#! /bin/sh /usr/share/dpatch/dpatch-run
## 04_CVE-2008-1614.dpatch
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Libtool update

@DPATCH@
--- suphp-0.6.2.orig/src/API_Linux.hpp
+++ suphp-0.6.2/src/API_Linux.hpp
@@ -169,6 +169,11 @@
 	virtual GroupInfo File_getGroup(const File& file) const
 	    throw (SystemException);
 
+        /**
+         * Checks whether a file is a symlink
+         */
+        virtual bool File_isSymlink(const File& file) const throw (SystemException);
+        
 	/**
 	 * Runs another program (replaces current process)
 	 */
only in patch2:
unchanged:
--- suphp-0.6.2.orig/src/File.cpp
+++ suphp-0.6.2/src/File.cpp
@@ -57,6 +57,9 @@
 File suPHP::File::getParentDirectory() const {
     std::string path = this->getPath();
     path = path.substr(0, path.rfind('/'));
+    if (path.length() == 0) {
+        path = "/";
+    }
     return File(path);
 }
 
@@ -104,3 +107,7 @@
 GroupInfo suPHP::File::getGroup() const throw (SystemException) {
     return API_Helper::getSystemAPI().File_getGroup(*this);
 }
+
+bool suPHP::File::isSymlink() const throw (SystemException) {
+    return API_Helper::getSystemAPI().File_isSymlink(*this);
+}
only in patch2:
unchanged:
--- suphp-0.6.2.orig/src/Application.hpp
+++ suphp-0.6.2/src/Application.hpp
@@ -107,6 +107,14 @@
 			   const Configuration& config) const
 	    throw (SoftException);
 
+         
+         /**
+          * Checks ownership and permissions for parent directories
+          */
+         void checkParentDirectories(const File& file,
+                                     const UserInfo& owner,
+                                     const Configuration& config) const
+             throw (SoftException);
 
     public:
 	/**
only in patch2:
unchanged:
--- suphp-0.6.2.orig/src/Application.cpp
+++ suphp-0.6.2/src/Application.cpp
@@ -177,6 +177,7 @@
     throw (SystemException, SoftException) {
     Logger& logger = API_Helper::getSystemAPI().getSystemLogger();
     File scriptFile = File(scriptFilename);
+    File realScriptFile = File(scriptFile.getRealPath());
 
     // Check wheter file exists
     if (!scriptFile.exists()) {
@@ -184,11 +185,13 @@
 	logger.logWarning(error);
 	throw SoftException(error, __FILE__, __LINE__);
     }
-    
-    // Get full path to script file
-
-    File realScriptFile = File(scriptFile.getRealPath());
-    File directory = realScriptFile.getParentDirectory();
+    if (!realScriptFile.exists()) {
+        std::string error = "File " + realScriptFile.getPath() 
+            + " referenced by symlink " +scriptFile.getPath() 
+            + " does not exist";
+        logger.logWarning(error);
+        throw SoftException(error, __FILE__, __LINE__);
+    }
     
     // Check wheter script is in docroot
     if (realScriptFile.getPath().find(config.getDocroot()) != 0) {
@@ -213,8 +216,19 @@
 	logger.logWarning(error);
 	throw SoftException(error, __FILE__, __LINE__);
     }
+    if (config.getCheckVHostDocroot()
+        && scriptFile.getPath().find(environment.getVar("DOCUMENT_ROOT")) 
+        != 0) {
+        
+        std::string error = "File \"" + scriptFile.getPath()
+            + "\" is not in document root of Vhost \""
+            + environment.getVar("DOCUMENT_ROOT") + "\"";
+        logger.logWarning(error);
+        throw SoftException(error, __FILE__, __LINE__);
+    }
 
-    // Check script and directory permissions
+    // Check script permissions
+    // Directories will be checked later
     if (!realScriptFile.hasUserReadBit()) {
 	std::string error = "File \"" + realScriptFile.getPath()
 	    + "\" not readable";
@@ -231,14 +245,6 @@
 	throw SoftException(error, __FILE__, __LINE__);
     }
     
-    if (!config.getAllowDirectoryGroupWriteable() 
-	&& directory.hasGroupWriteBit()) {
-	std::string error = "Directory \"" + directory.getPath()
-	    + "\" is writeable by group";
-	logger.logWarning(error);
-	throw SoftException(error, __FILE__, __LINE__);
-    }
-
     if (!config.getAllowFileOthersWriteable()
 	&& realScriptFile.hasOthersWriteBit()) {
 	std::string error = "File \"" + realScriptFile.getPath()
@@ -247,14 +253,6 @@
 	throw SoftException(error, __FILE__, __LINE__);
     }
     
-    if (!config.getAllowDirectoryOthersWriteable()
-	&& directory.hasOthersWriteBit()) {
-	std::string error = "Directory \"" + directory.getPath()
-	    + "\" is writeable by others";
-	logger.logWarning(error);
-	throw SoftException(error, __FILE__, __LINE__);
-    }
-
     // Check UID/GID of symlink is matching target
     if (scriptFile.getUser() != realScriptFile.getUser()
 	|| scriptFile.getGroup() != realScriptFile.getGroup()) {
@@ -274,7 +272,8 @@
     UserInfo targetUser;
     GroupInfo targetGroup;
 
-    File scriptFile = File(File(scriptFilename).getRealPath());
+    File scriptFile = File(scriptFilename);
+    File realScriptFile = File(scriptFile.getRealPath());
     API& api = API_Helper::getSystemAPI();
     Logger& logger = api.getSystemLogger();
 
@@ -360,7 +359,11 @@
 	throw SoftException(error, __FILE__, __LINE__);
     }
 #endif // OPT_USERGROUP_PARANOID    
-
+    
+    // Check directory ownership and permissions
+    checkParentDirectories(realScriptFile, targetUser, config);
+    checkParentDirectories(scriptFile, targetUser, config);
+    
     // Common code used for all modes
 
     // Set new group first, because we still need super-user privileges
@@ -480,6 +483,43 @@
 }
 
 
+void suPHP::Application::checkParentDirectories(const File& file,
+                                               const UserInfo& owner,
+                                               const Configuration& config) const throw (SoftException) {
+    File directory = file;
+    Logger& logger = API_Helper::getSystemAPI().getSystemLogger();
+    do {
+        directory = directory.getParentDirectory();
+        
+        UserInfo directoryOwner = directory.getUser();
+        if (directoryOwner != owner && !directoryOwner.isSuperUser()) {
+            std::string error = "Directory " + directory.getPath()
+                + " is not owned by " + owner.getUsername();
+            logger.logWarning(error);
+            throw SoftException(error, __FILE__, __LINE__);
+        }
+        
+        if (!directory.isSymlink()
+            && !config.getAllowDirectoryGroupWriteable() 
+            && directory.hasGroupWriteBit()) {
+            std::string error = "Directory \"" + directory.getPath()
+                + "\" is writeable by group";
+            logger.logWarning(error);
+            throw SoftException(error, __FILE__, __LINE__);
+        }
+        
+        if (!directory.isSymlink()
+            && !config.getAllowDirectoryOthersWriteable()
+            && directory.hasOthersWriteBit()) {
+            std::string error = "Directory \"" + directory.getPath()
+                + "\" is writeable by others";
+            logger.logWarning(error);
+            throw SoftException(error, __FILE__, __LINE__);
+        }
+    } while (directory.getPath() != "/");
+}
+
+
 int main(int argc, char **argv) {
     try {
 	API& api = API_Helper::getSystemAPI();
only in patch2:
unchanged:
--- suphp-0.6.2.orig/src/API_Linux.cpp
+++ suphp-0.6.2/src/API_Linux.cpp
@@ -225,10 +225,10 @@
 
 bool suPHP::API_Linux::File_exists(const File& file) const {
     struct stat dummy;
-    if (::stat(file.getPath().c_str(), &dummy) == 0)
-	return true;
+    if (::lstat(file.getPath().c_str(), &dummy) == 0)
+        return true;
     else
-	return false;
+        return false;
 }
 
 std::string suPHP::API_Linux::File_getRealPath(const File& file) const
@@ -304,7 +304,7 @@
 bool suPHP::API_Linux::File_hasPermissionBit(const File& file, FileMode perm) 
     const throw (SystemException) {
     struct stat temp;
-    if (stat(file.getPath().c_str(), &temp) == -1) {
+    if (lstat(file.getPath().c_str(), &temp) == -1) {
 	throw SystemException(std::string("Could not stat \"")
 			      + file.getPath() + "\": "
 			      + ::strerror(errno), __FILE__, __LINE__);
@@ -362,7 +362,7 @@
 UserInfo suPHP::API_Linux::File_getUser(const File& file) const
     throw (SystemException) {
     struct stat temp;
-    if (stat(file.getPath().c_str(), &temp) == -1) {
+    if (lstat(file.getPath().c_str(), &temp) == -1) {
 	throw SystemException(std::string("Could not stat \"")
 			      + file.getPath() + "\": "
 			      + ::strerror(errno), __FILE__, __LINE__);
@@ -373,7 +373,7 @@
 GroupInfo suPHP::API_Linux::File_getGroup(const File& file) const
     throw (SystemException) {
     struct stat temp;
-    if (stat(file.getPath().c_str(), &temp) == -1) {
+    if (lstat(file.getPath().c_str(), &temp) == -1) {
 	throw SystemException(std::string("Could not stat \"")
 			      + file.getPath() + "\": "
 			      + ::strerror(errno), __FILE__, __LINE__);
@@ -382,6 +382,11 @@
 }
 
 
+bool suPHP::API_Linux::File_isSymlink(const File& file) const throw (SystemException) {
+    return this->isSymlink(file.getPath());
+}
+
+
 void suPHP::API_Linux::execute(std::string program, const CommandLine& cline,
 			       const Environment& env) const
     throw (SystemException) {
only in patch2:
unchanged:
--- suphp-0.6.2.orig/src/File.hpp
+++ suphp-0.6.2/src/File.hpp
@@ -143,7 +143,11 @@
 	 * Returns owning group of file
 	 */
 	GroupInfo getGroup() const throw (SystemException);
-	
+
+        /**
+         * Checks whether this file is a symlink
+         */
+        bool isSymlink() const throw (SystemException);
     };
 };
 
only in patch2:
unchanged:
--- suphp-0.6.2.orig/src/API.hpp
+++ suphp-0.6.2/src/API.hpp
@@ -157,6 +157,12 @@
 	virtual GroupInfo File_getGroup(const File& file) const
 	    throw (SystemException) =0;
 	
+        /**
+         * Checks whether a file is a symlink
+         */
+        virtual bool File_isSymlink(const File& file) const 
+            throw (SystemException) =0;
+        
 	/**
 	 * Runs another program (replaces current process)
 	 */