ID:               41899
 User updated by:  geoffwa at cs dot rmit dot edu dot au
 Reported By:      geoffwa at cs dot rmit dot edu dot au
 Status:           Assigned
 Bug Type:         Streams related
 Operating System: Solaris 10
 PHP Version:      5.2.3
 Assigned To:      tony2001
 New Comment:

No idea if this is correct but it fixes it:
diff -ur ./php5.2-200707060030/main/safe_mode.c
./php-5.2-snap/main/safe_mode.c
--- ./php5.2-200707060030/main/safe_mode.c      2007-01-13
00:30:58.000000000 +1100
+++ ./php-5.2-snap/main/safe_mode.c     2007-07-07 11:42:10.804129000
+1000
@@ -86,7 +86,8 @@
         * If that fails, passthrough and check directory...
         */
        if (mode != CHECKUID_ALLOW_ONLY_DIR) {
-               expand_filepath(filename, path TSRMLS_CC);
+               // VCWD_STAT() can handle relative paths right?
+               strlcpy(path, filename, MAXPATHLEN);
                ret = VCWD_STAT(path, &sb);
                if (ret < 0) {
                        if (mode == CHECKUID_DISALLOW_FILE_NOT_EXISTS)
{
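Review bot: the `strlcpy(path, filename, MAXPATHLEN);` line ignores its return value, so a filename of MAXPATHLEN bytes or more is silently truncated and `VCWD_STAT(path, &sb)` then runs the safe-mode check on a different path from the one the caller asked for. Compare the return value against MAXPATHLEN and fail the check on overflow. Dropping `expand_filepath()` also means `path` is no longer canonical: it can still contain `..` components and is resolved against whatever the working directory is when the stat happens, so the question in the added comment ("VCWD_STAT() can handle relative paths right?") needs an answer before this goes in, not a comment. The added comment also uses `//` where the surrounding context uses `/* */`.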
diff -ur ./php5.2-200707060030/main/streams/plain_wrapper.c
./php-5.2-snap/main/streams/plain_wrapper.c
--- ./php5.2-200707060030/main/streams/plain_wrapper.c  2007-04-19
00:31:35.000000000 +1000
+++ ./php-5.2-snap/main/streams/plain_wrapper.c 2007-07-07
11:58:57.673891000 +1000
@@ -888,9 +888,10 @@
                return NULL;
        }

-       if ((realpath = expand_filepath(filename, NULL TSRMLS_CC)) ==
NULL) {
-               return NULL;
-       }
+       //if ((realpath = expand_filepath(filename, NULL TSRMLS_CC)) ==
NULL) {
+       //      return NULL;
+       //}
+       realpath = estrndup(filename, strlen(filename));

        if (persistent) {
                spprintf(&persistent_id, 0, "streams_stdio_%d_%s",
open_flags, realpath);
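Review bot: with `realpath` now a plain copy of `filename`, the `spprintf(&persistent_id, 0, "streams_stdio_%d_%s", open_flags, realpath);` line in the trailing context builds the persistent stream key from an unresolved name. The same relative string opened from two different working directories would map to one key, and two spellings of the same file would map to different keys. Either keep a resolved path for the persistent id or show that persistent streams are never opened with relative names. Smaller points: `estrndup(filename, strlen(filename))` is just `estrdup(filename)`, the failure path that returned NULL is gone without a replacement, and the old block should be deleted rather than left commented out with `//`.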


Previous Comments:
------------------------------------------------------------------------

[2007-07-06 16:04:30] geoffwa at cs dot rmit dot edu dot au

It's still broken in CVS (my bad - forgot to remove the workaround
patch we had).

virtual_file_ex() gets called several times, with the last
invocation being:

virtual_file_ex(state = 0xffbfdf9c,
                path = 0xffbfe018 "../b/file",
                verify_path = (nil),
                use_realpath = 1)
                called from function expand_filepath
                virtual_file_ex returns 1

Having written a rather grandiose summary of stepping through
virtual_file_ex() I think the problem might be in php_checkuid_ex().

------------------------------------------------------------------------

[2007-07-06 15:16:04] [EMAIL PROTECTED]

Thanks, but I need to do it myself in order to understand it.

I know quite well that realpath() on Solaris is badly broken, that's
a known issue and Sun is not going to do anything about it as far as I
understand.
The problem is that we need to invent a workaround for it so that we
don't break working realpath() implementations.
And to do that I need to reproduce it myself and investigate it using
GDB.

------------------------------------------------------------------------

[2007-07-06 15:00:30] geoffwa at cs dot rmit dot edu dot au

Doing a bit of tracing of expand_filepath nets:

(from PHP-5.2.3)
expand_filepath(filepath = 0xffbff5f4 "test2.php",
                real_path = 0xffbfee20 "")
                called from function php_execute_script
expand_filepath returns 0xffbfee20 "/home/g/geoffwa/test/test2.php"
expand_filepath(filepath = 0xffbfdec0 "./a",
                real_path = 0xffbfe2c4 "")
                called from function php_checkuid_ex
expand_filepath returns 0xffbfe2c4 "/home/g/geoffwa/test/a"
expand_filepath(filepath = 0xffbfe108 "./a/b/file",
                real_path = 0xffbfe50c "")
                called from function php_checkuid_ex
expand_filepath returns 0xffbfe50c "/home/g/geoffwa/test/a/b/file"
expand_filepath(filepath = 0xffbfe098 "./a",
                real_path = 0xffbfe49c "")
                called from function php_checkuid_ex
expand_filepath returns 0xffbfe49c "/home/g/geoffwa/test/a"
expand_filepath(filepath = 0xffbfe028 "./a",
                real_path = 0xffbfe42c "")
                called from function php_checkuid_ex
expand_filepath returns 0xffbfe42c "/home/g/geoffwa/test/a"
expand_filepath(filepath = 0xffbfe120 "./a/b",
                real_path = 0xffbfe524 "")
                called from function php_checkuid_ex
expand_filepath returns 0xffbfe524 "/home/g/geoffwa/test/a/b"
expand_filepath(filepath = 0xffbfdfd8 "../b/file",
                real_path = 0xffbfe3dc "")
                called from function php_checkuid_ex
expand_filepath returns (nil)

(from PHP 5.2 snap 200707060030)
expand_filepath(filepath = 0xffbff5ef "test2.php",
                real_path = 0xffbfee18 "")
                called from function php_execute_script
expand_filepath returns 0xffbfee18 "/home/g/geoffwa/test/test2.php"
expand_filepath(filepath = 0xffbfdeb8 "./a",
                real_path = 0xffbfe2bc "")
                called from function php_checkuid_ex
expand_filepath returns 0xffbfe2bc "/home/g/geoffwa/test/a"
expand_filepath(filepath = 0xffbfe100 "./a/b/file",
                real_path = 0xffbfe504 "")
                called from function php_checkuid_ex
expand_filepath returns 0xffbfe504 "/home/g/geoffwa/test/a/b/file"
expand_filepath(filepath = 0xffbfe090 "./a",
                real_path = 0xffbfe494 "")
                called from function php_checkuid_ex
expand_filepath returns 0xffbfe494 "/home/g/geoffwa/test/a"
expand_filepath(filepath = 0xffbfe020 "./a",
                real_path = 0xffbfe424 "")
                called from function php_checkuid_ex
expand_filepath returns 0xffbfe424 "/home/g/geoffwa/test/a"
expand_filepath(filepath = 0xffbfe118 "./a/b",
                real_path = 0xffbfe51c "")
                called from function php_checkuid_ex
expand_filepath returns 0xffbfe51c "/home/g/geoffwa/test/a/b"
expand_filepath(filepath = 0xffbfdfd0 "../b/file",
                real_path = 0xffbfe3d4 "")
                called from function php_checkuid_ex
expand_filepath returns 0xffbfe3d4 "../b/file"
expand_filepath(filepath = 0x53d1c0 "../b/file",
                real_path = (nil))
                called from function _php_stream_fopen
expand_filepath returns 0x53d398 "../b/file"

------------------------------------------------------------------------

[2007-07-06 14:02:04] [EMAIL PROTECTED]

Which configure options did you use?
As I said, I don't see any difference between 5.2.3 and the snapshot
and there should not be any difference since I don't remember any
changes that could affect it.

>We use Sun Studio's C compiler, so I can use dbx for debugging
I can use that too, but I prefer GDB.

>Is there anything I can trace for you?
No, I'm still hoping to get GCC & GDB working there.

------------------------------------------------------------------------

[2007-07-06 13:56:10] geoffwa at cs dot rmit dot edu dot au

I've updated
http://goanna.cs.rmit.edu.au/~geoffwa/relative_path_bug.php
with a shorter test script and two syscall traces of 5.2.3 and
5.2-200707060030.

Looking through these the main difference is that 5.2.3 makes a stat()
call with an empty path, whereas 5.2-snap makes a stat() call using
the relative path supplied to fopen() in the PHP script.

We use Sun Studio's C compiler, so I can use dbx for debugging
(gdb crashes on most Sun-compiled binaries I give it). Is there
anything I can trace for you?

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/41899
