_vpath(char **retval, size_t *retval_len, const char *vpath
 
 	decoded_vpath_end = decoded_vpath + php_url_decode(decoded_vpath, vpath_len);
 
+#ifdef PHP_WIN32
+	{
+		char *p = decoded_vpath;
+		
+		do {
+			if (*p == '\\') {
+				*p = '/';
+			}
+		} while (*p++);
+	}
+#endif
+
 	p = decoded_vpath;
 
 	if (p < decoded_vpath_end && *p == '/') {
diff --git a/sapi/cli/tests/bug70264.phpt b/sapi/cli/tests/bug70264.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #70264 (CLI server directory traversal)
+--INI--
+allow_url_fopen=1
+--SKIPIF--
+<?php
+include "skipif.inc";
+?>
+--FILE--
+<?php
+include "php_cli_server.inc";
+php_cli_server_start(null, null);
+echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/..\\CREDITS");
+echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/..%5CCREDITS");
+?>
+--EXPECTF--
+Warning: file_get_contents(http://%s/..\CREDITS): failed to open stream: HTTP request failed! HTTP/1.0 404 Not Found
+ in %sbug70264.php on line %d
+
+Warning: file_get_contents(http://%s/..%5CCREDITS): failed to open stream: HTTP request failed! HTTP/1.0 404 Not Found
+ in %sbug70264.php on line %d
