ID: 37273
Updated by: [EMAIL PROTECTED]
Reported By: c dot i dot morris at durham dot ac dot uk
-Status: Open
+Status: Assigned
Bug Type: Session related
Operating System: Linux
PHP Version: 5.1.3
-Assigned To:
+Assigned To: iliaa
New Comment:
Ilia, is this fixed or not? :)
Previous Comments:
------------------------------------------------------------------------
[2007-08-20 10:19:34] [EMAIL PROTECTED]
Security vulnerability should be better fixed in source than
documented.
------------------------------------------------------------------------
[2006-07-27 11:41:42] a dot d dot stribblehill at durham dot ac dot uk
This is *not* a documentation bug: as the original report says, it is a
security vulnerability -- one that can and should be fixed in the code.
------------------------------------------------------------------------
[2006-07-27 01:34:11] [EMAIL PROTECTED]
Reclassified. Ilia will give more info for whomever is going to
document this.
------------------------------------------------------------------------
[2006-06-16 14:32:37] c dot i dot morris at durham dot ac dot uk
For a possible solution to this, in ext/session/mod_files.c, the
ps_files_open function has:
data->fd = VCWD_OPEN_MODE(buf, O_CREAT | O_RDWR | O_BINARY, data->filemode);
On systems that support O_NOFOLLOW (FreeBSD, Linux>=2.2, maybe others)
you can probably do
data->fd = VCWD_OPEN_MODE(buf, O_CREAT | O_RDWR | O_BINARY | O_NOFOLLOW, data->filemode);
which will cause this open to fail (with error ELOOP) if the session
file is a symlink rather than a regular file.
On systems that don't support O_NOFOLLOW, stat()ing the file and making
sure the file mode isn't S_IFLNK should do it.
Would you like me to try to put together a patch for this?
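Added example, not part of this bug report or of PHP's own mod_files.c: a self-contained C program that shows both approaches from the comment above, the O_NOFOLLOW open and the stat-based fallback. It uses plain open() in place of PHP's VCWD_OPEN_MODE macro and omits the Windows-only O_BINARY flag. The fallback uses lstat() rather than stat(), because stat() follows the link and reports the target's mode, and it fstat()s the opened descriptor to confirm a regular file; it still leaves a check-then-open window that O_NOFOLLOW does not. The demo directory, file names and the "victim" target file are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (creating if needed) a session file, refusing to follow a symlink in
 * the final path component.  This is the O_NOFOLLOW variant from the comment;
 * on Linux the open fails with ELOOP when the path is a symlink.
 * Returns the fd, or -1 with errno set. */
int open_session_nofollow(const char *path, mode_t mode)
{
#ifdef O_NOFOLLOW
    return open(path, O_CREAT | O_RDWR | O_NOFOLLOW, mode);
#else
    errno = ENOSYS;   /* platform has no O_NOFOLLOW; use the fallback below */
    return -1;
#endif
}

/* Fallback for platforms without O_NOFOLLOW.  lstat() reports the link itself
 * (stat() would follow it), so a symlink is rejected before open().  There is
 * still a race between lstat() and open(); a link planted in that window is
 * followed, so this is weaker than O_NOFOLLOW.  fstat() on the descriptor then
 * rejects anything that is not a regular file (FIFO, device node). */
int open_session_lstat(const char *path, mode_t mode)
{
    struct stat st;
    if (lstat(path, &st) == 0 && S_ISLNK(st.st_mode)) {
        errno = ELOOP;
        return -1;
    }
    int fd = open(path, O_CREAT | O_RDWR, mode);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Constructed demo: a temp directory holding a regular session file, a target
 * ("victim") file, and a symlink named like a session file pointing at it.
 * Returns 0 when both open variants accept the regular file and reject the
 * symlink; any other value identifies the step that failed. */
int run_symlink_demo(void)
{
    char dir[] = "/tmp/sess_demo_XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 1;

    char regular[256], victim[256], link[256];
    snprintf(regular, sizeof regular, "%s/sess_regular", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/sess_link", dir);

    int rc = 0, fd;
    int vfd = open(victim, O_CREAT | O_WRONLY, 0600);
    if (vfd < 0 || symlink(victim, link) != 0)
        rc = 2;
    if (vfd >= 0)
        close(vfd);

    /* O_NOFOLLOW variant: regular file is created/opened, symlink is refused. */
    if (rc == 0 && (fd = open_session_nofollow(regular, 0600)) < 0)
        rc = 3;
    else if (rc == 0)
        close(fd);
    if (rc == 0 && (fd = open_session_nofollow(link, 0600)) >= 0) {
        close(fd);
        rc = 4;
    }

    /* lstat() fallback: same expectations. */
    if (rc == 0 && (fd = open_session_lstat(regular, 0600)) < 0)
        rc = 5;
    else if (rc == 0)
        close(fd);
    if (rc == 0 && (fd = open_session_lstat(link, 0600)) >= 0) {
        close(fd);
        rc = 6;
    }

    unlink(regular);
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_symlink_demo();
    printf("symlink demo: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

Note that O_NOFOLLOW only governs the final path component; a symlinked parent directory in the session save path is still followed, which is why the save path itself must not be writable by untrusted users.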
------------------------------------------------------------------------
[2006-05-03 16:19:05] c dot i dot morris at durham dot ac dot uk
As above - I managed to lose the bug password and it took a while to
come through to my email.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/37273